Revert "Add condition to avoid secret names that contain forward slashes"

.github/workflows/release_build_infisical_cli.yml

@@ -145,9 +145,3 @@ jobs:
           INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
           AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
-      - name: Invalidate Cloudfront cache
-        run: aws cloudfront create-invalidation --distribution-id $CLOUDFRONT_DISTRIBUTION_ID --paths '/deb/dists/stable/*'
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
-          CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID }}

.infisicalignore

@@ -22,5 +22,3 @@ frontend/src/components/secret-rotations-v2/ViewSecretRotationV2GeneratedCredent
 frontend/src/hooks/api/secretRotationsV2/types/index.ts:generic-api-key:28
 frontend/src/hooks/api/secretRotationsV2/types/index.ts:generic-api-key:65
 frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretRotationListView/SecretRotationItem.tsx:generic-api-key:26
-docs/documentation/platform/kms/overview.mdx:generic-api-key:281
-docs/documentation/platform/kms/overview.mdx:generic-api-key:344

README.md

@@ -50,7 +50,7 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Dashboard](https://infisical.com/docs/documentation/platform/project)**: Manage secrets across projects and environments (e.g. development, production, etc.) through a user-friendly interface.
 - **[Native Integrations](https://infisical.com/docs/integrations/overview)**: Sync secrets to platforms like [GitHub](https://infisical.com/docs/integrations/cicd/githubactions), [Vercel](https://infisical.com/docs/integrations/cloud/vercel), [AWS](https://infisical.com/docs/integrations/cloud/aws-secret-manager), and use tools like [Terraform](https://infisical.com/docs/integrations/frameworks/terraform), [Ansible](https://infisical.com/docs/integrations/platforms/ansible), and more.
 - **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery](https://infisical.com/docs/documentation/platform/pit-recovery)**: Keep track of every secret and project state; roll back when needed.
-- **[Secret Rotation](https://infisical.com/docs/documentation/platform/secret-rotation/overview)**: Rotate secrets at regular intervals for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/secret-rotation/postgres-credentials), [MySQL](https://infisical.com/docs/documentation/platform/secret-rotation/mysql), [AWS IAM](https://infisical.com/docs/documentation/platform/secret-rotation/aws-iam), and more.
+- **[Secret Rotation](https://infisical.com/docs/documentation/platform/secret-rotation/overview)**: Rotate secrets at regular intervals for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/secret-rotation/postgres), [MySQL](https://infisical.com/docs/documentation/platform/secret-rotation/mysql), [AWS IAM](https://infisical.com/docs/documentation/platform/secret-rotation/aws-iam), and more.
 - **[Dynamic Secrets](https://infisical.com/docs/documentation/platform/dynamic-secrets/overview)**: Generate ephemeral secrets on-demand for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/dynamic-secrets/postgresql), [MySQL](https://infisical.com/docs/documentation/platform/dynamic-secrets/mysql), [RabbitMQ](https://infisical.com/docs/documentation/platform/dynamic-secrets/rabbit-mq), and more.
 - **[Secret Scanning and Leak Prevention](https://infisical.com/docs/cli/scanning-overview)**: Prevent secrets from leaking to git.
 - **[Infisical Kubernetes Operator](https://infisical.com/docs/documentation/getting-started/kubernetes)**: Deliver secrets to your Kubernetes workloads and automatically reload deployments.

backend/Dockerfile

@@ -8,8 +8,7 @@ RUN apt-get update && apt-get install -y \
     python3 \
     make \
     g++ \
-    openssh-client \
-    openssl 
+    openssh-client
 
 # Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
 RUN apt-get install -y \

backend/Dockerfile.dev

@@ -19,7 +19,6 @@ RUN apt-get update && apt-get install -y \
     make \
     g++ \
     openssh-client \
-    openssl \
     curl \
     pkg-config
 

backend/package-lock.json

@@ -104,7 +104,6 @@
         "pkijs": "^3.2.4",
         "posthog-node": "^3.6.2",
         "probot": "^13.3.8",
-        "re2": "^1.21.4",
         "safe-regex": "^2.1.1",
         "scim-patch": "^0.8.3",
         "scim2-parse-filter": "^0.2.10",
@@ -133,7 +132,7 @@
         "@types/jsrp": "^0.2.6",
         "@types/libsodium-wrappers": "^0.7.13",
         "@types/lodash.isequal": "^4.5.8",
-        "@types/node": "^20.17.30",
+        "@types/node": "^20.9.5",
         "@types/nodemailer": "^6.4.14",
         "@types/passport-github": "^1.1.12",
         "@types/passport-google-oauth20": "^2.0.14",
@@ -6861,79 +6860,6 @@
         "node": ">= 8"
       }
     },
-    "node_modules/@npmcli/agent": {
-      "version": "2.2.2",
-      "resolved": "https://registry.npmjs.org/@npmcli/agent/-/agent-2.2.2.tgz",
-      "integrity": "sha512-OrcNPXdpSl9UX7qPVRWbmWMCSXrcDa2M9DvrbOTj7ao1S4PlqVFYv9/yLKMkrJKZ/V5A/kDBC690or307i26Og==",
-      "license": "ISC",
-      "dependencies": {
-        "agent-base": "^7.1.0",
-        "http-proxy-agent": "^7.0.0",
-        "https-proxy-agent": "^7.0.1",
-        "lru-cache": "^10.0.1",
-        "socks-proxy-agent": "^8.0.3"
-      },
-      "engines": {
-        "node": "^16.14.0 || >=18.0.0"
-      }
-    },
-    "node_modules/@npmcli/agent/node_modules/agent-base": {
-      "version": "7.1.3",
-      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-7.1.3.tgz",
-      "integrity": "sha512-jRR5wdylq8CkOe6hei19GGZnxM6rBGwFl3Bg0YItGDimvjGtAvdZk4Pu6Cl4u4Igsws4a1fd1Vq3ezrhn4KmFw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 14"
-      }
-    },
-    "node_modules/@npmcli/agent/node_modules/debug": {
-      "version": "4.4.0",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
-      "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
-      "license": "MIT",
-      "dependencies": {
-        "ms": "^2.1.3"
-      },
-      "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/@npmcli/agent/node_modules/https-proxy-agent": {
-      "version": "7.0.6",
-      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-7.0.6.tgz",
-      "integrity": "sha512-vK9P5/iUfdl95AI+JVyUuIcVtd4ofvtrOr3HNtM2yxC9bnMbEdp3x01OhQNnjb8IJYi38VlTE3mBXwcfvywuSw==",
-      "license": "MIT",
-      "dependencies": {
-        "agent-base": "^7.1.2",
-        "debug": "4"
-      },
-      "engines": {
-        "node": ">= 14"
-      }
-    },
-    "node_modules/@npmcli/agent/node_modules/lru-cache": {
-      "version": "10.4.3",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz",
-      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==",
-      "license": "ISC"
-    },
-    "node_modules/@npmcli/fs": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/@npmcli/fs/-/fs-3.1.1.tgz",
-      "integrity": "sha512-q9CRWjpHCMIh5sVyefoD1cA7PkvILqCZsnSOEUUivORLjxCO/Irmue2DprETiNgEqktDBZaM1Bi+jrarx1XdCg==",
-      "license": "ISC",
-      "dependencies": {
-        "semver": "^7.3.5"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
     "node_modules/@octokit/auth-app": {
       "version": "7.1.1",
       "resolved": "https://registry.npmjs.org/@octokit/auth-app/-/auth-app-7.1.1.tgz",
@@ -9827,12 +9753,11 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "20.17.30",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.17.30.tgz",
-      "integrity": "sha512-7zf4YyHA+jvBNfVrk2Gtvs6x7E8V+YDW05bNfG2XkWDJfYRXrTiP/DsB2zSYTaHX0bGIujTBQdMVAhb+j7mwpg==",
-      "license": "MIT",
+      "version": "20.9.5",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.9.5.tgz",
+      "integrity": "sha512-Uq2xbNq0chGg+/WQEU0LJTSs/1nKxz6u1iemLcGomkSnKokbW1fbLqc3HOqCf2JP7KjlL4QkS7oZZTrOQHQYgQ==",
       "dependencies": {
-        "undici-types": "~6.19.2"
+        "undici-types": "~5.26.4"
       }
     },
     "node_modules/@types/node-fetch": {
@@ -11937,115 +11862,6 @@
         "node": ">=8"
       }
     },
-    "node_modules/cacache": {
-      "version": "18.0.4",
-      "resolved": "https://registry.npmjs.org/cacache/-/cacache-18.0.4.tgz",
-      "integrity": "sha512-B+L5iIa9mgcjLbliir2th36yEwPftrzteHYujzsx3dFP/31GCHcIeS8f5MGd80odLOjaOvSpU3EEAmRQptkxLQ==",
-      "license": "ISC",
-      "dependencies": {
-        "@npmcli/fs": "^3.1.0",
-        "fs-minipass": "^3.0.0",
-        "glob": "^10.2.2",
-        "lru-cache": "^10.0.1",
-        "minipass": "^7.0.3",
-        "minipass-collect": "^2.0.1",
-        "minipass-flush": "^1.0.5",
-        "minipass-pipeline": "^1.2.4",
-        "p-map": "^4.0.0",
-        "ssri": "^10.0.0",
-        "tar": "^6.1.11",
-        "unique-filename": "^3.0.0"
-      },
-      "engines": {
-        "node": "^16.14.0 || >=18.0.0"
-      }
-    },
-    "node_modules/cacache/node_modules/brace-expansion": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
-      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^1.0.0"
-      }
-    },
-    "node_modules/cacache/node_modules/fs-minipass": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/fs-minipass/-/fs-minipass-3.0.3.tgz",
-      "integrity": "sha512-XUBA9XClHbnJWSfBzjkm6RvPsyg3sryZt06BEQoXcF7EK/xpGaQYJgQKDJSUH5SGZ76Y7pFx1QBnXz09rU5Fbw==",
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^7.0.3"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
-    "node_modules/cacache/node_modules/glob": {
-      "version": "10.4.5",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
-      "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
-      "license": "ISC",
-      "dependencies": {
-        "foreground-child": "^3.1.0",
-        "jackspeak": "^3.1.2",
-        "minimatch": "^9.0.4",
-        "minipass": "^7.1.2",
-        "package-json-from-dist": "^1.0.0",
-        "path-scurry": "^1.11.1"
-      },
-      "bin": {
-        "glob": "dist/esm/bin.mjs"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/cacache/node_modules/jackspeak": {
-      "version": "3.4.3",
-      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz",
-      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
-      "license": "BlueOak-1.0.0",
-      "dependencies": {
-        "@isaacs/cliui": "^8.0.2"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      },
-      "optionalDependencies": {
-        "@pkgjs/parseargs": "^0.11.0"
-      }
-    },
-    "node_modules/cacache/node_modules/lru-cache": {
-      "version": "10.4.3",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz",
-      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==",
-      "license": "ISC"
-    },
-    "node_modules/cacache/node_modules/minimatch": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
-      "license": "ISC",
-      "dependencies": {
-        "brace-expansion": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/cacache/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
     "node_modules/call-bind": {
       "version": "1.0.7",
       "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.7.tgz",
@@ -13025,16 +12841,6 @@
         "node": ">= 0.8"
       }
     },
-    "node_modules/encoding": {
-      "version": "0.1.13",
-      "resolved": "https://registry.npmjs.org/encoding/-/encoding-0.1.13.tgz",
-      "integrity": "sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==",
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "iconv-lite": "^0.6.2"
-      }
-    },
     "node_modules/end-of-stream": {
       "version": "1.4.4",
       "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.4.tgz",
@@ -13067,21 +12873,6 @@
         "url": "https://github.com/fb55/entities?sponsor=1"
       }
     },
-    "node_modules/env-paths": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/env-paths/-/env-paths-2.2.1.tgz",
-      "integrity": "sha512-+h1lkLKhZMTYjog1VEpJNG7NZJWcuc2DDk/qsqSTRRCOXiLjeQ1d1/udrUGhqMxUgAlwKNZ0cf2uqan5GLuS2A==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=6"
-      }
-    },
-    "node_modules/err-code": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/err-code/-/err-code-2.0.3.tgz",
-      "integrity": "sha512-2bmlRpNKBxT/CRmPOlyISQpNj+qSeYvcym/uT0Jx2bMOlKLtSy1ZmLuVxSEKKyor/N5yhvp/ZiG1oE3DEYMSFA==",
-      "license": "MIT"
-    },
     "node_modules/error-ex": {
       "version": "1.3.2",
       "resolved": "https://registry.npmjs.org/error-ex/-/error-ex-1.3.2.tgz",
@@ -13852,12 +13643,6 @@
         "node": ">=0.10.0"
       }
     },
-    "node_modules/exponential-backoff": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/exponential-backoff/-/exponential-backoff-3.1.2.tgz",
-      "integrity": "sha512-8QxYTVXUkuy7fIIoitQkPwGonB8F3Zj8eEO8Sqg9Zv/bkI7RJAzowee4gr81Hak/dUTpA2Z7VfQgoijjPNlUZA==",
-      "license": "Apache-2.0"
-    },
     "node_modules/express": {
       "version": "4.21.2",
       "resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz",
@@ -15435,12 +15220,6 @@
       ],
       "license": "MIT"
     },
-    "node_modules/http-cache-semantics": {
-      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.1.tgz",
-      "integrity": "sha512-er295DKPVsV82j5kw1Gjt+ADA/XYHsajl82cGNQG2eyoPkvgUhX+nDIyelzhIWbbsXP39EHcI6l5tYs2FYqYXQ==",
-      "license": "BSD-2-Clause"
-    },
     "node_modules/http-errors": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz",
@@ -15623,6 +15402,7 @@
       "version": "0.1.4",
       "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz",
       "integrity": "sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA==",
+      "dev": true,
       "engines": {
         "node": ">=0.8.19"
       }
@@ -15655,16 +15435,6 @@
       "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==",
       "dev": true
     },
-    "node_modules/install-artifact-from-github": {
-      "version": "1.3.5",
-      "resolved": "https://registry.npmjs.org/install-artifact-from-github/-/install-artifact-from-github-1.3.5.tgz",
-      "integrity": "sha512-gZHC7f/cJgXz7MXlHFBxPVMsvIbev1OQN1uKQYKVJDydGNm9oYf9JstbU4Atnh/eSvk41WtEovoRm+8IF686xg==",
-      "license": "BSD-3-Clause",
-      "bin": {
-        "install-from-cache": "bin/install-from-cache.js",
-        "save-to-github-cache": "bin/save-to-github-cache.js"
-      }
-    },
     "node_modules/internal-slot": {
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/internal-slot/-/internal-slot-1.0.6.tgz",
@@ -15747,19 +15517,6 @@
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
       "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
     },
-    "node_modules/ip-address": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-9.0.5.tgz",
-      "integrity": "sha512-zHtQzGojZXTwZTHQqra+ETKd4Sn3vgi7uBmlPoXVWZqYvuKmtI0l/VZTjqGmJY9x88GGOaZ9+G9ES8hC4T4X8g==",
-      "license": "MIT",
-      "dependencies": {
-        "jsbn": "1.1.0",
-        "sprintf-js": "^1.1.3"
-      },
-      "engines": {
-        "node": ">= 12"
-      }
-    },
     "node_modules/ip-num": {
       "version": "1.5.1",
       "resolved": "https://registry.npmjs.org/ip-num/-/ip-num-1.5.1.tgz",
@@ -15959,12 +15716,6 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/is-lambda": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/is-lambda/-/is-lambda-1.0.1.tgz",
-      "integrity": "sha512-z7CMFGNrENq5iFB9Bqo64Xk6Y9sg+epq1myIcdHaGnbMTYOxvzsEtdYqQUylB7LxfkvgrrjP32T6Ywciio9UIQ==",
-      "license": "MIT"
-    },
     "node_modules/is-negative-zero": {
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/is-negative-zero/-/is-negative-zero-2.0.2.tgz",
@@ -17108,38 +16859,6 @@
       "integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==",
       "dev": true
     },
-    "node_modules/make-fetch-happen": {
-      "version": "13.0.1",
-      "resolved": "https://registry.npmjs.org/make-fetch-happen/-/make-fetch-happen-13.0.1.tgz",
-      "integrity": "sha512-cKTUFc/rbKUd/9meOvgrpJ2WrNzymt6jfRDdwg5UCnVzv9dTpEj9JS5m3wtziXVCjluIXyL8pcaukYqezIzZQA==",
-      "license": "ISC",
-      "dependencies": {
-        "@npmcli/agent": "^2.0.0",
-        "cacache": "^18.0.0",
-        "http-cache-semantics": "^4.1.1",
-        "is-lambda": "^1.0.1",
-        "minipass": "^7.0.2",
-        "minipass-fetch": "^3.0.0",
-        "minipass-flush": "^1.0.5",
-        "minipass-pipeline": "^1.2.4",
-        "negotiator": "^0.6.3",
-        "proc-log": "^4.2.0",
-        "promise-retry": "^2.0.1",
-        "ssri": "^10.0.0"
-      },
-      "engines": {
-        "node": "^16.14.0 || >=18.0.0"
-      }
-    },
-    "node_modules/make-fetch-happen/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
     "node_modules/math-intrinsics": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
@@ -17313,125 +17032,6 @@
         "node": ">=8"
       }
     },
-    "node_modules/minipass-collect": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/minipass-collect/-/minipass-collect-2.0.1.tgz",
-      "integrity": "sha512-D7V8PO9oaz7PWGLbCACuI1qEOsq7UKfLotx/C0Aet43fCUB/wfQ7DYeq2oR/svFJGYDHPr38SHATeaj/ZoKHKw==",
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^7.0.3"
-      },
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
-    "node_modules/minipass-collect/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
-    "node_modules/minipass-fetch": {
-      "version": "3.0.5",
-      "resolved": "https://registry.npmjs.org/minipass-fetch/-/minipass-fetch-3.0.5.tgz",
-      "integrity": "sha512-2N8elDQAtSnFV0Dk7gt15KHsS0Fyz6CbYZ360h0WTYV1Ty46li3rAXVOQj1THMNLdmrD9Vt5pBPtWtVkpwGBqg==",
-      "license": "MIT",
-      "dependencies": {
-        "minipass": "^7.0.3",
-        "minipass-sized": "^1.0.3",
-        "minizlib": "^2.1.2"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      },
-      "optionalDependencies": {
-        "encoding": "^0.1.13"
-      }
-    },
-    "node_modules/minipass-fetch/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
-    "node_modules/minipass-flush": {
-      "version": "1.0.5",
-      "resolved": "https://registry.npmjs.org/minipass-flush/-/minipass-flush-1.0.5.tgz",
-      "integrity": "sha512-JmQSYYpPUqX5Jyn1mXaRwOda1uQ8HP5KAT/oDSLCzt1BYRhQU0/hDtsB1ufZfEEzMZ9aAVmsBw8+FWsIXlClWw==",
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^3.0.0"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/minipass-flush/node_modules/minipass": {
-      "version": "3.3.6",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
-      "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
-      "license": "ISC",
-      "dependencies": {
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/minipass-pipeline": {
-      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/minipass-pipeline/-/minipass-pipeline-1.2.4.tgz",
-      "integrity": "sha512-xuIq7cIOt09RPRJ19gdi4b+RiNvDFYe5JH+ggNvBqGqpQXcru3PcRmOZuHBKWK1Txf9+cQ+HMVN4d6z46LZP7A==",
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^3.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/minipass-pipeline/node_modules/minipass": {
-      "version": "3.3.6",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
-      "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
-      "license": "ISC",
-      "dependencies": {
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/minipass-sized": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/minipass-sized/-/minipass-sized-1.0.3.tgz",
-      "integrity": "sha512-MbkQQ2CTiBMlA2Dm/5cY+9SWFEN8pzzOXi6rlM5Xxq0Yqbda5ZQy9sU75a673FE9ZK0Zsbr6Y5iP6u9nktfg2g==",
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^3.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/minipass-sized/node_modules/minipass": {
-      "version": "3.3.6",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
-      "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
-      "license": "ISC",
-      "dependencies": {
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
     "node_modules/minizlib": {
       "version": "2.1.2",
       "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-2.1.2.tgz",
@@ -17753,12 +17353,6 @@
         "node": ">=12"
       }
     },
-    "node_modules/nan": {
-      "version": "2.22.2",
-      "resolved": "https://registry.npmjs.org/nan/-/nan-2.22.2.tgz",
-      "integrity": "sha512-DANghxFkS1plDdRsX0X9pm0Z6SJNN6gBdtXfanwoZ8hooC5gosGFSBGRYHUVPz1asKA/kMRqDRdHrluZ61SpBQ==",
-      "license": "MIT"
-    },
     "node_modules/nanoid": {
       "version": "3.3.8",
       "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.8.tgz",
@@ -17849,30 +17443,6 @@
         }
       }
     },
-    "node_modules/node-gyp": {
-      "version": "10.3.1",
-      "resolved": "https://registry.npmjs.org/node-gyp/-/node-gyp-10.3.1.tgz",
-      "integrity": "sha512-Pp3nFHBThHzVtNY7U6JfPjvT/DTE8+o/4xKsLQtBoU+j2HLsGlhcfzflAoUreaJbNmYnX+LlLi0qjV8kpyO6xQ==",
-      "license": "MIT",
-      "dependencies": {
-        "env-paths": "^2.2.0",
-        "exponential-backoff": "^3.1.1",
-        "glob": "^10.3.10",
-        "graceful-fs": "^4.2.6",
-        "make-fetch-happen": "^13.0.0",
-        "nopt": "^7.0.0",
-        "proc-log": "^4.1.0",
-        "semver": "^7.3.5",
-        "tar": "^6.2.1",
-        "which": "^4.0.0"
-      },
-      "bin": {
-        "node-gyp": "bin/node-gyp.js"
-      },
-      "engines": {
-        "node": "^16.14.0 || >=18.0.0"
-      }
-    },
     "node_modules/node-gyp-build": {
       "version": "3.9.0",
       "resolved": "https://registry.npmjs.org/node-gyp-build/-/node-gyp-build-3.9.0.tgz",
@@ -17894,122 +17464,6 @@
         "node-gyp-build-optional-packages-test": "build-test.js"
       }
     },
-    "node_modules/node-gyp/node_modules/abbrev": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-2.0.0.tgz",
-      "integrity": "sha512-6/mh1E2u2YgEsCHdY0Yx5oW+61gZU+1vXaoiHHrpKeuRNNgFvS+/jrwHiQhB5apAf5oB7UB7E19ol2R2LKH8hQ==",
-      "license": "ISC",
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
-    "node_modules/node-gyp/node_modules/brace-expansion": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
-      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^1.0.0"
-      }
-    },
-    "node_modules/node-gyp/node_modules/glob": {
-      "version": "10.4.5",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
-      "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
-      "license": "ISC",
-      "dependencies": {
-        "foreground-child": "^3.1.0",
-        "jackspeak": "^3.1.2",
-        "minimatch": "^9.0.4",
-        "minipass": "^7.1.2",
-        "package-json-from-dist": "^1.0.0",
-        "path-scurry": "^1.11.1"
-      },
-      "bin": {
-        "glob": "dist/esm/bin.mjs"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/node-gyp/node_modules/isexe": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/isexe/-/isexe-3.1.1.tgz",
-      "integrity": "sha512-LpB/54B+/2J5hqQ7imZHfdU31OlgQqx7ZicVlkm9kzg9/w8GKLEcFfJl/t7DCEDueOyBAD6zCCwTO6Fzs0NoEQ==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16"
-      }
-    },
-    "node_modules/node-gyp/node_modules/jackspeak": {
-      "version": "3.4.3",
-      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz",
-      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
-      "license": "BlueOak-1.0.0",
-      "dependencies": {
-        "@isaacs/cliui": "^8.0.2"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      },
-      "optionalDependencies": {
-        "@pkgjs/parseargs": "^0.11.0"
-      }
-    },
-    "node_modules/node-gyp/node_modules/minimatch": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
-      "license": "ISC",
-      "dependencies": {
-        "brace-expansion": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/node-gyp/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
-    "node_modules/node-gyp/node_modules/nopt": {
-      "version": "7.2.1",
-      "resolved": "https://registry.npmjs.org/nopt/-/nopt-7.2.1.tgz",
-      "integrity": "sha512-taM24ViiimT/XntxbPyJQzCG+p4EKOpgD3mxFwW38mGjVUrfERQOeY4EDHjdnptttfHuHQXFx+lTP08Q+mLa/w==",
-      "license": "ISC",
-      "dependencies": {
-        "abbrev": "^2.0.0"
-      },
-      "bin": {
-        "nopt": "bin/nopt.js"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
-    "node_modules/node-gyp/node_modules/which": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/which/-/which-4.0.0.tgz",
-      "integrity": "sha512-GlaYyEb07DPxYCKhKzplCWBJtvxZcZMrL+4UkrTSJHHPyZU4mYYTv3qaOe77H7EODLSSopAUFAc6W8U4yqvscg==",
-      "license": "ISC",
-      "dependencies": {
-        "isexe": "^3.1.1"
-      },
-      "bin": {
-        "node-which": "bin/which.js"
-      },
-      "engines": {
-        "node": "^16.13.0 || >=18.0.0"
-      }
-    },
     "node_modules/node-releases": {
       "version": "2.0.14",
       "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.14.tgz",
@@ -18670,21 +18124,6 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/p-map": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/p-map/-/p-map-4.0.0.tgz",
-      "integrity": "sha512-/bjOqmgETBYB5BoEeGVea8dmvHb2m9GLy1E9W43yeyfP6QQCZGFNa+XRceJEuDB6zqr+gKpIAmlLebMpykw/MQ==",
-      "license": "MIT",
-      "dependencies": {
-        "aggregate-error": "^3.0.0"
-      },
-      "engines": {
-        "node": ">=10"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
     "node_modules/p-queue": {
       "version": "6.6.2",
       "resolved": "https://registry.npmjs.org/p-queue/-/p-queue-6.6.2.tgz",
@@ -19762,15 +19201,6 @@
         "real-require": "^0.2.0"
       }
     },
-    "node_modules/proc-log": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/proc-log/-/proc-log-4.2.0.tgz",
-      "integrity": "sha512-g8+OnU/L2v+wyiVK+D5fA34J7EH8jZ8DDlvwhRCMxmMj7UCBvxiO1mGeN+36JXIKF4zevU4kRBd8lVgG9vLelA==",
-      "license": "ISC",
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
     "node_modules/process": {
       "version": "0.11.10",
       "resolved": "https://registry.npmjs.org/process/-/process-0.11.10.tgz",
@@ -19799,28 +19229,6 @@
         "node": ">=0.4.0"
       }
     },
-    "node_modules/promise-retry": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/promise-retry/-/promise-retry-2.0.1.tgz",
-      "integrity": "sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g==",
-      "license": "MIT",
-      "dependencies": {
-        "err-code": "^2.0.2",
-        "retry": "^0.12.0"
-      },
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/promise-retry/node_modules/retry": {
-      "version": "0.12.0",
-      "resolved": "https://registry.npmjs.org/retry/-/retry-0.12.0.tgz",
-      "integrity": "sha512-9LkiTwjUh6rT555DtE9rTX+BKByPfrMzEAtnlEtdEwr3Nkffwiihqe2bWADg+OQRjt9gl6ICdmB/ZFDCGAtSow==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 4"
-      }
-    },
     "node_modules/prompt-sync": {
       "version": "4.2.0",
       "resolved": "https://registry.npmjs.org/prompt-sync/-/prompt-sync-4.2.0.tgz",
@@ -20092,18 +19500,6 @@
         "node": ">=0.10.0"
       }
     },
-    "node_modules/re2": {
-      "version": "1.21.4",
-      "resolved": "https://registry.npmjs.org/re2/-/re2-1.21.4.tgz",
-      "integrity": "sha512-MVIfXWJmsP28mRsSt8HeL750ifb8H5+oF2UDIxGaiJCr8fkMqhLZ7kcX9ADRk2dC8qeGKedB7UVYRfBVpEiLfA==",
-      "hasInstallScript": true,
-      "license": "BSD-3-Clause",
-      "dependencies": {
-        "install-artifact-from-github": "^1.3.5",
-        "nan": "^2.20.0",
-        "node-gyp": "^10.2.0"
-      }
-    },
     "node_modules/react-is": {
       "version": "18.2.0",
       "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.2.0.tgz",
@@ -20685,6 +20081,11 @@
         "undici-types": "~6.19.2"
       }
     },
+    "node_modules/scim-patch/node_modules/undici-types": {
+      "version": "6.19.8",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz",
+      "integrity": "sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw=="
+    },
     "node_modules/scim2-parse-filter": {
       "version": "0.2.10",
       "resolved": "https://registry.npmjs.org/scim2-parse-filter/-/scim2-parse-filter-0.2.10.tgz",
@@ -21025,16 +20426,6 @@
         "node": ">=8"
       }
     },
-    "node_modules/smart-buffer": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/smart-buffer/-/smart-buffer-4.2.0.tgz",
-      "integrity": "sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 6.0.0",
-        "npm": ">= 3.0.0"
-      }
-    },
     "node_modules/smee-client": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/smee-client/-/smee-client-2.0.0.tgz",
@@ -21238,60 +20629,6 @@
         "uuid": "dist/bin/uuid"
       }
     },
-    "node_modules/socks": {
-      "version": "2.8.4",
-      "resolved": "https://registry.npmjs.org/socks/-/socks-2.8.4.tgz",
-      "integrity": "sha512-D3YaD0aRxR3mEcqnidIs7ReYJFVzWdd6fXJYUM8ixcQcJRGTka/b3saV0KflYhyVJXKhb947GndU35SxYNResQ==",
-      "license": "MIT",
-      "dependencies": {
-        "ip-address": "^9.0.5",
-        "smart-buffer": "^4.2.0"
-      },
-      "engines": {
-        "node": ">= 10.0.0",
-        "npm": ">= 3.0.0"
-      }
-    },
-    "node_modules/socks-proxy-agent": {
-      "version": "8.0.5",
-      "resolved": "https://registry.npmjs.org/socks-proxy-agent/-/socks-proxy-agent-8.0.5.tgz",
-      "integrity": "sha512-HehCEsotFqbPW9sJ8WVYB6UbmIMv7kUUORIF2Nncq4VQvBfNBLibW9YZR5dlYCSUhwcD628pRllm7n+E+YTzJw==",
-      "license": "MIT",
-      "dependencies": {
-        "agent-base": "^7.1.2",
-        "debug": "^4.3.4",
-        "socks": "^2.8.3"
-      },
-      "engines": {
-        "node": ">= 14"
-      }
-    },
-    "node_modules/socks-proxy-agent/node_modules/agent-base": {
-      "version": "7.1.3",
-      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-7.1.3.tgz",
-      "integrity": "sha512-jRR5wdylq8CkOe6hei19GGZnxM6rBGwFl3Bg0YItGDimvjGtAvdZk4Pu6Cl4u4Igsws4a1fd1Vq3ezrhn4KmFw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 14"
-      }
-    },
-    "node_modules/socks-proxy-agent/node_modules/debug": {
-      "version": "4.4.0",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
-      "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
-      "license": "MIT",
-      "dependencies": {
-        "ms": "^2.1.3"
-      },
-      "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
-      }
-    },
     "node_modules/sonic-boom": {
       "version": "3.7.0",
       "resolved": "https://registry.npmjs.org/sonic-boom/-/sonic-boom-3.7.0.tgz",
@@ -21347,27 +20684,6 @@
         "node": ">= 0.6"
       }
     },
-    "node_modules/ssri": {
-      "version": "10.0.6",
-      "resolved": "https://registry.npmjs.org/ssri/-/ssri-10.0.6.tgz",
-      "integrity": "sha512-MGrFH9Z4NP9Iyhqn16sDtBpRRNJ0Y2hNa6D65h736fVSaPCHr4DM4sWUNvVaSuC+0OBGhwsrydQwmgfg5LncqQ==",
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^7.0.3"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
-    "node_modules/ssri/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
     "node_modules/stack-trace": {
       "version": "0.0.10",
       "resolved": "https://registry.npmjs.org/stack-trace/-/stack-trace-0.0.10.tgz",
@@ -23126,9 +22442,9 @@
       }
     },
     "node_modules/undici-types": {
-      "version": "6.19.8",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz",
-      "integrity": "sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw=="
+      "version": "5.26.5",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
+      "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA=="
     },
     "node_modules/unicode-canonical-property-names-ecmascript": {
       "version": "2.0.0",
@@ -23170,30 +22486,6 @@
         "node": ">=4"
       }
     },
-    "node_modules/unique-filename": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/unique-filename/-/unique-filename-3.0.0.tgz",
-      "integrity": "sha512-afXhuC55wkAmZ0P18QsVE6kp8JaxrEokN2HGIoIVv2ijHQd419H0+6EigAFcIzXeMIkcIkNBpB3L/DXB3cTS/g==",
-      "license": "ISC",
-      "dependencies": {
-        "unique-slug": "^4.0.0"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
-    "node_modules/unique-slug": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/unique-slug/-/unique-slug-4.0.0.tgz",
-      "integrity": "sha512-WrcA6AyEfqDX5bWige/4NQfPZMtASNVxdmWR76WESYQVAACSgWcR6e9i0mofqqBxYFtL4oAxPIptY73/0YE1DQ==",
-      "license": "ISC",
-      "dependencies": {
-        "imurmurhash": "^0.1.4"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
-      }
-    },
     "node_modules/universal-github-app-jwt": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/universal-github-app-jwt/-/universal-github-app-jwt-2.2.0.tgz",

backend/package.json

@@ -89,7 +89,7 @@
     "@types/jsrp": "^0.2.6",
     "@types/libsodium-wrappers": "^0.7.13",
     "@types/lodash.isequal": "^4.5.8",
-    "@types/node": "^20.17.30",
+    "@types/node": "^20.9.5",
     "@types/nodemailer": "^6.4.14",
     "@types/passport-github": "^1.1.12",
     "@types/passport-google-oauth20": "^2.0.14",
@@ -221,7 +221,6 @@
     "pkijs": "^3.2.4",
     "posthog-node": "^3.6.2",
     "probot": "^13.3.8",
-    "re2": "^1.21.4",
     "safe-regex": "^2.1.1",
     "scim-patch": "^0.8.3",
     "scim2-parse-filter": "^0.2.10",

backend/src/@types/fastify.d.ts

@@ -136,7 +136,7 @@ declare module "fastify" {
     rateLimits: RateLimitConfiguration;
     // passport data
     passportUser: {
-      isUserCompleted: boolean;
+      isUserCompleted: string;
       providerAuthToken: string;
     };
     kmipUser: {

backend/src/db/migrations/20250402000941_add-type-to-kms-keys.ts

@@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { KmsKeyUsage } from "@app/services/kms/kms-types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasKeyUsageColumn = await knex.schema.hasColumn(TableName.KmsKey, "keyUsage");
-
-  if (!hasKeyUsageColumn) {
-    await knex.schema.alterTable(TableName.KmsKey, (t) => {
-      t.string("keyUsage").notNullable().defaultTo(KmsKeyUsage.ENCRYPT_DECRYPT);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasKeyUsageColumn = await knex.schema.hasColumn(TableName.KmsKey, "keyUsage");
-
-  if (hasKeyUsageColumn) {
-    await knex.schema.alterTable(TableName.KmsKey, (t) => {
-      t.dropColumn("keyUsage");
-    });
-  }
-}

backend/src/db/migrations/20250409161555_add-dynamic-secret-to-resource-metadata.ts

@@ -1,20 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.ResourceMetadata, "dynamicSecretId"))) {
-    await knex.schema.alterTable(TableName.ResourceMetadata, (tb) => {
-      tb.uuid("dynamicSecretId");
-      tb.foreign("dynamicSecretId").references("id").inTable(TableName.DynamicSecret).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.ResourceMetadata, "dynamicSecretId")) {
-    await knex.schema.alterTable(TableName.ResourceMetadata, (tb) => {
-      tb.dropColumn("dynamicSecretId");
-    });
-  }
-}

backend/src/db/migrations/20250414203701_add-notification-flag-service-token.ts

@@ -1,27 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.ServiceToken, "expiryNotificationSent");
-  if (!hasCol) {
-    await knex.schema.alterTable(TableName.ServiceToken, (t) => {
-      t.boolean("expiryNotificationSent").defaultTo(false);
-    });
-
-    // Update only tokens where expiresAt is before current time
-    await knex(TableName.ServiceToken)
-      .whereRaw(`${TableName.ServiceToken}."expiresAt" < NOW()`)
-      .whereNotNull("expiresAt")
-      .update({ expiryNotificationSent: true });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.ServiceToken, "expiryNotificationSent");
-  if (hasCol) {
-    await knex.schema.alterTable(TableName.ServiceToken, (t) => {
-      t.dropColumn("expiryNotificationSent");
-    });
-  }
-}

backend/src/db/migrations/20250414234624_add-project-delete-protection.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.Project, "hasDeleteProtection");
-  if (!hasCol) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.boolean("hasDeleteProtection").defaultTo(false);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.Project, "hasDeleteProtection");
-  if (hasCol) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.dropColumn("hasDeleteProtection");
-    });
-  }
-}

backend/src/db/migrations/20250415010421_increase-certificate-altnames-character-limit.ts

@@ -1,15 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.Certificate, (t) => {
-    t.string("altNames", 4096).alter();
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.Certificate, (t) => {
-    t.string("altNames").alter(); // Defaults to varchar(255)
-  });
-}

backend/src/db/migrations/20250415020304_increase-kmip-certificate-altnames-character-limit.ts

@@ -1,15 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.KmipOrgServerCertificates, (t) => {
-    t.string("altNames", 4096).alter();
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.KmipOrgServerCertificates, (t) => {
-    t.string("altNames").alter(); // Defaults to varchar(255)
-  });
-}

backend/src/db/migrations/20250416113437_add-oidc-jwt-signature-algorithm.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { OIDCJWTSignatureAlgorithm } from "@app/ee/services/oidc/oidc-config-types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.OidcConfig, "jwtSignatureAlgorithm"))) {
-    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
-      t.string("jwtSignatureAlgorithm").defaultTo(OIDCJWTSignatureAlgorithm.RS256).notNullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.OidcConfig, "jwtSignatureAlgorithm")) {
-    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
-      t.dropColumn("jwtSignatureAlgorithm");
-    });
-  }
-}

backend/src/db/migrations/20250416145120_add-enable-bypass-org-auth-flag.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.Organization, "bypassOrgAuthEnabled"))) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      t.boolean("bypassOrgAuthEnabled").defaultTo(false).notNullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Organization, "bypassOrgAuthEnabled")) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      t.dropColumn("bypassOrgAuthEnabled");
-    });
-  }
-}

backend/src/db/migrations/20250421165221_fix-identites-and-user-deletion-secret-version-reference.ts

@@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
-    table.dropForeign(["userActorId"]);
-    table.dropForeign(["identityActorId"]);
-  });
-
-  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
-    table.foreign("userActorId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-
-    table.foreign("identityActorId").references("id").inTable(TableName.Identity).onDelete("SET NULL");
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
-    table.dropForeign(["userActorId"]);
-    table.dropForeign(["identityActorId"]);
-  });
-
-  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
-    table.foreign("userActorId").references("id").inTable(TableName.Users);
-
-    table.foreign("identityActorId").references("id").inTable(TableName.Identity);
-  });
-}

backend/src/db/migrations/20250425163216_ssh-nullable-ca-defaults.ts

@@ -1,47 +0,0 @@
-import { Knex } from "knex";
-
-import { ProjectType, TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasDefaultUserCaCol = await knex.schema.hasColumn(TableName.ProjectSshConfig, "defaultUserSshCaId");
-  const hasDefaultHostCaCol = await knex.schema.hasColumn(TableName.ProjectSshConfig, "defaultHostSshCaId");
-
-  if (hasDefaultUserCaCol && hasDefaultHostCaCol) {
-    await knex.schema.alterTable(TableName.ProjectSshConfig, (t) => {
-      t.dropForeign(["defaultUserSshCaId"]);
-      t.dropForeign(["defaultHostSshCaId"]);
-    });
-    await knex.schema.alterTable(TableName.ProjectSshConfig, (t) => {
-      // allow nullable (does not wipe existing values)
-      t.uuid("defaultUserSshCaId").nullable().alter();
-      t.uuid("defaultHostSshCaId").nullable().alter();
-      // re-add with SET NULL behavior (previously CASCADE)
-      t.foreign("defaultUserSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
-      t.foreign("defaultHostSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
-    });
-  }
-
-  // (dangtony98): backfill by adding null defaults CAs for all existing Infisical SSH projects
-  // that do not have an associated ProjectSshConfig record introduced in Infisical SSH V2.
-
-  const allProjects = await knex(TableName.Project).where("type", ProjectType.SSH).select("id");
-
-  const projectsWithConfig = await knex(TableName.ProjectSshConfig).select("projectId");
-  const projectIdsWithConfig = new Set(projectsWithConfig.map((config) => config.projectId));
-
-  const projectsNeedingConfig = allProjects.filter((project) => !projectIdsWithConfig.has(project.id));
-
-  if (projectsNeedingConfig.length > 0) {
-    const configsToInsert = projectsNeedingConfig.map((project) => ({
-      projectId: project.id,
-      defaultUserSshCaId: null,
-      defaultHostSshCaId: null,
-      createdAt: new Date(),
-      updatedAt: new Date()
-    }));
-
-    await knex.batchInsert(TableName.ProjectSshConfig, configsToInsert);
-  }
-}
-
-export async function down(): Promise<void> {}

backend/src/db/schemas/kms-keys.ts

@@ -16,8 +16,7 @@ export const KmsKeysSchema = z.object({
   name: z.string(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  projectId: z.string().nullable().optional(),
-  keyUsage: z.string().default("encrypt-decrypt")
+  projectId: z.string().nullable().optional()
 });
 
 export type TKmsKeys = z.infer<typeof KmsKeysSchema>;

backend/src/db/schemas/oidc-configs.ts

@@ -30,10 +30,9 @@ export const OidcConfigsSchema = z.object({
   updatedAt: z.date(),
   orgId: z.string().uuid(),
   lastUsed: z.date().nullable().optional(),
-  encryptedOidcClientId: zodBuffer,
-  encryptedOidcClientSecret: zodBuffer,
   manageGroupMemberships: z.boolean().default(false),
-  jwtSignatureAlgorithm: z.string().default("RS256")
+  encryptedOidcClientId: zodBuffer,
+  encryptedOidcClientSecret: zodBuffer
 });
 
 export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;

backend/src/db/schemas/organizations.ts

@@ -26,8 +26,7 @@ export const OrganizationsSchema = z.object({
   allowSecretSharingOutsideOrganization: z.boolean().default(true).nullable().optional(),
   shouldUseNewPrivilegeSystem: z.boolean().default(true),
   privilegeUpgradeInitiatedByUsername: z.string().nullable().optional(),
-  privilegeUpgradeInitiatedAt: z.date().nullable().optional(),
-  bypassOrgAuthEnabled: z.boolean().default(false)
+  privilegeUpgradeInitiatedAt: z.date().nullable().optional()
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/db/schemas/projects.ts

@@ -26,8 +26,7 @@ export const ProjectsSchema = z.object({
   kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
   description: z.string().nullable().optional(),
   type: z.string(),
-  enforceCapitalization: z.boolean().default(false),
-  hasDeleteProtection: z.boolean().default(true).nullable().optional()
+  enforceCapitalization: z.boolean().default(false)
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/resource-metadata.ts

@@ -16,8 +16,7 @@ export const ResourceMetadataSchema = z.object({
   identityId: z.string().uuid().nullable().optional(),
   secretId: z.string().uuid().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  dynamicSecretId: z.string().uuid().nullable().optional()
+  updatedAt: z.date()
 });
 
 export type TResourceMetadata = z.infer<typeof ResourceMetadataSchema>;

backend/src/db/schemas/service-tokens.ts

@@ -21,8 +21,7 @@ export const ServiceTokensSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   createdBy: z.string(),
-  projectId: z.string(),
-  expiryNotificationSent: z.boolean().default(false).nullable().optional()
+  projectId: z.string()
 });
 
 export type TServiceTokens = z.infer<typeof ServiceTokensSchema>;

backend/src/ee/routes/v1/dynamic-secret-lease-router.ts

@@ -1,7 +1,7 @@
 import { z } from "zod";
 
 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
-import { ApiDocsTags, DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
+import { DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { ms } from "@app/lib/ms";
@@ -18,8 +18,6 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
       body: z.object({
         dynamicSecretName: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.dynamicSecretName).toLowerCase(),
         projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.projectSlug),
@@ -67,8 +65,6 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
       params: z.object({
         leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.leaseId)
       }),
@@ -111,8 +107,6 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
       params: z.object({
         leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.leaseId)
       }),
@@ -166,8 +160,6 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
       params: z.object({
         leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.leaseId)
       }),

backend/src/ee/routes/v1/dynamic-secret-router.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
 import { DynamicSecretProviderSchema } from "@app/ee/services/dynamic-secret/providers/models";
-import { ApiDocsTags, DYNAMIC_SECRETS } from "@app/lib/api-docs";
+import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { ms } from "@app/lib/ms";
@@ -11,7 +11,6 @@ import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 export const registerDynamicSecretRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -21,8 +20,6 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
       body: z.object({
         projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.CREATE.projectSlug),
         provider: DynamicSecretProviderSchema.describe(DYNAMIC_SECRETS.CREATE.provider),
@@ -51,8 +48,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
           .nullable(),
         path: z.string().describe(DYNAMIC_SECRETS.CREATE.path).trim().default("/").transform(removeTrailingSlash),
         environmentSlug: z.string().describe(DYNAMIC_SECRETS.CREATE.environmentSlug).min(1),
-        name: slugSchema({ min: 1, max: 64, field: "Name" }).describe(DYNAMIC_SECRETS.CREATE.name),
-        metadata: ResourceMetadataSchema.optional()
+        name: slugSchema({ min: 1, max: 64, field: "Name" }).describe(DYNAMIC_SECRETS.CREATE.name)
       }),
       response: {
         200: z.object({
@@ -113,8 +109,6 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
       params: z.object({
         name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.UPDATE.name)
       }),
@@ -149,8 +143,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
                 ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
             })
             .nullable(),
-          newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional(),
-          metadata: ResourceMetadataSchema.optional()
+          newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional()
         })
       }),
       response: {
@@ -183,8 +176,6 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
       params: z.object({
         name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.DELETE.name)
       }),
@@ -221,8 +212,6 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
       params: z.object({
         name: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.name)
       }),
@@ -249,7 +238,6 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
         name: req.params.name,
         ...req.query
       });
-
       return { dynamicSecret: dynamicSecretCfg };
     }
   });
@@ -261,8 +249,6 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
       querystring: z.object({
         projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.projectSlug),
         path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.LIST.path),
@@ -294,20 +280,18 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.DynamicSecrets],
       params: z.object({
-        name: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.name)
+        name: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.name)
       }),
       querystring: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.projectSlug),
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.projectSlug),
         path: z
           .string()
           .trim()
           .default("/")
           .transform(removeTrailingSlash)
-          .describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.environmentSlug)
+          .describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.path),
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.environmentSlug)
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/group-router.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { GroupsSchema, OrgMembershipRole, UsersSchema } from "@app/db/schemas";
 import { EFilterReturnedUsers } from "@app/ee/services/group/group-types";
-import { ApiDocsTags, GROUPS } from "@app/lib/api-docs";
+import { GROUPS } from "@app/lib/api-docs";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -13,8 +13,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
       body: z.object({
         name: z.string().trim().min(1).max(50).describe(GROUPS.CREATE.name),
         slug: slugSchema({ min: 5, max: 36 }).optional().describe(GROUPS.CREATE.slug),
@@ -42,8 +40,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     method: "GET",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
       params: z.object({
         id: z.string().trim().describe(GROUPS.GET_BY_ID.id)
       }),
@@ -69,8 +65,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     method: "GET",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
       response: {
         200: GroupsSchema.array()
       }
@@ -93,8 +87,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     method: "PATCH",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
       params: z.object({
         id: z.string().trim().describe(GROUPS.UPDATE.id)
       }),
@@ -128,8 +120,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     method: "DELETE",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
       params: z.object({
         id: z.string().trim().describe(GROUPS.DELETE.id)
       }),
@@ -155,8 +145,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     url: "/:id/users",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
       params: z.object({
         id: z.string().trim().describe(GROUPS.LIST_USERS.id)
       }),
@@ -206,8 +194,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     url: "/:id/users/:username",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
       params: z.object({
         id: z.string().trim().describe(GROUPS.ADD_USER.id),
         username: z.string().trim().describe(GROUPS.ADD_USER.username)
@@ -241,8 +227,6 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     url: "/:id/users/:username",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.Groups],
       params: z.object({
         id: z.string().trim().describe(GROUPS.DELETE_USER.id),
         username: z.string().trim().describe(GROUPS.DELETE_USER.username)

backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts

@@ -3,7 +3,7 @@ import { z } from "zod";
 
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
 import { backfillPermissionV1SchemaToV2Schema } from "@app/ee/services/permission/project-permission";
-import { ApiDocsTags, IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
+import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { UnauthorizedError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -25,8 +25,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
       description: "Create a permanent or a non expiry specific privilege for identity.",
       security: [
         {
@@ -87,8 +85,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
       description: "Create a temporary or a expiring specific privilege for identity.",
       security: [
         {
@@ -161,8 +157,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
       description: "Update a specific privilege of an identity.",
       security: [
         {
@@ -246,8 +240,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
       description: "Delete a specific privilege of an identity.",
       security: [
         {
@@ -287,8 +279,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
       description: "Retrieve details of a specific privilege by privilege slug.",
       security: [
         {
@@ -329,8 +319,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
       description: "List of a specific privilege of an identity in a project.",
       security: [
         {

backend/src/ee/routes/v1/kmip-spec-router.ts

@@ -2,7 +2,7 @@ import z from "zod";
 
 import { KmsKeysSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SymmetricKeyAlgorithm } from "@app/lib/crypto/cipher";
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -74,7 +74,7 @@ export const registerKmipSpecRouter = async (server: FastifyZodProvider) => {
     schema: {
       description: "KMIP endpoint for creating managed objects",
       body: z.object({
-        algorithm: z.nativeEnum(SymmetricKeyAlgorithm)
+        algorithm: z.nativeEnum(SymmetricEncryption)
       }),
       response: {
         200: KmsKeysSchema
@@ -433,7 +433,7 @@ export const registerKmipSpecRouter = async (server: FastifyZodProvider) => {
       body: z.object({
         key: z.string(),
         name: z.string(),
-        algorithm: z.nativeEnum(SymmetricKeyAlgorithm)
+        algorithm: z.nativeEnum(SymmetricEncryption)
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/oidc-router.ts

@@ -12,7 +12,7 @@ import RedisStore from "connect-redis";
 import { z } from "zod";
 
 import { OidcConfigsSchema } from "@app/db/schemas";
-import { OIDCConfigurationType, OIDCJWTSignatureAlgorithm } from "@app/ee/services/oidc/oidc-config-types";
+import { OIDCConfigurationType } from "@app/ee/services/oidc/oidc-config-types";
 import { getConfig } from "@app/lib/config/env";
 import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -30,8 +30,7 @@ const SanitizedOidcConfigSchema = OidcConfigsSchema.pick({
   orgId: true,
   isActive: true,
   allowedEmailDomains: true,
-  manageGroupMemberships: true,
-  jwtSignatureAlgorithm: true
+  manageGroupMemberships: true
 });
 
 export const registerOidcRouter = async (server: FastifyZodProvider) => {
@@ -137,12 +136,11 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
     url: "/login/error",
     method: "GET",
     handler: async (req, res) => {
-      const failureMessage = req.session.get<any>("messages");
       await req.session.destroy();
 
       return res.status(500).send({
         error: "Authentication error",
-        details: failureMessage ?? req.query
+        details: req.query
       });
     }
   });
@@ -171,8 +169,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           isActive: true,
           orgId: true,
           allowedEmailDomains: true,
-          manageGroupMemberships: true,
-          jwtSignatureAlgorithm: true
+          manageGroupMemberships: true
         }).extend({
           clientId: z.string(),
           clientSecret: z.string()
@@ -227,8 +224,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           clientId: z.string().trim(),
           clientSecret: z.string().trim(),
           isActive: z.boolean(),
-          manageGroupMemberships: z.boolean().optional(),
-          jwtSignatureAlgorithm: z.nativeEnum(OIDCJWTSignatureAlgorithm).optional()
+          manageGroupMemberships: z.boolean().optional()
         })
         .partial()
         .merge(z.object({ orgSlug: z.string() })),
@@ -295,11 +291,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           clientSecret: z.string().trim(),
           isActive: z.boolean(),
           orgSlug: z.string().trim(),
-          manageGroupMemberships: z.boolean().optional().default(false),
-          jwtSignatureAlgorithm: z
-            .nativeEnum(OIDCJWTSignatureAlgorithm)
-            .optional()
-            .default(OIDCJWTSignatureAlgorithm.RS256)
+          manageGroupMemberships: z.boolean().optional().default(false)
         })
         .superRefine((data, ctx) => {
           if (data.configurationType === OIDCConfigurationType.CUSTOM) {

backend/src/ee/routes/v1/project-router.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { AuditLogsSchema, SecretSnapshotsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
-import { ApiDocsTags, AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
+import { AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
 import { getLastMidnightDateISO, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -17,8 +17,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.Projects],
       description: "Return project secret snapshots ids",
       security: [
         {

backend/src/ee/routes/v1/project-template-router.ts

@@ -5,7 +5,7 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { ProjectTemplateDefaultEnvironments } from "@app/ee/services/project-template/project-template-constants";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
-import { ApiDocsTags, ProjectTemplates } from "@app/lib/api-docs";
+import { ProjectTemplates } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -101,8 +101,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectTemplates],
       description: "List project templates for the current organization.",
       response: {
         200: z.object({
@@ -139,8 +137,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectTemplates],
       description: "Get a project template by ID.",
       params: z.object({
         templateId: z.string().uuid()
@@ -180,8 +176,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectTemplates],
       description: "Create a project template.",
       body: z.object({
         name: slugSchema({ field: "name" })
@@ -225,8 +219,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectTemplates],
       description: "Update a project template.",
       params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.UPDATE.templateId) }),
       body: z.object({
@@ -277,8 +269,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectTemplates],
       description: "Delete a project template.",
       params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.DELETE.templateId) }),
 

backend/src/ee/routes/v1/saml-router.ts

@@ -223,18 +223,12 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
         samlConfigId: z.string().trim()
       })
     },
-    preValidation: passport.authenticate(
-      "saml",
-      {
-        session: false
-      },
-      async (req, res, err, user) => {
-        if (err) {
-          throw new BadRequestError({ message: `Saml authentication failed. ${err?.message}`, error: err });
-        }
-        req.passportUser = user as { isUserCompleted: boolean; providerAuthToken: string };
-      }
-    ) as any, // this is due to zod type difference
+    preValidation: passport.authenticate("saml", {
+      session: false,
+      failureFlash: true,
+      failureRedirect: "/login/provider/error"
+      // this is due to zod type difference
+    }) as any,
     handler: (req, res) => {
       if (req.passportUser.isUserCompleted) {
         return res.redirect(

backend/src/ee/routes/v1/secret-rotation-provider-router.ts

@@ -23,8 +23,7 @@ export const registerSecretRotationProviderRouter = async (server: FastifyZodPro
               title: z.string(),
               image: z.string().optional(),
               description: z.string().optional(),
-              template: z.any(),
-              isDeprecated: z.boolean().optional()
+              template: z.any()
             })
             .array()
         })

backend/src/ee/routes/v1/secret-rotation-router.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 import { SecretRotationOutputsSchema, SecretRotationsSchema } from "@app/db/schemas";
+import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -40,16 +41,10 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
       }
     },
     onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const secretRotation = await server.services.secretRotation.createRotation({
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        projectId: req.body.workspaceId
+    handler: async () => {
+      throw new BadRequestError({
+        message: `This version of Secret Rotations has been deprecated. Please see docs for new version.`
       });
-      return { secretRotation };
     }
   });
 

backend/src/ee/routes/v1/snapshot-router.ts

@@ -1,7 +1,7 @@
 import { z } from "zod";
 
 import { SecretSnapshotsSchema } from "@app/db/schemas";
-import { ApiDocsTags, PROJECTS } from "@app/lib/api-docs";
+import { PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedTagSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
@@ -65,8 +65,6 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.Projects],
       description: "Roll back project secrets to those captured in a secret snapshot version.",
       security: [
         {

backend/src/ee/routes/v1/ssh-certificate-authority-router.ts

@@ -6,7 +6,7 @@ import { sanitizedSshCa } from "@app/ee/services/ssh/ssh-certificate-authority-s
 import { SshCaKeySource, SshCaStatus } from "@app/ee/services/ssh/ssh-certificate-authority-types";
 import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
 import { sanitizedSshCertificateTemplate } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-schema";
-import { ApiDocsTags, SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
+import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -20,8 +20,6 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateAuthorities],
       description: "Create SSH CA",
       body: z
         .object({
@@ -94,8 +92,6 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateAuthorities],
       description: "Get SSH CA",
       params: z.object({
         sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET.sshCaId)
@@ -142,8 +138,6 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateAuthorities],
       description: "Get public key of SSH CA",
       params: z.object({
         sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET_PUBLIC_KEY.sshCaId)
@@ -169,8 +163,6 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateAuthorities],
       description: "Update SSH CA",
       params: z.object({
         sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.UPDATE.sshCaId)
@@ -224,8 +216,6 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateAuthorities],
       description: "Delete SSH CA",
       params: z.object({
         sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.DELETE.sshCaId)
@@ -271,8 +261,6 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateAuthorities],
       description: "Get list of certificate templates for the SSH CA",
       params: z.object({
         sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET_CERTIFICATE_TEMPLATES.sshCaId)

backend/src/ee/routes/v1/ssh-certificate-router.ts

@@ -3,7 +3,7 @@ import { z } from "zod";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
 import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
-import { ApiDocsTags, SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
+import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@@ -20,8 +20,6 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificates],
       description: "Sign SSH public key",
       body: z.object({
         certificateTemplateId: z
@@ -102,8 +100,6 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificates],
       description: "Issue SSH credentials (certificate + key)",
       body: z.object({
         certificateTemplateId: z

backend/src/ee/routes/v1/ssh-certificate-template-router.ts

@@ -8,7 +8,7 @@ import {
   isValidHostPattern,
   isValidUserPattern
 } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-validators";
-import { ApiDocsTags, SSH_CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
+import { SSH_CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -22,8 +22,6 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateTemplates],
       params: z.object({
         certificateTemplateId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.GET.certificateTemplateId)
       }),
@@ -63,8 +61,6 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateTemplates],
       body: z
         .object({
           sshCaId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.sshCaId),
@@ -145,8 +141,6 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateTemplates],
       body: z.object({
         status: z.nativeEnum(SshCertTemplateStatus).optional(),
         name: z
@@ -230,8 +224,6 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SshCertificateTemplates],
       params: z.object({
         certificateTemplateId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.DELETE.certificateTemplateId)
       }),

backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts

@@ -4,7 +4,7 @@ import { z } from "zod";
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-types";
 import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
-import { ApiDocsTags, IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
+import { IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -21,8 +21,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
       description: "Add an additional privilege for identity.",
       security: [
         {
@@ -86,8 +84,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
       description: "Update a specific identity privilege.",
       security: [
         {
@@ -152,8 +148,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
       description: "Delete the specified identity privilege.",
       security: [
         {
@@ -189,8 +183,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
       description: "Retrieve details of a specific privilege by id.",
       security: [
         {
@@ -226,8 +218,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
       description: "Retrieve details of a specific privilege by slug.",
       security: [
         {
@@ -268,8 +258,6 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
       description: "List privileges for the specified identity by project.",
       security: [
         {

backend/src/ee/routes/v2/project-role-router.ts

@@ -4,7 +4,7 @@ import { z } from "zod";
 import { ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
 import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
-import { ApiDocsTags, PROJECT_ROLE } from "@app/lib/api-docs";
+import { PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -20,8 +20,6 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectRoles],
       description: "Create a project role",
       security: [
         {
@@ -77,8 +75,6 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectRoles],
       description: "Update a project role",
       security: [
         {
@@ -134,8 +130,6 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectRoles],
       description: "Delete a project role",
       security: [
         {
@@ -172,8 +166,6 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectRoles],
       description: "List project role",
       security: [
         {
@@ -212,8 +204,6 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.ProjectRoles],
       params: z.object({
         projectId: z.string().trim().describe(PROJECT_ROLE.GET_ROLE_BY_SLUG.projectId),
         roleSlug: z.string().trim().describe(PROJECT_ROLE.GET_ROLE_BY_SLUG.roleSlug)

backend/src/ee/routes/v2/secret-rotation-v2-routers/auth0-client-secret-rotation-router.ts

@@ -1,19 +0,0 @@
-import {
-  Auth0ClientSecretRotationGeneratedCredentialsSchema,
-  Auth0ClientSecretRotationSchema,
-  CreateAuth0ClientSecretRotationSchema,
-  UpdateAuth0ClientSecretRotationSchema
-} from "@app/ee/services/secret-rotation-v2/auth0-client-secret";
-import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
-
-import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
-
-export const registerAuth0ClientSecretRotationRouter = async (server: FastifyZodProvider) =>
-  registerSecretRotationEndpoints({
-    type: SecretRotation.Auth0ClientSecret,
-    server,
-    responseSchema: Auth0ClientSecretRotationSchema,
-    createSchema: CreateAuth0ClientSecretRotationSchema,
-    updateSchema: UpdateAuth0ClientSecretRotationSchema,
-    generatedCredentialsSchema: Auth0ClientSecretRotationGeneratedCredentialsSchema
-  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/aws-iam-user-secret-rotation-router.ts

@@ -1,19 +0,0 @@
-import {
-  AwsIamUserSecretRotationGeneratedCredentialsSchema,
-  AwsIamUserSecretRotationSchema,
-  CreateAwsIamUserSecretRotationSchema,
-  UpdateAwsIamUserSecretRotationSchema
-} from "@app/ee/services/secret-rotation-v2/aws-iam-user-secret";
-import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
-
-import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
-
-export const registerAwsIamUserSecretRotationRouter = async (server: FastifyZodProvider) =>
-  registerSecretRotationEndpoints({
-    type: SecretRotation.AwsIamUserSecret,
-    server,
-    responseSchema: AwsIamUserSecretRotationSchema,
-    createSchema: CreateAwsIamUserSecretRotationSchema,
-    updateSchema: UpdateAwsIamUserSecretRotationSchema,
-    generatedCredentialsSchema: AwsIamUserSecretRotationGeneratedCredentialsSchema
-  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts

@@ -1,7 +1,5 @@
 import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
 
-import { registerAuth0ClientSecretRotationRouter } from "./auth0-client-secret-rotation-router";
-import { registerAwsIamUserSecretRotationRouter } from "./aws-iam-user-secret-rotation-router";
 import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
 import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";
 
@@ -12,7 +10,5 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
   (server: FastifyZodProvider) => Promise<void>
 > = {
   [SecretRotation.PostgresCredentials]: registerPostgresCredentialsRotationRouter,
-  [SecretRotation.MsSqlCredentials]: registerMsSqlCredentialsRotationRouter,
-  [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter,
-  [SecretRotation.AwsIamUserSecret]: registerAwsIamUserSecretRotationRouter
+  [SecretRotation.MsSqlCredentials]: registerMsSqlCredentialsRotationRouter
 };

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-endpoints.ts

@@ -9,7 +9,7 @@ import {
   TSecretRotationV2GeneratedCredentials,
   TSecretRotationV2Input
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
-import { ApiDocsTags, SecretRotations } from "@app/lib/api-docs";
+import { SecretRotations } from "@app/lib/api-docs";
 import { startsWithVowel } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -66,8 +66,6 @@ export const registerSecretRotationEndpoints = <
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
       description: `List the ${rotationType} Rotations for the specified project.`,
       querystring: z.object({
         projectId: z.string().trim().min(1, "Project ID required").describe(SecretRotations.LIST(type).projectId)
@@ -111,8 +109,6 @@ export const registerSecretRotationEndpoints = <
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
       description: `Get the specified ${rotationType} Rotation by ID.`,
       params: z.object({
         rotationId: z.string().uuid().describe(SecretRotations.GET_BY_ID(type).rotationId)
@@ -155,8 +151,6 @@ export const registerSecretRotationEndpoints = <
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
       description: `Get the specified ${rotationType} Rotation by name, secret path, environment and project ID.`,
       params: z.object({
         rotationName: z
@@ -221,8 +215,6 @@ export const registerSecretRotationEndpoints = <
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
       description: `Create ${
         startsWithVowel(rotationType) ? "an" : "a"
       } ${rotationType} Rotation for the specified project.`,
@@ -262,8 +254,6 @@ export const registerSecretRotationEndpoints = <
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
       description: `Update the specified ${rotationType} Rotation.`,
       params: z.object({
         rotationId: z.string().uuid().describe(SecretRotations.UPDATE(type).rotationId)
@@ -306,8 +296,6 @@ export const registerSecretRotationEndpoints = <
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
       description: `Delete the specified ${rotationType} Rotation.`,
       params: z.object({
         rotationId: z.string().uuid().describe(SecretRotations.DELETE(type).rotationId)
@@ -361,8 +349,6 @@ export const registerSecretRotationEndpoints = <
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
       description: `Get the generated credentials for the specified ${rotationType} Rotation.`,
       params: z.object({
         rotationId: z.string().uuid().describe(SecretRotations.GET_GENERATED_CREDENTIALS_BY_ID(type).rotationId)
@@ -416,8 +402,6 @@ export const registerSecretRotationEndpoints = <
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
       description: `Rotate the generated credentials for the specified ${rotationType} Rotation.`,
       params: z.object({
         rotationId: z.string().uuid().describe(SecretRotations.ROTATE(type).rotationId)

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts

@@ -1,21 +1,17 @@
 import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { Auth0ClientSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/auth0-client-secret";
-import { AwsIamUserSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/aws-iam-user-secret";
 import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { PostgresCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
-import { ApiDocsTags, SecretRotations } from "@app/lib/api-docs";
+import { SecretRotations } from "@app/lib/api-docs";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
   PostgresCredentialsRotationListItemSchema,
-  MsSqlCredentialsRotationListItemSchema,
-  Auth0ClientSecretRotationListItemSchema,
-  AwsIamUserSecretRotationListItemSchema
+  MsSqlCredentialsRotationListItemSchema
 ]);
 
 export const registerSecretRotationV2Router = async (server: FastifyZodProvider) => {
@@ -26,8 +22,6 @@ export const registerSecretRotationV2Router = async (server: FastifyZodProvider)
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
       description: "List the available Secret Rotation Options.",
       response: {
         200: z.object({
@@ -49,8 +43,6 @@ export const registerSecretRotationV2Router = async (server: FastifyZodProvider)
       rateLimit: readLimit
     },
     schema: {
-      hide: false,
-      tags: [ApiDocsTags.SecretRotations],
       description: "List all the Secret Rotations for the specified project.",
       querystring: z.object({
         projectId: z.string().trim().min(1, "Project ID required").describe(SecretRotations.LIST().projectId)

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -12,8 +12,7 @@ import {
 import { SshCaStatus, SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
 import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
 import { SshCertTemplateStatus } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-types";
-import { SymmetricKeyAlgorithm } from "@app/lib/crypto/cipher";
-import { AsymmetricKeyAlgorithm, SigningAlgorithm } from "@app/lib/crypto/sign/types";
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { TProjectPermission } from "@app/lib/types";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { TCreateAppConnectionDTO, TUpdateAppConnectionDTO } from "@app/services/app-connection/app-connection-types";
@@ -234,7 +233,6 @@ export enum EventType {
   GET_PROJECT_KMS_BACKUP = "get-project-kms-backup",
   LOAD_PROJECT_KMS_BACKUP = "load-project-kms-backup",
   ORG_ADMIN_ACCESS_PROJECT = "org-admin-accessed-project",
-  ORG_ADMIN_BYPASS_SSO = "org-admin-bypassed-sso",
   CREATE_CERTIFICATE_TEMPLATE = "create-certificate-template",
   UPDATE_CERTIFICATE_TEMPLATE = "update-certificate-template",
   DELETE_CERTIFICATE_TEMPLATE = "delete-certificate-template",
@@ -249,8 +247,6 @@ export enum EventType {
   DELETE_SLACK_INTEGRATION = "delete-slack-integration",
   GET_PROJECT_SLACK_CONFIG = "get-project-slack-config",
   UPDATE_PROJECT_SLACK_CONFIG = "update-project-slack-config",
-  GET_PROJECT_SSH_CONFIG = "get-project-ssh-config",
-  UPDATE_PROJECT_SSH_CONFIG = "update-project-ssh-config",
   INTEGRATION_SYNCED = "integration-synced",
   CREATE_CMEK = "create-cmek",
   UPDATE_CMEK = "update-cmek",
@@ -259,11 +255,6 @@ export enum EventType {
   GET_CMEK = "get-cmek",
   CMEK_ENCRYPT = "cmek-encrypt",
   CMEK_DECRYPT = "cmek-decrypt",
-  CMEK_SIGN = "cmek-sign",
-  CMEK_VERIFY = "cmek-verify",
-  CMEK_LIST_SIGNING_ALGORITHMS = "cmek-list-signing-algorithms",
-  CMEK_GET_PUBLIC_KEY = "cmek-get-public-key",
-
   UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "update-external-group-org-role-mapping",
   GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "get-external-group-org-role-mapping",
   GET_PROJECT_TEMPLATES = "get-project-templates",
@@ -1910,11 +1901,6 @@ interface OrgAdminAccessProjectEvent {
   }; // no metadata yet
 }
 
-interface OrgAdminBypassSSOEvent {
-  type: EventType.ORG_ADMIN_BYPASS_SSO;
-  metadata: Record<string, string>; // no metadata yet
-}
-
 interface CreateCertificateTemplateEstConfig {
   type: EventType.CREATE_CERTIFICATE_TEMPLATE_EST_CONFIG;
   metadata: {
@@ -1994,25 +1980,6 @@ interface GetProjectSlackConfig {
     id: string;
   };
 }
-
-interface GetProjectSshConfig {
-  type: EventType.GET_PROJECT_SSH_CONFIG;
-  metadata: {
-    id: string;
-    projectId: string;
-  };
-}
-
-interface UpdateProjectSshConfig {
-  type: EventType.UPDATE_PROJECT_SSH_CONFIG;
-  metadata: {
-    id: string;
-    projectId: string;
-    defaultUserSshCaId?: string | null;
-    defaultHostSshCaId?: string | null;
-  };
-}
-
 interface IntegrationSyncedEvent {
   type: EventType.INTEGRATION_SYNCED;
   metadata: {
@@ -2030,7 +1997,7 @@ interface CreateCmekEvent {
     keyId: string;
     name: string;
     description?: string;
-    encryptionAlgorithm: SymmetricKeyAlgorithm | AsymmetricKeyAlgorithm;
+    encryptionAlgorithm: SymmetricEncryption;
   };
 }
 
@@ -2078,39 +2045,6 @@ interface CmekDecryptEvent {
   };
 }
 
-interface CmekSignEvent {
-  type: EventType.CMEK_SIGN;
-  metadata: {
-    keyId: string;
-    signingAlgorithm: SigningAlgorithm;
-    signature: string;
-  };
-}
-
-interface CmekVerifyEvent {
-  type: EventType.CMEK_VERIFY;
-  metadata: {
-    keyId: string;
-    signingAlgorithm: SigningAlgorithm;
-    signature: string;
-    signatureValid: boolean;
-  };
-}
-
-interface CmekListSigningAlgorithmsEvent {
-  type: EventType.CMEK_LIST_SIGNING_ALGORITHMS;
-  metadata: {
-    keyId: string;
-  };
-}
-
-interface CmekGetPublicKeyEvent {
-  type: EventType.CMEK_GET_PUBLIC_KEY;
-  metadata: {
-    keyId: string;
-  };
-}
-
 interface GetExternalGroupOrgRoleMappingsEvent {
   type: EventType.GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS;
   metadata?: Record<string, never>; // not needed, based off orgId
@@ -2683,7 +2617,6 @@ export type Event =
   | GetProjectKmsBackupEvent
   | LoadProjectKmsBackupEvent
   | OrgAdminAccessProjectEvent
-  | OrgAdminBypassSSOEvent
   | CreateCertificateTemplate
   | UpdateCertificateTemplate
   | GetCertificateTemplate
@@ -2698,8 +2631,6 @@ export type Event =
   | GetSlackIntegration
   | UpdateProjectSlackConfig
   | GetProjectSlackConfig
-  | GetProjectSshConfig
-  | UpdateProjectSshConfig
   | IntegrationSyncedEvent
   | CreateCmekEvent
   | UpdateCmekEvent
@@ -2708,10 +2639,6 @@ export type Event =
   | GetCmeksEvent
   | CmekEncryptEvent
   | CmekDecryptEvent
-  | CmekSignEvent
-  | CmekVerifyEvent
-  | CmekListSigningAlgorithmsEvent
-  | CmekGetPublicKeyEvent
   | GetExternalGroupOrgRoleMappingsEvent
   | UpdateExternalGroupOrgRoleMappingsEvent
   | GetProjectTemplatesEvent

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -78,6 +78,10 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );
 
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan?.dynamicSecret) {
@@ -98,15 +102,6 @@ export const dynamicSecretLeaseServiceFactory = ({
         message: `Dynamic secret with name '${name}' in folder with path '${path}' not found`
       });
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
     const totalLeasesTaken = await dynamicSecretLeaseDAL.countLeasesForDynamicSecret(dynamicSecretCfg.id);
     if (totalLeasesTaken >= appCfg.MAX_LEASE_LIMIT)
       throw new BadRequestError({ message: `Max lease limit reached. Limit: ${appCfg.MAX_LEASE_LIMIT}` });
@@ -130,17 +125,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       if (expireAt > maxExpiryDate) throw new BadRequestError({ message: "TTL cannot be larger than max TTL" });
     }
 
-    let result;
-    try {
-      result = await selectedProvider.create(decryptedStoredInput, expireAt.getTime());
-    } catch (error: unknown) {
-      if (error && typeof error === "object" && error !== null && "sqlMessage" in error) {
-        throw new BadRequestError({ message: error.sqlMessage as string });
-      }
-      throw error;
-    }
-    const { entityId, data } = result;
-
+    const { entityId, data } = await selectedProvider.create(decryptedStoredInput, expireAt.getTime());
     const dynamicSecretLease = await dynamicSecretLeaseDAL.create({
       expireAt,
       version: 1,
@@ -174,6 +159,10 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.SecretManager,
@@ -198,25 +187,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });
     }
 
-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({
-      id: dynamicSecretLease.dynamicSecretId,
-      folderId: folder.id
-    });
-
-    if (!dynamicSecretCfg)
-      throw new NotFoundError({
-        message: `Dynamic secret with ID '${dynamicSecretLease.dynamicSecretId}' not found`
-      });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
+    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
     const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
     const decryptedStoredInput = JSON.parse(
       secretManagerDecryptor({ cipherTextBlob: Buffer.from(dynamicSecretCfg.encryptedInput) }).toString()
@@ -268,6 +239,10 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.SecretManager,
@@ -284,25 +259,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!dynamicSecretLease || dynamicSecretLease.dynamicSecret.folderId !== folder.id)
       throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });
 
-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({
-      id: dynamicSecretLease.dynamicSecretId,
-      folderId: folder.id
-    });
-
-    if (!dynamicSecretCfg)
-      throw new NotFoundError({
-        message: `Dynamic secret with ID '${dynamicSecretLease.dynamicSecretId}' not found`
-      });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
+    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
     const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
     const decryptedStoredInput = JSON.parse(
       secretManagerDecryptor({ cipherTextBlob: Buffer.from(dynamicSecretCfg.encryptedInput) }).toString()
@@ -352,6 +309,10 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
     if (!folder)
@@ -365,15 +326,6 @@ export const dynamicSecretLeaseServiceFactory = ({
         message: `Dynamic secret with name '${name}' in folder with path '${path}' not found`
       });
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
     const dynamicSecretLeases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
     return dynamicSecretLeases;
   };
@@ -400,6 +352,10 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
     if (!folder) throw new NotFoundError({ message: `Folder with path '${path}' not found` });
@@ -408,25 +364,6 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!dynamicSecretLease)
       throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });
 
-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({
-      id: dynamicSecretLease.dynamicSecretId,
-      folderId: folder.id
-    });
-
-    if (!dynamicSecretCfg)
-      throw new NotFoundError({
-        message: `Dynamic secret with ID '${dynamicSecretLease.dynamicSecretId}' not found`
-      });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
     return dynamicSecretLease;
   };
 

backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts

@@ -1,17 +1,9 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { TableName, TDynamicSecrets } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import {
-  buildFindFilter,
-  ormify,
-  prependTableNameToFindFilter,
-  selectAllTableCols,
-  sqlNestRelationships,
-  TFindFilter,
-  TFindOpt
-} from "@app/lib/knex";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
@@ -20,86 +12,6 @@ export type TDynamicSecretDALFactory = ReturnType<typeof dynamicSecretDALFactory
 export const dynamicSecretDALFactory = (db: TDbClient) => {
   const orm = ormify(db, TableName.DynamicSecret);
 
-  const findOne = async (filter: TFindFilter<TDynamicSecrets>, tx?: Knex) => {
-    const query = (tx || db.replicaNode())(TableName.DynamicSecret)
-      .leftJoin(
-        TableName.ResourceMetadata,
-        `${TableName.ResourceMetadata}.dynamicSecretId`,
-        `${TableName.DynamicSecret}.id`
-      )
-      .select(selectAllTableCols(TableName.DynamicSecret))
-      .select(
-        db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
-        db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
-        db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
-      )
-      .where(prependTableNameToFindFilter(TableName.DynamicSecret, filter));
-
-    const docs = sqlNestRelationships({
-      data: await query,
-      key: "id",
-      parentMapper: (el) => el,
-      childrenMapper: [
-        {
-          key: "metadataId",
-          label: "metadata" as const,
-          mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-            id: metadataId,
-            key: metadataKey,
-            value: metadataValue
-          })
-        }
-      ]
-    });
-
-    return docs[0];
-  };
-
-  const findWithMetadata = async (
-    filter: TFindFilter<TDynamicSecrets>,
-    { offset, limit, sort, tx }: TFindOpt<TDynamicSecrets> = {}
-  ) => {
-    const query = (tx || db.replicaNode())(TableName.DynamicSecret)
-      .leftJoin(
-        TableName.ResourceMetadata,
-        `${TableName.ResourceMetadata}.dynamicSecretId`,
-        `${TableName.DynamicSecret}.id`
-      )
-      .select(selectAllTableCols(TableName.DynamicSecret))
-      .select(
-        db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
-        db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
-        db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
-      )
-      // eslint-disable-next-line @typescript-eslint/no-misused-promises
-      .where(buildFindFilter(filter));
-
-    if (limit) void query.limit(limit);
-    if (offset) void query.offset(offset);
-    if (sort) {
-      void query.orderBy(sort.map(([column, order, nulls]) => ({ column: column as string, order, nulls })));
-    }
-
-    const docs = sqlNestRelationships({
-      data: await query,
-      key: "id",
-      parentMapper: (el) => el,
-      childrenMapper: [
-        {
-          key: "metadataId",
-          label: "metadata" as const,
-          mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-            id: metadataId,
-            key: metadataKey,
-            value: metadataValue
-          })
-        }
-      ]
-    });
-
-    return docs;
-  };
-
   // find dynamic secrets for multiple environments (folder IDs are cross env, thus need to rank for pagination)
   const listDynamicSecretsByFolderIds = async (
     {
@@ -127,27 +39,18 @@ export const dynamicSecretDALFactory = (db: TDbClient) => {
             void bd.whereILike(`${TableName.DynamicSecret}.name`, `%${search}%`);
           }
         })
-        .leftJoin(
-          TableName.ResourceMetadata,
-          `${TableName.ResourceMetadata}.dynamicSecretId`,
-          `${TableName.DynamicSecret}.id`
-        )
         .leftJoin(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.DynamicSecret}.folderId`)
         .leftJoin(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
         .select(
           selectAllTableCols(TableName.DynamicSecret),
           db.ref("slug").withSchema(TableName.Environment).as("environment"),
-          db.raw(`DENSE_RANK() OVER (ORDER BY ${TableName.DynamicSecret}."name" ${orderDirection}) as rank`),
-          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
+          db.raw(`DENSE_RANK() OVER (ORDER BY ${TableName.DynamicSecret}."name" ${orderDirection}) as rank`)
         )
         .orderBy(`${TableName.DynamicSecret}.${orderBy}`, orderDirection);
 
-      let queryWithLimit;
       if (limit) {
         const rankOffset = offset + 1;
-        queryWithLimit = (tx || db.replicaNode())
+        return await (tx || db)
           .with("w", query)
           .select("*")
           .from<Awaited<typeof query>[number]>("w")
@@ -155,22 +58,7 @@ export const dynamicSecretDALFactory = (db: TDbClient) => {
           .andWhere("w.rank", "<", rankOffset + limit);
       }
 
-      const dynamicSecrets = sqlNestRelationships({
-        data: await (queryWithLimit || query),
-        key: "id",
-        parentMapper: (el) => el,
-        childrenMapper: [
-          {
-            key: "metadataId",
-            label: "metadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
-          }
-        ]
-      });
+      const dynamicSecrets = await query;
 
       return dynamicSecrets;
     } catch (error) {
@@ -178,5 +66,5 @@ export const dynamicSecretDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...orm, listDynamicSecretsByFolderIds, findOne, findWithMetadata };
+  return { ...orm, listDynamicSecretsByFolderIds };
 };

backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts

@@ -42,7 +42,7 @@ export const verifyHostInputValidity = async (host: string, isGateway = false) =
     inputHostIps.push(...resolvedIps);
   }
 
-  if (!isGateway && !(appCfg.DYNAMIC_SECRET_ALLOW_INTERNAL_IP || appCfg.ALLOW_INTERNAL_IP_CONNECTIONS)) {
+  if (!isGateway && !appCfg.DYNAMIC_SECRET_ALLOW_INTERNAL_IP) {
     const isInternalIp = inputHostIps.some((el) => isPrivateIp(el));
     if (isInternalIp) throw new BadRequestError({ message: "Invalid db host" });
   }

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -12,7 +12,6 @@ import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 
 import { TDynamicSecretLeaseDALFactory } from "../dynamic-secret-lease/dynamic-secret-lease-dal";
@@ -47,7 +46,6 @@ type TDynamicSecretServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
   projectGatewayDAL: Pick<TProjectGatewayDALFactory, "findOne">;
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
 export type TDynamicSecretServiceFactory = ReturnType<typeof dynamicSecretServiceFactory>;
@@ -62,8 +60,7 @@ export const dynamicSecretServiceFactory = ({
   dynamicSecretQueueService,
   projectDAL,
   kmsService,
-  projectGatewayDAL,
-  resourceMetadataDAL
+  projectGatewayDAL
 }: TDynamicSecretServiceFactoryDep) => {
   const create = async ({
     path,
@@ -76,8 +73,7 @@ export const dynamicSecretServiceFactory = ({
     projectSlug,
     actorOrgId,
     defaultTTL,
-    actorAuthMethod,
-    metadata
+    actorAuthMethod
   }: TCreateDynamicSecretDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -91,10 +87,9 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.CreateRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path, metadata })
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
     );
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -136,36 +131,16 @@ export const dynamicSecretServiceFactory = ({
       projectId
     });
 
-    const dynamicSecretCfg = await dynamicSecretDAL.transaction(async (tx) => {
-      const cfg = await dynamicSecretDAL.create(
-        {
-          type: provider.type,
-          version: 1,
-          encryptedInput: secretManagerEncryptor({ plainText: Buffer.from(JSON.stringify(inputs)) }).cipherTextBlob,
-          maxTTL,
-          defaultTTL,
-          folderId: folder.id,
-          name,
-          projectGatewayId: selectedGatewayId
-        },
-        tx
-      );
-
-      if (metadata) {
-        await resourceMetadataDAL.insertMany(
-          metadata.map(({ key, value }) => ({
-            key,
-            value,
-            dynamicSecretId: cfg.id,
-            orgId: actorOrgId
-          })),
-          tx
-        );
-      }
-
-      return cfg;
+    const dynamicSecretCfg = await dynamicSecretDAL.create({
+      type: provider.type,
+      version: 1,
+      encryptedInput: secretManagerEncryptor({ plainText: Buffer.from(JSON.stringify(inputs)) }).cipherTextBlob,
+      maxTTL,
+      defaultTTL,
+      folderId: folder.id,
+      name,
+      projectGatewayId: selectedGatewayId
     });
-
     return dynamicSecretCfg;
   };
 
@@ -181,8 +156,7 @@ export const dynamicSecretServiceFactory = ({
     actorId,
     newName,
     actorOrgId,
-    actorAuthMethod,
-    metadata
+    actorAuthMethod
   }: TUpdateDynamicSecretDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -197,6 +171,10 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.EditRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );
 
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan?.dynamicSecret) {
@@ -215,27 +193,6 @@ export const dynamicSecretServiceFactory = ({
         message: `Dynamic secret with name '${name}' in folder '${folder.path}' not found`
       });
     }
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.EditRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
-    if (metadata) {
-      ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionDynamicSecretActions.EditRootCredential,
-        subject(ProjectPermissionSub.DynamicSecrets, {
-          environment: environmentSlug,
-          secretPath: path,
-          metadata
-        })
-      );
-    }
-
     if (newName) {
       const existingDynamicSecret = await dynamicSecretDAL.findOne({ name: newName, folderId: folder.id });
       if (existingDynamicSecret)
@@ -274,41 +231,14 @@ export const dynamicSecretServiceFactory = ({
     const isConnected = await selectedProvider.validateConnection(newInput);
     if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });
 
-    const updatedDynamicCfg = await dynamicSecretDAL.transaction(async (tx) => {
-      const cfg = await dynamicSecretDAL.updateById(
-        dynamicSecretCfg.id,
-        {
-          encryptedInput: secretManagerEncryptor({ plainText: Buffer.from(JSON.stringify(updatedInput)) })
-            .cipherTextBlob,
-          maxTTL,
-          defaultTTL,
-          name: newName ?? name,
-          status: null,
-          projectGatewayId: selectedGatewayId
-        },
-        tx
-      );
-
-      if (metadata) {
-        await resourceMetadataDAL.delete(
-          {
-            dynamicSecretId: cfg.id
-          },
-          tx
-        );
-
-        await resourceMetadataDAL.insertMany(
-          metadata.map(({ key, value }) => ({
-            key,
-            value,
-            dynamicSecretId: cfg.id,
-            orgId: actorOrgId
-          })),
-          tx
-        );
-      }
-
-      return cfg;
+    const updatedDynamicCfg = await dynamicSecretDAL.updateById(dynamicSecretCfg.id, {
+      encryptedInput: secretManagerEncryptor({ plainText: Buffer.from(JSON.stringify(updatedInput)) }).cipherTextBlob,
+      maxTTL,
+      defaultTTL,
+      name: newName ?? name,
+      status: null,
+      statusDetails: null,
+      projectGatewayId: selectedGatewayId
     });
 
     return updatedDynamicCfg;
@@ -338,6 +268,10 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
     if (!folder)
@@ -348,15 +282,6 @@ export const dynamicSecretServiceFactory = ({
       throw new NotFoundError({ message: `Dynamic secret with name '${name}' in folder '${folder.path}' not found` });
     }
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
     const leases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
     // when not forced we check with the external system to first remove the things
     // we introduce a forced concept because consider the external lease got deleted by some other external like a human or another system
@@ -404,6 +329,14 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.ReadRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.EditRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
     if (!folder)
@@ -413,25 +346,6 @@ export const dynamicSecretServiceFactory = ({
     if (!dynamicSecretCfg) {
       throw new NotFoundError({ message: `Dynamic secret with name '${name} in folder '${path}' not found` });
     }
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.ReadRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.EditRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, {
-        environment: environmentSlug,
-        secretPath: path,
-        metadata: dynamicSecretCfg.metadata
-      })
-    );
-
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.SecretManager,
       projectId
@@ -442,7 +356,6 @@ export const dynamicSecretServiceFactory = ({
     ) as object;
     const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
     const providerInputs = (await selectedProvider.validateProviderInputs(decryptedStoredInput)) as object;
-
     return { ...dynamicSecretCfg, inputs: providerInputs };
   };
 
@@ -513,7 +426,7 @@ export const dynamicSecretServiceFactory = ({
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
-      ProjectPermissionSub.DynamicSecrets
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -560,12 +473,16 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.ReadRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+    );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
     if (!folder)
       throw new NotFoundError({ message: `Folder with path '${path}' in environment '${environmentSlug}' not found` });
 
-    const dynamicSecretCfg = await dynamicSecretDAL.findWithMetadata(
+    const dynamicSecretCfg = await dynamicSecretDAL.find(
       { folderId: folder.id, $search: search ? { name: `%${search}%` } : undefined },
       {
         limit,
@@ -573,17 +490,7 @@ export const dynamicSecretServiceFactory = ({
         sort: orderBy ? [[orderBy, orderDirection]] : undefined
       }
     );
-
-    return dynamicSecretCfg.filter((dynamicSecret) => {
-      return permission.can(
-        ProjectPermissionDynamicSecretActions.ReadRootCredential,
-        subject(ProjectPermissionSub.DynamicSecrets, {
-          environment: environmentSlug,
-          secretPath: path,
-          metadata: dynamicSecret.metadata
-        })
-      );
-    });
+    return dynamicSecretCfg;
   };
 
   const listDynamicSecretsByFolderIds = async (
@@ -635,14 +542,24 @@ export const dynamicSecretServiceFactory = ({
     isInternal,
     ...params
   }: TListDynamicSecretsMultiEnvDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+    if (!isInternal) {
+      const { permission } = await permissionService.getProjectPermission({
+        actor,
+        actorId,
+        projectId,
+        actorAuthMethod,
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
+      });
+
+      // verify user has access to each env in request
+      environmentSlugs.forEach((environmentSlug) =>
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionDynamicSecretActions.ReadRootCredential,
+          subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+        )
+      );
+    }
 
     const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
     if (!folders.length)
@@ -655,16 +572,7 @@ export const dynamicSecretServiceFactory = ({
       ...params
     });
 
-    return dynamicSecretCfg.filter((dynamicSecret) => {
-      return permission.can(
-        ProjectPermissionDynamicSecretActions.ReadRootCredential,
-        subject(ProjectPermissionSub.DynamicSecrets, {
-          environment: dynamicSecret.environment,
-          secretPath: path,
-          metadata: dynamicSecret.metadata
-        })
-      );
-    });
+    return dynamicSecretCfg;
   };
 
   const fetchAzureEntraIdUsers = async ({

backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { OrderByDirection, TProjectPermission } from "@app/lib/types";
-import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
 import { DynamicSecretProviderSchema } from "./providers/models";
@@ -21,7 +20,6 @@ export type TCreateDynamicSecretDTO = {
   environmentSlug: string;
   name: string;
   projectSlug: string;
-  metadata?: ResourceMetadataDTO;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateDynamicSecretDTO = {
@@ -33,7 +31,6 @@ export type TUpdateDynamicSecretDTO = {
   environmentSlug: string;
   inputs?: TProvider["inputs"];
   projectSlug: string;
-  metadata?: ResourceMetadataDTO;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteDynamicSecretDTO = {

backend/src/ee/services/dynamic-secret/providers/ldap.ts

@@ -2,7 +2,6 @@ import handlebars from "handlebars";
 import ldapjs from "ldapjs";
 import ldif from "ldif";
 import { customAlphabet } from "nanoid";
-import RE2 from "re2";
 import { z } from "zod";
 
 import { BadRequestError } from "@app/lib/errors";
@@ -195,8 +194,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
     const client = await $getClient(providerInputs);
 
     if (providerInputs.credentialType === LdapCredentialType.Static) {
-      const dnRegex = new RE2("^dn:\\s*(.+)", "m");
-      const dnMatch = dnRegex.exec(providerInputs.rotationLdif);
+      const dnMatch = providerInputs.rotationLdif.match(/^dn:\s*(.+)/m);
 
       if (dnMatch) {
         const username = dnMatch[1];
@@ -240,8 +238,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
     const client = await $getClient(providerInputs);
 
     if (providerInputs.credentialType === LdapCredentialType.Static) {
-      const dnRegex = new RE2("^dn:\\s*(.+)", "m");
-      const dnMatch = dnRegex.exec(providerInputs.rotationLdif);
+      const dnMatch = providerInputs.rotationLdif.match(/^dn:\s*(.+)/m);
 
       if (dnMatch) {
         const username = dnMatch[1];

backend/src/ee/services/external-kms/external-kms-service.ts

@@ -7,7 +7,7 @@ import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/er
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsDataKey, KmsKeyUsage } from "@app/services/kms/kms-types";
+import { KmsDataKey } from "@app/services/kms/kms-types";
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
@@ -115,7 +115,6 @@ export const externalKmsServiceFactory = ({
         {
           isReserved: false,
           description,
-          keyUsage: KmsKeyUsage.ENCRYPT_DECRYPT,
           name: kmsName,
           orgId: actorOrgId
         },

backend/src/ee/services/external-kms/providers/gcp-kms.ts

@@ -92,7 +92,7 @@ export const GcpKmsProviderFactory = async ({ inputs }: GcpKmsProviderArgs): Pro
       plaintext: data
     });
     if (!encryptedText[0].ciphertext) throw new Error("encryption failed");
-    return { encryptedBlob: Buffer.from(encryptedText[0].ciphertext as Uint8Array) };
+    return { encryptedBlob: Buffer.from(encryptedText[0].ciphertext) };
   };
 
   const decrypt = async (encryptedBlob: Buffer) => {
@@ -101,7 +101,7 @@ export const GcpKmsProviderFactory = async ({ inputs }: GcpKmsProviderArgs): Pro
       ciphertext: encryptedBlob
     });
     if (!decryptedText[0].plaintext) throw new Error("decryption failed");
-    return { data: Buffer.from(decryptedText[0].plaintext as Uint8Array) };
+    return { data: Buffer.from(decryptedText[0].plaintext) };
   };
 
   return {

backend/src/ee/services/hsm/hsm-service.ts

@@ -258,7 +258,7 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
   const decrypt: {
     (encryptedBlob: Buffer, providedSession: pkcs11js.Handle): Promise<Buffer>;
     (encryptedBlob: Buffer): Promise<Buffer>;
-  } = async (encryptedBlob: Buffer, providedSession?: pkcs11js.Handle): Promise<Buffer> => {
+  } = async (encryptedBlob: Buffer, providedSession?: pkcs11js.Handle) => {
     if (!pkcs11 || !isInitialized) {
       throw new Error("PKCS#11 module is not initialized");
     }
@@ -309,10 +309,10 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
 
         pkcs11.C_DecryptInit(sessionHandle, decryptMechanism, aesKey);
 
-        const tempBuffer: Buffer = Buffer.alloc(encryptedData.length);
-        // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+        const tempBuffer = Buffer.alloc(encryptedData.length);
         const decryptedData = pkcs11.C_Decrypt(sessionHandle, encryptedData, tempBuffer);
 
+        // Create a new buffer from the decrypted data
         return Buffer.from(decryptedData);
       } catch (error) {
         logger.error(error, "HSM: Failed to perform decryption");

backend/src/ee/services/kmip/kmip-operation-service.ts

@@ -3,7 +3,6 @@ import { ForbiddenError } from "@casl/ability";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsKeyUsage } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
 import { OrgPermissionKmipActions, OrgPermissionSubjects } from "../permission/org-permission";
@@ -404,7 +403,6 @@ export const kmipOperationServiceFactory = ({
       algorithm,
       isReserved: false,
       projectId,
-      keyUsage: KmsKeyUsage.ENCRYPT_DECRYPT,
       orgId: project.orgId
     });
 

backend/src/ee/services/kmip/kmip-types.ts

@@ -1,4 +1,4 @@
-import { SymmetricKeyAlgorithm } from "@app/lib/crypto/cipher";
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { OrderByDirection, TOrgPermission, TProjectPermission } from "@app/lib/types";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 
@@ -49,7 +49,7 @@ type KmipOperationBaseDTO = {
 } & Omit<TOrgPermission, "orgId">;
 
 export type TKmipCreateDTO = {
-  algorithm: SymmetricKeyAlgorithm;
+  algorithm: SymmetricEncryption;
 } & KmipOperationBaseDTO;
 
 export type TKmipGetDTO = {
@@ -77,7 +77,7 @@ export type TKmipLocateDTO = KmipOperationBaseDTO;
 export type TKmipRegisterDTO = {
   name: string;
   key: string;
-  algorithm: SymmetricKeyAlgorithm;
+  algorithm: SymmetricEncryption;
 } & KmipOperationBaseDTO;
 
 export type TSetupOrgKmipDTO = {

backend/src/ee/services/oidc/oidc-config-dal.ts

@@ -1,5 +1,6 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
 import { ormify } from "@app/lib/knex";
 
 export type TOidcConfigDALFactory = ReturnType<typeof oidcConfigDALFactory>;
@@ -7,5 +8,22 @@ export type TOidcConfigDALFactory = ReturnType<typeof oidcConfigDALFactory>;
 export const oidcConfigDALFactory = (db: TDbClient) => {
   const oidcCfgOrm = ormify(db, TableName.OidcConfig);
 
-  return oidcCfgOrm;
+  const findEnforceableOidcCfg = async (orgId: string) => {
+    try {
+      const oidcCfg = await db
+        .replicaNode()(TableName.OidcConfig)
+        .where({
+          orgId,
+          isActive: true
+        })
+        .whereNotNull("lastUsed")
+        .first();
+
+      return oidcCfg;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find org by id" });
+    }
+  };
+
+  return { ...oidcCfgOrm, findEnforceableOidcCfg };
 };

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -165,8 +165,7 @@ export const oidcConfigServiceFactory = ({
       allowedEmailDomains: oidcCfg.allowedEmailDomains,
       clientId,
       clientSecret,
-      manageGroupMemberships: oidcCfg.manageGroupMemberships,
-      jwtSignatureAlgorithm: oidcCfg.jwtSignatureAlgorithm
+      manageGroupMemberships: oidcCfg.manageGroupMemberships
     };
   };
 
@@ -482,8 +481,7 @@ export const oidcConfigServiceFactory = ({
     userinfoEndpoint,
     clientId,
     clientSecret,
-    manageGroupMemberships,
-    jwtSignatureAlgorithm
+    manageGroupMemberships
   }: TUpdateOidcCfgDTO) => {
     const org = await orgDAL.findOne({
       slug: orgSlug
@@ -538,8 +536,7 @@ export const oidcConfigServiceFactory = ({
       jwksUri,
       isActive,
       lastUsed: null,
-      manageGroupMemberships,
-      jwtSignatureAlgorithm
+      manageGroupMemberships
     };
 
     if (clientId !== undefined) {
@@ -572,8 +569,7 @@ export const oidcConfigServiceFactory = ({
     userinfoEndpoint,
     clientId,
     clientSecret,
-    manageGroupMemberships,
-    jwtSignatureAlgorithm
+    manageGroupMemberships
   }: TCreateOidcCfgDTO) => {
     const org = await orgDAL.findOne({
       slug: orgSlug
@@ -617,7 +613,6 @@ export const oidcConfigServiceFactory = ({
       userinfoEndpoint,
       orgId: org.id,
       manageGroupMemberships,
-      jwtSignatureAlgorithm,
       encryptedOidcClientId: encryptor({ plainText: Buffer.from(clientId) }).cipherTextBlob,
       encryptedOidcClientSecret: encryptor({ plainText: Buffer.from(clientSecret) }).cipherTextBlob
     });
@@ -681,8 +676,7 @@ export const oidcConfigServiceFactory = ({
     const client = new issuer.Client({
       client_id: oidcCfg.clientId,
       client_secret: oidcCfg.clientSecret,
-      redirect_uris: [`${appCfg.SITE_URL}/api/v1/sso/oidc/callback`],
-      id_token_signed_response_alg: oidcCfg.jwtSignatureAlgorithm
+      redirect_uris: [`${appCfg.SITE_URL}/api/v1/sso/oidc/callback`]
     });
 
     const strategy = new OpenIdStrategy(

backend/src/ee/services/oidc/oidc-config-types.ts

@@ -5,12 +5,6 @@ export enum OIDCConfigurationType {
   DISCOVERY_URL = "discoveryURL"
 }
 
-export enum OIDCJWTSignatureAlgorithm {
-  RS256 = "RS256",
-  HS256 = "HS256",
-  RS512 = "RS512"
-}
-
 export type TOidcLoginDTO = {
   externalId: string;
   email: string;
@@ -46,7 +40,6 @@ export type TCreateOidcCfgDTO = {
   isActive: boolean;
   orgSlug: string;
   manageGroupMemberships: boolean;
-  jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm;
 } & TGenericPermission;
 
 export type TUpdateOidcCfgDTO = Partial<{
@@ -63,6 +56,5 @@ export type TUpdateOidcCfgDTO = Partial<{
   isActive: boolean;
   orgSlug: string;
   manageGroupMemberships: boolean;
-  jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm;
 }> &
   TGenericPermission;

backend/src/ee/services/permission/permission-dal.ts

@@ -3,7 +3,6 @@ import { z } from "zod";
 import { TDbClient } from "@app/db";
 import {
   IdentityProjectMembershipRoleSchema,
-  OrgMembershipRole,
   OrgMembershipsSchema,
   TableName,
   TProjectRoles,
@@ -54,7 +53,6 @@ export const permissionDALFactory = (db: TDbClient) => {
           db.ref("slug").withSchema(TableName.OrgRoles).withSchema(TableName.OrgRoles).as("customRoleSlug"),
           db.ref("permissions").withSchema(TableName.OrgRoles),
           db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("bypassOrgAuthEnabled").withSchema(TableName.Organization).as("bypassOrgAuthEnabled"),
           db.ref("groupId").withSchema("userGroups"),
           db.ref("groupOrgId").withSchema("userGroups"),
           db.ref("groupName").withSchema("userGroups"),
@@ -73,7 +71,6 @@ export const permissionDALFactory = (db: TDbClient) => {
           OrgMembershipsSchema.extend({
             permissions: z.unknown(),
             orgAuthEnforced: z.boolean().optional().nullable(),
-            bypassOrgAuthEnabled: z.boolean(),
             customRoleSlug: z.string().optional().nullable(),
             shouldUseNewPrivilegeSystem: z.boolean()
           }).parse(el),
@@ -574,11 +571,6 @@ export const permissionDALFactory = (db: TDbClient) => {
         })
         .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
         .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
-        .join(TableName.OrgMembership, (qb) => {
-          void qb
-            .on(`${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
-            .andOn(`${TableName.OrgMembership}.orgId`, `${TableName.Organization}.id`);
-        })
         .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
           void queryBuilder
             .on(`${TableName.Users}.id`, `${TableName.IdentityMetadata}.userId`)
@@ -678,8 +670,6 @@ export const permissionDALFactory = (db: TDbClient) => {
           db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
           db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
           db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("bypassOrgAuthEnabled").withSchema(TableName.Organization).as("bypassOrgAuthEnabled"),
-          db.ref("role").withSchema(TableName.OrgMembership).as("orgRole"),
           db.ref("orgId").withSchema(TableName.Project),
           db.ref("type").withSchema(TableName.Project).as("projectType"),
           db.ref("id").withSchema(TableName.Project).as("projectId"),
@@ -693,7 +683,6 @@ export const permissionDALFactory = (db: TDbClient) => {
           orgId,
           username,
           orgAuthEnforced,
-          orgRole,
           membershipId,
           groupMembershipId,
           membershipCreatedAt,
@@ -701,12 +690,10 @@ export const permissionDALFactory = (db: TDbClient) => {
           groupMembershipUpdatedAt,
           membershipUpdatedAt,
           projectType,
-          shouldUseNewPrivilegeSystem,
-          bypassOrgAuthEnabled
+          shouldUseNewPrivilegeSystem
         }) => ({
           orgId,
           orgAuthEnforced,
-          orgRole: orgRole as OrgMembershipRole,
           userId,
           projectId,
           username,
@@ -714,8 +701,7 @@ export const permissionDALFactory = (db: TDbClient) => {
           id: membershipId || groupMembershipId,
           createdAt: membershipCreatedAt || groupMembershipCreatedAt,
           updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt,
-          shouldUseNewPrivilegeSystem,
-          bypassOrgAuthEnabled
+          shouldUseNewPrivilegeSystem
         }),
         childrenMapper: [
           {

backend/src/ee/services/permission/permission-fns.ts

@@ -2,7 +2,7 @@
 import { ForbiddenError, MongoAbility, PureAbility, subject } from "@casl/ability";
 import { z } from "zod";
 
-import { OrgMembershipRole, TOrganizations } from "@app/db/schemas";
+import { TOrganizations } from "@app/db/schemas";
 import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";
@@ -118,20 +118,11 @@ function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
   ].includes(actorAuthMethod);
 }
 
-function validateOrgSSO(
-  actorAuthMethod: ActorAuthMethod,
-  isOrgSsoEnforced: TOrganizations["authEnforced"],
-  isOrgSsoBypassEnabled: TOrganizations["bypassOrgAuthEnabled"],
-  orgRole: OrgMembershipRole
-) {
+function validateOrgSSO(actorAuthMethod: ActorAuthMethod, isOrgSsoEnforced: TOrganizations["authEnforced"]) {
   if (actorAuthMethod === undefined) {
     throw new UnauthorizedError({ name: "No auth method defined" });
   }
 
-  if (isOrgSsoEnforced && isOrgSsoBypassEnabled && orgRole === OrgMembershipRole.Admin) {
-    return;
-  }
-
   if (
     isOrgSsoEnforced &&
     actorAuthMethod !== null &&

backend/src/ee/services/permission/permission-service.ts

@@ -139,12 +139,7 @@ export const permissionServiceFactory = ({
       throw new ForbiddenRequestError({ name: "You are not logged into this organization" });
     }
 
-    validateOrgSSO(
-      authMethod,
-      membership.orgAuthEnforced,
-      membership.bypassOrgAuthEnabled,
-      membership.role as OrgMembershipRole
-    );
+    validateOrgSSO(authMethod, membership.orgAuthEnforced);
 
     const finalPolicyRoles = [{ role: membership.role, permissions: membership.permissions }].concat(
       membership?.groups?.map(({ role, customRolePermission }) => ({
@@ -231,12 +226,7 @@ export const permissionServiceFactory = ({
       throw new ForbiddenRequestError({ name: "You are not logged into this organization" });
     }
 
-    validateOrgSSO(
-      authMethod,
-      userProjectPermission.orgAuthEnforced,
-      userProjectPermission.bypassOrgAuthEnabled,
-      userProjectPermission.orgRole
-    );
+    validateOrgSSO(authMethod, userProjectPermission.orgAuthEnforced);
 
     if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
       throw new BadRequestError({

backend/src/ee/services/permission/project-permission.ts

@@ -32,9 +32,7 @@ export enum ProjectPermissionCmekActions {
   Edit = "edit",
   Delete = "delete",
   Encrypt = "encrypt",
-  Decrypt = "decrypt",
-  Sign = "sign",
-  Verify = "verify"
+  Decrypt = "decrypt"
 }
 
 export enum ProjectPermissionDynamicSecretActions {
@@ -155,10 +153,6 @@ export type SecretFolderSubjectFields = {
 export type DynamicSecretSubjectFields = {
   environment: string;
   secretPath: string;
-  metadata?: {
-    key: string;
-    value: string;
-  }[];
 };
 
 export type SecretImportSubjectFields = {
@@ -288,42 +282,6 @@ const SecretConditionV1Schema = z
   })
   .partial();
 
-const DynamicSecretConditionV2Schema = z
-  .object({
-    environment: z.union([
-      z.string(),
-      z
-        .object({
-          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
-        })
-        .partial()
-    ]),
-    secretPath: SECRET_PATH_PERMISSION_OPERATOR_SCHEMA,
-    metadata: z.object({
-      [PermissionConditionOperators.$ELEMENTMATCH]: z
-        .object({
-          key: z
-            .object({
-              [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-              [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-              [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
-            })
-            .partial(),
-          value: z
-            .object({
-              [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-              [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-              [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
-            })
-            .partial()
-        })
-        .partial()
-    })
-  })
-  .partial();
-
 const SecretConditionV2Schema = z
   .object({
     environment: z.union([
@@ -621,7 +579,7 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionDynamicSecretActions).describe(
       "Describe what action an entity can take."
     ),
-    conditions: DynamicSecretConditionV2Schema.describe(
+    conditions: SecretConditionV1Schema.describe(
       "When specified, only matching conditions will be allowed to access given resource."
     ).optional()
   }),
@@ -774,9 +732,7 @@ const buildAdminPermissionRules = () => {
       ProjectPermissionCmekActions.Delete,
       ProjectPermissionCmekActions.Read,
       ProjectPermissionCmekActions.Encrypt,
-      ProjectPermissionCmekActions.Decrypt,
-      ProjectPermissionCmekActions.Sign,
-      ProjectPermissionCmekActions.Verify
+      ProjectPermissionCmekActions.Decrypt
     ],
     ProjectPermissionSub.Cmek
   );
@@ -965,6 +921,7 @@ const buildMemberPermissionRules = () => {
   can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiAlerts);
   can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiCollections);
 
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificateAuthorities);
   can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificates);
   can([ProjectPermissionActions.Create], ProjectPermissionSub.SshCertificates);
   can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificateTemplates);
@@ -978,9 +935,7 @@ const buildMemberPermissionRules = () => {
       ProjectPermissionCmekActions.Delete,
       ProjectPermissionCmekActions.Read,
       ProjectPermissionCmekActions.Encrypt,
-      ProjectPermissionCmekActions.Decrypt,
-      ProjectPermissionCmekActions.Sign,
-      ProjectPermissionCmekActions.Verify
+      ProjectPermissionCmekActions.Decrypt
     ],
     ProjectPermissionSub.Cmek
   );
@@ -1030,6 +985,7 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);
   can(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateAuthorities);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
   can(ProjectPermissionSecretSyncActions.Read, ProjectPermissionSub.SecretSyncs);

backend/src/ee/services/saml-config/saml-config-dal.ts

@@ -1,5 +1,6 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
 import { ormify } from "@app/lib/knex";
 
 export type TSamlConfigDALFactory = ReturnType<typeof samlConfigDALFactory>;
@@ -7,5 +8,25 @@ export type TSamlConfigDALFactory = ReturnType<typeof samlConfigDALFactory>;
 export const samlConfigDALFactory = (db: TDbClient) => {
   const samlCfgOrm = ormify(db, TableName.SamlConfig);
 
-  return samlCfgOrm;
+  const findEnforceableSamlCfg = async (orgId: string) => {
+    try {
+      const samlCfg = await db
+        .replicaNode()(TableName.SamlConfig)
+        .where({
+          orgId,
+          isActive: true
+        })
+        .whereNotNull("lastUsed")
+        .first();
+
+      return samlCfg;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find org by id" });
+    }
+  };
+
+  return {
+    ...samlCfgOrm,
+    findEnforceableSamlCfg
+  };
 };

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -267,6 +267,7 @@ export const secretReplicationServiceFactory = ({
       const sourceLocalSecrets = await secretV2BridgeDAL.find({ folderId: folder.id, type: SecretType.Shared });
       const sourceSecretImports = await secretImportDAL.find({ folderId: folder.id });
       const sourceImportedSecrets = await fnSecretsV2FromImports({
+        projectId,
         secretImports: sourceSecretImports,
         secretDAL: secretV2BridgeDAL,
         folderDAL,

backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-constants.ts

@@ -1,15 +0,0 @@
-import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
-import { TSecretRotationV2ListItem } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-export const AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION: TSecretRotationV2ListItem = {
-  name: "Auth0 Client Secret",
-  type: SecretRotation.Auth0ClientSecret,
-  connection: AppConnection.Auth0,
-  template: {
-    secretsMapping: {
-      clientId: "AUTH0_CLIENT_ID",
-      clientSecret: "AUTH0_CLIENT_SECRET"
-    }
-  }
-};

backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-fns.ts

@@ -1,104 +0,0 @@
-import {
-  TAuth0ClientSecretRotationGeneratedCredentials,
-  TAuth0ClientSecretRotationWithConnection
-} from "@app/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-types";
-import {
-  TRotationFactory,
-  TRotationFactoryGetSecretsPayload,
-  TRotationFactoryIssueCredentials,
-  TRotationFactoryRevokeCredentials,
-  TRotationFactoryRotateCredentials
-} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
-import { request } from "@app/lib/config/request";
-import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
-import { getAuth0ConnectionAccessToken } from "@app/services/app-connection/auth0";
-
-import { generatePassword } from "../shared/utils";
-
-export const auth0ClientSecretRotationFactory: TRotationFactory<
-  TAuth0ClientSecretRotationWithConnection,
-  TAuth0ClientSecretRotationGeneratedCredentials
-> = (secretRotation, appConnectionDAL, kmsService) => {
-  const {
-    connection,
-    parameters: { clientId },
-    secretsMapping
-  } = secretRotation;
-
-  const $rotateClientSecret = async () => {
-    const accessToken = await getAuth0ConnectionAccessToken(connection, appConnectionDAL, kmsService);
-    const { audience } = connection.credentials;
-    await blockLocalAndPrivateIpAddresses(audience);
-    const clientSecret = generatePassword();
-
-    await request.request({
-      method: "PATCH",
-      url: `${audience}clients/${clientId}`,
-      headers: { authorization: `Bearer ${accessToken}` },
-      data: {
-        client_secret: clientSecret
-      }
-    });
-
-    return { clientId, clientSecret };
-  };
-
-  const issueCredentials: TRotationFactoryIssueCredentials<TAuth0ClientSecretRotationGeneratedCredentials> = async (
-    callback
-  ) => {
-    const credentials = await $rotateClientSecret();
-
-    return callback(credentials);
-  };
-
-  const revokeCredentials: TRotationFactoryRevokeCredentials<TAuth0ClientSecretRotationGeneratedCredentials> = async (
-    _,
-    callback
-  ) => {
-    const accessToken = await getAuth0ConnectionAccessToken(connection, appConnectionDAL, kmsService);
-    const { audience } = connection.credentials;
-    await blockLocalAndPrivateIpAddresses(audience);
-
-    // we just trigger an auth0 rotation to negate our credentials
-    await request.request({
-      method: "POST",
-      url: `${audience}clients/${clientId}/rotate-secret`,
-      headers: { authorization: `Bearer ${accessToken}` }
-    });
-
-    return callback();
-  };
-
-  const rotateCredentials: TRotationFactoryRotateCredentials<TAuth0ClientSecretRotationGeneratedCredentials> = async (
-    _,
-    callback
-  ) => {
-    const credentials = await $rotateClientSecret();
-
-    return callback(credentials);
-  };
-
-  const getSecretsPayload: TRotationFactoryGetSecretsPayload<TAuth0ClientSecretRotationGeneratedCredentials> = (
-    generatedCredentials
-  ) => {
-    const secrets = [
-      {
-        key: secretsMapping.clientId,
-        value: generatedCredentials.clientId
-      },
-      {
-        key: secretsMapping.clientSecret,
-        value: generatedCredentials.clientSecret
-      }
-    ];
-
-    return secrets;
-  };
-
-  return {
-    issueCredentials,
-    revokeCredentials,
-    rotateCredentials,
-    getSecretsPayload
-  };
-};

backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-schemas.ts

@@ -1,67 +0,0 @@
-import { z } from "zod";
-
-import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
-import {
-  BaseCreateSecretRotationSchema,
-  BaseSecretRotationSchema,
-  BaseUpdateSecretRotationSchema
-} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-schemas";
-import { SecretRotations } from "@app/lib/api-docs";
-import { SecretNameSchema } from "@app/server/lib/schemas";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-export const Auth0ClientSecretRotationGeneratedCredentialsSchema = z
-  .object({
-    clientId: z.string(),
-    clientSecret: z.string()
-  })
-  .array()
-  .min(1)
-  .max(2);
-
-const Auth0ClientSecretRotationParametersSchema = z.object({
-  clientId: z
-    .string()
-    .trim()
-    .min(1, "Client ID Required")
-    .describe(SecretRotations.PARAMETERS.AUTH0_CLIENT_SECRET.clientId)
-});
-
-const Auth0ClientSecretRotationSecretsMappingSchema = z.object({
-  clientId: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.AUTH0_CLIENT_SECRET.clientId),
-  clientSecret: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.AUTH0_CLIENT_SECRET.clientSecret)
-});
-
-export const Auth0ClientSecretRotationTemplateSchema = z.object({
-  secretsMapping: z.object({
-    clientId: z.string(),
-    clientSecret: z.string()
-  })
-});
-
-export const Auth0ClientSecretRotationSchema = BaseSecretRotationSchema(SecretRotation.Auth0ClientSecret).extend({
-  type: z.literal(SecretRotation.Auth0ClientSecret),
-  parameters: Auth0ClientSecretRotationParametersSchema,
-  secretsMapping: Auth0ClientSecretRotationSecretsMappingSchema
-});
-
-export const CreateAuth0ClientSecretRotationSchema = BaseCreateSecretRotationSchema(
-  SecretRotation.Auth0ClientSecret
-).extend({
-  parameters: Auth0ClientSecretRotationParametersSchema,
-  secretsMapping: Auth0ClientSecretRotationSecretsMappingSchema
-});
-
-export const UpdateAuth0ClientSecretRotationSchema = BaseUpdateSecretRotationSchema(
-  SecretRotation.Auth0ClientSecret
-).extend({
-  parameters: Auth0ClientSecretRotationParametersSchema.optional(),
-  secretsMapping: Auth0ClientSecretRotationSecretsMappingSchema.optional()
-});
-
-export const Auth0ClientSecretRotationListItemSchema = z.object({
-  name: z.literal("Auth0 Client Secret"),
-  connection: z.literal(AppConnection.Auth0),
-  type: z.literal(SecretRotation.Auth0ClientSecret),
-  template: Auth0ClientSecretRotationTemplateSchema
-});

backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-types.ts

@@ -1,24 +0,0 @@
-import { z } from "zod";
-
-import { TAuth0Connection } from "@app/services/app-connection/auth0";
-
-import {
-  Auth0ClientSecretRotationGeneratedCredentialsSchema,
-  Auth0ClientSecretRotationListItemSchema,
-  Auth0ClientSecretRotationSchema,
-  CreateAuth0ClientSecretRotationSchema
-} from "./auth0-client-secret-rotation-schemas";
-
-export type TAuth0ClientSecretRotation = z.infer<typeof Auth0ClientSecretRotationSchema>;
-
-export type TAuth0ClientSecretRotationInput = z.infer<typeof CreateAuth0ClientSecretRotationSchema>;
-
-export type TAuth0ClientSecretRotationListItem = z.infer<typeof Auth0ClientSecretRotationListItemSchema>;
-
-export type TAuth0ClientSecretRotationWithConnection = TAuth0ClientSecretRotation & {
-  connection: TAuth0Connection;
-};
-
-export type TAuth0ClientSecretRotationGeneratedCredentials = z.infer<
-  typeof Auth0ClientSecretRotationGeneratedCredentialsSchema
->;

backend/src/ee/services/secret-rotation-v2/auth0-client-secret/index.ts

@@ -1,3 +0,0 @@
-export * from "./auth0-client-secret-rotation-constants";
-export * from "./auth0-client-secret-rotation-schemas";
-export * from "./auth0-client-secret-rotation-types";

backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/aws-iam-user-secret-rotation-constants.ts

@@ -1,15 +0,0 @@
-import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
-import { TSecretRotationV2ListItem } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-export const AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION: TSecretRotationV2ListItem = {
-  name: "AWS IAM User Secret",
-  type: SecretRotation.AwsIamUserSecret,
-  connection: AppConnection.AWS,
-  template: {
-    secretsMapping: {
-      accessKeyId: "AWS_ACCESS_KEY_ID",
-      secretAccessKey: "AWS_SECRET_ACCESS_KEY"
-    }
-  }
-};

backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/aws-iam-user-secret-rotation-fns.ts

@@ -1,123 +0,0 @@
-import AWS from "aws-sdk";
-
-import {
-  TAwsIamUserSecretRotationGeneratedCredentials,
-  TAwsIamUserSecretRotationWithConnection
-} from "@app/ee/services/secret-rotation-v2/aws-iam-user-secret/aws-iam-user-secret-rotation-types";
-import {
-  TRotationFactory,
-  TRotationFactoryGetSecretsPayload,
-  TRotationFactoryIssueCredentials,
-  TRotationFactoryRevokeCredentials,
-  TRotationFactoryRotateCredentials
-} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
-import { getAwsConnectionConfig } from "@app/services/app-connection/aws";
-
-const getCreateDate = (key: AWS.IAM.AccessKeyMetadata): number => {
-  return key.CreateDate ? new Date(key.CreateDate).getTime() : 0;
-};
-
-export const awsIamUserSecretRotationFactory: TRotationFactory<
-  TAwsIamUserSecretRotationWithConnection,
-  TAwsIamUserSecretRotationGeneratedCredentials
-> = (secretRotation) => {
-  const {
-    parameters: { region, userName },
-    connection,
-    secretsMapping
-  } = secretRotation;
-
-  const $rotateClientSecret = async () => {
-    const { credentials } = await getAwsConnectionConfig(connection, region);
-    const iam = new AWS.IAM({ credentials });
-
-    const { AccessKeyMetadata } = await iam.listAccessKeys({ UserName: userName }).promise();
-
-    if (AccessKeyMetadata && AccessKeyMetadata.length > 0) {
-      // Sort keys by creation date (oldest first)
-      const sortedKeys = [...AccessKeyMetadata].sort((a, b) => getCreateDate(a) - getCreateDate(b));
-
-      // If we already have 2 keys, delete the oldest one
-      if (sortedKeys.length >= 2) {
-        const accessId = sortedKeys[0].AccessKeyId || sortedKeys[1].AccessKeyId;
-        if (accessId) {
-          await iam
-            .deleteAccessKey({
-              UserName: userName,
-              AccessKeyId: accessId
-            })
-            .promise();
-        }
-      }
-    }
-
-    const { AccessKey } = await iam.createAccessKey({ UserName: userName }).promise();
-
-    return {
-      accessKeyId: AccessKey.AccessKeyId,
-      secretAccessKey: AccessKey.SecretAccessKey
-    };
-  };
-
-  const issueCredentials: TRotationFactoryIssueCredentials<TAwsIamUserSecretRotationGeneratedCredentials> = async (
-    callback
-  ) => {
-    const credentials = await $rotateClientSecret();
-
-    return callback(credentials);
-  };
-
-  const revokeCredentials: TRotationFactoryRevokeCredentials<TAwsIamUserSecretRotationGeneratedCredentials> = async (
-    generatedCredentials,
-    callback
-  ) => {
-    const { credentials } = await getAwsConnectionConfig(connection, region);
-    const iam = new AWS.IAM({ credentials });
-
-    await Promise.all(
-      generatedCredentials.map((generatedCredential) =>
-        iam
-          .deleteAccessKey({
-            UserName: userName,
-            AccessKeyId: generatedCredential.accessKeyId
-          })
-          .promise()
-      )
-    );
-
-    return callback();
-  };
-
-  const rotateCredentials: TRotationFactoryRotateCredentials<TAwsIamUserSecretRotationGeneratedCredentials> = async (
-    _,
-    callback
-  ) => {
-    const credentials = await $rotateClientSecret();
-
-    return callback(credentials);
-  };
-
-  const getSecretsPayload: TRotationFactoryGetSecretsPayload<TAwsIamUserSecretRotationGeneratedCredentials> = (
-    generatedCredentials
-  ) => {
-    const secrets = [
-      {
-        key: secretsMapping.accessKeyId,
-        value: generatedCredentials.accessKeyId
-      },
-      {
-        key: secretsMapping.secretAccessKey,
-        value: generatedCredentials.secretAccessKey
-      }
-    ];
-
-    return secrets;
-  };
-
-  return {
-    issueCredentials,
-    revokeCredentials,
-    rotateCredentials,
-    getSecretsPayload
-  };
-};

backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/aws-iam-user-secret-rotation-schemas.ts

@@ -1,68 +0,0 @@
-import { z } from "zod";
-
-import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
-import {
-  BaseCreateSecretRotationSchema,
-  BaseSecretRotationSchema,
-  BaseUpdateSecretRotationSchema
-} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-schemas";
-import { SecretRotations } from "@app/lib/api-docs";
-import { SecretNameSchema } from "@app/server/lib/schemas";
-import { AppConnection, AWSRegion } from "@app/services/app-connection/app-connection-enums";
-
-export const AwsIamUserSecretRotationGeneratedCredentialsSchema = z
-  .object({
-    accessKeyId: z.string(),
-    secretAccessKey: z.string()
-  })
-  .array()
-  .min(1)
-  .max(2);
-
-const AwsIamUserSecretRotationParametersSchema = z.object({
-  userName: z
-    .string()
-    .trim()
-    .min(1, "Client Name Required")
-    .describe(SecretRotations.PARAMETERS.AWS_IAM_USER_SECRET.userName),
-  region: z.nativeEnum(AWSRegion).describe(SecretRotations.PARAMETERS.AWS_IAM_USER_SECRET.region).optional()
-});
-
-const AwsIamUserSecretRotationSecretsMappingSchema = z.object({
-  accessKeyId: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.AWS_IAM_USER_SECRET.accessKeyId),
-  secretAccessKey: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.AWS_IAM_USER_SECRET.secretAccessKey)
-});
-
-export const AwsIamUserSecretRotationTemplateSchema = z.object({
-  secretsMapping: z.object({
-    accessKeyId: z.string(),
-    secretAccessKey: z.string()
-  })
-});
-
-export const AwsIamUserSecretRotationSchema = BaseSecretRotationSchema(SecretRotation.AwsIamUserSecret).extend({
-  type: z.literal(SecretRotation.AwsIamUserSecret),
-  parameters: AwsIamUserSecretRotationParametersSchema,
-  secretsMapping: AwsIamUserSecretRotationSecretsMappingSchema
-});
-
-export const CreateAwsIamUserSecretRotationSchema = BaseCreateSecretRotationSchema(
-  SecretRotation.AwsIamUserSecret
-).extend({
-  parameters: AwsIamUserSecretRotationParametersSchema,
-  secretsMapping: AwsIamUserSecretRotationSecretsMappingSchema
-});
-
-export const UpdateAwsIamUserSecretRotationSchema = BaseUpdateSecretRotationSchema(
-  SecretRotation.AwsIamUserSecret
-).extend({
-  parameters: AwsIamUserSecretRotationParametersSchema.optional(),
-  secretsMapping: AwsIamUserSecretRotationSecretsMappingSchema.optional()
-});
-
-export const AwsIamUserSecretRotationListItemSchema = z.object({
-  name: z.literal("AWS IAM User Secret"),
-  connection: z.literal(AppConnection.AWS),
-  type: z.literal(SecretRotation.AwsIamUserSecret),
-  template: AwsIamUserSecretRotationTemplateSchema
-});

backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/aws-iam-user-secret-rotation-types.ts

@@ -1,24 +0,0 @@
-import { z } from "zod";
-
-import { TAwsConnection } from "@app/services/app-connection/aws";
-
-import {
-  AwsIamUserSecretRotationGeneratedCredentialsSchema,
-  AwsIamUserSecretRotationListItemSchema,
-  AwsIamUserSecretRotationSchema,
-  CreateAwsIamUserSecretRotationSchema
-} from "./aws-iam-user-secret-rotation-schemas";
-
-export type TAwsIamUserSecretRotation = z.infer<typeof AwsIamUserSecretRotationSchema>;
-
-export type TAwsIamUserSecretRotationInput = z.infer<typeof CreateAwsIamUserSecretRotationSchema>;
-
-export type TAwsIamUserSecretRotationListItem = z.infer<typeof AwsIamUserSecretRotationListItemSchema>;
-
-export type TAwsIamUserSecretRotationWithConnection = TAwsIamUserSecretRotation & {
-  connection: TAwsConnection;
-};
-
-export type TAwsIamUserSecretRotationGeneratedCredentials = z.infer<
-  typeof AwsIamUserSecretRotationGeneratedCredentialsSchema
->;

backend/src/ee/services/secret-rotation-v2/aws-iam-user-secret/index.ts

@@ -1,3 +0,0 @@
-export * from "./aws-iam-user-secret-rotation-constants";
-export * from "./aws-iam-user-secret-rotation-schemas";
-export * from "./aws-iam-user-secret-rotation-types";

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-enums.ts

@@ -1,8 +1,6 @@
 export enum SecretRotation {
   PostgresCredentials = "postgres-credentials",
-  MsSqlCredentials = "mssql-credentials",
-  Auth0ClientSecret = "auth0-client-secret",
-  AwsIamUserSecret = "aws-iam-user-secret"
+  MsSqlCredentials = "mssql-credentials"
 }
 
 export enum SecretRotationStatus {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts

@@ -3,8 +3,6 @@ import { AxiosError } from "axios";
 import { getConfig } from "@app/lib/config/env";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 
-import { AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./auth0-client-secret";
-import { AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION } from "./aws-iam-user-secret";
 import { MSSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mssql-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
@@ -18,9 +16,7 @@ import {
 
 const SECRET_ROTATION_LIST_OPTIONS: Record<SecretRotation, TSecretRotationV2ListItem> = {
   [SecretRotation.PostgresCredentials]: POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION,
-  [SecretRotation.MsSqlCredentials]: MSSQL_CREDENTIALS_ROTATION_LIST_OPTION,
-  [SecretRotation.Auth0ClientSecret]: AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION,
-  [SecretRotation.AwsIamUserSecret]: AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION
+  [SecretRotation.MsSqlCredentials]: MSSQL_CREDENTIALS_ROTATION_LIST_OPTION
 };
 
 export const listSecretRotationOptions = () => {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-maps.ts

@@ -3,14 +3,10 @@ import { AppConnection } from "@app/services/app-connection/app-connection-enums
 
 export const SECRET_ROTATION_NAME_MAP: Record<SecretRotation, string> = {
   [SecretRotation.PostgresCredentials]: "PostgreSQL Credentials",
-  [SecretRotation.MsSqlCredentials]: "Microsoft SQL Server Credentials",
-  [SecretRotation.Auth0ClientSecret]: "Auth0 Client Secret",
-  [SecretRotation.AwsIamUserSecret]: "AWS IAM User Secret"
+  [SecretRotation.MsSqlCredentials]: "Microsoft SQL Sever Credentials"
 };
 
 export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnection> = {
   [SecretRotation.PostgresCredentials]: AppConnection.Postgres,
-  [SecretRotation.MsSqlCredentials]: AppConnection.MsSql,
-  [SecretRotation.Auth0ClientSecret]: AppConnection.Auth0,
-  [SecretRotation.AwsIamUserSecret]: AppConnection.AWS
+  [SecretRotation.MsSqlCredentials]: AppConnection.MsSql
 };

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -13,7 +13,6 @@ import {
   ProjectPermissionSecretRotationActions,
   ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
-import { auth0ClientSecretRotationFactory } from "@app/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-fns";
 import { SecretRotation, SecretRotationStatus } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
 import {
   calculateNextRotationAt,
@@ -42,7 +41,6 @@ import {
   TRotationFactory,
   TSecretRotationRotateGeneratedCredentials,
   TSecretRotationV2,
-  TSecretRotationV2GeneratedCredentials,
   TSecretRotationV2Raw,
   TSecretRotationV2WithConnection,
   TUpdateSecretRotationV2DTO
@@ -55,7 +53,6 @@ import { DatabaseErrorCode } from "@app/lib/error-codes";
 import { BadRequestError, DatabaseError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
 import { QueueJobs, TQueueServiceFactory } from "@app/queue";
-import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
 import { decryptAppConnection } from "@app/services/app-connection/app-connection-fns";
 import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -77,7 +74,6 @@ import {
 import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
 import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";
 
-import { awsIamUserSecretRotationFactory } from "./aws-iam-user-secret/aws-iam-user-secret-rotation-fns";
 import { TSecretRotationV2DALFactory } from "./secret-rotation-v2-dal";
 
 export type TSecretRotationV2ServiceFactoryDep = {
@@ -101,22 +97,15 @@ export type TSecretRotationV2ServiceFactoryDep = {
   secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "removeSecretReminder">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
   queueService: Pick<TQueueServiceFactory, "queuePg">;
-  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
 };
 
 export type TSecretRotationV2ServiceFactory = ReturnType<typeof secretRotationV2ServiceFactory>;
 
 const MAX_GENERATED_CREDENTIALS_LENGTH = 2;
 
-type TRotationFactoryImplementation = TRotationFactory<
-  TSecretRotationV2WithConnection,
-  TSecretRotationV2GeneratedCredentials
->;
-const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactoryImplementation> = {
-  [SecretRotation.PostgresCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
-  [SecretRotation.MsSqlCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
-  [SecretRotation.Auth0ClientSecret]: auth0ClientSecretRotationFactory as TRotationFactoryImplementation,
-  [SecretRotation.AwsIamUserSecret]: awsIamUserSecretRotationFactory as TRotationFactoryImplementation
+const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactory> = {
+  [SecretRotation.PostgresCredentials]: sqlCredentialsRotationFactory,
+  [SecretRotation.MsSqlCredentials]: sqlCredentialsRotationFactory
 };
 
 export const secretRotationV2ServiceFactory = ({
@@ -136,8 +125,7 @@ export const secretRotationV2ServiceFactory = ({
   secretQueueService,
   snapshotService,
   keyStore,
-  queueService,
-  appConnectionDAL
+  queueService
 }: TSecretRotationV2ServiceFactoryDep) => {
   const $queueSendSecretRotationStatusNotification = async (secretRotation: TSecretRotationV2Raw) => {
     const appCfg = getConfig();
@@ -441,15 +429,11 @@ export const secretRotationV2ServiceFactory = ({
     // validates permission to connect and app is valid for rotation type
     const connection = await appConnectionService.connectAppConnectionById(typeApp, payload.connectionId, actor);
 
-    const rotationFactory = SECRET_ROTATION_FACTORY_MAP[payload.type](
-      {
-        parameters: payload.parameters,
-        secretsMapping,
-        connection
-      } as TSecretRotationV2WithConnection,
-      appConnectionDAL,
-      kmsService
-    );
+    const rotationFactory = SECRET_ROTATION_FACTORY_MAP[payload.type]({
+      parameters: payload.parameters,
+      secretsMapping,
+      connection
+    } as TSecretRotationV2WithConnection);
 
     try {
       const currentTime = new Date();
@@ -457,7 +441,7 @@ export const secretRotationV2ServiceFactory = ({
       // callback structure to support transactional rollback when possible
       const secretRotation = await rotationFactory.issueCredentials(async (newCredentials) => {
         const encryptedGeneratedCredentials = await encryptSecretRotationCredentials({
-          generatedCredentials: [newCredentials] as TSecretRotationV2GeneratedCredentials,
+          generatedCredentials: [newCredentials],
           projectId,
           kmsService
         });
@@ -756,37 +740,32 @@ export const secretRotationV2ServiceFactory = ({
         message: `Secret Rotation with ID "${rotationId}" is not configured for ${SECRET_ROTATION_NAME_MAP[type]}`
       });
 
-    const deleteTransaction = async () =>
-      secretRotationV2DAL.transaction(async (tx) => {
-        if (deleteSecrets) {
-          await fnSecretBulkDelete({
-            secretDAL: secretV2BridgeDAL,
-            secretQueueService,
-            inputSecrets: Object.values(secretsMapping as TSecretRotationV2["secretsMapping"]).map((secretKey) => ({
-              secretKey,
-              type: SecretType.Shared
-            })),
-            projectId,
-            folderId,
-            actorId: actor.id, // not actually used since rotated secrets are shared
-            tx
-          });
-        }
+    const deleteTransaction = secretRotationV2DAL.transaction(async (tx) => {
+      if (deleteSecrets) {
+        await fnSecretBulkDelete({
+          secretDAL: secretV2BridgeDAL,
+          secretQueueService,
+          inputSecrets: Object.values(secretsMapping as TSecretRotationV2["secretsMapping"]).map((secretKey) => ({
+            secretKey,
+            type: SecretType.Shared
+          })),
+          projectId,
+          folderId,
+          actorId: actor.id, // not actually used since rotated secrets are shared
+          tx
+        });
+      }
 
-        return secretRotationV2DAL.deleteById(rotationId, tx);
-      });
+      return secretRotationV2DAL.deleteById(rotationId, tx);
+    });
 
     if (revokeGeneratedCredentials) {
       const appConnection = await decryptAppConnection(connection, kmsService);
 
-      const rotationFactory = SECRET_ROTATION_FACTORY_MAP[type](
-        {
-          ...secretRotation,
-          connection: appConnection
-        } as TSecretRotationV2WithConnection,
-        appConnectionDAL,
-        kmsService
-      );
+      const rotationFactory = SECRET_ROTATION_FACTORY_MAP[type]({
+        ...secretRotation,
+        connection: appConnection
+      } as TSecretRotationV2WithConnection);
 
       const generatedCredentials = await decryptSecretRotationCredentials({
         encryptedGeneratedCredentials,
@@ -794,9 +773,9 @@ export const secretRotationV2ServiceFactory = ({
         kmsService
       });
 
-      await rotationFactory.revokeCredentials(generatedCredentials, deleteTransaction);
+      await rotationFactory.revokeCredentials(generatedCredentials, async () => deleteTransaction);
     } else {
-      await deleteTransaction();
+      await deleteTransaction;
     }
 
     if (deleteSecrets) {
@@ -861,14 +840,10 @@ export const secretRotationV2ServiceFactory = ({
 
       const inactiveCredentials = generatedCredentials[inactiveIndex];
 
-      const rotationFactory = SECRET_ROTATION_FACTORY_MAP[type as SecretRotation](
-        {
-          ...secretRotation,
-          connection: appConnection
-        } as TSecretRotationV2WithConnection,
-        appConnectionDAL,
-        kmsService
-      );
+      const rotationFactory = SECRET_ROTATION_FACTORY_MAP[type as SecretRotation]({
+        ...secretRotation,
+        connection: appConnection
+      } as TSecretRotationV2WithConnection);
 
       const updatedRotation = await rotationFactory.rotateCredentials(inactiveCredentials, async (newCredentials) => {
         const updatedCredentials = [...generatedCredentials];
@@ -876,7 +851,7 @@ export const secretRotationV2ServiceFactory = ({
 
         const encryptedUpdatedCredentials = await encryptSecretRotationCredentials({
           projectId,
-          generatedCredentials: updatedCredentials as TSecretRotationV2GeneratedCredentials,
+          generatedCredentials: updatedCredentials,
           kmsService
         });
 

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts

@@ -1,24 +1,8 @@
 import { AuditLogInfo } from "@app/ee/services/audit-log/audit-log-types";
 import { TSqlCredentialsRotationGeneratedCredentials } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-types";
 import { OrderByDirection } from "@app/lib/types";
-import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
-import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
-import {
-  TAuth0ClientSecretRotation,
-  TAuth0ClientSecretRotationGeneratedCredentials,
-  TAuth0ClientSecretRotationInput,
-  TAuth0ClientSecretRotationListItem,
-  TAuth0ClientSecretRotationWithConnection
-} from "./auth0-client-secret";
-import {
-  TAwsIamUserSecretRotation,
-  TAwsIamUserSecretRotationGeneratedCredentials,
-  TAwsIamUserSecretRotationInput,
-  TAwsIamUserSecretRotationListItem,
-  TAwsIamUserSecretRotationWithConnection
-} from "./aws-iam-user-secret";
 import {
   TMsSqlCredentialsRotation,
   TMsSqlCredentialsRotationInput,
@@ -34,34 +18,17 @@ import {
 import { TSecretRotationV2DALFactory } from "./secret-rotation-v2-dal";
 import { SecretRotation } from "./secret-rotation-v2-enums";
 
-export type TSecretRotationV2 =
-  | TPostgresCredentialsRotation
-  | TMsSqlCredentialsRotation
-  | TAuth0ClientSecretRotation
-  | TAwsIamUserSecretRotation;
+export type TSecretRotationV2 = TPostgresCredentialsRotation | TMsSqlCredentialsRotation;
 
 export type TSecretRotationV2WithConnection =
   | TPostgresCredentialsRotationWithConnection
-  | TMsSqlCredentialsRotationWithConnection
-  | TAuth0ClientSecretRotationWithConnection
-  | TAwsIamUserSecretRotationWithConnection;
+  | TMsSqlCredentialsRotationWithConnection;
 
-export type TSecretRotationV2GeneratedCredentials =
-  | TSqlCredentialsRotationGeneratedCredentials
-  | TAuth0ClientSecretRotationGeneratedCredentials
-  | TAwsIamUserSecretRotationGeneratedCredentials;
+export type TSecretRotationV2GeneratedCredentials = TSqlCredentialsRotationGeneratedCredentials;
 
-export type TSecretRotationV2Input =
-  | TPostgresCredentialsRotationInput
-  | TMsSqlCredentialsRotationInput
-  | TAuth0ClientSecretRotationInput
-  | TAwsIamUserSecretRotationInput;
+export type TSecretRotationV2Input = TPostgresCredentialsRotationInput | TMsSqlCredentialsRotationInput;
 
-export type TSecretRotationV2ListItem =
-  | TPostgresCredentialsRotationListItem
-  | TMsSqlCredentialsRotationListItem
-  | TAuth0ClientSecretRotationListItem
-  | TAwsIamUserSecretRotationListItem;
+export type TSecretRotationV2ListItem = TPostgresCredentialsRotationListItem | TMsSqlCredentialsRotationListItem;
 
 export type TSecretRotationV2Raw = NonNullable<Awaited<ReturnType<TSecretRotationV2DALFactory["findById"]>>>;
 
@@ -162,34 +129,27 @@ export type TSecretRotationSendNotificationJobPayload = {
 // transactional behavior. By passing in the rotation mutation, if this mutation fails we can roll back the
 // third party credential changes (when supported), preventing credentials getting out of sync
 
-export type TRotationFactoryIssueCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
-  callback: (newCredentials: T[number]) => Promise<TSecretRotationV2Raw>
+export type TRotationFactoryIssueCredentials = (
+  callback: (newCredentials: TSecretRotationV2GeneratedCredentials[number]) => Promise<TSecretRotationV2Raw>
 ) => Promise<TSecretRotationV2Raw>;
 
-export type TRotationFactoryRevokeCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
-  generatedCredentials: T,
+export type TRotationFactoryRevokeCredentials = (
+  generatedCredentials: TSecretRotationV2GeneratedCredentials,
   callback: () => Promise<TSecretRotationV2Raw>
 ) => Promise<TSecretRotationV2Raw>;
 
-export type TRotationFactoryRotateCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
-  credentialsToRevoke: T[number] | undefined,
-  callback: (newCredentials: T[number]) => Promise<TSecretRotationV2Raw>
+export type TRotationFactoryRotateCredentials = (
+  credentialsToRevoke: TSecretRotationV2GeneratedCredentials[number] | undefined,
+  callback: (newCredentials: TSecretRotationV2GeneratedCredentials[number]) => Promise<TSecretRotationV2Raw>
 ) => Promise<TSecretRotationV2Raw>;
 
-export type TRotationFactoryGetSecretsPayload<T extends TSecretRotationV2GeneratedCredentials> = (
-  generatedCredentials: T[number]
+export type TRotationFactoryGetSecretsPayload = (
+  generatedCredentials: TSecretRotationV2GeneratedCredentials[number]
 ) => { key: string; value: string }[];
 
-export type TRotationFactory<
-  T extends TSecretRotationV2WithConnection,
-  C extends TSecretRotationV2GeneratedCredentials
-> = (
-  secretRotation: T,
-  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
-) => {
-  issueCredentials: TRotationFactoryIssueCredentials<C>;
-  revokeCredentials: TRotationFactoryRevokeCredentials<C>;
-  rotateCredentials: TRotationFactoryRotateCredentials<C>;
-  getSecretsPayload: TRotationFactoryGetSecretsPayload<C>;
+export type TRotationFactory = (secretRotation: TSecretRotationV2WithConnection) => {
+  issueCredentials: TRotationFactoryIssueCredentials;
+  revokeCredentials: TRotationFactoryRevokeCredentials;
+  rotateCredentials: TRotationFactoryRotateCredentials;
+  getSecretsPayload: TRotationFactoryGetSecretsPayload;
 };

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema.ts

@@ -1,14 +1,9 @@
 import { z } from "zod";
 
-import { Auth0ClientSecretRotationSchema } from "@app/ee/services/secret-rotation-v2/auth0-client-secret";
 import { MsSqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { PostgresCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 
-import { AwsIamUserSecretRotationSchema } from "./aws-iam-user-secret";
-
 export const SecretRotationV2Schema = z.discriminatedUnion("type", [
   PostgresCredentialsRotationSchema,
-  MsSqlCredentialsRotationSchema,
-  Auth0ClientSecretRotationSchema,
-  AwsIamUserSecretRotationSchema
+  MsSqlCredentialsRotationSchema
 ]);

backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-fns.ts

@@ -1,5 +1,6 @@
+import { randomInt } from "crypto";
+
 import {
-  TRotationFactory,
   TRotationFactoryGetSecretsPayload,
   TRotationFactoryIssueCredentials,
   TRotationFactoryRevokeCredentials,
@@ -7,12 +8,94 @@ import {
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
 import { getSqlConnectionClient, SQL_CONNECTION_ALTER_LOGIN_STATEMENT } from "@app/services/app-connection/shared/sql";
 
-import { generatePassword } from "../utils";
 import {
   TSqlCredentialsRotationGeneratedCredentials,
   TSqlCredentialsRotationWithConnection
 } from "./sql-credentials-rotation-types";
 
+const DEFAULT_PASSWORD_REQUIREMENTS = {
+  length: 48,
+  required: {
+    lowercase: 1,
+    uppercase: 1,
+    digits: 1,
+    symbols: 0
+  },
+  allowedSymbols: "-_.~!*"
+};
+
+const generatePassword = () => {
+  try {
+    const { length, required, allowedSymbols } = DEFAULT_PASSWORD_REQUIREMENTS;
+
+    const chars = {
+      lowercase: "abcdefghijklmnopqrstuvwxyz",
+      uppercase: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+      digits: "0123456789",
+      symbols: allowedSymbols || "-_.~!*"
+    };
+
+    const parts: string[] = [];
+
+    if (required.lowercase > 0) {
+      parts.push(
+        ...Array(required.lowercase)
+          .fill(0)
+          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
+      );
+    }
+
+    if (required.uppercase > 0) {
+      parts.push(
+        ...Array(required.uppercase)
+          .fill(0)
+          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
+      );
+    }
+
+    if (required.digits > 0) {
+      parts.push(
+        ...Array(required.digits)
+          .fill(0)
+          .map(() => chars.digits[randomInt(chars.digits.length)])
+      );
+    }
+
+    if (required.symbols > 0) {
+      parts.push(
+        ...Array(required.symbols)
+          .fill(0)
+          .map(() => chars.symbols[randomInt(chars.symbols.length)])
+      );
+    }
+
+    const requiredTotal = Object.values(required).reduce<number>((a, b) => a + b, 0);
+    const remainingLength = Math.max(length - requiredTotal, 0);
+
+    const allowedChars = Object.entries(chars)
+      .filter(([key]) => required[key as keyof typeof required] > 0)
+      .map(([, value]) => value)
+      .join("");
+
+    parts.push(
+      ...Array(remainingLength)
+        .fill(0)
+        .map(() => allowedChars[randomInt(allowedChars.length)])
+    );
+
+    // shuffle the array to mix up the characters
+    for (let i = parts.length - 1; i > 0; i -= 1) {
+      const j = randomInt(i + 1);
+      [parts[i], parts[j]] = [parts[j], parts[i]];
+    }
+
+    return parts.join("");
+  } catch (error: unknown) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    throw new Error(`Failed to generate password: ${message}`);
+  }
+};
+
 const redactPasswords = (e: unknown, credentials: TSqlCredentialsRotationGeneratedCredentials) => {
   const error = e as Error;
 
@@ -27,10 +110,7 @@ const redactPasswords = (e: unknown, credentials: TSqlCredentialsRotationGenerat
   return redactedMessage;
 };
 
-export const sqlCredentialsRotationFactory: TRotationFactory<
-  TSqlCredentialsRotationWithConnection,
-  TSqlCredentialsRotationGeneratedCredentials
-> = (secretRotation) => {
+export const sqlCredentialsRotationFactory = (secretRotation: TSqlCredentialsRotationWithConnection) => {
   const {
     connection,
     parameters: { username1, username2 },
@@ -38,7 +118,7 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     secretsMapping
   } = secretRotation;
 
-  const $validateCredentials = async (credentials: TSqlCredentialsRotationGeneratedCredentials[number]) => {
+  const validateCredentials = async (credentials: TSqlCredentialsRotationGeneratedCredentials[number]) => {
     const client = await getSqlConnectionClient({
       ...connection,
       credentials: {
@@ -56,9 +136,7 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     }
   };
 
-  const issueCredentials: TRotationFactoryIssueCredentials<TSqlCredentialsRotationGeneratedCredentials> = async (
-    callback
-  ) => {
+  const issueCredentials: TRotationFactoryIssueCredentials = async (callback) => {
     const client = await getSqlConnectionClient(connection);
 
     // For SQL, since we get existing users, we change both their passwords
@@ -81,16 +159,13 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     }
 
     for await (const credentials of credentialsSet) {
-      await $validateCredentials(credentials);
+      await validateCredentials(credentials);
     }
 
     return callback(credentialsSet[0]);
   };
 
-  const revokeCredentials: TRotationFactoryRevokeCredentials<TSqlCredentialsRotationGeneratedCredentials> = async (
-    credentialsToRevoke,
-    callback
-  ) => {
+  const revokeCredentials: TRotationFactoryRevokeCredentials = async (credentialsToRevoke, callback) => {
     const client = await getSqlConnectionClient(connection);
 
     const revokedCredentials = credentialsToRevoke.map(({ username }) => ({ username, password: generatePassword() }));
@@ -111,10 +186,7 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     return callback();
   };
 
-  const rotateCredentials: TRotationFactoryRotateCredentials<TSqlCredentialsRotationGeneratedCredentials> = async (
-    _,
-    callback
-  ) => {
+  const rotateCredentials: TRotationFactoryRotateCredentials = async (_, callback) => {
     const client = await getSqlConnectionClient(connection);
 
     // generate new password for the next active user
@@ -128,14 +200,12 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
       await client.destroy();
     }
 
-    await $validateCredentials(credentials);
+    await validateCredentials(credentials);
 
     return callback(credentials);
   };
 
-  const getSecretsPayload: TRotationFactoryGetSecretsPayload<TSqlCredentialsRotationGeneratedCredentials> = (
-    generatedCredentials
-  ) => {
+  const getSecretsPayload: TRotationFactoryGetSecretsPayload = (generatedCredentials) => {
     const { username, password } = secretsMapping;
 
     const secrets = [
@@ -156,6 +226,7 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     issueCredentials,
     revokeCredentials,
     rotateCredentials,
-    getSecretsPayload
+    getSecretsPayload,
+    validateCredentials
   };
 };

backend/src/ee/services/secret-rotation-v2/shared/utils/index.ts

@@ -1,84 +0,0 @@
-import { randomInt } from "crypto";
-
-const DEFAULT_PASSWORD_REQUIREMENTS = {
-  length: 48,
-  required: {
-    lowercase: 1,
-    uppercase: 1,
-    digits: 1,
-    symbols: 0
-  },
-  allowedSymbols: "-_.~!*"
-};
-
-export const generatePassword = () => {
-  try {
-    const { length, required, allowedSymbols } = DEFAULT_PASSWORD_REQUIREMENTS;
-
-    const chars = {
-      lowercase: "abcdefghijklmnopqrstuvwxyz",
-      uppercase: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
-      digits: "0123456789",
-      symbols: allowedSymbols || "-_.~!*"
-    };
-
-    const parts: string[] = [];
-
-    if (required.lowercase > 0) {
-      parts.push(
-        ...Array(required.lowercase)
-          .fill(0)
-          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
-      );
-    }
-
-    if (required.uppercase > 0) {
-      parts.push(
-        ...Array(required.uppercase)
-          .fill(0)
-          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
-      );
-    }
-
-    if (required.digits > 0) {
-      parts.push(
-        ...Array(required.digits)
-          .fill(0)
-          .map(() => chars.digits[randomInt(chars.digits.length)])
-      );
-    }
-
-    if (required.symbols > 0) {
-      parts.push(
-        ...Array(required.symbols)
-          .fill(0)
-          .map(() => chars.symbols[randomInt(chars.symbols.length)])
-      );
-    }
-
-    const requiredTotal = Object.values(required).reduce<number>((a, b) => a + b, 0);
-    const remainingLength = Math.max(length - requiredTotal, 0);
-
-    const allowedChars = Object.entries(chars)
-      .filter(([key]) => required[key as keyof typeof required] > 0)
-      .map(([, value]) => value)
-      .join("");
-
-    parts.push(
-      ...Array(remainingLength)
-        .fill(0)
-        .map(() => allowedChars[randomInt(allowedChars.length)])
-    );
-
-    // shuffle the array to mix up the characters
-    for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = randomInt(i + 1);
-      [parts[i], parts[j]] = [parts[j], parts[i]];
-    }
-
-    return parts.join("");
-  } catch (error: unknown) {
-    const message = error instanceof Error ? error.message : "Unknown error";
-    throw new Error(`Failed to generate password: ${message}`);
-  }
-};

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -127,13 +127,6 @@ export const secretRotationServiceFactory = ({
       });
       if (selectedSecrets.length !== Object.values(outputs).length)
         throw new NotFoundError({ message: `Secrets not found in folder with ID '${folder.id}'` });
-      const rotatedSecrets = selectedSecrets.filter(({ isRotatedSecret }) => isRotatedSecret);
-      if (rotatedSecrets.length)
-        throw new BadRequestError({
-          message: `Selected secrets are already used for rotation: ${rotatedSecrets
-            .map((secret) => secret.key)
-            .join(", ")}`
-        });
     } else {
       const selectedSecrets = await secretDAL.find({
         folderId: folder.id,

backend/src/ee/services/secret-rotation/templates/index.ts

@@ -18,8 +18,7 @@ export const rotationTemplates: TSecretRotationProviderTemplate[] = [
     title: "PostgreSQL",
     image: "postgres.png",
     description: "Rotate PostgreSQL/CockroachDB user credentials",
-    template: POSTGRES_TEMPLATE,
-    isDeprecated: true
+    template: POSTGRES_TEMPLATE
   },
   {
     name: "mysql",
@@ -33,8 +32,7 @@ export const rotationTemplates: TSecretRotationProviderTemplate[] = [
     title: "Microsoft SQL Server",
     image: "mssqlserver.png",
     description: "Rotate Microsoft SQL server user credentials",
-    template: MSSQL_TEMPLATE,
-    isDeprecated: true
+    template: MSSQL_TEMPLATE
   },
   {
     name: "aws-iam",

backend/src/ee/services/secret-rotation/templates/types.ts

@@ -50,7 +50,6 @@ export type TSecretRotationProviderTemplate = {
   image?: string;
   description?: string;
   template: THttpProviderTemplate | TDbProviderTemplate | TAwsProviderTemplate;
-  isDeprecated?: boolean;
 };
 
 export type THttpProviderTemplate = {

backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-validators.ts

@@ -1,5 +1,4 @@
 import { isIP } from "net";
-import RE2 from "re2";
 
 import { isFQDN } from "@app/lib/validator/validate-url";
 
@@ -11,7 +10,7 @@ export const isValidUserPattern = (value: string): boolean => {
   if (value === "*") return true; // Handle wildcard separately
 
   // Simpler, more specific pattern for usernames
-  const userRegex = new RE2(/^[a-z_][a-z0-9_-]*$/i);
+  const userRegex = /^[a-z_][a-z0-9_-]*$/i;
   return userRegex.test(value);
 };
 

backend/src/ee/services/ssh/ssh-certificate-authority-fns.ts

@@ -4,7 +4,6 @@ import { promises as fs } from "fs";
 import { Knex } from "knex";
 import os from "os";
 import path from "path";
-import RE2 from "re2";
 import { promisify } from "util";
 
 import { TSshCertificateTemplates } from "@app/db/schemas";
@@ -157,14 +156,14 @@ export const validateSshCertificatePrincipals = (
       });
     }
 
-    if (new RE2(/\r|\n|\t|\0/).test(sanitized)) {
+    if (/\r|\n|\t|\0/.test(sanitized)) {
       throw new BadRequestError({
         message: `Principal '${sanitized}' contains invalid whitespace or control characters.`
       });
     }
 
     // disallow whitespace anywhere
-    if (new RE2(/\s/).test(sanitized)) {
+    if (/\s/.test(sanitized)) {
       throw new BadRequestError({
         message: `Principal '${sanitized}' cannot contain whitespace.`
       });

backend/src/lib/api-docs/constants.ts

@@ -8,51 +8,6 @@ import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connec
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import { SECRET_SYNC_CONNECTION_MAP, SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 
-export enum ApiDocsTags {
-  Identities = "Identities",
-  TokenAuth = "Token Auth",
-  UniversalAuth = "Universal Auth",
-  GcpAuth = "GCP Auth",
-  AwsAuth = "AWS Auth",
-  AzureAuth = "Azure Auth",
-  KubernetesAuth = "Kubernetes Auth",
-  JwtAuth = "JWT Auth",
-  OidcAuth = "OIDC Auth",
-  Groups = "Groups",
-  Organizations = "Organizations",
-  Projects = "Projects",
-  ProjectUsers = "Project Users",
-  ProjectGroups = "Project Groups",
-  ProjectIdentities = "Project Identities",
-  ProjectRoles = "Project Roles",
-  ProjectTemplates = "Project Templates",
-  Environments = "Environments",
-  Folders = "Folders",
-  SecretTags = "Secret Tags",
-  Secrets = "Secrets",
-  DynamicSecrets = "Dynamic Secrets",
-  SecretImports = "Secret Imports",
-  SecretRotations = "Secret Rotations",
-  IdentitySpecificPrivilegesV1 = "Identity Specific Privileges",
-  IdentitySpecificPrivilegesV2 = "Identity Specific Privileges V2",
-  AppConnections = "App Connections",
-  SecretSyncs = "Secret Syncs",
-  Integrations = "Integrations",
-  ServiceTokens = "Service Tokens",
-  AuditLogs = "Audit Logs",
-  PkiCertificateAuthorities = "PKI Certificate Authorities",
-  PkiCertificates = "PKI Certificates",
-  PkiCertificateTemplates = "PKI Certificate Templates",
-  PkiCertificateCollections = "PKI Certificate Collections",
-  PkiAlerting = "PKI Alerting",
-  SshCertificates = "SSH Certificates",
-  SshCertificateAuthorities = "SSH Certificate Authorities",
-  SshCertificateTemplates = "SSH Certificate Templates",
-  KmsKeys = "KMS Keys",
-  KmsEncryption = "KMS Encryption",
-  KmsSigning = "KMS Signing"
-}
-
 export const GROUPS = {
   CREATE: {
     name: "The name of the group to create.",
@@ -523,8 +478,7 @@ export const PROJECTS = {
     name: "The new name of the project.",
     projectDescription: "An optional description label for the project.",
     autoCapitalization: "Disable or enable auto-capitalization for the project.",
-    slug: "An optional slug for the project. (must be unique within the organization)",
-    hasDeleteProtection: "Enable or disable delete protection for the project."
+    slug: "An optional slug for the project. (must be unique within the organization)"
   },
   GET_KEY: {
     workspaceId: "The ID of the project to get the key from."
@@ -933,7 +887,7 @@ export const DYNAMIC_SECRETS = {
     environmentSlug: "The slug of the environment to list folders from.",
     path: "The path to list folders from."
   },
-  LIST_LEASES_BY_NAME: {
+  LIST_LEAES_BY_NAME: {
     projectSlug: "The slug of the project to create dynamic secret in.",
     environmentSlug: "The slug of the environment to list folders from.",
     path: "The path to list folders from.",
@@ -1718,8 +1672,7 @@ export const KMS = {
     projectId: "The ID of the project to create the key in.",
     name: "The name of the key to be created. Must be slug-friendly.",
     description: "An optional description of the key.",
-    encryptionAlgorithm: "The algorithm to use when performing cryptographic operations with the key.",
-    type: "The type of key to be created, either encrypt-decrypt or sign-verify, based on your intended use for the key."
+    encryptionAlgorithm: "The algorithm to use when performing cryptographic operations with the key."
   },
   UPDATE_KEY: {
     keyId: "The ID of the key to be updated.",
@@ -1752,28 +1705,6 @@ export const KMS = {
   DECRYPT: {
     keyId: "The ID of the key to decrypt the data with.",
     ciphertext: "The ciphertext to be decrypted (base64 encoded)."
-  },
-
-  LIST_SIGNING_ALGORITHMS: {
-    keyId: "The ID of the key to list the signing algorithms for. The key must be for signing and verifying."
-  },
-
-  GET_PUBLIC_KEY: {
-    keyId: "The ID of the key to get the public key for. The key must be for signing and verifying."
-  },
-
-  SIGN: {
-    keyId: "The ID of the key to sign the data with.",
-    data: "The data in string format to be signed (base64 encoded).",
-    isDigest:
-      "Whether the data is already digested or not. Please be aware that if you are passing a digest the algorithm used to create the digest must match the signing algorithm used to sign the digest.",
-    signingAlgorithm: "The algorithm to use when performing cryptographic operations with the key."
-  },
-  VERIFY: {
-    keyId: "The ID of the key to verify the data with.",
-    data: "The data in string format to be verified (base64 encoded). For data larger than 4096 bytes you must first create a digest of the data and then pass the digest in the data parameter.",
-    signature: "The signature to be verified (base64 encoded).",
-    isDigest: "Whether the data is already digested or not."
   }
 };
 
@@ -1828,12 +1759,6 @@ export const AppConnections = {
     connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} Connection to be deleted.`
   }),
   CREDENTIALS: {
-    AUTH0_CONNECTION: {
-      domain: "The domain of the Auth0 instance to connect to.",
-      clientId: "Your Auth0 application's Client ID.",
-      clientSecret: "Your Auth0 application's Client Secret.",
-      audience: "The unique identifier of the target API you want to access."
-    },
     SQL_CONNECTION: {
       host: "The hostname of the database server.",
       port: "The port number of the database.",
@@ -1853,14 +1778,6 @@ export const AppConnections = {
     CAMUNDA: {
       clientId: "The client ID used to authenticate with Camunda.",
       clientSecret: "The client secret used to authenticate with Camunda."
-    },
-    WINDMILL: {
-      instanceUrl: "The Windmill instance URL to connect with (defaults to https://app.windmill.dev).",
-      accessToken: "The access token to use to connect with Windmill."
-    },
-    TEAMCITY: {
-      instanceUrl: "The TeamCity instance URL to connect with.",
-      accessToken: "The access token to use to connect with TeamCity."
     }
   }
 };
@@ -1996,14 +1913,6 @@ export const SecretSyncs = {
       env: "The ID of the Vercel environment to sync secrets to.",
       branch: "The branch to sync preview secrets to.",
       teamId: "The ID of the Vercel team to sync secrets to."
-    },
-    WINDMILL: {
-      workspace: "The Windmill workspace to sync secrets to.",
-      path: "The Windmill workspace path to sync secrets to."
-    },
-    TEAMCITY: {
-      project: "The TeamCity project to sync secrets to.",
-      buildConfig: "The TeamCity build configuration to sync secrets to."
     }
   }
 };
@@ -2065,27 +1974,12 @@ export const SecretRotations = {
         "The username of the first login to rotate passwords for. This user must already exists in your database.",
       username2:
         "The username of the second login to rotate passwords for. This user must already exists in your database."
-    },
-    AUTH0_CLIENT_SECRET: {
-      clientId: "The client ID of the Auth0 Application to rotate the client secret for."
-    },
-    AWS_IAM_USER_SECRET: {
-      userName: "The name of the client to rotate credentials for.",
-      region: "The AWS region the client is present in."
     }
   },
   SECRETS_MAPPING: {
     SQL_CREDENTIALS: {
       username: "The name of the secret that the active username will be mapped to.",
       password: "The name of the secret that the generated password will be mapped to."
-    },
-    AUTH0_CLIENT_SECRET: {
-      clientId: "The name of the secret that the client ID will be mapped to.",
-      clientSecret: "The name of the secret that the rotated client secret will be mapped to."
-    },
-    AWS_IAM_USER_SECRET: {
-      accessKeyId: "The name of the secret that the access key ID will be mapped to.",
-      secretAccessKey: "The name of the secret that the rotated secret access key will be mapped to."
     }
   }
 };

backend/src/lib/base64/index.ts

@@ -1,16 +1,12 @@
-import RE2 from "re2";
-
 type Base64Options = {
   urlSafe?: boolean;
   padding?: boolean;
 };
 
-const base64WithPadding = new RE2(/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/);
-const base64WithoutPadding = new RE2(/^[A-Za-z0-9+/]+$/);
-const base64UrlWithPadding = new RE2(
-  /^(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})$/
-);
-const base64UrlWithoutPadding = new RE2(/^[A-Za-z0-9_-]+$/);
+const base64WithPadding = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/;
+const base64WithoutPadding = /^[A-Za-z0-9+/]+$/;
+const base64UrlWithPadding = /^(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})$/;
+const base64UrlWithoutPadding = /^[A-Za-z0-9_-]+$/;
 
 export const isBase64 = (str: string, options: Base64Options = {}): boolean => {
   if (typeof str !== "string") {

backend/src/lib/casl/index.ts

@@ -24,6 +24,5 @@ export enum PermissionConditionOperators {
   $IN = "$in",
   $EQ = "$eq",
   $NEQ = "$ne",
-  $GLOB = "$glob",
-  $ELEMENTMATCH = "$elemMatch"
+  $GLOB = "$glob"
 }

backend/src/lib/config/env.ts

@@ -197,7 +197,6 @@ const envSchema = z
     /* ----------------------------------------------------------------------------- */
 
     /* App Connections ----------------------------------------------------------------------------- */
-    ALLOW_INTERNAL_IP_CONNECTIONS: zodStrBool.default("false"),
 
     // aws
     INF_APP_CONNECTION_AWS_ACCESS_KEY_ID: zpStr(z.string().optional()),

backend/src/lib/crypto/cipher/cipher.ts

@@ -1,6 +1,6 @@
 import crypto from "crypto";
 
-import { SymmetricKeyAlgorithm, TSymmetricEncryptionFns } from "./types";
+import { SymmetricEncryption, TSymmetricEncryptionFns } from "./types";
 
 const getIvLength = () => {
   return 12;
@@ -10,9 +10,7 @@ const getTagLength = () => {
   return 16;
 };
 
-export const symmetricCipherService = (
-  type: SymmetricKeyAlgorithm.AES_GCM_128 | SymmetricKeyAlgorithm.AES_GCM_256
-): TSymmetricEncryptionFns => {
+export const symmetricCipherService = (type: SymmetricEncryption): TSymmetricEncryptionFns => {
   const IV_LENGTH = getIvLength();
   const TAG_LENGTH = getTagLength();
 

backend/src/lib/crypto/cipher/index.ts

@@ -1,2 +1,2 @@
 export { symmetricCipherService } from "./cipher";
-export { AllowedEncryptionKeyAlgorithms, SymmetricKeyAlgorithm } from "./types";
+export { SymmetricEncryption } from "./types";

backend/src/lib/crypto/cipher/types.ts

@@ -1,18 +1,7 @@
-import { z } from "zod";
-
-import { AsymmetricKeyAlgorithm } from "../sign/types";
-
-// Supported symmetric encrypt/decrypt algorithms
-export enum SymmetricKeyAlgorithm {
+export enum SymmetricEncryption {
   AES_GCM_256 = "aes-256-gcm",
   AES_GCM_128 = "aes-128-gcm"
 }
-export const SymmetricKeyAlgorithmEnum = z.enum(Object.values(SymmetricKeyAlgorithm) as [string, ...string[]]).options;
-
-export const AllowedEncryptionKeyAlgorithms = z.enum([
-  ...Object.values(SymmetricKeyAlgorithm),
-  ...Object.values(AsymmetricKeyAlgorithm)
-] as [string, ...string[]]).options;
 
 export type TSymmetricEncryptionFns = {
   encrypt: (text: Buffer, key: Buffer) => Buffer;

backend/src/lib/crypto/sign/index.ts

@@ -1,2 +0,0 @@
-export { signingService } from "./signing";
-export { AsymmetricKeyAlgorithm, SigningAlgorithm } from "./types";

backend/src/lib/crypto/sign/signing.ts

@@ -1,564 +0,0 @@
-import { execFile } from "child_process";
-import crypto from "crypto";
-import fs from "fs/promises";
-import path from "path";
-import { promisify } from "util";
-
-import { BadRequestError } from "@app/lib/errors";
-import { cleanTemporaryDirectory, createTemporaryDirectory, writeToTemporaryFile } from "@app/lib/files";
-import { logger } from "@app/lib/logger";
-
-import { AsymmetricKeyAlgorithm, SigningAlgorithm, TAsymmetricSignVerifyFns } from "./types";
-
-const execFileAsync = promisify(execFile);
-
-interface SigningParams {
-  hashAlgorithm: SupportedHashAlgorithm;
-  padding?: number;
-  saltLength?: number;
-}
-
-enum SupportedHashAlgorithm {
-  SHA256 = "sha256",
-  SHA384 = "sha384",
-  SHA512 = "sha512"
-}
-
-const COMMAND_TIMEOUT = 15_000;
-
-const SHA256_DIGEST_LENGTH = 32;
-const SHA384_DIGEST_LENGTH = 48;
-const SHA512_DIGEST_LENGTH = 64;
-
-/**
- * Service for cryptographic signing and verification operations using asymmetric keys
- *
- * @param algorithm The key algorithm itself. The signing algorithm is supplied in the individual sign/verify functions.
- * @returns Object with sign and verify functions
- */
-export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSignVerifyFns => {
-  const $getSigningParams = (signingAlgorithm: SigningAlgorithm): SigningParams => {
-    switch (signingAlgorithm) {
-      // RSA PSS
-      case SigningAlgorithm.RSASSA_PSS_SHA_512:
-        return {
-          hashAlgorithm: SupportedHashAlgorithm.SHA512,
-          padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
-          saltLength: SHA512_DIGEST_LENGTH
-        };
-      case SigningAlgorithm.RSASSA_PSS_SHA_256:
-        return {
-          hashAlgorithm: SupportedHashAlgorithm.SHA256,
-          padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
-          saltLength: SHA256_DIGEST_LENGTH
-        };
-      case SigningAlgorithm.RSASSA_PSS_SHA_384:
-        return {
-          hashAlgorithm: SupportedHashAlgorithm.SHA384,
-          padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
-          saltLength: SHA384_DIGEST_LENGTH
-        };
-
-      // RSA PKCS#1 v1.5
-      case SigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_512:
-        return {
-          hashAlgorithm: SupportedHashAlgorithm.SHA512,
-          padding: crypto.constants.RSA_PKCS1_PADDING
-        };
-      case SigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_384:
-        return {
-          hashAlgorithm: SupportedHashAlgorithm.SHA384,
-          padding: crypto.constants.RSA_PKCS1_PADDING
-        };
-      case SigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_256:
-        return {
-          hashAlgorithm: SupportedHashAlgorithm.SHA256,
-          padding: crypto.constants.RSA_PKCS1_PADDING
-        };
-
-      // ECDSA
-      case SigningAlgorithm.ECDSA_SHA_256:
-        return { hashAlgorithm: SupportedHashAlgorithm.SHA256 };
-      case SigningAlgorithm.ECDSA_SHA_384:
-        return { hashAlgorithm: SupportedHashAlgorithm.SHA384 };
-      case SigningAlgorithm.ECDSA_SHA_512:
-        return { hashAlgorithm: SupportedHashAlgorithm.SHA512 };
-
-      default:
-        throw new Error(`Unsupported signing algorithm: ${signingAlgorithm as string}`);
-    }
-  };
-
-  const $getEcCurveName = (keyAlgorithm: AsymmetricKeyAlgorithm): { full: string; short: string } => {
-    // We will support more in the future
-    switch (keyAlgorithm) {
-      case AsymmetricKeyAlgorithm.ECC_NIST_P256:
-        return {
-          full: "prime256v1",
-          short: "p256"
-        };
-      default:
-        throw new Error(`Unsupported EC curve: ${keyAlgorithm}`);
-    }
-  };
-
-  const $validateAlgorithmWithKeyType = (signingAlgorithm: SigningAlgorithm) => {
-    const isRsaKey = algorithm.startsWith("RSA");
-    const isEccKey = algorithm.startsWith("ECC");
-
-    const isRsaAlgorithm = signingAlgorithm.startsWith("RSASSA");
-    const isEccAlgorithm = signingAlgorithm.startsWith("ECDSA");
-
-    if (isRsaKey && !isRsaAlgorithm) {
-      throw new BadRequestError({ message: `KMS RSA key cannot be used with ${signingAlgorithm}` });
-    }
-
-    if (isEccKey && !isEccAlgorithm) {
-      throw new BadRequestError({ message: `KMS ECC key cannot be used with ${signingAlgorithm}` });
-    }
-  };
-
-  const $signRsaDigest = async (
-    digest: Buffer,
-    privateKey: Buffer,
-    hashAlgorithm: SupportedHashAlgorithm,
-    signingAlgorithm: SigningAlgorithm
-  ) => {
-    const tempDir = await createTemporaryDirectory("kms-rsa-sign");
-    const digestPath = path.join(tempDir, "digest.bin");
-    const sigPath = path.join(tempDir, "signature.bin");
-    const keyPath = path.join(tempDir, "key.pem");
-
-    try {
-      await writeToTemporaryFile(digestPath, digest);
-      await writeToTemporaryFile(keyPath, privateKey);
-
-      const { stderr } = await execFileAsync(
-        "openssl",
-        [
-          "pkeyutl",
-          "-sign",
-          "-in",
-          digestPath,
-          "-inkey",
-          keyPath,
-          "-pkeyopt",
-          `digest:${hashAlgorithm}`,
-          "-out",
-          sigPath
-        ],
-        {
-          maxBuffer: 10 * 1024 * 1024,
-          timeout: COMMAND_TIMEOUT
-        }
-      );
-
-      if (stderr) {
-        logger.error(stderr, "KMS: Failed to sign RSA digest");
-        throw new BadRequestError({
-          message: "Failed to sign RSA digest due to signing error"
-        });
-      }
-      const signature = await fs.readFile(sigPath);
-
-      if (!signature) {
-        throw new BadRequestError({
-          message:
-            "No signature was created. Make sure you are using an appropriate signing algorithm that uses the same hashing algorithm as the one used to create the digest."
-        });
-      }
-
-      return signature;
-    } catch (err) {
-      logger.error(err, "KMS: Failed to sign RSA digest");
-      throw new BadRequestError({
-        message: `Failed to sign RSA digest with ${signingAlgorithm} due to signing error. Ensure that your digest is hashed with ${hashAlgorithm.toUpperCase()}.`
-      });
-    } finally {
-      await cleanTemporaryDirectory(tempDir);
-    }
-  };
-
-  const $signEccDigest = async (
-    digest: Buffer,
-    privateKey: Buffer,
-    hashAlgorithm: SupportedHashAlgorithm,
-    signingAlgorithm: SigningAlgorithm
-  ) => {
-    const tempDir = await createTemporaryDirectory("ecc-sign");
-    const digestPath = path.join(tempDir, "digest.bin");
-    const keyPath = path.join(tempDir, "key.pem");
-    const sigPath = path.join(tempDir, "signature.bin");
-
-    try {
-      await writeToTemporaryFile(digestPath, digest);
-      await writeToTemporaryFile(keyPath, privateKey);
-
-      const { stderr } = await execFileAsync(
-        "openssl",
-        [
-          "pkeyutl",
-          "-sign",
-          "-in",
-          digestPath,
-          "-inkey",
-          keyPath,
-          "-pkeyopt",
-          `digest:${hashAlgorithm}`,
-          "-out",
-          sigPath
-        ],
-        {
-          maxBuffer: 10 * 1024 * 1024,
-          timeout: COMMAND_TIMEOUT
-        }
-      );
-
-      if (stderr) {
-        logger.error(stderr, "KMS: Failed to sign ECC digest");
-        throw new BadRequestError({
-          message: "Failed to sign ECC digest due to signing error"
-        });
-      }
-
-      const signature = await fs.readFile(sigPath);
-
-      if (!signature) {
-        throw new BadRequestError({
-          message:
-            "No signature was created. Make sure you are using an appropriate signing algorithm that uses the same hashing algorithm as the one used to create the digest."
-        });
-      }
-
-      return signature;
-    } catch (err) {
-      logger.error(err, "KMS: Failed to sign ECC digest");
-      throw new BadRequestError({
-        message: `Failed to sign ECC digest with ${signingAlgorithm} due to signing error. Ensure that your digest is hashed with ${hashAlgorithm.toUpperCase()}.`
-      });
-    } finally {
-      await cleanTemporaryDirectory(tempDir);
-    }
-  };
-
-  const $verifyEccDigest = async (
-    digest: Buffer,
-    signature: Buffer,
-    publicKey: Buffer,
-    hashAlgorithm: SupportedHashAlgorithm
-  ) => {
-    const tempDir = await createTemporaryDirectory("ecc-signature-verification");
-    const publicKeyFile = path.join(tempDir, "public-key.pem");
-    const sigFile = path.join(tempDir, "signature.sig");
-    const digestFile = path.join(tempDir, "digest.bin");
-
-    try {
-      await writeToTemporaryFile(publicKeyFile, publicKey);
-      await writeToTemporaryFile(sigFile, signature);
-      await writeToTemporaryFile(digestFile, digest);
-
-      await execFileAsync(
-        "openssl",
-        [
-          "pkeyutl",
-          "-verify",
-          "-in",
-          digestFile,
-          "-inkey",
-          publicKeyFile,
-          "-pubin", // Important for EC public keys
-          "-sigfile",
-          sigFile,
-          "-pkeyopt",
-          `digest:${hashAlgorithm}`
-        ],
-        { timeout: COMMAND_TIMEOUT }
-      );
-
-      return true;
-    } catch (error) {
-      const err = error as { stderr: string };
-
-      if (
-        !err?.stderr?.toLowerCase()?.includes("signature verification failure") &&
-        !err?.stderr?.toLowerCase()?.includes("bad signature")
-      ) {
-        logger.error(error, "KMS: Failed to verify ECC signature");
-      }
-      return false;
-    } finally {
-      await cleanTemporaryDirectory(tempDir);
-    }
-  };
-
-  const $verifyRsaDigest = async (
-    digest: Buffer,
-    signature: Buffer,
-    publicKey: Buffer,
-    hashAlgorithm: SupportedHashAlgorithm
-  ) => {
-    const tempDir = await createTemporaryDirectory("kms-signature-verification");
-    const publicKeyFile = path.join(tempDir, "public-key.pub");
-    const signatureFile = path.join(tempDir, "signature.sig");
-    const digestFile = path.join(tempDir, "digest.bin");
-
-    try {
-      await writeToTemporaryFile(publicKeyFile, publicKey);
-      await writeToTemporaryFile(signatureFile, signature);
-      await writeToTemporaryFile(digestFile, digest);
-
-      await execFileAsync(
-        "openssl",
-        [
-          "pkeyutl",
-          "-verify",
-          "-in",
-          digestFile,
-          "-inkey",
-          publicKeyFile,
-          "-pubin",
-          "-sigfile",
-          signatureFile,
-          "-pkeyopt",
-          `digest:${hashAlgorithm}`
-        ],
-        { timeout: COMMAND_TIMEOUT }
-      );
-
-      // it'll throw if the verification was not successful
-      return true;
-    } catch (error) {
-      const err = error as { stdout: string };
-
-      if (!err?.stdout?.toLowerCase()?.includes("signature verification failure")) {
-        logger.error(error, "KMS: Failed to verify signature");
-      }
-      return false;
-    } finally {
-      await cleanTemporaryDirectory(tempDir);
-    }
-  };
-
-  const verifyDigestFunctionsMap: Record<
-    AsymmetricKeyAlgorithm,
-    (data: Buffer, signature: Buffer, publicKey: Buffer, hashAlgorithm: SupportedHashAlgorithm) => Promise<boolean>
-  > = {
-    [AsymmetricKeyAlgorithm.ECC_NIST_P256]: $verifyEccDigest,
-    [AsymmetricKeyAlgorithm.RSA_4096]: $verifyRsaDigest
-  };
-
-  const signDigestFunctionsMap: Record<
-    AsymmetricKeyAlgorithm,
-    (
-      data: Buffer,
-      privateKey: Buffer,
-      hashAlgorithm: SupportedHashAlgorithm,
-      signingAlgorithm: SigningAlgorithm
-    ) => Promise<Buffer>
-  > = {
-    [AsymmetricKeyAlgorithm.ECC_NIST_P256]: $signEccDigest,
-    [AsymmetricKeyAlgorithm.RSA_4096]: $signRsaDigest
-  };
-
-  const sign = async (
-    data: Buffer,
-    privateKey: Buffer,
-    signingAlgorithm: SigningAlgorithm,
-    isDigest: boolean
-  ): Promise<Buffer> => {
-    $validateAlgorithmWithKeyType(signingAlgorithm);
-
-    const { hashAlgorithm, padding, saltLength } = $getSigningParams(signingAlgorithm);
-
-    if (isDigest) {
-      if (signingAlgorithm.startsWith("RSASSA_PSS")) {
-        throw new BadRequestError({
-          message: "RSA PSS does not support digested input"
-        });
-      }
-
-      const signFunction = signDigestFunctionsMap[algorithm];
-
-      if (!signFunction) {
-        throw new BadRequestError({
-          message: `Digested input is not supported for key algorithm ${algorithm}`
-        });
-      }
-
-      const signature = await signFunction(data, privateKey, hashAlgorithm, signingAlgorithm);
-      return signature;
-    }
-
-    const privateKeyObject = crypto.createPrivateKey({
-      key: privateKey,
-      format: "pem",
-      type: "pkcs8"
-    });
-
-    // For RSA signatures
-    if (signingAlgorithm.startsWith("RSA")) {
-      const signer = crypto.createSign(hashAlgorithm);
-      signer.update(data);
-
-      return signer.sign({
-        key: privateKeyObject,
-        padding,
-        ...(signingAlgorithm.includes("PSS") ? { saltLength } : {})
-      });
-    }
-    if (signingAlgorithm.startsWith("ECDSA")) {
-      // For ECDSA signatures
-      const signer = crypto.createSign(hashAlgorithm);
-      signer.update(data);
-      return signer.sign({
-        key: privateKeyObject,
-        dsaEncoding: "der"
-      });
-    }
-    throw new BadRequestError({
-      message: `Signing algorithm ${signingAlgorithm} not implemented`
-    });
-  };
-
-  const verify = async (
-    data: Buffer,
-    signature: Buffer,
-    publicKey: Buffer,
-    signingAlgorithm: SigningAlgorithm,
-    isDigest: boolean
-  ): Promise<boolean> => {
-    try {
-      $validateAlgorithmWithKeyType(signingAlgorithm);
-
-      const { hashAlgorithm, padding, saltLength } = $getSigningParams(signingAlgorithm);
-
-      if (isDigest) {
-        if (signingAlgorithm.startsWith("RSASSA_PSS")) {
-          throw new BadRequestError({
-            message: "RSA PSS does not support digested input"
-          });
-        }
-
-        const verifyFunction = verifyDigestFunctionsMap[algorithm];
-
-        if (!verifyFunction) {
-          throw new BadRequestError({
-            message: `Digested input is not supported for key algorithm ${algorithm}`
-          });
-        }
-
-        const signatureValid = await verifyFunction(data, signature, publicKey, hashAlgorithm);
-
-        return signatureValid;
-      }
-
-      const publicKeyObject = crypto.createPublicKey({
-        key: publicKey,
-        format: "der",
-        type: "spki"
-      });
-
-      // For RSA signatures
-      if (signingAlgorithm.startsWith("RSA")) {
-        const verifier = crypto.createVerify(hashAlgorithm);
-        verifier.update(data);
-
-        return verifier.verify(
-          {
-            key: publicKeyObject,
-            padding,
-            ...(signingAlgorithm.includes("PSS") ? { saltLength } : {})
-          },
-          signature
-        );
-      }
-      // For ECDSA signatures
-      if (signingAlgorithm.startsWith("ECDSA")) {
-        const verifier = crypto.createVerify(hashAlgorithm);
-        verifier.update(data);
-        return verifier.verify(
-          {
-            key: publicKeyObject,
-            dsaEncoding: "der"
-          },
-          signature
-        );
-      }
-      throw new BadRequestError({
-        message: `Verification for algorithm ${signingAlgorithm} not implemented`
-      });
-    } catch (error) {
-      if (error instanceof BadRequestError) {
-        throw error;
-      }
-      logger.error(error, "KMS: Failed to verify signature");
-      return false;
-    }
-  };
-
-  const generateAsymmetricPrivateKey = async () => {
-    const { privateKey } = await new Promise<{ privateKey: string }>((resolve, reject) => {
-      if (algorithm.startsWith("RSA")) {
-        crypto.generateKeyPair(
-          "rsa",
-          {
-            modulusLength: Number(algorithm.split("_")[1]),
-            publicKeyEncoding: { type: "spki", format: "pem" },
-            privateKeyEncoding: { type: "pkcs8", format: "pem" }
-          },
-          (err, _, pk) => {
-            if (err) {
-              reject(err);
-            } else {
-              resolve({ privateKey: pk });
-            }
-          }
-        );
-      } else {
-        const { full: namedCurve } = $getEcCurveName(algorithm);
-
-        crypto.generateKeyPair(
-          "ec",
-          {
-            namedCurve,
-            publicKeyEncoding: { type: "spki", format: "pem" },
-            privateKeyEncoding: { type: "pkcs8", format: "pem" }
-          },
-          (err, _, pk) => {
-            if (err) {
-              reject(err);
-            } else {
-              resolve({
-                privateKey: pk
-              });
-            }
-          }
-        );
-      }
-    });
-
-    return Buffer.from(privateKey);
-  };
-
-  const getPublicKeyFromPrivateKey = (privateKey: Buffer) => {
-    const privateKeyObj = crypto.createPrivateKey({
-      key: privateKey,
-      format: "pem",
-      type: "pkcs8"
-    });
-
-    const publicKey = crypto.createPublicKey(privateKeyObj).export({
-      type: "spki",
-      format: "der"
-    });
-
-    return publicKey;
-  };
-
-  return {
-    sign,
-    verify,
-    generateAsymmetricPrivateKey,
-    getPublicKeyFromPrivateKey
-  };
-};

backend/src/lib/crypto/sign/types.ts

@@ -1,45 +0,0 @@
-import { z } from "zod";
-
-export type TAsymmetricSignVerifyFns = {
-  sign: (data: Buffer, key: Buffer, signingAlgorithm: SigningAlgorithm, isDigest: boolean) => Promise<Buffer>;
-  verify: (
-    data: Buffer,
-    signature: Buffer,
-    key: Buffer,
-    signingAlgorithm: SigningAlgorithm,
-    isDigest: boolean
-  ) => Promise<boolean>;
-  generateAsymmetricPrivateKey: () => Promise<Buffer>;
-  getPublicKeyFromPrivateKey: (privateKey: Buffer) => Buffer;
-};
-
-// Supported asymmetric key types
-export enum AsymmetricKeyAlgorithm {
-  RSA_4096 = "RSA_4096",
-  ECC_NIST_P256 = "ECC_NIST_P256"
-}
-
-export const AsymmetricKeyAlgorithmEnum = z.enum(
-  Object.values(AsymmetricKeyAlgorithm) as [string, ...string[]]
-).options;
-
-export enum SigningAlgorithm {
-  // RSA PSS algorithms
-  // These are NOT deterministic and include randomness.
-  // This means that the output signature is different each time for the same input.
-  RSASSA_PSS_SHA_512 = "RSASSA_PSS_SHA_512",
-  RSASSA_PSS_SHA_384 = "RSASSA_PSS_SHA_384",
-  RSASSA_PSS_SHA_256 = "RSASSA_PSS_SHA_256",
-
-  // RSA PKCS#1 v1.5 algorithms
-  // These are deterministic and the output is the same each time for the same input.
-  RSASSA_PKCS1_V1_5_SHA_512 = "RSASSA_PKCS1_V1_5_SHA_512",
-  RSASSA_PKCS1_V1_5_SHA_384 = "RSASSA_PKCS1_V1_5_SHA_384",
-  RSASSA_PKCS1_V1_5_SHA_256 = "RSASSA_PKCS1_V1_5_SHA_256",
-
-  // ECDSA algorithms
-  // None of these are deterministic and include randomness like RSA PSS.
-  ECDSA_SHA_512 = "ECDSA_SHA_512",
-  ECDSA_SHA_384 = "ECDSA_SHA_384",
-  ECDSA_SHA_256 = "ECDSA_SHA_256"
-}