Merge branch 'main' into docs/update-net-sdk

feat: add kubernetes dynamic secret

backend/e2e-test/vitest-environment-knex.ts

@@ -15,8 +15,8 @@ import { mockSmtpServer } from "./mocks/smtp";
 import { initDbConnection } from "@app/db";
 import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
-import { Redis } from "ioredis";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
+import { buildRedisFromConfig } from "@app/lib/config/redis";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -30,7 +30,7 @@ export default {
       dbRootCert: envConfig.DB_ROOT_CERT
     });
 
-    const redis = new Redis(envConfig.REDIS_URL);
+    const redis = buildRedisFromConfig(envConfig);
     await redis.flushdb("SYNC");
 
     try {
@@ -55,8 +55,8 @@ export default {
       });
 
       const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(envConfig.REDIS_URL, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
-      const keyStore = keyStoreFactory(envConfig.REDIS_URL);
+      const queue = queueServiceFactory(envConfig, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
+      const keyStore = keyStoreFactory(envConfig);
 
       const hsmModule = initializeHsmModule(envConfig);
       hsmModule.initialize();

backend/package.json

@@ -131,6 +131,7 @@
     "@aws-sdk/client-elasticache": "^3.637.0",
     "@aws-sdk/client-iam": "^3.525.0",
     "@aws-sdk/client-kms": "^3.609.0",
+    "@aws-sdk/client-route-53": "^3.810.0",
     "@aws-sdk/client-secrets-manager": "^3.504.0",
     "@aws-sdk/client-sts": "^3.600.0",
     "@casl/ability": "^6.5.0",
@@ -174,6 +175,7 @@
     "@slack/oauth": "^3.0.2",
     "@slack/web-api": "^7.8.0",
     "@ucast/mongo2js": "^1.3.4",
+    "acme-client": "^5.4.0",
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
     "aws-sdk": "^2.1553.0",

backend/src/@types/fastify.d.ts

@@ -53,6 +53,7 @@ import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
+import { TInternalCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
@@ -68,6 +69,7 @@ import { TIdentityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
 import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
+import { TIdentityOciAuthServiceFactory } from "@app/services/identity-oci-auth/identity-oci-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
@@ -109,6 +111,7 @@ import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integ
 declare module "@fastify/request-context" {
   interface RequestContextData {
     reqId: string;
+    orgId?: string;
     identityAuthInfo?: {
       identityId: string;
       oidc?: {
@@ -209,6 +212,7 @@ declare module "fastify" {
       identityGcpAuth: TIdentityGcpAuthServiceFactory;
       identityAwsAuth: TIdentityAwsAuthServiceFactory;
       identityAzureAuth: TIdentityAzureAuthServiceFactory;
+      identityOciAuth: TIdentityOciAuthServiceFactory;
       identityOidcAuth: TIdentityOidcAuthServiceFactory;
       identityJwtAuth: TIdentityJwtAuthServiceFactory;
       identityLdapAuth: TIdentityLdapAuthServiceFactory;
@@ -266,6 +270,7 @@ declare module "fastify" {
       microsoftTeams: TMicrosoftTeamsServiceFactory;
       assumePrivileges: TAssumePrivilegeServiceFactory;
       githubOrgSync: TGithubOrgSyncServiceFactory;
+      internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -68,6 +68,9 @@ import {
   TDynamicSecrets,
   TDynamicSecretsInsert,
   TDynamicSecretsUpdate,
+  TExternalCertificateAuthorities,
+  TExternalCertificateAuthoritiesInsert,
+  TExternalCertificateAuthoritiesUpdate,
   TExternalGroupOrgRoleMappings,
   TExternalGroupOrgRoleMappingsInsert,
   TExternalGroupOrgRoleMappingsUpdate,
@@ -119,6 +122,9 @@ import {
   TIdentityMetadata,
   TIdentityMetadataInsert,
   TIdentityMetadataUpdate,
+  TIdentityOciAuths,
+  TIdentityOciAuthsInsert,
+  TIdentityOciAuthsUpdate,
   TIdentityOidcAuths,
   TIdentityOidcAuthsInsert,
   TIdentityOidcAuthsUpdate,
@@ -152,6 +158,9 @@ import {
   TIntegrations,
   TIntegrationsInsert,
   TIntegrationsUpdate,
+  TInternalCertificateAuthorities,
+  TInternalCertificateAuthoritiesInsert,
+  TInternalCertificateAuthoritiesUpdate,
   TInternalKms,
   TInternalKmsInsert,
   TInternalKmsUpdate,
@@ -535,6 +544,16 @@ declare module "knex/types/tables" {
       TCertificateAuthorityCrlInsert,
       TCertificateAuthorityCrlUpdate
     >;
+    [TableName.InternalCertificateAuthority]: KnexOriginal.CompositeTableType<
+      TInternalCertificateAuthorities,
+      TInternalCertificateAuthoritiesInsert,
+      TInternalCertificateAuthoritiesUpdate
+    >;
+    [TableName.ExternalCertificateAuthority]: KnexOriginal.CompositeTableType<
+      TExternalCertificateAuthorities,
+      TExternalCertificateAuthoritiesInsert,
+      TExternalCertificateAuthoritiesUpdate
+    >;
     [TableName.Certificate]: KnexOriginal.CompositeTableType<TCertificates, TCertificatesInsert, TCertificatesUpdate>;
     [TableName.CertificateTemplate]: KnexOriginal.CompositeTableType<
       TCertificateTemplates,
@@ -738,6 +757,11 @@ declare module "knex/types/tables" {
       TIdentityAzureAuthsInsert,
       TIdentityAzureAuthsUpdate
     >;
+    [TableName.IdentityOciAuth]: KnexOriginal.CompositeTableType<
+      TIdentityOciAuths,
+      TIdentityOciAuthsInsert,
+      TIdentityOciAuthsUpdate
+    >;
     [TableName.IdentityOidcAuth]: KnexOriginal.CompositeTableType<
       TIdentityOidcAuths,
       TIdentityOidcAuthsInsert,

backend/src/db/migrations/20250429203304_certificates-ca-relation-removal.ts

@@ -0,0 +1,44 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    const hasProjectIdColumn = await knex.schema.hasColumn(TableName.Certificate, "projectId");
+    if (!hasProjectIdColumn) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.string("projectId", 36).nullable();
+        t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      });
+
+      await knex.raw(`
+          UPDATE "${TableName.Certificate}" cert
+          SET "projectId" = ca."projectId"
+          FROM "${TableName.CertificateAuthority}" ca
+          WHERE cert."caId" = ca.id
+        `);
+
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.string("projectId").notNullable().alter();
+      });
+    }
+
+    await knex.schema.alterTable(TableName.Certificate, (t) => {
+      t.uuid("caId").nullable().alter();
+      t.uuid("caCertId").nullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    if (await knex.schema.hasColumn(TableName.Certificate, "projectId")) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.dropForeign("projectId");
+        t.dropColumn("projectId");
+      });
+    }
+  }
+
+  // Altering back to notNullable for caId and caCertId will fail
+}

backend/src/db/migrations/20250430174352_email-case-change.ts

@@ -0,0 +1,47 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEmail = await knex.schema.hasColumn(TableName.Users, "email");
+  const hasUsername = await knex.schema.hasColumn(TableName.Users, "username");
+  if (hasEmail) {
+    await knex(TableName.Users)
+      .where({ isGhost: false })
+      .update({
+        // @ts-expect-error email assume string this is expected
+        email: knex.raw("lower(email)")
+      });
+  }
+  if (hasUsername) {
+    await knex.schema.raw(`
+      CREATE INDEX IF NOT EXISTS ${TableName.Users}_lower_username_idx 
+      ON ${TableName.Users} (LOWER(username))
+    `);
+
+    const duplicatesSubquery = knex(TableName.Users)
+      .select(knex.raw("lower(username) as lowercase_username"))
+      .groupBy("lowercase_username")
+      .having(knex.raw("count(*)"), ">", 1);
+
+    // Update usernames to lowercase where they won't create duplicates
+    await knex(TableName.Users)
+      .where({ isGhost: false })
+      .whereRaw("username <> lower(username)") // Only update if not already lowercase
+      // @ts-expect-error username assume string this is expected
+      .whereNotIn(knex.raw("lower(username)"), duplicatesSubquery)
+      .update({
+        // @ts-expect-error username assume string this is expected
+        username: knex.raw("lower(username)")
+      });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasUsername = await knex.schema.hasColumn(TableName.Users, "username");
+  if (hasUsername) {
+    await knex.schema.raw(`
+  DROP INDEX IF EXISTS ${TableName.Users}_lower_username_idx
+`);
+  }
+}

backend/src/db/migrations/20250508210717_identity-oci-auth.ts

@@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityOciAuth))) {
+    await knex.schema.createTable(TableName.IdentityOciAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
+
+      t.string("tenancyOcid").notNullable();
+      t.string("allowedUsernames").nullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityOciAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityOciAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityOciAuth);
+}

backend/src/db/migrations/20250512103022_identity-kubernetes-auth-gateway.ts

@@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasGatewayIdColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "gatewayId");
+
+  if (!hasGatewayIdColumn) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
+      table.uuid("gatewayId").nullable();
+      table.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("SET NULL");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasGatewayIdColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "gatewayId");
+
+  if (hasGatewayIdColumn) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
+      table.dropForeign("gatewayId");
+      table.dropColumn("gatewayId");
+    });
+  }
+}

backend/src/db/migrations/20250513081738_remove-gateway-project-link.ts

@@ -0,0 +1,110 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { selectAllTableCols } from "@app/lib/knex";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+// Note(daniel): We aren't dropping tables or columns in this migrations so we can easily rollback if needed.
+// In the future we need to drop the projectGatewayId on the dynamic secrets table, and drop the project_gateways table entirely.
+
+const BATCH_SIZE = 500;
+
+export async function up(knex: Knex): Promise<void> {
+  // eslint-disable-next-line no-param-reassign
+  knex.replicaNode = () => {
+    return knex;
+  };
+
+  if (!(await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId"))) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (table) => {
+      table.uuid("gatewayId").nullable();
+      table.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("SET NULL");
+
+      table.index("gatewayId");
+    });
+
+    const existingDynamicSecretsWithProjectGatewayId = await knex(TableName.DynamicSecret)
+      .select(selectAllTableCols(TableName.DynamicSecret))
+      .whereNotNull(`${TableName.DynamicSecret}.projectGatewayId`)
+      .join(TableName.ProjectGateway, `${TableName.ProjectGateway}.id`, `${TableName.DynamicSecret}.projectGatewayId`)
+      .whereNotNull(`${TableName.ProjectGateway}.gatewayId`)
+      .select(
+        knex.ref("projectId").withSchema(TableName.ProjectGateway).as("projectId"),
+        knex.ref("gatewayId").withSchema(TableName.ProjectGateway).as("projectGatewayGatewayId")
+      );
+
+    initLogger();
+    const envConfig = getMigrationEnvConfig();
+    const keyStore = inMemoryKeyStore();
+    const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+
+    const updatedDynamicSecrets = await Promise.all(
+      existingDynamicSecretsWithProjectGatewayId.map(async (existingDynamicSecret) => {
+        if (!existingDynamicSecret.projectGatewayGatewayId) {
+          const result = {
+            ...existingDynamicSecret,
+            gatewayId: null
+          };
+
+          const { projectId, projectGatewayGatewayId, ...rest } = result;
+          return rest;
+        }
+
+        const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+          type: KmsDataKey.SecretManager,
+          projectId: existingDynamicSecret.projectId
+        });
+        const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
+          type: KmsDataKey.SecretManager,
+          projectId: existingDynamicSecret.projectId
+        });
+
+        let decryptedStoredInput = JSON.parse(
+          secretManagerDecryptor({ cipherTextBlob: Buffer.from(existingDynamicSecret.encryptedInput) }).toString()
+        ) as object;
+
+        // We're not removing the existing projectGatewayId from the input so we can easily rollback without having to re-encrypt the input
+        decryptedStoredInput = {
+          ...decryptedStoredInput,
+          gatewayId: existingDynamicSecret.projectGatewayGatewayId
+        };
+
+        const encryptedInput = secretManagerEncryptor({
+          plainText: Buffer.from(JSON.stringify(decryptedStoredInput))
+        }).cipherTextBlob;
+
+        const result = {
+          ...existingDynamicSecret,
+          encryptedInput,
+          gatewayId: existingDynamicSecret.projectGatewayGatewayId
+        };
+
+        const { projectId, projectGatewayGatewayId, ...rest } = result;
+        return rest;
+      })
+    );
+
+    for (let i = 0; i < updatedDynamicSecrets.length; i += BATCH_SIZE) {
+      // eslint-disable-next-line no-await-in-loop
+      await knex(TableName.DynamicSecret)
+        .insert(updatedDynamicSecrets.slice(i, i + BATCH_SIZE))
+        .onConflict("id")
+        .merge();
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // no re-encryption needed as we keep the old projectGatewayId in the input
+  if (await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId")) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (table) => {
+      table.dropForeign("gatewayId");
+      table.dropColumn("gatewayId");
+    });
+  }
+}

backend/src/db/migrations/20250515164622_select-org-products.ts

@@ -0,0 +1,53 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const columns = await knex.table(TableName.Organization).columnInfo();
+
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (!columns.secretsProductEnabled) {
+      t.boolean("secretsProductEnabled").defaultTo(true);
+    }
+    if (!columns.pkiProductEnabled) {
+      t.boolean("pkiProductEnabled").defaultTo(true);
+    }
+    if (!columns.kmsProductEnabled) {
+      t.boolean("kmsProductEnabled").defaultTo(true);
+    }
+    if (!columns.sshProductEnabled) {
+      t.boolean("sshProductEnabled").defaultTo(true);
+    }
+    if (!columns.scannerProductEnabled) {
+      t.boolean("scannerProductEnabled").defaultTo(true);
+    }
+    if (!columns.shareSecretsProductEnabled) {
+      t.boolean("shareSecretsProductEnabled").defaultTo(true);
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const columns = await knex.table(TableName.Organization).columnInfo();
+
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (columns.secretsProductEnabled) {
+      t.dropColumn("secretsProductEnabled");
+    }
+    if (columns.pkiProductEnabled) {
+      t.dropColumn("pkiProductEnabled");
+    }
+    if (columns.kmsProductEnabled) {
+      t.dropColumn("kmsProductEnabled");
+    }
+    if (columns.sshProductEnabled) {
+      t.dropColumn("sshProductEnabled");
+    }
+    if (columns.scannerProductEnabled) {
+      t.dropColumn("scannerProductEnabled");
+    }
+    if (columns.shareSecretsProductEnabled) {
+      t.dropColumn("shareSecretsProductEnabled");
+    }
+  });
+}

backend/src/db/migrations/20250516021501_toggle-secret-sharing-on-project.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasSecretSharingColumn = await knex.schema.hasColumn(TableName.Project, "secretSharing");
+  if (!hasSecretSharingColumn) {
+    await knex.schema.table(TableName.Project, (table) => {
+      table.boolean("secretSharing").notNullable().defaultTo(true);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasSecretSharingColumn = await knex.schema.hasColumn(TableName.Project, "secretSharing");
+  if (hasSecretSharingColumn) {
+    await knex.schema.table(TableName.Project, (table) => {
+      table.dropColumn("secretSharing");
+    });
+  }
+}

backend/src/db/migrations/20250516192508_secret-sharing-limits-for-org.ts

@@ -0,0 +1,35 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasLifetimeColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretLifetime");
+  const hasViewLimitColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretViewLimit");
+
+  if (!hasLifetimeColumn || !hasViewLimitColumn) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      if (!hasLifetimeColumn) {
+        t.integer("maxSharedSecretLifetime").nullable().defaultTo(2592000); // 30 days in seconds
+      }
+      if (!hasViewLimitColumn) {
+        t.integer("maxSharedSecretViewLimit").nullable();
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasLifetimeColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretLifetime");
+  const hasViewLimitColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretViewLimit");
+
+  if (hasLifetimeColumn || hasViewLimitColumn) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      if (hasLifetimeColumn) {
+        t.dropColumn("maxSharedSecretLifetime");
+      }
+      if (hasViewLimitColumn) {
+        t.dropColumn("maxSharedSecretViewLimit");
+      }
+    });
+  }
+}

backend/src/db/migrations/20250517002223_secret-share-to-specific-emails.ts

@@ -0,0 +1,43 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+    const hasAuthorizedEmails = await knex.schema.hasColumn(TableName.SecretSharing, "authorizedEmails");
+
+    if (!hasEncryptedSalt || !hasAuthorizedEmails) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        // These two columns are only needed when secrets are shared with a specific list of emails
+
+        if (!hasEncryptedSalt) {
+          t.binary("encryptedSalt").nullable();
+        }
+
+        if (!hasAuthorizedEmails) {
+          t.json("authorizedEmails").nullable();
+        }
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+    const hasAuthorizedEmails = await knex.schema.hasColumn(TableName.SecretSharing, "authorizedEmails");
+
+    if (hasEncryptedSalt || hasAuthorizedEmails) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        if (hasEncryptedSalt) {
+          t.dropColumn("encryptedSalt");
+        }
+
+        if (hasAuthorizedEmails) {
+          t.dropColumn("authorizedEmails");
+        }
+      });
+    }
+  }
+}

backend/src/db/migrations/20250521061831_increase-name-sizes.ts

@@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.SecretSync, (t) => {
+    t.string("name", 64).notNullable().alter();
+  });
+  await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
+    t.string("name", 64).notNullable().alter();
+  });
+  await knex.schema.alterTable(TableName.AppConnection, (t) => {
+    t.string("name", 64).notNullable().alter();
+  });
+  await knex.schema.alterTable(TableName.SecretRotationV2, (t) => {
+    t.string("name", 64).notNullable().alter();
+  });
+}
+
+export async function down(): Promise<void> {
+  // No down migration or it will error
+}

backend/src/db/migrations/20250521110635_add-external-ca-pki.ts

@@ -0,0 +1,205 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCATable = await knex.schema.hasTable(TableName.CertificateAuthority);
+  const hasExternalCATable = await knex.schema.hasTable(TableName.ExternalCertificateAuthority);
+  const hasInternalCATable = await knex.schema.hasTable(TableName.InternalCertificateAuthority);
+
+  if (hasCATable && !hasInternalCATable) {
+    await knex.schema.createTableLike(TableName.InternalCertificateAuthority, TableName.CertificateAuthority, (t) => {
+      t.uuid("caId").nullable();
+    });
+
+    // @ts-expect-error intentional: migration
+    await knex(TableName.InternalCertificateAuthority).insert(knex(TableName.CertificateAuthority).select("*"));
+    await knex(TableName.InternalCertificateAuthority).update("caId", knex.ref("id"));
+
+    await knex.schema.alterTable(TableName.InternalCertificateAuthority, (t) => {
+      t.dropColumn("projectId");
+      t.dropColumn("requireTemplateForIssuance");
+      t.dropColumn("createdAt");
+      t.dropColumn("updatedAt");
+      t.dropColumn("status");
+      t.uuid("parentCaId")
+        .nullable()
+        .references("id")
+        .inTable(TableName.CertificateAuthority)
+        .onDelete("CASCADE")
+        .alter();
+      t.uuid("activeCaCertId").nullable().references("id").inTable(TableName.CertificateAuthorityCert).alter();
+      t.uuid("caId").notNullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE").alter();
+    });
+
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.renameColumn("requireTemplateForIssuance", "enableDirectIssuance");
+      t.string("name").nullable();
+    });
+
+    // prefill name for existing internal CAs and flip enableDirectIssuance
+    const cas = await knex(TableName.CertificateAuthority).select("id", "friendlyName", "enableDirectIssuance");
+    await Promise.all(
+      cas.map((ca) => {
+        const slugifiedName = ca.friendlyName
+          ? slugify(`${ca.friendlyName.slice(0, 16)}-${alphaNumericNanoId(8)}`)
+          : slugify(alphaNumericNanoId(12));
+
+        return knex(TableName.CertificateAuthority)
+          .where({ id: ca.id })
+          .update({ name: slugifiedName, enableDirectIssuance: !ca.enableDirectIssuance });
+      })
+    );
+
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.dropColumn("parentCaId");
+      t.dropColumn("type");
+      t.dropColumn("friendlyName");
+      t.dropColumn("organization");
+      t.dropColumn("ou");
+      t.dropColumn("country");
+      t.dropColumn("province");
+      t.dropColumn("locality");
+      t.dropColumn("commonName");
+      t.dropColumn("dn");
+      t.dropColumn("serialNumber");
+      t.dropColumn("maxPathLength");
+      t.dropColumn("keyAlgorithm");
+      t.dropColumn("notBefore");
+      t.dropColumn("notAfter");
+      t.dropColumn("activeCaCertId");
+      t.boolean("enableDirectIssuance").notNullable().defaultTo(true).alter();
+      t.string("name").notNullable().alter();
+      t.unique(["name", "projectId"]);
+    });
+  }
+
+  if (!hasExternalCATable) {
+    await knex.schema.createTable(TableName.ExternalCertificateAuthority, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("type").notNullable();
+      t.uuid("appConnectionId").nullable();
+      t.foreign("appConnectionId").references("id").inTable(TableName.AppConnection);
+      t.uuid("dnsAppConnectionId").nullable();
+      t.foreign("dnsAppConnectionId").references("id").inTable(TableName.AppConnection);
+      t.uuid("caId").notNullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      t.binary("credentials");
+      t.json("configuration");
+    });
+  }
+
+  if (await knex.schema.hasTable(TableName.PkiSubscriber)) {
+    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
+      t.string("ttl").nullable().alter();
+
+      t.boolean("enableAutoRenewal").notNullable().defaultTo(false);
+      t.integer("autoRenewalPeriodInDays");
+      t.datetime("lastAutoRenewAt");
+
+      t.string("lastOperationStatus");
+      t.text("lastOperationMessage");
+      t.dateTime("lastOperationAt");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCATable = await knex.schema.hasTable(TableName.CertificateAuthority);
+  const hasExternalCATable = await knex.schema.hasTable(TableName.ExternalCertificateAuthority);
+  const hasInternalCATable = await knex.schema.hasTable(TableName.InternalCertificateAuthority);
+
+  if (hasCATable && hasInternalCATable) {
+    // First add all columns as nullable
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.uuid("parentCaId").nullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      t.string("type").nullable();
+      t.string("friendlyName").nullable();
+      t.string("organization").nullable();
+      t.string("ou").nullable();
+      t.string("country").nullable();
+      t.string("province").nullable();
+      t.string("locality").nullable();
+      t.string("commonName").nullable();
+      t.string("dn").nullable();
+      t.string("serialNumber").nullable().unique();
+      t.integer("maxPathLength").nullable();
+      t.string("keyAlgorithm").nullable();
+      t.timestamp("notBefore").nullable();
+      t.timestamp("notAfter").nullable();
+      t.uuid("activeCaCertId").nullable().references("id").inTable(TableName.CertificateAuthorityCert);
+      t.renameColumn("enableDirectIssuance", "requireTemplateForIssuance");
+      t.dropColumn("name");
+    });
+
+    // flip requireTemplateForIssuance for existing internal CAs
+    const cas = await knex(TableName.CertificateAuthority).select("id", "requireTemplateForIssuance");
+    await Promise.all(
+      cas.map((ca) => {
+        return (
+          knex(TableName.CertificateAuthority)
+            .where({ id: ca.id })
+            // @ts-expect-error intentional: migration
+            .update({ requireTemplateForIssuance: !ca.requireTemplateForIssuance })
+        );
+      })
+    );
+
+    await knex.raw(`
+      UPDATE ${TableName.CertificateAuthority} ca
+      SET
+        type = ica.type,
+        "friendlyName" = ica."friendlyName",
+        organization = ica.organization,
+        ou = ica.ou,
+        country = ica.country,
+        province = ica.province,
+        locality = ica.locality,
+        "commonName" = ica."commonName",
+        dn = ica.dn,
+        "parentCaId" = ica."parentCaId",
+        "serialNumber" = ica."serialNumber",
+        "maxPathLength" = ica."maxPathLength",
+        "keyAlgorithm" = ica."keyAlgorithm",
+        "notBefore" = ica."notBefore",
+        "notAfter" = ica."notAfter",
+        "activeCaCertId" = ica."activeCaCertId"
+      FROM ${TableName.InternalCertificateAuthority} ica
+      WHERE ca.id = ica."caId"
+    `);
+
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.string("type").notNullable().alter();
+      t.string("friendlyName").notNullable().alter();
+      t.string("organization").notNullable().alter();
+      t.string("ou").notNullable().alter();
+      t.string("country").notNullable().alter();
+      t.string("province").notNullable().alter();
+      t.string("locality").notNullable().alter();
+      t.string("commonName").notNullable().alter();
+      t.string("dn").notNullable().alter();
+      t.string("keyAlgorithm").notNullable().alter();
+      t.boolean("requireTemplateForIssuance").notNullable().defaultTo(false).alter();
+    });
+
+    await knex.schema.dropTable(TableName.InternalCertificateAuthority);
+  }
+
+  if (hasExternalCATable) {
+    await knex.schema.dropTable(TableName.ExternalCertificateAuthority);
+  }
+
+  if (await knex.schema.hasTable(TableName.PkiSubscriber)) {
+    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
+      t.dropColumn("enableAutoRenewal");
+      t.dropColumn("autoRenewalPeriodInDays");
+      t.dropColumn("lastAutoRenewAt");
+
+      t.dropColumn("lastOperationStatus");
+      t.dropColumn("lastOperationMessage");
+      t.dropColumn("lastOperationAt");
+    });
+  }
+}

backend/src/db/migrations/20250527164523_add-mi-access-token-period.ts

@@ -0,0 +1,139 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.IdentityAccessToken, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityAwsAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityOidcAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityAzureAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityAzureAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityGcpAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityJwtAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityJwtAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityLdapAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityOciAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityOciAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityTokenAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityTokenAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityAccessToken, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityAwsAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityOidcAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityAzureAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityAzureAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityGcpAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityJwtAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityJwtAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityLdapAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityOciAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityOciAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityTokenAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityTokenAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+}

backend/src/db/migrations/20250528183744_remove-encrypted-salt-from-shared-secret.ts

@@ -0,0 +1,27 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+
+    if (hasEncryptedSalt) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.dropColumn("encryptedSalt");
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+
+    if (!hasEncryptedSalt) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.binary("encryptedSalt").nullable();
+      });
+    }
+  }
+}

backend/src/db/schemas/certificate-authorities.ts

@@ -11,25 +11,10 @@ export const CertificateAuthoritiesSchema = z.object({
   id: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  parentCaId: z.string().uuid().nullable().optional(),
   projectId: z.string(),
-  type: z.string(),
+  enableDirectIssuance: z.boolean().default(true),
   status: z.string(),
-  friendlyName: z.string(),
-  organization: z.string(),
-  ou: z.string(),
-  country: z.string(),
-  province: z.string(),
-  locality: z.string(),
-  commonName: z.string(),
-  dn: z.string(),
-  serialNumber: z.string().nullable().optional(),
-  maxPathLength: z.number().nullable().optional(),
-  keyAlgorithm: z.string(),
-  notBefore: z.date().nullable().optional(),
-  notAfter: z.date().nullable().optional(),
-  activeCaCertId: z.string().uuid().nullable().optional(),
-  requireTemplateForIssuance: z.boolean().default(false)
+  name: z.string()
 });
 
 export type TCertificateAuthorities = z.infer<typeof CertificateAuthoritiesSchema>;

backend/src/db/schemas/certificates.ts

@@ -11,7 +11,7 @@ export const CertificatesSchema = z.object({
   id: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  caId: z.string().uuid(),
+  caId: z.string().uuid().nullable().optional(),
   status: z.string(),
   serialNumber: z.string(),
   friendlyName: z.string(),
@@ -21,11 +21,12 @@ export const CertificatesSchema = z.object({
   revokedAt: z.date().nullable().optional(),
   revocationReason: z.number().nullable().optional(),
   altNames: z.string().nullable().optional(),
-  caCertId: z.string().uuid(),
+  caCertId: z.string().uuid().nullable().optional(),
   certificateTemplateId: z.string().uuid().nullable().optional(),
   keyUsages: z.string().array().nullable().optional(),
   extendedKeyUsages: z.string().array().nullable().optional(),
-  pkiSubscriberId: z.string().uuid().nullable().optional()
+  pkiSubscriberId: z.string().uuid().nullable().optional(),
+  projectId: z.string()
 });
 
 export type TCertificates = z.infer<typeof CertificatesSchema>;

backend/src/db/schemas/dynamic-secrets.ts

@@ -27,7 +27,8 @@ export const DynamicSecretsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   encryptedInput: zodBuffer,
-  projectGatewayId: z.string().uuid().nullable().optional()
+  projectGatewayId: z.string().uuid().nullable().optional(),
+  gatewayId: z.string().uuid().nullable().optional()
 });
 
 export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;

backend/src/db/schemas/external-certificate-authorities.ts

@@ -0,0 +1,29 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ExternalCertificateAuthoritiesSchema = z.object({
+  id: z.string().uuid(),
+  type: z.string(),
+  appConnectionId: z.string().uuid().nullable().optional(),
+  dnsAppConnectionId: z.string().uuid().nullable().optional(),
+  caId: z.string().uuid(),
+  credentials: zodBuffer.nullable().optional(),
+  configuration: z.unknown().nullable().optional()
+});
+
+export type TExternalCertificateAuthorities = z.infer<typeof ExternalCertificateAuthoritiesSchema>;
+export type TExternalCertificateAuthoritiesInsert = Omit<
+  z.input<typeof ExternalCertificateAuthoritiesSchema>,
+  TImmutableDBKeys
+>;
+export type TExternalCertificateAuthoritiesUpdate = Partial<
+  Omit<z.input<typeof ExternalCertificateAuthoritiesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/identity-access-tokens.ts

@@ -21,7 +21,8 @@ export const IdentityAccessTokensSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   name: z.string().nullable().optional(),
-  authMethod: z.string()
+  authMethod: z.string(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityAccessTokens = z.infer<typeof IdentityAccessTokensSchema>;

backend/src/db/schemas/identity-aws-auths.ts

@@ -19,7 +19,8 @@ export const IdentityAwsAuthsSchema = z.object({
   type: z.string(),
   stsEndpoint: z.string(),
   allowedPrincipalArns: z.string(),
-  allowedAccountIds: z.string()
+  allowedAccountIds: z.string(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityAwsAuths = z.infer<typeof IdentityAwsAuthsSchema>;

backend/src/db/schemas/identity-azure-auths.ts

@@ -18,7 +18,8 @@ export const IdentityAzureAuthsSchema = z.object({
   identityId: z.string().uuid(),
   tenantId: z.string(),
   resource: z.string(),
-  allowedServicePrincipalIds: z.string()
+  allowedServicePrincipalIds: z.string(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityAzureAuths = z.infer<typeof IdentityAzureAuthsSchema>;

backend/src/db/schemas/identity-gcp-auths.ts

@@ -19,7 +19,8 @@ export const IdentityGcpAuthsSchema = z.object({
   type: z.string(),
   allowedServiceAccounts: z.string().nullable().optional(),
   allowedProjects: z.string().nullable().optional(),
-  allowedZones: z.string().nullable().optional()
+  allowedZones: z.string().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;

backend/src/db/schemas/identity-jwt-auths.ts

@@ -25,7 +25,8 @@ export const IdentityJwtAuthsSchema = z.object({
   boundClaims: z.unknown(),
   boundSubject: z.string(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityJwtAuths = z.infer<typeof IdentityJwtAuthsSchema>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -29,7 +29,9 @@ export const IdentityKubernetesAuthsSchema = z.object({
   allowedNames: z.string(),
   allowedAudience: z.string(),
   encryptedKubernetesTokenReviewerJwt: zodBuffer.nullable().optional(),
-  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional()
+  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional(),
+  gatewayId: z.string().uuid().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;

backend/src/db/schemas/identity-ldap-auths.ts

@@ -24,7 +24,8 @@ export const IdentityLdapAuthsSchema = z.object({
   searchFilter: z.string(),
   allowedFields: z.unknown().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityLdapAuths = z.infer<typeof IdentityLdapAuthsSchema>;

backend/src/db/schemas/identity-oci-auths.ts

@@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityOciAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  type: z.string(),
+  tenancyOcid: z.string(),
+  allowedUsernames: z.string().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
+});
+
+export type TIdentityOciAuths = z.infer<typeof IdentityOciAuthsSchema>;
+export type TIdentityOciAuthsInsert = Omit<z.input<typeof IdentityOciAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityOciAuthsUpdate = Partial<Omit<z.input<typeof IdentityOciAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-oidc-auths.ts

@@ -27,7 +27,8 @@ export const IdentityOidcAuthsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   encryptedCaCertificate: zodBuffer.nullable().optional(),
-  claimMetadataMapping: z.unknown().nullable().optional()
+  claimMetadataMapping: z.unknown().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>;

backend/src/db/schemas/identity-token-auths.ts

@@ -15,7 +15,8 @@ export const IdentityTokenAuthsSchema = z.object({
   accessTokenTrustedIps: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  identityId: z.string().uuid()
+  identityId: z.string().uuid(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityTokenAuths = z.infer<typeof IdentityTokenAuthsSchema>;

backend/src/db/schemas/identity-universal-auths.ts

@@ -17,7 +17,8 @@ export const IdentityUniversalAuthsSchema = z.object({
   accessTokenTrustedIps: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  identityId: z.string().uuid()
+  identityId: z.string().uuid(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityUniversalAuths = z.infer<typeof IdentityUniversalAuthsSchema>;

backend/src/db/schemas/index.ts

@@ -20,6 +20,7 @@ export * from "./certificate-templates";
 export * from "./certificates";
 export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
+export * from "./external-certificate-authorities";
 export * from "./external-group-org-role-mappings";
 export * from "./external-kms";
 export * from "./gateways";
@@ -37,6 +38,7 @@ export * from "./identity-gcp-auths";
 export * from "./identity-jwt-auths";
 export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";
+export * from "./identity-oci-auths";
 export * from "./identity-oidc-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
@@ -48,6 +50,7 @@ export * from "./identity-universal-auths";
 export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
+export * from "./internal-certificate-authorities";
 export * from "./internal-kms";
 export * from "./kmip-client-certificates";
 export * from "./kmip-clients";

backend/src/db/schemas/internal-certificate-authorities.ts

@@ -0,0 +1,38 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const InternalCertificateAuthoritiesSchema = z.object({
+  id: z.string().uuid(),
+  parentCaId: z.string().uuid().nullable().optional(),
+  type: z.string(),
+  friendlyName: z.string(),
+  organization: z.string(),
+  ou: z.string(),
+  country: z.string(),
+  province: z.string(),
+  locality: z.string(),
+  commonName: z.string(),
+  dn: z.string(),
+  serialNumber: z.string().nullable().optional(),
+  maxPathLength: z.number().nullable().optional(),
+  keyAlgorithm: z.string(),
+  notBefore: z.date().nullable().optional(),
+  notAfter: z.date().nullable().optional(),
+  activeCaCertId: z.string().uuid().nullable().optional(),
+  caId: z.string().uuid()
+});
+
+export type TInternalCertificateAuthorities = z.infer<typeof InternalCertificateAuthoritiesSchema>;
+export type TInternalCertificateAuthoritiesInsert = Omit<
+  z.input<typeof InternalCertificateAuthoritiesSchema>,
+  TImmutableDBKeys
+>;
+export type TInternalCertificateAuthoritiesUpdate = Partial<
+  Omit<z.input<typeof InternalCertificateAuthoritiesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/models.ts

@@ -13,6 +13,8 @@ export enum TableName {
   SshCertificate = "ssh_certificates",
   SshCertificateBody = "ssh_certificate_bodies",
   CertificateAuthority = "certificate_authorities",
+  ExternalCertificateAuthority = "external_certificate_authorities",
+  InternalCertificateAuthority = "internal_certificate_authorities",
   CertificateTemplateEstConfig = "certificate_template_est_configs",
   CertificateAuthorityCert = "certificate_authority_certs",
   CertificateAuthoritySecret = "certificate_authority_secret",
@@ -79,6 +81,7 @@ export enum TableName {
   IdentityAzureAuth = "identity_azure_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
   IdentityAwsAuth = "identity_aws_auths",
+  IdentityOciAuth = "identity_oci_auths",
   IdentityOidcAuth = "identity_oidc_auths",
   IdentityJwtAuth = "identity_jwt_auths",
   IdentityLdapAuth = "identity_ldap_auths",
@@ -233,6 +236,7 @@ export enum IdentityAuthMethod {
   GCP_AUTH = "gcp-auth",
   AWS_AUTH = "aws-auth",
   AZURE_AUTH = "azure-auth",
+  OCI_AUTH = "oci-auth",
   OIDC_AUTH = "oidc-auth",
   JWT_AUTH = "jwt-auth",
   LDAP_AUTH = "ldap-auth"

backend/src/db/schemas/organizations.ts

@@ -28,7 +28,15 @@ export const OrganizationsSchema = z.object({
   privilegeUpgradeInitiatedByUsername: z.string().nullable().optional(),
   privilegeUpgradeInitiatedAt: z.date().nullable().optional(),
   bypassOrgAuthEnabled: z.boolean().default(false),
-  userTokenExpiration: z.string().nullable().optional()
+  userTokenExpiration: z.string().nullable().optional(),
+  secretsProductEnabled: z.boolean().default(true).nullable().optional(),
+  pkiProductEnabled: z.boolean().default(true).nullable().optional(),
+  kmsProductEnabled: z.boolean().default(true).nullable().optional(),
+  sshProductEnabled: z.boolean().default(true).nullable().optional(),
+  scannerProductEnabled: z.boolean().default(true).nullable().optional(),
+  shareSecretsProductEnabled: z.boolean().default(true).nullable().optional(),
+  maxSharedSecretLifetime: z.number().default(2592000).nullable().optional(),
+  maxSharedSecretViewLimit: z.number().nullable().optional()
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/db/schemas/pki-subscribers.ts

@@ -16,10 +16,16 @@ export const PkiSubscribersSchema = z.object({
   name: z.string(),
   commonName: z.string(),
   subjectAlternativeNames: z.string().array(),
-  ttl: z.string(),
+  ttl: z.string().nullable().optional(),
   keyUsages: z.string().array(),
   extendedKeyUsages: z.string().array(),
-  status: z.string()
+  status: z.string(),
+  enableAutoRenewal: z.boolean().default(false),
+  autoRenewalPeriodInDays: z.number().nullable().optional(),
+  lastAutoRenewAt: z.date().nullable().optional(),
+  lastOperationStatus: z.string().nullable().optional(),
+  lastOperationMessage: z.string().nullable().optional(),
+  lastOperationAt: z.date().nullable().optional()
 });
 
 export type TPkiSubscribers = z.infer<typeof PkiSubscribersSchema>;

backend/src/db/schemas/projects.ts

@@ -27,7 +27,8 @@ export const ProjectsSchema = z.object({
   description: z.string().nullable().optional(),
   type: z.string(),
   enforceCapitalization: z.boolean().default(false),
-  hasDeleteProtection: z.boolean().default(false).nullable().optional()
+  hasDeleteProtection: z.boolean().default(false).nullable().optional(),
+  secretSharing: z.boolean().default(true)
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/secret-sharing.ts

@@ -27,7 +27,8 @@ export const SecretSharingSchema = z.object({
   password: z.string().nullable().optional(),
   encryptedSecret: zodBuffer.nullable().optional(),
   identifier: z.string().nullable().optional(),
-  type: z.string().default("share")
+  type: z.string().default("share"),
+  authorizedEmails: z.unknown().nullable().optional()
 });
 
 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -154,7 +154,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
         requestId: z.string().trim()
       }),
       body: z.object({
-        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED])
+        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED]),
+        bypassReason: z.string().min(10).max(1000).optional()
       }),
       response: {
         200: z.object({
@@ -170,7 +171,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         requestId: req.params.requestId,
-        status: req.body.status
+        status: req.body.status,
+        bypassReason: req.body.bypassReason
       });
 
       return { review };

backend/src/ee/routes/v1/app-connection-routers/oci-connection-router.ts

@@ -1,16 +1,16 @@
 import z from "zod";
 
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
   CreateOCIConnectionSchema,
   SanitizedOCIConnectionSchema,
   UpdateOCIConnectionSchema
-} from "@app/services/app-connection/oci";
+} from "@app/ee/services/app-connections/oci";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { AuthMode } from "@app/services/auth/auth-type";
 
-import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+import { registerAppConnectionEndpoints } from "../../../../server/routes/v1/app-connection-routers/app-connection-endpoints";
 
 export const registerOCIConnectionRouter = async (server: FastifyZodProvider) => {
   registerAppConnectionEndpoints({

backend/src/ee/routes/v1/gateway-router.ts

@@ -121,14 +121,7 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
             identity: z.object({
               name: z.string(),
               id: z.string()
-            }),
-            projects: z
-              .object({
-                name: z.string(),
-                id: z.string(),
-                slug: z.string()
-              })
-              .array()
+            })
           }).array()
         })
       }
@@ -158,17 +151,15 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
             identity: z.object({
               name: z.string(),
               id: z.string()
-            }),
-            projectGatewayId: z.string()
+            })
           }).array()
         })
       }
     },
     onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
     handler: async (req) => {
-      const gateways = await server.services.gateway.getProjectGateways({
-        projectId: req.params.projectId,
-        projectPermission: req.permission
+      const gateways = await server.services.gateway.listGateways({
+        orgPermission: req.permission
       });
       return { gateways };
     }
@@ -216,8 +207,7 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
         id: z.string()
       }),
       body: z.object({
-        name: slugSchema({ field: "name" }).optional(),
-        projectIds: z.string().array().optional()
+        name: slugSchema({ field: "name" }).optional()
       }),
       response: {
         200: z.object({
@@ -230,8 +220,7 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
       const gateway = await server.services.gateway.updateGatewayById({
         orgPermission: req.permission,
         id: req.params.id,
-        name: req.body.name,
-        projectIds: req.body.projectIds
+        name: req.body.name
       });
       return { gateway };
     }

backend/src/ee/routes/v1/license-router.ts

@@ -47,7 +47,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
         200: z.object({ plan: z.any() })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const plan = await server.services.license.getOrgPlan({
         actorId: req.permission.id,

backend/src/ee/routes/v1/saml-router.ts

@@ -145,7 +145,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
 
           const { isUserCompleted, providerAuthToken } = await server.services.saml.samlLogin({
             externalId: profile.nameID,
-            email,
+            email: email.toLowerCase(),
             firstName,
             lastName: lastName as string,
             relayState: (req.body as { RelayState?: string }).RelayState,

backend/src/ee/routes/v1/secret-sync-routers/oci-vault-sync-router.ts

@@ -2,11 +2,10 @@ import {
   CreateOCIVaultSyncSchema,
   OCIVaultSyncSchema,
   UpdateOCIVaultSyncSchema
-} from "@app/services/secret-sync/oci-vault";
+} from "@app/ee/services/secret-sync/oci-vault";
+import { registerSyncSecretsEndpoints } from "@app/server/routes/v1/secret-sync-routers/secret-sync-endpoints";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 
-import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
-
 export const registerOCIVaultSyncRouter = async (server: FastifyZodProvider) =>
   registerSyncSecretsEndpoints({
     destination: SecretSync.OCIVault,

backend/src/ee/routes/v1/ssh-certificate-template-router.ts

@@ -97,7 +97,7 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
           allowCustomKeyIds: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowCustomKeyIds)
         })
         .refine((data) => ms(data.maxTTL) >= ms(data.ttl), {
-          message: "Max TLL must be greater than or equal to TTL",
+          message: "Max TTL must be greater than or equal to TTL",
           path: ["maxTTL"]
         }),
       response: {

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
@@ -98,7 +98,7 @@ export const accessApprovalPolicyServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
+      ProjectPermissionApprovalActions.Create,
       ProjectPermissionSub.SecretApproval
     );
     const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
@@ -256,7 +256,10 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Edit,
+      ProjectPermissionSub.SecretApproval
+    );
 
     const updatedPolicy = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.updateById(
@@ -341,7 +344,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
+      ProjectPermissionApprovalActions.Delete,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -432,7 +435,10 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionSub.SecretApproval
+    );
 
     return policy;
   };

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -6,6 +6,7 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { EnforcementLevel } from "@app/lib/types";
 import { triggerWorkflowIntegrationNotification } from "@app/lib/workflow-integrations/trigger-notification";
 import { TriggerFeature } from "@app/lib/workflow-integrations/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -22,6 +23,7 @@ import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-poli
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
+import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
 import { TAccessApprovalRequestDALFactory } from "./access-approval-request-dal";
@@ -323,26 +325,22 @@ export const accessApprovalRequestServiceFactory = ({
     status,
     actorId,
     actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    bypassReason
   }: TReviewAccessRequestDTO) => {
     const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
     if (!accessApprovalRequest) {
       throw new NotFoundError({ message: `Secret approval request with ID '${requestId}' not found` });
     }
 
-    const { policy } = accessApprovalRequest;
+    const { policy, environment } = accessApprovalRequest;
     if (policy.deletedAt) {
       throw new BadRequestError({
         message: "The policy associated with this access request has been deleted."
       });
     }
-    if (!policy.allowedSelfApprovals && actorId === accessApprovalRequest.requestedByUserId) {
-      throw new BadRequestError({
-        message: "Failed to review access approval request. Users are not authorized to review their own request."
-      });
-    }
 
-    const { membership, hasRole } = await permissionService.getProjectPermission({
+    const { membership, hasRole, permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: accessApprovalRequest.projectId,
@@ -355,6 +353,20 @@ export const accessApprovalRequestServiceFactory = ({
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }
 
+    const isSelfApproval = actorId === accessApprovalRequest.requestedByUserId;
+    const isSoftEnforcement = policy.enforcementLevel === EnforcementLevel.Soft;
+    const canBypassApproval = permission.can(
+      ProjectPermissionApprovalActions.AllowAccessBypass,
+      ProjectPermissionSub.SecretApproval
+    );
+    const cannotBypassUnderSoftEnforcement = !(isSoftEnforcement && canBypassApproval);
+
+    if (!policy.allowedSelfApprovals && isSelfApproval && cannotBypassUnderSoftEnforcement) {
+      throw new BadRequestError({
+        message: "Failed to review access approval request. Users are not authorized to review their own request."
+      });
+    }
+
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
       accessApprovalRequest.requestedByUserId !== actorId && // The request wasn't made by the current user
@@ -363,21 +375,49 @@ export const accessApprovalRequestServiceFactory = ({
       throw new ForbiddenRequestError({ message: "You are not authorized to approve this request" });
     }
 
+    const project = await projectDAL.findById(accessApprovalRequest.projectId);
+    if (!project) {
+      throw new NotFoundError({ message: "The project associated with this access request was not found." });
+    }
+
     const existingReviews = await accessApprovalRequestReviewerDAL.find({ requestId: accessApprovalRequest.id });
     if (existingReviews.some((review) => review.status === ApprovalStatus.REJECTED)) {
       throw new BadRequestError({ message: "The request has already been rejected by another reviewer" });
     }
 
     const reviewStatus = await accessApprovalRequestReviewerDAL.transaction(async (tx) => {
-      const review = await accessApprovalRequestReviewerDAL.findOne(
+      const isBreakGlassApprovalAttempt =
+        policy.enforcementLevel === EnforcementLevel.Soft &&
+        actorId === accessApprovalRequest.requestedByUserId &&
+        status === ApprovalStatus.APPROVED;
+
+      let reviewForThisActorProcessing: {
+        id: string;
+        requestId: string;
+        reviewerUserId: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+      };
+
+      const existingReviewByActorInTx = await accessApprovalRequestReviewerDAL.findOne(
         {
           requestId: accessApprovalRequest.id,
           reviewerUserId: actorId
         },
         tx
       );
-      if (!review) {
-        const newReview = await accessApprovalRequestReviewerDAL.create(
+
+      // Check if review exists for actor
+      if (existingReviewByActorInTx) {
+        // Check if breakglass re-approval
+        if (isBreakGlassApprovalAttempt && existingReviewByActorInTx.status === ApprovalStatus.APPROVED) {
+          reviewForThisActorProcessing = existingReviewByActorInTx;
+        } else {
+          throw new BadRequestError({ message: "You have already reviewed this request" });
+        }
+      } else {
+        reviewForThisActorProcessing = await accessApprovalRequestReviewerDAL.create(
           {
             status,
             requestId: accessApprovalRequest.id,
@@ -385,19 +425,26 @@ export const accessApprovalRequestServiceFactory = ({
           },
           tx
         );
+      }
 
-        const allReviews = [...existingReviews, newReview];
+      const otherReviews = existingReviews.filter((er) => er.reviewerUserId !== actorId);
+      const allUniqueReviews = [...otherReviews, reviewForThisActorProcessing];
 
-        const approvedReviews = allReviews.filter((r) => r.status === ApprovalStatus.APPROVED);
+      const approvedReviews = allUniqueReviews.filter((r) => r.status === ApprovalStatus.APPROVED);
+      const meetsStandardApprovalThreshold = approvedReviews.length >= policy.approvals;
 
-        // approvals is the required number of approvals. If the number of approved reviews is equal to the number of required approvals, then the request is approved.
-        if (approvedReviews.length === policy.approvals) {
+      if (
+        reviewForThisActorProcessing.status === ApprovalStatus.APPROVED &&
+        (meetsStandardApprovalThreshold || isBreakGlassApprovalAttempt)
+      ) {
+        const currentRequestState = await accessApprovalRequestDAL.findById(accessApprovalRequest.id, tx);
+        let privilegeIdToSet = currentRequestState?.privilegeId || null;
+
+        if (!privilegeIdToSet) {
           if (accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
             throw new BadRequestError({ message: "Temporary range is required for temporary access" });
           }
 
-          let privilegeId: string | null = null;
-
           if (!accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
             // Permanent access
             const privilege = await additionalPrivilegeDAL.create(
@@ -409,7 +456,7 @@ export const accessApprovalRequestServiceFactory = ({
               },
               tx
             );
-            privilegeId = privilege.id;
+            privilegeIdToSet = privilege.id;
           } else {
             // Temporary access
             const relativeTempAllocatedTimeInMs = ms(accessApprovalRequest.temporaryRange!);
@@ -421,23 +468,57 @@ export const accessApprovalRequestServiceFactory = ({
                 projectId: accessApprovalRequest.projectId,
                 slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
                 permissions: JSON.stringify(accessApprovalRequest.permissions),
-                isTemporary: true,
+                isTemporary: true, // Explicitly set to true for the privilege
                 temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative,
                 temporaryRange: accessApprovalRequest.temporaryRange!,
                 temporaryAccessStartTime: startTime,
-                temporaryAccessEndTime: new Date(new Date(startTime).getTime() + relativeTempAllocatedTimeInMs)
+                temporaryAccessEndTime: new Date(startTime.getTime() + relativeTempAllocatedTimeInMs)
               },
               tx
             );
-            privilegeId = privilege.id;
+            privilegeIdToSet = privilege.id;
           }
-
-          await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { privilegeId }, tx);
+          await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { privilegeId: privilegeIdToSet }, tx);
         }
-
-        return newReview;
       }
-      throw new BadRequestError({ message: "You have already reviewed this request" });
+
+      // Send notification if this was a breakglass approval
+      if (isBreakGlassApprovalAttempt) {
+        const cfg = getConfig();
+        const actingUser = await userDAL.findById(actorId, tx);
+
+        if (actingUser) {
+          const policyApproverUserIds = policy.approvers
+            .map((ap) => ap.userId)
+            .filter((id): id is string => typeof id === "string");
+
+          if (policyApproverUserIds.length > 0) {
+            const approverUsersForEmail = await userDAL.find({ $in: { id: policyApproverUserIds } }, { tx });
+            const recipientEmails = approverUsersForEmail
+              .map((appUser) => appUser.email)
+              .filter((email): email is string => !!email);
+
+            if (recipientEmails.length > 0) {
+              await smtpService.sendMail({
+                recipients: recipientEmails,
+                subjectLine: "Infisical Secret Access Policy Bypassed",
+                substitutions: {
+                  projectName: project.name,
+                  requesterFullName: `${actingUser.firstName} ${actingUser.lastName}`,
+                  requesterEmail: actingUser.email,
+                  bypassReason: bypassReason || "No reason provided",
+                  secretPath: policy.secretPath || "/",
+                  environment,
+                  approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`,
+                  requestType: "access"
+                },
+                template: SmtpTemplates.AccessSecretRequestBypassed
+              });
+            }
+          }
+        }
+      }
+      return reviewForThisActorProcessing;
     });
 
     return reviewStatus;

backend/src/ee/services/access-approval-request/access-approval-request-types.ts

@@ -17,6 +17,8 @@ export type TGetAccessRequestCountDTO = {
 export type TReviewAccessRequestDTO = {
   requestId: string;
   status: ApprovalStatus;
+  envName?: string;
+  bypassReason?: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TCreateAccessApprovalRequestDTO = {

backend/src/ee/services/app-connections/oci/oci-connection-service.ts

@@ -1,7 +1,9 @@
+import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { OrgServiceActor } from "@app/lib/types";
 
-import { AppConnection } from "../app-connection-enums";
+import { AppConnection } from "../../../../services/app-connection/app-connection-enums";
+import { TLicenseServiceFactory } from "../../license/license-service";
 import { listOCICompartments, listOCIVaultKeys, listOCIVaults } from "./oci-connection-fns";
 import { TOCIConnection } from "./oci-connection-types";
 
@@ -22,8 +24,23 @@ type TListOCIVaultKeysDTO = {
   vaultOcid: string;
 };
 
-export const ociConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+// Enterprise check
+export const checkPlan = async (licenseService: Pick<TLicenseServiceFactory, "getPlan">, orgId: string) => {
+  const plan = await licenseService.getPlan(orgId);
+  if (!plan.enterpriseAppConnections)
+    throw new BadRequestError({
+      message:
+        "Failed to use app connection due to plan restriction. Upgrade plan to access enterprise app connections."
+    });
+};
+
+export const ociConnectionService = (
+  getAppConnection: TGetAppConnectionFunc,
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">
+) => {
   const listCompartments = async (connectionId: string, actor: OrgServiceActor) => {
+    await checkPlan(licenseService, actor.orgId);
+
     const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
 
     try {
@@ -36,6 +53,8 @@ export const ociConnectionService = (getAppConnection: TGetAppConnectionFunc) =>
   };
 
   const listVaults = async ({ connectionId, compartmentOcid }: TListOCIVaultsDTO, actor: OrgServiceActor) => {
+    await checkPlan(licenseService, actor.orgId);
+
     const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
 
     try {
@@ -51,6 +70,8 @@ export const ociConnectionService = (getAppConnection: TGetAppConnectionFunc) =>
     { connectionId, compartmentOcid, vaultOcid }: TListOCIVaultKeysDTO,
     actor: OrgServiceActor
   ) => {
+    await checkPlan(licenseService, actor.orgId);
+
     const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
 
     try {

backend/src/ee/services/app-connections/oci/oci-connection-types.ts

@@ -2,7 +2,7 @@ import z from "zod";
 
 import { DiscriminativePick } from "@app/lib/types";
 
-import { AppConnection } from "../app-connection-enums";
+import { AppConnection } from "../../../../services/app-connection/app-connection-enums";
 import {
   CreateOCIConnectionSchema,
   OCIConnectionSchema,

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -1,3 +1,4 @@
+import { ProjectType } from "@app/db/schemas";
 import {
   TCreateProjectTemplateDTO,
   TUpdateProjectTemplateDTO
@@ -20,7 +21,7 @@ import { AppConnection } from "@app/services/app-connection/app-connection-enums
 import { TCreateAppConnectionDTO, TUpdateAppConnectionDTO } from "@app/services/app-connection/app-connection-types";
 import { ActorType } from "@app/services/auth/auth-type";
 import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
-import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
+import { CaStatus } from "@app/services/certificate-authority/certificate-authority-enums";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
@@ -162,6 +163,12 @@ export enum EventType {
   REVOKE_IDENTITY_AWS_AUTH = "revoke-identity-aws-auth",
   GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
 
+  LOGIN_IDENTITY_OCI_AUTH = "login-identity-oci-auth",
+  ADD_IDENTITY_OCI_AUTH = "add-identity-oci-auth",
+  UPDATE_IDENTITY_OCI_AUTH = "update-identity-oci-auth",
+  REVOKE_IDENTITY_OCI_AUTH = "revoke-identity-oci-auth",
+  GET_IDENTITY_OCI_AUTH = "get-identity-oci-auth",
+
   LOGIN_IDENTITY_AZURE_AUTH = "login-identity-azure-auth",
   ADD_IDENTITY_AZURE_AUTH = "add-identity-azure-auth",
   UPDATE_IDENTITY_AZURE_AUTH = "update-identity-azure-auth",
@@ -225,6 +232,7 @@ export enum EventType {
   REMOVE_HOST_FROM_SSH_HOST_GROUP = "remove-host-from-ssh-host-group",
   CREATE_CA = "create-certificate-authority",
   GET_CA = "get-certificate-authority",
+  GET_CAS = "get-certificate-authorities",
   UPDATE_CA = "update-certificate-authority",
   DELETE_CA = "delete-certificate-authority",
   RENEW_CA = "renew-certificate-authority",
@@ -235,6 +243,7 @@ export enum EventType {
   IMPORT_CA_CERT = "import-certificate-authority-cert",
   GET_CA_CRLS = "get-certificate-authority-crls",
   ISSUE_CERT = "issue-cert",
+  IMPORT_CERT = "import-cert",
   SIGN_CERT = "sign-cert",
   GET_CA_CERTIFICATE_TEMPLATES = "get-ca-certificate-templates",
   GET_CERT = "get-cert",
@@ -260,7 +269,9 @@ export enum EventType {
   GET_PKI_SUBSCRIBER = "get-pki-subscriber",
   ISSUE_PKI_SUBSCRIBER_CERT = "issue-pki-subscriber-cert",
   SIGN_PKI_SUBSCRIBER_CERT = "sign-pki-subscriber-cert",
+  AUTOMATED_RENEW_SUBSCRIBER_CERT = "automated-renew-subscriber-cert",
   LIST_PKI_SUBSCRIBER_CERTS = "list-pki-subscriber-certs",
+  GET_SUBSCRIBER_ACTIVE_CERT_BUNDLE = "get-subscriber-active-cert-bundle",
   CREATE_KMS = "create-kms",
   UPDATE_KMS = "update-kms",
   DELETE_KMS = "delete-kms",
@@ -309,7 +320,6 @@ export enum EventType {
   CREATE_PROJECT_TEMPLATE = "create-project-template",
   UPDATE_PROJECT_TEMPLATE = "update-project-template",
   DELETE_PROJECT_TEMPLATE = "delete-project-template",
-  APPLY_PROJECT_TEMPLATE = "apply-project-template",
   GET_APP_CONNECTIONS = "get-app-connections",
   GET_AVAILABLE_APP_CONNECTIONS_DETAILS = "get-available-app-connections-details",
   GET_APP_CONNECTION = "get-app-connection",
@@ -369,7 +379,13 @@ export enum EventType {
   MICROSOFT_TEAMS_WORKFLOW_INTEGRATION_LIST = "microsoft-teams-workflow-integration-list",
 
   PROJECT_ASSUME_PRIVILEGE_SESSION_START = "project-assume-privileges-session-start",
-  PROJECT_ASSUME_PRIVILEGE_SESSION_END = "project-assume-privileges-session-end"
+  PROJECT_ASSUME_PRIVILEGE_SESSION_END = "project-assume-privileges-session-end",
+
+  UPDATE_ORG = "update-org",
+
+  CREATE_PROJECT = "create-project",
+  UPDATE_PROJECT = "update-project",
+  DELETE_PROJECT = "delete-project"
 }
 
 export const filterableSecretEvents: EventType[] = [
@@ -1009,6 +1025,55 @@ interface GetIdentityAwsAuthEvent {
   };
 }
 
+interface LoginIdentityOciAuthEvent {
+  type: EventType.LOGIN_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+    identityOciAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityOciAuthEvent {
+  type: EventType.ADD_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+    tenancyOcid: string;
+    allowedUsernames: string | null;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface DeleteIdentityOciAuthEvent {
+  type: EventType.REVOKE_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface UpdateIdentityOciAuthEvent {
+  type: EventType.UPDATE_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+    tenancyOcid?: string;
+    allowedUsernames: string | null;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityOciAuthEvent {
+  type: EventType.GET_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface LoginIdentityAzureAuthEvent {
   type: EventType.LOGIN_IDENTITY_AZURE_AUTH;
   metadata: {
@@ -1717,7 +1782,8 @@ interface CreateCa {
   type: EventType.CREATE_CA;
   metadata: {
     caId: string;
-    dn: string;
+    name: string;
+    dn?: string;
   };
 }
 
@@ -1725,7 +1791,15 @@ interface GetCa {
   type: EventType.GET_CA;
   metadata: {
     caId: string;
-    dn: string;
+    name: string;
+    dn?: string;
+  };
+}
+
+interface GetCAs {
+  type: EventType.GET_CAS;
+  metadata: {
+    caIds: string[];
   };
 }
 
@@ -1733,7 +1807,8 @@ interface UpdateCa {
   type: EventType.UPDATE_CA;
   metadata: {
     caId: string;
-    dn: string;
+    name: string;
+    dn?: string;
     status: CaStatus;
   };
 }
@@ -1742,7 +1817,8 @@ interface DeleteCa {
   type: EventType.DELETE_CA;
   metadata: {
     caId: string;
-    dn: string;
+    name: string;
+    dn?: string;
   };
 }
 
@@ -1812,6 +1888,15 @@ interface IssueCert {
   };
 }
 
+interface ImportCert {
+  type: EventType.IMPORT_CERT;
+  metadata: {
+    certId: string;
+    cn: string;
+    serialNumber: string;
+  };
+}
+
 interface SignCert {
   type: EventType.SIGN_CERT;
   metadata: {
@@ -1979,7 +2064,7 @@ interface CreatePkiSubscriber {
     caId?: string;
     name: string;
     commonName: string;
-    ttl: string;
+    ttl?: string;
     subjectAlternativeNames: string[];
     keyUsages: CertKeyUsage[];
     extendedKeyUsages: CertExtendedKeyUsage[];
@@ -2021,7 +2106,15 @@ interface IssuePkiSubscriberCert {
   metadata: {
     subscriberId: string;
     name: string;
-    serialNumber: string;
+    serialNumber?: string;
+  };
+}
+
+interface AutomatedRenewPkiSubscriberCert {
+  type: EventType.AUTOMATED_RENEW_SUBSCRIBER_CERT;
+  metadata: {
+    subscriberId: string;
+    name: string;
   };
 }
 
@@ -2043,6 +2136,16 @@ interface ListPkiSubscriberCerts {
   };
 }
 
+interface GetSubscriberActiveCertBundle {
+  type: EventType.GET_SUBSCRIBER_ACTIVE_CERT_BUNDLE;
+  metadata: {
+    subscriberId: string;
+    name: string;
+    certId: string;
+    serialNumber: string;
+  };
+}
+
 interface CreateKmsEvent {
   type: EventType.CREATE_KMS;
   metadata: {
@@ -2396,14 +2499,6 @@ interface DeleteProjectTemplateEvent {
   };
 }
 
-interface ApplyProjectTemplateEvent {
-  type: EventType.APPLY_PROJECT_TEMPLATE;
-  metadata: {
-    template: string;
-    projectId: string;
-  };
-}
-
 interface GetAppConnectionsEvent {
   type: EventType.GET_APP_CONNECTIONS;
   metadata: {
@@ -2858,6 +2953,59 @@ interface MicrosoftTeamsWorkflowIntegrationUpdateEvent {
   };
 }
 
+interface OrgUpdateEvent {
+  type: EventType.UPDATE_ORG;
+  metadata: {
+    name?: string;
+    slug?: string;
+    authEnforced?: boolean;
+    scimEnabled?: boolean;
+    defaultMembershipRoleSlug?: string;
+    enforceMfa?: boolean;
+    selectedMfaMethod?: string;
+    allowSecretSharingOutsideOrganization?: boolean;
+    bypassOrgAuthEnabled?: boolean;
+    userTokenExpiration?: string;
+    secretsProductEnabled?: boolean;
+    pkiProductEnabled?: boolean;
+    kmsProductEnabled?: boolean;
+    sshProductEnabled?: boolean;
+    scannerProductEnabled?: boolean;
+    shareSecretsProductEnabled?: boolean;
+  };
+}
+
+interface ProjectCreateEvent {
+  type: EventType.CREATE_PROJECT;
+  metadata: {
+    name: string;
+    slug?: string;
+    type: ProjectType;
+  };
+}
+
+interface ProjectUpdateEvent {
+  type: EventType.UPDATE_PROJECT;
+  metadata: {
+    name?: string;
+    description?: string;
+    autoCapitalization?: boolean;
+    hasDeleteProtection?: boolean;
+    slug?: string;
+    secretSharing?: boolean;
+    pitVersionLimit?: number;
+    auditLogsRetentionDays?: number;
+  };
+}
+
+interface ProjectDeleteEvent {
+  type: EventType.DELETE_PROJECT;
+  metadata: {
+    id: string;
+    name: string;
+  };
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -2914,6 +3062,11 @@ export type Event =
   | UpdateIdentityAwsAuthEvent
   | GetIdentityAwsAuthEvent
   | DeleteIdentityAwsAuthEvent
+  | LoginIdentityOciAuthEvent
+  | AddIdentityOciAuthEvent
+  | UpdateIdentityOciAuthEvent
+  | GetIdentityOciAuthEvent
+  | DeleteIdentityOciAuthEvent
   | LoginIdentityAzureAuthEvent
   | AddIdentityAzureAuthEvent
   | DeleteIdentityAzureAuthEvent
@@ -2977,6 +3130,7 @@ export type Event =
   | IssueSshHostHostCert
   | CreateCa
   | GetCa
+  | GetCAs
   | UpdateCa
   | DeleteCa
   | RenewCa
@@ -2987,6 +3141,7 @@ export type Event =
   | ImportCaCert
   | GetCaCrls
   | IssueCert
+  | ImportCert
   | SignCert
   | GetCaCertificateTemplates
   | GetCert
@@ -3012,7 +3167,9 @@ export type Event =
   | GetPkiSubscriber
   | IssuePkiSubscriberCert
   | SignPkiSubscriberCert
+  | AutomatedRenewPkiSubscriberCert
   | ListPkiSubscriberCerts
+  | GetSubscriberActiveCertBundle
   | CreateKmsEvent
   | UpdateKmsEvent
   | DeleteKmsEvent
@@ -3057,7 +3214,6 @@ export type Event =
   | CreateProjectTemplateEvent
   | UpdateProjectTemplateEvent
   | DeleteProjectTemplateEvent
-  | ApplyProjectTemplateEvent
   | GetAppConnectionsEvent
   | GetAvailableAppConnectionsDetailsEvent
   | GetAppConnectionEvent
@@ -3119,4 +3275,8 @@ export type Event =
   | MicrosoftTeamsWorkflowIntegrationGetTeamsEvent
   | MicrosoftTeamsWorkflowIntegrationGetEvent
   | MicrosoftTeamsWorkflowIntegrationListEvent
-  | MicrosoftTeamsWorkflowIntegrationUpdateEvent;
+  | MicrosoftTeamsWorkflowIntegrationUpdateEvent
+  | OrgUpdateEvent
+  | ProjectCreateEvent
+  | ProjectUpdateEvent
+  | ProjectDeleteEvent;

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -7,6 +7,7 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { NotFoundError } from "@app/lib/errors";
 import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
+import { expandInternalCa } from "@app/services/certificate-authority/certificate-authority-fns";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { getProjectKmsCertificateKeyId } from "@app/services/project/project-fns";
@@ -14,7 +15,7 @@ import { getProjectKmsCertificateKeyId } from "@app/services/project/project-fns
 import { TGetCaCrlsDTO, TGetCrlById } from "./certificate-authority-crl-types";
 
 type TCertificateAuthorityCrlServiceFactoryDep = {
-  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
+  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findByIdWithAssociatedCa">;
   certificateAuthorityCrlDAL: Pick<TCertificateAuthorityCrlDALFactory, "find" | "findById">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
   kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
@@ -37,7 +38,8 @@ export const certificateAuthorityCrlServiceFactory = ({
     const caCrl = await certificateAuthorityCrlDAL.findById(crlId);
     if (!caCrl) throw new NotFoundError({ message: `CRL with ID '${crlId}' not found` });
 
-    const ca = await certificateAuthorityDAL.findById(caCrl.caId);
+    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(caCrl.caId);
+    if (!ca?.internalCa?.id) throw new NotFoundError({ message: `Internal CA with ID '${caCrl.caId}' not found` });
 
     const keyId = await getProjectKmsCertificateKeyId({
       projectId: ca.projectId,
@@ -54,7 +56,7 @@ export const certificateAuthorityCrlServiceFactory = ({
     const crl = new x509.X509Crl(decryptedCrl);
 
     return {
-      ca,
+      ca: expandInternalCa(ca),
       caCrl,
       crl: crl.rawData
     };
@@ -64,8 +66,8 @@ export const certificateAuthorityCrlServiceFactory = ({
    * Returns a list of CRL ids for CA with id [caId]
    */
   const getCaCrls = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCrlsDTO) => {
-    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
+    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(caId);
+    if (!ca?.internalCa?.id) throw new NotFoundError({ message: `Internal CA with ID '${caId}' not found` });
 
     const { permission } = await permissionService.getProjectPermission({
       actor,
@@ -108,7 +110,7 @@ export const certificateAuthorityCrlServiceFactory = ({
     );
 
     return {
-      ca,
+      ca: expandInternalCa(ca),
       crls: decryptedCrls
     };
   };

backend/src/ee/services/certificate-est/certificate-est-service.ts

@@ -6,7 +6,7 @@ import { isCertChainValid } from "@app/services/certificate/certificate-fns";
 import { TCertificateAuthorityCertDALFactory } from "@app/services/certificate-authority/certificate-authority-cert-dal";
 import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
 import { getCaCertChain, getCaCertChains } from "@app/services/certificate-authority/certificate-authority-fns";
-import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
+import { TInternalCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-service";
 import { TCertificateTemplateDALFactory } from "@app/services/certificate-template/certificate-template-dal";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -16,10 +16,10 @@ import { TLicenseServiceFactory } from "../license/license-service";
 import { convertRawCertsToPkcs7 } from "./certificate-est-fns";
 
 type TCertificateEstServiceFactoryDep = {
-  certificateAuthorityService: Pick<TCertificateAuthorityServiceFactory, "signCertFromCa">;
+  internalCertificateAuthorityService: Pick<TInternalCertificateAuthorityServiceFactory, "signCertFromCa">;
   certificateTemplateService: Pick<TCertificateTemplateServiceFactory, "getEstConfiguration">;
   certificateTemplateDAL: Pick<TCertificateTemplateDALFactory, "findById">;
-  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
+  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById" | "findByIdWithAssociatedCa">;
   certificateAuthorityCertDAL: Pick<TCertificateAuthorityCertDALFactory, "find" | "findById">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
   kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
@@ -29,7 +29,7 @@ type TCertificateEstServiceFactoryDep = {
 export type TCertificateEstServiceFactory = ReturnType<typeof certificateEstServiceFactory>;
 
 export const certificateEstServiceFactory = ({
-  certificateAuthorityService,
+  internalCertificateAuthorityService,
   certificateTemplateService,
   certificateTemplateDAL,
   certificateAuthorityCertDAL,
@@ -127,7 +127,7 @@ export const certificateEstServiceFactory = ({
       });
     }
 
-    const { certificate } = await certificateAuthorityService.signCertFromCa({
+    const { certificate } = await internalCertificateAuthorityService.signCertFromCa({
       isInternal: true,
       certificateTemplateId,
       csr
@@ -188,7 +188,7 @@ export const certificateEstServiceFactory = ({
       }
     }
 
-    const { certificate } = await certificateAuthorityService.signCertFromCa({
+    const { certificate } = await internalCertificateAuthorityService.signCertFromCa({
       isInternal: true,
       certificateTemplateId,
       csr
@@ -227,15 +227,15 @@ export const certificateEstServiceFactory = ({
       });
     }
 
-    const ca = await certificateAuthorityDAL.findById(certTemplate.caId);
-    if (!ca) {
+    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(certTemplate.caId);
+    if (!ca?.internalCa?.id) {
       throw new NotFoundError({
-        message: `Certificate Authority with ID '${certTemplate.caId}' not found`
+        message: `Internal Certificate Authority with ID '${certTemplate.caId}' not found`
       });
     }
 
     const { caCert, caCertChain } = await getCaCertChain({
-      caCertId: ca.activeCaCertId as string,
+      caCertId: ca.internalCa.activeCaCertId as string,
       certificateAuthorityDAL,
       certificateAuthorityCertDAL,
       projectDAL,

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -17,7 +17,8 @@ import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-fold
 
 import { TDynamicSecretLeaseDALFactory } from "../dynamic-secret-lease/dynamic-secret-lease-dal";
 import { TDynamicSecretLeaseQueueServiceFactory } from "../dynamic-secret-lease/dynamic-secret-lease-queue";
-import { TProjectGatewayDALFactory } from "../gateway/project-gateway-dal";
+import { TGatewayDALFactory } from "../gateway/gateway-dal";
+import { OrgPermissionGatewayActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TDynamicSecretDALFactory } from "./dynamic-secret-dal";
 import {
   DynamicSecretStatus,
@@ -44,9 +45,9 @@ type TDynamicSecretServiceFactoryDep = {
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findBySecretPathMultiEnv">;
   projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getOrgPermission">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
-  projectGatewayDAL: Pick<TProjectGatewayDALFactory, "findOne">;
+  gatewayDAL: Pick<TGatewayDALFactory, "findOne" | "find">;
   resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
@@ -62,7 +63,7 @@ export const dynamicSecretServiceFactory = ({
   dynamicSecretQueueService,
   projectDAL,
   kmsService,
-  projectGatewayDAL,
+  gatewayDAL,
   resourceMetadataDAL
 }: TDynamicSecretServiceFactoryDep) => {
   const create = async ({
@@ -117,15 +118,31 @@ export const dynamicSecretServiceFactory = ({
     const inputs = await selectedProvider.validateProviderInputs(provider.inputs);
 
     let selectedGatewayId: string | null = null;
-    if (inputs && typeof inputs === "object" && "projectGatewayId" in inputs && inputs.projectGatewayId) {
-      const projectGatewayId = inputs.projectGatewayId as string;
+    if (inputs && typeof inputs === "object" && "gatewayId" in inputs && inputs.gatewayId) {
+      const gatewayId = inputs.gatewayId as string;
 
-      const projectGateway = await projectGatewayDAL.findOne({ id: projectGatewayId, projectId });
-      if (!projectGateway)
+      const [gateway] = await gatewayDAL.find({ id: gatewayId, orgId: actorOrgId });
+
+      if (!gateway) {
         throw new NotFoundError({
-          message: `Project gateway with ${projectGatewayId} not found`
+          message: `Gateway with ID ${gatewayId} not found`
         });
-      selectedGatewayId = projectGateway.id;
+      }
+
+      const { permission: orgPermission } = await permissionService.getOrgPermission(
+        actor,
+        actorId,
+        gateway.orgId,
+        actorAuthMethod,
+        actorOrgId
+      );
+
+      ForbiddenError.from(orgPermission).throwUnlessCan(
+        OrgPermissionGatewayActions.AttachGateways,
+        OrgPermissionSubjects.Gateway
+      );
+
+      selectedGatewayId = gateway.id;
     }
 
     const isConnected = await selectedProvider.validateConnection(provider.inputs);
@@ -146,7 +163,7 @@ export const dynamicSecretServiceFactory = ({
           defaultTTL,
           folderId: folder.id,
           name,
-          projectGatewayId: selectedGatewayId
+          gatewayId: selectedGatewayId
         },
         tx
       );
@@ -255,20 +272,30 @@ export const dynamicSecretServiceFactory = ({
     const updatedInput = await selectedProvider.validateProviderInputs(newInput);
 
     let selectedGatewayId: string | null = null;
-    if (
-      updatedInput &&
-      typeof updatedInput === "object" &&
-      "projectGatewayId" in updatedInput &&
-      updatedInput?.projectGatewayId
-    ) {
-      const projectGatewayId = updatedInput.projectGatewayId as string;
+    if (updatedInput && typeof updatedInput === "object" && "gatewayId" in updatedInput && updatedInput?.gatewayId) {
+      const gatewayId = updatedInput.gatewayId as string;
 
-      const projectGateway = await projectGatewayDAL.findOne({ id: projectGatewayId, projectId });
-      if (!projectGateway)
+      const [gateway] = await gatewayDAL.find({ id: gatewayId, orgId: actorOrgId });
+      if (!gateway) {
         throw new NotFoundError({
-          message: `Project gateway with ${projectGatewayId} not found`
+          message: `Gateway with ID ${gatewayId} not found`
         });
-      selectedGatewayId = projectGateway.id;
+      }
+
+      const { permission: orgPermission } = await permissionService.getOrgPermission(
+        actor,
+        actorId,
+        gateway.orgId,
+        actorAuthMethod,
+        actorOrgId
+      );
+
+      ForbiddenError.from(orgPermission).throwUnlessCan(
+        OrgPermissionGatewayActions.AttachGateways,
+        OrgPermissionSubjects.Gateway
+      );
+
+      selectedGatewayId = gateway.id;
     }
 
     const isConnected = await selectedProvider.validateConnection(newInput);
@@ -284,7 +311,7 @@ export const dynamicSecretServiceFactory = ({
           defaultTTL,
           name: newName ?? name,
           status: null,
-          projectGatewayId: selectedGatewayId
+          gatewayId: selectedGatewayId
         },
         tx
       );

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -6,6 +6,7 @@ import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
+import { KubernetesProvider } from "./kubernetes";
 import { LdapProvider } from "./ldap";
 import { DynamicSecretProviders, TDynamicProviderFns } from "./models";
 import { MongoAtlasProvider } from "./mongo-atlas";
@@ -18,7 +19,7 @@ import { SqlDatabaseProvider } from "./sql-database";
 import { TotpProvider } from "./totp";
 
 type TBuildDynamicSecretProviderDTO = {
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTls">;
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
 };
 
 export const buildDynamicSecretProviders = ({
@@ -38,5 +39,6 @@ export const buildDynamicSecretProviders = ({
   [DynamicSecretProviders.SapHana]: SapHanaProvider(),
   [DynamicSecretProviders.Snowflake]: SnowflakeProvider(),
   [DynamicSecretProviders.Totp]: TotpProvider(),
-  [DynamicSecretProviders.SapAse]: SapAseProvider()
+  [DynamicSecretProviders.SapAse]: SapAseProvider(),
+  [DynamicSecretProviders.Kubernetes]: KubernetesProvider({ gatewayService })
 });

backend/src/ee/services/dynamic-secret/providers/kubernetes.ts

@@ -0,0 +1,199 @@
+import axios from "axios";
+import https from "https";
+
+import { InternalServerError } from "@app/lib/errors";
+import { withGatewayProxy } from "@app/lib/gateway";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { TKubernetesTokenRequest } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-types";
+
+import { TGatewayServiceFactory } from "../../gateway/gateway-service";
+import { DynamicSecretKubernetesSchema, TDynamicProviderFns } from "./models";
+
+const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
+
+type TKubernetesProviderDTO = {
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
+};
+
+export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretKubernetesSchema.parseAsync(inputs);
+    if (!providerInputs.gatewayId) {
+      await blockLocalAndPrivateIpAddresses(providerInputs.url);
+    }
+
+    return providerInputs;
+  };
+
+  const $gatewayProxyWrapper = async <T>(
+    inputs: {
+      gatewayId: string;
+      targetHost: string;
+      targetPort: number;
+    },
+    gatewayCallback: (host: string, port: number) => Promise<T>
+  ): Promise<T> => {
+    const relayDetails = await gatewayService.fnGetGatewayClientTlsByGatewayId(inputs.gatewayId);
+    const [relayHost, relayPort] = relayDetails.relayAddress.split(":");
+
+    const callbackResult = await withGatewayProxy(
+      async (port) => {
+        // Needs to be https protocol or the kubernetes API server will fail with "Client sent an HTTP request to an HTTPS server"
+        const res = await gatewayCallback("https://localhost", port);
+        return res;
+      },
+      {
+        targetHost: inputs.targetHost,
+        targetPort: inputs.targetPort,
+        relayHost,
+        relayPort: Number(relayPort),
+        identityId: relayDetails.identityId,
+        orgId: relayDetails.orgId,
+        tlsOptions: {
+          ca: relayDetails.certChain,
+          cert: relayDetails.certificate,
+          key: relayDetails.privateKey.toString()
+        }
+      }
+    );
+
+    return callbackResult;
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const serviceAccountGetCallback = async (host: string, port: number) => {
+      const baseUrl = port ? `${host}:${port}` : host;
+
+      await axios.get(
+        `${baseUrl}/api/v1/namespaces/${providerInputs.namespace}/serviceaccounts/${providerInputs.serviceAccountName}`,
+        {
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${providerInputs.clusterToken}`
+          },
+          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+          timeout: EXTERNAL_REQUEST_TIMEOUT,
+          httpsAgent: new https.Agent({
+            ca: providerInputs.ca,
+            rejectUnauthorized: providerInputs.sslEnabled
+          })
+        }
+      );
+    };
+
+    const url = new URL(providerInputs.url);
+    const k8sPort = url.port ? Number(url.port) : 443;
+
+    try {
+      if (providerInputs.gatewayId) {
+        const k8sHost = url.hostname;
+
+        await $gatewayProxyWrapper(
+          {
+            gatewayId: providerInputs.gatewayId,
+            targetHost: k8sHost,
+            targetPort: k8sPort
+          },
+          serviceAccountGetCallback
+        );
+      } else {
+        const k8sHost = `${url.protocol}//${url.hostname}`;
+        await serviceAccountGetCallback(k8sHost, k8sPort);
+      }
+
+      return true;
+    } catch (error) {
+      let errorMessage = error instanceof Error ? error.message : "Unknown error";
+      if (axios.isAxiosError(error) && (error.response?.data as { message: string })?.message) {
+        errorMessage = (error.response?.data as { message: string }).message;
+      }
+
+      throw new InternalServerError({
+        message: `Failed to validate connection: ${errorMessage}`
+      });
+    }
+  };
+
+  const create = async (inputs: unknown, expireAt: number) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const tokenRequestCallback = async (host: string, port: number) => {
+      const baseUrl = port ? `${host}:${port}` : host;
+
+      const res = await axios.post<TKubernetesTokenRequest>(
+        `${baseUrl}/api/v1/namespaces/${providerInputs.namespace}/serviceaccounts/${providerInputs.serviceAccountName}/token`,
+        {
+          spec: {
+            expirationSeconds: Math.floor((expireAt - Date.now()) / 1000),
+            ...(providerInputs.audiences?.length ? { audiences: providerInputs.audiences } : {})
+          }
+        },
+        {
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${providerInputs.clusterToken}`
+          },
+          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+          timeout: EXTERNAL_REQUEST_TIMEOUT,
+          httpsAgent: new https.Agent({
+            ca: providerInputs.ca,
+            rejectUnauthorized: providerInputs.sslEnabled
+          })
+        }
+      );
+
+      return res.data;
+    };
+
+    const url = new URL(providerInputs.url);
+    const k8sHost = `${url.protocol}//${url.hostname}`;
+    const k8sGatewayHost = url.hostname;
+    const k8sPort = url.port ? Number(url.port) : 443;
+
+    try {
+      const tokenData = providerInputs.gatewayId
+        ? await $gatewayProxyWrapper(
+            {
+              gatewayId: providerInputs.gatewayId,
+              targetHost: k8sGatewayHost,
+              targetPort: k8sPort
+            },
+            tokenRequestCallback
+          )
+        : await tokenRequestCallback(k8sHost, k8sPort);
+
+      return {
+        entityId: providerInputs.serviceAccountName,
+        data: { TOKEN: tokenData.status.token }
+      };
+    } catch (error) {
+      let errorMessage = error instanceof Error ? error.message : "Unknown error";
+      if (axios.isAxiosError(error) && (error.response?.data as { message: string })?.message) {
+        errorMessage = (error.response?.data as { message: string }).message;
+      }
+
+      throw new InternalServerError({
+        message: `Failed to create dynamic secret: ${errorMessage}`
+      });
+    }
+  };
+
+  const revoke = async (_inputs: unknown, entityId: string) => {
+    return { entityId };
+  };
+
+  const renew = async (_inputs: unknown, entityId: string) => {
+    // No renewal necessary
+    return { entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -29,6 +29,10 @@ export enum LdapCredentialType {
   Static = "static"
 }
 
+export enum KubernetesCredentialType {
+  Static = "static"
+}
+
 export enum TotpConfigType {
   URL = "url",
   MANUAL = "manual"
@@ -137,7 +141,7 @@ export const DynamicSecretSqlDBSchema = z.object({
   revocationStatement: z.string().trim(),
   renewStatement: z.string().trim().optional(),
   ca: z.string().optional(),
-  projectGatewayId: z.string().nullable().optional()
+  gatewayId: z.string().nullable().optional()
 });
 
 export const DynamicSecretCassandraSchema = z.object({
@@ -277,6 +281,18 @@ export const LdapSchema = z.union([
   })
 ]);
 
+export const DynamicSecretKubernetesSchema = z.object({
+  url: z.string().url().trim().min(1),
+  gatewayId: z.string().nullable().optional(),
+  sslEnabled: z.boolean().default(true),
+  clusterToken: z.string().trim().min(1),
+  ca: z.string().optional(),
+  serviceAccountName: z.string().trim().min(1),
+  credentialType: z.literal(KubernetesCredentialType.Static),
+  namespace: z.string().trim().min(1),
+  audiences: z.array(z.string().trim().min(1))
+});
+
 export const DynamicSecretTotpSchema = z.discriminatedUnion("configType", [
   z.object({
     configType: z.literal(TotpConfigType.URL),
@@ -320,7 +336,8 @@ export enum DynamicSecretProviders {
   SapHana = "sap-hana",
   Snowflake = "snowflake",
   Totp = "totp",
-  SapAse = "sap-ase"
+  SapAse = "sap-ase",
+  Kubernetes = "kubernetes"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -338,7 +355,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Ldap), inputs: LdapSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Snowflake), inputs: DynamicSecretSnowflakeSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Totp), inputs: DynamicSecretTotpSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Totp), inputs: DynamicSecretTotpSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Kubernetes), inputs: DynamicSecretKubernetesSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -112,14 +112,14 @@ const generateUsername = (provider: SqlProviders) => {
 };
 
 type TSqlDatabaseProviderDTO = {
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTls">;
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
 };
 
 export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretSqlDBSchema.parseAsync(inputs);
 
-    const [hostIp] = await verifyHostInputValidity(providerInputs.host, Boolean(providerInputs.projectGatewayId));
+    const [hostIp] = await verifyHostInputValidity(providerInputs.host, Boolean(providerInputs.gatewayId));
     validateHandlebarTemplate("SQL creation", providerInputs.creationStatement, {
       allowedExpressions: (val) => ["username", "password", "expiration", "database"].includes(val)
     });
@@ -168,7 +168,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
     providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>,
     gatewayCallback: (host: string, port: number) => Promise<void>
   ) => {
-    const relayDetails = await gatewayService.fnGetGatewayClientTls(providerInputs.projectGatewayId as string);
+    const relayDetails = await gatewayService.fnGetGatewayClientTlsByGatewayId(providerInputs.gatewayId as string);
     const [relayHost, relayPort] = relayDetails.relayAddress.split(":");
     await withGatewayProxy(
       async (port) => {
@@ -202,7 +202,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
       await db.destroy();
     };
 
-    if (providerInputs.projectGatewayId) {
+    if (providerInputs.gatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
     } else {
       await gatewayCallback();
@@ -238,7 +238,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
         await db.destroy();
       }
     };
-    if (providerInputs.projectGatewayId) {
+    if (providerInputs.gatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
     } else {
       await gatewayCallback();
@@ -265,7 +265,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
         await db.destroy();
       }
     };
-    if (providerInputs.projectGatewayId) {
+    if (providerInputs.gatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
     } else {
       await gatewayCallback();
@@ -301,7 +301,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
         await db.destroy();
       }
     };
-    if (providerInputs.projectGatewayId) {
+    if (providerInputs.gatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
     } else {
       await gatewayCallback();

backend/src/ee/services/gateway/gateway-dal.ts

@@ -1,37 +1,34 @@
-import { Knex } from "knex";
-
 import { TDbClient } from "@app/db";
 import { GatewaysSchema, TableName, TGateways } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import {
-  buildFindFilter,
-  ormify,
-  selectAllTableCols,
-  sqlNestRelationships,
-  TFindFilter,
-  TFindOpt
-} from "@app/lib/knex";
+import { buildFindFilter, ormify, selectAllTableCols, TFindFilter, TFindOpt } from "@app/lib/knex";
 
 export type TGatewayDALFactory = ReturnType<typeof gatewayDALFactory>;
 
 export const gatewayDALFactory = (db: TDbClient) => {
   const orm = ormify(db, TableName.Gateway);
 
-  const find = async (filter: TFindFilter<TGateways>, { offset, limit, sort, tx }: TFindOpt<TGateways> = {}) => {
+  const find = async (
+    filter: TFindFilter<TGateways> & { orgId?: string },
+    { offset, limit, sort, tx }: TFindOpt<TGateways> = {}
+  ) => {
     try {
       const query = (tx || db)(TableName.Gateway)
         // eslint-disable-next-line @typescript-eslint/no-misused-promises
-        .where(buildFindFilter(filter))
+        .where(buildFindFilter(filter, TableName.Gateway, ["orgId"]))
         .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.Gateway}.identityId`)
-        .leftJoin(TableName.ProjectGateway, `${TableName.ProjectGateway}.gatewayId`, `${TableName.Gateway}.id`)
-        .leftJoin(TableName.Project, `${TableName.Project}.id`, `${TableName.ProjectGateway}.projectId`)
+        .join(
+          TableName.IdentityOrgMembership,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.Gateway}.identityId`
+        )
         .select(selectAllTableCols(TableName.Gateway))
-        .select(
-          db.ref("name").withSchema(TableName.Identity).as("identityName"),
-          db.ref("name").withSchema(TableName.Project).as("projectName"),
-          db.ref("slug").withSchema(TableName.Project).as("projectSlug"),
-          db.ref("id").withSchema(TableName.Project).as("projectId")
-        );
+        .select(db.ref("orgId").withSchema(TableName.IdentityOrgMembership).as("identityOrgId"))
+        .select(db.ref("name").withSchema(TableName.Identity).as("identityName"));
+
+      if (filter.orgId) {
+        void query.where(`${TableName.IdentityOrgMembership}.orgId`, filter.orgId);
+      }
       if (limit) void query.limit(limit);
       if (offset) void query.offset(offset);
       if (sort) {
@@ -39,48 +36,16 @@ export const gatewayDALFactory = (db: TDbClient) => {
       }
 
       const docs = await query;
-      return sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (data) => ({
-          ...GatewaysSchema.parse(data),
-          identity: { id: data.identityId, name: data.identityName }
-        }),
-        childrenMapper: [
-          {
-            key: "projectId",
-            label: "projects" as const,
-            mapper: ({ projectId, projectName, projectSlug }) => ({
-              id: projectId,
-              name: projectName,
-              slug: projectSlug
-            })
-          }
-        ]
-      });
+
+      return docs.map((el) => ({
+        ...GatewaysSchema.parse(el),
+        orgId: el.identityOrgId as string, // todo(daniel): figure out why typescript is not inferring this as a string
+        identity: { id: el.identityId, name: el.identityName }
+      }));
     } catch (error) {
       throw new DatabaseError({ error, name: `${TableName.Gateway}: Find` });
     }
   };
 
-  const findByProjectId = async (projectId: string, tx?: Knex) => {
-    try {
-      const query = (tx || db)(TableName.Gateway)
-        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.Gateway}.identityId`)
-        .join(TableName.ProjectGateway, `${TableName.ProjectGateway}.gatewayId`, `${TableName.Gateway}.id`)
-        .select(selectAllTableCols(TableName.Gateway))
-        .select(
-          db.ref("name").withSchema(TableName.Identity).as("identityName"),
-          db.ref("id").withSchema(TableName.ProjectGateway).as("projectGatewayId")
-        )
-        .where({ [`${TableName.ProjectGateway}.projectId` as "projectId"]: projectId });
-
-      const docs = await query;
-      return docs.map((el) => ({ ...el, identity: { id: el.identityId, name: el.identityName } }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: `${TableName.Gateway}: Find by project id` });
-    }
-  };
-
-  return { ...orm, find, findByProjectId };
+  return { ...orm, find };
 };

backend/src/ee/services/gateway/gateway-service.ts

@@ -4,7 +4,6 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import { z } from "zod";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { KeyStorePrefixes, PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -27,17 +26,14 @@ import { TGatewayDALFactory } from "./gateway-dal";
 import {
   TExchangeAllocatedRelayAddressDTO,
   TGetGatewayByIdDTO,
-  TGetProjectGatewayByIdDTO,
   THeartBeatDTO,
   TListGatewaysDTO,
   TUpdateGatewayByIdDTO
 } from "./gateway-types";
 import { TOrgGatewayConfigDALFactory } from "./org-gateway-config-dal";
-import { TProjectGatewayDALFactory } from "./project-gateway-dal";
 
 type TGatewayServiceFactoryDep = {
   gatewayDAL: TGatewayDALFactory;
-  projectGatewayDAL: TProjectGatewayDALFactory;
   orgGatewayConfigDAL: Pick<TOrgGatewayConfigDALFactory, "findOne" | "create" | "transaction" | "findById">;
   licenseService: Pick<TLicenseServiceFactory, "onPremFeatures" | "getPlan">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey" | "decryptWithRootKey">;
@@ -57,8 +53,7 @@ export const gatewayServiceFactory = ({
   kmsService,
   permissionService,
   orgGatewayConfigDAL,
-  keyStore,
-  projectGatewayDAL
+  keyStore
 }: TGatewayServiceFactoryDep) => {
   const $validateOrgAccessToGateway = async (orgId: string, actorId: string, actorAuthMethod: ActorAuthMethod) => {
     // if (!licenseService.onPremFeatures.gateway) {
@@ -526,7 +521,7 @@ export const gatewayServiceFactory = ({
     return gateway;
   };
 
-  const updateGatewayById = async ({ orgPermission, id, name, projectIds }: TUpdateGatewayByIdDTO) => {
+  const updateGatewayById = async ({ orgPermission, id, name }: TUpdateGatewayByIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(
       orgPermission.type,
       orgPermission.id,
@@ -543,15 +538,6 @@ export const gatewayServiceFactory = ({
 
     const [gateway] = await gatewayDAL.update({ id, orgGatewayRootCaId: orgGatewayConfig.id }, { name });
     if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${id} not found.` });
-    if (projectIds) {
-      await projectGatewayDAL.transaction(async (tx) => {
-        await projectGatewayDAL.delete({ gatewayId: gateway.id }, tx);
-        await projectGatewayDAL.insertMany(
-          projectIds.map((el) => ({ gatewayId: gateway.id, projectId: el })),
-          tx
-        );
-      });
-    }
 
     return gateway;
   };
@@ -576,27 +562,7 @@ export const gatewayServiceFactory = ({
     return gateway;
   };
 
-  const getProjectGateways = async ({ projectId, projectPermission }: TGetProjectGatewayByIdDTO) => {
-    await permissionService.getProjectPermission({
-      projectId,
-      actor: projectPermission.type,
-      actorId: projectPermission.id,
-      actorOrgId: projectPermission.orgId,
-      actorAuthMethod: projectPermission.authMethod,
-      actionProjectType: ActionProjectType.Any
-    });
-
-    const gateways = await gatewayDAL.findByProjectId(projectId);
-    return gateways;
-  };
-
-  // this has no permission check and used for dynamic secrets directly
-  // assumes permission check is already done
-  const fnGetGatewayClientTls = async (projectGatewayId: string) => {
-    const projectGateway = await projectGatewayDAL.findById(projectGatewayId);
-    if (!projectGateway) throw new NotFoundError({ message: `Project gateway with ID ${projectGatewayId} not found.` });
-
-    const { gatewayId } = projectGateway;
+  const fnGetGatewayClientTlsByGatewayId = async (gatewayId: string) => {
     const gateway = await gatewayDAL.findById(gatewayId);
     if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${gatewayId} not found.` });
 
@@ -645,8 +611,7 @@ export const gatewayServiceFactory = ({
     getGatewayById,
     updateGatewayById,
     deleteGatewayById,
-    getProjectGateways,
-    fnGetGatewayClientTls,
+    fnGetGatewayClientTlsByGatewayId,
     heartbeat
   };
 };

backend/src/ee/services/gateway/gateway-types.ts

@@ -20,7 +20,6 @@ export type TGetGatewayByIdDTO = {
 export type TUpdateGatewayByIdDTO = {
   id: string;
   name?: string;
-  projectIds?: string[];
   orgPermission: OrgServiceActor;
 };
 

backend/src/ee/services/gateway/project-gateway-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TProjectGatewayDALFactory = ReturnType<typeof projectGatewayDALFactory>;
-
-export const projectGatewayDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.ProjectGateway);
-  return orm;
-};

backend/src/ee/services/group/group-dal.ts

@@ -111,9 +111,9 @@ export const groupDALFactory = (db: TDbClient) => {
       }
 
       if (search) {
-        void query.andWhereRaw(`CONCAT_WS(' ', "firstName", "lastName", "username") ilike ?`, [`%${search}%`]);
+        void query.andWhereRaw(`CONCAT_WS(' ', "firstName", "lastName", lower("username")) ilike ?`, [`%${search}%`]);
       } else if (username) {
-        void query.andWhere(`${TableName.Users}.username`, "ilike", `%${username}%`);
+        void query.andWhereRaw(`lower("${TableName.Users}"."username") ilike ?`, `%${username}%`);
       }
 
       switch (filter) {

backend/src/ee/services/group/group-service.ts

@@ -30,7 +30,7 @@ import {
 import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal";
 
 type TGroupServiceFactoryDep = {
-  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
+  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findUserByUsername">;
   groupDAL: Pick<
     TGroupDALFactory,
     "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById" | "transaction"
@@ -380,7 +380,10 @@ export const groupServiceFactory = ({
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
-    const user = await userDAL.findOne({ username });
+    const usersWithUsername = await userDAL.findUserByUsername(username);
+    // akhilmhdh: case sensitive email resolution
+    const user =
+      usersWithUsername?.length > 1 ? usersWithUsername.find((el) => el.username === username) : usersWithUsername?.[0];
     if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });
 
     const users = await addUsersToGroupByUserIds({
@@ -461,7 +464,10 @@ export const groupServiceFactory = ({
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
-    const user = await userDAL.findOne({ username });
+    const usersWithUsername = await userDAL.findUserByUsername(username);
+    // akhilmhdh: case sensitive email resolution
+    const user =
+      usersWithUsername?.length > 1 ? usersWithUsername.find((el) => el.username === username) : usersWithUsername?.[0];
     if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });
 
     const users = await removeUsersFromGroupByUserIds({

backend/src/ee/services/hsm/hsm-fns.ts

@@ -24,9 +24,13 @@ export const initializeHsmModule = (envConfig: Pick<TEnvConfig, "isHsmConfigured
       isInitialized = true;
 
       logger.info("PKCS#11 module initialized");
-    } catch (err) {
-      logger.error(err, "Failed to initialize PKCS#11 module");
-      throw err;
+    } catch (error) {
+      if (error instanceof pkcs11js.Pkcs11Error && error.code === pkcs11js.CKR_CRYPTOKI_ALREADY_INITIALIZED) {
+        logger.info("Skipping HSM initialization because it's already initialized.");
+      } else {
+        logger.error(error, "Failed to initialize PKCS#11 module");
+        throw error;
+      }
     }
   };
 

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -380,7 +380,7 @@ export const ldapConfigServiceFactory = ({
         if (serverCfg.trustLdapEmails) {
           newUser = await userDAL.findOne(
             {
-              email,
+              email: email.toLowerCase(),
               isEmailVerified: true
             },
             tx
@@ -391,8 +391,8 @@ export const ldapConfigServiceFactory = ({
           const uniqueUsername = await normalizeUsername(username, userDAL);
           newUser = await userDAL.create(
             {
-              username: serverCfg.trustLdapEmails ? email : uniqueUsername,
-              email,
+              username: serverCfg.trustLdapEmails ? email.toLowerCase() : uniqueUsername,
+              email: email.toLowerCase(),
               isEmailVerified: serverCfg.trustLdapEmails,
               firstName,
               lastName,
@@ -429,7 +429,7 @@ export const ldapConfigServiceFactory = ({
           await orgMembershipDAL.create(
             {
               userId: newUser.id,
-              inviteEmail: email,
+              inviteEmail: email.toLowerCase(),
               orgId,
               role,
               roleId,

backend/src/ee/services/license/__mocks__/license-fns.ts

@@ -29,7 +29,9 @@ export const getDefaultOnPremFeatures = () => {
     secretApproval: true,
     secretRotation: true,
     caCrl: false,
-    sshHostGroups: false
+    sshHostGroups: false,
+    enterpriseSecretSyncs: false,
+    enterpriseAppConnections: false
   };
 };
 

backend/src/ee/services/license/license-dal.ts

@@ -19,7 +19,7 @@ export const licenseDALFactory = (db: TDbClient) => {
         .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
         .where(`${TableName.Users}.isGhost`, false)
         .count();
-      return Number(doc?.[0].count);
+      return Number(doc?.[0]?.count ?? 0);
     } catch (error) {
       throw new DatabaseError({ error, name: "Count of Org Members" });
     }

backend/src/ee/services/license/license-fns.ts

@@ -2,6 +2,7 @@ import axios, { AxiosError } from "axios";
 
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
+import { logger } from "@app/lib/logger";
 
 import { TFeatureSet } from "./license-types";
 
@@ -54,15 +55,24 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   projectTemplates: false,
   kmip: false,
   gateway: false,
-  sshHostGroups: false
+  sshHostGroups: false,
+  enterpriseSecretSyncs: false,
+  enterpriseAppConnections: false
 });
 
-export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {
+export const setupLicenseRequestWithStore = (
+  baseURL: string,
+  refreshUrl: string,
+  licenseKey: string,
+  region?: string
+) => {
   let token: string;
   const licenseReq = axios.create({
     baseURL,
-    timeout: 35 * 1000
-    // signal: AbortSignal.timeout(60 * 1000)
+    timeout: 35 * 1000,
+    headers: {
+      "x-region": region
+    }
   });
 
   const refreshLicense = async () => {
@@ -98,9 +108,10 @@ export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string
     (response) => response,
     async (err) => {
       const originalRequest = (err as AxiosError).config;
-
+      const errStatusCode = Number((err as AxiosError)?.response?.status);
+      logger.error((err as AxiosError)?.response?.data, "License server call error");
       // eslint-disable-next-line
-      if ((err as AxiosError)?.response?.status === 401 && !(originalRequest as any)._retry) {
+      if ((errStatusCode === 401 || errStatusCode === 403) && !(originalRequest as any)._retry) {
         // eslint-disable-next-line
         (originalRequest as any)._retry = true; // injected
 

backend/src/ee/services/license/license-service.ts

@@ -77,13 +77,15 @@ export const licenseServiceFactory = ({
   const licenseServerCloudApi = setupLicenseRequestWithStore(
     appCfg.LICENSE_SERVER_URL || "",
     LICENSE_SERVER_CLOUD_LOGIN,
-    appCfg.LICENSE_SERVER_KEY || ""
+    appCfg.LICENSE_SERVER_KEY || "",
+    appCfg.INTERNAL_REGION
   );
 
   const licenseServerOnPremApi = setupLicenseRequestWithStore(
     appCfg.LICENSE_SERVER_URL || "",
     LICENSE_SERVER_ON_PREM_LOGIN,
-    appCfg.LICENSE_KEY || ""
+    appCfg.LICENSE_KEY || "",
+    appCfg.INTERNAL_REGION
   );
 
   const syncLicenseKeyOnPremFeatures = async (shouldThrow: boolean = false) => {
@@ -92,6 +94,10 @@ export const licenseServiceFactory = ({
       const {
         data: { currentPlan }
       } = await licenseServerOnPremApi.request.get<{ currentPlan: TFeatureSet }>("/api/license/v1/plan");
+
+      const workspacesUsed = await projectDAL.countOfOrgProjects(null);
+      currentPlan.workspacesUsed = workspacesUsed;
+
       onPremFeatures = currentPlan;
       logger.info("Successfully synchronized license key features");
     } catch (error) {
@@ -185,6 +191,14 @@ export const licenseServiceFactory = ({
         } = await licenseServerCloudApi.request.get<{ currentPlan: TFeatureSet }>(
           `/api/license-server/v1/customers/${org.customerId}/cloud-plan`
         );
+        const workspacesUsed = await projectDAL.countOfOrgProjects(orgId);
+        currentPlan.workspacesUsed = workspacesUsed;
+
+        const membersUsed = await licenseDAL.countOfOrgMembers(orgId);
+        currentPlan.membersUsed = membersUsed;
+        const identityUsed = await licenseDAL.countOrgUsersAndIdentities(orgId);
+        currentPlan.identitiesUsed = identityUsed;
+
         await keyStore.setItemWithExpiry(
           FEATURE_CACHE_KEY(org.id),
           LICENSE_SERVER_CLOUD_PLAN_TTL,
@@ -348,8 +362,8 @@ export const licenseServiceFactory = ({
       } = await licenseServerCloudApi.request.post(
         `/api/license-server/v1/customers/${organization.customerId}/billing-details/payment-methods`,
         {
-          success_url: `${appCfg.SITE_URL}/dashboard`,
-          cancel_url: `${appCfg.SITE_URL}/dashboard`
+          success_url: `${appCfg.SITE_URL}/organization/billing`,
+          cancel_url: `${appCfg.SITE_URL}/organization/billing`
         }
       );
 
@@ -362,7 +376,7 @@ export const licenseServiceFactory = ({
     } = await licenseServerCloudApi.request.post(
       `/api/license-server/v1/customers/${organization.customerId}/billing-details/billing-portal`,
       {
-        return_url: `${appCfg.SITE_URL}/dashboard`
+        return_url: `${appCfg.SITE_URL}/organization/billing`
       }
     );
 
@@ -379,7 +393,7 @@ export const licenseServiceFactory = ({
         message: `Organization with ID '${orgId}' not found`
       });
     }
-    if (instanceType !== InstanceType.OnPrem && instanceType !== InstanceType.EnterpriseOnPremOffline) {
+    if (instanceType === InstanceType.Cloud) {
       const { data } = await licenseServerCloudApi.request.get(
         `/api/license-server/v1/customers/${organization.customerId}/cloud-plan/billing`
       );
@@ -407,11 +421,38 @@ export const licenseServiceFactory = ({
         message: `Organization with ID '${orgId}' not found`
       });
     }
-    if (instanceType !== InstanceType.OnPrem && instanceType !== InstanceType.EnterpriseOnPremOffline) {
-      const { data } = await licenseServerCloudApi.request.get(
-        `/api/license-server/v1/customers/${organization.customerId}/cloud-plan/table`
-      );
-      return data;
+
+    const orgMembersUsed = await orgDAL.countAllOrgMembers(orgId);
+    const identityUsed = await identityOrgMembershipDAL.countAllOrgIdentities({ orgId });
+    const projects = await projectDAL.find({ orgId });
+    const projectCount = projects.length;
+
+    if (instanceType === InstanceType.Cloud) {
+      const { data } = await licenseServerCloudApi.request.get<{
+        head: { name: string }[];
+        rows: { name: string; allowed: boolean }[];
+      }>(`/api/license-server/v1/customers/${organization.customerId}/cloud-plan/table`);
+
+      const formattedData = {
+        head: data.head,
+        rows: data.rows.map((el) => {
+          let used = "-";
+
+          if (el.name === BillingPlanRows.MemberLimit.name) {
+            used = orgMembersUsed.toString();
+          } else if (el.name === BillingPlanRows.WorkspaceLimit.name) {
+            used = projectCount.toString();
+          } else if (el.name === BillingPlanRows.IdentityLimit.name) {
+            used = (identityUsed + orgMembersUsed).toString();
+          }
+
+          return {
+            ...el,
+            used
+          };
+        })
+      };
+      return formattedData;
     }
 
     const mappedRows = await Promise.all(
@@ -420,14 +461,11 @@ export const licenseServiceFactory = ({
         let used = "-";
 
         if (field === BillingPlanRows.MemberLimit.field) {
-          const orgMemberships = await orgDAL.countAllOrgMembers(orgId);
-          used = orgMemberships.toString();
+          used = orgMembersUsed.toString();
         } else if (field === BillingPlanRows.WorkspaceLimit.field) {
-          const projects = await projectDAL.find({ orgId });
-          used = projects.length.toString();
+          used = projectCount.toString();
         } else if (field === BillingPlanRows.IdentityLimit.field) {
-          const identities = await identityOrgMembershipDAL.countAllOrgIdentities({ orgId });
-          used = identities.toString();
+          used = identityUsed.toString();
         }
 
         return {

backend/src/ee/services/license/license-types.ts

@@ -27,7 +27,7 @@ export type TFeatureSet = {
   slug: null;
   tier: -1;
   workspaceLimit: null;
-  workspacesUsed: 0;
+  workspacesUsed: number;
   dynamicSecret: false;
   memberLimit: null;
   membersUsed: number;
@@ -72,6 +72,8 @@ export type TFeatureSet = {
   kmip: false;
   gateway: false;
   sshHostGroups: false;
+  enterpriseSecretSyncs: false;
+  enterpriseAppConnections: false;
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -44,6 +44,7 @@ import {
   TOidcLoginDTO,
   TUpdateOidcCfgDTO
 } from "./oidc-config-types";
+import { logger } from "@app/lib/logger";
 
 type TOidcConfigServiceFactoryDep = {
   userDAL: Pick<
@@ -171,8 +172,8 @@ export const oidcConfigServiceFactory = ({
   };
 
   const oidcLogin = async ({
-    externalId,
     email,
+    externalId,
     firstName,
     lastName,
     orgId,
@@ -699,6 +700,7 @@ export const oidcConfigServiceFactory = ({
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       (_req: any, tokenSet: TokenSet, cb: any) => {
         const claims = tokenSet.claims();
+        logger.info(`User OIDC claims received for [orgId=${org.id}] [claims=${JSON.stringify(claims)}]`);
         if (!claims.email || !claims.given_name) {
           throw new BadRequestError({
             message: "Invalid request. Missing email or first name"
@@ -714,13 +716,15 @@ export const oidcConfigServiceFactory = ({
           }
         }
 
+        const groups = typeof claims.groups === "string" ? [claims.groups] : (claims.groups as string[] | undefined);
+
         oidcLogin({
-          email: claims.email,
+          email: claims.email.toLowerCase(),
           externalId: claims.sub,
           firstName: claims.given_name ?? "",
           lastName: claims.family_name ?? "",
           orgId: org.id,
-          groups: claims.groups as string[] | undefined,
+          groups,
           callbackPort,
           manageGroupMemberships: oidcCfg.manageGroupMemberships
         })

backend/src/ee/services/permission/default-roles.ts

@@ -2,6 +2,7 @@ import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability"
 
 import {
   ProjectPermissionActions,
+  ProjectPermissionApprovalActions,
   ProjectPermissionCertificateActions,
   ProjectPermissionCmekActions,
   ProjectPermissionDynamicSecretActions,
@@ -25,7 +26,6 @@ const buildAdminPermissionRules = () => {
   [
     ProjectPermissionSub.SecretFolders,
     ProjectPermissionSub.SecretImports,
-    ProjectPermissionSub.SecretApproval,
     ProjectPermissionSub.Role,
     ProjectPermissionSub.Integrations,
     ProjectPermissionSub.Webhooks,
@@ -55,6 +55,18 @@ const buildAdminPermissionRules = () => {
     );
   });
 
+  can(
+    [
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionApprovalActions.Edit,
+      ProjectPermissionApprovalActions.Create,
+      ProjectPermissionApprovalActions.Delete,
+      ProjectPermissionApprovalActions.AllowChangeBypass,
+      ProjectPermissionApprovalActions.AllowAccessBypass
+    ],
+    ProjectPermissionSub.SecretApproval
+  );
+
   can(
     [
       ProjectPermissionCertificateActions.Read,
@@ -126,7 +138,6 @@ const buildAdminPermissionRules = () => {
 
   can(
     [
-      ProjectPermissionSecretActions.DescribeAndReadValue,
       ProjectPermissionSecretActions.DescribeSecret,
       ProjectPermissionSecretActions.ReadValue,
       ProjectPermissionSecretActions.Create,
@@ -207,7 +218,6 @@ const buildMemberPermissionRules = () => {
 
   can(
     [
-      ProjectPermissionSecretActions.DescribeAndReadValue,
       ProjectPermissionSecretActions.DescribeSecret,
       ProjectPermissionSecretActions.ReadValue,
       ProjectPermissionSecretActions.Edit,
@@ -245,7 +255,7 @@ const buildMemberPermissionRules = () => {
     ProjectPermissionSub.SecretImports
   );
 
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretApproval);
+  can([ProjectPermissionApprovalActions.Read], ProjectPermissionSub.SecretApproval);
   can([ProjectPermissionSecretRotationActions.Read], ProjectPermissionSub.SecretRotation);
 
   can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
@@ -386,13 +396,14 @@ const buildMemberPermissionRules = () => {
 const buildViewerPermissionRules = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
 
-  can(ProjectPermissionSecretActions.DescribeAndReadValue, ProjectPermissionSub.Secrets);
-  can(ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSub.Secrets);
-  can(ProjectPermissionSecretActions.ReadValue, ProjectPermissionSub.Secrets);
+  can(
+    [ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSecretActions.ReadValue],
+    ProjectPermissionSub.Secrets
+  );
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
   can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+  can(ProjectPermissionApprovalActions.Read, ProjectPermissionSub.SecretApproval);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
   can(ProjectPermissionSecretRotationActions.Read, ProjectPermissionSub.SecretRotation);
   can(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);

backend/src/ee/services/permission/org-permission.ts

@@ -41,7 +41,8 @@ export enum OrgPermissionGatewayActions {
   CreateGateways = "create-gateways",
   ListGateways = "list-gateways",
   EditGateways = "edit-gateways",
-  DeleteGateways = "delete-gateways"
+  DeleteGateways = "delete-gateways",
+  AttachGateways = "attach-gateways"
 }
 
 export enum OrgPermissionIdentityActions {
@@ -337,6 +338,7 @@ const buildAdminPermission = () => {
   can(OrgPermissionGatewayActions.CreateGateways, OrgPermissionSubjects.Gateway);
   can(OrgPermissionGatewayActions.EditGateways, OrgPermissionSubjects.Gateway);
   can(OrgPermissionGatewayActions.DeleteGateways, OrgPermissionSubjects.Gateway);
+  can(OrgPermissionGatewayActions.AttachGateways, OrgPermissionSubjects.Gateway);
 
   can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
 
@@ -378,6 +380,7 @@ const buildMemberPermission = () => {
   can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
   can(OrgPermissionGatewayActions.ListGateways, OrgPermissionSubjects.Gateway);
   can(OrgPermissionGatewayActions.CreateGateways, OrgPermissionSubjects.Gateway);
+  can(OrgPermissionGatewayActions.AttachGateways, OrgPermissionSubjects.Gateway);
 
   return rules;
 };

backend/src/ee/services/permission/project-permission.ts

@@ -34,6 +34,15 @@ export enum ProjectPermissionSecretActions {
   Delete = "delete"
 }
 
+export enum ProjectPermissionApprovalActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  AllowChangeBypass = "allow-change-bypass",
+  AllowAccessBypass = "allow-access-bypass"
+}
+
 export enum ProjectPermissionCmekActions {
   Read = "read",
   Create = "create",
@@ -242,7 +251,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.IpAllowList]
   | [ProjectPermissionActions, ProjectPermissionSub.Settings]
   | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
-  | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
+  | [ProjectPermissionApprovalActions, ProjectPermissionSub.SecretApproval]
   | [
       ProjectPermissionSecretRotationActions,
       (
@@ -439,7 +448,7 @@ const PkiSubscriberConditionSchema = z
 const GeneralPermissionSchema = [
   z.object({
     subject: z.literal(ProjectPermissionSub.SecretApproval).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionApprovalActions).describe(
       "Describe what action an entity can take."
     )
   }),
@@ -605,7 +614,7 @@ const GeneralPermissionSchema = [
   })
 ];
 
-// Do not update this schema anymore, as it's kept purely for backwards compatability. Update V2 schema only.
+// Do not update this schema anymore, as it's kept purely for backwards compatibility. Update V2 schema only.
 export const ProjectPermissionV1Schema = z.discriminatedUnion("subject", [
   z.object({
     subject: z.literal(ProjectPermissionSub.Secrets).describe("The entity this permission pertains to."),

backend/src/ee/services/scim/scim-service.ts

@@ -342,7 +342,7 @@ export const scimServiceFactory = ({
           orgMembership = await orgMembershipDAL.create(
             {
               userId: userAlias.userId,
-              inviteEmail: email,
+              inviteEmail: email.toLowerCase(),
               orgId,
               role,
               roleId,
@@ -364,7 +364,7 @@ export const scimServiceFactory = ({
         if (trustScimEmails) {
           user = await userDAL.findOne(
             {
-              email,
+              email: email.toLowerCase(),
               isEmailVerified: true
             },
             tx
@@ -379,8 +379,8 @@ export const scimServiceFactory = ({
           );
           user = await userDAL.create(
             {
-              username: trustScimEmails ? email : uniqueUsername,
-              email,
+              username: trustScimEmails ? email.toLowerCase() : uniqueUsername,
+              email: email.toLowerCase(),
               isEmailVerified: trustScimEmails,
               firstName,
               lastName,
@@ -396,7 +396,7 @@ export const scimServiceFactory = ({
             userId: user.id,
             aliasType,
             externalId,
-            emails: email ? [email] : [],
+            emails: email ? [email.toLowerCase()] : [],
             orgId
           },
           tx
@@ -418,7 +418,7 @@ export const scimServiceFactory = ({
           orgMembership = await orgMembershipDAL.create(
             {
               userId: user.id,
-              inviteEmail: email,
+              inviteEmail: email.toLowerCase(),
               orgId,
               role,
               roleId,
@@ -529,7 +529,7 @@ export const scimServiceFactory = ({
         membership.userId,
         {
           firstName: scimUser.name.givenName,
-          email: scimUser.emails[0].value,
+          email: scimUser.emails[0].value.toLowerCase(),
           lastName: scimUser.name.familyName,
           isEmailVerified: hasEmailChanged ? trustScimEmails : undefined
         },
@@ -606,7 +606,7 @@ export const scimServiceFactory = ({
         membership.userId,
         {
           firstName,
-          email,
+          email: email?.toLowerCase(),
           lastName,
           isEmailVerified:
             org.orgAuthMethod === OrgAuthMethod.OIDC ? serverCfg.trustOidcEmails : serverCfg.trustSamlEmails

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -3,7 +3,7 @@ import picomatch from "picomatch";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { containsGlobPatterns } from "@app/lib/picomatch";
@@ -89,7 +89,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
+      ProjectPermissionApprovalActions.Create,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -204,7 +204,10 @@ export const secretApprovalPolicyServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Edit,
+      ProjectPermissionSub.SecretApproval
+    );
 
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan.secretApproval) {
@@ -301,7 +304,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
+      ProjectPermissionApprovalActions.Delete,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -340,7 +343,10 @@ export const secretApprovalPolicyServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionSub.SecretApproval
+    );
 
     const sapPolicies = await secretApprovalPolicyDAL.find({ projectId, deletedAt: null });
     return sapPolicies;
@@ -413,7 +419,10 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionSub.SecretApproval
+    );
 
     return sapPolicy;
   };

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -62,7 +62,11 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { throwIfMissingSecretReadValueOrDescribePermission } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionSecretActions, ProjectPermissionSub } from "../permission/project-permission";
+import {
+  ProjectPermissionApprovalActions,
+  ProjectPermissionSecretActions,
+  ProjectPermissionSub
+} from "../permission/project-permission";
 import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
 import { TSecretSnapshotServiceFactory } from "../secret-snapshot/secret-snapshot-service";
 import { TSecretApprovalRequestDALFactory } from "./secret-approval-request-dal";
@@ -504,7 +508,7 @@ export const secretApprovalRequestServiceFactory = ({
       });
     }
 
-    const { hasRole } = await permissionService.getProjectPermission({
+    const { hasRole, permission } = await permissionService.getProjectPermission({
       actor: ActorType.USER,
       actorId,
       projectId,
@@ -531,7 +535,13 @@ export const secretApprovalRequestServiceFactory = ({
       ).length;
     const isSoftEnforcement = secretApprovalRequest.policy.enforcementLevel === EnforcementLevel.Soft;
 
-    if (!hasMinApproval && !isSoftEnforcement)
+    if (
+      !hasMinApproval &&
+      !(
+        isSoftEnforcement &&
+        permission.can(ProjectPermissionApprovalActions.AllowChangeBypass, ProjectPermissionSub.SecretApproval)
+      )
+    )
       throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
 
     const { botKey, shouldUseSecretV2Bridge, project } = await projectBotService.getBotKey(projectId);

backend/src/ee/services/secret-rotation-v2/ldap-password/ldap-password-rotation-fns.ts

@@ -1,4 +1,4 @@
-import ldap from "ldapjs";
+import ldap, { Client, SearchOptions } from "ldapjs";
 
 import {
   TRotationFactory,
@@ -8,26 +8,73 @@ import {
   TRotationFactoryRotateCredentials
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
 import { logger } from "@app/lib/logger";
+import { DistinguishedNameRegex } from "@app/lib/regex";
 import { encryptAppConnectionCredentials } from "@app/services/app-connection/app-connection-fns";
 import { getLdapConnectionClient, LdapProvider, TLdapConnection } from "@app/services/app-connection/ldap";
 
 import { generatePassword } from "../shared/utils";
 import {
+  LdapPasswordRotationMethod,
   TLdapPasswordRotationGeneratedCredentials,
+  TLdapPasswordRotationInput,
   TLdapPasswordRotationWithConnection
 } from "./ldap-password-rotation-types";
 
 const getEncodedPassword = (password: string) => Buffer.from(`"${password}"`, "utf16le");
 
+const getDN = async (dn: string, client: Client): Promise<string> => {
+  if (DistinguishedNameRegex.test(dn)) return dn;
+
+  const opts: SearchOptions = {
+    filter: `(userPrincipalName=${dn})`,
+    scope: "sub",
+    attributes: ["dn"]
+  };
+
+  const base = dn
+    .split("@")[1]
+    .split(".")
+    .map((dc) => `dc=${dc}`)
+    .join(",");
+
+  return new Promise((resolve, reject) => {
+    // Perform the search
+    client.search(base, opts, (err, res) => {
+      if (err) {
+        logger.error(err, "LDAP Failed to get DN");
+        reject(new Error(`Provider Resolve DN Error: ${err.message}`));
+      }
+
+      let userDn: string | null;
+
+      res.on("searchEntry", (entry) => {
+        userDn = entry.objectName;
+      });
+
+      res.on("error", (error) => {
+        logger.error(error, "LDAP Failed to get DN");
+        reject(new Error(`Provider Resolve DN Error: ${error.message}`));
+      });
+
+      res.on("end", () => {
+        if (userDn) {
+          resolve(userDn);
+        } else {
+          reject(new Error(`Unable to resolve DN for ${dn}.`));
+        }
+      });
+    });
+  });
+};
+
 export const ldapPasswordRotationFactory: TRotationFactory<
   TLdapPasswordRotationWithConnection,
-  TLdapPasswordRotationGeneratedCredentials
+  TLdapPasswordRotationGeneratedCredentials,
+  TLdapPasswordRotationInput["temporaryParameters"]
 > = (secretRotation, appConnectionDAL, kmsService) => {
-  const {
-    connection,
-    parameters: { dn, passwordRequirements },
-    secretsMapping
-  } = secretRotation;
+  const { connection, parameters, secretsMapping, activeIndex } = secretRotation;
+
+  const { dn, passwordRequirements } = parameters;
 
   const $verifyCredentials = async (credentials: Pick<TLdapConnection["credentials"], "dn" | "password">) => {
     try {
@@ -40,13 +87,21 @@ export const ldapPasswordRotationFactory: TRotationFactory<
     }
   };
 
-  const $rotatePassword = async () => {
+  const $rotatePassword = async (currentPassword?: string) => {
     const { credentials, orgId } = connection;
 
     if (!credentials.url.startsWith("ldaps")) throw new Error("Password Rotation requires an LDAPS connection");
 
-    const client = await getLdapConnectionClient(credentials);
-    const isPersonalRotation = credentials.dn === dn;
+    const client = await getLdapConnectionClient(
+      currentPassword
+        ? {
+            ...credentials,
+            password: currentPassword,
+            dn
+          }
+        : credentials
+    );
+    const isConnectionRotation = credentials.dn === dn;
 
     const password = generatePassword(passwordRequirements);
 
@@ -58,8 +113,8 @@ export const ldapPasswordRotationFactory: TRotationFactory<
           const encodedPassword = getEncodedPassword(password);
 
           // service account vs personal password rotation require different changes
-          if (isPersonalRotation) {
-            const currentEncodedPassword = getEncodedPassword(credentials.password);
+          if (isConnectionRotation || currentPassword) {
+            const currentEncodedPassword = getEncodedPassword(currentPassword || credentials.password);
 
             changes = [
               new ldap.Change({
@@ -93,8 +148,9 @@ export const ldapPasswordRotationFactory: TRotationFactory<
     }
 
     try {
+      const userDn = await getDN(dn, client);
       await new Promise((resolve, reject) => {
-        client.modify(dn, changes, (err) => {
+        client.modify(userDn, changes, (err) => {
           if (err) {
             logger.error(err, "LDAP Password Rotation Failed");
             reject(new Error(`Provider Modify Error: ${err.message}`));
@@ -110,7 +166,7 @@ export const ldapPasswordRotationFactory: TRotationFactory<
 
     await $verifyCredentials({ dn, password });
 
-    if (isPersonalRotation) {
+    if (isConnectionRotation) {
       const updatedCredentials: TLdapConnection["credentials"] = {
         ...credentials,
         password
@@ -128,29 +184,41 @@ export const ldapPasswordRotationFactory: TRotationFactory<
     return { dn, password };
   };
 
-  const issueCredentials: TRotationFactoryIssueCredentials<TLdapPasswordRotationGeneratedCredentials> = async (
-    callback
-  ) => {
-    const credentials = await $rotatePassword();
+  const issueCredentials: TRotationFactoryIssueCredentials<
+    TLdapPasswordRotationGeneratedCredentials,
+    TLdapPasswordRotationInput["temporaryParameters"]
+  > = async (callback, temporaryParameters) => {
+    const credentials = await $rotatePassword(
+      parameters.rotationMethod === LdapPasswordRotationMethod.TargetPrincipal
+        ? temporaryParameters?.password
+        : undefined
+    );
 
     return callback(credentials);
   };
 
   const revokeCredentials: TRotationFactoryRevokeCredentials<TLdapPasswordRotationGeneratedCredentials> = async (
-    _,
+    credentialsToRevoke,
     callback
   ) => {
+    const currentPassword = credentialsToRevoke[activeIndex].password;
+
     // we just rotate to a new password, essentially revoking old credentials
-    await $rotatePassword();
+    await $rotatePassword(
+      parameters.rotationMethod === LdapPasswordRotationMethod.TargetPrincipal ? currentPassword : undefined
+    );
 
     return callback();
   };
 
   const rotateCredentials: TRotationFactoryRotateCredentials<TLdapPasswordRotationGeneratedCredentials> = async (
     _,
-    callback
+    callback,
+    activeCredentials
   ) => {
-    const credentials = await $rotatePassword();
+    const credentials = await $rotatePassword(
+      parameters.rotationMethod === LdapPasswordRotationMethod.TargetPrincipal ? activeCredentials.password : undefined
+    );
 
     return callback(credentials);
   };

backend/src/ee/services/secret-rotation-v2/ldap-password/ldap-password-rotation-schemas.ts

@@ -1,6 +1,6 @@
-import RE2 from "re2";
 import { z } from "zod";
 
+import { LdapPasswordRotationMethod } from "@app/ee/services/secret-rotation-v2/ldap-password/ldap-password-rotation-types";
 import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
 import {
   BaseCreateSecretRotationSchema,
@@ -9,7 +9,7 @@ import {
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-schemas";
 import { PasswordRequirementsSchema } from "@app/ee/services/secret-rotation-v2/shared/general";
 import { SecretRotations } from "@app/lib/api-docs";
-import { DistinguishedNameRegex } from "@app/lib/regex";
+import { DistinguishedNameRegex, UserPrincipalNameRegex } from "@app/lib/regex";
 import { SecretNameSchema } from "@app/server/lib/schemas";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 
@@ -26,10 +26,16 @@ const LdapPasswordRotationParametersSchema = z.object({
   dn: z
     .string()
     .trim()
-    .regex(new RE2(DistinguishedNameRegex), "Invalid DN format, ie; CN=user,OU=users,DC=example,DC=com")
-    .min(1, "Distinguished Name (DN) Required")
+    .min(1, "DN/UPN required")
+    .refine((value) => DistinguishedNameRegex.test(value) || UserPrincipalNameRegex.test(value), {
+      message: "Invalid DN/UPN format"
+    })
     .describe(SecretRotations.PARAMETERS.LDAP_PASSWORD.dn),
-  passwordRequirements: PasswordRequirementsSchema.optional()
+  passwordRequirements: PasswordRequirementsSchema.optional(),
+  rotationMethod: z
+    .nativeEnum(LdapPasswordRotationMethod)
+    .optional()
+    .describe(SecretRotations.PARAMETERS.LDAP_PASSWORD.rotationMethod)
 });
 
 const LdapPasswordRotationSecretsMappingSchema = z.object({
@@ -50,10 +56,28 @@ export const LdapPasswordRotationSchema = BaseSecretRotationSchema(SecretRotatio
   secretsMapping: LdapPasswordRotationSecretsMappingSchema
 });
 
-export const CreateLdapPasswordRotationSchema = BaseCreateSecretRotationSchema(SecretRotation.LdapPassword).extend({
-  parameters: LdapPasswordRotationParametersSchema,
-  secretsMapping: LdapPasswordRotationSecretsMappingSchema
-});
+export const CreateLdapPasswordRotationSchema = BaseCreateSecretRotationSchema(SecretRotation.LdapPassword)
+  .extend({
+    parameters: LdapPasswordRotationParametersSchema,
+    secretsMapping: LdapPasswordRotationSecretsMappingSchema,
+    temporaryParameters: z
+      .object({
+        password: z.string().min(1, "Password required").describe(SecretRotations.PARAMETERS.LDAP_PASSWORD.password)
+      })
+      .optional()
+  })
+  .superRefine((val, ctx) => {
+    if (
+      val.parameters.rotationMethod === LdapPasswordRotationMethod.TargetPrincipal &&
+      !val.temporaryParameters?.password
+    ) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: "Password required",
+        path: ["temporaryParameters", "password"]
+      });
+    }
+  });
 
 export const UpdateLdapPasswordRotationSchema = BaseUpdateSecretRotationSchema(SecretRotation.LdapPassword).extend({
   parameters: LdapPasswordRotationParametersSchema.optional(),

backend/src/ee/services/secret-rotation-v2/ldap-password/ldap-password-rotation-types.ts

@@ -9,6 +9,11 @@ import {
   LdapPasswordRotationSchema
 } from "./ldap-password-rotation-schemas";
 
+export enum LdapPasswordRotationMethod {
+  ConnectionPrincipal = "connection-principal",
+  TargetPrincipal = "target-principal"
+}
+
 export type TLdapPasswordRotation = z.infer<typeof LdapPasswordRotationSchema>;
 
 export type TLdapPasswordRotationInput = z.infer<typeof CreateLdapPasswordRotationSchema>;

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts

@@ -1,12 +1,13 @@
 import { AxiosError } from "axios";
 
 import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 
 import { AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./auth0-client-secret";
 import { AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION } from "./aws-iam-user-secret";
 import { AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./azure-client-secret";
-import { LDAP_PASSWORD_ROTATION_LIST_OPTION } from "./ldap-password";
+import { LDAP_PASSWORD_ROTATION_LIST_OPTION, TLdapPasswordRotation } from "./ldap-password";
 import { MSSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mssql-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
@@ -15,7 +16,8 @@ import {
   TSecretRotationV2,
   TSecretRotationV2GeneratedCredentials,
   TSecretRotationV2ListItem,
-  TSecretRotationV2Raw
+  TSecretRotationV2Raw,
+  TUpdateSecretRotationV2DTO
 } from "./secret-rotation-v2-types";
 
 const SECRET_ROTATION_LIST_OPTIONS: Record<SecretRotation, TSecretRotationV2ListItem> = {
@@ -228,3 +230,30 @@ export const parseRotationErrorMessage = (err: unknown): string => {
     ? errorMessage
     : `${errorMessage.substring(0, MAX_MESSAGE_LENGTH - 3)}...`;
 };
+
+function haveUnequalProperties<T>(obj1: T, obj2: T, properties: (keyof T)[]): boolean {
+  return properties.some((prop) => obj1[prop] !== obj2[prop]);
+}
+
+export const throwOnImmutableParameterUpdate = (
+  updatePayload: TUpdateSecretRotationV2DTO,
+  secretRotation: TSecretRotationV2Raw
+) => {
+  if (!updatePayload.parameters) return;
+
+  switch (updatePayload.type) {
+    case SecretRotation.LdapPassword:
+      if (
+        haveUnequalProperties(
+          updatePayload.parameters as TLdapPasswordRotation["parameters"],
+          secretRotation.parameters as TLdapPasswordRotation["parameters"],
+          ["rotationMethod", "dn"]
+        )
+      ) {
+        throw new BadRequestError({ message: "Cannot update rotation method or DN" });
+      }
+      break;
+    default:
+    // do nothing
+  }
+};

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -25,7 +25,8 @@ import {
   getNextUtcRotationInterval,
   getSecretRotationRotateSecretJobOptions,
   listSecretRotationOptions,
-  parseRotationErrorMessage
+  parseRotationErrorMessage,
+  throwOnImmutableParameterUpdate
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-fns";
 import {
   SECRET_ROTATION_CONNECTION_MAP,
@@ -46,6 +47,7 @@ import {
   TSecretRotationV2,
   TSecretRotationV2GeneratedCredentials,
   TSecretRotationV2Raw,
+  TSecretRotationV2TemporaryParameters,
   TSecretRotationV2WithConnection,
   TUpdateSecretRotationV2DTO
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
@@ -112,7 +114,8 @@ const MAX_GENERATED_CREDENTIALS_LENGTH = 2;
 
 type TRotationFactoryImplementation = TRotationFactory<
   TSecretRotationV2WithConnection,
-  TSecretRotationV2GeneratedCredentials
+  TSecretRotationV2GeneratedCredentials,
+  TSecretRotationV2TemporaryParameters
 >;
 const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactoryImplementation> = {
   [SecretRotation.PostgresCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
@@ -400,6 +403,7 @@ export const secretRotationV2ServiceFactory = ({
       environment,
       rotateAtUtc = { hours: 0, minutes: 0 },
       secretsMapping,
+      temporaryParameters,
       ...payload
     }: TCreateSecretRotationV2DTO,
     actor: OrgServiceActor
@@ -546,7 +550,7 @@ export const secretRotationV2ServiceFactory = ({
 
           return createdRotation;
         });
-      });
+      }, temporaryParameters);
 
       await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
       await snapshotService.performSnapshot(folder.id);
@@ -585,10 +589,7 @@ export const secretRotationV2ServiceFactory = ({
     }
   };
 
-  const updateSecretRotation = async (
-    { type, rotationId, ...payload }: TUpdateSecretRotationV2DTO,
-    actor: OrgServiceActor
-  ) => {
+  const updateSecretRotation = async (dto: TUpdateSecretRotationV2DTO, actor: OrgServiceActor) => {
     const plan = await licenseService.getPlan(actor.orgId);
 
     if (!plan.secretRotation)
@@ -596,6 +597,8 @@ export const secretRotationV2ServiceFactory = ({
         message: "Failed to update secret rotation due to plan restriction. Upgrade plan to update secret rotations."
       });
 
+    const { type, rotationId, ...payload } = dto;
+
     const secretRotation = await secretRotationV2DAL.findById(rotationId);
 
     if (!secretRotation)
@@ -603,6 +606,8 @@ export const secretRotationV2ServiceFactory = ({
         message: `Could not find ${SECRET_ROTATION_NAME_MAP[type]} Rotation with ID ${rotationId}`
       });
 
+    throwOnImmutableParameterUpdate(dto, secretRotation);
+
     const { folder, environment, projectId, folderId, connection } = secretRotation;
     const secretsMapping = secretRotation.secretsMapping as TSecretRotationV2["secretsMapping"];
 
@@ -877,6 +882,7 @@ export const secretRotationV2ServiceFactory = ({
       const inactiveIndex = (activeIndex + 1) % MAX_GENERATED_CREDENTIALS_LENGTH;
 
       const inactiveCredentials = generatedCredentials[inactiveIndex];
+      const activeCredentials = generatedCredentials[activeIndex];
 
       const rotationFactory = SECRET_ROTATION_FACTORY_MAP[type as SecretRotation](
         {
@@ -887,73 +893,77 @@ export const secretRotationV2ServiceFactory = ({
         kmsService
       );
 
-      const updatedRotation = await rotationFactory.rotateCredentials(inactiveCredentials, async (newCredentials) => {
-        const updatedCredentials = [...generatedCredentials];
-        updatedCredentials[inactiveIndex] = newCredentials;
+      const updatedRotation = await rotationFactory.rotateCredentials(
+        inactiveCredentials,
+        async (newCredentials) => {
+          const updatedCredentials = [...generatedCredentials];
+          updatedCredentials[inactiveIndex] = newCredentials;
 
-        const encryptedUpdatedCredentials = await encryptSecretRotationCredentials({
-          projectId,
-          generatedCredentials: updatedCredentials as TSecretRotationV2GeneratedCredentials,
-          kmsService
-        });
-
-        return secretRotationV2DAL.transaction(async (tx) => {
-          const secretsPayload = rotationFactory.getSecretsPayload(newCredentials);
-
-          const { encryptor } = await kmsService.createCipherPairWithDataKey({
-            type: KmsDataKey.SecretManager,
-            projectId
+          const encryptedUpdatedCredentials = await encryptSecretRotationCredentials({
+            projectId,
+            generatedCredentials: updatedCredentials as TSecretRotationV2GeneratedCredentials,
+            kmsService
           });
 
-          // update mapped secrets with new credential values
-          await fnSecretBulkUpdate({
-            folderId,
-            orgId: connection.orgId,
-            tx,
-            inputSecrets: secretsPayload.map(({ key, value }) => ({
-              filter: {
-                key,
-                folderId,
-                type: SecretType.Shared
-              },
-              data: {
-                encryptedValue: encryptor({
-                  plainText: Buffer.from(value)
-                }).cipherTextBlob,
-                references: []
-              }
-            })),
-            secretDAL: secretV2BridgeDAL,
-            secretVersionDAL: secretVersionV2BridgeDAL,
-            secretVersionTagDAL: secretVersionTagV2BridgeDAL,
-            secretTagDAL,
-            resourceMetadataDAL
-          });
+          return secretRotationV2DAL.transaction(async (tx) => {
+            const secretsPayload = rotationFactory.getSecretsPayload(newCredentials);
 
-          const currentTime = new Date();
+            const { encryptor } = await kmsService.createCipherPairWithDataKey({
+              type: KmsDataKey.SecretManager,
+              projectId
+            });
 
-          return secretRotationV2DAL.updateById(
-            secretRotation.id,
-            {
-              encryptedGeneratedCredentials: encryptedUpdatedCredentials,
-              activeIndex: inactiveIndex,
-              isLastRotationManual: isManualRotation,
-              lastRotatedAt: currentTime,
-              lastRotationAttemptedAt: currentTime,
-              nextRotationAt: calculateNextRotationAt({
-                ...(secretRotation as TSecretRotationV2),
-                rotationStatus: SecretRotationStatus.Success,
+            // update mapped secrets with new credential values
+            await fnSecretBulkUpdate({
+              folderId,
+              orgId: connection.orgId,
+              tx,
+              inputSecrets: secretsPayload.map(({ key, value }) => ({
+                filter: {
+                  key,
+                  folderId,
+                  type: SecretType.Shared
+                },
+                data: {
+                  encryptedValue: encryptor({
+                    plainText: Buffer.from(value)
+                  }).cipherTextBlob,
+                  references: []
+                }
+              })),
+              secretDAL: secretV2BridgeDAL,
+              secretVersionDAL: secretVersionV2BridgeDAL,
+              secretVersionTagDAL: secretVersionTagV2BridgeDAL,
+              secretTagDAL,
+              resourceMetadataDAL
+            });
+
+            const currentTime = new Date();
+
+            return secretRotationV2DAL.updateById(
+              secretRotation.id,
+              {
+                encryptedGeneratedCredentials: encryptedUpdatedCredentials,
+                activeIndex: inactiveIndex,
+                isLastRotationManual: isManualRotation,
                 lastRotatedAt: currentTime,
-                isManualRotation
-              }),
-              rotationStatus: SecretRotationStatus.Success,
-              lastRotationJobId: jobId,
-              encryptedLastRotationMessage: null
-            },
-            tx
-          );
-        });
-      });
+                lastRotationAttemptedAt: currentTime,
+                nextRotationAt: calculateNextRotationAt({
+                  ...(secretRotation as TSecretRotationV2),
+                  rotationStatus: SecretRotationStatus.Success,
+                  lastRotatedAt: currentTime,
+                  isManualRotation
+                }),
+                rotationStatus: SecretRotationStatus.Success,
+                lastRotationJobId: jobId,
+                encryptedLastRotationMessage: null
+              },
+              tx
+            );
+          });
+        },
+        activeCredentials
+      );
 
       await auditLogService.createAuditLog({
         ...(auditLogInfo ?? {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts

@@ -87,6 +87,8 @@ export type TSecretRotationV2ListItem =
   | TLdapPasswordRotationListItem
   | TAwsIamUserSecretRotationListItem;
 
+export type TSecretRotationV2TemporaryParameters = TLdapPasswordRotationInput["temporaryParameters"] | undefined;
+
 export type TSecretRotationV2Raw = NonNullable<Awaited<ReturnType<TSecretRotationV2DALFactory["findById"]>>>;
 
 export type TListSecretRotationsV2ByProjectId = {
@@ -120,6 +122,7 @@ export type TCreateSecretRotationV2DTO = Pick<
   environment: string;
   isAutoRotationEnabled?: boolean;
   rotateAtUtc?: TRotateAtUtc;
+  temporaryParameters?: TSecretRotationV2TemporaryParameters;
 };
 
 export type TUpdateSecretRotationV2DTO = Partial<
@@ -186,8 +189,12 @@ export type TSecretRotationSendNotificationJobPayload = {
 // transactional behavior. By passing in the rotation mutation, if this mutation fails we can roll back the
 // third party credential changes (when supported), preventing credentials getting out of sync
 
-export type TRotationFactoryIssueCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
-  callback: (newCredentials: T[number]) => Promise<TSecretRotationV2Raw>
+export type TRotationFactoryIssueCredentials<
+  T extends TSecretRotationV2GeneratedCredentials,
+  P extends TSecretRotationV2TemporaryParameters = undefined
+> = (
+  callback: (newCredentials: T[number]) => Promise<TSecretRotationV2Raw>,
+  temporaryParameters?: P
 ) => Promise<TSecretRotationV2Raw>;
 
 export type TRotationFactoryRevokeCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
@@ -197,7 +204,8 @@ export type TRotationFactoryRevokeCredentials<T extends TSecretRotationV2Generat
 
 export type TRotationFactoryRotateCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
   credentialsToRevoke: T[number] | undefined,
-  callback: (newCredentials: T[number]) => Promise<TSecretRotationV2Raw>
+  callback: (newCredentials: T[number]) => Promise<TSecretRotationV2Raw>,
+  activeCredentials: T[number]
 ) => Promise<TSecretRotationV2Raw>;
 
 export type TRotationFactoryGetSecretsPayload<T extends TSecretRotationV2GeneratedCredentials> = (
@@ -206,13 +214,14 @@ export type TRotationFactoryGetSecretsPayload<T extends TSecretRotationV2Generat
 
 export type TRotationFactory<
   T extends TSecretRotationV2WithConnection,
-  C extends TSecretRotationV2GeneratedCredentials
+  C extends TSecretRotationV2GeneratedCredentials,
+  P extends TSecretRotationV2TemporaryParameters = undefined
 > = (
   secretRotation: T,
   appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">,
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
 ) => {
-  issueCredentials: TRotationFactoryIssueCredentials<C>;
+  issueCredentials: TRotationFactoryIssueCredentials<C, P>;
   revokeCredentials: TRotationFactoryRevokeCredentials<C>;
   rotateCredentials: TRotationFactoryRotateCredentials<C>;
   getSecretsPayload: TRotationFactoryGetSecretsPayload<C>;

backend/src/ee/services/secret-sync/oci-vault/oci-vault-sync-constants.ts

@@ -6,5 +6,6 @@ export const OCI_VAULT_SYNC_LIST_OPTION: TSecretSyncListItem = {
   name: "OCI Vault",
   destination: SecretSync.OCIVault,
   connection: AppConnection.OCI,
-  canImportSecrets: true
+  canImportSecrets: true,
+  enterprise: true
 };

backend/src/ee/services/secret-sync/oci-vault/oci-vault-sync-fns.ts

@@ -1,7 +1,6 @@
 import { secrets, vault } from "oci-sdk";
 
-import { delay } from "@app/lib/delay";
-import { getOCIProvider } from "@app/services/app-connection/oci";
+import { getOCIProvider } from "@app/ee/services/app-connections/oci";
 import {
   TCreateOCIVaultVariable,
   TDeleteOCIVaultVariable,
@@ -9,8 +8,10 @@ import {
   TOCIVaultSyncWithCredentials,
   TUnmarkOCIVaultVariableFromDeletion,
   TUpdateOCIVaultVariable
-} from "@app/services/secret-sync/oci-vault/oci-vault-sync-types";
+} from "@app/ee/services/secret-sync/oci-vault/oci-vault-sync-types";
+import { delay } from "@app/lib/delay";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 
 const listOCIVaultVariables = async ({ provider, compartmentId, vaultId, onlyActive }: TOCIVaultListVariables) => {
@@ -211,6 +212,9 @@ export const OCIVaultSyncFns = {
 
     // Update and delete secrets
     for await (const [key, variable] of Object.entries(variables)) {
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(key, secretSync.syncOptions.keySchema)) continue;
+
       // Only update / delete active secrets
       if (variable.lifecycleState === vault.models.SecretSummary.LifecycleState.Active) {
         if (key in secretMap && secretMap[key].value.length > 0) {

backend/src/ee/services/secret-sync/oci-vault/oci-vault-sync-schemas.ts

@@ -66,5 +66,6 @@ export const OCIVaultSyncListItemSchema = z.object({
   name: z.literal("OCI Vault"),
   connection: z.literal(AppConnection.OCI),
   destination: z.literal(SecretSync.OCIVault),
-  canImportSecrets: z.literal(true)
+  canImportSecrets: z.literal(true),
+  enterprise: z.boolean()
 });

backend/src/ee/services/secret-sync/oci-vault/oci-vault-sync-types.ts

@@ -1,7 +1,7 @@
 import { SimpleAuthenticationDetailsProvider } from "oci-sdk";
 import { z } from "zod";
 
-import { TOCIConnection } from "@app/services/app-connection/oci";
+import { TOCIConnection } from "@app/ee/services/app-connections/oci";
 
 import { CreateOCIVaultSyncSchema, OCIVaultSyncListItemSchema, OCIVaultSyncSchema } from "./oci-vault-sync-schemas";
 

backend/src/keystore/keystore.ts

@@ -1,5 +1,4 @@
-import { Redis } from "ioredis";
-
+import { buildRedisFromConfig, TRedisConfigKeys } from "@app/lib/config/redis";
 import { pgAdvisoryLockHashText } from "@app/lib/crypto/hashtext";
 import { applyJitter } from "@app/lib/dates";
 import { delay as delayMs } from "@app/lib/delay";
@@ -37,6 +36,8 @@ export const KeyStorePrefixes = {
     `sync-integration-last-run-${projectId}-${environmentSlug}-${secretPath}` as const,
   SecretSyncLock: (syncId: string) => `secret-sync-mutex-${syncId}` as const,
   SecretRotationLock: (rotationId: string) => `secret-rotation-v2-mutex-${rotationId}` as const,
+  CaOrderCertificateForSubscriberLock: (subscriberId: string) =>
+    `ca-order-certificate-for-subscriber-lock-${subscriberId}` as const,
   SecretSyncLastRunTimestamp: (syncId: string) => `secret-sync-last-run-${syncId}` as const,
   IdentityAccessTokenStatusUpdate: (identityAccessTokenId: string) =>
     `identity-access-token-status:${identityAccessTokenId}`,
@@ -66,8 +67,8 @@ type TWaitTillReady = {
   jitter?: number;
 };
 
-export const keyStoreFactory = (redisUrl: string) => {
-  const redis = new Redis(redisUrl);
+export const keyStoreFactory = (redisConfigKeys: TRedisConfigKeys) => {
+  const redis = buildRedisFromConfig(redisConfigKeys);
   const redisLock = new Redlock([redis], { retryCount: 2, retryDelay: 200 });
 
   const setItem = async (key: string, value: string | number | Buffer, prefix?: string) =>

backend/src/lib/api-docs/constants.ts

@@ -5,6 +5,8 @@ import {
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-maps";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
+import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
+import { CERTIFICATE_AUTHORITIES_TYPE_MAP } from "@app/services/certificate-authority/certificate-authority-maps";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import { SECRET_SYNC_CONNECTION_MAP, SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 
@@ -14,6 +16,7 @@ export enum ApiDocsTags {
   UniversalAuth = "Universal Auth",
   GcpAuth = "GCP Auth",
   AwsAuth = "AWS Auth",
+  OciAuth = "OCI Auth",
   AzureAuth = "Azure Auth",
   KubernetesAuth = "Kubernetes Auth",
   JwtAuth = "JWT Auth",
@@ -144,7 +147,9 @@ export const UNIVERSAL_AUTH = {
     accessTokenMaxTTL:
       "The maximum lifetime for an access token in seconds. This value will be referenced at renewal time.",
     accessTokenNumUsesLimit:
-      "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses."
+      "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses.",
+    accessTokenPeriod:
+      "The period for an access token in seconds. This value will be referenced at renewal time. Default value is 0."
   },
   RETRIEVE: {
     identityId: "The ID of the identity to retrieve the auth method for."
@@ -158,7 +163,8 @@ export const UNIVERSAL_AUTH = {
     accessTokenTrustedIps: "The new list of IPs or CIDR ranges that access tokens can be used from.",
     accessTokenTTL: "The new lifetime for an access token in seconds.",
     accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
-    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
+    accessTokenPeriod: "The new period for an access token in seconds."
   },
   CREATE_CLIENT_SECRET: {
     identityId: "The ID of the identity to create a client secret for.",
@@ -271,6 +277,40 @@ export const AWS_AUTH = {
   }
 } as const;
 
+export const OCI_AUTH = {
+  LOGIN: {
+    identityId: "The ID of the identity to login.",
+    userOcid: "The OCID of the user attempting login.",
+    headers: "The headers of the signed request."
+  },
+  ATTACH: {
+    identityId: "The ID of the identity to attach the configuration onto.",
+    tenancyOcid: "The OCID of your tenancy.",
+    allowedUsernames:
+      "The comma-separated list of trusted OCI account usernames that are allowed to authenticate with Infisical.",
+    accessTokenTTL: "The lifetime for an access token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
+    accessTokenNumUsesLimit: "The maximum number of times that an access token can be used.",
+    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update the auth method for.",
+    tenancyOcid: "The OCID of your tenancy.",
+    allowedUsernames:
+      "The comma-separated list of trusted OCI account usernames that are allowed to authenticate with Infisical.",
+    accessTokenTTL: "The new lifetime for an access token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
+    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from."
+  },
+  RETRIEVE: {
+    identityId: "The ID of the identity to retrieve the auth method for."
+  },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke the auth method for."
+  }
+} as const;
+
 export const AZURE_AUTH = {
   LOGIN: {
     identityId: "The ID of the identity to login."
@@ -358,6 +398,7 @@ export const KUBERNETES_AUTH = {
     allowedNames: "The comma-separated list of trusted service account names that can authenticate with Infisical.",
     allowedAudience:
       "The optional audience claim that the service account JWT token must have to authenticate with Infisical.",
+    gatewayId: "The ID of the gateway to use when performing kubernetes API requests.",
     accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
     accessTokenTTL: "The lifetime for an access token in seconds.",
     accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
@@ -374,6 +415,7 @@ export const KUBERNETES_AUTH = {
     allowedNames: "The new comma-separated list of trusted service account names that can authenticate with Infisical.",
     allowedAudience:
       "The new optional audience claim that the service account JWT token must have to authenticate with Infisical.",
+    gatewayId: "The ID of the gateway to use when performing kubernetes API requests.",
     accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
     accessTokenTTL: "The new lifetime for an acccess token in seconds.",
     accessTokenMaxTTL: "The new maximum lifetime for an acccess token in seconds.",
@@ -571,7 +613,8 @@ export const PROJECTS = {
     projectDescription: "An optional description label for the project.",
     autoCapitalization: "Disable or enable auto-capitalization for the project.",
     slug: "An optional slug for the project. (must be unique within the organization)",
-    hasDeleteProtection: "Enable or disable delete protection for the project."
+    hasDeleteProtection: "Enable or disable delete protection for the project.",
+    secretSharing: "Enable or disable secret sharing for the project."
   },
   GET_KEY: {
     workspaceId: "The ID of the project to get the key from."
@@ -1669,6 +1712,19 @@ export const CERTIFICATES = {
     certificateChain: "The certificate chain of the certificate.",
     serialNumberRes: "The serial number of the certificate.",
     privateKey: "The private key of the certificate."
+  },
+  IMPORT: {
+    projectSlug: "Slug of the project to import the certificate into.",
+    certificatePem: "The PEM-encoded leaf certificate.",
+    privateKeyPem: "The PEM-encoded private key corresponding to the certificate.",
+    chainPem: "The PEM-encoded chain of intermediate certificates.",
+    friendlyName: "A friendly name for the certificate.",
+    pkiCollectionId: "The ID of the PKI collection to add the certificate to.",
+
+    certificate: "The issued certificate.",
+    certificateChain: "The certificate chain of the issued certificate.",
+    privateKey: "The private key of the issued certificate.",
+    serialNumber: "The serial number of the issued certificate."
   }
 };
 
@@ -1740,6 +1796,14 @@ export const PKI_SUBSCRIBERS = {
     subscriberName: "The name of the PKI subscriber to get.",
     projectId: "The ID of the project to get the PKI subscriber for."
   },
+  GET_LATEST_CERT_BUNDLE: {
+    subscriberName: "The name of the PKI subscriber to get the active certificate bundle for.",
+    projectId: "The ID of the project to get the active certificate bundle for.",
+    certificate: "The active certificate for the subscriber.",
+    certificateChain: "The certificate chain of the active certificate for the subscriber.",
+    privateKey: "The private key of the active certificate for the subscriber.",
+    serialNumber: "The serial number of the active certificate for the subscriber."
+  },
   CREATE: {
     projectId: "The ID of the project to create the PKI subscriber in.",
     caId: "The ID of the CA that will issue certificates for the PKI subscriber.",
@@ -1750,7 +1814,9 @@ export const PKI_SUBSCRIBERS = {
     subjectAlternativeNames:
       "A list of Subject Alternative Names (SANs) to be used on certificates issued for this subscriber; these can be host names or email addresses.",
     keyUsages: "The key usage extension to be used on certificates issued for this subscriber.",
-    extendedKeyUsages: "The extended key usage extension to be used on certificates issued for this subscriber."
+    extendedKeyUsages: "The extended key usage extension to be used on certificates issued for this subscriber.",
+    enableAutoRenewal: "Whether or not to enable auto renewal for the PKI subscriber.",
+    autoRenewalPeriodInDays: "The period in days to auto renew the PKI subscriber's certificates."
   },
   UPDATE: {
     projectId: "The ID of the project to update the PKI subscriber in.",
@@ -1764,7 +1830,9 @@ export const PKI_SUBSCRIBERS = {
       "A comma-delimited list of Subject Alternative Names (SANs) to be used on certificates issued for this subscriber; these can be host names or email addresses.",
     keyUsages: "The key usage extension to be used on certificates issued for this subscriber to update to.",
     extendedKeyUsages:
-      "The extended key usage extension to be used on certificates issued for this subscriber to update to."
+      "The extended key usage extension to be used on certificates issued for this subscriber to update to.",
+    enableAutoRenewal: "Whether or not to enable auto renewal for the PKI subscriber.",
+    autoRenewalPeriodInDays: "The period in days to auto renew the PKI subscriber's certificates."
   },
   DELETE: {
     subscriberName: "The name of the PKI subscriber to delete.",
@@ -1953,6 +2021,47 @@ export const ProjectTemplates = {
   }
 };
 
+export const CertificateAuthorities = {
+  CREATE: (type: CaType) => ({
+    name: `The name of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority to create. Must be slug-friendly.`,
+    projectId: `The ID of the project to create the Certificate Authority in.`,
+    enableDirectIssuance: `Whether or not to enable direct issuance of certificates for the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority.`,
+    status: `The status of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority.`
+  }),
+  UPDATE: (type: CaType) => ({
+    caId: `The ID of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority to update.`,
+    projectId: `The ID of the project to update the Certificate Authority in.`,
+    name: `The updated name of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority. Must be slug-friendly.`,
+    enableDirectIssuance: `Whether or not to enable direct issuance of certificates for the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority.`,
+    status: `The updated status of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority.`
+  }),
+  CONFIGURATIONS: {
+    ACME: {
+      dnsAppConnectionId: `The ID of the App Connection to use for creating and managing DNS TXT records required for ACME domain validation. This connection must have permissions to create and delete TXT records in your DNS provider (e.g., Route53) for the ACME challenge process.`,
+      directoryUrl: `The directory URL for the ACME Certificate Authority.`,
+      accountEmail: `The email address for the ACME Certificate Authority.`,
+      provider: `The DNS provider for the ACME Certificate Authority.`,
+      hostedZoneId: `The hosted zone ID for the ACME Certificate Authority.`
+    },
+    INTERNAL: {
+      type: "The type of CA to create.",
+      friendlyName: "A friendly name for the CA.",
+      organization: "The organization (O) for the CA.",
+      ou: "The organization unit (OU) for the CA.",
+      country: "The country name (C) for the CA.",
+      province: "The state of province name for the CA.",
+      locality: "The locality name for the CA.",
+      commonName: "The common name (CN) for the CA.",
+      notBefore: "The date and time when the CA becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format.",
+      notAfter: "The date and time when the CA expires in YYYY-MM-DDTHH:mm:ss.sssZ format.",
+      maxPathLength:
+        "The maximum number of intermediate CAs that may follow this CA in the certificate / CA chain. A maxPathLength of -1 implies no path limit on the chain.",
+      keyAlgorithm:
+        "The type of public key algorithm and size, in bits, of the key pair for the CA; when you create an intermediate CA, you must use a key algorithm supported by the parent CA."
+    }
+  }
+};
+
 export const AppConnections = {
   GET_BY_ID: (app: AppConnection) => ({
     connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} Connection to retrieve.`
@@ -2025,7 +2134,7 @@ export const AppConnections = {
     LDAP: {
       provider: "The type of LDAP provider. Determines provider-specific behaviors.",
       url: "The LDAP/LDAPS URL to connect to (e.g., 'ldap://domain-or-ip:389' or 'ldaps://domain-or-ip:636').",
-      dn: "The Distinguished Name (DN) of the principal to bind with (e.g., 'CN=John,CN=Users,DC=example,DC=com').",
+      dn: "The Distinguished Name (DN) or User Principal Name (UPN) of the principal to bind with (e.g., 'CN=John,CN=Users,DC=example,DC=com').",
       password: "The password to bind with for authentication.",
       sslRejectUnauthorized:
         "Whether or not to reject unauthorized SSL certificates (true/false) when using ldaps://. Set to false only in test environments.",
@@ -2046,6 +2155,10 @@ export const AppConnections = {
       region: "The region identifier in Oracle Cloud Infrastructure where the vault is located.",
       fingerprint: "The fingerprint of the public key uploaded to the user's API keys.",
       privateKey: "The private key content in PEM format used to sign API requests."
+    },
+    ONEPASS: {
+      instanceUrl: "The URL of the 1Password Connect Server instance to authenticate with.",
+      apiToken: "The API token used to access the 1Password Connect Server."
     }
   }
 };
@@ -2109,6 +2222,7 @@ export const SecretSyncs = {
     const destinationName = SECRET_SYNC_NAME_MAP[destination];
     return {
       initialSyncBehavior: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`,
+      keySchema: `Specify the format to use for structuring secret keys in the ${destinationName} destination.`,
       disableSecretDeletion: `Enable this flag to prevent removal of secrets from the ${destinationName} destination when syncing.`
     };
   },
@@ -2198,6 +2312,9 @@ export const SecretSyncs = {
       compartmentOcid: "The OCID (Oracle Cloud Identifier) of the compartment where the vault is located.",
       vaultOcid: "The OCID (Oracle Cloud Identifier) of the vault to sync secrets to.",
       keyOcid: "The OCID (Oracle Cloud Identifier) of the encryption key to use when creating secrets in the vault."
+    },
+    ONEPASS: {
+      vaultId: "The ID of the 1Password vault to sync secrets to."
     }
   }
 };
@@ -2269,7 +2386,10 @@ export const SecretRotations = {
       clientId: "The client ID of the Azure Application to rotate the client secret for."
     },
     LDAP_PASSWORD: {
-      dn: "The Distinguished Name (DN) of the principal to rotate the password for."
+      dn: "The Distinguished Name (DN) or User Principal Name (UPN) of the principal to rotate the password for.",
+      rotationMethod:
+        'Whether the rotation should be performed by the LDAP "connection-principal" or the "target-principal" (defaults to \'connection-principal\').',
+      password: 'The password of the provided principal if "parameters.rotationMethod" is set to "target-principal".'
     },
     GENERAL: {
       PASSWORD_REQUIREMENTS: {
@@ -2303,7 +2423,7 @@ export const SecretRotations = {
       clientSecret: "The name of the secret that the rotated client secret will be mapped to."
     },
     LDAP_PASSWORD: {
-      dn: "The name of the secret that the Distinguished Name (DN) of the principal will be mapped to.",
+      dn: "The name of the secret that the Distinguished Name (DN) or User Principal Name (UPN) of the principal will be mapped to.",
       password: "The name of the secret that the rotated password will be mapped to."
     },
     AWS_IAM_USER_SECRET: {

backend/src/lib/config/env.ts

@@ -30,7 +30,19 @@ const envSchema = z
       .enum(["true", "false"])
       .default("false")
       .transform((el) => el === "true"),
-    REDIS_URL: zpStr(z.string()),
+    REDIS_URL: zpStr(z.string().optional()),
+    REDIS_SENTINEL_HOSTS: zpStr(
+      z
+        .string()
+        .optional()
+        .describe("Comma-separated list of Sentinel host:port pairs. Eg: 192.168.65.254:26379,192.168.65.254:26380")
+    ),
+    REDIS_SENTINEL_MASTER_NAME: zpStr(
+      z.string().optional().default("mymaster").describe("The name of the Redis master set monitored by Sentinel")
+    ),
+    REDIS_SENTINEL_ENABLE_TLS: zodStrBool.optional().describe("Whether to use TLS/SSL for Redis Sentinel connection"),
+    REDIS_SENTINEL_USERNAME: zpStr(z.string().optional().describe("Authentication username for Redis Sentinel")),
+    REDIS_SENTINEL_PASSWORD: zpStr(z.string().optional().describe("Authentication password for Redis Sentinel")),
     HOST: zpStr(z.string().default("localhost")),
     DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
       `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
@@ -69,6 +81,9 @@ const envSchema = z
     SMTP_PASSWORD: zpStr(z.string().optional()),
     SMTP_FROM_ADDRESS: zpStr(z.string().optional()),
     SMTP_FROM_NAME: zpStr(z.string().optional().default("Infisical")),
+    SMTP_CUSTOM_CA_CERT: zpStr(
+      z.string().optional().describe("Base64 encoded custom CA certificate PEM(s) for the SMTP server")
+    ),
     COOKIE_SECRET_SIGN_KEY: z
       .string()
       .min(32)
@@ -230,7 +245,6 @@ const envSchema = z
     DATADOG_HOSTNAME: zpStr(z.string().optional()),
 
     /* CORS ----------------------------------------------------------------------------- */
-
     CORS_ALLOWED_ORIGINS: zpStr(
       z
         .string()
@@ -240,7 +254,6 @@ const envSchema = z
           return JSON.parse(val) as string[];
         })
     ),
-
     CORS_ALLOWED_HEADERS: zpStr(
       z
         .string()
@@ -249,33 +262,44 @@ const envSchema = z
           if (!val) return undefined;
           return JSON.parse(val) as string[];
         })
-    )
+    ),
+
+    /* INTERNAL ----------------------------------------------------------------------------- */
+    INTERNAL_REGION: zpStr(z.enum(["us", "eu"]).optional())
   })
   // To ensure that basic encryption is always possible.
   .refine(
     (data) => Boolean(data.ENCRYPTION_KEY) || Boolean(data.ROOT_ENCRYPTION_KEY),
     "Either ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY must be defined."
   )
+  .refine(
+    (data) => Boolean(data.REDIS_URL) || Boolean(data.REDIS_SENTINEL_HOSTS),
+    "Either REDIS_URL or REDIS_SENTINEL_HOSTS must be defined."
+  )
   .transform((data) => ({
     ...data,
-
     DB_READ_REPLICAS: data.DB_READ_REPLICAS
       ? databaseReadReplicaSchema.parse(JSON.parse(data.DB_READ_REPLICAS))
       : undefined,
     isCloud: Boolean(data.LICENSE_SERVER_KEY),
     isSmtpConfigured: Boolean(data.SMTP_HOST),
-    isRedisConfigured: Boolean(data.REDIS_URL),
+    isRedisConfigured: Boolean(data.REDIS_URL || data.REDIS_SENTINEL_HOSTS),
     isDevelopmentMode: data.NODE_ENV === "development",
     isRotationDevelopmentMode: data.NODE_ENV === "development" && data.ROTATION_DEVELOPMENT_MODE,
     isProductionMode: data.NODE_ENV === "production" || IS_PACKAGED,
-
+    isRedisSentinelMode: Boolean(data.REDIS_SENTINEL_HOSTS),
+    REDIS_SENTINEL_HOSTS: data.REDIS_SENTINEL_HOSTS?.trim()
+      ?.split(",")
+      .map((el) => {
+        const [host, port] = el.trim().split(":");
+        return { host: host.trim(), port: Number(port.trim()) };
+      }),
     isSecretScanningConfigured:
       Boolean(data.SECRET_SCANNING_GIT_APP_ID) &&
       Boolean(data.SECRET_SCANNING_PRIVATE_KEY) &&
       Boolean(data.SECRET_SCANNING_WEBHOOK_SECRET),
     isHsmConfigured:
       Boolean(data.HSM_LIB_PATH) && Boolean(data.HSM_PIN) && Boolean(data.HSM_KEY_LABEL) && data.HSM_SLOT !== undefined,
-
     samlDefaultOrgSlug: data.DEFAULT_SAML_ORG_SLUG,
     SECRET_SCANNING_ORG_WHITELIST: data.SECRET_SCANNING_ORG_WHITELIST?.split(",")
   }));
@@ -298,6 +322,17 @@ export const initEnvConfig = (logger?: CustomLogger) => {
 };
 
 export const formatSmtpConfig = () => {
+  const tlsOptions: {
+    rejectUnauthorized: boolean;
+    ca?: string | string[];
+  } = {
+    rejectUnauthorized: envCfg.SMTP_TLS_REJECT_UNAUTHORIZED
+  };
+
+  if (envCfg.SMTP_CUSTOM_CA_CERT) {
+    tlsOptions.ca = Buffer.from(envCfg.SMTP_CUSTOM_CA_CERT, "base64").toString("utf-8");
+  }
+
   return {
     host: envCfg.SMTP_HOST,
     port: envCfg.SMTP_PORT,
@@ -309,8 +344,6 @@ export const formatSmtpConfig = () => {
     from: `"${envCfg.SMTP_FROM_NAME}" <${envCfg.SMTP_FROM_ADDRESS}>`,
     ignoreTLS: envCfg.SMTP_IGNORE_TLS,
     requireTLS: envCfg.SMTP_REQUIRE_TLS,
-    tls: {
-      rejectUnauthorized: envCfg.SMTP_TLS_REJECT_UNAUTHORIZED
-    }
+    tls: tlsOptions
   };
 };

backend/src/lib/config/redis.ts

@@ -0,0 +1,24 @@
+import { Redis } from "ioredis";
+
+export type TRedisConfigKeys = Partial<{
+  REDIS_URL: string;
+  REDIS_SENTINEL_HOSTS: { host: string; port: number }[];
+  REDIS_SENTINEL_MASTER_NAME: string;
+  REDIS_SENTINEL_ENABLE_TLS: boolean;
+  REDIS_SENTINEL_USERNAME: string;
+  REDIS_SENTINEL_PASSWORD: string;
+}>;
+
+export const buildRedisFromConfig = (cfg: TRedisConfigKeys) => {
+  if (cfg.REDIS_URL) return new Redis(cfg.REDIS_URL, { maxRetriesPerRequest: null });
+
+  return new Redis({
+    // refine at tope will catch this case
+    sentinels: cfg.REDIS_SENTINEL_HOSTS!,
+    name: cfg.REDIS_SENTINEL_MASTER_NAME!,
+    maxRetriesPerRequest: null,
+    sentinelUsername: cfg.REDIS_SENTINEL_USERNAME,
+    sentinelPassword: cfg.REDIS_SENTINEL_PASSWORD,
+    enableTLSForSentinelMode: cfg.REDIS_SENTINEL_ENABLE_TLS
+  });
+};

backend/src/lib/gateway/index.ts

@@ -3,6 +3,7 @@ import crypto from "node:crypto";
 import net from "node:net";
 
 import quicDefault, * as quicModule from "@infisical/quic";
+import axios from "axios";
 
 import { BadRequestError } from "../errors";
 import { logger } from "../logger";
@@ -174,6 +175,8 @@ const setupProxyServer = async ({
   return new Promise((resolve, reject) => {
     const server = net.createServer();
 
+    let streamClosed = false;
+
     // eslint-disable-next-line @typescript-eslint/no-misused-promises
     server.on("connection", async (clientConn) => {
       try {
@@ -202,9 +205,15 @@ const setupProxyServer = async ({
 
             // Handle client connection close
             clientConn.on("end", () => {
-              writer.close().catch((err) => {
-                logger.error(err);
-              });
+              if (!streamClosed) {
+                try {
+                  writer.close().catch((err) => {
+                    logger.debug(err, "Error closing writer (already closed)");
+                  });
+                } catch (error) {
+                  logger.debug(error, "Error in writer close");
+                }
+              }
             });
 
             clientConn.on("error", (clientConnErr) => {
@@ -249,14 +258,29 @@ const setupProxyServer = async ({
         setupCopy();
         // Handle connection closure
         clientConn.on("close", () => {
-          stream.destroy().catch((err) => {
-            proxyErrorMsg.push((err as Error)?.message);
-          });
+          if (!streamClosed) {
+            streamClosed = true;
+            stream.destroy().catch((err) => {
+              logger.debug(err, "Stream already destroyed during close event");
+            });
+          }
         });
 
         const cleanup = async () => {
-          clientConn?.destroy();
-          await stream.destroy();
+          try {
+            clientConn?.destroy();
+          } catch (err) {
+            logger.debug(err, "Error destroying client connection");
+          }
+
+          if (!streamClosed) {
+            streamClosed = true;
+            try {
+              await stream.destroy();
+            } catch (err) {
+              logger.debug(err, "Error destroying stream (might be already closed)");
+            }
+          }
         };
 
         clientConn.on("error", (clientConnErr) => {
@@ -301,8 +325,17 @@ const setupProxyServer = async ({
         server,
         port: address.port,
         cleanup: async () => {
-          server.close();
-          await quicClient?.destroy();
+          try {
+            server.close();
+          } catch (err) {
+            logger.debug(err, "Error closing server");
+          }
+
+          try {
+            await quicClient?.destroy();
+          } catch (err) {
+            logger.debug(err, "Error destroying QUIC client");
+          }
         },
         getProxyError: () => proxyErrorMsg.join(",")
       });
@@ -320,10 +353,10 @@ interface ProxyOptions {
   orgId: string;
 }
 
-export const withGatewayProxy = async (
-  callback: (port: number) => Promise<void>,
+export const withGatewayProxy = async <T>(
+  callback: (port: number) => Promise<T>,
   options: ProxyOptions
-): Promise<void> => {
+): Promise<T> => {
   const { relayHost, relayPort, targetHost, targetPort, tlsOptions, identityId, orgId } = options;
 
   // Setup the proxy server
@@ -339,14 +372,19 @@ export const withGatewayProxy = async (
 
   try {
     // Execute the callback with the allocated port
-    await callback(port);
+    return await callback(port);
   } catch (err) {
     const proxyErrorMessage = getProxyError();
     if (proxyErrorMessage) {
       logger.error(new Error(proxyErrorMessage), "Failed to proxy");
     }
     logger.error(err, "Failed to do gateway");
-    throw new BadRequestError({ message: proxyErrorMessage || (err as Error)?.message });
+    let errorMessage = proxyErrorMessage || (err as Error)?.message;
+    if (axios.isAxiosError(err) && (err.response?.data as { message?: string })?.message) {
+      errorMessage = (err.response?.data as { message: string }).message;
+    }
+
+    throw new BadRequestError({ message: errorMessage });
   } finally {
     // Ensure cleanup happens regardless of success or failure
     await cleanup();