misc: add onUpdate trigger to oidc config

doc: added guide for configuring certs

.github/workflows/build-staging-and-deploy-aws.yml

@@ -56,7 +56,7 @@ jobs:
           # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
           #
           # Required
-          service-key: ${{ secrets.TWINGATE_GAMMA_SERVICE_KEY }}
+          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
       - name: Checkout code
         uses: actions/checkout@v2
       - name: Setup Node.js environment

backend/src/db/migrations/20240624221840_certificate-alt-names.ts

@@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    const hasAltNamesColumn = await knex.schema.hasColumn(TableName.Certificate, "altNames");
+    if (!hasAltNamesColumn) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.string("altNames").defaultTo("");
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    if (await knex.schema.hasColumn(TableName.Certificate, "altNames")) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.dropColumn("altNames");
+      });
+    }
+  }
+}

backend/src/db/migrations/20240626171758_add-ldap-unique-user-attribute.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.LdapConfig, "uniqueUserAttribute"))) {
+    await knex.schema.alterTable(TableName.LdapConfig, (tb) => {
+      tb.string("uniqueUserAttribute").notNullable().defaultTo("");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.LdapConfig, "uniqueUserAttribute")) {
+    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+      t.dropColumn("uniqueUserAttribute");
+    });
+  }
+}

backend/src/db/migrations/20240626171943_configurable-audit-log-retention.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.Project, "auditLogsRetentionDays"))) {
+    await knex.schema.alterTable(TableName.Project, (tb) => {
+      tb.integer("auditLogsRetentionDays").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.Project, "auditLogsRetentionDays")) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.dropColumn("auditLogsRetentionDays");
+    });
+  }
+}

backend/src/db/migrations/20240627115024_add-oidc-updated-at-trigger.ts

@@ -0,0 +1,12 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  await createOnUpdateTrigger(knex, TableName.OidcConfig);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.OidcConfig);
+}

backend/src/db/schemas/certificates.ts

@@ -19,7 +19,8 @@ export const CertificatesSchema = z.object({
   notBefore: z.date(),
   notAfter: z.date(),
   revokedAt: z.date().nullable().optional(),
-  revocationReason: z.number().nullable().optional()
+  revocationReason: z.number().nullable().optional(),
+  altNames: z.string().default("").nullable().optional()
 });
 
 export type TCertificates = z.infer<typeof CertificatesSchema>;

backend/src/db/schemas/ldap-configs.ts

@@ -26,7 +26,8 @@ export const LdapConfigsSchema = z.object({
   updatedAt: z.date(),
   groupSearchBase: z.string().default(""),
   groupSearchFilter: z.string().default(""),
-  searchFilter: z.string().default("")
+  searchFilter: z.string().default(""),
+  uniqueUserAttribute: z.string().default("")
 });
 
 export type TLdapConfigs = z.infer<typeof LdapConfigsSchema>;

backend/src/db/schemas/projects.ts

@@ -17,8 +17,9 @@ export const ProjectsSchema = z.object({
   updatedAt: z.date(),
   version: z.number().default(1),
   upgradeStatus: z.string().nullable().optional(),
+  pitVersionLimit: z.number().default(10),
   kmsCertificateKeyId: z.string().uuid().nullable().optional(),
-  pitVersionLimit: z.number().default(10)
+  auditLogsRetentionDays: z.number().nullable().optional()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/ee/routes/v1/ldap-router.ts

@@ -70,10 +70,13 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
             groups = await searchGroups(ldapConfig, groupSearchFilter, ldapConfig.groupSearchBase);
           }
 
+          const externalId = ldapConfig.uniqueUserAttribute ? user[ldapConfig.uniqueUserAttribute] : user.uidNumber;
+          const username = ldapConfig.uniqueUserAttribute ? externalId : user.uid;
+
           const { isUserCompleted, providerAuthToken } = await server.services.ldap.ldapLogin({
+            externalId,
+            username,
             ldapConfigId: ldapConfig.id,
-            externalId: user.uidNumber,
-            username: user.uid,
             firstName: user.givenName ?? user.cn ?? "",
             lastName: user.sn ?? "",
             email: user.mail,
@@ -138,6 +141,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
           url: z.string(),
           bindDN: z.string(),
           bindPass: z.string(),
+          uniqueUserAttribute: z.string(),
           searchBase: z.string(),
           searchFilter: z.string(),
           groupSearchBase: z.string(),
@@ -172,6 +176,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
         url: z.string().trim(),
         bindDN: z.string().trim(),
         bindPass: z.string().trim(),
+        uniqueUserAttribute: z.string().trim().default("uidNumber"),
         searchBase: z.string().trim(),
         searchFilter: z.string().trim().default("(uid={{username}})"),
         groupSearchBase: z.string().trim(),
@@ -213,6 +218,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
           url: z.string().trim(),
           bindDN: z.string().trim(),
           bindPass: z.string().trim(),
+          uniqueUserAttribute: z.string().trim(),
           searchBase: z.string().trim(),
           searchFilter: z.string().trim(),
           groupSearchBase: z.string().trim(),

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -45,18 +45,29 @@ export const auditLogQueueServiceFactory = ({
     const { actor, event, ipAddress, projectId, userAgent, userAgentType } = job.data;
     let { orgId } = job.data;
     const MS_IN_DAY = 24 * 60 * 60 * 1000;
+    let project;
 
     if (!orgId) {
       // it will never be undefined for both org and project id
       // TODO(akhilmhdh): use caching here in dal to avoid db calls
-      const project = await projectDAL.findById(projectId as string);
+      project = await projectDAL.findById(projectId as string);
       orgId = project.orgId;
     }
 
     const plan = await licenseService.getPlan(orgId);
-    const ttl = plan.auditLogsRetentionDays * MS_IN_DAY;
+    if (plan.auditLogsRetentionDays === 0) {
       // skip inserting if audit log retention is 0 meaning its not supported
-    if (ttl === 0) return;
+      return;
+    }
+
+    // For project actions, set TTL to project-level audit log retention config
+    // This condition ensures that the plan's audit log retention days cannot be bypassed
+    const ttlInDays =
+      project?.auditLogsRetentionDays && project.auditLogsRetentionDays < plan.auditLogsRetentionDays
+        ? project.auditLogsRetentionDays
+        : plan.auditLogsRetentionDays;
+
+    const ttl = ttlInDays * MS_IN_DAY;
 
     const auditLog = await auditLogDAL.create({
       actor: actor.type,

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -65,25 +65,31 @@ export enum EventType {
   ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
   UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
   GET_IDENTITY_UNIVERSAL_AUTH = "get-identity-universal-auth",
+  REVOKE_IDENTITY_UNIVERSAL_AUTH = "revoke-identity-universal-auth",
   LOGIN_IDENTITY_KUBERNETES_AUTH = "login-identity-kubernetes-auth",
   ADD_IDENTITY_KUBERNETES_AUTH = "add-identity-kubernetes-auth",
   UPDATE_IDENTITY_KUBENETES_AUTH = "update-identity-kubernetes-auth",
   GET_IDENTITY_KUBERNETES_AUTH = "get-identity-kubernetes-auth",
+  REVOKE_IDENTITY_KUBERNETES_AUTH = "revoke-identity-kubernetes-auth",
   CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
   REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
   GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
+  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET_BY_ID = "get-identity-universal-auth-client-secret-by-id",
   LOGIN_IDENTITY_GCP_AUTH = "login-identity-gcp-auth",
   ADD_IDENTITY_GCP_AUTH = "add-identity-gcp-auth",
   UPDATE_IDENTITY_GCP_AUTH = "update-identity-gcp-auth",
+  REVOKE_IDENTITY_GCP_AUTH = "revoke-identity-gcp-auth",
   GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",
   LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
   ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
   UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
+  REVOKE_IDENTITY_AWS_AUTH = "revoke-identity-aws-auth",
   GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
   LOGIN_IDENTITY_AZURE_AUTH = "login-identity-azure-auth",
   ADD_IDENTITY_AZURE_AUTH = "add-identity-azure-auth",
   UPDATE_IDENTITY_AZURE_AUTH = "update-identity-azure-auth",
   GET_IDENTITY_AZURE_AUTH = "get-identity-azure-auth",
+  REVOKE_IDENTITY_AZURE_AUTH = "revoke-identity-azure-auth",
   CREATE_ENVIRONMENT = "create-environment",
   UPDATE_ENVIRONMENT = "update-environment",
   DELETE_ENVIRONMENT = "delete-environment",
@@ -434,6 +440,13 @@ interface GetIdentityUniversalAuthEvent {
   };
 }
 
+interface DeleteIdentityUniversalAuthEvent {
+  type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface LoginIdentityKubernetesAuthEvent {
   type: EventType.LOGIN_IDENTITY_KUBERNETES_AUTH;
   metadata: {
@@ -457,6 +470,13 @@ interface AddIdentityKubernetesAuthEvent {
   };
 }
 
+interface DeleteIdentityKubernetesAuthEvent {
+  type: EventType.REVOKE_IDENTITY_KUBERNETES_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityKubernetesAuthEvent {
   type: EventType.UPDATE_IDENTITY_KUBENETES_AUTH;
   metadata: {
@@ -493,6 +513,14 @@ interface GetIdentityUniversalAuthClientSecretsEvent {
   };
 }
 
+interface GetIdentityUniversalAuthClientSecretByIdEvent {
+  type: EventType.GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET_BY_ID;
+  metadata: {
+    identityId: string;
+    clientSecretId: string;
+  };
+}
+
 interface RevokeIdentityUniversalAuthClientSecretEvent {
   type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET;
   metadata: {
@@ -525,6 +553,13 @@ interface AddIdentityGcpAuthEvent {
   };
 }
 
+interface DeleteIdentityGcpAuthEvent {
+  type: EventType.REVOKE_IDENTITY_GCP_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityGcpAuthEvent {
   type: EventType.UPDATE_IDENTITY_GCP_AUTH;
   metadata: {
@@ -570,6 +605,13 @@ interface AddIdentityAwsAuthEvent {
   };
 }
 
+interface DeleteIdentityAwsAuthEvent {
+  type: EventType.REVOKE_IDENTITY_AWS_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityAwsAuthEvent {
   type: EventType.UPDATE_IDENTITY_AWS_AUTH;
   metadata: {
@@ -613,6 +655,13 @@ interface AddIdentityAzureAuthEvent {
   };
 }
 
+interface DeleteIdentityAzureAuthEvent {
+  type: EventType.REVOKE_IDENTITY_AZURE_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityAzureAuthEvent {
   type: EventType.UPDATE_IDENTITY_AZURE_AUTH;
   metadata: {
@@ -1003,24 +1052,30 @@ export type Event =
   | LoginIdentityUniversalAuthEvent
   | AddIdentityUniversalAuthEvent
   | UpdateIdentityUniversalAuthEvent
+  | DeleteIdentityUniversalAuthEvent
   | GetIdentityUniversalAuthEvent
   | LoginIdentityKubernetesAuthEvent
+  | DeleteIdentityKubernetesAuthEvent
   | AddIdentityKubernetesAuthEvent
   | UpdateIdentityKubernetesAuthEvent
   | GetIdentityKubernetesAuthEvent
   | CreateIdentityUniversalAuthClientSecretEvent
   | GetIdentityUniversalAuthClientSecretsEvent
+  | GetIdentityUniversalAuthClientSecretByIdEvent
   | RevokeIdentityUniversalAuthClientSecretEvent
   | LoginIdentityGcpAuthEvent
   | AddIdentityGcpAuthEvent
+  | DeleteIdentityGcpAuthEvent
   | UpdateIdentityGcpAuthEvent
   | GetIdentityGcpAuthEvent
   | LoginIdentityAwsAuthEvent
   | AddIdentityAwsAuthEvent
   | UpdateIdentityAwsAuthEvent
   | GetIdentityAwsAuthEvent
+  | DeleteIdentityAwsAuthEvent
   | LoginIdentityAzureAuthEvent
   | AddIdentityAzureAuthEvent
+  | DeleteIdentityAzureAuthEvent
   | UpdateIdentityAzureAuthEvent
   | GetIdentityAzureAuthEvent
   | CreateEnvironmentEvent

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -122,6 +122,7 @@ export const ldapConfigServiceFactory = ({
     url,
     bindDN,
     bindPass,
+    uniqueUserAttribute,
     searchBase,
     searchFilter,
     groupSearchBase,
@@ -200,6 +201,7 @@ export const ldapConfigServiceFactory = ({
       encryptedBindPass,
       bindPassIV,
       bindPassTag,
+      uniqueUserAttribute,
       searchBase,
       searchFilter,
       groupSearchBase,
@@ -222,6 +224,7 @@ export const ldapConfigServiceFactory = ({
     url,
     bindDN,
     bindPass,
+    uniqueUserAttribute,
     searchBase,
     searchFilter,
     groupSearchBase,
@@ -244,7 +247,8 @@ export const ldapConfigServiceFactory = ({
       searchBase,
       searchFilter,
       groupSearchBase,
-      groupSearchFilter
+      groupSearchFilter,
+      uniqueUserAttribute
     };
 
     const orgBot = await orgBotDAL.findOne({ orgId });
@@ -345,6 +349,7 @@ export const ldapConfigServiceFactory = ({
       url: ldapConfig.url,
       bindDN,
       bindPass,
+      uniqueUserAttribute: ldapConfig.uniqueUserAttribute,
       searchBase: ldapConfig.searchBase,
       searchFilter: ldapConfig.searchFilter,
       groupSearchBase: ldapConfig.groupSearchBase,
@@ -381,6 +386,7 @@ export const ldapConfigServiceFactory = ({
         url: ldapConfig.url,
         bindDN: ldapConfig.bindDN,
         bindCredentials: ldapConfig.bindPass,
+        uniqueUserAttribute: ldapConfig.uniqueUserAttribute,
         searchBase: ldapConfig.searchBase,
         searchFilter: ldapConfig.searchFilter || "(uid={{username}})",
         // searchAttributes: ["uid", "uidNumber", "givenName", "sn", "mail"],

backend/src/ee/services/ldap-config/ldap-config-types.ts

@@ -7,6 +7,7 @@ export type TLDAPConfig = {
   url: string;
   bindDN: string;
   bindPass: string;
+  uniqueUserAttribute: string;
   searchBase: string;
   groupSearchBase: string;
   groupSearchFilter: string;
@@ -19,6 +20,7 @@ export type TCreateLdapCfgDTO = {
   url: string;
   bindDN: string;
   bindPass: string;
+  uniqueUserAttribute: string;
   searchBase: string;
   searchFilter: string;
   groupSearchBase: string;
@@ -33,6 +35,7 @@ export type TUpdateLdapCfgDTO = {
   url: string;
   bindDN: string;
   bindPass: string;
+  uniqueUserAttribute: string;
   searchBase: string;
   searchFilter: string;
   groupSearchBase: string;

backend/src/lib/api-docs/constants.ts

@@ -42,6 +42,13 @@ export const IDENTITIES = {
   },
   DELETE: {
     identityId: "The ID of the identity to delete."
+  },
+  GET_BY_ID: {
+    identityId: "The ID of the identity to get details.",
+    orgId: "The ID of the org of the identity"
+  },
+  LIST: {
+    orgId: "The ID of the organization to list identities."
   }
 } as const;
 
@@ -65,6 +72,9 @@ export const UNIVERSAL_AUTH = {
   RETRIEVE: {
     identityId: "The ID of the identity to retrieve."
   },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  },
   UPDATE: {
     identityId: "The ID of the identity to update.",
     clientSecretTrustedIps: "The new list of IPs or CIDR ranges that the Client Secret can be used from.",
@@ -83,6 +93,10 @@ export const UNIVERSAL_AUTH = {
   LIST_CLIENT_SECRETS: {
     identityId: "The ID of the identity to list client secrets for."
   },
+  GET_CLIENT_SECRET: {
+    identityId: "The ID of the identity to get the client secret from.",
+    clientSecretId: "The ID of the client secret to get details."
+  },
   REVOKE_CLIENT_SECRET: {
     identityId: "The ID of the identity to revoke the client secret from.",
     clientSecretId: "The ID of the client secret to revoke."
@@ -104,6 +118,27 @@ export const AWS_AUTH = {
     iamRequestBody:
       "The base64-encoded body of the signed request. Most likely, the base64-encoding of Action=GetCallerIdentity&Version=2011-06-15.",
     iamRequestHeaders: "The base64-encoded headers of the sts:GetCallerIdentity signed request."
+  },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  }
+} as const;
+
+export const AZURE_AUTH = {
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  }
+} as const;
+
+export const GCP_AUTH = {
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  }
+} as const;
+
+export const KUBERNETES_AUTH = {
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
   }
 } as const;
 
@@ -805,6 +840,8 @@ export const CERTIFICATE_AUTHORITIES = {
     caId: "The ID of the CA to issue the certificate from",
     friendlyName: "A friendly name for the certificate",
     commonName: "The common name (CN) for the certificate",
+    altNames:
+      "A comma-delimited list of Subject Alternative Names (SANs) for the certificate; these can be host names or email addresses.",
     ttl: "The time to live for the certificate such as 1m, 1h, 1d, 1y, ...",
     notBefore: "The date and time when the certificate becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format",
     notAfter: "The date and time when the certificate expires in YYYY-MM-DDTHH:mm:ss.sssZ format",

backend/src/server/routes/v1/certificate-authority-router.ts

@@ -9,7 +9,10 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { CaStatus, CaType } from "@app/services/certificate-authority/certificate-authority-types";
-import { validateCaDateField } from "@app/services/certificate-authority/certificate-authority-validators";
+import {
+  validateAltNamesField,
+  validateCaDateField
+} from "@app/services/certificate-authority/certificate-authority-validators";
 
 export const registerCaRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -452,6 +455,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         .object({
           friendlyName: z.string().optional().describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.friendlyName),
           commonName: z.string().trim().min(1).describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.commonName),
+          altNames: validateAltNamesField.describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.altNames),
           ttl: z
             .string()
             .refine((val) => ms(val) > 0, "TTL must be a positive number")

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -266,4 +266,51 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
       return { identityAwsAuth };
     }
   });
+
+  server.route({
+    method: "DELETE",
+    url: "/aws-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete AWS Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(AWS_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityAwsAuth: IdentityAwsAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAwsAuth = await server.services.identityAwsAuth.revokeIdentityAwsAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAwsAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_AWS_AUTH,
+          metadata: {
+            identityId: identityAwsAuth.identityId
+          }
+        }
+      });
+
+      return { identityAwsAuth };
+    }
+  });
 };

backend/src/server/routes/v1/identity-azure-auth-router.ts

@@ -2,6 +2,7 @@ import { z } from "zod";
 
 import { IdentityAzureAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { AZURE_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -259,4 +260,51 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
       return { identityAzureAuth };
     }
   });
+
+  server.route({
+    method: "DELETE",
+    url: "/azure-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete Azure Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(AZURE_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityAzureAuth: IdentityAzureAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAzureAuth = await server.services.identityAzureAuth.revokeIdentityAzureAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAzureAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_AZURE_AUTH,
+          metadata: {
+            identityId: identityAzureAuth.identityId
+          }
+        }
+      });
+
+      return { identityAzureAuth };
+    }
+  });
 };

backend/src/server/routes/v1/identity-gcp-auth-router.ts

@@ -2,6 +2,7 @@ import { z } from "zod";
 
 import { IdentityGcpAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { GCP_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -265,4 +266,51 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
       return { identityGcpAuth };
     }
   });
+
+  server.route({
+    method: "DELETE",
+    url: "/gcp-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete GCP Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(GCP_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityGcpAuth: IdentityGcpAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityGcpAuth = await server.services.identityGcpAuth.revokeIdentityGcpAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityGcpAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId
+          }
+        }
+      });
+
+      return { identityGcpAuth };
+    }
+  });
 };

backend/src/server/routes/v1/identity-kubernetes-auth-router.ts

@@ -2,6 +2,7 @@ import { z } from "zod";
 
 import { IdentityKubernetesAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { KUBERNETES_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -280,4 +281,54 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
       return { identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.parse(identityKubernetesAuth) };
     }
   });
+
+  server.route({
+    method: "DELETE",
+    url: "/kubernetes-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete Kubernetes Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(KUBERNETES_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.omit({
+            caCert: true,
+            tokenReviewerJwt: true
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityKubernetesAuth = await server.services.identityKubernetesAuth.revokeIdentityKubernetesAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityKubernetesAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_KUBERNETES_AUTH,
+          metadata: {
+            identityId: identityKubernetesAuth.identityId
+          }
+        }
+      });
+
+      return { identityKubernetesAuth };
+    }
+  });
 };

backend/src/server/routes/v1/identity-router.ts

@@ -1,9 +1,9 @@
 import { z } from "zod";
 
-import { IdentitiesSchema, OrgMembershipRole } from "@app/db/schemas";
+import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgMembershipRole, OrgRolesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { IDENTITIES } from "@app/lib/api-docs";
-import { creationLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { creationLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -170,4 +170,94 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
       return { identity };
     }
   });
+
+  server.route({
+    method: "GET",
+    url: "/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Get an identity by id",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(IDENTITIES.GET_BY_ID.identityId)
+      }),
+      response: {
+        200: z.object({
+          identity: IdentityOrgMembershipsSchema.extend({
+            customRole: OrgRolesSchema.pick({
+              id: true,
+              name: true,
+              slug: true,
+              permissions: true,
+              description: true
+            }).optional(),
+            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identity = await server.services.identity.getIdentityById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.identityId
+      });
+
+      return { identity };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "List identities",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        orgId: z.string().describe(IDENTITIES.LIST.orgId)
+      }),
+      response: {
+        200: z.object({
+          identities: IdentityOrgMembershipsSchema.extend({
+            customRole: OrgRolesSchema.pick({
+              id: true,
+              name: true,
+              slug: true,
+              permissions: true,
+              description: true
+            }).optional(),
+            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+          }).array()
+        })
+      }
+    },
+    handler: async (req) => {
+      const identities = await server.services.identity.listOrgIdentities({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        orgId: req.query.orgId
+      });
+
+      return { identities };
+    }
+  });
 };

backend/src/server/routes/v1/identity-universal-auth-router.ts

@@ -134,7 +134,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const identityUniversalAuth = await server.services.identityUa.attachUa({
+      const identityUniversalAuth = await server.services.identityUa.attachUniversalAuth({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorOrgId: req.permission.orgId,
@@ -219,7 +219,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const identityUniversalAuth = await server.services.identityUa.updateUa({
+      const identityUniversalAuth = await server.services.identityUa.updateUniversalAuth({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorOrgId: req.permission.orgId,
@@ -272,7 +272,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const identityUniversalAuth = await server.services.identityUa.getIdentityUa({
+      const identityUniversalAuth = await server.services.identityUa.getIdentityUniversalAuth({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
@@ -295,6 +295,53 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "DELETE",
+    url: "/universal-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete Universal Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(UNIVERSAL_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityUniversalAuth: IdentityUniversalAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityUniversalAuth = await server.services.identityUa.revokeIdentityUniversalAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityUniversalAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH,
+          metadata: {
+            identityId: identityUniversalAuth.identityId
+          }
+        }
+      });
+
+      return { identityUniversalAuth };
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/universal-auth/identities/:identityId/client-secrets",
@@ -325,7 +372,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { clientSecret, clientSecretData, orgId } = await server.services.identityUa.createUaClientSecret({
+      const { clientSecret, clientSecretData, orgId } =
+        await server.services.identityUa.createUniversalAuthClientSecret({
           actor: req.permission.type,
           actorId: req.permission.id,
           actorAuthMethod: req.permission.authMethod,
@@ -374,13 +422,15 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { clientSecrets: clientSecretData, orgId } = await server.services.identityUa.getUaClientSecrets({
+      const { clientSecrets: clientSecretData, orgId } = await server.services.identityUa.getUniversalAuthClientSecrets(
+        {
           actor: req.permission.type,
           actorId: req.permission.id,
           actorAuthMethod: req.permission.authMethod,
           actorOrgId: req.permission.orgId,
           identityId: req.params.identityId
-      });
+        }
+      );
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
@@ -396,6 +446,56 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/universal-auth/identities/:identityId/client-secrets/:clientSecretId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Get Universal Auth Client Secret for identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(UNIVERSAL_AUTH.GET_CLIENT_SECRET.identityId),
+        clientSecretId: z.string().describe(UNIVERSAL_AUTH.GET_CLIENT_SECRET.clientSecretId)
+      }),
+      response: {
+        200: z.object({
+          clientSecretData: sanitizedClientSecretSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const clientSecretData = await server.services.identityUa.getUniversalAuthClientSecretById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId,
+        clientSecretId: req.params.clientSecretId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: clientSecretData.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET,
+          metadata: {
+            identityId: clientSecretData.identityId,
+            clientSecretId: clientSecretData.id
+          }
+        }
+      });
+
+      return { clientSecretData };
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/universal-auth/identities/:identityId/client-secrets/:clientSecretId/revoke",
@@ -421,7 +521,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const clientSecretData = await server.services.identityUa.revokeUaClientSecret({
+      const clientSecretData = await server.services.identityUa.revokeUniversalAuthClientSecret({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,

backend/src/server/routes/v1/index.ts

@@ -9,7 +9,7 @@ import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
 import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
 import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityRouter } from "./identity-router";
-import { registerIdentityUaRouter } from "./identity-ua";
+import { registerIdentityUaRouter } from "./identity-universal-auth-router";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
 import { registerIntegrationRouter } from "./integration-router";
 import { registerInviteOrgRouter } from "./invite-org-router";

backend/src/server/routes/v1/project-router.ts

@@ -372,6 +372,44 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "PUT",
+    url: "/:workspaceSlug/audit-logs-retention",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        workspaceSlug: z.string().trim()
+      }),
+      body: z.object({
+        auditLogsRetentionDays: z.number().min(0)
+      }),
+      response: {
+        200: z.object({
+          message: z.string(),
+          workspace: ProjectsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const workspace = await server.services.project.updateAuditLogsRetention({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        workspaceSlug: req.params.workspaceSlug,
+        auditLogsRetentionDays: req.body.auditLogsRetentionDays
+      });
+
+      return {
+        message: "Successfully updated project's audit logs retention period",
+        workspace
+      };
+    }
+  });
+
   server.route({
     method: "GET",
     url: "/:workspaceId/integrations",

backend/src/services/certificate-authority/certificate-authority-service.ts

@@ -3,6 +3,7 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import crypto, { KeyObject } from "crypto";
 import ms from "ms";
+import { z } from "zod";
 
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -38,6 +39,7 @@ import {
   TSignIntermediateDTO,
   TUpdateCaDTO
 } from "./certificate-authority-types";
+import { hostnameRegex } from "./certificate-authority-validators";
 
 type TCertificateAuthorityServiceFactoryDep = {
   certificateAuthorityDAL: Pick<
@@ -653,6 +655,7 @@ export const certificateAuthorityServiceFactory = ({
     caId,
     friendlyName,
     commonName,
+    altNames,
     ttl,
     notBefore,
     notAfter,
@@ -738,6 +741,45 @@ export const certificateAuthorityServiceFactory = ({
       kmsService
     });
 
+    const extensions: x509.Extension[] = [
+      new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment, true),
+      new x509.BasicConstraintsExtension(false),
+      await x509.AuthorityKeyIdentifierExtension.create(caCertObj, false),
+      await x509.SubjectKeyIdentifierExtension.create(csrObj.publicKey)
+    ];
+
+    if (altNames) {
+      const altNamesArray: {
+        type: "email" | "dns";
+        value: string;
+      }[] = altNames
+        .split(",")
+        .map((name) => name.trim())
+        .map((altName) => {
+          // check if the altName is a valid email
+          if (z.string().email().safeParse(altName).success) {
+            return {
+              type: "email",
+              value: altName
+            };
+          }
+
+          // check if the altName is a valid hostname
+          if (hostnameRegex.test(altName)) {
+            return {
+              type: "dns",
+              value: altName
+            };
+          }
+
+          // If altName is neither a valid email nor a valid hostname, throw an error or handle it accordingly
+          throw new Error(`Invalid altName: ${altName}`);
+        });
+
+      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
+      extensions.push(altNamesExtension);
+    }
+
     const serialNumber = crypto.randomBytes(32).toString("hex");
     const leafCert = await x509.X509CertificateGenerator.create({
       serialNumber,
@@ -748,12 +790,7 @@ export const certificateAuthorityServiceFactory = ({
       signingKey: caPrivateKey,
       publicKey: csrObj.publicKey,
       signingAlgorithm: alg,
-      extensions: [
+      extensions
-        new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment, true),
-        new x509.BasicConstraintsExtension(false),
-        await x509.AuthorityKeyIdentifierExtension.create(caCertObj, false),
-        await x509.SubjectKeyIdentifierExtension.create(csrObj.publicKey)
-      ]
     });
 
     const skLeafObj = KeyObject.from(leafKeys.privateKey);
@@ -771,6 +808,7 @@ export const certificateAuthorityServiceFactory = ({
           status: CertStatus.ACTIVE,
           friendlyName: friendlyName || commonName,
           commonName,
+          altNames,
           serialNumber,
           notBefore: notBeforeDate,
           notAfter: notAfterDate

backend/src/services/certificate-authority/certificate-authority-types.ts

@@ -75,6 +75,7 @@ export type TIssueCertFromCaDTO = {
   caId: string;
   friendlyName?: string;
   commonName: string;
+  altNames: string;
   ttl: string;
   notBefore?: string;
   notAfter?: string;

backend/src/services/certificate-authority/certificate-authority-validators.ts

@@ -6,3 +6,29 @@ const isValidDate = (dateString: string) => {
 };
 
 export const validateCaDateField = z.string().trim().refine(isValidDate, { message: "Invalid date format" });
+
+export const hostnameRegex = /^(?!:\/\/)([a-zA-Z0-9-_]{1,63}\.?)+(?!:\/\/)([a-zA-Z]{2,63})$/;
+export const validateAltNamesField = z
+  .string()
+  .trim()
+  .default("")
+  .transform((data) => {
+    if (data === "") return "";
+    // Trim each alt name and join with ', ' to ensure formatting
+    return data
+      .split(",")
+      .map((id) => id.trim())
+      .join(", ");
+  })
+  .refine(
+    (data) => {
+      if (data === "") return true;
+      // Split and validate each alt name
+      return data.split(", ").every((name) => {
+        return hostnameRegex.test(name) || z.string().email().safeParse(name).success;
+      });
+    },
+    {
+      message: "Each alt name must be a valid hostname or email address"
+    }
+  );

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -7,11 +7,12 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@@ -24,12 +25,13 @@ import {
   TGetAwsAuthDTO,
   TGetCallerIdentityResponse,
   TLoginAwsAuthDTO,
+  TRevokeAwsAuthDTO,
   TUpdateAwsAuthDTO
 } from "./identity-aws-auth-types";
 
 type TIdentityAwsAuthServiceFactoryDep = {
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
-  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   identityDAL: Pick<TIdentityDALFactory, "updateById">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -301,10 +303,54 @@ export const identityAwsAuthServiceFactory = ({
     return { ...awsIdentityAuth, orgId: identityMembershipOrg.orgId };
   };
 
+  const revokeIdentityAwsAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeAwsAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have aws auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke aws auth of identity with more privileged role"
+      });
+
+    const revokedIdentityAwsAuth = await identityAwsAuthDAL.transaction(async (tx) => {
+      const deletedAwsAuth = await identityAwsAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedAwsAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityAwsAuth;
+  };
+
   return {
     login,
     attachAwsAuth,
     updateAwsAuth,
-    getAwsAuth
+    getAwsAuth,
+    revokeIdentityAwsAuth
   };
 };

backend/src/services/identity-aws-auth/identity-aws-auth-types.ts

@@ -52,3 +52,7 @@ export type TGetCallerIdentityResponse = {
     ResponseMetadata: { RequestId: string };
   };
 };
+
+export type TRevokeAwsAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/identity-azure-auth/identity-azure-auth-service.ts

@@ -5,11 +5,12 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@@ -20,11 +21,15 @@ import {
   TAttachAzureAuthDTO,
   TGetAzureAuthDTO,
   TLoginAzureAuthDTO,
+  TRevokeAzureAuthDTO,
   TUpdateAzureAuthDTO
 } from "./identity-azure-auth-types";
 
 type TIdentityAzureAuthServiceFactoryDep = {
-  identityAzureAuthDAL: Pick<TIdentityAzureAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityAzureAuthDAL: Pick<
+    TIdentityAzureAuthDALFactory,
+    "findOne" | "transaction" | "create" | "updateById" | "delete"
+  >;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
   identityDAL: Pick<TIdentityDALFactory, "updateById">;
@@ -277,10 +282,54 @@ export const identityAzureAuthServiceFactory = ({
     return { ...identityAzureAuth, orgId: identityMembershipOrg.orgId };
   };
 
+  const revokeIdentityAzureAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeAzureAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AZURE_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have azure auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke azure auth of identity with more privileged role"
+      });
+
+    const revokedIdentityAzureAuth = await identityAzureAuthDAL.transaction(async (tx) => {
+      const deletedAzureAuth = await identityAzureAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedAzureAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityAzureAuth;
+  };
+
   return {
     login,
     attachAzureAuth,
     updateAzureAuth,
-    getAzureAuth
+    getAzureAuth,
+    revokeIdentityAzureAuth
   };
 };

backend/src/services/identity-azure-auth/identity-azure-auth-types.ts

@@ -118,3 +118,7 @@ export type TDecodedAzureAuthJwt = {
     [key: string]: string;
   };
 };
+
+export type TRevokeAzureAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts

@@ -5,11 +5,12 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@@ -21,11 +22,12 @@ import {
   TGcpIdentityDetails,
   TGetGcpAuthDTO,
   TLoginGcpAuthDTO,
+  TRevokeGcpAuthDTO,
   TUpdateGcpAuthDTO
 } from "./identity-gcp-auth-types";
 
 type TIdentityGcpAuthServiceFactoryDep = {
-  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
   identityDAL: Pick<TIdentityDALFactory, "updateById">;
@@ -315,10 +317,54 @@ export const identityGcpAuthServiceFactory = ({
     return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
   };
 
+  const revokeIdentityGcpAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeGcpAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have gcp auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke gcp auth of identity with more privileged role"
+      });
+
+    const revokedIdentityGcpAuth = await identityGcpAuthDAL.transaction(async (tx) => {
+      const deletedGcpAuth = await identityGcpAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedGcpAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityGcpAuth;
+  };
+
   return {
     login,
     attachGcpAuth,
     updateGcpAuth,
-    getGcpAuth
+    getGcpAuth,
+    revokeIdentityGcpAuth
   };
 };

backend/src/services/identity-gcp-auth/identity-gcp-auth-types.ts

@@ -76,3 +76,7 @@ export type TDecodedGcpIamAuthJwt = {
     [key: string]: string;
   };
 };
+
+export type TRevokeGcpAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts

@@ -7,6 +7,7 @@ import { IdentityAuthMethod, SecretKeyEncoding, TIdentityKubernetesAuthsUpdate }
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import {
   decryptSymmetric,
@@ -16,11 +17,11 @@ import {
   infisicalSymmetricDecrypt,
   infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 
-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@@ -32,13 +33,14 @@ import {
   TCreateTokenReviewResponse,
   TGetKubernetesAuthDTO,
   TLoginKubernetesAuthDTO,
+  TRevokeKubernetesAuthDTO,
   TUpdateKubernetesAuthDTO
 } from "./identity-kubernetes-auth-types";
 
 type TIdentityKubernetesAuthServiceFactoryDep = {
   identityKubernetesAuthDAL: Pick<
     TIdentityKubernetesAuthDALFactory,
-    "create" | "findOne" | "transaction" | "updateById"
+    "create" | "findOne" | "transaction" | "updateById" | "delete"
   >;
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "findById">;
@@ -533,10 +535,54 @@ export const identityKubernetesAuthServiceFactory = ({
     return { ...identityKubernetesAuth, caCert, tokenReviewerJwt, orgId: identityMembershipOrg.orgId };
   };
 
+  const revokeIdentityKubernetesAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeKubernetesAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.KUBERNETES_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have kubenetes auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke kubenetes auth of identity with more privileged role"
+      });
+
+    const revokedIdentityKubernetesAuth = await identityKubernetesAuthDAL.transaction(async (tx) => {
+      const deletedKubernetesAuth = await identityKubernetesAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedKubernetesAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityKubernetesAuth;
+  };
+
   return {
     login,
     attachKubernetesAuth,
     updateKubernetesAuth,
-    getKubernetesAuth
+    getKubernetesAuth,
+    revokeIdentityKubernetesAuth
   };
 };

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts

@@ -59,3 +59,7 @@ export type TCreateTokenReviewResponse = {
   };
   status: TCreateTokenReviewSuccessResponse | TCreateTokenReviewErrorResponse;
 };
+
+export type TRevokeKubernetesAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/identity-ua/identity-ua-service.ts

@@ -25,7 +25,9 @@ import {
   TCreateUaClientSecretDTO,
   TGetUaClientSecretsDTO,
   TGetUaDTO,
+  TGetUniversalAuthClientSecretByIdDTO,
   TRevokeUaClientSecretDTO,
+  TRevokeUaDTO,
   TUpdateUaDTO
 } from "./identity-ua-types";
 
@@ -136,7 +138,7 @@ export const identityUaServiceFactory = ({
     return { accessToken, identityUa, validClientSecretInfo, identityAccessToken, identityMembershipOrg };
   };
 
-  const attachUa = async ({
+  const attachUniversalAuth = async ({
     accessTokenMaxTTL,
     identityId,
     accessTokenNumUsesLimit,
@@ -227,7 +229,7 @@ export const identityUaServiceFactory = ({
     return { ...identityUa, orgId: identityMembershipOrg.orgId };
   };
 
-  const updateUa = async ({
+  const updateUniversalAuth = async ({
     accessTokenMaxTTL,
     identityId,
     accessTokenNumUsesLimit,
@@ -312,7 +314,7 @@ export const identityUaServiceFactory = ({
     return { ...updatedUaAuth, orgId: identityMembershipOrg.orgId };
   };
 
-  const getIdentityUa = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetUaDTO) => {
+  const getIdentityUniversalAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetUaDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
     if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
@@ -333,7 +335,50 @@ export const identityUaServiceFactory = ({
     return { ...uaIdentityAuth, orgId: identityMembershipOrg.orgId };
   };
 
-  const createUaClientSecret = async ({
+  const revokeIdentityUniversalAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeUaDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+      throw new BadRequestError({
+        message: "The identity does not have universal auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke universal auth of identity with more privileged role"
+      });
+
+    const revokedIdentityUniversalAuth = await identityUaDAL.transaction(async (tx) => {
+      const deletedUniversalAuth = await identityUaDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedUniversalAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityUniversalAuth;
+  };
+
+  const createUniversalAuthClientSecret = async ({
     actor,
     actorId,
     actorOrgId,
@@ -396,7 +441,7 @@ export const identityUaServiceFactory = ({
     };
   };
 
-  const getUaClientSecrets = async ({
+  const getUniversalAuthClientSecrets = async ({
     actor,
     actorId,
     actorOrgId,
@@ -442,7 +487,47 @@ export const identityUaServiceFactory = ({
     return { clientSecrets, orgId: identityMembershipOrg.orgId };
   };
 
-  const revokeUaClientSecret = async ({
+  const getUniversalAuthClientSecretById = async ({
+    identityId,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    clientSecretId
+  }: TGetUniversalAuthClientSecretByIdDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+      throw new BadRequestError({
+        message: "The identity does not have universal auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to read identity client secret of project with more privileged role"
+      });
+
+    const clientSecret = await identityUaClientSecretDAL.findById(clientSecretId);
+    return { ...clientSecret, identityId, orgId: identityMembershipOrg.orgId };
+  };
+
+  const revokeUniversalAuthClientSecret = async ({
     identityId,
     actorId,
     actor,
@@ -475,7 +560,7 @@ export const identityUaServiceFactory = ({
     const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
     if (!hasPriviledge)
       throw new ForbiddenRequestError({
-        message: "Failed to add identity to project with more privileged role"
+        message: "Failed to revoke identity client secret with more privileged role"
       });
 
     const clientSecret = await identityUaClientSecretDAL.updateById(clientSecretId, {
@@ -486,11 +571,13 @@ export const identityUaServiceFactory = ({
 
   return {
     login,
-    attachUa,
+    attachUniversalAuth,
-    updateUa,
+    updateUniversalAuth,
-    getIdentityUa,
+    getIdentityUniversalAuth,
-    createUaClientSecret,
+    revokeIdentityUniversalAuth,
-    getUaClientSecrets,
+    createUniversalAuthClientSecret,
-    revokeUaClientSecret
+    getUniversalAuthClientSecrets,
+    revokeUniversalAuthClientSecret,
+    getUniversalAuthClientSecretById
   };
 };

backend/src/services/identity-ua/identity-ua-types.ts

@@ -22,6 +22,10 @@ export type TGetUaDTO = {
   identityId: string;
 } & Omit<TProjectPermission, "projectId">;
 
+export type TRevokeUaDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TCreateUaClientSecretDTO = {
   identityId: string;
   description: string;
@@ -37,3 +41,8 @@ export type TRevokeUaClientSecretDTO = {
   identityId: string;
   clientSecretId: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TGetUniversalAuthClientSecretByIdDTO = {
+  identityId: string;
+  clientSecretId: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/identity/identity-org-dal.ts

@@ -27,10 +27,10 @@ export const identityOrgDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findByOrgId = async (orgId: string, tx?: Knex) => {
+  const find = async (filter: Partial<TIdentityOrgMemberships>, tx?: Knex) => {
     try {
       const docs = await (tx || db)(TableName.IdentityOrgMembership)
-        .where(`${TableName.IdentityOrgMembership}.orgId`, orgId)
+        .where(filter)
         .join(TableName.Identity, `${TableName.IdentityOrgMembership}.identityId`, `${TableName.Identity}.id`)
         .leftJoin(TableName.OrgRoles, `${TableName.IdentityOrgMembership}.roleId`, `${TableName.OrgRoles}.id`)
         .select(selectAllTableCols(TableName.IdentityOrgMembership))
@@ -79,5 +79,5 @@ export const identityOrgDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...identityOrgOrm, findOne, findByOrgId };
+  return { ...identityOrgOrm, find, findOne };
 };

backend/src/services/identity/identity-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
+import { OrgMembershipRole, TableName, TOrgRoles } from "@app/db/schemas";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
@@ -10,7 +10,7 @@ import { TOrgPermission } from "@app/lib/types";
 import { ActorType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "./identity-dal";
 import { TIdentityOrgDALFactory } from "./identity-org-dal";
-import { TCreateIdentityDTO, TDeleteIdentityDTO, TUpdateIdentityDTO } from "./identity-types";
+import { TCreateIdentityDTO, TDeleteIdentityDTO, TGetIdentityByIdDTO, TUpdateIdentityDTO } from "./identity-types";
 
 type TIdentityServiceFactoryDep = {
   identityDAL: TIdentityDALFactory;
@@ -126,6 +126,24 @@ export const identityServiceFactory = ({
     return { ...identity, orgId: identityOrgMembership.orgId };
   };
 
+  const getIdentityById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TGetIdentityByIdDTO) => {
+    const doc = await identityOrgMembershipDAL.find({
+      [`${TableName.IdentityOrgMembership}.identityId` as "identityId"]: id
+    });
+    const identity = doc[0];
+    if (!identity) throw new BadRequestError({ message: `Failed to find identity with id ${id}` });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identity.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+    return identity;
+  };
+
   const deleteIdentity = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TDeleteIdentityDTO) => {
     const identityOrgMembership = await identityOrgMembershipDAL.findOne({ identityId: id });
     if (!identityOrgMembership) throw new BadRequestError({ message: `Failed to find identity with id ${id}` });
@@ -157,7 +175,9 @@ export const identityServiceFactory = ({
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
 
-    const identityMemberships = await identityOrgMembershipDAL.findByOrgId(orgId);
+    const identityMemberships = await identityOrgMembershipDAL.find({
+      [`${TableName.IdentityOrgMembership}.orgId` as "orgId"]: orgId
+    });
     return identityMemberships;
   };
 
@@ -165,6 +185,7 @@ export const identityServiceFactory = ({
     createIdentity,
     updateIdentity,
     deleteIdentity,
-    listOrgIdentities
+    listOrgIdentities,
+    getIdentityById
   };
 };

backend/src/services/identity/identity-types.ts

@@ -16,6 +16,10 @@ export type TDeleteIdentityDTO = {
   id: string;
 } & Omit<TOrgPermission, "orgId">;
 
+export type TGetIdentityByIdDTO = {
+  id: string;
+} & Omit<TOrgPermission, "orgId">;
+
 export interface TIdentityTrustedIp {
   ipAddress: string;
   type: IPType;

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -257,14 +257,27 @@ const syncSecretsGCPSecretManager = async ({
 const syncSecretsAzureKeyVault = async ({
   integration,
   secrets,
-  accessToken
+  accessToken,
+  createManySecretsRawFn,
+  updateManySecretsRawFn
 }: {
-  integration: TIntegrations;
+  integration: TIntegrations & {
+    projectId: string;
+    environment: {
+      id: string;
+      name: string;
+      slug: string;
+    };
+    secretPath: string;
+  };
   secrets: Record<string, { value: string; comment?: string }>;
   accessToken: string;
+  createManySecretsRawFn: (params: TCreateManySecretsRawFn) => Promise<Array<TSecrets & { _id: string }>>;
+  updateManySecretsRawFn: (params: TUpdateManySecretsRawFn) => Promise<Array<TSecrets & { _id: string }>>;
 }) => {
   interface GetAzureKeyVaultSecret {
     id: string; // secret URI
+    value: string;
     attributes: {
       enabled: true;
       created: number;
@@ -361,6 +374,83 @@ const syncSecretsAzureKeyVault = async ({
     }
   });
 
+  const secretsToAdd: { [key: string]: string } = {};
+  const secretsToUpdate: { [key: string]: string } = {};
+  const secretKeysToRemoveFromDelete = new Set<string>();
+
+  const metadata = IntegrationMetadataSchema.parse(integration.metadata);
+  if (!integration.lastUsed) {
+    Object.keys(res).forEach((key) => {
+      // first time using integration
+      const underscoredKey = key.replace(/-/g, "_");
+
+      // -> apply initial sync behavior
+      switch (metadata.initialSyncBehavior) {
+        case IntegrationInitialSyncBehavior.PREFER_TARGET: {
+          if (!(underscoredKey in secrets)) {
+            secretsToAdd[underscoredKey] = res[key].value;
+            setSecrets.push({
+              key,
+              value: res[key].value
+            });
+          } else if (secrets[underscoredKey]?.value !== res[key].value) {
+            secretsToUpdate[underscoredKey] = res[key].value;
+            const toEditSecretIndex = setSecrets.findIndex((secret) => secret.key === key);
+            if (toEditSecretIndex >= 0) {
+              setSecrets[toEditSecretIndex].value = res[key].value;
+            }
+          }
+
+          secretKeysToRemoveFromDelete.add(key);
+
+          break;
+        }
+        case IntegrationInitialSyncBehavior.PREFER_SOURCE: {
+          if (!(underscoredKey in secrets)) {
+            secretsToAdd[underscoredKey] = res[key].value;
+            setSecrets.push({
+              key,
+              value: res[key].value
+            });
+          }
+
+          secretKeysToRemoveFromDelete.add(key);
+          break;
+        }
+        default:
+          break;
+      }
+    });
+  }
+
+  if (Object.keys(secretsToUpdate).length) {
+    await updateManySecretsRawFn({
+      projectId: integration.projectId,
+      environment: integration.environment.slug,
+      path: integration.secretPath,
+      secrets: Object.keys(secretsToUpdate).map((key) => ({
+        secretName: key,
+        secretValue: secretsToUpdate[key],
+        type: SecretType.Shared,
+        secretComment: ""
+      }))
+    });
+  }
+
+  if (Object.keys(secretsToAdd).length) {
+    await createManySecretsRawFn({
+      projectId: integration.projectId,
+      environment: integration.environment.slug,
+      path: integration.secretPath,
+      secrets: Object.keys(secretsToAdd).map((key) => ({
+        secretName: key,
+        secretValue: secretsToAdd[key],
+        type: SecretType.Shared,
+        secretComment: ""
+      }))
+    });
+  }
+
   const setSecretAzureKeyVault = async ({
     key,
     value,
@@ -428,7 +518,7 @@ const syncSecretsAzureKeyVault = async ({
     });
   }
 
-  for await (const deleteSecret of deleteSecrets) {
+  for await (const deleteSecret of deleteSecrets.filter((secret) => !secretKeysToRemoveFromDelete.has(secret.key))) {
     const { key } = deleteSecret;
     await request.delete(`${integration.app}/secrets/${key}?api-version=7.3`, {
       headers: {
@@ -3512,7 +3602,9 @@ export const syncIntegrationSecrets = async ({
       await syncSecretsAzureKeyVault({
         integration,
         secrets,
-        accessToken
+        accessToken,
+        createManySecretsRawFn,
+        updateManySecretsRawFn
       });
       break;
     case Integrations.AWS_PARAMETER_STORE:

backend/src/services/project/project-service.ts

@@ -11,7 +11,7 @@ import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import { createSecretBlindIndex } from "@app/lib/crypto";
 import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TProjectPermission } from "@app/lib/types";
 
@@ -41,6 +41,7 @@ import {
   TListProjectCasDTO,
   TListProjectCertsDTO,
   TToggleProjectAutoCapitalizationDTO,
+  TUpdateAuditLogsRetentionDTO,
   TUpdateProjectDTO,
   TUpdateProjectNameDTO,
   TUpdateProjectVersionLimitDTO,
@@ -446,6 +447,43 @@ export const projectServiceFactory = ({
     return projectDAL.updateById(project.id, { pitVersionLimit });
   };
 
+  const updateAuditLogsRetention = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    auditLogsRetentionDays,
+    workspaceSlug
+  }: TUpdateAuditLogsRetentionDTO) => {
+    const project = await projectDAL.findProjectBySlug(workspaceSlug, actorOrgId);
+    if (!project) {
+      throw new NotFoundError({
+        message: "Project not found."
+      });
+    }
+
+    const { hasRole } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    if (!hasRole(ProjectMembershipRole.Admin)) {
+      throw new BadRequestError({ message: "Only admins are allowed to take this action" });
+    }
+
+    const plan = await licenseService.getPlan(project.orgId);
+    if (!plan.auditLogs || auditLogsRetentionDays > plan.auditLogsRetentionDays) {
+      throw new BadRequestError({
+        message: "Failed to update audit logs retention due to plan limit reached. Upgrade plan to increase."
+      });
+    }
+
+    return projectDAL.updateById(project.id, { auditLogsRetentionDays });
+  };
+
   const updateName = async ({
     projectId,
     actor,
@@ -621,6 +659,7 @@ export const projectServiceFactory = ({
     upgradeProject,
     listProjectCas,
     listProjectCertificates,
-    updateVersionLimit
+    updateVersionLimit,
+    updateAuditLogsRetention
   };
 };

backend/src/services/project/project-types.ts

@@ -49,6 +49,11 @@ export type TUpdateProjectVersionLimitDTO = {
   workspaceSlug: string;
 } & Omit<TProjectPermission, "projectId">;
 
+export type TUpdateAuditLogsRetentionDTO = {
+  auditLogsRetentionDays: number;
+  workspaceSlug: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TUpdateProjectNameDTO = {
   name: string;
 } & TProjectPermission;

backend/src/services/secret-blind-index/secret-blind-index-dal.ts

@@ -30,7 +30,6 @@ export const secretBlindIndexDALFactory = (db: TDbClient) => {
         .leftJoin(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.Secret}.folderId`)
         .leftJoin(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretFolder}.envId`)
         .where({ projectId })
-        .whereNull("secretBlindIndex")
         .select(selectAllTableCols(TableName.Secret))
         .select(
           db.ref("slug").withSchema(TableName.Environment).as("environment"),
@@ -49,7 +48,6 @@ export const secretBlindIndexDALFactory = (db: TDbClient) => {
         .leftJoin(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretFolder}.envId`)
         .where({ projectId })
         .whereIn(`${TableName.Secret}.id`, secretIds)
-        .whereNull("secretBlindIndex")
         .select(selectAllTableCols(TableName.Secret))
         .select(
           db.ref("slug").withSchema(TableName.Environment).as("environment"),

cli/packages/cmd/secrets.go

@@ -73,6 +73,11 @@ var secretsCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}
 
+		plainOutput, err := cmd.Flags().GetBool("plain")
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
 		request := models.GetAllSecretsParameters{
 			Environment:   environmentName,
 			WorkspaceId:   projectId,
@@ -100,7 +105,6 @@ var secretsCmd = &cobra.Command{
 		}
 
 		if shouldExpandSecrets {
-
 			authParams := models.ExpandSecretsAuthentication{}
 			if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
 				authParams.InfisicalToken = token.Token
@@ -114,7 +118,14 @@ var secretsCmd = &cobra.Command{
 		// Sort the secrets by key so we can create a consistent output
 		secrets = util.SortSecretsByKeys(secrets)
 
+		if plainOutput {
+			for _, secret := range secrets {
+				fmt.Println(secret.Value)
+			}
+		} else {
 			visualize.PrintAllSecretDetails(secrets)
+		}
+
 		Telemetry.CaptureEvent("cli-command:secrets", posthog.NewProperties().Set("secretCount", len(secrets)).Set("version", util.CLI_VERSION))
 	},
 }
@@ -325,9 +336,20 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse recursive flag")
 	}
 
+	// deprecated, in favor of --plain
 	showOnlyValue, err := cmd.Flags().GetBool("raw-value")
 	if err != nil {
-		util.HandleError(err, "Unable to parse path flag")
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	plainOutput, err := cmd.Flags().GetBool("plain")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	includeImports, err := cmd.Flags().GetBool("include-imports")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
 	}
 
 	request := models.GetAllSecretsParameters{
@@ -335,7 +357,7 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		WorkspaceId:   projectId,
 		TagSlugs:      tagSlugs,
 		SecretsPath:   secretsPath,
-		IncludeImport: true,
+		IncludeImport: includeImports,
 		Recursive:     recursive,
 	}
 
@@ -377,15 +399,15 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		}
 	}
 
-	if showOnlyValue && len(requestedSecrets) > 1 {
+	// showOnlyValue deprecated in favor of --plain, below only for backward compatibility
-		util.PrintErrorMessageAndExit("--raw-value only works with one secret.")
+	if plainOutput || showOnlyValue {
+		for _, secret := range requestedSecrets {
+			fmt.Println(secret.Value)
 		}
-
-	if showOnlyValue {
-		fmt.Printf(requestedSecrets[0].Value)
 	} else {
 		visualize.PrintAllSecretDetails(requestedSecrets)
 	}
+
 	Telemetry.CaptureEvent("cli-command:secrets get", posthog.NewProperties().Set("secretCount", len(secrets)).Set("version", util.CLI_VERSION))
 }
 
@@ -639,11 +661,12 @@ func init() {
 	secretsGetCmd.Flags().String("token", "", "Fetch secrets using service token or machine identity access token")
 	secretsGetCmd.Flags().String("projectId", "", "manually set the project ID to fetch secrets from when using machine identity based auth")
 	secretsGetCmd.Flags().String("path", "/", "get secrets within a folder path")
-	secretsGetCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
+	secretsGetCmd.Flags().Bool("plain", false, "print values without formatting, one per line")
-	secretsGetCmd.Flags().Bool("raw-value", false, "Returns only the value of secret, only works with one secret")
+	secretsGetCmd.Flags().Bool("raw-value", false, "deprecated. Returns only the value of secret, only works with one secret. Use --plain instead")
+	secretsGetCmd.Flags().Bool("include-imports", true, "Imported linked secrets ")
+	secretsGetCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets, and process your referenced secrets")
 	secretsGetCmd.Flags().Bool("recursive", false, "Fetch secrets from all sub-folders")
 	secretsCmd.AddCommand(secretsGetCmd)
-
 	secretsCmd.Flags().Bool("secret-overriding", true, "Prioritizes personal secrets, if any, with the same name over shared secrets")
 	secretsCmd.AddCommand(secretsSetCmd)
 	secretsSetCmd.Flags().String("token", "", "Fetch secrets using service token or machine identity access token")
@@ -687,10 +710,11 @@ func init() {
 	secretsCmd.Flags().String("token", "", "Fetch secrets using service token or machine identity access token")
 	secretsCmd.Flags().String("projectId", "", "manually set the projectId to fetch secrets when using machine identity based auth")
 	secretsCmd.PersistentFlags().String("env", "dev", "Used to select the environment name on which actions should be taken on")
-	secretsCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
+	secretsCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets, and process your referenced secrets")
 	secretsCmd.Flags().Bool("include-imports", true, "Imported linked secrets ")
 	secretsCmd.Flags().Bool("recursive", false, "Fetch secrets from all sub-folders")
 	secretsCmd.PersistentFlags().StringP("tags", "t", "", "filter secrets by tag slugs")
 	secretsCmd.Flags().String("path", "/", "get secrets within a folder path")
+	secretsCmd.Flags().Bool("plain", false, "print values without formatting, one per line")
 	rootCmd.AddCommand(secretsCmd)
 }

docs/api-reference/endpoints/identities/get-by-id.mdx

@@ -0,0 +1,5 @@
+---
+title: "Get By ID"
+openapi: "GET /api/v1/identities/{identityId}"
+---
+

docs/api-reference/endpoints/identities/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/identities"
+---

docs/api-reference/endpoints/universal-auth/get-client-secret-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get Client Secret By ID"
+openapi: "GET /api/v1/auth/universal-auth/identities/{identityId}/client-secrets/{clientSecretId}"
+---

docs/api-reference/endpoints/universal-auth/revoke.mdx

@@ -0,0 +1,4 @@
+---
+title: "Revoke"
+openapi: "DELETE /api/v1/auth/universal-auth/identities/{identityId}"
+---

docs/cli/commands/secrets.mdx

@@ -88,6 +88,27 @@ $ infisical secrets
     ```
 
   </Accordion>
+  <Accordion title="--plain">
+    The `--plain` flag will output all your secret values without formatting, one per line.
+
+    ```bash
+    # Example
+    infisical secrets --plain --silent
+    ```
+
+  </Accordion>
+
+  <Accordion title="--silent">
+    The `--silent` flag disables output of tip/info messages. Useful when running in scripts or CI/CD pipelines.
+
+    ```bash
+    # Example
+    infisical secrets --silent
+    ```
+
+    Can be used inline to replace `INFISICAL_DISABLE_UPDATE_CHECK`
+
+  </Accordion>
 
 </Accordion>
 
@@ -99,6 +120,7 @@ $ infisical secrets get <secret-name-a> <secret-name-b> ...
 
 # Example
 $ infisical secrets get DOMAIN
+$ infisical secrets get DOMAIN PORT
 
 ```
 
@@ -111,7 +133,41 @@ $ infisical secrets get DOMAIN
 
   </Accordion>
 
-  <Accordion title="--raw-value">
+  <Accordion title="--plain">
+    The `--plain` flag will output all your requested secret values without formatting, one per line.
+
+    Default value: `false`
+
+    ```bash
+    # Example
+    infisical secrets get FOO --plain
+    infisical secrets get FOO BAR --plain
+
+    # Fetch a single value and assign it to a variable
+    API_KEY=$(infisical secrets get FOO --plain --silent)
+    ```
+
+    <Tip>
+      When running in CI/CD environments or in a script, set `INFISICAL_DISABLE_UPDATE_CHECK=true` or add the `--silent` flag. This will help hide any CLI info/debug output and only show the secret value.
+    </Tip>
+
+  </Accordion>
+
+  <Accordion title="--silent">
+    The `--silent` flag disables output of tip/info messages. Useful when running in scripts or CI/CD pipelines.
+
+    ```bash
+    # Example
+    infisical secrets get FOO --plain --silent
+    ```
+
+    Can be used inline to replace `INFISICAL_DISABLE_UPDATE_CHECK`
+
+  </Accordion>
+
+  <Accordion title="--raw-value (deprecated)">
+    Use `--plain` instead, as it supports single and multiple secrets.
+
     Used to print the plain value of a single requested secret without any table style.
 
     Default value: `false`
@@ -119,10 +175,11 @@ $ infisical secrets get DOMAIN
     Example: `infisical secrets get DOMAIN --raw-value`
 
     <Tip>
-      When running in CI/CD environments or in a script, set `INFISICAL_DISABLE_UPDATE_CHECK` env to `true`. This will help hide any CLI update messages and only show the secret value.
+      When running in CI/CD environments or in a script, set `INFISICAL_DISABLE_UPDATE_CHECK=true` or add the `--silent` flag. This will help hide any CLI info/debug output and only show the secret value.
     </Tip>
 
   </Accordion>
+
 </Accordion>
 
 <Accordion title="infisical secrets set">

docs/documentation/platform/ldap/general.mdx

@@ -30,6 +30,7 @@ Prerequisites:
         - Bind DN: The distinguished name of object to bind when performing the user search such as `cn=infisical,ou=Users,dc=acme,dc=com`.
         - Bind Pass: The password to use along with `Bind DN` when performing the user search.
         - User Search Base / User DN: Base DN under which to perform user search such as `ou=Users,dc=acme,dc=com`.
+        - Unique User Attribute: The attribute to use as the unique identifier of LDAP users such as `sAMAccountName`, `cn`, `uid`, `objectGUID` ... If left blank, defaults to `uidNumber`
         - User Search Filter (optional): Template used to construct the LDAP user search filter such as `(uid={{username}})`; use literal `{{username}}` to have the given username used in the search. The default is `(uid={{username}})` which is compatible with several common directory schemas.
         - Group Search Base / Group DN (optional): LDAP search base to use for group membership search such as `ou=Groups,dc=acme,dc=com`.
         - Group Filter (optional): Template used when constructing the group membership query such as `(&(objectClass=posixGroup)(memberUid={{.Username}}))`. The template can access the following context variables: [`UserDN`, `UserName`]. The default is `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))` which is compatible with several common directory schemas.

docs/documentation/platform/ldap/jumpcloud.mdx

@@ -39,6 +39,7 @@ Prerequisites:
             - Bind DN: The distinguished name of object to bind when performing the user search (`uid=<ldap-user-username>,ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
             - Bind Pass: The password to use along with `Bind DN` when performing the user search.
             - User Search Base / User DN: Base DN under which to perform user search (`ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
+            - Unique User Attribute: The attribute to use as the unique identifier of LDAP users such as `sAMAccountName`, `cn`, `uid`, `objectGUID` ... If left blank, defaults to `uidNumber`
             - User Search Filter (optional): Template used to construct the LDAP user search filter (`(uid={{username}})`).
             - Group Search Base / Group DN (optional): LDAP search base to use for group membership search (`ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
             - Group Filter (optional): Template used when constructing the group membership query (`(&(objectClass=groupOfNames)(member=uid={{.Username}},ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com))`)

docs/documentation/platform/pki/certificates.mdx

@@ -56,9 +56,9 @@ In the following steps, we explore how to issue a X.509 certificate under a CA.
 
     - Issuing CA: The CA under which to issue the certificate.
     - Friendly Name: A friendly name for the certificate; this is only for display and defaults to the common name of the certificate if left empty.
-    - Common Name (CN): The (common) name of the certificate.
+    - Common Name (CN): The (common) name for the certificate like `service.acme.com`.
+    - Alternative Names (SANs): A comma-delimited list of Subject Alternative Names (SANs) for the certificate; these can be host names or email addresses like `app1.acme.com, app2.acme.com`.
     - TTL: The lifetime of the certificate in seconds.
-    - Valid Until: The date until which the certificate is valid in the date time string format specified [here](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date#date_time_string_format). For example, the following formats would be valid: `YYYY`, `YYYY-MM`, `YYYY-MM-DD`, `YYYY-MM-DDTHH:mm:ss.sssZ`.
 
   </Step>
   <Step title="Copying the certificate details">

docs/integrations/cicd/bitbucket.mdx

@@ -7,6 +7,8 @@ Prerequisites:
 
 - Set up and add envars to [Infisical Cloud](https://app.infisical.com)
 
+<AccordionGroup>
+  <Accordion title="Push secrets to Bitbucket from Infisical">
     <Steps>
       <Step title="Authorize Infisical for Bitbucket">
         Navigate to your project's integrations tab in Infisical.
@@ -17,12 +19,6 @@ Prerequisites:
 
         ![integrations bitbucket authorization](../../images/integrations/bitbucket/integrations-bitbucket-auth.png)
 
-    <Info>
-      If this is your project's first cloud integration, then you'll have to grant
-      Infisical access to your project's environment variables. Although this step
-      breaks E2EE, it's necessary for Infisical to sync the environment variables to
-      the cloud platform.
-    </Info>
       </Step>
       <Step title="Start integration">
         Select which Infisical environment secrets you want to sync to which Bitbucket repo and press start integration to start syncing secrets to the repo.
@@ -30,3 +26,43 @@ Prerequisites:
         ![integrations bitbucket](../../images/integrations/bitbucket/integrations-bitbucket.png)
       </Step>
     </Steps>
+
+  </Accordion>
+  <Accordion title="Pull secrets in Bitbucket pipelines from Infisical">
+    <Steps>
+      <Step title="Configure Infisical Access">
+        Configure a [Machine Identity](https://infisical.com/docs/documentation/platform/identities/universal-auth) for your project and give it permissions to read secrets from your desired Infisical projects and environments.
+      </Step>
+      <Step title="Initialize Bitbucket variables">
+      Create Bitbucket variables (can be either workspace, repository, or deployment-level) to store Machine Identity Client ID and Client Secret.
+      
+      ![integrations bitbucket](../../images/integrations/bitbucket/integrations-bitbucket-env.png)
+      </Step>
+      <Step title="Integrate Infisical secrets into the pipeline">
+        Edit your Bitbucket pipeline YAML file to include the use of the Infisical CLI to fetch and inject secrets into any script or command within the pipeline.
+        
+        #### Example
+
+        ```yaml
+        image: atlassian/default-image:3
+
+        pipelines:
+          default:
+            - step:
+                name: Build application with secrets from Infisical
+                script:
+                  - apt update && apt install -y curl
+                  - curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash
+                  - apt-get update && apt-get install -y infisical
+                  - export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=$INFISICAL_CLIENT_ID --client-secret=$INFISICAL_CLIENT_SECRET --silent --plain)
+                  - infisical run --projectId=1d0443c1-cd43-4b3a-91a3-9d5f81254a89 --env=dev -- npm run build
+        ```
+
+      <Tip>
+        Set the values of `projectId` and `env` flags in the `infisical run` command to your intended source path. For more options, refer to the CLI command reference [here](https://infisical.com/docs/cli/commands/run).
+      </Tip>
+      </Step>
+    </Steps>
+
+  </Accordion>
+</AccordionGroup>

docs/integrations/cicd/gitlab.mdx

@@ -77,11 +77,12 @@ description: "How to sync secrets from Infisical to GitLab"
         </Steps>
       </Accordion>
     </AccordionGroup>
+
   </Tab>
   <Tab title="Self-Hosted Setup">
     Using the GitLab integration on a self-hosted instance of Infisical requires configuring an application in GitLab
     and registering your instance with it.
-    
+    <Tip>If you're self-hosting Gitlab with custom certificates, you will have to configure your Infisical instance to trust these certificates. To learn how, please follow [this guide](../../self-hosting/guides/custom-certificates).</Tip>
     <Steps>
       <Step title="Create an OAuth application in GitLab">
         Navigate to your user Settings > Applications to create a new GitLab application.
@@ -111,6 +112,6 @@ description: "How to sync secrets from Infisical to GitLab"
         Once added, restart your Infisical instance and use the GitLab integration.
       </Step>
     </Steps>
+
   </Tab>
 </Tabs>
-

docs/mint.json

@@ -222,7 +222,8 @@
           "group": "Guides",
           "pages": [
             "self-hosting/configuration/schema-migrations",
-            "self-hosting/guides/mongo-to-postgres"
+            "self-hosting/guides/mongo-to-postgres",
+            "self-hosting/guides/custom-certificates"
           ]
         },
         {
@@ -419,7 +420,9 @@
           "pages": [
             "api-reference/endpoints/identities/create",
             "api-reference/endpoints/identities/update",
-            "api-reference/endpoints/identities/delete"
+            "api-reference/endpoints/identities/delete",
+            "api-reference/endpoints/identities/get-by-id",
+            "api-reference/endpoints/identities/list"
           ]
         },
         {
@@ -429,9 +432,11 @@
             "api-reference/endpoints/universal-auth/attach",
             "api-reference/endpoints/universal-auth/retrieve",
             "api-reference/endpoints/universal-auth/update",
+            "api-reference/endpoints/universal-auth/revoke",
             "api-reference/endpoints/universal-auth/create-client-secret",
             "api-reference/endpoints/universal-auth/list-client-secrets",
             "api-reference/endpoints/universal-auth/revoke-client-secret",
+            "api-reference/endpoints/universal-auth/get-client-secret-by-id",
             "api-reference/endpoints/universal-auth/renew-access-token",
             "api-reference/endpoints/universal-auth/revoke-access-token"
           ]

docs/sdks/overview.mdx

@@ -19,7 +19,7 @@ From local development to production, Infisical SDKs provide the easiest way for
     <Card href="/sdks/languages/java" title="Java" icon="java" color="#e41f23">
         Manage secrets for your Java application on demand
     </Card>
-    <Card href="/sdks/languages/go" title="Go icon="golang" color="#367B99">
+    <Card href="/sdks/languages/go" title="Go" icon="golang" color="#367B99">
         Manage secrets for your Go application on demand
     </Card>
     <Card href="/sdks/languages/csharp" title="C#" icon="bars" color="#368833">

docs/self-hosting/deployment-options/docker-swarm.mdx

@@ -82,6 +82,13 @@ The [Docker stack file](https://github.com/Infisical/infisical/tree/main/docker-
 ## Deployment instructions
 
 <Steps>
+  <Step title="Install Docker on nodes">
+    Run the following on each node to install the Docker engine.
+
+    ```
+   curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh 
+   ```
+  </Step>
   <Step title="Initialize Docker Swarm on one of the VMs by running the following command">
     ```
    docker swarm init 
@@ -161,7 +168,12 @@ The [Docker stack file](https://github.com/Infisical/infisical/tree/main/docker-
   <Step title="Run schema migrations">
     Run the schema migration to initialize the database. Follow the [guide here](/self-hosting/configuration/schema-migrations) to learn how. 
 
-    To connect to the Postgres database, use the following default credentials defined in the Docker swarm: username: `postgres`,  password: `postgres` and database: `postgres`. 
+    To run the migrations, you'll need to connect to the Postgres instance deployed on your Docker swarm. The default Postgres user credentials are defined in the Docker swarm: username: `postgres`,  password: `postgres` and database: `postgres`.
+    We recommend you change these credentials when deploying to production and creating a separate DB for Infisical. 
+
+    <Info>
+      After running the schema migrations, be sure to update the `.env` file to have the correct `DB_CONNECTION_URI`.
+    </Info> 
   </Step>
 
   <Step title="View service status">

docs/self-hosting/guides/custom-certificates.mdx

@@ -0,0 +1,26 @@
+---
+title: "Adding Custom Certificates"
+description: "Learn how to configure Infisical with custom certificates"
+---
+
+By default, the Infisical Docker image includes certificates from well-known public certificate authorities.
+However, some integrations with Infisical may need to communicate with your internal services that use private certificate authorities. 
+To configure trust for custom certificates, follow these steps. This is particularly useful for connecting Infisical with self-hosted services like GitLab.
+
+## Prerequisites
+
+- Docker
+- Standalone [Infisical image](https://hub.docker.com/r/infisical/infisical)
+- Certificate public key `.pem` files
+
+## Setup
+
+1. Place all your public key `.pem` files into a single directory.
+2. Mount the directory containing the `.pem` files to the `usr/local/share/ca-certificates/` path in the Infisical container.
+3. Set the following environment variable on your Infisical container:
+   ```
+   NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
+   ```
+4. Start the Infisical container.
+
+By following these steps, your Infisical container will trust the specified certificates, allowing you to securely connect Infisical to your internal services.

frontend/src/hooks/api/ca/types.ts

@@ -81,6 +81,7 @@ export type TCreateCertificateDTO = {
   caId: string;
   friendlyName?: string;
   commonName: string;
+  altNames: string; // sans
   ttl: string; // string compatible with ms
   notBefore?: string;
   notAfter?: string;

frontend/src/hooks/api/certificates/types.ts

@@ -6,6 +6,7 @@ export type TCertificate = {
   status: CertStatus;
   friendlyName: string;
   commonName: string;
+  altNames: string;
   serialNumber: string;
   notBefore: string;
   notAfter: string;

frontend/src/hooks/api/ldapConfig/mutations.tsx

@@ -13,6 +13,7 @@ export const useCreateLDAPConfig = () => {
       url,
       bindDN,
       bindPass,
+      uniqueUserAttribute,
       searchBase,
       searchFilter,
       groupSearchBase,
@@ -24,6 +25,7 @@ export const useCreateLDAPConfig = () => {
       url: string;
       bindDN: string;
       bindPass: string;
+      uniqueUserAttribute: string;
       searchBase: string;
       searchFilter: string;
       groupSearchBase: string;
@@ -36,6 +38,7 @@ export const useCreateLDAPConfig = () => {
         url,
         bindDN,
         bindPass,
+        uniqueUserAttribute,
         searchBase,
         searchFilter,
         groupSearchBase,
@@ -60,6 +63,7 @@ export const useUpdateLDAPConfig = () => {
       url,
       bindDN,
       bindPass,
+      uniqueUserAttribute,
       searchBase,
       searchFilter,
       groupSearchBase,
@@ -71,6 +75,7 @@ export const useUpdateLDAPConfig = () => {
       url?: string;
       bindDN?: string;
       bindPass?: string;
+      uniqueUserAttribute?: string;
       searchBase?: string;
       searchFilter?: string;
       groupSearchBase?: string;
@@ -83,6 +88,7 @@ export const useUpdateLDAPConfig = () => {
         url,
         bindDN,
         bindPass,
+        uniqueUserAttribute,
         searchBase,
         searchFilter,
         groupSearchBase,

frontend/src/hooks/api/workspace/queries.tsx

@@ -22,6 +22,7 @@ import {
   ToggleAutoCapitalizationDTO,
   TUpdateWorkspaceIdentityRoleDTO,
   TUpdateWorkspaceUserRoleDTO,
+  UpdateAuditLogsRetentionDTO,
   UpdateEnvironmentDTO,
   UpdatePitVersionLimitDTO,
   Workspace
@@ -284,6 +285,21 @@ export const useUpdateWorkspaceVersionLimit = () => {
   });
 };
 
+export const useUpdateWorkspaceAuditLogsRetention = () => {
+  const queryClient = useQueryClient();
+
+  return useMutation<{}, {}, UpdateAuditLogsRetentionDTO>({
+    mutationFn: ({ projectSlug, auditLogsRetentionDays }) => {
+      return apiRequest.put(`/api/v1/workspace/${projectSlug}/audit-logs-retention`, {
+        auditLogsRetentionDays
+      });
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries(workspaceKeys.getAllUserWorkspace);
+    }
+  });
+};
+
 export const useDeleteWorkspace = () => {
   const queryClient = useQueryClient();
 

frontend/src/hooks/api/workspace/types.ts

@@ -18,6 +18,7 @@ export type Workspace = {
   autoCapitalization: boolean;
   environments: WorkspaceEnv[];
   pitVersionLimit: number;
+  auditLogsRetentionDays: number;
   slug: string;
 };
 
@@ -51,6 +52,7 @@ export type CreateWorkspaceDTO = {
 
 export type RenameWorkspaceDTO = { workspaceID: string; newWorkspaceName: string };
 export type UpdatePitVersionLimitDTO = { projectSlug: string; pitVersionLimit: number };
+export type UpdateAuditLogsRetentionDTO = { projectSlug: string; auditLogsRetentionDays: number };
 export type ToggleAutoCapitalizationDTO = { workspaceID: string; state: boolean };
 
 export type DeleteWorkspaceDTO = { workspaceID: string };

frontend/src/pages/integrations/azure-key-vault/create.tsx

@@ -3,6 +3,7 @@ import { useRouter } from "next/router";
 import queryString from "query-string";
 
 import { useCreateIntegration } from "@app/hooks/api";
+import { IntegrationSyncBehavior } from "@app/hooks/api/integrations/types";
 
 import {
   Button,
@@ -16,6 +17,18 @@ import {
 import { useGetIntegrationAuthById } from "../../../hooks/api/integrationAuth";
 import { useGetWorkspaceById } from "../../../hooks/api/workspace";
 
+const initialSyncBehaviors = [
+  {
+    label: "No Import - Overwrite all values in Azure Vault",
+    value: IntegrationSyncBehavior.OVERWRITE_TARGET
+  },
+  {
+    label: "Import - Prefer values from Azure Vault",
+    value: IntegrationSyncBehavior.PREFER_TARGET
+  },
+  { label: "Import - Prefer values from Infisical", value: IntegrationSyncBehavior.PREFER_SOURCE }
+];
+
 export default function AzureKeyVaultCreateIntegrationPage() {
   const router = useRouter();
   const { mutateAsync } = useCreateIntegration();
@@ -30,6 +43,9 @@ export default function AzureKeyVaultCreateIntegrationPage() {
 
   const [vaultBaseUrl, setVaultBaseUrl] = useState("");
   const [vaultBaseUrlErrorText, setVaultBaseUrlErrorText] = useState("");
+  const [initialSyncBehavior, setInitialSyncBehavior] = useState(
+    IntegrationSyncBehavior.PREFER_SOURCE
+  );
 
   const [isLoading, setIsLoading] = useState(false);
 
@@ -59,7 +75,10 @@ export default function AzureKeyVaultCreateIntegrationPage() {
         isActive: true,
         app: vaultBaseUrl,
         sourceEnvironment: selectedSourceEnvironment,
-        secretPath
+        secretPath,
+        metadata: {
+          initialSyncBehavior
+        }
       });
       setIsLoading(false);
 
@@ -107,6 +126,21 @@ export default function AzureKeyVaultCreateIntegrationPage() {
             onChange={(e) => setVaultBaseUrl(e.target.value)}
           />
         </FormControl>
+        <FormControl label="Initial Sync Behavior">
+          <Select
+            value={initialSyncBehavior}
+            onValueChange={(e) => setInitialSyncBehavior(e as IntegrationSyncBehavior)}
+            className="w-full"
+          >
+            {initialSyncBehaviors.map((b) => {
+              return (
+                <SelectItem value={b.value} key={`sync-behavior-${b.value}`}>
+                  {b.label}
+                </SelectItem>
+              );
+            })}
+          </Select>
+        </FormControl>
         <Button
           onClick={handleButtonClick}
           color="mineshaft"

frontend/src/views/IntegrationsPage/components/IntegrationsSection/IntegrationsSection.tsx

@@ -297,6 +297,7 @@ export const IntegrationsSection = ({
           (popUp?.deleteConfirmation?.data as TIntegration)?.app ||
           (popUp?.deleteConfirmation?.data as TIntegration)?.owner ||
           (popUp?.deleteConfirmation?.data as TIntegration)?.path ||
+          (popUp?.deleteConfirmation?.data as TIntegration)?.integration ||
           ""
         }
         onDeleteApproved={async () =>

frontend/src/views/Project/CertificatesPage/components/CertificatesTab/components/CertificateModal.tsx

@@ -24,6 +24,7 @@ const schema = z.object({
   caId: z.string(),
   friendlyName: z.string(),
   commonName: z.string().trim().min(1),
+  altNames: z.string(),
   ttl: z.string().trim()
 });
 
@@ -71,6 +72,7 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
         caId: cert.caId,
         friendlyName: cert.friendlyName,
         commonName: cert.commonName,
+        altNames: cert.altNames,
         ttl: ""
       });
     } else {
@@ -78,12 +80,13 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
         caId: "",
         friendlyName: "",
         commonName: "",
+        altNames: "",
         ttl: ""
       });
     }
   }, [cert]);
 
-  const onFormSubmit = async ({ caId, friendlyName, commonName, ttl }: FormData) => {
+  const onFormSubmit = async ({ caId, friendlyName, commonName, altNames, ttl }: FormData) => {
     try {
       if (!currentWorkspace?.slug) return;
 
@@ -92,6 +95,7 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
         caId,
         friendlyName,
         commonName,
+        altNames,
         ttl
       });
 
@@ -192,6 +196,24 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
                 </FormControl>
               )}
             />
+            <Controller
+              control={control}
+              defaultValue=""
+              name="altNames"
+              render={({ field, fieldState: { error } }) => (
+                <FormControl
+                  label="Alternative Names (SANs)"
+                  isError={Boolean(error)}
+                  errorText={error?.message}
+                >
+                  <Input
+                    {...field}
+                    placeholder="app1.acme.com, app2.acme.com, ..."
+                    isDisabled={Boolean(cert)}
+                  />
+                </FormControl>
+              )}
+            />
             <Controller
               control={control}
               name="ttl"

frontend/src/views/SecretMainPage/components/SecretListView/SecretDetaiSidebar.tsx

@@ -7,6 +7,7 @@ import {
   faCircleDot,
   faClock,
   faPlus,
+  faShare,
   faTag
 } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
@@ -57,6 +58,7 @@ type Props = {
   ) => Promise<void>;
   tags: WsTag[];
   onCreateTag: () => void;
+  handleSecretShare: (value: string) => void;
 };
 
 export const SecretDetailSidebar = ({
@@ -69,7 +71,8 @@ export const SecretDetailSidebar = ({
   tags,
   onCreateTag,
   environment,
-  secretPath
+  secretPath,
+  handleSecretShare
 }: Props) => {
   const {
     register,
@@ -381,7 +384,7 @@ export const SecretDetailSidebar = ({
                   rows={5}
                 />
               </FormControl>
-              <div className="my-2 mb-6 border-b border-mineshaft-600 pb-4">
+              <div className="my-2 mb-4 border-b border-mineshaft-600 pb-4">
                 <Controller
                   control={control}
                   name="skipMultilineEncoding"
@@ -412,7 +415,17 @@ export const SecretDetailSidebar = ({
                   )}
                 />
               </div>
-              <div className="dark mb-4 flex-grow text-sm text-bunker-300">
+              <div className="ml-1 flex items-center space-x-2">
+                <Button
+                  className="px-2 py-1"
+                  variant="outline_bg"
+                  leftIcon={<FontAwesomeIcon icon={faShare} />}
+                  onClick={() => handleSecretShare(secret.valueOverride ?? secret.value)}
+                >
+                  Share Secret
+                </Button>
+              </div>
+              <div className="dark mt-4 mb-4 flex-grow text-sm text-bunker-300">
                 <div className="mb-2">Version History</div>
                 <div className="flex h-48 flex-col space-y-2 overflow-y-auto overflow-x-hidden rounded-md border border-mineshaft-600 bg-bunker-800 p-2 dark:[color-scheme:dark]">
                   {secretVersion?.map(({ createdAt, value, id }, i) => (

frontend/src/views/SecretMainPage/components/SecretListView/SecretItem.tsx

@@ -61,6 +61,7 @@ type Props = {
   onCreateTag: () => void;
   environment: string;
   secretPath: string;
+  handleSecretShare: () => void;
 };
 
 export const SecretItem = memo(
@@ -75,7 +76,8 @@ export const SecretItem = memo(
     onCreateTag,
     onToggleSecretSelect,
     environment,
-    secretPath
+    secretPath,
+    handleSecretShare
   }: Props) => {
     const { currentWorkspace } = useWorkspace();
     const { permission } = useProjectPermission();
@@ -420,7 +422,8 @@ export const SecretItem = memo(
                       <Tooltip
                         content={
                           secretReminderRepeatDays && secretReminderRepeatDays > 0
-                            ? `Every ${secretReminderRepeatDays} day${Number(secretReminderRepeatDays) > 1 ? "s" : ""
+                            ? `Every ${secretReminderRepeatDays} day${
+                                Number(secretReminderRepeatDays) > 1 ? "s" : ""
                               }
                           `
                             : "Reminder"
@@ -461,6 +464,20 @@ export const SecretItem = memo(
                         </PopoverTrigger>
                       )}
                     </ProjectPermissionCan>
+                    <IconButton
+                      className="w-0 overflow-hidden p-0 group-hover:mr-2 group-hover:w-5 data-[state=open]:w-6"
+                      variant="plain"
+                      size="md"
+                      ariaLabel="share-secret"
+                      onClick={handleSecretShare}
+                    >
+                      <Tooltip content="Share Secret">
+                        <FontAwesomeSymbol
+                          className="h-3.5 w-3.5"
+                          symbolName={FontAwesomeSpriteName.ShareSecret}
+                        />
+                      </Tooltip>
+                    </IconButton>
                     <PopoverContent
                       className="w-auto border border-mineshaft-600 bg-mineshaft-800 p-2 drop-shadow-2xl"
                       sticky="always"

frontend/src/views/SecretMainPage/components/SecretListView/SecretListView.tsx

@@ -13,6 +13,7 @@ import { secretKeys } from "@app/hooks/api/secrets/queries";
 import { DecryptedSecret, SecretType } from "@app/hooks/api/secrets/types";
 import { secretSnapshotKeys } from "@app/hooks/api/secretSnapshots/queries";
 import { UserWsKeyPair, WsTag } from "@app/hooks/api/types";
+import { AddShareSecretModal } from "@app/views/ShareSecretPage/components/AddShareSecretModal";
 
 import { useSelectedSecretActions, useSelectedSecrets } from "../../SecretMainPage.store";
 import { Filter, GroupBy, SortDir } from "../../SecretMainPage.types";
@@ -95,7 +96,8 @@ export const SecretListView = ({
   const { popUp, handlePopUpToggle, handlePopUpOpen, handlePopUpClose } = usePopUp([
     "deleteSecret",
     "secretDetail",
-    "createTag"
+    "createTag",
+    "createSharedSecret"
   ] as const);
 
   // strip of side effect queries
@@ -365,6 +367,11 @@ export const SecretListView = ({
                   onDeleteSecret={onDeleteSecret}
                   onDetailViewSecret={onDetailViewSecret}
                   onCreateTag={onCreateTag}
+                  handleSecretShare={() =>
+                    handlePopUpOpen("createSharedSecret", {
+                      value: secret.valueOverride ?? secret.value
+                    })
+                  }
                 />
               ))}
             </div>
@@ -391,11 +398,18 @@ export const SecretListView = ({
         onSaveSecret={handleSaveSecret}
         tags={wsTags}
         onCreateTag={() => handlePopUpOpen("createTag")}
+        handleSecretShare={(value: string) => handlePopUpOpen("createSharedSecret", { value })}
       />
       <CreateTagModal
         isOpen={popUp.createTag.isOpen}
         onToggle={(isOpen) => handlePopUpToggle("createTag", isOpen)}
       />
+      <AddShareSecretModal
+        popUp={popUp}
+        handlePopUpToggle={handlePopUpToggle}
+        isPublic={false}
+        inModal
+      />
     </>
   );
 };

frontend/src/views/SecretMainPage/components/SecretListView/SecretListView.utils.ts

@@ -10,6 +10,7 @@ import {
   faCopy,
   faEllipsis,
   faKey,
+  faShare,
   faTags
 } from "@fortawesome/free-solid-svg-icons";
 import { z } from "zod";
@@ -66,7 +67,8 @@ export enum FontAwesomeSpriteName {
   Override = "secret-override",
   Close = "close",
   CheckedCircle = "check-circle",
-  ReplicatedSecretKey = "secret-replicated"
+  ReplicatedSecretKey = "secret-replicated",
+  ShareSecret = "share-secret"
 }
 
 // this is an optimization technique
@@ -82,5 +84,6 @@ export const FontAwesomeSpriteSymbols = [
   { icon: faCodeBranch, symbol: FontAwesomeSpriteName.Override },
   { icon: faClose, symbol: FontAwesomeSpriteName.Close },
   { icon: faCheckCircle, symbol: FontAwesomeSpriteName.CheckedCircle },
-  { icon: faClone, symbol: FontAwesomeSpriteName.ReplicatedSecretKey }
+  { icon: faClone, symbol: FontAwesomeSpriteName.ReplicatedSecretKey },
+  { icon: faShare, symbol: FontAwesomeSpriteName.ShareSecret }
 ];

frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/LDAPModal.tsx

@@ -20,6 +20,7 @@ const LDAPFormSchema = z.object({
   bindPass: z.string().default(""),
   searchBase: z.string().default(""),
   searchFilter: z.string().default(""),
+  uniqueUserAttribute: z.string().default(""),
   groupSearchBase: z.string().default(""),
   groupSearchFilter: z.string().default(""),
   caCert: z.string().optional()
@@ -53,6 +54,7 @@ export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props)
   const watchGroupSearchBase = watch("groupSearchBase");
   const watchGroupSearchFilter = watch("groupSearchFilter");
   const watchCaCert = watch("caCert");
+  const watchUniqueUserAttribute = watch("uniqueUserAttribute");
 
   useEffect(() => {
     if (data) {
@@ -64,7 +66,8 @@ export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props)
         searchFilter: data?.searchFilter ?? "",
         groupSearchBase: data?.groupSearchBase ?? "",
         groupSearchFilter: data?.groupSearchFilter ?? "",
-        caCert: data?.caCert ?? ""
+        caCert: data?.caCert ?? "",
+        uniqueUserAttribute: data?.uniqueUserAttribute ?? ""
       });
     }
   }, [data]);
@@ -73,6 +76,7 @@ export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props)
     url,
     bindDN,
     bindPass,
+    uniqueUserAttribute,
     searchBase,
     searchFilter,
     groupSearchBase,
@@ -92,6 +96,7 @@ export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props)
           bindPass,
           searchBase,
           searchFilter,
+          uniqueUserAttribute,
           groupSearchBase,
           groupSearchFilter,
           caCert
@@ -105,6 +110,7 @@ export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props)
           bindPass,
           searchBase,
           searchFilter,
+          uniqueUserAttribute,
           groupSearchBase,
           groupSearchFilter,
           caCert
@@ -138,6 +144,7 @@ export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props)
         searchFilter: watchSearchFilter,
         groupSearchBase: watchGroupSearchBase,
         groupSearchFilter: watchGroupSearchFilter,
+        uniqueUserAttribute: watchUniqueUserAttribute,
         caCert: watchCaCert,
         shouldCloseModal: false
       });
@@ -217,6 +224,19 @@ export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props)
               </FormControl>
             )}
           />
+          <Controller
+            control={control}
+            name="uniqueUserAttribute"
+            render={({ field, fieldState: { error } }) => (
+              <FormControl
+                label="Unique User Attribute (Optional)"
+                errorText={error?.message}
+                isError={Boolean(error)}
+              >
+                <Input {...field} placeholder="uidNumber" />
+              </FormControl>
+            )}
+          />
           <Controller
             control={control}
             name="searchFilter"

frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgLDAPSection.tsx

@@ -67,6 +67,7 @@ export const OrgLDAPSection = (): JSX.Element => {
             url: "",
             bindDN: "",
             bindPass: "",
+            uniqueUserAttribute: "",
             searchBase: "",
             searchFilter: "",
             groupSearchBase: "",

frontend/src/views/Settings/ProjectSettingsPage/components/AuditLogsRetentionSection/AuditLogsRetentionSection.tsx

@@ -0,0 +1,128 @@
+import { Controller, useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import { createNotification } from "@app/components/notifications";
+import { Button, FormControl, Input, UpgradePlanModal } from "@app/components/v2";
+import { useProjectPermission, useSubscription, useWorkspace } from "@app/context";
+import { usePopUp } from "@app/hooks";
+import { ProjectMembershipRole } from "@app/hooks/api/roles/types";
+import { useUpdateWorkspaceAuditLogsRetention } from "@app/hooks/api/workspace/queries";
+
+const formSchema = z.object({
+  auditLogsRetentionDays: z.coerce.number().min(0)
+});
+
+type TForm = z.infer<typeof formSchema>;
+
+export const AuditLogsRetentionSection = () => {
+  const { mutateAsync: updateAuditLogsRetention } = useUpdateWorkspaceAuditLogsRetention();
+
+  const { currentWorkspace } = useWorkspace();
+  const { membership } = useProjectPermission();
+  const { subscription } = useSubscription();
+  const { popUp, handlePopUpOpen, handlePopUpToggle } = usePopUp(["upgradePlan"] as const);
+
+  const {
+    control,
+    formState: { isSubmitting, isDirty },
+    handleSubmit
+  } = useForm<TForm>({
+    resolver: zodResolver(formSchema),
+    values: {
+      auditLogsRetentionDays:
+        currentWorkspace?.auditLogsRetentionDays ?? subscription?.auditLogsRetentionDays ?? 0
+    }
+  });
+
+  if (!currentWorkspace) return null;
+
+  const handleAuditLogsRetentionSubmit = async ({ auditLogsRetentionDays }: TForm) => {
+    try {
+      if (!subscription?.auditLogs) {
+        handlePopUpOpen("upgradePlan", {
+          description: "You can only configure audit logs retention if you upgrade your plan."
+        });
+
+        return;
+      }
+
+      if (subscription && auditLogsRetentionDays > subscription?.auditLogsRetentionDays) {
+        handlePopUpOpen("upgradePlan", {
+          description:
+            "To update your audit logs retention period to a higher value, upgrade your plan."
+        });
+
+        return;
+      }
+
+      await updateAuditLogsRetention({
+        auditLogsRetentionDays,
+        projectSlug: currentWorkspace.slug
+      });
+
+      createNotification({
+        text: "Successfully updated audit logs retention period",
+        type: "success"
+      });
+    } catch (err) {
+      createNotification({
+        text: "Failed updating audit logs retention period",
+        type: "error"
+      });
+    }
+  };
+
+  // render only for dedicated/self-hosted instances of Infisical
+  if (
+    window.location.origin.includes("https://app.infisical.com") ||
+    window.location.origin.includes("https://gamma.infisical.com")
+  ) {
+    return null;
+  }
+
+  const isAdmin = membership.roles.includes(ProjectMembershipRole.Admin);
+  return (
+    <>
+      <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
+        <div className="flex w-full items-center justify-between">
+          <p className="text-xl font-semibold">Audit Logs Retention</p>
+        </div>
+        <p className="mb-4 mt-2 max-w-2xl text-sm text-gray-400">
+          Set the number of days to keep your project audit logs.
+        </p>
+        <form onSubmit={handleSubmit(handleAuditLogsRetentionSubmit)} autoComplete="off">
+          <div className="max-w-xs">
+            <Controller
+              control={control}
+              defaultValue={0}
+              name="auditLogsRetentionDays"
+              render={({ field, fieldState: { error } }) => (
+                <FormControl
+                  isError={Boolean(error)}
+                  errorText={error?.message}
+                  label="Number of days"
+                >
+                  <Input {...field} type="number" min={1} step={1} isDisabled={!isAdmin} />
+                </FormControl>
+              )}
+            />
+          </div>
+          <Button
+            colorSchema="secondary"
+            type="submit"
+            isLoading={isSubmitting}
+            disabled={!isAdmin || !isDirty}
+          >
+            Save
+          </Button>
+        </form>
+      </div>
+      <UpgradePlanModal
+        isOpen={popUp.upgradePlan.isOpen}
+        onOpenChange={(isOpen) => handlePopUpToggle("upgradePlan", isOpen)}
+        text={(popUp.upgradePlan?.data as { description: string })?.description}
+      />
+    </>
+  );
+};

frontend/src/views/Settings/ProjectSettingsPage/components/AuditLogsRetentionSection/index.tsx

@@ -0,0 +1 @@
+export { AuditLogsRetentionSection } from "./AuditLogsRetentionSection";

frontend/src/views/Settings/ProjectSettingsPage/components/ProjectGeneralTab/ProjectGeneralTab.tsx

@@ -1,3 +1,4 @@
+import { AuditLogsRetentionSection } from "../AuditLogsRetentionSection";
 import { AutoCapitalizationSection } from "../AutoCapitalizationSection";
 import { BackfillSecretReferenceSecretion } from "../BackfillSecretReferenceSection";
 import { DeleteProjectSection } from "../DeleteProjectSection";
@@ -5,6 +6,7 @@ import { E2EESection } from "../E2EESection";
 import { EnvironmentSection } from "../EnvironmentSection";
 import { PointInTimeVersionLimitSection } from "../PointInTimeVersionLimitSection";
 import { ProjectNameChangeSection } from "../ProjectNameChangeSection";
+import { RebuildSecretIndicesSection } from "../RebuildSecretIndicesSection/RebuildSecretIndicesSection";
 import { SecretTagsSection } from "../SecretTagsSection";
 
 export const ProjectGeneralTab = () => {
@@ -16,7 +18,9 @@ export const ProjectGeneralTab = () => {
       <AutoCapitalizationSection />
       <E2EESection />
       <PointInTimeVersionLimitSection />
+      <AuditLogsRetentionSection />
       <BackfillSecretReferenceSecretion />
+      <RebuildSecretIndicesSection />
       <DeleteProjectSection />
     </div>
   );

frontend/src/views/Settings/ProjectSettingsPage/components/RebuildSecretIndicesSection/RebuildSecretIndicesSection.tsx

@@ -0,0 +1,93 @@
+import { createNotification } from "@app/components/notifications";
+import {
+  decryptAssymmetric,
+  decryptSymmetric
+} from "@app/components/utilities/cryptography/crypto";
+import { Button } from "@app/components/v2";
+import { useProjectPermission, useWorkspace } from "@app/context";
+import { useToggle } from "@app/hooks";
+import { useGetUserWsKey, useNameWorkspaceSecrets } from "@app/hooks/api";
+import { ProjectMembershipRole } from "@app/hooks/api/roles/types";
+import { fetchWorkspaceSecrets } from "@app/hooks/api/workspace/queries";
+
+export const RebuildSecretIndicesSection = () => {
+  const { currentWorkspace } = useWorkspace();
+  const { membership } = useProjectPermission();
+  const nameWorkspaceSecrets = useNameWorkspaceSecrets();
+
+  const [isIndexing, setIsIndexing] = useToggle();
+  const { data: decryptFileKey } = useGetUserWsKey(currentWorkspace?.id!);
+
+  if (!currentWorkspace) return null;
+
+  const onRebuildIndices = async () => {
+    if (!currentWorkspace?.id) return;
+    setIsIndexing.on();
+    try {
+      const encryptedSecrets = await fetchWorkspaceSecrets(currentWorkspace.id);
+
+      if (!currentWorkspace || !decryptFileKey) {
+        return;
+      }
+
+      const key = decryptAssymmetric({
+        ciphertext: decryptFileKey.encryptedKey,
+        nonce: decryptFileKey.nonce,
+        publicKey: decryptFileKey.sender.publicKey,
+        privateKey: localStorage.getItem("PRIVATE_KEY") as string
+      });
+
+      const secretsToUpdate = encryptedSecrets.map((encryptedSecret) => {
+        const secretName = decryptSymmetric({
+          ciphertext: encryptedSecret.secretKeyCiphertext,
+          iv: encryptedSecret.secretKeyIV,
+          tag: encryptedSecret.secretKeyTag,
+          key
+        });
+
+        return {
+          secretName,
+          secretId: encryptedSecret.id
+        };
+      });
+      await nameWorkspaceSecrets.mutateAsync({
+        workspaceId: currentWorkspace.id,
+        secretsToUpdate
+      });
+
+      createNotification({
+        text: "Successfully rebuilt secret indices",
+        type: "success"
+      });
+    } catch (err) {
+      console.log(err);
+    } finally {
+      setIsIndexing.off();
+    }
+  };
+
+  const isAdmin = membership.roles.includes(ProjectMembershipRole.Admin);
+
+  if (!isAdmin) {
+    return null;
+  }
+
+  return (
+    <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
+      <div className="flex w-full items-center justify-between">
+        <p className="text-xl font-semibold">Rebuild Secret Indices</p>
+      </div>
+      <p className="mb-4 mt-2 max-w-2xl text-sm text-gray-400">
+        This will rebuild indices of all secrets in the project.
+      </p>
+      <Button
+        variant="outline_bg"
+        isLoading={isIndexing}
+        onClick={onRebuildIndices}
+        isDisabled={!isAdmin}
+      >
+        Rebuild Secret Indices
+      </Button>
+    </div>
+  );
+};

frontend/src/views/ShareSecretPage/components/AddShareSecretForm.tsx

@@ -6,14 +6,7 @@ import * as yup from "yup";
 
 import { createNotification } from "@app/components/notifications";
 import { encryptSymmetric } from "@app/components/utilities/cryptography/crypto";
-import {
+import { Button, FormControl, Input, ModalClose, Select, SelectItem } from "@app/components/v2";
-  Button,
-  FormControl,
-  Input,
-  ModalClose,
-  Select,
-  SelectItem
-} from "@app/components/v2";
 import { useCreatePublicSharedSecret, useCreateSharedSecret } from "@app/hooks/api/secretSharing";
 
 const schema = yup.object({
@@ -31,7 +24,8 @@ export const AddShareSecretForm = ({
   handleSubmit,
   control,
   isSubmitting,
-  setNewSharedSecret
+  setNewSharedSecret,
+  isInputDisabled
 }: {
   isPublic: boolean;
   inModal: boolean;
@@ -39,6 +33,7 @@ export const AddShareSecretForm = ({
   control: any;
   isSubmitting: boolean;
   setNewSharedSecret: (value: string) => void;
+  isInputDisabled?: boolean;
 }) => {
   const publicSharedSecretCreator = useCreatePublicSharedSecret();
   const privateSharedSecretCreator = useCreateSharedSecret();
@@ -124,12 +119,13 @@ export const AddShareSecretForm = ({
   };
   return (
     <form className="flex w-full flex-col items-center" onSubmit={handleSubmit(onFormSubmit)}>
-      <div className={`${!inModal && "border border-mineshaft-600 bg-mineshaft-800 rounded-md p-6"}`}>
+      <div
+        className={`${!inModal && "rounded-md border border-mineshaft-600 bg-mineshaft-800 p-6"}`}
+      >
         <div className="mb-4">
           <Controller
             control={control}
             name="value"
-            defaultValue=""
             render={({ field, fieldState: { error } }) => (
               <FormControl
                 label="Shared Secret"
@@ -137,16 +133,17 @@ export const AddShareSecretForm = ({
                 errorText={error?.message}
               >
                 <textarea
+                  disabled={isInputDisabled}
                   placeholder="Enter sensitive data to share via an encrypted link..."
                   {...field}
-                  className="py-1.5 w-full h-40 placeholder:text-mineshaft-400 rounded-md transition-all group-hover:mr-2 text-bunker-300 hover:border-primary-400/30 focus:border-primary-400/50 outline-none border border-mineshaft-600 bg-mineshaft-900 px-2 min-h-[70px]"
+                  className="h-40 min-h-[70px] w-full rounded-md border border-mineshaft-600 bg-mineshaft-900 py-1.5 px-2 text-bunker-300 outline-none transition-all placeholder:text-mineshaft-400 hover:border-primary-400/30 focus:border-primary-400/50 group-hover:mr-2"
                 />
               </FormControl>
             )}
           />
         </div>
         <div className="flex w-full flex-row justify-center">
-          <div className="hidden sm:block sm:w-2/6 flex">
+          <div className="flex hidden sm:block sm:w-2/6">
             <Controller
               control={control}
               name="expiresAfterViews"
@@ -163,12 +160,12 @@ export const AddShareSecretForm = ({
               )}
             />
           </div>
-          <div className="hidden sm:flex sm:w-1/7 items-center justify-center px-2 mx-auto">
+          <div className="sm:w-1/7 mx-auto hidden items-center justify-center px-2 sm:flex">
             <p className="px-4 text-sm text-gray-400">OR</p>
           </div>
-          <div className="w-full sm:w-3/6 flex justify-end">
+          <div className="flex w-full justify-end sm:w-3/6">
             <div className="flex justify-start">
-              <div className="flex w-full pr-2 justify-center">
+              <div className="flex w-full justify-center pr-2">
                 <Controller
                   control={control}
                   name="expiresInValue"

frontend/src/views/ShareSecretPage/components/AddShareSecretModal.tsx

@@ -34,6 +34,7 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
     control,
     reset,
     handleSubmit,
+    setValue,
     formState: { isSubmitting }
   } = useForm<FormData>({
     resolver: yupResolver(schema)
@@ -45,6 +46,8 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
     initialState: false
   });
 
+  const [isSecretInputDisabled, setIsSecretInputDisabled] = useState(false);
+
   const copyUrlToClipboard = () => {
     navigator.clipboard.writeText(newSharedSecret);
     setIsUrlCopied(true);
@@ -55,6 +58,13 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
     }
   }, [isUrlCopied]);
 
+  useEffect(() => {
+    if (popUp.createSharedSecret.data) {
+      setValue("value", (popUp.createSharedSecret.data as { value: string }).value);
+      setIsSecretInputDisabled(true);
+    }
+  }, [popUp.createSharedSecret.data]);
+
   // eslint-disable-next-line no-nested-ternary
   return inModal ? (
     <Modal
@@ -63,6 +73,7 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
         handlePopUpToggle("createSharedSecret", open);
         reset();
         setNewSharedSecret("");
+        setIsSecretInputDisabled(false);
       }}
     >
       <ModalContent
@@ -77,6 +88,7 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
             handleSubmit={handleSubmit}
             isSubmitting={isSubmitting}
             setNewSharedSecret={setNewSharedSecret}
+            isInputDisabled={isSecretInputDisabled}
           />
         ) : (
           <ViewAndCopySharedSecret
@@ -96,6 +108,7 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
       handleSubmit={handleSubmit}
       isSubmitting={isSubmitting}
       setNewSharedSecret={setNewSharedSecret}
+      isInputDisabled={isSecretInputDisabled}
     />
   ) : (
     <ViewAndCopySharedSecret