doc: initial docs for kms

feat: added project data key

.github/workflows/build-binaries.yml

@@ -14,6 +14,7 @@ defaults:
 
 jobs:
     build-and-deploy:
+        runs-on: ubuntu-20.04
         strategy:
             matrix:
                 arch: [x64, arm64]
@@ -23,7 +24,6 @@ jobs:
                       target: node20-linux
                     - os: win
                       target: node20-win
-        runs-on: ${{ (matrix.arch == 'arm64' && matrix.os == 'linux') && 'ubuntu24-arm64' || 'ubuntu-latest' }}
 
         steps:
             - name: Checkout code
@@ -49,9 +49,9 @@ jobs:
             - name: Package into node binary
               run: |
                   if [ "${{ matrix.os }}" != "linux" ]; then
-                    pkg --no-bytecode --public-packages "*" --public --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }} .
+                    pkg --no-bytecode --public-packages "*" --public --compress Brotli --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }} .
                   else
-                    pkg --no-bytecode --public-packages "*" --public --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core .
+                    pkg --no-bytecode --public-packages "*" --public --compress Brotli --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core .
                   fi
 
             # Set up .deb package structure (Debian/Ubuntu only)
@@ -84,12 +84,7 @@ jobs:
                   mv infisical-core.deb ./binary/infisical-core-${{matrix.arch}}.deb
 
             - uses: actions/setup-python@v4
-              with:
-                  python-version: "3.x" # Specify the Python version you need
-            - name: Install Python dependencies
-              run: |
-                  python -m pip install --upgrade pip
-                  pip install --upgrade cloudsmith-cli
+            - run: pip install --upgrade cloudsmith-cli
 
             # Publish .deb file to Cloudsmith (Debian/Ubuntu only)
             - name: Publish to Cloudsmith (Debian/Ubuntu)

.github/workflows/check-api-for-breaking-changes.yml

@@ -22,14 +22,14 @@ jobs:
       # uncomment this when testing locally using nektos/act
       - uses: KengoTODA/actions-setup-docker-compose@v1
         if: ${{ env.ACT }}
-        name: Install `docker compose` for local simulations
+        name: Install `docker-compose` for local simulations
         with:
           version: "2.14.2"
       - name: 📦Build the latest image
         run: docker build --tag infisical-api .
         working-directory: backend
       - name: Start postgres and redis
-        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
+        run: touch .env && docker-compose -f docker-compose.dev.yml up -d db redis
       - name: Start the server
         run: |
             echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
@@ -72,6 +72,6 @@ jobs:
         run: oasdiff breaking https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json --fail-on ERR
       - name: cleanup
         run: |
-          docker compose -f "docker-compose.dev.yml" down
+          docker-compose -f "docker-compose.dev.yml" down
           docker stop infisical-api
           docker remove infisical-api

.github/workflows/run-backend-tests.yml

@@ -20,7 +20,7 @@ jobs:
         uses: actions/checkout@v3
       - uses: KengoTODA/actions-setup-docker-compose@v1
         if: ${{ env.ACT }}
-        name: Install `docker compose` for local simulations
+        name: Install `docker-compose` for local simulations
         with:
           version: "2.14.2"
       - name: 🔧 Setup Node 20
@@ -33,7 +33,7 @@ jobs:
         run: npm install
         working-directory: backend
       - name: Start postgres and redis
-        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
+        run: touch .env && docker-compose -f docker-compose.dev.yml up -d db redis
       - name: Start integration test
         run: npm run test:e2e
         working-directory: backend
@@ -44,4 +44,4 @@ jobs:
           ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
       - name: cleanup
         run: |
-          docker compose -f "docker-compose.dev.yml" down
+          docker-compose -f "docker-compose.dev.yml" down

backend/e2e-test/routes/v3/secrets-v2.spec.ts

@@ -1,576 +0,0 @@
-import { SecretType } from "@app/db/schemas";
-import { seedData1 } from "@app/db/seed-data";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-type TRawSecret = {
-  secretKey: string;
-  secretValue: string;
-  secretComment?: string;
-  version: number;
-};
-const createSecret = async (dto: { path: string; key: string; value: string; comment: string; type?: SecretType }) => {
-  const createSecretReqBody = {
-    workspaceId: seedData1.projectV3.id,
-    environment: seedData1.environment.slug,
-    type: dto.type || SecretType.Shared,
-    secretPath: dto.path,
-    secretKey: dto.key,
-    secretValue: dto.value,
-    secretComment: dto.comment
-  };
-  const createSecRes = await testServer.inject({
-    method: "POST",
-    url: `/api/v3/secrets/raw/${dto.key}`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: createSecretReqBody
-  });
-  expect(createSecRes.statusCode).toBe(200);
-  const createdSecretPayload = JSON.parse(createSecRes.payload);
-  expect(createdSecretPayload).toHaveProperty("secret");
-  return createdSecretPayload.secret as TRawSecret;
-};
-
-const deleteSecret = async (dto: { path: string; key: string }) => {
-  const deleteSecRes = await testServer.inject({
-    method: "DELETE",
-    url: `/api/v3/secrets/raw/${dto.key}`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: {
-      workspaceId: seedData1.projectV3.id,
-      environment: seedData1.environment.slug,
-      secretPath: dto.path
-    }
-  });
-  expect(deleteSecRes.statusCode).toBe(200);
-  const updatedSecretPayload = JSON.parse(deleteSecRes.payload);
-  expect(updatedSecretPayload).toHaveProperty("secret");
-  return updatedSecretPayload.secret as TRawSecret;
-};
-
-describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }])(
-  "Secret V2 Architecture - $auth mode",
-  async ({ auth }) => {
-    let folderId = "";
-    let authToken = "";
-    const secretTestCases = [
-      {
-        path: "/",
-        secret: {
-          key: "SEC1",
-          value: "something-secret",
-          comment: "some comment"
-        }
-      },
-      {
-        path: "/nested1/nested2/folder",
-        secret: {
-          key: "NESTED-SEC1",
-          value: "something-secret",
-          comment: "some comment"
-        }
-      },
-      {
-        path: "/",
-        secret: {
-          key: "secret-key-2",
-          value: `-----BEGIN PRIVATE KEY-----
-        MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCa6eeFk+cMVqFn
-        hoVQDYgn2Ptp5Azysr2UPq6P73pCL9BzUtOXKZROqDyGehzzfg3wE2KdYU1Jk5Uq
-        fP0ZOWDIlM2SaVCSI3FW32o5+ZiggjpqcVdLFc/PS0S/ZdSmpPd8h11iO2brtIAI
-        ugTW8fcKlGSNUwx9aFmE7A6JnTRliTxB1l6QaC+YAwTK39VgeVH2gDSWC407aS15
-        QobAkaBKKmFkzB5D7i2ZJwt+uXJV/rbLmyDmtnw0lubciGn7NX9wbYef180fisqT
-        aPNAz0nPKk0fFH2Wd5MZixNGbrrpDA+FCYvI5doThZyT2hpj08qWP07oXXCAqw46
-        IEupNSILAgMBAAECggEBAIJb5KzeaiZS3B3O8G4OBQ5rJB3WfyLYUHnoSWLsBbie
-        nc392/ovThLmtZAAQE6SO85Tsb93+t64Z2TKqv1H8G658UeMgfWIB78v4CcLJ2mi
-        TN/3opqXrzjkQOTDHzBgT7al/mpETHZ6fOdbCemK0fVALGFUioUZg4M8VXtuI4Jw
-        q28jAyoRKrCrzda4BeQ553NZ4G5RvwhX3O2I8B8upTbt5hLcisBKy8MPLYY5LUFj
-        YKAP+raf6QLliP6KYHuVxUlgzxjLTxVG41etcyqqZF+foyiKBO3PU3n8oh++tgQP
-        ExOxiR0JSkBG5b+oOBD0zxcvo3/SjBHn0dJOZCSU2SkCgYEAyCe676XnNyBZMRD7
-        6trsaoiCWBpA6M8H44+x3w4cQFtqV38RyLy60D+iMKjIaLqeBbnay61VMzo24Bz3
-        EuF2n4+9k/MetLJ0NCw8HmN5k0WSMD2BFsJWG8glVbzaqzehP4tIclwDTYc1jQVt
-        IoV2/iL7HGT+x2daUwbU5kN5hK0CgYEAxiLB+fmjxJW7VY4SHDLqPdpIW0q/kv4K
-        d/yZBrCX799vjmFb9vLh7PkQUfJhMJ/ttJOd7EtT3xh4mfkBeLfHwVU0d/ahbmSH
-        UJu/E9ZGxAW3PP0kxHZtPrLKQwBnfq8AxBauIhR3rPSorQTIOKtwz1jMlHFSUpuL
-        3KeK2YfDYJcCgYEAkQnJOlNcAuRb/WQzSHIvktssqK8NjiZHryy3Vc0hx7j2jES2
-        HGI2dSVHYD9OSiXA0KFm3OTTsnViwm/60iGzFdjRJV6tR39xGUVcoyCuPnvRfUd0
-        PYvBXgxgkYpyYlPDcwp5CvWGJy3tLi1acgOIwIuUr3S38sL//t4adGk8q1kCgYB8
-        Jbs1Tl53BvrimKpwUNbE+sjrquJu0A7vL68SqgQJoQ7dP9PH4Ff/i+/V6PFM7mib
-        BQOm02wyFbs7fvKVGVJoqWK+6CIucX732x7W5yRgHtS5ukQXdbzt1Ek3wkEW98Cb
-        HTruz7RNAt/NyXlLSODeit1lBbx3Vk9EaxZtRsv88QKBgGn7JwXgez9NOyobsNIo
-        QVO80rpUeenSjuFi+R0VmbLKe/wgAQbYJ0xTAsQ0btqViMzB27D6mJyC+KUIwWNX
-        MN8a+m46v4kqvZkKL2c4gmDibyURNe/vCtCHFuanJS/1mo2tr4XDyEeiuK52eTd9
-        omQDpP86RX/hIIQ+JyLSaWYa
-        -----END PRIVATE KEY-----`,
-          comment:
-            "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation"
-        }
-      },
-      {
-        path: "/nested1/nested2/folder",
-        secret: {
-          key: "secret-key-3",
-          value: `-----BEGIN PRIVATE KEY-----
-        MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCa6eeFk+cMVqFn
-        hoVQDYgn2Ptp5Azysr2UPq6P73pCL9BzUtOXKZROqDyGehzzfg3wE2KdYU1Jk5Uq
-        fP0ZOWDIlM2SaVCSI3FW32o5+ZiggjpqcVdLFc/PS0S/ZdSmpPd8h11iO2brtIAI
-        ugTW8fcKlGSNUwx9aFmE7A6JnTRliTxB1l6QaC+YAwTK39VgeVH2gDSWC407aS15
-        QobAkaBKKmFkzB5D7i2ZJwt+uXJV/rbLmyDmtnw0lubciGn7NX9wbYef180fisqT
-        aPNAz0nPKk0fFH2Wd5MZixNGbrrpDA+FCYvI5doThZyT2hpj08qWP07oXXCAqw46
-        IEupNSILAgMBAAECggEBAIJb5KzeaiZS3B3O8G4OBQ5rJB3WfyLYUHnoSWLsBbie
-        nc392/ovThLmtZAAQE6SO85Tsb93+t64Z2TKqv1H8G658UeMgfWIB78v4CcLJ2mi
-        TN/3opqXrzjkQOTDHzBgT7al/mpETHZ6fOdbCemK0fVALGFUioUZg4M8VXtuI4Jw
-        q28jAyoRKrCrzda4BeQ553NZ4G5RvwhX3O2I8B8upTbt5hLcisBKy8MPLYY5LUFj
-        YKAP+raf6QLliP6KYHuVxUlgzxjLTxVG41etcyqqZF+foyiKBO3PU3n8oh++tgQP
-        ExOxiR0JSkBG5b+oOBD0zxcvo3/SjBHn0dJOZCSU2SkCgYEAyCe676XnNyBZMRD7
-        6trsaoiCWBpA6M8H44+x3w4cQFtqV38RyLy60D+iMKjIaLqeBbnay61VMzo24Bz3
-        EuF2n4+9k/MetLJ0NCw8HmN5k0WSMD2BFsJWG8glVbzaqzehP4tIclwDTYc1jQVt
-        IoV2/iL7HGT+x2daUwbU5kN5hK0CgYEAxiLB+fmjxJW7VY4SHDLqPdpIW0q/kv4K
-        d/yZBrCX799vjmFb9vLh7PkQUfJhMJ/ttJOd7EtT3xh4mfkBeLfHwVU0d/ahbmSH
-        UJu/E9ZGxAW3PP0kxHZtPrLKQwBnfq8AxBauIhR3rPSorQTIOKtwz1jMlHFSUpuL
-        3KeK2YfDYJcCgYEAkQnJOlNcAuRb/WQzSHIvktssqK8NjiZHryy3Vc0hx7j2jES2
-        HGI2dSVHYD9OSiXA0KFm3OTTsnViwm/60iGzFdjRJV6tR39xGUVcoyCuPnvRfUd0
-        PYvBXgxgkYpyYlPDcwp5CvWGJy3tLi1acgOIwIuUr3S38sL//t4adGk8q1kCgYB8
-        Jbs1Tl53BvrimKpwUNbE+sjrquJu0A7vL68SqgQJoQ7dP9PH4Ff/i+/V6PFM7mib
-        BQOm02wyFbs7fvKVGVJoqWK+6CIucX732x7W5yRgHtS5ukQXdbzt1Ek3wkEW98Cb
-        HTruz7RNAt/NyXlLSODeit1lBbx3Vk9EaxZtRsv88QKBgGn7JwXgez9NOyobsNIo
-        QVO80rpUeenSjuFi+R0VmbLKe/wgAQbYJ0xTAsQ0btqViMzB27D6mJyC+KUIwWNX
-        MN8a+m46v4kqvZkKL2c4gmDibyURNe/vCtCHFuanJS/1mo2tr4XDyEeiuK52eTd9
-        omQDpP86RX/hIIQ+JyLSaWYa
-        -----END PRIVATE KEY-----`,
-          comment:
-            "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation"
-        }
-      },
-      {
-        path: "/nested1/nested2/folder",
-        secret: {
-          key: "secret-key-3",
-          value:
-            "TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2NpbmcgZWxpdC4gU2VkIGRvIGVpdXNtb2QgdGVtcG9yIGluY2lkaWR1bnQgdXQgbGFib3JlIGV0IGRvbG9yZSBtYWduYSBhbGlxdWEuIFV0IGVuaW0gYWQgbWluaW0gdmVuaWFtLCBxdWlzIG5vc3RydWQgZXhlcmNpdGF0aW9uCg==",
-          comment: ""
-        }
-      }
-    ];
-
-    beforeAll(async () => {
-      if (auth === AuthMode.JWT) {
-        authToken = jwtAuthToken;
-      } else if (auth === AuthMode.IDENTITY_ACCESS_TOKEN) {
-        const identityLogin = await testServer.inject({
-          method: "POST",
-          url: "/api/v1/auth/universal-auth/login",
-          body: {
-            clientSecret: seedData1.machineIdentity.clientCredentials.secret,
-            clientId: seedData1.machineIdentity.clientCredentials.id
-          }
-        });
-        expect(identityLogin.statusCode).toBe(200);
-        authToken = identityLogin.json().accessToken;
-      }
-      // create a deep folder
-      const folderCreate = await testServer.inject({
-        method: "POST",
-        url: `/api/v1/folders`,
-        headers: {
-          authorization: `Bearer ${jwtAuthToken}`
-        },
-        body: {
-          workspaceId: seedData1.projectV3.id,
-          environment: seedData1.environment.slug,
-          name: "folder",
-          path: "/nested1/nested2"
-        }
-      });
-      expect(folderCreate.statusCode).toBe(200);
-      folderId = folderCreate.json().folder.id;
-    });
-
-    afterAll(async () => {
-      const deleteFolder = await testServer.inject({
-        method: "DELETE",
-        url: `/api/v1/folders/${folderId}`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: {
-          workspaceId: seedData1.projectV3.id,
-          environment: seedData1.environment.slug,
-          path: "/nested1/nested2"
-        }
-      });
-      expect(deleteFolder.statusCode).toBe(200);
-    });
-
-    const getSecrets = async (environment: string, secretPath = "/") => {
-      const res = await testServer.inject({
-        method: "GET",
-        url: `/api/v3/secrets/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        query: {
-          secretPath,
-          environment,
-          workspaceId: seedData1.projectV3.id
-        }
-      });
-      const secrets: TRawSecret[] = JSON.parse(res.payload).secrets || [];
-      return secrets;
-    };
-
-    test.each(secretTestCases)("Create secret in path $path", async ({ secret, path }) => {
-      const createdSecret = await createSecret({ path, ...secret });
-      expect(createdSecret.secretKey).toEqual(secret.key);
-      expect(createdSecret.secretValue).toEqual(secret.value);
-      expect(createdSecret.secretComment || "").toEqual(secret.comment);
-      expect(createdSecret.version).toEqual(1);
-
-      const secrets = await getSecrets(seedData1.environment.slug, path);
-      expect(secrets).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            secretKey: secret.key,
-            secretValue: secret.value,
-            type: SecretType.Shared
-          })
-        ])
-      );
-      await deleteSecret({ path, key: secret.key });
-    });
-
-    test.each(secretTestCases)("Get secret by name in path $path", async ({ secret, path }) => {
-      await createSecret({ path, ...secret });
-
-      const getSecByNameRes = await testServer.inject({
-        method: "GET",
-        url: `/api/v3/secrets/raw/${secret.key}`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        query: {
-          secretPath: path,
-          workspaceId: seedData1.projectV3.id,
-          environment: seedData1.environment.slug
-        }
-      });
-      expect(getSecByNameRes.statusCode).toBe(200);
-      const getSecretByNamePayload = JSON.parse(getSecByNameRes.payload);
-      expect(getSecretByNamePayload).toHaveProperty("secret");
-      const decryptedSecret = getSecretByNamePayload.secret as TRawSecret;
-      expect(decryptedSecret.secretKey).toEqual(secret.key);
-      expect(decryptedSecret.secretValue).toEqual(secret.value);
-      expect(decryptedSecret.secretComment || "").toEqual(secret.comment);
-
-      await deleteSecret({ path, key: secret.key });
-    });
-
-    if (auth === AuthMode.JWT) {
-      test.each(secretTestCases)(
-        "Creating personal secret without shared throw error in path $path",
-        async ({ secret }) => {
-          const createSecretReqBody = {
-            workspaceId: seedData1.projectV3.id,
-            environment: seedData1.environment.slug,
-            type: SecretType.Personal,
-            secretKey: secret.key,
-            secretValue: secret.value,
-            secretComment: secret.comment
-          };
-          const createSecRes = await testServer.inject({
-            method: "POST",
-            url: `/api/v3/secrets/raw/SEC2`,
-            headers: {
-              authorization: `Bearer ${authToken}`
-            },
-            body: createSecretReqBody
-          });
-          const payload = JSON.parse(createSecRes.payload);
-          expect(createSecRes.statusCode).toBe(400);
-          expect(payload.error).toEqual("BadRequest");
-        }
-      );
-
-      test.each(secretTestCases)("Creating personal secret in path $path", async ({ secret, path }) => {
-        await createSecret({ path, ...secret });
-
-        const createSecretReqBody = {
-          workspaceId: seedData1.projectV3.id,
-          environment: seedData1.environment.slug,
-          type: SecretType.Personal,
-          secretPath: path,
-          secretKey: secret.key,
-          secretValue: "personal-value",
-          secretComment: secret.comment
-        };
-        const createSecRes = await testServer.inject({
-          method: "POST",
-          url: `/api/v3/secrets/raw/${secret.key}`,
-          headers: {
-            authorization: `Bearer ${authToken}`
-          },
-          body: createSecretReqBody
-        });
-        expect(createSecRes.statusCode).toBe(200);
-
-        // list secrets should contain personal one and shared one
-        const secrets = await getSecrets(seedData1.environment.slug, path);
-        expect(secrets).toEqual(
-          expect.arrayContaining([
-            expect.objectContaining({
-              secretKey: secret.key,
-              secretValue: secret.value,
-              type: SecretType.Shared
-            }),
-            expect.objectContaining({
-              secretKey: secret.key,
-              secretValue: "personal-value",
-              type: SecretType.Personal
-            })
-          ])
-        );
-
-        await deleteSecret({ path, key: secret.key });
-      });
-
-      test.each(secretTestCases)(
-        "Deleting personal one should not delete shared secret in path $path",
-        async ({ secret, path }) => {
-          await createSecret({ path, ...secret }); // shared one
-          await createSecret({ path, ...secret, type: SecretType.Personal });
-
-          // shared secret deletion should delete personal ones also
-          const secrets = await getSecrets(seedData1.environment.slug, path);
-          expect(secrets).toEqual(
-            expect.arrayContaining([
-              expect.objectContaining({
-                secretKey: secret.key,
-                type: SecretType.Shared
-              }),
-              expect.not.objectContaining({
-                secretKey: secret.key,
-                type: SecretType.Personal
-              })
-            ])
-          );
-          await deleteSecret({ path, key: secret.key });
-        }
-      );
-    }
-
-    test.each(secretTestCases)("Update secret in path $path", async ({ path, secret }) => {
-      await createSecret({ path, ...secret });
-      const updateSecretReqBody = {
-        workspaceId: seedData1.projectV3.id,
-        environment: seedData1.environment.slug,
-        type: SecretType.Shared,
-        secretPath: path,
-        secretKey: secret.key,
-        secretValue: "new-value",
-        secretComment: secret.comment
-      };
-      const updateSecRes = await testServer.inject({
-        method: "PATCH",
-        url: `/api/v3/secrets/raw/${secret.key}`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: updateSecretReqBody
-      });
-      expect(updateSecRes.statusCode).toBe(200);
-      const updatedSecretPayload = JSON.parse(updateSecRes.payload);
-      expect(updatedSecretPayload).toHaveProperty("secret");
-      const decryptedSecret = updatedSecretPayload.secret;
-      expect(decryptedSecret.secretKey).toEqual(secret.key);
-      expect(decryptedSecret.secretValue).toEqual("new-value");
-      expect(decryptedSecret.secretComment || "").toEqual(secret.comment);
-
-      // list secret should have updated value
-      const secrets = await getSecrets(seedData1.environment.slug, path);
-      expect(secrets).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            secretKey: secret.key,
-            secretValue: "new-value",
-            type: SecretType.Shared
-          })
-        ])
-      );
-
-      await deleteSecret({ path, key: secret.key });
-    });
-
-    test.each(secretTestCases)("Delete secret in path $path", async ({ secret, path }) => {
-      await createSecret({ path, ...secret });
-      const deletedSecret = await deleteSecret({ path, key: secret.key });
-      expect(deletedSecret.secretKey).toEqual(secret.key);
-
-      // shared secret deletion should delete personal ones also
-      const secrets = await getSecrets(seedData1.environment.slug, path);
-      expect(secrets).toEqual(
-        expect.not.arrayContaining([
-          expect.objectContaining({
-            secretKey: secret.key,
-            type: SecretType.Shared
-          }),
-          expect.objectContaining({
-            secretKey: secret.key,
-            type: SecretType.Personal
-          })
-        ])
-      );
-    });
-
-    test.each(secretTestCases)("Bulk create secrets in path $path", async ({ secret, path }) => {
-      const createSharedSecRes = await testServer.inject({
-        method: "POST",
-        url: `/api/v3/secrets/batch/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: {
-          workspaceId: seedData1.projectV3.id,
-          environment: seedData1.environment.slug,
-          secretPath: path,
-          secrets: Array.from(Array(5)).map((_e, i) => ({
-            secretKey: `BULK-${secret.key}-${i + 1}`,
-            secretValue: secret.value,
-            secretComment: secret.comment
-          }))
-        }
-      });
-      expect(createSharedSecRes.statusCode).toBe(200);
-      const createSharedSecPayload = JSON.parse(createSharedSecRes.payload);
-      expect(createSharedSecPayload).toHaveProperty("secrets");
-
-      // bulk ones should exist
-      const secrets = await getSecrets(seedData1.environment.slug, path);
-      expect(secrets).toEqual(
-        expect.arrayContaining(
-          Array.from(Array(5)).map((_e, i) =>
-            expect.objectContaining({
-              secretKey: `BULK-${secret.key}-${i + 1}`,
-              secretValue: secret.value,
-              type: SecretType.Shared
-            })
-          )
-        )
-      );
-
-      await Promise.all(
-        Array.from(Array(5)).map((_e, i) => deleteSecret({ path, key: `BULK-${secret.key}-${i + 1}` }))
-      );
-    });
-
-    test.each(secretTestCases)("Bulk create fail on existing secret in path $path", async ({ secret, path }) => {
-      await createSecret({ ...secret, key: `BULK-${secret.key}-1`, path });
-
-      const createSharedSecRes = await testServer.inject({
-        method: "POST",
-        url: `/api/v3/secrets/batch/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: {
-          workspaceId: seedData1.projectV3.id,
-          environment: seedData1.environment.slug,
-          secretPath: path,
-          secrets: Array.from(Array(5)).map((_e, i) => ({
-            secretKey: `BULK-${secret.key}-${i + 1}`,
-            secretValue: secret.value,
-            secretComment: secret.comment
-          }))
-        }
-      });
-      expect(createSharedSecRes.statusCode).toBe(400);
-
-      await deleteSecret({ path, key: `BULK-${secret.key}-1` });
-    });
-
-    test.each(secretTestCases)("Bulk update secrets in path $path", async ({ secret, path }) => {
-      await Promise.all(
-        Array.from(Array(5)).map((_e, i) => createSecret({ ...secret, key: `BULK-${secret.key}-${i + 1}`, path }))
-      );
-
-      const updateSharedSecRes = await testServer.inject({
-        method: "PATCH",
-        url: `/api/v3/secrets/batch/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: {
-          workspaceId: seedData1.projectV3.id,
-          environment: seedData1.environment.slug,
-          secretPath: path,
-          secrets: Array.from(Array(5)).map((_e, i) => ({
-            secretKey: `BULK-${secret.key}-${i + 1}`,
-            secretValue: "update-value",
-            secretComment: secret.comment
-          }))
-        }
-      });
-      expect(updateSharedSecRes.statusCode).toBe(200);
-      const updateSharedSecPayload = JSON.parse(updateSharedSecRes.payload);
-      expect(updateSharedSecPayload).toHaveProperty("secrets");
-
-      // bulk ones should exist
-      const secrets = await getSecrets(seedData1.environment.slug, path);
-      expect(secrets).toEqual(
-        expect.arrayContaining(
-          Array.from(Array(5)).map((_e, i) =>
-            expect.objectContaining({
-              secretKey: `BULK-${secret.key}-${i + 1}`,
-              secretValue: "update-value",
-              type: SecretType.Shared
-            })
-          )
-        )
-      );
-      await Promise.all(
-        Array.from(Array(5)).map((_e, i) => deleteSecret({ path, key: `BULK-${secret.key}-${i + 1}` }))
-      );
-    });
-
-    test.each(secretTestCases)("Bulk delete secrets in path $path", async ({ secret, path }) => {
-      await Promise.all(
-        Array.from(Array(5)).map((_e, i) => createSecret({ ...secret, key: `BULK-${secret.key}-${i + 1}`, path }))
-      );
-
-      const deletedSharedSecRes = await testServer.inject({
-        method: "DELETE",
-        url: `/api/v3/secrets/batch/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: {
-          workspaceId: seedData1.projectV3.id,
-          environment: seedData1.environment.slug,
-          secretPath: path,
-          secrets: Array.from(Array(5)).map((_e, i) => ({
-            secretKey: `BULK-${secret.key}-${i + 1}`
-          }))
-        }
-      });
-
-      expect(deletedSharedSecRes.statusCode).toBe(200);
-      const deletedSecretPayload = JSON.parse(deletedSharedSecRes.payload);
-      expect(deletedSecretPayload).toHaveProperty("secrets");
-
-      // bulk ones should exist
-      const secrets = await getSecrets(seedData1.environment.slug, path);
-      expect(secrets).toEqual(
-        expect.not.arrayContaining(
-          Array.from(Array(5)).map((_e, i) =>
-            expect.objectContaining({
-              secretKey: `BULK-${secret.value}-${i + 1}`,
-              type: SecretType.Shared
-            })
-          )
-        )
-      );
-    });
-  }
-);

backend/package-lock.json

@@ -25,7 +25,6 @@
         "@fastify/swagger": "^8.14.0",
         "@fastify/swagger-ui": "^2.1.0",
         "@node-saml/passport-saml": "^4.0.4",
-        "@octokit/plugin-retry": "^5.0.5",
         "@octokit/rest": "^20.0.2",
         "@octokit/webhooks-types": "^7.3.1",
         "@peculiar/asn1-schema": "^2.3.8",
@@ -7813,45 +7812,19 @@
       }
     },
     "node_modules/@octokit/plugin-retry": {
-      "version": "5.0.5",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-retry/-/plugin-retry-5.0.5.tgz",
-      "integrity": "sha512-sB1RWMhSrre02Atv95K6bhESlJ/sPdZkK/wE/w1IdSCe0yM6FxSjksLa6T7aAvxvxlLKzQEC4KIiqpqyov1Tbg==",
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-retry/-/plugin-retry-6.0.1.tgz",
+      "integrity": "sha512-SKs+Tz9oj0g4p28qkZwl/topGcb0k0qPNX/i7vBKmDsjoeqnVfFUquqrE/O9oJY7+oLzdCtkiWSXLpLjvl6uog==",
       "dependencies": {
-        "@octokit/request-error": "^4.0.1",
-        "@octokit/types": "^10.0.0",
+        "@octokit/request-error": "^5.0.0",
+        "@octokit/types": "^12.0.0",
         "bottleneck": "^2.15.3"
       },
       "engines": {
         "node": ">= 18"
       },
       "peerDependencies": {
-        "@octokit/core": ">=3"
-      }
-    },
-    "node_modules/@octokit/plugin-retry/node_modules/@octokit/openapi-types": {
-      "version": "18.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-18.1.1.tgz",
-      "integrity": "sha512-VRaeH8nCDtF5aXWnjPuEMIYf1itK/s3JYyJcWFJT8X9pSNnBtriDf7wlEWsGuhPLl4QIH4xM8fqTXDwJ3Mu6sw=="
-    },
-    "node_modules/@octokit/plugin-retry/node_modules/@octokit/request-error": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-4.0.2.tgz",
-      "integrity": "sha512-uqwUEmZw3x4I9DGYq9fODVAAvcLsPQv97NRycP6syEFu5916M189VnNBW2zANNwqg3OiligNcAey7P0SET843w==",
-      "dependencies": {
-        "@octokit/types": "^10.0.0",
-        "deprecation": "^2.0.0",
-        "once": "^1.4.0"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
-    "node_modules/@octokit/plugin-retry/node_modules/@octokit/types": {
-      "version": "10.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-10.0.0.tgz",
-      "integrity": "sha512-Vm8IddVmhCgU1fxC1eyinpwqzXPEYu0NrYzD3YZjlGjyftdLBTeqNblRC0jmJmgxbJIsQlyogVeGnrNaaMVzIg==",
-      "dependencies": {
-        "@octokit/openapi-types": "^18.0.0"
+        "@octokit/core": ">=5"
       }
     },
     "node_modules/@octokit/plugin-throttling": {
@@ -17423,22 +17396,6 @@
         "node": ">=18"
       }
     },
-    "node_modules/probot/node_modules/@octokit/plugin-retry": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-retry/-/plugin-retry-6.0.1.tgz",
-      "integrity": "sha512-SKs+Tz9oj0g4p28qkZwl/topGcb0k0qPNX/i7vBKmDsjoeqnVfFUquqrE/O9oJY7+oLzdCtkiWSXLpLjvl6uog==",
-      "dependencies": {
-        "@octokit/request-error": "^5.0.0",
-        "@octokit/types": "^12.0.0",
-        "bottleneck": "^2.15.3"
-      },
-      "engines": {
-        "node": ">= 18"
-      },
-      "peerDependencies": {
-        "@octokit/core": ">=5"
-      }
-    },
     "node_modules/probot/node_modules/commander": {
       "version": "11.1.0",
       "resolved": "https://registry.npmjs.org/commander/-/commander-11.1.0.tgz",

backend/package.json

@@ -40,8 +40,8 @@
     "type:check": "tsc --noEmit",
     "lint:fix": "eslint --fix --ext js,ts ./src",
     "lint": "eslint 'src/**/*.ts'",
-    "test:e2e": "vitest run -c vitest.e2e.config.ts --bail=1",
-    "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
+    "test:e2e": "vitest run -c vitest.e2e.config.ts",
+    "test:e2e-watch": "vitest -c vitest.e2e.config.ts",
     "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
     "generate:component": "tsx ./scripts/create-backend-file.ts",
     "generate:schema": "tsx ./scripts/generate-schema-types.ts",
@@ -121,7 +121,6 @@
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
     "@node-saml/passport-saml": "^4.0.4",
-    "@octokit/plugin-retry": "^5.0.5",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",
     "@peculiar/asn1-schema": "^2.3.8",

backend/src/@types/fastify.d.ts

@@ -18,7 +18,6 @@ import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-ser
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
 import { TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-service";
-import { RateLimitConfiguration } from "@app/ee/services/rate-limit/rate-limit-types";
 import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
 import { TScimServiceFactory } from "@app/ee/services/scim/scim-service";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
@@ -51,7 +50,6 @@ import { TIntegrationServiceFactory } from "@app/services/integration/integratio
 import { TIntegrationAuthServiceFactory } from "@app/services/integration-auth/integration-auth-service";
 import { TOrgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { TOrgServiceFactory } from "@app/services/org/org-service";
-import { TOrgAdminServiceFactory } from "@app/services/org-admin/org-admin-service";
 import { TProjectServiceFactory } from "@app/services/project/project-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
@@ -90,7 +88,6 @@ declare module "fastify" {
       id: string;
       orgId: string;
     };
-    rateLimits: RateLimitConfiguration;
     // passport data
     passportUser: {
       isUserCompleted: string;
@@ -168,7 +165,6 @@ declare module "fastify" {
       rateLimit: TRateLimitServiceFactory;
       userEngagement: TUserEngagementServiceFactory;
       externalKms: TExternalKmsServiceFactory;
-      orgAdmin: TOrgAdminServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -204,9 +204,6 @@ import {
   TSecretApprovalRequestSecretTags,
   TSecretApprovalRequestSecretTagsInsert,
   TSecretApprovalRequestSecretTagsUpdate,
-  TSecretApprovalRequestSecretTagsV2,
-  TSecretApprovalRequestSecretTagsV2Insert,
-  TSecretApprovalRequestSecretTagsV2Update,
   TSecretApprovalRequestsInsert,
   TSecretApprovalRequestsReviewers,
   TSecretApprovalRequestsReviewersInsert,
@@ -214,9 +211,6 @@ import {
   TSecretApprovalRequestsSecrets,
   TSecretApprovalRequestsSecretsInsert,
   TSecretApprovalRequestsSecretsUpdate,
-  TSecretApprovalRequestsSecretsV2,
-  TSecretApprovalRequestsSecretsV2Insert,
-  TSecretApprovalRequestsSecretsV2Update,
   TSecretApprovalRequestsUpdate,
   TSecretBlindIndexes,
   TSecretBlindIndexesInsert,
@@ -233,15 +227,9 @@ import {
   TSecretReferences,
   TSecretReferencesInsert,
   TSecretReferencesUpdate,
-  TSecretReferencesV2,
-  TSecretReferencesV2Insert,
-  TSecretReferencesV2Update,
   TSecretRotationOutputs,
   TSecretRotationOutputsInsert,
   TSecretRotationOutputsUpdate,
-  TSecretRotationOutputV2,
-  TSecretRotationOutputV2Insert,
-  TSecretRotationOutputV2Update,
   TSecretRotations,
   TSecretRotationsInsert,
   TSecretRotationsUpdate,
@@ -260,9 +248,6 @@ import {
   TSecretSnapshotSecrets,
   TSecretSnapshotSecretsInsert,
   TSecretSnapshotSecretsUpdate,
-  TSecretSnapshotSecretsV2,
-  TSecretSnapshotSecretsV2Insert,
-  TSecretSnapshotSecretsV2Update,
   TSecretSnapshotsInsert,
   TSecretSnapshotsUpdate,
   TSecretsUpdate,
@@ -278,9 +263,6 @@ import {
   TSecretVersionTagJunction,
   TSecretVersionTagJunctionInsert,
   TSecretVersionTagJunctionUpdate,
-  TSecretVersionV2TagJunction,
-  TSecretVersionV2TagJunctionInsert,
-  TSecretVersionV2TagJunctionUpdate,
   TServiceTokens,
   TServiceTokensInsert,
   TServiceTokensUpdate,
@@ -309,17 +291,6 @@ import {
   TWebhooksInsert,
   TWebhooksUpdate
 } from "@app/db/schemas";
-import {
-  TSecretV2TagJunction,
-  TSecretV2TagJunctionInsert,
-  TSecretV2TagJunctionUpdate
-} from "@app/db/schemas/secret-v2-tag-junction";
-import {
-  TSecretVersionsV2,
-  TSecretVersionsV2Insert,
-  TSecretVersionsV2Update
-} from "@app/db/schemas/secret-versions-v2";
-import { TSecretsV2, TSecretsV2Insert, TSecretsV2Update } from "@app/db/schemas/secrets-v2";
 
 declare module "knex" {
   namespace Knex {
@@ -674,23 +645,7 @@ declare module "knex/types/tables" {
       TSecretScanningGitRisksUpdate
     >;
     [TableName.TrustedIps]: KnexOriginal.CompositeTableType<TTrustedIps, TTrustedIpsInsert, TTrustedIpsUpdate>;
-    [TableName.SecretV2]: KnexOriginal.CompositeTableType<TSecretsV2, TSecretsV2Insert, TSecretsV2Update>;
-    [TableName.SecretVersionV2]: KnexOriginal.CompositeTableType<
-      TSecretVersionsV2,
-      TSecretVersionsV2Insert,
-      TSecretVersionsV2Update
-    >;
-    [TableName.SecretReferenceV2]: KnexOriginal.CompositeTableType<
-      TSecretReferencesV2,
-      TSecretReferencesV2Insert,
-      TSecretReferencesV2Update
-    >;
     // Junction tables
-    [TableName.SecretV2JnTag]: KnexOriginal.CompositeTableType<
-      TSecretV2TagJunction,
-      TSecretV2TagJunctionInsert,
-      TSecretV2TagJunctionUpdate
-    >;
     [TableName.JnSecretTag]: KnexOriginal.CompositeTableType<
       TSecretTagJunction,
       TSecretTagJunctionInsert,
@@ -701,31 +656,6 @@ declare module "knex/types/tables" {
       TSecretVersionTagJunctionInsert,
       TSecretVersionTagJunctionUpdate
     >;
-    [TableName.SecretVersionV2Tag]: KnexOriginal.CompositeTableType<
-      TSecretVersionV2TagJunction,
-      TSecretVersionV2TagJunctionInsert,
-      TSecretVersionV2TagJunctionUpdate
-    >;
-    [TableName.SnapshotSecretV2]: KnexOriginal.CompositeTableType<
-      TSecretSnapshotSecretsV2,
-      TSecretSnapshotSecretsV2Insert,
-      TSecretSnapshotSecretsV2Update
-    >;
-    [TableName.SecretApprovalRequestSecretV2]: KnexOriginal.CompositeTableType<
-      TSecretApprovalRequestsSecretsV2,
-      TSecretApprovalRequestsSecretsV2Insert,
-      TSecretApprovalRequestsSecretsV2Update
-    >;
-    [TableName.SecretApprovalRequestSecretTagV2]: KnexOriginal.CompositeTableType<
-      TSecretApprovalRequestSecretTagsV2,
-      TSecretApprovalRequestSecretTagsV2Insert,
-      TSecretApprovalRequestSecretTagsV2Update
-    >;
-    [TableName.SecretRotationOutputV2]: KnexOriginal.CompositeTableType<
-      TSecretRotationOutputV2,
-      TSecretRotationOutputV2Insert,
-      TSecretRotationOutputV2Update
-    >;
     // KMS service
     [TableName.KmsServerRootConfig]: KnexOriginal.CompositeTableType<
       TKmsRootConfig,

backend/src/db/migrations/20240717184929_add-enforcement-level-secrets-policies.ts

@@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { EnforcementLevel } from "@app/lib/types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "enforcementLevel");
-  if (!hasColumn) {
-    await knex.schema.table(TableName.SecretApprovalPolicy, (table) => {
-      table.string("enforcementLevel", 10).notNullable().defaultTo(EnforcementLevel.Hard);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "enforcementLevel");
-  if (hasColumn) {
-    await knex.schema.table(TableName.SecretApprovalPolicy, (table) => {
-      table.dropColumn("enforcementLevel");
-    });
-  }
-}

backend/src/db/migrations/20240717194958_add-enforcement-level-access-policies.ts

@@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { EnforcementLevel } from "@app/lib/types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "enforcementLevel");
-  if (!hasColumn) {
-    await knex.schema.table(TableName.AccessApprovalPolicy, (table) => {
-      table.string("enforcementLevel", 10).notNullable().defaultTo(EnforcementLevel.Hard);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "enforcementLevel");
-  if (hasColumn) {
-    await knex.schema.table(TableName.AccessApprovalPolicy, (table) => {
-      table.dropColumn("enforcementLevel");
-    });
-  }
-}

backend/src/db/migrations/20240718170955_add-access-secret-sharing.ts

@@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { SecretSharingAccessType } from "@app/lib/types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SecretSharing, "accessType");
-  if (!hasColumn) {
-    await knex.schema.table(TableName.SecretSharing, (table) => {
-      table.string("accessType").notNullable().defaultTo(SecretSharingAccessType.Anyone);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SecretSharing, "accessType");
-  if (hasColumn) {
-    await knex.schema.table(TableName.SecretSharing, (table) => {
-      table.dropColumn("accessType");
-    });
-  }
-}

backend/src/db/migrations/20240719182539_add-bypass-reason-secret-approval-requets.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "bypassReason");
-  if (!hasColumn) {
-    await knex.schema.table(TableName.SecretApprovalRequest, (table) => {
-      table.string("bypassReason").nullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "bypassReason");
-  if (hasColumn) {
-    await knex.schema.table(TableName.SecretApprovalRequest, (table) => {
-      table.dropColumn("bypassReason");
-    });
-  }
-}

backend/src/db/migrations/20240728010334_secret-sharing-name.ts

@@ -1,39 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const doesNameExist = await knex.schema.hasColumn(TableName.SecretSharing, "name");
-    if (!doesNameExist) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        t.string("name").nullable();
-      });
-    }
-
-    const doesLastViewedAtExist = await knex.schema.hasColumn(TableName.SecretSharing, "lastViewedAt");
-    if (!doesLastViewedAtExist) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        t.timestamp("lastViewedAt").nullable();
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const doesNameExist = await knex.schema.hasColumn(TableName.SecretSharing, "name");
-    if (doesNameExist) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        t.dropColumn("name");
-      });
-    }
-
-    const doesLastViewedAtExist = await knex.schema.hasColumn(TableName.SecretSharing, "lastViewedAt");
-    if (doesLastViewedAtExist) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        t.dropColumn("lastViewedAt");
-      });
-    }
-  }
-}

backend/src/db/migrations/20240730181850_secret-v2.ts

@@ -1,181 +0,0 @@
-/* eslint-disable @typescript-eslint/ban-ts-comment */
-import { Knex } from "knex";
-
-import { SecretType, TableName } from "../schemas";
-import { createJunctionTable, createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesSecretV2TableExist = await knex.schema.hasTable(TableName.SecretV2);
-  if (!doesSecretV2TableExist) {
-    await knex.schema.createTable(TableName.SecretV2, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("version").defaultTo(1).notNullable();
-      t.string("type").notNullable().defaultTo(SecretType.Shared);
-      t.string("key", 500).notNullable();
-      t.binary("encryptedValue");
-      t.binary("encryptedComment");
-      t.string("reminderNote");
-      t.integer("reminderRepeatDays");
-      t.boolean("skipMultilineEncoding").defaultTo(false);
-      t.jsonb("metadata");
-      t.uuid("userId");
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.uuid("folderId").notNullable();
-      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-      t.index(["folderId", "userId"]);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretV2);
-
-  // many to many relation between tags
-  await createJunctionTable(knex, TableName.SecretV2JnTag, TableName.SecretV2, TableName.SecretTag);
-
-  const doesSecretV2VersionTableExist = await knex.schema.hasTable(TableName.SecretVersionV2);
-  if (!doesSecretV2VersionTableExist) {
-    await knex.schema.createTable(TableName.SecretVersionV2, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("version").defaultTo(1).notNullable();
-      t.string("type").notNullable().defaultTo(SecretType.Shared);
-      t.string("key", 500).notNullable();
-      t.binary("encryptedValue");
-      t.binary("encryptedComment");
-      t.string("reminderNote");
-      t.integer("reminderRepeatDays");
-      t.boolean("skipMultilineEncoding").defaultTo(false);
-      t.jsonb("metadata");
-      // to avoid orphan rows
-      t.uuid("envId");
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.uuid("secretId").notNullable();
-      t.uuid("folderId").notNullable();
-      t.uuid("userId");
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretVersionV2);
-
-  if (!(await knex.schema.hasTable(TableName.SecretReferenceV2))) {
-    await knex.schema.createTable(TableName.SecretReferenceV2, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("environment").notNullable();
-      t.string("secretPath").notNullable();
-      t.string("secretKey", 500).notNullable();
-      t.uuid("secretId").notNullable();
-      t.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
-    });
-  }
-
-  await createJunctionTable(knex, TableName.SecretVersionV2Tag, TableName.SecretVersionV2, TableName.SecretTag);
-
-  if (!(await knex.schema.hasTable(TableName.SecretApprovalRequestSecretV2))) {
-    await knex.schema.createTable(TableName.SecretApprovalRequestSecretV2, (t) => {
-      // everything related  to secret
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("version").defaultTo(1);
-      t.string("key", 500).notNullable();
-      t.binary("encryptedValue");
-      t.binary("encryptedComment");
-      t.string("reminderNote");
-      t.integer("reminderRepeatDays");
-      t.boolean("skipMultilineEncoding").defaultTo(false);
-      t.jsonb("metadata");
-      t.timestamps(true, true, true);
-      // commit details
-      t.uuid("requestId").notNullable();
-      t.foreign("requestId").references("id").inTable(TableName.SecretApprovalRequest).onDelete("CASCADE");
-      t.string("op").notNullable();
-      t.uuid("secretId");
-      t.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("SET NULL");
-      t.uuid("secretVersion");
-      t.foreign("secretVersion").references("id").inTable(TableName.SecretVersionV2).onDelete("SET NULL");
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SecretApprovalRequestSecretTagV2))) {
-    await knex.schema.createTable(TableName.SecretApprovalRequestSecretTagV2, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("secretId").notNullable();
-      t.foreign("secretId").references("id").inTable(TableName.SecretApprovalRequestSecretV2).onDelete("CASCADE");
-      t.uuid("tagId").notNullable();
-      t.foreign("tagId").references("id").inTable(TableName.SecretTag).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SnapshotSecretV2))) {
-    await knex.schema.createTable(TableName.SnapshotSecretV2, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("envId").index().notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      // not a relation kept like that to keep it when rolled back
-      t.uuid("secretVersionId").index().notNullable();
-      t.foreign("secretVersionId").references("id").inTable(TableName.SecretVersionV2).onDelete("CASCADE");
-      t.uuid("snapshotId").index().notNullable();
-      t.foreign("snapshotId").references("id").inTable(TableName.Snapshot).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  if (await knex.schema.hasTable(TableName.IntegrationAuth)) {
-    const hasEncryptedAccess = await knex.schema.hasColumn(TableName.IntegrationAuth, "encryptedAccess");
-    const hasEncryptedAccessId = await knex.schema.hasColumn(TableName.IntegrationAuth, "encryptedAccessId");
-    const hasEncryptedRefresh = await knex.schema.hasColumn(TableName.IntegrationAuth, "encryptedRefresh");
-    const hasEncryptedAwsIamAssumRole = await knex.schema.hasColumn(
-      TableName.IntegrationAuth,
-      "encryptedAwsAssumeIamRoleArn"
-    );
-    await knex.schema.alterTable(TableName.IntegrationAuth, (t) => {
-      if (!hasEncryptedAccess) t.binary("encryptedAccess");
-      if (!hasEncryptedAccessId) t.binary("encryptedAccessId");
-      if (!hasEncryptedRefresh) t.binary("encryptedRefresh");
-      if (!hasEncryptedAwsIamAssumRole) t.binary("encryptedAwsAssumeIamRoleArn");
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SecretRotationOutputV2))) {
-    await knex.schema.createTable(TableName.SecretRotationOutputV2, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("key").notNullable();
-      t.uuid("secretId").notNullable();
-      t.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
-      t.uuid("rotationId").notNullable();
-      t.foreign("rotationId").references("id").inTable(TableName.SecretRotation).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SnapshotSecretV2);
-  await knex.schema.dropTableIfExists(TableName.SecretApprovalRequestSecretTagV2);
-  await knex.schema.dropTableIfExists(TableName.SecretApprovalRequestSecretV2);
-
-  await knex.schema.dropTableIfExists(TableName.SecretV2JnTag);
-  await knex.schema.dropTableIfExists(TableName.SecretReferenceV2);
-
-  await knex.schema.dropTableIfExists(TableName.SecretRotationOutputV2);
-
-  await dropOnUpdateTrigger(knex, TableName.SecretVersionV2);
-  await knex.schema.dropTableIfExists(TableName.SecretVersionV2Tag);
-  await knex.schema.dropTableIfExists(TableName.SecretVersionV2);
-
-  await dropOnUpdateTrigger(knex, TableName.SecretV2);
-  await knex.schema.dropTableIfExists(TableName.SecretV2);
-
-  if (await knex.schema.hasTable(TableName.IntegrationAuth)) {
-    const hasEncryptedAccess = await knex.schema.hasColumn(TableName.IntegrationAuth, "encryptedAccess");
-    const hasEncryptedAccessId = await knex.schema.hasColumn(TableName.IntegrationAuth, "encryptedAccessId");
-    const hasEncryptedRefresh = await knex.schema.hasColumn(TableName.IntegrationAuth, "encryptedRefresh");
-    const hasEncryptedAwsIamAssumRole = await knex.schema.hasColumn(
-      TableName.IntegrationAuth,
-      "encryptedAwsAssumeIamRoleArn"
-    );
-    await knex.schema.alterTable(TableName.IntegrationAuth, (t) => {
-      if (hasEncryptedAccess) t.dropColumn("encryptedAccess");
-      if (hasEncryptedAccessId) t.dropColumn("encryptedAccessId");
-      if (hasEncryptedRefresh) t.dropColumn("encryptedRefresh");
-      if (hasEncryptedAwsIamAssumRole) t.dropColumn("encryptedAwsAssumeIamRoleArn");
-    });
-  }
-}

backend/src/db/migrations/20240806113425_remove-creation-limit-rate-limit.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCreationLimitCol = await knex.schema.hasColumn(TableName.RateLimit, "creationLimit");
-  await knex.schema.alterTable(TableName.RateLimit, (t) => {
-    if (hasCreationLimitCol) {
-      t.dropColumn("creationLimit");
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCreationLimitCol = await knex.schema.hasColumn(TableName.RateLimit, "creationLimit");
-  await knex.schema.alterTable(TableName.RateLimit, (t) => {
-    if (!hasCreationLimitCol) {
-      t.integer("creationLimit").defaultTo(30).notNullable();
-    }
-  });
-}

backend/src/db/migrations/utils/kms.ts

@@ -1,105 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-import { randomSecureBytes } from "@app/lib/crypto";
-import { symmetricCipherService, SymmetricEncryption } from "@app/lib/crypto/cipher";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-const getInstanceRootKey = async (knex: Knex) => {
-  const encryptionKey = process.env.ENCRYPTION_KEY || process.env.ROOT_ENCRYPTION_KEY;
-  // if root key its base64 encoded
-  const isBase64 = !process.env.ENCRYPTION_KEY;
-  if (!encryptionKey) throw new Error("ENCRYPTION_KEY variable needed for migration");
-  const encryptionKeyBuffer = Buffer.from(encryptionKey, isBase64 ? "base64" : "utf8");
-
-  const KMS_ROOT_CONFIG_UUID = "00000000-0000-0000-0000-000000000000";
-  const kmsRootConfig = await knex(TableName.KmsServerRootConfig).where({ id: KMS_ROOT_CONFIG_UUID }).first();
-  const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-  if (kmsRootConfig) {
-    const decryptedRootKey = cipher.decrypt(kmsRootConfig.encryptedRootKey, encryptionKeyBuffer);
-    // set the flag so that other instancen nodes can start
-    return decryptedRootKey;
-  }
-
-  const newRootKey = randomSecureBytes(32);
-  const encryptedRootKey = cipher.encrypt(newRootKey, encryptionKeyBuffer);
-  await knex(TableName.KmsServerRootConfig).insert({
-    encryptedRootKey,
-    // eslint-disable-next-line
-    // @ts-ignore id is kept as fixed for idempotence and to avoid race condition
-    id: KMS_ROOT_CONFIG_UUID
-  });
-  return encryptedRootKey;
-};
-
-export const getSecretManagerDataKey = async (knex: Knex, projectId: string) => {
-  const KMS_VERSION = "v01";
-  const KMS_VERSION_BLOB_LENGTH = 3;
-  const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-  const project = await knex(TableName.Project).where({ id: projectId }).first();
-  if (!project) throw new Error("Missing project id");
-
-  const ROOT_ENCRYPTION_KEY = await getInstanceRootKey(knex);
-
-  let secretManagerKmsKey;
-  const projectSecretManagerKmsId = project?.kmsSecretManagerKeyId;
-  if (projectSecretManagerKmsId) {
-    const kmsDoc = await knex(TableName.KmsKey)
-      .leftJoin(TableName.InternalKms, `${TableName.KmsKey}.id`, `${TableName.InternalKms}.kmsKeyId`)
-      .where({ [`${TableName.KmsKey}.id` as "id"]: projectSecretManagerKmsId })
-      .first();
-    if (!kmsDoc) throw new Error("missing kms");
-    secretManagerKmsKey = cipher.decrypt(kmsDoc.encryptedKey, ROOT_ENCRYPTION_KEY);
-  } else {
-    const [kmsDoc] = await knex(TableName.KmsKey)
-      .insert({
-        slug: slugify(alphaNumericNanoId(8).toLowerCase()),
-        orgId: project.orgId,
-        isReserved: false
-      })
-      .returning("*");
-
-    secretManagerKmsKey = randomSecureBytes(32);
-    const encryptedKeyMaterial = cipher.encrypt(secretManagerKmsKey, ROOT_ENCRYPTION_KEY);
-    await knex(TableName.InternalKms).insert({
-      version: 1,
-      encryptedKey: encryptedKeyMaterial,
-      encryptionAlgorithm: SymmetricEncryption.AES_GCM_256,
-      kmsKeyId: kmsDoc.id
-    });
-  }
-
-  const encryptedSecretManagerDataKey = project?.kmsSecretManagerEncryptedDataKey;
-  let dataKey: Buffer;
-  if (!encryptedSecretManagerDataKey) {
-    dataKey = randomSecureBytes();
-    // the below versioning we do it automatically in kms service
-    const unversionedDataKey = cipher.encrypt(dataKey, secretManagerKmsKey);
-    const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
-    await knex(TableName.Project)
-      .where({ id: projectId })
-      .update({
-        kmsSecretManagerEncryptedDataKey: Buffer.concat([unversionedDataKey, versionBlob])
-      });
-  } else {
-    const cipherTextBlob = encryptedSecretManagerDataKey.subarray(0, -KMS_VERSION_BLOB_LENGTH);
-    dataKey = cipher.decrypt(cipherTextBlob, secretManagerKmsKey);
-  }
-
-  return {
-    encryptor: ({ plainText }: { plainText: Buffer }) => {
-      const encryptedPlainTextBlob = cipher.encrypt(plainText, dataKey);
-
-      // Buffer#1 encrypted text + Buffer#2 version number
-      const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
-      const cipherTextBlob = Buffer.concat([encryptedPlainTextBlob, versionBlob]);
-      return { cipherTextBlob };
-    },
-    decryptor: ({ cipherTextBlob: versionedCipherTextBlob }: { cipherTextBlob: Buffer }) => {
-      const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
-      const decryptedBlob = cipher.decrypt(cipherTextBlob, dataKey);
-      return decryptedBlob;
-    }
-  };
-};

backend/src/db/schemas/access-approval-policies.ts

@@ -14,8 +14,7 @@ export const AccessApprovalPoliciesSchema = z.object({
   secretPath: z.string().nullable().optional(),
   envId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  enforcementLevel: z.string().default("hard")
+  updatedAt: z.date()
 });
 
 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;

backend/src/db/schemas/index.ts

@@ -66,35 +66,26 @@ export * from "./scim-tokens";
 export * from "./secret-approval-policies";
 export * from "./secret-approval-policies-approvers";
 export * from "./secret-approval-request-secret-tags";
-export * from "./secret-approval-request-secret-tags-v2";
 export * from "./secret-approval-requests";
 export * from "./secret-approval-requests-reviewers";
 export * from "./secret-approval-requests-secrets";
-export * from "./secret-approval-requests-secrets-v2";
 export * from "./secret-blind-indexes";
 export * from "./secret-folder-versions";
 export * from "./secret-folders";
 export * from "./secret-imports";
 export * from "./secret-references";
-export * from "./secret-references-v2";
-export * from "./secret-rotation-output-v2";
 export * from "./secret-rotation-outputs";
 export * from "./secret-rotations";
 export * from "./secret-scanning-git-risks";
 export * from "./secret-sharing";
 export * from "./secret-snapshot-folders";
 export * from "./secret-snapshot-secrets";
-export * from "./secret-snapshot-secrets-v2";
 export * from "./secret-snapshots";
 export * from "./secret-tag-junction";
 export * from "./secret-tags";
-export * from "./secret-v2-tag-junction";
 export * from "./secret-version-tag-junction";
-export * from "./secret-version-v2-tag-junction";
 export * from "./secret-versions";
-export * from "./secret-versions-v2";
 export * from "./secrets";
-export * from "./secrets-v2";
 export * from "./service-tokens";
 export * from "./super-admin";
 export * from "./trusted-ips";

backend/src/db/schemas/integration-auths.ts

@@ -5,8 +5,6 @@
 
 import { z } from "zod";
 
-import { zodBuffer } from "@app/lib/zod";
-
 import { TImmutableDBKeys } from "./models";
 
 export const IntegrationAuthsSchema = z.object({
@@ -34,11 +32,7 @@ export const IntegrationAuthsSchema = z.object({
   updatedAt: z.date(),
   awsAssumeIamRoleArnCipherText: z.string().nullable().optional(),
   awsAssumeIamRoleArnIV: z.string().nullable().optional(),
-  awsAssumeIamRoleArnTag: z.string().nullable().optional(),
-  encryptedAccess: zodBuffer.nullable().optional(),
-  encryptedAccessId: zodBuffer.nullable().optional(),
-  encryptedRefresh: zodBuffer.nullable().optional(),
-  encryptedAwsAssumeIamRoleArn: zodBuffer.nullable().optional()
+  awsAssumeIamRoleArnTag: z.string().nullable().optional()
 });
 
 export type TIntegrationAuths = z.infer<typeof IntegrationAuthsSchema>;

backend/src/db/schemas/models.ts

@@ -90,18 +90,9 @@ export enum TableName {
   TrustedIps = "trusted_ips",
   DynamicSecret = "dynamic_secrets",
   DynamicSecretLease = "dynamic_secret_leases",
-  SecretV2 = "secrets_v2",
-  SecretReferenceV2 = "secret_references_v2",
-  SecretVersionV2 = "secret_versions_v2",
-  SecretApprovalRequestSecretV2 = "secret_approval_requests_secrets_v2",
-  SecretApprovalRequestSecretTagV2 = "secret_approval_request_secret_tags_v2",
-  SnapshotSecretV2 = "secret_snapshot_secrets_v2",
   // junction tables with tags
-  SecretV2JnTag = "secret_v2_tag_junction",
   JnSecretTag = "secret_tag_junction",
   SecretVersionTag = "secret_version_tag_junction",
-  SecretVersionV2Tag = "secret_version_v2_tag_junction",
-  SecretRotationOutputV2 = "secret_rotation_output_v2",
   // KMS Service
   KmsServerRootConfig = "kms_root_config",
   KmsKey = "kms_keys",
@@ -166,8 +157,7 @@ export enum SecretType {
 
 export enum ProjectVersion {
   V1 = 1,
-  V2 = 2,
-  V3 = 3
+  V2 = 2
 }
 
 export enum ProjectUpgradeStatus {

backend/src/db/schemas/org-memberships.ts

@@ -18,7 +18,7 @@ export const OrgMembershipsSchema = z.object({
   orgId: z.string().uuid(),
   roleId: z.string().uuid().nullable().optional(),
   projectFavorites: z.string().array().nullable().optional(),
-  isActive: z.boolean().default(true)
+  isActive: z.boolean()
 });
 
 export type TOrgMemberships = z.infer<typeof OrgMembershipsSchema>;

backend/src/db/schemas/rate-limit.ts

@@ -15,6 +15,7 @@ export const RateLimitSchema = z.object({
   authRateLimit: z.number().default(60),
   inviteUserRateLimit: z.number().default(30),
   mfaRateLimit: z.number().default(20),
+  creationLimit: z.number().default(30),
   publicEndpointLimit: z.number().default(30),
   createdAt: z.date(),
   updatedAt: z.date()

backend/src/db/schemas/secret-approval-policies.ts

@@ -14,8 +14,7 @@ export const SecretApprovalPoliciesSchema = z.object({
   approvals: z.number().default(1),
   envId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  enforcementLevel: z.string().default("hard")
+  updatedAt: z.date()
 });
 
 export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;

backend/src/db/schemas/secret-approval-request-secret-tags-v2.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretApprovalRequestSecretTagsV2Schema = z.object({
-  id: z.string().uuid(),
-  secretId: z.string().uuid(),
-  tagId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TSecretApprovalRequestSecretTagsV2 = z.infer<typeof SecretApprovalRequestSecretTagsV2Schema>;
-export type TSecretApprovalRequestSecretTagsV2Insert = Omit<
-  z.input<typeof SecretApprovalRequestSecretTagsV2Schema>,
-  TImmutableDBKeys
->;
-export type TSecretApprovalRequestSecretTagsV2Update = Partial<
-  Omit<z.input<typeof SecretApprovalRequestSecretTagsV2Schema>, TImmutableDBKeys>
->;

backend/src/db/schemas/secret-approval-requests-secrets-v2.ts

@@ -1,37 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretApprovalRequestsSecretsV2Schema = z.object({
-  id: z.string().uuid(),
-  version: z.number().default(1).nullable().optional(),
-  key: z.string(),
-  encryptedValue: zodBuffer.nullable().optional(),
-  encryptedComment: zodBuffer.nullable().optional(),
-  reminderNote: z.string().nullable().optional(),
-  reminderRepeatDays: z.number().nullable().optional(),
-  skipMultilineEncoding: z.boolean().default(false).nullable().optional(),
-  metadata: z.unknown().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  requestId: z.string().uuid(),
-  op: z.string(),
-  secretId: z.string().uuid().nullable().optional(),
-  secretVersion: z.string().uuid().nullable().optional()
-});
-
-export type TSecretApprovalRequestsSecretsV2 = z.infer<typeof SecretApprovalRequestsSecretsV2Schema>;
-export type TSecretApprovalRequestsSecretsV2Insert = Omit<
-  z.input<typeof SecretApprovalRequestsSecretsV2Schema>,
-  TImmutableDBKeys
->;
-export type TSecretApprovalRequestsSecretsV2Update = Partial<
-  Omit<z.input<typeof SecretApprovalRequestsSecretsV2Schema>, TImmutableDBKeys>
->;

backend/src/db/schemas/secret-approval-requests.ts

@@ -19,8 +19,7 @@ export const SecretApprovalRequestsSchema = z.object({
   updatedAt: z.date(),
   isReplicated: z.boolean().nullable().optional(),
   committerUserId: z.string().uuid(),
-  statusChangedByUserId: z.string().uuid().nullable().optional(),
-  bypassReason: z.string().nullable().optional()
+  statusChangedByUserId: z.string().uuid().nullable().optional()
 });
 
 export type TSecretApprovalRequests = z.infer<typeof SecretApprovalRequestsSchema>;

backend/src/db/schemas/secret-references-v2.ts

@@ -1,20 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretReferencesV2Schema = z.object({
-  id: z.string().uuid(),
-  environment: z.string(),
-  secretPath: z.string(),
-  secretKey: z.string(),
-  secretId: z.string().uuid()
-});
-
-export type TSecretReferencesV2 = z.infer<typeof SecretReferencesV2Schema>;
-export type TSecretReferencesV2Insert = Omit<z.input<typeof SecretReferencesV2Schema>, TImmutableDBKeys>;
-export type TSecretReferencesV2Update = Partial<Omit<z.input<typeof SecretReferencesV2Schema>, TImmutableDBKeys>>;

backend/src/db/schemas/secret-rotation-output-v2.ts

@@ -1,21 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretRotationOutputV2Schema = z.object({
-  id: z.string().uuid(),
-  key: z.string(),
-  secretId: z.string().uuid(),
-  rotationId: z.string().uuid()
-});
-
-export type TSecretRotationOutputV2 = z.infer<typeof SecretRotationOutputV2Schema>;
-export type TSecretRotationOutputV2Insert = Omit<z.input<typeof SecretRotationOutputV2Schema>, TImmutableDBKeys>;
-export type TSecretRotationOutputV2Update = Partial<
-  Omit<z.input<typeof SecretRotationOutputV2Schema>, TImmutableDBKeys>
->;

backend/src/db/schemas/secret-sharing.ts

@@ -18,10 +18,7 @@ export const SecretSharingSchema = z.object({
   orgId: z.string().uuid().nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  expiresAfterViews: z.number().nullable().optional(),
-  accessType: z.string().default("anyone"),
-  name: z.string().nullable().optional(),
-  lastViewedAt: z.date().nullable().optional()
+  expiresAfterViews: z.number().nullable().optional()
 });
 
 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;

backend/src/db/schemas/secret-snapshot-secrets-v2.ts

@@ -1,23 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretSnapshotSecretsV2Schema = z.object({
-  id: z.string().uuid(),
-  envId: z.string().uuid(),
-  secretVersionId: z.string().uuid(),
-  snapshotId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TSecretSnapshotSecretsV2 = z.infer<typeof SecretSnapshotSecretsV2Schema>;
-export type TSecretSnapshotSecretsV2Insert = Omit<z.input<typeof SecretSnapshotSecretsV2Schema>, TImmutableDBKeys>;
-export type TSecretSnapshotSecretsV2Update = Partial<
-  Omit<z.input<typeof SecretSnapshotSecretsV2Schema>, TImmutableDBKeys>
->;

backend/src/db/schemas/secret-v2-tag-junction.ts

@@ -1,18 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretV2TagJunctionSchema = z.object({
-  id: z.string().uuid(),
-  secrets_v2Id: z.string().uuid(),
-  secret_tagsId: z.string().uuid()
-});
-
-export type TSecretV2TagJunction = z.infer<typeof SecretV2TagJunctionSchema>;
-export type TSecretV2TagJunctionInsert = Omit<z.input<typeof SecretV2TagJunctionSchema>, TImmutableDBKeys>;
-export type TSecretV2TagJunctionUpdate = Partial<Omit<z.input<typeof SecretV2TagJunctionSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/secret-version-v2-tag-junction.ts

@@ -1,23 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretVersionV2TagJunctionSchema = z.object({
-  id: z.string().uuid(),
-  secret_versions_v2Id: z.string().uuid(),
-  secret_tagsId: z.string().uuid()
-});
-
-export type TSecretVersionV2TagJunction = z.infer<typeof SecretVersionV2TagJunctionSchema>;
-export type TSecretVersionV2TagJunctionInsert = Omit<
-  z.input<typeof SecretVersionV2TagJunctionSchema>,
-  TImmutableDBKeys
->;
-export type TSecretVersionV2TagJunctionUpdate = Partial<
-  Omit<z.input<typeof SecretVersionV2TagJunctionSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/secret-versions-v2.ts

@@ -1,33 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretVersionsV2Schema = z.object({
-  id: z.string().uuid(),
-  version: z.number().default(1),
-  type: z.string().default("shared"),
-  key: z.string(),
-  encryptedValue: zodBuffer.nullable().optional(),
-  encryptedComment: zodBuffer.nullable().optional(),
-  reminderNote: z.string().nullable().optional(),
-  reminderRepeatDays: z.number().nullable().optional(),
-  skipMultilineEncoding: z.boolean().default(false).nullable().optional(),
-  metadata: z.unknown().nullable().optional(),
-  envId: z.string().uuid().nullable().optional(),
-  secretId: z.string().uuid(),
-  folderId: z.string().uuid(),
-  userId: z.string().uuid().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TSecretVersionsV2 = z.infer<typeof SecretVersionsV2Schema>;
-export type TSecretVersionsV2Insert = Omit<z.input<typeof SecretVersionsV2Schema>, TImmutableDBKeys>;
-export type TSecretVersionsV2Update = Partial<Omit<z.input<typeof SecretVersionsV2Schema>, TImmutableDBKeys>>;

backend/src/db/schemas/secrets-v2.ts

@@ -1,31 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretsV2Schema = z.object({
-  id: z.string().uuid(),
-  version: z.number().default(1),
-  type: z.string().default("shared"),
-  key: z.string(),
-  encryptedValue: zodBuffer.nullable().optional(),
-  encryptedComment: zodBuffer.nullable().optional(),
-  reminderNote: z.string().nullable().optional(),
-  reminderRepeatDays: z.number().nullable().optional(),
-  skipMultilineEncoding: z.boolean().default(false).nullable().optional(),
-  metadata: z.unknown().nullable().optional(),
-  userId: z.string().uuid().nullable().optional(),
-  folderId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TSecretsV2 = z.infer<typeof SecretsV2Schema>;
-export type TSecretsV2Insert = Omit<z.input<typeof SecretsV2Schema>, TImmutableDBKeys>;
-export type TSecretsV2Update = Partial<Omit<z.input<typeof SecretsV2Schema>, TImmutableDBKeys>>;

backend/src/db/seed-data.ts

@@ -33,11 +33,6 @@ export const seedData1 = {
     name: "first project",
     slug: "first-project"
   },
-  projectV3: {
-    id: "77fa7aed-9288-401e-a4c9-3a9430be62a4",
-    name: "first project v2",
-    slug: "first-project-v2"
-  },
   environment: {
     name: "Development",
     slug: "dev"

backend/src/db/seeds/4-machine-identity.ts

@@ -86,15 +86,4 @@ export async function seed(knex: Knex): Promise<void> {
     role: ProjectMembershipRole.Admin,
     projectMembershipId: identityProjectMembership[0].id
   });
-  const identityProjectMembershipV3 = await knex(TableName.IdentityProjectMembership)
-    .insert({
-      identityId: seedData1.machineIdentity.id,
-      projectId: seedData1.projectV3.id
-    })
-    .returning("*");
-
-  await knex(TableName.IdentityProjectMembershipRole).insert({
-    role: ProjectMembershipRole.Admin,
-    projectMembershipId: identityProjectMembershipV3[0].id
-  });
 }

backend/src/db/seeds/4-project-v3.ts

@@ -1,50 +0,0 @@
-import { Knex } from "knex";
-
-import { ProjectMembershipRole, ProjectVersion, TableName } from "../schemas";
-import { seedData1 } from "../seed-data";
-
-export const DEFAULT_PROJECT_ENVS = [
-  { name: "Development", slug: "dev" },
-  { name: "Staging", slug: "staging" },
-  { name: "Production", slug: "prod" }
-];
-
-export async function seed(knex: Knex): Promise<void> {
-  const [projectV2] = await knex(TableName.Project)
-    .insert({
-      name: seedData1.projectV3.name,
-      orgId: seedData1.organization.id,
-      slug: seedData1.projectV3.slug,
-      version: ProjectVersion.V3,
-      // eslint-disable-next-line
-      // @ts-ignore
-      id: seedData1.projectV3.id
-    })
-    .returning("*");
-
-  const projectMembershipV3 = await knex(TableName.ProjectMembership)
-    .insert({
-      projectId: projectV2.id,
-      userId: seedData1.id
-    })
-    .returning("*");
-  await knex(TableName.ProjectUserMembershipRole).insert({
-    role: ProjectMembershipRole.Admin,
-    projectMembershipId: projectMembershipV3[0].id
-  });
-
-  // create default environments and default folders
-  const projectV3Envs = await knex(TableName.Environment)
-    .insert(
-      DEFAULT_PROJECT_ENVS.map(({ name, slug }, index) => ({
-        name,
-        slug,
-        projectId: seedData1.projectV3.id,
-        position: index + 1
-      }))
-    )
-    .returning("*");
-  await knex(TableName.SecretFolder).insert(
-    projectV3Envs.map(({ id }) => ({ name: "root", envId: id, parentId: null }))
-  );
-}

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -1,7 +1,6 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";
 
-import { EnforcementLevel } from "@app/lib/types";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -18,8 +17,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
           secretPath: z.string().trim().default("/"),
           environment: z.string(),
           approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+          approvals: z.number().min(1).default(1)
         })
         .refine((data) => data.approvals <= data.approvers.length, {
           path: ["approvals"],
@@ -40,8 +38,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         actorOrgId: req.permission.orgId,
         ...req.body,
         projectSlug: req.body.projectSlug,
-        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
-        enforcementLevel: req.body.enforcementLevel
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`
       });
       return { approval };
     }
@@ -118,8 +115,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
             .optional()
             .transform((val) => (val === "" ? "/" : val)),
           approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+          approvals: z.number().min(1).default(1)
         })
         .refine((data) => data.approvals <= data.approvers.length, {
           path: ["approvals"],

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -99,8 +99,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
               approvals: z.number(),
               approvers: z.string().array(),
               secretPath: z.string().nullish(),
-              envId: z.string(),
-              enforcementLevel: z.string()
+              envId: z.string()
             }),
             reviewers: z
               .object({

backend/src/ee/routes/v1/external-kms-router.ts

@@ -58,7 +58,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
     schema: {
       body: z.object({
         slug: z.string().min(1).trim().toLowerCase(),
-        description: z.string().trim().optional(),
+        description: z.string().min(1).trim().optional(),
         provider: ExternalKmsInputSchema
       }),
       response: {
@@ -109,7 +109,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
       }),
       body: z.object({
         slug: z.string().min(1).trim().toLowerCase().optional(),
-        description: z.string().trim().optional(),
+        description: z.string().min(1).trim().optional(),
         provider: ExternalKmsInputUpdateSchema
       }),
       response: {

backend/src/ee/routes/v1/org-role-router.ts

@@ -52,36 +52,6 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
     }
   });
 
-  server.route({
-    method: "GET",
-    url: "/:organizationId/roles/:roleId",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        organizationId: z.string().trim(),
-        roleId: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          role: OrgRolesSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const role = await server.services.orgRole.getRole(
-        req.permission.id,
-        req.params.organizationId,
-        req.params.roleId,
-        req.permission.authMethod,
-        req.permission.orgId
-      );
-      return { role };
-    }
-  });
-
   server.route({
     method: "PATCH",
     url: "/:organizationId/roles/:roleId",
@@ -99,7 +69,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
           .trim()
           .optional()
           .refine(
-            (val) => typeof val !== "undefined" && !Object.keys(OrgMembershipRole).includes(val),
+            (val) => typeof val === "undefined" || Object.keys(OrgMembershipRole).includes(val),
             "Please choose a different slug, the slug you have entered is reserved."
           )
           .refine((val) => typeof val === "undefined" || slugify(val) === val, {
@@ -107,7 +77,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
           }),
         name: z.string().trim().optional(),
         description: z.string().trim().optional(),
-        permissions: z.any().array().optional()
+        permissions: z.any().array()
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/project-role-router.ts

@@ -101,7 +101,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
             message: "Slug must be a valid"
           }),
         name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
-        permissions: ProjectPermissionSchema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
+        permissions: ProjectPermissionSchema.array().describe(PROJECT_ROLE.UPDATE.permissions)
       }),
       response: {
         200: z.object({
@@ -120,7 +120,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         roleId: req.params.roleId,
         data: {
           ...req.body,
-          permissions: req.body.permissions ? JSON.stringify(packRules(req.body.permissions)) : undefined
+          permissions: JSON.stringify(packRules(req.body.permissions))
         }
       });
       return { role };

backend/src/ee/routes/v1/project-router.ts

@@ -7,7 +7,6 @@ import { getLastMidnightDateISO, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { KmsType } from "@app/services/kms/kms-types";
 
 export const registerProjectRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -195,7 +194,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
-      const kmsKey = await server.services.project.getProjectKmsKeys({
+      const kmsKeys = await server.services.project.getProjectKmsKeys({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
@@ -203,7 +202,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         projectId: req.params.workspaceId
       });
 
-      return kmsKey;
+      return kmsKeys;
     }
   });
 
@@ -218,10 +217,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         workspaceId: z.string().trim()
       }),
       body: z.object({
-        kms: z.discriminatedUnion("type", [
-          z.object({ type: z.literal(KmsType.Internal) }),
-          z.object({ type: z.literal(KmsType.External), kmsId: z.string() })
-        ])
+        secretManagerKmsKeyId: z.string()
       }),
       response: {
         200: z.object({
@@ -349,35 +345,4 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       return backup;
     }
   });
-
-  server.route({
-    method: "POST",
-    url: "/:workspaceId/migrate-v3",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      params: z.object({
-        workspaceId: z.string().trim()
-      }),
-
-      response: {
-        200: z.object({
-          message: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const migration = await server.services.secret.startSecretV2Migration({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        projectId: req.params.workspaceId
-      });
-
-      return migration;
-    }
-  });
 };

backend/src/ee/routes/v1/rate-limit-router.ts

@@ -58,6 +58,7 @@ export const registerRateLimitRouter = async (server: FastifyZodProvider) => {
         authRateLimit: z.number(),
         inviteUserRateLimit: z.number(),
         mfaRateLimit: z.number(),
+        creationLimit: z.number(),
         publicEndpointLimit: z.number()
       }),
       response: {

backend/src/ee/routes/v1/scim-router.ts

@@ -350,12 +350,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
               schemas: z.array(z.string()),
               id: z.string().trim(),
               displayName: z.string().trim(),
-              members: z.array(
-                z.object({
-                  value: z.string(),
-                  display: z.string()
-                })
-              ),
+              members: z.array(z.any()).length(0),
               meta: z.object({
                 resourceType: z.string().trim()
               })
@@ -428,7 +423,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
         displayName: z.string().trim(),
         members: z.array(
           z.object({
-            value: z.string(),
+            value: z.string(), // infisical orgMembershipId
             display: z.string()
           })
         )

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -2,7 +2,6 @@ import { nanoid } from "nanoid";
 import { z } from "zod";
 
 import { removeTrailingSlash } from "@app/lib/fn";
-import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
@@ -25,13 +24,11 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
             .string()
             .optional()
             .nullable()
-            .default("/")
             .transform((val) => (val ? removeTrailingSlash(val) : val)),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+          approverUserIds: z.string().array().min(1),
+          approvals: z.number().min(1).default(1)
         })
-        .refine((data) => data.approvals <= data.approvers.length, {
+        .refine((data) => data.approvals <= data.approverUserIds.length, {
           path: ["approvals"],
           message: "The number of approvals should be lower than the number of approvers."
         }),
@@ -50,8 +47,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         actorOrgId: req.permission.orgId,
         projectId: req.body.workspaceId,
         ...req.body,
-        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
-        enforcementLevel: req.body.enforcementLevel
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`
       });
       return { approval };
     }
@@ -70,17 +66,15 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
       body: z
         .object({
           name: z.string().optional(),
-          approvers: z.string().array().min(1),
+          approverUserIds: z.string().array().min(1),
           approvals: z.number().min(1).default(1),
           secretPath: z
             .string()
             .optional()
             .nullable()
             .transform((val) => (val ? removeTrailingSlash(val) : val))
-            .transform((val) => (val === "" ? "/" : val)),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).optional()
         })
-        .refine((data) => data.approvals <= data.approvers.length, {
+        .refine((data) => data.approvals <= data.approverUserIds.length, {
           path: ["approvals"],
           message: "The number of approvals should be lower than the number of approvers."
         }),

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -3,14 +3,16 @@ import { z } from "zod";
 import {
   SecretApprovalRequestsReviewersSchema,
   SecretApprovalRequestsSchema,
+  SecretApprovalRequestsSecretsSchema,
+  SecretsSchema,
   SecretTagsSchema,
+  SecretVersionsSchema,
   UsersSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApprovalStatus, RequestState } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 const approvalRequestUser = z.object({ userId: z.string() }).merge(
@@ -47,8 +49,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               name: z.string(),
               approvals: z.number(),
               approvers: z.string().array(),
-              secretPath: z.string().optional().nullable(),
-              enforcementLevel: z.string()
+              secretPath: z.string().optional().nullable()
             }),
             committerUser: approvalRequestUser,
             commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
@@ -115,9 +116,6 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
       params: z.object({
         id: z.string()
       }),
-      body: z.object({
-        bypassReason: z.string().optional()
-      }),
       response: {
         200: z.object({
           approval: SecretApprovalRequestsSchema
@@ -131,8 +129,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
         actor: req.permission.type,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        approvalId: req.params.id,
-        bypassReason: req.body.bypassReason
+        approvalId: req.params.id
       });
       return { approval };
     }
@@ -251,40 +248,53 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 name: z.string(),
                 approvals: z.number(),
                 approvers: approvalRequestUser.array(),
-                secretPath: z.string().optional().nullable(),
-                enforcementLevel: z.string()
+                secretPath: z.string().optional().nullable()
               }),
               environment: z.string(),
               statusChangedByUser: approvalRequestUser.optional(),
               committerUser: approvalRequestUser,
               reviewers: approvalRequestUser.extend({ status: z.string() }).array(),
               secretPath: z.string(),
-              commits: secretRawSchema
-                .omit({ _id: true, environment: true, workspace: true, type: true, version: true })
-                .extend({
-                  op: z.string(),
-                  tags: tagSchema,
-                  secret: z
-                    .object({
-                      id: z.string(),
-                      version: z.number(),
-                      secretKey: z.string(),
-                      secretValue: z.string().optional(),
-                      secretComment: z.string().optional()
+              commits: SecretApprovalRequestsSecretsSchema.omit({ secretBlindIndex: true })
+                .merge(
+                  z.object({
+                    tags: tagSchema,
+                    secret: SecretsSchema.pick({
+                      id: true,
+                      version: true,
+                      secretKeyIV: true,
+                      secretKeyTag: true,
+                      secretKeyCiphertext: true,
+                      secretValueIV: true,
+                      secretValueTag: true,
+                      secretValueCiphertext: true,
+                      secretCommentIV: true,
+                      secretCommentTag: true,
+                      secretCommentCiphertext: true
                     })
-                    .optional()
-                    .nullable(),
-                  secretVersion: z
-                    .object({
-                      id: z.string(),
-                      version: z.number(),
-                      secretKey: z.string(),
-                      secretValue: z.string().optional(),
-                      secretComment: z.string().optional(),
-                      tags: tagSchema
+                      .optional()
+                      .nullable(),
+                    secretVersion: SecretVersionsSchema.pick({
+                      id: true,
+                      version: true,
+                      secretKeyIV: true,
+                      secretKeyTag: true,
+                      secretKeyCiphertext: true,
+                      secretValueIV: true,
+                      secretValueTag: true,
+                      secretValueCiphertext: true,
+                      secretCommentIV: true,
+                      secretCommentTag: true,
+                      secretCommentCiphertext: true
                     })
-                    .optional()
-                })
+                      .merge(
+                        z.object({
+                          tags: tagSchema
+                        })
+                      )
+                      .optional()
+                  })
+                )
                 .array()
             })
           )

backend/src/ee/routes/v1/secret-rotation-router.ts

@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-import { SecretRotationOutputsSchema, SecretRotationsSchema } from "@app/db/schemas";
+import { SecretRotationOutputsSchema, SecretRotationsSchema, SecretsSchema } from "@app/db/schemas";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -112,10 +112,18 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
               outputs: z
                 .object({
                   key: z.string(),
-                  secret: z.object({
-                    secretKey: z.string(),
-                    id: z.string(),
-                    version: z.number()
+                  secret: SecretsSchema.pick({
+                    id: true,
+                    version: true,
+                    secretKeyIV: true,
+                    secretKeyTag: true,
+                    secretKeyCiphertext: true,
+                    secretValueIV: true,
+                    secretValueTag: true,
+                    secretValueCiphertext: true,
+                    secretCommentIV: true,
+                    secretCommentTag: true,
+                    secretCommentCiphertext: true
                   })
                 })
                 .array()

backend/src/ee/routes/v1/secret-version-router.ts

@@ -1,8 +1,8 @@
 import { z } from "zod";
 
+import { SecretVersionsSchema } from "@app/db/schemas";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerSecretVersionRouter = async (server: FastifyZodProvider) => {
@@ -22,7 +22,7 @@ export const registerSecretVersionRouter = async (server: FastifyZodProvider) =>
       }),
       response: {
         200: z.object({
-          secretVersions: secretRawSchema.array()
+          secretVersions: SecretVersionsSchema.omit({ secretBlindIndex: true }).array()
         })
       }
     },

backend/src/ee/routes/v1/snapshot-router.ts

@@ -1,10 +1,9 @@
 import { z } from "zod";
 
-import { SecretSnapshotsSchema, SecretTagsSchema } from "@app/db/schemas";
+import { SecretSnapshotsSchema, SecretTagsSchema, SecretVersionsSchema } from "@app/db/schemas";
 import { PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
@@ -28,17 +27,17 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
               slug: z.string(),
               name: z.string()
             }),
-            secretVersions: secretRawSchema
-              .omit({ _id: true, environment: true, workspace: true, type: true })
-              .extend({
-                secretId: z.string(),
-                tags: SecretTagsSchema.pick({
-                  id: true,
-                  slug: true,
-                  name: true,
-                  color: true
-                }).array()
-              })
+            secretVersions: SecretVersionsSchema.omit({ secretBlindIndex: true })
+              .merge(
+                z.object({
+                  tags: SecretTagsSchema.pick({
+                    id: true,
+                    slug: true,
+                    name: true,
+                    color: true
+                  }).array()
+                })
+              )
               .array(),
             folderVersion: z.object({ id: z.string(), name: z.string() }).array(),
             createdAt: z.date(),

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -47,8 +47,7 @@ export const accessApprovalPolicyServiceFactory = ({
     approvals,
     approvers,
     projectSlug,
-    environment,
-    enforcementLevel
+    environment
   }: TCreateAccessApprovalPolicy) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new BadRequestError({ message: "Project not found" });
@@ -95,8 +94,7 @@ export const accessApprovalPolicyServiceFactory = ({
           envId: env.id,
           approvals,
           secretPath,
-          name,
-          enforcementLevel
+          name
         },
         tx
       );
@@ -145,8 +143,7 @@ export const accessApprovalPolicyServiceFactory = ({
     actor,
     actorOrgId,
     actorAuthMethod,
-    approvals,
-    enforcementLevel
+    approvals
   }: TUpdateAccessApprovalPolicy) => {
     const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
     if (!accessApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
@@ -166,8 +163,7 @@ export const accessApprovalPolicyServiceFactory = ({
         {
           approvals,
           secretPath,
-          name,
-          enforcementLevel
+          name
         },
         tx
       );

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -1,4 +1,4 @@
-import { EnforcementLevel, TProjectPermission } from "@app/lib/types";
+import { TProjectPermission } from "@app/lib/types";
 import { ActorAuthMethod } from "@app/services/auth/auth-type";
 
 import { TPermissionServiceFactory } from "../permission/permission-service";
@@ -20,7 +20,6 @@ export type TCreateAccessApprovalPolicy = {
   approvers: string[];
   projectSlug: string;
   name: string;
-  enforcementLevel: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateAccessApprovalPolicy = {
@@ -29,7 +28,6 @@ export type TUpdateAccessApprovalPolicy = {
   approvers?: string[];
   secretPath?: string;
   name?: string;
-  enforcementLevel?: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteAccessApprovalPolicy = {

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -48,7 +48,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("name").withSchema(TableName.AccessApprovalPolicy).as("policyName"),
           db.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
           db.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
-          db.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
           db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId")
         )
 
@@ -99,7 +98,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             name: doc.policyName,
             approvals: doc.policyApprovals,
             secretPath: doc.policySecretPath,
-            enforcementLevel: doc.policyEnforcementLevel,
             envId: doc.policyEnvId
           },
           privilege: doc.privilegeId
@@ -167,7 +165,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("projectId").withSchema(TableName.Environment),
         tx.ref("slug").withSchema(TableName.Environment).as("environment"),
         tx.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
-        tx.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
         tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
         tx.ref("approverId").withSchema(TableName.AccessApprovalPolicyApprover)
       );
@@ -187,8 +184,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             id: el.policyId,
             name: el.policyName,
             approvals: el.policyApprovals,
-            secretPath: el.policySecretPath,
-            enforcementLevel: el.policyEnforcementLevel
+            secretPath: el.policySecretPath
           }
         }),
         childrenMapper: [

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -106,7 +106,6 @@ export enum EventType {
   CREATE_ENVIRONMENT = "create-environment",
   UPDATE_ENVIRONMENT = "update-environment",
   DELETE_ENVIRONMENT = "delete-environment",
-  GET_ENVIRONMENT = "get-environment",
   ADD_WORKSPACE_MEMBER = "add-workspace-member",
   ADD_BATCH_WORKSPACE_MEMBER = "add-workspace-members",
   REMOVE_WORKSPACE_MEMBER = "remove-workspace-member",
@@ -136,7 +135,6 @@ export enum EventType {
   IMPORT_CA_CERT = "import-certificate-authority-cert",
   GET_CA_CRL = "get-certificate-authority-crl",
   ISSUE_CERT = "issue-cert",
-  SIGN_CERT = "sign-cert",
   GET_CERT = "get-cert",
   DELETE_CERT = "delete-cert",
   REVOKE_CERT = "revoke-cert",
@@ -147,8 +145,7 @@ export enum EventType {
   GET_KMS = "get-kms",
   UPDATE_PROJECT_KMS = "update-project-kms",
   GET_PROJECT_KMS_BACKUP = "get-project-kms-backup",
-  LOAD_PROJECT_KMS_BACKUP = "load-project-kms-backup",
-  ORG_ADMIN_ACCESS_PROJECT = "org-admin-accessed-project"
+  LOAD_PROJECT_KMS_BACKUP = "load-project-kms-backup"
 }
 
 interface UserActorMetadata {
@@ -338,7 +335,6 @@ interface DeleteIntegrationEvent {
     targetServiceId?: string;
     path?: string;
     region?: string;
-    shouldDeleteIntegrationSecrets?: boolean;
   };
 }
 
@@ -842,13 +838,6 @@ interface CreateEnvironmentEvent {
   };
 }
 
-interface GetEnvironmentEvent {
-  type: EventType.GET_ENVIRONMENT;
-  metadata: {
-    id: string;
-  };
-}
-
 interface UpdateEnvironmentEvent {
   type: EventType.UPDATE_ENVIRONMENT;
   metadata: {
@@ -1146,15 +1135,6 @@ interface IssueCert {
   };
 }
 
-interface SignCert {
-  type: EventType.SIGN_CERT;
-  metadata: {
-    caId: string;
-    dn: string;
-    serialNumber: string;
-  };
-}
-
 interface GetCert {
   type: EventType.GET_CERT;
   metadata: {
@@ -1247,16 +1227,6 @@ interface LoadProjectKmsBackupEvent {
   metadata: Record<string, string>; // no metadata yet
 }
 
-interface OrgAdminAccessProjectEvent {
-  type: EventType.ORG_ADMIN_ACCESS_PROJECT;
-  metadata: {
-    userId: string;
-    username: string;
-    email: string;
-    projectId: string;
-  }; // no metadata yet
-}
-
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -1323,7 +1293,6 @@ export type Event =
   | UpdateIdentityOidcAuthEvent
   | GetIdentityOidcAuthEvent
   | CreateEnvironmentEvent
-  | GetEnvironmentEvent
   | UpdateEnvironmentEvent
   | DeleteEnvironmentEvent
   | AddWorkspaceMemberEvent
@@ -1355,7 +1324,6 @@ export type Event =
   | ImportCaCert
   | GetCaCrl
   | IssueCert
-  | SignCert
   | GetCert
   | DeleteCert
   | RevokeCert
@@ -1366,5 +1334,4 @@ export type Event =
   | GetKmsEvent
   | UpdateProjectKmsEvent
   | GetProjectKmsBackupEvent
-  | LoadProjectKmsBackupEvent
-  | OrgAdminAccessProjectEvent;
+  | LoadProjectKmsBackupEvent;

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal.ts

@@ -12,7 +12,10 @@ export const dynamicSecretLeaseDALFactory = (db: TDbClient) => {
 
   const countLeasesForDynamicSecret = async (dynamicSecretId: string, tx?: Knex) => {
     try {
-      const doc = await (tx || db)(TableName.DynamicSecretLease).count("*").where({ dynamicSecretId }).first();
+      const doc = await (tx || db.replicaNode())(TableName.DynamicSecretLease)
+        .count("*")
+        .where({ dynamicSecretId })
+        .first();
       return parseInt(doc || "0", 10);
     } catch (error) {
       throw new DatabaseError({ error, name: "DynamicSecretCountLeases" });
@@ -21,7 +24,7 @@ export const dynamicSecretLeaseDALFactory = (db: TDbClient) => {
 
   const findById = async (id: string, tx?: Knex) => {
     try {
-      const doc = await (tx || db)(TableName.DynamicSecretLease)
+      const doc = await (tx || db.replicaNode())(TableName.DynamicSecretLease)
         .where({ [`${TableName.DynamicSecretLease}.id` as "id"]: id })
         .first()
         .join(

backend/src/ee/services/external-kms/external-kms-service.ts

@@ -5,7 +5,6 @@ import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsDataKey } from "@app/services/kms/kms-types";
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
@@ -24,7 +23,10 @@ import { ExternalKmsAwsSchema, KmsProviders } from "./providers/model";
 
 type TExternalKmsServiceFactoryDep = {
   externalKmsDAL: TExternalKmsDALFactory;
-  kmsService: Pick<TKmsServiceFactory, "getOrgKmsKeyId" | "createCipherPairWithDataKey">;
+  kmsService: Pick<
+    TKmsServiceFactory,
+    "getOrgKmsKeyId" | "decryptWithInputKey" | "encryptWithInputKey" | "getOrgKmsDataKey"
+  >;
   kmsDAL: Pick<TKmsKeyDALFactory, "create" | "updateById" | "findById" | "deleteById" | "findOne">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -82,12 +84,12 @@ export const externalKmsServiceFactory = ({
         throw new BadRequestError({ message: "external kms provided is invalid" });
     }
 
-    const { encryptor: orgDataKeyEncryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.Organization,
-      orgId: actorOrgId
+    const orgKmsDataKey = await kmsService.getOrgKmsDataKey(actorOrgId);
+    const kmsEncryptor = await kmsService.encryptWithInputKey({
+      key: orgKmsDataKey
     });
 
-    const { cipherTextBlob: encryptedProviderInputs } = orgDataKeyEncryptor({
+    const { cipherTextBlob: encryptedProviderInputs } = kmsEncryptor({
       plainText: Buffer.from(sanitizedProviderInput, "utf8")
     });
 
@@ -148,13 +150,13 @@ export const externalKmsServiceFactory = ({
     if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
 
     let sanitizedProviderInput = "";
-    const { encryptor: orgDataKeyEncryptor, decryptor: orgDataKeyDecryptor } =
-      await kmsService.createCipherPairWithDataKey({
-        type: KmsDataKey.Organization,
-        orgId: actorOrgId
-      });
     if (provider) {
-      const decryptedProviderInputBlob = orgDataKeyDecryptor({
+      const orgKmsDataKey = await kmsService.getOrgKmsDataKey(kmsDoc.orgId);
+      const kmsDecryptor = await kmsService.decryptWithInputKey({
+        key: orgKmsDataKey
+      });
+
+      const decryptedProviderInputBlob = kmsDecryptor({
         cipherTextBlob: externalKmsDoc.encryptedProviderInputs
       });
 
@@ -177,7 +179,11 @@ export const externalKmsServiceFactory = ({
 
     let encryptedProviderInputs: Buffer | undefined;
     if (sanitizedProviderInput) {
-      const { cipherTextBlob } = orgDataKeyEncryptor({
+      const orgKmsDataKey = await kmsService.getOrgKmsDataKey(actorOrgId);
+      const kmsEncryptor = await kmsService.encryptWithInputKey({
+        key: orgKmsDataKey
+      });
+      const { cipherTextBlob } = kmsEncryptor({
         plainText: Buffer.from(sanitizedProviderInput, "utf8")
       });
       encryptedProviderInputs = cipherTextBlob;
@@ -260,12 +266,12 @@ export const externalKmsServiceFactory = ({
     const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
     if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
 
-    const { decryptor: orgDataKeyDecryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.Organization,
-      orgId: actorOrgId
+    const orgKmsDataKey = await kmsService.getOrgKmsDataKey(kmsDoc.orgId);
+    const kmsDecryptor = await kmsService.decryptWithInputKey({
+      key: orgKmsDataKey
     });
 
-    const decryptedProviderInputBlob = orgDataKeyDecryptor({
+    const decryptedProviderInputBlob = kmsDecryptor({
       cipherTextBlob: externalKmsDoc.encryptedProviderInputs
     });
     switch (externalKmsDoc.provider) {
@@ -300,12 +306,12 @@ export const externalKmsServiceFactory = ({
     const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
     if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
 
-    const { decryptor: orgDataKeyDecryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.Organization,
-      orgId: actorOrgId
+    const orgKmsDataKey = await kmsService.getOrgKmsDataKey(kmsDoc.orgId);
+    const kmsDecryptor = await kmsService.decryptWithInputKey({
+      key: orgKmsDataKey
     });
 
-    const decryptedProviderInputBlob = orgDataKeyDecryptor({
+    const decryptedProviderInputBlob = kmsDecryptor({
       cipherTextBlob: externalKmsDoc.encryptedProviderInputs
     });
 

backend/src/ee/services/group/group-fns.ts

@@ -336,36 +336,31 @@ export const removeUsersFromGroupByUserIds = async ({
         )
       );
 
-      const promises: Array<Promise<void>> = [];
-      for (const userId of userIds) {
-        promises.push(
-          (async () => {
-            const t = await userGroupMembershipDAL.filterProjectsByUserMembership(userId, group.id, projectIds, tx);
-            const projectsToDeleteKeyFor = projectIds.filter((p) => !t.has(p));
+      // TODO: this part can be optimized
+      for await (const userId of userIds) {
+        const t = await userGroupMembershipDAL.filterProjectsByUserMembership(userId, group.id, projectIds, tx);
+        const projectsToDeleteKeyFor = projectIds.filter((p) => !t.has(p));
 
-            if (projectsToDeleteKeyFor.length) {
-              await projectKeyDAL.delete(
-                {
-                  receiverId: userId,
-                  $in: {
-                    projectId: projectsToDeleteKeyFor
-                  }
-                },
-                tx
-              );
-            }
+        if (projectsToDeleteKeyFor.length) {
+          await projectKeyDAL.delete(
+            {
+              receiverId: userId,
+              $in: {
+                projectId: projectsToDeleteKeyFor
+              }
+            },
+            tx
+          );
+        }
 
-            await userGroupMembershipDAL.delete(
-              {
-                groupId: group.id,
-                userId
-              },
-              tx
-            );
-          })()
+        await userGroupMembershipDAL.delete(
+          {
+            groupId: group.id,
+            userId
+          },
+          tx
         );
       }
-      await Promise.all(promises);
     }
 
     if (membersToRemoveFromGroupPending.length) {

backend/src/ee/services/group/user-group-membership-dal.ts

@@ -162,50 +162,17 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findGroupMembershipsByUserIdInOrg = async (userId: string, orgId: string) => {
+  const findUserGroupMembershipsInOrg = async (userId: string, orgId: string) => {
     try {
       const docs = await db
         .replicaNode()(TableName.UserGroupMembership)
         .join(TableName.Groups, `${TableName.UserGroupMembership}.groupId`, `${TableName.Groups}.id`)
-        .join(TableName.OrgMembership, `${TableName.UserGroupMembership}.userId`, `${TableName.OrgMembership}.userId`)
-        .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
         .where(`${TableName.UserGroupMembership}.userId`, userId)
-        .where(`${TableName.Groups}.orgId`, orgId)
-        .select(
-          db.ref("id").withSchema(TableName.UserGroupMembership),
-          db.ref("groupId").withSchema(TableName.UserGroupMembership),
-          db.ref("name").withSchema(TableName.Groups).as("groupName"),
-          db.ref("id").withSchema(TableName.OrgMembership).as("orgMembershipId"),
-          db.ref("firstName").withSchema(TableName.Users).as("firstName"),
-          db.ref("lastName").withSchema(TableName.Users).as("lastName")
-        );
+        .where(`${TableName.Groups}.orgId`, orgId);
 
       return docs;
     } catch (error) {
-      throw new DatabaseError({ error, name: "Find group memberships by user id in org" });
-    }
-  };
-
-  const findGroupMembershipsByGroupIdInOrg = async (groupId: string, orgId: string) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.UserGroupMembership)
-        .join(TableName.Groups, `${TableName.UserGroupMembership}.groupId`, `${TableName.Groups}.id`)
-        .join(TableName.OrgMembership, `${TableName.UserGroupMembership}.userId`, `${TableName.OrgMembership}.userId`)
-        .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
-        .where(`${TableName.Groups}.id`, groupId)
-        .where(`${TableName.Groups}.orgId`, orgId)
-        .select(
-          db.ref("id").withSchema(TableName.UserGroupMembership),
-          db.ref("groupId").withSchema(TableName.UserGroupMembership),
-          db.ref("name").withSchema(TableName.Groups).as("groupName"),
-          db.ref("id").withSchema(TableName.OrgMembership).as("orgMembershipId"),
-          db.ref("firstName").withSchema(TableName.Users).as("firstName"),
-          db.ref("lastName").withSchema(TableName.Users).as("lastName")
-        );
-      return docs;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find group memberships by group id in org" });
+      throw new DatabaseError({ error, name: "findTest" });
     }
   };
 
@@ -215,7 +182,6 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
     findUserGroupMembershipsInProject,
     findGroupMembersNotInProject,
     deletePendingUserGroupMembershipsByUserIds,
-    findGroupMembershipsByUserIdInOrg,
-    findGroupMembershipsByGroupIdInOrg
+    findUserGroupMembershipsInOrg
   };
 };

backend/src/ee/services/license/licence-fns.ts

@@ -40,12 +40,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   secretRotation: true,
   caCrl: false,
   instanceUserManagement: false,
-  externalKms: false,
-  rateLimits: {
-    readLimit: 60,
-    writeLimit: 200,
-    secretsLimit: 40
-  }
+  externalKms: false
 });
 
 export const setupLicenceRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {

backend/src/ee/services/license/license-types.ts

@@ -58,11 +58,6 @@ export type TFeatureSet = {
   caCrl: false;
   instanceUserManagement: false;
   externalKms: false;
-  rateLimits: {
-    readLimit: number;
-    writeLimit: number;
-    secretsLimit: number;
-  };
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/permission/org-permission.ts

@@ -9,10 +9,6 @@ export enum OrgPermissionActions {
   Delete = "delete"
 }
 
-export enum OrgPermissionAdminConsoleAction {
-  AccessAllProjects = "access-all-projects"
-}
-
 export enum OrgPermissionSubjects {
   Workspace = "workspace",
   Role = "role",
@@ -26,8 +22,7 @@ export enum OrgPermissionSubjects {
   Billing = "billing",
   SecretScanning = "secret-scanning",
   Identity = "identity",
-  Kms = "kms",
-  AdminConsole = "organization-admin-console"
+  Kms = "kms"
 }
 
 export type OrgPermissionSet =
@@ -44,8 +39,7 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
   | [OrgPermissionActions, OrgPermissionSubjects.Billing]
   | [OrgPermissionActions, OrgPermissionSubjects.Identity]
-  | [OrgPermissionActions, OrgPermissionSubjects.Kms]
-  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];
+  | [OrgPermissionActions, OrgPermissionSubjects.Kms];
 
 const buildAdminPermission = () => {
   const { can, build } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
@@ -113,8 +107,6 @@ const buildAdminPermission = () => {
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.Kms);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.Kms);
 
-  can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
-
   return build({ conditionsMatcher });
 };
 

backend/src/ee/services/permission/project-permission.ts

@@ -23,7 +23,6 @@ export enum ProjectPermissionSub {
   IpAllowList = "ip-allowlist",
   Project = "workspace",
   Secrets = "secrets",
-  SecretFolders = "secret-folders",
   SecretRollback = "secret-rollback",
   SecretApproval = "secret-approval",
   SecretRotation = "secret-rotation",
@@ -43,10 +42,6 @@ export type ProjectPermissionSet =
       ProjectPermissionActions,
       ProjectPermissionSub.Secrets | (ForcedSubject<ProjectPermissionSub.Secrets> & SubjectFields)
     ]
-  | [
-      ProjectPermissionActions,
-      ProjectPermissionSub.SecretFolders | (ForcedSubject<ProjectPermissionSub.SecretFolders> & SubjectFields)
-    ]
   | [ProjectPermissionActions, ProjectPermissionSub.Role]
   | [ProjectPermissionActions, ProjectPermissionSub.Tags]
   | [ProjectPermissionActions, ProjectPermissionSub.Member]

backend/src/ee/services/rate-limit/rate-limit-service.ts

@@ -4,16 +4,17 @@ import { logger } from "@app/lib/logger";
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TRateLimitDALFactory } from "./rate-limit-dal";
-import { RateLimitConfiguration, TRateLimit, TRateLimitUpdateDTO } from "./rate-limit-types";
+import { TRateLimit, TRateLimitUpdateDTO } from "./rate-limit-types";
 
-let rateLimitMaxConfiguration: RateLimitConfiguration = {
+let rateLimitMaxConfiguration = {
   readLimit: 60,
   publicEndpointLimit: 30,
   writeLimit: 200,
   secretsLimit: 60,
   authRateLimit: 60,
   inviteUserRateLimit: 30,
-  mfaRateLimit: 20
+  mfaRateLimit: 20,
+  creationLimit: 30
 };
 
 Object.freeze(rateLimitMaxConfiguration);
@@ -66,7 +67,8 @@ export const rateLimitServiceFactory = ({ rateLimitDAL, licenseService }: TRateL
           secretsLimit: rateLimit.secretsRateLimit,
           authRateLimit: rateLimit.authRateLimit,
           inviteUserRateLimit: rateLimit.inviteUserRateLimit,
-          mfaRateLimit: rateLimit.mfaRateLimit
+          mfaRateLimit: rateLimit.mfaRateLimit,
+          creationLimit: rateLimit.creationLimit
         };
 
         logger.info(`syncRateLimitConfiguration: rate limit configuration: %o`, newRateLimitMaxConfiguration);

backend/src/ee/services/rate-limit/rate-limit-types.ts

@@ -5,6 +5,7 @@ export type TRateLimitUpdateDTO = {
   authRateLimit: number;
   inviteUserRateLimit: number;
   mfaRateLimit: number;
+  creationLimit: number;
   publicEndpointLimit: number;
 };
 
@@ -13,13 +14,3 @@ export type TRateLimit = {
   createdAt: Date;
   updatedAt: Date;
 } & TRateLimitUpdateDTO;
-
-export type RateLimitConfiguration = {
-  readLimit: number;
-  publicEndpointLimit: number;
-  writeLimit: number;
-  secretsLimit: number;
-  authRateLimit: number;
-  inviteUserRateLimit: number;
-  mfaRateLimit: number;
-};

backend/src/ee/services/scim/scim-service.ts

@@ -9,7 +9,6 @@ import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-grou
 import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
-import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TOrgPermission } from "@app/lib/types";
 import { AuthTokenType } from "@app/services/auth/auth-type";
@@ -52,7 +51,6 @@ import {
   TListScimUsers,
   TListScimUsersDTO,
   TReplaceScimUserDTO,
-  TScimGroup,
   TScimTokenJwtPayload,
   TUpdateScimGroupNamePatchDTO,
   TUpdateScimGroupNamePutDTO,
@@ -85,8 +83,7 @@ type TScimServiceFactoryDep = {
     | "insertMany"
     | "filterProjectsByUserMembership"
     | "delete"
-    | "findGroupMembershipsByUserIdInOrg"
-    | "findGroupMembershipsByGroupIdInOrg"
+    | "findUserGroupMembershipsInOrg"
   >;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
   projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
@@ -255,10 +252,7 @@ export const scimServiceFactory = ({
         status: 403
       });
 
-    const groupMembershipsInOrg = await userGroupMembershipDAL.findGroupMembershipsByUserIdInOrg(
-      membership.userId,
-      orgId
-    );
+    const groupMembershipsInOrg = await userGroupMembershipDAL.findUserGroupMembershipsInOrg(membership.userId, orgId);
 
     return buildScimUser({
       orgMembershipId: membership.id,
@@ -269,7 +263,7 @@ export const scimServiceFactory = ({
       active: membership.isActive,
       groups: groupMembershipsInOrg.map((group) => ({
         value: group.groupId,
-        display: group.groupName
+        display: group.name
       }))
     });
   };
@@ -515,10 +509,7 @@ export const scimServiceFactory = ({
       isActive: active
     });
 
-    const groupMembershipsInOrg = await userGroupMembershipDAL.findGroupMembershipsByUserIdInOrg(
-      membership.userId,
-      orgId
-    );
+    const groupMembershipsInOrg = await userGroupMembershipDAL.findUserGroupMembershipsInOrg(membership.userId, orgId);
 
     return buildScimUser({
       orgMembershipId: membership.id,
@@ -529,7 +520,7 @@ export const scimServiceFactory = ({
       active,
       groups: groupMembershipsInOrg.map((group) => ({
         value: group.groupId,
-        display: group.groupName
+        display: group.name
       }))
     });
   };
@@ -598,20 +589,13 @@ export const scimServiceFactory = ({
       }
     );
 
-    const scimGroups: TScimGroup[] = [];
-
-    for await (const group of groups) {
-      const members = await userGroupMembershipDAL.findGroupMembershipsByGroupIdInOrg(group.id, orgId);
-      const scimGroup = buildScimGroup({
+    const scimGroups = groups.map((group) =>
+      buildScimGroup({
         groupId: group.id,
         name: group.name,
-        members: members.map((member) => ({
-          value: member.orgMembershipId,
-          display: `${member.firstName ?? ""} ${member.lastName ?? ""}`
-        }))
-      });
-      scimGroups.push(scimGroup);
-    }
+        members: [] // does this need to be populated?
+      })
+    );
 
     return buildScimGroupList({
       scimGroups,
@@ -888,27 +872,23 @@ export const scimServiceFactory = ({
           break;
         }
         case "add": {
-          try {
-            const orgMemberships = await orgMembershipDAL.find({
-              $in: {
-                id: operation.value.map((member) => member.value)
-              }
-            });
+          const orgMemberships = await orgMembershipDAL.find({
+            $in: {
+              id: operation.value.map((member) => member.value)
+            }
+          });
 
-            await addUsersToGroupByUserIds({
-              group,
-              userIds: orgMemberships.map((membership) => membership.userId as string),
-              userDAL,
-              userGroupMembershipDAL,
-              orgDAL,
-              groupProjectDAL,
-              projectKeyDAL,
-              projectDAL,
-              projectBotDAL
-            });
-          } catch {
-            logger.info("Repeat SCIM user-group add operation");
-          }
+          await addUsersToGroupByUserIds({
+            group,
+            userIds: orgMemberships.map((membership) => membership.userId as string),
+            userDAL,
+            userGroupMembershipDAL,
+            orgDAL,
+            groupProjectDAL,
+            projectKeyDAL,
+            projectDAL,
+            projectBotDAL
+          });
 
           break;
         }
@@ -936,15 +916,10 @@ export const scimServiceFactory = ({
       }
     }
 
-    const members = await userGroupMembershipDAL.findGroupMembershipsByGroupIdInOrg(group.id, orgId);
-
     return buildScimGroup({
       groupId: group.id,
       name: group.name,
-      members: members.map((member) => ({
-        value: member.orgMembershipId,
-        display: `${member.firstName ?? ""} ${member.lastName ?? ""}`
-      }))
+      members: []
     });
   };
 

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -45,13 +45,12 @@ export const secretApprovalPolicyServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     approvals,
-    approvers,
+    approverUserIds,
     projectId,
     secretPath,
-    environment,
-    enforcementLevel
+    environment
   }: TCreateSapDTO) => {
-    if (approvals > approvers.length)
+    if (approvals > approverUserIds.length)
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
 
     const { permission } = await permissionService.getProjectPermission(
@@ -74,13 +73,12 @@ export const secretApprovalPolicyServiceFactory = ({
           envId: env.id,
           approvals,
           secretPath,
-          name,
-          enforcementLevel
+          name
         },
         tx
       );
       await secretApprovalPolicyApproverDAL.insertMany(
-        approvers.map((approverUserId) => ({
+        approverUserIds.map((approverUserId) => ({
           approverUserId,
           policyId: doc.id
         })),
@@ -92,7 +90,7 @@ export const secretApprovalPolicyServiceFactory = ({
   };
 
   const updateSecretApprovalPolicy = async ({
-    approvers,
+    approverUserIds,
     secretPath,
     name,
     actorId,
@@ -100,8 +98,7 @@ export const secretApprovalPolicyServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     approvals,
-    secretPolicyId,
-    enforcementLevel
+    secretPolicyId
   }: TUpdateSapDTO) => {
     const secretApprovalPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
     if (!secretApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
@@ -121,15 +118,14 @@ export const secretApprovalPolicyServiceFactory = ({
         {
           approvals,
           secretPath,
-          name,
-          enforcementLevel
+          name
         },
         tx
       );
-      if (approvers) {
+      if (approverUserIds) {
         await secretApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
         await secretApprovalPolicyApproverDAL.insertMany(
-          approvers.map((approverUserId) => ({
+          approverUserIds.map((approverUserId) => ({
             approverUserId,
             policyId: doc.id
           })),

backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@@ -1,22 +1,20 @@
-import { EnforcementLevel, TProjectPermission } from "@app/lib/types";
+import { TProjectPermission } from "@app/lib/types";
 
 export type TCreateSapDTO = {
   approvals: number;
   secretPath?: string | null;
   environment: string;
-  approvers: string[];
+  approverUserIds: string[];
   projectId: string;
   name: string;
-  enforcementLevel: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateSapDTO = {
   secretPolicyId: string;
   approvals?: number;
   secretPath?: string | null;
-  approvers: string[];
+  approverUserIds: string[];
   name?: string;
-  enforcementLevel?: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteSapDTO = {

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -94,8 +94,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("projectId").withSchema(TableName.Environment),
         tx.ref("slug").withSchema(TableName.Environment).as("environment"),
         tx.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
-        tx.ref("envId").withSchema(TableName.SecretApprovalPolicy).as("policyEnvId"),
-        tx.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
         tx.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals")
       );
 
@@ -130,9 +128,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             id: el.policyId,
             name: el.policyName,
             approvals: el.policyApprovals,
-            secretPath: el.policySecretPath,
-            enforcementLevel: el.policyEnforcementLevel,
-            envId: el.policyEnvId
+            secretPath: el.policySecretPath
           }
         }),
         childrenMapper: [
@@ -286,7 +282,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             `DENSE_RANK() OVER (partition by ${TableName.Environment}."projectId" ORDER BY ${TableName.SecretApprovalRequest}."id" DESC) as rank`
           ),
           db.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
-          db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
           db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
           db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
           db.ref("email").withSchema("committerUser").as("committerUserEmail"),
@@ -313,8 +308,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             id: el.policyId,
             name: el.policyName,
             approvals: el.policyApprovals,
-            secretPath: el.policySecretPath,
-            enforcementLevel: el.policyEnforcementLevel
+            secretPath: el.policySecretPath
           },
           committerUser: {
             userId: el.committerUserId,
@@ -356,161 +350,5 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findByProjectIdBridgeSecretV2 = async (
-    { status, limit = 20, offset = 0, projectId, committer, environment, userId }: TFindQueryFilter,
-    tx?: Knex
-  ) => {
-    try {
-      // akhilmhdh: If ever u wanted a 1 to so many relationship connected with pagination
-      // this is the place u wanna look at.
-      const query = (tx || db.replicaNode())(TableName.SecretApprovalRequest)
-        .join(TableName.SecretFolder, `${TableName.SecretApprovalRequest}.folderId`, `${TableName.SecretFolder}.id`)
-        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
-        .join(
-          TableName.SecretApprovalPolicy,
-          `${TableName.SecretApprovalRequest}.policyId`,
-          `${TableName.SecretApprovalPolicy}.id`
-        )
-        .join(
-          TableName.SecretApprovalPolicyApprover,
-          `${TableName.SecretApprovalPolicy}.id`,
-          `${TableName.SecretApprovalPolicyApprover}.policyId`
-        )
-        .join<TUsers>(
-          db(TableName.Users).as("committerUser"),
-          `${TableName.SecretApprovalRequest}.committerUserId`,
-          `committerUser.id`
-        )
-        .leftJoin(
-          TableName.SecretApprovalRequestReviewer,
-          `${TableName.SecretApprovalRequest}.id`,
-          `${TableName.SecretApprovalRequestReviewer}.requestId`
-        )
-        .leftJoin<TSecretApprovalRequestsSecrets>(
-          TableName.SecretApprovalRequestSecretV2,
-          `${TableName.SecretApprovalRequestSecretV2}.requestId`,
-          `${TableName.SecretApprovalRequest}.id`
-        )
-        .where(
-          stripUndefinedInWhere({
-            projectId,
-            [`${TableName.Environment}.slug` as "slug"]: environment,
-            [`${TableName.SecretApprovalRequest}.status`]: status,
-            committerUserId: committer
-          })
-        )
-        .andWhere(
-          (bd) =>
-            void bd
-              .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, userId)
-              .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, userId)
-        )
-        .select(selectAllTableCols(TableName.SecretApprovalRequest))
-        .select(
-          db.ref("projectId").withSchema(TableName.Environment),
-          db.ref("slug").withSchema(TableName.Environment).as("environment"),
-          db.ref("id").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerId"),
-          db.ref("reviewerUserId").withSchema(TableName.SecretApprovalRequestReviewer),
-          db.ref("status").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerStatus"),
-          db.ref("id").withSchema(TableName.SecretApprovalPolicy).as("policyId"),
-          db.ref("name").withSchema(TableName.SecretApprovalPolicy).as("policyName"),
-          db.ref("op").withSchema(TableName.SecretApprovalRequestSecretV2).as("commitOp"),
-          db.ref("secretId").withSchema(TableName.SecretApprovalRequestSecretV2).as("commitSecretId"),
-          db.ref("id").withSchema(TableName.SecretApprovalRequestSecretV2).as("commitId"),
-          db.raw(
-            `DENSE_RANK() OVER (partition by ${TableName.Environment}."projectId" ORDER BY ${TableName.SecretApprovalRequest}."id" DESC) as rank`
-          ),
-          db.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
-          db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
-          db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
-          db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
-          db.ref("email").withSchema("committerUser").as("committerUserEmail"),
-          db.ref("username").withSchema("committerUser").as("committerUserUsername"),
-          db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
-          db.ref("lastName").withSchema("committerUser").as("committerUserLastName")
-        )
-        .orderBy("createdAt", "desc");
-
-      const docs = await (tx || db)
-        .with("w", query)
-        .select("*")
-        .from<Awaited<typeof query>[number]>("w")
-        .where("w.rank", ">=", offset)
-        .andWhere("w.rank", "<", offset + limit);
-      const formatedDoc = sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (el) => ({
-          ...SecretApprovalRequestsSchema.parse(el),
-          environment: el.environment,
-          projectId: el.projectId,
-          policy: {
-            id: el.policyId,
-            name: el.policyName,
-            approvals: el.policyApprovals,
-            secretPath: el.policySecretPath,
-            enforcementLevel: el.policyEnforcementLevel
-          },
-          committerUser: {
-            userId: el.committerUserId,
-            email: el.committerUserEmail,
-            firstName: el.committerUserFirstName,
-            lastName: el.committerUserLastName,
-            username: el.committerUserUsername
-          }
-        }),
-        childrenMapper: [
-          {
-            key: "reviewerId",
-            label: "reviewers" as const,
-            mapper: ({ reviewerUserId, reviewerStatus: s }) =>
-              reviewerUserId ? { userId: reviewerUserId, status: s } : undefined
-          },
-          {
-            key: "approverUserId",
-            label: "approvers" as const,
-            mapper: ({ approverUserId }) => approverUserId
-          },
-          {
-            key: "commitId",
-            label: "commits" as const,
-            mapper: ({ commitSecretId: secretId, commitId: id, commitOp: op }) => ({
-              op,
-              id,
-              secretId
-            })
-          }
-        ]
-      });
-      return formatedDoc.map((el) => ({
-        ...el,
-        policy: { ...el.policy, approvers: el.approvers }
-      }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindSAR" });
-    }
-  };
-
-  const deleteByProjectId = async (projectId: string, tx?: Knex) => {
-    try {
-      const query = await (tx || db)(TableName.SecretApprovalRequest)
-        .join(TableName.SecretFolder, `${TableName.SecretApprovalRequest}.folderId`, `${TableName.SecretFolder}.id`)
-        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
-        .where({ projectId })
-        .delete();
-
-      return query;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "DeleteByProjectId" });
-    }
-  };
-
-  return {
-    ...secretApprovalRequestOrm,
-    findById,
-    findProjectRequestCount,
-    findByProjectId,
-    findByProjectIdBridgeSecretV2,
-    deleteByProjectId
-  };
+  return { ...secretApprovalRequestOrm, findById, findProjectRequestCount, findByProjectId };
 };

backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts

@@ -3,7 +3,6 @@ import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import {
   SecretApprovalRequestsSecretsSchema,
-  SecretApprovalRequestsSecretsV2Schema,
   TableName,
   TSecretApprovalRequestsSecrets,
   TSecretTags
@@ -16,8 +15,6 @@ export type TSecretApprovalRequestSecretDALFactory = ReturnType<typeof secretApp
 export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
   const secretApprovalRequestSecretOrm = ormify(db, TableName.SecretApprovalRequestSecret);
   const secretApprovalRequestSecretTagOrm = ormify(db, TableName.SecretApprovalRequestSecretTag);
-  const secretApprovalRequestSecretV2TagOrm = ormify(db, TableName.SecretApprovalRequestSecretTagV2);
-  const secretApprovalRequestSecretV2Orm = ormify(db, TableName.SecretApprovalRequestSecretV2);
 
   const bulkUpdateNoVersionIncrement = async (data: TSecretApprovalRequestsSecrets[], tx?: Knex) => {
     try {
@@ -224,197 +221,10 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
       throw new DatabaseError({ error, name: "FindByRequestId" });
     }
   };
-
-  const findByRequestIdBridgeSecretV2 = async (requestId: string, tx?: Knex) => {
-    try {
-      const doc = await (tx || db.replicaNode())({
-        secVerTag: TableName.SecretTag
-      })
-        .from(TableName.SecretApprovalRequestSecretV2)
-        .where({ requestId })
-        .leftJoin(
-          TableName.SecretApprovalRequestSecretTagV2,
-          `${TableName.SecretApprovalRequestSecretV2}.id`,
-          `${TableName.SecretApprovalRequestSecretTagV2}.secretId`
-        )
-        .leftJoin(
-          TableName.SecretTag,
-          `${TableName.SecretApprovalRequestSecretTagV2}.tagId`,
-          `${TableName.SecretTag}.id`
-        )
-        .leftJoin(TableName.SecretV2, `${TableName.SecretApprovalRequestSecretV2}.secretId`, `${TableName.SecretV2}.id`)
-        .leftJoin(
-          TableName.SecretVersionV2,
-          `${TableName.SecretVersionV2}.id`,
-          `${TableName.SecretApprovalRequestSecretV2}.secretVersion`
-        )
-        .leftJoin(
-          TableName.SecretVersionV2Tag,
-          `${TableName.SecretVersionV2Tag}.${TableName.SecretVersionV2}Id`,
-          `${TableName.SecretVersionV2}.id`
-        )
-        .leftJoin<TSecretTags>(
-          db.ref(TableName.SecretTag).as("secVerTag"),
-          `${TableName.SecretVersionV2Tag}.${TableName.SecretTag}Id`,
-          db.ref("id").withSchema("secVerTag")
-        )
-        .select(selectAllTableCols(TableName.SecretApprovalRequestSecretV2))
-        .select({
-          secVerTagId: "secVerTag.id",
-          secVerTagColor: "secVerTag.color",
-          secVerTagSlug: "secVerTag.slug",
-          secVerTagName: "secVerTag.name"
-        })
-        .select(
-          db.ref("id").withSchema(TableName.SecretTag).as("tagId"),
-          db.ref("id").withSchema(TableName.SecretApprovalRequestSecretTagV2).as("tagJnId"),
-          db.ref("color").withSchema(TableName.SecretTag).as("tagColor"),
-          db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"),
-          db.ref("name").withSchema(TableName.SecretTag).as("tagName")
-        )
-        .select(
-          db.ref("version").withSchema(TableName.SecretV2).as("orgSecVersion"),
-          db.ref("key").withSchema(TableName.SecretV2).as("orgSecKey"),
-          db.ref("encryptedValue").withSchema(TableName.SecretV2).as("orgSecValue"),
-          db.ref("encryptedComment").withSchema(TableName.SecretV2).as("orgSecComment")
-        )
-        .select(
-          db.ref("version").withSchema(TableName.SecretVersionV2).as("secVerVersion"),
-          db.ref("key").withSchema(TableName.SecretVersionV2).as("secVerKey"),
-          db.ref("encryptedValue").withSchema(TableName.SecretVersionV2).as("secVerValue"),
-          db.ref("encryptedComment").withSchema(TableName.SecretVersionV2).as("secVerComment")
-        );
-      const formatedDoc = sqlNestRelationships({
-        data: doc,
-        key: "id",
-        parentMapper: (data) => SecretApprovalRequestsSecretsV2Schema.omit({ secretVersion: true }).parse(data),
-        childrenMapper: [
-          {
-            key: "tagJnId",
-            label: "tags" as const,
-            mapper: ({ tagId: id, tagName: name, tagSlug: slug, tagColor: color }) => ({
-              id,
-              name,
-              slug,
-              color
-            })
-          },
-          {
-            key: "secretId",
-            label: "secret" as const,
-            mapper: ({ orgSecVersion, orgSecKey, orgSecValue, orgSecComment, secretId }) =>
-              secretId
-                ? {
-                    id: secretId,
-                    version: orgSecVersion,
-                    key: orgSecKey,
-                    encryptedValue: orgSecValue,
-                    encryptedComment: orgSecComment
-                  }
-                : undefined
-          },
-          {
-            key: "secretVersion",
-            label: "secretVersion" as const,
-            mapper: ({ secretVersion, secVerVersion, secVerKey, secVerValue, secVerComment }) =>
-              secretVersion
-                ? {
-                    version: secVerVersion,
-                    id: secretVersion,
-                    key: secVerKey,
-                    encryptedValue: secVerValue,
-                    encryptedComment: secVerComment
-                  }
-                : undefined,
-            childrenMapper: [
-              {
-                key: "secVerTagId",
-                label: "tags" as const,
-                mapper: ({ secVerTagId: id, secVerTagName: name, secVerTagSlug: slug, secVerTagColor: color }) => ({
-                  // eslint-disable-next-line
-                  id,
-                  // eslint-disable-next-line
-                  name,
-                  // eslint-disable-next-line
-                  slug,
-                  // eslint-disable-next-line
-                  color
-                })
-              }
-            ]
-          }
-        ]
-      });
-      return formatedDoc?.map(({ secret, secretVersion, ...el }) => ({
-        ...el,
-        secret: secret?.[0],
-        secretVersion: secretVersion?.[0]
-      }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindByRequestId" });
-    }
-  };
-  // special query for migration to v2 secret
-  const findByProjectId = async (projectId: string, tx?: Knex) => {
-    try {
-      const docs = await (tx || db)(TableName.SecretApprovalRequestSecret)
-        .join(
-          TableName.SecretApprovalRequest,
-          `${TableName.SecretApprovalRequest}.id`,
-          `${TableName.SecretApprovalRequestSecret}.requestId`
-        )
-        .join(TableName.SecretFolder, `${TableName.SecretApprovalRequest}.folderId`, `${TableName.SecretFolder}.id`)
-        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
-        .leftJoin(
-          TableName.SecretApprovalRequestSecretTag,
-          `${TableName.SecretApprovalRequestSecret}.id`,
-          `${TableName.SecretApprovalRequestSecretTag}.secretId`
-        )
-        .where({ projectId })
-        .select(selectAllTableCols(TableName.SecretApprovalRequestSecret))
-        .select(
-          db.ref("id").withSchema(TableName.SecretApprovalRequestSecretTag).as("secretApprovalTagId"),
-          db.ref("secretId").withSchema(TableName.SecretApprovalRequestSecretTag).as("secretApprovalTagSecretId"),
-          db.ref("tagId").withSchema(TableName.SecretApprovalRequestSecretTag).as("secretApprovalTagSecretTagId"),
-          db.ref("createdAt").withSchema(TableName.SecretApprovalRequestSecretTag).as("secretApprovalTagCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.SecretApprovalRequestSecretTag).as("secretApprovalTagUpdatedAt")
-        );
-      const formatedDoc = sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (data) => SecretApprovalRequestsSecretsSchema.parse(data),
-        childrenMapper: [
-          {
-            key: "secretApprovalTagId",
-            label: "tags" as const,
-            mapper: ({
-              secretApprovalTagSecretId,
-              secretApprovalTagId,
-              secretApprovalTagUpdatedAt,
-              secretApprovalTagCreatedAt
-            }) => ({
-              secretApprovalTagSecretId,
-              secretApprovalTagId,
-              secretApprovalTagUpdatedAt,
-              secretApprovalTagCreatedAt
-            })
-          }
-        ]
-      });
-      return formatedDoc;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindByRequestId" });
-    }
-  };
-
   return {
     ...secretApprovalRequestSecretOrm,
-    insertV2Bridge: secretApprovalRequestSecretV2Orm.insertMany,
     findByRequestId,
-    findByRequestIdBridgeSecretV2,
     bulkUpdateNoVersionIncrement,
-    findByProjectId,
-    insertApprovalSecretTags: secretApprovalRequestSecretTagOrm.insertMany,
-    insertApprovalSecretV2Tags: secretApprovalRequestSecretV2TagOrm.insertMany
+    insertApprovalSecretTags: secretApprovalRequestSecretTagOrm.insertMany
   };
 };

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -5,25 +5,17 @@ import {
   SecretEncryptionAlgo,
   SecretKeyEncoding,
   SecretType,
-  TSecretApprovalRequestsSecretsInsert,
-  TSecretApprovalRequestsSecretsV2Insert
+  TSecretApprovalRequestsSecretsInsert
 } from "@app/db/schemas";
-import { getConfig } from "@app/lib/config/env";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
-import { setKnexStringValue } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { EnforcementLevel } from "@app/lib/types";
 import { ActorType } from "@app/services/auth/auth-type";
-import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
-import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import {
-  decryptSecretWithBot,
   fnSecretBlindIndexCheck,
   fnSecretBlindIndexCheckV2,
   fnSecretBulkDelete,
@@ -38,17 +30,6 @@ import { TSecretVersionTagDALFactory } from "@app/services/secret/secret-version
 import { TSecretBlindIndexDALFactory } from "@app/services/secret-blind-index/secret-blind-index-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
-import { TSecretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
-import {
-  fnSecretBulkDelete as fnSecretV2BridgeBulkDelete,
-  fnSecretBulkInsert as fnSecretV2BridgeBulkInsert,
-  fnSecretBulkUpdate as fnSecretV2BridgeBulkUpdate,
-  getAllNestedSecretReferences as getAllNestedSecretReferencesV2Bridge
-} from "@app/services/secret-v2-bridge/secret-v2-bridge-fns";
-import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
-import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";
-import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
-import { TUserDALFactory } from "@app/services/user/user-dal";
 
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
@@ -61,7 +42,6 @@ import {
   RequestState,
   TApprovalRequestCountDTO,
   TGenerateSecretApprovalRequestDTO,
-  TGenerateSecretApprovalRequestV2BridgeDTO,
   TListApprovalsDTO,
   TMergeSecretApprovalRequestDTO,
   TReviewRequestDTO,
@@ -77,26 +57,13 @@ type TSecretApprovalRequestServiceFactoryDep = {
   secretApprovalRequestReviewerDAL: TSecretApprovalRequestReviewerDALFactory;
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findSecretPathByFolderIds">;
   secretDAL: TSecretDALFactory;
-  secretTagDAL: Pick<
-    TSecretTagDALFactory,
-    "findManyTagsById" | "saveTagsToSecret" | "deleteTagsManySecret" | "saveTagsToSecretV2" | "deleteTagsToSecretV2"
-  >;
+  secretTagDAL: Pick<TSecretTagDALFactory, "findManyTagsById" | "saveTagsToSecret" | "deleteTagsManySecret">;
   secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "findOne">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
-  smtpService: Pick<TSmtpService, "sendMail">;
-  userDAL: Pick<TUserDALFactory, "find" | "findOne">;
-  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
-  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus" | "findById" | "findProjectById">;
+  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
   secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "removeSecretReminder">;
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey" | "encryptWithInputKey" | "decryptWithInputKey">;
-  secretV2BridgeDAL: Pick<
-    TSecretV2BridgeDALFactory,
-    "insertMany" | "upsertSecretReferences" | "findBySecretKeys" | "bulkUpdate" | "deleteMany"
-  >;
-  secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
-  secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
 };
 
 export type TSecretApprovalRequestServiceFactory = ReturnType<typeof secretApprovalRequestServiceFactory>;
@@ -115,14 +82,7 @@ export const secretApprovalRequestServiceFactory = ({
   snapshotService,
   secretVersionDAL,
   secretQueueService,
-  projectBotService,
-  smtpService,
-  userDAL,
-  projectEnvDAL,
-  kmsService,
-  secretV2BridgeDAL,
-  secretVersionV2BridgeDAL,
-  secretVersionTagV2BridgeDAL
+  projectBotService
 }: TSecretApprovalRequestServiceFactoryDep) => {
   const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
@@ -154,19 +114,6 @@ export const secretApprovalRequestServiceFactory = ({
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
 
     await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
-
-    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
-    if (shouldUseSecretV2Bridge) {
-      return secretApprovalRequestDAL.findByProjectIdBridgeSecretV2({
-        projectId,
-        committer,
-        environment,
-        status,
-        userId: actorId,
-        limit,
-        offset
-      });
-    }
     const approvals = await secretApprovalRequestDAL.findByProjectId({
       projectId,
       committer,
@@ -191,14 +138,11 @@ export const secretApprovalRequestServiceFactory = ({
     const secretApprovalRequest = await secretApprovalRequestDAL.findById(id);
     if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
 
-    const { projectId } = secretApprovalRequest;
-    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
-
     const { policy } = secretApprovalRequest;
     const { hasRole } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId,
+      secretApprovalRequest.projectId,
       actorAuthMethod,
       actorOrgId
     );
@@ -210,75 +154,7 @@ export const secretApprovalRequestServiceFactory = ({
       throw new UnauthorizedError({ message: "User has no access" });
     }
 
-    let secrets;
-    if (shouldUseSecretV2Bridge) {
-      const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-        type: KmsDataKey.SecretManager,
-        projectId
-      });
-      const encrypedSecrets = await secretApprovalRequestSecretDAL.findByRequestIdBridgeSecretV2(
-        secretApprovalRequest.id
-      );
-      secrets = encrypedSecrets.map((el) => ({
-        ...el,
-        secretKey: el.key,
-        id: el.id,
-        version: el.version,
-        secretValue: el.encryptedValue
-          ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
-          : undefined,
-        secretComment: el.encryptedComment
-          ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString()
-          : undefined,
-        secret: el.secret
-          ? {
-              secretKey: el.secret.key,
-              id: el.secret.id,
-              version: el.secret.version,
-              secretValue: el.secret.encryptedValue
-                ? secretManagerDecryptor({ cipherTextBlob: el.secret.encryptedValue }).toString()
-                : undefined,
-              secretComment: el.secret.encryptedComment
-                ? secretManagerDecryptor({ cipherTextBlob: el.secret.encryptedComment }).toString()
-                : undefined
-            }
-          : undefined,
-        secretVersion: el.secretVersion
-          ? {
-              secretKey: el.secretVersion.key,
-              id: el.secretVersion.id,
-              version: el.secretVersion.version,
-              secretValue: el.secretVersion.encryptedValue
-                ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedValue }).toString()
-                : undefined,
-              secretComment: el.secretVersion.encryptedComment
-                ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedComment }).toString()
-                : undefined
-            }
-          : undefined
-      }));
-    } else {
-      if (!botKey) throw new BadRequestError({ message: "Bot key not found" });
-      const encrypedSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
-      secrets = encrypedSecrets.map((el) => ({
-        ...el,
-        ...decryptSecretWithBot(el, botKey),
-        secret: el.secret
-          ? {
-              id: el.secret.id,
-              version: el.secret.version,
-              ...decryptSecretWithBot(el.secret, botKey)
-            }
-          : undefined,
-        secretVersion: el.secretVersion
-          ? {
-              id: el.secretVersion.id,
-              version: el.secretVersion.version,
-              ...decryptSecretWithBot(el.secretVersion, botKey)
-            }
-          : undefined
-      }));
-    }
+    const secrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
     const secretPath = await folderDAL.findSecretPathByFolderIds(secretApprovalRequest.projectId, [
       secretApprovalRequest.folderId
     ]);
@@ -381,8 +257,7 @@ export const secretApprovalRequestServiceFactory = ({
     actor,
     actorId,
     actorOrgId,
-    actorAuthMethod,
-    bypassReason
+    actorAuthMethod
   }: TMergeSecretApprovalRequestDTO) => {
     const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
     if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
@@ -413,167 +288,45 @@ export const secretApprovalRequestServiceFactory = ({
       secretApprovalRequest.policy.approvers.filter(
         ({ userId: approverId }) => reviewers[approverId.toString()] === ApprovalStatus.APPROVED
       ).length;
-    const isSoftEnforcement = secretApprovalRequest.policy.enforcementLevel === EnforcementLevel.Soft;
 
-    if (!hasMinApproval && !isSoftEnforcement)
-      throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
+    if (!hasMinApproval) throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
+    const secretApprovalSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
+    if (!secretApprovalSecrets) throw new BadRequestError({ message: "No secrets found" });
 
-    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
-    let mergeStatus;
-    if (shouldUseSecretV2Bridge) {
-      // this cycle if for bridged secrets
-      const secretApprovalSecrets = await secretApprovalRequestSecretDAL.findByRequestIdBridgeSecretV2(
-        secretApprovalRequest.id
+    const conflicts: Array<{ secretId: string; op: SecretOperations }> = [];
+    let secretCreationCommits = secretApprovalSecrets.filter(({ op }) => op === SecretOperations.Create);
+    if (secretCreationCommits.length) {
+      const { secsGroupedByBlindIndex: conflictGroupByBlindIndex } = await fnSecretBlindIndexCheckV2({
+        folderId,
+        secretDAL,
+        inputSecrets: secretCreationCommits.map(({ secretBlindIndex }) => {
+          if (!secretBlindIndex) {
+            throw new BadRequestError({
+              message: "Missing secret blind index"
+            });
+          }
+          return { secretBlindIndex };
+        })
+      });
+      secretCreationCommits
+        .filter(({ secretBlindIndex }) => conflictGroupByBlindIndex[secretBlindIndex || ""])
+        .forEach((el) => {
+          conflicts.push({ op: SecretOperations.Create, secretId: el.id });
+        });
+      secretCreationCommits = secretCreationCommits.filter(
+        ({ secretBlindIndex }) => !conflictGroupByBlindIndex[secretBlindIndex || ""]
       );
-      if (!secretApprovalSecrets) throw new BadRequestError({ message: "No secrets found" });
+    }
 
-      const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-        type: KmsDataKey.SecretManager,
-        projectId
-      });
-
-      const conflicts: Array<{ secretId: string; op: SecretOperations }> = [];
-      let secretCreationCommits = secretApprovalSecrets.filter(({ op }) => op === SecretOperations.Create);
-      if (secretCreationCommits.length) {
-        const secrets = await secretV2BridgeDAL.findBySecretKeys(
-          folderId,
-          secretCreationCommits.map((el) => ({
-            key: el.key,
-            type: SecretType.Shared
-          }))
-        );
-        const creationConflictSecretsGroupByKey = groupBy(secrets, (i) => i.key);
-        secretCreationCommits
-          .filter(({ key }) => creationConflictSecretsGroupByKey[key])
-          .forEach((el) => {
-            conflicts.push({ op: SecretOperations.Create, secretId: el.id });
-          });
-        secretCreationCommits = secretCreationCommits.filter(({ key }) => !creationConflictSecretsGroupByKey[key]);
-      }
-
-      let secretUpdationCommits = secretApprovalSecrets.filter(({ op }) => op === SecretOperations.Update);
-      if (secretUpdationCommits.length) {
-        const secrets = await secretV2BridgeDAL.findBySecretKeys(
-          folderId,
-          secretCreationCommits.map((el) => ({
-            key: el.key,
-            type: SecretType.Shared
-          }))
-        );
-        const updationConflictSecretsGroupByKey = groupBy(secrets, (i) => i.key);
-        secretUpdationCommits
-          .filter(({ key, secretId }) => updationConflictSecretsGroupByKey[key] || !secretId)
-          .forEach((el) => {
-            conflicts.push({ op: SecretOperations.Update, secretId: el.id });
-          });
-
-        secretUpdationCommits = secretUpdationCommits.filter(
-          ({ key, secretId }) => Boolean(secretId) && !updationConflictSecretsGroupByKey[key]
-        );
-      }
-
-      const secretDeletionCommits = secretApprovalSecrets.filter(({ op }) => op === SecretOperations.Delete);
-      mergeStatus = await secretApprovalRequestDAL.transaction(async (tx) => {
-        const newSecrets = secretCreationCommits.length
-          ? await fnSecretV2BridgeBulkInsert({
-              tx,
-              folderId,
-              inputSecrets: secretCreationCommits.map((el) => ({
-                tagIds: el?.tags.map(({ id }) => id),
-                version: 1,
-                encryptedComment: el.encryptedComment,
-                encryptedValue: el.encryptedValue,
-                skipMultilineEncoding: el.skipMultilineEncoding,
-                key: el.key,
-                references: el.encryptedValue
-                  ? getAllNestedSecretReferencesV2Bridge(
-                      secretManagerDecryptor({
-                        cipherTextBlob: el.encryptedValue
-                      }).toString()
-                    )
-                  : [],
-                type: SecretType.Shared
-              })),
-              secretDAL: secretV2BridgeDAL,
-              secretVersionDAL: secretVersionV2BridgeDAL,
-              secretTagDAL,
-              secretVersionTagDAL: secretVersionTagV2BridgeDAL
-            })
-          : [];
-        const updatedSecrets = secretUpdationCommits.length
-          ? await fnSecretV2BridgeBulkUpdate({
-              folderId,
-              tx,
-              inputSecrets: secretUpdationCommits.map((el) => {
-                const encryptedValue =
-                  typeof el.encryptedValue !== "undefined"
-                    ? {
-                        encryptedValue: el.encryptedValue as Buffer,
-                        references: el.encryptedValue
-                          ? getAllNestedSecretReferencesV2Bridge(
-                              secretManagerDecryptor({
-                                cipherTextBlob: el.encryptedValue
-                              }).toString()
-                            )
-                          : []
-                      }
-                    : {};
-                return {
-                  filter: { id: el.secretId as string, type: SecretType.Shared },
-                  data: {
-                    reminderRepeatDays: el.reminderRepeatDays,
-                    encryptedComment: el.encryptedComment,
-                    reminderNote: el.reminderNote,
-                    skipMultilineEncoding: el.skipMultilineEncoding,
-                    key: el.key,
-                    tagIds: el?.tags.map(({ id }) => id),
-                    ...encryptedValue
-                  }
-                };
-              }),
-              secretDAL: secretV2BridgeDAL,
-              secretVersionDAL: secretVersionV2BridgeDAL,
-              secretTagDAL,
-              secretVersionTagDAL: secretVersionTagV2BridgeDAL
-            })
-          : [];
-        const deletedSecret = secretDeletionCommits.length
-          ? await fnSecretV2BridgeBulkDelete({
-              projectId,
-              folderId,
-              tx,
-              actorId: "",
-              secretDAL: secretV2BridgeDAL,
-              secretQueueService,
-              inputSecrets: secretDeletionCommits.map(({ key }) => ({ secretKey: key, type: SecretType.Shared }))
-            })
-          : [];
-        const updatedSecretApproval = await secretApprovalRequestDAL.updateById(
-          secretApprovalRequest.id,
-          {
-            conflicts: JSON.stringify(conflicts),
-            hasMerged: true,
-            status: RequestState.Closed,
-            statusChangedByUserId: actorId
-          },
-          tx
-        );
-        return {
-          secrets: { created: newSecrets, updated: updatedSecrets, deleted: deletedSecret },
-          approval: updatedSecretApproval
-        };
-      });
-    } else {
-      const secretApprovalSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
-      if (!secretApprovalSecrets) throw new BadRequestError({ message: "No secrets found" });
-
-      const conflicts: Array<{ secretId: string; op: SecretOperations }> = [];
-      let secretCreationCommits = secretApprovalSecrets.filter(({ op }) => op === SecretOperations.Create);
-      if (secretCreationCommits.length) {
-        const { secsGroupedByBlindIndex: conflictGroupByBlindIndex } = await fnSecretBlindIndexCheckV2({
-          folderId,
-          secretDAL,
-          inputSecrets: secretCreationCommits.map(({ secretBlindIndex }) => {
+    let secretUpdationCommits = secretApprovalSecrets.filter(({ op }) => op === SecretOperations.Update);
+    if (secretUpdationCommits.length) {
+      const { secsGroupedByBlindIndex: conflictGroupByBlindIndex } = await fnSecretBlindIndexCheckV2({
+        folderId,
+        secretDAL,
+        userId: "",
+        inputSecrets: secretUpdationCommits
+          .filter(({ secretBlindIndex, secret }) => secret && secret.secretBlindIndex !== secretBlindIndex)
+          .map(({ secretBlindIndex }) => {
             if (!secretBlindIndex) {
               throw new BadRequestError({
                 message: "Missing secret blind index"
@@ -581,56 +334,80 @@ export const secretApprovalRequestServiceFactory = ({
             }
             return { secretBlindIndex };
           })
-        });
-        secretCreationCommits
-          .filter(({ secretBlindIndex }) => conflictGroupByBlindIndex[secretBlindIndex || ""])
-          .forEach((el) => {
-            conflicts.push({ op: SecretOperations.Create, secretId: el.id });
-          });
-        secretCreationCommits = secretCreationCommits.filter(
-          ({ secretBlindIndex }) => !conflictGroupByBlindIndex[secretBlindIndex || ""]
-        );
-      }
-
-      let secretUpdationCommits = secretApprovalSecrets.filter(({ op }) => op === SecretOperations.Update);
-      if (secretUpdationCommits.length) {
-        const { secsGroupedByBlindIndex: conflictGroupByBlindIndex } = await fnSecretBlindIndexCheckV2({
-          folderId,
-          secretDAL,
-          userId: "",
-          inputSecrets: secretUpdationCommits
-            .filter(({ secretBlindIndex, secret }) => secret && secret.secretBlindIndex !== secretBlindIndex)
-            .map(({ secretBlindIndex }) => {
-              if (!secretBlindIndex) {
-                throw new BadRequestError({
-                  message: "Missing secret blind index"
-                });
-              }
-              return { secretBlindIndex };
-            })
-        });
-        secretUpdationCommits
-          .filter(
-            ({ secretBlindIndex, secretId }) =>
-              (secretBlindIndex && conflictGroupByBlindIndex[secretBlindIndex]) || !secretId
-          )
-          .forEach((el) => {
-            conflicts.push({ op: SecretOperations.Update, secretId: el.id });
-          });
-
-        secretUpdationCommits = secretUpdationCommits.filter(
+      });
+      secretUpdationCommits
+        .filter(
           ({ secretBlindIndex, secretId }) =>
-            Boolean(secretId) && (secretBlindIndex ? !conflictGroupByBlindIndex[secretBlindIndex] : true)
-        );
-      }
+            (secretBlindIndex && conflictGroupByBlindIndex[secretBlindIndex]) || !secretId
+        )
+        .forEach((el) => {
+          conflicts.push({ op: SecretOperations.Update, secretId: el.id });
+        });
 
-      const secretDeletionCommits = secretApprovalSecrets.filter(({ op }) => op === SecretOperations.Delete);
-      mergeStatus = await secretApprovalRequestDAL.transaction(async (tx) => {
-        const newSecrets = secretCreationCommits.length
-          ? await fnSecretBulkInsert({
-              tx,
-              folderId,
-              inputSecrets: secretCreationCommits.map((el) => ({
+      secretUpdationCommits = secretUpdationCommits.filter(
+        ({ secretBlindIndex, secretId }) =>
+          Boolean(secretId) && (secretBlindIndex ? !conflictGroupByBlindIndex[secretBlindIndex] : true)
+      );
+    }
+
+    const secretDeletionCommits = secretApprovalSecrets.filter(({ op }) => op === SecretOperations.Delete);
+    const botKey = await projectBotService.getBotKey(projectId).catch(() => null);
+    const mergeStatus = await secretApprovalRequestDAL.transaction(async (tx) => {
+      const newSecrets = secretCreationCommits.length
+        ? await fnSecretBulkInsert({
+            tx,
+            folderId,
+            inputSecrets: secretCreationCommits.map((el) => ({
+              ...pick(el, [
+                "secretCommentCiphertext",
+                "secretCommentTag",
+                "secretCommentIV",
+                "secretValueIV",
+                "secretValueTag",
+                "secretValueCiphertext",
+                "secretKeyCiphertext",
+                "secretKeyTag",
+                "secretKeyIV",
+                "metadata",
+                "skipMultilineEncoding",
+                "secretReminderNote",
+                "secretReminderRepeatDays",
+                "algorithm",
+                "keyEncoding",
+                "secretBlindIndex"
+              ]),
+              tags: el?.tags.map(({ id }) => id),
+              version: 1,
+              type: SecretType.Shared,
+              references: botKey
+                ? getAllNestedSecretReferences(
+                    decryptSymmetric128BitHexKeyUTF8({
+                      ciphertext: el.secretValueCiphertext,
+                      iv: el.secretValueIV,
+                      tag: el.secretValueTag,
+                      key: botKey
+                    })
+                  )
+                : undefined
+            })),
+            secretDAL,
+            secretVersionDAL,
+            secretTagDAL,
+            secretVersionTagDAL
+          })
+        : [];
+      const updatedSecrets = secretUpdationCommits.length
+        ? await fnSecretBulkUpdate({
+            folderId,
+            projectId,
+            tx,
+            inputSecrets: secretUpdationCommits.map((el) => ({
+              filter: {
+                id: el.secretId as string, // this null check is already checked at top on conflict strategy
+                type: SecretType.Shared
+              },
+              data: {
+                tags: el?.tags.map(({ id }) => id),
                 ...pick(el, [
                   "secretCommentCiphertext",
                   "secretCommentTag",
@@ -645,13 +422,8 @@ export const secretApprovalRequestServiceFactory = ({
                   "skipMultilineEncoding",
                   "secretReminderNote",
                   "secretReminderRepeatDays",
-                  "algorithm",
-                  "keyEncoding",
                   "secretBlindIndex"
                 ]),
-                tags: el?.tags.map(({ id }) => id),
-                version: 1,
-                type: SecretType.Shared,
                 references: botKey
                   ? getAllNestedSecretReferences(
                       decryptSymmetric128BitHexKeyUTF8({
@@ -662,94 +434,47 @@ export const secretApprovalRequestServiceFactory = ({
                       })
                     )
                   : undefined
-              })),
-              secretDAL,
-              secretVersionDAL,
-              secretTagDAL,
-              secretVersionTagDAL
+              }
+            })),
+            secretDAL,
+            secretVersionDAL,
+            secretTagDAL,
+            secretVersionTagDAL
+          })
+        : [];
+      const deletedSecret = secretDeletionCommits.length
+        ? await fnSecretBulkDelete({
+            projectId,
+            folderId,
+            tx,
+            actorId: "",
+            secretDAL,
+            secretQueueService,
+            inputSecrets: secretDeletionCommits.map(({ secretBlindIndex }) => {
+              if (!secretBlindIndex) {
+                throw new BadRequestError({
+                  message: "Missing secret blind index"
+                });
+              }
+              return { secretBlindIndex, type: SecretType.Shared };
             })
-          : [];
-        const updatedSecrets = secretUpdationCommits.length
-          ? await fnSecretBulkUpdate({
-              folderId,
-              projectId,
-              tx,
-              inputSecrets: secretUpdationCommits.map((el) => ({
-                filter: {
-                  id: el.secretId as string, // this null check is already checked at top on conflict strategy
-                  type: SecretType.Shared
-                },
-                data: {
-                  tags: el?.tags.map(({ id }) => id),
-                  ...pick(el, [
-                    "secretCommentCiphertext",
-                    "secretCommentTag",
-                    "secretCommentIV",
-                    "secretValueIV",
-                    "secretValueTag",
-                    "secretValueCiphertext",
-                    "secretKeyCiphertext",
-                    "secretKeyTag",
-                    "secretKeyIV",
-                    "metadata",
-                    "skipMultilineEncoding",
-                    "secretReminderNote",
-                    "secretReminderRepeatDays",
-                    "secretBlindIndex"
-                  ]),
-                  references: botKey
-                    ? getAllNestedSecretReferences(
-                        decryptSymmetric128BitHexKeyUTF8({
-                          ciphertext: el.secretValueCiphertext,
-                          iv: el.secretValueIV,
-                          tag: el.secretValueTag,
-                          key: botKey
-                        })
-                      )
-                    : undefined
-                }
-              })),
-              secretDAL,
-              secretVersionDAL,
-              secretTagDAL,
-              secretVersionTagDAL
-            })
-          : [];
-        const deletedSecret = secretDeletionCommits.length
-          ? await fnSecretBulkDelete({
-              projectId,
-              folderId,
-              tx,
-              actorId: "",
-              secretDAL,
-              secretQueueService,
-              inputSecrets: secretDeletionCommits.map(({ secretBlindIndex }) => {
-                if (!secretBlindIndex) {
-                  throw new BadRequestError({
-                    message: "Missing secret blind index"
-                  });
-                }
-                return { secretBlindIndex, type: SecretType.Shared };
-              })
-            })
-          : [];
-        const updatedSecretApproval = await secretApprovalRequestDAL.updateById(
-          secretApprovalRequest.id,
-          {
-            conflicts: JSON.stringify(conflicts),
-            hasMerged: true,
-            status: RequestState.Closed,
-            statusChangedByUserId: actorId
-          },
-          tx
-        );
-        return {
-          secrets: { created: newSecrets, updated: updatedSecrets, deleted: deletedSecret },
-          approval: updatedSecretApproval
-        };
-      });
-    }
-
+          })
+        : [];
+      const updatedSecretApproval = await secretApprovalRequestDAL.updateById(
+        secretApprovalRequest.id,
+        {
+          conflicts: JSON.stringify(conflicts),
+          hasMerged: true,
+          status: RequestState.Closed,
+          statusChangedByUserId: actorId
+        },
+        tx
+      );
+      return {
+        secrets: { created: newSecrets, updated: updatedSecrets, deleted: deletedSecret },
+        approval: updatedSecretApproval
+      };
+    });
     await snapshotService.performSnapshot(folderId);
     const [folder] = await folderDAL.findSecretPathByFolderIds(projectId, [folderId]);
     if (!folder) throw new BadRequestError({ message: "Folder not found" });
@@ -760,35 +485,6 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       actor
     });
-
-    if (isSoftEnforcement) {
-      const cfg = getConfig();
-      const project = await projectDAL.findProjectById(projectId);
-      const env = await projectEnvDAL.findOne({ id: policy.envId });
-      const requestedByUser = await userDAL.findOne({ id: actorId });
-      const approverUsers = await userDAL.find({
-        $in: {
-          id: policy.approvers.map((approver: { userId: string }) => approver.userId)
-        }
-      });
-
-      await smtpService.sendMail({
-        recipients: approverUsers.filter((approver) => approver.email).map((approver) => approver.email!),
-        subjectLine: "Infisical Secret Change Policy Bypassed",
-
-        substitutions: {
-          projectName: project.name,
-          requesterFullName: `${requestedByUser.firstName} ${requestedByUser.lastName}`,
-          requesterEmail: requestedByUser.email,
-          bypassReason,
-          secretPath: policy.secretPath,
-          environment: env.name,
-          approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval`
-        },
-        template: SmtpTemplates.AccessSecretRequestBypassed
-      });
-    }
-
     return mergeStatus;
   };
 
@@ -1038,262 +734,8 @@ export const secretApprovalRequestServiceFactory = ({
     });
     return secretApprovalRequest;
   };
-
-  const generateSecretApprovalRequestV2Bridge = async ({
-    data,
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    policy,
-    projectId,
-    secretPath,
-    environment
-  }: TGenerateSecretApprovalRequestV2BridgeDTO) => {
-    if (actor === ActorType.SERVICE || actor === ActorType.Machine)
-      throw new BadRequestError({ message: "Cannot use service token or machine token over protected branches" });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
-    );
-
-    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
-    if (!folder)
-      throw new BadRequestError({
-        message: "Folder not found for the given environment slug & secret path",
-        name: "GenSecretApproval"
-      });
-    const folderId = folder.id;
-
-    const commits: Omit<TSecretApprovalRequestsSecretsV2Insert, "requestId">[] = [];
-    const commitTagIds: Record<string, string[]> = {};
-
-    const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.SecretManager,
-      projectId
-    });
-
-    // for created secret approval change
-    const createdSecrets = data[SecretOperations.Create];
-    if (createdSecrets && createdSecrets?.length) {
-      const secrets = await secretV2BridgeDAL.findBySecretKeys(
-        folderId,
-        createdSecrets.map((el) => ({
-          key: el.secretKey,
-          type: SecretType.Shared
-        }))
-      );
-      if (secrets.length)
-        throw new BadRequestError({ message: `Secret already exist: ${secrets.map((el) => el.key).join(",")}` });
-
-      commits.push(
-        ...createdSecrets.map((createdSecret) => ({
-          op: SecretOperations.Create,
-          version: 1,
-          encryptedComment: setKnexStringValue(
-            createdSecret.secretComment,
-            (value) => secretManagerEncryptor({ plainText: Buffer.from(value) }).cipherTextBlob
-          ),
-          encryptedValue: setKnexStringValue(
-            createdSecret.secretValue,
-            (value) => secretManagerEncryptor({ plainText: Buffer.from(value) }).cipherTextBlob
-          ),
-          skipMultilineEncoding: createdSecret.skipMultilineEncoding,
-          key: createdSecret.secretKey,
-          type: SecretType.Shared
-        }))
-      );
-      createdSecrets.forEach(({ tagIds, secretKey }) => {
-        if (tagIds?.length) commitTagIds[secretKey] = tagIds;
-      });
-    }
-    // not secret approval for update operations
-    const secretsToUpdate = data[SecretOperations.Update];
-    if (secretsToUpdate && secretsToUpdate?.length) {
-      const secretsToUpdateStoredInDB = await secretV2BridgeDAL.findBySecretKeys(
-        folderId,
-        secretsToUpdate.map((el) => ({
-          key: el.secretKey,
-          type: SecretType.Shared
-        }))
-      );
-      if (secretsToUpdateStoredInDB.length !== secretsToUpdate.length)
-        throw new BadRequestError({
-          message: `Secret not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
-        });
-
-      // now find any secret that needs to update its name
-      // same process as above
-      const secretsWithNewName = secretsToUpdate.filter(({ newSecretName }) => Boolean(newSecretName));
-      if (secretsWithNewName.length) {
-        const secrets = await secretV2BridgeDAL.findBySecretKeys(
-          folderId,
-          secretsWithNewName.map((el) => ({
-            key: el.secretKey,
-            type: SecretType.Shared
-          }))
-        );
-        if (secrets.length)
-          throw new BadRequestError({
-            message: `Secret not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
-          });
-      }
-
-      const updatingSecretsGroupByKey = groupBy(secretsToUpdateStoredInDB, (el) => el.key);
-      const latestSecretVersions = await secretVersionV2BridgeDAL.findLatestVersionMany(
-        folderId,
-        secretsToUpdateStoredInDB.map(({ id }) => id)
-      );
-      commits.push(
-        ...secretsToUpdate.map(
-          ({
-            newSecretName,
-            secretKey,
-            tagIds,
-            secretValue,
-            reminderRepeatDays,
-            reminderNote,
-            secretComment,
-            metadata,
-            skipMultilineEncoding
-          }) => {
-            const secretId = updatingSecretsGroupByKey[secretKey][0].id;
-            if (tagIds?.length) commitTagIds[secretKey] = tagIds;
-            return {
-              ...latestSecretVersions[secretId],
-              key: newSecretName || secretKey,
-              encryptedComment: setKnexStringValue(
-                secretComment,
-                (value) => secretManagerEncryptor({ plainText: Buffer.from(value) }).cipherTextBlob
-              ),
-              encryptedValue: setKnexStringValue(
-                secretValue,
-                (value) => secretManagerEncryptor({ plainText: Buffer.from(value) }).cipherTextBlob
-              ),
-              reminderRepeatDays,
-              reminderNote,
-              metadata,
-              skipMultilineEncoding,
-              op: SecretOperations.Update as const,
-              secret: secretId,
-              secretVersion: latestSecretVersions[secretId].id,
-              version: updatingSecretsGroupByKey[secretKey][0].version || 1
-            };
-          }
-        )
-      );
-    }
-    // deleted secrets
-    const deletedSecrets = data[SecretOperations.Delete];
-    if (deletedSecrets && deletedSecrets.length) {
-      const secretsToDeleteInDB = await secretV2BridgeDAL.findBySecretKeys(
-        folderId,
-        deletedSecrets.map((el) => ({
-          key: el.secretKey,
-          type: SecretType.Shared
-        }))
-      );
-      if (secretsToDeleteInDB.length !== deletedSecrets.length)
-        throw new BadRequestError({
-          message: `Secret not exist: ${secretsToDeleteInDB.map((el) => el.key).join(",")}`
-        });
-      const secretsGroupedByKey = groupBy(secretsToDeleteInDB, (i) => i.key);
-      const deletedSecretIds = deletedSecrets.map((el) => secretsGroupedByKey[el.secretKey][0].id);
-      const latestSecretVersions = await secretVersionV2BridgeDAL.findLatestVersionMany(folderId, deletedSecretIds);
-      commits.push(
-        ...deletedSecrets.map(({ secretKey }) => {
-          const secretId = secretsGroupedByKey[secretKey][0].id;
-          return {
-            op: SecretOperations.Delete as const,
-            ...latestSecretVersions[secretId],
-            key: secretKey,
-            secret: secretId,
-            secretVersion: latestSecretVersions[secretId].id
-          };
-        })
-      );
-    }
-
-    if (!commits.length) throw new BadRequestError({ message: "Empty commits" });
-
-    const tagIds = unique(Object.values(commitTagIds).flat());
-    const tags = tagIds.length ? await secretTagDAL.findManyTagsById(projectId, tagIds) : [];
-    if (tagIds.length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
-
-    const secretApprovalRequest = await secretApprovalRequestDAL.transaction(async (tx) => {
-      const doc = await secretApprovalRequestDAL.create(
-        {
-          folderId,
-          slug: alphaNumericNanoId(),
-          policyId: policy.id,
-          status: "open",
-          hasMerged: false,
-          committerUserId: actorId
-        },
-        tx
-      );
-      const approvalCommits = await secretApprovalRequestSecretDAL.insertV2Bridge(
-        commits.map(
-          ({
-            version,
-            op,
-            key,
-            encryptedComment,
-            skipMultilineEncoding,
-            metadata,
-            reminderNote,
-            reminderRepeatDays,
-            encryptedValue,
-            secretId,
-            secretVersion
-          }) => ({
-            version,
-            requestId: doc.id,
-            op,
-            secretId,
-            metadata,
-            secretVersion,
-            skipMultilineEncoding,
-            encryptedValue,
-            reminderRepeatDays,
-            reminderNote,
-            encryptedComment,
-            key
-          })
-        ),
-        tx
-      );
-
-      const commitsGroupByKey = groupBy(approvalCommits, (i) => i.key);
-      if (tagIds.length) {
-        await secretApprovalRequestSecretDAL.insertApprovalSecretV2Tags(
-          Object.keys(commitTagIds).flatMap((blindIndex) =>
-            commitTagIds[blindIndex]
-              ? commitTagIds[blindIndex].map((tagId) => ({
-                  secretId: commitsGroupByKey[blindIndex][0].id,
-                  tagId
-                }))
-              : []
-          ),
-          tx
-        );
-      }
-      return { ...doc, commits: approvalCommits };
-    });
-    return secretApprovalRequest;
-  };
-
   return {
     generateSecretApprovalRequest,
-    generateSecretApprovalRequestV2Bridge,
     mergeSecretApprovalRequest,
     reviewApproval,
     updateApprovalStatus,

backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts

@@ -26,23 +26,6 @@ export type TApprovalUpdateSecret = Partial<TApprovalCreateSecret> & {
   tagIds?: string[];
 };
 
-export type TApprovalCreateSecretV2Bridge = {
-  secretKey: string;
-  secretValue?: string;
-  secretComment?: string;
-  reminderNote?: string | null;
-  reminderRepeatDays?: number | null;
-  skipMultilineEncoding?: boolean;
-  metadata?: Record<string, string>;
-  tagIds?: string[];
-};
-
-export type TApprovalUpdateSecretV2Bridge = Partial<TApprovalCreateSecretV2Bridge> & {
-  secretKey: string;
-  newSecretName?: string;
-  tagIds?: string[];
-};
-
 export type TGenerateSecretApprovalRequestDTO = {
   environment: string;
   secretPath: string;
@@ -54,20 +37,8 @@ export type TGenerateSecretApprovalRequestDTO = {
   };
 } & TProjectPermission;
 
-export type TGenerateSecretApprovalRequestV2BridgeDTO = {
-  environment: string;
-  secretPath: string;
-  policy: TSecretApprovalPolicies;
-  data: {
-    [SecretOperations.Create]?: TApprovalCreateSecretV2Bridge[];
-    [SecretOperations.Update]?: TApprovalUpdateSecretV2Bridge[];
-    [SecretOperations.Delete]?: { secretKey: string }[];
-  };
-} & TProjectPermission;
-
 export type TMergeSecretApprovalRequestDTO = {
   approvalId: string;
-  bypassReason?: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TStatusChangeDTO = {

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -1,4 +1,4 @@
-import { SecretType, TSecrets, TSecretsV2 } from "@app/db/schemas";
+import { SecretType, TSecrets } from "@app/db/schemas";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
 import { TSecretApprovalRequestDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-dal";
 import { TSecretApprovalRequestSecretDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-secret-dal";
@@ -10,8 +10,6 @@ import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { QueueName, TQueueServiceFactory } from "@app/queue";
 import { ActorType } from "@app/services/auth/auth-type";
-import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import { fnSecretBulkInsert, fnSecretBulkUpdate } from "@app/services/secret/secret-fns";
@@ -19,20 +17,12 @@ import { TSecretQueueFactory, uniqueSecretQueueKey } from "@app/services/secret/
 import { SecretOperations } from "@app/services/secret/secret-types";
 import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
 import { TSecretVersionTagDALFactory } from "@app/services/secret/secret-version-tag-dal";
+import { TSecretBlindIndexDALFactory } from "@app/services/secret-blind-index/secret-blind-index-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 import { ReservedFolders } from "@app/services/secret-folder/secret-folder-types";
 import { TSecretImportDALFactory } from "@app/services/secret-import/secret-import-dal";
-import { fnSecretsFromImports, fnSecretsV2FromImports } from "@app/services/secret-import/secret-import-fns";
+import { fnSecretsFromImports } from "@app/services/secret-import/secret-import-fns";
 import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
-import { TSecretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
-import {
-  fnSecretBulkInsert as fnSecretV2BridgeBulkInsert,
-  fnSecretBulkUpdate as fnSecretV2BridgeBulkUpdate,
-  getAllNestedSecretReferences,
-  getAllNestedSecretReferences as getAllNestedSecretReferencesV2Bridge
-} from "@app/services/secret-v2-bridge/secret-v2-bridge-fns";
-import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
-import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";
 
 import { MAX_REPLICATION_DEPTH } from "./secret-replication-constants";
 
@@ -42,42 +32,24 @@ type TSecretReplicationServiceFactoryDep = {
     "find" | "findByBlindIndexes" | "insertMany" | "bulkUpdate" | "delete" | "upsertSecretReferences" | "transaction"
   >;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "find" | "insertMany" | "update" | "findLatestVersionMany">;
-  secretV2BridgeDAL: Pick<
-    TSecretV2BridgeDALFactory,
-    "find" | "findBySecretKeys" | "insertMany" | "bulkUpdate" | "delete" | "upsertSecretReferences" | "transaction"
-  >;
-  secretVersionV2BridgeDAL: Pick<
-    TSecretVersionV2DALFactory,
-    "find" | "insertMany" | "update" | "findLatestVersionMany"
-  >;
   secretImportDAL: Pick<TSecretImportDALFactory, "find" | "updateById" | "findByFolderIds">;
   folderDAL: Pick<
     TSecretFolderDALFactory,
     "findSecretPathByFolderIds" | "findBySecretPath" | "create" | "findOne" | "findByManySecretPath"
   >;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "find" | "insertMany">;
-  secretVersionV2TagBridgeDAL: Pick<TSecretVersionV2TagDALFactory, "find" | "insertMany">;
   secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "replicateSecrets">;
   queueService: Pick<TQueueServiceFactory, "start" | "listen" | "queue" | "stopJobById">;
   secretApprovalPolicyService: Pick<TSecretApprovalPolicyServiceFactory, "getSecretApprovalPolicy">;
   keyStore: Pick<TKeyStoreFactory, "acquireLock" | "setItemWithExpiry" | "getItem">;
-  secretTagDAL: Pick<
-    TSecretTagDALFactory,
-    | "findManyTagsById"
-    | "saveTagsToSecret"
-    | "deleteTagsManySecret"
-    | "find"
-    | "saveTagsToSecretV2"
-    | "deleteTagsToSecretV2"
-  >;
+  secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "findOne">;
+  secretTagDAL: Pick<TSecretTagDALFactory, "findManyTagsById" | "saveTagsToSecret" | "deleteTagsManySecret" | "find">;
   secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "create" | "transaction">;
   secretApprovalRequestSecretDAL: Pick<
     TSecretApprovalRequestSecretDALFactory,
-    "insertMany" | "insertApprovalSecretTags" | "insertV2Bridge"
+    "insertMany" | "insertApprovalSecretTags"
   >;
-
   projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
 };
 
 export type TSecretReplicationServiceFactory = ReturnType<typeof secretReplicationServiceFactory>;
@@ -118,13 +90,9 @@ export const secretReplicationServiceFactory = ({
   secretApprovalRequestSecretDAL,
   secretApprovalRequestDAL,
   secretQueueService,
-  projectBotService,
-  secretVersionV2TagBridgeDAL,
-  secretVersionV2BridgeDAL,
-  secretV2BridgeDAL,
-  kmsService
+  projectBotService
 }: TSecretReplicationServiceFactoryDep) => {
-  const $getReplicatedSecrets = (
+  const getReplicatedSecrets = (
     botKey: string,
     localSecrets: TSecrets[],
     importedSecrets: { secrets: TSecrets[] }[]
@@ -151,25 +119,6 @@ export const secretReplicationServiceFactory = ({
     return secrets;
   };
 
-  const $getReplicatedSecretsV2 = (
-    localSecrets: (TSecretsV2 & { secretKey: string; secretValue?: string })[],
-    importedSecrets: { secrets: (TSecretsV2 & { secretKey: string; secretValue?: string })[] }[]
-  ) => {
-    const deDupe = new Set<string>();
-    const secrets = [...localSecrets];
-
-    for (let i = importedSecrets.length - 1; i >= 0; i = -1) {
-      importedSecrets[i].secrets.forEach((el) => {
-        if (deDupe.has(el.key)) {
-          return;
-        }
-        deDupe.add(el.key);
-        secrets.push(el);
-      });
-    }
-    return secrets;
-  };
-
   // IMPORTANT NOTE BEFORE READING THE FUNCTION
   // SOURCE - Where secrets are copied from
   // DESTINATION - Where the replicated imports that points to SOURCE from Destination
@@ -190,7 +139,6 @@ export const secretReplicationServiceFactory = ({
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, secretPath);
     if (!folder) return;
-    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
 
     // the the replicated imports made to the source. These are the destinations
     const destinationSecretImports = await secretImportDAL.find({
@@ -243,270 +191,8 @@ export const secretReplicationServiceFactory = ({
       : destinationReplicatedSecretImports;
     if (!destinationReplicatedSecretImports.length) return;
 
-    if (shouldUseSecretV2Bridge) {
-      const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-        type: KmsDataKey.SecretManager,
-        projectId
-      });
+    const botKey = await projectBotService.getBotKey(projectId);
 
-      // these are the secrets to be added in replicated folders
-      const sourceLocalSecrets = await secretV2BridgeDAL.find({ folderId: folder.id, type: SecretType.Shared });
-      const sourceSecretImports = await secretImportDAL.find({ folderId: folder.id });
-      const sourceImportedSecrets = await fnSecretsV2FromImports({
-        allowedImports: sourceSecretImports,
-        secretDAL: secretV2BridgeDAL,
-        folderDAL,
-        secretImportDAL,
-        decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : undefined)
-      });
-      // secrets that gets replicated across imports
-      const sourceDecryptedLocalSecrets = sourceLocalSecrets.map((el) => ({
-        ...el,
-        secretKey: el.key,
-        secretValue: el.encryptedValue
-          ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
-          : undefined
-      }));
-      const sourceSecrets = $getReplicatedSecretsV2(sourceDecryptedLocalSecrets, sourceImportedSecrets);
-      const sourceSecretsGroupByKey = groupBy(sourceSecrets, (i) => i.key);
-
-      const lock = await keyStore.acquireLock(
-        [getReplicationKeyLockPrefix(projectId, environmentSlug, secretPath)],
-        5000
-      );
-
-      try {
-        /*  eslint-disable no-await-in-loop */
-        for (const destinationSecretImport of destinationReplicatedSecretImports) {
-          try {
-            const hasJobCompleted = await keyStore.getItem(
-              keystoreReplicationSuccessKey(job.id as string, destinationSecretImport.id),
-              KeyStorePrefixes.SecretReplication
-            );
-            if (hasJobCompleted) {
-              logger.info(
-                { jobId: job.id, importId: destinationSecretImport.id },
-                "Skipping this job as this has been successfully replicated."
-              );
-              // eslint-disable-next-line
-              continue;
-            }
-
-            const [destinationFolder] = await folderDAL.findSecretPathByFolderIds(projectId, [
-              destinationSecretImport.folderId
-            ]);
-            if (!destinationFolder) throw new BadRequestError({ message: "Imported folder not found" });
-
-            let destinationReplicationFolder = await folderDAL.findOne({
-              parentId: destinationFolder.id,
-              name: getReplicationFolderName(destinationSecretImport.id),
-              isReserved: true
-            });
-            if (!destinationReplicationFolder) {
-              destinationReplicationFolder = await folderDAL.create({
-                parentId: destinationFolder.id,
-                name: getReplicationFolderName(destinationSecretImport.id),
-                envId: destinationFolder.envId,
-                isReserved: true
-              });
-            }
-            const destinationReplicationFolderId = destinationReplicationFolder.id;
-
-            const destinationLocalSecretsFromDB = await secretV2BridgeDAL.find({
-              folderId: destinationReplicationFolderId
-            });
-            const destinationLocalSecrets = destinationLocalSecretsFromDB.map((el) => ({
-              ...el,
-              secretKey: el.key,
-              secretValue: el.encryptedValue
-                ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
-                : undefined
-            }));
-
-            const destinationLocalSecretsGroupedByKey = groupBy(destinationLocalSecrets, (i) => i.key);
-
-            const locallyCreatedSecrets = sourceSecrets
-              .filter(({ key }) => !destinationLocalSecretsGroupedByKey[key]?.[0])
-              .map((el) => ({ ...el, operation: SecretOperations.Create })); // rewrite update ops to create
-
-            const locallyUpdatedSecrets = sourceSecrets
-              .filter(
-                ({ key, secretKey, secretValue }) =>
-                  destinationLocalSecretsGroupedByKey[key]?.[0] &&
-                  // if key or value changed
-                  (destinationLocalSecretsGroupedByKey[key]?.[0]?.secretKey !== secretKey ||
-                    destinationLocalSecretsGroupedByKey[key]?.[0]?.secretValue !== secretValue)
-              )
-              .map((el) => ({ ...el, operation: SecretOperations.Update })); // rewrite update ops to create
-
-            const locallyDeletedSecrets = destinationLocalSecrets
-              .filter(({ key }) => !sourceSecretsGroupByKey[key]?.[0])
-              .map((el) => ({ ...el, operation: SecretOperations.Delete }));
-
-            const isEmtpy =
-              locallyCreatedSecrets.length + locallyUpdatedSecrets.length + locallyDeletedSecrets.length === 0;
-            // eslint-disable-next-line
-            if (isEmtpy) continue;
-
-            const policy = await secretApprovalPolicyService.getSecretApprovalPolicy(
-              projectId,
-              destinationFolder.environmentSlug,
-              destinationFolder.path
-            );
-            // this means it should be a approval request rather than direct replication
-            if (policy && actor === ActorType.USER) {
-              const localSecretsLatestVersions = destinationLocalSecrets.map(({ id }) => id);
-              const latestSecretVersions = await secretVersionV2BridgeDAL.findLatestVersionMany(
-                destinationReplicationFolderId,
-                localSecretsLatestVersions
-              );
-              await secretApprovalRequestDAL.transaction(async (tx) => {
-                const approvalRequestDoc = await secretApprovalRequestDAL.create(
-                  {
-                    folderId: destinationReplicationFolderId,
-                    slug: alphaNumericNanoId(),
-                    policyId: policy.id,
-                    status: "open",
-                    hasMerged: false,
-                    committerUserId: actorId,
-                    isReplicated: true
-                  },
-                  tx
-                );
-                const commits = locallyCreatedSecrets
-                  .concat(locallyUpdatedSecrets)
-                  .concat(locallyDeletedSecrets)
-                  .map((doc) => {
-                    const { operation } = doc;
-                    const localSecret = destinationLocalSecretsGroupedByKey[doc.key]?.[0];
-
-                    return {
-                      op: operation,
-                      requestId: approvalRequestDoc.id,
-                      metadata: doc.metadata,
-                      key: doc.key,
-                      encryptedValue: doc.encryptedValue,
-                      encryptedComment: doc.encryptedComment,
-                      skipMultilineEncoding: doc.skipMultilineEncoding,
-                      // except create operation other two needs the secret id and version id
-                      ...(operation !== SecretOperations.Create
-                        ? { secretId: localSecret.id, secretVersion: latestSecretVersions[localSecret.id].id }
-                        : {})
-                    };
-                  });
-                const approvalCommits = await secretApprovalRequestSecretDAL.insertV2Bridge(commits, tx);
-
-                return { ...approvalRequestDoc, commits: approvalCommits };
-              });
-            } else {
-              await secretDAL.transaction(async (tx) => {
-                if (locallyCreatedSecrets.length) {
-                  await fnSecretV2BridgeBulkInsert({
-                    folderId: destinationReplicationFolderId,
-                    secretVersionDAL: secretVersionV2BridgeDAL,
-                    secretDAL: secretV2BridgeDAL,
-                    tx,
-                    secretTagDAL,
-                    secretVersionTagDAL: secretVersionV2TagBridgeDAL,
-                    inputSecrets: locallyCreatedSecrets.map((doc) => {
-                      return {
-                        type: doc.type,
-                        metadata: doc.metadata,
-                        key: doc.key,
-                        encryptedValue: doc.encryptedValue,
-                        encryptedComment: doc.encryptedComment,
-                        skipMultilineEncoding: doc.skipMultilineEncoding,
-                        references: doc.secretValue ? getAllNestedSecretReferencesV2Bridge(doc.secretValue) : []
-                      };
-                    })
-                  });
-                }
-                if (locallyUpdatedSecrets.length) {
-                  await fnSecretV2BridgeBulkUpdate({
-                    folderId: destinationReplicationFolderId,
-                    secretVersionDAL: secretVersionV2BridgeDAL,
-                    secretDAL: secretV2BridgeDAL,
-                    tx,
-                    secretTagDAL,
-                    secretVersionTagDAL: secretVersionV2TagBridgeDAL,
-                    inputSecrets: locallyUpdatedSecrets.map((doc) => {
-                      return {
-                        filter: {
-                          folderId: destinationReplicationFolderId,
-                          id: destinationLocalSecretsGroupedByKey[doc.key][0].id
-                        },
-                        data: {
-                          type: doc.type,
-                          metadata: doc.metadata,
-                          key: doc.key,
-                          encryptedValue: doc.encryptedValue as Buffer,
-                          encryptedComment: doc.encryptedComment,
-                          skipMultilineEncoding: doc.skipMultilineEncoding,
-                          references: doc.secretValue ? getAllNestedSecretReferencesV2Bridge(doc.secretValue) : []
-                        }
-                      };
-                    })
-                  });
-                }
-                if (locallyDeletedSecrets.length) {
-                  await secretV2BridgeDAL.delete(
-                    {
-                      $in: {
-                        id: locallyDeletedSecrets.map(({ id }) => id)
-                      },
-                      folderId: destinationReplicationFolderId
-                    },
-                    tx
-                  );
-                }
-              });
-
-              await secretQueueService.syncSecrets({
-                projectId,
-                secretPath: destinationFolder.path,
-                environmentSlug: destinationFolder.environmentSlug,
-                actorId,
-                actor,
-                _depth: depth + 1,
-                _deDupeReplicationQueue: deDupeReplicationQueue,
-                _deDupeQueue: deDupeQueue
-              });
-            }
-
-            // this is used to avoid multiple times generating secret approval by failed one
-            await keyStore.setItemWithExpiry(
-              keystoreReplicationSuccessKey(job.id as string, destinationSecretImport.id),
-              SECRET_IMPORT_SUCCESS_LOCK,
-              1,
-              KeyStorePrefixes.SecretReplication
-            );
-
-            await secretImportDAL.updateById(destinationSecretImport.id, {
-              lastReplicated: new Date(),
-              replicationStatus: null,
-              isReplicationSuccess: true
-            });
-          } catch (err) {
-            logger.error(
-              err,
-              `Failed to replicate secret with import id=[${destinationSecretImport.id}] env=[${destinationSecretImport.importEnv.slug}] path=[${destinationSecretImport.importPath}]`
-            );
-            await secretImportDAL.updateById(destinationSecretImport.id, {
-              lastReplicated: new Date(),
-              replicationStatus: (err as Error)?.message.slice(0, 500),
-              isReplicationSuccess: false
-            });
-          }
-        }
-        /*  eslint-enable no-await-in-loop */
-      } finally {
-        await lock.release();
-        logger.info(job.data, "Replication finished");
-      }
-      return;
-    }
-
-    if (!botKey) throw new BadRequestError({ message: "Bot not found" });
     // these are the secrets to be added in replicated folders
     const sourceLocalSecrets = await secretDAL.find({ folderId: folder.id, type: SecretType.Shared });
     const sourceSecretImports = await secretImportDAL.find({ folderId: folder.id });
@@ -517,7 +203,7 @@ export const secretReplicationServiceFactory = ({
       secretImportDAL
     });
     // secrets that gets replicated across imports
-    const sourceSecrets = $getReplicatedSecrets(botKey, sourceLocalSecrets, sourceImportedSecrets);
+    const sourceSecrets = getReplicatedSecrets(botKey, sourceLocalSecrets, sourceImportedSecrets);
     const sourceSecretsGroupByBlindIndex = groupBy(sourceSecrets, (i) => i.secretBlindIndex as string);
 
     const lock = await keyStore.acquireLock(
@@ -686,8 +372,7 @@ export const secretReplicationServiceFactory = ({
                       secretCommentIV: doc.secretCommentIV,
                       secretCommentTag: doc.secretCommentTag,
                       secretCommentCiphertext: doc.secretCommentCiphertext,
-                      skipMultilineEncoding: doc.skipMultilineEncoding,
-                      references: getAllNestedSecretReferences(doc.secretValue)
+                      skipMultilineEncoding: doc.skipMultilineEncoding
                     };
                   })
                 });
@@ -722,8 +407,7 @@ export const secretReplicationServiceFactory = ({
                         secretCommentIV: doc.secretCommentIV,
                         secretCommentTag: doc.secretCommentTag,
                         secretCommentCiphertext: doc.secretCommentCiphertext,
-                        skipMultilineEncoding: doc.skipMultilineEncoding,
-                        references: getAllNestedSecretReferences(doc.secretValue)
+                        skipMultilineEncoding: doc.skipMultilineEncoding
                       }
                     };
                   })

backend/src/ee/services/secret-rotation/secret-rotation-dal.ts

@@ -10,7 +10,6 @@ export type TSecretRotationDALFactory = ReturnType<typeof secretRotationDALFacto
 export const secretRotationDALFactory = (db: TDbClient) => {
   const secretRotationOrm = ormify(db, TableName.SecretRotation);
   const secretRotationOutputOrm = ormify(db, TableName.SecretRotationOutput);
-  const secretRotationOutputV2Orm = ormify(db, TableName.SecretRotationOutputV2);
 
   const findQuery = (filter: TFindFilter<TSecretRotations & { projectId: string }>, tx: Knex) =>
     tx(TableName.SecretRotation)
@@ -32,7 +31,13 @@ export const secretRotationDALFactory = (db: TDbClient) => {
       .select(tx.ref("version").withSchema(TableName.Secret).as("secVersion"))
       .select(tx.ref("secretKeyIV").withSchema(TableName.Secret))
       .select(tx.ref("secretKeyTag").withSchema(TableName.Secret))
-      .select(tx.ref("secretKeyCiphertext").withSchema(TableName.Secret));
+      .select(tx.ref("secretKeyCiphertext").withSchema(TableName.Secret))
+      .select(tx.ref("secretValueIV").withSchema(TableName.Secret))
+      .select(tx.ref("secretValueTag").withSchema(TableName.Secret))
+      .select(tx.ref("secretValueCiphertext").withSchema(TableName.Secret))
+      .select(tx.ref("secretCommentIV").withSchema(TableName.Secret))
+      .select(tx.ref("secretCommentTag").withSchema(TableName.Secret))
+      .select(tx.ref("secretCommentCiphertext").withSchema(TableName.Secret));
 
   const find = async (filter: TFindFilter<TSecretRotations & { projectId: string }>, tx?: Knex) => {
     try {
@@ -49,65 +54,33 @@ export const secretRotationDALFactory = (db: TDbClient) => {
           {
             key: "secId",
             label: "outputs" as const,
-            mapper: ({ secId, outputKey, secVersion, secretKeyIV, secretKeyTag, secretKeyCiphertext }) => ({
+            mapper: ({
+              secId,
+              outputKey,
+              secVersion,
+              secretKeyIV,
+              secretKeyTag,
+              secretKeyCiphertext,
+              secretValueTag,
+              secretValueIV,
+              secretValueCiphertext,
+              secretCommentIV,
+              secretCommentTag,
+              secretCommentCiphertext
+            }) => ({
               key: outputKey,
               secret: {
                 id: secId,
                 version: secVersion,
                 secretKeyIV,
                 secretKeyTag,
-                secretKeyCiphertext
-              }
-            })
-          }
-        ]
-      });
-    } catch (error) {
-      throw new DatabaseError({ error, name: "SecretRotationFind" });
-    }
-  };
-
-  const findQuerySecretV2 = (filter: TFindFilter<TSecretRotations & { projectId: string }>, tx: Knex) =>
-    tx(TableName.SecretRotation)
-      .where(filter)
-      .join(TableName.Environment, `${TableName.SecretRotation}.envId`, `${TableName.Environment}.id`)
-      .leftJoin(
-        TableName.SecretRotationOutputV2,
-        `${TableName.SecretRotation}.id`,
-        `${TableName.SecretRotationOutputV2}.rotationId`
-      )
-      .join(TableName.SecretV2, `${TableName.SecretRotationOutputV2}.secretId`, `${TableName.SecretV2}.id`)
-      .select(selectAllTableCols(TableName.SecretRotation))
-      .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
-      .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
-      .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
-      .select(tx.ref("projectId").withSchema(TableName.Environment))
-      .select(tx.ref("key").withSchema(TableName.SecretRotationOutputV2).as("outputKey"))
-      .select(tx.ref("id").withSchema(TableName.SecretV2).as("secId"))
-      .select(tx.ref("version").withSchema(TableName.SecretV2).as("secVersion"))
-      .select(tx.ref("key").withSchema(TableName.SecretV2).as("secretKey"));
-
-  const findSecretV2 = async (filter: TFindFilter<TSecretRotations & { projectId: string }>, tx?: Knex) => {
-    try {
-      const data = await findQuerySecretV2(filter, tx || db.replicaNode());
-      return sqlNestRelationships({
-        data,
-        key: "id",
-        parentMapper: (el) => ({
-          ...SecretRotationsSchema.parse(el),
-          projectId: el.projectId,
-          environment: { id: el.envId, name: el.envName, slug: el.envSlug }
-        }),
-        childrenMapper: [
-          {
-            key: "secId",
-            label: "outputs" as const,
-            mapper: ({ secId, outputKey, secVersion, secretKey }) => ({
-              key: outputKey,
-              secret: {
-                id: secId,
-                version: secVersion,
-                secretKey
+                secretKeyCiphertext,
+                secretValueTag,
+                secretValueIV,
+                secretValueCiphertext,
+                secretCommentIV,
+                secretCommentTag,
+                secretCommentCiphertext
               }
             })
           }
@@ -141,19 +114,12 @@ export const secretRotationDALFactory = (db: TDbClient) => {
   };
 
   const findRotationOutputsByRotationId = async (rotationId: string) => secretRotationOutputOrm.find({ rotationId });
-  const findRotationOutputsV2ByRotationId = async (rotationId: string) =>
-    secretRotationOutputV2Orm.find({ rotationId });
-
-  // special query
 
   return {
     ...secretRotationOrm,
     find,
-    findSecretV2,
     findById,
     secretOutputInsertMany: secretRotationOutputOrm.insertMany,
-    secretOutputV2InsertMany: secretRotationOutputV2Orm.insertMany,
-    findRotationOutputsByRotationId,
-    findRotationOutputsV2ByRotationId
+    findRotationOutputsByRotationId
   };
 };

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -17,13 +17,9 @@ import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
-import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
-import { TSecretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
-import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
 import { TTelemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
@@ -51,11 +47,8 @@ type TSecretRotationQueueFactoryDep = {
   secretRotationDAL: TSecretRotationDALFactory;
   projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
   secretDAL: Pick<TSecretDALFactory, "bulkUpdate" | "find">;
-  secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "bulkUpdate" | "find">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "insertMany" | "findLatestVersionMany">;
-  secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
   telemetryService: Pick<TTelemetryServiceFactory, "sendPostHogEvents">;
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
 };
 
 // These error should stop the repeatable job and ask user to reconfigure rotation
@@ -77,10 +70,7 @@ export const secretRotationQueueFactory = ({
   projectBotService,
   secretDAL,
   secretVersionDAL,
-  telemetryService,
-  secretV2BridgeDAL,
-  secretVersionV2BridgeDAL,
-  kmsService
+  telemetryService
 }: TSecretRotationQueueFactoryDep) => {
   const addToQueue = async (rotationId: string, interval: number) => {
     const appCfg = getConfig();
@@ -121,13 +111,7 @@ export const secretRotationQueueFactory = ({
     try {
       if (!rotationProvider || !secretRotation) throw new DisableRotationErrors({ message: "Provider not found" });
 
-      const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(secretRotation.projectId);
-      let rotationOutputs;
-      if (shouldUseSecretV2Bridge) {
-        rotationOutputs = await secretRotationDAL.findRotationOutputsV2ByRotationId(rotationId);
-      } else {
-        rotationOutputs = await secretRotationDAL.findRotationOutputsByRotationId(rotationId);
-      }
+      const rotationOutputs = await secretRotationDAL.findRotationOutputsByRotationId(rotationId);
       if (!rotationOutputs.length) throw new DisableRotationErrors({ message: "Secrets not found" });
 
       // deep copy
@@ -283,112 +267,62 @@ export const secretRotationQueueFactory = ({
         internal: newCredential.internal
       });
       const encVarData = infisicalSymmetricEncypt(JSON.stringify(variables));
-      const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
-        type: KmsDataKey.SecretManager,
-        projectId: secretRotation.projectId
-      });
-
-      const numberOfSecretsRotated = rotationOutputs.length;
-      if (shouldUseSecretV2Bridge) {
-        const encryptedSecrets = rotationOutputs.map(({ key: outputKey, secretId }) => ({
-          secretId,
-          value:
-            typeof newCredential.outputs[outputKey] === "object"
-              ? JSON.stringify(newCredential.outputs[outputKey])
-              : String(newCredential.outputs[outputKey])
-        }));
-        // map the final values to output keys in the board
-        await secretRotationDAL.transaction(async (tx) => {
-          await secretRotationDAL.updateById(
-            rotationId,
-            {
-              encryptedData: encVarData.ciphertext,
-              encryptedDataIV: encVarData.iv,
-              encryptedDataTag: encVarData.tag,
-              keyEncoding: encVarData.encoding,
-              algorithm: encVarData.algorithm,
-              lastRotatedAt: new Date(),
-              statusMessage: "Rotated successfull",
-              status: "success"
-            },
-            tx
-          );
-          const updatedSecrets = await secretV2BridgeDAL.bulkUpdate(
-            encryptedSecrets.map(({ secretId, value }) => ({
-              // this secret id is validated when user is inserted
-              filter: { id: secretId, type: SecretType.Shared },
-              data: {
-                encryptedValue: secretManagerEncryptor({ plainText: Buffer.from(value) }).cipherTextBlob
-              }
-            })),
-            tx
-          );
-          await secretVersionV2BridgeDAL.insertMany(
-            updatedSecrets.map(({ id, updatedAt, createdAt, ...el }) => ({
+      const key = await projectBotService.getBotKey(secretRotation.projectId);
+      const encryptedSecrets = rotationOutputs.map(({ key: outputKey, secretId }) => ({
+        secretId,
+        value: encryptSymmetric128BitHexKeyUTF8(
+          typeof newCredential.outputs[outputKey] === "object"
+            ? JSON.stringify(newCredential.outputs[outputKey])
+            : String(newCredential.outputs[outputKey]),
+          key
+        )
+      }));
+      // map the final values to output keys in the board
+      await secretRotationDAL.transaction(async (tx) => {
+        await secretRotationDAL.updateById(
+          rotationId,
+          {
+            encryptedData: encVarData.ciphertext,
+            encryptedDataIV: encVarData.iv,
+            encryptedDataTag: encVarData.tag,
+            keyEncoding: encVarData.encoding,
+            algorithm: encVarData.algorithm,
+            lastRotatedAt: new Date(),
+            statusMessage: "Rotated successfull",
+            status: "success"
+          },
+          tx
+        );
+        const updatedSecrets = await secretDAL.bulkUpdate(
+          encryptedSecrets.map(({ secretId, value }) => ({
+            // this secret id is validated when user is inserted
+            filter: { id: secretId, type: SecretType.Shared },
+            data: {
+              secretValueCiphertext: value.ciphertext,
+              secretValueIV: value.iv,
+              secretValueTag: value.tag
+            }
+          })),
+          tx
+        );
+        await secretVersionDAL.insertMany(
+          updatedSecrets.map(({ id, updatedAt, createdAt, ...el }) => {
+            if (!el.secretBlindIndex) throw new BadRequestError({ message: "Missing blind index" });
+            return {
               ...el,
-              secretId: id
-            })),
-            tx
-          );
-        });
-      } else {
-        if (!botKey) throw new BadRequestError({ message: "Bot not found" });
-        const encryptedSecrets = rotationOutputs.map(({ key: outputKey, secretId }) => ({
-          secretId,
-          value: encryptSymmetric128BitHexKeyUTF8(
-            typeof newCredential.outputs[outputKey] === "object"
-              ? JSON.stringify(newCredential.outputs[outputKey])
-              : String(newCredential.outputs[outputKey]),
-            botKey
-          )
-        }));
-        // map the final values to output keys in the board
-        await secretRotationDAL.transaction(async (tx) => {
-          await secretRotationDAL.updateById(
-            rotationId,
-            {
-              encryptedData: encVarData.ciphertext,
-              encryptedDataIV: encVarData.iv,
-              encryptedDataTag: encVarData.tag,
-              keyEncoding: encVarData.encoding,
-              algorithm: encVarData.algorithm,
-              lastRotatedAt: new Date(),
-              statusMessage: "Rotated successfull",
-              status: "success"
-            },
-            tx
-          );
-          const updatedSecrets = await secretDAL.bulkUpdate(
-            encryptedSecrets.map(({ secretId, value }) => ({
-              // this secret id is validated when user is inserted
-              filter: { id: secretId, type: SecretType.Shared },
-              data: {
-                secretValueCiphertext: value.ciphertext,
-                secretValueIV: value.iv,
-                secretValueTag: value.tag
-              }
-            })),
-            tx
-          );
-          await secretVersionDAL.insertMany(
-            updatedSecrets.map(({ id, updatedAt, createdAt, ...el }) => {
-              if (!el.secretBlindIndex) throw new BadRequestError({ message: "Missing blind index" });
-              return {
-                ...el,
-                secretId: id,
-                secretBlindIndex: el.secretBlindIndex
-              };
-            }),
-            tx
-          );
-        });
-      }
+              secretId: id,
+              secretBlindIndex: el.secretBlindIndex
+            };
+          }),
+          tx
+        );
+      });
 
       await telemetryService.sendPostHogEvents({
         event: PostHogEventTypes.SecretRotated,
         distinctId: "",
         properties: {
-          numberOfSecrets: numberOfSecretsRotated,
+          numberOfSecrets: encryptedSecrets.length,
           environment: secretRotation.environment.slug,
           secretPath: secretRotation.secretPath,
           workspaceId: secretRotation.projectId

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -1,15 +1,12 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";
 
-import { ProjectVersion } from "@app/db/schemas";
-import { decryptSymmetric128BitHexKeyUTF8, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
+import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
-import { TSecretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TPermissionServiceFactory } from "../permission/permission-service";
@@ -25,11 +22,9 @@ type TSecretRotationServiceFactoryDep = {
   projectDAL: Pick<TProjectDALFactory, "findById">;
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
   secretDAL: Pick<TSecretDALFactory, "find">;
-  secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "find">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   secretRotationQueue: TSecretRotationQueueFactory;
-  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
 };
 
 export type TSecretRotationServiceFactory = ReturnType<typeof secretRotationServiceFactory>;
@@ -42,9 +37,7 @@ export const secretRotationServiceFactory = ({
   licenseService,
   projectDAL,
   folderDAL,
-  secretDAL,
-  projectBotService,
-  secretV2BridgeDAL
+  secretDAL
 }: TSecretRotationServiceFactoryDep) => {
   const getProviderTemplates = async ({
     actor,
@@ -99,25 +92,15 @@ export const secretRotationServiceFactory = ({
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Secrets, { environment, secretPath })
     );
+
+    const selectedSecrets = await secretDAL.find({
+      folderId: folder.id,
+      $in: { id: Object.values(outputs) }
+    });
+    if (selectedSecrets.length !== Object.values(outputs).length)
+      throw new BadRequestError({ message: "Secrets not found" });
+
     const project = await projectDAL.findById(projectId);
-    const shouldUseBridge = project.version === ProjectVersion.V3;
-
-    if (shouldUseBridge) {
-      const selectedSecrets = await secretV2BridgeDAL.find({
-        folderId: folder.id,
-        $in: { id: Object.values(outputs) }
-      });
-      if (selectedSecrets.length !== Object.values(outputs).length)
-        throw new BadRequestError({ message: "Secrets not found" });
-    } else {
-      const selectedSecrets = await secretDAL.find({
-        folderId: folder.id,
-        $in: { id: Object.values(outputs) }
-      });
-      if (selectedSecrets.length !== Object.values(outputs).length)
-        throw new BadRequestError({ message: "Secrets not found" });
-    }
-
     const plan = await licenseService.getPlan(project.orgId);
     if (!plan.secretRotation)
       throw new BadRequestError({
@@ -165,18 +148,10 @@ export const secretRotationServiceFactory = ({
         },
         tx
       );
-      let outputSecretMapping;
-      if (shouldUseBridge) {
-        outputSecretMapping = await secretRotationDAL.secretOutputV2InsertMany(
-          Object.entries(outputs).map(([key, secretId]) => ({ key, secretId, rotationId: doc.id })),
-          tx
-        );
-      } else {
-        outputSecretMapping = await secretRotationDAL.secretOutputInsertMany(
-          Object.entries(outputs).map(([key, secretId]) => ({ key, secretId, rotationId: doc.id })),
-          tx
-        );
-      }
+      const outputSecretMapping = await secretRotationDAL.secretOutputInsertMany(
+        Object.entries(outputs).map(([key, secretId]) => ({ key, secretId, rotationId: doc.id })),
+        tx
+      );
       return { ...doc, outputs: outputSecretMapping, environment: folder.environment };
     });
     await secretRotationQueue.addToQueue(secretRotation.id, secretRotation.interval);
@@ -192,30 +167,8 @@ export const secretRotationServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
-    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
-    if (shouldUseSecretV2Bridge) {
-      const docs = await secretRotationDAL.findSecretV2({ projectId });
-      return docs;
-    }
-
-    if (!botKey) throw new BadRequestError({ message: "bot not found" });
-    const docs = await secretRotationDAL.find({ projectId });
-    return docs.map((el) => ({
-      ...el,
-      outputs: el.outputs.map((output) => ({
-        ...output,
-        secret: {
-          id: output.secret.id,
-          version: output.secret.version,
-          secretKey: decryptSymmetric128BitHexKeyUTF8({
-            ciphertext: output.secret.secretKeyCiphertext,
-            iv: output.secret.secretKeyIV,
-            tag: output.secret.secretKeyTag,
-            key: botKey
-          })
-        }
-      }))
-    }));
+    const doc = await secretRotationDAL.find({ projectId });
+    return doc;
   };
 
   const restartById = async ({ actor, actorId, actorOrgId, actorAuthMethod, rotationId }: TRestartDTO) => {

backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts

@@ -1,22 +1,15 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { TableName, TSecretTagJunctionInsert } from "@app/db/schemas";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
-import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
 import { TSecretVersionTagDALFactory } from "@app/services/secret/secret-version-tag-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 import { TSecretFolderVersionDALFactory } from "@app/services/secret-folder/secret-folder-version-dal";
 import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
-import { TSecretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
-import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
-import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TPermissionServiceFactory } from "../permission/permission-service";
@@ -30,27 +23,20 @@ import {
 import { TSnapshotDALFactory } from "./snapshot-dal";
 import { TSnapshotFolderDALFactory } from "./snapshot-folder-dal";
 import { TSnapshotSecretDALFactory } from "./snapshot-secret-dal";
-import { TSnapshotSecretV2DALFactory } from "./snapshot-secret-v2-dal";
 import { getFullFolderPath } from "./snapshot-service-fns";
 
 type TSecretSnapshotServiceFactoryDep = {
   snapshotDAL: TSnapshotDALFactory;
   snapshotSecretDAL: TSnapshotSecretDALFactory;
-  snapshotSecretV2BridgeDAL: TSnapshotSecretV2DALFactory;
   snapshotFolderDAL: TSnapshotFolderDALFactory;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "insertMany" | "findLatestVersionByFolderId">;
-  secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionByFolderId">;
   folderVersionDAL: Pick<TSecretFolderVersionDALFactory, "findLatestVersionByFolderId" | "insertMany">;
   secretDAL: Pick<TSecretDALFactory, "delete" | "insertMany">;
-  secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "delete" | "insertMany">;
-  secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecret" | "saveTagsToSecretV2">;
+  secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecret">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
-  secretVersionV2TagBridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
   folderDAL: Pick<TSecretFolderDALFactory, "findById" | "findBySecretPath" | "delete" | "insertMany" | "find">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   licenseService: Pick<TLicenseServiceFactory, "isValidLicense">;
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
-  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
 };
 
 export type TSecretSnapshotServiceFactory = ReturnType<typeof secretSnapshotServiceFactory>;
@@ -66,13 +52,7 @@ export const secretSnapshotServiceFactory = ({
   permissionService,
   licenseService,
   secretTagDAL,
-  secretVersionTagDAL,
-  secretVersionV2BridgeDAL,
-  secretV2BridgeDAL,
-  snapshotSecretV2BridgeDAL,
-  secretVersionV2TagBridgeDAL,
-  kmsService,
-  projectBotService
+  secretVersionTagDAL
 }: TSecretSnapshotServiceFactoryDep) => {
   const projectSecretSnapshotCount = async ({
     environment,
@@ -138,7 +118,7 @@ export const secretSnapshotServiceFactory = ({
   };
 
   const getSnapshotData = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TGetSnapshotDataDTO) => {
-    const snapshot = await snapshotDAL.findById(id);
+    const snapshot = await snapshotDAL.findSecretSnapshotDataById(id);
     if (!snapshot) throw new BadRequestError({ message: "Snapshot not found" });
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -147,122 +127,31 @@ export const secretSnapshotServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
-    const shouldUseBridge = snapshot.projectVersion === 3;
-    let snapshotDetails;
-    if (shouldUseBridge) {
-      const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-        type: KmsDataKey.SecretManager,
-        projectId: snapshot.projectId
-      });
-      const encryptedSnapshotDetails = await snapshotDAL.findSecretSnapshotV2DataById(id);
-      snapshotDetails = {
-        ...encryptedSnapshotDetails,
-        secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => ({
-          ...el,
-          secretKey: el.key,
-          secretValue: el.encryptedValue
-            ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
-            : undefined,
-          secretComment: el.encryptedComment
-            ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString()
-            : undefined
-        }))
-      };
-    } else {
-      const encryptedSnapshotDetails = await snapshotDAL.findSecretSnapshotDataById(id);
-      const { botKey } = await projectBotService.getBotKey(snapshot.projectId);
-      if (!botKey) throw new BadRequestError({ message: "bot not found" });
-      snapshotDetails = {
-        ...encryptedSnapshotDetails,
-        secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => ({
-          ...el,
-          secretKey: decryptSymmetric128BitHexKeyUTF8({
-            ciphertext: el.secretKeyCiphertext,
-            iv: el.secretKeyIV,
-            tag: el.secretKeyTag,
-            key: botKey
-          }),
-          secretValue: decryptSymmetric128BitHexKeyUTF8({
-            ciphertext: el.secretValueCiphertext,
-            iv: el.secretValueIV,
-            tag: el.secretValueTag,
-            key: botKey
-          }),
-          secretComment:
-            el.secretCommentTag && el.secretCommentIV && el.secretCommentCiphertext
-              ? decryptSymmetric128BitHexKeyUTF8({
-                  ciphertext: el.secretCommentCiphertext,
-                  iv: el.secretCommentIV,
-                  tag: el.secretCommentTag,
-                  key: botKey
-                })
-              : ""
-        }))
-      };
-    }
 
     const fullFolderPath = await getFullFolderPath({
       folderDAL,
-      folderId: snapshotDetails.folderId,
-      envId: snapshotDetails.environment.id
+      folderId: snapshot.folderId,
+      envId: snapshot.environment.id
     });
 
     // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, {
-        environment: snapshotDetails.environment.slug,
-        secretPath: fullFolderPath
-      })
+      subject(ProjectPermissionSub.Secrets, { environment: snapshot.environment.slug, secretPath: fullFolderPath })
     );
 
-    return snapshotDetails;
+    return snapshot;
   };
 
   const performSnapshot = async (folderId: string) => {
     try {
       if (!licenseService.isValidLicense) throw new InternalServerError({ message: "Invalid license" });
-      const folder = await folderDAL.findById(folderId);
-      if (!folder) throw new BadRequestError({ message: "Folder not found" });
-      const shouldUseSecretV2Bridge = folder.projectVersion === 3;
-
-      if (shouldUseSecretV2Bridge) {
-        const snapshot = await snapshotDAL.transaction(async (tx) => {
-          const secretVersions = await secretVersionV2BridgeDAL.findLatestVersionByFolderId(folderId, tx);
-          const folderVersions = await folderVersionDAL.findLatestVersionByFolderId(folderId, tx);
-          const newSnapshot = await snapshotDAL.create(
-            {
-              folderId,
-              envId: folder.environment.envId,
-              parentFolderId: folder.parentId
-            },
-            tx
-          );
-          const snapshotSecrets = await snapshotSecretV2BridgeDAL.insertMany(
-            secretVersions.map(({ id }) => ({
-              secretVersionId: id,
-              envId: folder.environment.envId,
-              snapshotId: newSnapshot.id
-            })),
-            tx
-          );
-          const snapshotFolders = await snapshotFolderDAL.insertMany(
-            folderVersions.map(({ id }) => ({
-              folderVersionId: id,
-              envId: folder.environment.envId,
-              snapshotId: newSnapshot.id
-            })),
-            tx
-          );
-
-          return { ...newSnapshot, secrets: snapshotSecrets, folder: snapshotFolders };
-        });
-        return snapshot;
-      }
 
       const snapshot = await snapshotDAL.transaction(async (tx) => {
+        const folder = await folderDAL.findById(folderId, tx);
+        if (!folder) throw new BadRequestError({ message: "Folder not found" });
+
         const secretVersions = await secretVersionDAL.findLatestVersionByFolderId(folderId, tx);
         const folderVersions = await folderVersionDAL.findLatestVersionByFolderId(folderId, tx);
         const newSnapshot = await snapshotDAL.create(
@@ -310,7 +199,6 @@ export const secretSnapshotServiceFactory = ({
   }: TRollbackSnapshotDTO) => {
     const snapshot = await snapshotDAL.findById(snapshotId);
     if (!snapshot) throw new BadRequestError({ message: "Snapshot not found" });
-    const shouldUseBridge = snapshot.projectVersion === 3;
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -324,117 +212,6 @@ export const secretSnapshotServiceFactory = ({
       ProjectPermissionSub.SecretRollback
     );
 
-    if (shouldUseBridge) {
-      const rollback = await snapshotDAL.transaction(async (tx) => {
-        const rollbackSnaps = await snapshotDAL.findRecursivelySnapshotsV2Bridge(snapshot.id, tx);
-        // this will remove all secrets in current folder
-        const deletedTopLevelSecs = await secretV2BridgeDAL.delete({ folderId: snapshot.folderId }, tx);
-        const deletedTopLevelSecsGroupById = groupBy(deletedTopLevelSecs, (item) => item.id);
-        // this will remove all secrets and folders on child
-        // due to sql foreign key and link list connection removing the folders removes everything below too
-        const deletedFolders = await folderDAL.delete({ parentId: snapshot.folderId, isReserved: false }, tx);
-        const deletedTopLevelFolders = groupBy(
-          deletedFolders.filter(({ parentId }) => parentId === snapshot.folderId),
-          (item) => item.id
-        );
-        const folders = await folderDAL.insertMany(
-          rollbackSnaps.flatMap(({ folderVersion, folderId }) =>
-            folderVersion.map(({ name, id, latestFolderVersion }) => ({
-              envId: snapshot.envId,
-              id,
-              // this means don't bump up the version if not root folder
-              // because below ones can be same version as nothing changed
-              version: deletedTopLevelFolders[folderId] ? latestFolderVersion + 1 : latestFolderVersion,
-              name,
-              parentId: folderId
-            }))
-          ),
-          tx
-        );
-        const secrets = await secretV2BridgeDAL.insertMany(
-          rollbackSnaps.flatMap(({ secretVersions, folderId }) =>
-            secretVersions.map(
-              ({ latestSecretVersion, version, updatedAt, createdAt, secretId, envId, id, tags, ...el }) => ({
-                ...el,
-                id: secretId,
-                version: deletedTopLevelSecsGroupById[secretId] ? latestSecretVersion + 1 : latestSecretVersion,
-                folderId
-              })
-            )
-          ),
-          tx
-        );
-        const secretTagsToBeInsert: TSecretV2TagJunctionInsert[] = [];
-        const secretVerTagToBeInsert: Record<string, string[]> = {};
-        rollbackSnaps.forEach(({ secretVersions }) => {
-          secretVersions.forEach((secVer) => {
-            secVer.tags.forEach((tag) => {
-              secretTagsToBeInsert.push({ secrets_v2Id: secVer.secretId, secret_tagsId: tag.id });
-              if (!secretVerTagToBeInsert?.[secVer.secretId]) secretVerTagToBeInsert[secVer.secretId] = [];
-              secretVerTagToBeInsert[secVer.secretId].push(tag.id);
-            });
-          });
-        });
-        await secretTagDAL.saveTagsToSecretV2(secretTagsToBeInsert, tx);
-        const folderVersions = await folderVersionDAL.insertMany(
-          folders.map(({ version, name, id, envId }) => ({
-            name,
-            version,
-            folderId: id,
-            envId
-          })),
-          tx
-        );
-        const secretVersions = await secretVersionV2BridgeDAL.insertMany(
-          secrets.map(({ id, updatedAt, createdAt, ...el }) => ({ ...el, secretId: id })),
-          tx
-        );
-        await secretVersionV2TagBridgeDAL.insertMany(
-          secretVersions.flatMap(({ secretId, id }) =>
-            secretVerTagToBeInsert?.[secretId]?.length
-              ? secretVerTagToBeInsert[secretId].map((tagId) => ({
-                  [`${TableName.SecretTag}Id` as const]: tagId,
-                  [`${TableName.SecretVersionV2}Id` as const]: id
-                }))
-              : []
-          ),
-          tx
-        );
-        const newSnapshot = await snapshotDAL.create(
-          {
-            folderId: snapshot.folderId,
-            envId: snapshot.envId,
-            parentFolderId: snapshot.parentFolderId
-          },
-          tx
-        );
-        const snapshotSecrets = await snapshotSecretV2BridgeDAL.insertMany(
-          secretVersions
-            .filter(({ secretId }) => Boolean(deletedTopLevelSecsGroupById?.[secretId]))
-            .map(({ id }) => ({
-              secretVersionId: id,
-              envId: newSnapshot.envId,
-              snapshotId: newSnapshot.id
-            })),
-          tx
-        );
-        const snapshotFolders = await snapshotFolderDAL.insertMany(
-          folderVersions
-            .filter(({ folderId }) => Boolean(deletedTopLevelFolders?.[folderId]))
-            .map(({ id }) => ({
-              folderVersionId: id,
-              envId: newSnapshot.envId,
-              snapshotId: newSnapshot.id
-            })),
-          tx
-        );
-
-        return { ...newSnapshot, snapshotSecrets, snapshotFolders };
-      });
-
-      return rollback;
-    }
-
     const rollback = await snapshotDAL.transaction(async (tx) => {
       const rollbackSnaps = await snapshotDAL.findRecursivelySnapshots(snapshot.id, tx);
       // this will remove all secrets in current folder

backend/src/ee/services/secret-snapshot/snapshot-dal.ts

@@ -1,17 +1,14 @@
 /* eslint-disable no-await-in-loop */
 import { Knex } from "knex";
-import { z } from "zod";
 
 import { TDbClient } from "@app/db";
 import {
   SecretVersionsSchema,
-  SecretVersionsV2Schema,
   TableName,
   TSecretFolderVersions,
   TSecretSnapshotFolders,
   TSecretSnapshots,
-  TSecretVersions,
-  TSecretVersionsV2
+  TSecretVersions
 } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
@@ -27,14 +24,12 @@ export const snapshotDALFactory = (db: TDbClient) => {
       const data = await (tx || db.replicaNode())(TableName.Snapshot)
         .where(`${TableName.Snapshot}.id`, id)
         .join(TableName.Environment, `${TableName.Snapshot}.envId`, `${TableName.Environment}.id`)
-        .join(TableName.Project, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
         .select(selectAllTableCols(TableName.Snapshot))
         .select(
           db.ref("id").withSchema(TableName.Environment).as("envId"),
           db.ref("projectId").withSchema(TableName.Environment),
           db.ref("name").withSchema(TableName.Environment).as("envName"),
-          db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
-          db.ref("version").withSchema(TableName.Project).as("projectVersion")
+          db.ref("slug").withSchema(TableName.Environment).as("envSlug")
         )
         .first();
       if (data) {
@@ -154,101 +149,6 @@ export const snapshotDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findSecretSnapshotV2DataById = async (snapshotId: string, tx?: Knex) => {
-    try {
-      const data = await (tx || db.replicaNode())(TableName.Snapshot)
-        .where(`${TableName.Snapshot}.id`, snapshotId)
-        .join(TableName.Environment, `${TableName.Snapshot}.envId`, `${TableName.Environment}.id`)
-        .leftJoin(TableName.SnapshotSecretV2, `${TableName.Snapshot}.id`, `${TableName.SnapshotSecretV2}.snapshotId`)
-        .leftJoin(
-          TableName.SecretVersionV2,
-          `${TableName.SnapshotSecretV2}.secretVersionId`,
-          `${TableName.SecretVersionV2}.id`
-        )
-        .leftJoin(
-          TableName.SecretVersionV2Tag,
-          `${TableName.SecretVersionV2Tag}.${TableName.SecretVersionV2}Id`,
-          `${TableName.SecretVersionV2}.id`
-        )
-        .leftJoin(
-          TableName.SecretTag,
-          `${TableName.SecretVersionV2Tag}.${TableName.SecretTag}Id`,
-          `${TableName.SecretTag}.id`
-        )
-        .leftJoin(TableName.SnapshotFolder, `${TableName.SnapshotFolder}.snapshotId`, `${TableName.Snapshot}.id`)
-        .leftJoin<TSecretFolderVersions>(
-          TableName.SecretFolderVersion,
-          `${TableName.SnapshotFolder}.folderVersionId`,
-          `${TableName.SecretFolderVersion}.id`
-        )
-        .select(selectAllTableCols(TableName.SecretVersionV2))
-        .select(
-          db.ref("id").withSchema(TableName.Snapshot).as("snapshotId"),
-          db.ref("createdAt").withSchema(TableName.Snapshot).as("snapshotCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.Snapshot).as("snapshotUpdatedAt"),
-          db.ref("id").withSchema(TableName.Environment).as("envId"),
-          db.ref("name").withSchema(TableName.Environment).as("envName"),
-          db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
-          db.ref("projectId").withSchema(TableName.Environment),
-          db.ref("name").withSchema(TableName.SecretFolderVersion).as("folderVerName"),
-          db.ref("folderId").withSchema(TableName.SecretFolderVersion).as("folderVerId"),
-          db.ref("id").withSchema(TableName.SecretTag).as("tagId"),
-          db.ref("id").withSchema(TableName.SecretVersionV2Tag).as("tagVersionId"),
-          db.ref("color").withSchema(TableName.SecretTag).as("tagColor"),
-          db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"),
-          db.ref("name").withSchema(TableName.SecretTag).as("tagName")
-        );
-      return sqlNestRelationships({
-        data,
-        key: "snapshotId",
-        parentMapper: ({
-          snapshotId: id,
-          folderId,
-          projectId,
-          envId,
-          envSlug,
-          envName,
-          snapshotCreatedAt: createdAt,
-          snapshotUpdatedAt: updatedAt
-        }) => ({
-          id,
-          folderId,
-          projectId,
-          createdAt,
-          updatedAt,
-          environment: { id: envId, slug: envSlug, name: envName }
-        }),
-        childrenMapper: [
-          {
-            key: "id",
-            label: "secretVersions" as const,
-            mapper: (el) => SecretVersionsV2Schema.parse(el),
-            childrenMapper: [
-              {
-                key: "tagVersionId",
-                label: "tags" as const,
-                mapper: ({ tagId: id, tagName: name, tagSlug: slug, tagColor: color, tagVersionId: vId }) => ({
-                  id,
-                  name,
-                  slug,
-                  color,
-                  vId
-                })
-              }
-            ]
-          },
-          {
-            key: "folderVerId",
-            label: "folderVersion" as const,
-            mapper: ({ folderVerId: id, folderVerName: name }) => ({ id, name })
-          }
-        ]
-      })?.[0];
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindSecretSnapshotDataById" });
-    }
-  };
-
   // this is used for rollback
   // from a starting snapshot it will collect all the secrets and folder of that
   // then it will start go through recursively the below folders latest snapshots then their child folder snapshot until leaf node
@@ -404,161 +304,6 @@ export const snapshotDALFactory = (db: TDbClient) => {
     }
   };
 
-  // this is used for rollback
-  // from a starting snapshot it will collect all the secrets and folder of that
-  // then it will start go through recursively the below folders latest snapshots then their child folder snapshot until leaf node
-  // the recursive part find all snapshot id
-  // then joins with respective secrets and folder
-  const findRecursivelySnapshotsV2Bridge = async (snapshotId: string, tx?: Knex) => {
-    try {
-      const data = await (tx || db)
-        .withRecursive("parent", (qb) => {
-          void qb
-            .from(TableName.Snapshot)
-            .leftJoin<TSecretSnapshotFolders>(
-              TableName.SnapshotFolder,
-              `${TableName.SnapshotFolder}.snapshotId`,
-              `${TableName.Snapshot}.id`
-            )
-            .leftJoin<TSecretFolderVersions>(
-              TableName.SecretFolderVersion,
-              `${TableName.SnapshotFolder}.folderVersionId`,
-              `${TableName.SecretFolderVersion}.id`
-            )
-            .select(selectAllTableCols(TableName.Snapshot))
-            .select({ depth: 1 })
-            .select(
-              db.ref("name").withSchema(TableName.SecretFolderVersion).as("folderVerName"),
-              db.ref("folderId").withSchema(TableName.SecretFolderVersion).as("folderVerId")
-            )
-            .where(`${TableName.Snapshot}.id`, snapshotId)
-            .union(
-              (cb) =>
-                void cb
-                  .select(selectAllTableCols(TableName.Snapshot))
-                  .select({ depth: db.raw("parent.depth + 1") })
-                  .select(
-                    db.ref("name").withSchema(TableName.SecretFolderVersion).as("folderVerName"),
-                    db.ref("folderId").withSchema(TableName.SecretFolderVersion).as("folderVerId")
-                  )
-                  .from(TableName.Snapshot)
-                  .join<TSecretSnapshots, TSecretSnapshots & { secretId: string; max: number }>(
-                    db(TableName.Snapshot).groupBy("folderId").max("createdAt").select("folderId").as("latestVersion"),
-                    `${TableName.Snapshot}.createdAt`,
-                    "latestVersion.max"
-                  )
-                  .leftJoin<TSecretSnapshotFolders>(
-                    TableName.SnapshotFolder,
-                    `${TableName.SnapshotFolder}.snapshotId`,
-                    `${TableName.Snapshot}.id`
-                  )
-                  .leftJoin<TSecretFolderVersions>(
-                    TableName.SecretFolderVersion,
-                    `${TableName.SnapshotFolder}.folderVersionId`,
-                    `${TableName.SecretFolderVersion}.id`
-                  )
-                  .join("parent", "parent.folderVerId", `${TableName.Snapshot}.folderId`)
-            );
-        })
-        .orderBy("depth", "asc")
-        .from<TSecretSnapshots & { folderVerId: string; folderVerName: string }>("parent")
-        .leftJoin<TSecretSnapshots>(TableName.SnapshotSecretV2, `parent.id`, `${TableName.SnapshotSecretV2}.snapshotId`)
-        .leftJoin<TSecretVersionsV2>(
-          TableName.SecretVersionV2,
-          `${TableName.SnapshotSecretV2}.secretVersionId`,
-          `${TableName.SecretVersionV2}.id`
-        )
-        .leftJoin(
-          TableName.SecretVersionV2Tag,
-          `${TableName.SecretVersionV2Tag}.${TableName.SecretVersionV2}Id`,
-          `${TableName.SecretVersionV2}.id`
-        )
-        .leftJoin(
-          TableName.SecretTag,
-          `${TableName.SecretVersionV2Tag}.${TableName.SecretTag}Id`,
-          `${TableName.SecretTag}.id`
-        )
-        .leftJoin<{ latestSecretVersion: number }>(
-          (tx || db)(TableName.SecretVersionV2)
-            .groupBy("secretId")
-            .select("secretId")
-            .max("version")
-            .as("secGroupByMaxVersion"),
-          `${TableName.SecretVersionV2}.secretId`,
-          "secGroupByMaxVersion.secretId"
-        )
-        .leftJoin<{ latestFolderVersion: number }>(
-          (tx || db)(TableName.SecretFolderVersion)
-            .groupBy("folderId")
-            .select("folderId")
-            .max("version")
-            .as("folderGroupByMaxVersion"),
-          `parent.folderId`,
-          "folderGroupByMaxVersion.folderId"
-        )
-        .select(selectAllTableCols(TableName.SecretVersionV2))
-        .select(
-          db.ref("id").withSchema("parent").as("snapshotId"),
-          db.ref("folderId").withSchema("parent").as("snapshotFolderId"),
-          db.ref("parentFolderId").withSchema("parent").as("snapshotParentFolderId"),
-          db.ref("folderVerName").withSchema("parent"),
-          db.ref("folderVerId").withSchema("parent"),
-          db.ref("max").withSchema("secGroupByMaxVersion").as("latestSecretVersion"),
-          db.ref("max").withSchema("folderGroupByMaxVersion").as("latestFolderVersion"),
-          db.ref("id").withSchema(TableName.SecretTag).as("tagId"),
-          db.ref("id").withSchema(TableName.SecretVersionV2Tag).as("tagVersionId"),
-          db.ref("color").withSchema(TableName.SecretTag).as("tagColor"),
-          db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"),
-          db.ref("name").withSchema(TableName.SecretTag).as("tagName")
-        );
-
-      const formated = sqlNestRelationships({
-        data,
-        key: "snapshotId",
-        parentMapper: ({ snapshotId: id, snapshotFolderId: folderId, snapshotParentFolderId: parentFolderId }) => ({
-          id,
-          folderId,
-          parentFolderId
-        }),
-        childrenMapper: [
-          {
-            key: "id",
-            label: "secretVersions" as const,
-            mapper: (el) => ({
-              ...SecretVersionsV2Schema.parse(el),
-              latestSecretVersion: el.latestSecretVersion as number
-            }),
-            childrenMapper: [
-              {
-                key: "tagVersionId",
-                label: "tags" as const,
-                mapper: ({ tagId: id, tagName: name, tagSlug: slug, tagColor: color, tagVersionId: vId }) => ({
-                  id,
-                  name,
-                  slug,
-                  color,
-                  vId
-                })
-              }
-            ]
-          },
-          {
-            key: "folderVerId",
-            label: "folderVersion" as const,
-            mapper: ({ folderVerId: id, folderVerName: name, latestFolderVersion }) => ({
-              id,
-              name,
-              latestFolderVersion: latestFolderVersion as number
-            })
-          }
-        ]
-      });
-      return formated;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindRecursivelySnapshots" });
-    }
-  };
-
   // instead of copying all child folders
   // we will take the latest snapshot of those folders
   // when we need to rollback we will pull from these snapshots
@@ -720,108 +465,13 @@ export const snapshotDALFactory = (db: TDbClient) => {
     }
   };
 
-  // special query for migration for secret v2
-  const findNSecretV1SnapshotByFolderId = async (folderId: string, n = 15, tx?: Knex) => {
-    try {
-      const query = (tx || db.replicaNode())(TableName.Snapshot)
-        .leftJoin(TableName.SnapshotSecret, `${TableName.Snapshot}.id`, `${TableName.SnapshotSecret}.snapshotId`)
-        .leftJoin(
-          TableName.SecretVersion,
-          `${TableName.SnapshotSecret}.secretVersionId`,
-          `${TableName.SecretVersion}.id`
-        )
-        .leftJoin(
-          TableName.SecretVersionTag,
-          `${TableName.SecretVersionTag}.${TableName.SecretVersion}Id`,
-          `${TableName.SecretVersion}.id`
-        )
-        .select(selectAllTableCols(TableName.SecretVersion))
-        .select(
-          db.ref("id").withSchema(TableName.Snapshot).as("snapshotId"),
-          db.ref("createdAt").withSchema(TableName.Snapshot).as("snapshotCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.Snapshot).as("snapshotUpdatedAt"),
-          db.ref("envId").withSchema(TableName.SnapshotSecret).as("snapshotEnvId"),
-          db.ref("id").withSchema(TableName.SecretVersionTag).as("secretVersionTagId"),
-          db.ref("secret_versionsId").withSchema(TableName.SecretVersionTag).as("secretVersionTagSecretId"),
-          db.ref("secret_tagsId").withSchema(TableName.SecretVersionTag).as("secretVersionTagSecretTagId"),
-          db.raw(
-            `DENSE_RANK() OVER (partition by ${TableName.Snapshot}."id" ORDER BY ${TableName.SecretVersion}."createdAt") as rank`
-          )
-        )
-        .orderBy(`${TableName.Snapshot}.createdAt`, "desc")
-        .where(`${TableName.Snapshot}.folderId`, folderId);
-      const data = await (tx || db)
-        .with("w", query)
-        .select("*")
-        .from<Awaited<typeof query>[number]>("w")
-        .andWhere("w.rank", "<", n);
-
-      return sqlNestRelationships({
-        data,
-        key: "snapshotId",
-        parentMapper: ({ snapshotId: id, snapshotCreatedAt: createdAt, snapshotUpdatedAt: updatedAt }) => ({
-          id,
-          folderId,
-          createdAt,
-          updatedAt
-        }),
-        childrenMapper: [
-          {
-            key: "id",
-            label: "secretVersions" as const,
-            mapper: (el) => SecretVersionsSchema.extend({ snapshotEnvId: z.string() }).parse(el),
-            childrenMapper: [
-              {
-                key: "secretVersionTagId",
-                label: "tags" as const,
-                mapper: ({ secretVersionTagId, secretVersionTagSecretId, secretVersionTagSecretTagId }) => ({
-                  id: secretVersionTagId,
-                  secretVersionId: secretVersionTagSecretId,
-                  secretTagId: secretVersionTagSecretTagId
-                })
-              }
-            ]
-          }
-        ]
-      });
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindSecretSnapshotDataById" });
-    }
-  };
-
-  const deleteSnapshotsAboveLimit = async (folderId: string, n = 15, tx?: Knex) => {
-    try {
-      const query = await (tx || db)
-        .with("to_delete", (qb) => {
-          void qb
-            .select("id")
-            .from(TableName.Snapshot)
-            .where("folderId", folderId)
-            .orderBy("createdAt", "desc")
-            .offset(n);
-        })
-        .from(TableName.Snapshot)
-        .whereIn("id", (qb) => {
-          void qb.select("id").from("to_delete");
-        })
-        .delete();
-      return query;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "DeleteSnapshotsAboveLimit" });
-    }
-  };
-
   return {
     ...secretSnapshotOrm,
     findById,
     findLatestSnapshotByFolderId,
     findRecursivelySnapshots,
-    findRecursivelySnapshotsV2Bridge,
     countOfSnapshotsByFolderId,
     findSecretSnapshotDataById,
-    findSecretSnapshotV2DataById,
-    pruneExcessSnapshots,
-    findNSecretV1SnapshotByFolderId,
-    deleteSnapshotsAboveLimit
+    pruneExcessSnapshots
   };
 };

backend/src/ee/services/secret-snapshot/snapshot-secret-v2-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TSnapshotSecretV2DALFactory = ReturnType<typeof snapshotSecretV2DALFactory>;
-
-export const snapshotSecretV2DALFactory = (db: TDbClient) => {
-  const snapshotSecretOrm = ormify(db, TableName.SnapshotSecretV2);
-  return snapshotSecretOrm;
-};

backend/src/keystore/keystore.ts

@@ -40,7 +40,7 @@ export const keyStoreFactory = (redisUrl: string) => {
     exp: number | string,
     value: string | number | Buffer,
     prefix?: string
-  ) => redis.set(prefix ? `${prefix}:${key}` : key, value, "EX", exp);
+  ) => redis.setex(prefix ? `${prefix}:${key}` : key, exp, value);
 
   const deleteItem = async (key: string) => redis.del(key);
 
@@ -65,7 +65,7 @@ export const keyStoreFactory = (redisUrl: string) => {
       });
       attempts += 1;
       // eslint-disable-next-line
-      isReady = keyCheckCb(await getItem(key));
+      isReady = keyCheckCb(await getItem(key, "wait_till_ready"));
     }
   };
 

backend/src/lib/api-docs/constants.ts

@@ -348,15 +348,10 @@ export const ORGANIZATIONS = {
   LIST_USER_MEMBERSHIPS: {
     organizationId: "The ID of the organization to get memberships from."
   },
-  GET_USER_MEMBERSHIP: {
-    organizationId: "The ID of the organization to get the membership for.",
-    membershipId: "The ID of the membership to get."
-  },
   UPDATE_USER_MEMBERSHIP: {
     organizationId: "The ID of the organization to update the membership for.",
     membershipId: "The ID of the membership to update.",
-    role: "The new role of the membership.",
-    isActive: "The active status of the membership"
+    role: "The new role of the membership."
   },
   DELETE_USER_MEMBERSHIP: {
     organizationId: "The ID of the organization to delete the membership from.",
@@ -425,21 +420,6 @@ export const PROJECTS = {
   },
   LIST_INTEGRATION_AUTHORIZATION: {
     workspaceId: "The ID of the project to list integration auths for."
-  },
-  LIST_CAS: {
-    slug: "The slug of the project to list CAs for.",
-    status: "The status of the CA to filter by.",
-    friendlyName: "The friendly name of the CA to filter by.",
-    commonName: "The common name of the CA to filter by.",
-    offset: "The offset to start from. If you enter 10, it will start from the 10th CA.",
-    limit: "The number of CAs to return."
-  },
-  LIST_CERTIFICATES: {
-    slug: "The slug of the project to list certificates for.",
-    friendlyName: "The friendly name of the certificate to filter by.",
-    commonName: "The common name of the certificate to filter by.",
-    offset: "The offset to start from. If you enter 10, it will start from the 10th certificate.",
-    limit: "The number of certificates to return."
   }
 } as const;
 
@@ -525,10 +505,6 @@ export const ENVIRONMENTS = {
   DELETE: {
     workspaceId: "The ID of the project to delete the environment from.",
     id: "The ID of the environment to delete."
-  },
-  GET: {
-    workspaceId: "The ID of the project the environment belongs to.",
-    id: "The ID of the environment to fetch."
   }
 } as const;
 
@@ -608,9 +584,7 @@ export const RAW_SECRETS = {
     skipMultilineEncoding: "Skip multiline encoding for the secret value.",
     type: "The type of the secret to create.",
     workspaceId: "The ID of the project to create the secret in.",
-    tagIds: "The ID of the tags to be attached to the created secret.",
-    secretReminderRepeatDays: "Interval for secret rotation notifications, measured in days",
-    secretReminderNote: "Note to be attached in notification email"
+    tagIds: "The ID of the tags to be attached to the created secret."
   },
   GET: {
     expand: "Whether or not to expand secret references",
@@ -633,10 +607,7 @@ export const RAW_SECRETS = {
     type: "The type of the secret to update.",
     projectSlug: "The slug of the project to update the secret in.",
     workspaceId: "The ID of the project to update the secret in.",
-    tagIds: "The ID of the tags to be attached to the updated secret.",
-    secretReminderRepeatDays: "Interval for secret rotation notifications, measured in days",
-    secretReminderNote: "Note to be attached in notification email",
-    newSecretName: "The new name for the secret"
+    tagIds: "The ID of the tags to be attached to the updated secret."
   },
   DELETE: {
     secretName: "The name of the secret to delete.",
@@ -1056,7 +1027,7 @@ export const CERTIFICATE_AUTHORITIES = {
   },
   SIGN_INTERMEDIATE: {
     caId: "The ID of the CA to sign the intermediate certificate with",
-    csr: "The pem-encoded CSR to sign with the CA",
+    csr: "The CSR to sign with the CA",
     notBefore: "The date and time when the intermediate CA becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format",
     notAfter: "The date and time when the intermediate CA expires in YYYY-MM-DDTHH:mm:ss.sssZ format",
     maxPathLength:
@@ -1086,21 +1057,6 @@ export const CERTIFICATE_AUTHORITIES = {
     privateKey: "The private key of the issued certificate",
     serialNumber: "The serial number of the issued certificate"
   },
-  SIGN_CERT: {
-    caId: "The ID of the CA to issue the certificate from",
-    csr: "The pem-encoded CSR to sign with the CA to be used for certificate issuance",
-    friendlyName: "A friendly name for the certificate",
-    commonName: "The common name (CN) for the certificate",
-    altNames:
-      "A comma-delimited list of Subject Alternative Names (SANs) for the certificate; these can be host names or email addresses.",
-    ttl: "The time to live for the certificate such as 1m, 1h, 1d, 1y, ...",
-    notBefore: "The date and time when the certificate becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format",
-    notAfter: "The date and time when the certificate expires in YYYY-MM-DDTHH:mm:ss.sssZ format",
-    certificate: "The issued certificate",
-    issuingCaCertificate: "The certificate of the issuing CA",
-    certificateChain: "The certificate chain of the issued certificate",
-    serialNumber: "The serial number of the issued certificate"
-  },
   GET_CRL: {
     caId: "The ID of the CA to get the certificate revocation list (CRL) for",
     crl: "The certificate revocation list (CRL) of the CA"

backend/src/lib/crypto/encryption.ts

@@ -226,9 +226,8 @@ export const infisicalSymmetricDecrypt = <T = string>({
   keyEncoding: SecretKeyEncoding;
 }) => {
   const appCfg = getConfig();
-  // the or gate is used used in migration
-  const rootEncryptionKey = appCfg?.ROOT_ENCRYPTION_KEY || process.env.ROOT_ENCRYPTION_KEY;
-  const encryptionKey = appCfg?.ENCRYPTION_KEY || process.env.ENCRYPTION_KEY;
+  const rootEncryptionKey = appCfg.ROOT_ENCRYPTION_KEY;
+  const encryptionKey = appCfg.ENCRYPTION_KEY;
   if (rootEncryptionKey && keyEncoding === SecretKeyEncoding.BASE64) {
     const data = decryptSymmetric({ key: rootEncryptionKey, iv, tag, ciphertext });
     return data as T;

backend/src/lib/fn/array.ts

@@ -17,23 +17,6 @@ export const groupBy = <T, Key extends string | number | symbol>(
     {} as Record<Key, T[]>
   );
 
-/**
- * Sorts an array of items into groups. The return value is a map where the keys are
- * the group ids the given getGroupId function produced and the value will be the last found one for the group key
- */
-export const groupByUnique = <T, Key extends string | number | symbol>(
-  array: readonly T[],
-  getGroupId: (item: T) => Key
-): Record<Key, T> =>
-  array.reduce(
-    (acc, item) => {
-      const groupId = getGroupId(item);
-      acc[groupId] = item;
-      return acc;
-    },
-    {} as Record<Key, T>
-  );
-
 /**
  * Given a list of items returns a new list with only
  * unique items. Accepts an optional identity function

backend/src/lib/fn/index.ts

@@ -6,4 +6,3 @@ export * from "./array";
 export * from "./dates";
 export * from "./object";
 export * from "./string";
-export * from "./undefined";

backend/src/lib/fn/undefined.ts

@@ -1,3 +0,0 @@
-export const executeIfDefined = <T, R>(func: (input: T) => R, input: T | undefined): R | undefined => {
-  return input === undefined ? undefined : func(input);
-};

backend/src/lib/knex/index.ts

@@ -19,43 +19,23 @@ export const withTransaction = <K extends object>(db: Knex, dal: K) => ({
 
 export type TFindFilter<R extends object = object> = Partial<R> & {
   $in?: Partial<{ [k in keyof R]: R[k][] }>;
-  $search?: Partial<{ [k in keyof R]: R[k] }>;
 };
 export const buildFindFilter =
-  <R extends object = object>({ $in, $search, ...filter }: TFindFilter<R>) =>
+  <R extends object = object>({ $in, ...filter }: TFindFilter<R>) =>
   (bd: Knex.QueryBuilder<R, R>) => {
     void bd.where(filter);
     if ($in) {
       Object.entries($in).forEach(([key, val]) => {
-        if (val) {
-          void bd.whereIn(key as never, val as never);
-        }
-      });
-    }
-    if ($search) {
-      Object.entries($search).forEach(([key, val]) => {
-        if (val) {
-          void bd.whereILike(key as never, val as never);
-        }
+        void bd.whereIn(key as never, val as never);
       });
     }
     return bd;
   };
 
-export type TFindReturn<TQuery extends Knex.QueryBuilder, TCount extends boolean = false> = Array<
-  Awaited<TQuery>[0] &
-    (TCount extends true
-      ? {
-          count: string;
-        }
-      : unknown)
->;
-
-export type TFindOpt<R extends object = object, TCount extends boolean = boolean> = {
+export type TFindOpt<R extends object = object> = {
   limit?: number;
   offset?: number;
   sort?: Array<[keyof R, "asc" | "desc"] | [keyof R, "asc" | "desc", "first" | "last"]>;
-  count?: TCount;
   tx?: Knex;
 };
 
@@ -86,22 +66,18 @@ export const ormify = <DbOps extends object, Tname extends keyof Tables>(db: Kne
       throw new DatabaseError({ error, name: "Find one" });
     }
   },
-  find: async <TCount extends boolean = false>(
+  find: async (
     filter: TFindFilter<Tables[Tname]["base"]>,
-    { offset, limit, sort, count, tx }: TFindOpt<Tables[Tname]["base"], TCount> = {}
+    { offset, limit, sort, tx }: TFindOpt<Tables[Tname]["base"]> = {}
   ) => {
     try {
       const query = (tx || db.replicaNode())(tableName).where(buildFindFilter(filter));
-      if (count) {
-        void query.select(db.raw("COUNT(*) OVER() AS count"));
-        void query.select("*");
-      }
       if (limit) void query.limit(limit);
       if (offset) void query.offset(offset);
       if (sort) {
         void query.orderBy(sort.map(([column, order, nulls]) => ({ column: column as string, order, nulls })));
       }
-      const res = (await query) as TFindReturn<typeof query, TCount>;
+      const res = await query;
       return res;
     } catch (error) {
       throw new DatabaseError({ error, name: "Find one" });
@@ -128,19 +104,6 @@ export const ormify = <DbOps extends object, Tname extends keyof Tables>(db: Kne
       throw new DatabaseError({ error, name: "Create" });
     }
   },
-  upsert: async (data: readonly Tables[Tname]["insert"][], onConflictField: keyof Tables[Tname]["base"], tx?: Knex) => {
-    try {
-      if (!data.length) return [];
-      const res = await (tx || db)(tableName)
-        .insert(data as never)
-        .onConflict(onConflictField as never)
-        .merge()
-        .returning("*");
-      return res;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Create" });
-    }
-  },
   updateById: async (
     id: string,
     {

backend/src/lib/knex/select.ts

@@ -12,12 +12,3 @@ export const stripUndefinedInWhere = <T extends object>(val: T): Exclude<T, unde
   });
   return copy as Exclude<T, undefined>;
 };
-
-// if its undefined its skipped in knex
-// if its empty string its set as null
-// else pass to the required one
-export const setKnexStringValue = <T>(value: string | null | undefined, cb: (arg: string) => T) => {
-  if (typeof value === "undefined") return;
-  if (value === "" || value === null) return null;
-  return cb(value);
-};

backend/src/lib/types/index.ts

@@ -42,13 +42,3 @@ export type RequiredKeys<T> = {
 }[keyof T];
 
 export type PickRequired<T> = Pick<T, RequiredKeys<T>>;
-
-export enum EnforcementLevel {
-  Hard = "hard",
-  Soft = "soft"
-}
-
-export enum SecretSharingAccessType {
-  Anyone = "anyone",
-  Organization = "organization"
-}

backend/src/queue/queue-service.ts

@@ -25,8 +25,7 @@ export enum QueueName {
   DynamicSecretRevocation = "dynamic-secret-revocation",
   CaCrlRotation = "ca-crl-rotation",
   SecretReplication = "secret-replication",
-  SecretSync = "secret-sync", // parent queue to push integration sync, webhook, and secret replication
-  ProjectV3Migration = "project-v3-migration"
+  SecretSync = "secret-sync" // parent queue to push integration sync, webhook, and secret replication
 }
 
 export enum QueueJobs {
@@ -45,8 +44,7 @@ export enum QueueJobs {
   DynamicSecretPruning = "dynamic-secret-pruning",
   CaCrlRotation = "ca-crl-rotation-job",
   SecretReplication = "secret-replication",
-  SecretSync = "secret-sync", // parent queue to push integration sync, webhook, and secret replication
-  ProjectV3Migration = "project-v3-migration"
+  SecretSync = "secret-sync" // parent queue to push integration sync, webhook, and secret replication
 }
 
 export type TQueueJobTypes = {
@@ -138,10 +136,6 @@ export type TQueueJobTypes = {
     name: QueueJobs.SecretSync;
     payload: TSyncSecretsDTO;
   };
-  [QueueName.ProjectV3Migration]: {
-    name: QueueJobs.ProjectV3Migration;
-    payload: { projectId: string };
-  };
 };
 
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;
@@ -216,7 +210,6 @@ export const queueServiceFactory = (redisUrl: string) => {
     const job = await q.getJob(jobId);
     if (!job) return true;
     if (!job.repeatJobKey) return true;
-    await job.remove();
     return q.removeRepeatableByKey(job.repeatJobKey);
   };
 

backend/src/server/config/rateLimiter.ts

@@ -1,6 +1,7 @@
 import type { RateLimitOptions, RateLimitPluginOptions } from "@fastify/rate-limit";
 import { Redis } from "ioredis";
 
+import { getRateLimiterConfig } from "@app/ee/services/rate-limit/rate-limit-service";
 import { getConfig } from "@app/lib/config/env";
 
 export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
@@ -21,16 +22,14 @@ export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
 // GET endpoints
 export const readLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  hook: "preValidation",
-  max: (req) => req.rateLimits.readLimit,
+  max: () => getRateLimiterConfig().readLimit,
   keyGenerator: (req) => req.realIp
 };
 
 // POST, PATCH, PUT, DELETE endpoints
 export const writeLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  hook: "preValidation",
-  max: (req) => req.rateLimits.writeLimit,
+  max: () => getRateLimiterConfig().writeLimit,
   keyGenerator: (req) => req.realIp
 };
 
@@ -38,40 +37,42 @@ export const writeLimit: RateLimitOptions = {
 export const secretsLimit: RateLimitOptions = {
   // secrets, folders, secret imports
   timeWindow: 60 * 1000,
-  hook: "preValidation",
-  max: (req) => req.rateLimits.secretsLimit,
+  max: () => getRateLimiterConfig().secretsLimit,
   keyGenerator: (req) => req.realIp
 };
 
 export const authRateLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  hook: "preValidation",
-  max: (req) => req.rateLimits.authRateLimit,
+  max: () => getRateLimiterConfig().authRateLimit,
   keyGenerator: (req) => req.realIp
 };
 
 export const inviteUserRateLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  hook: "preValidation",
-  max: (req) => req.rateLimits.inviteUserRateLimit,
+  max: () => getRateLimiterConfig().inviteUserRateLimit,
   keyGenerator: (req) => req.realIp
 };
 
 export const mfaRateLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  hook: "preValidation",
-  max: (req) => req.rateLimits.mfaRateLimit,
+  max: () => getRateLimiterConfig().mfaRateLimit,
   keyGenerator: (req) => {
     return req.headers.authorization?.split(" ")[1] || req.realIp;
   }
 };
 
+export const creationLimit: RateLimitOptions = {
+  // identity, project, org
+  timeWindow: 60 * 1000,
+  max: () => getRateLimiterConfig().creationLimit,
+  keyGenerator: (req) => req.realIp
+};
+
 // Public endpoints to avoid brute force attacks
 export const publicEndpointLimit: RateLimitOptions = {
   // Read Shared Secrets
   timeWindow: 60 * 1000,
-  hook: "preValidation",
-  max: (req) => req.rateLimits.publicEndpointLimit,
+  max: () => getRateLimiterConfig().publicEndpointLimit,
   keyGenerator: (req) => req.realIp
 };
 

backend/src/server/plugins/inject-rate-limits.ts

@@ -1,38 +0,0 @@
-import fp from "fastify-plugin";
-
-import { getRateLimiterConfig } from "@app/ee/services/rate-limit/rate-limit-service";
-import { getConfig } from "@app/lib/config/env";
-
-export const injectRateLimits = fp(async (server) => {
-  server.decorateRequest("rateLimits", null);
-  server.addHook("onRequest", async (req) => {
-    const appCfg = getConfig();
-
-    const instanceRateLimiterConfig = getRateLimiterConfig();
-    if (!req.auth?.orgId) {
-      // for public endpoints, we always use the instance-wide default rate limits
-      req.rateLimits = instanceRateLimiterConfig;
-      return;
-    }
-
-    const { rateLimits, customRateLimits } = await server.services.license.getPlan(req.auth.orgId);
-
-    if (customRateLimits && !appCfg.isCloud) {
-      // we do this because for self-hosted/dedicated instances, we want custom rate limits to be based on admin configuration
-      // note that the syncing of custom rate limit happens on the instanceRateLimiterConfig object
-      req.rateLimits = instanceRateLimiterConfig;
-      return;
-    }
-
-    // we're using the null coalescing operator in order to handle outdated licenses
-    req.rateLimits = {
-      readLimit: rateLimits?.readLimit ?? instanceRateLimiterConfig.readLimit,
-      writeLimit: rateLimits?.writeLimit ?? instanceRateLimiterConfig.writeLimit,
-      secretsLimit: rateLimits?.secretsLimit ?? instanceRateLimiterConfig.secretsLimit,
-      publicEndpointLimit: instanceRateLimiterConfig.publicEndpointLimit,
-      authRateLimit: instanceRateLimiterConfig.authRateLimit,
-      inviteUserRateLimit: instanceRateLimiterConfig.inviteUserRateLimit,
-      mfaRateLimit: instanceRateLimiterConfig.mfaRateLimit
-    };
-  });
-});

backend/src/server/routes/index.ts

@@ -66,7 +66,6 @@ import { secretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/s
 import { snapshotDALFactory } from "@app/ee/services/secret-snapshot/snapshot-dal";
 import { snapshotFolderDALFactory } from "@app/ee/services/secret-snapshot/snapshot-folder-dal";
 import { snapshotSecretDALFactory } from "@app/ee/services/secret-snapshot/snapshot-secret-dal";
-import { snapshotSecretV2DALFactory } from "@app/ee/services/secret-snapshot/snapshot-secret-v2-dal";
 import { trustedIpDALFactory } from "@app/ee/services/trusted-ip/trusted-ip-dal";
 import { trustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
@@ -129,7 +128,6 @@ import { orgDALFactory } from "@app/services/org/org-dal";
 import { orgRoleDALFactory } from "@app/services/org/org-role-dal";
 import { orgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { orgServiceFactory } from "@app/services/org/org-service";
-import { orgAdminServiceFactory } from "@app/services/org-admin/org-admin-service";
 import { orgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { projectDALFactory } from "@app/services/project/project-dal";
 import { projectQueueFactory } from "@app/services/project/project-queue";
@@ -162,10 +160,6 @@ import { secretSharingDALFactory } from "@app/services/secret-sharing/secret-sha
 import { secretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
 import { secretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
 import { secretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
-import { secretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
-import { secretV2BridgeServiceFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-service";
-import { secretVersionV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
-import { secretVersionV2TagBridgeDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";
 import { serviceTokenDALFactory } from "@app/services/service-token/service-token-dal";
 import { serviceTokenServiceFactory } from "@app/services/service-token/service-token-service";
 import { TSmtpService } from "@app/services/smtp/smtp-service";
@@ -184,7 +178,6 @@ import { webhookServiceFactory } from "@app/services/webhook/webhook-service";
 import { injectAuditLogInfo } from "../plugins/audit-log";
 import { injectIdentity } from "../plugins/auth/inject-identity";
 import { injectPermission } from "../plugins/auth/inject-permission";
-import { injectRateLimits } from "../plugins/inject-rate-limits";
 import { registerSecretScannerGhApp } from "../plugins/secret-scanner";
 import { registerV1Routes } from "./v1";
 import { registerV2Routes } from "./v2";
@@ -236,10 +229,6 @@ export const registerRoutes = async (
   const secretVersionTagDAL = secretVersionTagDALFactory(db);
   const secretBlindIndexDAL = secretBlindIndexDALFactory(db);
 
-  const secretV2BridgeDAL = secretV2BridgeDALFactory(db);
-  const secretVersionV2BridgeDAL = secretVersionV2BridgeDALFactory(db);
-  const secretVersionTagV2BridgeDAL = secretVersionV2TagBridgeDALFactory(db);
-
   const integrationDAL = integrationDALFactory(db);
   const integrationAuthDAL = integrationAuthDALFactory(db);
   const webhookDAL = webhookDALFactory(db);
@@ -288,7 +277,6 @@ export const registerRoutes = async (
   const secretRotationDAL = secretRotationDALFactory(db);
   const snapshotDAL = snapshotDALFactory(db);
   const snapshotSecretDAL = snapshotSecretDALFactory(db);
-  const snapshotSecretV2BridgeDAL = snapshotSecretV2DALFactory(db);
   const snapshotFolderDAL = snapshotFolderDALFactory(db);
 
   const gitAppInstallSessionDAL = gitAppInstallSessionDALFactory(db);
@@ -470,7 +458,6 @@ export const registerRoutes = async (
     tokenService,
     projectDAL,
     projectMembershipDAL,
-    orgMembershipDAL,
     projectKeyDAL,
     smtpService,
     userDAL,
@@ -500,16 +487,6 @@ export const registerRoutes = async (
     keyStore,
     licenseService
   });
-  const orgAdminService = orgAdminServiceFactory({
-    projectDAL,
-    permissionService,
-    projectUserMembershipRoleDAL,
-    userDAL,
-    projectBotDAL,
-    projectKeyDAL,
-    projectMembershipDAL
-  });
-
   const rateLimitService = rateLimitServiceFactory({
     rateLimitDAL,
     licenseService
@@ -632,8 +609,10 @@ export const registerRoutes = async (
     permissionService,
     projectDAL,
     projectQueue: projectQueueService,
+    secretBlindIndexDAL,
     identityProjectDAL,
     identityOrgMembershipDAL,
+    projectBotDAL,
     projectKeyDAL,
     userDAL,
     projectEnvDAL,
@@ -647,8 +626,7 @@ export const registerRoutes = async (
     projectUserMembershipRoleDAL,
     identityProjectMembershipRoleDAL,
     keyStore,
-    kmsService,
-    projectBotDAL
+    kmsService
   });
 
   const projectEnvService = projectEnvServiceFactory({
@@ -678,13 +656,7 @@ export const registerRoutes = async (
     secretVersionDAL,
     folderVersionDAL,
     secretTagDAL,
-    secretVersionTagDAL,
-    projectBotService,
-    kmsService,
-    secretV2BridgeDAL,
-    secretVersionV2BridgeDAL,
-    snapshotSecretV2BridgeDAL,
-    secretVersionV2TagBridgeDAL: secretVersionTagV2BridgeDAL
+    secretVersionTagDAL
   });
   const webhookService = webhookServiceFactory({
     permissionService,
@@ -707,8 +679,8 @@ export const registerRoutes = async (
     integrationAuthDAL,
     integrationDAL,
     permissionService,
-    projectBotService,
-    kmsService
+    projectBotDAL,
+    projectBotService
   });
   const secretQueueService = secretQueueFactory({
     queueService,
@@ -728,77 +700,23 @@ export const registerRoutes = async (
     secretVersionDAL,
     secretBlindIndexDAL,
     secretTagDAL,
-    secretVersionTagDAL,
-    kmsService,
-    secretVersionV2BridgeDAL,
-    secretV2BridgeDAL,
-    secretVersionTagV2BridgeDAL,
-    secretRotationDAL,
-    integrationAuthDAL,
-    snapshotDAL,
-    snapshotSecretV2BridgeDAL,
-    secretApprovalRequestDAL
+    secretVersionTagDAL
   });
   const secretImportService = secretImportServiceFactory({
     licenseService,
-    projectBotService,
     projectEnvDAL,
     folderDAL,
     permissionService,
     secretImportDAL,
     projectDAL,
     secretDAL,
-    secretQueueService,
-    secretV2BridgeDAL,
-    kmsService
+    secretQueueService
   });
   const secretBlindIndexService = secretBlindIndexServiceFactory({
     permissionService,
     secretDAL,
     secretBlindIndexDAL
   });
-
-  const secretV2BridgeService = secretV2BridgeServiceFactory({
-    folderDAL,
-    secretVersionDAL: secretVersionV2BridgeDAL,
-    secretQueueService,
-    secretDAL: secretV2BridgeDAL,
-    permissionService,
-    secretVersionTagDAL: secretVersionTagV2BridgeDAL,
-    secretTagDAL,
-    projectEnvDAL,
-    secretImportDAL,
-    secretApprovalRequestDAL,
-    secretApprovalPolicyService,
-    secretApprovalRequestSecretDAL,
-    kmsService,
-    snapshotService
-  });
-
-  const secretApprovalRequestService = secretApprovalRequestServiceFactory({
-    permissionService,
-    projectBotService,
-    folderDAL,
-    secretDAL,
-    secretTagDAL,
-    secretApprovalRequestSecretDAL,
-    secretApprovalRequestReviewerDAL,
-    projectDAL,
-    secretVersionDAL,
-    secretBlindIndexDAL,
-    secretApprovalRequestDAL,
-    snapshotService,
-    secretVersionTagDAL,
-    secretQueueService,
-    kmsService,
-    secretV2BridgeDAL,
-    secretVersionV2BridgeDAL,
-    secretVersionTagV2BridgeDAL,
-    smtpService,
-    projectEnvDAL,
-    userDAL
-  });
-
   const secretService = secretServiceFactory({
     folderDAL,
     secretVersionDAL,
@@ -815,15 +733,29 @@ export const registerRoutes = async (
     projectBotService,
     secretApprovalPolicyService,
     secretApprovalRequestDAL,
-    secretApprovalRequestSecretDAL,
-    secretV2BridgeService,
-    secretApprovalRequestService
+    secretApprovalRequestSecretDAL
   });
 
   const secretSharingService = secretSharingServiceFactory({
     permissionService,
-    secretSharingDAL,
-    orgDAL
+    secretSharingDAL
+  });
+
+  const secretApprovalRequestService = secretApprovalRequestServiceFactory({
+    permissionService,
+    projectBotService,
+    folderDAL,
+    secretDAL,
+    secretTagDAL,
+    secretApprovalRequestSecretDAL,
+    secretApprovalRequestReviewerDAL,
+    projectDAL,
+    secretVersionDAL,
+    secretBlindIndexDAL,
+    secretApprovalRequestDAL,
+    snapshotService,
+    secretVersionTagDAL,
+    secretQueueService
   });
 
   const accessApprovalPolicyService = accessApprovalPolicyServiceFactory({
@@ -859,14 +791,11 @@ export const registerRoutes = async (
     queueService,
     folderDAL,
     secretApprovalPolicyService,
+    secretBlindIndexDAL,
     secretApprovalRequestDAL,
     secretApprovalRequestSecretDAL,
     secretQueueService,
-    projectBotService,
-    kmsService,
-    secretV2BridgeDAL,
-    secretVersionV2TagBridgeDAL: secretVersionTagV2BridgeDAL,
-    secretVersionV2BridgeDAL
+    projectBotService
   });
   const secretRotationQueue = secretRotationQueueFactory({
     telemetryService,
@@ -874,10 +803,7 @@ export const registerRoutes = async (
     queue: queueService,
     secretDAL,
     secretVersionDAL,
-    projectBotService,
-    secretVersionV2BridgeDAL,
-    secretV2BridgeDAL,
-    kmsService
+    projectBotService
   });
 
   const secretRotationService = secretRotationServiceFactory({
@@ -887,9 +813,7 @@ export const registerRoutes = async (
     projectDAL,
     licenseService,
     secretDAL,
-    folderDAL,
-    projectBotService,
-    secretV2BridgeDAL
+    folderDAL
   });
 
   const integrationService = integrationServiceFactory({
@@ -897,15 +821,8 @@ export const registerRoutes = async (
     folderDAL,
     integrationDAL,
     integrationAuthDAL,
-    secretQueueService,
-    integrationAuthService,
-    projectBotService,
-    secretV2BridgeDAL,
-    secretImportDAL,
-    secretDAL,
-    kmsService
+    secretQueueService
   });
-
   const serviceTokenService = serviceTokenServiceFactory({
     projectEnvDAL,
     serviceTokenDAL,
@@ -1036,8 +953,7 @@ export const registerRoutes = async (
     secretFolderVersionDAL: folderVersionDAL,
     snapshotDAL,
     identityAccessTokenDAL,
-    secretSharingDAL,
-    secretVersionV2DAL: secretVersionV2BridgeDAL
+    secretSharingDAL
   });
 
   const oidcService = oidcConfigServiceFactory({
@@ -1132,8 +1048,7 @@ export const registerRoutes = async (
     identityProjectAdditionalPrivilege: identityProjectAdditionalPrivilegeService,
     secretSharing: secretSharingService,
     userEngagement: userEngagementService,
-    externalKms: externalKmsService,
-    orgAdmin: orgAdminService
+    externalKms: externalKmsService
   });
 
   const cronJobs: CronJob[] = [];
@@ -1150,7 +1065,6 @@ export const registerRoutes = async (
 
   await server.register(injectIdentity, { userDAL, serviceTokenDAL });
   await server.register(injectPermission);
-  await server.register(injectRateLimits);
   await server.register(injectAuditLogInfo);
 
   server.route({

backend/src/server/routes/sanitizedSchemas.ts

@@ -5,7 +5,6 @@ import {
   IdentityProjectAdditionalPrivilegeSchema,
   IntegrationAuthsSchema,
   ProjectRolesSchema,
-  ProjectsSchema,
   SecretApprovalPoliciesSchema,
   UsersSchema
 } from "@app/db/schemas";
@@ -63,14 +62,8 @@ export const secretRawSchema = z.object({
   version: z.number(),
   type: z.string(),
   secretKey: z.string(),
-  secretValue: z.string().optional(),
-  secretComment: z.string().optional(),
-  secretReminderNote: z.string().nullable().optional(),
-  secretReminderRepeatDays: z.number().nullable().optional(),
-  skipMultilineEncoding: z.boolean().default(false).nullable().optional(),
-  metadata: z.unknown().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
+  secretValue: z.string(),
+  secretComment: z.string().optional()
 });
 
 export const ProjectPermissionSchema = z.object({
@@ -142,18 +135,3 @@ export const SanitizedAuditLogStreamSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date()
 });
-
-export const SanitizedProjectSchema = ProjectsSchema.pick({
-  id: true,
-  name: true,
-  slug: true,
-  autoCapitalization: true,
-  orgId: true,
-  createdAt: true,
-  updatedAt: true,
-  version: true,
-  upgradeStatus: true,
-  pitVersionLimit: true,
-  kmsCertificateKeyId: true,
-  auditLogsRetentionDays: true
-});

backend/src/server/routes/v1/certificate-authority-router.ts

@@ -337,7 +337,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.SIGN_INTERMEDIATE.caId)
       }),
       body: z.object({
-        csr: z.string().trim().min(1).describe(CERTIFICATE_AUTHORITIES.SIGN_INTERMEDIATE.csr),
+        csr: z.string().trim().describe(CERTIFICATE_AUTHORITIES.SIGN_INTERMEDIATE.csr),
         notBefore: validateCaDateField.optional().describe(CERTIFICATE_AUTHORITIES.SIGN_INTERMEDIATE.notBefore),
         notAfter: validateCaDateField.describe(CERTIFICATE_AUTHORITIES.SIGN_INTERMEDIATE.notAfter),
         maxPathLength: z.number().min(-1).default(-1).describe(CERTIFICATE_AUTHORITIES.SIGN_INTERMEDIATE.maxPathLength)
@@ -453,7 +453,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }),
       body: z
         .object({
-          friendlyName: z.string().trim().optional().describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.friendlyName),
+          friendlyName: z.string().optional().describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.friendlyName),
           commonName: z.string().trim().min(1).describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.commonName),
           altNames: validateAltNamesField.describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.altNames),
           ttl: z
@@ -516,81 +516,4 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       };
     }
   });
-
-  server.route({
-    method: "POST",
-    url: "/:caId/sign-certificate",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Sign certificate from CA",
-      params: z.object({
-        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.caId)
-      }),
-      body: z
-        .object({
-          csr: z.string().trim().min(1).describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.csr),
-          friendlyName: z.string().trim().optional().describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.friendlyName),
-          commonName: z.string().trim().min(1).optional().describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.commonName),
-          altNames: validateAltNamesField.describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.altNames),
-          ttl: z
-            .string()
-            .refine((val) => ms(val) > 0, "TTL must be a positive number")
-            .describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.ttl),
-          notBefore: validateCaDateField.optional().describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.notBefore),
-          notAfter: validateCaDateField.optional().describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.notAfter)
-        })
-        .refine(
-          (data) => {
-            const { ttl, notAfter } = data;
-            return (ttl !== undefined && notAfter === undefined) || (ttl === undefined && notAfter !== undefined);
-          },
-          {
-            message: "Either ttl or notAfter must be present, but not both",
-            path: ["ttl", "notAfter"]
-          }
-        ),
-      response: {
-        200: z.object({
-          certificate: z.string().trim().describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.certificate),
-          issuingCaCertificate: z.string().trim().describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.issuingCaCertificate),
-          certificateChain: z.string().trim().describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.certificateChain),
-          serialNumber: z.string().trim().describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.serialNumber)
-        })
-      }
-    },
-    handler: async (req) => {
-      const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca } =
-        await server.services.certificateAuthority.signCertFromCa({
-          caId: req.params.caId,
-          actor: req.permission.type,
-          actorId: req.permission.id,
-          actorAuthMethod: req.permission.authMethod,
-          actorOrgId: req.permission.orgId,
-          ...req.body
-        });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: ca.projectId,
-        event: {
-          type: EventType.SIGN_CERT,
-          metadata: {
-            caId: ca.id,
-            dn: ca.dn,
-            serialNumber
-          }
-        }
-      });
-
-      return {
-        certificate,
-        certificateChain,
-        issuingCaCertificate,
-        serialNumber
-      };
-    }
-  });
 };

backend/src/server/routes/v1/identity-router.ts

@@ -1,22 +1,26 @@
 import { z } from "zod";
 
-import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgMembershipRole, OrgRolesSchema } from "@app/db/schemas";
+import {
+  IdentitiesSchema,
+  IdentityOrgMembershipsSchema,
+  OrgMembershipRole,
+  OrgRolesSchema,
+  ProjectsSchema
+} from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { IDENTITIES } from "@app/lib/api-docs";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { creationLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
-import { SanitizedProjectSchema } from "../sanitizedSchemas";
-
 export const registerIdentityRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
     url: "/",
     config: {
-      rateLimit: writeLimit
+      rateLimit: creationLimit
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
@@ -303,7 +307,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
                 })
               ),
               identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true }),
-              project: SanitizedProjectSchema.pick({ name: true, id: true })
+              project: ProjectsSchema.pick({ name: true, id: true })
             })
           )
         })

backend/src/server/routes/v1/index.ts

@@ -15,7 +15,6 @@ import { registerIdentityUaRouter } from "./identity-universal-auth-router";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
 import { registerIntegrationRouter } from "./integration-router";
 import { registerInviteOrgRouter } from "./invite-org-router";
-import { registerOrgAdminRouter } from "./org-admin-router";
 import { registerOrgRouter } from "./organization-router";
 import { registerPasswordRouter } from "./password-router";
 import { registerProjectEnvRouter } from "./project-env-router";
@@ -51,7 +50,6 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
   await server.register(registerPasswordRouter, { prefix: "/password" });
   await server.register(registerOrgRouter, { prefix: "/organization" });
   await server.register(registerAdminRouter, { prefix: "/admin" });
-  await server.register(registerOrgAdminRouter, { prefix: "/organization-admin" });
   await server.register(registerUserRouter, { prefix: "/user" });
   await server.register(registerInviteOrgRouter, { prefix: "/invite-org" });
   await server.register(registerUserActionRouter, { prefix: "/user-action" });

backend/src/server/routes/v1/integration-router.ts

@@ -170,12 +170,6 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
       params: z.object({
         integrationId: z.string().trim().describe(INTEGRATION.DELETE.integrationId)
       }),
-      querystring: z.object({
-        shouldDeleteIntegrationSecrets: z
-          .enum(["true", "false"])
-          .optional()
-          .transform((val) => val === "true")
-      }),
       response: {
         200: z.object({
           integration: IntegrationsSchema
@@ -189,8 +183,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
         actorAuthMethod: req.permission.authMethod,
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
-        id: req.params.integrationId,
-        shouldDeleteIntegrationSecrets: req.query.shouldDeleteIntegrationSecrets
+        id: req.params.integrationId
       });
 
       await server.services.auditLog.createAuditLog({
@@ -212,8 +205,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
             targetService: integration.targetService,
             targetServiceId: integration.targetServiceId,
             path: integration.path,
-            region: integration.region,
-            shouldDeleteIntegrationSecrets: req.query.shouldDeleteIntegrationSecrets
+            region: integration.region
             // eslint-disable-next-line
           }) as any
         }

backend/src/server/routes/v1/org-admin-router.ts

@@ -1,90 +0,0 @@
-import { z } from "zod";
-
-import { ProjectMembershipsSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-import { SanitizedProjectSchema } from "../sanitizedSchemas";
-
-export const registerOrgAdminRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "GET",
-    url: "/projects",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      querystring: z.object({
-        search: z.string().optional(),
-        offset: z.coerce.number().default(0),
-        limit: z.coerce.number().max(100).default(50)
-      }),
-      response: {
-        200: z.object({
-          projects: SanitizedProjectSchema.array(),
-          count: z.coerce.number()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { projects, count } = await server.services.orgAdmin.listOrgProjects({
-        limit: req.query.limit,
-        offset: req.query.offset,
-        search: req.query.search,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        actorId: req.permission.id,
-        actor: req.permission.type
-      });
-      return { projects, count };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/projects/:projectId/grant-admin-access",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        projectId: z.string()
-      }),
-      response: {
-        200: z.object({
-          membership: ProjectMembershipsSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { membership } = await server.services.orgAdmin.grantProjectAdminAccess({
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        projectId: req.params.projectId
-      });
-      if (req.auth.authMode === AuthMode.JWT) {
-        await server.services.auditLog.createAuditLog({
-          ...req.auditLogInfo,
-          projectId: req.params.projectId,
-          event: {
-            type: EventType.ORG_ADMIN_ACCESS_PROJECT,
-            metadata: {
-              projectId: req.params.projectId,
-              username: req.auth.user.username,
-              email: req.auth.user.email || "",
-              userId: req.auth.userId
-            }
-          }
-        });
-      }
-
-      return { membership };
-    }
-  });
-};

backend/src/server/routes/v1/project-env-router.ts

@@ -9,55 +9,6 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "GET",
-    url: "/:workspaceId/environments/:envId",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Get Environment",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        workspaceId: z.string().trim().describe(ENVIRONMENTS.GET.workspaceId),
-        envId: z.string().trim().describe(ENVIRONMENTS.GET.id)
-      }),
-      response: {
-        200: z.object({
-          environment: ProjectEnvironmentsSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const environment = await server.services.projectEnv.getEnvironmentById({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        projectId: req.params.workspaceId,
-        id: req.params.envId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: environment.projectId,
-        event: {
-          type: EventType.GET_ENVIRONMENT,
-          metadata: {
-            id: environment.id
-          }
-        }
-      });
-
-      return { environment };
-    }
-  });
-
   server.route({
     method: "POST",
     url: "/:workspaceId/environments",