filter out random request ID value

feat(secret-rotation): MySQL Secret Rotation v2

backend/e2e-test/vitest-environment-knex.ts

@@ -15,8 +15,8 @@ import { mockSmtpServer } from "./mocks/smtp";
 import { initDbConnection } from "@app/db";
 import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
-import { Redis } from "ioredis";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
+import { buildRedisFromConfig } from "@app/lib/config/redis";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -30,7 +30,7 @@ export default {
       dbRootCert: envConfig.DB_ROOT_CERT
     });
 
-    const redis = new Redis(envConfig.REDIS_URL);
+    const redis = buildRedisFromConfig(envConfig);
     await redis.flushdb("SYNC");
 
     try {
@@ -55,8 +55,8 @@ export default {
       });
 
       const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(envConfig.REDIS_URL, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
-      const keyStore = keyStoreFactory(envConfig.REDIS_URL);
+      const queue = queueServiceFactory(envConfig, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
+      const keyStore = keyStoreFactory(envConfig);
 
       const hsmModule = initializeHsmModule(envConfig);
       hsmModule.initialize();

backend/package.json

@@ -131,6 +131,7 @@
     "@aws-sdk/client-elasticache": "^3.637.0",
     "@aws-sdk/client-iam": "^3.525.0",
     "@aws-sdk/client-kms": "^3.609.0",
+    "@aws-sdk/client-route-53": "^3.810.0",
     "@aws-sdk/client-secrets-manager": "^3.504.0",
     "@aws-sdk/client-sts": "^3.600.0",
     "@casl/ability": "^6.5.0",
@@ -174,6 +175,7 @@
     "@slack/oauth": "^3.0.2",
     "@slack/web-api": "^7.8.0",
     "@ucast/mongo2js": "^1.3.4",
+    "acme-client": "^5.4.0",
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
     "aws-sdk": "^2.1553.0",

backend/src/@types/fastify.d.ts

@@ -53,6 +53,7 @@ import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
+import { TInternalCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
@@ -82,6 +83,7 @@ import { TOrgAdminServiceFactory } from "@app/services/org-admin/org-admin-servi
 import { TPkiAlertServiceFactory } from "@app/services/pki-alert/pki-alert-service";
 import { TPkiCollectionServiceFactory } from "@app/services/pki-collection/pki-collection-service";
 import { TPkiSubscriberServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-service";
+import { TPkiTemplatesServiceFactory } from "@app/services/pki-templates/pki-templates-service";
 import { TProjectServiceFactory } from "@app/services/project/project-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
@@ -269,6 +271,8 @@ declare module "fastify" {
       microsoftTeams: TMicrosoftTeamsServiceFactory;
       assumePrivileges: TAssumePrivilegeServiceFactory;
       githubOrgSync: TGithubOrgSyncServiceFactory;
+      internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
+      pkiTemplate: TPkiTemplatesServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -6,6 +6,9 @@ import {
   TAccessApprovalPoliciesApprovers,
   TAccessApprovalPoliciesApproversInsert,
   TAccessApprovalPoliciesApproversUpdate,
+  TAccessApprovalPoliciesBypassers,
+  TAccessApprovalPoliciesBypassersInsert,
+  TAccessApprovalPoliciesBypassersUpdate,
   TAccessApprovalPoliciesInsert,
   TAccessApprovalPoliciesUpdate,
   TAccessApprovalRequests,
@@ -68,6 +71,9 @@ import {
   TDynamicSecrets,
   TDynamicSecretsInsert,
   TDynamicSecretsUpdate,
+  TExternalCertificateAuthorities,
+  TExternalCertificateAuthoritiesInsert,
+  TExternalCertificateAuthoritiesUpdate,
   TExternalGroupOrgRoleMappings,
   TExternalGroupOrgRoleMappingsInsert,
   TExternalGroupOrgRoleMappingsUpdate,
@@ -155,6 +161,9 @@ import {
   TIntegrations,
   TIntegrationsInsert,
   TIntegrationsUpdate,
+  TInternalCertificateAuthorities,
+  TInternalCertificateAuthoritiesInsert,
+  TInternalCertificateAuthoritiesUpdate,
   TInternalKms,
   TInternalKmsInsert,
   TInternalKmsUpdate,
@@ -270,6 +279,9 @@ import {
   TSecretApprovalPoliciesApprovers,
   TSecretApprovalPoliciesApproversInsert,
   TSecretApprovalPoliciesApproversUpdate,
+  TSecretApprovalPoliciesBypassers,
+  TSecretApprovalPoliciesBypassersInsert,
+  TSecretApprovalPoliciesBypassersUpdate,
   TSecretApprovalPoliciesInsert,
   TSecretApprovalPoliciesUpdate,
   TSecretApprovalRequests,
@@ -538,6 +550,16 @@ declare module "knex/types/tables" {
       TCertificateAuthorityCrlInsert,
       TCertificateAuthorityCrlUpdate
     >;
+    [TableName.InternalCertificateAuthority]: KnexOriginal.CompositeTableType<
+      TInternalCertificateAuthorities,
+      TInternalCertificateAuthoritiesInsert,
+      TInternalCertificateAuthoritiesUpdate
+    >;
+    [TableName.ExternalCertificateAuthority]: KnexOriginal.CompositeTableType<
+      TExternalCertificateAuthorities,
+      TExternalCertificateAuthoritiesInsert,
+      TExternalCertificateAuthoritiesUpdate
+    >;
     [TableName.Certificate]: KnexOriginal.CompositeTableType<TCertificates, TCertificatesInsert, TCertificatesUpdate>;
     [TableName.CertificateTemplate]: KnexOriginal.CompositeTableType<
       TCertificateTemplates,
@@ -804,6 +826,12 @@ declare module "knex/types/tables" {
       TAccessApprovalPoliciesApproversUpdate
     >;
 
+    [TableName.AccessApprovalPolicyBypasser]: KnexOriginal.CompositeTableType<
+      TAccessApprovalPoliciesBypassers,
+      TAccessApprovalPoliciesBypassersInsert,
+      TAccessApprovalPoliciesBypassersUpdate
+    >;
+
     [TableName.AccessApprovalRequest]: KnexOriginal.CompositeTableType<
       TAccessApprovalRequests,
       TAccessApprovalRequestsInsert,
@@ -827,6 +855,11 @@ declare module "knex/types/tables" {
       TSecretApprovalPoliciesApproversInsert,
       TSecretApprovalPoliciesApproversUpdate
     >;
+    [TableName.SecretApprovalPolicyBypasser]: KnexOriginal.CompositeTableType<
+      TSecretApprovalPoliciesBypassers,
+      TSecretApprovalPoliciesBypassersInsert,
+      TSecretApprovalPoliciesBypassersUpdate
+    >;
     [TableName.SecretApprovalRequest]: KnexOriginal.CompositeTableType<
       TSecretApprovalRequests,
       TSecretApprovalRequestsInsert,

backend/src/db/migrations/20250429203304_certificates-ca-relation-removal.ts

@@ -0,0 +1,44 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    const hasProjectIdColumn = await knex.schema.hasColumn(TableName.Certificate, "projectId");
+    if (!hasProjectIdColumn) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.string("projectId", 36).nullable();
+        t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      });
+
+      await knex.raw(`
+          UPDATE "${TableName.Certificate}" cert
+          SET "projectId" = ca."projectId"
+          FROM "${TableName.CertificateAuthority}" ca
+          WHERE cert."caId" = ca.id
+        `);
+
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.string("projectId").notNullable().alter();
+      });
+    }
+
+    await knex.schema.alterTable(TableName.Certificate, (t) => {
+      t.uuid("caId").nullable().alter();
+      t.uuid("caCertId").nullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    if (await knex.schema.hasColumn(TableName.Certificate, "projectId")) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.dropForeign("projectId");
+        t.dropColumn("projectId");
+      });
+    }
+  }
+
+  // Altering back to notNullable for caId and caCertId will fail
+}

backend/src/db/migrations/20250521110635_add-external-ca-pki.ts

@@ -0,0 +1,205 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCATable = await knex.schema.hasTable(TableName.CertificateAuthority);
+  const hasExternalCATable = await knex.schema.hasTable(TableName.ExternalCertificateAuthority);
+  const hasInternalCATable = await knex.schema.hasTable(TableName.InternalCertificateAuthority);
+
+  if (hasCATable && !hasInternalCATable) {
+    await knex.schema.createTableLike(TableName.InternalCertificateAuthority, TableName.CertificateAuthority, (t) => {
+      t.uuid("caId").nullable();
+    });
+
+    // @ts-expect-error intentional: migration
+    await knex(TableName.InternalCertificateAuthority).insert(knex(TableName.CertificateAuthority).select("*"));
+    await knex(TableName.InternalCertificateAuthority).update("caId", knex.ref("id"));
+
+    await knex.schema.alterTable(TableName.InternalCertificateAuthority, (t) => {
+      t.dropColumn("projectId");
+      t.dropColumn("requireTemplateForIssuance");
+      t.dropColumn("createdAt");
+      t.dropColumn("updatedAt");
+      t.dropColumn("status");
+      t.uuid("parentCaId")
+        .nullable()
+        .references("id")
+        .inTable(TableName.CertificateAuthority)
+        .onDelete("CASCADE")
+        .alter();
+      t.uuid("activeCaCertId").nullable().references("id").inTable(TableName.CertificateAuthorityCert).alter();
+      t.uuid("caId").notNullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE").alter();
+    });
+
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.renameColumn("requireTemplateForIssuance", "enableDirectIssuance");
+      t.string("name").nullable();
+    });
+
+    // prefill name for existing internal CAs and flip enableDirectIssuance
+    const cas = await knex(TableName.CertificateAuthority).select("id", "friendlyName", "enableDirectIssuance");
+    await Promise.all(
+      cas.map((ca) => {
+        const slugifiedName = ca.friendlyName
+          ? slugify(`${ca.friendlyName.slice(0, 16)}-${alphaNumericNanoId(8)}`)
+          : slugify(alphaNumericNanoId(12));
+
+        return knex(TableName.CertificateAuthority)
+          .where({ id: ca.id })
+          .update({ name: slugifiedName, enableDirectIssuance: !ca.enableDirectIssuance });
+      })
+    );
+
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.dropColumn("parentCaId");
+      t.dropColumn("type");
+      t.dropColumn("friendlyName");
+      t.dropColumn("organization");
+      t.dropColumn("ou");
+      t.dropColumn("country");
+      t.dropColumn("province");
+      t.dropColumn("locality");
+      t.dropColumn("commonName");
+      t.dropColumn("dn");
+      t.dropColumn("serialNumber");
+      t.dropColumn("maxPathLength");
+      t.dropColumn("keyAlgorithm");
+      t.dropColumn("notBefore");
+      t.dropColumn("notAfter");
+      t.dropColumn("activeCaCertId");
+      t.boolean("enableDirectIssuance").notNullable().defaultTo(true).alter();
+      t.string("name").notNullable().alter();
+      t.unique(["name", "projectId"]);
+    });
+  }
+
+  if (!hasExternalCATable) {
+    await knex.schema.createTable(TableName.ExternalCertificateAuthority, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("type").notNullable();
+      t.uuid("appConnectionId").nullable();
+      t.foreign("appConnectionId").references("id").inTable(TableName.AppConnection);
+      t.uuid("dnsAppConnectionId").nullable();
+      t.foreign("dnsAppConnectionId").references("id").inTable(TableName.AppConnection);
+      t.uuid("caId").notNullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      t.binary("credentials");
+      t.json("configuration");
+    });
+  }
+
+  if (await knex.schema.hasTable(TableName.PkiSubscriber)) {
+    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
+      t.string("ttl").nullable().alter();
+
+      t.boolean("enableAutoRenewal").notNullable().defaultTo(false);
+      t.integer("autoRenewalPeriodInDays");
+      t.datetime("lastAutoRenewAt");
+
+      t.string("lastOperationStatus");
+      t.text("lastOperationMessage");
+      t.dateTime("lastOperationAt");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCATable = await knex.schema.hasTable(TableName.CertificateAuthority);
+  const hasExternalCATable = await knex.schema.hasTable(TableName.ExternalCertificateAuthority);
+  const hasInternalCATable = await knex.schema.hasTable(TableName.InternalCertificateAuthority);
+
+  if (hasCATable && hasInternalCATable) {
+    // First add all columns as nullable
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.uuid("parentCaId").nullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      t.string("type").nullable();
+      t.string("friendlyName").nullable();
+      t.string("organization").nullable();
+      t.string("ou").nullable();
+      t.string("country").nullable();
+      t.string("province").nullable();
+      t.string("locality").nullable();
+      t.string("commonName").nullable();
+      t.string("dn").nullable();
+      t.string("serialNumber").nullable().unique();
+      t.integer("maxPathLength").nullable();
+      t.string("keyAlgorithm").nullable();
+      t.timestamp("notBefore").nullable();
+      t.timestamp("notAfter").nullable();
+      t.uuid("activeCaCertId").nullable().references("id").inTable(TableName.CertificateAuthorityCert);
+      t.renameColumn("enableDirectIssuance", "requireTemplateForIssuance");
+      t.dropColumn("name");
+    });
+
+    // flip requireTemplateForIssuance for existing internal CAs
+    const cas = await knex(TableName.CertificateAuthority).select("id", "requireTemplateForIssuance");
+    await Promise.all(
+      cas.map((ca) => {
+        return (
+          knex(TableName.CertificateAuthority)
+            .where({ id: ca.id })
+            // @ts-expect-error intentional: migration
+            .update({ requireTemplateForIssuance: !ca.requireTemplateForIssuance })
+        );
+      })
+    );
+
+    await knex.raw(`
+      UPDATE ${TableName.CertificateAuthority} ca
+      SET
+        type = ica.type,
+        "friendlyName" = ica."friendlyName",
+        organization = ica.organization,
+        ou = ica.ou,
+        country = ica.country,
+        province = ica.province,
+        locality = ica.locality,
+        "commonName" = ica."commonName",
+        dn = ica.dn,
+        "parentCaId" = ica."parentCaId",
+        "serialNumber" = ica."serialNumber",
+        "maxPathLength" = ica."maxPathLength",
+        "keyAlgorithm" = ica."keyAlgorithm",
+        "notBefore" = ica."notBefore",
+        "notAfter" = ica."notAfter",
+        "activeCaCertId" = ica."activeCaCertId"
+      FROM ${TableName.InternalCertificateAuthority} ica
+      WHERE ca.id = ica."caId"
+    `);
+
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.string("type").notNullable().alter();
+      t.string("friendlyName").notNullable().alter();
+      t.string("organization").notNullable().alter();
+      t.string("ou").notNullable().alter();
+      t.string("country").notNullable().alter();
+      t.string("province").notNullable().alter();
+      t.string("locality").notNullable().alter();
+      t.string("commonName").notNullable().alter();
+      t.string("dn").notNullable().alter();
+      t.string("keyAlgorithm").notNullable().alter();
+      t.boolean("requireTemplateForIssuance").notNullable().defaultTo(false).alter();
+    });
+
+    await knex.schema.dropTable(TableName.InternalCertificateAuthority);
+  }
+
+  if (hasExternalCATable) {
+    await knex.schema.dropTable(TableName.ExternalCertificateAuthority);
+  }
+
+  if (await knex.schema.hasTable(TableName.PkiSubscriber)) {
+    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
+      t.dropColumn("enableAutoRenewal");
+      t.dropColumn("autoRenewalPeriodInDays");
+      t.dropColumn("lastAutoRenewAt");
+
+      t.dropColumn("lastOperationStatus");
+      t.dropColumn("lastOperationMessage");
+      t.dropColumn("lastOperationAt");
+    });
+  }
+}

backend/src/db/migrations/20250527030702_policy-bypassers.ts

@@ -0,0 +1,48 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyBypasser))) {
+    await knex.schema.createTable(TableName.AccessApprovalPolicyBypasser, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.uuid("bypasserGroupId").nullable();
+      t.foreign("bypasserGroupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+
+      t.uuid("bypasserUserId").nullable();
+      t.foreign("bypasserUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+
+      t.uuid("policyId").notNullable();
+      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicyBypasser);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SecretApprovalPolicyBypasser))) {
+    await knex.schema.createTable(TableName.SecretApprovalPolicyBypasser, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.uuid("bypasserGroupId").nullable();
+      t.foreign("bypasserGroupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+
+      t.uuid("bypasserUserId").nullable();
+      t.foreign("bypasserUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+
+      t.uuid("policyId").notNullable();
+      t.foreign("policyId").references("id").inTable(TableName.SecretApprovalPolicy).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+    await createOnUpdateTrigger(knex, TableName.SecretApprovalPolicyBypasser);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SecretApprovalPolicyBypasser);
+  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicyBypasser);
+
+  await dropOnUpdateTrigger(knex, TableName.SecretApprovalPolicyBypasser);
+  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicyBypasser);
+}

backend/src/db/migrations/20250527164523_add-mi-access-token-period.ts

@@ -0,0 +1,139 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.IdentityAccessToken, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityAwsAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityOidcAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityAzureAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityAzureAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityGcpAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityJwtAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityJwtAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityLdapAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityOciAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityOciAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityTokenAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityTokenAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityAccessToken, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityAwsAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityOidcAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityAzureAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityAzureAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityGcpAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityJwtAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityJwtAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityLdapAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityOciAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityOciAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityTokenAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityTokenAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+}

backend/src/db/migrations/20250528145356_add-template-slug.ts

@@ -0,0 +1,24 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasNameCol = await knex.schema.hasColumn(TableName.CertificateTemplate, "name");
+  if (hasNameCol) {
+    const templates = await knex(TableName.CertificateTemplate).select("id", "name");
+    await Promise.all(
+      templates.map((el) => {
+        const slugifiedName = el.name
+          ? slugify(`${el.name.slice(0, 16)}-${alphaNumericNanoId(8)}`)
+          : slugify(alphaNumericNanoId(12));
+
+        return knex(TableName.CertificateTemplate).where({ id: el.id }).update({ name: slugifiedName });
+      })
+    );
+  }
+}
+
+export async function down(): Promise<void> {}

backend/src/db/migrations/20250528183744_remove-encrypted-salt-from-shared-secret.ts

@@ -0,0 +1,27 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+
+    if (hasEncryptedSalt) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.dropColumn("encryptedSalt");
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+
+    if (!hasEncryptedSalt) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.binary("encryptedSalt").nullable();
+      });
+    }
+  }
+}

backend/src/db/migrations/20250530152721_add-access-approval-request-deleted-at.ts

@@ -0,0 +1,63 @@
+import { Knex } from "knex";
+
+import { ApprovalStatus } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasPrivilegeDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.AccessApprovalRequest,
+    "privilegeDeletedAt"
+  );
+  const hasStatusColumn = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "status");
+
+  if (!hasPrivilegeDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      t.timestamp("privilegeDeletedAt").nullable();
+    });
+  }
+
+  if (!hasStatusColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      t.string("status").defaultTo(ApprovalStatus.PENDING).notNullable();
+    });
+
+    // Update existing rows based on business logic
+    // If privilegeId is not null, set status to "approved"
+    await knex(TableName.AccessApprovalRequest).whereNotNull("privilegeId").update({ status: ApprovalStatus.APPROVED });
+
+    // If privilegeId is null and there's a rejected reviewer, set to "rejected"
+    const rejectedRequestIds = await knex(TableName.AccessApprovalRequestReviewer)
+      .select("requestId")
+      .where("status", "rejected")
+      .distinct()
+      .pluck("requestId");
+
+    if (rejectedRequestIds.length > 0) {
+      await knex(TableName.AccessApprovalRequest)
+        .whereNull("privilegeId")
+        .whereIn("id", rejectedRequestIds)
+        .update({ status: ApprovalStatus.REJECTED });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasPrivilegeDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.AccessApprovalRequest,
+    "privilegeDeletedAt"
+  );
+  const hasStatusColumn = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "status");
+
+  if (hasPrivilegeDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      t.dropColumn("privilegeDeletedAt");
+    });
+  }
+
+  if (hasStatusColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      t.dropColumn("status");
+    });
+  }
+}

backend/src/db/schemas/access-approval-policies-bypassers.ts

@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const AccessApprovalPoliciesBypassersSchema = z.object({
+  id: z.string().uuid(),
+  bypasserGroupId: z.string().uuid().nullable().optional(),
+  bypasserUserId: z.string().uuid().nullable().optional(),
+  policyId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TAccessApprovalPoliciesBypassers = z.infer<typeof AccessApprovalPoliciesBypassersSchema>;
+export type TAccessApprovalPoliciesBypassersInsert = Omit<
+  z.input<typeof AccessApprovalPoliciesBypassersSchema>,
+  TImmutableDBKeys
+>;
+export type TAccessApprovalPoliciesBypassersUpdate = Partial<
+  Omit<z.input<typeof AccessApprovalPoliciesBypassersSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/access-approval-requests.ts

@@ -18,7 +18,9 @@ export const AccessApprovalRequestsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   requestedByUserId: z.string().uuid(),
-  note: z.string().nullable().optional()
+  note: z.string().nullable().optional(),
+  privilegeDeletedAt: z.date().nullable().optional(),
+  status: z.string().default("pending")
 });
 
 export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;

backend/src/db/schemas/certificate-authorities.ts

@@ -11,25 +11,10 @@ export const CertificateAuthoritiesSchema = z.object({
   id: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  parentCaId: z.string().uuid().nullable().optional(),
   projectId: z.string(),
-  type: z.string(),
+  enableDirectIssuance: z.boolean().default(true),
   status: z.string(),
-  friendlyName: z.string(),
-  organization: z.string(),
-  ou: z.string(),
-  country: z.string(),
-  province: z.string(),
-  locality: z.string(),
-  commonName: z.string(),
-  dn: z.string(),
-  serialNumber: z.string().nullable().optional(),
-  maxPathLength: z.number().nullable().optional(),
-  keyAlgorithm: z.string(),
-  notBefore: z.date().nullable().optional(),
-  notAfter: z.date().nullable().optional(),
-  activeCaCertId: z.string().uuid().nullable().optional(),
-  requireTemplateForIssuance: z.boolean().default(false)
+  name: z.string()
 });
 
 export type TCertificateAuthorities = z.infer<typeof CertificateAuthoritiesSchema>;

backend/src/db/schemas/certificates.ts

@@ -11,7 +11,7 @@ export const CertificatesSchema = z.object({
   id: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  caId: z.string().uuid(),
+  caId: z.string().uuid().nullable().optional(),
   status: z.string(),
   serialNumber: z.string(),
   friendlyName: z.string(),
@@ -21,11 +21,12 @@ export const CertificatesSchema = z.object({
   revokedAt: z.date().nullable().optional(),
   revocationReason: z.number().nullable().optional(),
   altNames: z.string().nullable().optional(),
-  caCertId: z.string().uuid(),
+  caCertId: z.string().uuid().nullable().optional(),
   certificateTemplateId: z.string().uuid().nullable().optional(),
   keyUsages: z.string().array().nullable().optional(),
   extendedKeyUsages: z.string().array().nullable().optional(),
-  pkiSubscriberId: z.string().uuid().nullable().optional()
+  pkiSubscriberId: z.string().uuid().nullable().optional(),
+  projectId: z.string()
 });
 
 export type TCertificates = z.infer<typeof CertificatesSchema>;

backend/src/db/schemas/external-certificate-authorities.ts

@@ -0,0 +1,29 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ExternalCertificateAuthoritiesSchema = z.object({
+  id: z.string().uuid(),
+  type: z.string(),
+  appConnectionId: z.string().uuid().nullable().optional(),
+  dnsAppConnectionId: z.string().uuid().nullable().optional(),
+  caId: z.string().uuid(),
+  credentials: zodBuffer.nullable().optional(),
+  configuration: z.unknown().nullable().optional()
+});
+
+export type TExternalCertificateAuthorities = z.infer<typeof ExternalCertificateAuthoritiesSchema>;
+export type TExternalCertificateAuthoritiesInsert = Omit<
+  z.input<typeof ExternalCertificateAuthoritiesSchema>,
+  TImmutableDBKeys
+>;
+export type TExternalCertificateAuthoritiesUpdate = Partial<
+  Omit<z.input<typeof ExternalCertificateAuthoritiesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/identity-access-tokens.ts

@@ -21,7 +21,8 @@ export const IdentityAccessTokensSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   name: z.string().nullable().optional(),
-  authMethod: z.string()
+  authMethod: z.string(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityAccessTokens = z.infer<typeof IdentityAccessTokensSchema>;

backend/src/db/schemas/identity-aws-auths.ts

@@ -19,7 +19,8 @@ export const IdentityAwsAuthsSchema = z.object({
   type: z.string(),
   stsEndpoint: z.string(),
   allowedPrincipalArns: z.string(),
-  allowedAccountIds: z.string()
+  allowedAccountIds: z.string(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityAwsAuths = z.infer<typeof IdentityAwsAuthsSchema>;

backend/src/db/schemas/identity-azure-auths.ts

@@ -18,7 +18,8 @@ export const IdentityAzureAuthsSchema = z.object({
   identityId: z.string().uuid(),
   tenantId: z.string(),
   resource: z.string(),
-  allowedServicePrincipalIds: z.string()
+  allowedServicePrincipalIds: z.string(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityAzureAuths = z.infer<typeof IdentityAzureAuthsSchema>;

backend/src/db/schemas/identity-gcp-auths.ts

@@ -19,7 +19,8 @@ export const IdentityGcpAuthsSchema = z.object({
   type: z.string(),
   allowedServiceAccounts: z.string().nullable().optional(),
   allowedProjects: z.string().nullable().optional(),
-  allowedZones: z.string().nullable().optional()
+  allowedZones: z.string().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;

backend/src/db/schemas/identity-jwt-auths.ts

@@ -25,7 +25,8 @@ export const IdentityJwtAuthsSchema = z.object({
   boundClaims: z.unknown(),
   boundSubject: z.string(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityJwtAuths = z.infer<typeof IdentityJwtAuthsSchema>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -30,7 +30,8 @@ export const IdentityKubernetesAuthsSchema = z.object({
   allowedAudience: z.string(),
   encryptedKubernetesTokenReviewerJwt: zodBuffer.nullable().optional(),
   encryptedKubernetesCaCertificate: zodBuffer.nullable().optional(),
-  gatewayId: z.string().uuid().nullable().optional()
+  gatewayId: z.string().uuid().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;

backend/src/db/schemas/identity-ldap-auths.ts

@@ -24,7 +24,8 @@ export const IdentityLdapAuthsSchema = z.object({
   searchFilter: z.string(),
   allowedFields: z.unknown().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityLdapAuths = z.infer<typeof IdentityLdapAuthsSchema>;

backend/src/db/schemas/identity-oci-auths.ts

@@ -18,7 +18,8 @@ export const IdentityOciAuthsSchema = z.object({
   identityId: z.string().uuid(),
   type: z.string(),
   tenancyOcid: z.string(),
-  allowedUsernames: z.string().nullable().optional()
+  allowedUsernames: z.string().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityOciAuths = z.infer<typeof IdentityOciAuthsSchema>;

backend/src/db/schemas/identity-oidc-auths.ts

@@ -27,7 +27,8 @@ export const IdentityOidcAuthsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   encryptedCaCertificate: zodBuffer.nullable().optional(),
-  claimMetadataMapping: z.unknown().nullable().optional()
+  claimMetadataMapping: z.unknown().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>;

backend/src/db/schemas/identity-token-auths.ts

@@ -15,7 +15,8 @@ export const IdentityTokenAuthsSchema = z.object({
   accessTokenTrustedIps: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  identityId: z.string().uuid()
+  identityId: z.string().uuid(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityTokenAuths = z.infer<typeof IdentityTokenAuthsSchema>;

backend/src/db/schemas/identity-universal-auths.ts

@@ -17,7 +17,8 @@ export const IdentityUniversalAuthsSchema = z.object({
   accessTokenTrustedIps: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  identityId: z.string().uuid()
+  identityId: z.string().uuid(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityUniversalAuths = z.infer<typeof IdentityUniversalAuthsSchema>;

backend/src/db/schemas/index.ts

@@ -1,5 +1,6 @@
 export * from "./access-approval-policies";
 export * from "./access-approval-policies-approvers";
+export * from "./access-approval-policies-bypassers";
 export * from "./access-approval-requests";
 export * from "./access-approval-requests-reviewers";
 export * from "./api-keys";
@@ -20,6 +21,7 @@ export * from "./certificate-templates";
 export * from "./certificates";
 export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
+export * from "./external-certificate-authorities";
 export * from "./external-group-org-role-mappings";
 export * from "./external-kms";
 export * from "./gateways";
@@ -49,6 +51,7 @@ export * from "./identity-universal-auths";
 export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
+export * from "./internal-certificate-authorities";
 export * from "./internal-kms";
 export * from "./kmip-client-certificates";
 export * from "./kmip-clients";
@@ -90,6 +93,7 @@ export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";
 export * from "./secret-approval-policies-approvers";
+export * from "./secret-approval-policies-bypassers";
 export * from "./secret-approval-request-secret-tags";
 export * from "./secret-approval-request-secret-tags-v2";
 export * from "./secret-approval-requests";

backend/src/db/schemas/internal-certificate-authorities.ts

@@ -0,0 +1,38 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const InternalCertificateAuthoritiesSchema = z.object({
+  id: z.string().uuid(),
+  parentCaId: z.string().uuid().nullable().optional(),
+  type: z.string(),
+  friendlyName: z.string(),
+  organization: z.string(),
+  ou: z.string(),
+  country: z.string(),
+  province: z.string(),
+  locality: z.string(),
+  commonName: z.string(),
+  dn: z.string(),
+  serialNumber: z.string().nullable().optional(),
+  maxPathLength: z.number().nullable().optional(),
+  keyAlgorithm: z.string(),
+  notBefore: z.date().nullable().optional(),
+  notAfter: z.date().nullable().optional(),
+  activeCaCertId: z.string().uuid().nullable().optional(),
+  caId: z.string().uuid()
+});
+
+export type TInternalCertificateAuthorities = z.infer<typeof InternalCertificateAuthoritiesSchema>;
+export type TInternalCertificateAuthoritiesInsert = Omit<
+  z.input<typeof InternalCertificateAuthoritiesSchema>,
+  TImmutableDBKeys
+>;
+export type TInternalCertificateAuthoritiesUpdate = Partial<
+  Omit<z.input<typeof InternalCertificateAuthoritiesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/models.ts

@@ -13,6 +13,8 @@ export enum TableName {
   SshCertificate = "ssh_certificates",
   SshCertificateBody = "ssh_certificate_bodies",
   CertificateAuthority = "certificate_authorities",
+  ExternalCertificateAuthority = "external_certificate_authorities",
+  InternalCertificateAuthority = "internal_certificate_authorities",
   CertificateTemplateEstConfig = "certificate_template_est_configs",
   CertificateAuthorityCert = "certificate_authority_certs",
   CertificateAuthoritySecret = "certificate_authority_secret",
@@ -93,10 +95,12 @@ export enum TableName {
   ScimToken = "scim_tokens",
   AccessApprovalPolicy = "access_approval_policies",
   AccessApprovalPolicyApprover = "access_approval_policies_approvers",
+  AccessApprovalPolicyBypasser = "access_approval_policies_bypassers",
   AccessApprovalRequest = "access_approval_requests",
   AccessApprovalRequestReviewer = "access_approval_requests_reviewers",
   SecretApprovalPolicy = "secret_approval_policies",
   SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
+  SecretApprovalPolicyBypasser = "secret_approval_policies_bypassers",
   SecretApprovalRequest = "secret_approval_requests",
   SecretApprovalRequestReviewer = "secret_approval_requests_reviewers",
   SecretApprovalRequestSecret = "secret_approval_requests_secrets",

backend/src/db/schemas/pki-subscribers.ts

@@ -16,10 +16,16 @@ export const PkiSubscribersSchema = z.object({
   name: z.string(),
   commonName: z.string(),
   subjectAlternativeNames: z.string().array(),
-  ttl: z.string(),
+  ttl: z.string().nullable().optional(),
   keyUsages: z.string().array(),
   extendedKeyUsages: z.string().array(),
-  status: z.string()
+  status: z.string(),
+  enableAutoRenewal: z.boolean().default(false),
+  autoRenewalPeriodInDays: z.number().nullable().optional(),
+  lastAutoRenewAt: z.date().nullable().optional(),
+  lastOperationStatus: z.string().nullable().optional(),
+  lastOperationMessage: z.string().nullable().optional(),
+  lastOperationAt: z.date().nullable().optional()
 });
 
 export type TPkiSubscribers = z.infer<typeof PkiSubscribersSchema>;

backend/src/db/schemas/secret-approval-policies-bypassers.ts

@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretApprovalPoliciesBypassersSchema = z.object({
+  id: z.string().uuid(),
+  bypasserGroupId: z.string().uuid().nullable().optional(),
+  bypasserUserId: z.string().uuid().nullable().optional(),
+  policyId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TSecretApprovalPoliciesBypassers = z.infer<typeof SecretApprovalPoliciesBypassersSchema>;
+export type TSecretApprovalPoliciesBypassersInsert = Omit<
+  z.input<typeof SecretApprovalPoliciesBypassersSchema>,
+  TImmutableDBKeys
+>;
+export type TSecretApprovalPoliciesBypassersUpdate = Partial<
+  Omit<z.input<typeof SecretApprovalPoliciesBypassersSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/secret-sharing.ts

@@ -28,7 +28,6 @@ export const SecretSharingSchema = z.object({
   encryptedSecret: zodBuffer.nullable().optional(),
   identifier: z.string().nullable().optional(),
   type: z.string().default("share"),
-  encryptedSalt: zodBuffer.nullable().optional(),
   authorizedEmails: z.unknown().nullable().optional()
 });
 

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -1,7 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";
 
-import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
+import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -24,10 +24,19 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
           ])
           .array()
+          .max(100, "Cannot have more than 100 approvers")
           .min(1, { message: "At least one approver should be provided" }),
+        bypassers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 bypassers")
+          .optional(),
         approvals: z.number().min(1).default(1),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true)
@@ -72,7 +81,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
                 .object({ type: z.nativeEnum(ApproverType), id: z.string().nullable().optional() })
                 .array()
                 .nullable()
-                .optional()
+                .optional(),
+              bypassers: z.object({ type: z.nativeEnum(BypasserType), id: z.string().nullable().optional() }).array()
             })
             .array()
             .nullable()
@@ -143,10 +153,19 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
           ])
           .array()
-          .min(1, { message: "At least one approver should be provided" }),
+          .min(1, { message: "At least one approver should be provided" })
+          .max(100, "Cannot have more than 100 approvers"),
+        bypassers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 bypassers")
+          .optional(),
         approvals: z.number().min(1).optional(),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true)
@@ -220,6 +239,15 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
               })
               .array()
               .nullable()
+              .optional(),
+            bypassers: z
+              .object({
+                type: z.nativeEnum(BypasserType),
+                id: z.string().nullable().optional(),
+                name: z.string().nullable().optional()
+              })
+              .array()
+              .nullable()
               .optional()
           })
         })

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -113,6 +113,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
               name: z.string(),
               approvals: z.number(),
               approvers: z.string().array(),
+              bypassers: z.string().array(),
               secretPath: z.string().nullish(),
               envId: z.string(),
               enforcementLevel: z.string(),

backend/src/ee/routes/v1/license-router.ts

@@ -47,7 +47,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
         200: z.object({ plan: z.any() })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const plan = await server.services.license.getOrgPlan({
         actorId: req.permission.id,

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -1,7 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";
 
-import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
+import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -30,10 +30,19 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
           ])
           .array()
-          .min(1, { message: "At least one approver should be provided" }),
+          .min(1, { message: "At least one approver should be provided" })
+          .max(100, "Cannot have more than 100 approvers"),
+        bypassers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 bypassers")
+          .optional(),
         approvals: z.number().min(1).default(1),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true)
@@ -75,10 +84,19 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
           ])
           .array()
-          .min(1, { message: "At least one approver should be provided" }),
+          .min(1, { message: "At least one approver should be provided" })
+          .max(100, "Cannot have more than 100 approvers"),
+        bypassers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 bypassers")
+          .optional(),
         approvals: z.number().min(1).default(1),
         secretPath: z
           .string()
@@ -157,6 +175,12 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
                   id: z.string().nullable().optional(),
                   type: z.nativeEnum(ApproverType)
                 })
+                .array(),
+              bypassers: z
+                .object({
+                  id: z.string().nullable().optional(),
+                  type: z.nativeEnum(BypasserType)
+                })
                 .array()
             })
             .array()
@@ -193,7 +217,14 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
               .object({
                 id: z.string().nullable().optional(),
                 type: z.nativeEnum(ApproverType),
-                name: z.string().nullable().optional()
+                username: z.string().nullable().optional()
+              })
+              .array(),
+            bypassers: z
+              .object({
+                id: z.string().nullable().optional(),
+                type: z.nativeEnum(BypasserType),
+                username: z.string().nullable().optional()
               })
               .array()
           })

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -47,6 +47,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                   userId: z.string().nullable().optional()
                 })
                 .array(),
+              bypassers: z
+                .object({
+                  userId: z.string().nullable().optional()
+                })
+                .array(),
               secretPath: z.string().optional().nullable(),
               enforcementLevel: z.string(),
               deletedAt: z.date().nullish(),
@@ -266,6 +271,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 name: z.string(),
                 approvals: z.number(),
                 approvers: approvalRequestUser.array(),
+                bypassers: approvalRequestUser.array(),
                 secretPath: z.string().optional().nullable(),
                 enforcementLevel: z.string(),
                 deletedAt: z.date().nullish(),

backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts

@@ -5,6 +5,7 @@ import { registerAwsIamUserSecretRotationRouter } from "./aws-iam-user-secret-ro
 import { registerAzureClientSecretRotationRouter } from "./azure-client-secret-rotation-router";
 import { registerLdapPasswordRotationRouter } from "./ldap-password-rotation-router";
 import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
+import { registerMySqlCredentialsRotationRouter } from "./mysql-credentials-rotation-router";
 import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";
 
 export * from "./secret-rotation-v2-router";
@@ -15,6 +16,7 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
 > = {
   [SecretRotation.PostgresCredentials]: registerPostgresCredentialsRotationRouter,
   [SecretRotation.MsSqlCredentials]: registerMsSqlCredentialsRotationRouter,
+  [SecretRotation.MySqlCredentials]: registerMySqlCredentialsRotationRouter,
   [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter,
   [SecretRotation.AzureClientSecret]: registerAzureClientSecretRotationRouter,
   [SecretRotation.AwsIamUserSecret]: registerAwsIamUserSecretRotationRouter,

backend/src/ee/routes/v2/secret-rotation-v2-routers/mysql-credentials-rotation-router.ts

@@ -0,0 +1,19 @@
+import {
+  CreateMySqlCredentialsRotationSchema,
+  MySqlCredentialsRotationSchema,
+  UpdateMySqlCredentialsRotationSchema
+} from "@app/ee/services/secret-rotation-v2/mysql-credentials";
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import { SqlCredentialsRotationGeneratedCredentialsSchema } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials";
+
+import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
+
+export const registerMySqlCredentialsRotationRouter = async (server: FastifyZodProvider) =>
+  registerSecretRotationEndpoints({
+    type: SecretRotation.MySqlCredentials,
+    server,
+    responseSchema: MySqlCredentialsRotationSchema,
+    createSchema: CreateMySqlCredentialsRotationSchema,
+    updateSchema: UpdateMySqlCredentialsRotationSchema,
+    generatedCredentialsSchema: SqlCredentialsRotationGeneratedCredentialsSchema
+  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts

@@ -6,6 +6,7 @@ import { AwsIamUserSecretRotationListItemSchema } from "@app/ee/services/secret-
 import { AzureClientSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/azure-client-secret";
 import { LdapPasswordRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
+import { MySqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
 import { PostgresCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
 import { ApiDocsTags, SecretRotations } from "@app/lib/api-docs";
@@ -16,6 +17,7 @@ import { AuthMode } from "@app/services/auth/auth-type";
 const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
   PostgresCredentialsRotationListItemSchema,
   MsSqlCredentialsRotationListItemSchema,
+  MySqlCredentialsRotationListItemSchema,
   Auth0ClientSecretRotationListItemSchema,
   AzureClientSecretRotationListItemSchema,
   AwsIamUserSecretRotationListItemSchema,

backend/src/ee/services/access-approval-policy/access-approval-policy-approver-dal.ts

@@ -8,3 +8,10 @@ export const accessApprovalPolicyApproverDALFactory = (db: TDbClient) => {
   const accessApprovalPolicyApproverOrm = ormify(db, TableName.AccessApprovalPolicyApprover);
   return { ...accessApprovalPolicyApproverOrm };
 };
+
+export type TAccessApprovalPolicyBypasserDALFactory = ReturnType<typeof accessApprovalPolicyBypasserDALFactory>;
+
+export const accessApprovalPolicyBypasserDALFactory = (db: TDbClient) => {
+  const accessApprovalPolicyBypasserOrm = ormify(db, TableName.AccessApprovalPolicyBypasser);
+  return { ...accessApprovalPolicyBypasserOrm };
+};

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -1,11 +1,11 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { AccessApprovalPoliciesSchema, TableName, TAccessApprovalPolicies } from "@app/db/schemas";
+import { AccessApprovalPoliciesSchema, TableName, TAccessApprovalPolicies, TUsers } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
 
-import { ApproverType } from "./access-approval-policy-types";
+import { ApproverType, BypasserType } from "./access-approval-policy-types";
 
 export type TAccessApprovalPolicyDALFactory = ReturnType<typeof accessApprovalPolicyDALFactory>;
 
@@ -34,9 +34,22 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
         `${TableName.AccessApprovalPolicyApprover}.policyId`
       )
       .leftJoin(TableName.Users, `${TableName.AccessApprovalPolicyApprover}.approverUserId`, `${TableName.Users}.id`)
+      .leftJoin(
+        TableName.AccessApprovalPolicyBypasser,
+        `${TableName.AccessApprovalPolicy}.id`,
+        `${TableName.AccessApprovalPolicyBypasser}.policyId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("bypasserUsers"),
+        `${TableName.AccessApprovalPolicyBypasser}.bypasserUserId`,
+        `bypasserUsers.id`
+      )
       .select(tx.ref("username").withSchema(TableName.Users).as("approverUsername"))
+      .select(tx.ref("username").withSchema("bypasserUsers").as("bypasserUsername"))
       .select(tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
       .select(tx.ref("approverGroupId").withSchema(TableName.AccessApprovalPolicyApprover))
+      .select(tx.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser))
+      .select(tx.ref("bypasserGroupId").withSchema(TableName.AccessApprovalPolicyBypasser))
       .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
       .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
       .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
@@ -129,6 +142,23 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
               id,
               type: ApproverType.Group
             })
+          },
+          {
+            key: "bypasserUserId",
+            label: "bypassers" as const,
+            mapper: ({ bypasserUserId: id, bypasserUsername }) => ({
+              id,
+              type: BypasserType.User,
+              name: bypasserUsername
+            })
+          },
+          {
+            key: "bypasserGroupId",
+            label: "bypassers" as const,
+            mapper: ({ bypasserGroupId: id }) => ({
+              id,
+              type: BypasserType.Group
+            })
           }
         ]
       });
@@ -144,5 +174,28 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
     return softDeletedPolicy;
   };
 
-  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById };
+  const findLastValidPolicy = async ({ envId, secretPath }: { envId: string; secretPath: string }, tx?: Knex) => {
+    try {
+      const result = await (tx || db.replicaNode())(TableName.AccessApprovalPolicy)
+        .where(
+          // eslint-disable-next-line @typescript-eslint/no-misused-promises
+          buildFindFilter(
+            {
+              envId,
+              secretPath
+            },
+            TableName.AccessApprovalPolicy
+          )
+        )
+        .orderBy("deletedAt", "desc")
+        .orderByRaw(`"deletedAt" IS NULL`)
+        .first();
+
+      return result;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindLastValidPolicy" });
+    }
+  };
+
+  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById, findLastValidPolicy };
 };

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -2,8 +2,9 @@ import { ForbiddenError } from "@casl/ability";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
@@ -14,10 +15,14 @@ import { TAccessApprovalRequestReviewerDALFactory } from "../access-approval-req
 import { ApprovalStatus } from "../access-approval-request/access-approval-request-types";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
-import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
+import {
+  TAccessApprovalPolicyApproverDALFactory,
+  TAccessApprovalPolicyBypasserDALFactory
+} from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
 import {
   ApproverType,
+  BypasserType,
   TCreateAccessApprovalPolicy,
   TDeleteAccessApprovalPolicy,
   TGetAccessApprovalPolicyByIdDTO,
@@ -32,12 +37,14 @@ type TAccessApprovalPolicyServiceFactoryDep = {
   accessApprovalPolicyDAL: TAccessApprovalPolicyDALFactory;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findOne">;
   accessApprovalPolicyApproverDAL: TAccessApprovalPolicyApproverDALFactory;
+  accessApprovalPolicyBypasserDAL: TAccessApprovalPolicyBypasserDALFactory;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
   groupDAL: TGroupDALFactory;
   userDAL: Pick<TUserDALFactory, "find">;
   accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "update" | "find">;
   additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
   accessApprovalRequestReviewerDAL: Pick<TAccessApprovalRequestReviewerDALFactory, "update">;
+  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find">;
 };
 
 export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
@@ -45,6 +52,7 @@ export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprov
 export const accessApprovalPolicyServiceFactory = ({
   accessApprovalPolicyDAL,
   accessApprovalPolicyApproverDAL,
+  accessApprovalPolicyBypasserDAL,
   groupDAL,
   permissionService,
   projectEnvDAL,
@@ -52,7 +60,8 @@ export const accessApprovalPolicyServiceFactory = ({
   userDAL,
   accessApprovalRequestDAL,
   additionalPrivilegeDAL,
-  accessApprovalRequestReviewerDAL
+  accessApprovalRequestReviewerDAL,
+  orgMembershipDAL
 }: TAccessApprovalPolicyServiceFactoryDep) => {
   const createAccessApprovalPolicy = async ({
     name,
@@ -63,6 +72,7 @@ export const accessApprovalPolicyServiceFactory = ({
     actorAuthMethod,
     approvals,
     approvers,
+    bypassers,
     projectSlug,
     environment,
     enforcementLevel,
@@ -82,7 +92,7 @@ export const accessApprovalPolicyServiceFactory = ({
       .filter(Boolean) as string[];
 
     const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
       .filter(Boolean) as string[];
 
     if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
@@ -98,7 +108,7 @@ export const accessApprovalPolicyServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionApprovalActions.Create,
+      ProjectPermissionActions.Create,
       ProjectPermissionSub.SecretApproval
     );
     const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
@@ -147,6 +157,44 @@ export const accessApprovalPolicyServiceFactory = ({
       .map((user) => user.id);
     verifyAllApprovers.push(...verifyGroupApprovers);
 
+    let groupBypassers: string[] = [];
+    let bypasserUserIds: string[] = [];
+
+    if (bypassers && bypassers.length) {
+      groupBypassers = bypassers
+        .filter((bypasser) => bypasser.type === BypasserType.Group)
+        .map((bypasser) => bypasser.id) as string[];
+
+      const userBypassers = bypassers
+        .filter((bypasser) => bypasser.type === BypasserType.User)
+        .map((bypasser) => bypasser.id)
+        .filter(Boolean) as string[];
+
+      const userBypasserNames = bypassers
+        .map((bypasser) => (bypasser.type === BypasserType.User ? bypasser.username : undefined))
+        .filter(Boolean) as string[];
+
+      bypasserUserIds = userBypassers;
+      if (userBypasserNames.length) {
+        const bypasserUsers = await userDAL.find({
+          $in: {
+            username: userBypasserNames
+          }
+        });
+
+        const bypasserNamesFromDb = bypasserUsers.map((user) => user.username);
+        const invalidUsernames = userBypasserNames.filter((username) => !bypasserNamesFromDb.includes(username));
+
+        if (invalidUsernames.length) {
+          throw new BadRequestError({
+            message: `Invalid bypasser user: ${invalidUsernames.join(", ")}`
+          });
+        }
+
+        bypasserUserIds = bypasserUserIds.concat(bypasserUsers.map((user) => user.id));
+      }
+    }
+
     const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.create(
         {
@@ -159,6 +207,7 @@ export const accessApprovalPolicyServiceFactory = ({
         },
         tx
       );
+
       if (approverUserIds.length) {
         await accessApprovalPolicyApproverDAL.insertMany(
           approverUserIds.map((userId) => ({
@@ -179,8 +228,29 @@ export const accessApprovalPolicyServiceFactory = ({
         );
       }
 
+      if (bypasserUserIds.length) {
+        await accessApprovalPolicyBypasserDAL.insertMany(
+          bypasserUserIds.map((userId) => ({
+            bypasserUserId: userId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
+      if (groupBypassers.length) {
+        await accessApprovalPolicyBypasserDAL.insertMany(
+          groupBypassers.map((groupId) => ({
+            bypasserGroupId: groupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
       return doc;
     });
+
     return { ...accessApproval, environment: env, projectId: project.id };
   };
 
@@ -211,6 +281,7 @@ export const accessApprovalPolicyServiceFactory = ({
   const updateAccessApprovalPolicy = async ({
     policyId,
     approvers,
+    bypassers,
     secretPath,
     name,
     actorId,
@@ -231,15 +302,15 @@ export const accessApprovalPolicyServiceFactory = ({
       .filter(Boolean) as string[];
 
     const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
       .filter(Boolean) as string[];
 
     const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    const currentAppovals = approvals || accessApprovalPolicy.approvals;
+    const currentApprovals = approvals || accessApprovalPolicy.approvals;
     if (
       groupApprovers?.length === 0 &&
       userApprovers &&
-      currentAppovals > userApprovers.length + userApproverNames.length
+      currentApprovals > userApprovers.length + userApproverNames.length
     ) {
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
     }
@@ -256,10 +327,79 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionApprovalActions.Edit,
-      ProjectPermissionSub.SecretApproval
-    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
+
+    let groupBypassers: string[] = [];
+    let bypasserUserIds: string[] = [];
+
+    if (bypassers && bypassers.length) {
+      groupBypassers = bypassers
+        .filter((bypasser) => bypasser.type === BypasserType.Group)
+        .map((bypasser) => bypasser.id) as string[];
+
+      groupBypassers = [...new Set(groupBypassers)];
+
+      const userBypassers = bypassers
+        .filter((bypasser) => bypasser.type === BypasserType.User)
+        .map((bypasser) => bypasser.id)
+        .filter(Boolean) as string[];
+
+      const userBypasserNames = bypassers
+        .map((bypasser) => (bypasser.type === BypasserType.User ? bypasser.username : undefined))
+        .filter(Boolean) as string[];
+
+      bypasserUserIds = userBypassers;
+      if (userBypasserNames.length) {
+        const bypasserUsers = await userDAL.find({
+          $in: {
+            username: userBypasserNames
+          }
+        });
+
+        const bypasserNamesFromDb = bypasserUsers.map((user) => user.username);
+        const invalidUsernames = userBypasserNames.filter((username) => !bypasserNamesFromDb.includes(username));
+
+        if (invalidUsernames.length) {
+          throw new BadRequestError({
+            message: `Invalid bypasser user: ${invalidUsernames.join(", ")}`
+          });
+        }
+
+        bypasserUserIds = [...new Set(bypasserUserIds.concat(bypasserUsers.map((user) => user.id)))];
+      }
+
+      // Validate user bypassers
+      if (bypasserUserIds.length > 0) {
+        const orgMemberships = await orgMembershipDAL.find({
+          $in: { userId: bypasserUserIds },
+          orgId: actorOrgId
+        });
+
+        if (orgMemberships.length !== bypasserUserIds.length) {
+          const foundUserIdsInOrg = new Set(orgMemberships.map((mem) => mem.userId));
+          const missingUserIds = bypasserUserIds.filter((id) => !foundUserIdsInOrg.has(id));
+          throw new BadRequestError({
+            message: `One or more specified bypasser users are not part of the organization or do not exist. Invalid or non-member user IDs: ${missingUserIds.join(", ")}`
+          });
+        }
+      }
+
+      // Validate group bypassers
+      if (groupBypassers.length > 0) {
+        const orgGroups = await groupDAL.find({
+          $in: { id: groupBypassers },
+          orgId: actorOrgId
+        });
+
+        if (orgGroups.length !== groupBypassers.length) {
+          const foundGroupIdsInOrg = new Set(orgGroups.map((group) => group.id));
+          const missingGroupIds = groupBypassers.filter((id) => !foundGroupIdsInOrg.has(id));
+          throw new BadRequestError({
+            message: `One or more specified bypasser groups are not part of the organization or do not exist. Invalid or non-member group IDs: ${missingGroupIds.join(", ")}`
+          });
+        }
+      }
+    }
 
     const updatedPolicy = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.updateById(
@@ -316,6 +456,28 @@ export const accessApprovalPolicyServiceFactory = ({
         );
       }
 
+      await accessApprovalPolicyBypasserDAL.delete({ policyId: doc.id }, tx);
+
+      if (bypasserUserIds.length) {
+        await accessApprovalPolicyBypasserDAL.insertMany(
+          bypasserUserIds.map((userId) => ({
+            bypasserUserId: userId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
+      if (groupBypassers.length) {
+        await accessApprovalPolicyBypasserDAL.insertMany(
+          groupBypassers.map((groupId) => ({
+            bypasserGroupId: groupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
       return doc;
     });
     return {
@@ -344,7 +506,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionApprovalActions.Delete,
+      ProjectPermissionActions.Delete,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -435,10 +597,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionApprovalActions.Read,
-      ProjectPermissionSub.SecretApproval
-    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
     return policy;
   };

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -18,11 +18,20 @@ export enum ApproverType {
   User = "user"
 }
 
+export enum BypasserType {
+  Group = "group",
+  User = "user"
+}
+
 export type TCreateAccessApprovalPolicy = {
   approvals: number;
   secretPath: string;
   environment: string;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
+  bypassers?: (
+    | { type: BypasserType.Group; id: string }
+    | { type: BypasserType.User; id?: string; username?: string }
+  )[];
   projectSlug: string;
   name: string;
   enforcementLevel: EnforcementLevel;
@@ -32,7 +41,11 @@ export type TCreateAccessApprovalPolicy = {
 export type TUpdateAccessApprovalPolicy = {
   policyId: string;
   approvals?: number;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
+  bypassers?: (
+    | { type: BypasserType.Group; id: string }
+    | { type: BypasserType.User; id?: string; username?: string }
+  )[];
   secretPath?: string;
   name?: string;
   enforcementLevel?: EnforcementLevel;

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -1,7 +1,13 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { AccessApprovalRequestsSchema, TableName, TAccessApprovalRequests, TUsers } from "@app/db/schemas";
+import {
+  AccessApprovalRequestsSchema,
+  TableName,
+  TAccessApprovalRequests,
+  TUserGroupMembership,
+  TUsers
+} from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
 
@@ -28,12 +34,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.AccessApprovalRequest}.policyId`,
           `${TableName.AccessApprovalPolicy}.id`
         )
-
         .leftJoin(
           TableName.AccessApprovalRequestReviewer,
           `${TableName.AccessApprovalRequest}.id`,
           `${TableName.AccessApprovalRequestReviewer}.requestId`
         )
+
         .leftJoin(
           TableName.AccessApprovalPolicyApprover,
           `${TableName.AccessApprovalPolicy}.id`,
@@ -46,6 +52,17 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         )
         .leftJoin(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
 
+        .leftJoin(
+          TableName.AccessApprovalPolicyBypasser,
+          `${TableName.AccessApprovalPolicy}.id`,
+          `${TableName.AccessApprovalPolicyBypasser}.policyId`
+        )
+        .leftJoin<TUserGroupMembership>(
+          db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
+          `${TableName.AccessApprovalPolicyBypasser}.bypasserGroupId`,
+          `bypasserUserGroupMembership.groupId`
+        )
+
         .join<TUsers>(
           db(TableName.Users).as("requestedByUser"),
           `${TableName.AccessApprovalRequest}.requestedByUserId`,
@@ -69,6 +86,9 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
         .select(db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"))
 
+        .select(db.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser))
+        .select(db.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"))
+
         .select(
           db.ref("projectId").withSchema(TableName.Environment),
           db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
@@ -145,7 +165,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
               }
             : null,
 
-          isApproved: !!doc.policyDeletedAt || !!doc.privilegeId
+          isApproved: !!doc.policyDeletedAt || !!doc.privilegeId || doc.status !== ApprovalStatus.PENDING
         }),
         childrenMapper: [
           {
@@ -158,6 +178,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             key: "approverGroupUserId",
             label: "approvers" as const,
             mapper: ({ approverGroupUserId }) => approverGroupUserId
+          },
+          { key: "bypasserUserId", label: "bypassers" as const, mapper: ({ bypasserUserId }) => bypasserUserId },
+          {
+            key: "bypasserGroupUserId",
+            label: "bypassers" as const,
+            mapper: ({ bypasserGroupUserId }) => bypasserGroupUserId
           }
         ]
       });
@@ -166,7 +192,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
 
       return formattedDocs.map((doc) => ({
         ...doc,
-        policy: { ...doc.policy, approvers: doc.approvers }
+        policy: { ...doc.policy, approvers: doc.approvers, bypassers: doc.bypassers }
       }));
     } catch (error) {
       throw new DatabaseError({ error, name: "FindRequestsWithPrivilege" });
@@ -193,7 +219,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.AccessApprovalPolicy}.id`,
         `${TableName.AccessApprovalPolicyApprover}.policyId`
       )
-
       .leftJoin<TUsers>(
         db(TableName.Users).as("accessApprovalPolicyApproverUser"),
         `${TableName.AccessApprovalPolicyApprover}.approverUserId`,
@@ -204,13 +229,33 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.AccessApprovalPolicyApprover}.approverGroupId`,
         `${TableName.UserGroupMembership}.groupId`
       )
-
       .leftJoin<TUsers>(
         db(TableName.Users).as("accessApprovalPolicyGroupApproverUser"),
         `${TableName.UserGroupMembership}.userId`,
         "accessApprovalPolicyGroupApproverUser.id"
       )
 
+      .leftJoin(
+        TableName.AccessApprovalPolicyBypasser,
+        `${TableName.AccessApprovalPolicy}.id`,
+        `${TableName.AccessApprovalPolicyBypasser}.policyId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("accessApprovalPolicyBypasserUser"),
+        `${TableName.AccessApprovalPolicyBypasser}.bypasserUserId`,
+        "accessApprovalPolicyBypasserUser.id"
+      )
+      .leftJoin<TUserGroupMembership>(
+        db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
+        `${TableName.AccessApprovalPolicyBypasser}.bypasserGroupId`,
+        `bypasserUserGroupMembership.groupId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("accessApprovalPolicyGroupBypasserUser"),
+        `bypasserUserGroupMembership.userId`,
+        "accessApprovalPolicyGroupBypasserUser.id"
+      )
+
       .leftJoin(
         TableName.AccessApprovalRequestReviewer,
         `${TableName.AccessApprovalRequest}.id`,
@@ -241,6 +286,18 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("firstName").withSchema("requestedByUser").as("requestedByUserFirstName"),
         tx.ref("lastName").withSchema("requestedByUser").as("requestedByUserLastName"),
 
+        // Bypassers
+        tx.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser),
+        tx.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
+        tx.ref("email").withSchema("accessApprovalPolicyBypasserUser").as("bypasserEmail"),
+        tx.ref("email").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupEmail"),
+        tx.ref("username").withSchema("accessApprovalPolicyBypasserUser").as("bypasserUsername"),
+        tx.ref("username").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupUsername"),
+        tx.ref("firstName").withSchema("accessApprovalPolicyBypasserUser").as("bypasserFirstName"),
+        tx.ref("firstName").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupFirstName"),
+        tx.ref("lastName").withSchema("accessApprovalPolicyBypasserUser").as("bypasserLastName"),
+        tx.ref("lastName").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupLastName"),
+
         tx.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer),
 
         tx.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"),
@@ -265,7 +322,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
     try {
       const sql = findQuery({ [`${TableName.AccessApprovalRequest}.id` as "id"]: id }, tx || db.replicaNode());
       const docs = await sql;
-      const formatedDoc = sqlNestRelationships({
+      const formattedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
         parentMapper: (el) => ({
@@ -335,13 +392,51 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
               lastName,
               username
             })
+          },
+          {
+            key: "bypasserUserId",
+            label: "bypassers" as const,
+            mapper: ({
+              bypasserUserId,
+              bypasserEmail: email,
+              bypasserUsername: username,
+              bypasserLastName: lastName,
+              bypasserFirstName: firstName
+            }) => ({
+              userId: bypasserUserId,
+              email,
+              firstName,
+              lastName,
+              username
+            })
+          },
+          {
+            key: "bypasserGroupUserId",
+            label: "bypassers" as const,
+            mapper: ({
+              userId,
+              bypasserGroupEmail: email,
+              bypasserGroupUsername: username,
+              bypasserGroupLastName: lastName,
+              bypasserFirstName: firstName
+            }) => ({
+              userId,
+              email,
+              firstName,
+              lastName,
+              username
+            })
           }
         ]
       });
-      if (!formatedDoc?.[0]) return;
+      if (!formattedDoc?.[0]) return;
       return {
-        ...formatedDoc[0],
-        policy: { ...formatedDoc[0].policy, approvers: formatedDoc[0].approvers }
+        ...formattedDoc[0],
+        policy: {
+          ...formattedDoc[0].policy,
+          approvers: formattedDoc[0].approvers,
+          bypassers: formattedDoc[0].bypassers
+        }
       };
     } catch (error) {
       throw new DatabaseError({ error, name: "FindByIdAccessApprovalRequest" });
@@ -392,14 +487,20 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         ]
       });
 
-      // an approval is pending if there is no reviewer rejections and no privilege ID is set
+      // an approval is pending if there is no reviewer rejections, no privilege ID is set and the status is pending
       const pendingApprovals = formattedRequests.filter(
-        (req) => !req.privilegeId && !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
+        (req) =>
+          !req.privilegeId &&
+          !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED) &&
+          req.status === ApprovalStatus.PENDING
       );
 
-      // an approval is finalized if there are any rejections or a privilege ID is set
+      // an approval is finalized if there are any rejections, a privilege ID is set or the number of approvals is equal to the number of approvals required
       const finalizedApprovals = formattedRequests.filter(
-        (req) => req.privilegeId || req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
+        (req) =>
+          req.privilegeId ||
+          req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED) ||
+          req.status !== ApprovalStatus.PENDING
       );
 
       return { pendingCount: pendingApprovals.length, finalizedCount: finalizedApprovals.length };

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -23,7 +23,6 @@ import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-poli
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
 import { TAccessApprovalRequestDALFactory } from "./access-approval-request-dal";
@@ -57,7 +56,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
     | "findOne"
     | "getCount"
   >;
-  accessApprovalPolicyDAL: Pick<TAccessApprovalPolicyDALFactory, "findOne" | "find">;
+  accessApprovalPolicyDAL: Pick<TAccessApprovalPolicyDALFactory, "findOne" | "find" | "findLastValidPolicy">;
   accessApprovalRequestReviewerDAL: Pick<
     TAccessApprovalRequestReviewerDALFactory,
     "create" | "find" | "findOne" | "transaction"
@@ -132,7 +131,7 @@ export const accessApprovalRequestServiceFactory = ({
 
     if (!environment) throw new NotFoundError({ message: `Environment with slug '${envSlug}' not found` });
 
-    const policy = await accessApprovalPolicyDAL.findOne({
+    const policy = await accessApprovalPolicyDAL.findLastValidPolicy({
       envId: environment.id,
       secretPath
     });
@@ -204,7 +203,7 @@ export const accessApprovalRequestServiceFactory = ({
 
           const isRejected = reviewers.some((reviewer) => reviewer.status === ApprovalStatus.REJECTED);
 
-          if (!isRejected) {
+          if (!isRejected && duplicateRequest.status === ApprovalStatus.PENDING) {
             throw new BadRequestError({ message: "You already have a pending access request with the same criteria" });
           }
         }
@@ -340,7 +339,7 @@ export const accessApprovalRequestServiceFactory = ({
       });
     }
 
-    const { membership, hasRole, permission } = await permissionService.getProjectPermission({
+    const { membership, hasRole } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: accessApprovalRequest.projectId,
@@ -355,13 +354,13 @@ export const accessApprovalRequestServiceFactory = ({
 
     const isSelfApproval = actorId === accessApprovalRequest.requestedByUserId;
     const isSoftEnforcement = policy.enforcementLevel === EnforcementLevel.Soft;
-    const canBypassApproval = permission.can(
-      ProjectPermissionApprovalActions.AllowAccessBypass,
-      ProjectPermissionSub.SecretApproval
-    );
-    const cannotBypassUnderSoftEnforcement = !(isSoftEnforcement && canBypassApproval);
+    const canBypass = !policy.bypassers.length || policy.bypassers.some((bypasser) => bypasser.userId === actorId);
+    const cannotBypassUnderSoftEnforcement = !(isSoftEnforcement && canBypass);
 
-    if (!policy.allowedSelfApprovals && isSelfApproval && cannotBypassUnderSoftEnforcement) {
+    const isApprover = policy.approvers.find((approver) => approver.userId === actorId);
+
+    // If user is (not an approver OR cant self approve) AND can't bypass policy
+    if ((!isApprover || (!policy.allowedSelfApprovals && isSelfApproval)) && cannotBypassUnderSoftEnforcement) {
       throw new BadRequestError({
         message: "Failed to review access approval request. Users are not authorized to review their own request."
       });
@@ -370,7 +369,7 @@ export const accessApprovalRequestServiceFactory = ({
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
       accessApprovalRequest.requestedByUserId !== actorId && // The request wasn't made by the current user
-      !policy.approvers.find((approver) => approver.userId === actorId) // The request isn't performed by an assigned approver
+      !isApprover // The request isn't performed by an assigned approver
     ) {
       throw new ForbiddenRequestError({ message: "You are not authorized to approve this request" });
     }
@@ -478,7 +477,11 @@ export const accessApprovalRequestServiceFactory = ({
             );
             privilegeIdToSet = privilege.id;
           }
-          await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { privilegeId: privilegeIdToSet }, tx);
+          await accessApprovalRequestDAL.updateById(
+            accessApprovalRequest.id,
+            { privilegeId: privilegeIdToSet, status: ApprovalStatus.APPROVED },
+            tx
+          );
         }
       }
 

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -21,7 +21,7 @@ import { AppConnection } from "@app/services/app-connection/app-connection-enums
 import { TCreateAppConnectionDTO, TUpdateAppConnectionDTO } from "@app/services/app-connection/app-connection-types";
 import { ActorType } from "@app/services/auth/auth-type";
 import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
-import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
+import { CaStatus } from "@app/services/certificate-authority/certificate-authority-enums";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
@@ -232,6 +232,7 @@ export enum EventType {
   REMOVE_HOST_FROM_SSH_HOST_GROUP = "remove-host-from-ssh-host-group",
   CREATE_CA = "create-certificate-authority",
   GET_CA = "get-certificate-authority",
+  GET_CAS = "get-certificate-authorities",
   UPDATE_CA = "update-certificate-authority",
   DELETE_CA = "delete-certificate-authority",
   RENEW_CA = "renew-certificate-authority",
@@ -242,6 +243,7 @@ export enum EventType {
   IMPORT_CA_CERT = "import-certificate-authority-cert",
   GET_CA_CRLS = "get-certificate-authority-crls",
   ISSUE_CERT = "issue-cert",
+  IMPORT_CERT = "import-cert",
   SIGN_CERT = "sign-cert",
   GET_CA_CERTIFICATE_TEMPLATES = "get-ca-certificate-templates",
   GET_CERT = "get-cert",
@@ -267,7 +269,9 @@ export enum EventType {
   GET_PKI_SUBSCRIBER = "get-pki-subscriber",
   ISSUE_PKI_SUBSCRIBER_CERT = "issue-pki-subscriber-cert",
   SIGN_PKI_SUBSCRIBER_CERT = "sign-pki-subscriber-cert",
+  AUTOMATED_RENEW_SUBSCRIBER_CERT = "automated-renew-subscriber-cert",
   LIST_PKI_SUBSCRIBER_CERTS = "list-pki-subscriber-certs",
+  GET_SUBSCRIBER_ACTIVE_CERT_BUNDLE = "get-subscriber-active-cert-bundle",
   CREATE_KMS = "create-kms",
   UPDATE_KMS = "update-kms",
   DELETE_KMS = "delete-kms",
@@ -1778,7 +1782,8 @@ interface CreateCa {
   type: EventType.CREATE_CA;
   metadata: {
     caId: string;
-    dn: string;
+    name: string;
+    dn?: string;
   };
 }
 
@@ -1786,7 +1791,15 @@ interface GetCa {
   type: EventType.GET_CA;
   metadata: {
     caId: string;
-    dn: string;
+    name: string;
+    dn?: string;
+  };
+}
+
+interface GetCAs {
+  type: EventType.GET_CAS;
+  metadata: {
+    caIds: string[];
   };
 }
 
@@ -1794,7 +1807,8 @@ interface UpdateCa {
   type: EventType.UPDATE_CA;
   metadata: {
     caId: string;
-    dn: string;
+    name: string;
+    dn?: string;
     status: CaStatus;
   };
 }
@@ -1803,7 +1817,8 @@ interface DeleteCa {
   type: EventType.DELETE_CA;
   metadata: {
     caId: string;
-    dn: string;
+    name: string;
+    dn?: string;
   };
 }
 
@@ -1873,6 +1888,15 @@ interface IssueCert {
   };
 }
 
+interface ImportCert {
+  type: EventType.IMPORT_CERT;
+  metadata: {
+    certId: string;
+    cn: string;
+    serialNumber: string;
+  };
+}
+
 interface SignCert {
   type: EventType.SIGN_CERT;
   metadata: {
@@ -2040,7 +2064,7 @@ interface CreatePkiSubscriber {
     caId?: string;
     name: string;
     commonName: string;
-    ttl: string;
+    ttl?: string;
     subjectAlternativeNames: string[];
     keyUsages: CertKeyUsage[];
     extendedKeyUsages: CertExtendedKeyUsage[];
@@ -2082,7 +2106,15 @@ interface IssuePkiSubscriberCert {
   metadata: {
     subscriberId: string;
     name: string;
-    serialNumber: string;
+    serialNumber?: string;
+  };
+}
+
+interface AutomatedRenewPkiSubscriberCert {
+  type: EventType.AUTOMATED_RENEW_SUBSCRIBER_CERT;
+  metadata: {
+    subscriberId: string;
+    name: string;
   };
 }
 
@@ -2104,6 +2136,16 @@ interface ListPkiSubscriberCerts {
   };
 }
 
+interface GetSubscriberActiveCertBundle {
+  type: EventType.GET_SUBSCRIBER_ACTIVE_CERT_BUNDLE;
+  metadata: {
+    subscriberId: string;
+    name: string;
+    certId: string;
+    serialNumber: string;
+  };
+}
+
 interface CreateKmsEvent {
   type: EventType.CREATE_KMS;
   metadata: {
@@ -3088,6 +3130,7 @@ export type Event =
   | IssueSshHostHostCert
   | CreateCa
   | GetCa
+  | GetCAs
   | UpdateCa
   | DeleteCa
   | RenewCa
@@ -3098,6 +3141,7 @@ export type Event =
   | ImportCaCert
   | GetCaCrls
   | IssueCert
+  | ImportCert
   | SignCert
   | GetCaCertificateTemplates
   | GetCert
@@ -3123,7 +3167,9 @@ export type Event =
   | GetPkiSubscriber
   | IssuePkiSubscriberCert
   | SignPkiSubscriberCert
+  | AutomatedRenewPkiSubscriberCert
   | ListPkiSubscriberCerts
+  | GetSubscriberActiveCertBundle
   | CreateKmsEvent
   | UpdateKmsEvent
   | DeleteKmsEvent

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -7,6 +7,7 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { NotFoundError } from "@app/lib/errors";
 import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
+import { expandInternalCa } from "@app/services/certificate-authority/certificate-authority-fns";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { getProjectKmsCertificateKeyId } from "@app/services/project/project-fns";
@@ -14,7 +15,7 @@ import { getProjectKmsCertificateKeyId } from "@app/services/project/project-fns
 import { TGetCaCrlsDTO, TGetCrlById } from "./certificate-authority-crl-types";
 
 type TCertificateAuthorityCrlServiceFactoryDep = {
-  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
+  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findByIdWithAssociatedCa">;
   certificateAuthorityCrlDAL: Pick<TCertificateAuthorityCrlDALFactory, "find" | "findById">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
   kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
@@ -37,7 +38,8 @@ export const certificateAuthorityCrlServiceFactory = ({
     const caCrl = await certificateAuthorityCrlDAL.findById(crlId);
     if (!caCrl) throw new NotFoundError({ message: `CRL with ID '${crlId}' not found` });
 
-    const ca = await certificateAuthorityDAL.findById(caCrl.caId);
+    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(caCrl.caId);
+    if (!ca?.internalCa?.id) throw new NotFoundError({ message: `Internal CA with ID '${caCrl.caId}' not found` });
 
     const keyId = await getProjectKmsCertificateKeyId({
       projectId: ca.projectId,
@@ -54,7 +56,7 @@ export const certificateAuthorityCrlServiceFactory = ({
     const crl = new x509.X509Crl(decryptedCrl);
 
     return {
-      ca,
+      ca: expandInternalCa(ca),
       caCrl,
       crl: crl.rawData
     };
@@ -64,8 +66,8 @@ export const certificateAuthorityCrlServiceFactory = ({
    * Returns a list of CRL ids for CA with id [caId]
    */
   const getCaCrls = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCrlsDTO) => {
-    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
+    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(caId);
+    if (!ca?.internalCa?.id) throw new NotFoundError({ message: `Internal CA with ID '${caId}' not found` });
 
     const { permission } = await permissionService.getProjectPermission({
       actor,
@@ -108,7 +110,7 @@ export const certificateAuthorityCrlServiceFactory = ({
     );
 
     return {
-      ca,
+      ca: expandInternalCa(ca),
       crls: decryptedCrls
     };
   };

backend/src/ee/services/certificate-est/certificate-est-service.ts

@@ -6,7 +6,7 @@ import { isCertChainValid } from "@app/services/certificate/certificate-fns";
 import { TCertificateAuthorityCertDALFactory } from "@app/services/certificate-authority/certificate-authority-cert-dal";
 import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
 import { getCaCertChain, getCaCertChains } from "@app/services/certificate-authority/certificate-authority-fns";
-import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
+import { TInternalCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-service";
 import { TCertificateTemplateDALFactory } from "@app/services/certificate-template/certificate-template-dal";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -16,10 +16,10 @@ import { TLicenseServiceFactory } from "../license/license-service";
 import { convertRawCertsToPkcs7 } from "./certificate-est-fns";
 
 type TCertificateEstServiceFactoryDep = {
-  certificateAuthorityService: Pick<TCertificateAuthorityServiceFactory, "signCertFromCa">;
+  internalCertificateAuthorityService: Pick<TInternalCertificateAuthorityServiceFactory, "signCertFromCa">;
   certificateTemplateService: Pick<TCertificateTemplateServiceFactory, "getEstConfiguration">;
   certificateTemplateDAL: Pick<TCertificateTemplateDALFactory, "findById">;
-  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
+  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById" | "findByIdWithAssociatedCa">;
   certificateAuthorityCertDAL: Pick<TCertificateAuthorityCertDALFactory, "find" | "findById">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
   kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
@@ -29,7 +29,7 @@ type TCertificateEstServiceFactoryDep = {
 export type TCertificateEstServiceFactory = ReturnType<typeof certificateEstServiceFactory>;
 
 export const certificateEstServiceFactory = ({
-  certificateAuthorityService,
+  internalCertificateAuthorityService,
   certificateTemplateService,
   certificateTemplateDAL,
   certificateAuthorityCertDAL,
@@ -127,7 +127,7 @@ export const certificateEstServiceFactory = ({
       });
     }
 
-    const { certificate } = await certificateAuthorityService.signCertFromCa({
+    const { certificate } = await internalCertificateAuthorityService.signCertFromCa({
       isInternal: true,
       certificateTemplateId,
       csr
@@ -188,7 +188,7 @@ export const certificateEstServiceFactory = ({
       }
     }
 
-    const { certificate } = await certificateAuthorityService.signCertFromCa({
+    const { certificate } = await internalCertificateAuthorityService.signCertFromCa({
       isInternal: true,
       certificateTemplateId,
       csr
@@ -227,15 +227,15 @@ export const certificateEstServiceFactory = ({
       });
     }
 
-    const ca = await certificateAuthorityDAL.findById(certTemplate.caId);
-    if (!ca) {
+    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(certTemplate.caId);
+    if (!ca?.internalCa?.id) {
       throw new NotFoundError({
-        message: `Certificate Authority with ID '${certTemplate.caId}' not found`
+        message: `Internal Certificate Authority with ID '${certTemplate.caId}' not found`
       });
     }
 
     const { caCert, caCertChain } = await getCaCertChain({
-      caCertId: ca.activeCaCertId as string,
+      caCertId: ca.internalCa.activeCaCertId as string,
       certificateAuthorityDAL,
       certificateAuthorityCertDAL,
       projectDAL,

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -6,6 +6,7 @@ import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
+import { KubernetesProvider } from "./kubernetes";
 import { LdapProvider } from "./ldap";
 import { DynamicSecretProviders, TDynamicProviderFns } from "./models";
 import { MongoAtlasProvider } from "./mongo-atlas";
@@ -38,5 +39,6 @@ export const buildDynamicSecretProviders = ({
   [DynamicSecretProviders.SapHana]: SapHanaProvider(),
   [DynamicSecretProviders.Snowflake]: SnowflakeProvider(),
   [DynamicSecretProviders.Totp]: TotpProvider(),
-  [DynamicSecretProviders.SapAse]: SapAseProvider()
+  [DynamicSecretProviders.SapAse]: SapAseProvider(),
+  [DynamicSecretProviders.Kubernetes]: KubernetesProvider({ gatewayService })
 });

backend/src/ee/services/dynamic-secret/providers/kubernetes.ts

@@ -0,0 +1,199 @@
+import axios from "axios";
+import https from "https";
+
+import { InternalServerError } from "@app/lib/errors";
+import { withGatewayProxy } from "@app/lib/gateway";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { TKubernetesTokenRequest } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-types";
+
+import { TGatewayServiceFactory } from "../../gateway/gateway-service";
+import { DynamicSecretKubernetesSchema, TDynamicProviderFns } from "./models";
+
+const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
+
+type TKubernetesProviderDTO = {
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
+};
+
+export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretKubernetesSchema.parseAsync(inputs);
+    if (!providerInputs.gatewayId) {
+      await blockLocalAndPrivateIpAddresses(providerInputs.url);
+    }
+
+    return providerInputs;
+  };
+
+  const $gatewayProxyWrapper = async <T>(
+    inputs: {
+      gatewayId: string;
+      targetHost: string;
+      targetPort: number;
+    },
+    gatewayCallback: (host: string, port: number) => Promise<T>
+  ): Promise<T> => {
+    const relayDetails = await gatewayService.fnGetGatewayClientTlsByGatewayId(inputs.gatewayId);
+    const [relayHost, relayPort] = relayDetails.relayAddress.split(":");
+
+    const callbackResult = await withGatewayProxy(
+      async (port) => {
+        // Needs to be https protocol or the kubernetes API server will fail with "Client sent an HTTP request to an HTTPS server"
+        const res = await gatewayCallback("https://localhost", port);
+        return res;
+      },
+      {
+        targetHost: inputs.targetHost,
+        targetPort: inputs.targetPort,
+        relayHost,
+        relayPort: Number(relayPort),
+        identityId: relayDetails.identityId,
+        orgId: relayDetails.orgId,
+        tlsOptions: {
+          ca: relayDetails.certChain,
+          cert: relayDetails.certificate,
+          key: relayDetails.privateKey.toString()
+        }
+      }
+    );
+
+    return callbackResult;
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const serviceAccountGetCallback = async (host: string, port: number) => {
+      const baseUrl = port ? `${host}:${port}` : host;
+
+      await axios.get(
+        `${baseUrl}/api/v1/namespaces/${providerInputs.namespace}/serviceaccounts/${providerInputs.serviceAccountName}`,
+        {
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${providerInputs.clusterToken}`
+          },
+          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+          timeout: EXTERNAL_REQUEST_TIMEOUT,
+          httpsAgent: new https.Agent({
+            ca: providerInputs.ca,
+            rejectUnauthorized: providerInputs.sslEnabled
+          })
+        }
+      );
+    };
+
+    const url = new URL(providerInputs.url);
+    const k8sPort = url.port ? Number(url.port) : 443;
+
+    try {
+      if (providerInputs.gatewayId) {
+        const k8sHost = url.hostname;
+
+        await $gatewayProxyWrapper(
+          {
+            gatewayId: providerInputs.gatewayId,
+            targetHost: k8sHost,
+            targetPort: k8sPort
+          },
+          serviceAccountGetCallback
+        );
+      } else {
+        const k8sHost = `${url.protocol}//${url.hostname}`;
+        await serviceAccountGetCallback(k8sHost, k8sPort);
+      }
+
+      return true;
+    } catch (error) {
+      let errorMessage = error instanceof Error ? error.message : "Unknown error";
+      if (axios.isAxiosError(error) && (error.response?.data as { message: string })?.message) {
+        errorMessage = (error.response?.data as { message: string }).message;
+      }
+
+      throw new InternalServerError({
+        message: `Failed to validate connection: ${errorMessage}`
+      });
+    }
+  };
+
+  const create = async (inputs: unknown, expireAt: number) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const tokenRequestCallback = async (host: string, port: number) => {
+      const baseUrl = port ? `${host}:${port}` : host;
+
+      const res = await axios.post<TKubernetesTokenRequest>(
+        `${baseUrl}/api/v1/namespaces/${providerInputs.namespace}/serviceaccounts/${providerInputs.serviceAccountName}/token`,
+        {
+          spec: {
+            expirationSeconds: Math.floor((expireAt - Date.now()) / 1000),
+            ...(providerInputs.audiences?.length ? { audiences: providerInputs.audiences } : {})
+          }
+        },
+        {
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${providerInputs.clusterToken}`
+          },
+          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+          timeout: EXTERNAL_REQUEST_TIMEOUT,
+          httpsAgent: new https.Agent({
+            ca: providerInputs.ca,
+            rejectUnauthorized: providerInputs.sslEnabled
+          })
+        }
+      );
+
+      return res.data;
+    };
+
+    const url = new URL(providerInputs.url);
+    const k8sHost = `${url.protocol}//${url.hostname}`;
+    const k8sGatewayHost = url.hostname;
+    const k8sPort = url.port ? Number(url.port) : 443;
+
+    try {
+      const tokenData = providerInputs.gatewayId
+        ? await $gatewayProxyWrapper(
+            {
+              gatewayId: providerInputs.gatewayId,
+              targetHost: k8sGatewayHost,
+              targetPort: k8sPort
+            },
+            tokenRequestCallback
+          )
+        : await tokenRequestCallback(k8sHost, k8sPort);
+
+      return {
+        entityId: providerInputs.serviceAccountName,
+        data: { TOKEN: tokenData.status.token }
+      };
+    } catch (error) {
+      let errorMessage = error instanceof Error ? error.message : "Unknown error";
+      if (axios.isAxiosError(error) && (error.response?.data as { message: string })?.message) {
+        errorMessage = (error.response?.data as { message: string }).message;
+      }
+
+      throw new InternalServerError({
+        message: `Failed to create dynamic secret: ${errorMessage}`
+      });
+    }
+  };
+
+  const revoke = async (_inputs: unknown, entityId: string) => {
+    return { entityId };
+  };
+
+  const renew = async (_inputs: unknown, entityId: string) => {
+    // No renewal necessary
+    return { entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -29,6 +29,10 @@ export enum LdapCredentialType {
   Static = "static"
 }
 
+export enum KubernetesCredentialType {
+  Static = "static"
+}
+
 export enum TotpConfigType {
   URL = "url",
   MANUAL = "manual"
@@ -277,6 +281,18 @@ export const LdapSchema = z.union([
   })
 ]);
 
+export const DynamicSecretKubernetesSchema = z.object({
+  url: z.string().url().trim().min(1),
+  gatewayId: z.string().nullable().optional(),
+  sslEnabled: z.boolean().default(true),
+  clusterToken: z.string().trim().min(1),
+  ca: z.string().optional(),
+  serviceAccountName: z.string().trim().min(1),
+  credentialType: z.literal(KubernetesCredentialType.Static),
+  namespace: z.string().trim().min(1),
+  audiences: z.array(z.string().trim().min(1))
+});
+
 export const DynamicSecretTotpSchema = z.discriminatedUnion("configType", [
   z.object({
     configType: z.literal(TotpConfigType.URL),
@@ -320,7 +336,8 @@ export enum DynamicSecretProviders {
   SapHana = "sap-hana",
   Snowflake = "snowflake",
   Totp = "totp",
-  SapAse = "sap-ase"
+  SapAse = "sap-ase",
+  Kubernetes = "kubernetes"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -338,7 +355,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Ldap), inputs: LdapSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Snowflake), inputs: DynamicSecretSnowflakeSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Totp), inputs: DynamicSecretTotpSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Totp), inputs: DynamicSecretTotpSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Kubernetes), inputs: DynamicSecretKubernetesSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/license/license-fns.ts

@@ -60,12 +60,19 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   enterpriseAppConnections: false
 });
 
-export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {
+export const setupLicenseRequestWithStore = (
+  baseURL: string,
+  refreshUrl: string,
+  licenseKey: string,
+  region?: string
+) => {
   let token: string;
   const licenseReq = axios.create({
     baseURL,
-    timeout: 35 * 1000
-    // signal: AbortSignal.timeout(60 * 1000)
+    timeout: 35 * 1000,
+    headers: {
+      "x-region": region
+    }
   });
 
   const refreshLicense = async () => {

backend/src/ee/services/license/license-service.ts

@@ -17,7 +17,7 @@ import { TIdentityOrgDALFactory } from "@app/services/identity/identity-org-dal"
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
-import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { OrgPermissionBillingActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { BillingPlanRows, BillingPlanTableHead } from "./licence-enums";
 import { TLicenseDALFactory } from "./license-dal";
@@ -77,13 +77,15 @@ export const licenseServiceFactory = ({
   const licenseServerCloudApi = setupLicenseRequestWithStore(
     appCfg.LICENSE_SERVER_URL || "",
     LICENSE_SERVER_CLOUD_LOGIN,
-    appCfg.LICENSE_SERVER_KEY || ""
+    appCfg.LICENSE_SERVER_KEY || "",
+    appCfg.INTERNAL_REGION
   );
 
   const licenseServerOnPremApi = setupLicenseRequestWithStore(
     appCfg.LICENSE_SERVER_URL || "",
     LICENSE_SERVER_ON_PREM_LOGIN,
-    appCfg.LICENSE_KEY || ""
+    appCfg.LICENSE_KEY || "",
+    appCfg.INTERNAL_REGION
   );
 
   const syncLicenseKeyOnPremFeatures = async (shouldThrow: boolean = false) => {
@@ -286,7 +288,7 @@ export const licenseServiceFactory = ({
     billingCycle
   }: TOrgPlansTableDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
     const { data } = await licenseServerCloudApi.request.get(
       `/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
     );
@@ -308,8 +310,10 @@ export const licenseServiceFactory = ({
     success_url
   }: TStartOrgTrialDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionBillingActions.ManageBilling,
+      OrgPermissionSubjects.Billing
+    );
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -336,8 +340,10 @@ export const licenseServiceFactory = ({
     actorOrgId
   }: TCreateOrgPortalSession) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionBillingActions.ManageBilling,
+      OrgPermissionSubjects.Billing
+    );
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -383,7 +389,7 @@ export const licenseServiceFactory = ({
 
   const getOrgBillingInfo = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -411,7 +417,7 @@ export const licenseServiceFactory = ({
   // returns org current plan feature table
   const getOrgPlanTable = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -482,7 +488,7 @@ export const licenseServiceFactory = ({
 
   const getOrgBillingDetails = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -507,7 +513,10 @@ export const licenseServiceFactory = ({
     email
   }: TUpdateOrgBillingDetailsDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionBillingActions.ManageBilling,
+      OrgPermissionSubjects.Billing
+    );
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -527,7 +536,7 @@ export const licenseServiceFactory = ({
 
   const getOrgPmtMethods = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgPmtMethodsDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -554,7 +563,10 @@ export const licenseServiceFactory = ({
     cancel_url
   }: TAddOrgPmtMethodDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionBillingActions.ManageBilling,
+      OrgPermissionSubjects.Billing
+    );
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -583,7 +595,10 @@ export const licenseServiceFactory = ({
     pmtMethodId
   }: TDelOrgPmtMethodDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionBillingActions.ManageBilling,
+      OrgPermissionSubjects.Billing
+    );
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -600,7 +615,7 @@ export const licenseServiceFactory = ({
 
   const getOrgTaxIds = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgTaxIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -618,7 +633,10 @@ export const licenseServiceFactory = ({
 
   const addOrgTaxId = async ({ actorId, actor, actorAuthMethod, actorOrgId, orgId, type, value }: TAddOrgTaxIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionBillingActions.ManageBilling,
+      OrgPermissionSubjects.Billing
+    );
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -639,7 +657,10 @@ export const licenseServiceFactory = ({
 
   const delOrgTaxId = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId, taxId }: TDelOrgTaxIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionBillingActions.ManageBilling,
+      OrgPermissionSubjects.Billing
+    );
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -656,7 +677,7 @@ export const licenseServiceFactory = ({
 
   const getOrgTaxInvoices = async ({ actorId, actor, actorOrgId, actorAuthMethod, orgId }: TOrgInvoiceDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -673,7 +694,7 @@ export const licenseServiceFactory = ({
 
   const getOrgLicenses = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgLicensesDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {

backend/src/ee/services/permission/default-roles.ts

@@ -2,7 +2,6 @@ import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability"
 
 import {
   ProjectPermissionActions,
-  ProjectPermissionApprovalActions,
   ProjectPermissionCertificateActions,
   ProjectPermissionCmekActions,
   ProjectPermissionDynamicSecretActions,
@@ -11,6 +10,7 @@ import {
   ProjectPermissionKmipActions,
   ProjectPermissionMemberActions,
   ProjectPermissionPkiSubscriberActions,
+  ProjectPermissionPkiTemplateActions,
   ProjectPermissionSecretActions,
   ProjectPermissionSecretRotationActions,
   ProjectPermissionSecretSyncActions,
@@ -36,7 +36,6 @@ const buildAdminPermissionRules = () => {
     ProjectPermissionSub.AuditLogs,
     ProjectPermissionSub.IpAllowList,
     ProjectPermissionSub.CertificateAuthorities,
-    ProjectPermissionSub.CertificateTemplates,
     ProjectPermissionSub.PkiAlerts,
     ProjectPermissionSub.PkiCollections,
     ProjectPermissionSub.SshCertificateAuthorities,
@@ -57,12 +56,22 @@ const buildAdminPermissionRules = () => {
 
   can(
     [
-      ProjectPermissionApprovalActions.Read,
-      ProjectPermissionApprovalActions.Edit,
-      ProjectPermissionApprovalActions.Create,
-      ProjectPermissionApprovalActions.Delete,
-      ProjectPermissionApprovalActions.AllowChangeBypass,
-      ProjectPermissionApprovalActions.AllowAccessBypass
+      ProjectPermissionPkiTemplateActions.Read,
+      ProjectPermissionPkiTemplateActions.Edit,
+      ProjectPermissionPkiTemplateActions.Create,
+      ProjectPermissionPkiTemplateActions.Delete,
+      ProjectPermissionPkiTemplateActions.IssueCert,
+      ProjectPermissionPkiTemplateActions.ListCerts
+    ],
+    ProjectPermissionSub.CertificateTemplates
+  );
+
+  can(
+    [
+      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
     ],
     ProjectPermissionSub.SecretApproval
   );
@@ -255,7 +264,7 @@ const buildMemberPermissionRules = () => {
     ProjectPermissionSub.SecretImports
   );
 
-  can([ProjectPermissionApprovalActions.Read], ProjectPermissionSub.SecretApproval);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretApproval);
   can([ProjectPermissionSecretRotationActions.Read], ProjectPermissionSub.SecretRotation);
 
   can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
@@ -351,7 +360,7 @@ const buildMemberPermissionRules = () => {
     ProjectPermissionSub.Certificates
   );
 
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateTemplates);
+  can([ProjectPermissionPkiTemplateActions.Read], ProjectPermissionSub.CertificateTemplates);
 
   can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiAlerts);
   can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiCollections);
@@ -403,7 +412,7 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
   can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);
-  can(ProjectPermissionApprovalActions.Read, ProjectPermissionSub.SecretApproval);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
   can(ProjectPermissionSecretRotationActions.Read, ProjectPermissionSub.SecretRotation);
   can(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
@@ -420,6 +429,7 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
   can(ProjectPermissionCertificateActions.Read, ProjectPermissionSub.Certificates);
+  can(ProjectPermissionPkiTemplateActions.Read, ProjectPermissionSub.CertificateTemplates);
   can(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);

backend/src/ee/services/permission/org-permission.ts

@@ -67,6 +67,11 @@ export enum OrgPermissionGroupActions {
   RemoveMembers = "remove-members"
 }
 
+export enum OrgPermissionBillingActions {
+  Read = "read",
+  ManageBilling = "manage-billing"
+}
+
 export enum OrgPermissionSubjects {
   Workspace = "workspace",
   Role = "role",
@@ -107,7 +112,7 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.Ldap]
   | [OrgPermissionGroupActions, OrgPermissionSubjects.Groups]
   | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
-  | [OrgPermissionActions, OrgPermissionSubjects.Billing]
+  | [OrgPermissionBillingActions, OrgPermissionSubjects.Billing]
   | [OrgPermissionIdentityActions, OrgPermissionSubjects.Identity]
   | [OrgPermissionActions, OrgPermissionSubjects.Kms]
   | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
@@ -298,10 +303,8 @@ const buildAdminPermission = () => {
   can(OrgPermissionGroupActions.AddMembers, OrgPermissionSubjects.Groups);
   can(OrgPermissionGroupActions.RemoveMembers, OrgPermissionSubjects.Groups);
 
-  can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
-  can(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
-  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
-  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Billing);
+  can(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+  can(OrgPermissionBillingActions.ManageBilling, OrgPermissionSubjects.Billing);
 
   can(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
   can(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
@@ -362,7 +365,7 @@ const buildMemberPermission = () => {
   can(OrgPermissionGroupActions.Read, OrgPermissionSubjects.Groups);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Role);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Settings);
-  can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+  can(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.IncidentAccount);
 
   can(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);

backend/src/ee/services/permission/project-permission.ts

@@ -34,15 +34,6 @@ export enum ProjectPermissionSecretActions {
   Delete = "delete"
 }
 
-export enum ProjectPermissionApprovalActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  AllowChangeBypass = "allow-change-bypass",
-  AllowAccessBypass = "allow-access-bypass"
-}
-
 export enum ProjectPermissionCmekActions {
   Read = "read",
   Create = "create",
@@ -96,6 +87,15 @@ export enum ProjectPermissionSshHostActions {
   IssueHostCert = "issue-host-cert"
 }
 
+export enum ProjectPermissionPkiTemplateActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  IssueCert = "issue-cert",
+  ListCerts = "list-certs"
+}
+
 export enum ProjectPermissionPkiSubscriberActions {
   Read = "read",
   Create = "create",
@@ -209,6 +209,11 @@ export type SshHostSubjectFields = {
   hostname: string;
 };
 
+export type PkiTemplateSubjectFields = {
+  name: string;
+  // (dangtony98): consider adding [commonName] as a subject field in the future
+};
+
 export type PkiSubscriberSubjectFields = {
   name: string;
   // (dangtony98): consider adding [commonName] as a subject field in the future
@@ -251,7 +256,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.IpAllowList]
   | [ProjectPermissionActions, ProjectPermissionSub.Settings]
   | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
-  | [ProjectPermissionApprovalActions, ProjectPermissionSub.SecretApproval]
+  | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
   | [
       ProjectPermissionSecretRotationActions,
       (
@@ -265,7 +270,13 @@ export type ProjectPermissionSet =
     ]
   | [ProjectPermissionActions, ProjectPermissionSub.CertificateAuthorities]
   | [ProjectPermissionCertificateActions, ProjectPermissionSub.Certificates]
-  | [ProjectPermissionActions, ProjectPermissionSub.CertificateTemplates]
+  | [
+      ProjectPermissionPkiTemplateActions,
+      (
+        | ProjectPermissionSub.CertificateTemplates
+        | (ForcedSubject<ProjectPermissionSub.CertificateTemplates> & PkiTemplateSubjectFields)
+      )
+    ]
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateAuthorities]
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificates]
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateTemplates]
@@ -445,10 +456,25 @@ const PkiSubscriberConditionSchema = z
   })
   .partial();
 
+const PkiTemplateConditionSchema = z
+  .object({
+    name: z.union([
+      z.string(),
+      z
+        .object({
+          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
+          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB],
+          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
+        })
+        .partial()
+    ])
+  })
+  .partial();
+
 const GeneralPermissionSchema = [
   z.object({
     subject: z.literal(ProjectPermissionSub.SecretApproval).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionApprovalActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
       "Describe what action an entity can take."
     )
   }),
@@ -536,12 +562,6 @@ const GeneralPermissionSchema = [
       "Describe what action an entity can take."
     )
   }),
-  z.object({
-    subject: z.literal(ProjectPermissionSub.CertificateTemplates).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-      "Describe what action an entity can take."
-    )
-  }),
   z.object({
     subject: z
       .literal(ProjectPermissionSub.SshCertificateAuthorities)
@@ -719,6 +739,16 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
       "When specified, only matching conditions will be allowed to access given resource."
     ).optional()
   }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.CertificateTemplates).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionPkiTemplateActions).describe(
+      "Describe what action an entity can take."
+    ),
+    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
+    conditions: PkiTemplateConditionSchema.describe(
+      "When specified, only matching conditions will be allowed to access given resource."
+    ).optional()
+  }),
   z.object({
     subject: z.literal(ProjectPermissionSub.SecretRotation).describe("The entity this permission pertains to."),
     inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
@@ -729,6 +759,7 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
       "When specified, only matching conditions will be allowed to access given resource."
     ).optional()
   }),
+
   ...GeneralPermissionSchema
 ]);
 

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -9,6 +9,7 @@ import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/per
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 
+import { TAccessApprovalRequestDALFactory } from "../access-approval-request/access-approval-request-dal";
 import { constructPermissionErrorMessage, validatePrivilegeChangeOperation } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import {
@@ -16,6 +17,7 @@ import {
   ProjectPermissionSet,
   ProjectPermissionSub
 } from "../permission/project-permission";
+import { ApprovalStatus } from "../secret-approval-request/secret-approval-request-types";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "./project-user-additional-privilege-dal";
 import {
   ProjectUserAdditionalPrivilegeTemporaryMode,
@@ -30,6 +32,7 @@ type TProjectUserAdditionalPrivilegeServiceFactoryDep = {
   projectUserAdditionalPrivilegeDAL: TProjectUserAdditionalPrivilegeDALFactory;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById" | "findOne">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "update">;
 };
 
 export type TProjectUserAdditionalPrivilegeServiceFactory = ReturnType<
@@ -44,7 +47,8 @@ const unpackPermissions = (permissions: unknown) =>
 export const projectUserAdditionalPrivilegeServiceFactory = ({
   projectUserAdditionalPrivilegeDAL,
   projectMembershipDAL,
-  permissionService
+  permissionService,
+  accessApprovalRequestDAL
 }: TProjectUserAdditionalPrivilegeServiceFactoryDep) => {
   const create = async ({
     slug,
@@ -279,6 +283,15 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
 
+    await accessApprovalRequestDAL.update(
+      {
+        privilegeId: userPrivilege.id
+      },
+      {
+        privilegeDeletedAt: new Date(),
+        status: ApprovalStatus.REJECTED
+      }
+    );
     const deletedPrivilege = await projectUserAdditionalPrivilegeDAL.deleteById(userPrivilege.id);
     return {
       ...deletedPrivilege,

backend/src/ee/services/secret-approval-policy/secret-approval-policy-approver-dal.ts

@@ -8,3 +8,10 @@ export const secretApprovalPolicyApproverDALFactory = (db: TDbClient) => {
   const sapApproverOrm = ormify(db, TableName.SecretApprovalPolicyApprover);
   return sapApproverOrm;
 };
+
+export type TSecretApprovalPolicyBypasserDALFactory = ReturnType<typeof secretApprovalPolicyBypasserDALFactory>;
+
+export const secretApprovalPolicyBypasserDALFactory = (db: TDbClient) => {
+  const sapBypasserOrm = ormify(db, TableName.SecretApprovalPolicyBypasser);
+  return sapBypasserOrm;
+};

backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts

@@ -1,11 +1,17 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { SecretApprovalPoliciesSchema, TableName, TSecretApprovalPolicies, TUsers } from "@app/db/schemas";
+import {
+  SecretApprovalPoliciesSchema,
+  TableName,
+  TSecretApprovalPolicies,
+  TUserGroupMembership,
+  TUsers
+} from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
 
-import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
+import { ApproverType, BypasserType } from "../access-approval-policy/access-approval-policy-types";
 
 export type TSecretApprovalPolicyDALFactory = ReturnType<typeof secretApprovalPolicyDALFactory>;
 
@@ -43,6 +49,22 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
         `${TableName.SecretApprovalPolicyApprover}.approverUserId`,
         "secretApprovalPolicyApproverUser.id"
       )
+      // Bypasser
+      .leftJoin(
+        TableName.SecretApprovalPolicyBypasser,
+        `${TableName.SecretApprovalPolicy}.id`,
+        `${TableName.SecretApprovalPolicyBypasser}.policyId`
+      )
+      .leftJoin<TUserGroupMembership>(
+        db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
+        `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
+        `bypasserUserGroupMembership.groupId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("secretApprovalPolicyBypasserUser"),
+        `${TableName.SecretApprovalPolicyBypasser}.bypasserUserId`,
+        "secretApprovalPolicyBypasserUser.id"
+      )
       .leftJoin<TUsers>(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
       .select(
         tx.ref("id").withSchema("secretApprovalPolicyApproverUser").as("approverUserId"),
@@ -58,6 +80,20 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
         tx.ref("firstName").withSchema(TableName.Users).as("approverGroupFirstName"),
         tx.ref("lastName").withSchema(TableName.Users).as("approverGroupLastName")
       )
+      .select(
+        tx.ref("id").withSchema("secretApprovalPolicyBypasserUser").as("bypasserUserId"),
+        tx.ref("email").withSchema("secretApprovalPolicyBypasserUser").as("bypasserEmail"),
+        tx.ref("firstName").withSchema("secretApprovalPolicyBypasserUser").as("bypasserFirstName"),
+        tx.ref("username").withSchema("secretApprovalPolicyBypasserUser").as("bypasserUsername"),
+        tx.ref("lastName").withSchema("secretApprovalPolicyBypasserUser").as("bypasserLastName")
+      )
+      .select(
+        tx.ref("bypasserGroupId").withSchema(TableName.SecretApprovalPolicyBypasser),
+        tx.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
+        tx.ref("email").withSchema(TableName.Users).as("bypasserGroupEmail"),
+        tx.ref("firstName").withSchema(TableName.Users).as("bypasserGroupFirstName"),
+        tx.ref("lastName").withSchema(TableName.Users).as("bypasserGroupLastName")
+      )
       .select(
         tx.ref("name").withSchema(TableName.Environment).as("envName"),
         tx.ref("slug").withSchema(TableName.Environment).as("envSlug"),
@@ -143,7 +179,7 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
             label: "approvers" as const,
             mapper: ({ approverUserId: id, approverUsername }) => ({
               type: ApproverType.User,
-              name: approverUsername,
+              username: approverUsername,
               id
             })
           },
@@ -155,6 +191,23 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
               id
             })
           },
+          {
+            key: "bypasserUserId",
+            label: "bypassers" as const,
+            mapper: ({ bypasserUserId: id, bypasserUsername }) => ({
+              type: BypasserType.User,
+              username: bypasserUsername,
+              id
+            })
+          },
+          {
+            key: "bypasserGroupId",
+            label: "bypassers" as const,
+            mapper: ({ bypasserGroupId: id }) => ({
+              type: BypasserType.Group,
+              id
+            })
+          },
           {
             key: "approverUserId",
             label: "userApprovers" as const,

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -3,18 +3,21 @@ import picomatch from "picomatch";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { containsGlobPatterns } from "@app/lib/picomatch";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 
-import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
+import { ApproverType, BypasserType } from "../access-approval-policy/access-approval-policy-types";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TSecretApprovalRequestDALFactory } from "../secret-approval-request/secret-approval-request-dal";
 import { RequestState } from "../secret-approval-request/secret-approval-request-types";
-import { TSecretApprovalPolicyApproverDALFactory } from "./secret-approval-policy-approver-dal";
+import {
+  TSecretApprovalPolicyApproverDALFactory,
+  TSecretApprovalPolicyBypasserDALFactory
+} from "./secret-approval-policy-approver-dal";
 import { TSecretApprovalPolicyDALFactory } from "./secret-approval-policy-dal";
 import {
   TCreateSapDTO,
@@ -36,6 +39,7 @@ type TSecretApprovalPolicyServiceFactoryDep = {
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
   userDAL: Pick<TUserDALFactory, "find">;
   secretApprovalPolicyApproverDAL: TSecretApprovalPolicyApproverDALFactory;
+  secretApprovalPolicyBypasserDAL: TSecretApprovalPolicyBypasserDALFactory;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "update">;
 };
@@ -46,6 +50,7 @@ export const secretApprovalPolicyServiceFactory = ({
   secretApprovalPolicyDAL,
   permissionService,
   secretApprovalPolicyApproverDAL,
+  secretApprovalPolicyBypasserDAL,
   projectEnvDAL,
   userDAL,
   licenseService,
@@ -59,6 +64,7 @@ export const secretApprovalPolicyServiceFactory = ({
     actorAuthMethod,
     approvals,
     approvers,
+    bypassers,
     projectId,
     secretPath,
     environment,
@@ -74,7 +80,7 @@ export const secretApprovalPolicyServiceFactory = ({
       .filter(Boolean) as string[];
 
     const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
       .filter(Boolean) as string[];
 
     if (!groupApprovers.length && approvals > approvers.length)
@@ -89,7 +95,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionApprovalActions.Create,
+      ProjectPermissionActions.Create,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -107,6 +113,44 @@ export const secretApprovalPolicyServiceFactory = ({
         message: `Environment with slug '${environment}' not found in project with ID ${projectId}`
       });
 
+    let groupBypassers: string[] = [];
+    let bypasserUserIds: string[] = [];
+
+    if (bypassers && bypassers.length) {
+      groupBypassers = bypassers
+        .filter((bypasser) => bypasser.type === BypasserType.Group)
+        .map((bypasser) => bypasser.id) as string[];
+
+      const userBypassers = bypassers
+        .filter((bypasser) => bypasser.type === BypasserType.User)
+        .map((bypasser) => bypasser.id)
+        .filter(Boolean) as string[];
+
+      const userBypasserNames = bypassers
+        .map((bypasser) => (bypasser.type === BypasserType.User ? bypasser.username : undefined))
+        .filter(Boolean) as string[];
+
+      bypasserUserIds = userBypassers;
+      if (userBypasserNames.length) {
+        const bypasserUsers = await userDAL.find({
+          $in: {
+            username: userBypasserNames
+          }
+        });
+
+        const bypasserNamesFromDb = bypasserUsers.map((user) => user.username);
+        const invalidUsernames = userBypasserNames.filter((username) => !bypasserNamesFromDb.includes(username));
+
+        if (invalidUsernames.length) {
+          throw new BadRequestError({
+            message: `Invalid bypasser user: ${invalidUsernames.join(", ")}`
+          });
+        }
+
+        bypasserUserIds = bypasserUserIds.concat(bypasserUsers.map((user) => user.id));
+      }
+    }
+
     const secretApproval = await secretApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await secretApprovalPolicyDAL.create(
         {
@@ -158,6 +202,27 @@ export const secretApprovalPolicyServiceFactory = ({
         })),
         tx
       );
+
+      if (bypasserUserIds.length) {
+        await secretApprovalPolicyBypasserDAL.insertMany(
+          bypasserUserIds.map((userId) => ({
+            bypasserUserId: userId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
+      if (groupBypassers.length) {
+        await secretApprovalPolicyBypasserDAL.insertMany(
+          groupBypassers.map((groupId) => ({
+            bypasserGroupId: groupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
       return doc;
     });
 
@@ -166,6 +231,7 @@ export const secretApprovalPolicyServiceFactory = ({
 
   const updateSecretApprovalPolicy = async ({
     approvers,
+    bypassers,
     secretPath,
     name,
     actorId,
@@ -186,7 +252,7 @@ export const secretApprovalPolicyServiceFactory = ({
       .filter(Boolean) as string[];
 
     const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
       .filter(Boolean) as string[];
 
     const secretApprovalPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
@@ -204,10 +270,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionApprovalActions.Edit,
-      ProjectPermissionSub.SecretApproval
-    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
 
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan.secretApproval) {
@@ -217,6 +280,44 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
+    let groupBypassers: string[] = [];
+    let bypasserUserIds: string[] = [];
+
+    if (bypassers && bypassers.length) {
+      groupBypassers = bypassers
+        .filter((bypasser) => bypasser.type === BypasserType.Group)
+        .map((bypasser) => bypasser.id) as string[];
+
+      const userBypassers = bypassers
+        .filter((bypasser) => bypasser.type === BypasserType.User)
+        .map((bypasser) => bypasser.id)
+        .filter(Boolean) as string[];
+
+      const userBypasserNames = bypassers
+        .map((bypasser) => (bypasser.type === BypasserType.User ? bypasser.username : undefined))
+        .filter(Boolean) as string[];
+
+      bypasserUserIds = userBypassers;
+      if (userBypasserNames.length) {
+        const bypasserUsers = await userDAL.find({
+          $in: {
+            username: userBypasserNames
+          }
+        });
+
+        const bypasserNamesFromDb = bypasserUsers.map((user) => user.username);
+        const invalidUsernames = userBypasserNames.filter((username) => !bypasserNamesFromDb.includes(username));
+
+        if (invalidUsernames.length) {
+          throw new BadRequestError({
+            message: `Invalid bypasser user: ${invalidUsernames.join(", ")}`
+          });
+        }
+
+        bypasserUserIds = bypasserUserIds.concat(bypasserUsers.map((user) => user.id));
+      }
+    }
+
     const updatedSap = await secretApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await secretApprovalPolicyDAL.updateById(
         secretApprovalPolicy.id,
@@ -275,6 +376,28 @@ export const secretApprovalPolicyServiceFactory = ({
         );
       }
 
+      await secretApprovalPolicyBypasserDAL.delete({ policyId: doc.id }, tx);
+
+      if (bypasserUserIds.length) {
+        await secretApprovalPolicyBypasserDAL.insertMany(
+          bypasserUserIds.map((userId) => ({
+            bypasserUserId: userId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
+      if (groupBypassers.length) {
+        await secretApprovalPolicyBypasserDAL.insertMany(
+          groupBypassers.map((groupId) => ({
+            bypasserGroupId: groupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
       return doc;
     });
     return {
@@ -304,7 +427,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionApprovalActions.Delete,
+      ProjectPermissionActions.Delete,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -343,10 +466,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionApprovalActions.Read,
-      ProjectPermissionSub.SecretApproval
-    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
     const sapPolicies = await secretApprovalPolicyDAL.find({ projectId, deletedAt: null });
     return sapPolicies;
@@ -419,10 +539,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionApprovalActions.Read,
-      ProjectPermissionSub.SecretApproval
-    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
     return sapPolicy;
   };

backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@@ -1,12 +1,16 @@
 import { EnforcementLevel, TProjectPermission } from "@app/lib/types";
 
-import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
+import { ApproverType, BypasserType } from "../access-approval-policy/access-approval-policy-types";
 
 export type TCreateSapDTO = {
   approvals: number;
   secretPath?: string | null;
   environment: string;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
+  bypassers?: (
+    | { type: BypasserType.Group; id: string }
+    | { type: BypasserType.User; id?: string; username?: string }
+  )[];
   projectId: string;
   name: string;
   enforcementLevel: EnforcementLevel;
@@ -17,7 +21,11 @@ export type TUpdateSapDTO = {
   secretPolicyId: string;
   approvals?: number;
   secretPath?: string | null;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
+  bypassers?: (
+    | { type: BypasserType.Group; id: string }
+    | { type: BypasserType.User; id?: string; username?: string }
+  )[];
   name?: string;
   enforcementLevel?: EnforcementLevel;
   allowedSelfApprovals?: boolean;

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -6,6 +6,7 @@ import {
   TableName,
   TSecretApprovalRequests,
   TSecretApprovalRequestsSecrets,
+  TUserGroupMembership,
   TUsers
 } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
@@ -58,16 +59,36 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.SecretApprovalPolicyApprover}.approverUserId`,
         "secretApprovalPolicyApproverUser.id"
       )
-      .leftJoin(
-        TableName.UserGroupMembership,
+      .leftJoin<TUserGroupMembership>(
+        db(TableName.UserGroupMembership).as("approverUserGroupMembership"),
         `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
-        `${TableName.UserGroupMembership}.groupId`
+        `approverUserGroupMembership.groupId`
       )
       .leftJoin<TUsers>(
         db(TableName.Users).as("secretApprovalPolicyGroupApproverUser"),
-        `${TableName.UserGroupMembership}.userId`,
+        `approverUserGroupMembership.userId`,
         `secretApprovalPolicyGroupApproverUser.id`
       )
+      .leftJoin(
+        TableName.SecretApprovalPolicyBypasser,
+        `${TableName.SecretApprovalPolicy}.id`,
+        `${TableName.SecretApprovalPolicyBypasser}.policyId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("secretApprovalPolicyBypasserUser"),
+        `${TableName.SecretApprovalPolicyBypasser}.bypasserUserId`,
+        "secretApprovalPolicyBypasserUser.id"
+      )
+      .leftJoin<TUserGroupMembership>(
+        db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
+        `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
+        `bypasserUserGroupMembership.groupId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("secretApprovalPolicyGroupBypasserUser"),
+        `bypasserUserGroupMembership.userId`,
+        `secretApprovalPolicyGroupBypasserUser.id`
+      )
       .leftJoin(
         TableName.SecretApprovalRequestReviewer,
         `${TableName.SecretApprovalRequest}.id`,
@@ -81,7 +102,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
       .select(selectAllTableCols(TableName.SecretApprovalRequest))
       .select(
         tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
-        tx.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
+        tx.ref("userId").withSchema("approverUserGroupMembership").as("approverGroupUserId"),
         tx.ref("email").withSchema("secretApprovalPolicyApproverUser").as("approverEmail"),
         tx.ref("email").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupEmail"),
         tx.ref("username").withSchema("secretApprovalPolicyApproverUser").as("approverUsername"),
@@ -90,6 +111,20 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("firstName").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupFirstName"),
         tx.ref("lastName").withSchema("secretApprovalPolicyApproverUser").as("approverLastName"),
         tx.ref("lastName").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupLastName"),
+
+        // Bypasser fields
+        tx.ref("bypasserUserId").withSchema(TableName.SecretApprovalPolicyBypasser),
+        tx.ref("bypasserGroupId").withSchema(TableName.SecretApprovalPolicyBypasser),
+        tx.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
+        tx.ref("email").withSchema("secretApprovalPolicyBypasserUser").as("bypasserEmail"),
+        tx.ref("email").withSchema("secretApprovalPolicyGroupBypasserUser").as("bypasserGroupEmail"),
+        tx.ref("username").withSchema("secretApprovalPolicyBypasserUser").as("bypasserUsername"),
+        tx.ref("username").withSchema("secretApprovalPolicyGroupBypasserUser").as("bypasserGroupUsername"),
+        tx.ref("firstName").withSchema("secretApprovalPolicyBypasserUser").as("bypasserFirstName"),
+        tx.ref("firstName").withSchema("secretApprovalPolicyGroupBypasserUser").as("bypasserGroupFirstName"),
+        tx.ref("lastName").withSchema("secretApprovalPolicyBypasserUser").as("bypasserLastName"),
+        tx.ref("lastName").withSchema("secretApprovalPolicyGroupBypasserUser").as("bypasserGroupLastName"),
+
         tx.ref("email").withSchema("statusChangedByUser").as("statusChangedByUserEmail"),
         tx.ref("username").withSchema("statusChangedByUser").as("statusChangedByUserUsername"),
         tx.ref("firstName").withSchema("statusChangedByUser").as("statusChangedByUserFirstName"),
@@ -121,7 +156,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
     try {
       const sql = findQuery({ [`${TableName.SecretApprovalRequest}.id` as "id"]: id }, tx || db.replicaNode());
       const docs = await sql;
-      const formatedDoc = sqlNestRelationships({
+      const formattedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
         parentMapper: (el) => ({
@@ -203,13 +238,51 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
               lastName,
               username
             })
+          },
+          {
+            key: "bypasserUserId",
+            label: "bypassers" as const,
+            mapper: ({
+              bypasserUserId: userId,
+              bypasserEmail: email,
+              bypasserUsername: username,
+              bypasserLastName: lastName,
+              bypasserFirstName: firstName
+            }) => ({
+              userId,
+              email,
+              firstName,
+              lastName,
+              username
+            })
+          },
+          {
+            key: "bypasserGroupUserId",
+            label: "bypassers" as const,
+            mapper: ({
+              bypasserGroupUserId: userId,
+              bypasserGroupEmail: email,
+              bypasserGroupUsername: username,
+              bypasserGroupLastName: lastName,
+              bypasserGroupFirstName: firstName
+            }) => ({
+              userId,
+              email,
+              firstName,
+              lastName,
+              username
+            })
           }
         ]
       });
-      if (!formatedDoc?.[0]) return;
+      if (!formattedDoc?.[0]) return;
       return {
-        ...formatedDoc[0],
-        policy: { ...formatedDoc[0].policy, approvers: formatedDoc[0].approvers }
+        ...formattedDoc[0],
+        policy: {
+          ...formattedDoc[0].policy,
+          approvers: formattedDoc[0].approvers,
+          bypassers: formattedDoc[0].bypassers
+        }
       };
     } catch (error) {
       throw new DatabaseError({ error, name: "FindByIdSAR" });
@@ -291,6 +364,16 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
           `${TableName.UserGroupMembership}.groupId`
         )
+        .leftJoin(
+          TableName.SecretApprovalPolicyBypasser,
+          `${TableName.SecretApprovalPolicy}.id`,
+          `${TableName.SecretApprovalPolicyBypasser}.policyId`
+        )
+        .leftJoin<TUserGroupMembership>(
+          db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
+          `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
+          `bypasserUserGroupMembership.groupId`
+        )
         .join<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
@@ -342,6 +425,11 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
           db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
           db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
+
+          // Bypasser fields
+          db.ref("bypasserUserId").withSchema(TableName.SecretApprovalPolicyBypasser),
+          db.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
+
           db.ref("email").withSchema("committerUser").as("committerUserEmail"),
           db.ref("username").withSchema("committerUser").as("committerUserUsername"),
           db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
@@ -355,7 +443,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         .from<Awaited<typeof query>[number]>("w")
         .where("w.rank", ">=", offset)
         .andWhere("w.rank", "<", offset + limit);
-      const formatedDoc = sqlNestRelationships({
+      const formattedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
         parentMapper: (el) => ({
@@ -403,12 +491,22 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             key: "approverGroupUserId",
             label: "approvers" as const,
             mapper: ({ approverGroupUserId }) => ({ userId: approverGroupUserId })
+          },
+          {
+            key: "bypasserUserId",
+            label: "bypassers" as const,
+            mapper: ({ bypasserUserId }) => ({ userId: bypasserUserId })
+          },
+          {
+            key: "bypasserGroupUserId",
+            label: "bypassers" as const,
+            mapper: ({ bypasserGroupUserId }) => ({ userId: bypasserGroupUserId })
           }
         ]
       });
-      return formatedDoc.map((el) => ({
+      return formattedDoc.map((el) => ({
         ...el,
-        policy: { ...el.policy, approvers: el.approvers }
+        policy: { ...el.policy, approvers: el.approvers, bypassers: el.bypassers }
       }));
     } catch (error) {
       throw new DatabaseError({ error, name: "FindSAR" });
@@ -440,6 +538,16 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
           `${TableName.UserGroupMembership}.groupId`
         )
+        .leftJoin(
+          TableName.SecretApprovalPolicyBypasser,
+          `${TableName.SecretApprovalPolicy}.id`,
+          `${TableName.SecretApprovalPolicyBypasser}.policyId`
+        )
+        .leftJoin<TUserGroupMembership>(
+          db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
+          `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
+          `bypasserUserGroupMembership.groupId`
+        )
         .join<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
@@ -491,6 +599,11 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
           db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
           db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
+
+          // Bypasser
+          db.ref("bypasserUserId").withSchema(TableName.SecretApprovalPolicyBypasser),
+          db.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
+
           db.ref("email").withSchema("committerUser").as("committerUserEmail"),
           db.ref("username").withSchema("committerUser").as("committerUserUsername"),
           db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
@@ -504,7 +617,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         .from<Awaited<typeof query>[number]>("w")
         .where("w.rank", ">=", offset)
         .andWhere("w.rank", "<", offset + limit);
-      const formatedDoc = sqlNestRelationships({
+      const formattedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
         parentMapper: (el) => ({
@@ -554,12 +667,24 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             mapper: ({ approverGroupUserId }) => ({
               userId: approverGroupUserId
             })
+          },
+          {
+            key: "bypasserUserId",
+            label: "bypassers" as const,
+            mapper: ({ bypasserUserId }) => ({ userId: bypasserUserId })
+          },
+          {
+            key: "bypasserGroupUserId",
+            label: "bypassers" as const,
+            mapper: ({ bypasserGroupUserId }) => ({
+              userId: bypasserGroupUserId
+            })
           }
         ]
       });
-      return formatedDoc.map((el) => ({
+      return formattedDoc.map((el) => ({
         ...el,
-        policy: { ...el.policy, approvers: el.approvers }
+        policy: { ...el.policy, approvers: el.approvers, bypassers: el.bypassers }
       }));
     } catch (error) {
       throw new DatabaseError({ error, name: "FindSAR" });

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -62,11 +62,7 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { throwIfMissingSecretReadValueOrDescribePermission } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import {
-  ProjectPermissionApprovalActions,
-  ProjectPermissionSecretActions,
-  ProjectPermissionSub
-} from "../permission/project-permission";
+import { ProjectPermissionSecretActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
 import { TSecretSnapshotServiceFactory } from "../secret-snapshot/secret-snapshot-service";
 import { TSecretApprovalRequestDALFactory } from "./secret-approval-request-dal";
@@ -501,14 +497,14 @@ export const secretApprovalRequestServiceFactory = ({
       });
     }
 
-    const { policy, folderId, projectId } = secretApprovalRequest;
+    const { policy, folderId, projectId, bypassers } = secretApprovalRequest;
     if (policy.deletedAt) {
       throw new BadRequestError({
         message: "The policy associated with this secret approval request has been deleted."
       });
     }
 
-    const { hasRole, permission } = await permissionService.getProjectPermission({
+    const { hasRole } = await permissionService.getProjectPermission({
       actor: ActorType.USER,
       actorId,
       projectId,
@@ -534,14 +530,9 @@ export const secretApprovalRequestServiceFactory = ({
         approverId ? reviewers[approverId] === ApprovalStatus.APPROVED : false
       ).length;
     const isSoftEnforcement = secretApprovalRequest.policy.enforcementLevel === EnforcementLevel.Soft;
+    const canBypass = !bypassers.length || bypassers.some((bypasser) => bypasser.userId === actorId);
 
-    if (
-      !hasMinApproval &&
-      !(
-        isSoftEnforcement &&
-        permission.can(ProjectPermissionApprovalActions.AllowChangeBypass, ProjectPermissionSub.SecretApproval)
-      )
-    )
+    if (!hasMinApproval && !(isSoftEnforcement && canBypass))
       throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
 
     const { botKey, shouldUseSecretV2Bridge, project } = await projectBotService.getBotKey(projectId);

backend/src/ee/services/secret-rotation-v2/mysql-credentials/index.ts

@@ -0,0 +1,3 @@
+export * from "./mysql-credentials-rotation-constants";
+export * from "./mysql-credentials-rotation-schemas";
+export * from "./mysql-credentials-rotation-types";

backend/src/ee/services/secret-rotation-v2/mysql-credentials/mysql-credentials-rotation-constants.ts

@@ -0,0 +1,23 @@
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import { TSecretRotationV2ListItem } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const MYSQL_CREDENTIALS_ROTATION_LIST_OPTION: TSecretRotationV2ListItem = {
+  name: "MySQL Credentials",
+  type: SecretRotation.MySqlCredentials,
+  connection: AppConnection.MySql,
+  template: {
+    createUserStatement: `-- create user
+CREATE USER 'infisical_user'@'%' IDENTIFIED BY 'temporary_password';
+
+-- grant all privileges
+GRANT ALL PRIVILEGES ON my_database.* TO 'infisical_user'@'%';
+
+-- apply the privilege changes
+FLUSH PRIVILEGES;`,
+    secretsMapping: {
+      username: "MYSQL_USERNAME",
+      password: "MYSQL_PASSWORD"
+    }
+  }
+};

backend/src/ee/services/secret-rotation-v2/mysql-credentials/mysql-credentials-rotation-schemas.ts

@@ -0,0 +1,41 @@
+import { z } from "zod";
+
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import {
+  BaseCreateSecretRotationSchema,
+  BaseSecretRotationSchema,
+  BaseUpdateSecretRotationSchema
+} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-schemas";
+import {
+  SqlCredentialsRotationParametersSchema,
+  SqlCredentialsRotationSecretsMappingSchema,
+  SqlCredentialsRotationTemplateSchema
+} from "@app/ee/services/secret-rotation-v2/shared/sql-credentials";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const MySqlCredentialsRotationSchema = BaseSecretRotationSchema(SecretRotation.MySqlCredentials).extend({
+  type: z.literal(SecretRotation.MySqlCredentials),
+  parameters: SqlCredentialsRotationParametersSchema,
+  secretsMapping: SqlCredentialsRotationSecretsMappingSchema
+});
+
+export const CreateMySqlCredentialsRotationSchema = BaseCreateSecretRotationSchema(
+  SecretRotation.MySqlCredentials
+).extend({
+  parameters: SqlCredentialsRotationParametersSchema,
+  secretsMapping: SqlCredentialsRotationSecretsMappingSchema
+});
+
+export const UpdateMySqlCredentialsRotationSchema = BaseUpdateSecretRotationSchema(
+  SecretRotation.MySqlCredentials
+).extend({
+  parameters: SqlCredentialsRotationParametersSchema.optional(),
+  secretsMapping: SqlCredentialsRotationSecretsMappingSchema.optional()
+});
+
+export const MySqlCredentialsRotationListItemSchema = z.object({
+  name: z.literal("MySQL Credentials"),
+  connection: z.literal(AppConnection.MySql),
+  type: z.literal(SecretRotation.MySqlCredentials),
+  template: SqlCredentialsRotationTemplateSchema
+});

backend/src/ee/services/secret-rotation-v2/mysql-credentials/mysql-credentials-rotation-types.ts

@@ -0,0 +1,19 @@
+import { z } from "zod";
+
+import { TMySqlConnection } from "@app/services/app-connection/mysql";
+
+import {
+  CreateMySqlCredentialsRotationSchema,
+  MySqlCredentialsRotationListItemSchema,
+  MySqlCredentialsRotationSchema
+} from "./mysql-credentials-rotation-schemas";
+
+export type TMySqlCredentialsRotation = z.infer<typeof MySqlCredentialsRotationSchema>;
+
+export type TMySqlCredentialsRotationInput = z.infer<typeof CreateMySqlCredentialsRotationSchema>;
+
+export type TMySqlCredentialsRotationListItem = z.infer<typeof MySqlCredentialsRotationListItemSchema>;
+
+export type TMySqlCredentialsRotationWithConnection = TMySqlCredentialsRotation & {
+  connection: TMySqlConnection;
+};

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-enums.ts

@@ -1,6 +1,7 @@
 export enum SecretRotation {
   PostgresCredentials = "postgres-credentials",
   MsSqlCredentials = "mssql-credentials",
+  MySqlCredentials = "mysql-credentials",
   Auth0ClientSecret = "auth0-client-secret",
   AzureClientSecret = "azure-client-secret",
   AwsIamUserSecret = "aws-iam-user-secret",

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts

@@ -9,6 +9,7 @@ import { AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION } from "./aws-iam-user-secret"
 import { AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./azure-client-secret";
 import { LDAP_PASSWORD_ROTATION_LIST_OPTION, TLdapPasswordRotation } from "./ldap-password";
 import { MSSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mssql-credentials";
+import { MYSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mysql-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
 import { TSecretRotationV2ServiceFactoryDep } from "./secret-rotation-v2-service";
@@ -23,6 +24,7 @@ import {
 const SECRET_ROTATION_LIST_OPTIONS: Record<SecretRotation, TSecretRotationV2ListItem> = {
   [SecretRotation.PostgresCredentials]: POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION,
   [SecretRotation.MsSqlCredentials]: MSSQL_CREDENTIALS_ROTATION_LIST_OPTION,
+  [SecretRotation.MySqlCredentials]: MYSQL_CREDENTIALS_ROTATION_LIST_OPTION,
   [SecretRotation.Auth0ClientSecret]: AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION,
   [SecretRotation.AzureClientSecret]: AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION,
   [SecretRotation.AwsIamUserSecret]: AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION,

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-maps.ts

@@ -4,6 +4,7 @@ import { AppConnection } from "@app/services/app-connection/app-connection-enums
 export const SECRET_ROTATION_NAME_MAP: Record<SecretRotation, string> = {
   [SecretRotation.PostgresCredentials]: "PostgreSQL Credentials",
   [SecretRotation.MsSqlCredentials]: "Microsoft SQL Server Credentials",
+  [SecretRotation.MySqlCredentials]: "MySQL Credentials",
   [SecretRotation.Auth0ClientSecret]: "Auth0 Client Secret",
   [SecretRotation.AzureClientSecret]: "Azure Client Secret",
   [SecretRotation.AwsIamUserSecret]: "AWS IAM User Secret",
@@ -13,6 +14,7 @@ export const SECRET_ROTATION_NAME_MAP: Record<SecretRotation, string> = {
 export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnection> = {
   [SecretRotation.PostgresCredentials]: AppConnection.Postgres,
   [SecretRotation.MsSqlCredentials]: AppConnection.MsSql,
+  [SecretRotation.MySqlCredentials]: AppConnection.MySql,
   [SecretRotation.Auth0ClientSecret]: AppConnection.Auth0,
   [SecretRotation.AzureClientSecret]: AppConnection.AzureClientSecrets,
   [SecretRotation.AwsIamUserSecret]: AppConnection.AWS,

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -120,6 +120,7 @@ type TRotationFactoryImplementation = TRotationFactory<
 const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactoryImplementation> = {
   [SecretRotation.PostgresCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.MsSqlCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
+  [SecretRotation.MySqlCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.Auth0ClientSecret]: auth0ClientSecretRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.AzureClientSecret]: azureClientSecretRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.AwsIamUserSecret]: awsIamUserSecretRotationFactory as TRotationFactoryImplementation,

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts

@@ -39,6 +39,12 @@ import {
   TMsSqlCredentialsRotationListItem,
   TMsSqlCredentialsRotationWithConnection
 } from "./mssql-credentials";
+import {
+  TMySqlCredentialsRotation,
+  TMySqlCredentialsRotationInput,
+  TMySqlCredentialsRotationListItem,
+  TMySqlCredentialsRotationWithConnection
+} from "./mysql-credentials";
 import {
   TPostgresCredentialsRotation,
   TPostgresCredentialsRotationInput,
@@ -51,6 +57,7 @@ import { SecretRotation } from "./secret-rotation-v2-enums";
 export type TSecretRotationV2 =
   | TPostgresCredentialsRotation
   | TMsSqlCredentialsRotation
+  | TMySqlCredentialsRotation
   | TAuth0ClientSecretRotation
   | TAzureClientSecretRotation
   | TLdapPasswordRotation
@@ -59,6 +66,7 @@ export type TSecretRotationV2 =
 export type TSecretRotationV2WithConnection =
   | TPostgresCredentialsRotationWithConnection
   | TMsSqlCredentialsRotationWithConnection
+  | TMySqlCredentialsRotationWithConnection
   | TAuth0ClientSecretRotationWithConnection
   | TAzureClientSecretRotationWithConnection
   | TLdapPasswordRotationWithConnection
@@ -74,6 +82,7 @@ export type TSecretRotationV2GeneratedCredentials =
 export type TSecretRotationV2Input =
   | TPostgresCredentialsRotationInput
   | TMsSqlCredentialsRotationInput
+  | TMySqlCredentialsRotationInput
   | TAuth0ClientSecretRotationInput
   | TAzureClientSecretRotationInput
   | TLdapPasswordRotationInput
@@ -82,6 +91,7 @@ export type TSecretRotationV2Input =
 export type TSecretRotationV2ListItem =
   | TPostgresCredentialsRotationListItem
   | TMsSqlCredentialsRotationListItem
+  | TMySqlCredentialsRotationListItem
   | TAuth0ClientSecretRotationListItem
   | TAzureClientSecretRotationListItem
   | TLdapPasswordRotationListItem

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema.ts

@@ -4,6 +4,7 @@ import { Auth0ClientSecretRotationSchema } from "@app/ee/services/secret-rotatio
 import { AzureClientSecretRotationSchema } from "@app/ee/services/secret-rotation-v2/azure-client-secret";
 import { LdapPasswordRotationSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
+import { MySqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
 import { PostgresCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 
 import { AwsIamUserSecretRotationSchema } from "./aws-iam-user-secret";
@@ -11,6 +12,7 @@ import { AwsIamUserSecretRotationSchema } from "./aws-iam-user-secret";
 export const SecretRotationV2Schema = z.discriminatedUnion("type", [
   PostgresCredentialsRotationSchema,
   MsSqlCredentialsRotationSchema,
+  MySqlCredentialsRotationSchema,
   Auth0ClientSecretRotationSchema,
   AzureClientSecretRotationSchema,
   LdapPasswordRotationSchema,

backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-types.ts

@@ -1,13 +1,15 @@
 import { z } from "zod";
 
 import { TMsSqlCredentialsRotationWithConnection } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
+import { TMySqlCredentialsRotationWithConnection } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
 import { TPostgresCredentialsRotationWithConnection } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 
 import { SqlCredentialsRotationGeneratedCredentialsSchema } from "./sql-credentials-rotation-schemas";
 
 export type TSqlCredentialsRotationWithConnection =
   | TPostgresCredentialsRotationWithConnection
-  | TMsSqlCredentialsRotationWithConnection;
+  | TMsSqlCredentialsRotationWithConnection
+  | TMySqlCredentialsRotationWithConnection;
 
 export type TSqlCredentialsRotationGeneratedCredentials = z.infer<
   typeof SqlCredentialsRotationGeneratedCredentialsSchema

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts

@@ -171,6 +171,13 @@ export const getDbSetQuery = (db: TDbProviderClients, variables: { username: str
     };
   }
 
+  if (db === TDbProviderClients.MySql) {
+    return {
+      query: `ALTER USER ??@'%' IDENTIFIED BY '${variables.password}'`,
+      variables: [variables.username]
+    };
+  }
+
   // add more based on client
   return {
     query: `ALTER USER ?? IDENTIFIED BY '${variables.password}'`,

backend/src/keystore/keystore.ts

@@ -1,5 +1,4 @@
-import { Redis } from "ioredis";
-
+import { buildRedisFromConfig, TRedisConfigKeys } from "@app/lib/config/redis";
 import { pgAdvisoryLockHashText } from "@app/lib/crypto/hashtext";
 import { applyJitter } from "@app/lib/dates";
 import { delay as delayMs } from "@app/lib/delay";
@@ -37,6 +36,8 @@ export const KeyStorePrefixes = {
     `sync-integration-last-run-${projectId}-${environmentSlug}-${secretPath}` as const,
   SecretSyncLock: (syncId: string) => `secret-sync-mutex-${syncId}` as const,
   SecretRotationLock: (rotationId: string) => `secret-rotation-v2-mutex-${rotationId}` as const,
+  CaOrderCertificateForSubscriberLock: (subscriberId: string) =>
+    `ca-order-certificate-for-subscriber-lock-${subscriberId}` as const,
   SecretSyncLastRunTimestamp: (syncId: string) => `secret-sync-last-run-${syncId}` as const,
   IdentityAccessTokenStatusUpdate: (identityAccessTokenId: string) =>
     `identity-access-token-status:${identityAccessTokenId}`,
@@ -66,8 +67,8 @@ type TWaitTillReady = {
   jitter?: number;
 };
 
-export const keyStoreFactory = (redisUrl: string) => {
-  const redis = new Redis(redisUrl);
+export const keyStoreFactory = (redisConfigKeys: TRedisConfigKeys) => {
+  const redis = buildRedisFromConfig(redisConfigKeys);
   const redisLock = new Redlock([redis], { retryCount: 2, retryDelay: 200 });
 
   const setItem = async (key: string, value: string | number | Buffer, prefix?: string) =>

backend/src/lib/api-docs/constants.ts

@@ -5,6 +5,8 @@ import {
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-maps";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
+import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
+import { CERTIFICATE_AUTHORITIES_TYPE_MAP } from "@app/services/certificate-authority/certificate-authority-maps";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import { SECRET_SYNC_CONNECTION_MAP, SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 
@@ -145,7 +147,9 @@ export const UNIVERSAL_AUTH = {
     accessTokenMaxTTL:
       "The maximum lifetime for an access token in seconds. This value will be referenced at renewal time.",
     accessTokenNumUsesLimit:
-      "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses."
+      "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses.",
+    accessTokenPeriod:
+      "The period for an access token in seconds. This value will be referenced at renewal time. Default value is 0."
   },
   RETRIEVE: {
     identityId: "The ID of the identity to retrieve the auth method for."
@@ -159,7 +163,8 @@ export const UNIVERSAL_AUTH = {
     accessTokenTrustedIps: "The new list of IPs or CIDR ranges that access tokens can be used from.",
     accessTokenTTL: "The new lifetime for an access token in seconds.",
     accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
-    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
+    accessTokenPeriod: "The new period for an access token in seconds."
   },
   CREATE_CLIENT_SECRET: {
     identityId: "The ID of the identity to create a client secret for.",
@@ -1707,6 +1712,19 @@ export const CERTIFICATES = {
     certificateChain: "The certificate chain of the certificate.",
     serialNumberRes: "The serial number of the certificate.",
     privateKey: "The private key of the certificate."
+  },
+  IMPORT: {
+    projectSlug: "Slug of the project to import the certificate into.",
+    certificatePem: "The PEM-encoded leaf certificate.",
+    privateKeyPem: "The PEM-encoded private key corresponding to the certificate.",
+    chainPem: "The PEM-encoded chain of intermediate certificates.",
+    friendlyName: "A friendly name for the certificate.",
+    pkiCollectionId: "The ID of the PKI collection to add the certificate to.",
+
+    certificate: "The issued certificate.",
+    certificateChain: "The certificate chain of the issued certificate.",
+    privateKey: "The private key of the issued certificate.",
+    serialNumber: "The serial number of the issued certificate."
   }
 };
 
@@ -1778,6 +1796,14 @@ export const PKI_SUBSCRIBERS = {
     subscriberName: "The name of the PKI subscriber to get.",
     projectId: "The ID of the project to get the PKI subscriber for."
   },
+  GET_LATEST_CERT_BUNDLE: {
+    subscriberName: "The name of the PKI subscriber to get the active certificate bundle for.",
+    projectId: "The ID of the project to get the active certificate bundle for.",
+    certificate: "The active certificate for the subscriber.",
+    certificateChain: "The certificate chain of the active certificate for the subscriber.",
+    privateKey: "The private key of the active certificate for the subscriber.",
+    serialNumber: "The serial number of the active certificate for the subscriber."
+  },
   CREATE: {
     projectId: "The ID of the project to create the PKI subscriber in.",
     caId: "The ID of the CA that will issue certificates for the PKI subscriber.",
@@ -1788,7 +1814,9 @@ export const PKI_SUBSCRIBERS = {
     subjectAlternativeNames:
       "A list of Subject Alternative Names (SANs) to be used on certificates issued for this subscriber; these can be host names or email addresses.",
     keyUsages: "The key usage extension to be used on certificates issued for this subscriber.",
-    extendedKeyUsages: "The extended key usage extension to be used on certificates issued for this subscriber."
+    extendedKeyUsages: "The extended key usage extension to be used on certificates issued for this subscriber.",
+    enableAutoRenewal: "Whether or not to enable auto renewal for the PKI subscriber.",
+    autoRenewalPeriodInDays: "The period in days to auto renew the PKI subscriber's certificates."
   },
   UPDATE: {
     projectId: "The ID of the project to update the PKI subscriber in.",
@@ -1802,7 +1830,9 @@ export const PKI_SUBSCRIBERS = {
       "A comma-delimited list of Subject Alternative Names (SANs) to be used on certificates issued for this subscriber; these can be host names or email addresses.",
     keyUsages: "The key usage extension to be used on certificates issued for this subscriber to update to.",
     extendedKeyUsages:
-      "The extended key usage extension to be used on certificates issued for this subscriber to update to."
+      "The extended key usage extension to be used on certificates issued for this subscriber to update to.",
+    enableAutoRenewal: "Whether or not to enable auto renewal for the PKI subscriber.",
+    autoRenewalPeriodInDays: "The period in days to auto renew the PKI subscriber's certificates."
   },
   DELETE: {
     subscriberName: "The name of the PKI subscriber to delete.",
@@ -1991,6 +2021,47 @@ export const ProjectTemplates = {
   }
 };
 
+export const CertificateAuthorities = {
+  CREATE: (type: CaType) => ({
+    name: `The name of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority to create. Must be slug-friendly.`,
+    projectId: `The ID of the project to create the Certificate Authority in.`,
+    enableDirectIssuance: `Whether or not to enable direct issuance of certificates for the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority.`,
+    status: `The status of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority.`
+  }),
+  UPDATE: (type: CaType) => ({
+    caId: `The ID of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority to update.`,
+    projectId: `The ID of the project to update the Certificate Authority in.`,
+    name: `The updated name of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority. Must be slug-friendly.`,
+    enableDirectIssuance: `Whether or not to enable direct issuance of certificates for the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority.`,
+    status: `The updated status of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority.`
+  }),
+  CONFIGURATIONS: {
+    ACME: {
+      dnsAppConnectionId: `The ID of the App Connection to use for creating and managing DNS TXT records required for ACME domain validation. This connection must have permissions to create and delete TXT records in your DNS provider (e.g., Route53) for the ACME challenge process.`,
+      directoryUrl: `The directory URL for the ACME Certificate Authority.`,
+      accountEmail: `The email address for the ACME Certificate Authority.`,
+      provider: `The DNS provider for the ACME Certificate Authority.`,
+      hostedZoneId: `The hosted zone ID for the ACME Certificate Authority.`
+    },
+    INTERNAL: {
+      type: "The type of CA to create.",
+      friendlyName: "A friendly name for the CA.",
+      organization: "The organization (O) for the CA.",
+      ou: "The organization unit (OU) for the CA.",
+      country: "The country name (C) for the CA.",
+      province: "The state of province name for the CA.",
+      locality: "The locality name for the CA.",
+      commonName: "The common name (CN) for the CA.",
+      notBefore: "The date and time when the CA becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format.",
+      notAfter: "The date and time when the CA expires in YYYY-MM-DDTHH:mm:ss.sssZ format.",
+      maxPathLength:
+        "The maximum number of intermediate CAs that may follow this CA in the certificate / CA chain. A maxPathLength of -1 implies no path limit on the chain.",
+      keyAlgorithm:
+        "The type of public key algorithm and size, in bits, of the key pair for the CA; when you create an intermediate CA, you must use a key algorithm supported by the parent CA."
+    }
+  }
+};
+
 export const AppConnections = {
   GET_BY_ID: (app: AppConnection) => ({
     connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} Connection to retrieve.`

backend/src/lib/config/env.ts

@@ -30,7 +30,19 @@ const envSchema = z
       .enum(["true", "false"])
       .default("false")
       .transform((el) => el === "true"),
-    REDIS_URL: zpStr(z.string()),
+    REDIS_URL: zpStr(z.string().optional()),
+    REDIS_SENTINEL_HOSTS: zpStr(
+      z
+        .string()
+        .optional()
+        .describe("Comma-separated list of Sentinel host:port pairs. Eg: 192.168.65.254:26379,192.168.65.254:26380")
+    ),
+    REDIS_SENTINEL_MASTER_NAME: zpStr(
+      z.string().optional().default("mymaster").describe("The name of the Redis master set monitored by Sentinel")
+    ),
+    REDIS_SENTINEL_ENABLE_TLS: zodStrBool.optional().describe("Whether to use TLS/SSL for Redis Sentinel connection"),
+    REDIS_SENTINEL_USERNAME: zpStr(z.string().optional().describe("Authentication username for Redis Sentinel")),
+    REDIS_SENTINEL_PASSWORD: zpStr(z.string().optional().describe("Authentication password for Redis Sentinel")),
     HOST: zpStr(z.string().default("localhost")),
     DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
       `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
@@ -233,7 +245,6 @@ const envSchema = z
     DATADOG_HOSTNAME: zpStr(z.string().optional()),
 
     /* CORS ----------------------------------------------------------------------------- */
-
     CORS_ALLOWED_ORIGINS: zpStr(
       z
         .string()
@@ -243,7 +254,6 @@ const envSchema = z
           return JSON.parse(val) as string[];
         })
     ),
-
     CORS_ALLOWED_HEADERS: zpStr(
       z
         .string()
@@ -252,33 +262,44 @@ const envSchema = z
           if (!val) return undefined;
           return JSON.parse(val) as string[];
         })
-    )
+    ),
+
+    /* INTERNAL ----------------------------------------------------------------------------- */
+    INTERNAL_REGION: zpStr(z.enum(["us", "eu"]).optional())
   })
   // To ensure that basic encryption is always possible.
   .refine(
     (data) => Boolean(data.ENCRYPTION_KEY) || Boolean(data.ROOT_ENCRYPTION_KEY),
     "Either ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY must be defined."
   )
+  .refine(
+    (data) => Boolean(data.REDIS_URL) || Boolean(data.REDIS_SENTINEL_HOSTS),
+    "Either REDIS_URL or REDIS_SENTINEL_HOSTS must be defined."
+  )
   .transform((data) => ({
     ...data,
-
     DB_READ_REPLICAS: data.DB_READ_REPLICAS
       ? databaseReadReplicaSchema.parse(JSON.parse(data.DB_READ_REPLICAS))
       : undefined,
     isCloud: Boolean(data.LICENSE_SERVER_KEY),
     isSmtpConfigured: Boolean(data.SMTP_HOST),
-    isRedisConfigured: Boolean(data.REDIS_URL),
+    isRedisConfigured: Boolean(data.REDIS_URL || data.REDIS_SENTINEL_HOSTS),
     isDevelopmentMode: data.NODE_ENV === "development",
     isRotationDevelopmentMode: data.NODE_ENV === "development" && data.ROTATION_DEVELOPMENT_MODE,
     isProductionMode: data.NODE_ENV === "production" || IS_PACKAGED,
-
+    isRedisSentinelMode: Boolean(data.REDIS_SENTINEL_HOSTS),
+    REDIS_SENTINEL_HOSTS: data.REDIS_SENTINEL_HOSTS?.trim()
+      ?.split(",")
+      .map((el) => {
+        const [host, port] = el.trim().split(":");
+        return { host: host.trim(), port: Number(port.trim()) };
+      }),
     isSecretScanningConfigured:
       Boolean(data.SECRET_SCANNING_GIT_APP_ID) &&
       Boolean(data.SECRET_SCANNING_PRIVATE_KEY) &&
       Boolean(data.SECRET_SCANNING_WEBHOOK_SECRET),
     isHsmConfigured:
       Boolean(data.HSM_LIB_PATH) && Boolean(data.HSM_PIN) && Boolean(data.HSM_KEY_LABEL) && data.HSM_SLOT !== undefined,
-
     samlDefaultOrgSlug: data.DEFAULT_SAML_ORG_SLUG,
     SECRET_SCANNING_ORG_WHITELIST: data.SECRET_SCANNING_ORG_WHITELIST?.split(",")
   }));

backend/src/lib/config/redis.ts

@@ -0,0 +1,24 @@
+import { Redis } from "ioredis";
+
+export type TRedisConfigKeys = Partial<{
+  REDIS_URL: string;
+  REDIS_SENTINEL_HOSTS: { host: string; port: number }[];
+  REDIS_SENTINEL_MASTER_NAME: string;
+  REDIS_SENTINEL_ENABLE_TLS: boolean;
+  REDIS_SENTINEL_USERNAME: string;
+  REDIS_SENTINEL_PASSWORD: string;
+}>;
+
+export const buildRedisFromConfig = (cfg: TRedisConfigKeys) => {
+  if (cfg.REDIS_URL) return new Redis(cfg.REDIS_URL, { maxRetriesPerRequest: null });
+
+  return new Redis({
+    // refine at tope will catch this case
+    sentinels: cfg.REDIS_SENTINEL_HOSTS!,
+    name: cfg.REDIS_SENTINEL_MASTER_NAME!,
+    maxRetriesPerRequest: null,
+    sentinelUsername: cfg.REDIS_SENTINEL_USERNAME,
+    sentinelPassword: cfg.REDIS_SENTINEL_PASSWORD,
+    enableTLSForSentinelMode: cfg.REDIS_SENTINEL_ENABLE_TLS
+  });
+};

backend/src/lib/gateway/index.ts

@@ -3,6 +3,7 @@ import crypto from "node:crypto";
 import net from "node:net";
 
 import quicDefault, * as quicModule from "@infisical/quic";
+import axios from "axios";
 
 import { BadRequestError } from "../errors";
 import { logger } from "../logger";
@@ -378,7 +379,12 @@ export const withGatewayProxy = async <T>(
       logger.error(new Error(proxyErrorMessage), "Failed to proxy");
     }
     logger.error(err, "Failed to do gateway");
-    throw new BadRequestError({ message: proxyErrorMessage || (err as Error)?.message });
+    let errorMessage = proxyErrorMessage || (err as Error)?.message;
+    if (axios.isAxiosError(err) && (err.response?.data as { message?: string })?.message) {
+      errorMessage = (err.response?.data as { message: string }).message;
+    }
+
+    throw new BadRequestError({ message: errorMessage });
   } finally {
     // Ensure cleanup happens regardless of success or failure
     await cleanup();

backend/src/main.ts

@@ -1,7 +1,6 @@
 import "./lib/telemetry/instrumentation";
 
 import dotenv from "dotenv";
-import { Redis } from "ioredis";
 
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 
@@ -9,6 +8,7 @@ import { runMigrations } from "./auto-start-migrations";
 import { initAuditLogDbConnection, initDbConnection } from "./db";
 import { keyStoreFactory } from "./keystore/keystore";
 import { formatSmtpConfig, initEnvConfig } from "./lib/config/env";
+import { buildRedisFromConfig } from "./lib/config/redis";
 import { removeTemporaryBaseDirectory } from "./lib/files";
 import { initLogger } from "./lib/logger";
 import { queueServiceFactory } from "./queue";
@@ -44,15 +44,15 @@ const run = async () => {
 
   const smtp = smtpServiceFactory(formatSmtpConfig());
 
-  const queue = queueServiceFactory(envConfig.REDIS_URL, {
+  const queue = queueServiceFactory(envConfig, {
     dbConnectionUrl: envConfig.DB_CONNECTION_URI,
     dbRootCert: envConfig.DB_ROOT_CERT
   });
 
   await queue.initialize();
 
-  const keyStore = keyStoreFactory(envConfig.REDIS_URL);
-  const redis = new Redis(envConfig.REDIS_URL);
+  const keyStore = keyStoreFactory(envConfig);
+  const redis = buildRedisFromConfig(envConfig);
 
   const hsmModule = initializeHsmModule(envConfig);
   hsmModule.initialize();

backend/src/queue/queue-service.ts

@@ -1,5 +1,4 @@
 import { Job, JobsOptions, Queue, QueueOptions, RepeatOptions, Worker, WorkerListener } from "bullmq";
-import Redis from "ioredis";
 import PgBoss, { WorkOptions } from "pg-boss";
 
 import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
@@ -13,7 +12,9 @@ import {
   TScanPushEventPayload
 } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue-types";
 import { getConfig } from "@app/lib/config/env";
+import { buildRedisFromConfig, TRedisConfigKeys } from "@app/lib/config/redis";
 import { logger } from "@app/lib/logger";
+import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
 import {
   TFailedIntegrationSyncEmailsPayload,
   TIntegrationSyncPayload,
@@ -36,6 +37,7 @@ export enum QueueName {
   AuditLogPrune = "audit-log-prune",
   DailyResourceCleanUp = "daily-resource-cleanup",
   DailyExpiringPkiItemAlert = "daily-expiring-pki-item-alert",
+  PkiSubscriber = "pki-subscriber",
   TelemetryInstanceStats = "telemtry-self-hosted-stats",
   IntegrationSync = "sync-integrations",
   SecretWebhook = "secret-webhook",
@@ -44,6 +46,7 @@ export enum QueueName {
   UpgradeProjectToGhost = "upgrade-project-to-ghost",
   DynamicSecretRevocation = "dynamic-secret-revocation",
   CaCrlRotation = "ca-crl-rotation",
+  CaLifecycle = "ca-lifecycle", // parent queue to ca-order-certificate-for-subscriber
   SecretReplication = "secret-replication",
   SecretSync = "secret-sync", // parent queue to push integration sync, webhook, and secret replication
   ProjectV3Migration = "project-v3-migration",
@@ -84,7 +87,9 @@ export enum QueueJobs {
   SecretRotationV2QueueRotations = "secret-rotation-v2-queue-rotations",
   SecretRotationV2RotateSecrets = "secret-rotation-v2-rotate-secrets",
   SecretRotationV2SendNotification = "secret-rotation-v2-send-notification",
-  InvalidateCache = "invalidate-cache"
+  InvalidateCache = "invalidate-cache",
+  CaOrderCertificateForSubscriber = "ca-order-certificate-for-subscriber",
+  PkiSubscriberDailyAutoRenewal = "pki-subscriber-daily-auto-renewal"
 }
 
 export type TQueueJobTypes = {
@@ -245,14 +250,25 @@ export type TQueueJobTypes = {
       };
     };
   };
+  [QueueName.CaLifecycle]: {
+    name: QueueJobs.CaOrderCertificateForSubscriber;
+    payload: {
+      subscriberId: string;
+      caType: CaType;
+    };
+  };
+  [QueueName.PkiSubscriber]: {
+    name: QueueJobs.PkiSubscriberDailyAutoRenewal;
+    payload: undefined;
+  };
 };
 
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;
 export const queueServiceFactory = (
-  redisUrl: string,
+  redisCfg: TRedisConfigKeys,
   { dbConnectionUrl, dbRootCert }: { dbConnectionUrl: string; dbRootCert?: string }
 ) => {
-  const connection = new Redis(redisUrl, { maxRetriesPerRequest: null });
+  const connection = buildRedisFromConfig(redisCfg);
   const queueContainer = {} as Record<
     QueueName,
     Queue<TQueueJobTypes[QueueName]["payload"], void, TQueueJobTypes[QueueName]["name"]>

backend/src/server/boot-strap-check.ts

@@ -1,9 +1,9 @@
 /* eslint-disable no-console */
-import { Redis } from "ioredis";
 import { Knex } from "knex";
 import { createTransport } from "nodemailer";
 
 import { formatSmtpConfig, getConfig } from "@app/lib/config/env";
+import { buildRedisFromConfig } from "@app/lib/config/redis";
 import { logger } from "@app/lib/logger";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 
@@ -65,12 +65,15 @@ export const bootstrapCheck = async ({ db }: BootstrapOpt) => {
     });
 
   console.log("Testing redis connection");
-  const redis = new Redis(appCfg.REDIS_URL);
+  const redis = buildRedisFromConfig(appCfg);
   const redisPing = await redis?.ping();
   if (!redisPing) {
     console.error("Redis - Failed to connect");
   } else {
-    console.error("Redis successfully connected");
+    console.log("Redis successfully connected");
+    if (appCfg.isRedisSentinelMode) {
+      console.log("Redis Sentinel Mode");
+    }
     redis.disconnect();
   }
 

backend/src/server/config/rateLimiter.ts

@@ -1,14 +1,12 @@
 import type { RateLimitOptions, RateLimitPluginOptions } from "@fastify/rate-limit";
-import { Redis } from "ioredis";
 
 import { getConfig } from "@app/lib/config/env";
+import { buildRedisFromConfig } from "@app/lib/config/redis";
 import { RateLimitError } from "@app/lib/errors";
 
 export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
   const appCfg = getConfig();
-  const redis = appCfg.isRedisConfigured
-    ? new Redis(appCfg.REDIS_URL, { connectTimeout: 500, maxRetriesPerRequest: 1 })
-    : null;
+  const redis = appCfg.isRedisConfigured ? buildRedisFromConfig(appCfg) : null;
 
   return {
     errorResponseBuilder: (_, context) => {

backend/src/server/routes/index.ts

@@ -6,7 +6,10 @@ import { z } from "zod";
 import { registerCertificateEstRouter } from "@app/ee/routes/est/certificate-est-router";
 import { registerV1EERoutes } from "@app/ee/routes/v1";
 import { registerV2EERoutes } from "@app/ee/routes/v2";
-import { accessApprovalPolicyApproverDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-approver-dal";
+import {
+  accessApprovalPolicyApproverDALFactory,
+  accessApprovalPolicyBypasserDALFactory
+} from "@app/ee/services/access-approval-policy/access-approval-policy-approver-dal";
 import { accessApprovalPolicyDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-dal";
 import { accessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
 import { accessApprovalRequestDALFactory } from "@app/ee/services/access-approval-request/access-approval-request-dal";
@@ -67,7 +70,10 @@ import { samlConfigDALFactory } from "@app/ee/services/saml-config/saml-config-d
 import { samlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
 import { scimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { scimServiceFactory } from "@app/ee/services/scim/scim-service";
-import { secretApprovalPolicyApproverDALFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-approver-dal";
+import {
+  secretApprovalPolicyApproverDALFactory,
+  secretApprovalPolicyBypasserDALFactory
+} from "@app/ee/services/secret-approval-policy/secret-approval-policy-approver-dal";
 import { secretApprovalPolicyDALFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-dal";
 import { secretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
 import { secretApprovalRequestDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-dal";
@@ -132,6 +138,10 @@ import { certificateAuthorityDALFactory } from "@app/services/certificate-author
 import { certificateAuthorityQueueFactory } from "@app/services/certificate-authority/certificate-authority-queue";
 import { certificateAuthoritySecretDALFactory } from "@app/services/certificate-authority/certificate-authority-secret-dal";
 import { certificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
+import { externalCertificateAuthorityDALFactory } from "@app/services/certificate-authority/external-certificate-authority-dal";
+import { internalCertificateAuthorityDALFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-dal";
+import { InternalCertificateAuthorityFns } from "@app/services/certificate-authority/internal/internal-certificate-authority-fns";
+import { internalCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-service";
 import { certificateTemplateDALFactory } from "@app/services/certificate-template/certificate-template-dal";
 import { certificateTemplateEstConfigDALFactory } from "@app/services/certificate-template/certificate-template-est-config-dal";
 import { certificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
@@ -199,7 +209,10 @@ import { pkiCollectionDALFactory } from "@app/services/pki-collection/pki-collec
 import { pkiCollectionItemDALFactory } from "@app/services/pki-collection/pki-collection-item-dal";
 import { pkiCollectionServiceFactory } from "@app/services/pki-collection/pki-collection-service";
 import { pkiSubscriberDALFactory } from "@app/services/pki-subscriber/pki-subscriber-dal";
+import { pkiSubscriberQueueServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-queue";
 import { pkiSubscriberServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-service";
+import { pkiTemplatesDALFactory } from "@app/services/pki-templates/pki-templates-dal";
+import { pkiTemplatesServiceFactory } from "@app/services/pki-templates/pki-templates-service";
 import { projectDALFactory } from "@app/services/project/project-dal";
 import { projectQueueFactory } from "@app/services/project/project-queue";
 import { projectServiceFactory } from "@app/services/project/project-service";
@@ -380,9 +393,11 @@ export const registerRoutes = async (
   const accessApprovalPolicyDAL = accessApprovalPolicyDALFactory(db);
   const accessApprovalRequestDAL = accessApprovalRequestDALFactory(db);
   const accessApprovalPolicyApproverDAL = accessApprovalPolicyApproverDALFactory(db);
+  const accessApprovalPolicyBypasserDAL = accessApprovalPolicyBypasserDALFactory(db);
   const accessApprovalRequestReviewerDAL = accessApprovalRequestReviewerDALFactory(db);
 
   const sapApproverDAL = secretApprovalPolicyApproverDALFactory(db);
+  const sapBypasserDAL = secretApprovalPolicyBypasserDALFactory(db);
   const secretApprovalPolicyDAL = secretApprovalPolicyDALFactory(db);
   const secretApprovalRequestDAL = secretApprovalRequestDALFactory(db);
   const secretApprovalRequestReviewerDAL = secretApprovalRequestReviewerDALFactory(db);
@@ -514,6 +529,7 @@ export const registerRoutes = async (
   const secretApprovalPolicyService = secretApprovalPolicyServiceFactory({
     projectEnvDAL,
     secretApprovalPolicyApproverDAL: sapApproverDAL,
+    secretApprovalPolicyBypasserDAL: sapBypasserDAL,
     permissionService,
     secretApprovalPolicyDAL,
     licenseService,
@@ -789,7 +805,8 @@ export const registerRoutes = async (
   const projectUserAdditionalPrivilegeService = projectUserAdditionalPrivilegeServiceFactory({
     permissionService,
     projectMembershipDAL,
-    projectUserAdditionalPrivilegeDAL
+    projectUserAdditionalPrivilegeDAL,
+    accessApprovalRequestDAL
   });
   const projectKeyService = projectKeyServiceFactory({
     permissionService,
@@ -817,6 +834,8 @@ export const registerRoutes = async (
   });
 
   const certificateAuthorityDAL = certificateAuthorityDALFactory(db);
+  const internalCertificateAuthorityDAL = internalCertificateAuthorityDALFactory(db);
+  const externalCertificateAuthorityDAL = externalCertificateAuthorityDALFactory(db);
   const certificateAuthorityCertDAL = certificateAuthorityCertDALFactory(db);
   const certificateAuthoritySecretDAL = certificateAuthoritySecretDALFactory(db);
   const certificateAuthorityCrlDAL = certificateAuthorityCrlDALFactory(db);
@@ -831,6 +850,7 @@ export const registerRoutes = async (
   const pkiCollectionDAL = pkiCollectionDALFactory(db);
   const pkiCollectionItemDAL = pkiCollectionItemDALFactory(db);
   const pkiSubscriberDAL = pkiSubscriberDALFactory(db);
+  const pkiTemplatesDAL = pkiTemplatesDALFactory(db);
 
   const certificateService = certificateServiceFactory({
     certificateDAL,
@@ -842,17 +862,9 @@ export const registerRoutes = async (
     certificateAuthoritySecretDAL,
     projectDAL,
     kmsService,
-    permissionService
-  });
-
-  const certificateAuthorityQueue = certificateAuthorityQueueFactory({
-    certificateAuthorityCrlDAL,
-    certificateAuthorityDAL,
-    certificateAuthoritySecretDAL,
-    certificateDAL,
-    projectDAL,
-    kmsService,
-    queueService
+    permissionService,
+    pkiCollectionDAL,
+    pkiCollectionItemDAL
   });
 
   const sshCertificateAuthorityService = sshCertificateAuthorityServiceFactory({
@@ -901,23 +913,6 @@ export const registerRoutes = async (
     groupDAL
   });
 
-  const certificateAuthorityService = certificateAuthorityServiceFactory({
-    certificateAuthorityDAL,
-    certificateAuthorityCertDAL,
-    certificateAuthoritySecretDAL,
-    certificateAuthorityCrlDAL,
-    certificateTemplateDAL,
-    certificateAuthorityQueue,
-    certificateDAL,
-    certificateBodyDAL,
-    certificateSecretDAL,
-    pkiCollectionDAL,
-    pkiCollectionItemDAL,
-    projectDAL,
-    kmsService,
-    permissionService
-  });
-
   const certificateAuthorityCrlService = certificateAuthorityCrlServiceFactory({
     certificateAuthorityDAL,
     certificateAuthorityCrlDAL,
@@ -937,17 +932,6 @@ export const registerRoutes = async (
     licenseService
   });
 
-  const certificateEstService = certificateEstServiceFactory({
-    certificateAuthorityService,
-    certificateTemplateService,
-    certificateTemplateDAL,
-    certificateAuthorityCertDAL,
-    certificateAuthorityDAL,
-    projectDAL,
-    kmsService,
-    licenseService
-  });
-
   const pkiAlertService = pkiAlertServiceFactory({
     pkiAlertDAL,
     pkiCollectionDAL,
@@ -965,20 +949,6 @@ export const registerRoutes = async (
     projectDAL
   });
 
-  const pkiSubscriberService = pkiSubscriberServiceFactory({
-    pkiSubscriberDAL,
-    certificateAuthorityDAL,
-    certificateAuthorityCertDAL,
-    certificateAuthoritySecretDAL,
-    certificateAuthorityCrlDAL,
-    certificateDAL,
-    certificateBodyDAL,
-    certificateSecretDAL,
-    projectDAL,
-    kmsService,
-    permissionService
-  });
-
   const projectTemplateService = projectTemplateServiceFactory({
     licenseService,
     permissionService,
@@ -1261,6 +1231,7 @@ export const registerRoutes = async (
   const accessApprovalPolicyService = accessApprovalPolicyServiceFactory({
     accessApprovalPolicyDAL,
     accessApprovalPolicyApproverDAL,
+    accessApprovalPolicyBypasserDAL,
     groupDAL,
     permissionService,
     projectEnvDAL,
@@ -1269,7 +1240,8 @@ export const registerRoutes = async (
     userDAL,
     accessApprovalRequestDAL,
     additionalPrivilegeDAL: projectUserAdditionalPrivilegeDAL,
-    accessApprovalRequestReviewerDAL
+    accessApprovalRequestReviewerDAL,
+    orgMembershipDAL
   });
 
   const accessApprovalRequestService = accessApprovalRequestServiceFactory({
@@ -1648,6 +1620,52 @@ export const registerRoutes = async (
     licenseService
   });
 
+  const certificateAuthorityQueue = certificateAuthorityQueueFactory({
+    certificateAuthorityCrlDAL,
+    certificateAuthorityDAL,
+    certificateAuthoritySecretDAL,
+    certificateDAL,
+    projectDAL,
+    kmsService,
+    queueService,
+    pkiSubscriberDAL,
+    certificateBodyDAL,
+    certificateSecretDAL,
+    externalCertificateAuthorityDAL,
+    keyStore,
+    appConnectionDAL,
+    appConnectionService
+  });
+
+  const internalCertificateAuthorityService = internalCertificateAuthorityServiceFactory({
+    certificateAuthorityDAL,
+    certificateAuthorityCertDAL,
+    certificateAuthoritySecretDAL,
+    certificateAuthorityCrlDAL,
+    certificateTemplateDAL,
+    certificateAuthorityQueue,
+    certificateDAL,
+    certificateBodyDAL,
+    certificateSecretDAL,
+    pkiCollectionDAL,
+    pkiCollectionItemDAL,
+    projectDAL,
+    internalCertificateAuthorityDAL,
+    kmsService,
+    permissionService
+  });
+
+  const certificateEstService = certificateEstServiceFactory({
+    internalCertificateAuthorityService,
+    certificateTemplateService,
+    certificateTemplateDAL,
+    certificateAuthorityCertDAL,
+    certificateAuthorityDAL,
+    projectDAL,
+    kmsService,
+    licenseService
+  });
+
   const kmipService = kmipServiceFactory({
     kmipClientDAL,
     permissionService,
@@ -1687,6 +1705,74 @@ export const registerRoutes = async (
     appConnectionDAL
   });
 
+  const certificateAuthorityService = certificateAuthorityServiceFactory({
+    certificateAuthorityDAL,
+    projectDAL,
+    permissionService,
+    appConnectionDAL,
+    appConnectionService,
+    externalCertificateAuthorityDAL,
+    internalCertificateAuthorityService,
+    certificateDAL,
+    certificateBodyDAL,
+    certificateSecretDAL,
+    kmsService,
+    pkiSubscriberDAL
+  });
+
+  const internalCaFns = InternalCertificateAuthorityFns({
+    certificateAuthorityDAL,
+    certificateAuthorityCertDAL,
+    certificateAuthoritySecretDAL,
+    certificateAuthorityCrlDAL,
+    certificateDAL,
+    certificateBodyDAL,
+    certificateSecretDAL,
+    projectDAL,
+    kmsService
+  });
+
+  const pkiSubscriberQueue = pkiSubscriberQueueServiceFactory({
+    queueService,
+    pkiSubscriberDAL,
+    certificateAuthorityDAL,
+    certificateAuthorityQueue,
+    certificateDAL,
+    auditLogService,
+    internalCaFns
+  });
+
+  const pkiSubscriberService = pkiSubscriberServiceFactory({
+    pkiSubscriberDAL,
+    certificateAuthorityDAL,
+    certificateAuthorityCertDAL,
+    certificateAuthoritySecretDAL,
+    certificateAuthorityCrlDAL,
+    certificateDAL,
+    certificateBodyDAL,
+    certificateSecretDAL,
+    projectDAL,
+    kmsService,
+    permissionService,
+    certificateAuthorityQueue,
+    internalCaFns
+  });
+
+  const pkiTemplateService = pkiTemplatesServiceFactory({
+    pkiTemplatesDAL,
+    certificateAuthorityDAL,
+    certificateAuthorityCertDAL,
+    certificateAuthoritySecretDAL,
+    certificateAuthorityCrlDAL,
+    certificateDAL,
+    certificateBodyDAL,
+    certificateSecretDAL,
+    projectDAL,
+    kmsService,
+    permissionService,
+    internalCaFns
+  });
+
   await secretRotationV2QueueServiceFactory({
     secretRotationV2Service,
     secretRotationV2DAL,
@@ -1707,6 +1793,7 @@ export const registerRoutes = async (
   await telemetryQueue.startTelemetryCheck();
   await dailyResourceCleanUp.startCleanUp();
   await dailyExpiringPkiItemAlert.startSendingAlerts();
+  await pkiSubscriberQueue.startDailyAutoRenewalJob();
   await kmsService.startService();
   await microsoftTeamsService.start();
 
@@ -1772,12 +1859,14 @@ export const registerRoutes = async (
     sshHost: sshHostService,
     sshHostGroup: sshHostGroupService,
     certificateAuthority: certificateAuthorityService,
+    internalCertificateAuthority: internalCertificateAuthorityService,
     certificateTemplate: certificateTemplateService,
     certificateAuthorityCrl: certificateAuthorityCrlService,
     certificateEst: certificateEstService,
     pkiAlert: pkiAlertService,
     pkiCollection: pkiCollectionService,
     pkiSubscriber: pkiSubscriberService,
+    pkiTemplate: pkiTemplateService,
     secretScanning: secretScanningService,
     license: licenseService,
     trustedIp: trustedIpService,

backend/src/server/routes/sanitizedSchemas.ts

@@ -1,9 +1,11 @@
 import { z } from "zod";
 
 import {
+  CertificateAuthoritiesSchema,
   DynamicSecretsSchema,
   IdentityProjectAdditionalPrivilegeSchema,
   IntegrationAuthsSchema,
+  InternalCertificateAuthoritiesSchema,
   ProjectRolesSchema,
   ProjectsSchema,
   SecretApprovalPoliciesSchema,
@@ -272,3 +274,15 @@ export const SanitizedTagSchema = SecretTagsSchema.pick({
 }).extend({
   name: z.string()
 });
+
+export const InternalCertificateAuthorityResponseSchema = CertificateAuthoritiesSchema.merge(
+  InternalCertificateAuthoritiesSchema.omit({
+    caId: true,
+    notAfter: true,
+    notBefore: true
+  })
+).extend({
+  requireTemplateForIssuance: z.boolean().optional(),
+  notAfter: z.string().optional(),
+  notBefore: z.string().optional()
+});

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -43,6 +43,7 @@ import {
 } from "@app/services/app-connection/humanitec";
 import { LdapConnectionListItemSchema, SanitizedLdapConnectionSchema } from "@app/services/app-connection/ldap";
 import { MsSqlConnectionListItemSchema, SanitizedMsSqlConnectionSchema } from "@app/services/app-connection/mssql";
+import { MySqlConnectionListItemSchema, SanitizedMySqlConnectionSchema } from "@app/services/app-connection/mysql";
 import {
   PostgresConnectionListItemSchema,
   SanitizedPostgresConnectionSchema
@@ -75,6 +76,7 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedVercelConnectionSchema.options,
   ...SanitizedPostgresConnectionSchema.options,
   ...SanitizedMsSqlConnectionSchema.options,
+  ...SanitizedMySqlConnectionSchema.options,
   ...SanitizedCamundaConnectionSchema.options,
   ...SanitizedAuth0ConnectionSchema.options,
   ...SanitizedHCVaultConnectionSchema.options,
@@ -98,6 +100,7 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   VercelConnectionListItemSchema,
   PostgresConnectionListItemSchema,
   MsSqlConnectionListItemSchema,
+  MySqlConnectionListItemSchema,
   CamundaConnectionListItemSchema,
   Auth0ConnectionListItemSchema,
   HCVaultConnectionListItemSchema,

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -15,6 +15,7 @@ import { registerHCVaultConnectionRouter } from "./hc-vault-connection-router";
 import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";
 import { registerLdapConnectionRouter } from "./ldap-connection-router";
 import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
+import { registerMySqlConnectionRouter } from "./mysql-connection-router";
 import { registerPostgresConnectionRouter } from "./postgres-connection-router";
 import { registerTeamCityConnectionRouter } from "./teamcity-connection-router";
 import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
@@ -37,6 +38,7 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.Vercel]: registerVercelConnectionRouter,
     [AppConnection.Postgres]: registerPostgresConnectionRouter,
     [AppConnection.MsSql]: registerMsSqlConnectionRouter,
+    [AppConnection.MySql]: registerMySqlConnectionRouter,
     [AppConnection.Camunda]: registerCamundaConnectionRouter,
     [AppConnection.Windmill]: registerWindmillConnectionRouter,
     [AppConnection.Auth0]: registerAuth0ConnectionRouter,

backend/src/server/routes/v1/app-connection-routers/mysql-connection-router.ts

@@ -0,0 +1,18 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateMySqlConnectionSchema,
+  SanitizedMySqlConnectionSchema,
+  UpdateMySqlConnectionSchema
+} from "@app/services/app-connection/mysql";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerMySqlConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.MySql,
+    server,
+    sanitizedResponseSchema: SanitizedMySqlConnectionSchema,
+    createSchema: CreateMySqlConnectionSchema,
+    updateSchema: UpdateMySqlConnectionSchema
+  });
+};

backend/src/server/routes/v1/certificate-authority-router.ts

@@ -1,7 +1,7 @@
 /* eslint-disable @typescript-eslint/no-floating-promises */
 import { z } from "zod";
 
-import { CertificateAuthoritiesSchema, CertificateTemplatesSchema } from "@app/db/schemas";
+import { CertificateTemplatesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags, CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
@@ -10,13 +10,19 @@ import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
-import { CaRenewalType, CaStatus, CaType } from "@app/services/certificate-authority/certificate-authority-types";
+import {
+  CaRenewalType,
+  CaStatus,
+  InternalCaType
+} from "@app/services/certificate-authority/certificate-authority-enums";
 import {
   validateAltNamesField,
   validateCaDateField
 } from "@app/services/certificate-authority/certificate-authority-validators";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
+import { InternalCertificateAuthorityResponseSchema } from "../sanitizedSchemas";
+
 export const registerCaRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
@@ -32,7 +38,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       body: z
         .object({
           projectSlug: z.string().trim().describe(CERTIFICATE_AUTHORITIES.CREATE.projectSlug),
-          type: z.nativeEnum(CaType).describe(CERTIFICATE_AUTHORITIES.CREATE.type),
+          type: z.nativeEnum(InternalCaType).describe(CERTIFICATE_AUTHORITIES.CREATE.type),
           friendlyName: z.string().optional().describe(CERTIFICATE_AUTHORITIES.CREATE.friendlyName),
           commonName: z.string().trim().describe(CERTIFICATE_AUTHORITIES.CREATE.commonName),
           organization: z.string().trim().describe(CERTIFICATE_AUTHORITIES.CREATE.organization),
@@ -68,16 +74,18 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         ),
       response: {
         200: z.object({
-          ca: CertificateAuthoritiesSchema
+          ca: InternalCertificateAuthorityResponseSchema
         })
       }
     },
     handler: async (req) => {
-      const ca = await server.services.certificateAuthority.createCa({
+      const ca = await server.services.internalCertificateAuthority.createCa({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
+        isInternal: false,
         actorOrgId: req.permission.orgId,
+        enableDirectIssuance: !req.body.requireTemplateForIssuance,
         ...req.body
       });
 
@@ -87,6 +95,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         event: {
           type: EventType.CREATE_CA,
           metadata: {
+            name: ca.name,
             caId: ca.id,
             dn: ca.dn
           }
@@ -115,12 +124,12 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          ca: CertificateAuthoritiesSchema
+          ca: InternalCertificateAuthorityResponseSchema
         })
       }
     },
     handler: async (req) => {
-      const ca = await server.services.certificateAuthority.getCaById({
+      const ca = await server.services.internalCertificateAuthority.getCaById({
         caId: req.params.caId,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -135,6 +144,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
           type: EventType.GET_CA,
           metadata: {
             caId: ca.id,
+            name: ca.name,
             dn: ca.dn
           }
         }
@@ -167,7 +177,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req, res) => {
-      const caCert = await server.services.certificateAuthority.getCaCertById(req.params);
+      const caCert = await server.services.internalCertificateAuthority.getCaCertById(req.params);
 
       res.header("Content-Type", "application/pkix-cert");
 
@@ -198,17 +208,19 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          ca: CertificateAuthoritiesSchema
+          ca: InternalCertificateAuthorityResponseSchema
         })
       }
     },
     handler: async (req) => {
-      const ca = await server.services.certificateAuthority.updateCaById({
+      const ca = await server.services.internalCertificateAuthority.updateCaById({
         caId: req.params.caId,
         actor: req.permission.type,
         actorId: req.permission.id,
+        isInternal: false,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
+        enableDirectIssuance: !req.body.requireTemplateForIssuance,
         ...req.body
       });
 
@@ -220,6 +232,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
           metadata: {
             caId: ca.id,
             dn: ca.dn,
+            name: ca.name,
             status: ca.status as CaStatus
           }
         }
@@ -247,12 +260,12 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          ca: CertificateAuthoritiesSchema
+          ca: InternalCertificateAuthorityResponseSchema
         })
       }
     },
     handler: async (req) => {
-      const ca = await server.services.certificateAuthority.deleteCaById({
+      const ca = await server.services.internalCertificateAuthority.deleteCaById({
         caId: req.params.caId,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -266,6 +279,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         event: {
           type: EventType.DELETE_CA,
           metadata: {
+            name: ca.name,
             caId: ca.id,
             dn: ca.dn
           }
@@ -299,7 +313,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { ca, csr } = await server.services.certificateAuthority.getCaCsr({
+      const { ca, csr } = await server.services.internalCertificateAuthority.getCaCsr({
         caId: req.params.caId,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -353,7 +367,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const { certificate, certificateChain, serialNumber, ca } =
-        await server.services.certificateAuthority.renewCaCert({
+        await server.services.internalCertificateAuthority.renewCaCert({
           caId: req.params.caId,
           actor: req.permission.type,
           actorId: req.permission.id,
@@ -408,7 +422,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { caCerts, ca } = await server.services.certificateAuthority.getCaCerts({
+      const { caCerts, ca } = await server.services.internalCertificateAuthority.getCaCerts({
         caId: req.params.caId,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -455,13 +469,14 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { certificate, certificateChain, serialNumber, ca } = await server.services.certificateAuthority.getCaCert({
-        caId: req.params.caId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
+      const { certificate, certificateChain, serialNumber, ca } =
+        await server.services.internalCertificateAuthority.getCaCert({
+          caId: req.params.caId,
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId
+        });
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
@@ -517,7 +532,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca } =
-        await server.services.certificateAuthority.signIntermediate({
+        await server.services.internalCertificateAuthority.signIntermediate({
           caId: req.params.caId,
           actor: req.permission.type,
           actorId: req.permission.id,
@@ -574,7 +589,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { ca } = await server.services.certificateAuthority.importCertToCa({
+      const { ca } = await server.services.internalCertificateAuthority.importCertToCa({
         caId: req.params.caId,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -653,7 +668,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const { certificate, certificateChain, issuingCaCertificate, privateKey, serialNumber, ca } =
-        await server.services.certificateAuthority.issueCertFromCa({
+        await server.services.internalCertificateAuthority.issueCertFromCa({
           caId: req.params.caId,
           actor: req.permission.type,
           actorId: req.permission.id,
@@ -746,7 +761,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca, commonName } =
-        await server.services.certificateAuthority.signCertFromCa({
+        await server.services.internalCertificateAuthority.signCertFromCa({
           isInternal: false,
           caId: req.params.caId,
           actor: req.permission.type,
@@ -809,13 +824,15 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { certificateTemplates, ca } = await server.services.certificateAuthority.getCaCertificateTemplates({
-        caId: req.params.caId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
+      const { certificateTemplates, ca } = await server.services.internalCertificateAuthority.getCaCertificateTemplates(
+        {
+          caId: req.params.caId,
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId
+        }
+      );
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,

backend/src/server/routes/v1/certificate-authority-routers/acme-certificate-authority-router.ts

@@ -0,0 +1,18 @@
+import {
+  AcmeCertificateAuthoritySchema,
+  CreateAcmeCertificateAuthoritySchema,
+  UpdateAcmeCertificateAuthoritySchema
+} from "@app/services/certificate-authority/acme/acme-certificate-authority-schemas";
+import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
+
+import { registerCertificateAuthorityEndpoints } from "./certificate-authority-endpoints";
+
+export const registerAcmeCertificateAuthorityRouter = async (server: FastifyZodProvider) => {
+  registerCertificateAuthorityEndpoints({
+    caType: CaType.ACME,
+    server,
+    responseSchema: AcmeCertificateAuthoritySchema,
+    createSchema: CreateAcmeCertificateAuthoritySchema,
+    updateSchema: UpdateAcmeCertificateAuthoritySchema
+  });
+};

backend/src/server/routes/v1/certificate-authority-routers/certificate-authority-endpoints.ts

@@ -0,0 +1,258 @@
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { ApiDocsTags } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { CaStatus, CaType } from "@app/services/certificate-authority/certificate-authority-enums";
+import {
+  TCertificateAuthority,
+  TCertificateAuthorityInput
+} from "@app/services/certificate-authority/certificate-authority-types";
+
+export const registerCertificateAuthorityEndpoints = <
+  T extends TCertificateAuthority,
+  I extends TCertificateAuthorityInput
+>({
+  server,
+  caType,
+  createSchema,
+  updateSchema,
+  responseSchema
+}: {
+  caType: CaType;
+  server: FastifyZodProvider;
+  createSchema: z.ZodType<{
+    name: string;
+    projectId: string;
+    status: CaStatus;
+    configuration: I["configuration"];
+    enableDirectIssuance: boolean;
+  }>;
+  updateSchema: z.ZodType<{
+    projectId: string;
+    name?: string;
+    status?: CaStatus;
+    configuration?: I["configuration"];
+    enableDirectIssuance?: boolean;
+  }>;
+  responseSchema: z.ZodTypeAny;
+}) => {
+  server.route({
+    method: "GET",
+    url: `/`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
+      querystring: z.object({
+        projectId: z.string().trim().min(1, "Project ID required")
+      }),
+      response: {
+        200: responseSchema.array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        query: { projectId }
+      } = req;
+
+      const certificateAuthorities = (await server.services.certificateAuthority.listCertificateAuthoritiesByProjectId(
+        { projectId, type: caType },
+        req.permission
+      )) as T[];
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.GET_CAS,
+          metadata: {
+            caIds: certificateAuthorities.map((ca) => ca.id)
+          }
+        }
+      });
+
+      return certificateAuthorities;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:caName",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
+      params: z.object({
+        caName: z.string()
+      }),
+      querystring: z.object({
+        projectId: z.string().uuid()
+      }),
+      response: {
+        200: responseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { caName } = req.params;
+      const { projectId } = req.query;
+
+      const certificateAuthority =
+        (await server.services.certificateAuthority.findCertificateAuthorityByNameAndProjectId(
+          { caName, type: caType, projectId },
+          req.permission
+        )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: certificateAuthority.projectId,
+        event: {
+          type: EventType.GET_CA,
+          metadata: {
+            caId: certificateAuthority.id,
+            name: certificateAuthority.name
+          }
+        }
+      });
+
+      return certificateAuthority;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
+      body: createSchema,
+      response: {
+        200: responseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const certificateAuthority = (await server.services.certificateAuthority.createCertificateAuthority(
+        { ...req.body, type: caType },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: certificateAuthority.projectId,
+        event: {
+          type: EventType.CREATE_CA,
+          metadata: {
+            name: certificateAuthority.name,
+            caId: certificateAuthority.id
+          }
+        }
+      });
+
+      return certificateAuthority;
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:caName",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
+      params: z.object({
+        caName: z.string()
+      }),
+      body: updateSchema,
+      response: {
+        200: responseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { caName } = req.params;
+
+      const certificateAuthority = (await server.services.certificateAuthority.updateCertificateAuthority(
+        {
+          ...req.body,
+          type: caType,
+          caName
+        },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: certificateAuthority.projectId,
+        event: {
+          type: EventType.UPDATE_CA,
+          metadata: {
+            name: certificateAuthority.name,
+            caId: certificateAuthority.id,
+            status: certificateAuthority.status
+          }
+        }
+      });
+
+      return certificateAuthority;
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:caName",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
+      params: z.object({
+        caName: z.string()
+      }),
+      body: z.object({
+        projectId: z.string().uuid()
+      }),
+      response: {
+        200: responseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { caName } = req.params;
+      const { projectId } = req.body;
+
+      const certificateAuthority = (await server.services.certificateAuthority.deleteCertificateAuthority(
+        { caName, type: caType, projectId },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: certificateAuthority.projectId,
+        event: {
+          type: EventType.DELETE_CA,
+          metadata: {
+            name: certificateAuthority.name,
+            caId: certificateAuthority.id
+          }
+        }
+      });
+
+      return certificateAuthority;
+    }
+  });
+};

backend/src/server/routes/v1/certificate-authority-routers/index.ts

@@ -0,0 +1,12 @@
+import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
+
+import { registerAcmeCertificateAuthorityRouter } from "./acme-certificate-authority-router";
+import { registerInternalCertificateAuthorityRouter } from "./internal-certificate-authority-router";
+
+export * from "./internal-certificate-authority-router";
+
+export const CERTIFICATE_AUTHORITY_REGISTER_ROUTER_MAP: Record<CaType, (server: FastifyZodProvider) => Promise<void>> =
+  {
+    [CaType.INTERNAL]: registerInternalCertificateAuthorityRouter,
+    [CaType.ACME]: registerAcmeCertificateAuthorityRouter
+  };

backend/src/server/routes/v1/certificate-authority-routers/internal-certificate-authority-router.ts

@@ -0,0 +1,18 @@
+import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
+import {
+  CreateInternalCertificateAuthoritySchema,
+  InternalCertificateAuthoritySchema,
+  UpdateInternalCertificateAuthoritySchema
+} from "@app/services/certificate-authority/internal/internal-certificate-authority-schemas";
+
+import { registerCertificateAuthorityEndpoints } from "./certificate-authority-endpoints";
+
+export const registerInternalCertificateAuthorityRouter = async (server: FastifyZodProvider) => {
+  registerCertificateAuthorityEndpoints({
+    caType: CaType.INTERNAL,
+    server,
+    responseSchema: InternalCertificateAuthoritySchema,
+    createSchema: CreateInternalCertificateAuthoritySchema,
+    updateSchema: UpdateInternalCertificateAuthoritySchema
+  });
+};

backend/src/server/routes/v1/certificate-router.ts

@@ -39,7 +39,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { cert, ca } = await server.services.certificate.getCert({
+      const { cert } = await server.services.certificate.getCert({
         serialNumber: req.params.serialNumber,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -49,7 +49,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        projectId: ca.projectId,
+        projectId: cert.projectId,
         event: {
           type: EventType.GET_CERT,
           metadata: {
@@ -86,7 +86,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req, reply) => {
-      const { ca, cert, certPrivateKey } = await server.services.certificate.getCertPrivateKey({
+      const { cert, certPrivateKey } = await server.services.certificate.getCertPrivateKey({
         serialNumber: req.params.serialNumber,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -96,7 +96,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        projectId: ca.projectId,
+        projectId: cert.projectId,
         event: {
           type: EventType.GET_CERT_PRIVATE_KEY,
           metadata: {
@@ -138,7 +138,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req, reply) => {
-      const { certificate, certificateChain, serialNumber, cert, ca, privateKey } =
+      const { certificate, certificateChain, serialNumber, cert, privateKey } =
         await server.services.certificate.getCertBundle({
           serialNumber: req.params.serialNumber,
           actor: req.permission.type,
@@ -149,7 +149,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        projectId: ca.projectId,
+        projectId: cert.projectId,
         event: {
           type: EventType.GET_CERT_BUNDLE,
           metadata: {
@@ -242,7 +242,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const { certificate, certificateChain, issuingCaCertificate, privateKey, serialNumber, ca } =
-        await server.services.certificateAuthority.issueCertFromCa({
+        await server.services.internalCertificateAuthority.issueCertFromCa({
           actor: req.permission.type,
           actorId: req.permission.id,
           actorAuthMethod: req.permission.authMethod,
@@ -284,6 +284,68 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "POST",
+    url: "/import-certificate",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificates],
+      description: "Import certificate",
+      body: z.object({
+        projectSlug: z.string().trim().min(1).describe(CERTIFICATES.IMPORT.projectSlug),
+
+        certificatePem: z.string().trim().min(1).describe(CERTIFICATES.IMPORT.certificatePem),
+        privateKeyPem: z.string().trim().min(1).describe(CERTIFICATES.IMPORT.privateKeyPem),
+        chainPem: z.string().trim().min(1).describe(CERTIFICATES.IMPORT.chainPem),
+
+        friendlyName: z.string().trim().optional().describe(CERTIFICATES.IMPORT.friendlyName),
+        pkiCollectionId: z.string().trim().optional().describe(CERTIFICATES.IMPORT.pkiCollectionId)
+      }),
+      response: {
+        200: z.object({
+          certificate: z.string().trim().describe(CERTIFICATES.IMPORT.certificate),
+          certificateChain: z.string().trim().describe(CERTIFICATES.IMPORT.certificateChain),
+          privateKey: z.string().trim().describe(CERTIFICATES.IMPORT.privateKey),
+          serialNumber: z.string().trim().describe(CERTIFICATES.IMPORT.serialNumber)
+        })
+      }
+    },
+    handler: async (req) => {
+      const { certificate, certificateChain, privateKey, serialNumber, cert } =
+        await server.services.certificate.importCert({
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          ...req.body
+        });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: cert.projectId,
+        event: {
+          type: EventType.IMPORT_CERT,
+          metadata: {
+            certId: cert.id,
+            cn: cert.commonName,
+            serialNumber
+          }
+        }
+      });
+
+      return {
+        certificate,
+        certificateChain,
+        privateKey,
+        serialNumber
+      };
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/sign-certificate",
@@ -355,7 +417,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca, commonName } =
-        await server.services.certificateAuthority.signCertFromCa({
+        await server.services.internalCertificateAuthority.signCertFromCa({
           isInternal: false,
           actor: req.permission.type,
           actorId: req.permission.id,
@@ -474,7 +536,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { deletedCert, ca } = await server.services.certificate.deleteCert({
+      const { deletedCert } = await server.services.certificate.deleteCert({
         serialNumber: req.params.serialNumber,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -484,7 +546,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        projectId: ca.projectId,
+        projectId: deletedCert.projectId,
         event: {
           type: EventType.DELETE_CERT,
           metadata: {
@@ -524,7 +586,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { certificate, certificateChain, serialNumber, cert, ca } = await server.services.certificate.getCertBody({
+      const { certificate, certificateChain, serialNumber, cert } = await server.services.certificate.getCertBody({
         serialNumber: req.params.serialNumber,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -534,7 +596,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        projectId: ca.projectId,
+        projectId: cert.projectId,
         event: {
           type: EventType.GET_CERT_BODY,
           metadata: {

backend/src/server/routes/v1/certificate-template-router.ts

@@ -5,6 +5,7 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags, CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertExtendedKeyUsage, CertKeyUsage } from "@app/services/certificate/certificate-types";
@@ -72,7 +73,7 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
       body: z.object({
         caId: z.string().describe(CERTIFICATE_TEMPLATES.CREATE.caId),
         pkiCollectionId: z.string().optional().describe(CERTIFICATE_TEMPLATES.CREATE.pkiCollectionId),
-        name: z.string().min(1).describe(CERTIFICATE_TEMPLATES.CREATE.name),
+        name: slugSchema().describe(CERTIFICATE_TEMPLATES.CREATE.name),
         commonName: validateTemplateRegexField.describe(CERTIFICATE_TEMPLATES.CREATE.commonName),
         subjectAlternativeName: validateTemplateRegexField.describe(
           CERTIFICATE_TEMPLATES.CREATE.subjectAlternativeName
@@ -141,7 +142,7 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
       body: z.object({
         caId: z.string().optional().describe(CERTIFICATE_TEMPLATES.UPDATE.caId),
         pkiCollectionId: z.string().optional().describe(CERTIFICATE_TEMPLATES.UPDATE.pkiCollectionId),
-        name: z.string().min(1).optional().describe(CERTIFICATE_TEMPLATES.UPDATE.name),
+        name: slugSchema().optional().describe(CERTIFICATE_TEMPLATES.UPDATE.name),
         commonName: validateTemplateRegexField.optional().describe(CERTIFICATE_TEMPLATES.UPDATE.commonName),
         subjectAlternativeName: validateTemplateRegexField
           .optional()

backend/src/server/routes/v1/identity-universal-auth-router.ts

@@ -47,8 +47,15 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { identityUa, accessToken, identityAccessToken, validClientSecretInfo, identityMembershipOrg } =
-        await server.services.identityUa.login(req.body.clientId, req.body.clientSecret, req.realIp);
+      const {
+        identityUa,
+        accessToken,
+        identityAccessToken,
+        validClientSecretInfo,
+        identityMembershipOrg,
+        accessTokenTTL,
+        accessTokenMaxTTL
+      } = await server.services.identityUa.login(req.body.clientId, req.body.clientSecret, req.realIp);
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
@@ -63,11 +70,12 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
           }
         }
       });
+
       return {
         accessToken,
         tokenType: "Bearer" as const,
-        expiresIn: identityUa.accessTokenTTL,
-        accessTokenMaxTTL: identityUa.accessTokenMaxTTL
+        expiresIn: accessTokenTTL,
+        accessTokenMaxTTL
       };
     }
   });
@@ -128,7 +136,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
             .int()
             .min(0)
             .default(0)
-            .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit)
+            .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit),
+          accessTokenPeriod: z.number().int().min(0).default(0).describe(UNIVERSAL_AUTH.ATTACH.accessTokenPeriod)
         })
         .refine(
           (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
@@ -227,7 +236,14 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
             .min(0)
             .max(315360000)
             .optional()
-            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL)
+            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL),
+          accessTokenPeriod: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .optional()
+            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenPeriod)
         })
         .refine(
           (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),