Add telemtry for Infisical PKI

Add Telemetry for Infisical SSH

.env.example

@@ -112,4 +112,11 @@ INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
 
 # azure app connection
 INF_APP_CONNECTION_AZURE_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_CLIENT_SECRET=
+INF_APP_CONNECTION_AZURE_CLIENT_SECRET=
+
+# datadog
+SHOULD_USE_DATADOG_TRACER=
+DATADOG_PROFILING_ENABLED=
+DATADOG_ENV=
+DATADOG_SERVICE=
+DATADOG_HOSTNAME=

.envrc

@@ -0,0 +1,3 @@
+# Learn more at https://direnv.net
+# We instruct direnv to use our Nix flake for a consistent development environment.
+use flake

.github/workflows/check-api-for-breaking-changes.yml

@@ -32,10 +32,23 @@ jobs:
         run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
       - name: Start the server
         run: |
-            echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
-            echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
-            echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
-            docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET -e ENCRYPTION_KEY=$ENCRYPTION_KEY --env-file .env --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
+          echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
+          echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
+          echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
+
+          echo "Examining built image:"
+          docker image inspect infisical-api | grep -A 5 "Entrypoint"
+          
+          docker run --name infisical-api -d -p 4000:4000 \
+            -e DB_CONNECTION_URI=$DB_CONNECTION_URI \
+            -e REDIS_URL=$REDIS_URL \
+            -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET \
+            -e ENCRYPTION_KEY=$ENCRYPTION_KEY \
+            --env-file .env \
+            infisical-api
+          
+          echo "Container status right after creation:"
+          docker ps -a | grep infisical-api
         env:
           REDIS_URL: redis://172.17.0.1:6379
           DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
@@ -43,35 +56,48 @@ jobs:
           ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.21.5'
+          go-version: "1.21.5"
       - name: Wait for container to be stable and check logs
         run: |
           SECONDS=0
           HEALTHY=0
           while [ $SECONDS -lt 60 ]; do
-            if docker ps | grep infisical-api | grep -q healthy; then
-              echo "Container is healthy."
-              HEALTHY=1
+            # Check if container is running
+            if docker ps | grep infisical-api; then
+              # Try to access the API endpoint
+              if curl -s -f http://localhost:4000/api/docs/json > /dev/null 2>&1; then
+                echo "API endpoint is responding. Container seems healthy."
+                HEALTHY=1
+                break
+              fi
+            else
+              echo "Container is not running!"
+              docker ps -a | grep infisical-api
               break
             fi
+            
             echo "Waiting for container to be healthy... ($SECONDS seconds elapsed)"
-
-            docker logs infisical-api
-
-            sleep 2
-            SECONDS=$((SECONDS+2))
+            sleep 5
+            SECONDS=$((SECONDS+5))
           done
-      
+          
           if [ $HEALTHY -ne 1 ]; then
             echo "Container did not become healthy in time"
+            echo "Container status:"
+            docker ps -a | grep infisical-api
+            echo "Container logs (if any):"
+            docker logs infisical-api || echo "No logs available"
+            echo "Container inspection:"
+            docker inspect infisical-api | grep -A 5 "State"
             exit 1
           fi
       - name: Install openapi-diff
-        run: go install github.com/tufin/oasdiff@latest
+        run: go install github.com/oasdiff/oasdiff@latest
       - name: Running OpenAPI Spec diff action
         run: oasdiff breaking https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json --fail-on ERR
       - name: cleanup
+        if: always()
         run: |
           docker compose -f "docker-compose.dev.yml" down
-          docker stop infisical-api
-          docker remove infisical-api
+          docker stop infisical-api || true
+          docker rm infisical-api || true

.github/workflows/release-k8-operator-helm.yml

@@ -0,0 +1,27 @@
+name: Release K8 Operator Helm Chart
+on:
+    workflow_dispatch:
+
+jobs:
+    release-helm:
+        name: Release Helm Chart
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v2
+
+            - name: Install Helm
+              uses: azure/setup-helm@v3
+              with:
+                  version: v3.10.0
+
+            - name: Install python
+              uses: actions/setup-python@v4
+
+            - name: Install Cloudsmith CLI
+              run: pip install --upgrade cloudsmith-cli
+
+            - name: Build and push helm package to CloudSmith
+              run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
+              env:
+                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/release_build_infisical_cli.yml

@@ -26,7 +26,7 @@ jobs:
             CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
 
     npm-release:
-        runs-on: ubuntu-20.04
+        runs-on: ubuntu-latest
         env:
             working-directory: ./npm
         needs:
@@ -83,7 +83,7 @@ jobs:
                   NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
     goreleaser:
-        runs-on: ubuntu-20.04
+        runs-on: ubuntu-latest
         needs: [cli-integration-tests]
         steps:
             - uses: actions/checkout@v3
@@ -103,11 +103,12 @@ jobs:
                   go-version: ">=1.19.3"
                   cache: true
                   cache-dependency-path: cli/go.sum
-            - name: libssl1.1 => libssl1.0-dev for OSXCross
+            - name: Setup for libssl1.0-dev
               run: |
                   echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
-                  sudo apt update && apt-cache policy libssl1.0-dev
-                  sudo apt-get install libssl1.0-dev
+                  sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
+                  sudo apt update
+                  sudo apt-get install -y libssl1.0-dev
             - name: OSXCross for CGO Support
               run: |
                   mkdir ../../osxcross

.github/workflows/release_docker_k8_operator.yaml

@@ -1,52 +1,103 @@
-name: Release image + Helm chart K8s Operator
+name: Release K8 Operator Docker Image
 on:
-  push:
-    tags:
-      - "infisical-k8-operator/v*.*.*"
+    push:
+        tags:
+            - "infisical-k8-operator/v*.*.*"
 
 jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical-k8-operator/}"
-      - uses: actions/checkout@v2
+    release-image:
+        name: Generate Helm Chart PR
+        runs-on: ubuntu-latest
+        outputs:
+            pr_number: ${{ steps.create-pr.outputs.pull-request-number }}
+        steps:
+            - name: Extract version from tag
+              id: extract_version
+              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical-k8-operator/}"
 
-      - name: 🔧 Set up QEMU
-        uses: docker/setup-qemu-action@v1
+            - name: Checkout code
+              uses: actions/checkout@v2
 
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+            # Dependency for helm generation
+            - name: Install Helm
+              uses: azure/setup-helm@v3
+              with:
+                  version: v3.10.0
 
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+            # Dependency for helm generation
+            - name: Install Go
+              uses: actions/setup-go@v4
+              with:
+                  go-version: 1.21
 
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          context: k8-operator
-          push: true
-          platforms: linux/amd64,linux/arm64
-          tags: |
-            infisical/kubernetes-operator:latest
-            infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}
+            # Install binaries for helm generation
+            - name: Install dependencies
+              working-directory: k8-operator
+              run: |
+                  make helmify
+                  make kustomize
+                  make controller-gen
 
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.10.0
-      - name: Install python
-        uses: actions/setup-python@v4
-      - name: Install Cloudsmith CLI
-        run: pip install --upgrade cloudsmith-cli
-      - name: Build and push helm package to Cloudsmith
-        run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
-        env:
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+            - name: Generate Helm Chart
+              working-directory: k8-operator
+              run: make helm
+
+            - name: Update Helm Chart Version
+              run: ./k8-operator/scripts/update-version.sh ${{ steps.extract_version.outputs.version }}
+
+            - name: Debug - Check file changes
+              run: |
+                  echo "Current git status:"
+                  git status
+                  echo ""
+                  echo "Modified files:"
+                  git diff --name-only
+
+                  # If there is no diff, exit with error. Version should always be changed, so if there is no diff, something is wrong and we should exit.
+                  if [ -z "$(git diff --name-only)" ]; then
+                    echo "No helm changes or version changes. Invalid release detected, Exiting."
+                    exit 1
+                  fi
+
+            - name: Create Helm Chart PR
+              id: create-pr
+              uses: peter-evans/create-pull-request@v5
+              with:
+                  token: ${{ secrets.GITHUB_TOKEN }}
+                  commit-message: "Update Helm chart to version ${{ steps.extract_version.outputs.version }}"
+                  committer: GitHub <noreply@github.com>
+                  author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
+                  branch: helm-update-${{ steps.extract_version.outputs.version }}
+                  delete-branch: true
+                  title: "Update Helm chart to version ${{ steps.extract_version.outputs.version }}"
+                  body: |
+                      This PR updates the Helm chart to version `${{ steps.extract_version.outputs.version }}`.
+                      Additionally the helm chart has been updated to match the latest operator code changes.
+
+                      Associated Release Workflow: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+
+                      Once you have approved this PR, you can trigger the helm release workflow manually.
+                  base: main
+
+            - name: 🔧 Set up QEMU
+              uses: docker/setup-qemu-action@v1
+
+            - name: 🔧 Set up Docker Buildx
+              uses: docker/setup-buildx-action@v1
+
+            - name: 🐋 Login to Docker Hub
+              uses: docker/login-action@v1
+              with:
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+            - name: Build and push
+              id: docker_build
+              uses: docker/build-push-action@v2
+              with:
+                  context: k8-operator
+                  push: true
+                  platforms: linux/amd64,linux/arm64
+                  tags: |
+                      infisical/kubernetes-operator:latest
+                      infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}

.github/workflows/run-backend-tests.yml

@@ -34,7 +34,10 @@ jobs:
         working-directory: backend
       - name: Start postgres and redis
         run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
-      - name: Start integration test
+      - name: Run unit test
+        run: npm run test:unit
+        working-directory: backend
+      - name: Run integration test
         run: npm run test:e2e
         working-directory: backend
         env:
@@ -44,4 +47,5 @@ jobs:
           ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
       - name: cleanup
         run: |
-          docker compose -f "docker-compose.dev.yml" down
+          docker compose -f "docker-compose.dev.yml" down
+

Dockerfile.fips.standalone-infisical

@@ -161,6 +161,9 @@ COPY --from=backend-runner /app /backend
 
 COPY --from=frontend-runner /app ./backend/frontend-build
 
+ARG INFISICAL_PLATFORM_VERSION
+ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+
 ENV PORT 8080
 ENV HOST=0.0.0.0
 ENV HTTPS_ENABLED false 

Dockerfile.standalone-infisical

@@ -3,13 +3,10 @@ ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
 ARG CAPTCHA_SITE_KEY=captcha-site-key
 
-FROM  node:20-alpine AS base
+FROM node:20-slim AS base
 
 FROM base AS frontend-dependencies
 
-# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
-RUN apk add --no-cache libc6-compat
-
 WORKDIR /app
 
 COPY frontend/package.json frontend/package-lock.json  ./
@@ -45,8 +42,8 @@ RUN npm run build
 FROM base AS frontend-runner
 WORKDIR /app
 
-RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 non-root-user
+RUN groupadd --system --gid 1001 nodejs
+RUN useradd --system --uid 1001 --gid nodejs non-root-user
 
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
 
@@ -56,21 +53,23 @@ USER non-root-user
 ## BACKEND
 ##
 FROM base AS backend-build
-RUN addgroup --system --gid 1001 nodejs \
-  && adduser --system --uid 1001 non-root-user
 
 WORKDIR /app
 
 # Install all required dependencies for build
-RUN apk --update add \
+RUN apt-get update && apt-get install -y \
     python3 \
     make \
     g++ \
     unixodbc \
-    freetds \
+    freetds-bin \
     unixodbc-dev \
     libc-dev \
-    freetds-dev
+    freetds-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd --system --gid 1001 nodejs
+RUN useradd --system --uid 1001 --gid nodejs non-root-user
 
 COPY backend/package*.json ./
 RUN npm ci --only-production
@@ -86,18 +85,19 @@ FROM base AS backend-runner
 WORKDIR /app
 
 # Install all required dependencies for runtime
-RUN apk --update add \
+RUN apt-get update && apt-get install -y \
     python3 \
     make \
     g++ \
     unixodbc \
-    freetds \
+    freetds-bin \
     unixodbc-dev \
     libc-dev \
-    freetds-dev
+    freetds-dev \
+    && rm -rf /var/lib/apt/lists/*
 
 # Configure ODBC
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
 COPY backend/package*.json ./
 RUN npm ci --only-production
@@ -109,34 +109,36 @@ RUN mkdir frontend-build
 # Production stage
 FROM base AS production
 
-RUN apk add --upgrade --no-cache ca-certificates
-RUN apk add --no-cache bash curl && curl -1sLf \
-  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
-  && apk add infisical=0.31.1 && apk add --no-cache git
-
-WORKDIR /
-
-# Install all required runtime dependencies
-RUN apk --update add \
+RUN apt-get update && apt-get install -y \
+    ca-certificates \
+    bash \
+    curl \
+    git \
     python3 \
     make \
     g++ \
     unixodbc \
-    freetds \
+    freetds-bin \
     unixodbc-dev \
     libc-dev \
     freetds-dev \
-    bash \
-    curl \
-    git \
-    openssh
+		wget \
+    openssh-client \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
+    && apt-get update && apt-get install -y infisical=0.31.1 \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /
 
 # Configure ODBC in production
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
 # Setup user permissions
-RUN addgroup --system --gid 1001 nodejs \
-  && adduser --system --uid 1001 non-root-user
+RUN groupadd --system --gid 1001 nodejs \
+  && useradd --system --uid 1001 --gid nodejs non-root-user
 
 # Give non-root-user permission to update SSL certs
 RUN chown -R non-root-user /etc/ssl/certs
@@ -154,11 +156,11 @@ ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
 ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
-
 COPY --from=backend-runner /app /backend
-
 COPY --from=frontend-runner /app ./backend/frontend-build
 
+ARG INFISICAL_PLATFORM_VERSION
+ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 
 ENV PORT 8080
 ENV HOST=0.0.0.0
@@ -166,6 +168,7 @@ ENV HTTPS_ENABLED false
 ENV NODE_ENV production
 ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
+
 WORKDIR /backend
 
 ENV TELEMETRY_ENABLED true

backend/Dockerfile

@@ -1,23 +1,22 @@
 # Build stage
-FROM node:20-alpine AS build
+FROM node:20-slim AS build
 
 WORKDIR /app
 
 # Required for pkcs11js
-RUN apk --update add \
-        python3 \
-        make \
-        g++ \
-        openssh
+RUN apt-get update && apt-get install -y \
+    python3 \
+    make \
+    g++ \
+    openssh-client
 
-# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
-RUN apk add --no-cache \
+# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apt-get install -y \
     unixodbc \
-    freetds \
+    freetds-bin \
+    freetds-dev \
     unixodbc-dev \
-    libc-dev \
-    freetds-dev
-
+    libc-dev
 
 COPY package*.json ./
 RUN npm ci --only-production
@@ -26,36 +25,36 @@ COPY . .
 RUN npm run build
 
 # Production stage
-FROM node:20-alpine
+FROM node:20-slim
 WORKDIR /app
 
 ENV npm_config_cache /home/node/.npm
 
 COPY package*.json ./
 
-RUN apk --update add \
-        python3 \
-        make \
-        g++
+RUN apt-get update && apt-get install -y \
+    python3 \
+    make \
+    g++
 
-# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
-RUN apk add --no-cache \
+# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apt-get install -y \
     unixodbc \
-    freetds \
+    freetds-bin \
+    freetds-dev \
     unixodbc-dev \
-    libc-dev \
-    freetds-dev
+    libc-dev
 
-
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
 RUN npm ci --only-production && npm cache clean --force
 
 COPY --from=build /app .
 
-RUN apk add --no-cache bash curl && curl -1sLf \
-  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
-  && apk add infisical=0.8.1 && apk add --no-cache git
+# Install Infisical CLI
+RUN apt-get install -y curl bash && \
+    curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
+    apt-get update && apt-get install -y infisical=0.8.1 git
 
 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
   CMD node healthcheck.js

backend/Dockerfile.dev

@@ -1,4 +1,4 @@
-FROM node:20-alpine
+FROM node:20-slim
 
 # ? Setup a test SoftHSM module. In production a real HSM is used.
 
@@ -7,32 +7,32 @@ ARG SOFTHSM2_VERSION=2.5.0
 ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
     SOFTHSM2_SOURCES=/tmp/softhsm2
 
-# install build dependencies including python3 (required for pkcs11js and partially TDS driver)
-RUN apk --update add \
-        alpine-sdk \
-        autoconf \
-        automake \
-        git \
-        libtool \
-        openssl-dev \
-        python3 \
-        make \
-        g++ \
-        openssh
+# Install build dependencies including python3 (required for pkcs11js and partially TDS driver)
+RUN apt-get update && apt-get install -y \
+    build-essential \
+    autoconf \
+    automake \
+    git \
+    libtool \
+    libssl-dev \
+    python3 \
+    make \
+    g++ \
+    openssh-client \
+    curl \
+    pkg-config
 
-# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
-RUN apk add --no-cache \
+# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apt-get install -y \
     unixodbc \
-    freetds \
     unixodbc-dev \
-    libc-dev \
-    freetds-dev
+    freetds-dev \
+    freetds-bin \
+    tdsodbc
 
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
-
-# build and install SoftHSM2
-
+# Build and install SoftHSM2
 RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
 WORKDIR ${SOFTHSM2_SOURCES}
 
@@ -45,16 +45,18 @@ RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
 WORKDIR /root
 RUN rm -fr ${SOFTHSM2_SOURCES}
 
-# install pkcs11-tool
-RUN apk --update add opensc
+# Install pkcs11-tool
+RUN apt-get install -y opensc
 
-RUN softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
+RUN mkdir -p /etc/softhsm2/tokens && \
+    softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
 
 # ? App setup
 
-RUN apk add --no-cache bash curl && curl -1sLf \
-  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
-  && apk add infisical=0.8.1 && apk add --no-cache git
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
+    apt-get update && \
+    apt-get install -y infisical=0.8.1
 
 WORKDIR /app
 

backend/e2e-test/vitest-environment-knex.ts

@@ -120,4 +120,3 @@ export default {
     };
   }
 };
-

backend/package.json

@@ -40,6 +40,7 @@
     "type:check": "tsc --noEmit",
     "lint:fix": "eslint --fix --ext js,ts ./src",
     "lint": "eslint 'src/**/*.ts'",
+    "test:unit": "vitest run -c vitest.unit.config.ts",
     "test:e2e": "vitest run -c vitest.e2e.config.ts --bail=1",
     "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
     "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
@@ -60,9 +61,17 @@
     "migration:status": "npm run auditlog-migration:status && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:status",
     "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./dist/db/knexfile.mjs migrate:rollback",
     "migration:unlock": "npm run auditlog-migration:unlock && knex --knexfile ./dist/db/knexfile.mjs migrate:unlock",
+    "migration:up-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
+    "migration:down-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
+    "migration:list-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
+    "migration:latest-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
+    "migration:status-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
+    "migration:rollback-dev": "knex --knexfile ./src/db/knexfile.ts migrate:rollback",
+    "migration:unlock-dev": "knex --knexfile ./src/db/knexfile.ts migrate:unlock",
     "migrate:org": "tsx ./scripts/migrate-organization.ts",
     "seed:new": "tsx ./scripts/create-seed-file.ts",
     "seed": "knex --knexfile ./dist/db/knexfile.ts --client pg seed:run",
+    "seed-dev": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
     "db:reset": "npm run migration:rollback -- --all && npm run migration:latest"
   },
   "keywords": [],
@@ -138,17 +147,18 @@
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
     "@google-cloud/kms": "^4.5.0",
-    "@node-saml/passport-saml": "^4.0.4",
+    "@infisical/quic": "^1.0.8",
+    "@node-saml/passport-saml": "^5.0.1",
     "@octokit/auth-app": "^7.1.1",
     "@octokit/plugin-retry": "^5.0.5",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",
     "@octopusdeploy/api-client": "^3.4.1",
     "@opentelemetry/api": "^1.9.0",
-    "@opentelemetry/auto-instrumentations-node": "^0.53.0",
     "@opentelemetry/exporter-metrics-otlp-proto": "^0.55.0",
     "@opentelemetry/exporter-prometheus": "^0.55.0",
     "@opentelemetry/instrumentation": "^0.55.0",
+    "@opentelemetry/instrumentation-http": "^0.57.2",
     "@opentelemetry/resources": "^1.28.0",
     "@opentelemetry/sdk-metrics": "^1.28.0",
     "@opentelemetry/semantic-conventions": "^1.27.0",
@@ -169,6 +179,7 @@
     "cassandra-driver": "^4.7.2",
     "connect-redis": "^7.1.1",
     "cron": "^3.1.7",
+    "dd-trace": "^5.40.0",
     "dotenv": "^16.4.1",
     "fastify": "^4.28.1",
     "fastify-plugin": "^4.5.1",
@@ -177,6 +188,7 @@
     "handlebars": "^4.7.8",
     "hdb": "^0.19.10",
     "ioredis": "^5.3.2",
+    "isomorphic-dompurify": "^2.22.0",
     "jmespath": "^0.16.0",
     "jsonwebtoken": "^9.0.2",
     "jsrp": "^0.2.4",

backend/src/@types/fastify-request-context.d.ts

@@ -1,7 +0,0 @@
-import "@fastify/request-context";
-
-declare module "@fastify/request-context" {
-  interface RequestContextData {
-    reqId: string;
-  }
-}

backend/src/@types/fastify.d.ts

@@ -100,6 +100,13 @@ import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integ
 declare module "@fastify/request-context" {
   interface RequestContextData {
     reqId: string;
+    identityAuthInfo?: {
+      identityId: string;
+      oidc?: {
+        claims: Record<string, string>;
+      };
+    };
+    identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
   }
 }
 

backend/src/db/knexfile.ts

@@ -39,7 +39,7 @@ export default {
     },
     migrations: {
       tableName: "infisical_migrations",
-      loadExtensions: [".mjs"]
+      loadExtensions: [".mjs", ".ts"]
     }
   },
   production: {
@@ -64,7 +64,7 @@ export default {
     },
     migrations: {
       tableName: "infisical_migrations",
-      loadExtensions: [".mjs"]
+      loadExtensions: [".mjs", ".ts"]
     }
   }
 } as Knex.Config;

backend/src/db/migrations/20250212191958_create-gateway.ts

@@ -85,7 +85,7 @@ export async function up(knex: Knex): Promise<void> {
   }
 
   if (await knex.schema.hasTable(TableName.DynamicSecret)) {
-    const doesGatewayColExist = await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId");
+    const doesGatewayColExist = await knex.schema.hasColumn(TableName.DynamicSecret, "projectGatewayId");
     await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
       // not setting a foreign constraint so that cascade effects are not triggered
       if (!doesGatewayColExist) {

backend/src/db/migrations/20250226021631_secret-requests.ts

@@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { SecretSharingType } from "@app/services/secret-sharing/secret-sharing-types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasSharingTypeColumn = await knex.schema.hasColumn(TableName.SecretSharing, "type");
+
+  await knex.schema.alterTable(TableName.SecretSharing, (table) => {
+    if (!hasSharingTypeColumn) {
+      table.string("type", 32).defaultTo(SecretSharingType.Share).notNullable();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasSharingTypeColumn = await knex.schema.hasColumn(TableName.SecretSharing, "type");
+
+  await knex.schema.alterTable(TableName.SecretSharing, (table) => {
+    if (hasSharingTypeColumn) {
+      table.dropColumn("type");
+    }
+  });
+}

backend/src/db/migrations/20250226082254_add-gov-banner-and-consent-fields.ts

@@ -0,0 +1,31 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasAuthConsentContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "authConsentContent");
+  const hasPageFrameContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "pageFrameContent");
+  if (await knex.schema.hasTable(TableName.SuperAdmin)) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      if (!hasAuthConsentContentCol) {
+        t.text("authConsentContent");
+      }
+      if (!hasPageFrameContentCol) {
+        t.text("pageFrameContent");
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasAuthConsentContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "authConsentContent");
+  const hasPageFrameContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "pageFrameContent");
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (hasAuthConsentContentCol) {
+      t.dropColumn("authConsentContent");
+    }
+    if (hasPageFrameContentCol) {
+      t.dropColumn("pageFrameContent");
+    }
+  });
+}

backend/src/db/migrations/20250228022604_increase-secret-reminder-note-max-length.ts

@@ -0,0 +1,35 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  for await (const tableName of [
+    TableName.SecretV2,
+    TableName.SecretVersionV2,
+    TableName.SecretApprovalRequestSecretV2
+  ]) {
+    const hasReminderNoteCol = await knex.schema.hasColumn(tableName, "reminderNote");
+
+    if (hasReminderNoteCol) {
+      await knex.schema.alterTable(tableName, (t) => {
+        t.string("reminderNote", 1024).alter();
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  for await (const tableName of [
+    TableName.SecretV2,
+    TableName.SecretVersionV2,
+    TableName.SecretApprovalRequestSecretV2
+  ]) {
+    const hasReminderNoteCol = await knex.schema.hasColumn(tableName, "reminderNote");
+
+    if (hasReminderNoteCol) {
+      await knex.schema.alterTable(tableName, (t) => {
+        t.string("reminderNote").alter();
+      });
+    }
+  }
+}

backend/src/db/migrations/20250303213350_add-folder-description.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasProjectDescription = await knex.schema.hasColumn(TableName.SecretFolder, "description");
+
+  if (!hasProjectDescription) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.string("description");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasProjectDescription = await knex.schema.hasColumn(TableName.SecretFolder, "description");
+
+  if (hasProjectDescription) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.dropColumn("description");
+    });
+  }
+}

backend/src/db/migrations/20250305080145_add-secret-review-comment.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "comment"))) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (t) => {
+      t.string("comment");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "comment")) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (t) => {
+      t.dropColumn("comment");
+    });
+  }
+}

backend/src/db/migrations/20250305131152_add-actor-id-to-secret-versions-v2.ts

@@ -0,0 +1,45 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
+    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
+    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
+    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
+
+    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
+      if (!hasSecretVersionV2UserActorId) {
+        t.uuid("userActorId");
+        t.foreign("userActorId").references("id").inTable(TableName.Users);
+      }
+      if (!hasSecretVersionV2IdentityActorId) {
+        t.uuid("identityActorId");
+        t.foreign("identityActorId").references("id").inTable(TableName.Identity);
+      }
+      if (!hasSecretVersionV2ActorType) {
+        t.string("actorType");
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
+    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
+    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
+    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
+
+    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
+      if (hasSecretVersionV2UserActorId) {
+        t.dropColumn("userActorId");
+      }
+      if (hasSecretVersionV2IdentityActorId) {
+        t.dropColumn("identityActorId");
+      }
+      if (hasSecretVersionV2ActorType) {
+        t.dropColumn("actorType");
+      }
+    });
+  }
+}

backend/src/db/migrations/20250311105617_add-share-to-anyone-setting-to-organizations.ts

@@ -0,0 +1,32 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Organization)) {
+    const hasSecretShareToAnyoneCol = await knex.schema.hasColumn(
+      TableName.Organization,
+      "allowSecretSharingOutsideOrganization"
+    );
+
+    if (!hasSecretShareToAnyoneCol) {
+      await knex.schema.alterTable(TableName.Organization, (t) => {
+        t.boolean("allowSecretSharingOutsideOrganization").defaultTo(true);
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Organization)) {
+    const hasSecretShareToAnyoneCol = await knex.schema.hasColumn(
+      TableName.Organization,
+      "allowSecretSharingOutsideOrganization"
+    );
+    if (hasSecretShareToAnyoneCol) {
+      await knex.schema.alterTable(TableName.Organization, (t) => {
+        t.dropColumn("allowSecretSharingOutsideOrganization");
+      });
+    }
+  }
+}

backend/src/db/migrations/20250314145202_identity-oidc-claim-mapping.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasMappingField = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "claimMetadataMapping");
+  if (!hasMappingField) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      t.jsonb("claimMetadataMapping");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasMappingField = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "claimMetadataMapping");
+  if (hasMappingField) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      t.dropColumn("claimMetadataMapping");
+    });
+  }
+}

backend/src/db/migrations/20250317101525_add-instance-admin-mi.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas/models";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SuperAdmin, "adminIdentityIds"))) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.specificType("adminIdentityIds", "text[]");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SuperAdmin, "adminIdentityIds")) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.dropColumn("adminIdentityIds");
+    });
+  }
+}

backend/src/db/migrations/20250319134021_recursive-folder-index.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesParentColumExist = await knex.schema.hasColumn(TableName.SecretFolder, "parentId");
+  const doesNameColumnExist = await knex.schema.hasColumn(TableName.SecretFolder, "name");
+  if (doesParentColumExist && doesNameColumnExist) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.index(["parentId", "name"]);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesParentColumExist = await knex.schema.hasColumn(TableName.SecretFolder, "parentId");
+  const doesNameColumnExist = await knex.schema.hasColumn(TableName.SecretFolder, "name");
+  if (doesParentColumExist && doesNameColumnExist) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.dropIndex(["parentId", "name"]);
+    });
+  }
+}

backend/src/db/migrations/20250321100157_k8s-self-reviewer-jwt.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasReviewerJwtCol = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "encryptedKubernetesTokenReviewerJwt"
+  );
+  if (hasReviewerJwtCol) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.binary("encryptedKubernetesTokenReviewerJwt").nullable().alter();
+    });
+  }
+}
+
+export async function down(): Promise<void> {
+  // we can't make it back to non nullable, it will fail
+}

backend/src/db/migrations/20250324142102_add-self-approvals-to-secret-approval-policies.ts

@@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas/models";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "allowedSelfApprovals"))) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.boolean("allowedSelfApprovals").notNullable().defaultTo(true);
+    });
+  }
+  if (!(await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "allowedSelfApprovals"))) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.boolean("allowedSelfApprovals").notNullable().defaultTo(true);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "allowedSelfApprovals")) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.dropColumn("allowedSelfApprovals");
+    });
+  }
+  if (await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "allowedSelfApprovals")) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.dropColumn("allowedSelfApprovals");
+    });
+  }
+}

backend/src/db/schemas/access-approval-policies.ts

@@ -16,7 +16,8 @@ export const AccessApprovalPoliciesSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   enforcementLevel: z.string().default("hard"),
-  deletedAt: z.date().nullable().optional()
+  deletedAt: z.date().nullable().optional(),
+  allowedSelfApprovals: z.boolean().default(true)
 });
 
 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -28,7 +28,7 @@ export const IdentityKubernetesAuthsSchema = z.object({
   allowedNamespaces: z.string(),
   allowedNames: z.string(),
   allowedAudience: z.string(),
-  encryptedKubernetesTokenReviewerJwt: zodBuffer,
+  encryptedKubernetesTokenReviewerJwt: zodBuffer.nullable().optional(),
   encryptedKubernetesCaCertificate: zodBuffer.nullable().optional()
 });
 

backend/src/db/schemas/identity-oidc-auths.ts

@@ -26,7 +26,8 @@ export const IdentityOidcAuthsSchema = z.object({
   boundSubject: z.string().nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  encryptedCaCertificate: zodBuffer.nullable().optional()
+  encryptedCaCertificate: zodBuffer.nullable().optional(),
+  claimMetadataMapping: z.unknown().nullable().optional()
 });
 
 export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>;

backend/src/db/schemas/organizations.ts

@@ -22,7 +22,8 @@ export const OrganizationsSchema = z.object({
   kmsEncryptedDataKey: zodBuffer.nullable().optional(),
   defaultMembershipRole: z.string().default("member"),
   enforceMfa: z.boolean().default(false),
-  selectedMfaMethod: z.string().nullable().optional()
+  selectedMfaMethod: z.string().nullable().optional(),
+  allowSecretSharingOutsideOrganization: z.boolean().default(true).nullable().optional()
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/db/schemas/secret-approval-policies.ts

@@ -16,7 +16,8 @@ export const SecretApprovalPoliciesSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   enforcementLevel: z.string().default("hard"),
-  deletedAt: z.date().nullable().optional()
+  deletedAt: z.date().nullable().optional(),
+  allowedSelfApprovals: z.boolean().default(true)
 });
 
 export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;

backend/src/db/schemas/secret-approval-requests-reviewers.ts

@@ -13,7 +13,8 @@ export const SecretApprovalRequestsReviewersSchema = z.object({
   requestId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  reviewerUserId: z.string().uuid()
+  reviewerUserId: z.string().uuid(),
+  comment: z.string().nullable().optional()
 });
 
 export type TSecretApprovalRequestsReviewers = z.infer<typeof SecretApprovalRequestsReviewersSchema>;

backend/src/db/schemas/secret-folders.ts

@@ -15,7 +15,8 @@ export const SecretFoldersSchema = z.object({
   updatedAt: z.date(),
   envId: z.string().uuid(),
   parentId: z.string().uuid().nullable().optional(),
-  isReserved: z.boolean().default(false).nullable().optional()
+  isReserved: z.boolean().default(false).nullable().optional(),
+  description: z.string().nullable().optional()
 });
 
 export type TSecretFolders = z.infer<typeof SecretFoldersSchema>;

backend/src/db/schemas/secret-sharing.ts

@@ -26,7 +26,8 @@ export const SecretSharingSchema = z.object({
   lastViewedAt: z.date().nullable().optional(),
   password: z.string().nullable().optional(),
   encryptedSecret: zodBuffer.nullable().optional(),
-  identifier: z.string().nullable().optional()
+  identifier: z.string().nullable().optional(),
+  type: z.string().default("share")
 });
 
 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;

backend/src/db/schemas/secret-versions-v2.ts

@@ -25,7 +25,10 @@ export const SecretVersionsV2Schema = z.object({
   folderId: z.string().uuid(),
   userId: z.string().uuid().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  userActorId: z.string().uuid().nullable().optional(),
+  identityActorId: z.string().uuid().nullable().optional(),
+  actorType: z.string().nullable().optional()
 });
 
 export type TSecretVersionsV2 = z.infer<typeof SecretVersionsV2Schema>;

backend/src/db/schemas/super-admin.ts

@@ -23,7 +23,10 @@ export const SuperAdminSchema = z.object({
   defaultAuthOrgId: z.string().uuid().nullable().optional(),
   enabledLoginMethods: z.string().array().nullable().optional(),
   encryptedSlackClientId: zodBuffer.nullable().optional(),
-  encryptedSlackClientSecret: zodBuffer.nullable().optional()
+  encryptedSlackClientSecret: zodBuffer.nullable().optional(),
+  authConsentContent: z.string().nullable().optional(),
+  pageFrameContent: z.string().nullable().optional(),
+  adminIdentityIds: z.string().array().nullable().optional()
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -29,7 +29,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
           .array()
           .min(1, { message: "At least one approver should be provided" }),
         approvals: z.number().min(1).default(1),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+        allowedSelfApprovals: z.boolean().default(true)
       }),
       response: {
         200: z.object({
@@ -147,7 +148,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
           .array()
           .min(1, { message: "At least one approver should be provided" }),
         approvals: z.number().min(1).optional(),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+        allowedSelfApprovals: z.boolean().default(true)
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -110,7 +110,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
               secretPath: z.string().nullish(),
               envId: z.string(),
               enforcementLevel: z.string(),
-              deletedAt: z.date().nullish()
+              deletedAt: z.date().nullish(),
+              allowedSelfApprovals: z.boolean()
             }),
             reviewers: z
               .object({

backend/src/ee/routes/v1/dynamic-secret-lease-router.ts

@@ -1,10 +1,10 @@
-import ms from "ms";
 import { z } from "zod";
 
 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
 import { DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";

backend/src/ee/routes/v1/dynamic-secret-router.ts

@@ -1,4 +1,3 @@
-import ms from "ms";
 import { z } from "zod";
 
 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
@@ -6,6 +5,7 @@ import { DynamicSecretProviderSchema } from "@app/ee/services/dynamic-secret/pro
 import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";

backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts

@@ -1,11 +1,11 @@
 import slugify from "@sindresorhus/slugify";
-import ms from "ms";
 import { z } from "zod";
 
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
 import { backfillPermissionV1SchemaToV2Schema } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { UnauthorizedError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";

backend/src/ee/routes/v1/kmip-router.ts

@@ -1,10 +1,10 @@
-import ms from "ms";
 import { z } from "zod";
 
 import { KmipClientsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { KmipPermission } from "@app/ee/services/kmip/kmip-enum";
 import { KmipClientOrderBy } from "@app/ee/services/kmip/kmip-types";
+import { ms } from "@app/lib/ms";
 import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";

backend/src/ee/routes/v1/saml-router.ts

@@ -25,7 +25,7 @@ type TSAMLConfig = {
   callbackUrl: string;
   entryPoint: string;
   issuer: string;
-  cert: string;
+  idpCert: string;
   audience: string;
   wantAuthnResponseSigned?: boolean;
   wantAssertionsSigned?: boolean;
@@ -72,7 +72,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
               callbackUrl: `${appCfg.SITE_URL}/api/v1/sso/saml2/${ssoConfig.id}`,
               entryPoint: ssoConfig.entryPoint,
               issuer: ssoConfig.issuer,
-              cert: ssoConfig.cert,
+              idpCert: ssoConfig.cert,
               audience: appCfg.SITE_URL || ""
             };
             if (ssoConfig.authProvider === SamlProviders.JUMPCLOUD_SAML) {
@@ -302,15 +302,21 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const saml = await server.services.saml.createSamlCfg({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        orgId: req.body.organizationId,
-        ...req.body
+      const { isActive, authProvider, issuer, entryPoint, cert } = req.body;
+      const { permission } = req;
+
+      return server.services.saml.createSamlCfg({
+        isActive,
+        authProvider,
+        issuer,
+        entryPoint,
+        idpCert: cert,
+        actor: permission.type,
+        actorId: permission.id,
+        actorAuthMethod: permission.authMethod,
+        actorOrgId: permission.orgId,
+        orgId: req.body.organizationId
       });
-      return saml;
     }
   });
 
@@ -337,15 +343,21 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const saml = await server.services.saml.updateSamlCfg({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        orgId: req.body.organizationId,
-        ...req.body
+      const { isActive, authProvider, issuer, entryPoint, cert } = req.body;
+      const { permission } = req;
+
+      return server.services.saml.updateSamlCfg({
+        isActive,
+        authProvider,
+        issuer,
+        entryPoint,
+        idpCert: cert,
+        actor: permission.type,
+        actorId: permission.id,
+        actorAuthMethod: permission.authMethod,
+        actorOrgId: permission.orgId,
+        orgId: req.body.organizationId
       });
-      return saml;
     }
   });
 };

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -35,7 +35,8 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
           .array()
           .min(1, { message: "At least one approver should be provided" }),
         approvals: z.number().min(1).default(1),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+        allowedSelfApprovals: z.boolean().default(true)
       }),
       response: {
         200: z.object({
@@ -85,7 +86,8 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
           .nullable()
           .transform((val) => (val ? removeTrailingSlash(val) : val))
           .transform((val) => (val === "" ? "/" : val)),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).optional()
+        enforcementLevel: z.nativeEnum(EnforcementLevel).optional(),
+        allowedSelfApprovals: z.boolean().default(true)
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -1,16 +1,11 @@
 import { z } from "zod";
 
-import {
-  SecretApprovalRequestsReviewersSchema,
-  SecretApprovalRequestsSchema,
-  SecretTagsSchema,
-  UsersSchema
-} from "@app/db/schemas";
+import { SecretApprovalRequestsReviewersSchema, SecretApprovalRequestsSchema, UsersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApprovalStatus, RequestState } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
+import { SanitizedTagSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
@@ -54,7 +49,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 .array(),
               secretPath: z.string().optional().nullable(),
               enforcementLevel: z.string(),
-              deletedAt: z.date().nullish()
+              deletedAt: z.date().nullish(),
+              allowedSelfApprovals: z.boolean()
             }),
             committerUser: approvalRequestUser,
             commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
@@ -159,7 +155,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
         id: z.string()
       }),
       body: z.object({
-        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED])
+        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED]),
+        comment: z.string().optional()
       }),
       response: {
         200: z.object({
@@ -175,8 +172,25 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         approvalId: req.params.id,
-        status: req.body.status
+        status: req.body.status,
+        comment: req.body.comment
       });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: review.projectId,
+        event: {
+          type: EventType.SECRET_APPROVAL_REQUEST_REVIEW,
+          metadata: {
+            secretApprovalRequestId: review.requestId,
+            reviewedBy: review.reviewerUserId,
+            status: review.status as ApprovalStatus,
+            comment: review.comment || ""
+          }
+        }
+      });
+
       return { review };
     }
   });
@@ -232,15 +246,6 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
     }
   });
 
-  const tagSchema = SecretTagsSchema.pick({
-    id: true,
-    slug: true,
-    name: true,
-    color: true
-  })
-    .array()
-    .optional();
-
   server.route({
     method: "GET",
     url: "/:id",
@@ -263,18 +268,19 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 approvers: approvalRequestUser.array(),
                 secretPath: z.string().optional().nullable(),
                 enforcementLevel: z.string(),
-                deletedAt: z.date().nullish()
+                deletedAt: z.date().nullish(),
+                allowedSelfApprovals: z.boolean()
               }),
               environment: z.string(),
               statusChangedByUser: approvalRequestUser.optional(),
               committerUser: approvalRequestUser,
-              reviewers: approvalRequestUser.extend({ status: z.string() }).array(),
+              reviewers: approvalRequestUser.extend({ status: z.string(), comment: z.string().optional() }).array(),
               secretPath: z.string(),
               commits: secretRawSchema
                 .omit({ _id: true, environment: true, workspace: true, type: true, version: true })
                 .extend({
                   op: z.string(),
-                  tags: tagSchema,
+                  tags: SanitizedTagSchema.array().optional(),
                   secretMetadata: ResourceMetadataSchema.nullish(),
                   secret: z
                     .object({
@@ -293,7 +299,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                       secretKey: z.string(),
                       secretValue: z.string().optional(),
                       secretComment: z.string().optional(),
-                      tags: tagSchema,
+                      tags: SanitizedTagSchema.array().optional(),
                       secretMetadata: ResourceMetadataSchema.nullish()
                     })
                     .optional()

backend/src/ee/routes/v1/secret-router.ts

@@ -1,6 +1,6 @@
 import z from "zod";
 
-import { ProjectPermissionActions } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionSecretActions } from "@app/ee/services/permission/project-permission";
 import { RAW_SECRETS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit } from "@app/server/config/rateLimiter";
@@ -9,7 +9,7 @@ import { AuthMode } from "@app/services/auth/auth-type";
 
 const AccessListEntrySchema = z
   .object({
-    allowedActions: z.nativeEnum(ProjectPermissionActions).array(),
+    allowedActions: z.nativeEnum(ProjectPermissionSecretActions).array(),
     id: z.string(),
     membershipId: z.string(),
     name: z.string()

backend/src/ee/routes/v1/secret-version-router.ts

@@ -22,7 +22,11 @@ export const registerSecretVersionRouter = async (server: FastifyZodProvider) =>
       }),
       response: {
         200: z.object({
-          secretVersions: secretRawSchema.array()
+          secretVersions: secretRawSchema
+            .extend({
+              secretValueHidden: z.boolean()
+            })
+            .array()
         })
       }
     },
@@ -37,6 +41,7 @@ export const registerSecretVersionRouter = async (server: FastifyZodProvider) =>
         offset: req.query.offset,
         secretId: req.params.secretId
       });
+
       return { secretVersions };
     }
   });

backend/src/ee/routes/v1/snapshot-router.ts

@@ -1,10 +1,10 @@
 import { z } from "zod";
 
-import { SecretSnapshotsSchema, SecretTagsSchema } from "@app/db/schemas";
+import { SecretSnapshotsSchema } from "@app/db/schemas";
 import { PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
+import { SanitizedTagSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
@@ -31,13 +31,9 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
             secretVersions: secretRawSchema
               .omit({ _id: true, environment: true, workspace: true, type: true })
               .extend({
+                secretValueHidden: z.boolean(),
                 secretId: z.string(),
-                tags: SecretTagsSchema.pick({
-                  id: true,
-                  slug: true,
-                  name: true,
-                  color: true
-                }).array()
+                tags: SanitizedTagSchema.array()
               })
               .array(),
             folderVersion: z.object({ id: z.string(), name: z.string() }).array(),
@@ -56,6 +52,7 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
         actorOrgId: req.permission.orgId,
         id: req.params.secretSnapshotId
       });
+
       return { secretSnapshot };
     }
   });

backend/src/ee/routes/v1/ssh-certificate-router.ts

@@ -1,13 +1,15 @@
-import ms from "ms";
 import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
 import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
 import { writeLimit } from "@app/server/config/rateLimiter";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 export const registerSshCertRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -73,6 +75,16 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
         }
       });
 
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.SignSshKey,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          certificateTemplateId: req.body.certificateTemplateId,
+          principals: req.body.principals,
+          ...req.auditLogInfo
+        }
+      });
+
       return {
         serialNumber,
         signedKey: signedPublicKey
@@ -152,6 +164,16 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
         }
       });
 
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.IssueSshCreds,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          certificateTemplateId: req.body.certificateTemplateId,
+          principals: req.body.principals,
+          ...req.auditLogInfo
+        }
+      });
+
       return {
         serialNumber,
         signedKey: signedPublicKey,

backend/src/ee/routes/v1/ssh-certificate-template-router.ts

@@ -1,5 +1,4 @@
 import slugify from "@sindresorhus/slugify";
-import ms from "ms";
 import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
@@ -10,6 +9,7 @@ import {
   isValidUserPattern
 } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-validators";
 import { SSH_CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

backend/src/ee/routes/v1/user-additional-privilege-router.ts

@@ -1,10 +1,11 @@
 import slugify from "@sindresorhus/slugify";
-import ms from "ms";
 import { z } from "zod";
 
+import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-types";
 import { PROJECT_USER_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
@@ -23,7 +24,9 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
       body: z.object({
         projectMembershipId: z.string().min(1).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.projectMembershipId),
         slug: slugSchema({ min: 1, max: 60 }).optional().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions),
+        permissions: ProjectPermissionV2Schema.array()
+          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions)
+          .refine(checkForInvalidPermissionCombination),
         type: z.discriminatedUnion("isTemporary", [
           z.object({
             isTemporary: z.literal(false)
@@ -81,7 +84,8 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
           slug: slugSchema({ min: 1, max: 60 }).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.slug),
           permissions: ProjectPermissionV2Schema.array()
             .optional()
-            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
+            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.permissions)
+            .refine(checkForInvalidPermissionCombination),
           type: z.discriminatedUnion("isTemporary", [
             z.object({ isTemporary: z.literal(false).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary) }),
             z.object({

backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts

@@ -1,10 +1,11 @@
 import slugify from "@sindresorhus/slugify";
-import ms from "ms";
 import { z } from "zod";
 
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-types";
+import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
@@ -30,7 +31,9 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
         identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.identityId),
         projectId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.projectId),
         slug: slugSchema({ min: 1, max: 60 }).optional().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.slug),
-        permissions: ProjectPermissionV2Schema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.permission),
+        permissions: ProjectPermissionV2Schema.array()
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.permission)
+          .refine(checkForInvalidPermissionCombination),
         type: z.discriminatedUnion("isTemporary", [
           z.object({
             isTemporary: z.literal(false)
@@ -94,7 +97,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
         slug: slugSchema({ min: 1, max: 60 }).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.slug),
         permissions: ProjectPermissionV2Schema.array()
           .optional()
-          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.privilegePermission),
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.privilegePermission)
+          .refine(checkForInvalidPermissionCombination),
         type: z.discriminatedUnion("isTemporary", [
           z.object({ isTemporary: z.literal(false).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.isTemporary) }),
           z.object({

backend/src/ee/routes/v2/project-role-router.ts

@@ -2,6 +2,7 @@ import { packRules } from "@casl/ability/extra";
 import { z } from "zod";
 
 import { ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
+import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -37,7 +38,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
           .describe(PROJECT_ROLE.CREATE.slug),
         name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
         description: z.string().trim().nullish().describe(PROJECT_ROLE.CREATE.description),
-        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.CREATE.permissions)
+        permissions: ProjectPermissionV2Schema.array()
+          .describe(PROJECT_ROLE.CREATE.permissions)
+          .refine(checkForInvalidPermissionCombination)
       }),
       response: {
         200: z.object({
@@ -92,7 +95,10 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
           .describe(PROJECT_ROLE.UPDATE.slug),
         name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
         description: z.string().trim().nullish().describe(PROJECT_ROLE.UPDATE.description),
-        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
+        permissions: ProjectPermissionV2Schema.array()
+          .describe(PROJECT_ROLE.UPDATE.permissions)
+          .optional()
+          .superRefine(checkForInvalidPermissionCombination)
       }),
       response: {
         200: z.object({

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -65,7 +65,8 @@ export const accessApprovalPolicyServiceFactory = ({
     approvers,
     projectSlug,
     environment,
-    enforcementLevel
+    enforcementLevel,
+    allowedSelfApprovals
   }: TCreateAccessApprovalPolicy) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -153,7 +154,8 @@ export const accessApprovalPolicyServiceFactory = ({
           approvals,
           secretPath,
           name,
-          enforcementLevel
+          enforcementLevel,
+          allowedSelfApprovals
         },
         tx
       );
@@ -216,7 +218,8 @@ export const accessApprovalPolicyServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     approvals,
-    enforcementLevel
+    enforcementLevel,
+    allowedSelfApprovals
   }: TUpdateAccessApprovalPolicy) => {
     const groupApprovers = approvers
       .filter((approver) => approver.type === ApproverType.Group)
@@ -262,7 +265,8 @@ export const accessApprovalPolicyServiceFactory = ({
           approvals,
           secretPath,
           name,
-          enforcementLevel
+          enforcementLevel,
+          allowedSelfApprovals
         },
         tx
       );

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -26,6 +26,7 @@ export type TCreateAccessApprovalPolicy = {
   projectSlug: string;
   name: string;
   enforcementLevel: EnforcementLevel;
+  allowedSelfApprovals: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateAccessApprovalPolicy = {
@@ -35,6 +36,7 @@ export type TUpdateAccessApprovalPolicy = {
   secretPath?: string;
   name?: string;
   enforcementLevel?: EnforcementLevel;
+  allowedSelfApprovals: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteAccessApprovalPolicy = {

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -61,6 +61,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
           db.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
           db.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
+          db.ref("allowedSelfApprovals").withSchema(TableName.AccessApprovalPolicy).as("policyAllowedSelfApprovals"),
           db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId"),
           db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
         )
@@ -119,6 +120,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             approvals: doc.policyApprovals,
             secretPath: doc.policySecretPath,
             enforcementLevel: doc.policyEnforcementLevel,
+            allowedSelfApprovals: doc.policyAllowedSelfApprovals,
             envId: doc.policyEnvId,
             deletedAt: doc.policyDeletedAt
           },
@@ -254,6 +256,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("slug").withSchema(TableName.Environment).as("environment"),
         tx.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
         tx.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
+        tx.ref("allowedSelfApprovals").withSchema(TableName.AccessApprovalPolicy).as("policyAllowedSelfApprovals"),
         tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
         tx.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
       );
@@ -275,6 +278,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             approvals: el.policyApprovals,
             secretPath: el.policySecretPath,
             enforcementLevel: el.policyEnforcementLevel,
+            allowedSelfApprovals: el.policyAllowedSelfApprovals,
             deletedAt: el.policyDeletedAt
           },
           requestedByUser: {

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -1,9 +1,10 @@
 import slugify from "@sindresorhus/slugify";
-import ms from "ms";
+import msFn from "ms";
 
 import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -246,7 +247,7 @@ export const accessApprovalRequestServiceFactory = ({
           requesterEmail: requestedByUser.email,
           isTemporary,
           ...(isTemporary && {
-            expiresIn: ms(ms(temporaryRange || ""), { long: true })
+            expiresIn: msFn(ms(temporaryRange || ""), { long: true })
           }),
           secretPath,
           environment: envSlug,
@@ -319,6 +320,11 @@ export const accessApprovalRequestServiceFactory = ({
         message: "The policy associated with this access request has been deleted."
       });
     }
+    if (!policy.allowedSelfApprovals && actorId === accessApprovalRequest.requestedByUserId) {
+      throw new BadRequestError({
+        message: "Failed to review access approval request. Users are not authorized to review their own request."
+      });
+    }
 
     const { membership, hasRole } = await permissionService.getProjectPermission({
       actor,

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -1,8 +1,10 @@
 import { ForbiddenError } from "@casl/ability";
+import { requestContext } from "@fastify/request-context";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
+import { ActorType } from "@app/services/auth/auth-type";
 
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
@@ -81,8 +83,12 @@ export const auditLogServiceFactory = ({
       if (!data.projectId && !data.orgId)
         throw new BadRequestError({ message: "Must specify either project id or org id" });
     }
-
-    return auditLogQueue.pushToLog(data);
+    const el = { ...data };
+    if (el.actor.type === ActorType.USER || el.actor.type === ActorType.IDENTITY) {
+      const permissionMetadata = requestContext.get("identityPermissionMetadata");
+      el.actor.metadata.permission = permissionMetadata;
+    }
+    return auditLogQueue.pushToLog(el);
   };
 
   return {

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -22,6 +22,7 @@ import {
 } from "@app/services/secret-sync/secret-sync-types";
 
 import { KmipPermission } from "../kmip/kmip-enum";
+import { ApprovalStatus } from "../secret-approval-request/secret-approval-request-types";
 
 export type TListProjectAuditLogDTO = {
   filter: {
@@ -165,6 +166,7 @@ export enum EventType {
   SECRET_APPROVAL_REQUEST = "secret-approval-request",
   SECRET_APPROVAL_CLOSED = "secret-approval-closed",
   SECRET_APPROVAL_REOPENED = "secret-approval-reopened",
+  SECRET_APPROVAL_REQUEST_REVIEW = "secret-approval-request-review",
   SIGN_SSH_KEY = "sign-ssh-key",
   ISSUE_SSH_CREDS = "issue-ssh-creds",
   CREATE_SSH_CA = "create-ssh-certificate-authority",
@@ -250,6 +252,7 @@ export enum EventType {
   UPDATE_APP_CONNECTION = "update-app-connection",
   DELETE_APP_CONNECTION = "delete-app-connection",
   CREATE_SHARED_SECRET = "create-shared-secret",
+  CREATE_SECRET_REQUEST = "create-secret-request",
   DELETE_SHARED_SECRET = "delete-shared-secret",
   READ_SHARED_SECRET = "read-shared-secret",
   GET_SECRET_SYNCS = "get-secret-syncs",
@@ -287,6 +290,7 @@ interface UserActorMetadata {
   userId: string;
   email?: string | null;
   username: string;
+  permission?: Record<string, unknown>;
 }
 
 interface ServiceActorMetadata {
@@ -297,6 +301,7 @@ interface ServiceActorMetadata {
 interface IdentityActorMetadata {
   identityId: string;
   name: string;
+  permission?: Record<string, unknown>;
 }
 
 interface ScimClientActorMetadata {}
@@ -975,6 +980,7 @@ interface AddIdentityOidcAuthEvent {
     boundIssuer: string;
     boundAudiences: string;
     boundClaims: Record<string, string>;
+    claimMetadataMapping: Record<string, string>;
     boundSubject: string;
     accessTokenTTL: number;
     accessTokenMaxTTL: number;
@@ -999,6 +1005,7 @@ interface UpdateIdentityOidcAuthEvent {
     boundIssuer?: string;
     boundAudiences?: string;
     boundClaims?: Record<string, string>;
+    claimMetadataMapping?: Record<string, string>;
     boundSubject?: string;
     accessTokenTTL?: number;
     accessTokenMaxTTL?: number;
@@ -1141,6 +1148,7 @@ interface CreateFolderEvent {
     folderId: string;
     folderName: string;
     folderPath: string;
+    description?: string;
   };
 }
 
@@ -1312,6 +1320,16 @@ interface SecretApprovalRequest {
   };
 }
 
+interface SecretApprovalRequestReview {
+  type: EventType.SECRET_APPROVAL_REQUEST_REVIEW;
+  metadata: {
+    secretApprovalRequestId: string;
+    reviewedBy: string;
+    status: ApprovalStatus;
+    comment: string;
+  };
+}
+
 interface SignSshKey {
   type: EventType.SIGN_SSH_KEY;
   metadata: {
@@ -2020,6 +2038,15 @@ interface CreateSharedSecretEvent {
   };
 }
 
+interface CreateSecretRequestEvent {
+  type: EventType.CREATE_SECRET_REQUEST;
+  metadata: {
+    id: string;
+    accessType: string;
+    name?: string;
+  };
+}
+
 interface DeleteSharedSecretEvent {
   type: EventType.DELETE_SHARED_SECRET;
   metadata: {
@@ -2470,4 +2497,6 @@ export type Event =
   | KmipOperationActivateEvent
   | KmipOperationRevokeEvent
   | KmipOperationLocateEvent
-  | KmipOperationRegisterEvent;
+  | KmipOperationRegisterEvent
+  | CreateSecretRequestEvent
+  | SecretApprovalRequestReview;

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,5 +1,4 @@
 import { ForbiddenError, subject } from "@casl/ability";
-import ms from "ms";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
@@ -11,6 +10,7 @@ import {
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
+import { ms } from "@app/lib/ms";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";

backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts

@@ -1,31 +1,51 @@
-import crypto from "node:crypto";
+import dns from "node:dns/promises";
+import net from "node:net";
 
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
+import { isPrivateIp } from "@app/lib/ip/ipRange";
 import { getDbConnectionHost } from "@app/lib/knex";
 
-export const verifyHostInputValidity = (host: string, isGateway = false) => {
+export const verifyHostInputValidity = async (host: string, isGateway = false) => {
   const appCfg = getConfig();
-  const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
-  // no need for validation when it's dev
-  if (appCfg.NODE_ENV === "development") return;
+  // if (appCfg.NODE_ENV === "development") return; // incase you want to remove this check in dev
 
-  if (host === "host.docker.internal") throw new BadRequestError({ message: "Invalid db host" });
+  const reservedHosts = [appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI)].concat(
+    (appCfg.DB_READ_REPLICAS || []).map((el) => getDbConnectionHost(el.DB_CONNECTION_URI)),
+    getDbConnectionHost(appCfg.REDIS_URL)
+  );
 
-  if (
-    appCfg.isCloud &&
-    !isGateway &&
-    // localhost
-    // internal ips
-    (host.match(/^10\.\d+\.\d+\.\d+/) || host.match(/^192\.168\.\d+\.\d+/))
-  )
-    throw new BadRequestError({ message: "Invalid db host" });
-
-  if (
-    host === "localhost" ||
-    host === "127.0.0.1" ||
-    (dbHost?.length === host.length && crypto.timingSafeEqual(Buffer.from(dbHost || ""), Buffer.from(host)))
-  ) {
-    throw new BadRequestError({ message: "Invalid db host" });
+  // get host db ip
+  const exclusiveIps: string[] = [];
+  for await (const el of reservedHosts) {
+    if (el) {
+      if (net.isIPv4(el)) {
+        exclusiveIps.push(el);
+      } else {
+        const resolvedIps = await dns.resolve4(el);
+        exclusiveIps.push(...resolvedIps);
+      }
+    }
   }
+
+  const normalizedHost = host.split(":")[0];
+  const inputHostIps: string[] = [];
+  if (net.isIPv4(host)) {
+    inputHostIps.push(host);
+  } else {
+    if (normalizedHost === "localhost" || normalizedHost === "host.docker.internal") {
+      throw new BadRequestError({ message: "Invalid db host" });
+    }
+    const resolvedIps = await dns.resolve4(host);
+    inputHostIps.push(...resolvedIps);
+  }
+
+  if (!isGateway) {
+    const isInternalIp = inputHostIps.some((el) => isPrivateIp(el));
+    if (isInternalIp) throw new BadRequestError({ message: "Invalid db host" });
+  }
+
+  const isAppUsedIps = inputHostIps.some((el) => exclusiveIps.includes(el));
+  if (isAppUsedIps) throw new BadRequestError({ message: "Invalid db host" });
+  return inputHostIps;
 };

backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts

@@ -13,6 +13,7 @@ import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
 import { BadRequestError } from "@app/lib/errors";
+import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { DynamicSecretAwsElastiCacheSchema, TDynamicProviderFns } from "./models";
 
@@ -144,6 +145,14 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
     // We can't return the parsed statements here because we need to use the handlebars template to generate the username and password, before we can use the parsed statements.
     CreateElastiCacheUserSchema.parse(JSON.parse(providerInputs.creationStatement));
     DeleteElasticCacheUserSchema.parse(JSON.parse(providerInputs.revocationStatement));
+    validateHandlebarTemplate("AWS ElastiCache creation", providerInputs.creationStatement, {
+      allowedExpressions: (val) => ["username", "password", "expiration"].includes(val)
+    });
+    if (providerInputs.revocationStatement) {
+      validateHandlebarTemplate("AWS ElastiCache revoke", providerInputs.revocationStatement, {
+        allowedExpressions: (val) => ["username"].includes(val)
+      });
+    }
 
     return providerInputs;
   };

backend/src/ee/services/dynamic-secret/providers/cassandra.ts

@@ -3,9 +3,10 @@ import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretCassandraSchema, TDynamicProviderFns } from "./models";
 
 const generatePassword = (size = 48) => {
@@ -20,14 +21,28 @@ const generateUsername = () => {
 export const CassandraProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretCassandraSchema.parseAsync(inputs);
-    if (providerInputs.host === "localhost" || providerInputs.host === "127.0.0.1") {
-      throw new BadRequestError({ message: "Invalid db host" });
+    const hostIps = await Promise.all(
+      providerInputs.host
+        .split(",")
+        .filter(Boolean)
+        .map((el) => verifyHostInputValidity(el).then((ip) => ip[0]))
+    );
+    validateHandlebarTemplate("Cassandra creation", providerInputs.creationStatement, {
+      allowedExpressions: (val) => ["username", "password", "expiration", "keyspace"].includes(val)
+    });
+    if (providerInputs.renewStatement) {
+      validateHandlebarTemplate("Cassandra renew", providerInputs.renewStatement, {
+        allowedExpressions: (val) => ["username", "expiration", "keyspace"].includes(val)
+      });
     }
+    validateHandlebarTemplate("Cassandra revoke", providerInputs.revocationStatement, {
+      allowedExpressions: (val) => ["username"].includes(val)
+    });
 
-    return providerInputs;
+    return { ...providerInputs, hostIps };
   };
 
-  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretCassandraSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretCassandraSchema> & { hostIps: string[] }) => {
     const sslOptions = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
     const client = new cassandra.Client({
       sslOptions,
@@ -40,7 +55,7 @@ export const CassandraProvider = (): TDynamicProviderFns => {
       },
       keyspace: providerInputs.keyspace,
       localDataCenter: providerInputs?.localDataCenter,
-      contactPoints: providerInputs.host.split(",").filter(Boolean)
+      contactPoints: providerInputs.hostIps
     });
     return client;
   };

backend/src/ee/services/dynamic-secret/providers/elastic-search.ts

@@ -19,15 +19,14 @@ const generateUsername = () => {
 export const ElasticSearchProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretElasticSearchSchema.parseAsync(inputs);
-    verifyHostInputValidity(providerInputs.host);
-
-    return providerInputs;
+    const [hostIp] = await verifyHostInputValidity(providerInputs.host);
+    return { ...providerInputs, hostIp };
   };
 
-  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretElasticSearchSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretElasticSearchSchema> & { hostIp: string }) => {
     const connection = new ElasticSearchClient({
       node: {
-        url: new URL(`${providerInputs.host}:${providerInputs.port}`),
+        url: new URL(`${providerInputs.hostIp}:${providerInputs.port}`),
         ...(providerInputs.ca && {
           ssl: {
             rejectUnauthorized: false,

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -1,5 +1,16 @@
 import { z } from "zod";
 
+export type PasswordRequirements = {
+  length: number;
+  required: {
+    lowercase: number;
+    uppercase: number;
+    digits: number;
+    symbols: number;
+  };
+  allowedSymbols?: string;
+};
+
 export enum SqlProviders {
   Postgres = "postgres",
   MySQL = "mysql2",
@@ -100,6 +111,28 @@ export const DynamicSecretSqlDBSchema = z.object({
   database: z.string().trim(),
   username: z.string().trim(),
   password: z.string().trim(),
+  passwordRequirements: z
+    .object({
+      length: z.number().min(1).max(250),
+      required: z
+        .object({
+          lowercase: z.number().min(0),
+          uppercase: z.number().min(0),
+          digits: z.number().min(0),
+          symbols: z.number().min(0)
+        })
+        .refine((data) => {
+          const total = Object.values(data).reduce((sum, count) => sum + count, 0);
+          return total <= 250;
+        }, "Sum of required characters cannot exceed 250"),
+      allowedSymbols: z.string().optional()
+    })
+    .refine((data) => {
+      const total = Object.values(data.required).reduce((sum, count) => sum + count, 0);
+      return total <= data.length;
+    }, "Sum of required characters cannot exceed the total length")
+    .optional()
+    .describe("Password generation requirements"),
   creationStatement: z.string().trim(),
   revocationStatement: z.string().trim(),
   renewStatement: z.string().trim().optional(),

backend/src/ee/services/dynamic-secret/providers/mongo-db.ts

@@ -19,15 +19,15 @@ const generateUsername = () => {
 export const MongoDBProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretMongoDBSchema.parseAsync(inputs);
-    verifyHostInputValidity(providerInputs.host);
-    return providerInputs;
+    const [hostIp] = await verifyHostInputValidity(providerInputs.host);
+    return { ...providerInputs, hostIp };
   };
 
-  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretMongoDBSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretMongoDBSchema> & { hostIp: string }) => {
     const isSrv = !providerInputs.port;
     const uri = isSrv
-      ? `mongodb+srv://${providerInputs.host}`
-      : `mongodb://${providerInputs.host}:${providerInputs.port}`;
+      ? `mongodb+srv://${providerInputs.hostIp}`
+      : `mongodb://${providerInputs.hostIp}:${providerInputs.port}`;
 
     const client = new MongoClient(uri, {
       auth: {

backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts

@@ -3,7 +3,6 @@ import https from "https";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { removeTrailingSlash } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
@@ -79,14 +78,13 @@ async function deleteRabbitMqUser({ axiosInstance, usernameToDelete }: TDeleteRa
 export const RabbitMqProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretRabbitMqSchema.parseAsync(inputs);
-    verifyHostInputValidity(providerInputs.host);
-
-    return providerInputs;
+    const [hostIp] = await verifyHostInputValidity(providerInputs.host);
+    return { ...providerInputs, hostIp };
   };
 
-  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretRabbitMqSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretRabbitMqSchema> & { hostIp: string }) => {
     const axiosInstance = axios.create({
-      baseURL: `${removeTrailingSlash(providerInputs.host)}:${providerInputs.port}/api`,
+      baseURL: `${providerInputs.hostIp}:${providerInputs.port}/api`,
       auth: {
         username: providerInputs.username,
         password: providerInputs.password

backend/src/ee/services/dynamic-secret/providers/redis.ts

@@ -5,6 +5,7 @@ import { z } from "zod";
 
 import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretRedisDBSchema, TDynamicProviderFns } from "./models";
@@ -51,16 +52,28 @@ const executeTransactions = async (connection: Redis, commands: string[]): Promi
 export const RedisDatabaseProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretRedisDBSchema.parseAsync(inputs);
-    verifyHostInputValidity(providerInputs.host);
-    return providerInputs;
+    const [hostIp] = await verifyHostInputValidity(providerInputs.host);
+    validateHandlebarTemplate("Redis creation", providerInputs.creationStatement, {
+      allowedExpressions: (val) => ["username", "password", "expiration"].includes(val)
+    });
+    if (providerInputs.renewStatement) {
+      validateHandlebarTemplate("Redis renew", providerInputs.renewStatement, {
+        allowedExpressions: (val) => ["username", "expiration"].includes(val)
+      });
+    }
+    validateHandlebarTemplate("Redis revoke", providerInputs.revocationStatement, {
+      allowedExpressions: (val) => ["username"].includes(val)
+    });
+
+    return { ...providerInputs, hostIp };
   };
 
-  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretRedisDBSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretRedisDBSchema> & { hostIp: string }) => {
     let connection: Redis | null = null;
     try {
       connection = new Redis({
         username: providerInputs.username,
-        host: providerInputs.host,
+        host: providerInputs.hostIp,
         port: providerInputs.port,
         password: providerInputs.password,
         ...(providerInputs.ca && {

backend/src/ee/services/dynamic-secret/providers/sap-ase.ts

@@ -5,6 +5,7 @@ import { z } from "zod";
 
 import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretSapAseSchema, TDynamicProviderFns } from "./models";
@@ -27,14 +28,25 @@ export const SapAseProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretSapAseSchema.parseAsync(inputs);
 
-    verifyHostInputValidity(providerInputs.host);
-    return providerInputs;
+    const [hostIp] = await verifyHostInputValidity(providerInputs.host);
+    validateHandlebarTemplate("SAP ASE creation", providerInputs.creationStatement, {
+      allowedExpressions: (val) => ["username", "password"].includes(val)
+    });
+    if (providerInputs.revocationStatement) {
+      validateHandlebarTemplate("SAP ASE revoke", providerInputs.revocationStatement, {
+        allowedExpressions: (val) => ["username"].includes(val)
+      });
+    }
+    return { ...providerInputs, hostIp };
   };
 
-  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSapAseSchema>, useMaster?: boolean) => {
+  const $getClient = async (
+    providerInputs: z.infer<typeof DynamicSecretSapAseSchema> & { hostIp: string },
+    useMaster?: boolean
+  ) => {
     const connectionString =
       `DRIVER={FreeTDS};` +
-      `SERVER=${providerInputs.host};` +
+      `SERVER=${providerInputs.hostIp};` +
       `PORT=${providerInputs.port};` +
       `DATABASE=${useMaster ? "master" : providerInputs.database};` +
       `UID=${providerInputs.username};` +

backend/src/ee/services/dynamic-secret/providers/sap-hana.ts

@@ -11,6 +11,7 @@ import { z } from "zod";
 
 import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretSapHanaSchema, TDynamicProviderFns } from "./models";
@@ -28,13 +29,24 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretSapHanaSchema.parseAsync(inputs);
 
-    verifyHostInputValidity(providerInputs.host);
-    return providerInputs;
+    const [hostIp] = await verifyHostInputValidity(providerInputs.host);
+    validateHandlebarTemplate("SAP Hana creation", providerInputs.creationStatement, {
+      allowedExpressions: (val) => ["username", "password", "expiration"].includes(val)
+    });
+    if (providerInputs.renewStatement) {
+      validateHandlebarTemplate("SAP Hana renew", providerInputs.renewStatement, {
+        allowedExpressions: (val) => ["username", "expiration"].includes(val)
+      });
+    }
+    validateHandlebarTemplate("SAP Hana revoke", providerInputs.revocationStatement, {
+      allowedExpressions: (val) => ["username"].includes(val)
+    });
+    return { ...providerInputs, hostIp };
   };
 
-  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSapHanaSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSapHanaSchema> & { hostIp: string }) => {
     const client = hdb.createClient({
-      host: providerInputs.host,
+      host: providerInputs.hostIp,
       port: providerInputs.port,
       user: providerInputs.username,
       password: providerInputs.password,

backend/src/ee/services/dynamic-secret/providers/snowflake.ts

@@ -5,6 +5,7 @@ import { z } from "zod";
 
 import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { DynamicSecretSnowflakeSchema, TDynamicProviderFns } from "./models";
 
@@ -31,6 +32,18 @@ const getDaysToExpiry = (expiryDate: Date) => {
 export const SnowflakeProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretSnowflakeSchema.parseAsync(inputs);
+    validateHandlebarTemplate("Snowflake creation", providerInputs.creationStatement, {
+      allowedExpressions: (val) => ["username", "password", "expiration"].includes(val)
+    });
+    if (providerInputs.renewStatement) {
+      validateHandlebarTemplate("Snowflake renew", providerInputs.renewStatement, {
+        allowedExpressions: (val) => ["username", "expiration"].includes(val)
+      });
+    }
+    validateHandlebarTemplate("Snowflake revoke", providerInputs.revocationStatement, {
+      allowedExpressions: (val) => ["username"].includes(val)
+    });
+
     return providerInputs;
   };
 

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -1,23 +1,107 @@
+import { randomInt } from "crypto";
 import handlebars from "handlebars";
 import knex from "knex";
-import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
 import { withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { TGatewayServiceFactory } from "../../gateway/gateway-service";
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
-import { DynamicSecretSqlDBSchema, SqlProviders, TDynamicProviderFns } from "./models";
+import { DynamicSecretSqlDBSchema, PasswordRequirements, SqlProviders, TDynamicProviderFns } from "./models";
 
 const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
 
-const generatePassword = (provider: SqlProviders) => {
-  // oracle has limit of 48 password length
-  const size = provider === SqlProviders.Oracle ? 30 : 48;
+const DEFAULT_PASSWORD_REQUIREMENTS = {
+  length: 48,
+  required: {
+    lowercase: 1,
+    uppercase: 1,
+    digits: 1,
+    symbols: 0
+  },
+  allowedSymbols: "-_.~!*"
+};
 
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
-  return customAlphabet(charset, 48)(size);
+const ORACLE_PASSWORD_REQUIREMENTS = {
+  ...DEFAULT_PASSWORD_REQUIREMENTS,
+  length: 30
+};
+
+const generatePassword = (provider: SqlProviders, requirements?: PasswordRequirements) => {
+  const defaultReqs = provider === SqlProviders.Oracle ? ORACLE_PASSWORD_REQUIREMENTS : DEFAULT_PASSWORD_REQUIREMENTS;
+  const finalReqs = requirements || defaultReqs;
+
+  try {
+    const { length, required, allowedSymbols } = finalReqs;
+
+    const chars = {
+      lowercase: "abcdefghijklmnopqrstuvwxyz",
+      uppercase: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+      digits: "0123456789",
+      symbols: allowedSymbols || "-_.~!*"
+    };
+
+    const parts: string[] = [];
+
+    if (required.lowercase > 0) {
+      parts.push(
+        ...Array(required.lowercase)
+          .fill(0)
+          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
+      );
+    }
+
+    if (required.uppercase > 0) {
+      parts.push(
+        ...Array(required.uppercase)
+          .fill(0)
+          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
+      );
+    }
+
+    if (required.digits > 0) {
+      parts.push(
+        ...Array(required.digits)
+          .fill(0)
+          .map(() => chars.digits[randomInt(chars.digits.length)])
+      );
+    }
+
+    if (required.symbols > 0) {
+      parts.push(
+        ...Array(required.symbols)
+          .fill(0)
+          .map(() => chars.symbols[randomInt(chars.symbols.length)])
+      );
+    }
+
+    const requiredTotal = Object.values(required).reduce<number>((a, b) => a + b, 0);
+    const remainingLength = Math.max(length - requiredTotal, 0);
+
+    const allowedChars = Object.entries(chars)
+      .filter(([key]) => required[key as keyof typeof required] > 0)
+      .map(([, value]) => value)
+      .join("");
+
+    parts.push(
+      ...Array(remainingLength)
+        .fill(0)
+        .map(() => allowedChars[randomInt(allowedChars.length)])
+    );
+
+    // shuffle the array to mix up the characters
+    for (let i = parts.length - 1; i > 0; i -= 1) {
+      const j = randomInt(i + 1);
+      [parts[i], parts[j]] = [parts[j], parts[i]];
+    }
+
+    return parts.join("");
+  } catch (error: unknown) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    throw new Error(`Failed to generate password: ${message}`);
+  }
 };
 
 const generateUsername = (provider: SqlProviders) => {
@@ -34,8 +118,21 @@ type TSqlDatabaseProviderDTO = {
 export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretSqlDBSchema.parseAsync(inputs);
-    verifyHostInputValidity(providerInputs.host, Boolean(providerInputs.projectGatewayId));
-    return providerInputs;
+
+    const [hostIp] = await verifyHostInputValidity(providerInputs.host, Boolean(providerInputs.projectGatewayId));
+    validateHandlebarTemplate("SQL creation", providerInputs.creationStatement, {
+      allowedExpressions: (val) => ["username", "password", "expiration", "database"].includes(val)
+    });
+    if (providerInputs.renewStatement) {
+      validateHandlebarTemplate("SQL renew", providerInputs.renewStatement, {
+        allowedExpressions: (val) => ["username", "expiration", "database"].includes(val)
+      });
+    }
+    validateHandlebarTemplate("SQL revoke", providerInputs.revocationStatement, {
+      allowedExpressions: (val) => ["username", "database"].includes(val)
+    });
+
+    return { ...providerInputs, hostIp };
   };
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
@@ -51,7 +148,6 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
         user: providerInputs.username,
         password: providerInputs.password,
         ssl,
-        pool: { min: 0, max: 1 },
         // @ts-expect-error this is because of knexjs type signature issue. This is directly passed to driver
         // https://github.com/knex/knex/blob/b6507a7129d2b9fafebf5f831494431e64c6a8a0/lib/dialects/mssql/index.js#L66
         // https://github.com/tediousjs/tedious/blob/ebb023ed90969a7ec0e4b036533ad52739d921f7/test/config.ci.ts#L19
@@ -62,7 +158,8 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
             }
           : undefined
       },
-      acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT
+      acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT,
+      pool: { min: 0, max: 7 }
     });
     return db;
   };
@@ -87,7 +184,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
         tlsOptions: {
           ca: relayDetails.certChain,
           cert: relayDetails.certificate,
-          key: relayDetails.privateKey
+          key: relayDetails.privateKey.toString()
         }
       }
     );
@@ -96,7 +193,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
     let isConnected = false;
-    const gatewayCallback = async (host = providerInputs.host, port = providerInputs.port) => {
+    const gatewayCallback = async (host = providerInputs.hostIp, port = providerInputs.port) => {
       const db = await $getClient({ ...providerInputs, port, host });
       // oracle needs from keyword
       const testStatement = providerInputs.client === SqlProviders.Oracle ? "SELECT 1 FROM DUAL" : "SELECT 1";
@@ -106,10 +203,8 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
     };
 
     if (providerInputs.projectGatewayId) {
-      console.log(">>>>>> inside gateway");
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
     } else {
-      console.log(">>>>>> outside gateway");
       await gatewayCallback();
     }
     return isConnected;
@@ -118,27 +213,30 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
   const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
     const username = generateUsername(providerInputs.client);
-    const password = generatePassword(providerInputs.client);
+    const password = generatePassword(providerInputs.client, providerInputs.passwordRequirements);
     const gatewayCallback = async (host = providerInputs.host, port = providerInputs.port) => {
       const db = await $getClient({ ...providerInputs, port, host });
-      const { database } = providerInputs;
-      const expiration = new Date(expireAt).toISOString();
+      try {
+        const { database } = providerInputs;
+        const expiration = new Date(expireAt).toISOString();
 
-      const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
-        username,
-        password,
-        expiration,
-        database
-      });
+        const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
+          username,
+          password,
+          expiration,
+          database
+        });
 
-      const queries = creationStatement.toString().split(";").filter(Boolean);
-      await db.transaction(async (tx) => {
-        for (const query of queries) {
-          // eslint-disable-next-line
-          await tx.raw(query);
-        }
-      });
-      await db.destroy();
+        const queries = creationStatement.toString().split(";").filter(Boolean);
+        await db.transaction(async (tx) => {
+          for (const query of queries) {
+            // eslint-disable-next-line
+            await tx.raw(query);
+          }
+        });
+      } finally {
+        await db.destroy();
+      }
     };
     if (providerInputs.projectGatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
@@ -154,16 +252,18 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
     const { database } = providerInputs;
     const gatewayCallback = async (host = providerInputs.host, port = providerInputs.port) => {
       const db = await $getClient({ ...providerInputs, port, host });
-      const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, database });
-      const queries = revokeStatement.toString().split(";").filter(Boolean);
-      await db.transaction(async (tx) => {
-        for (const query of queries) {
-          // eslint-disable-next-line
-          await tx.raw(query);
-        }
-      });
-
-      await db.destroy();
+      try {
+        const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, database });
+        const queries = revokeStatement.toString().split(";").filter(Boolean);
+        await db.transaction(async (tx) => {
+          for (const query of queries) {
+            // eslint-disable-next-line
+            await tx.raw(query);
+          }
+        });
+      } finally {
+        await db.destroy();
+      }
     };
     if (providerInputs.projectGatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
@@ -187,18 +287,19 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
         expiration,
         database
       });
-
-      if (renewStatement) {
-        const queries = renewStatement.toString().split(";").filter(Boolean);
-        await db.transaction(async (tx) => {
-          for (const query of queries) {
-            // eslint-disable-next-line
-            await tx.raw(query);
-          }
-        });
+      try {
+        if (renewStatement) {
+          const queries = renewStatement.toString().split(";").filter(Boolean);
+          await db.transaction(async (tx) => {
+            for (const query of queries) {
+              // eslint-disable-next-line
+              await tx.raw(query);
+            }
+          });
+        }
+      } finally {
+        await db.destroy();
       }
-
-      await db.destroy();
     };
     if (providerInputs.projectGatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);

backend/src/ee/services/gateway/gateway-service.ts

@@ -474,7 +474,7 @@ export const gatewayServiceFactory = ({
       relayHost,
       relayPort: Number(relayPort),
       tlsOptions: {
-        key: privateKey,
+        key: privateKey.toString(),
         ca: `${gatewayCaCert.toString("pem")}\n${rootCaCert.toString("pem")}`.trim(),
         cert: clientCert.toString("pem")
       },

backend/src/ee/services/group/group-service.ts

@@ -3,7 +3,7 @@ import slugify from "@sindresorhus/slugify";
 
 import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
 import { TOidcConfigDALFactory } from "@app/ee/services/oidc/oidc-config-dal";
-import { isAtLeastAsPrivileged } from "@app/lib/casl";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
@@ -87,9 +87,14 @@ export const groupServiceFactory = ({
       actorOrgId
     );
     const isCustomRole = Boolean(customRole);
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
+
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to create a more privileged group",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
 
     const group = await groupDAL.transaction(async (tx) => {
       const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
@@ -156,9 +161,13 @@ export const groupServiceFactory = ({
       );
 
       const isCustomRole = Boolean(customOrgRole);
-      const hasRequiredNewRolePermission = isAtLeastAsPrivileged(permission, rolePermission);
-      if (!hasRequiredNewRolePermission)
-        throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
+      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
+      if (!permissionBoundary.isValid)
+        throw new ForbiddenRequestError({
+          name: "PermissionBoundaryError",
+          message: "Failed to update a more privileged group",
+          details: { missingPermissions: permissionBoundary.missingPermissions }
+        });
       if (isCustomRole) customRole = customOrgRole;
     }
 
@@ -329,9 +338,13 @@ export const groupServiceFactory = ({
     const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
 
     // check if user has broader or equal to privileges than group
-    const hasRequiredPrivileges = isAtLeastAsPrivileged(permission, groupRolePermission);
-    if (!hasRequiredPrivileges)
-      throw new ForbiddenRequestError({ message: "Failed to add user to more privileged group" });
+    const permissionBoundary = validatePermissionBoundary(permission, groupRolePermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to add user to more privileged group",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
 
     const user = await userDAL.findOne({ username });
     if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });
@@ -396,9 +409,13 @@ export const groupServiceFactory = ({
     const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
 
     // check if user has broader or equal to privileges than group
-    const hasRequiredPrivileges = isAtLeastAsPrivileged(permission, groupRolePermission);
-    if (!hasRequiredPrivileges)
-      throw new ForbiddenRequestError({ message: "Failed to delete user from more privileged group" });
+    const permissionBoundary = validatePermissionBoundary(permission, groupRolePermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to delete user from more privileged group",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
 
     const user = await userDAL.findOne({ username });
     if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -1,10 +1,11 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
-import ms from "ms";
 
 import { ActionProjectType, TableName } from "@app/db/schemas";
-import { isAtLeastAsPrivileged } from "@app/lib/casl";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";
+import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 import { unpackPermissions } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
@@ -79,9 +80,16 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetIdentityPermission.update(targetIdentityPermission.rules.concat(customPermission));
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
+    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update more privileged identity",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
+    validateHandlebarTemplate("Identity Additional Privilege Create", JSON.stringify(customPermission || []), {
+      allowedExpressions: (val) => val.includes("identity.")
+    });
 
     const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
       slug,
@@ -161,9 +169,17 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetIdentityPermission.update(targetIdentityPermission.rules.concat(data.permissions || []));
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
+    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update more privileged identity",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
+
+    validateHandlebarTemplate("Identity Additional Privilege Update", JSON.stringify(data.permissions || []), {
+      allowedExpressions: (val) => val.includes("identity.")
+    });
 
     if (data?.slug) {
       const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
@@ -239,9 +255,13 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
+    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update more privileged identity",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
 
     const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
     return {

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -1,10 +1,11 @@
 import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
-import ms from "ms";
 
 import { ActionProjectType } from "@app/db/schemas";
-import { isAtLeastAsPrivileged } from "@app/lib/casl";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";
+import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
@@ -88,9 +89,13 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetIdentityPermission.update(targetIdentityPermission.rules.concat(customPermission));
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
+    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update more privileged identity",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
 
     const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
       slug,
@@ -98,6 +103,10 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     });
     if (existingSlug) throw new BadRequestError({ message: "Additional privilege of provided slug exist" });
 
+    validateHandlebarTemplate("Identity Additional Privilege Create", JSON.stringify(customPermission || []), {
+      allowedExpressions: (val) => val.includes("identity.")
+    });
+
     const packedPermission = JSON.stringify(packRules(customPermission));
     if (!dto.isTemporary) {
       const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.create({
@@ -172,9 +181,13 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetIdentityPermission.update(targetIdentityPermission.rules.concat(data.permissions || []));
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
+    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update more privileged identity",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
 
     const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findOne({
       slug,
@@ -195,6 +208,9 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     }
 
     const isTemporary = typeof data?.isTemporary !== "undefined" ? data.isTemporary : identityPrivilege.isTemporary;
+    validateHandlebarTemplate("Identity Additional Privilege Update", JSON.stringify(data.permissions || []), {
+      allowedExpressions: (val) => val.includes("identity.")
+    });
 
     const packedPermission = data.permissions ? JSON.stringify(packRules(data.permissions)) : undefined;
     if (isTemporary) {
@@ -268,9 +284,13 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to edit more privileged identity" });
+    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to edit more privileged identity",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
 
     const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findOne({
       slug,

backend/src/ee/services/kmip/kmip-service.ts

@@ -1,11 +1,11 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import crypto, { KeyObject } from "crypto";
-import ms from "ms";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { isValidHostname, isValidIp } from "@app/lib/ip";
+import { ms } from "@app/lib/ms";
 import { constructPemChainFromCerts } from "@app/services/certificate/certificate-fns";
 import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
 import {

backend/src/ee/services/license/licence-enums.ts

@@ -0,0 +1,24 @@
+export const BillingPlanRows = {
+  MemberLimit: { name: "Organization member limit", field: "memberLimit" },
+  IdentityLimit: { name: "Organization identity limit", field: "identityLimit" },
+  WorkspaceLimit: { name: "Project limit", field: "workspaceLimit" },
+  EnvironmentLimit: { name: "Environment limit", field: "environmentLimit" },
+  SecretVersioning: { name: "Secret versioning", field: "secretVersioning" },
+  PitRecovery: { name: "Point in time recovery", field: "pitRecovery" },
+  Rbac: { name: "RBAC", field: "rbac" },
+  CustomRateLimits: { name: "Custom rate limits", field: "customRateLimits" },
+  CustomAlerts: { name: "Custom alerts", field: "customAlerts" },
+  AuditLogs: { name: "Audit logs", field: "auditLogs" },
+  SamlSSO: { name: "SAML SSO", field: "samlSSO" },
+  Hsm: { name: "Hardware Security Module (HSM)", field: "hsm" },
+  OidcSSO: { name: "OIDC SSO", field: "oidcSSO" },
+  SecretApproval: { name: "Secret approvals", field: "secretApproval" },
+  SecretRotation: { name: "Secret rotation", field: "secretRotation" },
+  InstanceUserManagement: { name: "Instance User Management", field: "instanceUserManagement" },
+  ExternalKms: { name: "External KMS", field: "externalKms" }
+} as const;
+
+export const BillingPlanTableHead = {
+  Allowed: { name: "Allowed" },
+  Used: { name: "Used" }
+} as const;

backend/src/ee/services/license/license-service.ts

@@ -12,10 +12,13 @@ import { getConfig } from "@app/lib/config/env";
 import { verifyOfflineLicense } from "@app/lib/crypto";
 import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
+import { TIdentityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
 
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
+import { BillingPlanRows, BillingPlanTableHead } from "./licence-enums";
 import { TLicenseDALFactory } from "./license-dal";
 import { getDefaultOnPremFeatures, setupLicenseRequestWithStore } from "./license-fns";
 import {
@@ -28,6 +31,7 @@ import {
   TFeatureSet,
   TGetOrgBillInfoDTO,
   TGetOrgTaxIdDTO,
+  TOfflineLicense,
   TOfflineLicenseContents,
   TOrgInvoiceDTO,
   TOrgLicensesDTO,
@@ -39,10 +43,12 @@ import {
 } from "./license-types";
 
 type TLicenseServiceFactoryDep = {
-  orgDAL: Pick<TOrgDALFactory, "findOrgById">;
+  orgDAL: Pick<TOrgDALFactory, "findOrgById" | "countAllOrgMembers">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseDAL: TLicenseDALFactory;
   keyStore: Pick<TKeyStoreFactory, "setItemWithExpiry" | "getItem" | "deleteItem">;
+  identityOrgMembershipDAL: TIdentityOrgDALFactory;
+  projectDAL: TProjectDALFactory;
 };
 
 export type TLicenseServiceFactory = ReturnType<typeof licenseServiceFactory>;
@@ -50,18 +56,21 @@ export type TLicenseServiceFactory = ReturnType<typeof licenseServiceFactory>;
 const LICENSE_SERVER_CLOUD_LOGIN = "/api/auth/v1/license-server-login";
 const LICENSE_SERVER_ON_PREM_LOGIN = "/api/auth/v1/license-login";
 
-const LICENSE_SERVER_CLOUD_PLAN_TTL = 30; // 30 second
+const LICENSE_SERVER_CLOUD_PLAN_TTL = 5 * 60; // 5 mins
 const FEATURE_CACHE_KEY = (orgId: string) => `infisical-cloud-plan-${orgId}`;
 
 export const licenseServiceFactory = ({
   orgDAL,
   permissionService,
   licenseDAL,
-  keyStore
+  keyStore,
+  identityOrgMembershipDAL,
+  projectDAL
 }: TLicenseServiceFactoryDep) => {
   let isValidLicense = false;
   let instanceType = InstanceType.OnPrem;
   let onPremFeatures: TFeatureSet = getDefaultOnPremFeatures();
+  let selfHostedLicense: TOfflineLicense | null = null;
 
   const appCfg = getConfig();
   const licenseServerCloudApi = setupLicenseRequestWithStore(
@@ -125,6 +134,7 @@ export const licenseServiceFactory = ({
           instanceType = InstanceType.EnterpriseOnPremOffline;
           logger.info(`Instance type: ${InstanceType.EnterpriseOnPremOffline}`);
           isValidLicense = true;
+          selfHostedLicense = contents.license;
           return;
         }
       }
@@ -142,7 +152,10 @@ export const licenseServiceFactory = ({
     try {
       if (instanceType === InstanceType.Cloud) {
         const cachedPlan = await keyStore.getItem(FEATURE_CACHE_KEY(orgId));
-        if (cachedPlan) return JSON.parse(cachedPlan) as TFeatureSet;
+        if (cachedPlan) {
+          logger.info(`getPlan: plan fetched from cache [orgId=${orgId}] [projectId=${projectId}]`);
+          return JSON.parse(cachedPlan) as TFeatureSet;
+        }
 
         const org = await orgDAL.findOrgById(orgId);
         if (!org) throw new NotFoundError({ message: `Organization with ID '${orgId}' not found` });
@@ -170,6 +183,8 @@ export const licenseServiceFactory = ({
         JSON.stringify(onPremFeatures)
       );
       return onPremFeatures;
+    } finally {
+      logger.info(`getPlan: Process done for [orgId=${orgId}] [projectId=${projectId}]`);
     }
     return onPremFeatures;
   };
@@ -343,10 +358,21 @@ export const licenseServiceFactory = ({
         message: `Organization with ID '${orgId}' not found`
       });
     }
-    const { data } = await licenseServerCloudApi.request.get(
-      `/api/license-server/v1/customers/${organization.customerId}/cloud-plan/billing`
-    );
-    return data;
+    if (instanceType !== InstanceType.OnPrem && instanceType !== InstanceType.EnterpriseOnPremOffline) {
+      const { data } = await licenseServerCloudApi.request.get(
+        `/api/license-server/v1/customers/${organization.customerId}/cloud-plan/billing`
+      );
+      return data;
+    }
+
+    return {
+      currentPeriodStart: selfHostedLicense?.issuedAt ? Date.parse(selfHostedLicense?.issuedAt) / 1000 : undefined,
+      currentPeriodEnd: selfHostedLicense?.expiresAt ? Date.parse(selfHostedLicense?.expiresAt) / 1000 : undefined,
+      interval: "month",
+      intervalCount: 1,
+      amount: 0,
+      quantity: 1
+    };
   };
 
   // returns org current plan feature table
@@ -360,10 +386,41 @@ export const licenseServiceFactory = ({
         message: `Organization with ID '${orgId}' not found`
       });
     }
-    const { data } = await licenseServerCloudApi.request.get(
-      `/api/license-server/v1/customers/${organization.customerId}/cloud-plan/table`
+    if (instanceType !== InstanceType.OnPrem && instanceType !== InstanceType.EnterpriseOnPremOffline) {
+      const { data } = await licenseServerCloudApi.request.get(
+        `/api/license-server/v1/customers/${organization.customerId}/cloud-plan/table`
+      );
+      return data;
+    }
+
+    const mappedRows = await Promise.all(
+      Object.values(BillingPlanRows).map(async ({ name, field }: { name: string; field: string }) => {
+        const allowed = onPremFeatures[field as keyof TFeatureSet];
+        let used = "-";
+
+        if (field === BillingPlanRows.MemberLimit.field) {
+          const orgMemberships = await orgDAL.countAllOrgMembers(orgId);
+          used = orgMemberships.toString();
+        } else if (field === BillingPlanRows.WorkspaceLimit.field) {
+          const projects = await projectDAL.find({ orgId });
+          used = projects.length.toString();
+        } else if (field === BillingPlanRows.IdentityLimit.field) {
+          const identities = await identityOrgMembershipDAL.countAllOrgIdentities({ orgId });
+          used = identities.toString();
+        }
+
+        return {
+          name,
+          allowed,
+          used
+        };
+      })
     );
-    return data;
+
+    return {
+      head: Object.values(BillingPlanTableHead),
+      rows: mappedRows
+    };
   };
 
   const getOrgBillingDetails = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {

backend/src/ee/services/permission/org-permission.ts

@@ -32,6 +32,10 @@ export enum OrgPermissionAdminConsoleAction {
   AccessAllProjects = "access-all-projects"
 }
 
+export enum OrgPermissionSecretShareAction {
+  ManageSettings = "manage-settings"
+}
+
 export enum OrgPermissionGatewayActions {
   // is there a better word for this. This mean can an identity be a gateway
   CreateGateways = "create-gateways",
@@ -59,7 +63,8 @@ export enum OrgPermissionSubjects {
   ProjectTemplates = "project-templates",
   AppConnections = "app-connections",
   Kmip = "kmip",
-  Gateway = "gateway"
+  Gateway = "gateway",
+  SecretShare = "secret-share"
 }
 
 export type AppConnectionSubjectFields = {
@@ -91,7 +96,8 @@ export type OrgPermissionSet =
       )
     ]
   | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole]
-  | [OrgPermissionKmipActions, OrgPermissionSubjects.Kmip];
+  | [OrgPermissionKmipActions, OrgPermissionSubjects.Kmip]
+  | [OrgPermissionSecretShareAction, OrgPermissionSubjects.SecretShare];
 
 const AppConnectionConditionSchema = z
   .object({
@@ -185,6 +191,12 @@ export const OrgPermissionSchema = z.discriminatedUnion("subject", [
       "Describe what action an entity can take."
     )
   }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.SecretShare).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionSecretShareAction).describe(
+      "Describe what action an entity can take."
+    )
+  }),
   z.object({
     subject: z.literal(OrgPermissionSubjects.Kmip).describe("The entity this permission pertains to."),
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionKmipActions).describe(
@@ -292,6 +304,8 @@ const buildAdminPermission = () => {
   // the proxy assignment is temporary in order to prevent "more privilege" error during role assignment to MI
   can(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
 
+  can(OrgPermissionSecretShareAction.ManageSettings, OrgPermissionSubjects.SecretShare);
+
   return rules;
 };
 

backend/src/ee/services/permission/permission-fns.ts

@@ -1,7 +1,109 @@
+/* eslint-disable no-nested-ternary */
+import { ForbiddenError, MongoAbility, PureAbility, subject } from "@casl/ability";
+import { z } from "zod";
+
 import { TOrganizations } from "@app/db/schemas";
-import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";
 
+import {
+  ProjectPermissionSecretActions,
+  ProjectPermissionSet,
+  ProjectPermissionSub,
+  ProjectPermissionV2Schema,
+  SecretSubjectFields
+} from "./project-permission";
+
+export function throwIfMissingSecretReadValueOrDescribePermission(
+  permission: MongoAbility<ProjectPermissionSet> | PureAbility,
+  action: Extract<
+    ProjectPermissionSecretActions,
+    ProjectPermissionSecretActions.ReadValue | ProjectPermissionSecretActions.DescribeSecret
+  >,
+  subjectFields?: SecretSubjectFields
+) {
+  try {
+    if (subjectFields) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionSecretActions.DescribeAndReadValue,
+        subject(ProjectPermissionSub.Secrets, subjectFields)
+      );
+    } else {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionSecretActions.DescribeAndReadValue,
+        ProjectPermissionSub.Secrets
+      );
+    }
+  } catch {
+    if (subjectFields) {
+      ForbiddenError.from(permission).throwUnlessCan(action, subject(ProjectPermissionSub.Secrets, subjectFields));
+    } else {
+      ForbiddenError.from(permission).throwUnlessCan(action, ProjectPermissionSub.Secrets);
+    }
+  }
+}
+
+export function hasSecretReadValueOrDescribePermission(
+  permission: MongoAbility<ProjectPermissionSet>,
+  action: Extract<
+    ProjectPermissionSecretActions,
+    ProjectPermissionSecretActions.DescribeSecret | ProjectPermissionSecretActions.ReadValue
+  >,
+  subjectFields?: SecretSubjectFields
+) {
+  let canNewPermission = false;
+  let canOldPermission = false;
+
+  if (subjectFields) {
+    canNewPermission = permission.can(action, subject(ProjectPermissionSub.Secrets, subjectFields));
+    canOldPermission = permission.can(
+      ProjectPermissionSecretActions.DescribeAndReadValue,
+      subject(ProjectPermissionSub.Secrets, subjectFields)
+    );
+  } else {
+    canNewPermission = permission.can(action, ProjectPermissionSub.Secrets);
+    canOldPermission = permission.can(
+      ProjectPermissionSecretActions.DescribeAndReadValue,
+      ProjectPermissionSub.Secrets
+    );
+  }
+
+  return canNewPermission || canOldPermission;
+}
+
+const OptionalArrayPermissionSchema = ProjectPermissionV2Schema.array().optional();
+export function checkForInvalidPermissionCombination(permissions: z.infer<typeof OptionalArrayPermissionSchema>) {
+  if (!permissions) return;
+
+  for (const permission of permissions) {
+    if (permission.subject === ProjectPermissionSub.Secrets) {
+      if (permission.action.includes(ProjectPermissionSecretActions.DescribeAndReadValue)) {
+        const hasReadValue = permission.action.includes(ProjectPermissionSecretActions.ReadValue);
+        const hasDescribeSecret = permission.action.includes(ProjectPermissionSecretActions.DescribeSecret);
+
+        // eslint-disable-next-line no-continue
+        if (!hasReadValue && !hasDescribeSecret) continue;
+
+        const hasBothDescribeAndReadValue = hasReadValue && hasDescribeSecret;
+
+        throw new BadRequestError({
+          message: `You have selected Read, and ${
+            hasBothDescribeAndReadValue
+              ? "both Read Value and Describe Secret"
+              : hasReadValue
+                ? "Read Value"
+                : hasDescribeSecret
+                  ? "Describe Secret"
+                  : ""
+          }. You cannot select Read Value or Describe Secret if you have selected Read. The Read permission is a legacy action which has been replaced by Describe Secret and Read Value.`
+        });
+      }
+    }
+  }
+
+  return true;
+}
+
 function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
   if (!actorAuthMethod) return false;
 
@@ -29,12 +131,12 @@ function validateOrgSSO(actorAuthMethod: ActorAuthMethod, isOrgSsoEnforced: TOrg
   }
 }
 
-const escapeHandlebarsMissingMetadata = (obj: Record<string, string>) => {
+const escapeHandlebarsMissingDict = (obj: Record<string, string>, key: string) => {
   const handler = {
     get(target: Record<string, string>, prop: string) {
-      if (!(prop in target)) {
+      if (!Object.hasOwn(target, prop)) {
         // eslint-disable-next-line no-param-reassign
-        target[prop] = `{{identity.metadata.${prop}}}`; // Add missing key as an "own" property
+        target[prop] = `{{${key}.${prop}}}`; // Add missing key as an "own" property
       }
       return target[prop];
     }
@@ -43,4 +145,4 @@ const escapeHandlebarsMissingMetadata = (obj: Record<string, string>) => {
   return new Proxy(obj, handler);
 };
 
-export { escapeHandlebarsMissingMetadata, isAuthMethodSaml, validateOrgSSO };
+export { escapeHandlebarsMissingDict, isAuthMethodSaml, validateOrgSSO };

backend/src/ee/services/permission/permission-service.ts

@@ -1,5 +1,6 @@
 import { createMongoAbility, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, unpackRules } from "@casl/ability/extra";
+import { requestContext } from "@fastify/request-context";
 import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";
 
@@ -22,7 +23,7 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok
 
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
-import { escapeHandlebarsMissingMetadata, validateOrgSSO } from "./permission-fns";
+import { escapeHandlebarsMissingDict, validateOrgSSO } from "./permission-fns";
 import {
   TBuildOrgPermissionDTO,
   TBuildProjectPermissionDTO,
@@ -243,13 +244,13 @@ export const permissionServiceFactory = ({
 
     const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
     const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-    const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
-      objectify(
-        userProjectPermission.metadata,
-        (i) => i.key,
-        (i) => i.value
-      )
+    const unescapedMetadata = objectify(
+      userProjectPermission.metadata,
+      (i) => i.key,
+      (i) => i.value
     );
+    const metadataKeyValuePair = escapeHandlebarsMissingDict(unescapedMetadata, "identity.metadata");
+    requestContext.set("identityPermissionMetadata", { metadata: unescapedMetadata });
     const interpolateRules = templatedRules(
       {
         identity: {
@@ -317,20 +318,26 @@ export const permissionServiceFactory = ({
 
     const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
     const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-    const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
-      objectify(
-        identityProjectPermission.metadata,
-        (i) => i.key,
-        (i) => i.value
-      )
+    const unescapedIdentityAuthInfo = requestContext.get("identityAuthInfo");
+    const unescapedMetadata = objectify(
+      identityProjectPermission.metadata,
+      (i) => i.key,
+      (i) => i.value
     );
+    const identityAuthInfo =
+      unescapedIdentityAuthInfo?.identityId === identityId && unescapedIdentityAuthInfo
+        ? escapeHandlebarsMissingDict(unescapedIdentityAuthInfo as never, "identity.auth")
+        : {};
+    const metadataKeyValuePair = escapeHandlebarsMissingDict(unescapedMetadata, "identity.metadata");
 
+    requestContext.set("identityPermissionMetadata", { metadata: unescapedMetadata, auth: unescapedIdentityAuthInfo });
     const interpolateRules = templatedRules(
       {
         identity: {
           id: identityProjectPermission.identityId,
           username: identityProjectPermission.username,
-          metadata: metadataKeyValuePair
+          metadata: metadataKeyValuePair,
+          auth: identityAuthInfo
         }
       },
       { data: false }
@@ -424,12 +431,13 @@ export const permissionServiceFactory = ({
 
       const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
       const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+      const metadataKeyValuePair = escapeHandlebarsMissingDict(
         objectify(
           userProjectPermission.metadata,
           (i) => i.key,
           (i) => i.value
-        )
+        ),
+        "identity.metadata"
       );
       const interpolateRules = templatedRules(
         {
@@ -469,14 +477,14 @@ export const permissionServiceFactory = ({
 
       const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
       const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+      const metadataKeyValuePair = escapeHandlebarsMissingDict(
         objectify(
           identityProjectPermission.metadata,
           (i) => i.key,
           (i) => i.value
-        )
+        ),
+        "identity.metadata"
       );
-
       const interpolateRules = templatedRules(
         {
           identity: {

backend/src/ee/services/permission/permission-types.ts

@@ -5,22 +5,6 @@ import { PermissionConditionOperators } from "@app/lib/casl";
 
 export const PermissionConditionSchema = {
   [PermissionConditionOperators.$IN]: z.string().trim().min(1).array(),
-  [PermissionConditionOperators.$ALL]: z.string().trim().min(1).array(),
-  [PermissionConditionOperators.$REGEX]: z
-    .string()
-    .min(1)
-    .refine(
-      (el) => {
-        try {
-          // eslint-disable-next-line no-new
-          new RegExp(el);
-          return true;
-        } catch {
-          return false;
-        }
-      },
-      { message: "Invalid regex pattern" }
-    ),
   [PermissionConditionOperators.$EQ]: z.string().min(1),
   [PermissionConditionOperators.$NEQ]: z.string().min(1),
   [PermissionConditionOperators.$GLOB]: z

backend/src/ee/services/permission/project-permission.ts

@@ -17,6 +17,15 @@ export enum ProjectPermissionActions {
   Delete = "delete"
 }
 
+export enum ProjectPermissionSecretActions {
+  DescribeAndReadValue = "read",
+  DescribeSecret = "describeSecret",
+  ReadValue = "readValue",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete"
+}
+
 export enum ProjectPermissionCmekActions {
   Read = "read",
   Create = "create",
@@ -115,7 +124,7 @@ export type IdentityManagementSubjectFields = {
 
 export type ProjectPermissionSet =
   | [
-      ProjectPermissionActions,
+      ProjectPermissionSecretActions,
       ProjectPermissionSub.Secrets | (ForcedSubject<ProjectPermissionSub.Secrets> & SecretSubjectFields)
     ]
   | [
@@ -429,6 +438,7 @@ const GeneralPermissionSchema = [
   })
 ];
 
+// Do not update this schema anymore, as it's kept purely for backwards compatability. Update V2 schema only.
 export const ProjectPermissionV1Schema = z.discriminatedUnion("subject", [
   z.object({
     subject: z.literal(ProjectPermissionSub.Secrets).describe("The entity this permission pertains to."),
@@ -460,7 +470,7 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
   z.object({
     subject: z.literal(ProjectPermissionSub.Secrets).describe("The entity this permission pertains to."),
     inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretActions).describe(
       "Describe what action an entity can take."
     ),
     conditions: SecretConditionV2Schema.describe(
@@ -517,7 +527,6 @@ const buildAdminPermissionRules = () => {
 
   // Admins get full access to everything
   [
-    ProjectPermissionSub.Secrets,
     ProjectPermissionSub.SecretFolders,
     ProjectPermissionSub.SecretImports,
     ProjectPermissionSub.SecretApproval,
@@ -550,10 +559,22 @@ const buildAdminPermissionRules = () => {
         ProjectPermissionActions.Create,
         ProjectPermissionActions.Delete
       ],
-      el as ProjectPermissionSub
+      el
     );
   });
 
+  can(
+    [
+      ProjectPermissionSecretActions.DescribeAndReadValue,
+      ProjectPermissionSecretActions.DescribeSecret,
+      ProjectPermissionSecretActions.ReadValue,
+      ProjectPermissionSecretActions.Create,
+      ProjectPermissionSecretActions.Edit,
+      ProjectPermissionSecretActions.Delete
+    ],
+    ProjectPermissionSub.Secrets
+  );
+
   can(
     [
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
@@ -613,10 +634,12 @@ const buildMemberPermissionRules = () => {
 
   can(
     [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
+      ProjectPermissionSecretActions.DescribeAndReadValue,
+      ProjectPermissionSecretActions.DescribeSecret,
+      ProjectPermissionSecretActions.ReadValue,
+      ProjectPermissionSecretActions.Edit,
+      ProjectPermissionSecretActions.Create,
+      ProjectPermissionSecretActions.Delete
     ],
     ProjectPermissionSub.Secrets
   );
@@ -788,7 +811,9 @@ export const projectMemberPermissions = buildMemberPermissionRules();
 const buildViewerPermissionRules = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
+  can(ProjectPermissionSecretActions.DescribeAndReadValue, ProjectPermissionSub.Secrets);
+  can(ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSub.Secrets);
+  can(ProjectPermissionSecretActions.ReadValue, ProjectPermissionSub.Secrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
   can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);
@@ -837,7 +862,6 @@ export const buildServiceTokenProjectPermission = (
       (subject) => {
         if (canWrite) {
           can(ProjectPermissionActions.Edit, subject, {
-            // TODO: @Akhi
             // @ts-expect-error type
             secretPath: { $glob: secretPath },
             environment
@@ -916,7 +940,17 @@ export const backfillPermissionV1SchemaToV2Schema = (
     subject: ProjectPermissionSub.SecretImports as const
   }));
 
+  const secretPolicies = secretSubjects.map(({ subject, ...el }) => ({
+    subject: ProjectPermissionSub.Secrets as const,
+    ...el,
+    action:
+      el.action.includes(ProjectPermissionActions.Read) && !el.action.includes(ProjectPermissionSecretActions.ReadValue)
+        ? el.action.concat(ProjectPermissionSecretActions.ReadValue)
+        : el.action
+  }));
+
   const secretFolderPolicies = secretSubjects
+
     .map(({ subject, ...el }) => ({
       ...el,
       // read permission is not needed anymore
@@ -958,6 +992,7 @@ export const backfillPermissionV1SchemaToV2Schema = (
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-ignore-error this is valid ts
     secretImportPolicies,
+    secretPolicies,
     dynamicSecretPolicies,
     hasReadOnlyFolder.length ? [] : secretFolderPolicies
   );

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -1,10 +1,11 @@
 import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
-import ms from "ms";
 
 import { ActionProjectType, TableName } from "@app/db/schemas";
-import { isAtLeastAsPrivileged } from "@app/lib/casl";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";
+import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
@@ -76,9 +77,13 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetUserPermission.update(targetUserPermission.rules.concat(customPermission));
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetUserPermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
+    const permissionBoundary = validatePermissionBoundary(permission, targetUserPermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update more privileged user",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
 
     const existingSlug = await projectUserAdditionalPrivilegeDAL.findOne({
       slug,
@@ -88,6 +93,10 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     if (existingSlug)
       throw new BadRequestError({ message: `Additional privilege with provided slug ${slug} already exists` });
 
+    validateHandlebarTemplate("User Additional Privilege Create", JSON.stringify(customPermission || []), {
+      allowedExpressions: (val) => val.includes("identity.")
+    });
+
     const packedPermission = JSON.stringify(packRules(customPermission));
     if (!dto.isTemporary) {
       const additionalPrivilege = await projectUserAdditionalPrivilegeDAL.create({
@@ -163,9 +172,13 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetUserPermission.update(targetUserPermission.rules.concat(dto.permissions || []));
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetUserPermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
+    const permissionBoundary = validatePermissionBoundary(permission, targetUserPermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update more privileged identity",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
 
     if (dto?.slug) {
       const existingSlug = await projectUserAdditionalPrivilegeDAL.findOne({
@@ -177,6 +190,10 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
         throw new BadRequestError({ message: `Additional privilege with provided slug ${dto.slug} already exists` });
     }
 
+    validateHandlebarTemplate("User Additional Privilege Update", JSON.stringify(dto.permissions || []), {
+      allowedExpressions: (val) => val.includes("identity.")
+    });
+
     const isTemporary = typeof dto?.isTemporary !== "undefined" ? dto.isTemporary : userPrivilege.isTemporary;
 
     const packedPermission = dto.permissions && JSON.stringify(packRules(dto.permissions));

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -63,7 +63,7 @@ export const samlConfigServiceFactory = ({
   kmsService
 }: TSamlConfigServiceFactoryDep) => {
   const createSamlCfg = async ({
-    cert,
+    idpCert,
     actor,
     actorAuthMethod,
     actorOrgId,
@@ -93,9 +93,9 @@ export const samlConfigServiceFactory = ({
       orgId,
       authProvider,
       isActive,
-      encryptedSamlIssuer: encryptor({ plainText: Buffer.from(issuer) }).cipherTextBlob,
+      encryptedSamlCertificate: encryptor({ plainText: Buffer.from(idpCert) }).cipherTextBlob,
       encryptedSamlEntryPoint: encryptor({ plainText: Buffer.from(entryPoint) }).cipherTextBlob,
-      encryptedSamlCertificate: encryptor({ plainText: Buffer.from(cert) }).cipherTextBlob
+      encryptedSamlIssuer: encryptor({ plainText: Buffer.from(issuer) }).cipherTextBlob
     });
 
     return samlConfig;
@@ -106,7 +106,7 @@ export const samlConfigServiceFactory = ({
     actor,
     actorOrgId,
     actorAuthMethod,
-    cert,
+    idpCert,
     actorId,
     issuer,
     isActive,
@@ -136,8 +136,8 @@ export const samlConfigServiceFactory = ({
       updateQuery.encryptedSamlIssuer = encryptor({ plainText: Buffer.from(issuer) }).cipherTextBlob;
     }
 
-    if (cert !== undefined) {
-      updateQuery.encryptedSamlCertificate = encryptor({ plainText: Buffer.from(cert) }).cipherTextBlob;
+    if (idpCert !== undefined) {
+      updateQuery.encryptedSamlCertificate = encryptor({ plainText: Buffer.from(idpCert) }).cipherTextBlob;
     }
 
     const [ssoConfig] = await samlConfigDAL.update({ orgId }, updateQuery);

backend/src/ee/services/saml-config/saml-config-types.ts

@@ -15,7 +15,7 @@ export type TCreateSamlCfgDTO = {
   isActive: boolean;
   entryPoint: string;
   issuer: string;
-  cert: string;
+  idpCert: string;
 } & TOrgPermission;
 
 export type TUpdateSamlCfgDTO = Partial<{
@@ -23,7 +23,7 @@ export type TUpdateSamlCfgDTO = Partial<{
   isActive: boolean;
   entryPoint: string;
   issuer: string;
-  cert: string;
+  idpCert: string;
 }> &
   TOrgPermission;
 

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -62,7 +62,8 @@ export const secretApprovalPolicyServiceFactory = ({
     projectId,
     secretPath,
     environment,
-    enforcementLevel
+    enforcementLevel,
+    allowedSelfApprovals
   }: TCreateSapDTO) => {
     const groupApprovers = approvers
       ?.filter((approver) => approver.type === ApproverType.Group)
@@ -113,7 +114,8 @@ export const secretApprovalPolicyServiceFactory = ({
           approvals,
           secretPath,
           name,
-          enforcementLevel
+          enforcementLevel,
+          allowedSelfApprovals
         },
         tx
       );
@@ -172,7 +174,8 @@ export const secretApprovalPolicyServiceFactory = ({
     actorAuthMethod,
     approvals,
     secretPolicyId,
-    enforcementLevel
+    enforcementLevel,
+    allowedSelfApprovals
   }: TUpdateSapDTO) => {
     const groupApprovers = approvers
       ?.filter((approver) => approver.type === ApproverType.Group)
@@ -218,7 +221,8 @@ export const secretApprovalPolicyServiceFactory = ({
           approvals,
           secretPath,
           name,
-          enforcementLevel
+          enforcementLevel,
+          allowedSelfApprovals
         },
         tx
       );

backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@@ -10,6 +10,7 @@ export type TCreateSapDTO = {
   projectId: string;
   name: string;
   enforcementLevel: EnforcementLevel;
+  allowedSelfApprovals: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateSapDTO = {
@@ -19,6 +20,7 @@ export type TUpdateSapDTO = {
   approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
   name?: string;
   enforcementLevel?: EnforcementLevel;
+  allowedSelfApprovals?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteSapDTO = {

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -100,6 +100,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("lastName").withSchema("committerUser").as("committerUserLastName"),
         tx.ref("reviewerUserId").withSchema(TableName.SecretApprovalRequestReviewer),
         tx.ref("status").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerStatus"),
+        tx.ref("comment").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerComment"),
         tx.ref("email").withSchema("secretApprovalReviewerUser").as("reviewerEmail"),
         tx.ref("username").withSchema("secretApprovalReviewerUser").as("reviewerUsername"),
         tx.ref("firstName").withSchema("secretApprovalReviewerUser").as("reviewerFirstName"),
@@ -111,6 +112,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
         tx.ref("envId").withSchema(TableName.SecretApprovalPolicy).as("policyEnvId"),
         tx.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
+        tx.ref("allowedSelfApprovals").withSchema(TableName.SecretApprovalPolicy).as("policyAllowedSelfApprovals"),
         tx.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
         tx.ref("deletedAt").withSchema(TableName.SecretApprovalPolicy).as("policyDeletedAt")
       );
@@ -149,7 +151,8 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             secretPath: el.policySecretPath,
             enforcementLevel: el.policyEnforcementLevel,
             envId: el.policyEnvId,
-            deletedAt: el.policyDeletedAt
+            deletedAt: el.policyDeletedAt,
+            allowedSelfApprovals: el.policyAllowedSelfApprovals
           }
         }),
         childrenMapper: [
@@ -162,8 +165,10 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
               reviewerEmail: email,
               reviewerLastName: lastName,
               reviewerUsername: username,
-              reviewerFirstName: firstName
-            }) => (userId ? { userId, status, email, firstName, lastName, username } : undefined)
+              reviewerFirstName: firstName,
+              reviewerComment: comment
+            }) =>
+              userId ? { userId, status, email, firstName, lastName, username, comment: comment ?? "" } : undefined
           },
           {
             key: "approverUserId",
@@ -333,6 +338,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           ),
           db.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
           db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
+          db.ref("allowedSelfApprovals").withSchema(TableName.SecretApprovalPolicy).as("policyAllowedSelfApprovals"),
           db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
           db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
           db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
@@ -361,7 +367,8 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             name: el.policyName,
             approvals: el.policyApprovals,
             secretPath: el.policySecretPath,
-            enforcementLevel: el.policyEnforcementLevel
+            enforcementLevel: el.policyEnforcementLevel,
+            allowedSelfApprovals: el.policyAllowedSelfApprovals
           },
           committerUser: {
             userId: el.committerUserId,
@@ -479,6 +486,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             `DENSE_RANK() OVER (partition by ${TableName.Environment}."projectId" ORDER BY ${TableName.SecretApprovalRequest}."id" DESC) as rank`
           ),
           db.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
+          db.ref("allowedSelfApprovals").withSchema(TableName.SecretApprovalPolicy).as("policyAllowedSelfApprovals"),
           db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
           db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
           db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
@@ -508,7 +516,8 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             name: el.policyName,
             approvals: el.policyApprovals,
             secretPath: el.policySecretPath,
-            enforcementLevel: el.policyEnforcementLevel
+            enforcementLevel: el.policyEnforcementLevel,
+            allowedSelfApprovals: el.policyAllowedSelfApprovals
           },
           committerUser: {
             userId: el.committerUserId,

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -6,6 +6,7 @@ import {
   SecretEncryptionAlgo,
   SecretKeyEncoding,
   SecretType,
+  TableName,
   TSecretApprovalRequestsSecretsInsert,
   TSecretApprovalRequestsSecretsV2Insert
 } from "@app/db/schemas";
@@ -57,8 +58,9 @@ import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 
 import { TLicenseServiceFactory } from "../license/license-service";
+import { throwIfMissingSecretReadValueOrDescribePermission } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
+import { ProjectPermissionSecretActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
 import { TSecretSnapshotServiceFactory } from "../secret-snapshot/secret-snapshot-service";
 import { TSecretApprovalRequestDALFactory } from "./secret-approval-request-dal";
@@ -88,7 +90,12 @@ type TSecretApprovalRequestServiceFactoryDep = {
   secretDAL: TSecretDALFactory;
   secretTagDAL: Pick<
     TSecretTagDALFactory,
-    "findManyTagsById" | "saveTagsToSecret" | "deleteTagsManySecret" | "saveTagsToSecretV2" | "deleteTagsToSecretV2"
+    | "findManyTagsById"
+    | "saveTagsToSecret"
+    | "deleteTagsManySecret"
+    | "saveTagsToSecretV2"
+    | "deleteTagsToSecretV2"
+    | "find"
   >;
   secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "findOne">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
@@ -106,7 +113,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey" | "encryptWithInputKey" | "decryptWithInputKey">;
   secretV2BridgeDAL: Pick<
     TSecretV2BridgeDALFactory,
-    "insertMany" | "upsertSecretReferences" | "findBySecretKeys" | "bulkUpdate" | "deleteMany"
+    "insertMany" | "upsertSecretReferences" | "findBySecretKeys" | "bulkUpdate" | "deleteMany" | "find"
   >;
   secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
   secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
@@ -320,6 +327,7 @@ export const secretApprovalRequestServiceFactory = ({
     approvalId,
     actor,
     status,
+    comment,
     actorId,
     actorAuthMethod,
     actorOrgId
@@ -344,6 +352,11 @@ export const secretApprovalRequestServiceFactory = ({
         message: "The policy associated with this secret approval request has been deleted."
       });
     }
+    if (!policy.allowedSelfApprovals && actorId === secretApprovalRequest.committerUserId) {
+      throw new BadRequestError({
+        message: "Failed to review secret approval request. Users are not authorized to review their own request."
+      });
+    }
 
     const { hasRole } = await permissionService.getProjectPermission({
       actor: ActorType.USER,
@@ -372,15 +385,18 @@ export const secretApprovalRequestServiceFactory = ({
         return secretApprovalRequestReviewerDAL.create(
           {
             status,
+            comment,
             requestId: secretApprovalRequest.id,
             reviewerUserId: actorId
           },
           tx
         );
       }
-      return secretApprovalRequestReviewerDAL.updateById(review.id, { status }, tx);
+
+      return secretApprovalRequestReviewerDAL.updateById(review.id, { status, comment }, tx);
     });
-    return reviewStatus;
+
+    return { ...reviewStatus, projectId: secretApprovalRequest.projectId };
   };
 
   const updateApprovalStatus = async ({
@@ -499,7 +515,7 @@ export const secretApprovalRequestServiceFactory = ({
     if (!hasMinApproval && !isSoftEnforcement)
       throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
 
-    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
+    const { botKey, shouldUseSecretV2Bridge, project } = await projectBotService.getBotKey(projectId);
     let mergeStatus;
     if (shouldUseSecretV2Bridge) {
       // this cycle if for bridged secrets
@@ -857,7 +873,6 @@ export const secretApprovalRequestServiceFactory = ({
 
     if (isSoftEnforcement) {
       const cfg = getConfig();
-      const project = await projectDAL.findProjectById(projectId);
       const env = await projectEnvDAL.findOne({ id: policy.envId });
       const requestedByUser = await userDAL.findOne({ id: actorId });
       const approverUsers = await userDAL.find({
@@ -909,10 +924,11 @@ export const secretApprovalRequestServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
-    );
+
+    throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
+      environment,
+      secretPath
+    });
 
     await projectDAL.checkProjectUpgradeStatus(projectId);
 
@@ -997,6 +1013,7 @@ export const secretApprovalRequestServiceFactory = ({
               : keyName2BlindIndex[secretName];
           // add tags
           if (tagIds?.length) commitTagIds[keyName2BlindIndex[secretName]] = tagIds;
+
           return {
             ...latestSecretVersions[secretId],
             ...el,
@@ -1152,7 +1169,8 @@ export const secretApprovalRequestServiceFactory = ({
           environment: env.name,
           secretPath,
           projectId,
-          requestId: secretApprovalRequest.id
+          requestId: secretApprovalRequest.id,
+          secretKeys: [...new Set(Object.values(data).flatMap((arr) => arr?.map((item) => item.secretName) ?? []))]
         }
       }
     });
@@ -1294,7 +1312,7 @@ export const secretApprovalRequestServiceFactory = ({
             secretMetadata
           }) => {
             const secretId = updatingSecretsGroupByKey[secretKey][0].id;
-            if (tagIds?.length) commitTagIds[secretKey] = tagIds;
+            if (tagIds?.length) commitTagIds[newSecretName ?? secretKey] = tagIds;
             return {
               ...latestSecretVersions[secretId],
               secretMetadata,
@@ -1323,17 +1341,48 @@ export const secretApprovalRequestServiceFactory = ({
     // deleted secrets
     const deletedSecrets = data[SecretOperations.Delete];
     if (deletedSecrets && deletedSecrets.length) {
-      const secretsToDeleteInDB = await secretV2BridgeDAL.findBySecretKeys(
+      const secretsToDeleteInDB = await secretV2BridgeDAL.find({
         folderId,
-        deletedSecrets.map((el) => ({
-          key: el.secretKey,
-          type: SecretType.Shared
-        }))
-      );
+        $complex: {
+          operator: "and",
+          value: [
+            {
+              operator: "or",
+              value: deletedSecrets.map((el) => ({
+                operator: "and",
+                value: [
+                  {
+                    operator: "eq",
+                    field: `${TableName.SecretV2}.key` as "key",
+                    value: el.secretKey
+                  },
+                  {
+                    operator: "eq",
+                    field: "type",
+                    value: SecretType.Shared
+                  }
+                ]
+              }))
+            }
+          ]
+        }
+      });
       if (secretsToDeleteInDB.length !== deletedSecrets.length)
         throw new NotFoundError({
           message: `Secret does not exist: ${secretsToDeleteInDB.map((el) => el.key).join(",")}`
         });
+      secretsToDeleteInDB.forEach((el) => {
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionSecretActions.Delete,
+          subject(ProjectPermissionSub.Secrets, {
+            environment,
+            secretPath,
+            secretName: el.key,
+            secretTags: el.tags?.map((i) => i.slug)
+          })
+        );
+      });
+
       const secretsGroupedByKey = groupBy(secretsToDeleteInDB, (i) => i.key);
       const deletedSecretIds = deletedSecrets.map((el) => secretsGroupedByKey[el.secretKey][0].id);
       const latestSecretVersions = await secretVersionV2BridgeDAL.findLatestVersionMany(folderId, deletedSecretIds);
@@ -1359,9 +1408,9 @@ export const secretApprovalRequestServiceFactory = ({
     const tagsGroupById = groupBy(tags, (i) => i.id);
 
     commits.forEach((commit) => {
-      let action = ProjectPermissionActions.Create;
-      if (commit.op === SecretOperations.Update) action = ProjectPermissionActions.Edit;
-      if (commit.op === SecretOperations.Delete) action = ProjectPermissionActions.Delete;
+      let action = ProjectPermissionSecretActions.Create;
+      if (commit.op === SecretOperations.Update) action = ProjectPermissionSecretActions.Edit;
+      if (commit.op === SecretOperations.Delete) return; // we do the validation on top
 
       ForbiddenError.from(permission).throwUnlessCan(
         action,
@@ -1452,7 +1501,8 @@ export const secretApprovalRequestServiceFactory = ({
           environment: env.name,
           secretPath,
           projectId,
-          requestId: secretApprovalRequest.id
+          requestId: secretApprovalRequest.id,
+          secretKeys: [...new Set(Object.values(data).flatMap((arr) => arr?.map((item) => item.secretKey) ?? []))]
         }
       }
     });

backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts

@@ -80,6 +80,7 @@ export type TStatusChangeDTO = {
 export type TReviewRequestDTO = {
   approvalId: string;
   status: ApprovalStatus;
+  comment?: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TApprovalRequestCountDTO = TProjectPermission;

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -265,6 +265,7 @@ export const secretReplicationServiceFactory = ({
         folderDAL,
         secretImportDAL,
         decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : ""),
+        viewSecretValue: true,
         hasSecretAccess: () => true
       });
       // secrets that gets replicated across imports

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts

@@ -8,10 +8,9 @@ import axios from "axios";
 import jmespath from "jmespath";
 import knex from "knex";
 
-import { getConfig } from "@app/lib/config/env";
-import { getDbConnectionHost } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
+import { verifyHostInputValidity } from "../../dynamic-secret/dynamic-secret-fns";
 import { TAssignOp, TDbProviderClients, TDirectAssignOp, THttpProviderFunction } from "../templates/types";
 import { TSecretRotationData, TSecretRotationDbFn } from "./secret-rotation-queue-types";
 
@@ -88,32 +87,14 @@ export const secretRotationDbFn = async ({
   variables,
   options
 }: TSecretRotationDbFn) => {
-  const appCfg = getConfig();
-
   const ssl = ca ? { rejectUnauthorized: false, ca } : undefined;
-  const isCloud = Boolean(appCfg.LICENSE_SERVER_KEY); // quick and dirty way to check if its cloud or not
-  const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
-
-  if (
-    isCloud &&
-    // internal ips
-    (host === "host.docker.internal" || host.match(/^10\.\d+\.\d+\.\d+/) || host.match(/^192\.168\.\d+\.\d+/))
-  )
-    throw new Error("Invalid db host");
-  if (
-    host === "localhost" ||
-    host === "127.0.0.1" ||
-    // database infisical uses
-    dbHost === host
-  )
-    throw new Error("Invalid db host");
-
+  const [hostIp] = await verifyHostInputValidity(host);
   const db = knex({
     client,
     connection: {
       database,
       port,
-      host,
+      host: hostIp,
       user: username,
       password,
       connectionTimeoutMillis: EXTERNAL_REQUEST_TIMEOUT,

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -13,6 +13,7 @@ import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
+import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -332,6 +333,7 @@ export const secretRotationQueueFactory = ({
           await secretVersionV2BridgeDAL.insertMany(
             updatedSecrets.map(({ id, updatedAt, createdAt, ...el }) => ({
               ...el,
+              actorType: ActorType.PLATFORM,
               secretId: id
             })),
             tx

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -15,7 +15,11 @@ import { TSecretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSecretActions,
+  ProjectPermissionSub
+} from "../permission/project-permission";
 import { TSecretRotationDALFactory } from "./secret-rotation-dal";
 import { TSecretRotationQueueFactory } from "./secret-rotation-queue";
 import { TSecretRotationEncData } from "./secret-rotation-queue/secret-rotation-queue-types";
@@ -106,7 +110,7 @@ export const secretRotationServiceFactory = ({
       });
     }
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
+      ProjectPermissionSecretActions.Edit,
       subject(ProjectPermissionSub.Secrets, { environment, secretPath })
     );