Merge branch 'main' into docs/update-net-sdk

backend/src/@types/fastify.d.ts

@@ -83,7 +83,6 @@ import { TOrgAdminServiceFactory } from "@app/services/org-admin/org-admin-servi
 import { TPkiAlertServiceFactory } from "@app/services/pki-alert/pki-alert-service";
 import { TPkiCollectionServiceFactory } from "@app/services/pki-collection/pki-collection-service";
 import { TPkiSubscriberServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-service";
-import { TPkiTemplatesServiceFactory } from "@app/services/pki-templates/pki-templates-service";
 import { TProjectServiceFactory } from "@app/services/project/project-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
@@ -272,7 +271,6 @@ declare module "fastify" {
       assumePrivileges: TAssumePrivilegeServiceFactory;
       githubOrgSync: TGithubOrgSyncServiceFactory;
       internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
-      pkiTemplate: TPkiTemplatesServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -6,9 +6,6 @@ import {
   TAccessApprovalPoliciesApprovers,
   TAccessApprovalPoliciesApproversInsert,
   TAccessApprovalPoliciesApproversUpdate,
-  TAccessApprovalPoliciesBypassers,
-  TAccessApprovalPoliciesBypassersInsert,
-  TAccessApprovalPoliciesBypassersUpdate,
   TAccessApprovalPoliciesInsert,
   TAccessApprovalPoliciesUpdate,
   TAccessApprovalRequests,
@@ -279,9 +276,6 @@ import {
   TSecretApprovalPoliciesApprovers,
   TSecretApprovalPoliciesApproversInsert,
   TSecretApprovalPoliciesApproversUpdate,
-  TSecretApprovalPoliciesBypassers,
-  TSecretApprovalPoliciesBypassersInsert,
-  TSecretApprovalPoliciesBypassersUpdate,
   TSecretApprovalPoliciesInsert,
   TSecretApprovalPoliciesUpdate,
   TSecretApprovalRequests,
@@ -826,12 +820,6 @@ declare module "knex/types/tables" {
       TAccessApprovalPoliciesApproversUpdate
     >;
 
-    [TableName.AccessApprovalPolicyBypasser]: KnexOriginal.CompositeTableType<
-      TAccessApprovalPoliciesBypassers,
-      TAccessApprovalPoliciesBypassersInsert,
-      TAccessApprovalPoliciesBypassersUpdate
-    >;
-
     [TableName.AccessApprovalRequest]: KnexOriginal.CompositeTableType<
       TAccessApprovalRequests,
       TAccessApprovalRequestsInsert,
@@ -855,11 +843,6 @@ declare module "knex/types/tables" {
       TSecretApprovalPoliciesApproversInsert,
       TSecretApprovalPoliciesApproversUpdate
     >;
-    [TableName.SecretApprovalPolicyBypasser]: KnexOriginal.CompositeTableType<
-      TSecretApprovalPoliciesBypassers,
-      TSecretApprovalPoliciesBypassersInsert,
-      TSecretApprovalPoliciesBypassersUpdate
-    >;
     [TableName.SecretApprovalRequest]: KnexOriginal.CompositeTableType<
       TSecretApprovalRequests,
       TSecretApprovalRequestsInsert,

backend/src/db/migrations/20250527030702_policy-bypassers.ts

@@ -1,48 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyBypasser))) {
-    await knex.schema.createTable(TableName.AccessApprovalPolicyBypasser, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("bypasserGroupId").nullable();
-      t.foreign("bypasserGroupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
-
-      t.uuid("bypasserUserId").nullable();
-      t.foreign("bypasserUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicyBypasser);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SecretApprovalPolicyBypasser))) {
-    await knex.schema.createTable(TableName.SecretApprovalPolicyBypasser, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("bypasserGroupId").nullable();
-      t.foreign("bypasserGroupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
-
-      t.uuid("bypasserUserId").nullable();
-      t.foreign("bypasserUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.SecretApprovalPolicy).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-    await createOnUpdateTrigger(knex, TableName.SecretApprovalPolicyBypasser);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretApprovalPolicyBypasser);
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicyBypasser);
-
-  await dropOnUpdateTrigger(knex, TableName.SecretApprovalPolicyBypasser);
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicyBypasser);
-}

backend/src/db/migrations/20250528145356_add-template-slug.ts

@@ -1,24 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasNameCol = await knex.schema.hasColumn(TableName.CertificateTemplate, "name");
-  if (hasNameCol) {
-    const templates = await knex(TableName.CertificateTemplate).select("id", "name");
-    await Promise.all(
-      templates.map((el) => {
-        const slugifiedName = el.name
-          ? slugify(`${el.name.slice(0, 16)}-${alphaNumericNanoId(8)}`)
-          : slugify(alphaNumericNanoId(12));
-
-        return knex(TableName.CertificateTemplate).where({ id: el.id }).update({ name: slugifiedName });
-      })
-    );
-  }
-}
-
-export async function down(): Promise<void> {}

backend/src/db/migrations/20250530152721_add-access-approval-request-deleted-at.ts

@@ -1,63 +0,0 @@
-import { Knex } from "knex";
-
-import { ApprovalStatus } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasPrivilegeDeletedAtColumn = await knex.schema.hasColumn(
-    TableName.AccessApprovalRequest,
-    "privilegeDeletedAt"
-  );
-  const hasStatusColumn = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "status");
-
-  if (!hasPrivilegeDeletedAtColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.timestamp("privilegeDeletedAt").nullable();
-    });
-  }
-
-  if (!hasStatusColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.string("status").defaultTo(ApprovalStatus.PENDING).notNullable();
-    });
-
-    // Update existing rows based on business logic
-    // If privilegeId is not null, set status to "approved"
-    await knex(TableName.AccessApprovalRequest).whereNotNull("privilegeId").update({ status: ApprovalStatus.APPROVED });
-
-    // If privilegeId is null and there's a rejected reviewer, set to "rejected"
-    const rejectedRequestIds = await knex(TableName.AccessApprovalRequestReviewer)
-      .select("requestId")
-      .where("status", "rejected")
-      .distinct()
-      .pluck("requestId");
-
-    if (rejectedRequestIds.length > 0) {
-      await knex(TableName.AccessApprovalRequest)
-        .whereNull("privilegeId")
-        .whereIn("id", rejectedRequestIds)
-        .update({ status: ApprovalStatus.REJECTED });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasPrivilegeDeletedAtColumn = await knex.schema.hasColumn(
-    TableName.AccessApprovalRequest,
-    "privilegeDeletedAt"
-  );
-  const hasStatusColumn = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "status");
-
-  if (hasPrivilegeDeletedAtColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.dropColumn("privilegeDeletedAt");
-    });
-  }
-
-  if (hasStatusColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.dropColumn("status");
-    });
-  }
-}

backend/src/db/schemas/access-approval-policies-bypassers.ts

@@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalPoliciesBypassersSchema = z.object({
-  id: z.string().uuid(),
-  bypasserGroupId: z.string().uuid().nullable().optional(),
-  bypasserUserId: z.string().uuid().nullable().optional(),
-  policyId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalPoliciesBypassers = z.infer<typeof AccessApprovalPoliciesBypassersSchema>;
-export type TAccessApprovalPoliciesBypassersInsert = Omit<
-  z.input<typeof AccessApprovalPoliciesBypassersSchema>,
-  TImmutableDBKeys
->;
-export type TAccessApprovalPoliciesBypassersUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalPoliciesBypassersSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/access-approval-requests.ts

@@ -18,9 +18,7 @@ export const AccessApprovalRequestsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   requestedByUserId: z.string().uuid(),
-  note: z.string().nullable().optional(),
-  privilegeDeletedAt: z.date().nullable().optional(),
-  status: z.string().default("pending")
+  note: z.string().nullable().optional()
 });
 
 export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;

backend/src/db/schemas/index.ts

@@ -1,6 +1,5 @@
 export * from "./access-approval-policies";
 export * from "./access-approval-policies-approvers";
-export * from "./access-approval-policies-bypassers";
 export * from "./access-approval-requests";
 export * from "./access-approval-requests-reviewers";
 export * from "./api-keys";
@@ -93,7 +92,6 @@ export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";
 export * from "./secret-approval-policies-approvers";
-export * from "./secret-approval-policies-bypassers";
 export * from "./secret-approval-request-secret-tags";
 export * from "./secret-approval-request-secret-tags-v2";
 export * from "./secret-approval-requests";

backend/src/db/schemas/models.ts

@@ -95,12 +95,10 @@ export enum TableName {
   ScimToken = "scim_tokens",
   AccessApprovalPolicy = "access_approval_policies",
   AccessApprovalPolicyApprover = "access_approval_policies_approvers",
-  AccessApprovalPolicyBypasser = "access_approval_policies_bypassers",
   AccessApprovalRequest = "access_approval_requests",
   AccessApprovalRequestReviewer = "access_approval_requests_reviewers",
   SecretApprovalPolicy = "secret_approval_policies",
   SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
-  SecretApprovalPolicyBypasser = "secret_approval_policies_bypassers",
   SecretApprovalRequest = "secret_approval_requests",
   SecretApprovalRequestReviewer = "secret_approval_requests_reviewers",
   SecretApprovalRequestSecret = "secret_approval_requests_secrets",

backend/src/db/schemas/secret-approval-policies-bypassers.ts

@@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretApprovalPoliciesBypassersSchema = z.object({
-  id: z.string().uuid(),
-  bypasserGroupId: z.string().uuid().nullable().optional(),
-  bypasserUserId: z.string().uuid().nullable().optional(),
-  policyId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TSecretApprovalPoliciesBypassers = z.infer<typeof SecretApprovalPoliciesBypassersSchema>;
-export type TSecretApprovalPoliciesBypassersInsert = Omit<
-  z.input<typeof SecretApprovalPoliciesBypassersSchema>,
-  TImmutableDBKeys
->;
-export type TSecretApprovalPoliciesBypassersUpdate = Partial<
-  Omit<z.input<typeof SecretApprovalPoliciesBypassersSchema>, TImmutableDBKeys>
->;

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -1,7 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";
 
-import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -24,19 +24,10 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
           ])
           .array()
-          .max(100, "Cannot have more than 100 approvers")
           .min(1, { message: "At least one approver should be provided" }),
-        bypassers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
-          ])
-          .array()
-          .max(100, "Cannot have more than 100 bypassers")
-          .optional(),
         approvals: z.number().min(1).default(1),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true)
@@ -81,8 +72,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
                 .object({ type: z.nativeEnum(ApproverType), id: z.string().nullable().optional() })
                 .array()
                 .nullable()
-                .optional(),
-              bypassers: z.object({ type: z.nativeEnum(BypasserType), id: z.string().nullable().optional() }).array()
+                .optional()
             })
             .array()
             .nullable()
@@ -153,19 +143,10 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
           ])
           .array()
-          .min(1, { message: "At least one approver should be provided" })
-          .max(100, "Cannot have more than 100 approvers"),
-        bypassers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
-          ])
-          .array()
-          .max(100, "Cannot have more than 100 bypassers")
-          .optional(),
+          .min(1, { message: "At least one approver should be provided" }),
         approvals: z.number().min(1).optional(),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true)
@@ -239,15 +220,6 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
               })
               .array()
               .nullable()
-              .optional(),
-            bypassers: z
-              .object({
-                type: z.nativeEnum(BypasserType),
-                id: z.string().nullable().optional(),
-                name: z.string().nullable().optional()
-              })
-              .array()
-              .nullable()
               .optional()
           })
         })

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -113,7 +113,6 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
               name: z.string(),
               approvals: z.number(),
               approvers: z.string().array(),
-              bypassers: z.string().array(),
               secretPath: z.string().nullish(),
               envId: z.string(),
               enforcementLevel: z.string(),

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -1,7 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";
 
-import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -30,19 +30,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
           ])
           .array()
-          .min(1, { message: "At least one approver should be provided" })
-          .max(100, "Cannot have more than 100 approvers"),
-        bypassers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
-          ])
-          .array()
-          .max(100, "Cannot have more than 100 bypassers")
-          .optional(),
+          .min(1, { message: "At least one approver should be provided" }),
         approvals: z.number().min(1).default(1),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true)
@@ -84,19 +75,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
           ])
           .array()
-          .min(1, { message: "At least one approver should be provided" })
-          .max(100, "Cannot have more than 100 approvers"),
-        bypassers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
-          ])
-          .array()
-          .max(100, "Cannot have more than 100 bypassers")
-          .optional(),
+          .min(1, { message: "At least one approver should be provided" }),
         approvals: z.number().min(1).default(1),
         secretPath: z
           .string()
@@ -175,12 +157,6 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
                   id: z.string().nullable().optional(),
                   type: z.nativeEnum(ApproverType)
                 })
-                .array(),
-              bypassers: z
-                .object({
-                  id: z.string().nullable().optional(),
-                  type: z.nativeEnum(BypasserType)
-                })
                 .array()
             })
             .array()
@@ -217,14 +193,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
               .object({
                 id: z.string().nullable().optional(),
                 type: z.nativeEnum(ApproverType),
-                username: z.string().nullable().optional()
-              })
-              .array(),
-            bypassers: z
-              .object({
-                id: z.string().nullable().optional(),
-                type: z.nativeEnum(BypasserType),
-                username: z.string().nullable().optional()
+                name: z.string().nullable().optional()
               })
               .array()
           })

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -47,11 +47,6 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                   userId: z.string().nullable().optional()
                 })
                 .array(),
-              bypassers: z
-                .object({
-                  userId: z.string().nullable().optional()
-                })
-                .array(),
               secretPath: z.string().optional().nullable(),
               enforcementLevel: z.string(),
               deletedAt: z.date().nullish(),
@@ -271,7 +266,6 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 name: z.string(),
                 approvals: z.number(),
                 approvers: approvalRequestUser.array(),
-                bypassers: approvalRequestUser.array(),
                 secretPath: z.string().optional().nullable(),
                 enforcementLevel: z.string(),
                 deletedAt: z.date().nullish(),

backend/src/ee/services/access-approval-policy/access-approval-policy-approver-dal.ts

@@ -8,10 +8,3 @@ export const accessApprovalPolicyApproverDALFactory = (db: TDbClient) => {
   const accessApprovalPolicyApproverOrm = ormify(db, TableName.AccessApprovalPolicyApprover);
   return { ...accessApprovalPolicyApproverOrm };
 };
-
-export type TAccessApprovalPolicyBypasserDALFactory = ReturnType<typeof accessApprovalPolicyBypasserDALFactory>;
-
-export const accessApprovalPolicyBypasserDALFactory = (db: TDbClient) => {
-  const accessApprovalPolicyBypasserOrm = ormify(db, TableName.AccessApprovalPolicyBypasser);
-  return { ...accessApprovalPolicyBypasserOrm };
-};

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -1,11 +1,11 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { AccessApprovalPoliciesSchema, TableName, TAccessApprovalPolicies, TUsers } from "@app/db/schemas";
+import { AccessApprovalPoliciesSchema, TableName, TAccessApprovalPolicies } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
 
-import { ApproverType, BypasserType } from "./access-approval-policy-types";
+import { ApproverType } from "./access-approval-policy-types";
 
 export type TAccessApprovalPolicyDALFactory = ReturnType<typeof accessApprovalPolicyDALFactory>;
 
@@ -34,22 +34,9 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
         `${TableName.AccessApprovalPolicyApprover}.policyId`
       )
       .leftJoin(TableName.Users, `${TableName.AccessApprovalPolicyApprover}.approverUserId`, `${TableName.Users}.id`)
-      .leftJoin(
-        TableName.AccessApprovalPolicyBypasser,
-        `${TableName.AccessApprovalPolicy}.id`,
-        `${TableName.AccessApprovalPolicyBypasser}.policyId`
-      )
-      .leftJoin<TUsers>(
-        db(TableName.Users).as("bypasserUsers"),
-        `${TableName.AccessApprovalPolicyBypasser}.bypasserUserId`,
-        `bypasserUsers.id`
-      )
       .select(tx.ref("username").withSchema(TableName.Users).as("approverUsername"))
-      .select(tx.ref("username").withSchema("bypasserUsers").as("bypasserUsername"))
       .select(tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
       .select(tx.ref("approverGroupId").withSchema(TableName.AccessApprovalPolicyApprover))
-      .select(tx.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser))
-      .select(tx.ref("bypasserGroupId").withSchema(TableName.AccessApprovalPolicyBypasser))
       .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
       .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
       .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
@@ -142,23 +129,6 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
               id,
               type: ApproverType.Group
             })
-          },
-          {
-            key: "bypasserUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserUserId: id, bypasserUsername }) => ({
-              id,
-              type: BypasserType.User,
-              name: bypasserUsername
-            })
-          },
-          {
-            key: "bypasserGroupId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserGroupId: id }) => ({
-              id,
-              type: BypasserType.Group
-            })
           }
         ]
       });
@@ -174,28 +144,5 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
     return softDeletedPolicy;
   };
 
-  const findLastValidPolicy = async ({ envId, secretPath }: { envId: string; secretPath: string }, tx?: Knex) => {
-    try {
-      const result = await (tx || db.replicaNode())(TableName.AccessApprovalPolicy)
-        .where(
-          // eslint-disable-next-line @typescript-eslint/no-misused-promises
-          buildFindFilter(
-            {
-              envId,
-              secretPath
-            },
-            TableName.AccessApprovalPolicy
-          )
-        )
-        .orderBy("deletedAt", "desc")
-        .orderByRaw(`"deletedAt" IS NULL`)
-        .first();
-
-      return result;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindLastValidPolicy" });
-    }
-  };
-
-  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById, findLastValidPolicy };
+  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById };
 };

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -2,9 +2,8 @@ import { ForbiddenError } from "@casl/ability";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
-import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
@@ -15,14 +14,10 @@ import { TAccessApprovalRequestReviewerDALFactory } from "../access-approval-req
 import { ApprovalStatus } from "../access-approval-request/access-approval-request-types";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
-import {
-  TAccessApprovalPolicyApproverDALFactory,
-  TAccessApprovalPolicyBypasserDALFactory
-} from "./access-approval-policy-approver-dal";
+import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
 import {
   ApproverType,
-  BypasserType,
   TCreateAccessApprovalPolicy,
   TDeleteAccessApprovalPolicy,
   TGetAccessApprovalPolicyByIdDTO,
@@ -37,14 +32,12 @@ type TAccessApprovalPolicyServiceFactoryDep = {
   accessApprovalPolicyDAL: TAccessApprovalPolicyDALFactory;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findOne">;
   accessApprovalPolicyApproverDAL: TAccessApprovalPolicyApproverDALFactory;
-  accessApprovalPolicyBypasserDAL: TAccessApprovalPolicyBypasserDALFactory;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
   groupDAL: TGroupDALFactory;
   userDAL: Pick<TUserDALFactory, "find">;
   accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "update" | "find">;
   additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
   accessApprovalRequestReviewerDAL: Pick<TAccessApprovalRequestReviewerDALFactory, "update">;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find">;
 };
 
 export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
@@ -52,7 +45,6 @@ export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprov
 export const accessApprovalPolicyServiceFactory = ({
   accessApprovalPolicyDAL,
   accessApprovalPolicyApproverDAL,
-  accessApprovalPolicyBypasserDAL,
   groupDAL,
   permissionService,
   projectEnvDAL,
@@ -60,8 +52,7 @@ export const accessApprovalPolicyServiceFactory = ({
   userDAL,
   accessApprovalRequestDAL,
   additionalPrivilegeDAL,
-  accessApprovalRequestReviewerDAL,
-  orgMembershipDAL
+  accessApprovalRequestReviewerDAL
 }: TAccessApprovalPolicyServiceFactoryDep) => {
   const createAccessApprovalPolicy = async ({
     name,
@@ -72,7 +63,6 @@ export const accessApprovalPolicyServiceFactory = ({
     actorAuthMethod,
     approvals,
     approvers,
-    bypassers,
     projectSlug,
     environment,
     enforcementLevel,
@@ -92,7 +82,7 @@ export const accessApprovalPolicyServiceFactory = ({
       .filter(Boolean) as string[];
 
     const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
       .filter(Boolean) as string[];
 
     if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
@@ -108,7 +98,7 @@ export const accessApprovalPolicyServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
+      ProjectPermissionApprovalActions.Create,
       ProjectPermissionSub.SecretApproval
     );
     const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
@@ -157,44 +147,6 @@ export const accessApprovalPolicyServiceFactory = ({
       .map((user) => user.id);
     verifyAllApprovers.push(...verifyGroupApprovers);
 
-    let groupBypassers: string[] = [];
-    let bypasserUserIds: string[] = [];
-
-    if (bypassers && bypassers.length) {
-      groupBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.Group)
-        .map((bypasser) => bypasser.id) as string[];
-
-      const userBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.User)
-        .map((bypasser) => bypasser.id)
-        .filter(Boolean) as string[];
-
-      const userBypasserNames = bypassers
-        .map((bypasser) => (bypasser.type === BypasserType.User ? bypasser.username : undefined))
-        .filter(Boolean) as string[];
-
-      bypasserUserIds = userBypassers;
-      if (userBypasserNames.length) {
-        const bypasserUsers = await userDAL.find({
-          $in: {
-            username: userBypasserNames
-          }
-        });
-
-        const bypasserNamesFromDb = bypasserUsers.map((user) => user.username);
-        const invalidUsernames = userBypasserNames.filter((username) => !bypasserNamesFromDb.includes(username));
-
-        if (invalidUsernames.length) {
-          throw new BadRequestError({
-            message: `Invalid bypasser user: ${invalidUsernames.join(", ")}`
-          });
-        }
-
-        bypasserUserIds = bypasserUserIds.concat(bypasserUsers.map((user) => user.id));
-      }
-    }
-
     const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.create(
         {
@@ -207,7 +159,6 @@ export const accessApprovalPolicyServiceFactory = ({
         },
         tx
       );
-
       if (approverUserIds.length) {
         await accessApprovalPolicyApproverDAL.insertMany(
           approverUserIds.map((userId) => ({
@@ -228,29 +179,8 @@ export const accessApprovalPolicyServiceFactory = ({
         );
       }
 
-      if (bypasserUserIds.length) {
-        await accessApprovalPolicyBypasserDAL.insertMany(
-          bypasserUserIds.map((userId) => ({
-            bypasserUserId: userId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
-      if (groupBypassers.length) {
-        await accessApprovalPolicyBypasserDAL.insertMany(
-          groupBypassers.map((groupId) => ({
-            bypasserGroupId: groupId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
       return doc;
     });
-
     return { ...accessApproval, environment: env, projectId: project.id };
   };
 
@@ -281,7 +211,6 @@ export const accessApprovalPolicyServiceFactory = ({
   const updateAccessApprovalPolicy = async ({
     policyId,
     approvers,
-    bypassers,
     secretPath,
     name,
     actorId,
@@ -302,15 +231,15 @@ export const accessApprovalPolicyServiceFactory = ({
       .filter(Boolean) as string[];
 
     const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
       .filter(Boolean) as string[];
 
     const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    const currentApprovals = approvals || accessApprovalPolicy.approvals;
+    const currentAppovals = approvals || accessApprovalPolicy.approvals;
     if (
       groupApprovers?.length === 0 &&
       userApprovers &&
-      currentApprovals > userApprovers.length + userApproverNames.length
+      currentAppovals > userApprovers.length + userApproverNames.length
     ) {
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
     }
@@ -327,79 +256,10 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
-
-    let groupBypassers: string[] = [];
-    let bypasserUserIds: string[] = [];
-
-    if (bypassers && bypassers.length) {
-      groupBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.Group)
-        .map((bypasser) => bypasser.id) as string[];
-
-      groupBypassers = [...new Set(groupBypassers)];
-
-      const userBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.User)
-        .map((bypasser) => bypasser.id)
-        .filter(Boolean) as string[];
-
-      const userBypasserNames = bypassers
-        .map((bypasser) => (bypasser.type === BypasserType.User ? bypasser.username : undefined))
-        .filter(Boolean) as string[];
-
-      bypasserUserIds = userBypassers;
-      if (userBypasserNames.length) {
-        const bypasserUsers = await userDAL.find({
-          $in: {
-            username: userBypasserNames
-          }
-        });
-
-        const bypasserNamesFromDb = bypasserUsers.map((user) => user.username);
-        const invalidUsernames = userBypasserNames.filter((username) => !bypasserNamesFromDb.includes(username));
-
-        if (invalidUsernames.length) {
-          throw new BadRequestError({
-            message: `Invalid bypasser user: ${invalidUsernames.join(", ")}`
-          });
-        }
-
-        bypasserUserIds = [...new Set(bypasserUserIds.concat(bypasserUsers.map((user) => user.id)))];
-      }
-
-      // Validate user bypassers
-      if (bypasserUserIds.length > 0) {
-        const orgMemberships = await orgMembershipDAL.find({
-          $in: { userId: bypasserUserIds },
-          orgId: actorOrgId
-        });
-
-        if (orgMemberships.length !== bypasserUserIds.length) {
-          const foundUserIdsInOrg = new Set(orgMemberships.map((mem) => mem.userId));
-          const missingUserIds = bypasserUserIds.filter((id) => !foundUserIdsInOrg.has(id));
-          throw new BadRequestError({
-            message: `One or more specified bypasser users are not part of the organization or do not exist. Invalid or non-member user IDs: ${missingUserIds.join(", ")}`
-          });
-        }
-      }
-
-      // Validate group bypassers
-      if (groupBypassers.length > 0) {
-        const orgGroups = await groupDAL.find({
-          $in: { id: groupBypassers },
-          orgId: actorOrgId
-        });
-
-        if (orgGroups.length !== groupBypassers.length) {
-          const foundGroupIdsInOrg = new Set(orgGroups.map((group) => group.id));
-          const missingGroupIds = groupBypassers.filter((id) => !foundGroupIdsInOrg.has(id));
-          throw new BadRequestError({
-            message: `One or more specified bypasser groups are not part of the organization or do not exist. Invalid or non-member group IDs: ${missingGroupIds.join(", ")}`
-          });
-        }
-      }
-    }
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Edit,
+      ProjectPermissionSub.SecretApproval
+    );
 
     const updatedPolicy = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.updateById(
@@ -456,28 +316,6 @@ export const accessApprovalPolicyServiceFactory = ({
         );
       }
 
-      await accessApprovalPolicyBypasserDAL.delete({ policyId: doc.id }, tx);
-
-      if (bypasserUserIds.length) {
-        await accessApprovalPolicyBypasserDAL.insertMany(
-          bypasserUserIds.map((userId) => ({
-            bypasserUserId: userId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
-      if (groupBypassers.length) {
-        await accessApprovalPolicyBypasserDAL.insertMany(
-          groupBypassers.map((groupId) => ({
-            bypasserGroupId: groupId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
       return doc;
     });
     return {
@@ -506,7 +344,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
+      ProjectPermissionApprovalActions.Delete,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -597,7 +435,10 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionSub.SecretApproval
+    );
 
     return policy;
   };

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -18,20 +18,11 @@ export enum ApproverType {
   User = "user"
 }
 
-export enum BypasserType {
-  Group = "group",
-  User = "user"
-}
-
 export type TCreateAccessApprovalPolicy = {
   approvals: number;
   secretPath: string;
   environment: string;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
-  bypassers?: (
-    | { type: BypasserType.Group; id: string }
-    | { type: BypasserType.User; id?: string; username?: string }
-  )[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
   projectSlug: string;
   name: string;
   enforcementLevel: EnforcementLevel;
@@ -41,11 +32,7 @@ export type TCreateAccessApprovalPolicy = {
 export type TUpdateAccessApprovalPolicy = {
   policyId: string;
   approvals?: number;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
-  bypassers?: (
-    | { type: BypasserType.Group; id: string }
-    | { type: BypasserType.User; id?: string; username?: string }
-  )[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
   secretPath?: string;
   name?: string;
   enforcementLevel?: EnforcementLevel;

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -1,13 +1,7 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import {
-  AccessApprovalRequestsSchema,
-  TableName,
-  TAccessApprovalRequests,
-  TUserGroupMembership,
-  TUsers
-} from "@app/db/schemas";
+import { AccessApprovalRequestsSchema, TableName, TAccessApprovalRequests, TUsers } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
 
@@ -34,12 +28,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.AccessApprovalRequest}.policyId`,
           `${TableName.AccessApprovalPolicy}.id`
         )
+
         .leftJoin(
           TableName.AccessApprovalRequestReviewer,
           `${TableName.AccessApprovalRequest}.id`,
           `${TableName.AccessApprovalRequestReviewer}.requestId`
         )
-
         .leftJoin(
           TableName.AccessApprovalPolicyApprover,
           `${TableName.AccessApprovalPolicy}.id`,
@@ -52,17 +46,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         )
         .leftJoin(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
 
-        .leftJoin(
-          TableName.AccessApprovalPolicyBypasser,
-          `${TableName.AccessApprovalPolicy}.id`,
-          `${TableName.AccessApprovalPolicyBypasser}.policyId`
-        )
-        .leftJoin<TUserGroupMembership>(
-          db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
-          `${TableName.AccessApprovalPolicyBypasser}.bypasserGroupId`,
-          `bypasserUserGroupMembership.groupId`
-        )
-
         .join<TUsers>(
           db(TableName.Users).as("requestedByUser"),
           `${TableName.AccessApprovalRequest}.requestedByUserId`,
@@ -86,9 +69,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
         .select(db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"))
 
-        .select(db.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser))
-        .select(db.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"))
-
         .select(
           db.ref("projectId").withSchema(TableName.Environment),
           db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
@@ -165,7 +145,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
               }
             : null,
 
-          isApproved: !!doc.policyDeletedAt || !!doc.privilegeId || doc.status !== ApprovalStatus.PENDING
+          isApproved: !!doc.policyDeletedAt || !!doc.privilegeId
         }),
         childrenMapper: [
           {
@@ -178,12 +158,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             key: "approverGroupUserId",
             label: "approvers" as const,
             mapper: ({ approverGroupUserId }) => approverGroupUserId
-          },
-          { key: "bypasserUserId", label: "bypassers" as const, mapper: ({ bypasserUserId }) => bypasserUserId },
-          {
-            key: "bypasserGroupUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserGroupUserId }) => bypasserGroupUserId
           }
         ]
       });
@@ -192,7 +166,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
 
       return formattedDocs.map((doc) => ({
         ...doc,
-        policy: { ...doc.policy, approvers: doc.approvers, bypassers: doc.bypassers }
+        policy: { ...doc.policy, approvers: doc.approvers }
       }));
     } catch (error) {
       throw new DatabaseError({ error, name: "FindRequestsWithPrivilege" });
@@ -219,6 +193,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.AccessApprovalPolicy}.id`,
         `${TableName.AccessApprovalPolicyApprover}.policyId`
       )
+
       .leftJoin<TUsers>(
         db(TableName.Users).as("accessApprovalPolicyApproverUser"),
         `${TableName.AccessApprovalPolicyApprover}.approverUserId`,
@@ -229,33 +204,13 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.AccessApprovalPolicyApprover}.approverGroupId`,
         `${TableName.UserGroupMembership}.groupId`
       )
+
       .leftJoin<TUsers>(
         db(TableName.Users).as("accessApprovalPolicyGroupApproverUser"),
         `${TableName.UserGroupMembership}.userId`,
         "accessApprovalPolicyGroupApproverUser.id"
       )
 
-      .leftJoin(
-        TableName.AccessApprovalPolicyBypasser,
-        `${TableName.AccessApprovalPolicy}.id`,
-        `${TableName.AccessApprovalPolicyBypasser}.policyId`
-      )
-      .leftJoin<TUsers>(
-        db(TableName.Users).as("accessApprovalPolicyBypasserUser"),
-        `${TableName.AccessApprovalPolicyBypasser}.bypasserUserId`,
-        "accessApprovalPolicyBypasserUser.id"
-      )
-      .leftJoin<TUserGroupMembership>(
-        db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
-        `${TableName.AccessApprovalPolicyBypasser}.bypasserGroupId`,
-        `bypasserUserGroupMembership.groupId`
-      )
-      .leftJoin<TUsers>(
-        db(TableName.Users).as("accessApprovalPolicyGroupBypasserUser"),
-        `bypasserUserGroupMembership.userId`,
-        "accessApprovalPolicyGroupBypasserUser.id"
-      )
-
       .leftJoin(
         TableName.AccessApprovalRequestReviewer,
         `${TableName.AccessApprovalRequest}.id`,
@@ -286,18 +241,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("firstName").withSchema("requestedByUser").as("requestedByUserFirstName"),
         tx.ref("lastName").withSchema("requestedByUser").as("requestedByUserLastName"),
 
-        // Bypassers
-        tx.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser),
-        tx.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
-        tx.ref("email").withSchema("accessApprovalPolicyBypasserUser").as("bypasserEmail"),
-        tx.ref("email").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupEmail"),
-        tx.ref("username").withSchema("accessApprovalPolicyBypasserUser").as("bypasserUsername"),
-        tx.ref("username").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupUsername"),
-        tx.ref("firstName").withSchema("accessApprovalPolicyBypasserUser").as("bypasserFirstName"),
-        tx.ref("firstName").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupFirstName"),
-        tx.ref("lastName").withSchema("accessApprovalPolicyBypasserUser").as("bypasserLastName"),
-        tx.ref("lastName").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupLastName"),
-
         tx.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer),
 
         tx.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"),
@@ -322,7 +265,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
     try {
       const sql = findQuery({ [`${TableName.AccessApprovalRequest}.id` as "id"]: id }, tx || db.replicaNode());
       const docs = await sql;
-      const formattedDoc = sqlNestRelationships({
+      const formatedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
         parentMapper: (el) => ({
@@ -392,51 +335,13 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
               lastName,
               username
             })
-          },
-          {
-            key: "bypasserUserId",
-            label: "bypassers" as const,
-            mapper: ({
-              bypasserUserId,
-              bypasserEmail: email,
-              bypasserUsername: username,
-              bypasserLastName: lastName,
-              bypasserFirstName: firstName
-            }) => ({
-              userId: bypasserUserId,
-              email,
-              firstName,
-              lastName,
-              username
-            })
-          },
-          {
-            key: "bypasserGroupUserId",
-            label: "bypassers" as const,
-            mapper: ({
-              userId,
-              bypasserGroupEmail: email,
-              bypasserGroupUsername: username,
-              bypasserGroupLastName: lastName,
-              bypasserFirstName: firstName
-            }) => ({
-              userId,
-              email,
-              firstName,
-              lastName,
-              username
-            })
           }
         ]
       });
-      if (!formattedDoc?.[0]) return;
+      if (!formatedDoc?.[0]) return;
       return {
-        ...formattedDoc[0],
-        policy: {
-          ...formattedDoc[0].policy,
-          approvers: formattedDoc[0].approvers,
-          bypassers: formattedDoc[0].bypassers
-        }
+        ...formatedDoc[0],
+        policy: { ...formatedDoc[0].policy, approvers: formatedDoc[0].approvers }
       };
     } catch (error) {
       throw new DatabaseError({ error, name: "FindByIdAccessApprovalRequest" });
@@ -487,20 +392,14 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         ]
       });
 
-      // an approval is pending if there is no reviewer rejections, no privilege ID is set and the status is pending
+      // an approval is pending if there is no reviewer rejections and no privilege ID is set
       const pendingApprovals = formattedRequests.filter(
-        (req) =>
-          !req.privilegeId &&
-          !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED) &&
-          req.status === ApprovalStatus.PENDING
+        (req) => !req.privilegeId && !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
       );
 
-      // an approval is finalized if there are any rejections, a privilege ID is set or the number of approvals is equal to the number of approvals required
+      // an approval is finalized if there are any rejections or a privilege ID is set
       const finalizedApprovals = formattedRequests.filter(
-        (req) =>
-          req.privilegeId ||
-          req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED) ||
-          req.status !== ApprovalStatus.PENDING
+        (req) => req.privilegeId || req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
       );
 
       return { pendingCount: pendingApprovals.length, finalizedCount: finalizedApprovals.length };

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -23,6 +23,7 @@ import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-poli
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
+import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
 import { TAccessApprovalRequestDALFactory } from "./access-approval-request-dal";
@@ -56,7 +57,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
     | "findOne"
     | "getCount"
   >;
-  accessApprovalPolicyDAL: Pick<TAccessApprovalPolicyDALFactory, "findOne" | "find" | "findLastValidPolicy">;
+  accessApprovalPolicyDAL: Pick<TAccessApprovalPolicyDALFactory, "findOne" | "find">;
   accessApprovalRequestReviewerDAL: Pick<
     TAccessApprovalRequestReviewerDALFactory,
     "create" | "find" | "findOne" | "transaction"
@@ -131,7 +132,7 @@ export const accessApprovalRequestServiceFactory = ({
 
     if (!environment) throw new NotFoundError({ message: `Environment with slug '${envSlug}' not found` });
 
-    const policy = await accessApprovalPolicyDAL.findLastValidPolicy({
+    const policy = await accessApprovalPolicyDAL.findOne({
       envId: environment.id,
       secretPath
     });
@@ -203,7 +204,7 @@ export const accessApprovalRequestServiceFactory = ({
 
           const isRejected = reviewers.some((reviewer) => reviewer.status === ApprovalStatus.REJECTED);
 
-          if (!isRejected && duplicateRequest.status === ApprovalStatus.PENDING) {
+          if (!isRejected) {
             throw new BadRequestError({ message: "You already have a pending access request with the same criteria" });
           }
         }
@@ -339,7 +340,7 @@ export const accessApprovalRequestServiceFactory = ({
       });
     }
 
-    const { membership, hasRole } = await permissionService.getProjectPermission({
+    const { membership, hasRole, permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: accessApprovalRequest.projectId,
@@ -354,13 +355,13 @@ export const accessApprovalRequestServiceFactory = ({
 
     const isSelfApproval = actorId === accessApprovalRequest.requestedByUserId;
     const isSoftEnforcement = policy.enforcementLevel === EnforcementLevel.Soft;
-    const canBypass = !policy.bypassers.length || policy.bypassers.some((bypasser) => bypasser.userId === actorId);
-    const cannotBypassUnderSoftEnforcement = !(isSoftEnforcement && canBypass);
+    const canBypassApproval = permission.can(
+      ProjectPermissionApprovalActions.AllowAccessBypass,
+      ProjectPermissionSub.SecretApproval
+    );
+    const cannotBypassUnderSoftEnforcement = !(isSoftEnforcement && canBypassApproval);
 
-    const isApprover = policy.approvers.find((approver) => approver.userId === actorId);
-
-    // If user is (not an approver OR cant self approve) AND can't bypass policy
-    if ((!isApprover || (!policy.allowedSelfApprovals && isSelfApproval)) && cannotBypassUnderSoftEnforcement) {
+    if (!policy.allowedSelfApprovals && isSelfApproval && cannotBypassUnderSoftEnforcement) {
       throw new BadRequestError({
         message: "Failed to review access approval request. Users are not authorized to review their own request."
       });
@@ -369,7 +370,7 @@ export const accessApprovalRequestServiceFactory = ({
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
       accessApprovalRequest.requestedByUserId !== actorId && // The request wasn't made by the current user
-      !isApprover // The request isn't performed by an assigned approver
+      !policy.approvers.find((approver) => approver.userId === actorId) // The request isn't performed by an assigned approver
     ) {
       throw new ForbiddenRequestError({ message: "You are not authorized to approve this request" });
     }
@@ -477,11 +478,7 @@ export const accessApprovalRequestServiceFactory = ({
             );
             privilegeIdToSet = privilege.id;
           }
-          await accessApprovalRequestDAL.updateById(
-            accessApprovalRequest.id,
-            { privilegeId: privilegeIdToSet, status: ApprovalStatus.APPROVED },
-            tx
-          );
+          await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { privilegeId: privilegeIdToSet }, tx);
         }
       }
 

backend/src/ee/services/license/license-service.ts

@@ -17,7 +17,7 @@ import { TIdentityOrgDALFactory } from "@app/services/identity/identity-org-dal"
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
-import { OrgPermissionBillingActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { BillingPlanRows, BillingPlanTableHead } from "./licence-enums";
 import { TLicenseDALFactory } from "./license-dal";
@@ -288,7 +288,7 @@ export const licenseServiceFactory = ({
     billingCycle
   }: TOrgPlansTableDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
     const { data } = await licenseServerCloudApi.request.get(
       `/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
     );
@@ -310,10 +310,8 @@ export const licenseServiceFactory = ({
     success_url
   }: TStartOrgTrialDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionBillingActions.ManageBilling,
-      OrgPermissionSubjects.Billing
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -340,10 +338,8 @@ export const licenseServiceFactory = ({
     actorOrgId
   }: TCreateOrgPortalSession) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionBillingActions.ManageBilling,
-      OrgPermissionSubjects.Billing
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -389,7 +385,7 @@ export const licenseServiceFactory = ({
 
   const getOrgBillingInfo = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -417,7 +413,7 @@ export const licenseServiceFactory = ({
   // returns org current plan feature table
   const getOrgPlanTable = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -488,7 +484,7 @@ export const licenseServiceFactory = ({
 
   const getOrgBillingDetails = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -513,10 +509,7 @@ export const licenseServiceFactory = ({
     email
   }: TUpdateOrgBillingDetailsDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionBillingActions.ManageBilling,
-      OrgPermissionSubjects.Billing
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -536,7 +529,7 @@ export const licenseServiceFactory = ({
 
   const getOrgPmtMethods = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgPmtMethodsDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -563,10 +556,7 @@ export const licenseServiceFactory = ({
     cancel_url
   }: TAddOrgPmtMethodDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionBillingActions.ManageBilling,
-      OrgPermissionSubjects.Billing
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -595,10 +585,7 @@ export const licenseServiceFactory = ({
     pmtMethodId
   }: TDelOrgPmtMethodDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionBillingActions.ManageBilling,
-      OrgPermissionSubjects.Billing
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -615,7 +602,7 @@ export const licenseServiceFactory = ({
 
   const getOrgTaxIds = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgTaxIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -633,10 +620,7 @@ export const licenseServiceFactory = ({
 
   const addOrgTaxId = async ({ actorId, actor, actorAuthMethod, actorOrgId, orgId, type, value }: TAddOrgTaxIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionBillingActions.ManageBilling,
-      OrgPermissionSubjects.Billing
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -657,10 +641,7 @@ export const licenseServiceFactory = ({
 
   const delOrgTaxId = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId, taxId }: TDelOrgTaxIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionBillingActions.ManageBilling,
-      OrgPermissionSubjects.Billing
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -677,7 +658,7 @@ export const licenseServiceFactory = ({
 
   const getOrgTaxInvoices = async ({ actorId, actor, actorOrgId, actorAuthMethod, orgId }: TOrgInvoiceDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -694,7 +675,7 @@ export const licenseServiceFactory = ({
 
   const getOrgLicenses = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgLicensesDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -44,6 +44,7 @@ import {
   TOidcLoginDTO,
   TUpdateOidcCfgDTO
 } from "./oidc-config-types";
+import { logger } from "@app/lib/logger";
 
 type TOidcConfigServiceFactoryDep = {
   userDAL: Pick<
@@ -699,6 +700,7 @@ export const oidcConfigServiceFactory = ({
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       (_req: any, tokenSet: TokenSet, cb: any) => {
         const claims = tokenSet.claims();
+        logger.info(`User OIDC claims received for [orgId=${org.id}] [claims=${JSON.stringify(claims)}]`);
         if (!claims.email || !claims.given_name) {
           throw new BadRequestError({
             message: "Invalid request. Missing email or first name"

backend/src/ee/services/permission/default-roles.ts

@@ -2,6 +2,7 @@ import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability"
 
 import {
   ProjectPermissionActions,
+  ProjectPermissionApprovalActions,
   ProjectPermissionCertificateActions,
   ProjectPermissionCmekActions,
   ProjectPermissionDynamicSecretActions,
@@ -10,7 +11,6 @@ import {
   ProjectPermissionKmipActions,
   ProjectPermissionMemberActions,
   ProjectPermissionPkiSubscriberActions,
-  ProjectPermissionPkiTemplateActions,
   ProjectPermissionSecretActions,
   ProjectPermissionSecretRotationActions,
   ProjectPermissionSecretSyncActions,
@@ -36,6 +36,7 @@ const buildAdminPermissionRules = () => {
     ProjectPermissionSub.AuditLogs,
     ProjectPermissionSub.IpAllowList,
     ProjectPermissionSub.CertificateAuthorities,
+    ProjectPermissionSub.CertificateTemplates,
     ProjectPermissionSub.PkiAlerts,
     ProjectPermissionSub.PkiCollections,
     ProjectPermissionSub.SshCertificateAuthorities,
@@ -56,22 +57,12 @@ const buildAdminPermissionRules = () => {
 
   can(
     [
-      ProjectPermissionPkiTemplateActions.Read,
-      ProjectPermissionPkiTemplateActions.Edit,
-      ProjectPermissionPkiTemplateActions.Create,
-      ProjectPermissionPkiTemplateActions.Delete,
-      ProjectPermissionPkiTemplateActions.IssueCert,
-      ProjectPermissionPkiTemplateActions.ListCerts
-    ],
-    ProjectPermissionSub.CertificateTemplates
-  );
-
-  can(
-    [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionApprovalActions.Edit,
+      ProjectPermissionApprovalActions.Create,
+      ProjectPermissionApprovalActions.Delete,
+      ProjectPermissionApprovalActions.AllowChangeBypass,
+      ProjectPermissionApprovalActions.AllowAccessBypass
     ],
     ProjectPermissionSub.SecretApproval
   );
@@ -264,7 +255,7 @@ const buildMemberPermissionRules = () => {
     ProjectPermissionSub.SecretImports
   );
 
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretApproval);
+  can([ProjectPermissionApprovalActions.Read], ProjectPermissionSub.SecretApproval);
   can([ProjectPermissionSecretRotationActions.Read], ProjectPermissionSub.SecretRotation);
 
   can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
@@ -360,7 +351,7 @@ const buildMemberPermissionRules = () => {
     ProjectPermissionSub.Certificates
   );
 
-  can([ProjectPermissionPkiTemplateActions.Read], ProjectPermissionSub.CertificateTemplates);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateTemplates);
 
   can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiAlerts);
   can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiCollections);
@@ -412,7 +403,7 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
   can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+  can(ProjectPermissionApprovalActions.Read, ProjectPermissionSub.SecretApproval);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
   can(ProjectPermissionSecretRotationActions.Read, ProjectPermissionSub.SecretRotation);
   can(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
@@ -429,7 +420,6 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
   can(ProjectPermissionCertificateActions.Read, ProjectPermissionSub.Certificates);
-  can(ProjectPermissionPkiTemplateActions.Read, ProjectPermissionSub.CertificateTemplates);
   can(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);

backend/src/ee/services/permission/org-permission.ts

@@ -67,11 +67,6 @@ export enum OrgPermissionGroupActions {
   RemoveMembers = "remove-members"
 }
 
-export enum OrgPermissionBillingActions {
-  Read = "read",
-  ManageBilling = "manage-billing"
-}
-
 export enum OrgPermissionSubjects {
   Workspace = "workspace",
   Role = "role",
@@ -112,7 +107,7 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.Ldap]
   | [OrgPermissionGroupActions, OrgPermissionSubjects.Groups]
   | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
-  | [OrgPermissionBillingActions, OrgPermissionSubjects.Billing]
+  | [OrgPermissionActions, OrgPermissionSubjects.Billing]
   | [OrgPermissionIdentityActions, OrgPermissionSubjects.Identity]
   | [OrgPermissionActions, OrgPermissionSubjects.Kms]
   | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
@@ -303,8 +298,10 @@ const buildAdminPermission = () => {
   can(OrgPermissionGroupActions.AddMembers, OrgPermissionSubjects.Groups);
   can(OrgPermissionGroupActions.RemoveMembers, OrgPermissionSubjects.Groups);
 
-  can(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
-  can(OrgPermissionBillingActions.ManageBilling, OrgPermissionSubjects.Billing);
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Billing);
 
   can(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
   can(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
@@ -365,7 +362,7 @@ const buildMemberPermission = () => {
   can(OrgPermissionGroupActions.Read, OrgPermissionSubjects.Groups);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Role);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Settings);
-  can(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.IncidentAccount);
 
   can(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);

backend/src/ee/services/permission/project-permission.ts

@@ -34,6 +34,15 @@ export enum ProjectPermissionSecretActions {
   Delete = "delete"
 }
 
+export enum ProjectPermissionApprovalActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  AllowChangeBypass = "allow-change-bypass",
+  AllowAccessBypass = "allow-access-bypass"
+}
+
 export enum ProjectPermissionCmekActions {
   Read = "read",
   Create = "create",
@@ -87,15 +96,6 @@ export enum ProjectPermissionSshHostActions {
   IssueHostCert = "issue-host-cert"
 }
 
-export enum ProjectPermissionPkiTemplateActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  IssueCert = "issue-cert",
-  ListCerts = "list-certs"
-}
-
 export enum ProjectPermissionPkiSubscriberActions {
   Read = "read",
   Create = "create",
@@ -209,11 +209,6 @@ export type SshHostSubjectFields = {
   hostname: string;
 };
 
-export type PkiTemplateSubjectFields = {
-  name: string;
-  // (dangtony98): consider adding [commonName] as a subject field in the future
-};
-
 export type PkiSubscriberSubjectFields = {
   name: string;
   // (dangtony98): consider adding [commonName] as a subject field in the future
@@ -256,7 +251,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.IpAllowList]
   | [ProjectPermissionActions, ProjectPermissionSub.Settings]
   | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
-  | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
+  | [ProjectPermissionApprovalActions, ProjectPermissionSub.SecretApproval]
   | [
       ProjectPermissionSecretRotationActions,
       (
@@ -270,13 +265,7 @@ export type ProjectPermissionSet =
     ]
   | [ProjectPermissionActions, ProjectPermissionSub.CertificateAuthorities]
   | [ProjectPermissionCertificateActions, ProjectPermissionSub.Certificates]
-  | [
-      ProjectPermissionPkiTemplateActions,
-      (
-        | ProjectPermissionSub.CertificateTemplates
-        | (ForcedSubject<ProjectPermissionSub.CertificateTemplates> & PkiTemplateSubjectFields)
-      )
-    ]
+  | [ProjectPermissionActions, ProjectPermissionSub.CertificateTemplates]
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateAuthorities]
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificates]
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateTemplates]
@@ -456,25 +445,10 @@ const PkiSubscriberConditionSchema = z
   })
   .partial();
 
-const PkiTemplateConditionSchema = z
-  .object({
-    name: z.union([
-      z.string(),
-      z
-        .object({
-          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
-        })
-        .partial()
-    ])
-  })
-  .partial();
-
 const GeneralPermissionSchema = [
   z.object({
     subject: z.literal(ProjectPermissionSub.SecretApproval).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionApprovalActions).describe(
       "Describe what action an entity can take."
     )
   }),
@@ -562,6 +536,12 @@ const GeneralPermissionSchema = [
       "Describe what action an entity can take."
     )
   }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.CertificateTemplates).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+      "Describe what action an entity can take."
+    )
+  }),
   z.object({
     subject: z
       .literal(ProjectPermissionSub.SshCertificateAuthorities)
@@ -739,16 +719,6 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
       "When specified, only matching conditions will be allowed to access given resource."
     ).optional()
   }),
-  z.object({
-    subject: z.literal(ProjectPermissionSub.CertificateTemplates).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionPkiTemplateActions).describe(
-      "Describe what action an entity can take."
-    ),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    conditions: PkiTemplateConditionSchema.describe(
-      "When specified, only matching conditions will be allowed to access given resource."
-    ).optional()
-  }),
   z.object({
     subject: z.literal(ProjectPermissionSub.SecretRotation).describe("The entity this permission pertains to."),
     inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
@@ -759,7 +729,6 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
       "When specified, only matching conditions will be allowed to access given resource."
     ).optional()
   }),
-
   ...GeneralPermissionSchema
 ]);
 

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -9,7 +9,6 @@ import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/per
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 
-import { TAccessApprovalRequestDALFactory } from "../access-approval-request/access-approval-request-dal";
 import { constructPermissionErrorMessage, validatePrivilegeChangeOperation } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import {
@@ -17,7 +16,6 @@ import {
   ProjectPermissionSet,
   ProjectPermissionSub
 } from "../permission/project-permission";
-import { ApprovalStatus } from "../secret-approval-request/secret-approval-request-types";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "./project-user-additional-privilege-dal";
 import {
   ProjectUserAdditionalPrivilegeTemporaryMode,
@@ -32,7 +30,6 @@ type TProjectUserAdditionalPrivilegeServiceFactoryDep = {
   projectUserAdditionalPrivilegeDAL: TProjectUserAdditionalPrivilegeDALFactory;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById" | "findOne">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "update">;
 };
 
 export type TProjectUserAdditionalPrivilegeServiceFactory = ReturnType<
@@ -47,8 +44,7 @@ const unpackPermissions = (permissions: unknown) =>
 export const projectUserAdditionalPrivilegeServiceFactory = ({
   projectUserAdditionalPrivilegeDAL,
   projectMembershipDAL,
-  permissionService,
-  accessApprovalRequestDAL
+  permissionService
 }: TProjectUserAdditionalPrivilegeServiceFactoryDep) => {
   const create = async ({
     slug,
@@ -283,15 +279,6 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
 
-    await accessApprovalRequestDAL.update(
-      {
-        privilegeId: userPrivilege.id
-      },
-      {
-        privilegeDeletedAt: new Date(),
-        status: ApprovalStatus.REJECTED
-      }
-    );
     const deletedPrivilege = await projectUserAdditionalPrivilegeDAL.deleteById(userPrivilege.id);
     return {
       ...deletedPrivilege,

backend/src/ee/services/secret-approval-policy/secret-approval-policy-approver-dal.ts

@@ -8,10 +8,3 @@ export const secretApprovalPolicyApproverDALFactory = (db: TDbClient) => {
   const sapApproverOrm = ormify(db, TableName.SecretApprovalPolicyApprover);
   return sapApproverOrm;
 };
-
-export type TSecretApprovalPolicyBypasserDALFactory = ReturnType<typeof secretApprovalPolicyBypasserDALFactory>;
-
-export const secretApprovalPolicyBypasserDALFactory = (db: TDbClient) => {
-  const sapBypasserOrm = ormify(db, TableName.SecretApprovalPolicyBypasser);
-  return sapBypasserOrm;
-};

backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts

@@ -1,17 +1,11 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import {
-  SecretApprovalPoliciesSchema,
-  TableName,
-  TSecretApprovalPolicies,
-  TUserGroupMembership,
-  TUsers
-} from "@app/db/schemas";
+import { SecretApprovalPoliciesSchema, TableName, TSecretApprovalPolicies, TUsers } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
 
-import { ApproverType, BypasserType } from "../access-approval-policy/access-approval-policy-types";
+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
 
 export type TSecretApprovalPolicyDALFactory = ReturnType<typeof secretApprovalPolicyDALFactory>;
 
@@ -49,22 +43,6 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
         `${TableName.SecretApprovalPolicyApprover}.approverUserId`,
         "secretApprovalPolicyApproverUser.id"
       )
-      // Bypasser
-      .leftJoin(
-        TableName.SecretApprovalPolicyBypasser,
-        `${TableName.SecretApprovalPolicy}.id`,
-        `${TableName.SecretApprovalPolicyBypasser}.policyId`
-      )
-      .leftJoin<TUserGroupMembership>(
-        db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
-        `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
-        `bypasserUserGroupMembership.groupId`
-      )
-      .leftJoin<TUsers>(
-        db(TableName.Users).as("secretApprovalPolicyBypasserUser"),
-        `${TableName.SecretApprovalPolicyBypasser}.bypasserUserId`,
-        "secretApprovalPolicyBypasserUser.id"
-      )
       .leftJoin<TUsers>(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
       .select(
         tx.ref("id").withSchema("secretApprovalPolicyApproverUser").as("approverUserId"),
@@ -80,20 +58,6 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
         tx.ref("firstName").withSchema(TableName.Users).as("approverGroupFirstName"),
         tx.ref("lastName").withSchema(TableName.Users).as("approverGroupLastName")
       )
-      .select(
-        tx.ref("id").withSchema("secretApprovalPolicyBypasserUser").as("bypasserUserId"),
-        tx.ref("email").withSchema("secretApprovalPolicyBypasserUser").as("bypasserEmail"),
-        tx.ref("firstName").withSchema("secretApprovalPolicyBypasserUser").as("bypasserFirstName"),
-        tx.ref("username").withSchema("secretApprovalPolicyBypasserUser").as("bypasserUsername"),
-        tx.ref("lastName").withSchema("secretApprovalPolicyBypasserUser").as("bypasserLastName")
-      )
-      .select(
-        tx.ref("bypasserGroupId").withSchema(TableName.SecretApprovalPolicyBypasser),
-        tx.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
-        tx.ref("email").withSchema(TableName.Users).as("bypasserGroupEmail"),
-        tx.ref("firstName").withSchema(TableName.Users).as("bypasserGroupFirstName"),
-        tx.ref("lastName").withSchema(TableName.Users).as("bypasserGroupLastName")
-      )
       .select(
         tx.ref("name").withSchema(TableName.Environment).as("envName"),
         tx.ref("slug").withSchema(TableName.Environment).as("envSlug"),
@@ -179,7 +143,7 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
             label: "approvers" as const,
             mapper: ({ approverUserId: id, approverUsername }) => ({
               type: ApproverType.User,
-              username: approverUsername,
+              name: approverUsername,
               id
             })
           },
@@ -191,23 +155,6 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
               id
             })
           },
-          {
-            key: "bypasserUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserUserId: id, bypasserUsername }) => ({
-              type: BypasserType.User,
-              username: bypasserUsername,
-              id
-            })
-          },
-          {
-            key: "bypasserGroupId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserGroupId: id }) => ({
-              type: BypasserType.Group,
-              id
-            })
-          },
           {
             key: "approverUserId",
             label: "userApprovers" as const,

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -3,21 +3,18 @@ import picomatch from "picomatch";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { containsGlobPatterns } from "@app/lib/picomatch";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 
-import { ApproverType, BypasserType } from "../access-approval-policy/access-approval-policy-types";
+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TSecretApprovalRequestDALFactory } from "../secret-approval-request/secret-approval-request-dal";
 import { RequestState } from "../secret-approval-request/secret-approval-request-types";
-import {
-  TSecretApprovalPolicyApproverDALFactory,
-  TSecretApprovalPolicyBypasserDALFactory
-} from "./secret-approval-policy-approver-dal";
+import { TSecretApprovalPolicyApproverDALFactory } from "./secret-approval-policy-approver-dal";
 import { TSecretApprovalPolicyDALFactory } from "./secret-approval-policy-dal";
 import {
   TCreateSapDTO,
@@ -39,7 +36,6 @@ type TSecretApprovalPolicyServiceFactoryDep = {
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
   userDAL: Pick<TUserDALFactory, "find">;
   secretApprovalPolicyApproverDAL: TSecretApprovalPolicyApproverDALFactory;
-  secretApprovalPolicyBypasserDAL: TSecretApprovalPolicyBypasserDALFactory;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "update">;
 };
@@ -50,7 +46,6 @@ export const secretApprovalPolicyServiceFactory = ({
   secretApprovalPolicyDAL,
   permissionService,
   secretApprovalPolicyApproverDAL,
-  secretApprovalPolicyBypasserDAL,
   projectEnvDAL,
   userDAL,
   licenseService,
@@ -64,7 +59,6 @@ export const secretApprovalPolicyServiceFactory = ({
     actorAuthMethod,
     approvals,
     approvers,
-    bypassers,
     projectId,
     secretPath,
     environment,
@@ -80,7 +74,7 @@ export const secretApprovalPolicyServiceFactory = ({
       .filter(Boolean) as string[];
 
     const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
       .filter(Boolean) as string[];
 
     if (!groupApprovers.length && approvals > approvers.length)
@@ -95,7 +89,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
+      ProjectPermissionApprovalActions.Create,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -113,44 +107,6 @@ export const secretApprovalPolicyServiceFactory = ({
         message: `Environment with slug '${environment}' not found in project with ID ${projectId}`
       });
 
-    let groupBypassers: string[] = [];
-    let bypasserUserIds: string[] = [];
-
-    if (bypassers && bypassers.length) {
-      groupBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.Group)
-        .map((bypasser) => bypasser.id) as string[];
-
-      const userBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.User)
-        .map((bypasser) => bypasser.id)
-        .filter(Boolean) as string[];
-
-      const userBypasserNames = bypassers
-        .map((bypasser) => (bypasser.type === BypasserType.User ? bypasser.username : undefined))
-        .filter(Boolean) as string[];
-
-      bypasserUserIds = userBypassers;
-      if (userBypasserNames.length) {
-        const bypasserUsers = await userDAL.find({
-          $in: {
-            username: userBypasserNames
-          }
-        });
-
-        const bypasserNamesFromDb = bypasserUsers.map((user) => user.username);
-        const invalidUsernames = userBypasserNames.filter((username) => !bypasserNamesFromDb.includes(username));
-
-        if (invalidUsernames.length) {
-          throw new BadRequestError({
-            message: `Invalid bypasser user: ${invalidUsernames.join(", ")}`
-          });
-        }
-
-        bypasserUserIds = bypasserUserIds.concat(bypasserUsers.map((user) => user.id));
-      }
-    }
-
     const secretApproval = await secretApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await secretApprovalPolicyDAL.create(
         {
@@ -202,27 +158,6 @@ export const secretApprovalPolicyServiceFactory = ({
         })),
         tx
       );
-
-      if (bypasserUserIds.length) {
-        await secretApprovalPolicyBypasserDAL.insertMany(
-          bypasserUserIds.map((userId) => ({
-            bypasserUserId: userId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
-      if (groupBypassers.length) {
-        await secretApprovalPolicyBypasserDAL.insertMany(
-          groupBypassers.map((groupId) => ({
-            bypasserGroupId: groupId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
       return doc;
     });
 
@@ -231,7 +166,6 @@ export const secretApprovalPolicyServiceFactory = ({
 
   const updateSecretApprovalPolicy = async ({
     approvers,
-    bypassers,
     secretPath,
     name,
     actorId,
@@ -252,7 +186,7 @@ export const secretApprovalPolicyServiceFactory = ({
       .filter(Boolean) as string[];
 
     const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
       .filter(Boolean) as string[];
 
     const secretApprovalPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
@@ -270,7 +204,10 @@ export const secretApprovalPolicyServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Edit,
+      ProjectPermissionSub.SecretApproval
+    );
 
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan.secretApproval) {
@@ -280,44 +217,6 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
-    let groupBypassers: string[] = [];
-    let bypasserUserIds: string[] = [];
-
-    if (bypassers && bypassers.length) {
-      groupBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.Group)
-        .map((bypasser) => bypasser.id) as string[];
-
-      const userBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.User)
-        .map((bypasser) => bypasser.id)
-        .filter(Boolean) as string[];
-
-      const userBypasserNames = bypassers
-        .map((bypasser) => (bypasser.type === BypasserType.User ? bypasser.username : undefined))
-        .filter(Boolean) as string[];
-
-      bypasserUserIds = userBypassers;
-      if (userBypasserNames.length) {
-        const bypasserUsers = await userDAL.find({
-          $in: {
-            username: userBypasserNames
-          }
-        });
-
-        const bypasserNamesFromDb = bypasserUsers.map((user) => user.username);
-        const invalidUsernames = userBypasserNames.filter((username) => !bypasserNamesFromDb.includes(username));
-
-        if (invalidUsernames.length) {
-          throw new BadRequestError({
-            message: `Invalid bypasser user: ${invalidUsernames.join(", ")}`
-          });
-        }
-
-        bypasserUserIds = bypasserUserIds.concat(bypasserUsers.map((user) => user.id));
-      }
-    }
-
     const updatedSap = await secretApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await secretApprovalPolicyDAL.updateById(
         secretApprovalPolicy.id,
@@ -376,28 +275,6 @@ export const secretApprovalPolicyServiceFactory = ({
         );
       }
 
-      await secretApprovalPolicyBypasserDAL.delete({ policyId: doc.id }, tx);
-
-      if (bypasserUserIds.length) {
-        await secretApprovalPolicyBypasserDAL.insertMany(
-          bypasserUserIds.map((userId) => ({
-            bypasserUserId: userId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
-      if (groupBypassers.length) {
-        await secretApprovalPolicyBypasserDAL.insertMany(
-          groupBypassers.map((groupId) => ({
-            bypasserGroupId: groupId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
       return doc;
     });
     return {
@@ -427,7 +304,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
+      ProjectPermissionApprovalActions.Delete,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -466,7 +343,10 @@ export const secretApprovalPolicyServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionSub.SecretApproval
+    );
 
     const sapPolicies = await secretApprovalPolicyDAL.find({ projectId, deletedAt: null });
     return sapPolicies;
@@ -539,7 +419,10 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionSub.SecretApproval
+    );
 
     return sapPolicy;
   };

backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@@ -1,16 +1,12 @@
 import { EnforcementLevel, TProjectPermission } from "@app/lib/types";
 
-import { ApproverType, BypasserType } from "../access-approval-policy/access-approval-policy-types";
+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
 
 export type TCreateSapDTO = {
   approvals: number;
   secretPath?: string | null;
   environment: string;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
-  bypassers?: (
-    | { type: BypasserType.Group; id: string }
-    | { type: BypasserType.User; id?: string; username?: string }
-  )[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
   projectId: string;
   name: string;
   enforcementLevel: EnforcementLevel;
@@ -21,11 +17,7 @@ export type TUpdateSapDTO = {
   secretPolicyId: string;
   approvals?: number;
   secretPath?: string | null;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
-  bypassers?: (
-    | { type: BypasserType.Group; id: string }
-    | { type: BypasserType.User; id?: string; username?: string }
-  )[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
   name?: string;
   enforcementLevel?: EnforcementLevel;
   allowedSelfApprovals?: boolean;

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -6,7 +6,6 @@ import {
   TableName,
   TSecretApprovalRequests,
   TSecretApprovalRequestsSecrets,
-  TUserGroupMembership,
   TUsers
 } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
@@ -59,36 +58,16 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.SecretApprovalPolicyApprover}.approverUserId`,
         "secretApprovalPolicyApproverUser.id"
       )
-      .leftJoin<TUserGroupMembership>(
-        db(TableName.UserGroupMembership).as("approverUserGroupMembership"),
+      .leftJoin(
+        TableName.UserGroupMembership,
         `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
-        `approverUserGroupMembership.groupId`
+        `${TableName.UserGroupMembership}.groupId`
       )
       .leftJoin<TUsers>(
         db(TableName.Users).as("secretApprovalPolicyGroupApproverUser"),
-        `approverUserGroupMembership.userId`,
+        `${TableName.UserGroupMembership}.userId`,
         `secretApprovalPolicyGroupApproverUser.id`
       )
-      .leftJoin(
-        TableName.SecretApprovalPolicyBypasser,
-        `${TableName.SecretApprovalPolicy}.id`,
-        `${TableName.SecretApprovalPolicyBypasser}.policyId`
-      )
-      .leftJoin<TUsers>(
-        db(TableName.Users).as("secretApprovalPolicyBypasserUser"),
-        `${TableName.SecretApprovalPolicyBypasser}.bypasserUserId`,
-        "secretApprovalPolicyBypasserUser.id"
-      )
-      .leftJoin<TUserGroupMembership>(
-        db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
-        `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
-        `bypasserUserGroupMembership.groupId`
-      )
-      .leftJoin<TUsers>(
-        db(TableName.Users).as("secretApprovalPolicyGroupBypasserUser"),
-        `bypasserUserGroupMembership.userId`,
-        `secretApprovalPolicyGroupBypasserUser.id`
-      )
       .leftJoin(
         TableName.SecretApprovalRequestReviewer,
         `${TableName.SecretApprovalRequest}.id`,
@@ -102,7 +81,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
       .select(selectAllTableCols(TableName.SecretApprovalRequest))
       .select(
         tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
-        tx.ref("userId").withSchema("approverUserGroupMembership").as("approverGroupUserId"),
+        tx.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
         tx.ref("email").withSchema("secretApprovalPolicyApproverUser").as("approverEmail"),
         tx.ref("email").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupEmail"),
         tx.ref("username").withSchema("secretApprovalPolicyApproverUser").as("approverUsername"),
@@ -111,20 +90,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("firstName").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupFirstName"),
         tx.ref("lastName").withSchema("secretApprovalPolicyApproverUser").as("approverLastName"),
         tx.ref("lastName").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupLastName"),
-
-        // Bypasser fields
-        tx.ref("bypasserUserId").withSchema(TableName.SecretApprovalPolicyBypasser),
-        tx.ref("bypasserGroupId").withSchema(TableName.SecretApprovalPolicyBypasser),
-        tx.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
-        tx.ref("email").withSchema("secretApprovalPolicyBypasserUser").as("bypasserEmail"),
-        tx.ref("email").withSchema("secretApprovalPolicyGroupBypasserUser").as("bypasserGroupEmail"),
-        tx.ref("username").withSchema("secretApprovalPolicyBypasserUser").as("bypasserUsername"),
-        tx.ref("username").withSchema("secretApprovalPolicyGroupBypasserUser").as("bypasserGroupUsername"),
-        tx.ref("firstName").withSchema("secretApprovalPolicyBypasserUser").as("bypasserFirstName"),
-        tx.ref("firstName").withSchema("secretApprovalPolicyGroupBypasserUser").as("bypasserGroupFirstName"),
-        tx.ref("lastName").withSchema("secretApprovalPolicyBypasserUser").as("bypasserLastName"),
-        tx.ref("lastName").withSchema("secretApprovalPolicyGroupBypasserUser").as("bypasserGroupLastName"),
-
         tx.ref("email").withSchema("statusChangedByUser").as("statusChangedByUserEmail"),
         tx.ref("username").withSchema("statusChangedByUser").as("statusChangedByUserUsername"),
         tx.ref("firstName").withSchema("statusChangedByUser").as("statusChangedByUserFirstName"),
@@ -156,7 +121,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
     try {
       const sql = findQuery({ [`${TableName.SecretApprovalRequest}.id` as "id"]: id }, tx || db.replicaNode());
       const docs = await sql;
-      const formattedDoc = sqlNestRelationships({
+      const formatedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
         parentMapper: (el) => ({
@@ -238,51 +203,13 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
               lastName,
               username
             })
-          },
-          {
-            key: "bypasserUserId",
-            label: "bypassers" as const,
-            mapper: ({
-              bypasserUserId: userId,
-              bypasserEmail: email,
-              bypasserUsername: username,
-              bypasserLastName: lastName,
-              bypasserFirstName: firstName
-            }) => ({
-              userId,
-              email,
-              firstName,
-              lastName,
-              username
-            })
-          },
-          {
-            key: "bypasserGroupUserId",
-            label: "bypassers" as const,
-            mapper: ({
-              bypasserGroupUserId: userId,
-              bypasserGroupEmail: email,
-              bypasserGroupUsername: username,
-              bypasserGroupLastName: lastName,
-              bypasserGroupFirstName: firstName
-            }) => ({
-              userId,
-              email,
-              firstName,
-              lastName,
-              username
-            })
           }
         ]
       });
-      if (!formattedDoc?.[0]) return;
+      if (!formatedDoc?.[0]) return;
       return {
-        ...formattedDoc[0],
-        policy: {
-          ...formattedDoc[0].policy,
-          approvers: formattedDoc[0].approvers,
-          bypassers: formattedDoc[0].bypassers
-        }
+        ...formatedDoc[0],
+        policy: { ...formatedDoc[0].policy, approvers: formatedDoc[0].approvers }
       };
     } catch (error) {
       throw new DatabaseError({ error, name: "FindByIdSAR" });
@@ -364,16 +291,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
           `${TableName.UserGroupMembership}.groupId`
         )
-        .leftJoin(
-          TableName.SecretApprovalPolicyBypasser,
-          `${TableName.SecretApprovalPolicy}.id`,
-          `${TableName.SecretApprovalPolicyBypasser}.policyId`
-        )
-        .leftJoin<TUserGroupMembership>(
-          db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
-          `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
-          `bypasserUserGroupMembership.groupId`
-        )
         .join<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
@@ -425,11 +342,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
           db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
           db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
-
-          // Bypasser fields
-          db.ref("bypasserUserId").withSchema(TableName.SecretApprovalPolicyBypasser),
-          db.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
-
           db.ref("email").withSchema("committerUser").as("committerUserEmail"),
           db.ref("username").withSchema("committerUser").as("committerUserUsername"),
           db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
@@ -443,7 +355,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         .from<Awaited<typeof query>[number]>("w")
         .where("w.rank", ">=", offset)
         .andWhere("w.rank", "<", offset + limit);
-      const formattedDoc = sqlNestRelationships({
+      const formatedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
         parentMapper: (el) => ({
@@ -491,22 +403,12 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             key: "approverGroupUserId",
             label: "approvers" as const,
             mapper: ({ approverGroupUserId }) => ({ userId: approverGroupUserId })
-          },
-          {
-            key: "bypasserUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserUserId }) => ({ userId: bypasserUserId })
-          },
-          {
-            key: "bypasserGroupUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserGroupUserId }) => ({ userId: bypasserGroupUserId })
           }
         ]
       });
-      return formattedDoc.map((el) => ({
+      return formatedDoc.map((el) => ({
         ...el,
-        policy: { ...el.policy, approvers: el.approvers, bypassers: el.bypassers }
+        policy: { ...el.policy, approvers: el.approvers }
       }));
     } catch (error) {
       throw new DatabaseError({ error, name: "FindSAR" });
@@ -538,16 +440,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
           `${TableName.UserGroupMembership}.groupId`
         )
-        .leftJoin(
-          TableName.SecretApprovalPolicyBypasser,
-          `${TableName.SecretApprovalPolicy}.id`,
-          `${TableName.SecretApprovalPolicyBypasser}.policyId`
-        )
-        .leftJoin<TUserGroupMembership>(
-          db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
-          `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
-          `bypasserUserGroupMembership.groupId`
-        )
         .join<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
@@ -599,11 +491,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
           db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
           db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
-
-          // Bypasser
-          db.ref("bypasserUserId").withSchema(TableName.SecretApprovalPolicyBypasser),
-          db.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
-
           db.ref("email").withSchema("committerUser").as("committerUserEmail"),
           db.ref("username").withSchema("committerUser").as("committerUserUsername"),
           db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
@@ -617,7 +504,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         .from<Awaited<typeof query>[number]>("w")
         .where("w.rank", ">=", offset)
         .andWhere("w.rank", "<", offset + limit);
-      const formattedDoc = sqlNestRelationships({
+      const formatedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
         parentMapper: (el) => ({
@@ -667,24 +554,12 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             mapper: ({ approverGroupUserId }) => ({
               userId: approverGroupUserId
             })
-          },
-          {
-            key: "bypasserUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserUserId }) => ({ userId: bypasserUserId })
-          },
-          {
-            key: "bypasserGroupUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserGroupUserId }) => ({
-              userId: bypasserGroupUserId
-            })
           }
         ]
       });
-      return formattedDoc.map((el) => ({
+      return formatedDoc.map((el) => ({
         ...el,
-        policy: { ...el.policy, approvers: el.approvers, bypassers: el.bypassers }
+        policy: { ...el.policy, approvers: el.approvers }
       }));
     } catch (error) {
       throw new DatabaseError({ error, name: "FindSAR" });

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -62,7 +62,11 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { throwIfMissingSecretReadValueOrDescribePermission } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionSecretActions, ProjectPermissionSub } from "../permission/project-permission";
+import {
+  ProjectPermissionApprovalActions,
+  ProjectPermissionSecretActions,
+  ProjectPermissionSub
+} from "../permission/project-permission";
 import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
 import { TSecretSnapshotServiceFactory } from "../secret-snapshot/secret-snapshot-service";
 import { TSecretApprovalRequestDALFactory } from "./secret-approval-request-dal";
@@ -497,14 +501,14 @@ export const secretApprovalRequestServiceFactory = ({
       });
     }
 
-    const { policy, folderId, projectId, bypassers } = secretApprovalRequest;
+    const { policy, folderId, projectId } = secretApprovalRequest;
     if (policy.deletedAt) {
       throw new BadRequestError({
         message: "The policy associated with this secret approval request has been deleted."
       });
     }
 
-    const { hasRole } = await permissionService.getProjectPermission({
+    const { hasRole, permission } = await permissionService.getProjectPermission({
       actor: ActorType.USER,
       actorId,
       projectId,
@@ -530,9 +534,14 @@ export const secretApprovalRequestServiceFactory = ({
         approverId ? reviewers[approverId] === ApprovalStatus.APPROVED : false
       ).length;
     const isSoftEnforcement = secretApprovalRequest.policy.enforcementLevel === EnforcementLevel.Soft;
-    const canBypass = !bypassers.length || bypassers.some((bypasser) => bypasser.userId === actorId);
 
-    if (!hasMinApproval && !(isSoftEnforcement && canBypass))
+    if (
+      !hasMinApproval &&
+      !(
+        isSoftEnforcement &&
+        permission.can(ProjectPermissionApprovalActions.AllowChangeBypass, ProjectPermissionSub.SecretApproval)
+      )
+    )
       throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
 
     const { botKey, shouldUseSecretV2Bridge, project } = await projectBotService.getBotKey(projectId);

backend/src/server/routes/index.ts

@@ -6,10 +6,7 @@ import { z } from "zod";
 import { registerCertificateEstRouter } from "@app/ee/routes/est/certificate-est-router";
 import { registerV1EERoutes } from "@app/ee/routes/v1";
 import { registerV2EERoutes } from "@app/ee/routes/v2";
-import {
-  accessApprovalPolicyApproverDALFactory,
-  accessApprovalPolicyBypasserDALFactory
-} from "@app/ee/services/access-approval-policy/access-approval-policy-approver-dal";
+import { accessApprovalPolicyApproverDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-approver-dal";
 import { accessApprovalPolicyDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-dal";
 import { accessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
 import { accessApprovalRequestDALFactory } from "@app/ee/services/access-approval-request/access-approval-request-dal";
@@ -70,10 +67,7 @@ import { samlConfigDALFactory } from "@app/ee/services/saml-config/saml-config-d
 import { samlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
 import { scimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { scimServiceFactory } from "@app/ee/services/scim/scim-service";
-import {
-  secretApprovalPolicyApproverDALFactory,
-  secretApprovalPolicyBypasserDALFactory
-} from "@app/ee/services/secret-approval-policy/secret-approval-policy-approver-dal";
+import { secretApprovalPolicyApproverDALFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-approver-dal";
 import { secretApprovalPolicyDALFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-dal";
 import { secretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
 import { secretApprovalRequestDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-dal";
@@ -211,8 +205,6 @@ import { pkiCollectionServiceFactory } from "@app/services/pki-collection/pki-co
 import { pkiSubscriberDALFactory } from "@app/services/pki-subscriber/pki-subscriber-dal";
 import { pkiSubscriberQueueServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-queue";
 import { pkiSubscriberServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-service";
-import { pkiTemplatesDALFactory } from "@app/services/pki-templates/pki-templates-dal";
-import { pkiTemplatesServiceFactory } from "@app/services/pki-templates/pki-templates-service";
 import { projectDALFactory } from "@app/services/project/project-dal";
 import { projectQueueFactory } from "@app/services/project/project-queue";
 import { projectServiceFactory } from "@app/services/project/project-service";
@@ -393,11 +385,9 @@ export const registerRoutes = async (
   const accessApprovalPolicyDAL = accessApprovalPolicyDALFactory(db);
   const accessApprovalRequestDAL = accessApprovalRequestDALFactory(db);
   const accessApprovalPolicyApproverDAL = accessApprovalPolicyApproverDALFactory(db);
-  const accessApprovalPolicyBypasserDAL = accessApprovalPolicyBypasserDALFactory(db);
   const accessApprovalRequestReviewerDAL = accessApprovalRequestReviewerDALFactory(db);
 
   const sapApproverDAL = secretApprovalPolicyApproverDALFactory(db);
-  const sapBypasserDAL = secretApprovalPolicyBypasserDALFactory(db);
   const secretApprovalPolicyDAL = secretApprovalPolicyDALFactory(db);
   const secretApprovalRequestDAL = secretApprovalRequestDALFactory(db);
   const secretApprovalRequestReviewerDAL = secretApprovalRequestReviewerDALFactory(db);
@@ -529,7 +519,6 @@ export const registerRoutes = async (
   const secretApprovalPolicyService = secretApprovalPolicyServiceFactory({
     projectEnvDAL,
     secretApprovalPolicyApproverDAL: sapApproverDAL,
-    secretApprovalPolicyBypasserDAL: sapBypasserDAL,
     permissionService,
     secretApprovalPolicyDAL,
     licenseService,
@@ -805,8 +794,7 @@ export const registerRoutes = async (
   const projectUserAdditionalPrivilegeService = projectUserAdditionalPrivilegeServiceFactory({
     permissionService,
     projectMembershipDAL,
-    projectUserAdditionalPrivilegeDAL,
-    accessApprovalRequestDAL
+    projectUserAdditionalPrivilegeDAL
   });
   const projectKeyService = projectKeyServiceFactory({
     permissionService,
@@ -850,7 +838,6 @@ export const registerRoutes = async (
   const pkiCollectionDAL = pkiCollectionDALFactory(db);
   const pkiCollectionItemDAL = pkiCollectionItemDALFactory(db);
   const pkiSubscriberDAL = pkiSubscriberDALFactory(db);
-  const pkiTemplatesDAL = pkiTemplatesDALFactory(db);
 
   const certificateService = certificateServiceFactory({
     certificateDAL,
@@ -1231,7 +1218,6 @@ export const registerRoutes = async (
   const accessApprovalPolicyService = accessApprovalPolicyServiceFactory({
     accessApprovalPolicyDAL,
     accessApprovalPolicyApproverDAL,
-    accessApprovalPolicyBypasserDAL,
     groupDAL,
     permissionService,
     projectEnvDAL,
@@ -1240,8 +1226,7 @@ export const registerRoutes = async (
     userDAL,
     accessApprovalRequestDAL,
     additionalPrivilegeDAL: projectUserAdditionalPrivilegeDAL,
-    accessApprovalRequestReviewerDAL,
-    orgMembershipDAL
+    accessApprovalRequestReviewerDAL
   });
 
   const accessApprovalRequestService = accessApprovalRequestServiceFactory({
@@ -1758,21 +1743,6 @@ export const registerRoutes = async (
     internalCaFns
   });
 
-  const pkiTemplateService = pkiTemplatesServiceFactory({
-    pkiTemplatesDAL,
-    certificateAuthorityDAL,
-    certificateAuthorityCertDAL,
-    certificateAuthoritySecretDAL,
-    certificateAuthorityCrlDAL,
-    certificateDAL,
-    certificateBodyDAL,
-    certificateSecretDAL,
-    projectDAL,
-    kmsService,
-    permissionService,
-    internalCaFns
-  });
-
   await secretRotationV2QueueServiceFactory({
     secretRotationV2Service,
     secretRotationV2DAL,
@@ -1866,7 +1836,6 @@ export const registerRoutes = async (
     pkiAlert: pkiAlertService,
     pkiCollection: pkiCollectionService,
     pkiSubscriber: pkiSubscriberService,
-    pkiTemplate: pkiTemplateService,
     secretScanning: secretScanningService,
     license: licenseService,
     trustedIp: trustedIpService,

backend/src/server/routes/v1/certificate-template-router.ts

@@ -5,7 +5,6 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags, CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertExtendedKeyUsage, CertKeyUsage } from "@app/services/certificate/certificate-types";
@@ -73,7 +72,7 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
       body: z.object({
         caId: z.string().describe(CERTIFICATE_TEMPLATES.CREATE.caId),
         pkiCollectionId: z.string().optional().describe(CERTIFICATE_TEMPLATES.CREATE.pkiCollectionId),
-        name: slugSchema().describe(CERTIFICATE_TEMPLATES.CREATE.name),
+        name: z.string().min(1).describe(CERTIFICATE_TEMPLATES.CREATE.name),
         commonName: validateTemplateRegexField.describe(CERTIFICATE_TEMPLATES.CREATE.commonName),
         subjectAlternativeName: validateTemplateRegexField.describe(
           CERTIFICATE_TEMPLATES.CREATE.subjectAlternativeName
@@ -142,7 +141,7 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
       body: z.object({
         caId: z.string().optional().describe(CERTIFICATE_TEMPLATES.UPDATE.caId),
         pkiCollectionId: z.string().optional().describe(CERTIFICATE_TEMPLATES.UPDATE.pkiCollectionId),
-        name: slugSchema().optional().describe(CERTIFICATE_TEMPLATES.UPDATE.name),
+        name: z.string().min(1).optional().describe(CERTIFICATE_TEMPLATES.UPDATE.name),
         commonName: validateTemplateRegexField.optional().describe(CERTIFICATE_TEMPLATES.UPDATE.commonName),
         subjectAlternativeName: validateTemplateRegexField
           .optional()

backend/src/server/routes/v2/index.ts

@@ -5,7 +5,6 @@ import { registerIdentityProjectRouter } from "./identity-project-router";
 import { registerMfaRouter } from "./mfa-router";
 import { registerOrgRouter } from "./organization-router";
 import { registerPasswordRouter } from "./password-router";
-import { registerPkiTemplatesRouter } from "./pki-templates-router";
 import { registerProjectMembershipRouter } from "./project-membership-router";
 import { registerProjectRouter } from "./project-router";
 import { registerServiceTokenRouter } from "./service-token-router";
@@ -16,15 +15,7 @@ export const registerV2Routes = async (server: FastifyZodProvider) => {
   await server.register(registerUserRouter, { prefix: "/users" });
   await server.register(registerServiceTokenRouter, { prefix: "/service-token" });
   await server.register(registerPasswordRouter, { prefix: "/password" });
-
-  await server.register(
-    async (pkiRouter) => {
-      await pkiRouter.register(registerCaRouter, { prefix: "/ca" });
-      await pkiRouter.register(registerPkiTemplatesRouter, { prefix: "/certificate-templates" });
-    },
-    { prefix: "/pki" }
-  );
-
+  await server.register(registerCaRouter, { prefix: "/pki/ca" });
   await server.register(
     async (orgRouter) => {
       await orgRouter.register(registerOrgRouter);

backend/src/server/routes/v2/pki-templates-router.ts

@@ -1,309 +0,0 @@
-import { z } from "zod";
-
-import { CertificateTemplatesSchema } from "@app/db/schemas";
-import { ApiDocsTags } from "@app/lib/api-docs";
-import { ms } from "@app/lib/ms";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { slugSchema } from "@app/server/lib/schemas";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { CertExtendedKeyUsage, CertKeyUsage } from "@app/services/certificate/certificate-types";
-import {
-  validateAltNamesField,
-  validateCaDateField
-} from "@app/services/certificate-authority/certificate-authority-validators";
-import { validateTemplateRegexField } from "@app/services/certificate-template/certificate-template-validators";
-
-export const registerPkiTemplatesRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.PkiCertificateTemplates],
-      body: z.object({
-        name: slugSchema(),
-        caName: slugSchema({ field: "caName" }),
-        projectId: z.string(),
-        commonName: validateTemplateRegexField,
-        subjectAlternativeName: validateTemplateRegexField,
-        ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number"),
-        keyUsages: z
-          .nativeEnum(CertKeyUsage)
-          .array()
-          .optional()
-          .default([CertKeyUsage.DIGITAL_SIGNATURE, CertKeyUsage.KEY_ENCIPHERMENT]),
-        extendedKeyUsages: z.nativeEnum(CertExtendedKeyUsage).array().optional().default([])
-      }),
-      response: {
-        200: z.object({
-          certificateTemplate: CertificateTemplatesSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const certificateTemplate = await server.services.pkiTemplate.createTemplate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body
-      });
-
-      return { certificateTemplate };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/:templateName",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.PkiCertificateTemplates],
-      params: z.object({
-        templateName: slugSchema()
-      }),
-      body: z.object({
-        name: slugSchema().optional(),
-        caName: slugSchema(),
-        projectId: z.string(),
-        commonName: validateTemplateRegexField.optional(),
-        subjectAlternativeName: validateTemplateRegexField.optional(),
-        ttl: z
-          .string()
-          .refine((val) => ms(val) > 0, "TTL must be a positive number")
-          .optional(),
-        keyUsages: z
-          .nativeEnum(CertKeyUsage)
-          .array()
-          .optional()
-          .default([CertKeyUsage.DIGITAL_SIGNATURE, CertKeyUsage.KEY_ENCIPHERMENT]),
-        extendedKeyUsages: z.nativeEnum(CertExtendedKeyUsage).array().optional().default([])
-      }),
-      response: {
-        200: z.object({
-          certificateTemplate: CertificateTemplatesSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const certificateTemplate = await server.services.pkiTemplate.updateTemplate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        templateName: req.params.templateName,
-        ...req.body
-      });
-
-      return { certificateTemplate };
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/:templateName",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.PkiCertificateTemplates],
-      params: z.object({
-        templateName: z.string().min(1)
-      }),
-      body: z.object({
-        projectId: z.string()
-      }),
-      response: {
-        200: z.object({
-          certificateTemplate: CertificateTemplatesSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const certificateTemplate = await server.services.pkiTemplate.deleteTemplate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        templateName: req.params.templateName,
-        projectId: req.body.projectId
-      });
-
-      return { certificateTemplate };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:templateName",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.PkiCertificateTemplates],
-      params: z.object({
-        templateName: slugSchema()
-      }),
-      querystring: z.object({
-        projectId: z.string()
-      }),
-      response: {
-        200: z.object({
-          certificateTemplate: CertificateTemplatesSchema.extend({
-            ca: z.object({ id: z.string(), name: z.string() })
-          })
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const certificateTemplate = await server.services.pkiTemplate.getTemplateByName({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        templateName: req.params.templateName,
-        projectId: req.query.projectId
-      });
-
-      return { certificateTemplate };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.PkiCertificateTemplates],
-      querystring: z.object({
-        projectId: z.string(),
-        limit: z.coerce.number().default(100),
-        offset: z.coerce.number().default(0)
-      }),
-      response: {
-        200: z.object({
-          certificateTemplates: CertificateTemplatesSchema.extend({
-            ca: z.object({ id: z.string(), name: z.string() })
-          }).array(),
-          totalCount: z.number()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { certificateTemplates, totalCount } = await server.services.pkiTemplate.listTemplate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.query
-      });
-
-      return { certificateTemplates, totalCount };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/:templateName/issue-certificate",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.PkiCertificateTemplates],
-      params: z.object({
-        templateName: slugSchema()
-      }),
-      body: z.object({
-        projectId: z.string(),
-        commonName: validateTemplateRegexField,
-        ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number"),
-        keyUsages: z.nativeEnum(CertKeyUsage).array().optional(),
-        extendedKeyUsages: z.nativeEnum(CertExtendedKeyUsage).array().optional(),
-        notBefore: validateCaDateField.optional(),
-        notAfter: validateCaDateField.optional(),
-        altNames: validateAltNamesField
-      }),
-      response: {
-        200: z.object({
-          certificate: z.string().trim(),
-          issuingCaCertificate: z.string().trim(),
-          certificateChain: z.string().trim(),
-          privateKey: z.string().trim(),
-          serialNumber: z.string().trim()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const data = await server.services.pkiTemplate.issueCertificate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        templateName: req.params.templateName,
-        ...req.body
-      });
-
-      return data;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/:templateName/sign-certificate",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.PkiCertificateTemplates],
-      params: z.object({
-        templateName: slugSchema()
-      }),
-      body: z.object({
-        projectId: z.string(),
-        ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number"),
-        csr: z.string().trim().min(1).max(4096)
-      }),
-      response: {
-        200: z.object({
-          certificate: z.string().trim(),
-          issuingCaCertificate: z.string().trim(),
-          certificateChain: z.string().trim(),
-          serialNumber: z.string().trim()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const data = await server.services.pkiTemplate.signCertificate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        templateName: req.params.templateName,
-        ...req.body
-      });
-
-      return data;
-    }
-  });
-};

backend/src/services/certificate-authority/certificate-authority-service.ts

@@ -311,6 +311,7 @@ export const certificateAuthorityServiceFactory = ({
       }
 
       const updatedCa = await internalCertificateAuthorityService.updateCaById({
+        ...configuration,
         isInternal: true,
         enableDirectIssuance,
         caId: certificateAuthority.id,

backend/src/services/certificate-authority/internal/internal-certificate-authority-fns.ts

@@ -1,10 +1,8 @@
-/* eslint-disable no-bitwise */
 import * as x509 from "@peculiar/x509";
 import { KeyObject } from "crypto";
-import RE2 from "re2";
 import { z } from "zod";
 
-import { TCertificateTemplates, TPkiSubscribers } from "@app/db/schemas";
+import { TPkiSubscribers } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
@@ -33,7 +31,6 @@ import {
   keyAlgorithmToAlgCfg
 } from "../certificate-authority-fns";
 import { TCertificateAuthoritySecretDALFactory } from "../certificate-authority-secret-dal";
-import { TIssueCertWithTemplateDTO } from "./internal-certificate-authority-types";
 
 type TInternalCertificateAuthorityFnsDeps = {
   certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findByIdWithAssociatedCa" | "findById">;
@@ -260,274 +257,7 @@ export const InternalCertificateAuthorityFns = ({
     };
   };
 
-  const issueCertificateWithTemplate = async (
-    ca: Awaited<ReturnType<TCertificateAuthorityDALFactory["findByIdWithAssociatedCa"]>>,
-    certificateTemplate: TCertificateTemplates,
-    { altNames, commonName, ttl, extendedKeyUsages, keyUsages, notAfter, notBefore }: TIssueCertWithTemplateDTO
-  ) => {
-    if (ca.status !== CaStatus.ACTIVE) throw new BadRequestError({ message: "CA is not active" });
-    if (!ca.internalCa?.activeCaCertId)
-      throw new BadRequestError({ message: "CA does not have a certificate installed" });
-
-    const caCert = await certificateAuthorityCertDAL.findById(ca.internalCa.activeCaCertId);
-
-    const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
-      projectId: ca.projectId,
-      projectDAL,
-      kmsService
-    });
-
-    const kmsDecryptor = await kmsService.decryptWithKmsKey({
-      kmsId: certificateManagerKmsId
-    });
-
-    const decryptedCaCert = await kmsDecryptor({
-      cipherTextBlob: caCert.encryptedCertificate
-    });
-
-    const caCertObj = new x509.X509Certificate(decryptedCaCert);
-    const notBeforeDate = notBefore ? new Date(notBefore) : new Date();
-
-    let notAfterDate = new Date(new Date().setFullYear(new Date().getFullYear() + 1));
-    if (notAfter) {
-      notAfterDate = new Date(notAfter);
-    } else if (ttl) {
-      notAfterDate = new Date(new Date().getTime() + ms(ttl));
-    }
-
-    const caCertNotBeforeDate = new Date(caCertObj.notBefore);
-    const caCertNotAfterDate = new Date(caCertObj.notAfter);
-
-    // check not before constraint
-    if (notBeforeDate < caCertNotBeforeDate) {
-      throw new BadRequestError({ message: "notBefore date is before CA certificate's notBefore date" });
-    }
-
-    // check not after constraint
-    if (notAfterDate > caCertNotAfterDate) {
-      throw new BadRequestError({ message: "notAfter date is after CA certificate's notAfter date" });
-    }
-
-    const commonNameRegex = new RE2(certificateTemplate.commonName);
-    if (!commonNameRegex.test(commonName)) {
-      throw new BadRequestError({
-        message: "Invalid common name based on template policy"
-      });
-    }
-
-    if (notAfterDate.getTime() - notBeforeDate.getTime() > ms(certificateTemplate.ttl)) {
-      throw new BadRequestError({
-        message: "Invalid validity date based on template policy"
-      });
-    }
-
-    const subjectAlternativeNameRegex = new RE2(certificateTemplate.subjectAlternativeName);
-    altNames.split(",").forEach((altName) => {
-      if (!subjectAlternativeNameRegex.test(altName)) {
-        throw new BadRequestError({
-          message: "Invalid subject alternative name based on template policy"
-        });
-      }
-    });
-
-    const alg = keyAlgorithmToAlgCfg(ca.internalCa.keyAlgorithm as CertKeyAlgorithm);
-    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-
-    const csrObj = await x509.Pkcs10CertificateRequestGenerator.create({
-      name: `CN=${commonName}`,
-      keys: leafKeys,
-      signingAlgorithm: alg,
-      extensions: [
-        // eslint-disable-next-line no-bitwise
-        new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment)
-      ],
-      attributes: [new x509.ChallengePasswordAttribute("password")]
-    });
-
-    const { caPrivateKey, caSecret } = await getCaCredentials({
-      caId: ca.id,
-      certificateAuthorityDAL,
-      certificateAuthoritySecretDAL,
-      projectDAL,
-      kmsService
-    });
-
-    const caCrl = await certificateAuthorityCrlDAL.findOne({ caSecretId: caSecret.id });
-    const appCfg = getConfig();
-
-    const distributionPointUrl = `${appCfg.SITE_URL}/api/v1/pki/crl/${caCrl.id}/der`;
-    const caIssuerUrl = `${appCfg.SITE_URL}/api/v1/pki/ca/${ca.id}/certificates/${caCert.id}/der`;
-
-    const extensions: x509.Extension[] = [
-      new x509.BasicConstraintsExtension(false),
-      new x509.CRLDistributionPointsExtension([distributionPointUrl]),
-      await x509.AuthorityKeyIdentifierExtension.create(caCertObj, false),
-      await x509.SubjectKeyIdentifierExtension.create(csrObj.publicKey),
-      new x509.AuthorityInfoAccessExtension({
-        caIssuers: new x509.GeneralName("url", caIssuerUrl)
-      }),
-      new x509.CertificatePolicyExtension(["2.5.29.32.0"]) // anyPolicy
-    ];
-
-    let selectedKeyUsages: CertKeyUsage[] = keyUsages ?? [];
-    if (keyUsages === undefined && !certificateTemplate) {
-      selectedKeyUsages = [CertKeyUsage.DIGITAL_SIGNATURE, CertKeyUsage.KEY_ENCIPHERMENT];
-    }
-
-    if (keyUsages === undefined && certificateTemplate) {
-      selectedKeyUsages = (certificateTemplate.keyUsages ?? []) as CertKeyUsage[];
-    }
-
-    if (keyUsages?.length && certificateTemplate) {
-      const validKeyUsages = certificateTemplate.keyUsages || [];
-      if (keyUsages.some((keyUsage) => !validKeyUsages.includes(keyUsage))) {
-        throw new BadRequestError({
-          message: "Invalid key usage value based on template policy"
-        });
-      }
-      selectedKeyUsages = keyUsages;
-    }
-
-    const keyUsagesBitValue = selectedKeyUsages.reduce((accum, keyUsage) => accum | x509.KeyUsageFlags[keyUsage], 0);
-    if (keyUsagesBitValue) {
-      extensions.push(new x509.KeyUsagesExtension(keyUsagesBitValue, true));
-    }
-
-    // handle extended key usages
-    let selectedExtendedKeyUsages: CertExtendedKeyUsage[] = extendedKeyUsages ?? [];
-    if (extendedKeyUsages === undefined && certificateTemplate) {
-      selectedExtendedKeyUsages = (certificateTemplate.extendedKeyUsages ?? []) as CertExtendedKeyUsage[];
-    }
-
-    if (extendedKeyUsages?.length && certificateTemplate) {
-      const validExtendedKeyUsages = certificateTemplate.extendedKeyUsages || [];
-      if (extendedKeyUsages.some((eku) => !validExtendedKeyUsages.includes(eku))) {
-        throw new BadRequestError({
-          message: "Invalid extended key usage value based on template policy"
-        });
-      }
-      selectedExtendedKeyUsages = extendedKeyUsages;
-    }
-
-    if (selectedExtendedKeyUsages.length) {
-      extensions.push(
-        new x509.ExtendedKeyUsageExtension(
-          selectedExtendedKeyUsages.map((eku) => x509.ExtendedKeyUsage[eku]),
-          true
-        )
-      );
-    }
-
-    let altNamesArray: { type: "email" | "dns"; value: string }[] = [];
-
-    if (altNames) {
-      altNamesArray = altNames.split(",").map((altName) => {
-        if (z.string().email().safeParse(altName).success) {
-          return { type: "email", value: altName };
-        }
-
-        if (isFQDN(altName, { allow_wildcard: true })) {
-          return { type: "dns", value: altName };
-        }
-
-        throw new BadRequestError({ message: `Invalid SAN entry: ${altName}` });
-      });
-
-      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
-      extensions.push(altNamesExtension);
-    }
-
-    const serialNumber = createSerialNumber();
-    const leafCert = await x509.X509CertificateGenerator.create({
-      serialNumber,
-      subject: csrObj.subject,
-      issuer: caCertObj.subject,
-      notBefore: notBeforeDate,
-      notAfter: notAfterDate,
-      signingKey: caPrivateKey,
-      publicKey: csrObj.publicKey,
-      signingAlgorithm: alg,
-      extensions
-    });
-
-    const skLeafObj = KeyObject.from(leafKeys.privateKey);
-    const skLeaf = skLeafObj.export({ format: "pem", type: "pkcs8" }) as string;
-
-    const kmsEncryptor = await kmsService.encryptWithKmsKey({
-      kmsId: certificateManagerKmsId
-    });
-    const { cipherTextBlob: encryptedCertificate } = await kmsEncryptor({
-      plainText: Buffer.from(new Uint8Array(leafCert.rawData))
-    });
-    const { cipherTextBlob: encryptedPrivateKey } = await kmsEncryptor({
-      plainText: Buffer.from(skLeaf)
-    });
-
-    const { caCert: issuingCaCertificate, caCertChain } = await getCaCertChain({
-      caCertId: caCert.id,
-      certificateAuthorityDAL,
-      certificateAuthorityCertDAL,
-      projectDAL,
-      kmsService
-    });
-
-    const certificateChainPem = `${issuingCaCertificate}\n${caCertChain}`.trim();
-
-    const { cipherTextBlob: encryptedCertificateChain } = await kmsEncryptor({
-      plainText: Buffer.from(certificateChainPem)
-    });
-
-    await certificateDAL.transaction(async (tx) => {
-      const cert = await certificateDAL.create(
-        {
-          caId: ca.id,
-          caCertId: caCert.id,
-          status: CertStatus.ACTIVE,
-          friendlyName: commonName,
-          commonName,
-          altNames,
-          serialNumber,
-          notBefore: notBeforeDate,
-          notAfter: notAfterDate,
-          keyUsages: selectedKeyUsages,
-          extendedKeyUsages: selectedExtendedKeyUsages,
-          projectId: ca.projectId,
-          certificateTemplateId: certificateTemplate.id
-        },
-        tx
-      );
-
-      await certificateBodyDAL.create(
-        {
-          certId: cert.id,
-          encryptedCertificate,
-          encryptedCertificateChain
-        },
-        tx
-      );
-
-      await certificateSecretDAL.create(
-        {
-          certId: cert.id,
-          encryptedPrivateKey
-        },
-        tx
-      );
-    });
-
-    return {
-      certificate: leafCert.toString("pem"),
-      certificateChain: certificateChainPem,
-      issuingCaCertificate,
-      privateKey: skLeaf,
-      serialNumber,
-      ca,
-      template: certificateTemplate
-    };
-  };
-
   return {
-    issueCertificate,
-    issueCertificateWithTemplate
+    issueCertificate
   };
 };

backend/src/services/certificate-authority/internal/internal-certificate-authority-schemas.ts

@@ -55,4 +55,8 @@ export const CreateInternalCertificateAuthoritySchema = GenericCreateCertificate
   configuration: InternalCertificateAuthorityConfigurationSchema
 });
 
-export const UpdateInternalCertificateAuthoritySchema = GenericUpdateCertificateAuthorityFieldsSchema(CaType.INTERNAL);
+export const UpdateInternalCertificateAuthoritySchema = GenericUpdateCertificateAuthorityFieldsSchema(
+  CaType.INTERNAL
+).extend({
+  configuration: InternalCertificateAuthorityConfigurationSchema.optional()
+});

backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts

@@ -1,5 +1,5 @@
 /* eslint-disable no-bitwise */
-import { ForbiddenError, subject } from "@casl/ability";
+import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import slugify from "@sindresorhus/slugify";
 import crypto, { KeyObject } from "crypto";
@@ -16,7 +16,6 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import {
   ProjectPermissionActions,
   ProjectPermissionCertificateActions,
-  ProjectPermissionPkiTemplateActions,
   ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
 import { extractX509CertFromChain } from "@app/lib/certificates/extract-certificate";
@@ -1953,15 +1952,15 @@ export const internalCertificateAuthorityServiceFactory = ({
       actionProjectType: ActionProjectType.CertificateManager
     });
 
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      ProjectPermissionSub.CertificateTemplates
+    );
+
     const certificateTemplates = await certificateTemplateDAL.find({ caId });
 
     return {
-      certificateTemplates: certificateTemplates.filter((el) =>
-        permission.can(
-          ProjectPermissionPkiTemplateActions.Read,
-          subject(ProjectPermissionSub.CertificateTemplates, { name: el.name })
-        )
-      ),
+      certificateTemplates,
       ca: expandInternalCa(ca)
     };
   };

backend/src/services/certificate-authority/internal/internal-certificate-authority-types.ts

@@ -221,13 +221,3 @@ export type TOrderCertificateForSubscriberDTO = {
   subscriberId: string;
   caType: CaType;
 };
-
-export type TIssueCertWithTemplateDTO = {
-  commonName: string;
-  altNames: string;
-  ttl: string;
-  notBefore?: string;
-  notAfter?: string;
-  keyUsages?: CertKeyUsage[];
-  extendedKeyUsages?: CertExtendedKeyUsage[];
-};

backend/src/services/certificate-template/certificate-template-schema.ts

@@ -18,20 +18,3 @@ export const sanitizedCertificateTemplate = CertificateTemplatesSchema.pick({
     caName: z.string()
   })
 );
-
-export const sanitizedCertificateTemplateV2 = CertificateTemplatesSchema.pick({
-  id: true,
-  caId: true,
-  name: true,
-  commonName: true,
-  subjectAlternativeName: true,
-  pkiCollectionId: true,
-  ttl: true,
-  keyUsages: true,
-  extendedKeyUsages: true
-}).merge(
-  z.object({
-    projectId: z.string(),
-    caName: z.string()
-  })
-);

backend/src/services/certificate-template/certificate-template-service.ts

@@ -1,14 +1,11 @@
-import { ForbiddenError, subject } from "@casl/ability";
+import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import bcrypt from "bcrypt";
 
 import { ActionProjectType, TCertificateTemplateEstConfigsUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import {
-  ProjectPermissionPkiTemplateActions,
-  ProjectPermissionSub
-} from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { extractX509CertFromChain } from "@app/lib/certificates/extract-certificate";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -81,8 +78,8 @@ export const certificateTemplateServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Create,
-      subject(ProjectPermissionSub.CertificateTemplates, { name })
+      ProjectPermissionActions.Create,
+      ProjectPermissionSub.CertificateTemplates
     );
 
     return certificateTemplateDAL.transaction(async (tx) => {
@@ -143,8 +140,8 @@ export const certificateTemplateServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Edit,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: certTemplate.name })
+      ProjectPermissionActions.Edit,
+      ProjectPermissionSub.CertificateTemplates
     );
 
     if (caId) {
@@ -156,13 +153,6 @@ export const certificateTemplateServiceFactory = ({
       }
     }
 
-    if (name) {
-      ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionPkiTemplateActions.Create,
-        subject(ProjectPermissionSub.CertificateTemplates, { name })
-      );
-    }
-
     return certificateTemplateDAL.transaction(async (tx) => {
       await certificateTemplateDAL.updateById(
         certTemplate.id,
@@ -208,8 +198,8 @@ export const certificateTemplateServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Delete,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: certTemplate.name })
+      ProjectPermissionActions.Delete,
+      ProjectPermissionSub.CertificateTemplates
     );
 
     await certificateTemplateDAL.deleteById(certTemplate.id);
@@ -235,8 +225,8 @@ export const certificateTemplateServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Read,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: certTemplate.name })
+      ProjectPermissionActions.Read,
+      ProjectPermissionSub.CertificateTemplates
     );
 
     return certTemplate;
@@ -277,8 +267,8 @@ export const certificateTemplateServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Edit,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: certTemplate.name })
+      ProjectPermissionActions.Edit,
+      ProjectPermissionSub.CertificateTemplates
     );
 
     const appCfg = getConfig();
@@ -360,8 +350,8 @@ export const certificateTemplateServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Edit,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: certTemplate.name })
+      ProjectPermissionActions.Edit,
+      ProjectPermissionSub.CertificateTemplates
     );
 
     const originalCaEstConfig = await certificateTemplateEstConfigDAL.findOne({
@@ -440,8 +430,8 @@ export const certificateTemplateServiceFactory = ({
       });
 
       ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionPkiTemplateActions.Edit,
-        subject(ProjectPermissionSub.CertificateTemplates, { name: certTemplate.name })
+        ProjectPermissionActions.Edit,
+        ProjectPermissionSub.CertificateTemplates
       );
     }
 

backend/src/services/pki-subscriber/pki-subscriber-service.ts

@@ -137,15 +137,6 @@ export const pkiSubscriberServiceFactory = ({
       }
     }
 
-    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) {
-      throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
-    }
-
-    if (ca.projectId !== projectId) {
-      throw new BadRequestError({ message: "CA does not belong to the project" });
-    }
-
     const newSubscriber = await pkiSubscriberDAL.create({
       caId,
       projectId,
@@ -254,17 +245,6 @@ export const pkiSubscriberServiceFactory = ({
       }
     }
 
-    if (caId) {
-      const ca = await certificateAuthorityDAL.findById(caId);
-      if (!ca) {
-        throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
-      }
-
-      if (ca.projectId !== projectId) {
-        throw new BadRequestError({ message: "CA does not belong to the project" });
-      }
-    }
-
     const updatedSubscriber = await pkiSubscriberDAL.updateById(subscriber.id, {
       caId,
       name,

backend/src/services/pki-templates/pki-templates-dal.ts

@@ -1,102 +0,0 @@
-import { Knex } from "knex";
-import { Tables } from "knex/types/tables";
-
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import { buildFindFilter, ormify, selectAllTableCols, TFindFilter, TFindOpt, TFindReturn } from "@app/lib/knex";
-
-export type TPkiTemplatesDALFactory = ReturnType<typeof pkiTemplatesDALFactory>;
-
-export const pkiTemplatesDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.CertificateTemplate);
-
-  const findOne = async (
-    filter: Partial<Tables[TableName.CertificateTemplate]["base"] & { projectId: string }>,
-    tx?: Knex
-  ) => {
-    try {
-      const { projectId, ...templateFilters } = filter;
-      const res = await (tx || db.replicaNode())(TableName.CertificateTemplate)
-        .join(
-          TableName.CertificateAuthority,
-          `${TableName.CertificateAuthority}.id`,
-          `${TableName.CertificateTemplate}.caId`
-        )
-        // eslint-disable-next-line @typescript-eslint/no-misused-promises
-        .where(buildFindFilter(templateFilters, TableName.CertificateTemplate))
-        .where((qb) => {
-          if (projectId) {
-            // eslint-disable-next-line @typescript-eslint/no-misused-promises
-            void qb.where(buildFindFilter({ projectId }, TableName.CertificateAuthority));
-          }
-        })
-        .select(selectAllTableCols(TableName.CertificateTemplate))
-        .select(db.ref("name").withSchema(TableName.CertificateAuthority).as("caName"))
-        .select(db.ref("projectId").withSchema(TableName.CertificateAuthority))
-        .first();
-
-      if (!res) return undefined;
-
-      return { ...res, ca: { id: res.caId, name: res.caName } };
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find one" });
-    }
-  };
-
-  const find = async <
-    TCount extends boolean = false,
-    TCountDistinct extends keyof Tables[TableName.CertificateTemplate]["base"] | undefined = undefined
-  >(
-    filter: TFindFilter<Tables[TableName.CertificateTemplate]["base"]> & { projectId: string },
-    {
-      offset,
-      limit,
-      sort,
-      count,
-      tx,
-      countDistinct
-    }: TFindOpt<Tables[TableName.CertificateTemplate]["base"], TCount, TCountDistinct> = {}
-  ) => {
-    try {
-      const { projectId, ...templateFilters } = filter;
-
-      const query = (tx || db.replicaNode())(TableName.CertificateTemplate)
-        .join(
-          TableName.CertificateAuthority,
-          `${TableName.CertificateAuthority}.id`,
-          `${TableName.CertificateTemplate}.caId`
-        )
-        // eslint-disable-next-line @typescript-eslint/no-misused-promises
-        .where(buildFindFilter(templateFilters, TableName.CertificateTemplate))
-        .where((qb) => {
-          if (projectId) {
-            // eslint-disable-next-line @typescript-eslint/no-misused-promises
-            void qb.where(buildFindFilter({ projectId }, TableName.CertificateAuthority));
-          }
-        })
-        .select(selectAllTableCols(TableName.CertificateTemplate))
-        .select(db.ref("projectId").withSchema(TableName.CertificateAuthority))
-        .select(db.ref("name").withSchema(TableName.CertificateAuthority).as("caName"));
-
-      if (countDistinct) {
-        void query.countDistinct(countDistinct);
-      } else if (count) {
-        void query.select(db.raw("COUNT(*) OVER() AS count"));
-      }
-
-      if (limit) void query.limit(limit);
-      if (offset) void query.offset(offset);
-      if (sort) {
-        void query.orderBy(sort.map(([column, order, nulls]) => ({ column: column as string, order, nulls })));
-      }
-
-      const res = (await query) as TFindReturn<typeof query, TCountDistinct extends undefined ? TCount : true>;
-      return res.map((el) => ({ ...el, ca: { id: el.caId, name: el.caName } }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find one" });
-    }
-  };
-
-  return { ...orm, find, findOne };
-};

backend/src/services/pki-templates/pki-templates-service.ts

@@ -1,644 +0,0 @@
-/* eslint-disable no-bitwise */
-import { ForbiddenError, subject } from "@casl/ability";
-import * as x509 from "@peculiar/x509";
-import RE2 from "re2";
-
-import { ActionProjectType } from "@app/db/schemas";
-import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import {
-  ProjectPermissionPkiTemplateActions,
-  ProjectPermissionSub
-} from "@app/ee/services/permission/project-permission";
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { ms } from "@app/lib/ms";
-
-import { TCertificateBodyDALFactory } from "../certificate/certificate-body-dal";
-import { TCertificateDALFactory } from "../certificate/certificate-dal";
-import { TCertificateSecretDALFactory } from "../certificate/certificate-secret-dal";
-import {
-  CertExtendedKeyUsage,
-  CertExtendedKeyUsageOIDToName,
-  CertKeyAlgorithm,
-  CertKeyUsage,
-  CertStatus
-} from "../certificate/certificate-types";
-import { TCertificateAuthorityCertDALFactory } from "../certificate-authority/certificate-authority-cert-dal";
-import { TCertificateAuthorityDALFactory } from "../certificate-authority/certificate-authority-dal";
-import { CaStatus } from "../certificate-authority/certificate-authority-enums";
-import {
-  createSerialNumber,
-  expandInternalCa,
-  getCaCertChain,
-  getCaCredentials,
-  keyAlgorithmToAlgCfg,
-  parseDistinguishedName
-} from "../certificate-authority/certificate-authority-fns";
-import { TCertificateAuthoritySecretDALFactory } from "../certificate-authority/certificate-authority-secret-dal";
-import { InternalCertificateAuthorityFns } from "../certificate-authority/internal/internal-certificate-authority-fns";
-import { TKmsServiceFactory } from "../kms/kms-service";
-import { TProjectDALFactory } from "../project/project-dal";
-import { getProjectKmsCertificateKeyId } from "../project/project-fns";
-import { TPkiTemplatesDALFactory } from "./pki-templates-dal";
-import {
-  TCreatePkiTemplateDTO,
-  TDeletePkiTemplateDTO,
-  TGetPkiTemplateDTO,
-  TIssueCertPkiTemplateDTO,
-  TListPkiTemplateDTO,
-  TSignCertPkiTemplateDTO,
-  TUpdatePkiTemplateDTO
-} from "./pki-templates-types";
-
-type TPkiTemplatesServiceFactoryDep = {
-  pkiTemplatesDAL: TPkiTemplatesDALFactory;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  certificateAuthorityDAL: Pick<
-    TCertificateAuthorityDALFactory,
-    | "findByIdWithAssociatedCa"
-    | "findById"
-    | "transaction"
-    | "create"
-    | "updateById"
-    | "findWithAssociatedCa"
-    | "findOne"
-  >;
-  internalCaFns: ReturnType<typeof InternalCertificateAuthorityFns>;
-  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "decryptWithKmsKey" | "encryptWithKmsKey">;
-  certificateAuthorityCertDAL: Pick<TCertificateAuthorityCertDALFactory, "findById">;
-  certificateAuthoritySecretDAL: Pick<TCertificateAuthoritySecretDALFactory, "findOne">;
-  certificateAuthorityCrlDAL: Pick<TCertificateAuthorityCrlDALFactory, "findOne">;
-  certificateDAL: Pick<
-    TCertificateDALFactory,
-    "create" | "transaction" | "countCertificatesForPkiSubscriber" | "findLatestActiveCertForSubscriber" | "find"
-  >;
-  certificateSecretDAL: Pick<TCertificateSecretDALFactory, "create" | "findOne">;
-  certificateBodyDAL: Pick<TCertificateBodyDALFactory, "create" | "findOne">;
-  projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction" | "findById" | "find">;
-};
-
-export type TPkiTemplatesServiceFactory = ReturnType<typeof pkiTemplatesServiceFactory>;
-
-export const pkiTemplatesServiceFactory = ({
-  pkiTemplatesDAL,
-  permissionService,
-  internalCaFns,
-  certificateAuthorityDAL,
-  certificateAuthorityCertDAL,
-  certificateAuthoritySecretDAL,
-  certificateAuthorityCrlDAL,
-  certificateDAL,
-  certificateBodyDAL,
-  kmsService,
-  projectDAL
-}: TPkiTemplatesServiceFactoryDep) => {
-  const createTemplate = async ({
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId,
-    caName,
-    commonName,
-    extendedKeyUsages,
-    keyUsages,
-    name,
-    subjectAlternativeName,
-    ttl,
-    projectId
-  }: TCreatePkiTemplateDTO) => {
-    const ca = await certificateAuthorityDAL.findOne({ name: caName, projectId });
-    if (!ca) {
-      throw new NotFoundError({
-        message: `CA with name ${caName} not found`
-      });
-    }
-
-    const { permission } = await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId: ca.projectId,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Create,
-      subject(ProjectPermissionSub.CertificateTemplates, { name })
-    );
-
-    const existingTemplate = await pkiTemplatesDAL.findOne({ name, projectId: ca.projectId });
-    if (existingTemplate) {
-      throw new BadRequestError({ message: `Template with name ${name} already exists.` });
-    }
-
-    const newTemplate = await pkiTemplatesDAL.create({
-      caId: ca.id,
-      name,
-      commonName,
-      subjectAlternativeName,
-      ttl,
-      keyUsages,
-      extendedKeyUsages
-    });
-    return newTemplate;
-  };
-
-  const updateTemplate = async ({
-    templateName,
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId,
-    caName,
-    commonName,
-    extendedKeyUsages,
-    keyUsages,
-    name,
-    subjectAlternativeName,
-    ttl,
-    projectId
-  }: TUpdatePkiTemplateDTO) => {
-    const certTemplate = await pkiTemplatesDAL.findOne({ name: templateName, projectId });
-    if (!certTemplate) {
-      throw new NotFoundError({
-        message: `Certificate template with name ${templateName} not found`
-      });
-    }
-
-    const { permission } = await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId: certTemplate.projectId,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Edit,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: templateName })
-    );
-
-    let caId;
-    if (caName) {
-      const ca = await certificateAuthorityDAL.findOne({ name: caName, projectId });
-      if (!ca || ca.projectId !== certTemplate.projectId) {
-        throw new NotFoundError({
-          message: `CA with name ${caName} not found`
-        });
-      }
-      caId = ca.id;
-    }
-
-    if (name) {
-      ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionPkiTemplateActions.Edit,
-        subject(ProjectPermissionSub.CertificateTemplates, { name })
-      );
-
-      const existingTemplate = await pkiTemplatesDAL.findOne({ name, projectId });
-      if (existingTemplate && existingTemplate.id !== certTemplate.id) {
-        throw new BadRequestError({ message: `Template with name ${name} already exists.` });
-      }
-    }
-
-    const updatedTemplate = await pkiTemplatesDAL.updateById(certTemplate.id, {
-      caId,
-      name,
-      commonName,
-      subjectAlternativeName,
-      ttl,
-      keyUsages,
-      extendedKeyUsages
-    });
-    return updatedTemplate;
-  };
-
-  const deleteTemplate = async ({
-    templateName,
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId,
-    projectId
-  }: TDeletePkiTemplateDTO) => {
-    const certTemplate = await pkiTemplatesDAL.findOne({ name: templateName, projectId });
-    if (!certTemplate) {
-      throw new NotFoundError({
-        message: `Certificate template with name ${templateName} not found`
-      });
-    }
-
-    const { permission } = await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId: certTemplate.projectId,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Delete,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: templateName })
-    );
-
-    const deletedTemplate = await pkiTemplatesDAL.deleteById(certTemplate.id);
-    return deletedTemplate;
-  };
-
-  const getTemplateByName = async ({
-    templateName,
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId,
-    projectId
-  }: TGetPkiTemplateDTO) => {
-    const certTemplate = await pkiTemplatesDAL.findOne({ name: templateName, projectId });
-    if (!certTemplate) {
-      throw new NotFoundError({
-        message: `Certificate template with name ${templateName} not found`
-      });
-    }
-
-    const { permission } = await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId: certTemplate.projectId,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Read,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: templateName })
-    );
-
-    return certTemplate;
-  };
-
-  const listTemplate = async ({
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId,
-    projectId,
-    limit,
-    offset
-  }: TListPkiTemplateDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
-
-    const certTemplate = await pkiTemplatesDAL.find({ projectId }, { limit, offset, count: true });
-    return {
-      certificateTemplates: certTemplate.filter((el) =>
-        permission.can(
-          ProjectPermissionPkiTemplateActions.Read,
-          subject(ProjectPermissionSub.CertificateTemplates, { name: el.name })
-        )
-      ),
-      totalCount: Number(certTemplate?.[0]?.count ?? 0)
-    };
-  };
-
-  const issueCertificate = async ({
-    templateName,
-    projectId,
-    commonName,
-    altNames,
-    ttl,
-    notBefore,
-    notAfter,
-    actorId,
-    actorAuthMethod,
-    actor,
-    actorOrgId,
-    keyUsages,
-    extendedKeyUsages
-  }: TIssueCertPkiTemplateDTO) => {
-    const certTemplate = await pkiTemplatesDAL.findOne({ name: templateName, projectId });
-    if (!certTemplate) {
-      throw new NotFoundError({
-        message: `Certificate template with name ${templateName} not found`
-      });
-    }
-
-    const { permission } = await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId: certTemplate.projectId,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.IssueCert,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: templateName })
-    );
-
-    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(certTemplate.caId);
-    if (ca.internalCa?.id) {
-      return internalCaFns.issueCertificateWithTemplate(ca, certTemplate, {
-        altNames,
-        commonName,
-        ttl,
-        extendedKeyUsages,
-        keyUsages,
-        notAfter,
-        notBefore
-      });
-    }
-
-    throw new BadRequestError({ message: "CA does not support immediate issuance of certificates" });
-  };
-
-  const signCertificate = async ({
-    templateName,
-    csr,
-    projectId,
-    actorId,
-    actorAuthMethod,
-    actor,
-    actorOrgId,
-    ttl
-  }: TSignCertPkiTemplateDTO) => {
-    const certTemplate = await pkiTemplatesDAL.findOne({ name: templateName, projectId });
-    if (!certTemplate) {
-      throw new NotFoundError({
-        message: `Certificate template with name ${templateName} not found`
-      });
-    }
-
-    const { permission } = await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId: certTemplate.projectId,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.IssueCert,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: templateName })
-    );
-
-    const appCfg = getConfig();
-
-    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(certTemplate.caId);
-    if (!ca?.internalCa) throw new NotFoundError({ message: `CA with ID '${certTemplate.caId}' not found` });
-
-    if (ca.status !== CaStatus.ACTIVE) throw new BadRequestError({ message: "CA is not active" });
-    if (!ca.internalCa?.activeCaCertId)
-      throw new BadRequestError({ message: "CA does not have a certificate installed" });
-
-    const caCert = await certificateAuthorityCertDAL.findById(ca.internalCa.activeCaCertId);
-
-    const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
-      projectId: ca.projectId,
-      projectDAL,
-      kmsService
-    });
-    const kmsDecryptor = await kmsService.decryptWithKmsKey({
-      kmsId: certificateManagerKmsId
-    });
-
-    const decryptedCaCert = await kmsDecryptor({
-      cipherTextBlob: caCert.encryptedCertificate
-    });
-
-    const caCertObj = new x509.X509Certificate(decryptedCaCert);
-    const notBeforeDate = new Date();
-    const notAfterDate = new Date(new Date().getTime() + ms(ttl ?? "0"));
-    const caCertNotBeforeDate = new Date(caCertObj.notBefore);
-    const caCertNotAfterDate = new Date(caCertObj.notAfter);
-
-    // check not before constraint
-    if (notBeforeDate < caCertNotBeforeDate) {
-      throw new BadRequestError({ message: "notBefore date is before CA certificate's notBefore date" });
-    }
-
-    // check not after constraint
-    if (notAfterDate > caCertNotAfterDate) {
-      throw new BadRequestError({ message: "notAfter date is after CA certificate's notAfter date" });
-    }
-
-    const alg = keyAlgorithmToAlgCfg(ca.internalCa.keyAlgorithm as CertKeyAlgorithm);
-
-    const csrObj = new x509.Pkcs10CertificateRequest(csr);
-    const dn = parseDistinguishedName(csrObj.subject);
-    const cn = dn.commonName;
-    if (!cn)
-      throw new BadRequestError({
-        message: "Missing common name on CSR"
-      });
-
-    const commonNameRegex = new RE2(certTemplate.commonName);
-    if (!commonNameRegex.test(cn)) {
-      throw new BadRequestError({
-        message: "Invalid common name based on template policy"
-      });
-    }
-
-    if (ms(ttl) > ms(certTemplate.ttl)) {
-      throw new BadRequestError({
-        message: "Invalid validity date based on template policy"
-      });
-    }
-
-    const { caPrivateKey, caSecret } = await getCaCredentials({
-      caId: ca.id,
-      certificateAuthorityDAL,
-      certificateAuthoritySecretDAL,
-      projectDAL,
-      kmsService
-    });
-
-    const caCrl = await certificateAuthorityCrlDAL.findOne({ caSecretId: caSecret.id });
-    const distributionPointUrl = `${appCfg.SITE_URL}/api/v1/pki/crl/${caCrl.id}/der`;
-    const caIssuerUrl = `${appCfg.SITE_URL}/api/v1/pki/ca/${ca.id}/certificates/${caCert.id}/der`;
-
-    const extensions: x509.Extension[] = [
-      new x509.BasicConstraintsExtension(false),
-      await x509.AuthorityKeyIdentifierExtension.create(caCertObj, false),
-      await x509.SubjectKeyIdentifierExtension.create(csrObj.publicKey),
-      new x509.CRLDistributionPointsExtension([distributionPointUrl]),
-      new x509.AuthorityInfoAccessExtension({
-        caIssuers: new x509.GeneralName("url", caIssuerUrl)
-      }),
-      new x509.CertificatePolicyExtension(["2.5.29.32.0"]) // anyPolicy
-    ];
-
-    // handle key usages
-    const csrKeyUsageExtension = csrObj.getExtension("2.5.29.15") as x509.KeyUsagesExtension | undefined; // Better to type as optional
-    let selectedKeyUsages: CertKeyUsage[] = [];
-    if (csrKeyUsageExtension && csrKeyUsageExtension.usages) {
-      selectedKeyUsages = Object.values(CertKeyUsage).filter(
-        (keyUsage) => (x509.KeyUsageFlags[keyUsage] & csrKeyUsageExtension.usages) !== 0
-      );
-      const validKeyUsages = certTemplate.keyUsages || [];
-      if (selectedKeyUsages.some((keyUsage) => !validKeyUsages.includes(keyUsage))) {
-        throw new BadRequestError({
-          message: "Invalid key usage value based on template policy"
-        });
-      }
-
-      const keyUsagesBitValue = selectedKeyUsages.reduce((accum, keyUsage) => accum | x509.KeyUsageFlags[keyUsage], 0);
-      if (keyUsagesBitValue) {
-        extensions.push(new x509.KeyUsagesExtension(keyUsagesBitValue, true));
-      }
-    }
-
-    // handle extended key usage
-    const csrExtendedKeyUsageExtension = csrObj.getExtension("2.5.29.37") as x509.ExtendedKeyUsageExtension | undefined;
-    let selectedExtendedKeyUsages: CertExtendedKeyUsage[] = [];
-    if (csrExtendedKeyUsageExtension && csrExtendedKeyUsageExtension.usages.length > 0) {
-      selectedExtendedKeyUsages = csrExtendedKeyUsageExtension.usages.map(
-        (ekuOid) => CertExtendedKeyUsageOIDToName[ekuOid as string]
-      );
-
-      if (selectedExtendedKeyUsages.some((eku) => !certTemplate?.extendedKeyUsages?.includes(eku))) {
-        throw new BadRequestError({
-          message: "Invalid extended key usage value based on subscriber's specified extended key usages"
-        });
-      }
-
-      if (selectedExtendedKeyUsages.length) {
-        extensions.push(
-          new x509.ExtendedKeyUsageExtension(
-            selectedExtendedKeyUsages.map((eku) => x509.ExtendedKeyUsage[eku]),
-            true
-          )
-        );
-      }
-    }
-
-    // attempt to read from CSR if altNames is not explicitly provided
-    let altNamesArray: {
-      type: "email" | "dns";
-      value: string;
-    }[] = [];
-
-    const sanExtension = csrObj.extensions.find((ext) => ext.type === "2.5.29.17");
-    if (sanExtension) {
-      const sanNames = new x509.GeneralNames(sanExtension.value);
-
-      altNamesArray = sanNames.items
-        .filter((value) => value.type === "email" || value.type === "dns")
-        .map((name) => ({
-          type: name.type as "email" | "dns",
-          value: name.value
-        }));
-    }
-
-    if (altNamesArray.length) {
-      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
-      extensions.push(altNamesExtension);
-    }
-
-    const subjectAlternativeNameRegex = new RE2(certTemplate.subjectAlternativeName);
-    altNamesArray.forEach((altName) => {
-      if (!subjectAlternativeNameRegex.test(altName.value)) {
-        throw new BadRequestError({
-          message: "Invalid subject alternative name based on template policy"
-        });
-      }
-    });
-
-    const serialNumber = createSerialNumber();
-    const leafCert = await x509.X509CertificateGenerator.create({
-      serialNumber,
-      subject: csrObj.subject,
-      issuer: caCertObj.subject,
-      notBefore: notBeforeDate,
-      notAfter: notAfterDate,
-      signingKey: caPrivateKey,
-      publicKey: csrObj.publicKey,
-      signingAlgorithm: alg,
-      extensions
-    });
-
-    const kmsEncryptor = await kmsService.encryptWithKmsKey({
-      kmsId: certificateManagerKmsId
-    });
-    const { cipherTextBlob: encryptedCertificate } = await kmsEncryptor({
-      plainText: Buffer.from(new Uint8Array(leafCert.rawData))
-    });
-
-    const { caCert: issuingCaCertificate, caCertChain } = await getCaCertChain({
-      caCertId: ca.internalCa.activeCaCertId,
-      certificateAuthorityDAL,
-      certificateAuthorityCertDAL,
-      projectDAL,
-      kmsService
-    });
-
-    const certificateChainPem = `${issuingCaCertificate}\n${caCertChain}`.trim();
-
-    const { cipherTextBlob: encryptedCertificateChain } = await kmsEncryptor({
-      plainText: Buffer.from(certificateChainPem)
-    });
-
-    await certificateDAL.transaction(async (tx) => {
-      const cert = await certificateDAL.create(
-        {
-          caId: ca.id,
-          caCertId: caCert.id,
-          status: CertStatus.ACTIVE,
-          friendlyName: cn,
-          commonName: cn,
-          altNames: altNamesArray.map((el) => el.value).join(","),
-          serialNumber,
-          notBefore: notBeforeDate,
-          notAfter: notAfterDate,
-          keyUsages: selectedKeyUsages,
-          extendedKeyUsages: selectedExtendedKeyUsages,
-          projectId
-        },
-        tx
-      );
-
-      await certificateBodyDAL.create(
-        {
-          certId: cert.id,
-          encryptedCertificate,
-          encryptedCertificateChain
-        },
-        tx
-      );
-
-      return cert;
-    });
-
-    return {
-      certificate: leafCert.toString("pem"),
-      certificateChain: `${issuingCaCertificate}\n${caCertChain}`.trim(),
-      issuingCaCertificate,
-      serialNumber,
-      ca: expandInternalCa(ca),
-      commonName: cn,
-      template: certTemplate
-    };
-  };
-
-  return {
-    createTemplate,
-    updateTemplate,
-    getTemplateByName,
-    listTemplate,
-    deleteTemplate,
-    signCertificate,
-    issueCertificate
-  };
-};

backend/src/services/pki-templates/pki-templates-types.ts

@@ -1,53 +0,0 @@
-import { TProjectPermission } from "@app/lib/types";
-import { CertExtendedKeyUsage, CertKeyUsage } from "@app/services/certificate/certificate-types";
-
-export type TCreatePkiTemplateDTO = {
-  caName: string;
-  name: string;
-  commonName: string;
-  subjectAlternativeName: string;
-  ttl: string;
-  keyUsages: CertKeyUsage[];
-  extendedKeyUsages: CertExtendedKeyUsage[];
-} & TProjectPermission;
-
-export type TUpdatePkiTemplateDTO = {
-  templateName: string;
-  caName?: string;
-  name?: string;
-  commonName?: string;
-  subjectAlternativeName?: string;
-  ttl?: string;
-  keyUsages?: CertKeyUsage[];
-  extendedKeyUsages?: CertExtendedKeyUsage[];
-} & TProjectPermission;
-
-export type TListPkiTemplateDTO = {
-  limit?: number;
-  offset?: number;
-} & TProjectPermission;
-
-export type TGetPkiTemplateDTO = {
-  templateName: string;
-} & TProjectPermission;
-
-export type TDeletePkiTemplateDTO = {
-  templateName: string;
-} & TProjectPermission;
-
-export type TIssueCertPkiTemplateDTO = {
-  templateName: string;
-  commonName: string;
-  altNames: string;
-  ttl: string;
-  notBefore?: string;
-  notAfter?: string;
-  keyUsages?: CertKeyUsage[];
-  extendedKeyUsages?: CertExtendedKeyUsage[];
-} & TProjectPermission;
-
-export type TSignCertPkiTemplateDTO = {
-  templateName: string;
-  csr: string;
-  ttl: string;
-} & TProjectPermission;

backend/src/services/project/project-service.ts

@@ -17,7 +17,6 @@ import {
   ProjectPermissionActions,
   ProjectPermissionCertificateActions,
   ProjectPermissionPkiSubscriberActions,
-  ProjectPermissionPkiTemplateActions,
   ProjectPermissionSecretActions,
   ProjectPermissionSshHostActions,
   ProjectPermissionSub
@@ -1132,15 +1131,15 @@ export const projectServiceFactory = ({
       actionProjectType: ActionProjectType.CertificateManager
     });
 
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      ProjectPermissionSub.CertificateTemplates
+    );
+
     const certificateTemplates = await certificateTemplateDAL.getCertTemplatesByProjectId(projectId);
 
     return {
-      certificateTemplates: certificateTemplates.filter((el) =>
-        permission.can(
-          ProjectPermissionPkiTemplateActions.Read,
-          subject(ProjectPermissionSub.CertificateTemplates, { name: el.name })
-        )
-      )
+      certificateTemplates
     };
   };
 

docs/documentation/platform/pki/integration-guides/gloo-mesh.mdx

@@ -1,39 +0,0 @@
----
-title: "Gloo Mesh Integration"
-description: "Learn how to automatically provision and manage Istio intermediate CA certificates for Gloo Mesh using Infisical PKI"
----
-
-This guide will provide a high level overview on how you can use Infisical PKI and cert-manager to issue Istio intermediate CA certificates for your Gloo Mesh workload clusters. For more background about Istio certificates, see the [Istio CA overview](https://istio.io/latest/docs/concepts/security/#pki).
-
-## Overview
-
-In this setup, we will use Infisical PKI to generate and store your root CA and subordinate CAs that are used to generate Istio intermediate CAs for your Gloo Mesh workload clusters. 
-To manage the lifecycle of Istio intermediate CA certificates, you'll also install [cert-manager](https://cert-manager.io/). 
-Cert-manager is a Kubernetes controller that helps you automate the process of obtaining and renewing certificates from various PKI providers.
-
-With this approach, you get the following benefits:
-
-- Securely store your root CA certificates and private keys.
-- Leverage Infisical subordinate CAs for an extra layer of protection beneath your root CA.
-- Use cert-manager to automatically issue and renew Istio intermediate CA certificates from the same root, ensuring cross-cluster workload communication.
-- Increased auditability of private key infrastructure.
-
-
-## General Setup
-The certificate provisioning workflow begins with setting up your PKI hierarchy in Infisical, where you create root and subordinate certificate authorities.
-When you deploy a `Certificate` CRD in your workload cluster, `cert-manager` uses the Infisical PKI Issuer controller to authenticate with Infisical using machine identity credentials and request an intermediate CA certificate. 
-Infisical verifies the request against your certificate templates and returns the signed certificate.
-From there, Istio's control plane will automatically use this intermediate CA to sign leaf certificates for workloads in the service mesh, enabling secure mTLS communication across your entire Gloo Mesh infrastructure.
-
-Follow the [Infisical PKI Issuer guide](/documentation/platform/pki/pki-issuer) for detailed instructions on how to set up the Infisical PKI Issuer and cert-manager for your Istio intermediate CA certificates in Gloo Mesh clusters.
-
-For Gloo Mesh-specific configuration, ensure that:
-
-- The Certificate resource targets the `istio-system` namespace with `secretName: cacerts`
-- Certificate templates in Infisical PKI are configured for intermediate CA usage with appropriate key usage and constraints
-- Multiple workload clusters use the same Infisical PKI root to enable cross-cluster mTLS communication
-
-## Using the certificates
-
-Once the `cacerts` Kubernetes secret is created in the `istio-system` namespace, Istio automatically uses the custom CA certificate instead of the default self-signed certificate. 
-When you deploy applications to your Gloo Mesh service mesh, the workloads will receive leaf certificates signed by your Infisical PKI intermediate CA, enabling secure mTLS communication across your entire mesh infrastructure.

docs/documentation/platform/pki/pki-issuer.mdx

@@ -1,6 +1,7 @@
 ---
-title: "Cert Manager Issuer"
-description: "Learn how to automatically provision and manage TLS certificates in Kubernetes using Infisical PKI"
+title: "Kubernetes Issuer"
+sidebarTitle: "Certificates for Kubernetes"
+description: "Learn how to automatically provision and manage TLS certificates for in Kubernetes using Infisical PKI"
 ---
 
 ## Concept
@@ -20,21 +21,20 @@ A typical workflow for using the Infisical PKI Issuer to issue certificates for
 3. Installing `cert-manager` into your Kubernetes cluster.
 4. Installing the Infisical PKI Issuer controller into your Kubernetes cluster.
 5. Creating an `Issuer` or `ClusterIssuer` resource in your Kubernetes cluster to represent the Infisical PKI issuer you wish to use.
-6. Create the approver policy to accept certificate request.
-7. Creating a `Certificate` resource in your Kubernetes cluster to represent a certificate you wish to issue. As part of this step, you specify the Kubernetes `Secret` to create and store the issued certificate and private key.
-8. Consuming the issued certificate across your Kubernetes resources from the specified Kubernetes `Secret`.
+6. Creating a `Certificate` resource in your Kubernetes cluster to represent a certificate you wish to issue. As part of this step, you specify the Kubernetes `Secret` to create and store the issued certificate and private key.
+7. Consuming the issued certificate across your Kubernetes resources from the specified Kubernetes `Secret`.
 
 ## Guide
 
-In the following steps, we explore how to install the Infisical PKI Issuer using [kubectl](https://github.com/kubernetes/kubectl) and use it to obtain certificates for your Kubernetes resources.
+In the following steps, we explore how to install the Infisical PKI Issuer using [kubectl](https://github.com/kubernetes/kubectl) and use it to obtain certificates for your Kubernetes resources. 
 
 <Steps>
     <Step title="Create an identity in Infisical">
-
+        
         Follow the instructions [here](/documentation/platform/identities/universal-auth) to configure a [machine identity](/documentation/platform/identities/machine-identities) in Infisical with Universal Auth.
-
+        
         By the end of this step, you should have a **Client ID** and **Client Secret** on hand as part of the Universal Auth configuration for the Infisical PKI Issuer to authenticate with Infisical; this will be useful in steps 4 and 5.
-
+        
         <Note>
             Currently, the Infisical PKI Issuer only supports authenticating with Infisical via the [Universal Auth](/documentation/platform/identities/universal-auth) authentication method.
 
@@ -43,14 +43,14 @@ In the following steps, we explore how to install the Infisical PKI Issuer using
     </Step>
     <Step title="Install cert-manager">
         Install `cert-manager` into your Kubernetes cluster by following the instructions [here](https://cert-manager.io/docs/installation/) or by running the following command:
-
+        
         ```bash
         kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.yaml
         ```
     </Step>
     <Step title="Install the Issuer Controller">
         Install the Infisical PKI Issuer controller into your Kubernetes cluster by running the following command:
-
+        
         ```bash
         kubectl apply -f https://raw.githubusercontent.com/Infisical/infisical-issuer/main/build/install.yaml
         ```
@@ -76,7 +76,7 @@ In the following steps, we explore how to install the Infisical PKI Issuer using
                 data:
                     clientSecret: <client_secret>
                 ```
-
+                
                 ```bash
                 kubectl apply -f secret-issuer.yaml
                 ```
@@ -84,7 +84,7 @@ In the following steps, we explore how to install the Infisical PKI Issuer using
         </Tabs>
     </Step>
     <Step title="Create Infisical PKI Issuer">
-        Next, create the Infisical PKI Issuer by filling out `url`, `clientId`, `projectId` or `certificateTemplateName`, and applying the following configuration file for the `Issuer` resource.
+        Next, create the Infisical PKI Issuer by filling out `url`, `clientId`, either `caId` or `certificateTemplateId`, and applying the following configuration file for the `Issuer` resource.
         This configuration file specifies the connection details to your Infisical PKI CA to be used for issuing certificates.
 
         ```yaml infisical-issuer.yaml
@@ -95,8 +95,8 @@ In the following steps, we explore how to install the Infisical PKI Issuer using
             namespace: <namespace_you_want_to_issue_certificates_in>
         spec:
             url: "https://app.infisical.com" # the URL of your Infisical instance
-            projectId: <project_id> # the ID of the project you want to use to issue certificates
-            certificateTemplateName: <certificate_template_name> # the name of the certificate template you want to use to issue certificates against
+            caId: <ca_id> # the ID of the CA you want to use to issue certificates
+            certificateTemplateId: <certificate_template_id> # the ID of the certificate template you want to use to issue certificates against
             authentication:
                 universalAuth:
                     clientId: <client_id> # the Client ID from step 1
@@ -104,11 +104,20 @@ In the following steps, we explore how to install the Infisical PKI Issuer using
                         name: "issuer-infisical-client-secret"
                         key: "clientSecret"
         ```
-
+        
         ```
         kubectl apply -f infisical-issuer.yaml
         ```
-
+        
+        <Warning>
+            The Infisical PKI Issuer supports issuing certificates against a specific CA or a specific certificate template.
+            
+            For this reason, you should only fill in the `caId` or the `certificateTemplateId` field but not both.
+            
+            We recommend using the `certificateTemplateId` field to issue certificates against a specific [certificate template](/documentation/platform/pki/certificate-templates)
+            since templates let you enforce constraints on issued certificates and may have alerting policies bound to them.
+        </Warning>
+        
         You can check that the issuer was created successfully by running the following command:
 
         ```bash
@@ -119,60 +128,16 @@ In the following steps, we explore how to install the Infisical PKI Issuer using
         NAME               AGE
         issuer-infisical   21h
         ```
-
+        
         <Note>
             An `Issuer` is a namespaced resource, and it is not possible to issue certificates from an `Issuer` in a different namespace.
             This means you will need to create an `Issuer` in each namespace you wish to obtain `Certificates` in.
 
             If you want to create a single `Issuer` that can be consumed in multiple namespaces, you should consider creating a `ClusterIssuer` resource. This is almost identical to the `Issuer` resource, however is non-namespaced so it can be used to issue `Certificates` across all namespaces.
-
+            
             You can read more about the `Issuer` and `ClusterIssuer` resources [here](https://cert-manager.io/docs/configuration/).
         </Note>
     </Step>
-    <Step title="Create Approver Policy">
-      If you create a `CertificateRequest` now, you'll notice it's neither approved nor denied. This is expected because by default cert-manager approver controller requires an approver-policy.
-
-      To enable approval, create the following YAML file and apply it:
-
-       ```yaml infisical-approver-policy.yaml
-      apiVersion: rbac.authorization.k8s.io/v1
-      kind: ClusterRole
-      metadata:
-        name: infisical-issuer-approver
-      rules:
-        # Permission to approve or deny CertificateRequests for signers in cert-manager.io API group
-        - apiGroups: ['cert-manager.io']
-          resources: ['signers']
-          verbs: ['approve']
-          resourceNames:
-            # Grant approval permissions for namespaced issuers
-            - "issuers.infisical-issuer.infisical.com/default.issuer-infisical"
-            # Grant approval permissions for cluster-scoped issuers
-            - "clusterissuers.infisical-issuer.infisical.com/clusterissuer-infisical"
-      ---
-      # Bind the cert-manager service account to the new role
-      apiVersion: rbac.authorization.k8s.io/v1
-      kind: ClusterRoleBinding
-      metadata:
-        name: infisical-issuer-approver-binding
-      subjects:
-        - kind: ServiceAccount
-          name: cert-manager
-          namespace: cert-manager
-      roleRef:
-        apiGroup: rbac.authorization.k8s.io
-        kind: ClusterRole
-        name: infisical-issuer-approver
-        ```
-
-        ```
-        kubectl apply -f infisical-approver-policy.yaml
-        ```
-
-        This configuration creates a `ClusterRole` named `infisical-issuer-approver` that grants approval permissions for specific Infisical issuer types. It then binds this role to the cert-manager service account, allowing it to approve certificate requests from your Infisical issuers.
-
-        For information, check out [cert manager approval policy doc](https://cert-manager.io/docs/policy/approval/approver-policy/).
-    </Step>
     <Step title="Create Certificate">
 
         Finally, create a `Certificate` by applying the following configuration file.
@@ -197,7 +162,7 @@ In the following steps, we explore how to install the Infisical PKI Issuer using
             duration: 48h # the ttl for the certificate
             renewBefore: 12h # the time before the certificate expiry that the certificate should be automatically renewed
         ```
-
+        
         The above sample configuration file specifies a certificate to be issued with the common name `certificate-by-issuer.example.com` and ECDSA private key using the P-256 curve, valid for 48 hours; the certificate will be automatically renewed by `cert-manager` 12 hours before expiry.
         The certificate is issued by the issuer `issuer-infisical` created in the previous step and the resulting certificate and private key will be stored in a secret named `certificate-by-issuer`.
 
@@ -216,7 +181,7 @@ In the following steps, we explore how to install the Infisical PKI Issuer using
     </Step>
     <Step title="Use Certificate in Kubernetes Secret">
         Since the actual certificate and private key are stored in a Kubernetes secret, we can check that the secret was created successfully by running the following command:
-
+        
         ```bash
         kubectl get secret certificate-by-issuer -n <namespace_of_your_certificate>
         ```
@@ -225,9 +190,9 @@ In the following steps, we explore how to install the Infisical PKI Issuer using
         NAME                    TYPE                DATA   AGE
         certificate-by-issuer   kubernetes.io/tls   2      26h
         ```
-
+        
         We can `describe` the secret to get more information about it:
-
+        
         ```bash
         kubectl describe secret certificate-by-issuer -n default
         ```
@@ -236,14 +201,14 @@ In the following steps, we explore how to install the Infisical PKI Issuer using
         Name:         certificate-by-issuer
         Namespace:    default
         Labels:       controller.cert-manager.io/fao=true
-        Annotations:  cert-manager.io/alt-names:
+        Annotations:  cert-manager.io/alt-names: 
                     cert-manager.io/certificate-name: certificate-by-issuer
                     cert-manager.io/common-name: certificate-by-issuer.example.com
-                    cert-manager.io/ip-sans:
+                    cert-manager.io/ip-sans: 
                     cert-manager.io/issuer-group: infisical-issuer.infisical.com
                     cert-manager.io/issuer-kind: Issuer
                     cert-manager.io/issuer-name: issuer-infisical
-                    cert-manager.io/uri-sans:
+                    cert-manager.io/uri-sans: 
 
         Type:  kubernetes.io/tls
 
@@ -253,18 +218,17 @@ In the following steps, we explore how to install the Infisical PKI Issuer using
         tls.crt: 2380 bytes
         tls.key:  227 bytes
         ```
-
+        
         Here, `ca.crt` is the Root CA certificate, `tls.crt` is the requested certificate followed by the certificate chain, and `tls.key` is the private key for the certificate.
-
+        
         We can decode the certificate and print it out using `openssl`:
 
         ```bash
         kubectl get secret certificate-by-issuer -n default -o jsonpath='{.data.tls\.crt}' | base64 --decode | openssl x509 -text -noout
         ```
-
+        
         In any case, the certificate is ready to be used as Kubernetes Secret by your Kubernetes resources.
     </Step>
-
 </Steps>
 
 ## FAQ
@@ -272,24 +236,15 @@ In the following steps, we explore how to install the Infisical PKI Issuer using
 <AccordionGroup>
 <Accordion title="What fields can be configured on the Certificate resource?">
     The full list of the fields supported on the `Certificate` resource can be found in the API reference documentation [here](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec).
-
+    
     <Note>
         Currently, not all fields are supported by the Infisical PKI Issuer.
     </Note>
-
 </Accordion>
 <Accordion title="Can certificates be renewed automatically?">
     Yes. `cert-manager` will automatically renew certificates according to the `renewBefore` threshold of expiry as
     specified in the corresponding `Certificate` resource.
-
+    
     You can read more about the `renewBefore` field [here](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec).
-
 </Accordion>
-<Accordion title="Why is my CertificateRequest not being approved, showing 'CertificateRequest has not been approved yet. Ignoring.'?">
-    If you see log messages similar to:
-    ```
-    "CertificateRequest has not been approved yet. Ignoring.","controller":"certificaterequest","controllerGroup":"cert-manager.io","controllerKind":"CertificateRequest","CertificateRequest":{"name":"skynet-infisical-rta-rsa2048-1","namespace":"infisical-system"},"namespace":"infisical-system","name":"skynet-infisical-rta-rsa2048-1","reconcileID":"bfb7cad9-d867-45b5-b3a3-0139e731b7a6"}
-    ```
-    This indicates that the `CertificateRequest` has been created, but `cert-manager` has not yet approved it. This typically occurs because a necessary approver policy is missing. Refer to the documentation above to create an approver policy.
-</Accordion>
-</AccordionGroup>
+</AccordionGroup>

docs/documentation/platform/pr-workflows.mdx

@@ -37,10 +37,6 @@ The enforcement level determines how strict the policy is. A **Hard** enforcemen
     Enabling the "Bypass Approvals" toggle during policy creation will create a **Soft** enforcement level. Disabling the toggle makes the enforcement level **Hard**.
 </Note>
 
-If you choose to allow approval bypasses (Soft Enforcement), you may select specific users or groups that can perform the bypass for that specific policy. Not choosing users or groups will allow anyone to bypass the policy.
-
-A policy bypasser cannot bypass requests from others; the bypass action can only be performed by the request creator.
-
 ### Self approvals
 
 If the **Self Approvals** option is enabled, users who are designated as approvers on the policy can approve requests that they themselves have submitted.

docs/internals/bug-bounty.mdx

@@ -27,7 +27,7 @@ Bounties are based on severity, impact, and exploitability, as well as whether t
 | --- | --- | --- |
 | **Critical** | Full unauthorized access to secrets, authentication bypass, cross-tenant access, RCE, full compromise, etc | $2,000 - $5,000 |
 | **High** | Privilege escalation, project-level access without authorization, persistent DoS | $750 - $2,000 |
-| **Medium** | Info disclosure, scoped DoS (e.g. ReDoS with auth), or minor access control issues | $100 - $1,000 |
+| **Medium** | Info disclosure, scoped DoS (e.g. ReDoS with auth), or minor access control issues | $250 - $1,000 |
 | **Low / Informational** | Missing headers, CSP warnings, theoretical flaws, self-hosting misconfigurations | Recognition only |
 
 

docs/internals/permissions/organization-permissions.mdx

@@ -142,10 +142,12 @@ Below is a comprehensive list of all available organization-level subjects and t
 
 #### Subject: `billing`
 
-| Action           | Description                                      |
-| ---------------- | ------------------------------------------------ |
-| `read`           | View billing information and subscription status |
-| `manage-billing` | Manage billing details and subscription plans    |
+| Action   | Description                                      |
+| -------- | ------------------------------------------------ |
+| `read`   | View billing information and subscription status |
+| `create` | Set up new payment methods or subscriptions      |
+| `edit`   | Modify billing details or subscription plans     |
+| `delete` | Remove payment methods or cancel subscriptions   |
 
 ### Templates & Automation
 

docs/mint.json

@@ -116,15 +116,9 @@
             "documentation/platform/pki/subscribers",
             "documentation/platform/pki/certificates",
             "documentation/platform/pki/acme-ca",
+            "documentation/platform/pki/pki-issuer",
             "documentation/platform/pki/est",
-            "documentation/platform/pki/alerting",
-            {
-              "group": "Integrations",
-              "pages": [
-                "documentation/platform/pki/pki-issuer",
-                "documentation/platform/pki/integration-guides/gloo-mesh"
-              ]
-            }
+            "documentation/platform/pki/alerting"
           ]
         },
         {

docs/sdks/languages/csharp.mdx

@@ -4,10 +4,10 @@ sidebarTitle: ".NET"
 icon: "bars"
 ---
 
-If you're working with C#, the official [Infisical C# SDK](https://github.com/Infisical/sdk/tree/main/languages/csharp) package is the easiest way to fetch and work with secrets for your application.
+If you're working with C#, the official [Infisical C# SDK](https://github.com/Infisical/infisical-dotnet-configuration) package is the easiest way to fetch and work with secrets for your application.
 
 - [Nuget Package](https://www.nuget.org/packages/Infisical.Sdk)
-- [Github Repository](https://github.com/Infisical/sdk/tree/main/languages/csharp)
+- [Github Repository](https://github.com/Infisical/infisical-dotnet-configuration)
 
 <Warning>
   **Deprecation Notice**

frontend/package-lock.json

@@ -25,7 +25,6 @@
         "@hookform/resolvers": "^3.9.1",
         "@lexical/react": "^0.29.0",
         "@lottiefiles/dotlottie-react": "^0.12.0",
-        "@lottiefiles/dotlottie-web": "^0.38.2",
         "@octokit/rest": "^21.0.2",
         "@peculiar/x509": "^1.12.3",
         "@radix-ui/react-accordion": "^1.2.2",

frontend/package.json

@@ -29,7 +29,6 @@
     "@hookform/resolvers": "^3.9.1",
     "@lexical/react": "^0.29.0",
     "@lottiefiles/dotlottie-react": "^0.12.0",
-    "@lottiefiles/dotlottie-web": "^0.38.2",
     "@octokit/rest": "^21.0.2",
     "@peculiar/x509": "^1.12.3",
     "@radix-ui/react-accordion": "^1.2.2",

frontend/src/context/OrgPermissionContext/index.tsx

@@ -2,7 +2,6 @@ export { useOrgPermission } from "./OrgPermissionContext";
 export type { TOrgPermission } from "./types";
 export {
   OrgPermissionActions,
-  OrgPermissionBillingActions,
   OrgPermissionGroupActions,
   OrgPermissionIdentityActions,
   OrgPermissionSubjects

frontend/src/context/OrgPermissionContext/types.ts

@@ -7,11 +7,6 @@ export enum OrgPermissionActions {
   Delete = "delete"
 }
 
-export enum OrgPermissionBillingActions {
-  Read = "read",
-  ManageBilling = "manage-billing"
-}
-
 export enum OrgGatewayPermissionActions {
   // is there a better word for this. This mean can an identity be a gateway
   CreateGateways = "create-gateways",
@@ -105,7 +100,7 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.Ldap]
   | [OrgPermissionGroupActions, OrgPermissionSubjects.Groups]
   | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
-  | [OrgPermissionBillingActions, OrgPermissionSubjects.Billing]
+  | [OrgPermissionActions, OrgPermissionSubjects.Billing]
   | [OrgPermissionActions, OrgPermissionSubjects.Kms]
   | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole]
   | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]

frontend/src/context/ProjectPermissionContext/index.tsx

@@ -2,6 +2,7 @@ export { useProjectPermission } from "./ProjectPermissionContext";
 export type { ProjectPermissionSet, TProjectPermission } from "./types";
 export {
   ProjectPermissionActions,
+  ProjectPermissionApprovalActions,
   ProjectPermissionCertificateActions,
   ProjectPermissionCmekActions,
   ProjectPermissionDynamicSecretActions,
@@ -10,7 +11,6 @@ export {
   ProjectPermissionKmipActions,
   ProjectPermissionMemberActions,
   ProjectPermissionPkiSubscriberActions,
-  ProjectPermissionPkiTemplateActions,
   ProjectPermissionSshHostActions,
   ProjectPermissionSub
 } from "./types";

frontend/src/context/ProjectPermissionContext/types.ts

@@ -24,6 +24,15 @@ export enum ProjectPermissionSecretActions {
   Delete = "delete"
 }
 
+export enum ProjectPermissionApprovalActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  AllowChangeBypass = "allow-change-bypass",
+  AllowAccessBypass = "allow-access-bypass"
+}
+
 export enum ProjectPermissionDynamicSecretActions {
   ReadRootCredential = "read-root-credential",
   CreateRootCredential = "create-root-credential",
@@ -104,15 +113,6 @@ export enum ProjectPermissionPkiSubscriberActions {
   ListCerts = "list-certs"
 }
 
-export enum ProjectPermissionPkiTemplateActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  IssueCert = "issue-cert",
-  ListCerts = "list-certs"
-}
-
 export enum ProjectPermissionSecretRotationActions {
   Read = "read",
   ReadGeneratedCredentials = "read-generated-credentials",
@@ -247,11 +247,6 @@ export type PkiSubscriberSubjectFields = {
   name: string;
 };
 
-export type PkiTemplateSubjectFields = {
-  name: string;
-  // (dangtony98): consider adding [commonName] as a subject field in the future
-};
-
 export type ProjectPermissionSet =
   | [
       ProjectPermissionSecretActions,
@@ -299,7 +294,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.IpAllowList]
   | [ProjectPermissionActions, ProjectPermissionSub.Settings]
   | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
-  | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
+  | [ProjectPermissionApprovalActions, ProjectPermissionSub.SecretApproval]
   | [
       ProjectPermissionIdentityActions,
       (
@@ -309,13 +304,7 @@ export type ProjectPermissionSet =
     ]
   | [ProjectPermissionActions, ProjectPermissionSub.CertificateAuthorities]
   | [ProjectPermissionCertificateActions, ProjectPermissionSub.Certificates]
-  | [
-      ProjectPermissionPkiTemplateActions,
-      (
-        | ProjectPermissionSub.CertificateTemplates
-        | (ForcedSubject<ProjectPermissionSub.CertificateTemplates> & PkiTemplateSubjectFields)
-      )
-    ]
+  | [ProjectPermissionActions, ProjectPermissionSub.CertificateTemplates]
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateAuthorities]
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateTemplates]
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificates]

frontend/src/context/index.tsx

@@ -2,7 +2,6 @@ export { useOrganization } from "./OrganizationContext";
 export type { TOrgPermission } from "./OrgPermissionContext";
 export {
   OrgPermissionActions,
-  OrgPermissionBillingActions,
   OrgPermissionGroupActions,
   OrgPermissionIdentityActions,
   OrgPermissionSubjects,
@@ -11,6 +10,7 @@ export {
 export type { TProjectPermission } from "./ProjectPermissionContext";
 export {
   ProjectPermissionActions,
+  ProjectPermissionApprovalActions,
   ProjectPermissionCertificateActions,
   ProjectPermissionCmekActions,
   ProjectPermissionDynamicSecretActions,
@@ -19,7 +19,6 @@ export {
   ProjectPermissionKmipActions,
   ProjectPermissionMemberActions,
   ProjectPermissionPkiSubscriberActions,
-  ProjectPermissionPkiTemplateActions,
   ProjectPermissionSshHostActions,
   ProjectPermissionSub,
   useProjectPermission

frontend/src/hooks/api/accessApproval/mutation.tsx

@@ -21,7 +21,6 @@ export const useCreateAccessApprovalPolicy = () => {
       projectSlug,
       approvals,
       approvers,
-      bypassers,
       name,
       secretPath,
       enforcementLevel,
@@ -31,7 +30,6 @@ export const useCreateAccessApprovalPolicy = () => {
         environment,
         projectSlug,
         approvals,
-        bypassers,
         approvers,
         secretPath,
         name,
@@ -55,7 +53,6 @@ export const useUpdateAccessApprovalPolicy = () => {
     mutationFn: async ({
       id,
       approvers,
-      bypassers,
       approvals,
       name,
       secretPath,
@@ -65,7 +62,6 @@ export const useUpdateAccessApprovalPolicy = () => {
       const { data } = await apiRequest.patch(`/api/v1/access-approvals/policies/${id}`, {
         approvals,
         approvers,
-        bypassers,
         secretPath,
         name,
         enforcementLevel,

frontend/src/hooks/api/accessApproval/types.ts

@@ -16,7 +16,6 @@ export type TAccessApprovalPolicy = {
   enforcementLevel: EnforcementLevel;
   updatedAt: Date;
   approvers?: Approver[];
-  bypassers?: Bypasser[];
   allowedSelfApprovals: boolean;
 };
 
@@ -25,21 +24,11 @@ export enum ApproverType {
   Group = "group"
 }
 
-export enum BypasserType {
-  User = "user",
-  Group = "group"
-}
-
 export type Approver = {
   id: string;
   type: ApproverType;
 };
 
-export type Bypasser = {
-  id: string;
-  type: BypasserType;
-};
-
 export type TAccessApprovalRequest = {
   id: string;
   policyId: string;
@@ -79,7 +68,6 @@ export type TAccessApprovalRequest = {
     name: string;
     approvals: number;
     approvers: string[];
-    bypassers: string[];
     secretPath?: string | null;
     envId: string;
     enforcementLevel: EnforcementLevel;
@@ -158,7 +146,6 @@ export type TCreateAccessPolicyDTO = {
   name?: string;
   environment: string;
   approvers?: Approver[];
-  bypassers?: Bypasser[];
   approvals?: number;
   secretPath?: string;
   enforcementLevel?: EnforcementLevel;
@@ -169,7 +156,6 @@ export type TUpdateAccessPolicyDTO = {
   id: string;
   name?: string;
   approvers?: Approver[];
-  bypassers?: Bypasser[];
   secretPath?: string;
   environment?: string;
   approvals?: number;

frontend/src/hooks/api/ca/mutations.tsx

@@ -31,14 +31,10 @@ export const useUpdateCa = () => {
 
       return data;
     },
-    onSuccess: ({ projectId, type }, { caName }) => {
-      caKeys.getCaByNameAndProjectId(caName, projectId);
+    onSuccess: ({ projectId, type }) => {
       queryClient.invalidateQueries({
         queryKey: caKeys.listCasByTypeAndProjectId(type, projectId)
       });
-      queryClient.invalidateQueries({
-        queryKey: caKeys.getCaByNameAndProjectId(caName, projectId)
-      });
     }
   });
 };

frontend/src/hooks/api/certificateTemplates/index.tsx

@@ -1,11 +1,8 @@
 export {
   useCreateCertTemplate,
-  useCreateCertTemplateV2,
   useCreateEstConfig,
   useDeleteCertTemplate,
-  useDeleteCertTemplateV2,
   useUpdateCertTemplate,
-  useUpdateCertTemplateV2,
   useUpdateEstConfig
 } from "./mutations";
-export { useGetCertTemplate, useGetEstConfig, useListCertificateTemplates } from "./queries";
+export { useGetCertTemplate, useGetEstConfig } from "./queries";

frontend/src/hooks/api/certificateTemplates/mutations.tsx

@@ -8,12 +8,9 @@ import { certTemplateKeys } from "./queries";
 import {
   TCertificateTemplate,
   TCreateCertificateTemplateDTO,
-  TCreateCertificateTemplateV2DTO,
   TCreateEstConfigDTO,
   TDeleteCertificateTemplateDTO,
-  TDeleteCertificateTemplateV2DTO,
   TUpdateCertificateTemplateDTO,
-  TUpdateCertificateTemplateV2DTO,
   TUpdateEstConfigDTO
 } from "./types";
 
@@ -76,58 +73,6 @@ export const useDeleteCertTemplate = () => {
   });
 };
 
-export const useCreateCertTemplateV2 = () => {
-  const queryClient = useQueryClient();
-  return useMutation<TCertificateTemplate, object, TCreateCertificateTemplateV2DTO>({
-    mutationFn: async (dto) => {
-      const { data } = await apiRequest.post<{
-        certificateTemplate: TCertificateTemplate;
-      }>("/api/v2/pki/certificate-templates", dto);
-      return data.certificateTemplate;
-    },
-    onSuccess: (_, { projectId }) => {
-      queryClient.invalidateQueries({ queryKey: certTemplateKeys.listTemplates({ projectId }) });
-    }
-  });
-};
-
-export const useUpdateCertTemplateV2 = () => {
-  const queryClient = useQueryClient();
-  return useMutation<TCertificateTemplate, object, TUpdateCertificateTemplateV2DTO>({
-    mutationFn: async (dto) => {
-      const { data } = await apiRequest.patch<{ certificateTemplate: TCertificateTemplate }>(
-        `/api/v2/pki/certificate-templates/${dto.templateName}`,
-        dto
-      );
-
-      return data.certificateTemplate;
-    },
-    onSuccess: (_, { projectId }) => {
-      queryClient.invalidateQueries({ queryKey: certTemplateKeys.listTemplates({ projectId }) });
-    }
-  });
-};
-
-export const useDeleteCertTemplateV2 = () => {
-  const queryClient = useQueryClient();
-  return useMutation<TCertificateTemplate, object, TDeleteCertificateTemplateV2DTO>({
-    mutationFn: async (dto) => {
-      const { data } = await apiRequest.delete<{ certificateTemplate: TCertificateTemplate }>(
-        `/api/v2/pki/certificate-templates/${dto.templateName}`,
-        {
-          data: {
-            projectId: dto.projectId
-          }
-        }
-      );
-      return data.certificateTemplate;
-    },
-    onSuccess: (_, { projectId }) => {
-      queryClient.invalidateQueries({ queryKey: certTemplateKeys.listTemplates({ projectId }) });
-    }
-  });
-};
-
 export const useCreateEstConfig = () => {
   const queryClient = useQueryClient();
   return useMutation<object, object, TCreateEstConfigDTO>({

frontend/src/hooks/api/certificateTemplates/queries.tsx

@@ -2,20 +2,10 @@ import { useQuery } from "@tanstack/react-query";
 
 import { apiRequest } from "@app/config/request";
 
-import {
-  TCertificateTemplate,
-  TCertificateTemplateV2,
-  TEstConfig,
-  TListCertificateTemplatesDTO
-} from "./types";
+import { TCertificateTemplate, TEstConfig } from "./types";
 
 export const certTemplateKeys = {
   getCertTemplateById: (id: string) => [{ id }, "cert-template"],
-  listTemplates: ({ projectId, ...el }: { limit?: number; offset?: number; projectId: string }) => [
-    "list-template",
-    projectId,
-    el
-  ],
   getEstConfig: (id: string) => [{ id }, "cert-template-est-config"]
 };
 
@@ -32,29 +22,6 @@ export const useGetCertTemplate = (id: string) => {
   });
 };
 
-export const useListCertificateTemplates = ({
-  limit = 100,
-  offset = 0,
-  projectId
-}: TListCertificateTemplatesDTO) => {
-  return useQuery({
-    queryKey: certTemplateKeys.listTemplates({ limit, offset, projectId }),
-    queryFn: async () => {
-      const { data } = await apiRequest.get<{
-        certificateTemplates: TCertificateTemplateV2[];
-        totalCount?: number;
-      }>("/api/v2/pki/certificate-templates", {
-        params: {
-          limit,
-          offset,
-          projectId
-        }
-      });
-      return data;
-    }
-  });
-};
-
 export const useGetEstConfig = (certificateTemplateId: string) => {
   return useQuery({
     queryKey: certTemplateKeys.getEstConfig(certificateTemplateId),

frontend/src/hooks/api/certificateTemplates/types.ts

@@ -14,26 +14,6 @@ export type TCertificateTemplate = {
   extendedKeyUsages: CertExtendedKeyUsage[];
 };
 
-export type TCertificateTemplateV2 = {
-  id: string;
-  caId: string;
-  caName: string;
-  projectId: string;
-  pkiCollectionId?: string;
-  name: string;
-  commonName: string;
-  subjectAlternativeName: string;
-  ttl: string;
-  keyUsages: CertKeyUsage[];
-  extendedKeyUsages: CertExtendedKeyUsage[];
-  updatedAt: string;
-  createdAt: string;
-  ca: {
-    name: string;
-    id: string;
-  };
-};
-
 export type TCreateCertificateTemplateDTO = {
   caId: string;
   pkiCollectionId?: string;
@@ -64,34 +44,6 @@ export type TDeleteCertificateTemplateDTO = {
   projectId: string;
 };
 
-export type TCreateCertificateTemplateV2DTO = {
-  caName: string;
-  name: string;
-  commonName: string;
-  subjectAlternativeName: string;
-  ttl: string;
-  projectId: string;
-  keyUsages: CertKeyUsage[];
-  extendedKeyUsages: CertExtendedKeyUsage[];
-};
-
-export type TUpdateCertificateTemplateV2DTO = {
-  templateName: string;
-  caName?: string;
-  name?: string;
-  commonName?: string;
-  subjectAlternativeName?: string;
-  ttl?: string;
-  projectId: string;
-  keyUsages?: CertKeyUsage[];
-  extendedKeyUsages?: CertExtendedKeyUsage[];
-};
-
-export type TDeleteCertificateTemplateV2DTO = {
-  templateName: string;
-  projectId: string;
-};
-
 export type TCreateEstConfigDTO = {
   certificateTemplateId: string;
   caChain?: string;
@@ -115,9 +67,3 @@ export type TEstConfig = {
   isEnabled: boolean;
   disableBootstrapCertValidation: boolean;
 };
-
-export type TListCertificateTemplatesDTO = {
-  limit?: number;
-  offset?: number;
-  projectId: string;
-};

frontend/src/hooks/api/secretApproval/mutation.tsx

@@ -14,7 +14,6 @@ export const useCreateSecretApprovalPolicy = () => {
       workspaceId,
       approvals,
       approvers,
-      bypassers,
       secretPath,
       name,
       enforcementLevel,
@@ -25,7 +24,6 @@ export const useCreateSecretApprovalPolicy = () => {
         workspaceId,
         approvals,
         approvers,
-        bypassers,
         secretPath,
         name,
         enforcementLevel,
@@ -48,7 +46,6 @@ export const useUpdateSecretApprovalPolicy = () => {
     mutationFn: async ({
       id,
       approvers,
-      bypassers,
       approvals,
       secretPath,
       name,
@@ -58,7 +55,6 @@ export const useUpdateSecretApprovalPolicy = () => {
       const { data } = await apiRequest.patch(`/api/v1/secret-approvals/${id}`, {
         approvals,
         approvers,
-        bypassers,
         secretPath,
         name,
         enforcementLevel,

frontend/src/hooks/api/secretApproval/types.ts

@@ -25,16 +25,6 @@ export type Approver = {
   type: ApproverType;
 };
 
-export enum BypasserType {
-  User = "user",
-  Group = "group"
-}
-
-export type Bypasser = {
-  id: string;
-  type: BypasserType;
-};
-
 export type TGetSecretApprovalPoliciesDTO = {
   workspaceId: string;
 };
@@ -51,7 +41,6 @@ export type TCreateSecretPolicyDTO = {
   environment: string;
   secretPath?: string | null;
   approvers?: Approver[];
-  bypassers?: Bypasser[];
   approvals?: number;
   enforcementLevel: EnforcementLevel;
   allowedSelfApprovals: boolean;
@@ -61,7 +50,6 @@ export type TUpdateSecretPolicyDTO = {
   id: string;
   name?: string;
   approvers?: Approver[];
-  bypassers?: Bypasser[];
   secretPath?: string | null;
   approvals?: number;
   allowedSelfApprovals?: boolean;

frontend/src/hooks/api/secretApprovalRequest/types.ts

@@ -57,7 +57,7 @@ export type TSecretApprovalRequest = {
   secretPath: string;
   hasMerged: boolean;
   status: "open" | "close";
-  policy: Omit<TSecretApprovalPolicy, "approvers" | "bypassers"> & {
+  policy: Omit<TSecretApprovalPolicy, "approvers"> & {
     approvers: {
       userId: string;
       email: string;
@@ -65,13 +65,6 @@ export type TSecretApprovalRequest = {
       lastName: string;
       username: string;
     }[];
-    bypassers: {
-      userId: string;
-      email: string;
-      firstName: string;
-      lastName: string;
-      username: string;
-    }[];
   };
   statusChangedByUserId: string;
   statusChangedByUser?: {

frontend/src/layouts/ProjectLayout/ProjectLayout.tsx

@@ -117,24 +117,6 @@ export const ProjectLayout = () => {
                               </MenuItem>
                             )}
                           </Link>
-                          <Link
-                            to={
-                              `/${ProjectType.CertificateManager}/$projectId/certificate-templates` as const
-                            }
-                            params={{
-                              projectId: currentWorkspace.id
-                            }}
-                          >
-                            {({ isActive }) => (
-                              <MenuItem
-                                iconMode="reverse"
-                                isSelected={isActive}
-                                icon="pki-template"
-                              >
-                                Certificate Templates
-                              </MenuItem>
-                            )}
-                          </Link>
                           <Link
                             to={
                               `/${ProjectType.CertificateManager}/$projectId/certificates` as const

frontend/src/main.tsx

@@ -1,7 +1,5 @@
 import { StrictMode } from "react";
 import ReactDOM from "react-dom/client";
-import { setWasmUrl } from "@lottiefiles/dotlottie-react";
-import lottieWasmUrl from "@lottiefiles/dotlottie-web/dist/dotlottie-player.wasm?url";
 import { createRouter, RouterProvider } from "@tanstack/react-router";
 import NProgress from "nprogress";
 
@@ -24,9 +22,6 @@ import "./translation";
 // have a look at the Quick start guide
 // for passing in lng and translations on init/
 
-// Configure Lottie player to use local WASM file
-setWasmUrl(lottieWasmUrl);
-
 // Create a new router instance
 NProgress.configure({ showSpinner: false });
 

frontend/src/pages/cert-manager/CertAuthDetailsByIDPage/CertAuthDetailsByIDPage.tsx

@@ -23,6 +23,7 @@ import { usePopUp } from "@app/hooks/usePopUp";
 
 import { CaInstallCertModal } from "../CertificateAuthoritiesPage/components/CaInstallCertModal";
 import { CaModal } from "../CertificateAuthoritiesPage/components/CaModal";
+import { CertificateTemplatesSection } from "../CertificatesPage/components/CertificateTemplatesSection";
 import {
   CaCertificatesSection,
   CaCrlsSection,
@@ -125,6 +126,7 @@ const Page = () => {
             </div>
             <div className="w-full">
               <CaCertificatesSection caId={data.id} />
+              <CertificateTemplatesSection caId={data.id} />
               <CaCrlsSection caId={data.id} />
             </div>
           </div>

frontend/src/pages/cert-manager/CertificateAuthoritiesPage/components/CaModal.tsx

@@ -188,7 +188,11 @@ export const CaModal = ({ popUp, handlePopUpToggle }: Props) => {
           name,
           type: CaType.INTERNAL,
           status,
-          enableDirectIssuance
+          enableDirectIssuance,
+          configuration: {
+            ...configuration,
+            maxPathLength: Number(configuration.maxPathLength)
+          }
         });
       } else {
         // create

frontend/src/pages/cert-manager/CertificatesPage/components/CertificateTemplatesSection.tsx

@@ -9,11 +9,7 @@ import { UpgradePlanModal } from "@app/components/license/UpgradePlanModal";
 import { createNotification } from "@app/components/notifications";
 import { ProjectPermissionCan } from "@app/components/permissions";
 import { DeleteActionModal, IconButton } from "@app/components/v2";
-import {
-  ProjectPermissionPkiTemplateActions,
-  ProjectPermissionSub,
-  useWorkspace
-} from "@app/context";
+import { ProjectPermissionActions, ProjectPermissionSub, useWorkspace } from "@app/context";
 import { usePopUp } from "@app/hooks";
 import { useDeleteCertTemplate } from "@app/hooks/api";
 
@@ -67,7 +63,7 @@ export const CertificateTemplatesSection = ({ caId }: Props) => {
       <div className="flex items-center justify-between border-b border-mineshaft-400 pb-4">
         <h3 className="text-lg font-semibold text-mineshaft-100">Certificate Templates</h3>
         <ProjectPermissionCan
-          I={ProjectPermissionPkiTemplateActions.Create}
+          I={ProjectPermissionActions.Create}
           a={ProjectPermissionSub.CertificateTemplates}
         >
           {(isAllowed) => (

frontend/src/pages/cert-manager/CertificatesPage/components/CertificateTemplatesTable.tsx

@@ -19,11 +19,7 @@ import {
   Tooltip,
   Tr
 } from "@app/components/v2";
-import {
-  ProjectPermissionPkiTemplateActions,
-  ProjectPermissionSub,
-  useSubscription
-} from "@app/context";
+import { ProjectPermissionActions, ProjectPermissionSub, useSubscription } from "@app/context";
 import { useGetCaCertTemplates } from "@app/hooks/api";
 import { UsePopUpState } from "@app/hooks/usePopUp";
 
@@ -83,7 +79,7 @@ export const CertificateTemplatesTable = ({ handlePopUpOpen, caId }: Props) => {
                             Manage Policies
                           </DropdownMenuItem>
                           <ProjectPermissionCan
-                            I={ProjectPermissionPkiTemplateActions.Edit}
+                            I={ProjectPermissionActions.Edit}
                             a={ProjectPermissionSub.CertificateTemplates}
                           >
                             {(isAllowed) => (
@@ -109,7 +105,7 @@ export const CertificateTemplatesTable = ({ handlePopUpOpen, caId }: Props) => {
                             )}
                           </ProjectPermissionCan>
                           <ProjectPermissionCan
-                            I={ProjectPermissionPkiTemplateActions.Delete}
+                            I={ProjectPermissionActions.Delete}
                             a={ProjectPermissionSub.CertificateTemplates}
                           >
                             {(isAllowed) => (

frontend/src/pages/cert-manager/PkiTemplateListPage/PkiTemplateListPage.tsx

@@ -1,257 +0,0 @@
-import { useState } from "react";
-import { Helmet } from "react-helmet";
-import { useTranslation } from "react-i18next";
-import {
-  faCertificate,
-  faEllipsis,
-  faPencil,
-  faPlus,
-  faTrash
-} from "@fortawesome/free-solid-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-import { format } from "date-fns";
-import { twMerge } from "tailwind-merge";
-
-import { createNotification } from "@app/components/notifications";
-import { ProjectPermissionCan } from "@app/components/permissions";
-import {
-  Button,
-  DeleteActionModal,
-  DropdownMenu,
-  DropdownMenuContent,
-  DropdownMenuItem,
-  DropdownMenuTrigger,
-  EmptyState,
-  Modal,
-  ModalContent,
-  PageHeader,
-  Pagination,
-  Table,
-  TableContainer,
-  TableSkeleton,
-  Tag,
-  TBody,
-  Td,
-  Th,
-  THead,
-  Tooltip,
-  Tr
-} from "@app/components/v2";
-import {
-  ProjectPermissionPkiTemplateActions,
-  ProjectPermissionSub,
-  useWorkspace
-} from "@app/context";
-import { usePopUp } from "@app/hooks";
-import { useDeleteCertTemplateV2 } from "@app/hooks/api";
-import { useListCertificateTemplates } from "@app/hooks/api/certificateTemplates/queries";
-
-import { PkiTemplateForm } from "./components/PkiTemplateForm";
-
-const PER_PAGE_INIT = 25;
-export const PkiTemplateListPage = () => {
-  const { t } = useTranslation();
-  const { currentWorkspace } = useWorkspace();
-  const [page, setPage] = useState(1);
-  const [perPage, setPerPage] = useState(PER_PAGE_INIT);
-  const { handlePopUpToggle, popUp, handlePopUpOpen, handlePopUpClose } = usePopUp([
-    "certificateTemplate",
-    "deleteTemplate"
-  ] as const);
-
-  const { data, isPending } = useListCertificateTemplates({
-    projectId: currentWorkspace.id,
-    offset: (page - 1) * perPage,
-    limit: perPage
-  });
-
-  const deleteCertTemplate = useDeleteCertTemplateV2();
-
-  const onRemovePkiSubscriberSubmit = async () => {
-    try {
-      const pkiTemplate = await deleteCertTemplate.mutateAsync({
-        projectId: currentWorkspace.id,
-        templateName: popUp?.deleteTemplate?.data?.name
-      });
-
-      createNotification({
-        text: `Successfully deleted PKI template: ${pkiTemplate.name}`,
-        type: "success"
-      });
-
-      handlePopUpClose("deleteTemplate");
-    } catch (err) {
-      console.error(err);
-      createNotification({
-        text: "Failed to delete PKI subscriber",
-        type: "error"
-      });
-    }
-  };
-
-  return (
-    <>
-      <Helmet>
-        <title>{t("common.head-title", { title: "PKI Subscribers" })}</title>
-      </Helmet>
-      <div className="h-full bg-bunker-800">
-        <div className="container mx-auto flex flex-col justify-between text-white">
-          <div className="mx-auto mb-6 w-full max-w-7xl">
-            <PageHeader
-              title="Certificate Templates"
-              description="Manage certificate template to request and issue dynamic certificates following a strict format."
-            />
-          </div>
-          <div className="container mx-auto mb-6 max-w-7xl rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
-            <div className="mb-4 flex justify-between">
-              <p className="text-xl font-semibold text-mineshaft-100">Templates</p>
-              <div className="flex w-full justify-end">
-                <ProjectPermissionCan
-                  I={ProjectPermissionPkiTemplateActions.Create}
-                  a={ProjectPermissionSub.CertificateTemplates}
-                >
-                  {(isAllowed) => (
-                    <Button
-                      colorSchema="primary"
-                      type="submit"
-                      leftIcon={<FontAwesomeIcon icon={faPlus} />}
-                      onClick={() => handlePopUpOpen("certificateTemplate")}
-                      isDisabled={!isAllowed}
-                      className="ml-4"
-                    >
-                      Add Template
-                    </Button>
-                  )}
-                </ProjectPermissionCan>
-              </div>
-            </div>
-            <TableContainer>
-              <Table>
-                <THead>
-                  <Tr>
-                    <Th>Name</Th>
-                    <Th>Issuing CA</Th>
-                    <Th className="w-64">Last Updated At</Th>
-                    <Th />
-                  </Tr>
-                </THead>
-                <TBody>
-                  {isPending && <TableSkeleton columns={4} innerKey="project-cert-templates" />}
-                  {!isPending &&
-                    data?.certificateTemplates?.map((template) => {
-                      return (
-                        <Tr className="h-10" key={`certificate-template-${template.id}`}>
-                          <Td>{template.name}</Td>
-                          <Td>
-                            <Tag size="xs">{template.ca.name}</Tag>
-                          </Td>
-                          <Td>{format(new Date(template.updatedAt), "yyyy-MM-dd | HH:mm:ss")}</Td>
-                          <Td className="text-right align-middle">
-                            <DropdownMenu>
-                              <DropdownMenuTrigger asChild className="rounded-lg">
-                                <div className="hover:text-primary-400 data-[state=open]:text-primary-400">
-                                  <Tooltip content="More options">
-                                    <FontAwesomeIcon size="lg" icon={faEllipsis} />
-                                  </Tooltip>
-                                </div>
-                              </DropdownMenuTrigger>
-                              <DropdownMenuContent align="start" className="p-1">
-                                <ProjectPermissionCan
-                                  I={ProjectPermissionPkiTemplateActions.Edit}
-                                  a={ProjectPermissionSub.CertificateTemplates}
-                                >
-                                  {(isAllowed) => (
-                                    <DropdownMenuItem
-                                      className={twMerge(
-                                        !isAllowed &&
-                                          "pointer-events-none cursor-not-allowed opacity-50"
-                                      )}
-                                      onClick={(e) => {
-                                        e.stopPropagation();
-                                        handlePopUpOpen("certificateTemplate", template);
-                                      }}
-                                      disabled={!isAllowed}
-                                      icon={<FontAwesomeIcon icon={faPencil} />}
-                                    >
-                                      Edit Template
-                                    </DropdownMenuItem>
-                                  )}
-                                </ProjectPermissionCan>
-
-                                <ProjectPermissionCan
-                                  I={ProjectPermissionPkiTemplateActions.Delete}
-                                  a={ProjectPermissionSub.CertificateTemplates}
-                                >
-                                  {(isAllowed) => (
-                                    <DropdownMenuItem
-                                      className={twMerge(
-                                        !isAllowed &&
-                                          "pointer-events-none cursor-not-allowed opacity-50"
-                                      )}
-                                      onClick={(e) => {
-                                        e.stopPropagation();
-                                        handlePopUpOpen("deleteTemplate", template);
-                                      }}
-                                      disabled={!isAllowed}
-                                      icon={<FontAwesomeIcon icon={faTrash} />}
-                                    >
-                                      Delete Template
-                                    </DropdownMenuItem>
-                                  )}
-                                </ProjectPermissionCan>
-                              </DropdownMenuContent>
-                            </DropdownMenu>
-                          </Td>
-                        </Tr>
-                      );
-                    })}
-                  {!isPending && !data?.certificateTemplates?.length && (
-                    <Tr>
-                      <Td colSpan={4}>
-                        <EmptyState title="No certificate templates found" icon={faCertificate} />
-                      </Td>
-                    </Tr>
-                  )}
-                </TBody>
-              </Table>
-              {!isPending && data?.totalCount !== undefined && data.totalCount >= PER_PAGE_INIT && (
-                <Pagination
-                  count={data.totalCount}
-                  page={page}
-                  perPage={perPage}
-                  onChangePage={(newPage) => setPage(newPage)}
-                  onChangePerPage={(newPerPage) => setPerPage(newPerPage)}
-                />
-              )}
-            </TableContainer>
-            <DeleteActionModal
-              isOpen={popUp.deleteTemplate.isOpen}
-              title="Are you sure you want to remove the PKI Template?"
-              onChange={(isOpen) => handlePopUpToggle("deleteTemplate", isOpen)}
-              deleteKey="confirm"
-              onDeleteApproved={() => onRemovePkiSubscriberSubmit()}
-            />
-          </div>
-          <div className="container mx-auto max-w-7xl" />
-        </div>
-        <Modal
-          isOpen={popUp?.certificateTemplate?.isOpen}
-          onOpenChange={(isOpen) => handlePopUpToggle("certificateTemplate", isOpen)}
-        >
-          <ModalContent
-            title={
-              popUp.certificateTemplate?.data
-                ? "Certificate Template"
-                : "Create Certificate Template"
-            }
-          >
-            <PkiTemplateForm
-              certTemplate={popUp?.certificateTemplate?.data}
-              handlePopUpToggle={(isOpen) => handlePopUpToggle("certificateTemplate", isOpen)}
-            />
-          </ModalContent>
-        </Modal>
-      </div>
-    </>
-  );
-};

frontend/src/pages/cert-manager/PkiTemplateListPage/components/PkiTemplateForm.tsx

@@ -1,408 +0,0 @@
-import { Controller, useForm } from "react-hook-form";
-
-import { faQuestionCircle } from "@fortawesome/free-regular-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-import { zodResolver } from "@hookform/resolvers/zod";
-import { z } from "zod";
-
-import { createNotification } from "@app/components/notifications";
-import {
-  Accordion,
-  AccordionContent,
-  AccordionItem,
-  AccordionTrigger,
-  Button,
-  Checkbox,
-  FilterableSelect,
-  FormControl,
-  FormLabel,
-  Input,
-  Tooltip
-} from "@app/components/v2";
-import { useWorkspace } from "@app/context";
-import {
-  useCreateCertTemplateV2,
-  useListCasByProjectId,
-  useUpdateCertTemplateV2
-} from "@app/hooks/api";
-import {
-  EXTENDED_KEY_USAGES_OPTIONS,
-  KEY_USAGES_OPTIONS
-} from "@app/hooks/api/certificates/constants";
-import { CertExtendedKeyUsage, CertKeyUsage } from "@app/hooks/api/certificates/enums";
-import { TCertificateTemplateV2 } from "@app/hooks/api/certificateTemplates/types";
-import { slugSchema } from "@app/lib/schemas";
-
-const validateTemplateRegexField = z.string().trim().min(1).max(100);
-
-const schema = z.object({
-  ca: z.object({
-    name: z.string(),
-    id: z.string()
-  }),
-  name: slugSchema(),
-  commonName: validateTemplateRegexField,
-  subjectAlternativeName: validateTemplateRegexField,
-  ttl: z.string().trim().min(1),
-  keyUsages: z.object({
-    [CertKeyUsage.DIGITAL_SIGNATURE]: z.boolean().optional(),
-    [CertKeyUsage.KEY_ENCIPHERMENT]: z.boolean().optional(),
-    [CertKeyUsage.NON_REPUDIATION]: z.boolean().optional(),
-    [CertKeyUsage.DATA_ENCIPHERMENT]: z.boolean().optional(),
-    [CertKeyUsage.KEY_AGREEMENT]: z.boolean().optional(),
-    [CertKeyUsage.KEY_CERT_SIGN]: z.boolean().optional(),
-    [CertKeyUsage.CRL_SIGN]: z.boolean().optional(),
-    [CertKeyUsage.ENCIPHER_ONLY]: z.boolean().optional(),
-    [CertKeyUsage.DECIPHER_ONLY]: z.boolean().optional()
-  }),
-  extendedKeyUsages: z.object({
-    [CertExtendedKeyUsage.CLIENT_AUTH]: z.boolean().optional(),
-    [CertExtendedKeyUsage.CODE_SIGNING]: z.boolean().optional(),
-    [CertExtendedKeyUsage.EMAIL_PROTECTION]: z.boolean().optional(),
-    [CertExtendedKeyUsage.OCSP_SIGNING]: z.boolean().optional(),
-    [CertExtendedKeyUsage.SERVER_AUTH]: z.boolean().optional(),
-    [CertExtendedKeyUsage.TIMESTAMPING]: z.boolean().optional()
-  })
-});
-
-export type FormData = z.infer<typeof schema>;
-
-type Props = {
-  certTemplate?: TCertificateTemplateV2;
-  handlePopUpToggle: (state?: boolean) => void;
-};
-
-export const PkiTemplateForm = ({ certTemplate, handlePopUpToggle }: Props) => {
-  const { currentWorkspace } = useWorkspace();
-
-  const { data: cas, isPending: isCaLoading } = useListCasByProjectId(currentWorkspace.id);
-
-  const { mutateAsync: createCertTemplate } = useCreateCertTemplateV2();
-  const { mutateAsync: updateCertTemplate } = useUpdateCertTemplateV2();
-
-  const {
-    control,
-    handleSubmit,
-    reset,
-    formState: { isSubmitting }
-  } = useForm<FormData>({
-    resolver: zodResolver(schema),
-    defaultValues: async () => {
-      if (certTemplate) {
-        return {
-          ca: certTemplate.ca,
-          name: certTemplate.name,
-          commonName: certTemplate.commonName,
-          subjectAlternativeName: certTemplate.subjectAlternativeName,
-          ttl: certTemplate.ttl,
-          keyUsages: Object.fromEntries(certTemplate.keyUsages.map((name) => [name, true]) ?? []),
-          extendedKeyUsages: Object.fromEntries(
-            certTemplate.extendedKeyUsages.map((name) => [name, true]) ?? []
-          )
-        };
-      }
-      return {
-        ca: { name: "", id: "" },
-        name: "",
-        subjectAlternativeName: "",
-        commonName: "",
-        ttl: "",
-        keyUsages: {
-          [CertKeyUsage.DIGITAL_SIGNATURE]: true,
-          [CertKeyUsage.KEY_ENCIPHERMENT]: true
-        },
-        extendedKeyUsages: {}
-      };
-    }
-  });
-
-  const onFormSubmit = async ({
-    name,
-    commonName,
-    subjectAlternativeName,
-    ttl,
-    keyUsages,
-    extendedKeyUsages,
-    ca
-  }: FormData) => {
-    if (!currentWorkspace?.id) {
-      return;
-    }
-
-    try {
-      if (certTemplate) {
-        await updateCertTemplate({
-          templateName: certTemplate.name,
-          projectId: currentWorkspace.id,
-          caName: ca.name,
-          name,
-          commonName,
-          subjectAlternativeName,
-          ttl,
-          keyUsages: Object.entries(keyUsages)
-            .filter(([, value]) => value)
-            .map(([key]) => key as CertKeyUsage),
-          extendedKeyUsages: Object.entries(extendedKeyUsages)
-            .filter(([, value]) => value)
-            .map(([key]) => key as CertExtendedKeyUsage)
-        });
-
-        createNotification({
-          text: "Successfully updated certificate template",
-          type: "success"
-        });
-      } else {
-        await createCertTemplate({
-          projectId: currentWorkspace.id,
-          caName: ca.name,
-          name,
-          commonName,
-          subjectAlternativeName,
-          ttl,
-          keyUsages: Object.entries(keyUsages)
-            .filter(([, value]) => value)
-            .map(([key]) => key as CertKeyUsage),
-          extendedKeyUsages: Object.entries(extendedKeyUsages)
-            .filter(([, value]) => value)
-            .map(([key]) => key as CertExtendedKeyUsage)
-        });
-
-        createNotification({
-          text: "Successfully created certificate template",
-          type: "success"
-        });
-      }
-
-      reset();
-      handlePopUpToggle(false);
-    } catch (err) {
-      console.error(err);
-      createNotification({
-        text: "Failed to save changes",
-        type: "error"
-      });
-    }
-  };
-
-  return (
-    <form onSubmit={handleSubmit(onFormSubmit)}>
-      {certTemplate && (
-        <FormControl label="Certificate Template ID">
-          <Input value={certTemplate.id} isDisabled className="bg-white/[0.07]" />
-        </FormControl>
-      )}
-      <Controller
-        control={control}
-        defaultValue=""
-        name="name"
-        render={({ field, fieldState: { error } }) => (
-          <FormControl
-            label="Template Name"
-            isError={Boolean(error)}
-            errorText={error?.message}
-            isRequired
-          >
-            <Input {...field} placeholder="my-template" />
-          </FormControl>
-        )}
-      />
-      <Controller
-        render={({ field: { value, onChange }, fieldState: { error } }) => (
-          <FormControl
-            label="Issuing CA"
-            errorText={error?.message}
-            isError={Boolean(error)}
-            isRequired
-          >
-            <FilterableSelect
-              options={cas || []}
-              isLoading={isCaLoading}
-              placeholder="Select CA..."
-              onChange={onChange}
-              value={value}
-              getOptionValue={(option) => option.id}
-              getOptionLabel={(option) => option.name}
-            />
-          </FormControl>
-        )}
-        control={control}
-        name="ca"
-      />
-      <Controller
-        control={control}
-        defaultValue=""
-        name="commonName"
-        render={({ field, fieldState: { error } }) => (
-          <FormControl
-            label={
-              <div>
-                <FormLabel
-                  isRequired
-                  label="Common Name (CN)"
-                  icon={
-                    <Tooltip
-                      className="text-center"
-                      content={
-                        <span>
-                          This field accepts limited regular expressions: spaces, *, ., @, -, \ (for
-                          escaping), and alphanumeric characters only
-                        </span>
-                      }
-                    >
-                      <FontAwesomeIcon icon={faQuestionCircle} size="sm" />
-                    </Tooltip>
-                  }
-                />
-              </div>
-            }
-            isError={Boolean(error)}
-            errorText={error?.message}
-            isRequired
-          >
-            <Input {...field} placeholder=".*\.acme.com" />
-          </FormControl>
-        )}
-      />
-      <Controller
-        control={control}
-        defaultValue=""
-        name="subjectAlternativeName"
-        render={({ field, fieldState: { error } }) => (
-          <FormControl
-            label={
-              <div>
-                <FormLabel
-                  isRequired
-                  label="Alternative Names (SAN)"
-                  icon={
-                    <Tooltip
-                      className="text-center"
-                      content={
-                        <span>
-                          This field accepts limited regular expressions: spaces, *, ., @, -, \ (for
-                          escaping), and alphanumeric characters only
-                        </span>
-                      }
-                    >
-                      <FontAwesomeIcon icon={faQuestionCircle} size="sm" />
-                    </Tooltip>
-                  }
-                />
-              </div>
-            }
-            isError={Boolean(error)}
-            errorText={error?.message}
-            isRequired
-          >
-            <Input {...field} placeholder="service\.acme.\..*" />
-          </FormControl>
-        )}
-      />
-      <Controller
-        control={control}
-        name="ttl"
-        render={({ field, fieldState: { error } }) => (
-          <FormControl
-            label="Max TTL"
-            isError={Boolean(error)}
-            errorText={error?.message}
-            isRequired
-          >
-            <Input {...field} placeholder="2 days, 1d, 2h, 1y, ..." />
-          </FormControl>
-        )}
-      />
-      <Accordion type="single" collapsible className="w-full">
-        <AccordionItem value="key-usages" className="data-[state=open]:border-none">
-          <AccordionTrigger className="h-fit flex-none pl-1 text-sm">
-            <div className="order-1 ml-3">Key Usage</div>
-          </AccordionTrigger>
-          <AccordionContent>
-            <Controller
-              control={control}
-              name="keyUsages"
-              render={({ field: { onChange, value }, fieldState: { error } }) => {
-                return (
-                  <FormControl
-                    label="Key Usage"
-                    errorText={error?.message}
-                    isError={Boolean(error)}
-                  >
-                    <div className="mb-7 mt-2 grid grid-cols-2 gap-2">
-                      {KEY_USAGES_OPTIONS.map(({ label, value: optionValue }) => {
-                        return (
-                          <Checkbox
-                            id={optionValue}
-                            key={optionValue}
-                            className="data-[state=checked]:bg-primary"
-                            isChecked={value[optionValue]}
-                            onCheckedChange={(state) => {
-                              onChange({
-                                ...value,
-                                [optionValue]: state
-                              });
-                            }}
-                          >
-                            {label}
-                          </Checkbox>
-                        );
-                      })}
-                    </div>
-                  </FormControl>
-                );
-              }}
-            />
-            <Controller
-              control={control}
-              name="extendedKeyUsages"
-              render={({ field: { onChange, value }, fieldState: { error } }) => {
-                return (
-                  <FormControl
-                    label="Extended Key Usage"
-                    errorText={error?.message}
-                    isError={Boolean(error)}
-                  >
-                    <div className="mb-7 mt-2 grid grid-cols-2 gap-2">
-                      {EXTENDED_KEY_USAGES_OPTIONS.map(({ label, value: optionValue }) => {
-                        return (
-                          <Checkbox
-                            id={optionValue}
-                            key={optionValue}
-                            className="data-[state=checked]:bg-primary"
-                            isChecked={value[optionValue]}
-                            onCheckedChange={(state) => {
-                              onChange({
-                                ...value,
-                                [optionValue]: state
-                              });
-                            }}
-                          >
-                            {label}
-                          </Checkbox>
-                        );
-                      })}
-                    </div>
-                  </FormControl>
-                );
-              }}
-            />
-          </AccordionContent>
-        </AccordionItem>
-      </Accordion>
-      <div className="mt-4 flex items-center">
-        <Button
-          className="mr-4"
-          size="sm"
-          type="submit"
-          isLoading={isSubmitting}
-          isDisabled={isSubmitting}
-        >
-          Save
-        </Button>
-        <Button colorSchema="secondary" variant="plain" onClick={() => handlePopUpToggle(false)}>
-          Cancel
-        </Button>
-      </div>
-    </form>
-  );
-};

frontend/src/pages/cert-manager/PkiTemplateListPage/route.tsx

@@ -1,9 +0,0 @@
-import { createFileRoute } from "@tanstack/react-router";
-
-import { PkiTemplateListPage } from "./PkiTemplateListPage";
-
-export const Route = createFileRoute(
-  "/_authenticate/_inject-org-details/_org-layout/cert-manager/$projectId/_cert-manager-layout/certificate-templates/"
-)({
-  component: PkiTemplateListPage
-});

frontend/src/pages/organization/BillingPage/BillingPage.tsx

@@ -2,7 +2,7 @@ import { Helmet } from "react-helmet";
 import { useTranslation } from "react-i18next";
 
 import { OrgPermissionCan } from "@app/components/permissions";
-import { OrgPermissionBillingActions, OrgPermissionSubjects } from "@app/context";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/context";
 
 import { BillingTabGroup } from "./components";
 
@@ -24,7 +24,7 @@ export const BillingPage = () => {
           </div>
           <OrgPermissionCan
             passThrough={false}
-            I={OrgPermissionBillingActions.Read}
+            I={OrgPermissionActions.Read}
             a={OrgPermissionSubjects.Billing}
           >
             <BillingTabGroup />

frontend/src/pages/organization/BillingPage/components/BillingCloudTab/PreviewSection.tsx

@@ -4,7 +4,7 @@ import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { OrgPermissionCan } from "@app/components/permissions";
 import { Button } from "@app/components/v2";
 import {
-  OrgPermissionBillingActions,
+  OrgPermissionActions,
   OrgPermissionSubjects,
   useOrganization,
   useSubscription
@@ -112,10 +112,7 @@ export const PreviewSection = () => {
                   Get unlimited members, projects, RBAC, smart alerts, and so much more.
                 </p>
               </div>
-              <OrgPermissionCan
-                I={OrgPermissionBillingActions.ManageBilling}
-                a={OrgPermissionSubjects.Billing}
-              >
+              <OrgPermissionCan I={OrgPermissionActions.Create} a={OrgPermissionSubjects.Billing}>
                 {(isAllowed) => (
                   <Button
                     onClick={() => handleUpgradeBtnClick()}
@@ -159,10 +156,7 @@ export const PreviewSection = () => {
               }`}
             </p>
             {isInfisicalCloud() && (
-              <OrgPermissionCan
-                I={OrgPermissionBillingActions.ManageBilling}
-                a={OrgPermissionSubjects.Billing}
-              >
+              <OrgPermissionCan I={OrgPermissionActions.Edit} a={OrgPermissionSubjects.Billing}>
                 {(isAllowed) => (
                   <button
                     type="button"

frontend/src/pages/organization/BillingPage/components/BillingDetailsTab/CompanyNameSection.tsx

@@ -6,7 +6,7 @@ import { z } from "zod";
 import { createNotification } from "@app/components/notifications";
 import { OrgPermissionCan } from "@app/components/permissions";
 import { Button, FormControl, Input } from "@app/components/v2";
-import { OrgPermissionBillingActions, OrgPermissionSubjects, useOrganization } from "@app/context";
+import { OrgPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
 import { useGetOrgBillingDetails, useUpdateOrgBillingDetails } from "@app/hooks/api";
 
 const schema = z
@@ -74,10 +74,7 @@ export const CompanyNameSection = () => {
           name="name"
         />
       </div>
-      <OrgPermissionCan
-        I={OrgPermissionBillingActions.ManageBilling}
-        a={OrgPermissionSubjects.Billing}
-      >
+      <OrgPermissionCan I={OrgPermissionActions.Edit} a={OrgPermissionSubjects.Billing}>
         {(isAllowed) => (
           <Button
             type="submit"

frontend/src/pages/organization/BillingPage/components/BillingDetailsTab/InvoiceEmailSection.tsx

@@ -6,7 +6,7 @@ import { z } from "zod";
 import { createNotification } from "@app/components/notifications";
 import { OrgPermissionCan } from "@app/components/permissions";
 import { Button, FormControl, Input } from "@app/components/v2";
-import { OrgPermissionBillingActions, OrgPermissionSubjects, useOrganization } from "@app/context";
+import { OrgPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
 import { useGetOrgBillingDetails, useUpdateOrgBillingDetails } from "@app/hooks/api";
 
 const schema = z
@@ -75,10 +75,7 @@ export const InvoiceEmailSection = () => {
           name="email"
         />
       </div>
-      <OrgPermissionCan
-        I={OrgPermissionBillingActions.ManageBilling}
-        a={OrgPermissionSubjects.Billing}
-      >
+      <OrgPermissionCan I={OrgPermissionActions.Edit} a={OrgPermissionSubjects.Billing}>
         {(isAllowed) => (
           <Button
             type="submit"

frontend/src/pages/organization/BillingPage/components/BillingDetailsTab/PmtMethodsSection.tsx

@@ -3,7 +3,7 @@ import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { OrgPermissionCan } from "@app/components/permissions";
 import { Button } from "@app/components/v2";
-import { OrgPermissionBillingActions, OrgPermissionSubjects, useOrganization } from "@app/context";
+import { OrgPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
 import { useAddOrgPmtMethod } from "@app/hooks/api";
 
 import { PmtMethodsTable } from "./PmtMethodsTable";
@@ -27,10 +27,7 @@ export const PmtMethodsSection = () => {
     <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
       <div className="mb-8 flex items-center">
         <h2 className="flex-1 text-xl font-semibold text-white">Payment methods</h2>
-        <OrgPermissionCan
-          I={OrgPermissionBillingActions.ManageBilling}
-          a={OrgPermissionSubjects.Billing}
-        >
+        <OrgPermissionCan I={OrgPermissionActions.Create} a={OrgPermissionSubjects.Billing}>
           {(isAllowed) => (
             <Button
               onClick={handleAddPmtMethodBtnClick}

frontend/src/pages/organization/BillingPage/components/BillingDetailsTab/PmtMethodsTable.tsx

@@ -16,7 +16,7 @@ import {
   THead,
   Tr
 } from "@app/components/v2";
-import { OrgPermissionBillingActions, OrgPermissionSubjects, useOrganization } from "@app/context";
+import { OrgPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
 import { usePopUp } from "@app/hooks";
 import { useDeleteOrgPmtMethod, useGetOrgPmtMethods } from "@app/hooks/api";
 
@@ -75,7 +75,7 @@ export const PmtMethodsTable = () => {
                   <Td>{`${exp_month}/${exp_year}`}</Td>
                   <Td>
                     <OrgPermissionCan
-                      I={OrgPermissionBillingActions.ManageBilling}
+                      I={OrgPermissionActions.Delete}
                       a={OrgPermissionSubjects.Billing}
                     >
                       {(isAllowed) => (

frontend/src/pages/organization/BillingPage/components/BillingDetailsTab/TaxIDSection.tsx

@@ -3,7 +3,7 @@ import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { OrgPermissionCan } from "@app/components/permissions";
 import { Button } from "@app/components/v2";
-import { OrgPermissionBillingActions, OrgPermissionSubjects } from "@app/context";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/context";
 import { usePopUp } from "@app/hooks/usePopUp";
 
 import { TaxIDModal } from "./TaxIDModal";
@@ -18,10 +18,7 @@ export const TaxIDSection = () => {
     <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
       <div className="mb-8 flex items-center">
         <h2 className="flex-1 text-xl font-semibold text-white">Tax ID</h2>
-        <OrgPermissionCan
-          I={OrgPermissionBillingActions.ManageBilling}
-          a={OrgPermissionSubjects.Billing}
-        >
+        <OrgPermissionCan I={OrgPermissionActions.Edit} a={OrgPermissionSubjects.Billing}>
           {(isAllowed) => (
             <Button
               onClick={() => handlePopUpOpen("addTaxID")}

frontend/src/pages/organization/BillingPage/components/BillingDetailsTab/TaxIDTable.tsx

@@ -14,7 +14,7 @@ import {
   THead,
   Tr
 } from "@app/components/v2";
-import { OrgPermissionBillingActions, OrgPermissionSubjects, useOrganization } from "@app/context";
+import { OrgPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
 import { useDeleteOrgTaxId, useGetOrgTaxIds } from "@app/hooks/api";
 
 const taxIDTypeLabelMap: { [key: string]: string } = {
@@ -103,7 +103,7 @@ export const TaxIDTable = () => {
                 <Td>{value}</Td>
                 <Td>
                   <OrgPermissionCan
-                    I={OrgPermissionBillingActions.ManageBilling}
+                    I={OrgPermissionActions.Delete}
                     a={OrgPermissionSubjects.Billing}
                   >
                     {(isAllowed) => (

frontend/src/pages/organization/BillingPage/components/BillingTabGroup/BillingTabGroup.tsx

@@ -1,5 +1,5 @@
 import { Tab, TabList, TabPanel, Tabs } from "@app/components/v2";
-import { OrgPermissionBillingActions, OrgPermissionSubjects } from "@app/context";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/context";
 import { isInfisicalCloud } from "@app/helpers/platform";
 import { withPermission } from "@app/hoc";
 
@@ -47,5 +47,5 @@ export const BillingTabGroup = withPermission(
       </Tabs>
     );
   },
-  { action: OrgPermissionBillingActions.Read, subject: OrgPermissionSubjects.Billing }
+  { action: OrgPermissionActions.Read, subject: OrgPermissionSubjects.Billing }
 );

frontend/src/pages/organization/RoleByIDPage/components/OrgRoleModifySection.utils.ts

@@ -5,7 +5,6 @@ import { OrgPermissionSubjects } from "@app/context";
 import {
   OrgGatewayPermissionActions,
   OrgPermissionAppConnectionActions,
-  OrgPermissionBillingActions,
   OrgPermissionGroupActions,
   OrgPermissionIdentityActions,
   OrgPermissionKmipActions,
@@ -22,13 +21,6 @@ const generalPermissionSchema = z
   })
   .optional();
 
-const billingPermissionSchema = z
-  .object({
-    [OrgPermissionBillingActions.Read]: z.boolean().optional(),
-    [OrgPermissionBillingActions.ManageBilling]: z.boolean().optional()
-  })
-  .optional();
-
 const appConnectionsPermissionSchema = z
   .object({
     [OrgPermissionAppConnectionActions.Read]: z.boolean().optional(),
@@ -121,7 +113,7 @@ export const formSchema = z.object({
       scim: generalPermissionSchema,
       [OrgPermissionSubjects.GithubOrgSync]: generalPermissionSchema,
       ldap: generalPermissionSchema,
-      billing: billingPermissionSchema,
+      billing: generalPermissionSchema,
       identity: identityPermissionSchema,
       "organization-admin-console": adminConsolePermissionSchmea,
       [OrgPermissionSubjects.Kms]: generalPermissionSchema,

frontend/src/pages/organization/RoleByIDPage/components/RolePermissionsSection/OrgPermissionBillingRow.tsx

@@ -1,174 +0,0 @@
-import { useEffect, useMemo } from "react";
-import { Control, Controller, UseFormSetValue, useWatch } from "react-hook-form";
-import { faChevronDown, faChevronRight } from "@fortawesome/free-solid-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-
-import { createNotification } from "@app/components/notifications";
-import { Checkbox, Select, SelectItem, Td, Tr } from "@app/components/v2";
-import { OrgPermissionBillingActions } from "@app/context/OrgPermissionContext/types";
-import { useToggle } from "@app/hooks";
-
-import { TFormSchema } from "../OrgRoleModifySection.utils";
-
-const PERMISSION_ACTIONS = [
-  { action: OrgPermissionBillingActions.Read, label: "View bills" },
-  { action: OrgPermissionBillingActions.ManageBilling, label: "Manage billing" }
-] as const;
-
-type Props = {
-  isEditable: boolean;
-  setValue: UseFormSetValue<TFormSchema>;
-  control: Control<TFormSchema>;
-};
-
-enum Permission {
-  NoAccess = "no-access",
-  ReadOnly = "read-only",
-  FullAccess = "full-access",
-  Custom = "custom"
-}
-
-export const OrgPermissionBillingRow = ({ isEditable, control, setValue }: Props) => {
-  const [isRowExpanded, setIsRowExpanded] = useToggle();
-  const [isCustom, setIsCustom] = useToggle();
-
-  const rule = useWatch({
-    control,
-    name: "permissions.billing"
-  });
-
-  const selectedPermissionCategory = useMemo(() => {
-    const actions = Object.keys(rule || {}) as Array<keyof typeof rule>;
-    const totalActions = PERMISSION_ACTIONS.length;
-    const score = actions.map((key) => (rule?.[key] ? 1 : 0)).reduce((a, b) => a + b, 0 as number);
-
-    if (isCustom) return Permission.Custom;
-    if (score === 0) return Permission.NoAccess;
-    if (score === totalActions) return Permission.FullAccess;
-    if (score === 1 && rule?.[OrgPermissionBillingActions.Read]) return Permission.ReadOnly;
-    return Permission.Custom;
-  }, [rule, isCustom]);
-
-  useEffect(() => {
-    if (selectedPermissionCategory === Permission.Custom) setIsCustom.on();
-    else setIsCustom.off();
-  }, [selectedPermissionCategory]);
-
-  const handlePermissionChange = (val: Permission) => {
-    if (val === Permission.Custom) {
-      setIsRowExpanded.on();
-      setIsCustom.on();
-      return;
-    }
-    setIsCustom.off();
-
-    switch (val) {
-      case Permission.NoAccess:
-        setValue(
-          "permissions.billing",
-          {
-            [OrgPermissionBillingActions.Read]: false,
-            [OrgPermissionBillingActions.ManageBilling]: false
-          },
-          { shouldDirty: true }
-        );
-        break;
-      case Permission.ReadOnly:
-        setValue(
-          "permissions.billing",
-          {
-            [OrgPermissionBillingActions.Read]: true,
-            [OrgPermissionBillingActions.ManageBilling]: false
-          },
-          { shouldDirty: true }
-        );
-        break;
-      case Permission.FullAccess:
-        setValue(
-          "permissions.billing",
-          {
-            [OrgPermissionBillingActions.Read]: true,
-            [OrgPermissionBillingActions.ManageBilling]: true
-          },
-          { shouldDirty: true }
-        );
-        break;
-      default:
-        setValue(
-          "permissions.billing",
-          {
-            [OrgPermissionBillingActions.Read]: false,
-            [OrgPermissionBillingActions.ManageBilling]: false
-          },
-          { shouldDirty: true }
-        );
-        break;
-    }
-  };
-
-  return (
-    <>
-      <Tr
-        className="h-10 cursor-pointer transition-colors duration-100 hover:bg-mineshaft-700"
-        onClick={() => setIsRowExpanded.toggle()}
-      >
-        <Td>
-          <FontAwesomeIcon icon={isRowExpanded ? faChevronDown : faChevronRight} />
-        </Td>
-        <Td>Billing</Td>
-        <Td>
-          <Select
-            value={selectedPermissionCategory}
-            className="w-40 bg-mineshaft-600"
-            dropdownContainerClassName="border border-mineshaft-600 bg-mineshaft-800"
-            onValueChange={handlePermissionChange}
-            isDisabled={!isEditable}
-          >
-            <SelectItem value={Permission.NoAccess}>No Access</SelectItem>
-            <SelectItem value={Permission.ReadOnly}>Read Only</SelectItem>
-            <SelectItem value={Permission.FullAccess}>Full Access</SelectItem>
-            <SelectItem value={Permission.Custom}>Custom</SelectItem>
-          </Select>
-        </Td>
-      </Tr>
-      {isRowExpanded && (
-        <Tr>
-          <Td
-            colSpan={3}
-            className={`bg-bunker-600 px-0 py-0 ${isRowExpanded && "border-mineshaft-500 p-8"}`}
-          >
-            <div className="grid grid-cols-3 gap-4">
-              {PERMISSION_ACTIONS.map(({ action, label }) => {
-                return (
-                  <Controller
-                    name={`permissions.billing.${action}`}
-                    key={`permissions.billing.${action}`}
-                    control={control}
-                    render={({ field }) => (
-                      <Checkbox
-                        isChecked={field.value}
-                        onCheckedChange={(e) => {
-                          if (!isEditable) {
-                            createNotification({
-                              type: "error",
-                              text: "Failed to update default role"
-                            });
-                            return;
-                          }
-                          field.onChange(e);
-                        }}
-                        id={`permissions.billing.${action}`}
-                      >
-                        {label}
-                      </Checkbox>
-                    )}
-                  />
-                );
-              })}
-            </div>
-          </Td>
-        </Tr>
-      )}
-    </>
-  );
-};

frontend/src/pages/organization/RoleByIDPage/components/RolePermissionsSection/RolePermissionRow.tsx

@@ -38,6 +38,13 @@ const MEMBERS_PERMISSIONS = [
   { action: "delete", label: "Remove members" }
 ] as const;
 
+const BILLING_PERMISSIONS = [
+  { action: "read", label: "View bills" },
+  { action: "create", label: "Add payment methods" },
+  { action: "edit", label: "Edit payments" },
+  { action: "delete", label: "Remove payments" }
+] as const;
+
 const PROJECT_TEMPLATES_PERMISSIONS = [
   { action: "read", label: "View & Apply" },
   { action: "create", label: "Create" },
@@ -45,16 +52,18 @@ const PROJECT_TEMPLATES_PERMISSIONS = [
   { action: "delete", label: "Remove" }
 ] as const;
 
-const getPermissionList = (formName: Props["formName"]) => {
-  switch (formName) {
+const getPermissionList = (option: string) => {
+  switch (option) {
+    case "secret-scanning":
+      return SECRET_SCANNING_PERMISSIONS;
+    case "billing":
+      return BILLING_PERMISSIONS;
+    case "incident-contact":
+      return INCIDENT_CONTACTS_PERMISSIONS;
     case "member":
       return MEMBERS_PERMISSIONS;
     case OrgPermissionSubjects.ProjectTemplates:
       return PROJECT_TEMPLATES_PERMISSIONS;
-    case "secret-scanning":
-      return SECRET_SCANNING_PERMISSIONS;
-    case "incident-contact":
-      return INCIDENT_CONTACTS_PERMISSIONS;
     default:
       return PERMISSIONS;
   }
@@ -65,7 +74,7 @@ type Props = {
   title: string;
   formName: keyof Omit<
     Exclude<TFormSchema["permissions"], undefined>,
-    "workspace" | "organization-admin-console" | "kmip" | "gateway" | "secret-share" | "billing"
+    "workspace" | "organization-admin-console" | "kmip" | "gateway" | "secret-share"
   >;
   setValue: UseFormSetValue<TFormSchema>;
   control: Control<TFormSchema>;

frontend/src/pages/organization/RoleByIDPage/components/RolePermissionsSection/RolePermissionsSection.tsx

@@ -14,7 +14,6 @@ import {
   TFormSchema
 } from "../OrgRoleModifySection.utils";
 import { OrgPermissionAdminConsoleRow } from "./OrgPermissionAdminConsoleRow";
-import { OrgPermissionBillingRow } from "./OrgPermissionBillingRow";
 import { OrgGatewayPermissionRow } from "./OrgPermissionGatewayRow";
 import { OrgPermissionGroupRow } from "./OrgPermissionGroupRow";
 import { OrgPermissionIdentityRow } from "./OrgPermissionIdentityRow";
@@ -28,6 +27,10 @@ const SIMPLE_PERMISSION_OPTIONS = [
     title: "User Management",
     formName: "member"
   },
+  {
+    title: "Usage & Billing",
+    formName: "billing"
+  },
   {
     title: "Role Management",
     formName: "role"
@@ -183,11 +186,6 @@ export const RolePermissionsSection = ({ roleId }: Props) => {
                 setValue={setValue}
                 isEditable={isCustomRole}
               />
-              <OrgPermissionBillingRow
-                control={control}
-                setValue={setValue}
-                isEditable={isCustomRole}
-              />
               <OrgPermissionSecretShareRow
                 control={control}
                 setValue={setValue}

frontend/src/pages/project/RoleDetailsBySlugPage/components/PkiTemplatePermissionConditions.tsx

@@ -1,173 +0,0 @@
-import { Controller, useFieldArray, useFormContext } from "react-hook-form";
-import { faInfoCircle, faPlus, faTrash, faWarning } from "@fortawesome/free-solid-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-
-import {
-  Button,
-  FormControl,
-  IconButton,
-  Input,
-  Select,
-  SelectItem,
-  Tooltip
-} from "@app/components/v2";
-import {
-  PermissionConditionOperators,
-  ProjectPermissionSub
-} from "@app/context/ProjectPermissionContext/types";
-
-import { getConditionOperatorHelperInfo } from "./PermissionConditionHelpers";
-import { TFormSchema } from "./ProjectRoleModifySection.utils";
-
-type Props = {
-  position?: number;
-  isDisabled?: boolean;
-};
-
-export const PkiTemplatePermissionConditions = ({ position = 0, isDisabled }: Props) => {
-  const {
-    control,
-    watch,
-    formState: { errors }
-  } = useFormContext<TFormSchema>();
-
-  const permissionSubject = ProjectPermissionSub.CertificateTemplates;
-  const items = useFieldArray({
-    control,
-    name: `permissions.${permissionSubject}.${position}.conditions`
-  });
-
-  return (
-    <div className="mt-6 border-t border-t-mineshaft-600 bg-mineshaft-800 pt-2">
-      <p className="mt-2 text-gray-300">Conditions</p>
-      <p className="text-sm text-mineshaft-400">
-        Conditions determine when a policy will be applied (always if no conditions are present).
-      </p>
-      <p className="mb-3 text-sm leading-4 text-mineshaft-400">
-        All conditions must evaluate to true for the policy to take effect.
-      </p>
-      <div className="mt-2 flex flex-col space-y-2">
-        {items.fields.map((el, index) => {
-          const condition =
-            (watch(`permissions.${permissionSubject}.${position}.conditions.${index}`) as {
-              lhs: string;
-              rhs: string;
-              operator: string;
-            }) || {};
-
-          return (
-            <div
-              key={el.id}
-              className="flex gap-2 bg-mineshaft-800 first:rounded-t-md last:rounded-b-md"
-            >
-              <div className="w-1/4">
-                <Controller
-                  control={control}
-                  name={`permissions.${permissionSubject}.${position}.conditions.${index}.lhs`}
-                  render={({ field, fieldState: { error } }) => (
-                    <FormControl
-                      isError={Boolean(error?.message)}
-                      errorText={error?.message}
-                      className="mb-0"
-                    >
-                      <Select
-                        defaultValue={field.value}
-                        {...field}
-                        onValueChange={(e) => field.onChange(e)}
-                        className="w-full"
-                      >
-                        <SelectItem value="name">Name</SelectItem>
-                      </Select>
-                    </FormControl>
-                  )}
-                />
-              </div>
-              <div className="flex w-36 items-center space-x-2">
-                <Controller
-                  control={control}
-                  name={`permissions.${permissionSubject}.${position}.conditions.${index}.operator`}
-                  render={({ field, fieldState: { error } }) => (
-                    <FormControl
-                      isError={Boolean(error?.message)}
-                      errorText={error?.message}
-                      className="mb-0 flex-grow"
-                    >
-                      <Select
-                        defaultValue={field.value}
-                        {...field}
-                        onValueChange={(e) => field.onChange(e)}
-                        className="w-full"
-                      >
-                        <SelectItem value={PermissionConditionOperators.$EQ}>Equals</SelectItem>
-                        <SelectItem value={PermissionConditionOperators.$GLOB}>Glob</SelectItem>
-                        <SelectItem value={PermissionConditionOperators.$IN}>In</SelectItem>
-                      </Select>
-                    </FormControl>
-                  )}
-                />
-                <Tooltip
-                  asChild
-                  content={getConditionOperatorHelperInfo(
-                    condition?.operator as PermissionConditionOperators
-                  )}
-                  className="max-w-xs"
-                >
-                  <FontAwesomeIcon icon={faInfoCircle} size="xs" className="text-gray-400" />
-                </Tooltip>
-              </div>
-              <div className="flex-grow">
-                <Controller
-                  control={control}
-                  name={`permissions.${permissionSubject}.${position}.conditions.${index}.rhs`}
-                  render={({ field, fieldState: { error } }) => (
-                    <FormControl
-                      isError={Boolean(error?.message)}
-                      errorText={error?.message}
-                      className="mb-0 flex-grow"
-                    >
-                      <Input {...field} />
-                    </FormControl>
-                  )}
-                />
-              </div>
-              <div>
-                <IconButton
-                  ariaLabel="delete"
-                  variant="outline_bg"
-                  className="p-2.5"
-                  onClick={() => items.remove(index)}
-                >
-                  <FontAwesomeIcon icon={faTrash} />
-                </IconButton>
-              </div>
-            </div>
-          );
-        })}
-      </div>
-      {errors?.permissions?.[permissionSubject]?.[position]?.conditions?.message && (
-        <div className="flex items-center space-x-2 py-2 text-sm text-gray-400">
-          <FontAwesomeIcon icon={faWarning} className="text-red" />
-          <span>{errors?.permissions?.[permissionSubject]?.[position]?.conditions?.message}</span>
-        </div>
-      )}
-      <div>
-        <Button
-          leftIcon={<FontAwesomeIcon icon={faPlus} />}
-          variant="star"
-          size="xs"
-          className="mt-3"
-          isDisabled={isDisabled}
-          onClick={() =>
-            items.append({
-              lhs: "name",
-              operator: PermissionConditionOperators.$EQ,
-              rhs: ""
-            })
-          }
-        >
-          Add Condition
-        </Button>
-      </div>
-    </div>
-  );
-};

frontend/src/pages/project/RoleDetailsBySlugPage/components/ProjectRoleModifySection.utils.tsx

@@ -12,13 +12,13 @@ import {
 } from "@app/context";
 import {
   PermissionConditionOperators,
+  ProjectPermissionApprovalActions,
   ProjectPermissionDynamicSecretActions,
   ProjectPermissionGroupActions,
   ProjectPermissionIdentityActions,
   ProjectPermissionKmipActions,
   ProjectPermissionMemberActions,
   ProjectPermissionPkiSubscriberActions,
-  ProjectPermissionPkiTemplateActions,
   ProjectPermissionSecretActions,
   ProjectPermissionSecretRotationActions,
   ProjectPermissionSecretSyncActions,
@@ -54,10 +54,12 @@ const SecretPolicyActionSchema = z.object({
 });
 
 const ApprovalPolicyActionSchema = z.object({
-  [ProjectPermissionActions.Read]: z.boolean().optional(),
-  [ProjectPermissionActions.Edit]: z.boolean().optional(),
-  [ProjectPermissionActions.Delete]: z.boolean().optional(),
-  [ProjectPermissionActions.Create]: z.boolean().optional()
+  [ProjectPermissionApprovalActions.Read]: z.boolean().optional(),
+  [ProjectPermissionApprovalActions.Edit]: z.boolean().optional(),
+  [ProjectPermissionApprovalActions.Delete]: z.boolean().optional(),
+  [ProjectPermissionApprovalActions.Create]: z.boolean().optional(),
+  [ProjectPermissionApprovalActions.AllowChangeBypass]: z.boolean().optional(),
+  [ProjectPermissionApprovalActions.AllowAccessBypass]: z.boolean().optional()
 });
 
 const CmekPolicyActionSchema = z.object({
@@ -149,15 +151,6 @@ const PkiSubscriberPolicyActionSchema = z.object({
   [ProjectPermissionPkiSubscriberActions.ListCerts]: z.boolean().optional()
 });
 
-const PkiTemplatePolicyActionSchema = z.object({
-  [ProjectPermissionPkiTemplateActions.Read]: z.boolean().optional(),
-  [ProjectPermissionPkiTemplateActions.Create]: z.boolean().optional(),
-  [ProjectPermissionPkiTemplateActions.Edit]: z.boolean().optional(),
-  [ProjectPermissionPkiTemplateActions.Delete]: z.boolean().optional(),
-  [ProjectPermissionPkiTemplateActions.IssueCert]: z.boolean().optional(),
-  [ProjectPermissionPkiTemplateActions.ListCerts]: z.boolean().optional()
-});
-
 const SecretRollbackPolicyActionSchema = z.object({
   read: z.boolean().optional(),
   create: z.boolean().optional()
@@ -265,12 +258,7 @@ export const projectRoleFormSchema = z.object({
         .default([]),
       [ProjectPermissionSub.PkiAlerts]: GeneralPolicyActionSchema.array().default([]),
       [ProjectPermissionSub.PkiCollections]: GeneralPolicyActionSchema.array().default([]),
-      [ProjectPermissionSub.CertificateTemplates]: PkiTemplatePolicyActionSchema.extend({
-        inverted: z.boolean().optional(),
-        conditions: ConditionSchema
-      })
-        .array()
-        .default([]),
+      [ProjectPermissionSub.CertificateTemplates]: GeneralPolicyActionSchema.array().default([]),
       [ProjectPermissionSub.SshCertificateAuthorities]: GeneralPolicyActionSchema.array().default(
         []
       ),
@@ -310,7 +298,6 @@ type TConditionalFields =
   | ProjectPermissionSub.SecretImports
   | ProjectPermissionSub.DynamicSecrets
   | ProjectPermissionSub.PkiSubscribers
-  | ProjectPermissionSub.CertificateTemplates
   | ProjectPermissionSub.SshHosts
   | ProjectPermissionSub.SecretRotation
   | ProjectPermissionSub.Identity;
@@ -325,8 +312,7 @@ export const isConditionalSubjects = (
   subject === ProjectPermissionSub.Identity ||
   subject === ProjectPermissionSub.SshHosts ||
   subject === ProjectPermissionSub.SecretRotation ||
-  subject === ProjectPermissionSub.PkiSubscribers ||
-  subject === ProjectPermissionSub.CertificateTemplates;
+  subject === ProjectPermissionSub.PkiSubscribers;
 
 const convertCaslConditionToFormOperator = (caslConditions: TPermissionCondition) => {
   const formConditions: z.infer<typeof ConditionSchema> = [];
@@ -425,6 +411,7 @@ export const rolePermission2Form = (permissions: TProjectPermission[] = []) => {
         ProjectPermissionSub.CertificateAuthorities,
         ProjectPermissionSub.PkiAlerts,
         ProjectPermissionSub.PkiCollections,
+        ProjectPermissionSub.CertificateTemplates,
         ProjectPermissionSub.Tags,
         ProjectPermissionSub.SecretRotation,
         ProjectPermissionSub.Kms,
@@ -587,18 +574,24 @@ export const rolePermission2Form = (permissions: TProjectPermission[] = []) => {
     }
 
     if (subject === ProjectPermissionSub.SecretApproval) {
-      const canCreate = action.includes(ProjectPermissionActions.Create);
-      const canDelete = action.includes(ProjectPermissionActions.Delete);
-      const canEdit = action.includes(ProjectPermissionActions.Edit);
-      const canRead = action.includes(ProjectPermissionActions.Read);
+      const canCreate = action.includes(ProjectPermissionApprovalActions.Create);
+      const canDelete = action.includes(ProjectPermissionApprovalActions.Delete);
+      const canEdit = action.includes(ProjectPermissionApprovalActions.Edit);
+      const canRead = action.includes(ProjectPermissionApprovalActions.Read);
+      const canChangeBypass = action.includes(ProjectPermissionApprovalActions.AllowChangeBypass);
+      const canAccessBypass = action.includes(ProjectPermissionApprovalActions.AllowAccessBypass);
 
       if (!formVal[subject]) formVal[subject] = [{}];
 
       // Map actions to the keys defined in ApprovalPolicyActionSchema
-      if (canCreate) formVal[subject]![0][ProjectPermissionActions.Create] = true;
-      if (canDelete) formVal[subject]![0][ProjectPermissionActions.Delete] = true;
-      if (canEdit) formVal[subject]![0][ProjectPermissionActions.Edit] = true;
-      if (canRead) formVal[subject]![0][ProjectPermissionActions.Read] = true;
+      if (canCreate) formVal[subject]![0][ProjectPermissionApprovalActions.Create] = true;
+      if (canDelete) formVal[subject]![0][ProjectPermissionApprovalActions.Delete] = true;
+      if (canEdit) formVal[subject]![0][ProjectPermissionApprovalActions.Edit] = true;
+      if (canRead) formVal[subject]![0][ProjectPermissionApprovalActions.Read] = true;
+      if (canChangeBypass)
+        formVal[subject]![0][ProjectPermissionApprovalActions.AllowChangeBypass] = true;
+      if (canAccessBypass)
+        formVal[subject]![0][ProjectPermissionApprovalActions.AllowAccessBypass] = true;
       return;
     }
 
@@ -797,34 +790,6 @@ export const rolePermission2Form = (permissions: TProjectPermission[] = []) => {
         conditions: conditions ? convertCaslConditionToFormOperator(conditions) : [],
         inverted
       });
-      return;
-    }
-
-    if (subject === ProjectPermissionSub.CertificateTemplates) {
-      if (!formVal[subject]) formVal[subject] = [];
-
-      formVal[subject]!.push({
-        [ProjectPermissionPkiTemplateActions.Edit]: action.includes(
-          ProjectPermissionPkiTemplateActions.Edit
-        ),
-        [ProjectPermissionPkiTemplateActions.Delete]: action.includes(
-          ProjectPermissionPkiTemplateActions.Delete
-        ),
-        [ProjectPermissionPkiTemplateActions.Create]: action.includes(
-          ProjectPermissionPkiTemplateActions.Create
-        ),
-        [ProjectPermissionPkiTemplateActions.Read]: action.includes(
-          ProjectPermissionPkiTemplateActions.Read
-        ),
-        [ProjectPermissionPkiTemplateActions.IssueCert]: action.includes(
-          ProjectPermissionPkiTemplateActions.IssueCert
-        ),
-        [ProjectPermissionPkiTemplateActions.ListCerts]: action.includes(
-          ProjectPermissionPkiTemplateActions.ListCerts
-        ),
-        conditions: conditions ? convertCaslConditionToFormOperator(conditions) : [],
-        inverted
-      });
     }
   });
 
@@ -1163,12 +1128,10 @@ export const PROJECT_PERMISSION_OBJECT: TProjectPermissionObject = {
   [ProjectPermissionSub.CertificateTemplates]: {
     title: "Certificate Templates",
     actions: [
-      { label: "Read", value: ProjectPermissionPkiTemplateActions.Read },
-      { label: "Create", value: ProjectPermissionPkiTemplateActions.Create },
-      { label: "Modify", value: ProjectPermissionPkiTemplateActions.Edit },
-      { label: "Remove", value: ProjectPermissionPkiTemplateActions.Delete },
-      { label: "Issue Certificates", value: ProjectPermissionPkiTemplateActions.IssueCert },
-      { label: "List Certificates", value: ProjectPermissionPkiTemplateActions.ListCerts }
+      { label: "Read", value: "read" },
+      { label: "Create", value: "create" },
+      { label: "Modify", value: "edit" },
+      { label: "Remove", value: "delete" }
     ]
   },
   [ProjectPermissionSub.SshCertificateAuthorities]: {
@@ -1249,10 +1212,12 @@ export const PROJECT_PERMISSION_OBJECT: TProjectPermissionObject = {
   [ProjectPermissionSub.SecretApproval]: {
     title: "Secret Approval Policies",
     actions: [
-      { label: "Read", value: ProjectPermissionActions.Read },
-      { label: "Create", value: ProjectPermissionActions.Create },
-      { label: "Modify", value: ProjectPermissionActions.Edit },
-      { label: "Remove", value: ProjectPermissionActions.Delete }
+      { label: "Read", value: ProjectPermissionApprovalActions.Read },
+      { label: "Create", value: ProjectPermissionApprovalActions.Create },
+      { label: "Modify", value: ProjectPermissionApprovalActions.Edit },
+      { label: "Remove", value: ProjectPermissionApprovalActions.Delete },
+      { label: "Allow Change Bypass", value: ProjectPermissionApprovalActions.AllowChangeBypass },
+      { label: "Allow Access Bypass", value: ProjectPermissionApprovalActions.AllowAccessBypass }
     ]
   },
   [ProjectPermissionSub.SecretRotation]: {
@@ -1729,7 +1694,7 @@ export const RoleTemplates: Record<ProjectType, RoleTemplate[]> = {
       },
       {
         subject: ProjectPermissionSub.SecretApproval,
-        actions: Object.values(ProjectPermissionActions)
+        actions: Object.values(ProjectPermissionApprovalActions)
       },
       {
         subject: ProjectPermissionSub.ServiceTokens,

frontend/src/pages/project/RoleDetailsBySlugPage/components/RolePermissionsSection.tsx

@@ -23,7 +23,6 @@ import { GeneralPermissionPolicies } from "./GeneralPermissionPolicies";
 import { IdentityManagementPermissionConditions } from "./IdentityManagementPermissionConditions";
 import { PermissionEmptyState } from "./PermissionEmptyState";
 import { PkiSubscriberPermissionConditions } from "./PkiSubscriberPermissionConditions";
-import { PkiTemplatePermissionConditions } from "./PkiTemplatePermissionConditions";
 import {
   formRolePermission2API,
   isConditionalSubjects,
@@ -64,10 +63,6 @@ export const renderConditionalComponents = (
       return <PkiSubscriberPermissionConditions isDisabled={isDisabled} />;
     }
 
-    if (subject === ProjectPermissionSub.CertificateTemplates) {
-      return <PkiTemplatePermissionConditions isDisabled={isDisabled} />;
-    }
-
     return <GeneralPermissionConditions isDisabled={isDisabled} type={subject} />;
   }
 

frontend/src/pages/secret-manager/SecretApprovalsPage/components/AccessApprovalRequest/AccessApprovalRequest.tsx

@@ -25,6 +25,7 @@ import {
 } from "@app/components/v2";
 import { Badge } from "@app/components/v2/Badge";
 import {
+  ProjectPermissionApprovalActions,
   ProjectPermissionMemberActions,
   ProjectPermissionSub,
   useProjectPermission,
@@ -101,6 +102,11 @@ export const AccessApprovalRequest = ({
   const { subscription } = useSubscription();
   const { currentWorkspace } = useWorkspace();
 
+  const canBypassApprovalPermission = permission.can(
+    ProjectPermissionApprovalActions.AllowAccessBypass,
+    ProjectPermissionSub.SecretApproval
+  );
+
   const { data: members } = useGetWorkspaceUsers(projectId, true);
   const membersGroupById = members?.reduce<Record<string, TWorkspaceUser>>(
     (prev, curr) => ({ ...prev, [curr.user.id]: curr }),
@@ -157,8 +163,6 @@ export const AccessApprovalRequest = ({
       const isRequestedByCurrentUser = request.requestedByUserId === user.id;
       const isSelfApproveAllowed = request.policy.allowedSelfApprovals;
       const userReviewStatus = request.reviewers.find(({ member }) => member === user.id)?.status;
-      const canBypass =
-        !request.policy.bypassers.length || request.policy.bypassers.includes(user.id);
 
       let displayData: { label: string; type: "primary" | "danger" | "success" } = {
         label: "",
@@ -194,7 +198,6 @@ export const AccessApprovalRequest = ({
         userReviewStatus,
         isAccepted,
         isSoftEnforcement,
-        canBypass,
         isRequestedByCurrentUser,
         isSelfApproveAllowed
       };
@@ -212,7 +215,9 @@ export const AccessApprovalRequest = ({
 
       // Whether the current user can bypass policy
       const canBypass =
-        details.isSoftEnforcement && details.isRequestedByCurrentUser && details.canBypass;
+        details.isSoftEnforcement &&
+        details.isRequestedByCurrentUser &&
+        canBypassApprovalPermission;
 
       // Whether the current user can approve
       const canApprove =
@@ -235,7 +240,14 @@ export const AccessApprovalRequest = ({
 
       handlePopUpOpen("reviewRequest");
     },
-    [generateRequestDetails, membersGroupById, user, setSelectedRequest, handlePopUpOpen]
+    [
+      generateRequestDetails,
+      canBypassApprovalPermission,
+      membersGroupById,
+      user,
+      setSelectedRequest,
+      handlePopUpOpen
+    ]
   );
 
   return (
@@ -459,7 +471,7 @@ export const AccessApprovalRequest = ({
             setSelectedRequest(null);
             refetchRequests();
           }}
-          canBypass={generateRequestDetails(selectedRequest).canBypass}
+          canBypassApprovalPermission={canBypassApprovalPermission}
         />
       )}
 

frontend/src/pages/secret-manager/SecretApprovalsPage/components/AccessApprovalRequest/components/ReviewAccessModal.tsx

@@ -19,7 +19,7 @@ export const ReviewAccessRequestModal = ({
   projectSlug,
   selectedRequester,
   selectedEnvSlug,
-  canBypass
+  canBypassApprovalPermission
 }: {
   isOpen: boolean;
   onOpenChange: (isOpen: boolean) => void;
@@ -32,7 +32,7 @@ export const ReviewAccessRequestModal = ({
   projectSlug: string;
   selectedRequester: string | undefined;
   selectedEnvSlug: string | undefined;
-  canBypass: boolean;
+  canBypassApprovalPermission: boolean;
 }) => {
   const [isLoading, setIsLoading] = useState<"approved" | "rejected" | null>(null);
   const [bypassApproval, setBypassApproval] = useState(false);
@@ -208,7 +208,7 @@ export const ReviewAccessRequestModal = ({
           {isSoftEnforcement &&
             request.isRequestedByCurrentUser &&
             !(request.isApprover && request.isSelfApproveAllowed) &&
-            canBypass && (
+            canBypassApprovalPermission && (
               <div className="mt-2 flex flex-col space-y-2">
                 <Checkbox
                   onCheckedChange={(checked) => setBypassApproval(checked === true)}