add sentry error to integ

Add/revise docs for Codefresh and Bitbucket integrations

.env.example

@@ -47,11 +47,13 @@ CLIENT_ID_VERCEL=
 CLIENT_ID_NETLIFY=
 CLIENT_ID_GITHUB=
 CLIENT_ID_GITLAB=
+CLIENT_ID_BITBUCKET=
 CLIENT_SECRET_HEROKU=
 CLIENT_SECRET_VERCEL=
 CLIENT_SECRET_NETLIFY=
 CLIENT_SECRET_GITHUB=
 CLIENT_SECRET_GITLAB=
+CLIENT_SECRET_BITBUCKET=
 CLIENT_SLUG_VERCEL=
 
 # Sentry (optional) for monitoring errors

backend/.eslintrc

@@ -24,7 +24,6 @@
     ],
     "@typescript-eslint/no-unused-vars": "off",
     "unused-imports/no-unused-imports": "error",
-    "@typescript-eslint/no-empty-function": "off",
     "unused-imports/no-unused-vars": [
       "warn",
       {

backend/package.json

@@ -2,6 +2,7 @@
   "dependencies": {
     "@aws-sdk/client-secrets-manager": "^3.319.0",
     "@godaddy/terminus": "^4.12.0",
+    "@node-saml/passport-saml": "^4.0.4",
     "@octokit/rest": "^19.0.5",
     "@sentry/node": "^7.49.0",
     "@sentry/tracing": "^7.48.0",

backend/src/config/index.ts

@@ -37,6 +37,7 @@ export const getClientIdNetlify = async () => (await client.getSecret("CLIENT_ID
 export const getClientIdGitHub = async () => (await client.getSecret("CLIENT_ID_GITHUB")).secretValue;
 export const getClientIdGitLab = async () => (await client.getSecret("CLIENT_ID_GITLAB")).secretValue;
 export const getClientIdGoogle = async () => (await client.getSecret("CLIENT_ID_GOOGLE")).secretValue;
+export const getClientIdBitBucket = async () => (await client.getSecret("CLIENT_ID_BITBUCKET")).secretValue;
 export const getClientSecretAzure = async () => (await client.getSecret("CLIENT_SECRET_AZURE")).secretValue;
 export const getClientSecretHeroku = async () => (await client.getSecret("CLIENT_SECRET_HEROKU")).secretValue;
 export const getClientSecretVercel = async () => (await client.getSecret("CLIENT_SECRET_VERCEL")).secretValue;
@@ -44,6 +45,7 @@ export const getClientSecretNetlify = async () => (await client.getSecret("CLIEN
 export const getClientSecretGitHub = async () => (await client.getSecret("CLIENT_SECRET_GITHUB")).secretValue;
 export const getClientSecretGitLab = async () => (await client.getSecret("CLIENT_SECRET_GITLAB")).secretValue;
 export const getClientSecretGoogle = async () => (await client.getSecret("CLIENT_SECRET_GOOGLE")).secretValue;
+export const getClientSecretBitBucket = async () => (await client.getSecret("CLIENT_SECRET_BITBUCKET")).secretValue;
 export const getClientSlugVercel = async () => (await client.getSecret("CLIENT_SLUG_VERCEL")).secretValue;
 export const getPostHogHost = async () => (await client.getSecret("POSTHOG_HOST")).secretValue || "https://app.posthog.com";
 export const getPostHogProjectApiKey = async () => (await client.getSecret("POSTHOG_PROJECT_API_KEY")).secretValue || "phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE";

backend/src/controllers/v1/integrationAuthController.ts

@@ -7,6 +7,7 @@ import { IntegrationService } from "../../services";
 import {
   ALGORITHM_AES_256_GCM,
   ENCODING_SCHEME_UTF8,
+  INTEGRATION_BITBUCKET_API_URL,
   INTEGRATION_RAILWAY_API_URL,
   INTEGRATION_SET,
   INTEGRATION_VERCEL_API_URL,
@@ -141,12 +142,14 @@ export const saveIntegrationAccessToken = async (req: Request, res: Response) =>
  */
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
   const teamId = req.query.teamId as string;
+  const workspaceSlug = req.query.workspaceSlug as string;
 
   const apps = await getApps({
     integrationAuth: req.integrationAuth,
     accessToken: req.accessToken,
     accessId: req.accessId,
-    ...(teamId && { teamId })
+    ...(teamId && { teamId }),
+    ...(workspaceSlug && { workspaceSlug })
   });
 
   return res.status(200).send({
@@ -382,6 +385,66 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
   });
 };
 
+/**
+ * Return list of workspaces allowed for Bitbucket integration
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getIntegrationAuthBitBucketWorkspaces = async (req: Request, res: Response) => {
+  
+  interface WorkspaceResponse {
+    size: number;
+    page: number;
+    pageLen: number;
+    next: string;
+    previous: string;
+    values: Array<Workspace>;
+  }
+
+  interface Workspace {
+    type: string;
+    uuid: string;
+    name: string;
+    slug: string;
+    is_private: boolean;
+    created_on: string;
+    updated_on: string;
+  }
+
+  const workspaces: Workspace[] = [];
+  let hasNextPage = true;
+  let workspaceUrl = `${INTEGRATION_BITBUCKET_API_URL}/2.0/workspaces`
+
+  while (hasNextPage) {
+    const { data }: { data: WorkspaceResponse } = await standardRequest.get(
+      workspaceUrl,
+      {
+        headers: {
+          Authorization: `Bearer ${req.accessToken}`,
+          "Accept-Encoding": "application/json"
+        }
+      }
+    );
+    
+    if (data?.values.length > 0) {
+      data.values.forEach((workspace) => {
+        workspaces.push(workspace)
+      })
+    }
+
+    if (data.next) {
+      workspaceUrl = data.next
+    } else {
+      hasNextPage = false
+    }
+  }
+
+  return res.status(200).send({
+    workspaces
+  });
+};
+
 /**
  * Delete integration authorization with id [integrationAuthId]
  * @param req

backend/src/controllers/v1/integrationController.ts

@@ -2,7 +2,7 @@ import { Request, Response } from "express";
 import { Types } from "mongoose";
 import { Integration } from "../../models";
 import { EventService } from "../../services";
-import { eventPushSecrets, eventStartIntegration } from "../../events";
+import { eventStartIntegration } from "../../events";
 import Folder from "../../models/folder";
 import { getFolderByPath } from "../../services/FolderService";
 import { BadRequestError } from "../../utils/errors";

backend/src/controllers/v1/organizationController.ts

@@ -9,7 +9,7 @@ import {
 import { createOrganization as create } from "../../helpers/organization";
 import { addMembershipsOrg } from "../../helpers/membershipOrg";
 import { ACCEPTED, OWNER } from "../../variables";
-import { getSiteURL, getLicenseServerUrl } from "../../config";
+import { getLicenseServerUrl, getSiteURL } from "../../config";
 import { licenseServerKeyRequest } from "../../config/request";
 
 export const getOrganizations = async (req: Request, res: Response) => {

backend/src/controllers/v2/environmentController.ts

@@ -27,16 +27,16 @@ export const createWorkspaceEnvironment = async (
   const { workspaceId } = req.params;
   const { environmentName, environmentSlug } = req.body;
   const workspace = await Workspace.findById(workspaceId).exec();
-  
+
   if (!workspace) throw WorkspaceNotFoundError();
-  
+
   const plan = await EELicenseService.getPlan(workspace.organization.toString());
-  
+
   if (plan.environmentLimit !== null) {
     // case: limit imposed on number of environments allowed
     if (workspace.environments.length >= plan.environmentLimit) {
       // case: number of environments used exceeds the number of environments allowed
-      
+
       return res.status(400).send({
         message: "Failed to create environment due to environment limit reached. Upgrade plan to create more environments.",
       });
@@ -191,14 +191,21 @@ export const deleteWorkspaceEnvironment = async (
     workspace: workspaceId,
     environment: environmentSlug,
   });
-  await ServiceToken.deleteMany({
-    workspace: workspaceId,
-    environment: environmentSlug,
-  });
-  await ServiceTokenData.deleteMany({
-    workspace: workspaceId,
-    environment: environmentSlug,
-  });
+
+  // await ServiceToken.deleteMany({
+  //   workspace: workspaceId,
+  //   environment: environmentSlug,
+  // });
+
+  const result = await ServiceTokenData.updateMany(
+    { workspace: workspaceId },
+    { $pull: { scopes: { environment: environmentSlug } } }
+  );
+
+  if (result.modifiedCount > 0) {
+    await ServiceTokenData.deleteMany({ workspace: workspaceId, scopes: { $size: 0 } });
+  }
+
   await Integration.deleteMany({
     workspace: workspaceId,
     environment: environmentSlug,

backend/src/controllers/v2/secretController.ts

@@ -9,8 +9,6 @@ import {
 } from "../../types/secret";
 const { ValidationError } = mongoose.Error;
 import {
-  BadRequestError,
-  InternalServerError,
   ValidationError as RouteValidationError,
   UnauthorizedRequestError
 } from "../../utils/errors";

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -5,8 +5,6 @@ import { ServiceAccount, ServiceTokenData, User } from "../../models";
 import { AUTH_MODE_JWT, AUTH_MODE_SERVICE_ACCOUNT } from "../../variables";
 import { getSaltRounds } from "../../config";
 import { BadRequestError } from "../../utils/errors";
-import Folder from "../../models/folder";
-import { getFolderByPath } from "../../services/FolderService";
 
 /**
  * Return service token data associated with service token on request

backend/src/controllers/v2/signupController.ts

@@ -18,7 +18,7 @@ import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
  * @returns
  */
 export const completeAccountSignup = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
+	let user;
   const {
     email,
     firstName,
@@ -119,7 +119,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
     userAgent: req.headers["user-agent"] ?? "",
   });
 
-  token = tokens.token;
+  const token = tokens.token;
 
   // sending a welcome email to new users
   if (await getLoopsApiKey()) {
@@ -159,7 +159,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
  * @returns
  */
 export const completeAccountInvite = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
+	let user;
   const {
     email,
     firstName,
@@ -244,7 +244,7 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
     userAgent: req.headers["user-agent"] ?? "",
   });
 
-  token = tokens.token;
+  const token = tokens.token;
 
   // store (refresh) token in httpOnly cookie
   res.cookie("jid", tokens.refreshToken, {

backend/src/controllers/v2/workspaceController.ts

@@ -179,10 +179,9 @@ export const getWorkspaceKey = async (req: Request, res: Response) => {
         }
     }   
     */
-  let key;
   const { workspaceId } = req.params;
 
-  key = await Key.findOne({
+  const key = await Key.findOne({
     workspace: workspaceId,
     receiver: req.user._id
   }).populate("sender", "+publicKey");

backend/src/controllers/v3/signupController.ts

@@ -12,6 +12,7 @@ import { standardRequest } from "../../config/request";
 import { getHttpsEnabled, getJwtSignupSecret, getLoopsApiKey } from "../../config";
 import { BadRequestError } from "../../utils/errors";
 import { TelemetryService } from "../../services";
+import { AuthProvider } from "../../models";
 
 /**
  * Complete setting up user by adding their personal and auth information as part of the
@@ -116,11 +117,13 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 		if (!user)
 			throw new Error("Failed to complete account for non-existent user"); // ensure user is non-null
 
-		// initialize default organization and workspace
-		await initializeDefaultOrg({
-			organizationName,
-			user,
-		});
+		if (user.authProvider !== AuthProvider.OKTA_SAML) {
+			// initialize default organization and workspace
+			await initializeDefaultOrg({
+				organizationName,
+				user,
+			});
+		}
 
 		// update organization membership statuses that are
 		// invited to completed with user attached
@@ -174,7 +177,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 				distinctId: email,
 				properties: {
 					email,
-					attributionSource,
+					...(attributionSource ? { attributionSource } : {})
 				},
 			});
 		}

backend/src/ee/controllers/v1/index.ts

@@ -1,6 +1,7 @@
 import * as secretController from "./secretController";
 import * as secretSnapshotController from "./secretSnapshotController";
 import * as organizationsController from "./organizationsController";
+import * as ssoController from "./ssoController";
 import * as workspaceController from "./workspaceController";
 import * as actionController from "./actionController";
 import * as membershipController from "./membershipController";
@@ -10,6 +11,7 @@ export {
     secretController,
     secretSnapshotController,
     organizationsController,
+    ssoController,
     workspaceController,
     actionController,
     membershipController,

backend/src/ee/controllers/v1/organizationsController.ts

@@ -178,6 +178,12 @@ export const addOrganizationTaxId = async (req: Request, res: Response) => {
     return res.status(200).send(data); 
 }
 
+/**
+ * Delete tax id with id [taxId] from organization tax ids on file
+ * @param req 
+ * @param res 
+ * @returns 
+ */
 export const deleteOrganizationTaxId = async (req: Request, res: Response) => {
     const { taxId } = req.params;
 
@@ -188,6 +194,12 @@ export const deleteOrganizationTaxId = async (req: Request, res: Response) => {
     return res.status(200).send(data); 
 }
 
+/**
+ * Return organization's invoices on file
+ * @param req 
+ * @param res 
+ * @returns 
+ */
 export const getOrganizationInvoices = async (req: Request, res: Response) => {
     const { data: { invoices } } = await licenseServerKeyRequest.get(
         `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/invoices`

backend/src/ee/controllers/v1/ssoController.ts

@@ -0,0 +1,254 @@
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { BotOrgService } from "../../../services";
+import { SSOConfig } from "../../models";
+import { 
+    MembershipOrg,
+    User
+} from "../../../models";
+import { getSSOConfigHelper } from "../../helpers/organizations";
+import { client } from "../../../config";
+import { ResourceNotFoundError } from "../../../utils/errors";
+import { getSiteURL } from "../../../config";
+
+/**
+ * Redirect user to appropriate SSO endpoint after successful authentication
+ * to finish inputting their master key for logging in or signing up
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const redirectSSO = async (req: Request, res: Response) => {
+    if (req.isUserCompleted) {
+      return res.redirect(`${await getSiteURL()}/login/sso?token=${encodeURIComponent(req.providerAuthToken)}`);
+    }
+    
+    return res.redirect(`${await getSiteURL()}/signup/sso?token=${encodeURIComponent(req.providerAuthToken)}`);
+}
+
+/**
+ * Return organization SAML SSO configuration
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSSOConfig = async (req: Request, res: Response) => {
+    const organizationId = req.query.organizationId as string;
+    
+    const data = await getSSOConfigHelper({
+        organizationId: new Types.ObjectId(organizationId)
+    });
+
+    return res.status(200).send(data);
+}
+
+/**
+ * Update organization SAML SSO configuration
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateSSOConfig = async (req: Request, res: Response) => {
+    const {
+        organizationId,
+        authProvider,
+        isActive,
+        entryPoint,
+        issuer,
+        cert,
+        audience
+    } = req.body;
+    
+    interface PatchUpdate {
+        authProvider?: string;
+        isActive?: boolean;
+        encryptedEntryPoint?: string;
+        entryPointIV?: string;
+        entryPointTag?: string;
+        encryptedIssuer?: string;
+        issuerIV?: string;
+        issuerTag?: string;
+        encryptedCert?: string;
+        certIV?: string;
+        certTag?: string;
+        encryptedAudience?: string;
+        audienceIV?: string;
+        audienceTag?: string;
+    }
+    
+    const update: PatchUpdate = {};
+    
+    if (authProvider) {
+        update.authProvider = authProvider;
+    }
+    
+    if (isActive !== undefined) {
+        update.isActive = isActive;
+    }
+    
+    const key = await BotOrgService.getSymmetricKey(
+        new Types.ObjectId(organizationId)
+    );
+    
+    if (entryPoint) {
+        const {
+            ciphertext: encryptedEntryPoint,
+            iv: entryPointIV,
+            tag: entryPointTag
+        } = client.encryptSymmetric(entryPoint, key);
+        
+        update.encryptedEntryPoint = encryptedEntryPoint;
+        update.entryPointIV = entryPointIV;
+        update.entryPointTag = entryPointTag;
+    }
+
+    if (issuer) {
+        const {
+            ciphertext: encryptedIssuer,
+            iv: issuerIV,
+            tag: issuerTag
+        } = client.encryptSymmetric(issuer, key);
+        
+        update.encryptedIssuer = encryptedIssuer;
+        update.issuerIV = issuerIV;
+        update.issuerTag = issuerTag;
+    }
+
+    if (cert) {
+        const {
+            ciphertext: encryptedCert,
+            iv: certIV,
+            tag: certTag
+        } = client.encryptSymmetric(cert, key);
+        
+        update.encryptedCert = encryptedCert;
+        update.certIV = certIV;
+        update.certTag = certTag;
+    }
+
+    if (audience) {
+        const {
+            ciphertext: encryptedAudience,
+            iv: audienceIV,
+            tag: audienceTag
+        } = client.encryptSymmetric(audience, key);
+        
+        update.encryptedAudience = encryptedAudience;
+        update.audienceIV = audienceIV;
+        update.audienceTag = audienceTag;
+    }
+    
+    const ssoConfig = await SSOConfig.findOneAndUpdate(
+        {
+            organization: new Types.ObjectId(organizationId)
+        },
+        update,
+        {
+            new: true
+        }
+    );
+    
+    if (!ssoConfig) throw ResourceNotFoundError({
+        message: "Failed to find SSO config to update"
+    });
+    
+    if (update.isActive !== undefined) {
+        const membershipOrgs = await MembershipOrg.find({
+            organization: new Types.ObjectId(organizationId)
+        }).select("user");
+        
+        if (update.isActive) {
+            await User.updateMany(
+                {
+                    _id: {
+                        $in: membershipOrgs.map((membershipOrg) => membershipOrg.user)
+                    }
+                },
+                {
+                    authProvider: ssoConfig.authProvider
+                }
+            );
+        } else {
+            await User.updateMany(
+                {
+                    _id: {
+                        $in: membershipOrgs.map((membershipOrg) => membershipOrg.user)
+                    }
+                },
+                {
+                    $unset: {
+                        authProvider: 1
+                    }
+                }
+            );
+        }
+    }
+    
+    return res.status(200).send(ssoConfig);
+}
+
+/**
+ * Create organization SAML SSO configuration
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createSSOConfig = async (req: Request, res: Response) => {
+    const {
+        organizationId,
+        authProvider,
+        isActive,
+        entryPoint,
+        issuer,
+        cert,
+        audience
+    } = req.body;
+    
+    const key = await BotOrgService.getSymmetricKey(
+        new Types.ObjectId(organizationId)
+    );
+
+    const {
+        ciphertext: encryptedEntryPoint,
+        iv: entryPointIV,
+        tag: entryPointTag
+    } = client.encryptSymmetric(entryPoint, key);
+
+    const {
+        ciphertext: encryptedIssuer,
+        iv: issuerIV,
+        tag: issuerTag
+    } = client.encryptSymmetric(issuer, key);
+
+    const {
+        ciphertext: encryptedCert,
+        iv: certIV,
+        tag: certTag
+    } = client.encryptSymmetric(cert, key);
+
+    const {
+        ciphertext: encryptedAudience,
+        iv: audienceIV,
+        tag: audienceTag
+    } = client.encryptSymmetric(audience, key);
+    
+    const ssoConfig = await new SSOConfig({
+        organization: new Types.ObjectId(organizationId),
+        authProvider,
+        isActive,
+        encryptedEntryPoint,
+        entryPointIV,
+        entryPointTag,
+        encryptedIssuer,
+        issuerIV,
+        issuerTag,
+        encryptedCert,
+        certIV,
+        certTag,
+        encryptedAudience,
+        audienceIV,
+        audienceTag
+    }).save();
+
+    return res.status(200).send(ssoConfig);
+}

backend/src/ee/helpers/organizations.ts

@@ -0,0 +1,72 @@
+import { Types } from "mongoose";
+import {
+    SSOConfig
+} from "../models";
+import {
+    BotOrgService
+} from "../../services";
+import { client } from "../../config";
+import { ValidationError } from "../../utils/errors";
+
+export const getSSOConfigHelper = async ({
+    organizationId,
+    ssoConfigId
+}: {
+    organizationId?: Types.ObjectId;
+    ssoConfigId?: Types.ObjectId;
+}) => {
+    
+    if (!organizationId && !ssoConfigId) throw ValidationError({
+        message: "Getting SSO data requires either id of organization or SSO data"
+    });
+    
+    const ssoConfig = await SSOConfig.findOne({
+        ...(organizationId ? { organization: organizationId } : {}),
+        ...(ssoConfigId ? { _id: ssoConfigId } : {})
+    });
+    
+    if (!ssoConfig) throw new Error("Failed to find organization SSO data");
+    
+    const key = await BotOrgService.getSymmetricKey(
+        ssoConfig.organization
+    );
+    
+    const entryPoint = client.decryptSymmetric(
+        ssoConfig.encryptedEntryPoint,
+        key,
+        ssoConfig.entryPointIV,
+        ssoConfig.entryPointTag
+    );
+
+    const issuer = client.decryptSymmetric(
+        ssoConfig.encryptedIssuer,
+        key,
+        ssoConfig.issuerIV,
+        ssoConfig.issuerTag
+    );
+
+    const cert = client.decryptSymmetric(
+        ssoConfig.encryptedCert,
+        key,
+        ssoConfig.certIV,
+        ssoConfig.certTag
+    );
+
+    const audience = client.decryptSymmetric(
+        ssoConfig.encryptedAudience,
+        key,
+        ssoConfig.audienceIV,
+        ssoConfig.audienceTag
+    );
+    
+    return ({
+        _id: ssoConfig._id,
+        organization: ssoConfig.organization,
+        authProvider: ssoConfig.authProvider,
+        isActive: ssoConfig.isActive,
+        entryPoint,
+        issuer,
+        cert,
+        audience
+    });
+}

backend/src/ee/middleware/index.ts

@@ -1,7 +1,5 @@
-import requireLicenseAuth from "./requireLicenseAuth";
 import requireSecretSnapshotAuth from "./requireSecretSnapshotAuth";
 
 export {
-    requireLicenseAuth,
     requireSecretSnapshotAuth,
 }

backend/src/ee/middleware/requireLicenseAuth.ts

@@ -1,23 +0,0 @@
-import { NextFunction, Request, Response } from "express";
-
-/**
- * Validate if organization hosting meets license requirements to 
- * access a license-specific route.
- * @param {Object} obj
- * @param {String[]} obj.acceptedTiers
- */
-const requireLicenseAuth = ({
-    acceptedTiers,
-}: {
-    acceptedTiers: string[];
-}) => {
-    return async (req: Request, res: Response, next: NextFunction) => {
-        try {
-
-        } catch (err) {
-
-        }
-    }
-}
-
-export default requireLicenseAuth;

backend/src/ee/models/index.ts

@@ -3,6 +3,7 @@ import SecretVersion, { ISecretVersion } from "./secretVersion";
 import FolderVersion, { TFolderRootVersionSchema } from "./folderVersion";
 import Log, { ILog } from "./log";
 import Action, { IAction } from "./action";
+import SSOConfig, { ISSOConfig } from "./ssoConfig";
 
 export {
   SecretSnapshot,
@@ -15,4 +16,6 @@ export {
   ILog,
   Action,
   IAction,
+  SSOConfig,
+  ISSOConfig
 };

backend/src/ee/models/log.ts

@@ -63,9 +63,10 @@ const logSchema = new Schema<ILog>(
         ipAddress: {
             type: String,
         },
-    }, {
-    timestamps: true,
-}
+    }, 
+    {
+        timestamps: true,
+    }
 );
 
 const Log = model<ILog>("Log", logSchema);

backend/src/ee/models/ssoConfig.ts

@@ -0,0 +1,82 @@
+import { Schema, Types, model } from "mongoose";
+
+export interface ISSOConfig {
+    organization: Types.ObjectId;
+    authProvider: "okta-saml"
+    isActive: boolean;
+    encryptedEntryPoint: string;
+    entryPointIV: string;
+    entryPointTag: string;
+    encryptedIssuer: string;
+    issuerIV: string;
+    issuerTag: string;
+    encryptedCert: string;
+    certIV: string;
+    certTag: string;
+    encryptedAudience: string;
+    audienceIV: string;
+    audienceTag: string;
+}
+
+const ssoConfigSchema = new Schema<ISSOConfig>(
+    {
+        organization: {
+            type: Schema.Types.ObjectId,
+            ref: "Organization"
+        },
+        authProvider: {
+            type: String,
+            enum: [
+                "okta-saml"
+            ],
+            required: true
+        },
+        isActive: {
+            type: Boolean,
+            required: true
+        },
+        encryptedEntryPoint: {
+            type: String
+        },
+        entryPointIV: {
+            type: String
+        },
+        entryPointTag: {
+            type: String
+        },
+        encryptedIssuer: {
+            type: String
+        },
+        issuerIV: {
+            type: String
+        },
+        issuerTag: {
+            type: String
+        },
+        encryptedCert: {
+            type: String
+        },
+        certIV: {
+            type: String
+        },
+        certTag: {
+            type: String
+        },
+        encryptedAudience: {
+            type: String
+        },
+        audienceIV: {
+            type: String
+        },
+        audienceTag: {
+            type: String
+        }
+    },
+    {
+        timestamps: true
+    }
+);
+
+const SSOConfig = model<ISSOConfig>("SSOConfig", ssoConfigSchema);
+
+export default SSOConfig;

backend/src/ee/routes/v1/index.ts

@@ -1,6 +1,7 @@
 import secret from "./secret";
 import secretSnapshot from "./secretSnapshot";
 import organizations from "./organizations";
+import sso from "./sso";
 import workspace from "./workspace";
 import action from "./action";
 import cloudProducts from "./cloudProducts";
@@ -9,6 +10,7 @@ export {
     secret,
     secretSnapshot,
     organizations,
+    sso,
     workspace,
     action,
     cloudProducts,

backend/src/ee/routes/v1/sso.ts

@@ -0,0 +1,110 @@
+import express from "express";
+const router = express.Router();
+import passport from "passport";
+import {
+    requireAuth,
+    requireOrganizationAuth,
+    validateRequest,
+} from "../../../middleware";
+import { body, query } from "express-validator";
+import { ssoController } from "../../controllers/v1";
+import { authLimiter } from "../../../helpers/rateLimiter";
+import {
+    ACCEPTED,
+    ADMIN,
+    OWNER
+} from "../../../variables";
+
+router.get(
+  "/redirect/google",
+  authLimiter,
+  passport.authenticate("google", {
+    scope: ["profile", "email"],
+    session: false,
+  })
+);
+
+router.get(
+  "/google",
+  passport.authenticate("google", { 
+    failureRedirect: "/login/provider/error", 
+    session: false 
+  }),
+  ssoController.redirectSSO
+);
+
+router.get(
+  "/redirect/saml2/:ssoIdentifier",
+  authLimiter,
+  passport.authenticate("saml", {
+    failureRedirect: "/login/fail"
+  })
+);
+
+router.post("/saml2/:ssoIdentifier",
+  passport.authenticate("saml", { 
+    failureRedirect: "/login/provider/error", 
+    failureFlash: true, 
+    session: false 
+  }),
+  ssoController.redirectSSO
+);
+
+router.get(
+    "/config",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN],
+        acceptedStatuses: [ACCEPTED],
+        locationOrganizationId: "query"
+    }),
+    query("organizationId").exists().trim(),
+    validateRequest,
+    ssoController.getSSOConfig
+);
+
+router.post(
+    "/config",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN],
+        acceptedStatuses: [ACCEPTED],
+        locationOrganizationId: "body"
+    }),
+    body("organizationId").exists().trim(),
+    body("authProvider").exists().isString(),
+    body("isActive").exists().isBoolean(),
+    body("entryPoint").exists().isString(),
+    body("issuer").exists().isString(),
+    body("cert").exists().isString(),
+    body("audience").exists().isString(),
+    validateRequest,
+    ssoController.createSSOConfig
+);
+
+router.patch(
+    "/config",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN],
+        acceptedStatuses: [ACCEPTED],
+        locationOrganizationId: "body"
+    }),
+    body("organizationId").exists().trim(),
+    body("authProvider").optional().isString(),
+    body("isActive").optional().isBoolean(),
+    body("entryPoint").optional().isString(),
+    body("issuer").optional().isString(),
+    body("cert").optional().isString(),
+    body("audience").optional().isString(),
+    validateRequest,
+    ssoController.updateSSOConfig
+);
+
+export default router;

backend/src/ee/services/EELicenseService.ts

@@ -30,7 +30,8 @@ interface FeatureSet {
     customRateLimits: boolean;
     customAlerts: boolean;
     auditLogs: boolean;
-    status: 'incomplete' | 'incomplete_expired' | 'trialing' | 'active' | 'past_due' | 'canceled' | 'unpaid' | null;
+    samlSSO: boolean;
+    status: "incomplete" | "incomplete_expired" | "trialing" | "active" | "past_due" | "canceled" | "unpaid" | null;
     trial_end: number | null;
     has_used_trial: boolean;
 }
@@ -63,6 +64,7 @@ class EELicenseService {
         customRateLimits: true,
         customAlerts: true,
         auditLogs: false,
+        samlSSO: false,
         status: null,
         trial_end: null,
         has_used_trial: true

backend/src/helpers/botOrg.ts

@@ -0,0 +1,46 @@
+import { Types } from "mongoose";
+import { client, getEncryptionKey, getRootEncryptionKey } from "../config";
+import { BotOrg } from "../models";
+import { decryptSymmetric128BitHexKeyUTF8 } from "../utils/crypto";
+import {
+    ENCODING_SCHEME_BASE64,
+    ENCODING_SCHEME_UTF8
+} from "../variables";
+import { InternalServerError } from "../utils/errors";
+
+// TODO: DOCstrings
+
+export const getSymmetricKeyHelper = async (organizationId: Types.ObjectId) => {
+    const rootEncryptionKey = await getRootEncryptionKey();
+    const encryptionKey = await getEncryptionKey();
+
+    const botOrg = await BotOrg.findOne({
+        organization: organizationId
+    });
+    
+    if (!botOrg) throw new Error("Failed to find organization bot");
+
+    if (rootEncryptionKey && botOrg.symmetricKeyKeyEncoding == ENCODING_SCHEME_BASE64) {
+        const key = client.decryptSymmetric(
+            botOrg.encryptedSymmetricKey, 
+            rootEncryptionKey, 
+            botOrg.symmetricKeyIV, 
+            botOrg.symmetricKeyTag
+        );
+
+        return key;
+    } else if (encryptionKey && botOrg.symmetricKeyKeyEncoding === ENCODING_SCHEME_UTF8) {
+       const key = decryptSymmetric128BitHexKeyUTF8({
+            ciphertext: botOrg.encryptedSymmetricKey,
+            iv: botOrg.symmetricKeyIV,
+            tag: botOrg.symmetricKeyTag,
+            key: encryptionKey
+        });
+        
+        return key;
+    }
+
+    throw InternalServerError({
+        message: "Failed to match encryption key with organization bot symmetric key encoding"
+    });
+}

backend/src/helpers/integration.ts

@@ -9,6 +9,7 @@ import {
   INTEGRATION_VERCEL,
 } from "../variables";
 import { UnauthorizedRequestError } from "../utils/errors";
+import * as Sentry from "@sentry/node";
 
 interface Update {
   workspace: string;
@@ -115,46 +116,52 @@ export const syncIntegrationsHelper = async ({
   workspaceId: Types.ObjectId;
   environment?: string;
 }) => {
-  const integrations = await Integration.find({
-    workspace: workspaceId,
-    ...(environment
-      ? {
+  try {
+    const integrations = await Integration.find({
+      workspace: workspaceId,
+      ...(environment
+        ? {
           environment,
         }
-      : {}),
-    isActive: true,
-    app: { $ne: null },
-  });
-
-  // for each workspace integration, sync/push secrets
-  // to that integration
-  for await (const integration of integrations) {
-    // get workspace, environment (shared) secrets
-    const secrets = await BotService.getSecrets({
-      // issue here?
-      workspaceId: integration.workspace,
-      environment: integration.environment,
-      secretPath: integration.secretPath,
+        : {}),
+      isActive: true,
+      app: { $ne: null },
     });
 
-    const integrationAuth = await IntegrationAuth.findById(
-      integration.integrationAuth
-    );
-    if (!integrationAuth) throw new Error("Failed to find integration auth");
+    // for each workspace integration, sync/push secrets
+    // to that integration
+    for await (const integration of integrations) {
+      // get workspace, environment (shared) secrets
+      const secrets = await BotService.getSecrets({
+        // issue here?
+        workspaceId: integration.workspace,
+        environment: integration.environment,
+        secretPath: integration.secretPath,
+      });
 
-    // get integration auth access token
-    const access = await getIntegrationAuthAccessHelper({
-      integrationAuthId: integration.integrationAuth,
-    });
+      const integrationAuth = await IntegrationAuth.findById(
+        integration.integrationAuth
+      );
+      if (!integrationAuth) throw new Error("Failed to find integration auth");
 
-    // sync secrets to integration
-    await syncSecrets({
-      integration,
-      integrationAuth,
-      secrets,
-      accessId: access.accessId === undefined ? null : access.accessId,
-      accessToken: access.accessToken,
-    });
+      // get integration auth access token
+      const access = await getIntegrationAuthAccessHelper({
+        integrationAuthId: integration.integrationAuth,
+      });
+
+      // sync secrets to integration
+      await syncSecrets({
+        integration,
+        integrationAuth,
+        secrets,
+        accessId: access.accessId === undefined ? null : access.accessId,
+        accessToken: access.accessToken,
+      });
+    }
+  } catch (err) {
+    Sentry.captureException(err);
+    console.log(`syncIntegrationsHelper: failed with [workspaceId=${workspaceId}] [environment=${environment}]`, err) // eslint-disable-line no-use-before-define
+    throw err
   }
 };
 

backend/src/index.ts

@@ -19,6 +19,7 @@ import {
   action as eeActionRouter,
   cloudProducts as eeCloudProductsRouter,
   organizations as eeOrganizationsRouter,
+  sso as eeSSORouter,
   secret as eeSecretRouter,
   secretSnapshot as eeSecretSnapshotRouter,
   workspace as eeWorkspaceRouter
@@ -34,6 +35,7 @@ import {
   membership as v1MembershipRouter,
   organization as v1OrganizationRouter,
   password as v1PasswordRouter,
+  secretImport as v1SecretImportRouter,
   secret as v1SecretRouter,
   secretScanning as v1SecretScanningRouter,
   secretsFolder as v1SecretsFolder,
@@ -41,22 +43,21 @@ import {
   signup as v1SignupRouter,
   userAction as v1UserActionRouter,
   user as v1UserRouter,
-  workspace as v1WorkspaceRouter,
   webhooks as v1WebhooksRouter,
-  secretImport as v1SecretImportRouter
+  workspace as v1WorkspaceRouter
 } from "./routes/v1";
 import {
   auth as v2AuthRouter,
+  environment as v2EnvironmentRouter,
   organizations as v2OrganizationsRouter,
-  signup as v2SignupRouter,
-  users as v2UsersRouter,
-  workspace as v2WorkspaceRouter,
   secret as v2SecretRouter, // begin to phase out
   secrets as v2SecretsRouter,
-  serviceTokenData as v2ServiceTokenDataRouter,
   serviceAccounts as v2ServiceAccountsRouter,
-  environment as v2EnvironmentRouter,
-  tags as v2TagsRouter
+  serviceTokenData as v2ServiceTokenDataRouter,
+  signup as v2SignupRouter,
+  tags as v2TagsRouter,
+  users as v2UsersRouter,
+  workspace as v2WorkspaceRouter,
 } from "./routes/v2";
 import {
   auth as v3AuthRouter,
@@ -81,6 +82,7 @@ const main = async () => {
   const app = express();
   app.enable("trust proxy");
   app.use(express.json());
+  app.use(express.urlencoded({ extended: false }));
   app.use(cookieParser());
   app.use(
     cors({
@@ -130,6 +132,7 @@ const main = async () => {
   app.use("/api/v1/workspace", eeWorkspaceRouter);
   app.use("/api/v1/action", eeActionRouter);
   app.use("/api/v1/organizations", eeOrganizationsRouter);
+  app.use("/api/v1/sso", eeSSORouter);
   app.use("/api/v1/cloud-products", eeCloudProductsRouter);
 
   // v1 routes (default)

backend/src/integrations/apps.ts

@@ -5,12 +5,16 @@ import {
   INTEGRATION_AWS_PARAMETER_STORE,
   INTEGRATION_AWS_SECRET_MANAGER,
   INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_BITBUCKET,
+  INTEGRATION_BITBUCKET_API_URL,
   INTEGRATION_CHECKLY,
   INTEGRATION_CHECKLY_API_URL,
   INTEGRATION_CIRCLECI,
   INTEGRATION_CIRCLECI_API_URL,
   INTEGRATION_CLOUDFLARE_PAGES,
   INTEGRATION_CLOUDFLARE_PAGES_API_URL,
+  INTEGRATION_CODEFRESH,
+  INTEGRATION_CODEFRESH_API_URL,
   INTEGRATION_FLYIO,
   INTEGRATION_FLYIO_API_URL,
   INTEGRATION_GITHUB,
@@ -31,7 +35,7 @@ import {
   INTEGRATION_TRAVISCI,
   INTEGRATION_TRAVISCI_API_URL,
   INTEGRATION_VERCEL,
-  INTEGRATION_VERCEL_API_URL,
+  INTEGRATION_VERCEL_API_URL
 } from "../variables";
 
 interface App {
@@ -54,11 +58,13 @@ const getApps = async ({
   accessToken,
   accessId,
   teamId,
+  workspaceSlug,
 }: {
   integrationAuth: IIntegrationAuth;
   accessToken: string;
   accessId?: string;
   teamId?: string;
+  workspaceSlug?: string;
 }) => {
   let apps: App[] = [];
   switch (integrationAuth.integration) {
@@ -145,6 +151,17 @@ const getApps = async ({
         accountId: accessId
       })
       break;
+    case INTEGRATION_BITBUCKET:
+      apps = await getAppsBitBucket({
+        accessToken,
+        workspaceSlug
+      });
+      break;
+    case INTEGRATION_CODEFRESH:
+      apps = await getAppsCodefresh({
+        accessToken,
+      });
+      break;
   }
 
   return apps;
@@ -196,10 +213,10 @@ const getAppsVercel = async ({
       },
       ...(integrationAuth?.teamId
         ? {
-            params: {
-              teamId: integrationAuth.teamId,
-            },
-          }
+          params: {
+            teamId: integrationAuth.teamId,
+          },
+        }
         : {}),
     })
   ).data;
@@ -695,15 +712,76 @@ const getAppsCheckly = async ({ accessToken }: { accessToken: string }) => {
  * @returns {Object[]} apps - Cloudflare Pages projects
  * @returns {String} apps.name - name of Cloudflare Pages project
  */
-const getAppsCloudflarePages = async ({ 
-    accessToken,
-    accountId
+const getAppsCloudflarePages = async ({
+  accessToken,
+  accountId
 }: {
-    accessToken: string;
-    accountId?: string;
+  accessToken: string;
+  accountId?: string;
 }) => {
-    const { data } = await standardRequest.get(
-        `${INTEGRATION_CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accountId}/pages/projects`,
+  const { data } = await standardRequest.get(
+    `${INTEGRATION_CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accountId}/pages/projects`,
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept": "application/json",
+      },
+    }
+  );
+
+  const apps = data.result.map((a: any) => {
+    return {
+      name: a.name,
+      appId: a.id,
+    };
+  });
+  return apps;
+}
+
+/**
+ * Return list of repositories for the BitBucket integration based on provided BitBucket workspace
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for BitBucket API
+ * @param {String} obj.workspaceSlug - Workspace identifier for fetching BitBucket repositories
+ * @returns {Object[]} apps - BitBucket repositories
+ * @returns {String} apps.name - name of BitBucket repository
+ */
+const getAppsBitBucket = async ({ 
+  accessToken,
+  workspaceSlug,
+}: {
+  accessToken: string;
+  workspaceSlug?: string;
+}) => {
+  interface RepositoriesResponse {
+    size: number;
+    page: number;
+    pageLen: number;
+    next: string;
+    previous: string;
+    values: Array<Repository>;
+  }
+
+  interface Repository {
+    type: string;
+    uuid: string;
+    name: string;
+    is_private: boolean;
+    created_on: string;
+    updated_on: string;
+  }
+
+  if (!workspaceSlug) {
+    return []
+  }
+  
+  const repositories: Repository[] = [];
+  let hasNextPage = true;
+  let repositoriesUrl = `${INTEGRATION_BITBUCKET_API_URL}/2.0/repositories/${workspaceSlug}`
+
+  while (hasNextPage) {
+    const { data }: { data: RepositoriesResponse } = await standardRequest.get(
+        repositoriesUrl,
         {
             headers: {
                 Authorization: `Bearer ${accessToken}`,
@@ -712,13 +790,56 @@ const getAppsCloudflarePages = async ({
         }
     );
 
-    const apps = data.result.map((a: any) => {
-        return {
-            name: a.name,
-            appId: a.id,
-        };
-    });
-    return apps;
+    if (data?.values.length > 0) {
+      data.values.forEach((repository) => {
+        repositories.push(repository)
+      })
+    }
+
+    if (data.next) {
+      repositoriesUrl = data.next
+    } else {
+      hasNextPage = false
+    }
+  }
+
+  const apps = repositories.map((repository) => {
+      return {
+          name: repository.name,
+          appId: repository.uuid,
+      };
+  });
+  return apps;
 }
 
+/**
+ * Return list of projects for Supabase integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Supabase API
+ * @returns {Object[]} apps - names of Supabase apps
+ * @returns {String} apps.name - name of Supabase app
+ */
+
+const getAppsCodefresh = async ({
+  accessToken,
+}: {
+  accessToken: string;
+}) => {
+  const res = (
+    await standardRequest.get(`${INTEGRATION_CODEFRESH_API_URL}/projects`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json",
+      },
+    })
+  ).data;
+
+  const apps = res.projects.map((a: any) => ({
+    name: a.projectName,
+    appId: a.id,
+  }));
+
+  return apps;
+
+};
 export { getApps };

backend/src/integrations/exchange.ts

@@ -2,6 +2,8 @@ import { standardRequest } from "../config/request";
 import {
   INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_AZURE_TOKEN_URL,
+  INTEGRATION_BITBUCKET,
+  INTEGRATION_BITBUCKET_TOKEN_URL,
   INTEGRATION_GITHUB,
   INTEGRATION_GITHUB_TOKEN_URL,
   INTEGRATION_GITLAB,
@@ -15,11 +17,13 @@ import {
 } from "../variables";
 import {
   getClientIdAzure,
+  getClientIdBitBucket,
   getClientIdGitHub,
   getClientIdGitLab,
   getClientIdNetlify,
   getClientIdVercel,
   getClientSecretAzure,
+  getClientSecretBitBucket,
   getClientSecretGitHub,
   getClientSecretGitLab,
   getClientSecretHeroku,
@@ -78,6 +82,15 @@ interface ExchangeCodeGitlabResponse {
   created_at: number;
 }
 
+interface ExchangeCodeBitBucketResponse {
+  access_token: string;
+  token_type: string;
+  expires_in: number;
+  refresh_token: string;
+  scopes: string;
+  state: string;
+}
+
 /**
  * Return [accessToken], [accessExpiresAt], and [refreshToken] for OAuth2
  * code-token exchange for integration named [integration]
@@ -129,6 +142,12 @@ const exchangeCode = async ({
       obj = await exchangeCodeGitlab({
         code,
       });
+      break;
+    case INTEGRATION_BITBUCKET:
+      obj = await exchangeCodeBitBucket({
+        code,
+      });
+      break;
   }
 
   return obj;
@@ -347,4 +366,43 @@ const exchangeCodeGitlab = async ({ code }: { code: string }) => {
   };
 };
 
+/**
+ * Return [accessToken], [accessExpiresAt], and [refreshToken] for BitBucket
+ * code-token exchange
+ * @param {Object} obj1
+ * @param {Object} obj1.code - code for code-token exchange
+ * @returns {Object} obj2
+ * @returns {String} obj2.accessToken - access token for BitBucket API
+ * @returns {String} obj2.refreshToken - refresh token for BitBucket API
+ * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
+ */
+const exchangeCodeBitBucket = async ({ code }: { code: string }) => {
+  const accessExpiresAt = new Date();
+  const res: ExchangeCodeBitBucketResponse = (
+    await standardRequest.post(
+      INTEGRATION_BITBUCKET_TOKEN_URL,
+      new URLSearchParams({
+        grant_type: "authorization_code",
+        code: code,
+        client_id: await getClientIdBitBucket(),
+        client_secret: await getClientSecretBitBucket(),
+        redirect_uri: `${await getSiteURL()}/integrations/bitbucket/oauth2/callback`,
+      } as any),
+      {
+        headers: {
+          "Accept-Encoding": "application/json",
+        },
+      }
+    )
+  ).data;
+
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + res.expires_in);
+
+  return {
+    accessToken: res.access_token,
+    refreshToken: res.refresh_token,
+    accessExpiresAt,
+  };
+};
+
 export { exchangeCode };

backend/src/integrations/refresh.ts

@@ -2,6 +2,8 @@ import { standardRequest } from "../config/request";
 import { IIntegrationAuth } from "../models";
 import {
   INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_BITBUCKET,
+  INTEGRATION_BITBUCKET_TOKEN_URL,
   INTEGRATION_GITLAB,
   INTEGRATION_HEROKU,
 } from "../variables";
@@ -13,8 +15,10 @@ import {
 import { IntegrationService } from "../services";
 import {
   getClientIdAzure,
+  getClientIdBitBucket,
   getClientIdGitLab,
   getClientSecretAzure,
+  getClientSecretBitBucket,
   getClientSecretGitLab,
   getClientSecretHeroku,
   getSiteURL,
@@ -46,6 +50,15 @@ interface RefreshTokenGitLabResponse {
   created_at: number;
 }
 
+interface RefreshTokenBitBucketResponse {
+  access_token: string;
+  token_type: string;
+  expires_in: number;
+  refresh_token: string;
+  scopes: string;
+  state: string;
+}
+
 /**
  * Return new access token by exchanging refresh token [refreshToken] for integration
  * named [integration]
@@ -83,6 +96,11 @@ const exchangeRefresh = async ({
         refreshToken,
       });
       break;
+    case INTEGRATION_BITBUCKET:
+      tokenDetails = await exchangeRefreshBitBucket({
+        refreshToken,
+      });
+      break;
     default:
       throw new Error("Failed to exchange token for incompatible integration");
   }
@@ -218,4 +236,46 @@ const exchangeRefreshGitLab = async ({
   };
 };
 
+/**
+ * Return new access token by exchanging refresh token [refreshToken] for the
+ * BitBucket integration
+ * @param {Object} obj
+ * @param {String} obj.refreshToken - refresh token to use to get new access token for BitBucket
+ * @returns
+ */
+const exchangeRefreshBitBucket = async ({
+  refreshToken,
+}: {
+  refreshToken: string;
+}) => {
+  const accessExpiresAt = new Date();
+  const {
+    data,
+  }: {
+    data: RefreshTokenBitBucketResponse;
+  } = await standardRequest.post(
+    INTEGRATION_BITBUCKET_TOKEN_URL,
+    new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: await getClientIdBitBucket(),
+      client_secret: await getClientSecretBitBucket(),
+      redirect_uri: `${await getSiteURL()}/integrations/bitbucket/oauth2/callback`,
+    } as any),
+    {
+      headers: {
+        "Accept-Encoding": "application/json",
+      },
+    }
+  );
+
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + data.expires_in);
+
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    accessExpiresAt,
+  };
+};
+
 export { exchangeRefresh };

backend/src/integrations/revoke.ts

@@ -18,7 +18,6 @@ const revokeAccess = async ({
   integrationAuth: IIntegrationAuth;
   accessToken: string;
 }) => {
-  let deletedIntegrationAuth;
   // add any integration-specific revocation logic
   switch (integrationAuth.integration) {
     case INTEGRATION_HEROKU:
@@ -33,7 +32,7 @@ const revokeAccess = async ({
       break;
   }
 
-  deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
+  const deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
     _id: integrationAuth._id,
   });
 

backend/src/integrations/sync.ts

@@ -1,7 +1,7 @@
 import _ from "lodash";
 import AWS from "aws-sdk";
-import { 
-  CreateSecretCommand, 
+import {
+  CreateSecretCommand,
   GetSecretValueCommand,
   ResourceNotFoundException,
   SecretsManagerClient,
@@ -14,12 +14,16 @@ import {
   INTEGRATION_AWS_PARAMETER_STORE,
   INTEGRATION_AWS_SECRET_MANAGER,
   INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_BITBUCKET,
+  INTEGRATION_BITBUCKET_API_URL,
   INTEGRATION_CHECKLY,
   INTEGRATION_CHECKLY_API_URL,
   INTEGRATION_CIRCLECI,
   INTEGRATION_CIRCLECI_API_URL,
   INTEGRATION_CLOUDFLARE_PAGES,
   INTEGRATION_CLOUDFLARE_PAGES_API_URL,
+  INTEGRATION_CODEFRESH,
+  INTEGRATION_CODEFRESH_API_URL,
   INTEGRATION_FLYIO,
   INTEGRATION_FLYIO_API_URL,
   INTEGRATION_GITHUB,
@@ -41,9 +45,9 @@ import {
   INTEGRATION_TRAVISCI,
   INTEGRATION_TRAVISCI_API_URL,
   INTEGRATION_VERCEL,
-  INTEGRATION_VERCEL_API_URL,
+  INTEGRATION_VERCEL_API_URL
 } from "../variables";
-import { standardRequest} from "../config/request";
+import { standardRequest } from "../config/request";
 
 /**
  * Sync/push [secrets] to [app] in integration named [integration]
@@ -173,11 +177,11 @@ const syncSecrets = async ({
       break;
     case INTEGRATION_SUPABASE:
       await syncSecretsSupabase({
-          integration,
-          secrets,
-          accessToken,
-        });
-        break;
+        integration,
+        secrets,
+        accessToken,
+      });
+      break;
     case INTEGRATION_CHECKLY:
       await syncSecretsCheckly({
         integration,
@@ -196,13 +200,27 @@ const syncSecrets = async ({
       break;
     case INTEGRATION_CLOUDFLARE_PAGES:
       await syncSecretsCloudflarePages({
-          integration,
-          secrets,
-          accessId,
-          accessToken
+        integration,
+        secrets,
+        accessId,
+        accessToken
       });
       break;
-    }
+    case INTEGRATION_CODEFRESH:
+      await syncSecretsCodefresh({
+        integration,
+        secrets,
+        accessToken,
+      });
+      break;
+    case INTEGRATION_BITBUCKET:
+      await syncSecretsBitBucket({
+        integration,
+        secrets,
+        accessToken,
+      });
+      break;
+  }
 };
 
 /**
@@ -231,11 +249,11 @@ const syncSecretsAzureKeyVault = async ({
       recoverableDays: number;
     }
   }
-  
+
   interface AzureKeyVaultSecret extends GetAzureKeyVaultSecret {
     key: string;
   }
-  
+
   /**
    * Return all secrets from Azure Key Vault by paginating through URL [url]
    * @param {String} url - pagination URL to get next set of secrets from Azure Key Vault
@@ -249,23 +267,23 @@ const syncSecretsAzureKeyVault = async ({
           Authorization: `Bearer ${accessToken}`,
         },
       });
-      
+
       result = result.concat(res.data.value);
-      
+
       url = res.data.nextLink;
     }
-    
+
     return result;
   }
-  
+
   const getAzureKeyVaultSecrets = await paginateAzureKeyVaultSecrets(`${integration.app}/secrets?api-version=7.3`);
-  
+
   let lastSlashIndex: number;
   const res = (await Promise.all(getAzureKeyVaultSecrets.map(async (getAzureKeyVaultSecret) => {
     if (!lastSlashIndex) {
       lastSlashIndex = getAzureKeyVaultSecret.id.lastIndexOf("/");
     }
-    
+
     const azureKeyVaultSecret = await standardRequest.get(`${getAzureKeyVaultSecret.id}?api-version=7.3`, {
       headers: {
         "Authorization": `Bearer ${accessToken}`,
@@ -277,11 +295,11 @@ const syncSecretsAzureKeyVault = async ({
       key: getAzureKeyVaultSecret.id.substring(lastSlashIndex + 1),
     });
   })))
-  .reduce((obj: any, secret: any) => ({
+    .reduce((obj: any, secret: any) => ({
       ...obj,
       [secret.key]: secret,
-  }), {});
-  
+    }), {});
+
   const setSecrets: {
     key: string;
     value: string;
@@ -305,9 +323,9 @@ const syncSecretsAzureKeyVault = async ({
       }
     }
   });
-  
+
   const deleteSecrets: AzureKeyVaultSecret[] = [];
-  
+
   Object.keys(res).forEach((key) => {
     const underscoredKey = key.replace(/-/g, "_");
     if (!(underscoredKey in secrets)) {
@@ -328,7 +346,7 @@ const syncSecretsAzureKeyVault = async ({
   }) => {
     let isSecretSet = false;
     let maxTries = 6;
-    
+
     while (!isSecretSet && maxTries > 0) {
       // try to set secret
       try {
@@ -345,7 +363,7 @@ const syncSecretsAzureKeyVault = async ({
         );
 
         isSecretSet = true;
-      
+
       } catch (err) {
         const error: any = err;
         if (error?.response?.data?.error?.innererror?.code === "ObjectIsDeletedButRecoverable") {
@@ -365,7 +383,7 @@ const syncSecretsAzureKeyVault = async ({
       }
     }
   }
-  
+
   // Sync/push set secrets
   for await (const setSecret of setSecrets) {
     const { key, value } = setSecret;
@@ -376,7 +394,7 @@ const syncSecretsAzureKeyVault = async ({
       accessToken,
     });
   }
-  
+
   for await (const deleteSecret of deleteSecrets) {
     const { key } = deleteSecret;
     await standardRequest.delete(`${integration.app}/secrets/${key}?api-version=7.3`, {
@@ -418,7 +436,7 @@ const syncSecretsAWSParameterStore = async ({
     apiVersion: "2014-11-06",
     region: integration.region,
   });
-  
+
   const params = {
     Path: integration.path,
     Recursive: true,
@@ -426,61 +444,61 @@ const syncSecretsAWSParameterStore = async ({
   };
 
   const parameterList = (await ssm.getParametersByPath(params).promise()).Parameters
-  
+
   let awsParameterStoreSecretsObj: {
     [key: string]: any // TODO: fix type
   } = {};
 
   if (parameterList) {
     awsParameterStoreSecretsObj = parameterList.reduce((obj: any, secret: any) => ({
-        ...obj,
-        [secret.Name.split("/").pop()]: secret,
+      ...obj,
+      [secret.Name.split("/").pop()]: secret,
     }), {});
   }
 
   // Identify secrets to create
   Object.keys(secrets).map(async (key) => {
-      if (!(key in awsParameterStoreSecretsObj)) {
-        // case: secret does not exist in AWS parameter store
-        // -> create secret
+    if (!(key in awsParameterStoreSecretsObj)) {
+      // case: secret does not exist in AWS parameter store
+      // -> create secret
+      await ssm.putParameter({
+        Name: `${integration.path}${key}`,
+        Type: "SecureString",
+        Value: secrets[key],
+        Overwrite: true,
+      }).promise();
+    } else {
+      // case: secret exists in AWS parameter store
+
+      if (awsParameterStoreSecretsObj[key].Value !== secrets[key]) {
+        // case: secret value doesn't match one in AWS parameter store
+        // -> update secret
         await ssm.putParameter({
           Name: `${integration.path}${key}`,
           Type: "SecureString",
           Value: secrets[key],
           Overwrite: true,
         }).promise();
-      } else {
-        // case: secret exists in AWS parameter store
-        
-        if (awsParameterStoreSecretsObj[key].Value !== secrets[key]) {
-          // case: secret value doesn't match one in AWS parameter store
-          // -> update secret
-          await ssm.putParameter({
-            Name: `${integration.path}${key}`,
-            Type: "SecureString",
-            Value: secrets[key],
-            Overwrite: true,
-          }).promise();
-        }
       }
+    }
   });
 
   // Identify secrets to delete
   Object.keys(awsParameterStoreSecretsObj).map(async (key) => {
-      if (!(key in secrets)) {
-        // case: 
-        // -> delete secret
-        await ssm.deleteParameter({
-          Name: awsParameterStoreSecretsObj[key].Name,
-        }).promise();
-      }
+    if (!(key in secrets)) {
+      // case: 
+      // -> delete secret
+      await ssm.deleteParameter({
+        Name: awsParameterStoreSecretsObj[key].Name,
+      }).promise();
+    }
   });
 
   AWS.config.update({
     region: undefined,
     accessKeyId: undefined,
     secretAccessKey: undefined,
-  }); 
+  });
 }
 
 /**
@@ -511,7 +529,7 @@ const syncSecretsAWSSecretManager = async ({
       accessKeyId: accessId,
       secretAccessKey: accessToken,
     });
-    
+
     secretsManager = new SecretsManagerClient({
       region: integration.region,
       credentials: {
@@ -525,13 +543,13 @@ const syncSecretsAWSSecretManager = async ({
         SecretId: integration.app,
       })
     );
-    
+
     let awsSecretManagerSecretObj: { [key: string]: any } = {};
-    
+
     if (awsSecretManagerSecret?.SecretString) {
       awsSecretManagerSecretObj = JSON.parse(awsSecretManagerSecret.SecretString);
     }
-    
+
     if (!_.isEqual(awsSecretManagerSecretObj, secrets)) {
       await secretsManager.send(new UpdateSecretCommand({
         SecretId: integration.app,
@@ -543,19 +561,19 @@ const syncSecretsAWSSecretManager = async ({
       region: undefined,
       accessKeyId: undefined,
       secretAccessKey: undefined,
-    }); 
+    });
   } catch (err) {
     if (err instanceof ResourceNotFoundException && secretsManager) {
       await secretsManager.send(new CreateSecretCommand({
         Name: integration.app,
         SecretString: JSON.stringify(secrets),
       }));
-    } 
+    }
     AWS.config.update({
       region: undefined,
       accessKeyId: undefined,
       secretAccessKey: undefined,
-    }); 
+    });
   }
 }
 
@@ -638,38 +656,36 @@ const syncSecretsVercel = async ({
     decrypt: "true",
     ...(integrationAuth?.teamId
       ? {
-          teamId: integrationAuth.teamId,
-        }
+        teamId: integrationAuth.teamId,
+      }
       : {}),
   };
-    
+
   const vercelSecrets: VercelSecret[] = (await standardRequest.get(
     `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env`,
     {
       params,
       headers: {
-          Authorization: `Bearer ${accessToken}`,
-          "Accept-Encoding": "application/json",
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json",
       },
     }
   ))
-  .data
-  .envs
-  .filter((secret: VercelSecret) => { 
-    if (!secret.target.includes(integration.targetEnvironment)) {
-      // case: secret does not have the same target environment
-      return false;
-    }
+    .data
+    .envs
+    .filter((secret: VercelSecret) => {
+      if (!secret.target.includes(integration.targetEnvironment)) {
+        // case: secret does not have the same target environment
+        return false;
+      }
 
-    if (integration.targetEnvironment === "preview" && integration.path && integration.path !== secret.gitBranch) {
-      // case: secret on preview environment does not have same target git branch
-      return false;
-    }
+      if (integration.targetEnvironment === "preview" && integration.path && integration.path !== secret.gitBranch) {
+        // case: secret on preview environment does not have same target git branch
+        return false;
+      }
 
-    return true;
-  });
-
-  // return secret.target.includes(integration.targetEnvironment);
+      return true;
+    });
 
   const res: { [key: string]: VercelSecret } = {};
 
@@ -677,14 +693,14 @@ const syncSecretsVercel = async ({
     if (vercelSecret.type === "encrypted") {
       // case: secret is encrypted -> need to decrypt
       const decryptedSecret = (await standardRequest.get(
-          `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${vercelSecret.id}`,
-          {
-            params,
-            headers: {
-                Authorization: `Bearer ${accessToken}`,
-                "Accept-Encoding": "application/json",
-            },
-          }
+        `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${vercelSecret.id}`,
+        {
+          params,
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json",
+          },
+        }
       )).data;
 
       res[vercelSecret.key] = decryptedSecret;
@@ -692,7 +708,7 @@ const syncSecretsVercel = async ({
       res[vercelSecret.key] = vercelSecret;
     }
   }
-  
+
   const updateSecrets: VercelSecret[] = [];
   const deleteSecrets: VercelSecret[] = [];
   const newSecrets: VercelSecret[] = [];
@@ -723,9 +739,9 @@ const syncSecretsVercel = async ({
           key: key,
           value: secrets[key],
           type: res[key].type,
-          target: res[key].target.includes(integration.targetEnvironment) 
-          ? [...res[key].target] 
-          : [...res[key].target, integration.targetEnvironment],
+          target: res[key].target.includes(integration.targetEnvironment)
+            ? [...res[key].target]
+            : [...res[key].target, integration.targetEnvironment],
           ...(integration.path ? {
             gitBranch: integration.path,
           } : {}),
@@ -775,7 +791,7 @@ const syncSecretsVercel = async ({
           },
         }
       );
-    } 
+    }
   }
 
   for await (const secret of deleteSecrets) {
@@ -788,7 +804,7 @@ const syncSecretsVercel = async ({
           "Accept-Encoding": "application/json",
         },
       }
-    ); 
+    );
   }
 };
 
@@ -1375,7 +1391,7 @@ const syncSecretsCircleCI = async ({
   integration: IIntegration;
   secrets: any;
   accessToken: string;
-}) => {  
+}) => {
   const circleciOrganizationDetail = (
     await standardRequest.get(`${INTEGRATION_CIRCLECI_API_URL}/v2/me/collaborations`, {
       headers: {
@@ -1462,13 +1478,13 @@ const syncSecretsTravisCI = async ({
       }
     )
   )
-  .data
-  ?.env_vars
-  .reduce((obj: any, secret: any) => ({
+    .data
+    ?.env_vars
+    .reduce((obj: any, secret: any) => ({
       ...obj,
       [secret.name]: secret,
-  }), {});
-  
+    }), {});
+
   // add secrets
   for await (const key of Object.keys(secrets)) {
     if (!(key in getSecretsRes)) {
@@ -1513,7 +1529,7 @@ const syncSecretsTravisCI = async ({
   }
 
   for await (const key of Object.keys(getSecretsRes)) {
-    if (!(key in secrets)){
+    if (!(key in secrets)) {
       // delete secret
       await standardRequest.delete(
         `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars/${getSecretsRes[key].id}?repository_id=${getSecretsRes[key].repository_id}`,
@@ -1558,29 +1574,29 @@ const syncSecretsGitLab = async ({
       "Authorization": `Bearer ${accessToken}`,
       "Accept-Encoding": "application/json",
     };
-  
+
     let allEnvVariables: GitLabSecret[] = [];
     let url: string | null = `${gitLabApiUrl}?per_page=100`;
-  
+
     while (url) {
       const response: any = await standardRequest.get(url, { headers });
       allEnvVariables = [...allEnvVariables, ...response.data];
-  
+
       const linkHeader = response.headers.link;
       const nextLink = linkHeader?.split(",").find((part: string) => part.includes('rel="next"'));
-  
+
       if (nextLink) {
         url = nextLink.trim().split(";")[0].slice(1, -1);
       } else {
         url = null;
       }
     }
-  
+
     return allEnvVariables;
   };
 
   const allEnvVariables = await getAllEnvVariables(integration?.appId, accessToken);
-  const getSecretsRes: GitLabSecret[] = allEnvVariables.filter((secret: GitLabSecret) => 
+  const getSecretsRes: GitLabSecret[] = allEnvVariables.filter((secret: GitLabSecret) =>
     secret.environment_scope === integration.targetEnvironment
   );
 
@@ -1662,8 +1678,8 @@ const syncSecretsSupabase = async ({
     `${INTEGRATION_SUPABASE_API_URL}/v1/projects/${integration.appId}/secrets`,
     {
       headers: {
-          Authorization: `Bearer ${accessToken}`,
-          "Accept-Encoding": "application/json",
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json",
       },
     }
   );
@@ -1672,8 +1688,8 @@ const syncSecretsSupabase = async ({
   const modifiedFormatForSecretInjection = Object.keys(secrets).map(
     (key) => {
       return {
-          name: key,
-          value: secrets[key],
+        name: key,
+        value: secrets[key],
       };
     }
   );
@@ -1683,8 +1699,8 @@ const syncSecretsSupabase = async ({
     modifiedFormatForSecretInjection,
     {
       headers: {
-          Authorization: `Bearer ${accessToken}`,
-          "Accept-Encoding": "application/json",
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json",
       },
     }
   );
@@ -1692,7 +1708,7 @@ const syncSecretsSupabase = async ({
   const secretsToDelete: any = [];
   getSecretsRes?.forEach((secretObj: any) => {
     if (!(secretObj.name in secrets)) {
-        secretsToDelete.push(secretObj.name);
+      secretsToDelete.push(secretObj.name);
     }
   });
 
@@ -1739,18 +1755,18 @@ const syncSecretsCheckly = async ({
       }
     )
   )
-  .data
-  .reduce((obj: any, secret: any) => ({
+    .data
+    .reduce((obj: any, secret: any) => ({
       ...obj,
       [secret.key]: secret.value,
-  }), {});
-  
+    }), {});
+
   // add secrets
   for await (const key of Object.keys(secrets)) {
     if (!(key in getSecretsRes)) {
       // case: secret does not exist in checkly
       // -> add secret
-      
+
       await standardRequest.post(
         `${INTEGRATION_CHECKLY_API_URL}/v1/variables`,
         {
@@ -1769,7 +1785,7 @@ const syncSecretsCheckly = async ({
     } else {
       // case: secret exists in checkly
       // -> update/set secret
-      
+
       if (secrets[key] !== getSecretsRes[key]) {
         await standardRequest.put(
           `${INTEGRATION_CHECKLY_API_URL}/v1/variables/${key}`,
@@ -1790,7 +1806,7 @@ const syncSecretsCheckly = async ({
   }
 
   for await (const key of Object.keys(getSecretsRes)) {
-    if (!(key in secrets)){
+    if (!(key in secrets)) {
       // delete secret
       await standardRequest.delete(
         `${INTEGRATION_CHECKLY_API_URL}/v1/variables/${key}`,
@@ -1827,13 +1843,13 @@ const syncSecretsHashiCorpVault = async ({
   accessToken: string;
 }) => {
   if (!accessId) return;
-  
+
   interface LoginAppRoleRes {
     auth: {
       client_token: string;
     }
   }
-  
+
   // get Vault client token (could be optimized)
   const { data }: { data: LoginAppRoleRes } = await standardRequest.post(
     `${integrationAuth.url}/v1/auth/approle/login`,
@@ -1847,7 +1863,7 @@ const syncSecretsHashiCorpVault = async ({
       },
     }
   );
-  
+
   const clientToken = data.auth.client_token;
 
   await standardRequest.post(
@@ -1875,46 +1891,46 @@ const syncSecretsHashiCorpVault = async ({
  * @param {String} obj.accessToken - API token for Cloudflare
  */
 const syncSecretsCloudflarePages = async ({
-    integration,
-    secrets,
-    accessId,
-    accessToken,
+  integration,
+  secrets,
+  accessId,
+  accessToken,
 }: {
-    integration: IIntegration;
-    secrets: any;
-    accessId: string | null;
-    accessToken: string;
+  integration: IIntegration;
+  secrets: any;
+  accessId: string | null;
+  accessToken: string;
 }) => {
 
   // get secrets from cloudflare pages
   const getSecretsRes = (
-      await standardRequest.get(
-          `${INTEGRATION_CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accessId}/pages/projects/${integration.app}`,
-          {
-              headers: {
-                  Authorization: `Bearer ${accessToken}`,
-                  "Accept": "application/json",
-              },
-          }
-      )
+    await standardRequest.get(
+      `${INTEGRATION_CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accessId}/pages/projects/${integration.app}`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Accept": "application/json",
+        },
+      }
+    )
   )
   .data.result["deployment_configs"][integration.targetEnvironment]["env_vars"];
 
   // copy the secrets object, so we can set deleted keys to null
-  const secretsObj: any = {...secrets};
+  const secretsObj: any = { ...secrets };
 
   for (const [key, val] of Object.entries(secretsObj)) {
-      secretsObj[key] = { type: "secret_text", value: val };
+    secretsObj[key] = { type: "secret_text", value: val };
   }
 
   if (getSecretsRes) {
-      for await (const key of Object.keys(getSecretsRes)) {
-          if (!(key in secrets)) {
-              // case: secret does not exist in infisical
-              // -> delete secret from cloudflare pages
-              secretsObj[key] = null;
-          }
+    for await (const key of Object.keys(getSecretsRes)) {
+      if (!(key in secrets)) {
+        // case: secret does not exist in infisical
+        // -> delete secret from cloudflare pages
+        secretsObj[key] = null;
       }
+    }
   }
 
   const data = {
@@ -1926,15 +1942,163 @@ const syncSecretsCloudflarePages = async ({
   };
 
   await standardRequest.patch(
-      `${INTEGRATION_CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accessId}/pages/projects/${integration.app}`,
-      data,
-      {
-          headers: {
-              Authorization: `Bearer ${accessToken}`,
-              "Accept": "application/json",
-          },
-      }
+    `${INTEGRATION_CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accessId}/pages/projects/${integration.app}`,
+    data,
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept": "application/json",
+      },
+    }
   );
 }
 
+/**
+ * Sync/push [secrets] to BitBucket repo with name [integration.app]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {IIntegrationAuth} obj.integrationAuth - integration auth details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for BitBucket integration
+ */
+const syncSecretsBitBucket = async ({
+  integration,
+  secrets,
+  accessToken,
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  interface VariablesResponse {
+    size: number;
+    page: number;
+    pageLen: number;
+    next: string;
+    previous: string;
+    values: Array<BitbucketVariable>;
+  }
+
+  interface BitbucketVariable {
+    type: string;
+    uuid: string;
+    key: string;
+    value: string;
+    secured: boolean;
+  }
+
+  const res: { [key: string]: BitbucketVariable } = {};
+
+  let hasNextPage = true;
+  let variablesUrl = `${INTEGRATION_BITBUCKET_API_URL}/2.0/repositories/${integration.targetEnvironmentId}/${integration.appId}/pipelines_config/variables`
+
+  while (hasNextPage) {
+    const { data }: { data: VariablesResponse } = await standardRequest.get(
+        variablesUrl,
+        {
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+                "Accept": "application/json",
+            },
+        }
+    );
+
+    if (data?.values.length > 0) {
+      data.values.forEach((variable) => {
+        res[variable.key] = variable;
+      });
+    }
+
+    if (data.next) {
+      variablesUrl = data.next
+    } else {
+      hasNextPage = false
+    }
+  }
+
+  for await (const key of Object.keys(secrets)) {
+    if (key in res) {
+      // update existing secret
+      await standardRequest.put(
+          `${variablesUrl}/${res[key].uuid}`,
+          {
+            key,
+            value: secrets[key],
+            secured: true
+          },
+          {
+              headers: {
+                  Authorization: `Bearer ${accessToken}`,
+                  "Accept": "application/json",
+              },
+          }
+      );
+    } else {
+      // create new secret
+      await standardRequest.post(
+          variablesUrl,
+          {
+            key,
+            value: secrets[key],
+            secured: true
+          },
+          {
+              headers: {
+                  Authorization: `Bearer ${accessToken}`,
+                  "Accept": "application/json",
+              },
+          }
+      );
+    }
+  }
+
+  for await (const key of Object.keys(res)) {
+    if (!(key in secrets)) {
+      // delete secret
+      await standardRequest.delete(
+        `${variablesUrl}/${res[key].uuid}`,
+        {
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+                "Accept": "application/json",
+            }
+        }
+      );
+    }
+  }
+}
+
+/*
+ * Sync/push [secrets] to Codefresh with name [integration.app]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for Codefresh integration
+ */
+const syncSecretsCodefresh = async ({
+  integration,
+  secrets,
+  accessToken,
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  await standardRequest.patch(
+    `${INTEGRATION_CODEFRESH_API_URL}/projects/${integration.appId}`,
+    {
+      variables: Object.keys(secrets).map((key) => ({
+        key,
+        value: secrets[key]
+      }))
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept": "application/json",
+      },
+    }
+  ); 
+};
+
 export { syncSecrets };

backend/src/middleware/requireAuth.ts

@@ -1,4 +1,5 @@
 import jwt from "jsonwebtoken";
+import { Types } from "mongoose";
 import { NextFunction, Request, Response } from "express";
 import {
 	getAuthAPIKeyPayload,
@@ -51,6 +52,10 @@ const requireAuth = ({
 		});
 
 		let authPayload: IUser | IServiceAccount | IServiceTokenData;
+		let authUserPayload: {
+			user: IUser;
+			tokenVersionId: Types.ObjectId;
+		};
 		switch (authMode) {
 			case AUTH_MODE_SERVICE_ACCOUNT:
 				authPayload = await getAuthSAAKPayload({
@@ -71,12 +76,12 @@ const requireAuth = ({
 				req.user = authPayload;
 				break;
 			default:
-				const { user, tokenVersionId } = await getAuthUserPayload({
+				authUserPayload = await getAuthUserPayload({
 					authTokenValue,
 				});
-				authPayload = user;
-				req.user = user;
-				req.tokenVersionId = tokenVersionId;
+				authPayload = authUserPayload.user;
+				req.user = authUserPayload.user;
+				req.tokenVersionId = authUserPayload.tokenVersionId;
 				break;
 		}
 

backend/src/models/botOrg.ts

@@ -0,0 +1,98 @@
+import { Schema, Types, model } from "mongoose";
+import { 
+    ALGORITHM_AES_256_GCM,
+    ENCODING_SCHEME_BASE64,
+    ENCODING_SCHEME_UTF8,
+} from "../variables";
+
+export interface IBotOrg {
+	_id: Types.ObjectId;
+    name: string;
+    organization: Types.ObjectId;
+    publicKey: string;
+    encryptedSymmetricKey: string;
+    symmetricKeyIV: string;
+    symmetricKeyTag: string;
+    symmetricKeyAlgorithm: "aes-256-gcm";
+    symmetricKeyKeyEncoding: "base64" | "utf8";
+    encryptedPrivateKey: string;
+    privateKeyIV: string;
+    privateKeyTag: string;
+    privateKeyAlgorithm: "aes-256-gcm";
+    privateKeyKeyEncoding: "base64" | "utf8";
+}
+
+const botOrgSchema = new Schema<IBotOrg>(
+	{
+        name: {
+            type: String,
+            required: true,
+        },
+        organization: {
+            type: Schema.Types.ObjectId,
+            ref: "Organization",
+            required: true,
+        },
+        publicKey: {
+            type: String,
+            required: true,
+        },
+        encryptedSymmetricKey: {
+            type: String,
+            required: true
+        },
+        symmetricKeyIV: {
+            type: String,
+            required: true
+        },
+        symmetricKeyTag: {
+            type: String,
+            required: true
+        },
+        symmetricKeyAlgorithm: {
+            type: String,
+            enum: [ALGORITHM_AES_256_GCM],
+            required: true
+        },
+        symmetricKeyKeyEncoding: {
+            type: String,
+            enum: [
+                ENCODING_SCHEME_UTF8,
+                ENCODING_SCHEME_BASE64,
+            ],
+            required: true
+        },
+        encryptedPrivateKey: {
+            type: String,
+            required: true
+        },
+        privateKeyIV: {
+            type: String,
+            required: true
+        },
+        privateKeyTag: {
+            type: String,
+            required: true
+        },
+        privateKeyAlgorithm: {
+            type: String,
+            enum: [ALGORITHM_AES_256_GCM],
+            required: true
+        },
+        privateKeyKeyEncoding: {
+            type: String,
+            enum: [
+                ENCODING_SCHEME_UTF8,
+                ENCODING_SCHEME_BASE64,
+            ],
+            required: true
+        },
+	},
+	{
+		timestamps: true,
+	}
+);
+
+const BotOrg = model<IBotOrg>("BotOrg", botOrgSchema);
+
+export default BotOrg;

backend/src/models/index.ts

@@ -1,5 +1,6 @@
 import BackupPrivateKey, { IBackupPrivateKey } from "./backupPrivateKey";
 import Bot, { IBot } from "./bot";
+import BotOrg, { IBotOrg } from "./botOrg";
 import BotKey, { IBotKey } from "./botKey";
 import IncidentContactOrg, { IIncidentContactOrg } from "./incidentContactOrg";
 import Integration, { IIntegration } from "./integration";
@@ -31,6 +32,8 @@ export {
 	IBackupPrivateKey,
 	Bot,
 	IBot,
+	BotOrg,
+	IBotOrg,
 	BotKey,
 	IBotKey,
 	IncidentContactOrg,

backend/src/models/integration.ts

@@ -3,9 +3,11 @@ import {
   INTEGRATION_AWS_PARAMETER_STORE,
   INTEGRATION_AWS_SECRET_MANAGER,
   INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_BITBUCKET,
   INTEGRATION_CHECKLY,
   INTEGRATION_CIRCLECI,
   INTEGRATION_CLOUDFLARE_PAGES,
+  INTEGRATION_CODEFRESH,
   INTEGRATION_FLYIO,
   INTEGRATION_GITHUB,
   INTEGRATION_GITLAB,
@@ -17,7 +19,7 @@ import {
   INTEGRATION_RENDER,
   INTEGRATION_SUPABASE,
   INTEGRATION_TRAVISCI,
-  INTEGRATION_VERCEL,
+  INTEGRATION_VERCEL
 } from "../variables";
 
 export interface IIntegration {
@@ -54,7 +56,9 @@ export interface IIntegration {
     | "supabase"
     | "checkly"
     | "hashicorp-vault"
-    | "cloudflare-pages";
+    | "cloudflare-pages"
+    | "bitbucket"
+    | "codefresh"
   integrationAuth: Types.ObjectId;
 }
 
@@ -144,6 +148,8 @@ const integrationSchema = new Schema<IIntegration>(
         INTEGRATION_CHECKLY,
         INTEGRATION_HASHICORP_VAULT,
         INTEGRATION_CLOUDFLARE_PAGES,
+        INTEGRATION_BITBUCKET,
+        INTEGRATION_CODEFRESH
       ],
       required: true,
     },

backend/src/models/integrationAuth.ts

@@ -6,8 +6,10 @@ import {
   INTEGRATION_AWS_PARAMETER_STORE,
   INTEGRATION_AWS_SECRET_MANAGER,
   INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_BITBUCKET,
   INTEGRATION_CIRCLECI,
   INTEGRATION_CLOUDFLARE_PAGES,
+  INTEGRATION_CODEFRESH,
   INTEGRATION_FLYIO,
   INTEGRATION_GITHUB,
   INTEGRATION_GITLAB,
@@ -25,7 +27,26 @@ import {
 export interface IIntegrationAuth extends Document {
   _id: Types.ObjectId;
   workspace: Types.ObjectId;
-  integration: "heroku" | "vercel" | "netlify" | "github" | "gitlab" | "render" | "railway" | "flyio" | "azure-key-vault" | "laravel-forge" | "circleci" | "travisci" | "supabase" | "aws-parameter-store" | "aws-secret-manager" | "checkly" | "cloudflare-pages";
+  integration:
+    | "heroku"
+    | "vercel"
+    | "netlify"
+    | "github"
+    | "gitlab"
+    | "render"
+    | "railway"
+    | "flyio"
+    | "azure-key-vault"
+    | "laravel-forge"
+    | "circleci"
+    | "travisci"
+    | "supabase"
+    | "aws-parameter-store"
+    | "aws-secret-manager"
+    | "checkly"
+    | "cloudflare-pages"
+    | "codefresh"
+    | "bitbucket";
   teamId: string;
   accountId: string;
   url: string;
@@ -71,6 +92,8 @@ const integrationAuthSchema = new Schema<IIntegrationAuth>(
         INTEGRATION_SUPABASE,
         INTEGRATION_HASHICORP_VAULT,
         INTEGRATION_CLOUDFLARE_PAGES,
+        INTEGRATION_BITBUCKET,
+        INTEGRATION_CODEFRESH
       ],
       required: true,
     },

backend/src/models/user.ts

@@ -2,6 +2,7 @@ import { Document, Schema, Types, model } from "mongoose";
 
 export enum AuthProvider {
 	GOOGLE = "google",
+	OKTA_SAML = "okta-saml"
 }
 
 export interface IUser extends Document {

backend/src/routes/v1/auth.ts

@@ -1,7 +1,6 @@
 import express from "express";
 const router = express.Router();
 import { body } from "express-validator";
-import passport from "passport";
 import { requireAuth, validateRequest } from "../../middleware";
 import { authController } from "../../controllers/v1";
 import { authLimiter } from "../../helpers/rateLimiter";
@@ -44,21 +43,6 @@ router.post(
   authController.checkAuth
 );
 
-router.get(
-  "/redirect/google",
-  authLimiter,
-  passport.authenticate("google", {
-    scope: ["profile", "email"],
-    session: false,
-  }),
-);
-
-router.get(
-  "/callback/google",
-  passport.authenticate("google", { failureRedirect: "/login/provider/error", session: false }),
-  authController.handleAuthProviderCallback,
-);
-
 router.get(
   "/common-passwords",
   authLimiter,

backend/src/routes/v1/integrationAuth.ts

@@ -81,6 +81,7 @@ router.get(
 	}),
 	param("integrationAuthId"),
 	query("teamId"),
+	query("workspaceSlug"),
 	validateRequest,
 	integrationAuthController.getIntegrationAuthApps
 );
@@ -141,6 +142,19 @@ router.get(
 	integrationAuthController.getIntegrationAuthRailwayServices
 );
 
+router.get(
+	"/:integrationAuthId/bitbucket/workspaces",
+	requireAuth({
+        acceptedAuthModes: [AUTH_MODE_JWT],
+    }),
+	requireIntegrationAuthorizationAuth({
+		acceptedRoles: [ADMIN, MEMBER],
+	}),
+	param("integrationAuthId").exists().isString(),
+	validateRequest,
+	integrationAuthController.getIntegrationAuthBitBucketWorkspaces
+);
+
 router.delete(
 	"/:integrationAuthId",
 	requireAuth({

backend/src/routes/v1/webhook.ts

@@ -2,7 +2,7 @@ import express from "express";
 const router = express.Router();
 import { requireAuth, requireWorkspaceAuth, validateRequest } from "../../middleware";
 import { body, param, query } from "express-validator";
-import { ADMIN, AUTH_MODE_JWT, AUTH_MODE_SERVICE_ACCOUNT, MEMBER } from "../../variables";
+import { ADMIN, AUTH_MODE_JWT, MEMBER } from "../../variables";
 import { webhookController } from "../../controllers/v1";
 
 router.post(

backend/src/routes/v3/secrets.ts

@@ -21,7 +21,7 @@ router.get(
   query("workspaceId").exists().isString().trim(),
   query("environment").exists().isString().trim(),
   query("secretPath").default("/").isString().trim(),
-  query("include_imports").isBoolean().default(false),
+  query("include_imports").optional().isBoolean().default(false),
   validateRequest,
   requireAuth({
     acceptedAuthModes: [

backend/src/routes/v3/signup.ts

@@ -21,7 +21,8 @@ router.post(
 	body("salt").exists().isString().trim().notEmpty(),
 	body("verifier").exists().isString().trim().notEmpty(),
 	body("organizationName").exists().isString().trim().notEmpty(),
-	body("providerAuthToken").isString().trim().optional({nullable: true}),
+	body("providerAuthToken").isString().trim().optional({ nullable: true }),
+	body("attributionSource").optional().isString().trim(),
     validateRequest,
     signupController.completeAccountSignup,
 );

backend/src/services/BotOrgService.ts

@@ -0,0 +1,12 @@
+import { Types } from "mongoose";
+import { getSymmetricKeyHelper } from "../helpers/botOrg";
+
+// TODO: DOCstrings
+
+class BotOrgService {
+    static async getSymmetricKey(organizationId: Types.ObjectId) {
+        return await getSymmetricKeyHelper(organizationId);
+    }
+}
+
+export default BotOrgService;

backend/src/services/SecretImportService.ts

@@ -38,6 +38,11 @@ export const getAllImportedSecrets = async (
           folderId: secPathFolder.id,
           secretPath: el.secretPath
         });
+    } else {
+      if (el.secretPath === "/") {
+        // this happens when importing with a fresh env without any folders
+        importedSecByFid.push({ environment: el.environment, folderId: "root", secretPath: "/" });
+      }
     }
   });
   if (importedSecByFid.length === 0) return [];

backend/src/services/index.ts

@@ -2,6 +2,7 @@ import DatabaseService from "./DatabaseService";
 // import { logTelemetryMessage, getPostHogClient } from './TelemetryService';
 import TelemetryService from "./TelemetryService";
 import BotService from "./BotService";
+import BotOrgService from "./BotOrgService";
 import EventService from "./EventService";
 import IntegrationService from "./IntegrationService";
 import TokenService from "./TokenService";
@@ -12,9 +13,10 @@ export {
   TelemetryService,
   DatabaseService,
   BotService,
+  BotOrgService,
   EventService,
   IntegrationService,
   TokenService,
   SecretService,
   GithubSecretScanningService
-};
+}

backend/src/types/express/index.d.ts

@@ -20,6 +20,7 @@ declare global {
 			workspace: any;
 			membership: any;
 			targetMembership: any;
+			isUserCompleted: boolean;
 			providerAuthToken: any;
 			organization: any;
 			membershipOrg: any;

backend/src/utils/aes-gcm.ts

@@ -4,8 +4,6 @@ const ALGORITHM = "aes-256-gcm";
 const BLOCK_SIZE_BYTES = 16;
 
 export default class AesGCM {
-	constructor() {}
-
 	static encrypt(
 		text: string,
 		secret: string

backend/src/utils/auth.ts

@@ -1,11 +1,14 @@
 import express from "express";
 import passport from "passport";
+import { Types } from "mongoose";
 import { AuthData } from "../interfaces/middleware";
 import {
   AuthProvider,
+  MembershipOrg,
+  Organization,
   ServiceAccount,
   ServiceTokenData,
-  User,
+  User
 } from "../models";
 import { createToken } from "../helpers/auth";
 import {
@@ -14,11 +17,15 @@ import {
   getJwtProviderAuthLifetime,
   getJwtProviderAuthSecret,
 } from "../config";
+import { getSSOConfigHelper } from "../ee/helpers/organizations";
+import { InternalServerError, OrganizationNotFoundError } from "./errors";
+import { INVITED, MEMBER } from "../variables";
+import { getSiteURL } from "../config";
 
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const GoogleStrategy = require("passport-google-oauth20").Strategy;
-
-// TODO: find a more optimal folder structure to store these types of functions
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { MultiSamlStrategy } = require("@node-saml/passport-saml");
 
 /**
  * Returns an object containing the id of the authentication data payload
@@ -39,7 +46,6 @@ const getAuthDataPayloadIdObj = (authData: AuthData) => {
   }
 };
 
-
 /**
  * Returns an object containing the user associated with the authentication data payload
  * @param {AuthData} authData - authentication data object
@@ -56,7 +62,7 @@ const getAuthDataPayloadUserObj = (authData: AuthData) => {
   }
 
   if (authData.authPayload instanceof ServiceTokenData) {
-    return { user: authData.authPayload.user };
+    return { user: authData.authPayload.user };0
   }
 }
 
@@ -68,47 +74,143 @@ const initializePassport = async () => {
     passReqToCallback: true,
     clientID: googleClientId,
     clientSecret: googleClientSecret,
-    callbackURL: "/api/v1/auth/callback/google",
+    callbackURL: "/api/v1/sso/google",
     scope: ["profile", " email"],
   }, async (
     req: express.Request,
     accessToken: string,
     refreshToken: string,
     profile: any,
-    cb: any
+    done: any
   ) => {
     try {
       const email = profile.emails[0].value;
+      const firstName = profile.name.givenName;
+      const lastName = profile.name.familyName;
+      
       let user = await User.findOne({
-        authProvider: AuthProvider.GOOGLE,
-        authId: profile.id,
-      }).select("+publicKey")
+        email
+      }).select("+publicKey");
+      
+      if (user && user.authProvider !== AuthProvider.GOOGLE) {
+        done(InternalServerError());
+      }
 
       if (!user) {
         user = await new User({
           email,
           authProvider: AuthProvider.GOOGLE,
           authId: profile.id,
+          firstName,
+          lastName
         }).save();
       }
 
+      const isUserCompleted = !!user.publicKey;
       const providerAuthToken = createToken({
         payload: {
           userId: user._id.toString(),
           email: user.email,
+          firstName,
+          lastName,
           authProvider: user.authProvider,
-          isUserCompleted: !!user.publicKey,
+          isUserCompleted
         },
         expiresIn: await getJwtProviderAuthLifetime(),
         secret: await getJwtProviderAuthSecret(),
       });
 
+      req.isUserCompleted = isUserCompleted;
       req.providerAuthToken = providerAuthToken;
-      cb(null, profile);
+      done(null, profile);
     } catch (err) {
-      cb(null, false);
+      done(null, false);
     }
   }));
+  
+  passport.use("saml", new MultiSamlStrategy(
+    {
+      passReqToCallback: true,
+      getSamlOptions: async (req: any, done: any) => {
+          const { ssoIdentifier } = req.params;
+          
+          const ssoConfig = await getSSOConfigHelper({
+            ssoConfigId: new Types.ObjectId(ssoIdentifier)
+          });
+          
+          const samlConfig = ({
+            path: "/api/v1/auth/callback/saml",
+            callbackURL: `${await getSiteURL()}/api/v1/auth/callback/saml`,
+            entryPoint: ssoConfig.entryPoint,
+            issuer: ssoConfig.issuer,
+            cert: ssoConfig.cert,
+            audience: ssoConfig.audience
+          });
+          
+          req.ssoConfig = ssoConfig;
+
+          done(null, samlConfig);
+      },
+    },
+    async (req: any, profile: any, done: any) => {
+      
+      if (!req.ssoConfig.isActive) return done(InternalServerError());
+
+      const organization = await Organization.findById(req.ssoConfig.organization);
+      
+      if (!organization) return done(OrganizationNotFoundError());
+      
+      const email = profile.email;
+      const firstName = profile.firstName;
+      const lastName = profile.lastName;
+
+      let user = await User.findOne({
+        email
+      }).select("+publicKey");
+      
+      if (user && user.authProvider !== AuthProvider.OKTA_SAML) {
+        done(InternalServerError());
+      }
+
+      if (!user) {
+        user = await new User({
+          email,
+          authProvider: AuthProvider.OKTA_SAML,
+          authId: profile.id,
+          firstName,
+          lastName
+        }).save();
+        
+        await new MembershipOrg({
+          inviteEmail: email,
+          user: user._id,
+          organization: organization?._id,
+          role: MEMBER,
+          status: INVITED
+        }).save();
+      }
+      
+      const isUserCompleted = !!user.publicKey;
+      const providerAuthToken = createToken({
+        payload: {
+          userId: user._id.toString(),
+          email: user.email,
+          firstName,
+          lastName,
+          organizationName: organization?.name,
+          authProvider: user.authProvider,
+          isUserCompleted
+        },
+        expiresIn: await getJwtProviderAuthLifetime(),
+        secret: await getJwtProviderAuthSecret(),
+      });
+      
+      req.isUserCompleted = isUserCompleted;
+      req.providerAuthToken = providerAuthToken;
+
+      done(null, profile);
+    }
+  ));
 }
 
 export {

backend/src/utils/errors.ts

@@ -46,7 +46,7 @@ export const BadRequestError = (error?: Partial<RequestErrorContext>) => new Req
     stack: error?.stack,
 });
 
-export const ResourceNotFound = (error?: Partial<RequestErrorContext>) => new RequestError({
+export const ResourceNotFoundError = (error?: Partial<RequestErrorContext>) => new RequestError({
     logLevel: error?.logLevel ?? LogLevel.INFO,
     statusCode: error?.statusCode ?? 404,
     type: error?.type ?? "resource_not_found",

backend/src/utils/setup/backfillData.ts

@@ -7,9 +7,11 @@ import { ISecretVersion, SecretSnapshot, SecretVersion } from "../../ee/models";
 import {
   BackupPrivateKey,
   Bot,
+  BotOrg,
   ISecret,
   Integration,
   IntegrationAuth,
+  Organization,
   Secret,
   SecretBlindIndexData,
   ServiceTokenData,
@@ -137,6 +139,103 @@ export const backfillBots = async () => {
   await Bot.insertMany(botsToInsert);
 };
 
+/**
+ * Backfill organization bots to ensure that every organization has a bot
+ */
+export const backfillBotOrgs = async () => {
+  const encryptionKey = await getEncryptionKey();
+  const rootEncryptionKey = await getRootEncryptionKey();
+
+  const organizationIdsWithBot = await BotOrg.distinct("organization");
+  const organizationIdsToAddBot = await Organization.distinct("_id", {
+    _id: {
+      $nin: organizationIdsWithBot
+    }
+  });
+
+  if (organizationIdsToAddBot.length === 0) return;
+
+  const botsToInsert = await Promise.all(
+    organizationIdsToAddBot.map(async (organizationToAddBot) => {
+      const { publicKey, privateKey } = generateKeyPair();
+      
+      const key = client.createSymmetricKey();
+
+      if (rootEncryptionKey) {
+        const {
+          ciphertext: encryptedPrivateKey,
+          iv: privateKeyIV,
+          tag: privateKeyTag
+        } = client.encryptSymmetric(privateKey, rootEncryptionKey);
+
+        const {
+          ciphertext: encryptedSymmetricKey,
+          iv: symmetricKeyIV,
+          tag: symmetricKeyTag
+        } = client.encryptSymmetric(key, rootEncryptionKey);
+
+        return new BotOrg({
+          name: "Infisical Bot",
+          organization: organizationToAddBot,
+          isActive: false,
+          publicKey,
+          encryptedSymmetricKey,
+          symmetricKeyIV,
+          symmetricKeyTag,
+          symmetricKeyAlgorithm: ALGORITHM_AES_256_GCM,
+          symmetricKeyKeyEncoding: ENCODING_SCHEME_BASE64,
+          encryptedPrivateKey,
+          privateKeyIV,
+          privateKeyTag,
+          privateKeyAlgorithm: ALGORITHM_AES_256_GCM,
+          privateKeyKeyEncoding: ENCODING_SCHEME_BASE64
+        });
+      } else if (encryptionKey) {
+        const {
+          ciphertext: encryptedPrivateKey,
+          iv: privateKeyIV,
+          tag: privateKeyTag
+        } = encryptSymmetric128BitHexKeyUTF8({
+          plaintext: privateKey,
+          key: encryptionKey
+        });
+        
+        const {
+          ciphertext: encryptedSymmetricKey,
+          iv: symmetricKeyIV,
+          tag: symmetricKeyTag
+        } = encryptSymmetric128BitHexKeyUTF8({
+          plaintext: key,
+          key: encryptionKey
+        });
+
+        return new BotOrg({
+          name: "Infisical Bot",
+          organization: organizationToAddBot,
+          isActive: false,
+          publicKey,
+          encryptedSymmetricKey,
+          symmetricKeyIV,
+          symmetricKeyTag,
+          symmetricKeyAlgorithm: ALGORITHM_AES_256_GCM,
+          symmetricKeyKeyEncoding: ENCODING_SCHEME_UTF8,
+          encryptedPrivateKey,
+          privateKeyIV,
+          privateKeyTag,
+          privateKeyAlgorithm: ALGORITHM_AES_256_GCM,
+          privateKeyKeyEncoding: ENCODING_SCHEME_UTF8
+        });
+      }
+
+      throw InternalServerError({
+        message: "Failed to backfill organization bots due to missing encryption key"
+      });
+    })
+  );
+  
+  await BotOrg.insertMany(botsToInsert);
+};
+
 /**
  * Backfill secret blind index data to ensure that every workspace
  * has a secret blind index data

backend/src/utils/setup/index.ts

@@ -7,6 +7,7 @@ import { createTestUserForDevelopment } from "../addDevelopmentUser";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 import { validateEncryptionKeysConfig } from "./validateConfig";
 import {
+  backfillBotOrgs,
   backfillBots,
   backfillEncryptionMetadata,
   backfillIntegration,
@@ -16,7 +17,11 @@ import {
   backfillServiceToken,
   backfillServiceTokenMultiScope
 } from "./backfillData";
-import { reencryptBotPrivateKeys, reencryptSecretBlindIndexDataSalts } from "./reencryptData";
+import { 
+  reencryptBotOrgKeys,
+  reencryptBotPrivateKeys,
+  reencryptSecretBlindIndexDataSalts
+} from "./reencryptData";
 import {
   getClientIdGoogle,
   getClientSecretGoogle,
@@ -72,6 +77,7 @@ export const setup = async () => {
   // backfilling data to catch up with new collections and updated fields
   await backfillSecretVersions();
   await backfillBots();
+  await backfillBotOrgs();
   await backfillSecretBlindIndexData();
   await backfillEncryptionMetadata();
   await backfillSecretFolders();
@@ -82,6 +88,7 @@ export const setup = async () => {
   // re-encrypt any data previously encrypted under server hex 128-bit ENCRYPTION_KEY
   // to base64 256-bit ROOT_ENCRYPTION_KEY
   await reencryptBotPrivateKeys();
+  await reencryptBotOrgKeys();
   await reencryptSecretBlindIndexDataSalts();
 
   // initializing Sentry

backend/src/utils/setup/reencryptData.ts

@@ -1,6 +1,8 @@
 import {
     Bot,
+    BotOrg,
     IBot,
+    IBotOrg,
     ISecretBlindIndexData,
     SecretBlindIndexData,
 } from "../../models";
@@ -17,7 +19,7 @@ import {
 } from "../../variables";
 
 /**
- * Re-encrypt bot private keys from hex 128-bit ENCRYPTION_KEY
+ * Re-encrypt bot private keys from under hex 128-bit ENCRYPTION_KEY
  * to base64 256-bit ROOT_ENCRYPTION_KEY
  */
 export const reencryptBotPrivateKeys = async () => {
@@ -70,6 +72,79 @@ export const reencryptBotPrivateKeys = async () => {
     }
 }
 
+/**
+ * Re-encrypt organization bot keys (symmetric and private) from under hex 128-bit ENCRYPTION_KEY
+ * to base64 256-bit ROOT_ENCRYPTION_KEY
+ */
+export const reencryptBotOrgKeys = async () => {
+    const encryptionKey = await getEncryptionKey();
+    const rootEncryptionKey = await getRootEncryptionKey();
+
+    if (encryptionKey && rootEncryptionKey) {
+        // 1: re-encrypt organization bot keys under ROOT_ENCRYPTION_KEY
+        const botOrgs = await BotOrg.find({
+            symmetricKeyAlgorithm: ALGORITHM_AES_256_GCM,
+            symmetricKeyKeyEncoding: ENCODING_SCHEME_UTF8,
+            privateKeyAlgorithm: ALGORITHM_AES_256_GCM,
+            privateKeyKeyEncoding: ENCODING_SCHEME_UTF8
+        }).select("+encryptedPrivateKey iv tag algorithm keyEncoding");
+        
+        if (botOrgs.length === 0) return;
+        
+        const operationsBotOrg = await Promise.all(
+            botOrgs.map(async (botOrg: IBotOrg) => {
+                const privateKey = decryptSymmetric128BitHexKeyUTF8({
+                    ciphertext: botOrg.encryptedPrivateKey,
+                    iv: botOrg.privateKeyIV,
+                    tag: botOrg.privateKeyTag,
+                    key: encryptionKey
+                });
+
+                const {
+                    ciphertext: encryptedPrivateKey,
+                    iv: privateKeyIV,
+                    tag: privateKeyTag,
+                } = client.encryptSymmetric(privateKey, rootEncryptionKey);
+                
+                const symmetricKey = decryptSymmetric128BitHexKeyUTF8({
+                    ciphertext: botOrg.encryptedSymmetricKey,
+                    iv: botOrg.symmetricKeyIV,
+                    tag: botOrg.symmetricKeyTag,
+                    key: encryptionKey
+                });
+
+                const {
+                    ciphertext: encryptedSymmetricKey,
+                    iv: symmetricKeyIV,
+                    tag: symmetricKeyTag,
+                } = client.encryptSymmetric(symmetricKey, rootEncryptionKey);
+                
+                return ({
+                    updateOne: {
+                        filter: {
+                            _id: botOrg._id,
+                        },
+                        update: {
+                            encryptedSymmetricKey,
+                            symmetricKeyIV,
+                            symmetricKeyTag,
+                            symmetricKeyAlgorithm: ALGORITHM_AES_256_GCM,
+                            symmetricKeyKeyEncoding: ENCODING_SCHEME_BASE64,
+                            encryptedPrivateKey,
+                            privateKeyIV,
+                            privateKeyTag,
+                            privateKeyAlgorithm: ALGORITHM_AES_256_GCM,
+                            privateKeyKeyEncoding: ENCODING_SCHEME_BASE64,
+                        },
+                    },
+                })
+            })
+        );
+        
+        await BotOrg.bulkWrite(operationsBotOrg);
+    }
+}
+
 /**
  * Re-encrypt secret blind index data salts from hex 128-bit ENCRYPTION_KEY
  * to base64 256-bit ROOT_ENCRYPTION_KEY

backend/src/variables/integration.ts

@@ -1,5 +1,6 @@
 import {
     getClientIdAzure,
+    getClientIdBitBucket,
     getClientIdGitHub,
     getClientIdGitLab,
     getClientIdHeroku,
@@ -26,6 +27,8 @@ export const INTEGRATION_SUPABASE = "supabase";
 export const INTEGRATION_CHECKLY = "checkly";
 export const INTEGRATION_HASHICORP_VAULT = "hashicorp-vault";
 export const INTEGRATION_CLOUDFLARE_PAGES = "cloudflare-pages";
+export const INTEGRATION_BITBUCKET = "bitbucket";
+export const INTEGRATION_CODEFRESH = "codefresh";
 export const INTEGRATION_SET = new Set([
     INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
@@ -41,7 +44,9 @@ export const INTEGRATION_SET = new Set([
   INTEGRATION_SUPABASE,
   INTEGRATION_CHECKLY,
   INTEGRATION_HASHICORP_VAULT,
-  INTEGRATION_CLOUDFLARE_PAGES
+  INTEGRATION_CLOUDFLARE_PAGES,
+  INTEGRATION_BITBUCKET,
+  INTEGRATION_CODEFRESH
 ]);
 
 // integration types
@@ -56,6 +61,7 @@ export const INTEGRATION_NETLIFY_TOKEN_URL = "https://api.netlify.com/oauth/toke
 export const INTEGRATION_GITHUB_TOKEN_URL =
   "https://github.com/login/oauth/access_token";
 export const INTEGRATION_GITLAB_TOKEN_URL = "https://gitlab.com/oauth/token";
+export const INTEGRATION_BITBUCKET_TOKEN_URL = "https://bitbucket.org/site/oauth2/access_token"
 
 // integration apps endpoints
 export const INTEGRATION_HEROKU_API_URL = "https://api.heroku.com";
@@ -71,6 +77,8 @@ export const INTEGRATION_SUPABASE_API_URL = "https://api.supabase.com";
 export const INTEGRATION_LARAVELFORGE_API_URL = "https://forge.laravel.com";
 export const INTEGRATION_CHECKLY_API_URL = "https://api.checklyhq.com";
 export const INTEGRATION_CLOUDFLARE_PAGES_API_URL = "https://api.cloudflare.com";
+export const INTEGRATION_BITBUCKET_API_URL = "https://api.bitbucket.org";
+export const INTEGRATION_CODEFRESH_API_URL = "https://g.codefresh.io/api";
 
 export const getIntegrationOptions = async () => {
     const INTEGRATION_OPTIONS = [
@@ -245,6 +253,24 @@ export const getIntegrationOptions = async () => {
             type: "pat",
             clientId: "",
             docsLink: ""
+        },
+        {
+          name: "BitBucket",
+          slug: "bitbucket",
+          image: "BitBucket.png",
+          isAvailable: true,
+          type: "oauth",
+          clientId: await getClientIdBitBucket(),
+          docsLink: ""
+        },
+        {
+            name: "Codefresh",
+            slug: "codefresh",
+            image: "Codefresh.png",
+            isAvailable: true,
+            type: "pat",
+            clientId: "",
+            docsLink: "",
         }
     ]
     

docs/changelog/overview.mdx

@@ -6,7 +6,7 @@ The changelog below reflects new product developments and updates on a monthly b
 
 ## July 2023
 
-- Released [secret referencing](https://infisical.com/docs/documentation/platform/secret-reference) across folders and environments. 
+- Released [secret referencing and importing](https://infisical.com/docs/documentation/platform/secret-reference) across folders and environments. 
 - Added the [intergation with Laravel Forge](https://infisical.com/docs/integrations/cloud/laravel-forge).
 - Redesigned the project/organization experience.
 

docs/cli/overview.mdx

@@ -3,7 +3,8 @@ title: 'Install'
 description: "Infisical's CLI is one of the best way to manage environments and secrets. Install it here"
 ---
 
-The Infisical CLI can be used to access secrets across various environments, whether it's local development, CI/CD, staging, or production.
+The Infisical CLI is powerful command line tool that can be used to retrieve, modify, export and inject secrets into any process or application as environment variables. 
+You can use it across various environments, whether it's local development, CI/CD, staging, or production.
 
 ## Installation
 
@@ -57,7 +58,10 @@ The Infisical CLI can be used to access secrets across various environments, whe
     	```bash
     	apk update && sudo apk add infisical
     	```
-
+		###
+		<Tip>
+			If you are installing the CLI in production environments, we highly recommend to set the version of the CLI to a specific version. This will help keep your CLI version consistent across reinstalls. [View versions](https://cloudsmith.io/~infisical/repos/infisical-cli/packages/)
+		</Tip>
    </Tab>
 	 <Tab title="RedHat/CentOs/Amazon">
 	 Add Infisical repository
@@ -71,7 +75,10 @@ The Infisical CLI can be used to access secrets across various environments, whe
     	```bash
     	sudo yum install infisical
     	```
-
+		###
+		<Tip>
+			If you are installing the CLI in production environments, we highly recommend to set the version of the CLI to a specific version. This will help keep your CLI version consistent across reinstalls. [View versions](https://cloudsmith.io/~infisical/repos/infisical-cli/packages/)
+		</Tip>
    </Tab>
 	 <Tab title="Debian/Ubuntu">
 	 	Add Infisical repository 
@@ -86,7 +93,10 @@ The Infisical CLI can be used to access secrets across various environments, whe
     	```bash
     	sudo apt-get update && sudo apt-get install -y infisical
     	```
-
+	###
+	<Tip>
+		If you are installing the CLI in production environments, we highly recommend to set the version of the CLI to a specific version. This will help keep your CLI version consistent across reinstalls. [View versions](https://cloudsmith.io/~infisical/repos/infisical-cli/packages/)
+	</Tip>
    </Tab>
 	<Tab title="Arch Linux">
 		Use the `yay` package manager to install from the [Arch User Repository](https://aur.archlinux.org/packages/infisical-bin)
@@ -95,6 +105,9 @@ The Infisical CLI can be used to access secrets across various environments, whe
 		yay -S infisical-bin
 		```
 
+	###
+	<Tip>
+		If you are installing the CLI in production environments, we highly recommend to set the version of the CLI to a specific version. This will help keep your CLI version consistent across reinstalls. [View versions](https://cloudsmith.io/~infisical/repos/infisical-cli/packages/)
+	</Tip>
    </Tab>
 </Tabs>
-

docs/cli/usage.mdx

@@ -8,7 +8,7 @@ The distinguishing factor, however, is the authentication method used.
 
 <Tabs>
   <Tab title="Local development">
-    To use the Infisical CLI in your development environment, simply run the following command and follow the interactive guide. 
+    To use the Infisical CLI in your development environment, simply run the command below and follow the interactive guide. 
 
     ```bash 
     infisical login 

docs/documentation/getting-started/introduction.mdx

@@ -17,7 +17,7 @@ Start syncing environment variables with [Infisical Cloud](https://app.infisical
     Store secrets like API keys, database credentials, environment variables with Infisical
 </Card>
 
-## Integrate with Infisical
+## Access secrets
 
 <CardGroup cols={2}>
   <Card href="../../cli/overview" title="Command Line Interface (CLI)" icon="square-terminal" color="#3775a9">
@@ -31,11 +31,11 @@ Start syncing environment variables with [Infisical Cloud](https://app.infisical
   >
     Fetch secrets with any programming language on demand
   </Card>
-  <Card href="/documentation/getting-started/docker" title="Docker" icon="docker" color="#0078d3">
+  <Card href="../../integrations/platforms/docker-intro" title="Docker" icon="docker" color="#0078d3">
     Inject secrets into Docker containers
   </Card>
   <Card
-    href="/documentation/getting-started/kubernetes"
+    href="../../integrations/platforms/kubernetes"
     title="Kubernetes"
     icon="server"
     color="#3775a9"

docs/documentation/platform/secret-reference.mdx

@@ -29,21 +29,24 @@ Here are a few more examples to help you understand how to reference secrets in
 ## Fetching fully constructed values
 
 Secret referencing combines multiple secrets into one unified value, reconstructed only on the client side. To retrieve this value, you need access to read the environment and [folder](./folder) from where the secrets originate. 
-For instance, to access a secret 'A' composed of secrets 'B' and 'C' from different environments, you must have read access to both. 
+For instance, to access a secret 'A' composed of secrets 'B' and 'C' from different environments, you must have read access to both 'A' and 'B' 
 
 When using [service tokens](./token) to fetch referenced secrets, ensure the service token has read access to all referenced environments and folders. 
 Without proper permissions, the final secret value may be incomplete.
 
-## Import multiple secrets from a environment secret path
+## Import entire folders 
 
-You can import or link another environment's folder to your dashboard to inherit its secrets. This is useful when you need to share secrets across multiple environments.
+While secret referencing effectively minimizes duplication, there might be instances where you need to import or replicate an entire folder's secrets into another. This can be achieved using the 'Import' feature.
 
-To add an import/link, just click on `Secret Link` button and provide an `environment` and `secret path` to which the secrets must be pulled. 
+This feature allows you to link secrets from one environment/folder into another environment/folder. It proves beneficial when you have common secrets that need to be available across multiple environments/folders.
+
+To add an import, simply click on the `Add import` button and provide the environment and secret path from where the secrets should be imported.
 
 ![secret import change order](../../images/secret-import-add.png)
 
-The import hierarchy is "last one wins." This means that the order in which you import matters. The last folder you import will override the secrets from any previous folders. Additionally, any secrets you define in your dashboard will override the secrets from any imported folders.
+The hierarchy of importing secrets is governed by a "last-one-wins" rule. This means the sequence in which you import matters - the final folder imported will override secrets from any prior folders. 
+Moreover, any secrets you define directly in your environment will take precedence over secrets from any imported folders.
 
-You can change the order by dragging and positioning according using the `Change Order` drag handle.
+You can modify this sequence by dragging and rearranging the folders using the `Change Order` drag handle.
 
-![secret import change order](../../images/secret-import-change-order.png
+![secret import change order](../../images/secret-import-change-order.png)

docs/integrations/cicd/bitbucket.mdx

@@ -0,0 +1,31 @@
+---
+title: "Bitbucket"
+description: "How to sync secrets from Infisical to Bitbucket"
+---
+
+Prerequisites:
+
+- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
+
+## Navigate to your project's integrations tab
+
+![integrations](../../images/integrations.png)
+
+## Authorize Infisical for Bitbucket
+
+Press on the Bitbucket tile and grant Infisical access to your Bitbucket account.
+
+![integrations bitbucket authorization](../../images/integrations-bitbucket-auth.png)
+
+<Info>
+  If this is your project's first cloud integration, then you'll have to grant
+  Infisical access to your project's environment variables. Although this step
+  breaks E2EE, it's necessary for Infisical to sync the environment variables to
+  the cloud platform.
+</Info>
+
+## Start integration
+
+Select which Infisical environment secrets you want to sync to which Bitbucket repo and press start integration to start syncing secrets to the repo.
+
+![integrations bitbucket](../../images/integrations-bitbucket.png)

docs/integrations/cicd/codefresh.mdx

@@ -0,0 +1,37 @@
+---
+title: "Codefresh"
+description: "How to sync secrets from Infisical to Codefresh"
+---
+
+Prerequisites:
+
+- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
+
+## Navigate to your project's integrations tab
+
+![integrations](../../images/integrations.png)
+
+## Authorize Infisical for Codefresh
+
+Obtain an API key in User Settings > API Keys
+
+![integrations codefresh dashboard](../../images/integrations-codefresh-dashboard.png)
+![integrations codefresh token](../../images/integrations-codefresh-token.png)
+
+Press on the Codefresh tile and input your Codefresh API key to grant Infisical access to your Codefresh account.
+
+![integrations codefresh authorization](../../images/integrations-codefresh-auth.png)
+
+<Info>
+  If this is your project's first cloud integration, then you'll have to grant
+  Infisical access to your project's environment variables. Although this step
+  breaks E2EE, it's necessary for Infisical to sync the environment variables to
+  the cloud platform.
+</Info>
+
+## Start integration
+
+Select which Infisical environment secrets you want to sync to which Codefresh service and press create integration to start syncing secrets to Codefresh.
+
+![create integration codefresh](../../images/integrations-codefresh-create.png)
+![integrations codefresh](../../images/integrations-codefresh.png)

docs/integrations/overview.mdx

@@ -28,6 +28,8 @@ Missing an integration? [Throw in a request](https://github.com/Infisical/infisi
 | [AWS Parameter Store](/integrations/cloud/aws-parameter-store) | Cloud                  | Available   |
 | [AWS Secret Manager](/integrations/cloud/aws-secret-manager)   | Cloud                  | Available   |
 | [Azure Key Vault](/integrations/cloud/azure-key-vault)         | Cloud                  | Available   |
+| [BitBucket](/integrations/cicd/bitbucket)                      | CI/CD                  | Available   |
+| [Codefresh](/integrations/cicd/codefresh)                      | CI/CD                  | Available   |
 | [GitHub Actions](/integrations/cicd/githubactions)             | CI/CD                  | Available   |
 | [GitLab](/integrations/cicd/gitlab)                            | CI/CD                  | Available   |
 | [CircleCI](/integrations/cicd/circleci)                        | CI/CD                  | Available   |

docs/integrations/platforms/docker-compose.mdx

@@ -11,11 +11,11 @@ Prerequisites:
 
 Follow this [guide](./docker) to configure the Infisical CLI for each service that you wish to inject environment variables into; you'll have to update the Dockerfile of each service.
 
-## Generate Infisical Tokens
+## Generate service token 
 
 Generate a unique [Infisical Token](/documentation/platform/token) for each service.
 
-## Add Infisical Tokens to your Docker Compose file
+## Feed service token to your Docker Compose file
 
 For each service you want to inject secrets into, set an environment variable called `INFISICAL_TOKEN` equal to a unique identifier variable.
 

docs/integrations/platforms/docker-intro.mdx

@@ -0,0 +1,25 @@
+---
+title: "Docker"
+description: "Learn how to feed secrets from Infisical into your docker application"
+---
+There are many methods to inject Infisical secrets to docker-based applications. 
+Regardless of which method you choose, these methods will inject secrets from Infisical as environment variables into your Docker container.
+
+<Card title="Docker Entrypoint" color="#ea5a0c" href="./docker">
+  Install and run your app start command with Infisical CLI
+</Card>
+<CardGroup cols={2}>
+  <Card title="Docker run" color="#0285c7" href="./docker-pass-envs">
+    Feed secrets via `--env-file` flag in docker run command
+  </Card>
+  <Card title="Docker compose" color="#16a34a" href="./docker-compose">
+    Inject secrets to multiple services using Docker Compose
+  </Card>
+</CardGroup>
+
+<Info>
+The main difference between the "Docker Entrypoint" and "Docker run" approach is where the Infisical CLI is installed. 
+In most production settings, it's typically inconvenient to have the Infisical CLI installed and executed externally.
+As a result, we suggest using the "Docker Entrypoint" method for production purposes. 
+However, if this limitation doesn't apply to you, select the method that best fits your needs.
+</Info>

docs/integrations/platforms/docker-pass-envs.mdx

@@ -0,0 +1,48 @@
+---
+title: "Docker Run"
+description: "Pass secrets to your docker container at run time"
+---
+
+This method allows you to feed secrets from Infisical into your container using the `--env-file` flag of `docker run` command. 
+Rather than giving the flag a file path to your env file, you'll use the Infisical CLI to create a virtual file path.
+
+For this method to function as expected, you must have a bash shell (for processing substitution) and the [Infisical CLI](../../cli/overview) installed in the environment where you will be running the `docker run` command.
+
+## 1. Authentication
+
+If you are already logged in via the CLI you can skip this step. Otherwise, head to your project settings in Infisical Cloud to generate an [Infisical Token](/documentation/platform/token). The service token will allow you to authenticate and fetch secrets from Infisical. 
+Once you have created a service token with the required permissions, you'll need to feed the token to the CLI. 
+
+#### Pass as flag
+You may use the --token flag to set the token 
+
+```bash
+infisical export --token=<>
+```
+
+#### Pass via shell environment variable
+The CLI is configured to look for an environment variable named `INFISICAL_TOKEN`. If set, it'll attempt to use it for authentication.
+
+```bash
+export INFISICAL_TOKEN=<>
+```
+
+<Warning>
+  In production scenarios, please to avoid using the `infisical login` command and instead use a [service token](/documentation/platform/token).
+</Warning>
+
+## 2. Run your docker command with Infisical 
+Next, use the --env-file flag of the `docker run` command with Infisical CLI to point to your secrets. 
+Under the hood, this command will fetch secrets from Infisical and serve them as a file to the `--env-file` flag. 
+
+```bash
+# In this example, executing a docker run command will initiate an empty Alpine container and display the environment variables passed to it by Infisical.
+docker run --rm --env-file <(infisical export --format=dotenv) alpine printenv
+```
+
+To view all options of the `export` command, click [here](../../cli/commands/export)
+
+
+<Warning>
+  When using the --env-file option, Docker does not have the capability to support secrets that span multiple lines.
+</Warning>

docs/integrations/platforms/docker.mdx

@@ -1,11 +1,10 @@
 ---
-title: "Docker"
+title: "Docker Entrypoint"
 description: "How to use Infisical to inject environment variables into a Docker container."
 ---
 
-Prerequisites:
-
-- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
+This approach allows you to inject secrets from Infisical directly into your application.
+This is achieved by installing the Infisical CLI into your docker image and modifying your start command to execute with Infisical.
 
 ## Add the Infisical CLI to your Dockerfile
 
@@ -33,6 +32,10 @@ Prerequisites:
 		```
    </Tab>
 </Tabs>
+####
+<Tip>
+  We recommend you to set the version of the CLI to a specific version. This will help keep your CLI version consistent across reinstalls. [View versions](https://cloudsmith.io/~infisical/repos/infisical-cli/packages/)
+</Tip>
 
 ## Modify the start command in your Dockerfile
 
@@ -48,18 +51,17 @@ CMD ["infisical", "run", "--", "npm", "run", "start"]
 CMD ["infisical", "run", "--command", "npm run start && ..."]
 ```
 
-## Generate an Infisical Token
+## Generate an service token
 
-Head to your project settings in Infisical Cloud to generate an [Infisical Token](/documentation/platform/token).
+Head to your project settings in the Infisical dashboard to generate an [service token](/documentation/platform/token). 
+This service token will allow you to authenticate and fetch secrets from Infisical. 
+Once you have created a service token with the required permissions, you’ll need to feed the token to the CLI installed in your docker container.
 
-## Feed Docker your Infisical Token
+## Feed service token to docker container
+The last step is to give the Infisical CLI installed in your Docker container access to the service token. This will allow the CLI to fetch and inject the secrets into your application.
+
+To feed the service token to the container, use the INFISICAL_TOKEN environment variable as shown below.
 
 ```bash
  docker run --env INFISICAL_TOKEN=[token] [DOCKER-IMAGE]...
 ```
-
-<Info>
-
-The Infisical CLI uses the detected `INFISICAL_TOKEN` environment variable to authenticate, retrieve, and inject the environment variables which the token is authorized for.
-
-</Info>

docs/mint.json

@@ -91,8 +91,8 @@
             "documentation/getting-started/introduction",
             "documentation/getting-started/platform",
             "documentation/getting-started/sdks",
-            "documentation/getting-started/docker",
-            "documentation/getting-started/kubernetes",
+            "integrations/platforms/kubernetes",
+            "integrations/platforms/docker-intro",
             "documentation/getting-started/api"
           ]
         },
@@ -187,7 +187,9 @@
         {
           "group": "Docker",
           "pages": [
+            "integrations/platforms/docker-intro",
             "integrations/platforms/docker",
+            "integrations/platforms/docker-pass-envs",
             "integrations/platforms/docker-compose"
           ]
         },
@@ -220,7 +222,9 @@
         "integrations/cicd/githubactions",
         "integrations/cicd/gitlab",
         "integrations/cicd/circleci",
-        "integrations/cicd/travisci"
+        "integrations/cicd/travisci",
+        "integrations/cicd/bitbucket",
+        "integrations/cicd/codefresh"
       ]
     },
     {

docs/self-hosting/configuration/envars.mdx

@@ -107,6 +107,14 @@ Other environment variables are listed below to increase the functionality of yo
     <ParamField query="CLIENT_SLUG_VERCEL" type="string" default="none" optional>
       OAuth2 slug for Vercel integration
     </ParamField>
+
+    <ParamField query="CLIENT_ID_BITBUCKET" type="string" default="none" optional>
+      OAuth2 client ID for BitBucket integration         
+    </ParamField>
+
+    <ParamField query="CLIENT_SECRET_BITBUCKET" type="string" default="none" optional>
+      OAuth2 client secret for BitBucket integration
+    </ParamField>
   </Tab>
   <Tab title="Auth Integrations">
     To integrate with external auth providers, provide value for the related keys

frontend/public/data/frequentConstants.ts

@@ -3,25 +3,27 @@ interface Mapping {
 }
 
 const integrationSlugNameMapping: Mapping = {
-  'azure-key-vault': 'Azure Key Vault',
-  'aws-parameter-store': 'AWS Parameter Store',
-  'aws-secret-manager': 'AWS Secret Manager',
-  'heroku': 'Heroku',
-  'vercel': 'Vercel',
-  'netlify': 'Netlify',
-  'github': 'GitHub',
-  'gitlab': 'GitLab',
-  'render': 'Render',
-  'laravel-forge': "Laravel Forge",
-  'railway': 'Railway',
-  'flyio': 'Fly.io',
-  'circleci': 'CircleCI',
-  'travisci': 'TravisCI',
-  'supabase': 'Supabase',
-  'checkly': 'Checkly',
-  'hashicorp-vault': 'Vault',
-  'cloudflare-pages': 'Cloudflare Pages'
-}
+  "azure-key-vault": "Azure Key Vault",
+  "aws-parameter-store": "AWS Parameter Store",
+  "aws-secret-manager": "AWS Secret Manager",
+  heroku: "Heroku",
+  vercel: "Vercel",
+  netlify: "Netlify",
+  github: "GitHub",
+  gitlab: "GitLab",
+  render: "Render",
+  "laravel-forge": "Laravel Forge",
+  railway: "Railway",
+  flyio: "Fly.io",
+  circleci: "CircleCI",
+  travisci: "TravisCI",
+  supabase: "Supabase",
+  checkly: "Checkly",
+  "hashicorp-vault": "Vault",
+  "cloudflare-pages": "Cloudflare Pages",
+  "codefresh": "Codefresh",
+  bitbucket: "BitBucket"
+};
 
 const envMapping: Mapping = {
   Development: "dev",

frontend/src/components/login/InitialLoginStep.tsx

@@ -1,188 +0,0 @@
-import { FormEvent, useState } from "react";
-import { useTranslation } from "react-i18next";
-import Link from "next/link";
-import { useRouter } from "next/router";
-import axios from "axios"
-
-import attemptLogin from "@app/components/utilities/attemptLogin";
-import getOrganizations from "@app/pages/api/organization/getOrgs";
-
-import Error from "../basic/Error";
-import attemptCliLogin from "../utilities/attemptCliLogin";
-// import { faGoogle } from '@fortawesome/free-brands-svg-icons';
-// import { FontAwesomeIcon } from '@fortawesome/react-fontawesome';
-import { Button, Input } from "../v2";
-
-export default function InitialLoginStep({
-    setStep,
-    email,
-    setEmail,
-    password,
-    setPassword,
-}: {
-    setStep: (step: number) => void;
-    email: string;
-    setEmail: (email: string) => void;
-    password: string;
-    setPassword: (password: string) => void;
-}) {
-
-    const router = useRouter();
-    const { t } = useTranslation();
-    const [isLoading, setIsLoading] = useState(false);
-    const [loginError, setLoginError] = useState(false);
-
-    const handleLogin = async (e: FormEvent<HTMLFormElement>) => {
-        e.preventDefault()
-        try {
-            if (!email || !password) {
-                return;
-            }
-
-            setIsLoading(true);
-            const queryParams = new URLSearchParams(window.location.search)
-            if (queryParams && queryParams.get("callback_port")) {
-                const callbackPort = queryParams.get("callback_port")
-
-                // attemptCliLogin
-                const isCliLoginSuccessful = await attemptCliLogin({
-                    email,
-                    password,
-                })
-
-                if (isCliLoginSuccessful && isCliLoginSuccessful.success) {
-
-                    if (isCliLoginSuccessful.mfaEnabled) {
-                        // case: login requires MFA step
-                        setStep(2);
-                        setIsLoading(false);
-                        return;
-                    }
-                    // case: login was successful
-                    const cliUrl = `http://localhost:${callbackPort}`
-
-                    // send request to server endpoint
-                    const instance = axios.create()
-                    const cliResp = await instance.post(cliUrl, { ...isCliLoginSuccessful.loginResponse })
-                    console.log(cliResp)
-
-                    // cli page
-                    router.push("/cli-redirect");
-
-                    // on success, router.push to cli Login Successful page
-
-                }
-            } else {
-                const isLoginSuccessful = await attemptLogin({
-                    email,
-                    password,
-                });
-                if (isLoginSuccessful && isLoginSuccessful.success) {
-                    // case: login was successful
-
-                    if (isLoginSuccessful.mfaEnabled) {
-                        // case: login requires MFA step
-                        setStep(2);
-                        setIsLoading(false);
-                        return;
-                    }
-                    const userOrgs = await getOrganizations();
-                    const userOrg = userOrgs[0] && userOrgs[0]._id;
-
-                    // case: login does not require MFA step
-                    router.push(`/org/${userOrg}/overview`);
-                }
-            }
-
-
-        } catch (err) {
-            setLoginError(true);
-        }
-
-        setIsLoading(false);
-    }
-    
-    return <form onSubmit={handleLogin} className='flex flex-col mx-auto w-full justify-center items-center'>
-        <h1 className='text-xl font-medium text-transparent bg-clip-text bg-gradient-to-b from-white to-bunker-200 text-center mb-8' >Login to Infisical</h1>
-        {/* <div className='lg:w-1/6 w-1/4 min-w-[20rem] rounded-md'>
-            <Button
-                colorSchema="primary" 
-                variant="solid"
-                onClick={() => {
-                    window.open('/api/v1/auth/redirect/google')
-                }} 
-                leftIcon={<FontAwesomeIcon icon={faGoogle} className="mr-1" />}
-                className="h-14 w-full mx-0"
-            > 
-                {t('login.continue-with-google')}
-            </Button>
-        </div> */}
-        <div className="relative md:px-1.5 flex items-center justify-center lg:w-1/6 w-1/4 min-w-[21.3rem] md:min-w-[22rem] mx-auto rounded-lg max-h-24 md:max-h-28">
-            <div className="flex items-center justify-center w-full md:px-2 md:py-1 rounded-lg max-h-24 md:max-h-28">
-                <Input
-                    value={email}
-                    onChange={(e) => setEmail(e.target.value)}
-                    type="email"
-                    placeholder="Enter your email..."
-                    isRequired
-                    autoComplete="username"
-                    className="h-12"
-                />
-            </div>
-        </div>
-        <div className="relative pt-2 md:pt-0 md:px-1.5 flex items-center justify-center w-1/4 lg:w-1/6 min-w-[21.3rem] md:min-w-[22rem] mx-auto rounded-lg max-h-24 md:max-h-28">
-            <div className="flex items-center justify-center w-full md:p-2 rounded-lg max-h-24 md:max-h-28">
-                <Input
-                    value={password}
-                    onChange={(e) => setPassword(e.target.value)}
-                    type="password"
-                    placeholder="Enter your password..."
-                    isRequired
-                    autoComplete="current-password"
-                    id="current-password"
-                    className="h-12 select:-webkit-autofill:focus"
-                />
-            </div>
-        </div>
-        {!isLoading && loginError && <Error text={t("login.error-login") ?? ""} />}
-        <div className='lg:w-1/6 w-1/4 min-w-[21.2rem] md:min-w-[20.1rem] text-center rounded-md mt-4'>
-            <Button
-                type="submit"
-                size="sm"
-                isFullWidth
-                className='h-12'
-                colorSchema="primary"
-                variant="solid"
-                isLoading={isLoading}
-            > Login </Button>
-        </div>
-        <div className='lg:w-1/6 w-1/4 min-w-[20rem] flex flex-row items-center mt-4 py-2'>
-            <div className='w-1/2 border-t border-mineshaft-500' />
-            <span className='px-4 text-sm text-bunker-400'>or</span>
-            <div className='w-1/2 border-t border-mineshaft-500' />
-        </div>
-        <div className='lg:w-1/6 w-1/4 min-w-[20rem] text-center rounded-md mt-4'>
-            <Button
-                colorSchema="primary"
-                variant="outline_bg"
-                onClick={() => router.push("/saml-sso")}
-                isFullWidth
-                className="h-14 w-full mx-0"
-            >
-                Continue with SAML SSO
-            </Button>
-        </div>
-        <div className="mt-6 text-bunker-400 text-sm flex flex-row">
-            <span className="mr-1">Don&apos;t have an acount yet?</span>
-            <Link href="/signup">
-                <span className='hover:underline hover:underline-offset-4 hover:decoration-primary-700 hover:text-bunker-200 duration-200 cursor-pointer'>{t("login.create-account")}</span>
-            </Link>
-        </div>
-        <div className="text-bunker-400 text-sm flex flex-row">
-            <span className="mr-1">Forgot password?</span>
-            <Link href="/verify-email">
-                <span className='hover:underline hover:underline-offset-4 hover:decoration-primary-700 hover:text-bunker-200 duration-200 cursor-pointer'>Recover your account</span>
-            </Link>
-        </div>
-    </form>
-}

frontend/src/components/login/PasswordInputStep.tsx

@@ -1,122 +0,0 @@
-import React, { useState } from "react";
-import { useTranslation } from "react-i18next";
-import Link from "next/link";
-import { useRouter } from "next/router";
-
-import Error from "@app/components/basic/Error";
-import attemptLogin from "@app/components/utilities/attemptLogin";
-import getOrganizations from "@app/pages/api/organization/getOrgs";
-
-import SecurityClient from "../utilities/SecurityClient";
-import { Button, Input } from "../v2";
-
-export default function PasswordInputStep({
-  email,
-  password,
-  providerAuthToken,
-  setPassword,
-  setProviderAuthToken,
-  setStep
-}: {
-  email: string;
-  password: string;
-  providerAuthToken: string;
-  setPassword: (password: string) => void;
-  setProviderAuthToken: (value: string) => void;
-  setStep: (step: number) => void;
-}) {
-  const router = useRouter();
-  const [isLoading, setIsLoading] = useState(false);
-  const [loginError, setLoginError] = useState(false);
-
-  const { t } = useTranslation();
-
-  const handleLogin = async () => {
-    try {
-      setIsLoading(true);
-      const loginAttempt = await attemptLogin({
-        email,
-        password,
-        providerAuthToken,
-      });
-
-      if (loginAttempt && loginAttempt.success) {
-        // case: login was successful
-
-        if (loginAttempt.mfaEnabled) {
-          // case: login requires MFA step
-          setStep(2);
-          setIsLoading(false);
-          return;
-        }
-
-        // case: login does not require MFA step
-        const userOrgs = await getOrganizations();
-        const userOrg = userOrgs[0]._id;
-        router.push(`/org/${userOrg?._id}/overview`);
-      }
-    } catch (err) {
-      setLoginError(true);
-    }
-
-    setIsLoading(false);
-  };
-
-  return (
-    <form onSubmit={(e) => e.preventDefault()}>
-      <div className="h-full mx-auto w-full max-w-md px-6 pt-8">
-        <p className="mx-auto mb-6 flex w-max justify-center text-xl font-medium text-transparent bg-clip-text bg-gradient-to-b from-white to-bunker-200 text-center mb-8">
-          What’s your Infisical Password?
-        </p>
-        <div className="relative flex items-center justify-center lg:w-1/6 w-1/4 min-w-[22rem] mx-auto w-full rounded-lg max-h-24 md:max-h-28">
-          <div className="flex items-center justify-center w-full rounded-lg max-h-24 md:max-h-28">
-            <Input
-              value={password}
-              onChange={(e) => setPassword(e.target.value)}
-              type="password"
-              placeholder="Enter your password..."
-              isRequired
-              autoComplete="current-password"
-              id="current-password"
-              className="h-12"
-            />
-          </div>
-        </div>
-        {!isLoading && loginError && <Error text={t("login.error-login") ?? ""} />}
-        <div className='lg:w-1/6 w-1/4 w-full mx-auto flex items-center justify-center min-w-[22rem] text-center rounded-md mt-4'>
-          <Button
-              colorSchema="primary" 
-              variant="outline_bg"
-              onClick={async () => handleLogin()} 
-              isFullWidth
-              isLoading={isLoading}
-              className="h-14"
-          > 
-              {t("login.login")} 
-          </Button>
-        </div>
-        <div className="text-bunker-400 text-xs flex flex-col items-center w-max mx-auto mt-4">
-          <span className='duration-200 max-w-sm text-center px-4'>
-            Infisical Master Password serves as a decryption mechanism so that even Google is not able to access your secrets.
-          </span>
-          <Link href="/verify-email">
-            <span className='hover:underline mt-2 hover:underline-offset-4 hover:decoration-primary-700 hover:text-bunker-200 duration-200 cursor-pointer'>{t("login.forgot-password")}</span>
-          </Link>
-        </div>
-        <div className="flex flex-row items-center justify-center">
-          <button
-            onClick={(e) => {
-              e.preventDefault();
-              SecurityClient.setProviderAuthToken("");
-              setProviderAuthToken("");
-            }}
-            type="button"
-            className="text-bunker-400 text-xs hover:underline mt-2 hover:underline-offset-4 hover:decoration-primary-700 hover:text-bunker-200 duration-200 cursor-pointer"
-          >
-            {t("login.other-option")}
-          </button>
-        </div>
-      </div>
-    </form>
-  );
-}

frontend/src/components/signup/InitialSignupStep.tsx

@@ -2,8 +2,8 @@ import { useTranslation } from "react-i18next";
 import Link from "next/link";
 import { useRouter } from "next/router";
 
-// import { faGoogle } from '@fortawesome/free-brands-svg-icons';
-// import { FontAwesomeIcon } from '@fortawesome/react-fontawesome';
+// import { faGoogle } from "@fortawesome/free-brands-svg-icons";
+// import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { Button } from "../v2";
 
 export default function InitialSignupStep({
@@ -16,19 +16,6 @@ export default function InitialSignupStep({
 
     return <div className='flex flex-col mx-auto w-full justify-center items-center'>
         <h1 className='text-xl font-medium text-transparent bg-clip-text bg-gradient-to-b from-white to-bunker-200 text-center mb-8' >{t("signup.initial-title")}</h1>
-        {/* <div className='lg:w-1/6 w-1/4 min-w-[20rem] rounded-md'>
-            <Button
-                colorSchema="primary"
-                variant="solid"
-                onClick={() => {
-                    window.open('/api/v1/auth/redirect/google')
-                }}
-                leftIcon={<FontAwesomeIcon icon={faGoogle} className="mr-1" />}
-                className="h-14 w-full mx-0"
-            >
-                {t('signup.continue-with-google')}
-            </Button>
-        </div> */}
         <div className='lg:w-1/6 w-1/4 min-w-[20rem] text-center rounded-md'>
             <Button
                 colorSchema="primary"
@@ -42,6 +29,25 @@ export default function InitialSignupStep({
                 Sign Up with email
             </Button>
         </div>
+        <div className='lg:w-1/6 w-1/4 min-w-[20rem] flex flex-row items-center my-4 py-2'>
+            <div className='w-1/2 border-t border-mineshaft-500' />
+            <span className='px-4 text-sm text-bunker-400'>or</span>
+            <div className='w-1/2 border-t border-mineshaft-500' />
+        </div>
+        {/* <div className='lg:w-1/6 w-1/4 min-w-[20rem] rounded-md'>
+            <Button
+                colorSchema="primary"
+                variant="solid"
+                onClick={() => {
+                    window.open("/api/v1/sso/redirect/google");
+                    window.close();
+                }}
+                leftIcon={<FontAwesomeIcon icon={faGoogle} className="mr-1" />}
+                className="h-14 w-full mx-0"
+            >
+                {t("signup.continue-with-google")}
+            </Button>
+        </div> */}
         <div className='lg:w-1/6 w-1/4 min-w-[20rem] text-center rounded-md mt-4'>
             <Button
                 colorSchema="primary" 

frontend/src/const.ts

@@ -4,6 +4,7 @@ export const publicPaths = [
   "/signupinvite",
   "/pricing",
   "/signup",
+  "/signup/sso",
   "/login",
   "/blog",
   "/docs",
@@ -18,8 +19,9 @@ export const publicPaths = [
   "/verify-email",
   "/password-reset",
   "/saml-sso",
-  "/login/provider/success",
-  "/login/provider/error"
+  "/login/provider/success", // TODO: change
+  "/login/provider/error", // TODO: change
+  "/login/sso"
 ];
 
 export const languageMap = {

frontend/src/hooks/api/index.tsx

@@ -11,6 +11,7 @@ export * from "./secrets";
 export * from "./secretSnapshots";
 export * from "./serviceAccounts";
 export * from "./serviceTokens";
+export * from "./ssoConfig";
 export * from "./subscriptions";
 export * from "./tags";
 export * from "./users";

frontend/src/hooks/api/integrationAuth/index.tsx

@@ -1,9 +1,10 @@
 export {
   useDeleteIntegrationAuth,
   useGetIntegrationAuthApps,
+  useGetIntegrationAuthBitBucketWorkspaces,
   useGetIntegrationAuthById,
   useGetIntegrationAuthRailwayEnvironments,
   useGetIntegrationAuthRailwayServices,
   useGetIntegrationAuthTeams,
-  useGetIntegrationAuthVercelBranches
+  useGetIntegrationAuthVercelBranches,
 } from "./queries";

frontend/src/hooks/api/integrationAuth/queries.tsx

@@ -3,13 +3,13 @@ import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
 import { apiRequest } from "@app/config/request";
 
 import { workspaceKeys } from "../workspace/queries";
-import { App, Environment, IntegrationAuth, Service, Team } from "./types";
+import { App, BitBucketWorkspace, Environment, IntegrationAuth, Service, Team } from "./types";
 
 const integrationAuthKeys = {
   getIntegrationAuthById: (integrationAuthId: string) =>
     [{ integrationAuthId }, "integrationAuth"] as const,
-  getIntegrationAuthApps: (integrationAuthId: string, teamId?: string) =>
-    [{ integrationAuthId, teamId }, "integrationAuthApps"] as const,
+  getIntegrationAuthApps: (integrationAuthId: string, teamId?: string, workspaceSlug?: string) =>
+    [{ integrationAuthId, teamId, workspaceSlug }, "integrationAuthApps"] as const,
   getIntegrationAuthTeams: (integrationAuthId: string) =>
     [{ integrationAuthId }, "integrationAuthTeams"] as const,
   getIntegrationAuthVercelBranches: ({
@@ -19,6 +19,7 @@ const integrationAuthKeys = {
     integrationAuthId: string;
     appId: string;
   }) => [{ integrationAuthId, appId }, "integrationAuthVercelBranches"] as const,
+
   getIntegrationAuthRailwayEnvironments: ({
     integrationAuthId,
     appId
@@ -32,7 +33,9 @@ const integrationAuthKeys = {
   }: {
     integrationAuthId: string;
     appId: string;
-  }) => [{ integrationAuthId, appId }, "integrationAuthRailwayServices"] as const
+  }) => [{ integrationAuthId, appId }, "integrationAuthRailwayServices"] as const,
+  getIntegrationAuthBitBucketWorkspaces: (integrationAuthId: string) =>
+    [{ integrationAuthId }, "integrationAuthBitbucketWorkspaces"] as const,
 };
 
 const fetchIntegrationAuthById = async (integrationAuthId: string) => {
@@ -44,12 +47,22 @@ const fetchIntegrationAuthById = async (integrationAuthId: string) => {
 
 const fetchIntegrationAuthApps = async ({
   integrationAuthId,
-  teamId
+  teamId,
+  workspaceSlug
 }: {
   integrationAuthId: string;
   teamId?: string;
+  workspaceSlug?: string;
 }) => {
-  const searchParams = new URLSearchParams(teamId ? { teamId } : undefined);
+  const params: Record<string, string> = {}
+  if (teamId) {
+    params.teamId = teamId
+  }
+  if (workspaceSlug) {
+    params.workspaceSlug = workspaceSlug
+  }
+
+  const searchParams = new URLSearchParams(params);
   const { data } = await apiRequest.get<{ apps: App[] }>(
     `/api/v1/integration-auth/${integrationAuthId}/apps`,
     { params: searchParams }
@@ -64,6 +77,7 @@ const fetchIntegrationAuthTeams = async (integrationAuthId: string) => {
   return data.teams;
 };
 
+
 const fetchIntegrationAuthVercelBranches = async ({
   integrationAuthId,
   appId
@@ -127,6 +141,13 @@ const fetchIntegrationAuthRailwayServices = async ({
   return services;
 };
 
+const fetchIntegrationAuthBitBucketWorkspaces = async (integrationAuthId: string) => {
+  const { data: { workspaces } } = await apiRequest.get<{ workspaces: BitBucketWorkspace[] }>(
+    `/api/v1/integration-auth/${integrationAuthId}/bitbucket/workspaces`
+  );
+  return workspaces;
+};
+
 export const useGetIntegrationAuthById = (integrationAuthId: string) => {
   return useQuery({
     queryKey: integrationAuthKeys.getIntegrationAuthById(integrationAuthId),
@@ -137,17 +158,20 @@ export const useGetIntegrationAuthById = (integrationAuthId: string) => {
 
 export const useGetIntegrationAuthApps = ({
   integrationAuthId,
-  teamId
+  teamId,
+  workspaceSlug,
 }: {
   integrationAuthId: string;
   teamId?: string;
+  workspaceSlug?: string;
 }) => {
   return useQuery({
-    queryKey: integrationAuthKeys.getIntegrationAuthApps(integrationAuthId, teamId),
+    queryKey: integrationAuthKeys.getIntegrationAuthApps(integrationAuthId, teamId, workspaceSlug),
     queryFn: () =>
       fetchIntegrationAuthApps({
         integrationAuthId,
-        teamId
+        teamId,
+        workspaceSlug
       }),
     enabled: true
   });
@@ -224,6 +248,14 @@ export const useGetIntegrationAuthRailwayServices = ({
   });
 };
 
+export const useGetIntegrationAuthBitBucketWorkspaces = (integrationAuthId: string) => {
+  return useQuery({
+    queryKey: integrationAuthKeys.getIntegrationAuthBitBucketWorkspaces(integrationAuthId),
+    queryFn: () => fetchIntegrationAuthBitBucketWorkspaces(integrationAuthId),
+    enabled: true
+  });
+};
+
 export const useDeleteIntegrationAuth = () => {
   const queryClient = useQueryClient();
 
@@ -235,3 +267,4 @@ export const useDeleteIntegrationAuth = () => {
     }
   });
 };
+

frontend/src/hooks/api/integrationAuth/types.ts

@@ -29,3 +29,9 @@ export type Service = {
   name: string;
   serviceId: string;
 };
+
+export type BitBucketWorkspace = {
+  uuid: string;
+  name: string;
+  slug: string;
+}

frontend/src/hooks/api/organization/queries.tsx

@@ -22,7 +22,7 @@ const organizationKeys = {
   getOrgBillingDetails: (orgId: string) => [{ orgId }, "organization-billing-details"] as const,
   getOrgPmtMethods: (orgId: string) => [{ orgId }, "organization-pmt-methods"] as const,
   getOrgTaxIds: (orgId: string) => [{ orgId }, "organization-tax-ids"] as const,
-  getOrgInvoices: (orgId: string) => [{ orgId }, "organization-invoices"] as const
+  getOrgInvoices: (orgId: string) => [{ orgId }, "organization-invoices"] as const,
 };
 
 export const useGetOrganization = () => {

frontend/src/hooks/api/ssoConfig/index.tsx

@@ -0,0 +1,5 @@
+export {
+    useCreateSSOConfig,
+    useGetSSOConfig,
+    useUpdateSSOConfig
+} from "./queries";

frontend/src/hooks/api/ssoConfig/queries.tsx

@@ -0,0 +1,103 @@
+import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+const ssoConfigKeys = {
+    getSSOConfig: (orgId: string) => [{ orgId }, "organization-saml-sso"] as const,
+}
+
+export const useGetSSOConfig = (organizationId: string) => {
+  return useQuery({
+    queryKey: ssoConfigKeys.getSSOConfig(organizationId),
+    queryFn: async () => {
+      const { data } = await apiRequest.get(
+        `/api/v1/sso/config?organizationId=${organizationId}`
+      );
+
+      return data;
+    },
+    enabled: true
+  });
+}
+
+export const useCreateSSOConfig = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async ({
+      organizationId,
+      authProvider,
+      isActive,
+      entryPoint,
+      issuer,
+      cert,
+      audience
+    }: {
+      organizationId: string;
+      authProvider: string;
+      isActive: boolean;
+      entryPoint: string;
+      issuer: string;
+      cert: string;
+      audience: string;
+    }) => {
+      const { data } = await apiRequest.post(
+        "/api/v1/sso/config",
+        {
+          organizationId,
+          authProvider,
+          isActive,
+          entryPoint,
+          issuer,
+          cert,
+          audience
+        }
+      );
+      
+      return data;
+    },
+    onSuccess(_, dto) {
+      queryClient.invalidateQueries(ssoConfigKeys.getSSOConfig(dto.organizationId));
+    }
+  });
+};
+
+export const useUpdateSSOConfig = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async ({
+      organizationId,
+      authProvider,
+      isActive,
+      entryPoint,
+      issuer,
+      cert,
+      audience
+    }: {
+      organizationId: string;
+      authProvider?: string;
+      isActive?: boolean;
+      entryPoint?: string;
+      issuer?: string;
+      cert?: string;
+      audience?: string;
+    }) => {
+      const { data } = await apiRequest.patch(
+        "/api/v1/sso/config",
+        {
+          organizationId,
+          ...(authProvider !== undefined ? { authProvider } : {}),
+          ...(isActive !== undefined ? { isActive } : {}),
+          ...(entryPoint !== undefined ? { entryPoint } : {}),
+          ...(issuer !== undefined ? { issuer } : {}),
+          ...(cert !== undefined ? { cert } : {}),
+          ...(audience !== undefined ? { audience } : {})
+        }
+      );
+      
+      return data;
+    },
+    onSuccess(_, dto) {
+      queryClient.invalidateQueries(ssoConfigKeys.getSSOConfig(dto.organizationId));
+    }
+  });
+};

frontend/src/hooks/api/subscriptions/types.ts

@@ -13,6 +13,7 @@ export type SubscriptionPlan = {
   workspaceLimit: number;
   workspacesUsed: number;
   environmentLimit: number;
+  samlSSO: boolean;
   status: "incomplete" | "incomplete_expired" | "trialing" | "active" | "past_due" | "canceled" | "unpaid" | null;
   trial_end: number | null;
   has_used_trial: boolean;

frontend/src/hooks/useProviderAuth.ts

@@ -1,99 +0,0 @@
-import { useEffect, useState } from "react";
-import { useRouter } from "next/router";
-import jwt_decode from "jwt-decode";
-
-import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
-import SecurityClient, { PROVIDER_AUTH_TOKEN_KEY } from "@app/components/utilities/SecurityClient";
-
-export const useProviderAuth = () => {
-    const router = useRouter();
-    const { providerAuthToken: redirectedProviderAuthToken } = router.query;
-    const [email, setEmail] = useState<string>("");
-    const [userId, setUserId] = useState<string>("");
-    const [providerAuthToken, setProviderAuthToken] = useState<string>(
-        redirectedProviderAuthToken as string || ""
-    );
-    const [isProviderUserCompleted, setIsProviderUserCompleted] = useState<boolean>();
-    const { createNotification } = useNotificationContext();
-    const AUTH_ERROR_KEY = "PROVIDER_AUTH_ERROR"
-
-    const handleRedirectWithToken = () => {
-        if (providerAuthToken) {
-            const {
-                userId: resultUserId,
-                email: resultEmail,
-                isUserCompleted: resultIsUserCompleted,
-            } = jwt_decode(providerAuthToken) as any;
-            setEmail(resultEmail);
-            setUserId(resultUserId);
-            setIsProviderUserCompleted(resultIsUserCompleted);
-        }
-
-    }
-
-    useEffect(() => {
-        handleRedirectWithToken();
-
-        // reset when there is no redirect auth token
-        if (!providerAuthToken) {
-            SecurityClient.setProviderAuthToken("");
-        }
-
-        window.localStorage.removeItem(AUTH_ERROR_KEY);
-
-        const handleStorageChange = (event: StorageEvent) => {
-            if (event.storageArea !== localStorage) {
-                return;
-            }
-
-            if (event.key === PROVIDER_AUTH_TOKEN_KEY) {
-                if (event.newValue) {
-                    const token = event.newValue;
-                    const {
-                        userId: resultUserId,
-                        email: resultEmail,
-                        isUserCompleted: resultIsUserCompleted,
-                    } = jwt_decode(token) as any;
-                    setIsProviderUserCompleted(resultIsUserCompleted);
-                    setProviderAuthToken(token);
-                    setEmail(resultEmail);
-                    setUserId(resultUserId);
-                } else {
-                    setProviderAuthToken("");
-                    setEmail("");
-                    setUserId("");
-                    setIsProviderUserCompleted(false);
-                }
-                setProviderAuthToken(event.newValue || "");
-            }
-
-            if (event.key === AUTH_ERROR_KEY) {
-                if (event.newValue) {
-                    createNotification({
-                        text: "An error has occured during login.",
-                        type: "error",
-                        timeoutMs: 6000,
-                    })
-
-                    window.localStorage.removeItem(AUTH_ERROR_KEY);
-                }
-            }
-        };
-
-        window.addEventListener("storage", handleStorageChange);
-
-        return () => {
-            window.removeEventListener("storage", handleStorageChange);
-        };
-    }, []);
-
-    return {
-        email,
-        isProviderUserCompleted,
-        providerAuthToken,
-        userId,
-        setEmail,
-        setProviderAuthToken,
-        setUserId,
-    };
-};

frontend/src/pages/api/auth/CompleteAccountInformationSignup.ts

@@ -70,7 +70,7 @@ const completeAccountInformationSignup = async ({
     verifier,
     organizationName,
     providerAuthToken,
-    attributionSource,
+    ...(attributionSource ? { attributionSource } : {})
   });
 
   return data;

frontend/src/pages/integrations/bitbucket/create.tsx

@@ -0,0 +1,198 @@
+import { useEffect, useState } from "react";
+import { useRouter } from "next/router";
+import queryString from "query-string";
+
+import {
+  Button,
+  Card,
+  CardTitle,
+  FormControl,
+  Input,
+  Select,
+  SelectItem
+} from "../../../components/v2";
+import {
+  useGetIntegrationAuthApps,
+  useGetIntegrationAuthBitBucketWorkspaces,
+  useGetIntegrationAuthById,
+} from "../../../hooks/api/integrationAuth";
+import { useGetWorkspaceById } from "../../../hooks/api/workspace";
+import createIntegration from "../../api/integrations/createIntegration";
+
+export default function BitBucketCreateIntegrationPage() {
+  const router = useRouter();
+
+  const [targetAppId, setTargetAppId] = useState("");
+  const [targetEnvironmentId, setTargetEnvironmentId] = useState("");
+
+  const [selectedSourceEnvironment, setSelectedSourceEnvironment] = useState("");
+  const [secretPath, setSecretPath] = useState("/");
+  const [isLoading, setIsLoading] = useState(false);
+
+  const { integrationAuthId } = queryString.parse(router.asPath.split("?")[1]);
+  const { data: integrationAuth } = useGetIntegrationAuthById((integrationAuthId as string) ?? "");
+  const { data: workspace } = useGetWorkspaceById(localStorage.getItem("projectData.id") ?? "");
+  const { data: targetEnvironments } = useGetIntegrationAuthBitBucketWorkspaces((integrationAuthId as string) ?? "");
+  const { data: integrationAuthApps } = useGetIntegrationAuthApps({
+    integrationAuthId: (integrationAuthId as string) ?? "",
+    workspaceSlug: targetEnvironmentId
+  });
+
+  useEffect(() => {
+    if (workspace) {
+      setSelectedSourceEnvironment(workspace.environments[0].slug);
+    }
+  }, [workspace]);
+
+  useEffect(() => {
+    if (integrationAuthApps) {
+      if (integrationAuthApps.length > 0) {
+        setTargetAppId(integrationAuthApps[0].appId as string);
+      } else {
+        setTargetAppId("none");
+      }
+    }
+  }, [integrationAuthApps]);
+
+  useEffect(() => {
+    if (targetEnvironments) {
+      if (targetEnvironments.length > 0) {
+        setTargetEnvironmentId(targetEnvironments[0].slug);
+      } else {
+        setTargetEnvironmentId("none");
+      }
+    }
+  }, [targetEnvironments]);
+
+  const handleButtonClick = async () => {
+    try {
+      setIsLoading(true);
+
+      if (!integrationAuth?._id) return;
+
+      const targetApp = integrationAuthApps?.find(
+        (integrationAuthApp) => integrationAuthApp.appId === targetAppId
+      );
+      const targetEnvironment = targetEnvironments?.find(
+        (environment) => environment.slug === targetEnvironmentId
+      );
+
+      if (!targetApp || !targetApp.appId || !targetEnvironment) return;
+
+      await createIntegration({
+        integrationAuthId: integrationAuth?._id,
+        isActive: true,
+        app: targetApp.name,
+        appId: targetApp.appId,
+        sourceEnvironment: selectedSourceEnvironment,
+        targetEnvironment: targetEnvironment.name,
+        targetEnvironmentId: targetEnvironment.slug,
+        targetService: null,
+        targetServiceId: null,
+        owner: null,
+        path: null,
+        region: null,
+        secretPath
+      });
+
+      setIsLoading(false);
+
+      router.push(`/integrations/${localStorage.getItem("projectData.id")}`);
+    } catch (err) {
+      console.error(err);
+    }
+  };
+
+  return integrationAuth &&
+    workspace &&
+    selectedSourceEnvironment &&
+    integrationAuthApps &&
+    targetEnvironments ? (
+    <div className="flex h-full w-full items-center justify-center">
+      <Card className="max-w-md rounded-md p-8">
+        <CardTitle className="text-center">BitBucket Integration</CardTitle>
+        <FormControl label="Project Environment" className="mt-4">
+          <Select
+            value={selectedSourceEnvironment}
+            onValueChange={(val) => setSelectedSourceEnvironment(val)}
+            className="w-full border border-mineshaft-500"
+          >
+            {workspace?.environments.map((sourceEnvironment) => (
+              <SelectItem
+                value={sourceEnvironment.slug}
+                key={`source-environment-${sourceEnvironment.slug}`}
+              >
+                {sourceEnvironment.name}
+              </SelectItem>
+            ))}
+          </Select>
+        </FormControl>
+        <FormControl label="Secrets Path">
+          <Input
+            value={secretPath}
+            onChange={(evt) => setSecretPath(evt.target.value)}
+            placeholder="Provide a path, default is /"
+          />
+        </FormControl>
+        <FormControl label="BitBucket Workspace">
+          <Select
+            value={targetEnvironmentId}
+            onValueChange={(val) => setTargetEnvironmentId(val)}
+            className="w-full border border-mineshaft-500"
+            isDisabled={targetEnvironments.length === 0}
+          >
+            {targetEnvironments.length > 0 ? (
+              targetEnvironments.map((targetEnvironment) => (
+                <SelectItem
+                  value={targetEnvironment.slug as string}
+                  key={`target-environment-${targetEnvironment.slug as string}`}
+                >
+                  {targetEnvironment.name}
+                </SelectItem>
+              ))
+            ) : (
+              <SelectItem value="none" key="target-environment-none">
+                No workspaces found
+              </SelectItem>
+            )}
+          </Select>
+        </FormControl>
+        <FormControl label="BitBucket Repo">
+          <Select
+            value={targetAppId}
+            onValueChange={(val) => setTargetAppId(val)}
+            className="w-full border border-mineshaft-500"
+          >
+            {integrationAuthApps.length > 0 ? (
+              integrationAuthApps.map((integrationAuthApp) => (
+                <SelectItem
+                  value={integrationAuthApp.appId as string}
+                  key={`target-app-${integrationAuthApp.appId as string}`}
+                >
+                  {integrationAuthApp.name}
+                </SelectItem>
+              ))
+            ) : (
+              <SelectItem value="none" key="target-app-none">
+                No repositories found
+              </SelectItem>
+            )}
+          </Select>
+        </FormControl>
+        <Button
+          onClick={handleButtonClick}
+          color="mineshaft"
+          className="mt-4"
+          isLoading={isLoading}
+          isDisabled={integrationAuthApps.length === 0}
+        >
+          Create Integration
+        </Button>
+      </Card>
+    </div>
+  ) : (
+    <div />
+  );
+}
+
+BitBucketCreateIntegrationPage.requireAuth = true;

frontend/src/pages/integrations/bitbucket/oauth2/callback.tsx

@@ -0,0 +1,34 @@
+import { useEffect } from "react";
+import { useRouter } from "next/router";
+import queryString from "query-string";
+
+import AuthorizeIntegration from "../../../api/integrations/authorizeIntegration";
+
+export default function BitBucketOAuth2CallbackPage() {
+  const router = useRouter();
+  const { code, state } = queryString.parse(router.asPath.split("?")[1]);
+
+  useEffect(() => {
+    (async () => {
+      try {
+        // validate state
+        if (state !== localStorage.getItem("latestCSRFToken")) return;
+        localStorage.removeItem("latestCSRFToken");
+
+        const integrationAuth = await AuthorizeIntegration({
+          workspaceId: localStorage.getItem("projectData.id") as string,
+          code: code as string,
+          integration: "bitbucket"
+        });
+
+        router.push(`/integrations/bitbucket/create?integrationAuthId=${integrationAuth._id}`);
+      } catch (err) {
+        console.error(err);
+      }
+    })();
+  }, []);
+
+  return <div />;
+}
+
+BitBucketOAuth2CallbackPage.requireAuth = true;