Update secret-approval-request-service.ts

Feat: Scoped JWT tokens

.env.example

@@ -3,6 +3,9 @@
 # THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
 
+# Required
+DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
+
 # JWT
 # Required secrets to sign JWT tokens
 # THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
@@ -13,9 +16,6 @@ POSTGRES_PASSWORD=infisical
 POSTGRES_USER=infisical
 POSTGRES_DB=infisical
 
-# Required
-DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
-
 # Redis
 REDIS_URL=redis://redis:6379
 

.github/workflows/build-docker-image-to-prod.yml

@@ -41,7 +41,6 @@ jobs:
           load: true
           context: backend
           tags: infisical/infisical:test
-          platforms: linux/amd64,linux/arm64
       - name: ⏻ Spawn backend container and dependencies
         run: |
           docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
@@ -93,7 +92,6 @@ jobs:
           project: 64mmf0n610
           context: frontend
           tags: infisical/frontend:test
-          platforms: linux/amd64,linux/arm64
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
             NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}

.github/workflows/build-staging-and-deploy-aws.yml

@@ -1,140 +0,0 @@
-name: Deployment pipeline
-on: [workflow_dispatch]
-
-permissions:
-  id-token: write
-  contents: read
-
-jobs:
-  infisical-image:
-    name: Build backend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 🏗️ Build backend and push to docker hub
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          file: Dockerfile.standalone-infisical
-          tags: |
-            infisical/staging_infisical:${{ steps.commit.outputs.short }}
-            infisical/staging_infisical:latest
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            INFISICAL_PLATFORM_VERSION=${{ steps.commit.outputs.short }}
-    
-  gamma-deployment:
-    name: Deploy to gamma
-    runs-on: ubuntu-latest
-    needs: [infisical-image]
-    environment:
-      name: Gamma
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Setup Node.js environment
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
-      - name: Change directory to backend and install dependencies
-        env:
-          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-        run: |
-          cd backend
-          npm install
-          npm run migration:latest
-      - name: Configure AWS Credentials 
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          audience: sts.amazonaws.com
-          aws-region: us-east-1
-          role-to-assume: arn:aws:iam::905418227878:role/deploy-new-ecs-img
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: Download task definition
-        run: |
-          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
-      - name: Render Amazon ECS task definition
-        id: render-web-container
-        uses: aws-actions/amazon-ecs-render-task-definition@v1
-        with:
-          task-definition: task-definition.json
-          container-name: infisical-prod-platform
-          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
-          environment-variables: "LOG_LEVEL=info"
-      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
-        with:
-          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
-          wait-for-service-stability: true
-
-  production-postgres-deployment:
-    name: Deploy to production
-    runs-on: ubuntu-latest
-    needs: [gamma-deployment]
-    environment:
-      name: Production
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Setup Node.js environment
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
-      - name: Change directory to backend and install dependencies
-        env:
-          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-        run: |
-          cd backend
-          npm install
-          npm run migration:latest
-      - name: Configure AWS Credentials 
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          audience: sts.amazonaws.com
-          aws-region: us-east-1
-          role-to-assume: arn:aws:iam::381492033652:role/gha-make-prod-deployment
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: Download task definition
-        run: |
-          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
-      - name: Render Amazon ECS task definition
-        id: render-web-container
-        uses: aws-actions/amazon-ecs-render-task-definition@v1
-        with:
-          task-definition: task-definition.json
-          container-name: infisical-prod-platform
-          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
-          environment-variables: "LOG_LEVEL=info"
-      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
-        with:
-          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
-          wait-for-service-stability: true

.github/workflows/build-staging-and-deploy.yml

@@ -0,0 +1,120 @@
+name: Build, Publish and Deploy to Gamma
+on: [workflow_dispatch]
+
+jobs:
+  infisical-image:
+    name: Build backend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      # - name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          load: true
+          context: .
+          file: Dockerfile.standalone-infisical
+          tags: infisical/infisical:test
+      # - name: ⏻ Spawn backend container and dependencies
+      #   run: |
+      #     docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
+      # - name: 🧪 Test backend image
+      #   run: |
+      #     ./.github/resources/healthcheck.sh infisical-backend-test
+      # - name: ⏻ Shut down backend container and dependencies
+      #   run: |
+      #     docker compose -f .github/resources/docker-compose.be-test.yml down
+      - name: 🏗️ Build backend and push
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          file: Dockerfile.standalone-infisical
+          tags: |
+            infisical/staging_infisical:${{ steps.commit.outputs.short }}
+            infisical/staging_infisical:latest
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+  postgres-migration:
+    name: Run latest migration files
+    runs-on: ubuntu-latest
+    needs: [infisical-image]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v2
+        with:
+          node-version: "20"
+      - name: Change directory to backend and install dependencies
+        env:
+          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+        run: |
+          cd backend
+          npm install
+          npm run migration:latest
+      # - name: Run postgres DB migration files
+      #   env:
+      #     DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+      #   run: npm run migration:latest
+  gamma-deployment:
+    name: Deploy to gamma
+    runs-on: ubuntu-latest
+    needs: [postgres-migration]
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+      - name: Install infisical helm chart
+        run: |
+          helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
+          helm repo update
+      - name: Install kubectl
+        uses: azure/setup-kubectl@v3
+      - name: Install doctl
+        uses: digitalocean/action-doctl@v2
+        with:
+          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+      - name: Save DigitalOcean kubeconfig with short-lived credentials
+        run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 infisical-gamma-postgres
+      - name: switch to gamma namespace
+        run: kubectl config set-context --current --namespace=gamma
+      - name: test kubectl
+        run: kubectl get ingress
+      - name: Download helm values to file and upgrade gamma deploy
+        run: |
+          wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
+          helm upgrade infisical infisical-helm-charts/infisical-standalone  --values values.yaml --wait --install
+          if [[ $(helm status infisical) == *"FAILED"* ]]; then
+            echo "Helm upgrade failed"
+            exit 1
+          else
+            echo "Helm upgrade was successful"
+          fi

Dockerfile.standalone-infisical

@@ -118,6 +118,9 @@ WORKDIR /backend
 
 ENV TELEMETRY_ENABLED true
 
+HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
+  CMD node healthcheck.js
+
 EXPOSE 8080
 EXPOSE 443
 

README.md

@@ -10,8 +10,7 @@
   <a href="https://infisical.com/">Infisical Cloud</a> |
   <a href="https://infisical.com/docs/self-hosting/overview">Self-Hosting</a> |
   <a href="https://infisical.com/docs/documentation/getting-started/introduction">Docs</a> |
-  <a href="https://www.infisical.com">Website</a> |
-  <a href="https://infisical.com/careers">Hiring (Remote/SF)</a>
+  <a href="https://www.infisical.com">Website</a>
 </h4>
 
 <p align="center">

backend/src/@types/fastify.d.ts

@@ -3,8 +3,6 @@ import "fastify";
 import { TUsers } from "@app/db/schemas";
 import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
-import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
-import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@@ -64,7 +62,7 @@ declare module "fastify" {
       authMethod: ActorAuthMethod;
       type: ActorType;
       id: string;
-      orgId: string;
+      orgId?: string;
     };
     // passport data
     passportUser: {
@@ -119,8 +117,6 @@ declare module "fastify" {
       trustedIp: TTrustedIpServiceFactory;
       secretBlindIndex: TSecretBlindIndexServiceFactory;
       telemetry: TTelemetryServiceFactory;
-      dynamicSecret: TDynamicSecretServiceFactory;
-      dynamicSecretLease: TDynamicSecretLeaseServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -17,12 +17,6 @@ import {
   TBackupPrivateKey,
   TBackupPrivateKeyInsert,
   TBackupPrivateKeyUpdate,
-  TDynamicSecretLeases,
-  TDynamicSecretLeasesInsert,
-  TDynamicSecretLeasesUpdate,
-  TDynamicSecrets,
-  TDynamicSecretsInsert,
-  TDynamicSecretsUpdate,
   TGitAppInstallSessions,
   TGitAppInstallSessionsInsert,
   TGitAppInstallSessionsUpdate,
@@ -346,12 +340,6 @@ declare module "knex/types/tables" {
       TSecretSnapshotFoldersInsert,
       TSecretSnapshotFoldersUpdate
     >;
-    [TableName.DynamicSecret]: Knex.CompositeTableType<TDynamicSecrets, TDynamicSecretsInsert, TDynamicSecretsUpdate>;
-    [TableName.DynamicSecretLease]: Knex.CompositeTableType<
-      TDynamicSecretLeases,
-      TDynamicSecretLeasesInsert,
-      TDynamicSecretLeasesUpdate
-    >;
     [TableName.SamlConfig]: Knex.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
     [TableName.LdapConfig]: Knex.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
     [TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;

backend/src/db/migrations/20240318164718_dynamic-secret.ts

@@ -1,58 +0,0 @@
-import { Knex } from "knex";
-
-import { SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesTableExist = await knex.schema.hasTable(TableName.DynamicSecret);
-  if (!doesTableExist) {
-    await knex.schema.createTable(TableName.DynamicSecret, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.integer("version").notNullable();
-      t.string("type").notNullable();
-      t.string("defaultTTL").notNullable();
-      t.string("maxTTL");
-      t.string("inputIV").notNullable();
-      t.text("inputCiphertext").notNullable();
-      t.string("inputTag").notNullable();
-      t.string("algorithm").notNullable().defaultTo(SecretEncryptionAlgo.AES_256_GCM);
-      t.string("keyEncoding").notNullable().defaultTo(SecretKeyEncoding.UTF8);
-      t.uuid("folderId").notNullable();
-      // for background process communication
-      t.string("status");
-      t.string("statusDetails");
-      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
-      t.unique(["name", "folderId"]);
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.DynamicSecret);
-
-  const doesTableDynamicSecretLease = await knex.schema.hasTable(TableName.DynamicSecretLease);
-  if (!doesTableDynamicSecretLease) {
-    await knex.schema.createTable(TableName.DynamicSecretLease, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("version").notNullable();
-      t.string("externalEntityId").notNullable();
-      t.datetime("expireAt").notNullable();
-      // for background process communication
-      t.string("status");
-      t.string("statusDetails");
-      t.uuid("dynamicSecretId").notNullable();
-      t.foreign("dynamicSecretId").references("id").inTable(TableName.DynamicSecret).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.DynamicSecretLease);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await dropOnUpdateTrigger(knex, TableName.DynamicSecretLease);
-  await knex.schema.dropTableIfExists(TableName.DynamicSecretLease);
-
-  await dropOnUpdateTrigger(knex, TableName.DynamicSecret);
-  await knex.schema.dropTableIfExists(TableName.DynamicSecret);
-}

backend/src/db/schemas/dynamic-secret-leases.ts

@@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const DynamicSecretLeasesSchema = z.object({
-  id: z.string().uuid(),
-  version: z.number(),
-  externalEntityId: z.string(),
-  expireAt: z.date(),
-  status: z.string().nullable().optional(),
-  statusDetails: z.string().nullable().optional(),
-  dynamicSecretId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TDynamicSecretLeases = z.infer<typeof DynamicSecretLeasesSchema>;
-export type TDynamicSecretLeasesInsert = Omit<z.input<typeof DynamicSecretLeasesSchema>, TImmutableDBKeys>;
-export type TDynamicSecretLeasesUpdate = Partial<Omit<z.input<typeof DynamicSecretLeasesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/dynamic-secrets.ts

@@ -1,31 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const DynamicSecretsSchema = z.object({
-  id: z.string().uuid(),
-  name: z.string(),
-  version: z.number(),
-  type: z.string(),
-  defaultTTL: z.string(),
-  maxTTL: z.string().nullable().optional(),
-  inputIV: z.string(),
-  inputCiphertext: z.string(),
-  inputTag: z.string(),
-  algorithm: z.string().default("aes-256-gcm"),
-  keyEncoding: z.string().default("utf8"),
-  folderId: z.string().uuid(),
-  status: z.string().nullable().optional(),
-  statusDetails: z.string().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;
-export type TDynamicSecretsInsert = Omit<z.input<typeof DynamicSecretsSchema>, TImmutableDBKeys>;
-export type TDynamicSecretsUpdate = Partial<Omit<z.input<typeof DynamicSecretsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/index.ts

@@ -3,8 +3,6 @@ export * from "./audit-logs";
 export * from "./auth-token-sessions";
 export * from "./auth-tokens";
 export * from "./backup-private-key";
-export * from "./dynamic-secret-leases";
-export * from "./dynamic-secrets";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
 export * from "./identities";

backend/src/db/schemas/models.ts

@@ -59,8 +59,6 @@ export enum TableName {
   GitAppOrg = "git_app_org",
   SecretScanningGitRisk = "secret_scanning_git_risks",
   TrustedIps = "trusted_ips",
-  DynamicSecret = "dynamic_secrets",
-  DynamicSecretLease = "dynamic_secret_leases",
   // junction tables with tags
   JnSecretTag = "secret_tag_junction",
   SecretVersionTag = "secret_version_tag_junction"

backend/src/ee/routes/v1/dynamic-secret-lease-router.ts

@@ -1,184 +0,0 @@
-import ms from "ms";
-import { z } from "zod";
-
-import { DynamicSecretLeasesSchema } from "@app/db/schemas";
-import { DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
-import { daysToMillisecond } from "@app/lib/dates";
-import { removeTrailingSlash } from "@app/lib/fn";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    url: "/",
-    method: "POST",
-    schema: {
-      body: z.object({
-        dynamicSecretName: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.dynamicSecretName).toLowerCase(),
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.projectSlug),
-        ttl: z
-          .string()
-          .optional()
-          .describe(DYNAMIC_SECRET_LEASES.CREATE.ttl)
-          .superRefine((val, ctx) => {
-            if (!val) return;
-            const valMs = ms(val);
-            if (valMs < 60 * 1000)
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
-            if (valMs > daysToMillisecond(1))
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
-          }),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRET_LEASES.CREATE.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.path)
-      }),
-      response: {
-        200: z.object({
-          lease: DynamicSecretLeasesSchema,
-          dynamicSecret: SanitizedDynamicSecretSchema,
-          data: z.unknown()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { data, lease, dynamicSecret } = await server.services.dynamicSecretLease.create({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        name: req.body.dynamicSecretName,
-        ...req.body
-      });
-      return { lease, data, dynamicSecret };
-    }
-  });
-
-  server.route({
-    url: "/:leaseId",
-    method: "DELETE",
-    schema: {
-      params: z.object({
-        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.leaseId)
-      }),
-      body: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.projectSlug),
-        path: z
-          .string()
-          .min(1)
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(DYNAMIC_SECRET_LEASES.DELETE.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.environmentSlug),
-        isForced: z.boolean().default(false).describe(DYNAMIC_SECRET_LEASES.DELETE.isForced)
-      }),
-      response: {
-        200: z.object({
-          lease: DynamicSecretLeasesSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const lease = await server.services.dynamicSecretLease.revokeLease({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        leaseId: req.params.leaseId,
-        ...req.body
-      });
-      return { lease };
-    }
-  });
-
-  server.route({
-    url: "/:leaseId/renew",
-    method: "POST",
-    schema: {
-      params: z.object({
-        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.leaseId)
-      }),
-      body: z.object({
-        ttl: z
-          .string()
-          .describe(DYNAMIC_SECRET_LEASES.RENEW.ttl)
-          .optional()
-          .superRefine((val, ctx) => {
-            if (!val) return;
-            const valMs = ms(val);
-            if (valMs < 60 * 1000)
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
-            if (valMs > daysToMillisecond(1))
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
-          }),
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.projectSlug),
-        path: z
-          .string()
-          .min(1)
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(DYNAMIC_SECRET_LEASES.RENEW.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.ttl)
-      }),
-      response: {
-        200: z.object({
-          lease: DynamicSecretLeasesSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const lease = await server.services.dynamicSecretLease.renewLease({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        leaseId: req.params.leaseId,
-        ...req.body
-      });
-      return { lease };
-    }
-  });
-
-  server.route({
-    url: "/:leaseId",
-    method: "GET",
-    schema: {
-      params: z.object({
-        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.leaseId)
-      }),
-      querystring: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.projectSlug),
-        path: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.environmentSlug)
-      }),
-      response: {
-        200: z.object({
-          lease: DynamicSecretLeasesSchema.extend({
-            dynamicSecret: SanitizedDynamicSecretSchema
-          })
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const lease = await server.services.dynamicSecretLease.getLeaseDetails({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        leaseId: req.params.leaseId,
-        ...req.query
-      });
-      return { lease };
-    }
-  });
-};

backend/src/ee/routes/v1/dynamic-secret-router.ts

@@ -1,271 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import ms from "ms";
-import { z } from "zod";
-
-import { DynamicSecretLeasesSchema } from "@app/db/schemas";
-import { DynamicSecretProviderSchema } from "@app/ee/services/dynamic-secret/providers/models";
-import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
-import { daysToMillisecond } from "@app/lib/dates";
-import { removeTrailingSlash } from "@app/lib/fn";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-export const registerDynamicSecretRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    url: "/",
-    method: "POST",
-    schema: {
-      body: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.CREATE.projectSlug),
-        provider: DynamicSecretProviderSchema.describe(DYNAMIC_SECRETS.CREATE.provider),
-        defaultTTL: z
-          .string()
-          .describe(DYNAMIC_SECRETS.CREATE.defaultTTL)
-          .superRefine((val, ctx) => {
-            const valMs = ms(val);
-            if (valMs < 60 * 1000)
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
-            if (valMs > daysToMillisecond(1))
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
-          }),
-        maxTTL: z
-          .string()
-          .describe(DYNAMIC_SECRETS.CREATE.maxTTL)
-          .optional()
-          .superRefine((val, ctx) => {
-            if (!val) return;
-            const valMs = ms(val);
-            if (valMs < 60 * 1000)
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
-            if (valMs > daysToMillisecond(1))
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
-          })
-          .nullable(),
-        path: z.string().describe(DYNAMIC_SECRETS.CREATE.path).trim().default("/").transform(removeTrailingSlash),
-        environmentSlug: z.string().describe(DYNAMIC_SECRETS.CREATE.environmentSlug).min(1),
-        name: z
-          .string()
-          .describe(DYNAMIC_SECRETS.CREATE.name)
-          .min(1)
-          .toLowerCase()
-          .max(64)
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid"
-          })
-      }),
-      response: {
-        200: z.object({
-          dynamicSecret: SanitizedDynamicSecretSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const dynamicSecretCfg = await server.services.dynamicSecret.create({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body
-      });
-      return { dynamicSecret: dynamicSecretCfg };
-    }
-  });
-
-  server.route({
-    url: "/:name",
-    method: "PATCH",
-    schema: {
-      params: z.object({
-        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.UPDATE.name)
-      }),
-      body: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.UPDATE.projectSlug),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.UPDATE.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.UPDATE.environmentSlug),
-        data: z.object({
-          inputs: z.any().optional().describe(DYNAMIC_SECRETS.UPDATE.inputs),
-          defaultTTL: z
-            .string()
-            .describe(DYNAMIC_SECRETS.UPDATE.defaultTTL)
-            .optional()
-            .superRefine((val, ctx) => {
-              if (!val) return;
-              const valMs = ms(val);
-              if (valMs < 60 * 1000)
-                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
-              if (valMs > daysToMillisecond(1))
-                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
-            }),
-          maxTTL: z
-            .string()
-            .describe(DYNAMIC_SECRETS.UPDATE.maxTTL)
-            .optional()
-            .superRefine((val, ctx) => {
-              if (!val) return;
-              const valMs = ms(val);
-              if (valMs < 60 * 1000)
-                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
-              if (valMs > daysToMillisecond(1))
-                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
-            })
-            .nullable(),
-          newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional()
-        })
-      }),
-      response: {
-        200: z.object({
-          dynamicSecret: SanitizedDynamicSecretSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const dynamicSecretCfg = await server.services.dynamicSecret.updateByName({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        name: req.params.name,
-        path: req.body.path,
-        projectSlug: req.body.projectSlug,
-        environmentSlug: req.body.environmentSlug,
-        ...req.body.data
-      });
-      return { dynamicSecret: dynamicSecretCfg };
-    }
-  });
-
-  server.route({
-    url: "/:name",
-    method: "DELETE",
-    schema: {
-      params: z.object({
-        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.DELETE.name)
-      }),
-      body: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.DELETE.projectSlug),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.DELETE.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.DELETE.environmentSlug),
-        isForced: z.boolean().default(false).describe(DYNAMIC_SECRETS.DELETE.isForced)
-      }),
-      response: {
-        200: z.object({
-          dynamicSecret: SanitizedDynamicSecretSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const dynamicSecretCfg = await server.services.dynamicSecret.deleteByName({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        name: req.params.name,
-        ...req.body
-      });
-      return { dynamicSecret: dynamicSecretCfg };
-    }
-  });
-
-  server.route({
-    url: "/:name",
-    method: "GET",
-    schema: {
-      params: z.object({
-        name: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.name)
-      }),
-      querystring: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.projectSlug),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.GET_BY_NAME.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.environmentSlug)
-      }),
-      response: {
-        200: z.object({
-          dynamicSecret: SanitizedDynamicSecretSchema.extend({
-            inputs: z.unknown()
-          })
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const dynamicSecretCfg = await server.services.dynamicSecret.getDetails({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        name: req.params.name,
-        ...req.query
-      });
-      return { dynamicSecret: dynamicSecretCfg };
-    }
-  });
-
-  server.route({
-    url: "/",
-    method: "GET",
-    schema: {
-      querystring: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.projectSlug),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.LIST.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.environmentSlug)
-      }),
-      response: {
-        200: z.object({
-          dynamicSecrets: SanitizedDynamicSecretSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const dynamicSecretCfgs = await server.services.dynamicSecret.list({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.query
-      });
-      return { dynamicSecrets: dynamicSecretCfgs };
-    }
-  });
-
-  server.route({
-    url: "/:name/leases",
-    method: "GET",
-    schema: {
-      params: z.object({
-        name: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.name)
-      }),
-      querystring: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.projectSlug),
-        path: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.environmentSlug)
-      }),
-      response: {
-        200: z.object({
-          leases: DynamicSecretLeasesSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const leases = await server.services.dynamicSecretLease.listLeases({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        name: req.params.name,
-        ...req.query
-      });
-      return { leases };
-    }
-  });
-};

backend/src/ee/routes/v1/index.ts

@@ -1,5 +1,3 @@
-import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
-import { registerDynamicSecretRouter } from "./dynamic-secret-router";
 import { registerLdapRouter } from "./ldap-router";
 import { registerLicenseRouter } from "./license-router";
 import { registerOrgRoleRouter } from "./org-role-router";
@@ -36,15 +34,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerSecretRotationProviderRouter, {
     prefix: "/secret-rotation-providers"
   });
-
-  await server.register(
-    async (dynamicSecretRouter) => {
-      await dynamicSecretRouter.register(registerDynamicSecretRouter);
-      await dynamicSecretRouter.register(registerDynamicSecretLeaseRouter, { prefix: "/leases" });
-    },
-    { prefix: "/dynamic-secrets" }
-  );
-
   await server.register(registerSamlRouter, { prefix: "/sso" });
   await server.register(registerScimRouter, { prefix: "/scim" });
   await server.register(registerLdapRouter, { prefix: "/ldap" });

backend/src/ee/routes/v1/org-role-router.ts

@@ -19,7 +19,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
           .min(1)
           .trim()
           .refine(
-            (val) => !Object.keys(OrgMembershipRole).includes(val),
+            (val) => Object.keys(OrgMembershipRole).includes(val),
             "Please choose a different slug, the slug you have entered is reserved"
           )
           .refine((v) => slugify(v) === v, {

backend/src/ee/routes/v1/project-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { AuditLogsSchema, SecretSnapshotsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
-import { AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -20,13 +19,13 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.GET_SNAPSHOTS.workspaceId)
+        workspaceId: z.string().trim()
       }),
       querystring: z.object({
-        environment: z.string().trim().describe(PROJECTS.GET_SNAPSHOTS.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(PROJECTS.GET_SNAPSHOTS.path),
-        offset: z.coerce.number().default(0).describe(PROJECTS.GET_SNAPSHOTS.offset),
-        limit: z.coerce.number().default(20).describe(PROJECTS.GET_SNAPSHOTS.limit)
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        offset: z.coerce.number().default(0),
+        limit: z.coerce.number().default(20)
       }),
       response: {
         200: z.object({
@@ -92,16 +91,16 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.workspaceId)
+        workspaceId: z.string().trim()
       }),
       querystring: z.object({
-        eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
-        userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
-        startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
-        endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
-        offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
-        limit: z.coerce.number().default(20).describe(AUDIT_LOGS.EXPORT.limit),
-        actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
+        eventType: z.nativeEnum(EventType).optional(),
+        userAgentType: z.nativeEnum(UserAgentType).optional(),
+        startDate: z.string().datetime().optional(),
+        endDate: z.string().datetime().optional(),
+        offset: z.coerce.number().default(0),
+        limit: z.coerce.number().default(20),
+        actor: z.string().optional()
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/scim-router.ts

@@ -146,7 +146,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
         offset: req.query.startIndex,
         limit: req.query.count,
         filter: req.query.filter,
-        orgId: req.permission.orgId
+        orgId: req.permission.orgId as string
       });
       return users;
     }
@@ -184,7 +184,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     handler: async (req) => {
       const user = await req.server.services.scim.getScimUser({
         userId: req.params.userId,
-        orgId: req.permission.orgId
+        orgId: req.permission.orgId as string
       });
       return user;
     }
@@ -243,7 +243,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
         email: primaryEmail,
         firstName: req.body.name.givenName,
         lastName: req.body.name.familyName,
-        orgId: req.permission.orgId
+        orgId: req.permission.orgId as string
       });
 
       return user;
@@ -280,7 +280,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     handler: async (req) => {
       const user = await req.server.services.scim.updateScimUser({
         userId: req.params.userId,
-        orgId: req.permission.orgId,
+        orgId: req.permission.orgId as string,
         operations: req.body.Operations
       });
       return user;
@@ -330,7 +330,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     handler: async (req) => {
       const user = await req.server.services.scim.replaceScimUser({
         userId: req.params.userId,
-        orgId: req.permission.orgId,
+        orgId: req.permission.orgId as string,
         active: req.body.active
       });
       return user;

backend/src/ee/routes/v1/snapshot-router.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { SecretSnapshotsSchema, SecretTagsSchema, SecretVersionsSchema } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -67,7 +66,7 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretSnapshotId: z.string().trim().describe(PROJECTS.ROLLBACK_TO_SNAPSHOT.secretSnapshotId)
+        secretSnapshotId: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal.ts

@@ -1,80 +0,0 @@
-import { Knex } from "knex";
-
-import { TDbClient } from "@app/db";
-import { DynamicSecretLeasesSchema, TableName } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
-
-export type TDynamicSecretLeaseDALFactory = ReturnType<typeof dynamicSecretLeaseDALFactory>;
-
-export const dynamicSecretLeaseDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.DynamicSecretLease);
-
-  const countLeasesForDynamicSecret = async (dynamicSecretId: string, tx?: Knex) => {
-    try {
-      const doc = await (tx || db)(TableName.DynamicSecretLease).count("*").where({ dynamicSecretId }).first();
-      return parseInt(doc || "0", 10);
-    } catch (error) {
-      throw new DatabaseError({ error, name: "DynamicSecretCountLeases" });
-    }
-  };
-
-  const findById = async (id: string, tx?: Knex) => {
-    try {
-      const doc = await (tx || db)(TableName.DynamicSecretLease)
-        .where({ [`${TableName.DynamicSecretLease}.id` as "id"]: id })
-        .first()
-        .join(
-          TableName.DynamicSecret,
-          `${TableName.DynamicSecretLease}.dynamicSecretId`,
-          `${TableName.DynamicSecret}.id`
-        )
-        .select(selectAllTableCols(TableName.DynamicSecretLease))
-        .select(
-          db.ref("id").withSchema(TableName.DynamicSecret).as("dynId"),
-          db.ref("name").withSchema(TableName.DynamicSecret).as("dynName"),
-          db.ref("version").withSchema(TableName.DynamicSecret).as("dynVersion"),
-          db.ref("type").withSchema(TableName.DynamicSecret).as("dynType"),
-          db.ref("defaultTTL").withSchema(TableName.DynamicSecret).as("dynDefaultTTL"),
-          db.ref("maxTTL").withSchema(TableName.DynamicSecret).as("dynMaxTTL"),
-          db.ref("inputIV").withSchema(TableName.DynamicSecret).as("dynInputIV"),
-          db.ref("inputTag").withSchema(TableName.DynamicSecret).as("dynInputTag"),
-          db.ref("inputCiphertext").withSchema(TableName.DynamicSecret).as("dynInputCiphertext"),
-          db.ref("algorithm").withSchema(TableName.DynamicSecret).as("dynAlgorithm"),
-          db.ref("keyEncoding").withSchema(TableName.DynamicSecret).as("dynKeyEncoding"),
-          db.ref("folderId").withSchema(TableName.DynamicSecret).as("dynFolderId"),
-          db.ref("status").withSchema(TableName.DynamicSecret).as("dynStatus"),
-          db.ref("statusDetails").withSchema(TableName.DynamicSecret).as("dynStatusDetails"),
-          db.ref("createdAt").withSchema(TableName.DynamicSecret).as("dynCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.DynamicSecret).as("dynUpdatedAt")
-        );
-      if (!doc) return;
-
-      return {
-        ...DynamicSecretLeasesSchema.parse(doc),
-        dynamicSecret: {
-          id: doc.dynId,
-          name: doc.dynName,
-          version: doc.dynVersion,
-          type: doc.dynType,
-          defaultTTL: doc.dynDefaultTTL,
-          maxTTL: doc.dynMaxTTL,
-          inputIV: doc.dynInputIV,
-          inputTag: doc.dynInputTag,
-          inputCiphertext: doc.dynInputCiphertext,
-          algorithm: doc.dynAlgorithm,
-          keyEncoding: doc.dynKeyEncoding,
-          folderId: doc.dynFolderId,
-          status: doc.dynStatus,
-          statusDetails: doc.dynStatusDetails,
-          createdAt: doc.dynCreatedAt,
-          updatedAt: doc.dynUpdatedAt
-        }
-      };
-    } catch (error) {
-      throw new DatabaseError({ error, name: "DynamicSecretLeaseFindById" });
-    }
-  };
-
-  return { ...orm, findById, countLeasesForDynamicSecret };
-};

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue.ts

@@ -1,159 +0,0 @@
-import { SecretKeyEncoding } from "@app/db/schemas";
-import { DisableRotationErrors } from "@app/ee/services/secret-rotation/secret-rotation-queue";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { logger } from "@app/lib/logger";
-import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
-
-import { TDynamicSecretDALFactory } from "../dynamic-secret/dynamic-secret-dal";
-import { DynamicSecretStatus } from "../dynamic-secret/dynamic-secret-types";
-import { DynamicSecretProviders, TDynamicProviderFns } from "../dynamic-secret/providers/models";
-import { TDynamicSecretLeaseDALFactory } from "./dynamic-secret-lease-dal";
-
-type TDynamicSecretLeaseQueueServiceFactoryDep = {
-  queueService: TQueueServiceFactory;
-  dynamicSecretLeaseDAL: Pick<TDynamicSecretLeaseDALFactory, "findById" | "deleteById" | "find" | "updateById">;
-  dynamicSecretDAL: Pick<TDynamicSecretDALFactory, "findById" | "deleteById" | "updateById">;
-  dynamicSecretProviders: Record<DynamicSecretProviders, TDynamicProviderFns>;
-};
-
-export type TDynamicSecretLeaseQueueServiceFactory = ReturnType<typeof dynamicSecretLeaseQueueServiceFactory>;
-
-export const dynamicSecretLeaseQueueServiceFactory = ({
-  queueService,
-  dynamicSecretDAL,
-  dynamicSecretProviders,
-  dynamicSecretLeaseDAL
-}: TDynamicSecretLeaseQueueServiceFactoryDep) => {
-  const pruneDynamicSecret = async (dynamicSecretCfgId: string) => {
-    await queueService.queue(
-      QueueName.DynamicSecretRevocation,
-      QueueJobs.DynamicSecretPruning,
-      { dynamicSecretCfgId },
-      {
-        jobId: dynamicSecretCfgId,
-        backoff: {
-          type: "exponential",
-          delay: 3000
-        },
-        removeOnFail: {
-          count: 3
-        },
-        removeOnComplete: true
-      }
-    );
-  };
-
-  const setLeaseRevocation = async (leaseId: string, expiry: number) => {
-    await queueService.queue(
-      QueueName.DynamicSecretRevocation,
-      QueueJobs.DynamicSecretRevocation,
-      { leaseId },
-      {
-        jobId: leaseId,
-        backoff: {
-          type: "exponential",
-          delay: 3000
-        },
-        delay: expiry,
-        removeOnFail: {
-          count: 3
-        },
-        removeOnComplete: true
-      }
-    );
-  };
-
-  const unsetLeaseRevocation = async (leaseId: string) => {
-    await queueService.stopJobById(QueueName.DynamicSecretRevocation, leaseId);
-  };
-
-  queueService.start(QueueName.DynamicSecretRevocation, async (job) => {
-    try {
-      if (job.name === QueueJobs.DynamicSecretRevocation) {
-        const { leaseId } = job.data as { leaseId: string };
-        logger.info("Dynamic secret lease revocation started: ", leaseId, job.id);
-
-        const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-        if (!dynamicSecretLease) throw new DisableRotationErrors({ message: "Dynamic secret lease not found" });
-
-        const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
-        const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-        const decryptedStoredInput = JSON.parse(
-          infisicalSymmetricDecrypt({
-            keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
-            ciphertext: dynamicSecretCfg.inputCiphertext,
-            tag: dynamicSecretCfg.inputTag,
-            iv: dynamicSecretCfg.inputIV
-          })
-        ) as object;
-
-        await selectedProvider.revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId);
-        await dynamicSecretLeaseDAL.deleteById(dynamicSecretLease.id);
-        return;
-      }
-
-      if (job.name === QueueJobs.DynamicSecretPruning) {
-        const { dynamicSecretCfgId } = job.data as { dynamicSecretCfgId: string };
-        logger.info("Dynamic secret pruning started: ", dynamicSecretCfgId, job.id);
-        const dynamicSecretCfg = await dynamicSecretDAL.findById(dynamicSecretCfgId);
-        if (!dynamicSecretCfg) throw new DisableRotationErrors({ message: "Dynamic secret not found" });
-        if ((dynamicSecretCfg.status as DynamicSecretStatus) !== DynamicSecretStatus.Deleting)
-          throw new DisableRotationErrors({ message: "Document not deleted" });
-
-        const dynamicSecretLeases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfgId });
-        if (dynamicSecretLeases.length) {
-          const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-          const decryptedStoredInput = JSON.parse(
-            infisicalSymmetricDecrypt({
-              keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
-              ciphertext: dynamicSecretCfg.inputCiphertext,
-              tag: dynamicSecretCfg.inputTag,
-              iv: dynamicSecretCfg.inputIV
-            })
-          ) as object;
-
-          await Promise.all(dynamicSecretLeases.map(({ id }) => unsetLeaseRevocation(id)));
-          await Promise.all(
-            dynamicSecretLeases.map(({ externalEntityId }) =>
-              selectedProvider.revoke(decryptedStoredInput, externalEntityId)
-            )
-          );
-        }
-
-        await dynamicSecretDAL.deleteById(dynamicSecretCfgId);
-      }
-      logger.info("Finished dynamic secret job", job.id);
-    } catch (error) {
-      logger.error(error);
-
-      if (job?.name === QueueJobs.DynamicSecretPruning) {
-        const { dynamicSecretCfgId } = job.data as { dynamicSecretCfgId: string };
-        await dynamicSecretDAL.updateById(dynamicSecretCfgId, {
-          status: DynamicSecretStatus.FailedDeletion,
-          statusDetails: (error as Error)?.message?.slice(0, 255)
-        });
-      }
-
-      if (job?.name === QueueJobs.DynamicSecretRevocation) {
-        const { leaseId } = job.data as { leaseId: string };
-        await dynamicSecretLeaseDAL.updateById(leaseId, {
-          status: DynamicSecretStatus.FailedDeletion,
-          statusDetails: (error as Error)?.message?.slice(0, 255)
-        });
-      }
-      if (error instanceof DisableRotationErrors) {
-        if (job.id) {
-          await queueService.stopRepeatableJobByJobId(QueueName.DynamicSecretRevocation, job.id);
-        }
-      }
-      // propogate to next part
-      throw error;
-    }
-  });
-
-  return {
-    pruneDynamicSecret,
-    setLeaseRevocation,
-    unsetLeaseRevocation
-  };
-};

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,343 +0,0 @@
-import { ForbiddenError, subject } from "@casl/ability";
-import ms from "ms";
-
-import { SecretKeyEncoding } from "@app/db/schemas";
-import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { getConfig } from "@app/lib/config/env";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
-import { logger } from "@app/lib/logger";
-import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
-
-import { TDynamicSecretDALFactory } from "../dynamic-secret/dynamic-secret-dal";
-import { DynamicSecretProviders, TDynamicProviderFns } from "../dynamic-secret/providers/models";
-import { TDynamicSecretLeaseDALFactory } from "./dynamic-secret-lease-dal";
-import { TDynamicSecretLeaseQueueServiceFactory } from "./dynamic-secret-lease-queue";
-import {
-  DynamicSecretLeaseStatus,
-  TCreateDynamicSecretLeaseDTO,
-  TDeleteDynamicSecretLeaseDTO,
-  TDetailsDynamicSecretLeaseDTO,
-  TListDynamicSecretLeasesDTO,
-  TRenewDynamicSecretLeaseDTO
-} from "./dynamic-secret-lease-types";
-
-type TDynamicSecretLeaseServiceFactoryDep = {
-  dynamicSecretLeaseDAL: TDynamicSecretLeaseDALFactory;
-  dynamicSecretDAL: Pick<TDynamicSecretDALFactory, "findOne">;
-  dynamicSecretProviders: Record<DynamicSecretProviders, TDynamicProviderFns>;
-  dynamicSecretQueueService: TDynamicSecretLeaseQueueServiceFactory;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
-};
-
-export type TDynamicSecretLeaseServiceFactory = ReturnType<typeof dynamicSecretLeaseServiceFactory>;
-
-export const dynamicSecretLeaseServiceFactory = ({
-  dynamicSecretLeaseDAL,
-  dynamicSecretProviders,
-  dynamicSecretDAL,
-  folderDAL,
-  permissionService,
-  dynamicSecretQueueService,
-  projectDAL,
-  licenseService
-}: TDynamicSecretLeaseServiceFactoryDep) => {
-  const create = async ({
-    environmentSlug,
-    path,
-    name,
-    projectSlug,
-    actor,
-    actorId,
-    actorOrgId,
-    actorAuthMethod,
-    ttl
-  }: TCreateDynamicSecretLeaseDTO) => {
-    const appCfg = getConfig();
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan?.dynamicSecret) {
-      throw new BadRequestError({
-        message: "Failed to create lease due to plan restriction. Upgrade plan to create dynamic secret."
-      });
-    }
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
-
-    const totalLeasesTaken = await dynamicSecretLeaseDAL.countLeasesForDynamicSecret(dynamicSecretCfg.id);
-    if (totalLeasesTaken >= appCfg.MAX_LEASE_LIMIT)
-      throw new BadRequestError({ message: `Max lease limit reached. Limit: ${appCfg.MAX_LEASE_LIMIT}` });
-
-    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-    const decryptedStoredInput = JSON.parse(
-      infisicalSymmetricDecrypt({
-        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
-        ciphertext: dynamicSecretCfg.inputCiphertext,
-        tag: dynamicSecretCfg.inputTag,
-        iv: dynamicSecretCfg.inputIV
-      })
-    ) as object;
-
-    const selectedTTL = ttl ?? dynamicSecretCfg.defaultTTL;
-    const { maxTTL } = dynamicSecretCfg;
-    const expireAt = new Date(new Date().getTime() + ms(selectedTTL));
-    if (maxTTL) {
-      const maxExpiryDate = new Date(new Date().getTime() + ms(maxTTL));
-      if (expireAt > maxExpiryDate) throw new BadRequestError({ message: "TTL cannot be larger than max TTL" });
-    }
-
-    const { entityId, data } = await selectedProvider.create(decryptedStoredInput, expireAt.getTime());
-    const dynamicSecretLease = await dynamicSecretLeaseDAL.create({
-      expireAt,
-      version: 1,
-      dynamicSecretId: dynamicSecretCfg.id,
-      externalEntityId: entityId
-    });
-    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, Number(expireAt) - Number(new Date()));
-    return { lease: dynamicSecretLease, dynamicSecret: dynamicSecretCfg, data };
-  };
-
-  const renewLease = async ({
-    ttl,
-    actorAuthMethod,
-    actorOrgId,
-    actorId,
-    actor,
-    projectSlug,
-    path,
-    environmentSlug,
-    leaseId
-  }: TRenewDynamicSecretLeaseDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan?.dynamicSecret) {
-      throw new BadRequestError({
-        message: "Failed to renew lease due to plan restriction. Upgrade plan to create dynamic secret."
-      });
-    }
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
-
-    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
-    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-    const decryptedStoredInput = JSON.parse(
-      infisicalSymmetricDecrypt({
-        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
-        ciphertext: dynamicSecretCfg.inputCiphertext,
-        tag: dynamicSecretCfg.inputTag,
-        iv: dynamicSecretCfg.inputIV
-      })
-    ) as object;
-
-    const selectedTTL = ttl ?? dynamicSecretCfg.defaultTTL;
-    const { maxTTL } = dynamicSecretCfg;
-    const expireAt = new Date(dynamicSecretLease.expireAt.getTime() + ms(selectedTTL));
-    if (maxTTL) {
-      const maxExpiryDate = new Date(dynamicSecretLease.createdAt.getTime() + ms(maxTTL));
-      if (expireAt > maxExpiryDate) throw new BadRequestError({ message: "TTL cannot be larger than max ttl" });
-    }
-
-    const { entityId } = await selectedProvider.renew(
-      decryptedStoredInput,
-      dynamicSecretLease.externalEntityId,
-      expireAt.getTime()
-    );
-
-    await dynamicSecretQueueService.unsetLeaseRevocation(dynamicSecretLease.id);
-    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, Number(expireAt) - Number(new Date()));
-    const updatedDynamicSecretLease = await dynamicSecretLeaseDAL.updateById(dynamicSecretLease.id, {
-      expireAt,
-      externalEntityId: entityId
-    });
-    return updatedDynamicSecretLease;
-  };
-
-  const revokeLease = async ({
-    leaseId,
-    environmentSlug,
-    path,
-    projectSlug,
-    actor,
-    actorId,
-    actorOrgId,
-    actorAuthMethod,
-    isForced
-  }: TDeleteDynamicSecretLeaseDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
-
-    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
-    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-    const decryptedStoredInput = JSON.parse(
-      infisicalSymmetricDecrypt({
-        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
-        ciphertext: dynamicSecretCfg.inputCiphertext,
-        tag: dynamicSecretCfg.inputTag,
-        iv: dynamicSecretCfg.inputIV
-      })
-    ) as object;
-
-    const revokeResponse = await selectedProvider
-      .revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId)
-      .catch(async (err) => {
-        // only propogate this error if forced is false
-        if (!isForced) return { error: err as Error };
-      });
-
-    if ((revokeResponse as { error?: Error })?.error) {
-      const { error } = revokeResponse as { error?: Error };
-      logger.error("Failed to revoke lease", { error: error?.message });
-      const deletedDynamicSecretLease = await dynamicSecretLeaseDAL.updateById(dynamicSecretLease.id, {
-        status: DynamicSecretLeaseStatus.FailedDeletion,
-        statusDetails: error?.message?.slice(0, 255)
-      });
-      return deletedDynamicSecretLease;
-    }
-
-    await dynamicSecretQueueService.unsetLeaseRevocation(dynamicSecretLease.id);
-    const deletedDynamicSecretLease = await dynamicSecretLeaseDAL.deleteById(dynamicSecretLease.id);
-    return deletedDynamicSecretLease;
-  };
-
-  const listLeases = async ({
-    path,
-    name,
-    actor,
-    actorId,
-    projectSlug,
-    actorOrgId,
-    environmentSlug,
-    actorAuthMethod
-  }: TListDynamicSecretLeasesDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
-
-    const dynamicSecretLeases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
-    return dynamicSecretLeases;
-  };
-
-  const getLeaseDetails = async ({
-    projectSlug,
-    actorOrgId,
-    path,
-    environmentSlug,
-    actor,
-    actorId,
-    leaseId,
-    actorAuthMethod
-  }: TDetailsDynamicSecretLeaseDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
-
-    return dynamicSecretLease;
-  };
-
-  return {
-    create,
-    listLeases,
-    revokeLease,
-    renewLease,
-    getLeaseDetails
-  };
-};

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-types.ts

@@ -1,43 +0,0 @@
-import { TProjectPermission } from "@app/lib/types";
-
-export enum DynamicSecretLeaseStatus {
-  FailedDeletion = "Failed to delete"
-}
-
-export type TCreateDynamicSecretLeaseDTO = {
-  name: string;
-  path: string;
-  environmentSlug: string;
-  ttl?: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TDetailsDynamicSecretLeaseDTO = {
-  leaseId: string;
-  path: string;
-  environmentSlug: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TListDynamicSecretLeasesDTO = {
-  name: string;
-  path: string;
-  environmentSlug: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TDeleteDynamicSecretLeaseDTO = {
-  leaseId: string;
-  path: string;
-  environmentSlug: string;
-  projectSlug: string;
-  isForced?: boolean;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TRenewDynamicSecretLeaseDTO = {
-  leaseId: string;
-  path: string;
-  environmentSlug: string;
-  ttl?: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;

backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TDynamicSecretDALFactory = ReturnType<typeof dynamicSecretDALFactory>;
-
-export const dynamicSecretDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.DynamicSecret);
-  return orm;
-};

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -1,341 +0,0 @@
-import { ForbiddenError, subject } from "@casl/ability";
-
-import { SecretKeyEncoding } from "@app/db/schemas";
-import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
-import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
-
-import { TDynamicSecretLeaseDALFactory } from "../dynamic-secret-lease/dynamic-secret-lease-dal";
-import { TDynamicSecretLeaseQueueServiceFactory } from "../dynamic-secret-lease/dynamic-secret-lease-queue";
-import { TDynamicSecretDALFactory } from "./dynamic-secret-dal";
-import {
-  DynamicSecretStatus,
-  TCreateDynamicSecretDTO,
-  TDeleteDynamicSecretDTO,
-  TDetailsDynamicSecretDTO,
-  TListDynamicSecretsDTO,
-  TUpdateDynamicSecretDTO
-} from "./dynamic-secret-types";
-import { DynamicSecretProviders, TDynamicProviderFns } from "./providers/models";
-
-type TDynamicSecretServiceFactoryDep = {
-  dynamicSecretDAL: TDynamicSecretDALFactory;
-  dynamicSecretLeaseDAL: Pick<TDynamicSecretLeaseDALFactory, "find">;
-  dynamicSecretProviders: Record<DynamicSecretProviders, TDynamicProviderFns>;
-  dynamicSecretQueueService: Pick<
-    TDynamicSecretLeaseQueueServiceFactory,
-    "pruneDynamicSecret" | "unsetLeaseRevocation"
-  >;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-};
-
-export type TDynamicSecretServiceFactory = ReturnType<typeof dynamicSecretServiceFactory>;
-
-export const dynamicSecretServiceFactory = ({
-  dynamicSecretDAL,
-  dynamicSecretLeaseDAL,
-  licenseService,
-  folderDAL,
-  dynamicSecretProviders,
-  permissionService,
-  dynamicSecretQueueService,
-  projectDAL
-}: TDynamicSecretServiceFactoryDep) => {
-  const create = async ({
-    path,
-    actor,
-    name,
-    actorId,
-    maxTTL,
-    provider,
-    environmentSlug,
-    projectSlug,
-    actorOrgId,
-    defaultTTL,
-    actorAuthMethod
-  }: TCreateDynamicSecretDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan?.dynamicSecret) {
-      throw new BadRequestError({
-        message: "Failed to create dynamic secret due to plan restriction. Upgrade plan to create dynamic secret."
-      });
-    }
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const existingDynamicSecret = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (existingDynamicSecret)
-      throw new BadRequestError({ message: "Provided dynamic secret already exist under the folder" });
-
-    const selectedProvider = dynamicSecretProviders[provider.type];
-    const inputs = await selectedProvider.validateProviderInputs(provider.inputs);
-
-    const isConnected = await selectedProvider.validateConnection(provider.inputs);
-    if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });
-
-    const encryptedInput = infisicalSymmetricEncypt(JSON.stringify(inputs));
-    const dynamicSecretCfg = await dynamicSecretDAL.create({
-      type: provider.type,
-      version: 1,
-      inputIV: encryptedInput.iv,
-      inputTag: encryptedInput.tag,
-      inputCiphertext: encryptedInput.ciphertext,
-      algorithm: encryptedInput.algorithm,
-      keyEncoding: encryptedInput.encoding,
-      maxTTL,
-      defaultTTL,
-      folderId: folder.id,
-      name
-    });
-    return dynamicSecretCfg;
-  };
-
-  const updateByName = async ({
-    name,
-    maxTTL,
-    defaultTTL,
-    inputs,
-    environmentSlug,
-    projectSlug,
-    path,
-    actor,
-    actorId,
-    newName,
-    actorOrgId,
-    actorAuthMethod
-  }: TUpdateDynamicSecretDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan?.dynamicSecret) {
-      throw new BadRequestError({
-        message: "Failed to update dynamic secret due to plan restriction. Upgrade plan to create dynamic secret."
-      });
-    }
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
-
-    if (newName) {
-      const existingDynamicSecret = await dynamicSecretDAL.findOne({ name: newName, folderId: folder.id });
-      if (existingDynamicSecret)
-        throw new BadRequestError({ message: "Provided dynamic secret already exist under the folder" });
-    }
-
-    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-    const decryptedStoredInput = JSON.parse(
-      infisicalSymmetricDecrypt({
-        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
-        ciphertext: dynamicSecretCfg.inputCiphertext,
-        tag: dynamicSecretCfg.inputTag,
-        iv: dynamicSecretCfg.inputIV
-      })
-    ) as object;
-    const newInput = { ...decryptedStoredInput, ...(inputs || {}) };
-    const updatedInput = await selectedProvider.validateProviderInputs(newInput);
-
-    const isConnected = await selectedProvider.validateConnection(newInput);
-    if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });
-
-    const encryptedInput = infisicalSymmetricEncypt(JSON.stringify(updatedInput));
-    const updatedDynamicCfg = await dynamicSecretDAL.updateById(dynamicSecretCfg.id, {
-      inputIV: encryptedInput.iv,
-      inputTag: encryptedInput.tag,
-      inputCiphertext: encryptedInput.ciphertext,
-      algorithm: encryptedInput.algorithm,
-      keyEncoding: encryptedInput.encoding,
-      maxTTL,
-      defaultTTL,
-      name: newName ?? name,
-      status: null,
-      statusDetails: null
-    });
-
-    return updatedDynamicCfg;
-  };
-
-  const deleteByName = async ({
-    actorAuthMethod,
-    actorOrgId,
-    actorId,
-    actor,
-    projectSlug,
-    name,
-    path,
-    environmentSlug,
-    isForced
-  }: TDeleteDynamicSecretDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
-
-    const leases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
-    // when not forced we check with the external system to first remove the things
-    // we introduce a forced concept because consider the external lease got deleted by some other external like a human or another system
-    // this allows user to clean up it from infisical
-    if (isForced) {
-      // clear all queues for lease revocations
-      await Promise.all(leases.map(({ id: leaseId }) => dynamicSecretQueueService.unsetLeaseRevocation(leaseId)));
-
-      const deletedDynamicSecretCfg = await dynamicSecretDAL.deleteById(dynamicSecretCfg.id);
-      return deletedDynamicSecretCfg;
-    }
-    // if leases exist we should flag it as deleting and then remove leases in background
-    // then delete the main one
-    if (leases.length) {
-      const updatedDynamicSecretCfg = await dynamicSecretDAL.updateById(dynamicSecretCfg.id, {
-        status: DynamicSecretStatus.Deleting
-      });
-      await dynamicSecretQueueService.pruneDynamicSecret(updatedDynamicSecretCfg.id);
-      return updatedDynamicSecretCfg;
-    }
-    // if no leases just delete the config
-    const deletedDynamicSecretCfg = await dynamicSecretDAL.deleteById(dynamicSecretCfg.id);
-    return deletedDynamicSecretCfg;
-  };
-
-  const getDetails = async ({
-    name,
-    projectSlug,
-    path,
-    environmentSlug,
-    actorAuthMethod,
-    actorOrgId,
-    actorId,
-    actor
-  }: TDetailsDynamicSecretDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
-    const decryptedStoredInput = JSON.parse(
-      infisicalSymmetricDecrypt({
-        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
-        ciphertext: dynamicSecretCfg.inputCiphertext,
-        tag: dynamicSecretCfg.inputTag,
-        iv: dynamicSecretCfg.inputIV
-      })
-    ) as object;
-    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-    const providerInputs = (await selectedProvider.validateProviderInputs(decryptedStoredInput)) as object;
-    return { ...dynamicSecretCfg, inputs: providerInputs };
-  };
-
-  const list = async ({
-    actorAuthMethod,
-    actorOrgId,
-    actorId,
-    actor,
-    projectSlug,
-    path,
-    environmentSlug
-  }: TListDynamicSecretsDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretCfg = await dynamicSecretDAL.find({ folderId: folder.id });
-    return dynamicSecretCfg;
-  };
-
-  return {
-    create,
-    updateByName,
-    deleteByName,
-    getDetails,
-    list
-  };
-};

backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts

@@ -1,54 +0,0 @@
-import { z } from "zod";
-
-import { TProjectPermission } from "@app/lib/types";
-
-import { DynamicSecretProviderSchema } from "./providers/models";
-
-// various status for dynamic secret that happens in background
-export enum DynamicSecretStatus {
-  Deleting = "Revocation in process",
-  FailedDeletion = "Failed to delete"
-}
-
-type TProvider = z.infer<typeof DynamicSecretProviderSchema>;
-export type TCreateDynamicSecretDTO = {
-  provider: TProvider;
-  defaultTTL: string;
-  maxTTL?: string | null;
-  path: string;
-  environmentSlug: string;
-  name: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TUpdateDynamicSecretDTO = {
-  name: string;
-  newName?: string;
-  defaultTTL?: string;
-  maxTTL?: string | null;
-  path: string;
-  environmentSlug: string;
-  inputs?: TProvider["inputs"];
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TDeleteDynamicSecretDTO = {
-  name: string;
-  path: string;
-  environmentSlug: string;
-  projectSlug: string;
-  isForced?: boolean;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TDetailsDynamicSecretDTO = {
-  name: string;
-  path: string;
-  environmentSlug: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TListDynamicSecretsDTO = {
-  path: string;
-  environmentSlug: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -1,6 +0,0 @@
-import { DynamicSecretProviders } from "./models";
-import { SqlDatabaseProvider } from "./sql-database";
-
-export const buildDynamicSecretProviders = () => ({
-  [DynamicSecretProviders.SqlDatabase]: SqlDatabaseProvider()
-});

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -1,34 +0,0 @@
-import { z } from "zod";
-
-export enum SqlProviders {
-  Postgres = "postgres"
-}
-
-export const DynamicSecretSqlDBSchema = z.object({
-  client: z.nativeEnum(SqlProviders),
-  host: z.string().toLowerCase(),
-  port: z.number(),
-  database: z.string(),
-  username: z.string(),
-  password: z.string(),
-  creationStatement: z.string(),
-  revocationStatement: z.string(),
-  renewStatement: z.string(),
-  ca: z.string().optional()
-});
-
-export enum DynamicSecretProviders {
-  SqlDatabase = "sql-database"
-}
-
-export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
-  z.object({ type: z.literal(DynamicSecretProviders.SqlDatabase), inputs: DynamicSecretSqlDBSchema })
-]);
-
-export type TDynamicProviderFns = {
-  create: (inputs: unknown, expireAt: number) => Promise<{ entityId: string; data: unknown }>;
-  validateConnection: (inputs: unknown) => Promise<boolean>;
-  validateProviderInputs: (inputs: object) => Promise<unknown>;
-  revoke: (inputs: unknown, entityId: string) => Promise<{ entityId: string }>;
-  renew: (inputs: unknown, entityId: string, expireAt: number) => Promise<{ entityId: string }>;
-};

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -1,123 +0,0 @@
-import handlebars from "handlebars";
-import knex from "knex";
-import { customAlphabet } from "nanoid";
-import { z } from "zod";
-
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
-import { getDbConnectionHost } from "@app/lib/knex";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { DynamicSecretSqlDBSchema, TDynamicProviderFns } from "./models";
-
-const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
-
-const generatePassword = (size?: number) => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
-  return customAlphabet(charset, 48)(size);
-};
-
-export const SqlDatabaseProvider = (): TDynamicProviderFns => {
-  const validateProviderInputs = async (inputs: unknown) => {
-    const appCfg = getConfig();
-    const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
-
-    const providerInputs = await DynamicSecretSqlDBSchema.parseAsync(inputs);
-    if (
-      // localhost
-      providerInputs.host === "localhost" ||
-      providerInputs.host === "127.0.0.1" ||
-      // database infisical uses
-      dbHost === providerInputs.host ||
-      // internal ips
-      providerInputs.host === "host.docker.internal" ||
-      providerInputs.host.match(/^10\.\d+\.\d+\.\d+/) ||
-      providerInputs.host.match(/^192\.168\.\d+\.\d+/)
-    )
-      throw new BadRequestError({ message: "Invalid db host" });
-    return providerInputs;
-  };
-
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
-    const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
-    const db = knex({
-      client: providerInputs.client,
-      connection: {
-        database: providerInputs.database,
-        port: providerInputs.port,
-        host: providerInputs.host,
-        user: providerInputs.username,
-        password: providerInputs.password,
-        connectionTimeoutMillis: EXTERNAL_REQUEST_TIMEOUT,
-        ssl,
-        pool: { min: 0, max: 1 }
-      }
-    });
-    return db;
-  };
-
-  const validateConnection = async (inputs: unknown) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
-    const isConnected = await db
-      .raw("SELECT NOW()")
-      .then(() => true)
-      .catch(() => false);
-    await db.destroy();
-    return isConnected;
-  };
-
-  const create = async (inputs: unknown, expireAt: number) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
-
-    const username = alphaNumericNanoId(32);
-    const password = generatePassword();
-    const expiration = new Date(expireAt).toISOString();
-
-    const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
-      username,
-      password,
-      expiration
-    });
-
-    await db.raw(creationStatement.toString());
-    await db.destroy();
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
-  };
-
-  const revoke = async (inputs: unknown, entityId: string) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
-
-    const username = entityId;
-
-    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
-    await db.raw(revokeStatement);
-
-    await db.destroy();
-    return { entityId: username };
-  };
-
-  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
-
-    const username = entityId;
-    const expiration = new Date(expireAt).toISOString();
-
-    const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username, expiration });
-    await db.raw(renewStatement);
-
-    await db.destroy();
-    return { entityId: username };
-  };
-
-  return {
-    validateProviderInputs,
-    validateConnection,
-    create,
-    revoke,
-    renew
-  };
-};

backend/src/ee/services/license/licence-fns.ts

@@ -15,7 +15,6 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   membersUsed: 0,
   environmentLimit: null,
   environmentsUsed: 0,
-  dynamicSecret: false,
   secretVersioning: true,
   pitRecovery: false,
   ipAllowlisting: false,

backend/src/ee/services/license/license-service.ts

@@ -8,7 +8,6 @@ import { ForbiddenError } from "@casl/ability";
 
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
-import { verifyOfflineLicense } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -27,7 +26,6 @@ import {
   TFeatureSet,
   TGetOrgBillInfoDTO,
   TGetOrgTaxIdDTO,
-  TOfflineLicenseContents,
   TOrgInvoiceDTO,
   TOrgLicensesDTO,
   TOrgPlanDTO,
@@ -98,36 +96,6 @@ export const licenseServiceFactory = ({
         }
         return;
       }
-
-      if (appCfg.LICENSE_KEY_OFFLINE) {
-        let isValidOfflineLicense = true;
-        const contents: TOfflineLicenseContents = JSON.parse(
-          Buffer.from(appCfg.LICENSE_KEY_OFFLINE, "base64").toString("utf8")
-        );
-        const isVerified = await verifyOfflineLicense(JSON.stringify(contents.license), contents.signature);
-
-        if (!isVerified) {
-          isValidOfflineLicense = false;
-          logger.warn(`Infisical EE offline license verification failed`);
-        }
-
-        if (contents.license.terminatesAt) {
-          const terminationDate = new Date(contents.license.terminatesAt);
-          if (terminationDate < new Date()) {
-            isValidOfflineLicense = false;
-            logger.warn(`Infisical EE offline license has expired`);
-          }
-        }
-
-        if (isValidOfflineLicense) {
-          onPremFeatures = contents.license.features;
-          instanceType = InstanceType.EnterpriseOnPrem;
-          logger.info(`Instance type: ${InstanceType.EnterpriseOnPrem}`);
-          isValidLicense = true;
-          return;
-        }
-      }
-
       // this means this is self hosted oss version
       // else it would reach catch statement
       isValidLicense = true;

backend/src/ee/services/license/license-types.ts

@@ -6,28 +6,12 @@ export enum InstanceType {
   Cloud = "cloud"
 }
 
-export type TOfflineLicenseContents = {
-  license: TOfflineLicense;
-  signature: string;
-};
-
-export type TOfflineLicense = {
-  issuedTo: string;
-  licenseId: string;
-  customerId: string | null;
-  issuedAt: string;
-  expiresAt: string | null;
-  terminatesAt: string | null;
-  features: TFeatureSet;
-};
-
 export type TFeatureSet = {
   _id: null;
   slug: null;
   tier: -1;
   workspaceLimit: null;
   workspacesUsed: 0;
-  dynamicSecret: false;
   memberLimit: null;
   membersUsed: 0;
   environmentLimit: null;

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts

@@ -9,7 +9,6 @@ import jmespath from "jmespath";
 import knex from "knex";
 
 import { getConfig } from "@app/lib/config/env";
-import { getDbConnectionHost } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { TAssignOp, TDbProviderClients, TDirectAssignOp, THttpProviderFunction } from "../templates/types";
@@ -90,17 +89,7 @@ export const secretRotationDbFn = async ({
   const appCfg = getConfig();
 
   const ssl = ca ? { rejectUnauthorized: false, ca } : undefined;
-  const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
-  if (
-    host === "localhost" ||
-    host === "127.0.0.1" ||
-    // database infisical uses
-    dbHost === host ||
-    // internal ips
-    host === "host.docker.internal" ||
-    host.match(/^10\.\d+\.\d+\.\d+/) ||
-    host.match(/^192\.168\.\d+\.\d+/)
-  )
+  if (host === "localhost" || host === "127.0.0.1" || appCfg.DB_CONNECTION_URI.includes(host))
     throw new Error("Invalid db host");
 
   const db = knex({

backend/src/lib/api-docs/constants.ts

@@ -1,399 +0,0 @@
-export const IDENTITIES = {
-  CREATE: {
-    name: "The name of the identity to create.",
-    organizationId: "The organization ID to which the identity belongs.",
-    role: "The role of the identity. Possible values are 'no-access', 'member', and 'admin'."
-  },
-  UPDATE: {
-    identityId: "The ID of the identity to update.",
-    name: "The new name of the identity.",
-    role: "The new role of the identity."
-  },
-  DELETE: {
-    identityId: "The ID of the identity to delete."
-  }
-} as const;
-
-export const UNIVERSAL_AUTH = {
-  LOGIN: {
-    clientId: "Your Machine Identity Client ID.",
-    clientSecret: "Your Machine Identity Client Secret."
-  },
-  ATTACH: {
-    identityId: "The ID of the identity to attach the configuration onto.",
-    clientSecretTrustedIps:
-      "A list of IPs or CIDR ranges that the Client Secret can be used from together with the Client ID to get back an access token. You can use 0.0.0.0/0, to allow usage from any network address.",
-    accessTokenTrustedIps:
-      "A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.",
-    accessTokenTTL: "The lifetime for an access token in seconds. This value will be referenced at renewal time.",
-    accessTokenMaxTTL:
-      "The maximum lifetime for an access token in seconds. This value will be referenced at renewal time.",
-    accessTokenNumUsesLimit:
-      "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses."
-  },
-  RETRIEVE: {
-    identityId: "The ID of the identity to retrieve."
-  },
-  UPDATE: {
-    identityId: "The ID of the identity to update.",
-    clientSecretTrustedIps: "The new list of IPs or CIDR ranges that the Client Secret can be used from.",
-    accessTokenTrustedIps: "The new list of IPs or CIDR ranges that access tokens can be used from.",
-    accessTokenTTL: "The new lifetime for an access token in seconds.",
-    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
-    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
-  },
-  CREATE_CLIENT_SECRET: {
-    identityId: "The ID of the identity to create a client secret for.",
-    description: "The description of the client secret.",
-    numUsesLimit:
-      "The maximum number of times that the client secret can be used; a value of 0 implies infinite number of uses.",
-    ttl: "The lifetime for the client secret in seconds."
-  },
-  LIST_CLIENT_SECRETS: {
-    identityId: "The ID of the identity to list client secrets for."
-  },
-  REVOKE_CLIENT_SECRET: {
-    identityId: "The ID of the identity to revoke the client secret from.",
-    clientSecretId: "The ID of the client secret to revoke."
-  },
-  RENEW_ACCESS_TOKEN: {
-    accessToken: "The access token to renew."
-  }
-} as const;
-
-export const ORGANIZATIONS = {
-  LIST_USER_MEMBERSHIPS: {
-    organizationId: "The ID of the organization to get memberships from."
-  },
-  UPDATE_USER_MEMBERSHIP: {
-    organizationId: "The ID of the organization to update the membership for.",
-    membershipId: "The ID of the membership to update.",
-    role: "The new role of the membership."
-  },
-  DELETE_USER_MEMBERSHIP: {
-    organizationId: "The ID of the organization to delete the membership from.",
-    membershipId: "The ID of the membership to delete."
-  },
-  LIST_IDENTITY_MEMBERSHIPS: {
-    orgId: "The ID of the organization to get identity memberships from."
-  },
-  GET_PROJECTS: {
-    organizationId: "The ID of the organization to get projects from."
-  }
-} as const;
-
-export const PROJECTS = {
-  CREATE: {
-    organizationSlug: "The slug of the organization to create the project in.",
-    projectName: "The name of the project to create.",
-    slug: "An optional slug for the project."
-  },
-  DELETE: {
-    workspaceId: "The ID of the project to delete."
-  },
-  GET: {
-    workspaceId: "The ID of the project."
-  },
-  UPDATE: {
-    workspaceId: "The ID of the project to update.",
-    name: "The new name of the project.",
-    autoCapitalization: "Disable or enable auto-capitalization for the project."
-  },
-  INVITE_MEMBER: {
-    projectId: "The ID of the project to invite the member to.",
-    emails: "A list of organization member emails to invite to the project.",
-    usernames: "A list of usernames to invite to the project."
-  },
-  REMOVE_MEMBER: {
-    projectId: "The ID of the project to remove the member from.",
-    emails: "A list of organization member emails to remove from the project.",
-    usernames: "A list of usernames to remove from the project."
-  },
-  GET_USER_MEMBERSHIPS: {
-    workspaceId: "The ID of the project to get memberships from."
-  },
-  UPDATE_USER_MEMBERSHIP: {
-    workspaceId: "The ID of the project to update the membership for.",
-    membershipId: "The ID of the membership to update.",
-    roles: "A list of roles to update the membership to."
-  },
-  LIST_IDENTITY_MEMBERSHIPS: {
-    projectId: "The ID of the project to get identity memberships from."
-  },
-  UPDATE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to update the identity membership for.",
-    identityId: "The ID of the identity to update the membership for.",
-    roles: "A list of roles to update the membership to."
-  },
-  DELETE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to delete the identity membership from.",
-    identityId: "The ID of the identity to delete the membership from."
-  },
-  GET_KEY: {
-    workspaceId: "The ID of the project to get the key from."
-  },
-  GET_SNAPSHOTS: {
-    workspaceId: "The ID of the project to get snapshots from.",
-    environment: "The environment to get snapshots from.",
-    path: "The secret path to get snapshots from.",
-    offset: "The offset to start from. If you enter 10, it will start from the 10th snapshot.",
-    limit: "The number of snapshots to return."
-  },
-  ROLLBACK_TO_SNAPSHOT: {
-    secretSnapshotId: "The ID of the snapshot to rollback to."
-  }
-} as const;
-
-export const ENVIRONMENTS = {
-  CREATE: {
-    workspaceId: "The ID of the project to create the environment in.",
-    name: "The name of the environment to create.",
-    slug: "The slug of the environment to create."
-  },
-  UPDATE: {
-    workspaceId: "The ID of the project to update the environment in.",
-    id: "The ID of the environment to update.",
-    name: "The new name of the environment.",
-    slug: "The new slug of the environment.",
-    position: "The new position of the environment. The lowest number will be displayed as the first environment."
-  },
-  DELETE: {
-    workspaceId: "The ID of the project to delete the environment from.",
-    id: "The ID of the environment to delete."
-  }
-} as const;
-
-export const FOLDERS = {
-  LIST: {
-    workspaceId: "The ID of the project to list folders from.",
-    environment: "The slug of the environment to list folders from.",
-    path: "The path to list folders from.",
-    directory: "The directory to list folders from. (Deprecated in favor of path)"
-  },
-  CREATE: {
-    workspaceId: "The ID of the project to create the folder in.",
-    environment: "The slug of the environment to create the folder in.",
-    name: "The name of the folder to create.",
-    path: "The path of the folder to create.",
-    directory: "The directory of the folder to create. (Deprecated in favor of path)"
-  },
-  UPDATE: {
-    folderId: "The ID of the folder to update.",
-    environment: "The slug of the environment where the folder is located.",
-    name: "The new name of the folder.",
-    path: "The path of the folder to update.",
-    directory: "The new directory of the folder to update. (Deprecated in favor of path)",
-    workspaceId: "The ID of the project where the folder is located."
-  },
-  DELETE: {
-    folderIdOrName: "The ID or name of the folder to delete.",
-    workspaceId: "The ID of the project to delete the folder from.",
-    environment: "The slug of the environment where the folder is located.",
-    directory: "The directory of the folder to delete. (Deprecated in favor of path)",
-    path: "The path of the folder to delete."
-  }
-} as const;
-
-export const SECRETS = {
-  ATTACH_TAGS: {
-    secretName: "The name of the secret to attach tags to.",
-    secretPath: "The path of the secret to attach tags to.",
-    type: "The type of the secret to attach tags to. (shared/personal)",
-    environment: "The slug of the environment where the secret is located",
-    projectSlug: "The slug of the project where the secret is located",
-    tagSlugs: "An array of existing tag slugs to attach to the secret."
-  },
-  DETACH_TAGS: {
-    secretName: "The name of the secret to detach tags from.",
-    secretPath: "The path of the secret to detach tags from.",
-    type: "The type of the secret to attach tags to. (shared/personal)",
-    environment: "The slug of the environment where the secret is located",
-    projectSlug: "The slug of the project where the secret is located",
-    tagSlugs: "An array of existing tag slugs to detach from the secret."
-  }
-} as const;
-
-export const RAW_SECRETS = {
-  LIST: {
-    workspaceId: "The ID of the project to list secrets from.",
-    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
-    environment: "The slug of the environment to list secrets from.",
-    secretPath: "The secret path to list secrets from.",
-    includeImports: "Weather to include imported secrets or not."
-  },
-  CREATE: {
-    secretName: "The name of the secret to create.",
-    environment: "The slug of the environment to create the secret in.",
-    secretComment: "Attach a comment to the secret.",
-    secretPath: "The path to create the secret in.",
-    secretValue: "The value of the secret to create.",
-    skipMultilineEncoding: "Skip multiline encoding for the secret value.",
-    type: "The type of the secret to create.",
-    workspaceId: "The ID of the project to create the secret in."
-  },
-  GET: {
-    secretName: "The name of the secret to get.",
-    workspaceId: "The ID of the project to get the secret from.",
-    environment: "The slug of the environment to get the secret from.",
-    secretPath: "The path of the secret to get.",
-    version: "The version of the secret to get.",
-    type: "The type of the secret to get.",
-    includeImports: "Weather to include imported secrets or not."
-  },
-  UPDATE: {
-    secretName: "The name of the secret to update.",
-    environment: "The slug of the environment where the secret is located.",
-    secretPath: "The path of the secret to update",
-    secretValue: "The new value of the secret.",
-    skipMultilineEncoding: "Skip multiline encoding for the secret value.",
-    type: "The type of the secret to update.",
-    workspaceId: "The ID of the project to update the secret in."
-  },
-  DELETE: {
-    secretName: "The name of the secret to delete.",
-    environment: "The slug of the environment where the secret is located.",
-    secretPath: "The path of the secret.",
-    type: "The type of the secret to delete.",
-    workspaceId: "The ID of the project where the secret is located."
-  }
-} as const;
-
-export const SECRET_IMPORTS = {
-  LIST: {
-    workspaceId: "The ID of the project to list secret imports from.",
-    environment: "The slug of the environment to list secret imports from.",
-    path: "The path to list secret imports from."
-  },
-  CREATE: {
-    environment: "The slug of the environment to import into.",
-    path: "The path to import into.",
-    workspaceId: "The ID of the project you are working in.",
-    import: {
-      environment: "The slug of the environment to import from.",
-      path: "The path to import from."
-    }
-  },
-  UPDATE: {
-    secretImportId: "The ID of the secret import to update.",
-    environment: "The slug of the environment where the secret import is located.",
-    import: {
-      environment: "The new environment slug to import from.",
-      path: "The new path to import from.",
-      position: "The new position of the secret import. The lowest number will be displayed as the first import."
-    },
-    path: "The path of the secret import to update.",
-    workspaceId: "The ID of the project where the secret import is located."
-  },
-  DELETE: {
-    workspaceId: "The ID of the project to delete the secret import from.",
-    secretImportId: "The ID of the secret import to delete.",
-    environment: "The slug of the environment where the secret import is located.",
-    path: "The path of the secret import to delete."
-  }
-} as const;
-
-export const AUDIT_LOGS = {
-  EXPORT: {
-    workspaceId: "The ID of the project to export audit logs from.",
-    eventType: "The type of the event to export.",
-    userAgentType: "Choose which consuming application to export audit logs for.",
-    startDate: "The date to start the export from.",
-    endDate: "The date to end the export at.",
-    offset: "The offset to start from. If you enter 10, it will start from the 10th audit log.",
-    limit: "The number of audit logs to return.",
-    actor: "The actor to filter the audit logs by."
-  }
-} as const;
-
-export const DYNAMIC_SECRETS = {
-  LIST: {
-    projectSlug: "The slug of the project to create dynamic secret in.",
-    environmentSlug: "The slug of the environment to list folders from.",
-    path: "The path to list folders from."
-  },
-  LIST_LEAES_BY_NAME: {
-    projectSlug: "The slug of the project to create dynamic secret in.",
-    environmentSlug: "The slug of the environment to list folders from.",
-    path: "The path to list folders from.",
-    name: "The name of the dynamic secret."
-  },
-  GET_BY_NAME: {
-    projectSlug: "The slug of the project to create dynamic secret in.",
-    environmentSlug: "The slug of the environment to list folders from.",
-    path: "The path to list folders from.",
-    name: "The name of the dynamic secret."
-  },
-  CREATE: {
-    projectSlug: "The slug of the project to create dynamic secret in.",
-    environmentSlug: "The slug of the environment to create the dynamic secret in.",
-    path: "The path to create the dynamic secret in.",
-    name: "The name of the dynamic secret.",
-    provider: "The type of dynamic secret.",
-    defaultTTL: "The default TTL that will be applied for all the leases.",
-    maxTTL: "The maximum limit a TTL can be leases or renewed."
-  },
-  UPDATE: {
-    projectSlug: "The slug of the project to update dynamic secret in.",
-    environmentSlug: "The slug of the environment to update the dynamic secret in.",
-    path: "The path to update the dynamic secret in.",
-    name: "The name of the dynamic secret.",
-    inputs: "The new partial values for the configurated provider of the dynamic secret",
-    defaultTTL: "The default TTL that will be applied for all the leases.",
-    maxTTL: "The maximum limit a TTL can be leases or renewed.",
-    newName: "The new name for the dynamic secret."
-  },
-  DELETE: {
-    projectSlug: "The slug of the project to delete dynamic secret in.",
-    environmentSlug: "The slug of the environment to delete the dynamic secret in.",
-    path: "The path to delete the dynamic secret in.",
-    name: "The name of the dynamic secret.",
-    isForced:
-      "A boolean flag to delete the the dynamic secret from infisical without trying to remove it from external provider. Used when the dynamic secret got modified externally."
-  }
-} as const;
-
-export const DYNAMIC_SECRET_LEASES = {
-  GET_BY_LEASEID: {
-    projectSlug: "The slug of the project to create dynamic secret in.",
-    environmentSlug: "The slug of the environment to list folders from.",
-    path: "The path to list folders from.",
-    leaseId: "The ID of the dynamic secret lease."
-  },
-  CREATE: {
-    projectSlug: "The slug of the project of the dynamic secret in.",
-    environmentSlug: "The slug of the environment of the dynamic secret in.",
-    path: "The path of the dynamic secret in.",
-    dynamicSecretName: "The name of the dynamic secret.",
-    ttl: "The lease lifetime ttl. If not provided the default TTL of dynamic secret will be used."
-  },
-  RENEW: {
-    projectSlug: "The slug of the project of the dynamic secret in.",
-    environmentSlug: "The slug of the environment of the dynamic secret in.",
-    path: "The path of the dynamic secret in.",
-    leaseId: "The ID of the dynamic secret lease.",
-    ttl: "The renew TTL that gets added with current expiry (ensure it's below max TTL) for a total less than creation time + max TTL."
-  },
-  DELETE: {
-    projectSlug: "The slug of the project of the dynamic secret in.",
-    environmentSlug: "The slug of the environment of the dynamic secret in.",
-    path: "The path of the dynamic secret in.",
-    leaseId: "The ID of the dynamic secret lease.",
-    isForced:
-      "A boolean flag to delete the the dynamic secret from infisical without trying to remove it from external provider. Used when the dynamic secret got modified externally."
-  }
-} as const;
-export const SECRET_TAGS = {
-  LIST: {
-    projectId: "The ID of the project to list tags from."
-  },
-  CREATE: {
-    projectId: "The ID of the project to create the tag in.",
-    name: "The name of the tag to create.",
-    slug: "The slug of the tag to create.",
-    color: "The color of the tag to create."
-  },
-  DELETE: {
-    tagId: "The ID of the tag to delete.",
-    projectId: "The ID of the project to delete the tag from."
-  }
-} as const;

backend/src/lib/api-docs/index.ts

@@ -1 +0,0 @@
-export * from "./constants";

backend/src/lib/config/env.ts

@@ -18,7 +18,6 @@ const envSchema = z
     DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
       `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
     ),
-    MAX_LEASE_LIMIT: z.coerce.number().default(10000),
     DB_ROOT_CERT: zpStr(z.string().describe("Postgres database base64-encoded CA cert").optional()),
     DB_HOST: zpStr(z.string().describe("Postgres database host").optional()),
     DB_PORT: zpStr(z.string().describe("Postgres database port").optional()).default("5432"),
@@ -107,15 +106,13 @@ const envSchema = z
     LICENSE_SERVER_URL: zpStr(z.string().optional().default("https://portal.infisical.com")),
     LICENSE_SERVER_KEY: zpStr(z.string().optional()),
     LICENSE_KEY: zpStr(z.string().optional()),
-    LICENSE_KEY_OFFLINE: zpStr(z.string().optional()),
 
     // GENERIC
     STANDALONE_MODE: z
       .enum(["true", "false"])
       .transform((val) => val === "true")
       .optional(),
-    INFISICAL_CLOUD: zodStrBool.default("false"),
-    MAINTENANCE_MODE: zodStrBool.default("false")
+    INFISICAL_CLOUD: zodStrBool.default("false")
   })
   .transform((data) => ({
     ...data,

backend/src/lib/crypto/index.ts

@@ -17,5 +17,4 @@ export {
   decryptSecrets,
   decryptSecretVersions
 } from "./secret-encryption";
-export { verifyOfflineLicense } from "./signing";
 export { generateSrpServerKey, srpCheckClientProof } from "./srp";

backend/src/lib/crypto/license_public_key.pem

@@ -1,8 +0,0 @@
------BEGIN RSA PUBLIC KEY-----
-MIIBCgKCAQEApchBY3BXTu4zWGBguB7nM/pjpVLY3V7VGZOAxmR5ueQTJOwiGM13
-5HN3EM9fDlQnZu9VSc0OFqRM/bUeUaI1oLPE6WzTHjdHyKjDI/S+TLx3VGEsvhM1
-uukZpYX+3KX2w4wzRHBaBWyglFy0CVNth9UJhhpD+KKfv7dzcRmsbyoUWi9wGfJu
-wLYCwaCwZRXIt1sLGmMncPz14vfwdnm2a5Tj1Jbt0GTyBl+1/ZqLbO6SsslLg2G+
-o7FfGS9z8OUTkvDdu16qxL+p2wCEFZMnOz5BB4oakuT2gS9iOO2l5AOPcT4WzPzy
-PYbX3d7cN9BkOY9I5z0cX4wzqHjQTvGNLQIDAQAB
------END RSA PUBLIC KEY-----

backend/src/lib/crypto/signing.ts

@@ -1,22 +0,0 @@
-import crypto, { KeyObject } from "crypto";
-import fs from "fs/promises";
-import path from "path";
-
-export const verifySignature = (data: string, signature: Buffer, publicKey: KeyObject) => {
-  const verify = crypto.createVerify("SHA256");
-  verify.update(data);
-  verify.end();
-  return verify.verify(publicKey, signature);
-};
-
-export const verifyOfflineLicense = async (licenseContents: string, signature: string) => {
-  const publicKeyPem = await fs.readFile(path.join(__dirname, "license_public_key.pem"), "utf8");
-
-  const publicKey = crypto.createPublicKey({
-    key: publicKeyPem,
-    format: "pem",
-    type: "pkcs1"
-  });
-
-  return verifySignature(licenseContents, Buffer.from(signature, "base64"), publicKey);
-};

backend/src/lib/errors/index.ts

@@ -59,18 +59,6 @@ export class BadRequestError extends Error {
   }
 }
 
-export class DisableRotationErrors extends Error {
-  name: string;
-
-  error: unknown;
-
-  constructor({ name, error, message }: { message: string; name?: string; error?: unknown }) {
-    super(message);
-    this.name = name || "DisableRotationErrors";
-    this.error = error;
-  }
-}
-
 export class ScimRequestError extends Error {
   name: string;
 

backend/src/lib/knex/connection.ts

@@ -1,11 +0,0 @@
-import { URL } from "url"; // Import the URL class
-
-export const getDbConnectionHost = (urlString: string) => {
-  try {
-    const url = new URL(urlString);
-    // Split hostname and port (if provided)
-    return url.hostname.split(":")[0];
-  } catch (error) {
-    return null;
-  }
-};

backend/src/lib/knex/index.ts

@@ -4,7 +4,6 @@ import { Tables } from "knex/types/tables";
 
 import { DatabaseError } from "../errors";
 
-export * from "./connection";
 export * from "./join";
 export * from "./select";
 

backend/src/lib/types/index.ts

@@ -13,7 +13,7 @@ export type TProjectPermission = {
   actorId: string;
   projectId: string;
   actorAuthMethod: ActorAuthMethod;
-  actorOrgId: string;
+  actorOrgId: string | undefined;
 };
 
 export type RequiredKeys<T> = {

backend/src/queue/queue-service.ts

@@ -18,8 +18,7 @@ export enum QueueName {
   SecretWebhook = "secret-webhook",
   SecretFullRepoScan = "secret-full-repo-scan",
   SecretPushEventScan = "secret-push-event-scan",
-  UpgradeProjectToGhost = "upgrade-project-to-ghost",
-  DynamicSecretRevocation = "dynamic-secret-revocation"
+  UpgradeProjectToGhost = "upgrade-project-to-ghost"
 }
 
 export enum QueueJobs {
@@ -31,9 +30,7 @@ export enum QueueJobs {
   TelemetryInstanceStats = "telemetry-self-hosted-stats",
   IntegrationSync = "secret-integration-pull",
   SecretScan = "secret-scan",
-  UpgradeProjectToGhost = "upgrade-project-to-ghost-job",
-  DynamicSecretRevocation = "dynamic-secret-revocation",
-  DynamicSecretPruning = "dynamic-secret-pruning"
+  UpgradeProjectToGhost = "upgrade-project-to-ghost-job"
 }
 
 export type TQueueJobTypes = {
@@ -89,19 +86,6 @@ export type TQueueJobTypes = {
     name: QueueJobs.TelemetryInstanceStats;
     payload: undefined;
   };
-  [QueueName.DynamicSecretRevocation]:
-    | {
-        name: QueueJobs.DynamicSecretRevocation;
-        payload: {
-          leaseId: string;
-        };
-      }
-    | {
-        name: QueueJobs.DynamicSecretPruning;
-        payload: {
-          dynamicSecretCfgId: string;
-        };
-      };
 };
 
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;

backend/src/server/app.ts

@@ -24,7 +24,6 @@ import { fastifyErrHandler } from "./plugins/error-handler";
 import { registerExternalNextjs } from "./plugins/external-nextjs";
 import { serializerCompiler, validatorCompiler, ZodTypeProvider } from "./plugins/fastify-zod";
 import { fastifyIp } from "./plugins/ip";
-import { maintenanceMode } from "./plugins/maintenanceMode";
 import { fastifySwagger } from "./plugins/swagger";
 import { registerRoutes } from "./routes";
 
@@ -73,8 +72,6 @@ export const main = async ({ db, smtp, logger, queue, keyStore }: TMain) => {
     }
     await server.register(helmet, { contentSecurityPolicy: false });
 
-    await server.register(maintenanceMode);
-
     await server.register(registerRoutes, { smtp, queue, db, keyStore });
 
     if (appCfg.isProductionMode) {

backend/src/server/plugins/auth/inject-identity.ts

@@ -16,7 +16,7 @@ export type TAuthMode =
       userId: string;
       tokenVersionId: string; // the session id of token used
       user: TUsers;
-      orgId: string;
+      orgId?: string;
       authMethod: AuthMethod;
     }
   | {
@@ -119,7 +119,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
           userId: user.id,
           tokenVersionId,
           actor,
-          orgId: orgId as string,
+          orgId,
           authMethod: token.authMethod
         };
         break;

backend/src/server/plugins/maintenanceMode.ts

@@ -1,12 +0,0 @@
-import fp from "fastify-plugin";
-
-import { getConfig } from "@app/lib/config/env";
-
-export const maintenanceMode = fp(async (fastify) => {
-  fastify.addHook("onRequest", async (req) => {
-    const serverEnvs = getConfig();
-    if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET" && serverEnvs.MAINTENANCE_MODE) {
-      throw new Error("Infisical is in maintenance mode. Please try again later.");
-    }
-  });
-});

backend/src/server/plugins/swagger.ts

@@ -14,13 +14,13 @@ export const fastifySwagger = fp(async (fastify) => {
         version: "0.0.1"
       },
       servers: [
-        {
-          url: "https://app.infisical.com",
-          description: "Production server"
-        },
         {
           url: "http://localhost:8080",
           description: "Local server"
+        },
+        {
+          url: "https://app.infisical.com",
+          description: "Production server"
         }
       ],
       components: {

backend/src/server/routes/index.ts

@@ -5,12 +5,6 @@ import { registerV1EERoutes } from "@app/ee/routes/v1";
 import { auditLogDALFactory } from "@app/ee/services/audit-log/audit-log-dal";
 import { auditLogQueueServiceFactory } from "@app/ee/services/audit-log/audit-log-queue";
 import { auditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
-import { dynamicSecretDALFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-dal";
-import { dynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
-import { buildDynamicSecretProviders } from "@app/ee/services/dynamic-secret/providers";
-import { dynamicSecretLeaseDALFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal";
-import { dynamicSecretLeaseQueueServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue";
-import { dynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
 import { ldapConfigDALFactory } from "@app/ee/services/ldap-config/ldap-config-dal";
 import { ldapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { licenseDALFactory } from "@app/ee/services/license/license-dal";
@@ -202,8 +196,6 @@ export const registerRoutes = async (
   const gitAppOrgDAL = gitAppDALFactory(db);
   const secretScanningDAL = secretScanningDALFactory(db);
   const licenseDAL = licenseDALFactory(db);
-  const dynamicSecretDAL = dynamicSecretDALFactory(db);
-  const dynamicSecretLeaseDAL = dynamicSecretLeaseDALFactory(db);
 
   const permissionService = permissionServiceFactory({
     permissionDAL,
@@ -558,34 +550,6 @@ export const registerRoutes = async (
     licenseService
   });
 
-  const dynamicSecretProviders = buildDynamicSecretProviders();
-  const dynamicSecretQueueService = dynamicSecretLeaseQueueServiceFactory({
-    queueService,
-    dynamicSecretLeaseDAL,
-    dynamicSecretProviders,
-    dynamicSecretDAL
-  });
-  const dynamicSecretService = dynamicSecretServiceFactory({
-    projectDAL,
-    dynamicSecretQueueService,
-    dynamicSecretDAL,
-    dynamicSecretLeaseDAL,
-    dynamicSecretProviders,
-    folderDAL,
-    permissionService,
-    licenseService
-  });
-  const dynamicSecretLeaseService = dynamicSecretLeaseServiceFactory({
-    projectDAL,
-    permissionService,
-    dynamicSecretQueueService,
-    dynamicSecretDAL,
-    dynamicSecretLeaseDAL,
-    dynamicSecretProviders,
-    folderDAL,
-    licenseService
-  });
-
   await superAdminService.initServerCfg();
   //
   // setup the communication with license key server
@@ -627,8 +591,6 @@ export const registerRoutes = async (
     secretApprovalPolicy: sapService,
     secretApprovalRequest: sarService,
     secretRotation: secretRotationService,
-    dynamicSecret: dynamicSecretService,
-    dynamicSecretLease: dynamicSecretLeaseService,
     snapshot: snapshotService,
     saml: samlService,
     ldap: ldapService,

backend/src/server/routes/sanitizedSchemas.ts

@@ -1,11 +1,6 @@
 import { z } from "zod";
 
-import {
-  DynamicSecretsSchema,
-  IntegrationAuthsSchema,
-  SecretApprovalPoliciesSchema,
-  UsersSchema
-} from "@app/db/schemas";
+import { IntegrationAuthsSchema, SecretApprovalPoliciesSchema, UsersSchema } from "@app/db/schemas";
 
 // sometimes the return data must be santizied to avoid leaking important values
 // always prefer pick over omit in zod
@@ -61,11 +56,3 @@ export const secretRawSchema = z.object({
   secretValue: z.string(),
   secretComment: z.string().optional()
 });
-
-export const SanitizedDynamicSecretSchema = DynamicSecretsSchema.omit({
-  inputIV: true,
-  inputTag: true,
-  inputCiphertext: true,
-  keyEncoding: true,
-  algorithm: true
-});

backend/src/server/routes/v1/admin-router.ts

@@ -16,16 +16,13 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     schema: {
       response: {
         200: z.object({
-          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).merge(
-            z.object({ isMigrationModeOn: z.boolean() })
-          )
+          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true })
         })
       }
     },
     handler: async () => {
       const config = await getServerCfg();
-      const serverEnvs = getConfig();
-      return { config: { ...config, isMigrationModeOn: serverEnvs.MAINTENANCE_MODE } };
+      return { config };
     }
   });
 

backend/src/server/routes/v1/identity-access-token-router.ts

@@ -1,7 +1,5 @@
 import { z } from "zod";
 
-import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
-
 export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/token/renew",
@@ -9,7 +7,7 @@ export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvid
     schema: {
       description: "Renew access token",
       body: z.object({
-        accessToken: z.string().trim().describe(UNIVERSAL_AUTH.RENEW_ACCESS_TOKEN.accessToken)
+        accessToken: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { IdentitiesSchema, OrgMembershipRole } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { IDENTITIES } from "@app/lib/api-docs";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -21,9 +20,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
         }
       ],
       body: z.object({
-        name: z.string().trim().describe(IDENTITIES.CREATE.name),
-        organizationId: z.string().trim().describe(IDENTITIES.CREATE.organizationId),
-        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess).describe(IDENTITIES.CREATE.role)
+        name: z.string().trim(),
+        organizationId: z.string().trim(),
+        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess)
       }),
       response: {
         200: z.object({
@@ -80,11 +79,11 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(IDENTITIES.UPDATE.identityId)
+        identityId: z.string()
       }),
       body: z.object({
-        name: z.string().trim().optional().describe(IDENTITIES.UPDATE.name),
-        role: z.string().trim().min(1).optional().describe(IDENTITIES.UPDATE.role)
+        name: z.string().trim().optional(),
+        role: z.string().trim().min(1).optional()
       }),
       response: {
         200: z.object({
@@ -130,7 +129,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(IDENTITIES.DELETE.identityId)
+        identityId: z.string()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-ua.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { IdentityUaClientSecretsSchema, IdentityUniversalAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
@@ -27,8 +26,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
     schema: {
       description: "Login with Universal Auth",
       body: z.object({
-        clientId: z.string().trim().describe(UNIVERSAL_AUTH.LOGIN.clientId),
-        clientSecret: z.string().trim().describe(UNIVERSAL_AUTH.LOGIN.clientSecret)
+        clientId: z.string().trim(),
+        clientSecret: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -77,7 +76,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().trim().describe(UNIVERSAL_AUTH.ATTACH.identityId)
+        identityId: z.string().trim()
       }),
       body: z.object({
         clientSecretTrustedIps: z
@@ -86,16 +85,14 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
           })
           .array()
           .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-          .describe(UNIVERSAL_AUTH.ATTACH.clientSecretTrustedIps),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
         accessTokenTrustedIps: z
           .object({
             ipAddress: z.string().trim()
           })
           .array()
           .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTrustedIps),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
         accessTokenTTL: z
           .number()
           .int()
@@ -103,22 +100,15 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
           .refine((value) => value !== 0, {
             message: "accessTokenTTL must have a non zero number"
           })
-          .default(2592000)
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTTL), // 30 days
+          .default(2592000),
         accessTokenMaxTTL: z
           .number()
           .int()
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
-          .default(2592000)
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenMaxTTL), // 30 days
-        accessTokenNumUsesLimit: z
-          .number()
-          .int()
-          .min(0)
-          .default(0)
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit)
+          .default(2592000), // 30 days
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
       }),
       response: {
         200: z.object({
@@ -167,7 +157,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.UPDATE.identityId)
+        identityId: z.string()
       }),
       body: z.object({
         clientSecretTrustedIps: z
@@ -176,23 +166,16 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
           })
           .array()
           .min(1)
-          .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.clientSecretTrustedIps),
+          .optional(),
         accessTokenTrustedIps: z
           .object({
             ipAddress: z.string().trim()
           })
           .array()
           .min(1)
-          .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenTTL: z.number().int().min(0).optional().describe(UNIVERSAL_AUTH.UPDATE.accessTokenTTL),
-        accessTokenNumUsesLimit: z
-          .number()
-          .int()
-          .min(0)
-          .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenNumUsesLimit),
+          .optional(),
+        accessTokenTTL: z.number().int().min(0).optional(),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
         accessTokenMaxTTL: z
           .number()
           .int()
@@ -200,7 +183,6 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
             message: "accessTokenMaxTTL must have a non zero number"
           })
           .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL)
       }),
       response: {
         200: z.object({
@@ -250,7 +232,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.RETRIEVE.identityId)
+        identityId: z.string()
       }),
       response: {
         200: z.object({
@@ -294,12 +276,12 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.identityId)
+        identityId: z.string()
       }),
       body: z.object({
-        description: z.string().trim().default("").describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.description),
-        numUsesLimit: z.number().min(0).default(0).describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.numUsesLimit),
-        ttl: z.number().min(0).default(0).describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.ttl)
+        description: z.string().trim().default(""),
+        numUsesLimit: z.number().min(0).default(0),
+        ttl: z.number().min(0).default(0)
       }),
       response: {
         200: z.object({
@@ -346,7 +328,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.LIST_CLIENT_SECRETS.identityId)
+        identityId: z.string()
       }),
       response: {
         200: z.object({
@@ -389,8 +371,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.REVOKE_CLIENT_SECRET.identityId),
-        clientSecretId: z.string().describe(UNIVERSAL_AUTH.REVOKE_CLIENT_SECRET.clientSecretId)
+        identityId: z.string(),
+        clientSecretId: z.string()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/integration-auth-router.ts

@@ -352,68 +352,6 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
     }
   });
 
-  server.route({
-    url: "/:integrationAuthId/github/orgs",
-    method: "GET",
-    onRequest: verifyAuth([AuthMode.JWT]),
-    schema: {
-      params: z.object({
-        integrationAuthId: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          orgs: z.object({ name: z.string(), orgId: z.string() }).array()
-        })
-      }
-    },
-    handler: async (req) => {
-      const orgs = await server.services.integrationAuth.getGithubOrgs({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        id: req.params.integrationAuthId
-      });
-      if (!orgs) throw new Error("No organization found.");
-
-      return { orgs };
-    }
-  });
-
-  server.route({
-    url: "/:integrationAuthId/github/envs",
-    method: "GET",
-    onRequest: verifyAuth([AuthMode.JWT]),
-    schema: {
-      params: z.object({
-        integrationAuthId: z.string().trim()
-      }),
-      querystring: z.object({
-        repoOwner: z.string().trim(),
-        repoName: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          envs: z.object({ name: z.string(), envId: z.string() }).array()
-        })
-      }
-    },
-    handler: async (req) => {
-      const envs = await server.services.integrationAuth.getGithubEnvs({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        id: req.params.integrationAuthId,
-        actorAuthMethod: req.permission.authMethod,
-        repoName: req.query.repoName,
-        repoOwner: req.query.repoOwner
-      });
-      if (!envs) throw new Error("No organization found.");
-
-      return { envs };
-    }
-  });
-
   server.route({
     url: "/:integrationAuthId/qovery/orgs",
     method: "GET",

backend/src/server/routes/v1/integration-router.ts

@@ -33,7 +33,6 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
             secretPrefix: z.string().optional(),
             secretSuffix: z.string().optional(),
             initialSyncBehavior: z.string().optional(),
-            shouldAutoRedeploy: z.boolean().optional(),
             secretGCPLabel: z
               .object({
                 labelName: z.string(),

backend/src/server/routes/v1/project-env-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { ProjectEnvironmentsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { ENVIRONMENTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -19,11 +18,11 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(ENVIRONMENTS.CREATE.workspaceId)
+        workspaceId: z.string().trim()
       }),
       body: z.object({
-        name: z.string().trim().describe(ENVIRONMENTS.CREATE.name),
-        slug: z.string().trim().describe(ENVIRONMENTS.CREATE.slug)
+        name: z.string().trim(),
+        slug: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -75,13 +74,13 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(ENVIRONMENTS.UPDATE.workspaceId),
-        id: z.string().trim().describe(ENVIRONMENTS.UPDATE.id)
+        workspaceId: z.string().trim(),
+        id: z.string().trim()
       }),
       body: z.object({
-        slug: z.string().trim().optional().describe(ENVIRONMENTS.UPDATE.slug),
-        name: z.string().trim().optional().describe(ENVIRONMENTS.UPDATE.name),
-        position: z.number().optional().describe(ENVIRONMENTS.UPDATE.position)
+        slug: z.string().trim().optional(),
+        name: z.string().trim().optional(),
+        position: z.number().optional()
       }),
       response: {
         200: z.object({
@@ -139,8 +138,8 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(ENVIRONMENTS.DELETE.workspaceId),
-        id: z.string().trim().describe(ENVIRONMENTS.DELETE.id)
+        workspaceId: z.string().trim(),
+        id: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/project-membership-router.ts

@@ -9,7 +9,6 @@ import {
   UsersSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
@@ -27,7 +26,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.GET_USER_MEMBERSHIPS.workspaceId)
+        workspaceId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -137,8 +136,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.workspaceId),
-        membershipId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.membershipId)
+        workspaceId: z.string().trim(),
+        membershipId: z.string().trim()
       }),
       body: z.object({
         roles: z
@@ -159,7 +158,6 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
           )
           .min(1)
           .refine((data) => data.some(({ isTemporary }) => !isTemporary), "At least long lived role is required")
-          .describe(PROJECTS.UPDATE_USER_MEMBERSHIP.roles)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/project-router.ts

@@ -7,7 +7,6 @@ import {
   UserEncryptionKeysSchema,
   UsersSchema
 } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectFilterType } from "@app/services/project/project-types";
@@ -129,7 +128,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     method: "GET",
     schema: {
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.GET.workspaceId)
+        workspaceId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -158,7 +157,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     method: "DELETE",
     schema: {
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.DELETE.workspaceId)
+        workspaceId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -221,16 +220,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     method: "PATCH",
     schema: {
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.UPDATE.workspaceId)
+        workspaceId: z.string().trim()
       }),
       body: z.object({
-        name: z
-          .string()
-          .trim()
-          .max(64, { message: "Name must be 64 or fewer characters" })
-          .optional()
-          .describe(PROJECTS.UPDATE.name),
-        autoCapitalization: z.boolean().optional().describe(PROJECTS.UPDATE.autoCapitalization)
+        name: z.string().trim().max(64, { message: "Name must be 64 or fewer characters" }).optional(),
+        autoCapitalization: z.boolean().optional()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-folder-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { SecretFoldersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { FOLDERS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -20,12 +19,12 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
         }
       ],
       body: z.object({
-        workspaceId: z.string().trim().describe(FOLDERS.CREATE.workspaceId),
-        environment: z.string().trim().describe(FOLDERS.CREATE.environment),
-        name: z.string().trim().describe(FOLDERS.CREATE.name),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        name: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.directory)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({
@@ -75,15 +74,15 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       ],
       params: z.object({
         // old way this was name
-        folderId: z.string().describe(FOLDERS.UPDATE.folderId)
+        folderId: z.string()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(FOLDERS.UPDATE.workspaceId),
-        environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
-        name: z.string().trim().describe(FOLDERS.UPDATE.name),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        name: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.directory)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({
@@ -122,7 +121,6 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
     }
   });
 
-  // TODO(daniel): Expose this route in api reference and write docs for it.
   server.route({
     url: "/:folderIdOrName",
     method: "DELETE",
@@ -135,14 +133,14 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
         }
       ],
       params: z.object({
-        folderIdOrName: z.string().describe(FOLDERS.DELETE.folderIdOrName)
+        folderIdOrName: z.string()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(FOLDERS.DELETE.workspaceId),
-        environment: z.string().trim().describe(FOLDERS.DELETE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         // keep this here as cli need directory
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.directory)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({
@@ -192,11 +190,11 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
         }
       ],
       querystring: z.object({
-        workspaceId: z.string().trim().describe(FOLDERS.LIST.workspaceId),
-        environment: z.string().trim().describe(FOLDERS.LIST.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.directory)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-import-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { SecretImportsSchema, SecretsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SECRET_IMPORTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -20,12 +19,12 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
         }
       ],
       body: z.object({
-        workspaceId: z.string().trim().describe(SECRET_IMPORTS.CREATE.workspaceId),
-        environment: z.string().trim().describe(SECRET_IMPORTS.CREATE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.CREATE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         import: z.object({
-          environment: z.string().trim().describe(SECRET_IMPORTS.CREATE.import.environment),
-          path: z.string().trim().transform(removeTrailingSlash).describe(SECRET_IMPORTS.CREATE.import.path)
+          environment: z.string().trim(),
+          path: z.string().trim().transform(removeTrailingSlash)
         })
       }),
       response: {
@@ -82,21 +81,20 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
         }
       ],
       params: z.object({
-        secretImportId: z.string().trim().describe(SECRET_IMPORTS.UPDATE.secretImportId)
+        secretImportId: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(SECRET_IMPORTS.UPDATE.workspaceId),
-        environment: z.string().trim().describe(SECRET_IMPORTS.UPDATE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.UPDATE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         import: z.object({
-          environment: z.string().trim().optional().describe(SECRET_IMPORTS.UPDATE.import.environment),
+          environment: z.string().trim().optional(),
           path: z
             .string()
             .trim()
             .optional()
-            .transform((val) => (val ? removeTrailingSlash(val) : val))
-            .describe(SECRET_IMPORTS.UPDATE.import.path),
-          position: z.number().optional().describe(SECRET_IMPORTS.UPDATE.import.position)
+            .transform((val) => (val ? removeTrailingSlash(val) : val)),
+          position: z.number().optional()
         })
       }),
       response: {
@@ -154,12 +152,12 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
         }
       ],
       params: z.object({
-        secretImportId: z.string().trim().describe(SECRET_IMPORTS.DELETE.secretImportId)
+        secretImportId: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(SECRET_IMPORTS.DELETE.workspaceId),
-        environment: z.string().trim().describe(SECRET_IMPORTS.DELETE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.DELETE.path)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({
@@ -215,9 +213,9 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
         }
       ],
       querystring: z.object({
-        workspaceId: z.string().trim().describe(SECRET_IMPORTS.LIST.workspaceId),
-        environment: z.string().trim().describe(SECRET_IMPORTS.LIST.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.LIST.path)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-tag-router.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { SecretTagsSchema } from "@app/db/schemas";
-import { SECRET_TAGS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -11,7 +10,7 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
     method: "GET",
     schema: {
       params: z.object({
-        projectId: z.string().trim().describe(SECRET_TAGS.LIST.projectId)
+        projectId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -37,12 +36,12 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     schema: {
       params: z.object({
-        projectId: z.string().trim().describe(SECRET_TAGS.CREATE.projectId)
+        projectId: z.string().trim()
       }),
       body: z.object({
-        name: z.string().trim().describe(SECRET_TAGS.CREATE.name),
-        slug: z.string().trim().describe(SECRET_TAGS.CREATE.slug),
-        color: z.string().trim().describe(SECRET_TAGS.CREATE.color)
+        name: z.string().trim(),
+        slug: z.string().trim(),
+        color: z.string()
       }),
       response: {
         200: z.object({
@@ -69,8 +68,8 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
     method: "DELETE",
     schema: {
       params: z.object({
-        projectId: z.string().trim().describe(SECRET_TAGS.DELETE.projectId),
-        tagId: z.string().trim().describe(SECRET_TAGS.DELETE.tagId)
+        projectId: z.string().trim(),
+        tagId: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v2/identity-org-router.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
-import { ORGANIZATIONS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -19,7 +18,7 @@ export const registerIdentityOrgRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        orgId: z.string().trim().describe(ORGANIZATIONS.LIST_IDENTITY_MEMBERSHIPS.orgId)
+        orgId: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v2/identity-project-router.ts

@@ -7,7 +7,6 @@ import {
   ProjectMembershipRole,
   ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
@@ -57,8 +56,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.projectId),
-        identityId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.identityId)
+        projectId: z.string().trim(),
+        identityId: z.string().trim()
       }),
       body: z.object({
         roles: z
@@ -78,7 +77,6 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
             ])
           )
           .min(1)
-          .describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.roles)
       }),
       response: {
         200: z.object({
@@ -112,8 +110,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.projectId),
-        identityId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.identityId)
+        projectId: z.string().trim(),
+        identityId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -146,7 +144,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.LIST_IDENTITY_MEMBERSHIPS.projectId)
+        projectId: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v2/organization-router.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { OrganizationsSchema, OrgMembershipsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
-import { ORGANIZATIONS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 
@@ -18,7 +17,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        organizationId: z.string().trim().describe(ORGANIZATIONS.LIST_USER_MEMBERSHIPS.organizationId)
+        organizationId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -64,7 +63,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        organizationId: z.string().trim().describe(ORGANIZATIONS.GET_PROJECTS.organizationId)
+        organizationId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -109,12 +108,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
           apiKeyAuth: []
         }
       ],
-      params: z.object({
-        organizationId: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.organizationId),
-        membershipId: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.membershipId)
-      }),
+      params: z.object({ organizationId: z.string().trim(), membershipId: z.string().trim() }),
       body: z.object({
-        role: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.role)
+        role: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -149,10 +145,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
           apiKeyAuth: []
         }
       ],
-      params: z.object({
-        organizationId: z.string().trim().describe(ORGANIZATIONS.DELETE_USER_MEMBERSHIP.organizationId),
-        membershipId: z.string().trim().describe(ORGANIZATIONS.DELETE_USER_MEMBERSHIP.membershipId)
-      }),
+      params: z.object({ organizationId: z.string().trim(), membershipId: z.string().trim() }),
       response: {
         200: z.object({
           membership: OrgMembershipsSchema

backend/src/server/routes/v2/project-membership-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { ProjectMembershipsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -12,11 +11,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
     url: "/:projectId/memberships",
     schema: {
       params: z.object({
-        projectId: z.string().describe(PROJECTS.INVITE_MEMBER.projectId)
+        projectId: z.string().describe("The ID of the project.")
       }),
       body: z.object({
-        emails: z.string().email().array().default([]).describe(PROJECTS.INVITE_MEMBER.emails),
-        usernames: z.string().array().default([]).describe(PROJECTS.INVITE_MEMBER.usernames)
+        emails: z.string().email().array().default([]).describe("Emails of the users to add to the project."),
+        usernames: z.string().array().default([]).describe("Usernames of the users to add to the project.")
       }),
       response: {
         200: z.object({
@@ -58,12 +57,12 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
     url: "/:projectId/memberships",
     schema: {
       params: z.object({
-        projectId: z.string().describe(PROJECTS.REMOVE_MEMBER.projectId)
+        projectId: z.string().describe("The ID of the project.")
       }),
 
       body: z.object({
-        emails: z.string().email().array().default([]).describe(PROJECTS.REMOVE_MEMBER.emails),
-        usernames: z.string().array().default([]).describe(PROJECTS.REMOVE_MEMBER.usernames)
+        emails: z.string().email().array().default([]).describe("Emails of the users to remove from the project."),
+        usernames: z.string().array().default([]).describe("Usernames of the users to remove from the project.")
       }),
       response: {
         200: z.object({

backend/src/server/routes/v2/project-router.ts

@@ -3,7 +3,6 @@ import { z } from "zod";
 
 import { ProjectKeysSchema, ProjectsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECTS } from "@app/lib/api-docs";
 import { authRateLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -39,7 +38,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.GET_KEY.workspaceId)
+        workspaceId: z.string().trim()
       }),
       response: {
         200: ProjectKeysSchema.merge(
@@ -141,16 +140,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       body: z.object({
-        projectName: z.string().trim().describe(PROJECTS.CREATE.projectName),
-        slug: z
-          .string()
-          .min(5)
-          .max(36)
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid slug"
-          })
+        projectName: z.string().trim().describe("Name of the project you're creating"),
+        slug: slugSchema
           .optional()
-          .describe(PROJECTS.CREATE.slug)
+          .describe("An optional slug for the project. If not provided, it will be auto-generated"),
+        organizationSlug: z.string().trim().describe("The slug of the organization to create the project in")
       }),
       response: {
         200: z.object({
@@ -165,6 +159,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
+        orgSlug: req.body.organizationSlug,
         workspaceName: req.body.projectName,
         slug: req.body.slug
       });

backend/src/server/routes/v3/secret-router.ts

@@ -10,7 +10,6 @@ import {
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CommitType } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
-import { RAW_SECRETS, SECRETS } from "@app/lib/api-docs";
 import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@@ -23,124 +22,6 @@ import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 import { secretRawSchema } from "../sanitizedSchemas";
 
 export const registerSecretRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    url: "/tags/:secretName",
-    method: "POST",
-    schema: {
-      description: "Attach tags to a secret",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        secretName: z.string().trim().describe(SECRETS.ATTACH_TAGS.secretName)
-      }),
-      body: z.object({
-        projectSlug: z.string().trim().describe(SECRETS.ATTACH_TAGS.projectSlug),
-        environment: z.string().trim().describe(SECRETS.ATTACH_TAGS.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(SECRETS.ATTACH_TAGS.secretPath),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(SECRETS.ATTACH_TAGS.type),
-        tagSlugs: z.string().array().min(1).describe(SECRETS.ATTACH_TAGS.tagSlugs)
-      }),
-      response: {
-        200: z.object({
-          secret: SecretsSchema.omit({ secretBlindIndex: true }).merge(
-            z.object({
-              tags: SecretTagsSchema.pick({
-                id: true,
-                slug: true,
-                name: true,
-                color: true
-              }).array()
-            })
-          )
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const secret = await server.services.secret.attachTags({
-        secretName: req.params.secretName,
-        tagSlugs: req.body.tagSlugs,
-        path: req.body.secretPath,
-        environment: req.body.environment,
-        type: req.body.type,
-        projectSlug: req.body.projectSlug,
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      return { secret };
-    }
-  });
-
-  server.route({
-    url: "/tags/:secretName",
-    method: "DELETE",
-    schema: {
-      description: "Detach tags from a secret",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        secretName: z.string().trim().describe(SECRETS.DETACH_TAGS.secretName)
-      }),
-      body: z.object({
-        projectSlug: z.string().trim().describe(SECRETS.DETACH_TAGS.projectSlug),
-        environment: z.string().trim().describe(SECRETS.DETACH_TAGS.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(SECRETS.DETACH_TAGS.secretPath),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(SECRETS.DETACH_TAGS.type),
-        tagSlugs: z.string().array().min(1).describe(SECRETS.DETACH_TAGS.tagSlugs)
-      }),
-      response: {
-        200: z.object({
-          secret: SecretsSchema.omit({ secretBlindIndex: true }).merge(
-            z.object({
-              tags: SecretTagsSchema.pick({
-                id: true,
-                slug: true,
-                name: true,
-                color: true
-              }).array()
-            })
-          )
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const secret = await server.services.secret.detachTags({
-        secretName: req.params.secretName,
-        tagSlugs: req.body.tagSlugs,
-        path: req.body.secretPath,
-        environment: req.body.environment,
-        type: req.body.type,
-        projectSlug: req.body.projectSlug,
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      return { secret };
-    }
-  });
-
   server.route({
     url: "/raw",
     method: "GET",
@@ -153,15 +34,20 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       querystring: z.object({
-        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.LIST.workspaceId),
-        workspaceSlug: z.string().trim().optional().describe(RAW_SECRETS.LIST.workspaceSlug),
-        environment: z.string().trim().optional().describe(RAW_SECRETS.LIST.environment),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.LIST.secretPath),
+        workspaceId: z.string().trim().optional(),
+        workspaceSlug: z
+          .string()
+          .trim()
+          .optional()
+          .describe(
+            "The slug of the workspace. This is only supported when authenticating Machine Identity's. Either the project ID or project slug has to be present in the request."
+          ),
+        environment: z.string().trim().optional(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
         include_imports: z
           .enum(["true", "false"])
           .default("false")
           .transform((value) => value === "true")
-          .describe(RAW_SECRETS.LIST.includeImports)
       }),
       response: {
         200: z.object({
@@ -262,19 +148,18 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.GET.secretName)
+        secretName: z.string().trim()
       }),
       querystring: z.object({
-        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceId),
-        environment: z.string().trim().optional().describe(RAW_SECRETS.GET.environment),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
-        version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.GET.type),
+        workspaceId: z.string().trim().optional(),
+        environment: z.string().trim().optional(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        version: z.coerce.number().optional(),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared),
         include_imports: z
           .enum(["true", "false"])
           .default("false")
           .transform((value) => value === "true")
-          .describe(RAW_SECRETS.GET.includeImports)
       }),
       response: {
         200: z.object({
@@ -354,24 +239,16 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.CREATE.secretName)
+        secretName: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.CREATE.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.CREATE.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.CREATE.secretPath),
-        secretValue: z
-          .string()
-          .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
-          .describe(RAW_SECRETS.CREATE.secretValue),
-        secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
-        skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.CREATE.type)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
+        secretComment: z.string().trim().optional().default(""),
+        skipMultilineEncoding: z.boolean().optional(),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared)
       }),
       response: {
         200: z.object({
@@ -440,23 +317,15 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName)
+        secretName: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.UPDATE.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.UPDATE.environment),
-        secretValue: z
-          .string()
-          .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
-          .describe(RAW_SECRETS.UPDATE.secretValue),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.UPDATE.secretPath),
-        skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.UPDATE.skipMultilineEncoding),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.UPDATE.type)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        skipMultilineEncoding: z.boolean().optional(),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared)
       }),
       response: {
         200: z.object({
@@ -523,18 +392,13 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.DELETE.secretName)
+        secretName: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.DELETE.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.DELETE.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.DELETE.secretPath),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.DELETE.type)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared)
       }),
       response: {
         200: z.object({

backend/src/services/integration-auth/integration-app-list.ts

@@ -260,44 +260,20 @@ const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
  * Return list of services for Render integration
  */
 const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
-  const apps: Array<{ name: string; appId: string }> = [];
-  let hasMorePages = true;
-  const perPage = 100;
-  let cursor;
+  const res = (
+    await request.get<{ service: { name: string; id: string } }[]>(`${IntegrationUrls.RENDER_API_URL}/v1/services`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json",
+        "Accept-Encoding": "application/json"
+      }
+    })
+  ).data;
 
-  interface RenderService {
-    cursor: string;
-    service: { name: string; id: string };
-  }
-
-  while (hasMorePages) {
-    const res: RenderService[] = (
-      await request.get<RenderService[]>(`${IntegrationUrls.RENDER_API_URL}/v1/services`, {
-        params: new URLSearchParams({
-          ...(cursor ? { cursor: String(cursor) } : {}),
-          limit: String(perPage)
-        }),
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          Accept: "application/json",
-          "Accept-Encoding": "application/json"
-        }
-      })
-    ).data;
-
-    res.forEach((a) => {
-      apps.push({
-        name: a.service.name,
-        appId: a.service.id
-      });
-    });
-
-    if (res.length < perPage) {
-      hasMorePages = false;
-    } else {
-      cursor = res[res.length - 1].cursor;
-    }
-  }
+  const apps = res.map((a) => ({
+    name: a.service.name,
+    appId: a.service.id
+  }));
 
   return apps;
 };

backend/src/services/integration-auth/integration-auth-service.ts

@@ -1,5 +1,4 @@
 import { ForbiddenError } from "@casl/ability";
-import { Octokit } from "@octokit/rest";
 
 import { SecretEncryptionAlgo, SecretKeyEncoding, TIntegrationAuths, TIntegrationAuthsInsert } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@@ -25,8 +24,6 @@ import {
   TIntegrationAuthAppsDTO,
   TIntegrationAuthBitbucketWorkspaceDTO,
   TIntegrationAuthChecklyGroupsDTO,
-  TIntegrationAuthGithubEnvsDTO,
-  TIntegrationAuthGithubOrgsDTO,
   TIntegrationAuthHerokuPipelinesDTO,
   TIntegrationAuthNorthflankSecretGroupDTO,
   TIntegrationAuthQoveryEnvironmentsDTO,
@@ -438,75 +435,6 @@ export const integrationAuthServiceFactory = ({
     return [];
   };
 
-  const getGithubOrgs = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TIntegrationAuthGithubOrgsDTO) => {
-    const integrationAuth = await integrationAuthDAL.findById(id);
-    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      integrationAuth.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
-    const botKey = await projectBotService.getBotKey(integrationAuth.projectId);
-    const { accessToken } = await getIntegrationAccessToken(integrationAuth, botKey);
-
-    const octokit = new Octokit({
-      auth: accessToken
-    });
-
-    const { data } = await octokit.request("GET /user/orgs", {
-      headers: {
-        "X-GitHub-Api-Version": "2022-11-28"
-      }
-    });
-    if (!data) return [];
-
-    return data.map(({ login: name, id: orgId }) => ({ name, orgId: String(orgId) }));
-  };
-
-  const getGithubEnvs = async ({
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    id,
-    repoOwner,
-    repoName
-  }: TIntegrationAuthGithubEnvsDTO) => {
-    const integrationAuth = await integrationAuthDAL.findById(id);
-    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      integrationAuth.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
-    const botKey = await projectBotService.getBotKey(integrationAuth.projectId);
-    const { accessToken } = await getIntegrationAccessToken(integrationAuth, botKey);
-
-    const octokit = new Octokit({
-      auth: accessToken
-    });
-
-    const {
-      data: { environments }
-    } = await octokit.request("GET /repos/{owner}/{repo}/environments", {
-      headers: {
-        "X-GitHub-Api-Version": "2022-11-28"
-      },
-      owner: repoOwner,
-      repo: repoName
-    });
-    if (!environments) return [];
-    return environments.map(({ id: envId, name }) => ({ name, envId: String(envId) }));
-  };
-
   const getQoveryOrgs = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TIntegrationAuthQoveryOrgsDTO) => {
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });
@@ -1133,8 +1061,6 @@ export const integrationAuthServiceFactory = ({
     getIntegrationApps,
     getVercelBranches,
     getApps,
-    getGithubOrgs,
-    getGithubEnvs,
     getChecklyGroups,
     getQoveryApps,
     getQoveryEnvs,

backend/src/services/integration-auth/integration-auth-types.ts

@@ -44,16 +44,6 @@ export type TIntegrationAuthChecklyGroupsDTO = {
   accountId: string;
 } & Omit<TProjectPermission, "projectId">;
 
-export type TIntegrationAuthGithubOrgsDTO = {
-  id: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TIntegrationAuthGithubEnvsDTO = {
-  id: string;
-  repoName: string;
-  repoOwner: string;
-} & Omit<TProjectPermission, "projectId">;
-
 export type TIntegrationAuthQoveryOrgsDTO = {
   id: string;
 } & Omit<TProjectPermission, "projectId">;

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -459,7 +459,7 @@ const syncSecretsAWSParameterStore = async ({
 
   const params = {
     Path: integration.path as string,
-    Recursive: false,
+    Recursive: true,
     WithDecryption: true
   };
 
@@ -1110,176 +1110,98 @@ const syncSecretsGitHub = async ({
   interface GitHubRepoKey {
     key_id: string;
     key: string;
-    id?: number | undefined;
-    url?: string | undefined;
-    title?: string | undefined;
-    created_at?: string | undefined;
   }
 
   interface GitHubSecret {
     name: string;
     created_at: string;
     updated_at: string;
-    visibility?: "all" | "private" | "selected";
-    selected_repositories_url?: string | undefined;
+  }
+
+  interface GitHubSecretRes {
+    [index: string]: GitHubSecret;
   }
 
   const octokit = new Octokit({
     auth: accessToken
   });
 
-  enum GithubScope {
-    Repo = "github-repo",
-    Org = "github-org",
-    Env = "github-env"
-  }
-
-  let repoPublicKey: GitHubRepoKey;
-
-  switch (integration.scope) {
-    case GithubScope.Org: {
-      const { data } = await octokit.request("GET /orgs/{org}/actions/secrets/public-key", {
-        org: integration.owner as string
-      });
-      repoPublicKey = data;
-      break;
-    }
-    case GithubScope.Env: {
-      const { data } = await octokit.request(
-        "GET /repositories/{repository_id}/environments/{environment_name}/secrets/public-key",
-        {
-          repository_id: Number(integration.appId),
-          environment_name: integration.targetEnvironmentId as string
-        }
-      );
-      repoPublicKey = data;
-      break;
-    }
-    default: {
-      const { data } = await octokit.request("GET /repos/{owner}/{repo}/actions/secrets/public-key", {
-        owner: integration.owner as string,
-        repo: integration.app as string
-      });
-      repoPublicKey = data;
-      break;
-    }
-  }
+  // const user = (await octokit.request('GET /user', {})).data;
+  const repoPublicKey: GitHubRepoKey = (
+    await octokit.request("GET /repos/{owner}/{repo}/actions/secrets/public-key", {
+      owner: integration.owner as string,
+      repo: integration.app as string
+    })
+  ).data;
 
   // Get local copy of decrypted secrets. We cannot decrypt them as we dont have access to GH private key
-  let encryptedSecrets: GitHubSecret[];
+  let encryptedSecrets: GitHubSecretRes = (
+    await octokit.request("GET /repos/{owner}/{repo}/actions/secrets", {
+      owner: integration.owner as string,
+      repo: integration.app as string
+    })
+  ).data.secrets.reduce(
+    (obj, secret) => ({
+      ...obj,
+      [secret.name]: secret
+    }),
+    {}
+  );
 
-  switch (integration.scope) {
-    case GithubScope.Org: {
-      encryptedSecrets = (
-        await octokit.request("GET /orgs/{org}/actions/secrets", {
-          org: integration.owner as string
-        })
-      ).data.secrets;
-      break;
-    }
-    case GithubScope.Env: {
-      encryptedSecrets = (
-        await octokit.request("GET /repositories/{repository_id}/environments/{environment_name}/secrets", {
-          repository_id: Number(integration.appId),
-          environment_name: integration.targetEnvironmentId as string
-        })
-      ).data.secrets;
-      break;
-    }
-    default: {
-      encryptedSecrets = (
-        await octokit.request("GET /repos/{owner}/{repo}/actions/secrets", {
+  encryptedSecrets = Object.keys(encryptedSecrets).reduce(
+    (
+      result: {
+        [key: string]: GitHubSecret;
+      },
+      key
+    ) => {
+      if (
+        (appendices?.prefix !== undefined ? key.startsWith(appendices?.prefix) : true) &&
+        (appendices?.suffix !== undefined ? key.endsWith(appendices?.suffix) : true)
+      ) {
+        result[key] = encryptedSecrets[key];
+      }
+      return result;
+    },
+    {}
+  );
+
+  await Promise.all(
+    Object.keys(encryptedSecrets).map(async (key) => {
+      if (!(key in secrets)) {
+        return octokit.request("DELETE /repos/{owner}/{repo}/actions/secrets/{secret_name}", {
           owner: integration.owner as string,
-          repo: integration.app as string
-        })
-      ).data.secrets;
-      break;
-    }
-  }
-
-  for await (const encryptedSecret of encryptedSecrets) {
-    if (
-      !(encryptedSecret.name in secrets) &&
-      !(appendices?.prefix !== undefined && !encryptedSecret.name.startsWith(appendices?.prefix)) &&
-      !(appendices?.suffix !== undefined && !encryptedSecret.name.endsWith(appendices?.suffix))
-    ) {
-      switch (integration.scope) {
-        case GithubScope.Org: {
-          await octokit.request("DELETE /orgs/{org}/actions/secrets/{secret_name}", {
-            org: integration.owner as string,
-            secret_name: encryptedSecret.name
-          });
-          break;
-        }
-        case GithubScope.Env: {
-          await octokit.request(
-            "DELETE /repositories/{repository_id}/environments/{environment_name}/secrets/{secret_name}",
-            {
-              repository_id: Number(integration.appId),
-              environment_name: integration.targetEnvironmentId as string,
-              secret_name: encryptedSecret.name
-            }
-          );
-          break;
-        }
-        default: {
-          await octokit.request("DELETE /repos/{owner}/{repo}/actions/secrets/{secret_name}", {
-            owner: integration.owner as string,
-            repo: integration.app as string,
-            secret_name: encryptedSecret.name
-          });
-          break;
-        }
+          repo: integration.app as string,
+          secret_name: key
+        });
       }
-    }
-  }
+    })
+  );
 
-  await sodium.ready.then(async () => {
-    for await (const key of Object.keys(secrets)) {
-      // convert secret & base64 key to Uint8Array.
-      const binkey = sodium.from_base64(repoPublicKey.key, sodium.base64_variants.ORIGINAL);
-      const binsec = sodium.from_string(secrets[key].value);
+  await Promise.all(
+    Object.keys(secrets).map((key) => {
+      // let encryptedSecret;
+      return sodium.ready.then(async () => {
+        // convert secret & base64 key to Uint8Array.
+        const binkey = sodium.from_base64(repoPublicKey.key, sodium.base64_variants.ORIGINAL);
+        const binsec = sodium.from_string(secrets[key].value);
 
-      // encrypt secret using libsodium
-      const encBytes = sodium.crypto_box_seal(binsec, binkey);
+        // encrypt secret using libsodium
+        const encBytes = sodium.crypto_box_seal(binsec, binkey);
 
-      // convert encrypted Uint8Array to base64
-      const encryptedSecret = sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
+        // convert encrypted Uint8Array to base64
+        const encryptedSecret = sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
 
-      switch (integration.scope) {
-        case GithubScope.Org:
-          await octokit.request("PUT /orgs/{org}/actions/secrets/{secret_name}", {
-            org: integration.owner as string,
-            secret_name: key,
-            visibility: "all",
-            encrypted_value: encryptedSecret,
-            key_id: repoPublicKey.key_id
-          });
-          break;
-        case GithubScope.Env:
-          await octokit.request(
-            "PUT /repositories/{repository_id}/environments/{environment_name}/secrets/{secret_name}",
-            {
-              repository_id: Number(integration.appId),
-              environment_name: integration.targetEnvironmentId as string,
-              secret_name: key,
-              encrypted_value: encryptedSecret,
-              key_id: repoPublicKey.key_id
-            }
-          );
-          break;
-        default:
-          await octokit.request("PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}", {
-            owner: integration.owner as string,
-            repo: integration.app as string,
-            secret_name: key,
-            encrypted_value: encryptedSecret,
-            key_id: repoPublicKey.key_id
-          });
-          break;
-      }
-    }
-  });
+        await octokit.request("PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}", {
+          owner: integration.owner as string,
+          repo: integration.app as string,
+          secret_name: key,
+          encrypted_value: encryptedSecret,
+          key_id: repoPublicKey.key_id
+        });
+      });
+    })
+  );
 };
 
 /**
@@ -1307,22 +1229,6 @@ const syncSecretsRender = async ({
       }
     }
   );
-
-  if (integration.metadata) {
-    const metadata = z.record(z.any()).parse(integration.metadata);
-    if (metadata.shouldAutoRedeploy === true) {
-      await request.post(
-        `${IntegrationUrls.RENDER_API_URL}/v1/services/${integration.appId}/deploys`,
-        {},
-        {
-          headers: {
-            Authorization: `Bearer ${accessToken}`,
-            "Accept-Encoding": "application/json"
-          }
-        }
-      );
-    }
-  }
 };
 
 /**

backend/src/services/project-membership/project-membership-service.ts

@@ -328,7 +328,7 @@ export const projectMembershipServiceFactory = ({
     );
     const hasCustomRole = Boolean(customInputRoles.length);
     if (hasCustomRole) {
-      const plan = await licenseService.getPlan(actorOrgId);
+      const plan = await licenseService.getPlan(actorOrgId as string);
       if (!plan?.rbac)
         throw new BadRequestError({
           message: "Failed to assign custom role due to RBAC restriction. Upgrade plan to assign custom role to member."

backend/src/services/project/project-dal.ts

@@ -168,12 +168,8 @@ export const projectDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findProjectBySlug = async (slug: string, orgId: string | undefined) => {
+  const findProjectBySlug = async (slug: string, orgId: string) => {
     try {
-      if (!orgId) {
-        throw new BadRequestError({ message: "Organization ID is required when querying with slugs" });
-      }
-
       const projects = await db(TableName.ProjectMembership)
         .where(`${TableName.Project}.slug`, slug)
         .where(`${TableName.Project}.orgId`, orgId)

backend/src/services/project/project-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 
-import { OrgMembershipRole, ProjectMembershipRole, ProjectVersion } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectVersion } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@@ -92,6 +92,7 @@ export const projectServiceFactory = ({
    * Create workspace. Make user the admin
    * */
   const createProject = async ({
+    orgSlug,
     actor,
     actorId,
     actorOrgId,
@@ -99,7 +100,13 @@ export const projectServiceFactory = ({
     workspaceName,
     slug: projectSlug
   }: TCreateProjectDTO) => {
-    const organization = await orgDAL.findOne({ id: actorOrgId });
+    if (!orgSlug) {
+      throw new BadRequestError({
+        message: "Must provide organization slug to create project"
+      });
+    }
+
+    const organization = await orgDAL.findOne({ slug: orgSlug });
 
     const { permission, membership: orgMembership } = await permissionService.getOrgPermission(
       actor,
@@ -284,11 +291,10 @@ export const projectServiceFactory = ({
 
         // Get the role permission for the identity
         const { permission: rolePermission, role: customRole } = await permissionService.getOrgPermissionByRole(
-          OrgMembershipRole.Member,
+          ProjectMembershipRole.Admin,
           organization.id
         );
 
-        // Identity has to be at least a member in order to create projects
         const hasPrivilege = isAtLeastAsPrivileged(permission, rolePermission);
         if (!hasPrivilege)
           throw new ForbiddenRequestError({

backend/src/services/project/project-types.ts

@@ -24,6 +24,7 @@ export type TCreateProjectDTO = {
   actorAuthMethod: ActorAuthMethod;
   actorId: string;
   actorOrgId?: string;
+  orgSlug: string;
   workspaceName: string;
   slug?: string;
 };

backend/src/services/secret-folder/secret-folder-service.ts

@@ -232,7 +232,6 @@ export const secretFolderServiceFactory = ({
     if (!parentFolder) return [];
 
     const folders = await folderDAL.find({ envId: env.id, parentId: parentFolder.id });
-
     return folders;
   };
 

backend/src/services/secret/secret-dal.ts

@@ -150,27 +150,6 @@ export const secretDALFactory = (db: TDbClient) => {
     }
   };
 
-  const getSecretTags = async (secretId: string, tx?: Knex) => {
-    try {
-      const tags = await (tx || db)(TableName.JnSecretTag)
-        .join(TableName.SecretTag, `${TableName.JnSecretTag}.${TableName.SecretTag}Id`, `${TableName.SecretTag}.id`)
-        .where({ [`${TableName.Secret}Id` as const]: secretId })
-        .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
-        .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
-        .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"))
-        .select(db.ref("name").withSchema(TableName.SecretTag).as("tagName"));
-
-      return tags.map((el) => ({
-        id: el.tagId,
-        color: el.tagColor,
-        slug: el.tagSlug,
-        name: el.tagName
-      }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "get secret tags" });
-    }
-  };
-
   const findByBlindIndexes = async (
     folderId: string,
     blindIndexes: Array<{ blindIndex: string; type: SecretType }>,
@@ -205,7 +184,6 @@ export const secretDALFactory = (db: TDbClient) => {
     bulkUpdate,
     deleteMany,
     bulkUpdateNoVersionIncrement,
-    getSecretTags,
     findByFolderId,
     findByBlindIndexes
   };

backend/src/services/secret/secret-queue.ts

@@ -229,6 +229,7 @@ export const secretQueueFactory = ({
 
   const getIntegrationSecrets = async (dto: TGetSecrets & { folderId: string }, key: string) => {
     const secrets = await secretDAL.findByFolderId(dto.folderId);
+    if (!secrets.length) return {};
 
     // get imported secrets
     const secretImport = await secretImportDAL.find({ folderId: dto.folderId });
@@ -237,9 +238,6 @@ export const secretQueueFactory = ({
       secretDAL,
       folderDAL
     });
-
-    if (!secrets.length && !importedSecrets.length) return {};
-
     const content: Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }> = {};
 
     importedSecrets.forEach(({ secrets: secs }) => {

backend/src/services/secret/secret-service.ts

@@ -22,7 +22,6 @@ import { TSecretDALFactory } from "./secret-dal";
 import { decryptSecretRaw, fnSecretBlindIndexCheck, fnSecretBulkInsert, fnSecretBulkUpdate } from "./secret-fns";
 import { TSecretQueueFactory } from "./secret-queue";
 import {
-  TAttachSecretTagsDTO,
   TCreateBulkSecretDTO,
   TCreateSecretDTO,
   TCreateSecretRawDTO,
@@ -48,7 +47,7 @@ type TSecretServiceFactoryDep = {
   secretTagDAL: TSecretTagDALFactory;
   secretVersionDAL: TSecretVersionDALFactory;
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "updateById" | "findById" | "findByManySecretPath">;
-  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus" | "findProjectBySlug">;
+  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
   secretBlindIndexDAL: TSecretBlindIndexDALFactory;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
@@ -308,7 +307,6 @@ export const secretServiceFactory = ({
     if ((inputSecret.tags || []).length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
 
     const { secretName, ...el } = inputSecret;
-
     const updatedSecret = await secretDAL.transaction(async (tx) =>
       fnSecretBulkUpdate({
         folderId,
@@ -444,7 +442,6 @@ export const secretServiceFactory = ({
     const folderId = folder.id;
 
     const secrets = await secretDAL.findByFolderId(folderId, actorId);
-
     if (includeImports) {
       const secretImports = await secretImportDAL.find({ folderId });
       const allowedImports = secretImports.filter(({ importEnv, importPath }) =>
@@ -997,209 +994,7 @@ export const secretServiceFactory = ({
     return secretVersions;
   };
 
-  const attachTags = async ({
-    secretName,
-    tagSlugs,
-    path: secretPath,
-    environment,
-    type,
-    projectSlug,
-    actor,
-    actorAuthMethod,
-    actorOrgId,
-    actorId
-  }: TAttachSecretTagsDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
-    );
-
-    await projectDAL.checkProjectUpgradeStatus(project.id);
-
-    const secret = await getSecretByName({
-      actorId,
-      actor,
-      actorOrgId,
-      actorAuthMethod,
-      projectId: project.id,
-      environment,
-      path: secretPath,
-      secretName,
-      type
-    });
-
-    if (!secret) {
-      throw new BadRequestError({ message: "Secret not found" });
-    }
-    const folder = await folderDAL.findBySecretPath(project.id, environment, secretPath);
-
-    if (!folder) {
-      throw new BadRequestError({ message: "Folder not found" });
-    }
-
-    const tags = await secretTagDAL.find({
-      projectId: project.id,
-      $in: {
-        slug: tagSlugs
-      }
-    });
-
-    if (tags.length !== tagSlugs.length) {
-      throw new BadRequestError({ message: "One or more tags not found." });
-    }
-
-    const existingSecretTags = await secretDAL.getSecretTags(secret.id);
-
-    if (existingSecretTags.some((tag) => tagSlugs.includes(tag.slug))) {
-      throw new BadRequestError({ message: "One or more tags already exist on the secret" });
-    }
-
-    const combinedTags = new Set([...existingSecretTags.map((tag) => tag.id), ...tags.map((el) => el.id)]);
-
-    const updatedSecret = await secretDAL.transaction(async (tx) =>
-      fnSecretBulkUpdate({
-        folderId: folder.id,
-        projectId: project.id,
-        inputSecrets: [
-          {
-            filter: { id: secret.id },
-            data: {
-              tags: Array.from(combinedTags)
-            }
-          }
-        ],
-        secretDAL,
-        secretVersionDAL,
-        secretTagDAL,
-        secretVersionTagDAL,
-        tx
-      })
-    );
-
-    await snapshotService.performSnapshot(folder.id);
-    await secretQueueService.syncSecrets({ secretPath, projectId: project.id, environment });
-
-    return {
-      ...updatedSecret[0],
-      tags: [...existingSecretTags, ...tags].map((t) => ({ id: t.id, slug: t.slug, name: t.name, color: t.color }))
-    };
-  };
-
-  const detachTags = async ({
-    secretName,
-    tagSlugs,
-    path: secretPath,
-    environment,
-    type,
-    projectSlug,
-    actor,
-    actorAuthMethod,
-    actorOrgId,
-    actorId
-  }: TAttachSecretTagsDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
-    );
-
-    await projectDAL.checkProjectUpgradeStatus(project.id);
-
-    const secret = await getSecretByName({
-      actorId,
-      actor,
-      actorOrgId,
-      actorAuthMethod,
-      projectId: project.id,
-      environment,
-      path: secretPath,
-      secretName,
-      type
-    });
-
-    if (!secret) {
-      throw new BadRequestError({ message: "Secret not found" });
-    }
-    const folder = await folderDAL.findBySecretPath(project.id, environment, secretPath);
-
-    if (!folder) {
-      throw new BadRequestError({ message: "Folder not found" });
-    }
-
-    const tags = await secretTagDAL.find({
-      projectId: project.id,
-      $in: {
-        slug: tagSlugs
-      }
-    });
-
-    if (tags.length !== tagSlugs.length) {
-      throw new BadRequestError({ message: "One or more tags not found." });
-    }
-
-    const existingSecretTags = await secretDAL.getSecretTags(secret.id);
-
-    // Make sure all the tags exist on the secret
-    const tagIdsToRemove = tags.map((tag) => tag.id);
-    const secretTagIds = existingSecretTags.map((tag) => tag.id);
-
-    if (!tagIdsToRemove.every((el) => secretTagIds.includes(el))) {
-      throw new BadRequestError({ message: "One or more tags not found on the secret" });
-    }
-
-    const newTags = existingSecretTags.filter((tag) => !tagIdsToRemove.includes(tag.id));
-
-    const updatedSecret = await secretDAL.transaction(async (tx) =>
-      fnSecretBulkUpdate({
-        folderId: folder.id,
-        projectId: project.id,
-        inputSecrets: [
-          {
-            filter: { id: secret.id },
-            data: {
-              tags: newTags.map((tag) => tag.id)
-            }
-          }
-        ],
-        secretDAL,
-        secretVersionDAL,
-        secretTagDAL,
-        secretVersionTagDAL,
-        tx
-      })
-    );
-
-    await snapshotService.performSnapshot(folder.id);
-    await secretQueueService.syncSecrets({ secretPath, projectId: project.id, environment });
-
-    return {
-      ...updatedSecret[0],
-      tags: newTags
-    };
-  };
-
   return {
-    attachTags,
-    detachTags,
     createSecret,
     deleteSecret,
     updateSecret,

backend/src/services/secret/secret-types.ts

@@ -206,15 +206,6 @@ export type TFnSecretBulkUpdate = {
   tx?: Knex;
 };
 
-export type TAttachSecretTagsDTO = {
-  projectSlug: string;
-  secretName: string;
-  tagSlugs: string[];
-  environment: string;
-  path: string;
-  type: SecretType;
-} & Omit<TProjectPermission, "projectId">;
-
 export type TFnSecretBulkDelete = {
   folderId: string;
   projectId: string;

backend/tsup.config.js

@@ -23,8 +23,7 @@ export default defineConfig({
   loader: {
     ".handlebars": "copy",
     ".md": "copy",
-    ".txt": "copy",
-    ".pem": "copy"
+    ".txt": "copy"
   },
   external: ["../../../frontend/node_modules/next/dist/server/next-server.js"],
   outDir: "dist",

cli/.gitignore

@@ -1,3 +1,2 @@
 .infisical.json
 dist/
-agent-config.test.yaml

cli/packages/api/api.go

@@ -406,14 +406,14 @@ func CallDeleteSecretsV3(httpClient *resty.Client, request DeleteSecretV3Request
 	return nil
 }
 
-func CallUpdateSecretsV3(httpClient *resty.Client, request UpdateSecretByNameV3Request, secretName string) error {
+func CallUpdateSecretsV3(httpClient *resty.Client, request UpdateSecretByNameV3Request) error {
 	var secretsResponse GetEncryptedSecretsV3Response
 	response, err := httpClient.
 		R().
 		SetResult(&secretsResponse).
 		SetHeader("User-Agent", USER_AGENT).
 		SetBody(request).
-		Patch(fmt.Sprintf("%v/v3/secrets/%s", config.INFISICAL_URL, secretName))
+		Patch(fmt.Sprintf("%v/v3/secrets/%s", config.INFISICAL_URL, request.SecretName))
 
 	if err != nil {
 		return fmt.Errorf("CallUpdateSecretsV3: Unable to complete api request [err=%s]", err)
@@ -535,23 +535,3 @@ func CallGetRawSecretsV3(httpClient *resty.Client, request GetRawSecretsV3Reques
 
 	return getRawSecretsV3Response, nil
 }
-
-func CallCreateDynamicSecretLeaseV1(httpClient *resty.Client, request CreateDynamicSecretLeaseV1Request) (CreateDynamicSecretLeaseV1Response, error) {
-	var createDynamicSecretLeaseResponse CreateDynamicSecretLeaseV1Response
-	response, err := httpClient.
-		R().
-		SetResult(&createDynamicSecretLeaseResponse).
-		SetHeader("User-Agent", USER_AGENT).
-		SetBody(request).
-		Post(fmt.Sprintf("%v/v1/dynamic-secrets/leases", config.INFISICAL_URL))
-
-	if err != nil {
-		return CreateDynamicSecretLeaseV1Response{}, fmt.Errorf("CreateDynamicSecretLeaseV1: Unable to complete api request [err=%w]", err)
-	}
-
-	if response.IsError() {
-		return CreateDynamicSecretLeaseV1Response{}, fmt.Errorf("CreateDynamicSecretLeaseV1: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
-	}
-
-	return createDynamicSecretLeaseResponse, nil
-}

cli/packages/api/model.go

@@ -401,6 +401,7 @@ type DeleteSecretV3Request struct {
 }
 
 type UpdateSecretByNameV3Request struct {
+	SecretName            string `json:"secretName"`
 	WorkspaceID           string `json:"workspaceId"`
 	Environment           string `json:"environment"`
 	Type                  string `json:"type"`
@@ -500,28 +501,6 @@ type UniversalAuthRefreshResponse struct {
 	AccessTokenMaxTTL int    `json:"accessTokenMaxTTL"`
 }
 
-type CreateDynamicSecretLeaseV1Request struct {
-	Environment string `json:"environment"`
-	ProjectSlug string `json:"projectSlug"`
-	SecretPath  string `json:"secretPath,omitempty"`
-	Slug        string `json:"slug"`
-	TTL         string `json:"ttl,omitempty"`
-}
-
-type CreateDynamicSecretLeaseV1Response struct {
-	Lease struct {
-		Id       string `json:"id"`
-		ExpireAt time.Time `json:"expireAt"`
-	} `json:"lease"`
-	DynamicSecret struct {
-		Id         string `json:"id"`
-		DefaultTTL string `json:"defaultTTL"`
-		MaxTTL     string `json:"maxTTL"`
-		Type       string `json:"type"`
-	} `json:"dynamicSecret"`
-	Data map[string]interface{} `json:"data"`
-}
-
 type GetRawSecretsV3Request struct {
 	Environment   string `json:"environment"`
 	WorkspaceId   string `json:"workspaceId"`

cli/packages/cmd/agent.go

@@ -14,7 +14,6 @@ import (
 	"os/signal"
 	"path"
 	"runtime"
-	"slices"
 	"strings"
 	"sync"
 	"syscall"
@@ -34,9 +33,6 @@ import (
 
 const DEFAULT_INFISICAL_CLOUD_URL = "https://app.infisical.com"
 
-// duration to reduce from expiry of dynamic leases so that it gets triggered before expiry
-const DYNAMIC_SECRET_PRUNE_EXPIRE_BUFFER = -15
-
 type Config struct {
 	Infisical InfisicalConfig `yaml:"infisical"`
 	Auth      AuthConfig      `yaml:"auth"`
@@ -88,115 +84,6 @@ type Template struct {
 	} `yaml:"config"`
 }
 
-func newAgentTemplateChannels(templates []Template) map[string]chan bool {
-	// we keep each destination as an identifier for various channel
-	templateChannel := make(map[string]chan bool)
-	for _, template := range templates {
-		templateChannel[template.DestinationPath] = make(chan bool)
-	}
-	return templateChannel
-}
-
-type DynamicSecretLease struct {
-	LeaseID     string
-	ExpireAt    time.Time
-	Environment string
-	SecretPath  string
-	Slug        string
-	ProjectSlug string
-	Data        map[string]interface{}
-	TemplateIDs []int
-}
-
-type DynamicSecretLeaseManager struct {
-	leases []DynamicSecretLease
-	mutex  sync.Mutex
-}
-
-func (d *DynamicSecretLeaseManager) Prune() {
-	d.mutex.Lock()
-	defer d.mutex.Unlock()
-
-	d.leases = slices.DeleteFunc(d.leases, func(s DynamicSecretLease) bool {
-		return time.Now().After(s.ExpireAt.Add(DYNAMIC_SECRET_PRUNE_EXPIRE_BUFFER * time.Second))
-	})
-}
-
-func (d *DynamicSecretLeaseManager) Append(lease DynamicSecretLease) {
-	d.mutex.Lock()
-	defer d.mutex.Unlock()
-
-	index := slices.IndexFunc(d.leases, func(s DynamicSecretLease) bool {
-		if lease.SecretPath == s.SecretPath && lease.Environment == s.Environment && lease.ProjectSlug == s.ProjectSlug && lease.Slug == s.Slug {
-			return true
-		}
-		return false
-	})
-
-	if index != -1 {
-		d.leases[index].TemplateIDs = append(d.leases[index].TemplateIDs, lease.TemplateIDs...)
-		return
-	}
-	d.leases = append(d.leases, lease)
-}
-
-func (d *DynamicSecretLeaseManager) RegisterTemplate(projectSlug, environment, secretPath, slug string, templateId int) {
-	d.mutex.Lock()
-	defer d.mutex.Unlock()
-
-	index := slices.IndexFunc(d.leases, func(lease DynamicSecretLease) bool {
-		if lease.SecretPath == secretPath && lease.Environment == environment && lease.ProjectSlug == projectSlug && lease.Slug == slug {
-			return true
-		}
-		return false
-	})
-
-	if index != -1 {
-		d.leases[index].TemplateIDs = append(d.leases[index].TemplateIDs, templateId)
-	}
-}
-
-func (d *DynamicSecretLeaseManager) GetLease(projectSlug, environment, secretPath, slug string) *DynamicSecretLease {
-	d.mutex.Lock()
-	defer d.mutex.Unlock()
-
-	for _, lease := range d.leases {
-		if lease.SecretPath == secretPath && lease.Environment == environment && lease.ProjectSlug == projectSlug && lease.Slug == slug {
-			return &lease
-		}
-	}
-
-	return nil
-}
-
-// for a given template find the first expiring lease
-// The bool indicates whether it contains valid expiry list
-func (d *DynamicSecretLeaseManager) GetFirstExpiringLeaseTime(templateId int) (time.Time, bool) {
-	d.mutex.Lock()
-	defer d.mutex.Unlock()
-
-	if len(d.leases) == 0 {
-		return time.Time{}, false
-	}
-
-	var firstExpiry time.Time
-	for i, el := range d.leases {
-		if i == 0 {
-			firstExpiry = el.ExpireAt
-		}
-		newLeaseTime := el.ExpireAt.Add(DYNAMIC_SECRET_PRUNE_EXPIRE_BUFFER * time.Second)
-		if newLeaseTime.Before(firstExpiry) {
-			firstExpiry = newLeaseTime
-		}
-	}
-	return firstExpiry, true
-}
-
-func NewDynamicSecretLeaseManager(sigChan chan os.Signal) *DynamicSecretLeaseManager {
-	manager := &DynamicSecretLeaseManager{}
-	return manager
-}
-
 func ReadFile(filePath string) ([]byte, error) {
 	return ioutil.ReadFile(filePath)
 }
@@ -347,43 +234,15 @@ func secretTemplateFunction(accessToken string, existingEtag string, currentEtag
 	}
 }
 
-func dynamicSecretTemplateFunction(accessToken string, dynamicSecretManager *DynamicSecretLeaseManager, templateId int) func(...string) (map[string]interface{}, error) {
-	return func(args ...string) (map[string]interface{}, error) {
-		argLength := len(args)
-		if argLength != 4 && argLength != 5 {
-			return nil, fmt.Errorf("Invalid arguments found for dynamic-secret function. Check template %i", templateId)
-		}
-
-		projectSlug, envSlug, secretPath, slug, ttl := args[0], args[1], args[2], args[3], ""
-		if argLength == 5 {
-			ttl = args[4]
-		}
-		dynamicSecretData := dynamicSecretManager.GetLease(projectSlug, envSlug, secretPath, slug)
-		if dynamicSecretData != nil {
-			dynamicSecretManager.RegisterTemplate(projectSlug, envSlug, secretPath, slug, templateId)
-			return dynamicSecretData.Data, nil
-		}
-
-		res, err := util.CreateDynamicSecretLease(accessToken, projectSlug, envSlug, secretPath, slug, ttl)
-		if err != nil {
-			return nil, err
-		}
-
-		dynamicSecretManager.Append(DynamicSecretLease{LeaseID: res.Lease.Id, ExpireAt: res.Lease.ExpireAt, Environment: envSlug, SecretPath: secretPath, Slug: slug, ProjectSlug: projectSlug, Data: res.Data, TemplateIDs: []int{templateId}})
-		return res.Data, nil
-	}
-}
-
-func ProcessTemplate(templateId int, templatePath string, data interface{}, accessToken string, existingEtag string, currentEtag *string, dynamicSecretManager *DynamicSecretLeaseManager) (*bytes.Buffer, error) {
+func ProcessTemplate(templatePath string, data interface{}, accessToken string, existingEtag string, currentEtag *string) (*bytes.Buffer, error) {
 	// custom template function to fetch secrets from Infisical
 	secretFunction := secretTemplateFunction(accessToken, existingEtag, currentEtag)
-	dynamicSecretFunction := dynamicSecretTemplateFunction(accessToken, dynamicSecretManager, templateId)
 	funcs := template.FuncMap{
-		"secret":         secretFunction,
-		"dynamic_secret": dynamicSecretFunction,
+		"secret": secretFunction,
 	}
 
 	templateName := path.Base(templatePath)
+
 	tmpl, err := template.New(templateName).Funcs(funcs).ParseFiles(templatePath)
 	if err != nil {
 		return nil, err
@@ -397,7 +256,7 @@ func ProcessTemplate(templateId int, templatePath string, data interface{}, acce
 	return &buf, nil
 }
 
-func ProcessBase64Template(templateId int, encodedTemplate string, data interface{}, accessToken string, existingEtag string, currentEtag *string, dynamicSecretLeaser *DynamicSecretLeaseManager) (*bytes.Buffer, error) {
+func ProcessBase64Template(encodedTemplate string, data interface{}, accessToken string, existingEtag string, currentEtag *string) (*bytes.Buffer, error) {
 	// custom template function to fetch secrets from Infisical
 	decoded, err := base64.StdEncoding.DecodeString(encodedTemplate)
 	if err != nil {
@@ -407,10 +266,8 @@ func ProcessBase64Template(templateId int, encodedTemplate string, data interfac
 	templateString := string(decoded)
 
 	secretFunction := secretTemplateFunction(accessToken, existingEtag, currentEtag) // TODO: Fix this
-	dynamicSecretFunction := dynamicSecretTemplateFunction(accessToken, dynamicSecretLeaser, templateId)
 	funcs := template.FuncMap{
-		"secret":         secretFunction,
-		"dynamic_secret": dynamicSecretFunction,
+		"secret": secretFunction,
 	}
 
 	templateName := "base64Template"
@@ -428,7 +285,7 @@ func ProcessBase64Template(templateId int, encodedTemplate string, data interfac
 	return &buf, nil
 }
 
-type AgentManager struct {
+type TokenManager struct {
 	accessToken                    string
 	accessTokenTTL                 time.Duration
 	accessTokenMaxTTL              time.Duration
@@ -437,7 +294,6 @@ type AgentManager struct {
 	mutex                          sync.Mutex
 	filePaths                      []Sink // Store file paths if needed
 	templates                      []Template
-	dynamicSecretLeases            *DynamicSecretLeaseManager
 	clientIdPath                   string
 	clientSecretPath               string
 	newAccessTokenNotificationChan chan bool
@@ -446,8 +302,8 @@ type AgentManager struct {
 	exitAfterAuth                  bool
 }
 
-func NewAgentManager(fileDeposits []Sink, templates []Template, clientIdPath string, clientSecretPath string, newAccessTokenNotificationChan chan bool, removeClientSecretOnRead bool, exitAfterAuth bool) *AgentManager {
-	return &AgentManager{
+func NewTokenManager(fileDeposits []Sink, templates []Template, clientIdPath string, clientSecretPath string, newAccessTokenNotificationChan chan bool, removeClientSecretOnRead bool, exitAfterAuth bool) *TokenManager {
+	return &TokenManager{
 		filePaths:                      fileDeposits,
 		templates:                      templates,
 		clientIdPath:                   clientIdPath,
@@ -459,7 +315,7 @@ func NewAgentManager(fileDeposits []Sink, templates []Template, clientIdPath str
 
 }
 
-func (tm *AgentManager) SetToken(token string, accessTokenTTL time.Duration, accessTokenMaxTTL time.Duration) {
+func (tm *TokenManager) SetToken(token string, accessTokenTTL time.Duration, accessTokenMaxTTL time.Duration) {
 	tm.mutex.Lock()
 	defer tm.mutex.Unlock()
 
@@ -470,7 +326,7 @@ func (tm *AgentManager) SetToken(token string, accessTokenTTL time.Duration, acc
 	tm.newAccessTokenNotificationChan <- true
 }
 
-func (tm *AgentManager) GetToken() string {
+func (tm *TokenManager) GetToken() string {
 	tm.mutex.Lock()
 	defer tm.mutex.Unlock()
 
@@ -478,7 +334,7 @@ func (tm *AgentManager) GetToken() string {
 }
 
 // Fetches a new access token using client credentials
-func (tm *AgentManager) FetchNewAccessToken() error {
+func (tm *TokenManager) FetchNewAccessToken() error {
 	clientID := os.Getenv("INFISICAL_UNIVERSAL_AUTH_CLIENT_ID")
 	if clientID == "" {
 		clientIDAsByte, err := ReadFile(tm.clientIdPath)
@@ -528,7 +384,7 @@ func (tm *AgentManager) FetchNewAccessToken() error {
 }
 
 // Refreshes the existing access token
-func (tm *AgentManager) RefreshAccessToken() error {
+func (tm *TokenManager) RefreshAccessToken() error {
 	httpClient := resty.New()
 	httpClient.SetRetryCount(10000).
 		SetRetryMaxWaitTime(20 * time.Second).
@@ -549,7 +405,7 @@ func (tm *AgentManager) RefreshAccessToken() error {
 	return nil
 }
 
-func (tm *AgentManager) ManageTokenLifecycle() {
+func (tm *TokenManager) ManageTokenLifecycle() {
 	for {
 		accessTokenMaxTTLExpiresInTime := tm.accessTokenFetchedTime.Add(tm.accessTokenMaxTTL - (5 * time.Second))
 		accessTokenRefreshedTime := tm.accessTokenRefreshedTime
@@ -617,7 +473,7 @@ func (tm *AgentManager) ManageTokenLifecycle() {
 	}
 }
 
-func (tm *AgentManager) WriteTokenToFiles() {
+func (tm *TokenManager) WriteTokenToFiles() {
 	token := tm.GetToken()
 	for _, sinkFile := range tm.filePaths {
 		if sinkFile.Type == "file" {
@@ -634,7 +490,7 @@ func (tm *AgentManager) WriteTokenToFiles() {
 	}
 }
 
-func (tm *AgentManager) WriteTemplateToFile(bytes *bytes.Buffer, template *Template) {
+func (tm *TokenManager) WriteTemplateToFile(bytes *bytes.Buffer, template *Template) {
 	if err := WriteBytesToFile(bytes, template.DestinationPath); err != nil {
 		log.Error().Msgf("template engine: unable to write secrets to path because %s. Will try again on next cycle", err)
 		return
@@ -642,7 +498,7 @@ func (tm *AgentManager) WriteTemplateToFile(bytes *bytes.Buffer, template *Templ
 	log.Info().Msgf("template engine: secret template at path %s has been rendered and saved to path %s", template.SourcePath, template.DestinationPath)
 }
 
-func (tm *AgentManager) MonitorSecretChanges(secretTemplate Template, templateId int, sigChan chan os.Signal) {
+func (tm *TokenManager) MonitorSecretChanges(secretTemplate Template, sigChan chan os.Signal) {
 
 	pollingInterval := time.Duration(5 * time.Minute)
 
@@ -667,61 +523,47 @@ func (tm *AgentManager) MonitorSecretChanges(secretTemplate Template, templateId
 	execCommand := secretTemplate.Config.Execute.Command
 
 	for {
-		select {
-		case <-sigChan:
-			return
-		default:
-			{
-				tm.dynamicSecretLeases.Prune()
-				token := tm.GetToken()
-				if token != "" {
-					var processedTemplate *bytes.Buffer
-					var err error
+		token := tm.GetToken()
 
-					if secretTemplate.SourcePath != "" {
-						processedTemplate, err = ProcessTemplate(templateId, secretTemplate.SourcePath, nil, token, existingEtag, &currentEtag, tm.dynamicSecretLeases)
-					} else {
-						processedTemplate, err = ProcessBase64Template(templateId, secretTemplate.Base64TemplateContent, nil, token, existingEtag, &currentEtag, tm.dynamicSecretLeases)
-					}
+		if token != "" {
 
-					if err != nil {
-						log.Error().Msgf("unable to process template because %v", err)
-					} else {
-						if (existingEtag != currentEtag) || firstRun {
+			var processedTemplate *bytes.Buffer
+			var err error
 
-							tm.WriteTemplateToFile(processedTemplate, &secretTemplate)
-							existingEtag = currentEtag
+			if secretTemplate.SourcePath != "" {
+				processedTemplate, err = ProcessTemplate(secretTemplate.SourcePath, nil, token, existingEtag, &currentEtag)
+			} else {
+				processedTemplate, err = ProcessBase64Template(secretTemplate.Base64TemplateContent, nil, token, existingEtag, &currentEtag)
+			}
 
-							if !firstRun && execCommand != "" {
-								log.Info().Msgf("executing command: %s", execCommand)
-								err := ExecuteCommandWithTimeout(execCommand, execTimeout)
+			if err != nil {
+				log.Error().Msgf("unable to process template because %v", err)
+			} else {
+				if (existingEtag != currentEtag) || firstRun {
 
-								if err != nil {
-									log.Error().Msgf("unable to execute command because %v", err)
-								}
+					tm.WriteTemplateToFile(processedTemplate, &secretTemplate)
+					existingEtag = currentEtag
 
-							}
-							if firstRun {
-								firstRun = false
-							}
+					if !firstRun && execCommand != "" {
+						log.Info().Msgf("executing command: %s", execCommand)
+						err := ExecuteCommandWithTimeout(execCommand, execTimeout)
+
+						if err != nil {
+							log.Error().Msgf("unable to execute command because %v", err)
 						}
-					}
 
-					// now the idea is we pick the next sleep time in which the one shorter out of
-					// - polling time
-					// - first lease that's gonna get expired in the template
-					firstLeaseExpiry, isValid := tm.dynamicSecretLeases.GetFirstExpiringLeaseTime(templateId)
-					var waitTime = pollingInterval
-					if isValid && firstLeaseExpiry.Sub(time.Now()) < pollingInterval {
-						waitTime = firstLeaseExpiry.Sub(time.Now())
 					}
-					time.Sleep(waitTime)
-				} else {
-					// It fails to get the access token. So we will re-try in 3 seconds. We do this because if we don't, the user will have to wait for the next polling interval to get the first secret render.
-					time.Sleep(3 * time.Second)
+					if firstRun {
+						firstRun = false
+					}
 				}
 			}
+			time.Sleep(pollingInterval)
+		} else {
+			// It fails to get the access token. So we will re-try in 3 seconds. We do this because if we don't, the user will have to wait for the next polling interval to get the first secret render.
+			time.Sleep(3 * time.Second)
 		}
+
 	}
 }
 
@@ -803,14 +645,13 @@ var agentCmd = &cobra.Command{
 		signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
 
 		filePaths := agentConfig.Sinks
-		tm := NewAgentManager(filePaths, agentConfig.Templates, configUniversalAuthType.ClientIDPath, configUniversalAuthType.ClientSecretPath, tokenRefreshNotifier, configUniversalAuthType.RemoveClientSecretOnRead, agentConfig.Infisical.ExitAfterAuth)
-		tm.dynamicSecretLeases = NewDynamicSecretLeaseManager(sigChan)
+		tm := NewTokenManager(filePaths, agentConfig.Templates, configUniversalAuthType.ClientIDPath, configUniversalAuthType.ClientSecretPath, tokenRefreshNotifier, configUniversalAuthType.RemoveClientSecretOnRead, agentConfig.Infisical.ExitAfterAuth)
 
 		go tm.ManageTokenLifecycle()
 
 		for i, template := range agentConfig.Templates {
 			log.Info().Msgf("template engine started for template %v...", i+1)
-			go tm.MonitorSecretChanges(template, i, sigChan)
+			go tm.MonitorSecretChanges(template, sigChan)
 		}
 
 		for {

cli/packages/cmd/secrets.go

@@ -297,6 +297,7 @@ var secretsSetCmd = &cobra.Command{
 			updateSecretRequest := api.UpdateSecretByNameV3Request{
 				WorkspaceID:           workspaceFile.WorkspaceId,
 				Environment:           environmentName,
+				SecretName:            secret.PlainTextKey,
 				SecretValueCiphertext: secret.SecretValueCiphertext,
 				SecretValueIV:         secret.SecretValueIV,
 				SecretValueTag:        secret.SecretValueTag,
@@ -304,7 +305,7 @@ var secretsSetCmd = &cobra.Command{
 				SecretPath:            secretsPath,
 			}
 
-			err = api.CallUpdateSecretsV3(httpClient, updateSecretRequest, secret.PlainTextKey)
+			err = api.CallUpdateSecretsV3(httpClient, updateSecretRequest)
 			if err != nil {
 				util.HandleError(err, "Unable to process secret update request")
 				return
@@ -418,7 +419,7 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse path flag")
 	}
 
-	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: true}, "")
+	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath}, "")
 	if err != nil {
 		util.HandleError(err, "To fetch all secrets")
 	}
@@ -476,7 +477,7 @@ func generateExampleEnv(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}
 
-	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: true}, "")
+	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath}, "")
 	if err != nil {
 		util.HandleError(err, "To fetch all secrets")
 	}

cli/packages/models/cli.go

@@ -1,7 +1,5 @@
 package models
 
-import "time"
-
 type UserCredentials struct {
 	Email        string `json:"email"`
 	PrivateKey   string `json:"privateKey"`
@@ -42,23 +40,6 @@ type PlaintextSecretResult struct {
 	Etag    string
 }
 
-type DynamicSecret struct {
-	Id         string `json:"id"`
-	DefaultTTL string `json:"defaultTTL"`
-	MaxTTL     string `json:"maxTTL"`
-	Type       string `json:"type"`
-}
-
-type DynamicSecretLease struct {
-	Lease struct {
-		Id       string    `json:"id"`
-		ExpireAt time.Time `json:"expireAt"`
-	} `json:"lease"`
-	DynamicSecret DynamicSecret `json:"dynamicSecret"`
-	// this is a varying dict based on provider
-	Data map[string]interface{} `json:"data"`
-}
-
 type SingleFolder struct {
 	ID   string `json:"_id"`
 	Name string `json:"name"`

cli/packages/util/secrets.go

@@ -195,31 +195,6 @@ func GetPlainTextSecretsViaMachineIdentity(accessToken string, workspaceId strin
 	}, nil
 }
 
-func CreateDynamicSecretLease(accessToken string, projectSlug string, environmentName string, secretsPath string, slug string, ttl string) (models.DynamicSecretLease, error) {
-	httpClient := resty.New()
-	httpClient.SetAuthToken(accessToken).
-		SetHeader("Accept", "application/json")
-
-	dynamicSecretRequest := api.CreateDynamicSecretLeaseV1Request{
-		ProjectSlug: projectSlug,
-		Environment: environmentName,
-		SecretPath:  secretsPath,
-		Slug:        slug,
-		TTL:         ttl,
-	}
-
-	dynamicSecret, err := api.CallCreateDynamicSecretLeaseV1(httpClient, dynamicSecretRequest)
-	if err != nil {
-		return models.DynamicSecretLease{}, err
-	}
-
-	return models.DynamicSecretLease{
-		Lease:         dynamicSecret.Lease,
-		Data:          dynamicSecret.Data,
-		DynamicSecret: dynamicSecret.DynamicSecret,
-	}, nil
-}
-
 func InjectImportedSecret(plainTextWorkspaceKey []byte, secrets []models.SingleEnvironmentVariable, importedSecrets []api.ImportedSecretV3) ([]models.SingleEnvironmentVariable, error) {
 	if importedSecrets == nil {
 		return secrets, nil

docs/api-reference/endpoints/folders/delete.mdx

@@ -1,4 +1,4 @@
 ---
 title: "Delete"
-openapi: "DELETE /api/v1/folders/{folderIdOrName}"
+openapi: "DELETE /api/v1/folders/{folderId}"
 ---

docs/api-reference/endpoints/secret-tags/create.mdx

@@ -1,4 +0,0 @@
----
-title: "Create"
-openapi: "POST /api/v1/workspace/{projectId}/tags"
----

docs/api-reference/endpoints/secret-tags/delete.mdx

@@ -1,4 +0,0 @@
----
-title: "Delete"
-openapi: "DELETE /api/v1/workspace/{projectId}/tags/{tagId}"
----

docs/api-reference/endpoints/secret-tags/list.mdx

@@ -1,4 +0,0 @@
----
-title: "List"
-openapi: "GET /api/v1/workspace/{projectId}/tags"
----

docs/api-reference/endpoints/secrets/attach-tags.mdx

@@ -1,4 +0,0 @@
----
-title: "Attach tags"
-openapi: "POST /api/v3/secrets/tags/{secretName}"
----

docs/api-reference/endpoints/secrets/detach-tags.mdx

@@ -1,4 +0,0 @@
----
-title: "Detach tags"
-openapi: "DELETE /api/v3/secrets/tags/{secretName}"
----

docs/documentation/getting-started/sdks.mdx

@@ -18,4 +18,4 @@ Follow the instructions for your language use the SDK for it:
 - [Java SDK](https://infisical.com/docs/sdks/languages/java)
 - [.NET SDK](https://infisical.com/docs/sdks/languages/csharp)
 
-Missing a language? [Throw in a request here](https://github.com/Infisical/infisical/issues).
+Missing a language? [Throw in a request](https://github.com/Infisical/infisical/issues).

docs/documentation/platform/dynamic-secrets/overview.mdx

@@ -1,30 +0,0 @@
----
-title: "Overview"
-description: "Learn how to generate secrets dynamically on-demand."
----
-
-## Introduction
-
-Contrary to static key-value secrets, which require manual input of data into the secure Infisical storage, dynamic secrets are generated on-demand upon access. 
-
-Dynamic secrets are unique to every identity using them. Such secrets come are generated only at the moment they are retrieved, eliminating the possibility of theft or reuse by another identity. Thanks to Infisical's integrated revocation capabilities, dynamic secrets can be promptly invalidated post-use, significantly reducing their lifespan.
-
-## Benefits of Dynamic Secrets
-
-This approach offers several advantages in terms of security and management:
-
-- **Enhanced Security**: By frequently changing secrets, dynamic secrets minimize the risk associated with secret compromise. Even if an attacker manages to obtain a secret, it would likely be invalid by the time they attempt to use it.
-
-- **Reduced Secret Lifetime**: The limited validity period of dynamic secrets means that they are less valuable targets for attackers. This inherently reduces the time window during which a secret can be exploited.
-
-- **Automated Management**: Dynamic secrets enable automated systems to handle the generation, distribution, revocation, and rotation of secrets without human intervention, thus reducing the risk of human error.
-
-- **Auditing and Traceability**: The generation of dynamic secrets can be tightly controlled and monitored. This allows for detailed auditing of who accessed what secret and when, improving overall security posture and compliance with regulatory standards.
-
-- **Scalability**: Dynamic secret management systems can scale more effectively to handle a large number of services and applications, as they automate much of the overhead associated with manual secret management.
-
-Dynamic secrets are particularly useful in environments with stringent security requirements, such as cloud environments, distributed systems, and microservices architectures, where they help to manage database credentials, API keys, service tokens, and other types of secrets.
-
-## Infisical Dynamic Secret Templates
-
-1. [PostgreSQL](./postgresql)

docs/documentation/platform/dynamic-secrets/postgresql.mdx

@@ -1,98 +0,0 @@
----
-title: "PostgreSQL"
-description: "Learn how to dynamically generate PostgreSQL Database user passwords."
----
-
-The Infisical MySQL secret rotation allows you to automatically rotate your MySQL database user's password at a predefined interval.
-
-
-## Prerequisite
-
-1. Create a user with the required permission in your SQL instance.
-
-
-## Set up Dynamic Secrets with PostgreSQL
-
-<Steps>
-  <Step title="Open Secret Overview Dashboard">
-	Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
-  </Step>
-  <Step title="Click on the `Add Dynamic Secret` button">
-	![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png)
-  </Step>
-  <Step title="Select `SQL Database`">
-	![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/dynamic-secret-modal.png)
-  </Step>
-  <Step title="Provide the inputs for dynamic secret parameters">
-	<ParamField path="Secret Name" type="string" required>
-		Name by which you want the secret to be referenced
-	</ParamField>
-
-	<ParamField path="Default TTL" type="string" required>
-		Default time-to-live for a generated secret (it is possible to modify this value when a secret is generate)
-	</ParamField>
-
-	<ParamField path="Max TTL" type="string" required>
-		Maximum time-to-live for a generated secret
-	</ParamField>
-
-	<ParamField path="Service" type="string" required>
-		Choose the service you want to generate dynamic secrets for
-	</ParamField>
-
-	<ParamField path="Host" type="string" required>
-		Database host
-	</ParamField>
-
-	<ParamField path="Port" type="number" required>
-		Database port
-	</ParamField>
-
-	<ParamField path="User" type="string" required>
-		Username that will be used to create dynamic secrets
-	</ParamField>
-
-	<ParamField path="Password" type="string" required>
-		Password that will be used to create dynamic secrets
-	</ParamField>
-
-	<ParamField path="Database Name" type="string" required>
-		Name of the database for which you want to create dynamic secrets
-	</ParamField>
- 
-	<ParamField path="CA(SSL)" type="string">
-		A CA may be required if your DB requires it for incoming connections. AWS RDS instances with default settings will requires a CA which can be downloaded [here](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions).
-	</ParamField>
-
-	![Dynamic Secret Setup Modal](../../../images/platform/dynamic-secrets/dynamic-secret-setup-modal.png)
-
-  </Step>
-  <Step title="(Optional) Modify SQL Statements">
-  	If you want to provide specific privileges for the future generated dynamic secrets, you are able to specify them as SQL statements. 
-
-	![Modify SQL Statements Modal](../../../images/platform/dynamic-secrets/modify-sql-statements.png)
-  </Step>
-  <Step title="Click `Submit`">
-  	After submitting the form, you will see a dynamic secret creates in the dashboard. 
-
-	<Note>
-		If this step fails, you might have to add the CA certficate. 
-	</Note>
-
-	![Dynamic Secret](../../../images/platform/dynamic-secrets/dynamic-secret.png)
-  </Step>
-  <Step title="Generate dynamic secrets">
-	Now that the dynamic secret is created, you can start generating unique secret values by specifying the Time-to-live within the predefined range. 
-
-	![Provision Lease](../../../images/platform/dynamic-secrets/provision-lease.png)
-
-	After you click the `Submit` button, a new secret lease will be generated and the Database User and Database Password will be shown. 
-
-	![Provision Lease](../../../images/platform/dynamic-secrets/lease-values.png)
-  </Step>
-  <Step title="Audit or Revoke Leases">
-	As soon as you have generated a few secret leases, you will be able to access them by clicking `Generate` on the dynamic secret row. In this modal, you are able to see the expiration time or delete a secret preemptively.
-
-	![Provision Lease](../../../images/platform/dynamic-secrets/lease-data.png)
-  </Step>
-</Steps>

docs/documentation/platform/identities/overview.mdx

@@ -4,7 +4,7 @@ description: "Programmatically interact with Infisical"
 ---
 
 <Note>
-  Currently, identities can only be used to make authenticated requests to the Infisical API, SDKs, Terraform, K8s Operator, and Agent. They do not work with clients such as CLI, Ansible look up plugin, etc.
+  Currently, identities can only be used to make authenticated requests to the Infisical API, SDKs, and Agent. They do not work with clients such as CLI, K8s Operator, Terraform Provider, etc.
 
   We will be releasing compatibility with it across clients in the coming quarter.
 </Note>