Update parseEnvVar.ts

misc: add ssl setting for pg boss

.env.example

@@ -74,7 +74,17 @@ CAPTCHA_SECRET=
 
 NEXT_PUBLIC_CAPTCHA_SITE_KEY=
 
+OTEL_TELEMETRY_COLLECTION_ENABLED=false
+OTEL_EXPORT_TYPE=prometheus
+OTEL_EXPORT_OTLP_ENDPOINT=
+OTEL_OTLP_PUSH_INTERVAL=
+
+OTEL_COLLECTOR_BASIC_AUTH_USERNAME=
+OTEL_COLLECTOR_BASIC_AUTH_PASSWORD=
+
 PLAIN_API_KEY=
 PLAIN_WISH_LABEL_IDS=
 
 SSL_CLIENT_CERTIFICATE_HEADER_KEY=
+
+ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=true

.github/workflows/deployment-pipeline.yml

@@ -170,6 +170,12 @@ jobs:
         - uses: twingate/github-action@v1
           with:
             service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
+        - name: Configure AWS Credentials 
+          uses: aws-actions/configure-aws-credentials@v4
+          with:
+            audience: sts.amazonaws.com
+            aws-region: eu-central-1
+            role-to-assume: arn:aws:iam::345594589636:role/gha-make-prod-deployment
         - name: Checkout code
           uses: actions/checkout@v2
         - name: Setup Node.js environment
@@ -183,12 +189,6 @@ jobs:
             cd backend
             npm install
             npm run migration:latest
-        - name: Configure AWS Credentials 
-          uses: aws-actions/configure-aws-credentials@v4
-          with:
-            audience: sts.eu-central-1.amazonaws.com
-            aws-region: eu-central-1
-            role-to-assume: arn:aws:iam::345594589636:role/gha-make-prod-deployment
         - name: Save commit hashes for tag
           id: commit
           uses: pr-mpt/actions-commit-hash@v2

.github/workflows/release-standalone-docker-img-postgres-offical.yml

@@ -1,62 +1,115 @@
 name: Release standalone docker image
 on:
-  push:
-    tags:
-      - "infisical/v*.*.*-postgres"
+    push:
+        tags:
+            - "infisical/v*.*.*-postgres"
 
 jobs:
-  infisical-tests:
-    name: Run tests before deployment
-    # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
-    uses: ./.github/workflows/run-backend-tests.yml
-  infisical-standalone:
-    name: Build infisical standalone image postgres
-    runs-on: ubuntu-latest
-    needs: [infisical-tests]
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      - name: version output
-        run: |
-          echo "Output Value: ${{ steps.version.outputs.major }}"
-          echo "Output Value: ${{ steps.version.outputs.minor }}"
-          echo "Output Value: ${{ steps.version.outputs.patch }}"
-          echo "Output Value: ${{ steps.version.outputs.version }}"
-          echo "Output Value: ${{ steps.version.outputs.version_type }}"
-          echo "Output Value: ${{ steps.version.outputs.increment }}"
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          tags: |
-            infisical/infisical:latest-postgres
-            infisical/infisical:${{ steps.commit.outputs.short }}
-            infisical/infisical:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-          file: Dockerfile.standalone-infisical
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+    infisical-tests:
+        name: Run tests before deployment
+        # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
+        uses: ./.github/workflows/run-backend-tests.yml
+
+    infisical-standalone:
+        name: Build infisical standalone image postgres
+        runs-on: ubuntu-latest
+        needs: [infisical-tests]
+        steps:
+            - name: Extract version from tag
+              id: extract_version
+              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+            - name: ☁️ Checkout source
+              uses: actions/checkout@v3
+              with:
+                  fetch-depth: 0
+            - name: 📦 Install dependencies to test all dependencies
+              run: npm ci --only-production
+              working-directory: backend
+            - name: version output
+              run: |
+                  echo "Output Value: ${{ steps.version.outputs.major }}"
+                  echo "Output Value: ${{ steps.version.outputs.minor }}"
+                  echo "Output Value: ${{ steps.version.outputs.patch }}"
+                  echo "Output Value: ${{ steps.version.outputs.version }}"
+                  echo "Output Value: ${{ steps.version.outputs.version_type }}"
+                  echo "Output Value: ${{ steps.version.outputs.increment }}"
+            - name: Save commit hashes for tag
+              id: commit
+              uses: pr-mpt/actions-commit-hash@v2
+            - name: 🔧 Set up Docker Buildx
+              uses: docker/setup-buildx-action@v2
+            - name: 🐋 Login to Docker Hub
+              uses: docker/login-action@v2
+              with:
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+            - name: Set up Depot CLI
+              uses: depot/setup-action@v1
+            - name: 📦 Build backend and export to Docker
+              uses: depot/build-push-action@v1
+              with:
+                  project: 64mmf0n610
+                  token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+                  push: true
+                  context: .
+                  tags: |
+                      infisical/infisical:latest-postgres
+                      infisical/infisical:${{ steps.commit.outputs.short }}
+                      infisical/infisical:${{ steps.extract_version.outputs.version }}
+                  platforms: linux/amd64,linux/arm64
+                  file: Dockerfile.standalone-infisical
+                  build-args: |
+                      POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+                      INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+
+    infisical-fips-standalone:
+        name: Build infisical standalone image postgres
+        runs-on: ubuntu-latest
+        needs: [infisical-tests]
+        steps:
+            - name: Extract version from tag
+              id: extract_version
+              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+            - name: ☁️ Checkout source
+              uses: actions/checkout@v3
+              with:
+                  fetch-depth: 0
+            - name: 📦 Install dependencies to test all dependencies
+              run: npm ci --only-production
+              working-directory: backend
+            - name: version output
+              run: |
+                  echo "Output Value: ${{ steps.version.outputs.major }}"
+                  echo "Output Value: ${{ steps.version.outputs.minor }}"
+                  echo "Output Value: ${{ steps.version.outputs.patch }}"
+                  echo "Output Value: ${{ steps.version.outputs.version }}"
+                  echo "Output Value: ${{ steps.version.outputs.version_type }}"
+                  echo "Output Value: ${{ steps.version.outputs.increment }}"
+            - name: Save commit hashes for tag
+              id: commit
+              uses: pr-mpt/actions-commit-hash@v2
+            - name: 🔧 Set up Docker Buildx
+              uses: docker/setup-buildx-action@v2
+            - name: 🐋 Login to Docker Hub
+              uses: docker/login-action@v2
+              with:
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+            - name: Set up Depot CLI
+              uses: depot/setup-action@v1
+            - name: 📦 Build backend and export to Docker
+              uses: depot/build-push-action@v1
+              with:
+                  project: 64mmf0n610
+                  token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+                  push: true
+                  context: .
+                  tags: |
+                      infisical/infisical-fips:latest-postgres
+                      infisical/infisical-fips:${{ steps.commit.outputs.short }}
+                      infisical/infisical-fips:${{ steps.extract_version.outputs.version }}
+                  platforms: linux/amd64,linux/arm64
+                  file: Dockerfile.fips.standalone-infisical
+                  build-args: |
+                      POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+                      INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}

.github/workflows/release_build_infisical_cli.yml

@@ -10,8 +10,7 @@ on:
 
 permissions:
     contents: write
-    # packages: write
-    # issues: write
+
 jobs:
     cli-integration-tests:
         name: Run tests before deployment
@@ -26,6 +25,63 @@ jobs:
             CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
             CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
 
+    npm-release:
+        runs-on: ubuntu-20.04
+        env:
+            working-directory: ./npm
+        needs:
+            - cli-integration-tests
+            - goreleaser
+        steps:
+            - uses: actions/checkout@v3
+              with:
+                  fetch-depth: 0
+
+            - name: Extract version
+              run: |
+                  VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
+                  echo "Version extracted: $VERSION"
+                  echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
+
+            - name: Print version
+              run: echo ${{ env.CLI_VERSION }}
+
+            - name: Setup Node
+              uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+              with:
+                  node-version: 20
+                  cache: "npm"
+                  cache-dependency-path: ./npm/package-lock.json
+            - name: Install dependencies
+              working-directory: ${{ env.working-directory }}
+              run: npm install --ignore-scripts
+
+            - name: Set NPM version
+              working-directory: ${{ env.working-directory }}
+              run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
+
+            - name: Setup NPM
+              working-directory: ${{ env.working-directory }}
+              run: |
+                  echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
+                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
+
+                  echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
+                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
+              env:
+                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+            - name: Pack NPM
+              working-directory: ${{ env.working-directory }}
+              run: npm pack
+
+            - name: Publish NPM
+              working-directory: ${{ env.working-directory }}
+              run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
+              env:
+                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
     goreleaser:
         runs-on: ubuntu-20.04
         needs: [cli-integration-tests]

.gitignore

@@ -71,3 +71,5 @@ frontend-build
 cli/infisical-merge
 cli/test/infisical-merge
 /backend/binary
+
+/npm/bin

.husky/pre-commit

@@ -1,6 +1,12 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"
 
+# Check if infisical is installed
+if ! command -v infisical >/dev/null 2>&1; then
+    echo "\nError: Infisical CLI is not installed. Please install the Infisical CLI before comitting.\n You can refer to the documentation at https://infisical.com/docs/cli/overview\n\n"
+    exit 1
+fi
+
 npx lint-staged
 
 infisical scan git-changes --staged -v

.infisicalignore

@@ -6,3 +6,4 @@ frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/S
 docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
 docs/mint.json:generic-api-key:651
+backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134

Dockerfile.fips.standalone-infisical

@@ -0,0 +1,194 @@
+ARG POSTHOG_HOST=https://app.posthog.com
+ARG POSTHOG_API_KEY=posthog-api-key
+ARG INTERCOM_ID=intercom-id
+ARG CAPTCHA_SITE_KEY=captcha-site-key
+
+FROM node:20-slim AS base
+
+FROM base AS frontend-dependencies
+WORKDIR /app
+
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+
+# Install dependencies
+RUN npm ci --only-production --ignore-scripts
+
+# Rebuild the source code only when needed
+FROM base AS frontend-builder
+WORKDIR /app
+
+# Copy dependencies
+COPY --from=frontend-dependencies /app/node_modules ./node_modules
+# Copy all files 
+COPY /frontend .
+
+ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
+ARG POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
+ARG INFISICAL_PLATFORM_VERSION
+ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ARG CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+
+# Build
+RUN npm run build
+
+# Production image
+FROM base AS frontend-runner
+WORKDIR /app
+
+RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
+
+RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown non-root-user:nodejs ./public/data
+
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
+
+USER non-root-user
+
+ENV NEXT_TELEMETRY_DISABLED 1
+
+##
+## BACKEND
+##
+FROM base AS backend-build
+
+ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
+
+RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
+
+WORKDIR /app
+
+# Required for pkcs11js and ODBC
+RUN apt-get update && apt-get install -y \
+    python3 \
+    make \
+    g++ \
+    unixodbc \
+    unixodbc-dev \
+    freetds-dev \
+    freetds-bin \
+    tdsodbc \
+    && rm -rf /var/lib/apt/lists/*
+
+# Configure ODBC
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+COPY backend/package*.json ./
+RUN npm ci --only-production
+
+COPY /backend .
+COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
+RUN npm i -D tsconfig-paths
+RUN npm run build
+
+# Production stage
+FROM base AS backend-runner
+
+ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
+
+WORKDIR /app
+
+# Required for pkcs11js and ODBC
+RUN apt-get update && apt-get install -y \
+    python3 \
+    make \
+    g++ \
+    unixodbc \
+    unixodbc-dev \
+    freetds-dev \
+    freetds-bin \
+    tdsodbc \
+    && rm -rf /var/lib/apt/lists/*
+
+# Configure ODBC
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+COPY backend/package*.json ./
+RUN npm ci --only-production
+
+COPY --from=backend-build /app .
+
+RUN mkdir frontend-build
+
+# Production stage
+FROM base AS production
+
+# Install necessary packages including ODBC
+RUN apt-get update && apt-get install -y \
+    ca-certificates \
+    curl \
+    git \
+    python3 \
+    make \
+    g++ \
+    unixodbc \
+    unixodbc-dev \
+    freetds-dev \
+    freetds-bin \
+    tdsodbc \
+    && rm -rf /var/lib/apt/lists/*
+
+# Configure ODBC in production
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
+    && apt-get update && apt-get install -y infisical=0.31.1 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
+
+# Give non-root-user permission to update SSL certs
+RUN chown -R non-root-user /etc/ssl/certs
+RUN chown non-root-user /etc/ssl/certs/ca-certificates.crt
+RUN chmod -R u+rwx /etc/ssl/certs
+RUN chmod u+rw /etc/ssl/certs/ca-certificates.crt
+RUN chown non-root-user /usr/sbin/update-ca-certificates
+RUN chmod u+rx /usr/sbin/update-ca-certificates
+
+## set pre baked keys
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+    BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ARG INTERCOM_ID=intercom-id
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
+ARG CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+    BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+
+WORKDIR / 
+
+COPY --from=backend-runner /app /backend
+
+COPY --from=frontend-runner /app ./backend/frontend-build
+
+ENV PORT 8080
+ENV HOST=0.0.0.0
+ENV HTTPS_ENABLED false 
+ENV NODE_ENV production
+ENV STANDALONE_BUILD true 
+ENV STANDALONE_MODE true
+ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
+
+WORKDIR /backend
+
+ENV TELEMETRY_ENABLED true
+
+EXPOSE 8080
+EXPOSE 443
+
+USER non-root-user
+
+CMD ["./standalone-entrypoint.sh"]

Dockerfile.standalone-infisical

@@ -72,6 +72,17 @@ RUN addgroup --system --gid 1001 nodejs \
 
 WORKDIR /app
 
+# Install all required dependencies for build
+RUN apk --update add \
+    python3 \
+    make \
+    g++ \
+    unixodbc \
+    freetds \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev
+
 COPY backend/package*.json ./
 RUN npm ci --only-production
 
@@ -85,6 +96,20 @@ FROM base AS backend-runner
 
 WORKDIR /app
 
+# Install all required dependencies for runtime
+RUN apk --update add \
+    python3 \
+    make \
+    g++ \
+    unixodbc \
+    freetds \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev
+
+# Configure ODBC
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
 COPY backend/package*.json ./
 RUN npm ci --only-production
 
@@ -94,11 +119,32 @@ RUN mkdir frontend-build
 
 # Production stage
 FROM base AS production
+
 RUN apk add --upgrade --no-cache ca-certificates
 RUN apk add --no-cache bash curl && curl -1sLf \
   'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
   && apk add infisical=0.31.1 && apk add --no-cache git
 
+WORKDIR /
+
+# Install all required runtime dependencies
+RUN apk --update add \
+    python3 \
+    make \
+    g++ \
+    unixodbc \
+    freetds \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev \
+    bash \
+    curl \
+    git
+
+# Configure ODBC in production
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+# Setup user permissions
 RUN addgroup --system --gid 1001 nodejs \
   && adduser --system --uid 1001 non-root-user
 
@@ -121,7 +167,6 @@ ARG CAPTCHA_SITE_KEY
 ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
   BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
-WORKDIR / 
 
 COPY --from=backend-runner /app /backend
 
@@ -143,4 +188,4 @@ EXPOSE 443
 
 USER non-root-user
 
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]

Makefile

@@ -10,6 +10,9 @@ up-dev:
 up-dev-ldap:
 	docker compose -f docker-compose.dev.yml --profile ldap up --build
 
+up-dev-metrics:
+	docker compose -f docker-compose.dev.yml --profile metrics up --build
+
 up-prod:
 	docker-compose -f docker-compose.prod.yml up --build
 
@@ -27,4 +30,3 @@ reviewable-api:
 	npm run type:check
 
 reviewable: reviewable-ui reviewable-api
-

README.md

@@ -14,15 +14,6 @@
   <a href="https://infisical.com/careers">Hiring (Remote/SF)</a>
 </h4>
 
-<p align="center">
-  <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2">
-    <img src=".github/images/deploy-to-aws.png" width="137" />
-  </a>
-  <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean">
-     <img width="200" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/>
-  </a>
-</p>
-
 <h4 align="center">
   <a href="https://github.com/Infisical/infisical/blob/main/LICENSE">
     <img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="Infisical is released under the MIT license." />

backend/Dockerfile

@@ -3,6 +3,21 @@ FROM node:20-alpine AS build
 
 WORKDIR /app
 
+# Required for pkcs11js
+RUN apk --update add \
+        python3 \
+        make \
+        g++
+
+# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apk add --no-cache \
+    unixodbc \
+    freetds \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev
+
+
 COPY package*.json ./
 RUN npm ci --only-production
 
@@ -11,12 +26,28 @@ RUN npm run build
 
 # Production stage
 FROM node:20-alpine
-
 WORKDIR /app
 
 ENV npm_config_cache /home/node/.npm
 
 COPY package*.json ./
+
+RUN apk --update add \
+        python3 \
+        make \
+        g++
+
+# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apk add --no-cache \
+    unixodbc \
+    freetds \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev
+
+
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
 RUN npm ci --only-production && npm cache clean --force
 
 COPY --from=build /app .

backend/Dockerfile.dev

@@ -1,5 +1,56 @@
 FROM node:20-alpine
 
+# ? Setup a test SoftHSM module. In production a real HSM is used.
+
+ARG SOFTHSM2_VERSION=2.5.0
+
+ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
+    SOFTHSM2_SOURCES=/tmp/softhsm2
+
+# install build dependencies including python3 (required for pkcs11js and partially TDS driver)
+RUN apk --update add \
+        alpine-sdk \
+        autoconf \
+        automake \
+        git \
+        libtool \
+        openssl-dev \
+        python3 \
+        make \
+        g++
+
+# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apk add --no-cache \
+    unixodbc \
+    freetds \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev
+
+
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+# build and install SoftHSM2
+
+RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
+WORKDIR ${SOFTHSM2_SOURCES}
+
+RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
+    && sh autogen.sh \
+    && ./configure --prefix=/usr/local --disable-gost \
+    && make \
+    && make install
+
+WORKDIR /root
+RUN rm -fr ${SOFTHSM2_SOURCES}
+
+# install pkcs11-tool
+RUN apk --update add opensc
+
+RUN softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
+
+# ? App setup
+
 RUN apk add --no-cache bash curl && curl -1sLf \
   'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
   && apk add infisical=0.8.1 && apk add --no-cache git

backend/e2e-test/mocks/queue.ts

@@ -10,12 +10,15 @@ export const mockQueue = (): TQueueServiceFactory => {
     queue: async (name, jobData) => {
       job[name] = jobData;
     },
+    queuePg: async () => {},
+    initialize: async () => {},
     shutdown: async () => undefined,
     stopRepeatableJob: async () => true,
     start: (name, jobFn) => {
       queues[name] = jobFn;
       workers[name] = jobFn;
     },
+    startPg: async () => {},
     listen: (name, event) => {
       events[name] = event;
     },

backend/e2e-test/mocks/smtp.ts

@@ -5,6 +5,9 @@ export const mockSmtpServer = (): TSmtpService => {
   return {
     sendMail: async (data) => {
       storage.push(data);
+    },
+    verify: async () => {
+      return true;
     }
   };
 };

backend/e2e-test/routes/v1/identity.spec.ts

@@ -34,7 +34,7 @@ describe("Identity v1", async () => {
   test("Create identity", async () => {
     const newIdentity = await createIdentity("mac1", OrgMembershipRole.Admin);
     expect(newIdentity.name).toBe("mac1");
-    expect(newIdentity.authMethod).toBeNull();
+    expect(newIdentity.authMethods).toEqual([]);
 
     await deleteIdentity(newIdentity.id);
   });
@@ -42,7 +42,7 @@ describe("Identity v1", async () => {
   test("Update identity", async () => {
     const newIdentity = await createIdentity("mac1", OrgMembershipRole.Admin);
     expect(newIdentity.name).toBe("mac1");
-    expect(newIdentity.authMethod).toBeNull();
+    expect(newIdentity.authMethods).toEqual([]);
 
     const updatedIdentity = await testServer.inject({
       method: "PATCH",

backend/e2e-test/routes/v1/secret-replication.spec.ts

@@ -118,9 +118,9 @@ describe.each([{ secretPath: "/" }, { secretPath: "/deep" }])(
         value: "stage-value"
       });
 
-      // wait for 5 second for  replication to finish
+      // wait for 10 second for  replication to finish
       await new Promise((resolve) => {
-        setTimeout(resolve, 5000); // time to breathe for db
+        setTimeout(resolve, 10000); // time to breathe for db
       });
 
       const secret = await getSecretByNameV2({
@@ -173,9 +173,9 @@ describe.each([{ secretPath: "/" }, { secretPath: "/deep" }])(
         value: "prod-value"
       });
 
-      // wait for 5 second for  replication to finish
+      // wait for 10 second for  replication to finish
       await new Promise((resolve) => {
-        setTimeout(resolve, 5000); // time to breathe for db
+        setTimeout(resolve, 10000); // time to breathe for db
       });
 
       const secret = await getSecretByNameV2({
@@ -343,9 +343,9 @@ describe.each([{ path: "/" }, { path: "/deep" }])(
         value: "prod-value"
       });
 
-      // wait for 5 second for  replication to finish
+      // wait for 10 second for  replication to finish
       await new Promise((resolve) => {
-        setTimeout(resolve, 5000); // time to breathe for db
+        setTimeout(resolve, 10000); // time to breathe for db
       });
 
       const secret = await getSecretByNameV2({

backend/e2e-test/routes/v3/secret-recursive.spec.ts

@@ -0,0 +1,86 @@
+import { createFolder, deleteFolder } from "e2e-test/testUtils/folders";
+import { createSecretV2, deleteSecretV2, getSecretsV2 } from "e2e-test/testUtils/secrets";
+
+import { seedData1 } from "@app/db/seed-data";
+
+describe("Secret Recursive Testing", async () => {
+  const projectId = seedData1.projectV3.id;
+  const folderAndSecretNames = [
+    { name: "deep1", path: "/", expectedSecretCount: 4 },
+    { name: "deep21", path: "/deep1", expectedSecretCount: 2 },
+    { name: "deep3", path: "/deep1/deep2", expectedSecretCount: 1 },
+    { name: "deep22", path: "/deep2", expectedSecretCount: 1 }
+  ];
+
+  beforeAll(async () => {
+    const rootFolderIds: string[] = [];
+    for (const folder of folderAndSecretNames) {
+      // eslint-disable-next-line no-await-in-loop
+      const createdFolder = await createFolder({
+        authToken: jwtAuthToken,
+        environmentSlug: "prod",
+        workspaceId: projectId,
+        secretPath: folder.path,
+        name: folder.name
+      });
+
+      if (folder.path === "/") {
+        rootFolderIds.push(createdFolder.id);
+      }
+      // eslint-disable-next-line no-await-in-loop
+      await createSecretV2({
+        secretPath: folder.path,
+        authToken: jwtAuthToken,
+        environmentSlug: "prod",
+        workspaceId: projectId,
+        key: folder.name,
+        value: folder.name
+      });
+    }
+
+    return async () => {
+      await Promise.all(
+        rootFolderIds.map((id) =>
+          deleteFolder({
+            authToken: jwtAuthToken,
+            secretPath: "/",
+            id,
+            workspaceId: projectId,
+            environmentSlug: "prod"
+          })
+        )
+      );
+
+      await deleteSecretV2({
+        authToken: jwtAuthToken,
+        secretPath: "/",
+        workspaceId: projectId,
+        environmentSlug: "prod",
+        key: folderAndSecretNames[0].name
+      });
+    };
+  });
+
+  test.each(folderAndSecretNames)("$path recursive secret fetching", async ({ path, expectedSecretCount }) => {
+    const secrets = await getSecretsV2({
+      authToken: jwtAuthToken,
+      secretPath: path,
+      workspaceId: projectId,
+      environmentSlug: "prod",
+      recursive: true
+    });
+
+    expect(secrets.secrets.length).toEqual(expectedSecretCount);
+    expect(secrets.secrets.sort((a, b) => a.secretKey.localeCompare(b.secretKey))).toEqual(
+      folderAndSecretNames
+        .filter((el) => el.path.startsWith(path))
+        .sort((a, b) => a.name.localeCompare(b.name))
+        .map((el) =>
+          expect.objectContaining({
+            secretKey: el.name,
+            secretValue: el.name
+          })
+        )
+    );
+  });
+});

backend/e2e-test/testUtils/secrets.ts

@@ -97,6 +97,7 @@ export const getSecretsV2 = async (dto: {
   environmentSlug: string;
   secretPath: string;
   authToken: string;
+  recursive?: boolean;
 }) => {
   const getSecretsResponse = await testServer.inject({
     method: "GET",
@@ -109,7 +110,8 @@ export const getSecretsV2 = async (dto: {
       environment: dto.environmentSlug,
       secretPath: dto.secretPath,
       expandSecretReferences: "true",
-      include_imports: "true"
+      include_imports: "true",
+      recursive: String(dto.recursive || false)
     }
   });
   expect(getSecretsResponse.statusCode).toBe(200);

backend/e2e-test/vitest-environment-knex.ts

@@ -16,6 +16,7 @@ import { initDbConnection } from "@app/db";
 import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
 import { Redis } from "ioredis";
+import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -52,9 +53,14 @@ export default {
         extension: "ts"
       });
       const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(cfg.REDIS_URL);
+      const queue = queueServiceFactory(cfg.REDIS_URL, { dbConnectionUrl: cfg.DB_CONNECTION_URI });
       const keyStore = keyStoreFactory(cfg.REDIS_URL);
-      const server = await main({ db, smtp, logger, queue, keyStore });
+
+      const hsmModule = initializeHsmModule();
+      hsmModule.initialize();
+
+      const server = await main({ db, smtp, logger, queue, keyStore, hsmModule: hsmModule.getModule(), redis });
+
       // @ts-expect-error type
       globalThis.testServer = server;
       // @ts-expect-error type

backend/package.json

@@ -44,12 +44,13 @@
     "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
     "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
     "generate:component": "tsx ./scripts/create-backend-file.ts",
-    "generate:schema": "tsx ./scripts/generate-schema-types.ts",
+    "generate:schema": "tsx ./scripts/generate-schema-types.ts && eslint --fix --ext ts ./src/db/schemas",
     "auditlog-migration:latest": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:latest",
     "auditlog-migration:up": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:up",
     "auditlog-migration:down": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:down",
     "auditlog-migration:list": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:list",
     "auditlog-migration:status": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:status",
+    "auditlog-migration:unlock": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:unlock",
     "auditlog-migration:rollback": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:rollback",
     "migration:new": "tsx ./scripts/create-migration.ts",
     "migration:up": "npm run auditlog-migration:up && knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
@@ -58,6 +59,7 @@
     "migration:latest": "npm run auditlog-migration:latest && knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
     "migration:status": "npm run auditlog-migration:status && knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
     "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./src/db/knexfile.ts migrate:rollback",
+    "migration:unlock": "npm run auditlog-migration:unlock && knex --knexfile ./src/db/knexfile.ts migrate:unlock",
     "migrate:org": "tsx ./scripts/migrate-organization.ts",
     "seed:new": "tsx ./scripts/create-seed-file.ts",
     "seed": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
@@ -84,6 +86,7 @@
     "@types/passport-google-oauth20": "^2.0.14",
     "@types/pg": "^8.10.9",
     "@types/picomatch": "^2.3.3",
+    "@types/pkcs11js": "^1.0.4",
     "@types/prompt-sync": "^4.2.3",
     "@types/resolve": "^1.20.6",
     "@types/safe-regex": "^1.1.6",
@@ -129,14 +132,25 @@
     "@fastify/multipart": "8.3.0",
     "@fastify/passport": "^2.4.0",
     "@fastify/rate-limit": "^9.0.0",
+    "@fastify/request-context": "^5.1.0",
     "@fastify/session": "^10.7.0",
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
+    "@google-cloud/kms": "^4.5.0",
     "@node-saml/passport-saml": "^4.0.4",
     "@octokit/auth-app": "^7.1.1",
     "@octokit/plugin-retry": "^5.0.5",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",
+    "@octopusdeploy/api-client": "^3.4.1",
+    "@opentelemetry/api": "^1.9.0",
+    "@opentelemetry/auto-instrumentations-node": "^0.53.0",
+    "@opentelemetry/exporter-metrics-otlp-proto": "^0.55.0",
+    "@opentelemetry/exporter-prometheus": "^0.55.0",
+    "@opentelemetry/instrumentation": "^0.55.0",
+    "@opentelemetry/resources": "^1.28.0",
+    "@opentelemetry/sdk-metrics": "^1.28.0",
+    "@opentelemetry/semantic-conventions": "^1.27.0",
     "@peculiar/asn1-schema": "^2.3.8",
     "@peculiar/x509": "^1.12.1",
     "@serdnam/pino-cloudwatch-transport": "^1.0.4",
@@ -156,11 +170,12 @@
     "connect-redis": "^7.1.1",
     "cron": "^3.1.7",
     "dotenv": "^16.4.1",
-    "fastify": "^4.26.0",
+    "fastify": "^4.28.1",
     "fastify-plugin": "^4.5.1",
     "google-auth-library": "^9.9.0",
     "googleapis": "^137.1.0",
     "handlebars": "^4.7.8",
+    "hdb": "^0.19.10",
     "ioredis": "^5.3.2",
     "jmespath": "^0.16.0",
     "jsonwebtoken": "^9.0.2",
@@ -176,17 +191,21 @@
     "mysql2": "^3.9.8",
     "nanoid": "^3.3.4",
     "nodemailer": "^6.9.9",
+    "odbc": "^2.4.9",
     "openid-client": "^5.6.5",
     "ora": "^7.0.1",
     "oracledb": "^6.4.0",
+    "otplib": "^12.0.1",
     "passport-github": "^1.1.0",
     "passport-gitlab2": "^5.0.0",
     "passport-google-oauth20": "^2.0.0",
     "passport-ldapauth": "^3.0.1",
     "pg": "^8.11.3",
+    "pg-boss": "^10.1.5",
     "pg-query-stream": "^4.5.3",
     "picomatch": "^3.0.1",
     "pino": "^8.16.2",
+    "pkcs11js": "^2.1.6",
     "pkijs": "^3.2.4",
     "posthog-node": "^3.6.2",
     "probot": "^13.3.8",
@@ -195,6 +214,7 @@
     "scim2-parse-filter": "^0.2.10",
     "sjcl": "^1.0.8",
     "smee-client": "^2.0.0",
+    "snowflake-sdk": "^1.14.0",
     "tedious": "^18.2.1",
     "tweetnacl": "^1.0.3",
     "tweetnacl-util": "^0.15.1",

backend/scripts/migrate-organization.ts

@@ -8,61 +8,80 @@ const prompt = promptSync({
   sigint: true
 });
 
+const sanitizeInputParam = (value: string) => {
+  // Escape double quotes and wrap the entire value in double quotes
+  if (value) {
+    return `"${value.replace(/"/g, '\\"')}"`;
+  }
+  return '""';
+};
+
 const exportDb = () => {
-  const exportHost = prompt("Enter your Postgres Host to migrate from: ");
-  const exportPort = prompt("Enter your Postgres Port to migrate from [Default = 5432]: ") ?? "5432";
-  const exportUser = prompt("Enter your Postgres User to migrate from: [Default = infisical]: ") ?? "infisical";
-  const exportPassword = prompt("Enter your Postgres Password to migrate from: ");
-  const exportDatabase = prompt("Enter your Postgres Database to migrate from [Default = infisical]: ") ?? "infisical";
+  const exportHost = sanitizeInputParam(prompt("Enter your Postgres Host to migrate from: "));
+  const exportPort = sanitizeInputParam(
+    prompt("Enter your Postgres Port to migrate from [Default = 5432]: ") ?? "5432"
+  );
+  const exportUser = sanitizeInputParam(
+    prompt("Enter your Postgres User to migrate from: [Default = infisical]: ") ?? "infisical"
+  );
+  const exportPassword = sanitizeInputParam(prompt("Enter your Postgres Password to migrate from: "));
+  const exportDatabase = sanitizeInputParam(
+    prompt("Enter your Postgres Database to migrate from [Default = infisical]: ") ?? "infisical"
+  );
 
   // we do not include the audit_log and secret_sharing entries
   execSync(
-    `PGDATABASE="${exportDatabase}" PGPASSWORD="${exportPassword}" PGHOST="${exportHost}" PGPORT=${exportPort} PGUSER=${exportUser} pg_dump infisical --exclude-table-data="secret_sharing" --exclude-table-data="audit_log*" > ${path.join(
+    `PGDATABASE=${exportDatabase} PGPASSWORD=${exportPassword} PGHOST=${exportHost} PGPORT=${exportPort} PGUSER=${exportUser} pg_dump -Fc infisical --exclude-table-data="secret_sharing" --exclude-table-data="audit_log*" > ${path.join(
       __dirname,
-      "../src/db/dump.sql"
+      "../src/db/backup.dump"
     )}`,
     { stdio: "inherit" }
   );
 };
 
 const importDbForOrg = () => {
-  const importHost = prompt("Enter your Postgres Host to migrate to: ");
-  const importPort = prompt("Enter your Postgres Port to migrate to [Default = 5432]: ") ?? "5432";
-  const importUser = prompt("Enter your Postgres User to migrate to: [Default = infisical]: ") ?? "infisical";
-  const importPassword = prompt("Enter your Postgres Password to migrate to: ");
-  const importDatabase = prompt("Enter your Postgres Database to migrate to [Default = infisical]: ") ?? "infisical";
-  const orgId = prompt("Enter the organization ID to migrate: ");
+  const importHost = sanitizeInputParam(prompt("Enter your Postgres Host to migrate to: "));
+  const importPort = sanitizeInputParam(prompt("Enter your Postgres Port to migrate to [Default = 5432]: ") ?? "5432");
+  const importUser = sanitizeInputParam(
+    prompt("Enter your Postgres User to migrate to: [Default = infisical]: ") ?? "infisical"
+  );
+  const importPassword = sanitizeInputParam(prompt("Enter your Postgres Password to migrate to: "));
+  const importDatabase = sanitizeInputParam(
+    prompt("Enter your Postgres Database to migrate to [Default = infisical]: ") ?? "infisical"
+  );
+  const orgId = sanitizeInputParam(prompt("Enter the organization ID to migrate: "));
 
-  if (!existsSync(path.join(__dirname, "../src/db/dump.sql"))) {
+  if (!existsSync(path.join(__dirname, "../src/db/backup.dump"))) {
     console.log("File not found, please export the database first.");
     return;
   }
 
   execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -f ${path.join(
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} pg_restore -d ${importDatabase} --verbose ${path.join(
       __dirname,
-      "../src/db/dump.sql"
-    )}`
+      "../src/db/backup.dump"
+    )}`,
+    { maxBuffer: 1024 * 1024 * 4096 }
   );
 
   execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c "DELETE FROM public.organizations WHERE id != '${orgId}'"`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c "DELETE FROM public.organizations WHERE id != '${orgId}'"`
   );
 
   // delete global/instance-level resources not relevant to the organization to migrate
   // users
   execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM users WHERE users.id NOT IN (SELECT org_memberships."userId" FROM org_memberships)'`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM users WHERE users.id NOT IN (SELECT org_memberships."userId" FROM org_memberships)'`
   );
 
   // identities
   execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM identities WHERE id NOT IN (SELECT "identityId" FROM identity_org_memberships)'`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM identities WHERE id NOT IN (SELECT "identityId" FROM identity_org_memberships)'`
   );
 
   // reset slack configuration in superAdmin
   execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'UPDATE super_admin SET "encryptedSlackClientId" = null, "encryptedSlackClientSecret" = null'`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'UPDATE super_admin SET "encryptedSlackClientId" = null, "encryptedSlackClientSecret" = null'`
   );
 
   console.log("Organization migrated successfully.");

backend/src/@types/fastify-request-context.d.ts

@@ -0,0 +1,7 @@
+import "@fastify/request-context";
+
+declare module "@fastify/request-context" {
+  interface RequestContextData {
+    reqId: string;
+  }
+}

backend/src/@types/fastify-zod.d.ts

@@ -1,6 +1,6 @@
 import { FastifyInstance, RawReplyDefaultExpression, RawRequestDefaultExpression, RawServerDefault } from "fastify";
-import { Logger } from "pino";
 
+import { CustomLogger } from "@app/lib/logger/logger";
 import { ZodTypeProvider } from "@app/server/plugins/fastify-zod";
 
 declare global {
@@ -8,7 +8,7 @@ declare global {
     RawServerDefault,
     RawRequestDefaultExpression<RawServerDefault>,
     RawReplyDefaultExpression<RawServerDefault>,
-    Readonly<Logger>,
+    Readonly<CustomLogger>,
     ZodTypeProvider
   >;
 

backend/src/@types/fastify.d.ts

@@ -1,5 +1,7 @@
 import "fastify";
 
+import { Redis } from "ioredis";
+
 import { TUsers } from "@app/db/schemas";
 import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
 import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
@@ -18,6 +20,7 @@ import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-con
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { TProjectTemplateServiceFactory } from "@app/ee/services/project-template/project-template-service";
 import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
 import { TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-service";
 import { RateLimitConfiguration } from "@app/ee/services/rate-limit/rate-limit-types";
@@ -43,6 +46,7 @@ import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
 import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
+import { THsmServiceFactory } from "@app/services/hsm/hsm-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
@@ -77,6 +81,7 @@ import { TServiceTokenServiceFactory } from "@app/services/service-token/service
 import { TSlackServiceFactory } from "@app/services/slack/slack-service";
 import { TSuperAdminServiceFactory } from "@app/services/super-admin/super-admin-service";
 import { TTelemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
+import { TTotpServiceFactory } from "@app/services/totp/totp-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TUserServiceFactory } from "@app/services/user/user-service";
 import { TUserEngagementServiceFactory } from "@app/services/user-engagement/user-engagement-service";
@@ -84,6 +89,10 @@ import { TWebhookServiceFactory } from "@app/services/webhook/webhook-service";
 import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integration/workflow-integration-service";
 
 declare module "fastify" {
+  interface Session {
+    callbackPort: string;
+  }
+
   interface FastifyRequest {
     realIp: string;
     // used for mfa session authentication
@@ -112,6 +121,7 @@ declare module "fastify" {
   }
 
   interface FastifyInstance {
+    redis: Redis;
     services: {
       login: TAuthLoginFactory;
       password: TAuthPasswordFactory;
@@ -183,12 +193,15 @@ declare module "fastify" {
       rateLimit: TRateLimitServiceFactory;
       userEngagement: TUserEngagementServiceFactory;
       externalKms: TExternalKmsServiceFactory;
+      hsm: THsmServiceFactory;
       orgAdmin: TOrgAdminServiceFactory;
       slack: TSlackServiceFactory;
       workflowIntegration: TWorkflowIntegrationServiceFactory;
       cmek: TCmekServiceFactory;
       migration: TExternalMigrationServiceFactory;
       externalGroupOrgRoleMapping: TExternalGroupOrgRoleMappingServiceFactory;
+      projectTemplate: TProjectTemplateServiceFactory;
+      totp: TTotpServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/hdb.d.ts

@@ -0,0 +1,4 @@
+declare module "hdb" {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Untyped, the function returns `any`.
+  function createClient(options): any;
+}

backend/src/@types/knex.d.ts

@@ -200,6 +200,9 @@ import {
   TProjectSlackConfigsInsert,
   TProjectSlackConfigsUpdate,
   TProjectsUpdate,
+  TProjectTemplates,
+  TProjectTemplatesInsert,
+  TProjectTemplatesUpdate,
   TProjectUserAdditionalPrivilege,
   TProjectUserAdditionalPrivilegeInsert,
   TProjectUserAdditionalPrivilegeUpdate,
@@ -311,6 +314,9 @@ import {
   TSuperAdmin,
   TSuperAdminInsert,
   TSuperAdminUpdate,
+  TTotpConfigs,
+  TTotpConfigsInsert,
+  TTotpConfigsUpdate,
   TTrustedIps,
   TTrustedIpsInsert,
   TTrustedIpsUpdate,
@@ -818,5 +824,11 @@ declare module "knex/types/tables" {
       TExternalGroupOrgRoleMappingsInsert,
       TExternalGroupOrgRoleMappingsUpdate
     >;
+    [TableName.ProjectTemplates]: KnexOriginal.CompositeTableType<
+      TProjectTemplates,
+      TProjectTemplatesInsert,
+      TProjectTemplatesUpdate
+    >;
+    [TableName.TotpConfig]: KnexOriginal.CompositeTableType<TTotpConfigs, TTotpConfigsInsert, TTotpConfigsUpdate>;
   }
 }

backend/src/db/migrations/20231222172455_integration.ts

@@ -9,7 +9,7 @@ export async function up(knex: Knex): Promise<void> {
       t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
       t.string("integration").notNullable();
       t.string("teamId"); // vercel-specific
-      t.string("url"); // for self hosted
+      t.string("url"); // for self-hosted
       t.string("namespace"); // hashicorp specific
       t.string("accountId"); // netlify
       t.text("refreshCiphertext");
@@ -36,7 +36,7 @@ export async function up(knex: Knex): Promise<void> {
     await knex.schema.createTable(TableName.Integration, (t) => {
       t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
       t.boolean("isActive").notNullable();
-      t.string("url"); // self hosted
+      t.string("url"); // self-hosted
       t.string("app"); // name of app in provider
       t.string("appId");
       t.string("targetEnvironment");

backend/src/db/migrations/20240802181855_ca-cert-version.ts

@@ -64,23 +64,25 @@ export async function up(knex: Knex): Promise<void> {
   }
 
   if (await knex.schema.hasTable(TableName.Certificate)) {
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("caCertId").nullable();
-      t.foreign("caCertId").references("id").inTable(TableName.CertificateAuthorityCert);
-    });
+    const hasCaCertIdColumn = await knex.schema.hasColumn(TableName.Certificate, "caCertId");
+    if (!hasCaCertIdColumn) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.uuid("caCertId").nullable();
+        t.foreign("caCertId").references("id").inTable(TableName.CertificateAuthorityCert);
+      });
 
-    await knex.raw(`
+      await knex.raw(`
         UPDATE "${TableName.Certificate}" cert
         SET "caCertId" = (
           SELECT caCert.id
           FROM "${TableName.CertificateAuthorityCert}" caCert
           WHERE caCert."caId" = cert."caId"
-        )
-      `);
+        )`);
 
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("caCertId").notNullable().alter();
-    });
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.uuid("caCertId").notNullable().alter();
+      });
+    }
   }
 }
 

backend/src/db/migrations/20241014084900_identity-multiple-auth-methods.ts

@@ -0,0 +1,78 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+const BATCH_SIZE = 10_000;
+
+export async function up(knex: Knex): Promise<void> {
+  const hasAuthMethodColumnAccessToken = await knex.schema.hasColumn(TableName.IdentityAccessToken, "authMethod");
+
+  if (!hasAuthMethodColumnAccessToken) {
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.string("authMethod").nullable();
+    });
+
+    // first we remove identities without auth method that is unused
+    // ! We delete all access tokens where the identity has no auth method set!
+    // ! Which means un-configured identities that for some reason have access tokens, will have their access tokens deleted.
+    await knex(TableName.IdentityAccessToken)
+      .leftJoin(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityAccessToken}.identityId`)
+      .whereNull(`${TableName.Identity}.authMethod`)
+      .delete();
+
+    let nullableAccessTokens = await knex(TableName.IdentityAccessToken)
+      .whereNull("authMethod")
+      .limit(BATCH_SIZE)
+      .select("id");
+    let totalUpdated = 0;
+
+    do {
+      const batchIds = nullableAccessTokens.map((token) => token.id);
+
+      // ! Update the auth method column in batches for the current batch
+      // eslint-disable-next-line no-await-in-loop
+      await knex(TableName.IdentityAccessToken)
+        .whereIn("id", batchIds)
+        .update({
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore because generate schema happens after this
+          authMethod: knex(TableName.Identity)
+            .select("authMethod")
+            .whereRaw(`${TableName.IdentityAccessToken}."identityId" = ${TableName.Identity}.id`)
+            .whereNotNull("authMethod")
+            .first()
+        });
+
+      // eslint-disable-next-line no-await-in-loop
+      nullableAccessTokens = await knex(TableName.IdentityAccessToken)
+        .whereNull("authMethod")
+        .limit(BATCH_SIZE)
+        .select("id");
+
+      totalUpdated += batchIds.length;
+      console.log(`Updated ${batchIds.length} access tokens in batch <> Total updated: ${totalUpdated}`);
+    } while (nullableAccessTokens.length > 0);
+
+    // Finally we set the authMethod to notNullable after populating the column.
+    // This will fail if the data is not populated correctly, so it's safe.
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.string("authMethod").notNullable().alter();
+    });
+  }
+
+  // ! We aren't dropping the authMethod column from the Identity itself, because we wan't to be able to easily rollback for the time being.
+}
+
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+export async function down(knex: Knex): Promise<void> {
+  const hasAuthMethodColumnAccessToken = await knex.schema.hasColumn(TableName.IdentityAccessToken, "authMethod");
+
+  if (hasAuthMethodColumnAccessToken) {
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.dropColumn("authMethod");
+    });
+  }
+}
+
+const config = { transaction: false };
+export { config };

backend/src/db/migrations/20241101174939_project-templates.ts

@@ -0,0 +1,28 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.ProjectTemplates))) {
+    await knex.schema.createTable(TableName.ProjectTemplates, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name", 32).notNullable();
+      t.string("description").nullable();
+      t.jsonb("roles").notNullable();
+      t.jsonb("environments").notNullable();
+      t.uuid("orgId").notNullable().references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.ProjectTemplates);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.ProjectTemplates)) {
+    await dropOnUpdateTrigger(knex, TableName.ProjectTemplates);
+
+    await knex.schema.dropTable(TableName.ProjectTemplates);
+  }
+}

backend/src/db/migrations/20241107112632_skip-bootstrap-cert-validation-est.ts

@@ -0,0 +1,35 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasDisableBootstrapCertValidationCol = await knex.schema.hasColumn(
+    TableName.CertificateTemplateEstConfig,
+    "disableBootstrapCertValidation"
+  );
+
+  const hasCaChainCol = await knex.schema.hasColumn(TableName.CertificateTemplateEstConfig, "encryptedCaChain");
+
+  await knex.schema.alterTable(TableName.CertificateTemplateEstConfig, (t) => {
+    if (!hasDisableBootstrapCertValidationCol) {
+      t.boolean("disableBootstrapCertValidation").defaultTo(false).notNullable();
+    }
+
+    if (hasCaChainCol) {
+      t.binary("encryptedCaChain").nullable().alter();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasDisableBootstrapCertValidationCol = await knex.schema.hasColumn(
+    TableName.CertificateTemplateEstConfig,
+    "disableBootstrapCertValidation"
+  );
+
+  await knex.schema.alterTable(TableName.CertificateTemplateEstConfig, (t) => {
+    if (hasDisableBootstrapCertValidationCol) {
+      t.dropColumn("disableBootstrapCertValidation");
+    }
+  });
+}

backend/src/db/migrations/20241110032223_add-missing-oidc-org-cascade-reference.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.OidcConfig, "orgId")) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      t.dropForeign("orgId");
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.OidcConfig, "orgId")) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      t.dropForeign("orgId");
+      t.foreign("orgId").references("id").inTable(TableName.Organization);
+    });
+  }
+}

backend/src/db/migrations/20241111175154_kms-root-cfg-hsm.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEncryptionStrategy = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "encryptionStrategy");
+  const hasTimestampsCol = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "createdAt");
+
+  await knex.schema.alterTable(TableName.KmsServerRootConfig, (t) => {
+    if (!hasEncryptionStrategy) t.string("encryptionStrategy").defaultTo("SOFTWARE");
+    if (!hasTimestampsCol) t.timestamps(true, true, true);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEncryptionStrategy = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "encryptionStrategy");
+  const hasTimestampsCol = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "createdAt");
+
+  await knex.schema.alterTable(TableName.KmsServerRootConfig, (t) => {
+    if (hasEncryptionStrategy) t.dropColumn("encryptionStrategy");
+    if (hasTimestampsCol) t.dropTimestamps(true);
+  });
+}

backend/src/db/migrations/20241112082701_add-totp-support.ts

@@ -0,0 +1,54 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.TotpConfig))) {
+    await knex.schema.createTable(TableName.TotpConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("userId").notNullable();
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.boolean("isVerified").defaultTo(false).notNullable();
+      t.binary("encryptedRecoveryCodes").notNullable();
+      t.binary("encryptedSecret").notNullable();
+      t.timestamps(true, true, true);
+      t.unique("userId");
+    });
+
+    await createOnUpdateTrigger(knex, TableName.TotpConfig);
+  }
+
+  const doesOrgMfaMethodColExist = await knex.schema.hasColumn(TableName.Organization, "selectedMfaMethod");
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (!doesOrgMfaMethodColExist) {
+      t.string("selectedMfaMethod");
+    }
+  });
+
+  const doesUserSelectedMfaMethodColExist = await knex.schema.hasColumn(TableName.Users, "selectedMfaMethod");
+  await knex.schema.alterTable(TableName.Users, (t) => {
+    if (!doesUserSelectedMfaMethodColExist) {
+      t.string("selectedMfaMethod");
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.TotpConfig);
+  await knex.schema.dropTableIfExists(TableName.TotpConfig);
+
+  const doesOrgMfaMethodColExist = await knex.schema.hasColumn(TableName.Organization, "selectedMfaMethod");
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (doesOrgMfaMethodColExist) {
+      t.dropColumn("selectedMfaMethod");
+    }
+  });
+
+  const doesUserSelectedMfaMethodColExist = await knex.schema.hasColumn(TableName.Users, "selectedMfaMethod");
+  await knex.schema.alterTable(TableName.Users, (t) => {
+    if (doesUserSelectedMfaMethodColExist) {
+      t.dropColumn("selectedMfaMethod");
+    }
+  });
+}

backend/src/db/migrations/20241119143026_add-project-descripton.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasProjectDescription = await knex.schema.hasColumn(TableName.Project, "description");
+
+  if (!hasProjectDescription) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.string("description");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasProjectDescription = await knex.schema.hasColumn(TableName.Project, "description");
+
+  if (hasProjectDescription) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.dropColumn("description");
+    });
+  }
+}

backend/src/db/migrations/20241121131344_make-identity-metadata-not-nullable-again.ts

@@ -0,0 +1,20 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityMetadata, "value")) {
+    await knex(TableName.IdentityMetadata).whereNull("value").delete();
+    await knex.schema.alterTable(TableName.IdentityMetadata, (t) => {
+      t.string("value", 1020).notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityMetadata, "value")) {
+    await knex.schema.alterTable(TableName.IdentityMetadata, (t) => {
+      t.string("value", 1020).alter();
+    });
+  }
+}

backend/src/db/migrations/20241203165840_allow-disabling-approval-workflows.ts

@@ -0,0 +1,59 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasAccessApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.AccessApprovalPolicy,
+    "deletedAt"
+  );
+  const hasSecretApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.SecretApprovalPolicy,
+    "deletedAt"
+  );
+
+  if (!hasAccessApprovalPolicyDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.timestamp("deletedAt");
+    });
+  }
+  if (!hasSecretApprovalPolicyDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.timestamp("deletedAt");
+    });
+  }
+
+  await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+    t.dropForeign(["privilegeId"]);
+
+    // Add the new foreign key constraint with ON DELETE SET NULL
+    t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("SET NULL");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasAccessApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.AccessApprovalPolicy,
+    "deletedAt"
+  );
+  const hasSecretApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.SecretApprovalPolicy,
+    "deletedAt"
+  );
+
+  if (hasAccessApprovalPolicyDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.dropColumn("deletedAt");
+    });
+  }
+  if (hasSecretApprovalPolicyDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.dropColumn("deletedAt");
+    });
+  }
+
+  await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+    t.dropForeign(["privilegeId"]);
+    t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("CASCADE");
+  });
+}

backend/src/db/schemas/access-approval-policies.ts

@@ -15,7 +15,8 @@ export const AccessApprovalPoliciesSchema = z.object({
   envId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  enforcementLevel: z.string().default("hard")
+  enforcementLevel: z.string().default("hard"),
+  deletedAt: z.date().nullable().optional()
 });
 
 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;

backend/src/db/schemas/certificate-template-est-configs.ts

@@ -12,11 +12,12 @@ import { TImmutableDBKeys } from "./models";
 export const CertificateTemplateEstConfigsSchema = z.object({
   id: z.string().uuid(),
   certificateTemplateId: z.string().uuid(),
-  encryptedCaChain: zodBuffer,
+  encryptedCaChain: zodBuffer.nullable().optional(),
   hashedPassphrase: z.string(),
   isEnabled: z.boolean(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  disableBootstrapCertValidation: z.boolean().default(false)
 });
 
 export type TCertificateTemplateEstConfigs = z.infer<typeof CertificateTemplateEstConfigsSchema>;

backend/src/db/schemas/identity-access-tokens.ts

@@ -20,7 +20,8 @@ export const IdentityAccessTokensSchema = z.object({
   identityId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  name: z.string().nullable().optional()
+  name: z.string().nullable().optional(),
+  authMethod: z.string()
 });
 
 export type TIdentityAccessTokens = z.infer<typeof IdentityAccessTokensSchema>;

backend/src/db/schemas/index.ts

@@ -64,6 +64,7 @@ export * from "./project-keys";
 export * from "./project-memberships";
 export * from "./project-roles";
 export * from "./project-slack-configs";
+export * from "./project-templates";
 export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
@@ -105,6 +106,7 @@ export * from "./secrets-v2";
 export * from "./service-tokens";
 export * from "./slack-integrations";
 export * from "./super-admin";
+export * from "./totp-configs";
 export * from "./trusted-ips";
 export * from "./user-actions";
 export * from "./user-aliases";

backend/src/db/schemas/kms-root-config.ts

@@ -11,7 +11,10 @@ import { TImmutableDBKeys } from "./models";
 
 export const KmsRootConfigSchema = z.object({
   id: z.string().uuid(),
-  encryptedRootKey: zodBuffer
+  encryptedRootKey: zodBuffer,
+  encryptionStrategy: z.string().default("SOFTWARE").nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
 });
 
 export type TKmsRootConfig = z.infer<typeof KmsRootConfigSchema>;

backend/src/db/schemas/models.ts

@@ -41,6 +41,7 @@ export enum TableName {
   ProjectUserAdditionalPrivilege = "project_user_additional_privilege",
   ProjectUserMembershipRole = "project_user_membership_roles",
   ProjectKeys = "project_keys",
+  ProjectTemplates = "project_templates",
   Secret = "secrets",
   SecretReference = "secret_references",
   SecretSharing = "secret_sharing",
@@ -116,6 +117,7 @@ export enum TableName {
   ExternalKms = "external_kms",
   InternalKms = "internal_kms",
   InternalKmsKeyVersion = "internal_kms_key_version",
+  TotpConfig = "totp_configs",
   // @depreciated
   KmsKeyVersion = "kms_key_versions",
   WorkflowIntegrations = "workflow_integrations",
@@ -189,7 +191,7 @@ export enum ProjectUpgradeStatus {
 
 export enum IdentityAuthMethod {
   TOKEN_AUTH = "token-auth",
-  Univeral = "universal-auth",
+  UNIVERSAL_AUTH = "universal-auth",
   KUBERNETES_AUTH = "kubernetes-auth",
   GCP_AUTH = "gcp-auth",
   AWS_AUTH = "aws-auth",

backend/src/db/schemas/organizations.ts

@@ -21,7 +21,8 @@ export const OrganizationsSchema = z.object({
   kmsDefaultKeyId: z.string().uuid().nullable().optional(),
   kmsEncryptedDataKey: zodBuffer.nullable().optional(),
   defaultMembershipRole: z.string().default("member"),
-  enforceMfa: z.boolean().default(false)
+  enforceMfa: z.boolean().default(false),
+  selectedMfaMethod: z.string().nullable().optional()
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/db/schemas/project-roles.ts

@@ -15,7 +15,8 @@ export const ProjectRolesSchema = z.object({
   permissions: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  projectId: z.string()
+  projectId: z.string(),
+  version: z.number().default(1)
 });
 
 export type TProjectRoles = z.infer<typeof ProjectRolesSchema>;

backend/src/db/schemas/project-templates.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ProjectTemplatesSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  description: z.string().nullable().optional(),
+  roles: z.unknown(),
+  environments: z.unknown(),
+  orgId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;
+export type TProjectTemplatesInsert = Omit<z.input<typeof ProjectTemplatesSchema>, TImmutableDBKeys>;
+export type TProjectTemplatesUpdate = Partial<Omit<z.input<typeof ProjectTemplatesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/projects.ts

@@ -23,7 +23,8 @@ export const ProjectsSchema = z.object({
   kmsCertificateKeyId: z.string().uuid().nullable().optional(),
   auditLogsRetentionDays: z.number().nullable().optional(),
   kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
-  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional()
+  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
+  description: z.string().nullable().optional()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/secret-approval-policies.ts

@@ -15,7 +15,8 @@ export const SecretApprovalPoliciesSchema = z.object({
   envId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  enforcementLevel: z.string().default("hard")
+  enforcementLevel: z.string().default("hard"),
+  deletedAt: z.date().nullable().optional()
 });
 
 export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;

backend/src/db/schemas/totp-configs.ts

@@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const TotpConfigsSchema = z.object({
+  id: z.string().uuid(),
+  userId: z.string().uuid(),
+  isVerified: z.boolean().default(false),
+  encryptedRecoveryCodes: zodBuffer,
+  encryptedSecret: zodBuffer,
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TTotpConfigs = z.infer<typeof TotpConfigsSchema>;
+export type TTotpConfigsInsert = Omit<z.input<typeof TotpConfigsSchema>, TImmutableDBKeys>;
+export type TTotpConfigsUpdate = Partial<Omit<z.input<typeof TotpConfigsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/users.ts

@@ -26,7 +26,8 @@ export const UsersSchema = z.object({
   consecutiveFailedMfaAttempts: z.number().default(0).nullable().optional(),
   isLocked: z.boolean().default(false).nullable().optional(),
   temporaryLockDateEnd: z.date().nullable().optional(),
-  consecutiveFailedPasswordAttempts: z.number().default(0).nullable().optional()
+  consecutiveFailedPasswordAttempts: z.number().default(0).nullable().optional(),
+  selectedMfaMethod: z.string().nullable().optional()
 });
 
 export type TUsers = z.infer<typeof UsersSchema>;

backend/src/db/seeds/5-machine-identity.ts

@@ -16,7 +16,7 @@ export async function seed(knex: Knex): Promise<void> {
       // @ts-ignore
       id: seedData1.machineIdentity.id,
       name: seedData1.machineIdentity.name,
-      authMethod: IdentityAuthMethod.Univeral
+      authMethod: IdentityAuthMethod.UNIVERSAL_AUTH
     }
   ]);
   const identityUa = await knex(TableName.IdentityUniversalAuth)

backend/src/db/utils.ts

@@ -2,6 +2,9 @@ import { Knex } from "knex";
 
 import { TableName } from "./schemas";
 
+interface PgTriggerResult {
+  rows: Array<{ exists: boolean }>;
+}
 export const createJunctionTable = (knex: Knex, tableName: TableName, table1Name: TableName, table2Name: TableName) =>
   knex.schema.createTable(tableName, (table) => {
     table.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
@@ -28,13 +31,26 @@ DROP FUNCTION IF EXISTS on_update_timestamp() CASCADE;
 
 // we would be using this to apply updatedAt where ever we wanta
 // remember to set `timestamps(true,true,true)` before this on schema
-export const createOnUpdateTrigger = (knex: Knex, tableName: string) =>
-  knex.raw(`
-CREATE TRIGGER "${tableName}_updatedAt"
-BEFORE UPDATE ON ${tableName}
-FOR EACH ROW
-EXECUTE PROCEDURE on_update_timestamp();
-`);
+export const createOnUpdateTrigger = async (knex: Knex, tableName: string) => {
+  const triggerExists = await knex.raw<PgTriggerResult>(`
+    SELECT EXISTS (
+      SELECT 1 
+      FROM pg_trigger 
+      WHERE tgname = '${tableName}_updatedAt'
+    );
+  `);
+
+  if (!triggerExists?.rows?.[0]?.exists) {
+    return knex.raw(`
+      CREATE TRIGGER "${tableName}_updatedAt"
+      BEFORE UPDATE ON ${tableName}
+      FOR EACH ROW
+      EXECUTE PROCEDURE on_update_timestamp();
+    `);
+  }
+
+  return null;
+};
 
 export const dropOnUpdateTrigger = (knex: Knex, tableName: string) =>
   knex.raw(`DROP TRIGGER IF EXISTS "${tableName}_updatedAt" ON ${tableName}`);

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -109,7 +109,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
               approvers: z.string().array(),
               secretPath: z.string().nullish(),
               envId: z.string(),
-              enforcementLevel: z.string()
+              enforcementLevel: z.string(),
+              deletedAt: z.date().nullish()
             }),
             reviewers: z
               .object({

backend/src/ee/routes/v1/dynamic-secret-router.ts

@@ -1,4 +1,3 @@
-import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 import { z } from "zod";
 
@@ -8,6 +7,7 @@ import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -48,15 +48,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
           .nullable(),
         path: z.string().describe(DYNAMIC_SECRETS.CREATE.path).trim().default("/").transform(removeTrailingSlash),
         environmentSlug: z.string().describe(DYNAMIC_SECRETS.CREATE.environmentSlug).min(1),
-        name: z
-          .string()
-          .describe(DYNAMIC_SECRETS.CREATE.name)
-          .min(1)
-          .toLowerCase()
-          .max(64)
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid"
-          })
+        name: slugSchema({ min: 1, max: 64, field: "Name" }).describe(DYNAMIC_SECRETS.CREATE.name)
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/external-kms-router.ts

@@ -4,9 +4,15 @@ import { ExternalKmsSchema, KmsKeysSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import {
   ExternalKmsAwsSchema,
+  ExternalKmsGcpCredentialSchema,
+  ExternalKmsGcpSchema,
   ExternalKmsInputSchema,
-  ExternalKmsInputUpdateSchema
+  ExternalKmsInputUpdateSchema,
+  KmsGcpKeyFetchAuthType,
+  KmsProviders,
+  TExternalKmsGcpCredentialSchema
 } from "@app/ee/services/external-kms/providers/model";
+import { NotFoundError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -44,7 +50,8 @@ const sanitizedExternalSchemaForGetById = KmsKeysSchema.extend({
     statusDetails: true,
     provider: true
   }).extend({
-    providerInput: ExternalKmsAwsSchema
+    // for GCP, we don't return the credential object as it is sensitive data that should not be exposed
+    providerInput: z.union([ExternalKmsAwsSchema, ExternalKmsGcpSchema.pick({ gcpRegion: true, keyName: true })])
   })
 });
 
@@ -286,4 +293,67 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
       return { externalKms };
     }
   });
+
+  server.route({
+    method: "POST",
+    url: "/gcp/keys",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.discriminatedUnion("authMethod", [
+        z.object({
+          authMethod: z.literal(KmsGcpKeyFetchAuthType.Credential),
+          region: z.string().trim().min(1),
+          credential: ExternalKmsGcpCredentialSchema
+        }),
+        z.object({
+          authMethod: z.literal(KmsGcpKeyFetchAuthType.Kms),
+          region: z.string().trim().min(1),
+          kmsId: z.string().trim().min(1)
+        })
+      ]),
+      response: {
+        200: z.object({
+          keys: z.string().array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { region, authMethod } = req.body;
+      let credentialJson: TExternalKmsGcpCredentialSchema | undefined;
+
+      if (authMethod === KmsGcpKeyFetchAuthType.Credential) {
+        credentialJson = req.body.credential;
+      } else if (authMethod === KmsGcpKeyFetchAuthType.Kms) {
+        const externalKms = await server.services.externalKms.findById({
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          id: req.body.kmsId
+        });
+
+        if (!externalKms || externalKms.external.provider !== KmsProviders.Gcp) {
+          throw new NotFoundError({ message: "KMS not found or not of type GCP" });
+        }
+
+        credentialJson = externalKms.external.providerInput.credential as TExternalKmsGcpCredentialSchema;
+      }
+
+      if (!credentialJson) {
+        throw new NotFoundError({
+          message: "Something went wrong while fetching the GCP credential, please check inputs and try again"
+        });
+      }
+
+      const results = await server.services.externalKms.fetchGcpKeys({
+        credential: credentialJson,
+        gcpRegion: region
+      });
+
+      return results;
+    }
+  });
 };

backend/src/ee/routes/v1/group-router.ts

@@ -1,8 +1,8 @@
-import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 
 import { GroupsSchema, OrgMembershipRole, UsersSchema } from "@app/db/schemas";
 import { GROUPS } from "@app/lib/api-docs";
+import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -14,15 +14,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     schema: {
       body: z.object({
         name: z.string().trim().min(1).max(50).describe(GROUPS.CREATE.name),
-        slug: z
-          .string()
-          .min(5)
-          .max(36)
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid slug"
-          })
-          .optional()
-          .describe(GROUPS.CREATE.slug),
+        slug: slugSchema({ min: 5, max: 36 }).optional().describe(GROUPS.CREATE.slug),
         role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess).describe(GROUPS.CREATE.role)
       }),
       response: {
@@ -100,14 +92,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
       body: z
         .object({
           name: z.string().trim().min(1).describe(GROUPS.UPDATE.name),
-          slug: z
-            .string()
-            .min(5)
-            .max(36)
-            .refine((v) => slugify(v) === v, {
-              message: "Slug must be a valid slug"
-            })
-            .describe(GROUPS.UPDATE.slug),
+          slug: slugSchema({ min: 5, max: 36 }).describe(GROUPS.UPDATE.slug),
           role: z.string().trim().min(1).describe(GROUPS.UPDATE.role)
         })
         .partial(),

backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts

@@ -8,6 +8,7 @@ import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import {
   ProjectPermissionSchema,
@@ -33,17 +34,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       body: z.object({
         identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.identityId),
         projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.projectSlug),
-        slug: z
-          .string()
-          .min(1)
-          .max(60)
-          .trim()
-          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid slug"
-          })
-          .optional()
-          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
+        slug: slugSchema({ min: 1, max: 60 }).optional().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
         permissions: ProjectPermissionSchema.array()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
           .optional(),
@@ -77,7 +68,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         ...req.body,
-        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
+        slug: req.body.slug ?? slugify(alphaNumericNanoId(12)),
         isTemporary: false,
         // eslint-disable-next-line @typescript-eslint/ban-ts-comment
         // @ts-ignore-error this is valid ts
@@ -103,17 +94,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       body: z.object({
         identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.identityId),
         projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.projectSlug),
-        slug: z
-          .string()
-          .min(1)
-          .max(60)
-          .trim()
-          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid slug"
-          })
-          .optional()
-          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
+        slug: slugSchema({ min: 1, max: 60 }).optional().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
         permissions: ProjectPermissionSchema.array()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
           .optional(),
@@ -159,7 +140,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         ...req.body,
-        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
+        slug: req.body.slug ?? slugify(alphaNumericNanoId(12)),
         isTemporary: true,
         // eslint-disable-next-line @typescript-eslint/ban-ts-comment
         // @ts-ignore-error this is valid ts
@@ -189,16 +170,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
         projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.projectSlug),
         privilegeDetails: z
           .object({
-            slug: z
-              .string()
-              .min(1)
-              .max(60)
-              .trim()
-              .refine((val) => val.toLowerCase() === val, "Must be lowercase")
-              .refine((v) => slugify(v) === v, {
-                message: "Slug must be a valid slug"
-              })
-              .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.newSlug),
+            slug: slugSchema({ min: 1, max: 60 }).describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.newSlug),
             permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
             privilegePermission: ProjectSpecificPrivilegePermissionSchema.describe(
               IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.privilegePermission

backend/src/ee/routes/v1/index.ts

@@ -1,3 +1,5 @@
+import { registerProjectTemplateRouter } from "@app/ee/routes/v1/project-template-router";
+
 import { registerAccessApprovalPolicyRouter } from "./access-approval-policy-router";
 import { registerAccessApprovalRequestRouter } from "./access-approval-request-router";
 import { registerAuditLogStreamRouter } from "./audit-log-stream-router";
@@ -92,4 +94,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerExternalKmsRouter, {
     prefix: "/external-kms"
   });
+
+  await server.register(registerProjectTemplateRouter, { prefix: "/project-templates" });
 };

backend/src/ee/routes/v1/oidc-router.ts

@@ -9,7 +9,6 @@
 import { Authenticator, Strategy } from "@fastify/passport";
 import fastifySession from "@fastify/session";
 import RedisStore from "connect-redis";
-import { Redis } from "ioredis";
 import { z } from "zod";
 
 import { OidcConfigsSchema } from "@app/db/schemas/oidc-configs";
@@ -21,7 +20,6 @@ import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerOidcRouter = async (server: FastifyZodProvider) => {
   const appCfg = getConfig();
-  const redis = new Redis(appCfg.REDIS_URL);
   const passport = new Authenticator({ key: "oidc", userProperty: "passportUser" });
 
   /*
@@ -30,7 +28,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
   - Fastify session <> Redis structure is based on the ff: https://github.com/fastify/session/blob/master/examples/redis.js
   */
   const redisStore = new RedisStore({
-    client: redis,
+    client: server.redis,
     prefix: "oidc-session:",
     ttl: 600 // 10 minutes
   });

backend/src/ee/routes/v1/org-role-router.ts

@@ -1,8 +1,8 @@
-import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 
 import { OrgMembershipRole, OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -18,17 +18,10 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
         organizationId: z.string().trim()
       }),
       body: z.object({
-        slug: z
-          .string()
-          .min(1)
-          .trim()
-          .refine(
-            (val) => !Object.values(OrgMembershipRole).includes(val as OrgMembershipRole),
-            "Please choose a different slug, the slug you have entered is reserved"
-          )
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid"
-          }),
+        slug: slugSchema({ min: 1, max: 64 }).refine(
+          (val) => !Object.values(OrgMembershipRole).includes(val as OrgMembershipRole),
+          "Please choose a different slug, the slug you have entered is reserved"
+        ),
         name: z.string().trim(),
         description: z.string().trim().optional(),
         permissions: z.any().array()
@@ -94,17 +87,13 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
         roleId: z.string().trim()
       }),
       body: z.object({
-        slug: z
-          .string()
-          .trim()
-          .optional()
+        // TODO: Switch to slugSchema after verifying correct methods with Akhil - Omar 11/24
+        slug: slugSchema({ min: 1, max: 64 })
           .refine(
-            (val) => typeof val !== "undefined" && !Object.keys(OrgMembershipRole).includes(val),
+            (val) => !Object.keys(OrgMembershipRole).includes(val),
             "Please choose a different slug, the slug you have entered is reserved."
           )
-          .refine((val) => typeof val === "undefined" || slugify(val) === val, {
-            message: "Slug must be a valid"
-          }),
+          .optional(),
         name: z.string().trim().optional(),
         description: z.string().trim().optional(),
         permissions: z.any().array().optional()

backend/src/ee/routes/v1/project-role-router.ts

@@ -1,5 +1,4 @@
 import { packRules } from "@casl/ability/extra";
-import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 
 import { ProjectMembershipRole, ProjectMembershipsSchema, ProjectRolesSchema } from "@app/db/schemas";
@@ -9,6 +8,7 @@ import {
 } from "@app/ee/services/permission/project-permission";
 import { PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedRoleSchemaV1 } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -32,18 +32,11 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         projectSlug: z.string().trim().describe(PROJECT_ROLE.CREATE.projectSlug)
       }),
       body: z.object({
-        slug: z
-          .string()
-          .toLowerCase()
-          .trim()
-          .min(1)
+        slug: slugSchema({ max: 64 })
           .refine(
             (val) => !Object.values(ProjectMembershipRole).includes(val as ProjectMembershipRole),
             "Please choose a different slug, the slug you have entered is reserved"
           )
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid"
-          })
           .describe(PROJECT_ROLE.CREATE.slug),
         name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
         description: z.string().trim().optional().describe(PROJECT_ROLE.CREATE.description),
@@ -94,21 +87,13 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         roleId: z.string().trim().describe(PROJECT_ROLE.UPDATE.roleId)
       }),
       body: z.object({
-        slug: z
-          .string()
-          .toLowerCase()
-          .trim()
-          .optional()
-          .describe(PROJECT_ROLE.UPDATE.slug)
+        slug: slugSchema({ max: 64 })
           .refine(
-            (val) =>
-              typeof val === "undefined" ||
-              !Object.values(ProjectMembershipRole).includes(val as ProjectMembershipRole),
+            (val) => !Object.values(ProjectMembershipRole).includes(val as ProjectMembershipRole),
             "Please choose a different slug, the slug you have entered is reserved"
           )
-          .refine((val) => typeof val === "undefined" || slugify(val) === val, {
-            message: "Slug must be a valid"
-          }),
+          .describe(PROJECT_ROLE.UPDATE.slug)
+          .optional(),
         name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
         description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
         permissions: ProjectPermissionV1Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
@@ -192,7 +177,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          roles: ProjectRolesSchema.omit({ permissions: true }).array()
+          roles: ProjectRolesSchema.omit({ permissions: true, version: true }).array()
         })
       }
     },
@@ -225,7 +210,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          role: SanitizedRoleSchemaV1
+          role: SanitizedRoleSchemaV1.omit({ version: true })
         })
       }
     },

backend/src/ee/routes/v1/project-template-router.ts

@@ -0,0 +1,302 @@
+import { z } from "zod";
+
+import { ProjectMembershipRole, ProjectTemplatesSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
+import { ProjectTemplateDefaultEnvironments } from "@app/ee/services/project-template/project-template-constants";
+import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
+import { ProjectTemplates } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { slugSchema } from "@app/server/lib/schemas";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+const MAX_JSON_SIZE_LIMIT_IN_BYTES = 32_768;
+
+const isReservedRoleSlug = (slug: string) =>
+  Object.values(ProjectMembershipRole).includes(slug as ProjectMembershipRole);
+
+const isReservedRoleName = (name: string) =>
+  ["custom", "admin", "viewer", "developer", "no access"].includes(name.toLowerCase());
+
+const SanitizedProjectTemplateSchema = ProjectTemplatesSchema.extend({
+  roles: z
+    .object({
+      name: z.string().trim().min(1),
+      slug: slugSchema(),
+      permissions: UnpackedPermissionSchema.array()
+    })
+    .array(),
+  environments: z
+    .object({
+      name: z.string().trim().min(1),
+      slug: slugSchema(),
+      position: z.number().min(1)
+    })
+    .array()
+});
+
+const ProjectTemplateRolesSchema = z
+  .object({
+    name: z.string().trim().min(1),
+    slug: slugSchema(),
+    permissions: ProjectPermissionV2Schema.array()
+  })
+  .array()
+  .superRefine((roles, ctx) => {
+    if (!roles.length) return;
+
+    if (Buffer.byteLength(JSON.stringify(roles)) > MAX_JSON_SIZE_LIMIT_IN_BYTES)
+      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "Size limit exceeded" });
+
+    if (new Set(roles.map((v) => v.slug)).size !== roles.length)
+      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "Role slugs must be unique" });
+
+    if (new Set(roles.map((v) => v.name)).size !== roles.length)
+      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "Role names must be unique" });
+
+    roles.forEach((role) => {
+      if (isReservedRoleSlug(role.slug))
+        ctx.addIssue({ code: z.ZodIssueCode.custom, message: `Role slug "${role.slug}" is reserved` });
+
+      if (isReservedRoleName(role.name))
+        ctx.addIssue({ code: z.ZodIssueCode.custom, message: `Role name "${role.name}" is reserved` });
+    });
+  });
+
+const ProjectTemplateEnvironmentsSchema = z
+  .object({
+    name: z.string().trim().min(1),
+    slug: slugSchema(),
+    position: z.number().min(1)
+  })
+  .array()
+  .min(1)
+  .superRefine((environments, ctx) => {
+    if (Buffer.byteLength(JSON.stringify(environments)) > MAX_JSON_SIZE_LIMIT_IN_BYTES)
+      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "Size limit exceeded" });
+
+    if (new Set(environments.map((v) => v.name)).size !== environments.length)
+      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "Environment names must be unique" });
+
+    if (new Set(environments.map((v) => v.slug)).size !== environments.length)
+      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "Environment slugs must be unique" });
+
+    if (
+      environments.some((env) => env.position < 1 || env.position > environments.length) ||
+      new Set(environments.map((env) => env.position)).size !== environments.length
+    )
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: "One or more of the positions specified is invalid. Positions must be sequential starting from 1."
+      });
+  });
+
+export const registerProjectTemplateRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List project templates for the current organization.",
+      response: {
+        200: z.object({
+          projectTemplates: SanitizedProjectTemplateSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission);
+
+      const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_PROJECT_TEMPLATES,
+          metadata: {
+            count: auditTemplates.length,
+            templateIds: auditTemplates.map((template) => template.id)
+          }
+        }
+      });
+
+      return { projectTemplates };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:templateId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get a project template by ID.",
+      params: z.object({
+        templateId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          projectTemplate: SanitizedProjectTemplateSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const projectTemplate = await server.services.projectTemplate.findProjectTemplateById(
+        req.params.templateId,
+        req.permission
+      );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_PROJECT_TEMPLATE,
+          metadata: {
+            templateId: req.params.templateId
+          }
+        }
+      });
+
+      return { projectTemplate };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Create a project template.",
+      body: z.object({
+        name: slugSchema({ field: "name" })
+          .refine((val) => !isInfisicalProjectTemplate(val), {
+            message: `The requested project template name is reserved.`
+          })
+          .describe(ProjectTemplates.CREATE.name),
+        description: z.string().max(256).trim().optional().describe(ProjectTemplates.CREATE.description),
+        roles: ProjectTemplateRolesSchema.default([]).describe(ProjectTemplates.CREATE.roles),
+        environments: ProjectTemplateEnvironmentsSchema.default(ProjectTemplateDefaultEnvironments).describe(
+          ProjectTemplates.CREATE.environments
+        )
+      }),
+      response: {
+        200: z.object({
+          projectTemplate: SanitizedProjectTemplateSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const projectTemplate = await server.services.projectTemplate.createProjectTemplate(req.body, req.permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.CREATE_PROJECT_TEMPLATE,
+          metadata: req.body
+        }
+      });
+
+      return { projectTemplate };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:templateId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Update a project template.",
+      params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.UPDATE.templateId) }),
+      body: z.object({
+        name: slugSchema({ field: "name" })
+          .refine((val) => !isInfisicalProjectTemplate(val), {
+            message: `The requested project template name is reserved.`
+          })
+          .optional()
+          .describe(ProjectTemplates.UPDATE.name),
+        description: z.string().max(256).trim().optional().describe(ProjectTemplates.UPDATE.description),
+        roles: ProjectTemplateRolesSchema.optional().describe(ProjectTemplates.UPDATE.roles),
+        environments: ProjectTemplateEnvironmentsSchema.optional().describe(ProjectTemplates.UPDATE.environments)
+      }),
+      response: {
+        200: z.object({
+          projectTemplate: SanitizedProjectTemplateSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const projectTemplate = await server.services.projectTemplate.updateProjectTemplateById(
+        req.params.templateId,
+        req.body,
+        req.permission
+      );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.UPDATE_PROJECT_TEMPLATE,
+          metadata: {
+            templateId: req.params.templateId,
+            ...req.body
+          }
+        }
+      });
+
+      return { projectTemplate };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:templateId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Delete a project template.",
+      params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.DELETE.templateId) }),
+
+      response: {
+        200: z.object({
+          projectTemplate: SanitizedProjectTemplateSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const projectTemplate = await server.services.projectTemplate.deleteProjectTemplateById(
+        req.params.templateId,
+        req.permission
+      );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.DELETE_PROJECT_TEMPLATE,
+          metadata: {
+            templateId: req.params.templateId
+          }
+        }
+      });
+
+      return { projectTemplate };
+    }
+  });
+};

backend/src/ee/routes/v1/saml-router.ts

@@ -122,6 +122,8 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
               },
               `email: ${email} firstName: ${profile.firstName as string}`
             );
+
+            throw new Error("Invalid saml request. Missing email or first name");
           }
 
           const userMetadata = Object.keys(profile.attributes || {})

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -52,7 +52,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 })
                 .array(),
               secretPath: z.string().optional().nullable(),
-              enforcementLevel: z.string()
+              enforcementLevel: z.string(),
+              deletedAt: z.date().nullish()
             }),
             committerUser: approvalRequestUser,
             commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
@@ -260,7 +261,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 approvals: z.number(),
                 approvers: approvalRequestUser.array(),
                 secretPath: z.string().optional().nullable(),
-                enforcementLevel: z.string()
+                enforcementLevel: z.string(),
+                deletedAt: z.date().nullish()
               }),
               environment: z.string(),
               statusChangedByUser: approvalRequestUser.optional(),

backend/src/ee/routes/v1/user-additional-privilege-router.ts

@@ -7,6 +7,7 @@ import { ProjectUserAdditionalPrivilegeTemporaryMode } from "@app/ee/services/pr
 import { PROJECT_USER_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedUserProjectAdditionalPrivilegeSchema } from "@app/server/routes/santizedSchemas/user-additional-privilege";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -21,17 +22,7 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
     schema: {
       body: z.object({
         projectMembershipId: z.string().min(1).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.projectMembershipId),
-        slug: z
-          .string()
-          .min(1)
-          .max(60)
-          .trim()
-          .refine((v) => v.toLowerCase() === v, "Slug must be lowercase")
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid slug"
-          })
-          .optional()
-          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.slug),
+        slug: slugSchema({ min: 1, max: 60 }).optional().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.slug),
         permissions: ProjectPermissionV2Schema.array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions),
         type: z.discriminatedUnion("isTemporary", [
           z.object({
@@ -87,15 +78,7 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
       }),
       body: z
         .object({
-          slug: z
-            .string()
-            .max(60)
-            .trim()
-            .refine((v) => v.toLowerCase() === v, "Slug must be lowercase")
-            .refine((v) => slugify(v) === v, {
-              message: "Slug must be a valid slug"
-            })
-            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.slug),
+          slug: slugSchema({ min: 1, max: 60 }).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.slug),
           permissions: ProjectPermissionV2Schema.array()
             .optional()
             .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.permissions),

backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts

@@ -7,6 +7,7 @@ import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-p
 import { IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedIdentityPrivilegeSchema } from "@app/server/routes/santizedSchemas/identitiy-additional-privilege";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -28,17 +29,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       body: z.object({
         identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.identityId),
         projectId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.projectId),
-        slug: z
-          .string()
-          .min(1)
-          .max(60)
-          .trim()
-          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid slug"
-          })
-          .optional()
-          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.slug),
+        slug: slugSchema({ min: 1, max: 60 }).optional().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.slug),
         permissions: ProjectPermissionV2Schema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.permission),
         type: z.discriminatedUnion("isTemporary", [
           z.object({
@@ -100,16 +91,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
         id: z.string().trim().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.id)
       }),
       body: z.object({
-        slug: z
-          .string()
-          .min(1)
-          .max(60)
-          .trim()
-          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid slug"
-          })
-          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.slug),
+        slug: slugSchema({ min: 1, max: 60 }).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.slug),
         permissions: ProjectPermissionV2Schema.array()
           .optional()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.privilegePermission),

backend/src/ee/routes/v2/project-role-router.ts

@@ -1,11 +1,11 @@
 import { packRules } from "@casl/ability/extra";
-import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 
 import { ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedRoleSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -29,18 +29,11 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         projectId: z.string().trim().describe(PROJECT_ROLE.CREATE.projectId)
       }),
       body: z.object({
-        slug: z
-          .string()
-          .toLowerCase()
-          .trim()
-          .min(1)
+        slug: slugSchema({ min: 1, max: 64 })
           .refine(
             (val) => !Object.values(ProjectMembershipRole).includes(val as ProjectMembershipRole),
             "Please choose a different slug, the slug you have entered is reserved"
           )
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid"
-          })
           .describe(PROJECT_ROLE.CREATE.slug),
         name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
         description: z.string().trim().optional().describe(PROJECT_ROLE.CREATE.description),
@@ -90,21 +83,13 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         roleId: z.string().trim().describe(PROJECT_ROLE.UPDATE.roleId)
       }),
       body: z.object({
-        slug: z
-          .string()
-          .toLowerCase()
-          .trim()
-          .optional()
-          .describe(PROJECT_ROLE.UPDATE.slug)
+        slug: slugSchema({ min: 1, max: 64 })
           .refine(
-            (val) =>
-              typeof val === "undefined" ||
-              !Object.values(ProjectMembershipRole).includes(val as ProjectMembershipRole),
+            (val) => !Object.values(ProjectMembershipRole).includes(val as ProjectMembershipRole),
             "Please choose a different slug, the slug you have entered is reserved"
           )
-          .refine((val) => typeof val === "undefined" || slugify(val) === val, {
-            message: "Slug must be a valid"
-          }),
+          .optional()
+          .describe(PROJECT_ROLE.UPDATE.slug),
         name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
         description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
         permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
@@ -186,7 +171,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          roles: ProjectRolesSchema.omit({ permissions: true }).array()
+          roles: ProjectRolesSchema.omit({ permissions: true, version: true }).array()
         })
       }
     },
@@ -219,7 +204,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          role: SanitizedRoleSchema
+          role: SanitizedRoleSchema.omit({ version: true })
         })
       }
     },

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -139,5 +139,10 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...accessApprovalPolicyOrm, find, findById };
+  const softDeleteById = async (policyId: string, tx?: Knex) => {
+    const softDeletedPolicy = await accessApprovalPolicyOrm.updateById(policyId, { deletedAt: new Date() }, tx);
+    return softDeletedPolicy;
+  };
+
+  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById };
 };

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -8,7 +8,11 @@ import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 
+import { TAccessApprovalRequestDALFactory } from "../access-approval-request/access-approval-request-dal";
+import { TAccessApprovalRequestReviewerDALFactory } from "../access-approval-request/access-approval-request-reviewer-dal";
+import { ApprovalStatus } from "../access-approval-request/access-approval-request-types";
 import { TGroupDALFactory } from "../group/group-dal";
+import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
 import {
@@ -21,7 +25,7 @@ import {
   TUpdateAccessApprovalPolicy
 } from "./access-approval-policy-types";
 
-type TSecretApprovalPolicyServiceFactoryDep = {
+type TAccessApprovalPolicyServiceFactoryDep = {
   projectDAL: TProjectDALFactory;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   accessApprovalPolicyDAL: TAccessApprovalPolicyDALFactory;
@@ -30,6 +34,9 @@ type TSecretApprovalPolicyServiceFactoryDep = {
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
   groupDAL: TGroupDALFactory;
   userDAL: Pick<TUserDALFactory, "find">;
+  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "update" | "find">;
+  additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
+  accessApprovalRequestReviewerDAL: Pick<TAccessApprovalRequestReviewerDALFactory, "update">;
 };
 
 export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
@@ -41,8 +48,11 @@ export const accessApprovalPolicyServiceFactory = ({
   permissionService,
   projectEnvDAL,
   projectDAL,
-  userDAL
-}: TSecretApprovalPolicyServiceFactoryDep) => {
+  userDAL,
+  accessApprovalRequestDAL,
+  additionalPrivilegeDAL,
+  accessApprovalRequestReviewerDAL
+}: TAccessApprovalPolicyServiceFactoryDep) => {
   const createAccessApprovalPolicy = async ({
     name,
     actor,
@@ -189,7 +199,7 @@ export const accessApprovalPolicyServiceFactory = ({
     );
     // ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
-    const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id });
+    const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
     return accessApprovalPolicies;
   };
 
@@ -326,7 +336,29 @@ export const accessApprovalPolicyServiceFactory = ({
       ProjectPermissionSub.SecretApproval
     );
 
-    await accessApprovalPolicyDAL.deleteById(policyId);
+    await accessApprovalPolicyDAL.transaction(async (tx) => {
+      await accessApprovalPolicyDAL.softDeleteById(policyId, tx);
+      const allAccessApprovalRequests = await accessApprovalRequestDAL.find({ policyId });
+
+      if (allAccessApprovalRequests.length) {
+        const accessApprovalRequestsIds = allAccessApprovalRequests.map((request) => request.id);
+
+        const privilegeIdsArray = allAccessApprovalRequests
+          .map((request) => request.privilegeId)
+          .filter((id): id is string => id != null);
+
+        if (privilegeIdsArray.length) {
+          await additionalPrivilegeDAL.delete({ $in: { id: privilegeIdsArray } }, tx);
+        }
+
+        await accessApprovalRequestReviewerDAL.update(
+          { $in: { id: accessApprovalRequestsIds }, status: ApprovalStatus.PENDING },
+          { status: ApprovalStatus.REJECTED },
+          tx
+        );
+      }
+    });
+
     return policy;
   };
 
@@ -356,7 +388,11 @@ export const accessApprovalPolicyServiceFactory = ({
     const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
     if (!environment) throw new NotFoundError({ message: `Environment with slug '${envSlug}' not found` });
 
-    const policies = await accessApprovalPolicyDAL.find({ envId: environment.id, projectId: project.id });
+    const policies = await accessApprovalPolicyDAL.find({
+      envId: environment.id,
+      projectId: project.id,
+      deletedAt: null
+    });
     if (!policies) throw new NotFoundError({ message: `No policies found in environment with slug '${envSlug}'` });
 
     return { count: policies.length };

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -61,7 +61,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
           db.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
           db.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
-          db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId")
+          db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId"),
+          db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
         )
 
         .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
@@ -118,7 +119,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             approvals: doc.policyApprovals,
             secretPath: doc.policySecretPath,
             enforcementLevel: doc.policyEnforcementLevel,
-            envId: doc.policyEnvId
+            envId: doc.policyEnvId,
+            deletedAt: doc.policyDeletedAt
           },
           requestedByUser: {
             userId: doc.requestedByUserId,
@@ -141,7 +143,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
               }
             : null,
 
-          isApproved: !!doc.privilegeId
+          isApproved: !!doc.policyDeletedAt || !!doc.privilegeId
         }),
         childrenMapper: [
           {
@@ -252,7 +254,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("slug").withSchema(TableName.Environment).as("environment"),
         tx.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
         tx.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
-        tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals")
+        tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
+        tx.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
       );
 
   const findById = async (id: string, tx?: Knex) => {
@@ -271,7 +274,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             name: el.policyName,
             approvals: el.policyApprovals,
             secretPath: el.policySecretPath,
-            enforcementLevel: el.policyEnforcementLevel
+            enforcementLevel: el.policyEnforcementLevel,
+            deletedAt: el.policyDeletedAt
           },
           requestedByUser: {
             userId: el.requestedByUserId,
@@ -363,6 +367,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         )
 
         .where(`${TableName.Environment}.projectId`, projectId)
+        .where(`${TableName.AccessApprovalPolicy}.deletedAt`, null)
         .select(selectAllTableCols(TableName.AccessApprovalRequest))
         .select(db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"))
         .select(db.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"));

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -130,6 +130,9 @@ export const accessApprovalRequestServiceFactory = ({
         message: `No policy in environment with slug '${environment.slug}' and with secret path '${secretPath}' was found.`
       });
     }
+    if (policy.deletedAt) {
+      throw new BadRequestError({ message: "The policy linked to this request has been deleted" });
+    }
 
     const approverIds: string[] = [];
     const approverGroupIds: string[] = [];
@@ -309,6 +312,12 @@ export const accessApprovalRequestServiceFactory = ({
     }
 
     const { policy } = accessApprovalRequest;
+    if (policy.deletedAt) {
+      throw new BadRequestError({
+        message: "The policy associated with this access request has been deleted."
+      });
+    }
+
     const { membership, hasRole } = await permissionService.getProjectPermission(
       actor,
       actorId,

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -1,6 +1,7 @@
 import { RawAxiosRequestHeaders } from "axios";
 
 import { SecretKeyEncoding } from "@app/db/schemas";
+import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
@@ -20,27 +21,130 @@ type TAuditLogQueueServiceFactoryDep = {
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
 
-export type TAuditLogQueueServiceFactory = ReturnType<typeof auditLogQueueServiceFactory>;
+export type TAuditLogQueueServiceFactory = Awaited<ReturnType<typeof auditLogQueueServiceFactory>>;
 
 // keep this timeout 5s it must be fast because else the queue will take time to finish
 // audit log is a crowded queue thus needs to be fast
 export const AUDIT_LOG_STREAM_TIMEOUT = 5 * 1000;
-export const auditLogQueueServiceFactory = ({
+
+export const auditLogQueueServiceFactory = async ({
   auditLogDAL,
   queueService,
   projectDAL,
   licenseService,
   auditLogStreamDAL
 }: TAuditLogQueueServiceFactoryDep) => {
+  const appCfg = getConfig();
+
   const pushToLog = async (data: TCreateAuditLogDTO) => {
-    await queueService.queue(QueueName.AuditLog, QueueJobs.AuditLog, data, {
-      removeOnFail: {
-        count: 3
-      },
-      removeOnComplete: true
-    });
+    if (appCfg.USE_PG_QUEUE && appCfg.SHOULD_INIT_PG_QUEUE) {
+      await queueService.queuePg<QueueName.AuditLog>(QueueJobs.AuditLog, data, {
+        retryLimit: 10,
+        retryBackoff: true
+      });
+    } else {
+      await queueService.queue<QueueName.AuditLog>(QueueName.AuditLog, QueueJobs.AuditLog, data, {
+        removeOnFail: {
+          count: 3
+        },
+        removeOnComplete: true
+      });
+    }
   };
 
+  if (appCfg.SHOULD_INIT_PG_QUEUE) {
+    await queueService.startPg<QueueName.AuditLog>(
+      QueueJobs.AuditLog,
+      async ([job]) => {
+        const { actor, event, ipAddress, projectId, userAgent, userAgentType } = job.data;
+        let { orgId } = job.data;
+        const MS_IN_DAY = 24 * 60 * 60 * 1000;
+        let project;
+
+        if (!orgId) {
+          // it will never be undefined for both org and project id
+          // TODO(akhilmhdh): use caching here in dal to avoid db calls
+          project = await projectDAL.findById(projectId as string);
+          orgId = project.orgId;
+        }
+
+        const plan = await licenseService.getPlan(orgId);
+        if (plan.auditLogsRetentionDays === 0) {
+          // skip inserting if audit log retention is 0 meaning its not supported
+          return;
+        }
+
+        // For project actions, set TTL to project-level audit log retention config
+        // This condition ensures that the plan's audit log retention days cannot be bypassed
+        const ttlInDays =
+          project?.auditLogsRetentionDays && project.auditLogsRetentionDays < plan.auditLogsRetentionDays
+            ? project.auditLogsRetentionDays
+            : plan.auditLogsRetentionDays;
+
+        const ttl = ttlInDays * MS_IN_DAY;
+
+        const auditLog = await auditLogDAL.create({
+          actor: actor.type,
+          actorMetadata: actor.metadata,
+          userAgent,
+          projectId,
+          projectName: project?.name,
+          ipAddress,
+          orgId,
+          eventType: event.type,
+          expiresAt: new Date(Date.now() + ttl),
+          eventMetadata: event.metadata,
+          userAgentType
+        });
+
+        const logStreams = orgId ? await auditLogStreamDAL.find({ orgId }) : [];
+        await Promise.allSettled(
+          logStreams.map(
+            async ({
+              url,
+              encryptedHeadersTag,
+              encryptedHeadersIV,
+              encryptedHeadersKeyEncoding,
+              encryptedHeadersCiphertext
+            }) => {
+              const streamHeaders =
+                encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
+                  ? (JSON.parse(
+                      infisicalSymmetricDecrypt({
+                        keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
+                        iv: encryptedHeadersIV,
+                        tag: encryptedHeadersTag,
+                        ciphertext: encryptedHeadersCiphertext
+                      })
+                    ) as LogStreamHeaders[])
+                  : [];
+
+              const headers: RawAxiosRequestHeaders = { "Content-Type": "application/json" };
+
+              if (streamHeaders.length)
+                streamHeaders.forEach(({ key, value }) => {
+                  headers[key] = value;
+                });
+
+              return request.post(url, auditLog, {
+                headers,
+                // request timeout
+                timeout: AUDIT_LOG_STREAM_TIMEOUT,
+                // connection timeout
+                signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
+              });
+            }
+          )
+        );
+      },
+      {
+        batchSize: 1,
+        workerCount: 30,
+        pollingIntervalSeconds: 0.5
+      }
+    );
+  }
+
   queueService.start(QueueName.AuditLog, async (job) => {
     const { actor, event, ipAddress, projectId, userAgent, userAgentType } = job.data;
     let { orgId } = job.data;

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -1,3 +1,7 @@
+import {
+  TCreateProjectTemplateDTO,
+  TUpdateProjectTemplateDTO
+} from "@app/ee/services/project-template/project-template-types";
 import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { TProjectPermission } from "@app/lib/types";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -56,6 +60,7 @@ export enum EventType {
   DELETE_SECRETS = "delete-secrets",
   GET_WORKSPACE_KEY = "get-workspace-key",
   AUTHORIZE_INTEGRATION = "authorize-integration",
+  UPDATE_INTEGRATION_AUTH = "update-integration-auth",
   UNAUTHORIZE_INTEGRATION = "unauthorize-integration",
   CREATE_INTEGRATION = "create-integration",
   DELETE_INTEGRATION = "delete-integration",
@@ -192,7 +197,13 @@ export enum EventType {
   CMEK_ENCRYPT = "cmek-encrypt",
   CMEK_DECRYPT = "cmek-decrypt",
   UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "update-external-group-org-role-mapping",
-  GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "get-external-group-org-role-mapping"
+  GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "get-external-group-org-role-mapping",
+  GET_PROJECT_TEMPLATES = "get-project-templates",
+  GET_PROJECT_TEMPLATE = "get-project-template",
+  CREATE_PROJECT_TEMPLATE = "create-project-template",
+  UPDATE_PROJECT_TEMPLATE = "update-project-template",
+  DELETE_PROJECT_TEMPLATE = "delete-project-template",
+  APPLY_PROJECT_TEMPLATE = "apply-project-template"
 }
 
 interface UserActorMetadata {
@@ -347,6 +358,13 @@ interface AuthorizeIntegrationEvent {
   };
 }
 
+interface UpdateIntegrationAuthEvent {
+  type: EventType.UPDATE_INTEGRATION_AUTH;
+  metadata: {
+    integration: string;
+  };
+}
+
 interface UnauthorizeIntegrationEvent {
   type: EventType.UNAUTHORIZE_INTEGRATION;
   metadata: {
@@ -1618,6 +1636,46 @@ interface UpdateExternalGroupOrgRoleMappingsEvent {
   };
 }
 
+interface GetProjectTemplatesEvent {
+  type: EventType.GET_PROJECT_TEMPLATES;
+  metadata: {
+    count: number;
+    templateIds: string[];
+  };
+}
+
+interface GetProjectTemplateEvent {
+  type: EventType.GET_PROJECT_TEMPLATE;
+  metadata: {
+    templateId: string;
+  };
+}
+
+interface CreateProjectTemplateEvent {
+  type: EventType.CREATE_PROJECT_TEMPLATE;
+  metadata: TCreateProjectTemplateDTO;
+}
+
+interface UpdateProjectTemplateEvent {
+  type: EventType.UPDATE_PROJECT_TEMPLATE;
+  metadata: TUpdateProjectTemplateDTO & { templateId: string };
+}
+
+interface DeleteProjectTemplateEvent {
+  type: EventType.DELETE_PROJECT_TEMPLATE;
+  metadata: {
+    templateId: string;
+  };
+}
+
+interface ApplyProjectTemplateEvent {
+  type: EventType.APPLY_PROJECT_TEMPLATE;
+  metadata: {
+    template: string;
+    projectId: string;
+  };
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -1630,6 +1688,7 @@ export type Event =
   | DeleteSecretBatchEvent
   | GetWorkspaceKeyEvent
   | AuthorizeIntegrationEvent
+  | UpdateIntegrationAuthEvent
   | UnauthorizeIntegrationEvent
   | CreateIntegrationEvent
   | DeleteIntegrationEvent
@@ -1766,4 +1825,10 @@ export type Event =
   | CmekEncryptEvent
   | CmekDecryptEvent
   | GetExternalGroupOrgRoleMappingsEvent
-  | UpdateExternalGroupOrgRoleMappingsEvent;
+  | UpdateExternalGroupOrgRoleMappingsEvent
+  | GetProjectTemplatesEvent
+  | GetProjectTemplateEvent
+  | CreateProjectTemplateEvent
+  | UpdateProjectTemplateEvent
+  | DeleteProjectTemplateEvent
+  | ApplyProjectTemplateEvent;

backend/src/ee/services/certificate-est/certificate-est-service.ts

@@ -171,27 +171,29 @@ export const certificateEstServiceFactory = ({
       });
     }
 
-    const caCerts = estConfig.caChain
-      .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
-      ?.map((cert) => {
-        return new x509.X509Certificate(cert);
-      });
+    if (!estConfig.disableBootstrapCertValidation) {
+      const caCerts = estConfig.caChain
+        .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
+        ?.map((cert) => {
+          return new x509.X509Certificate(cert);
+        });
 
-    if (!caCerts) {
-      throw new BadRequestError({ message: "Failed to parse certificate chain" });
-    }
+      if (!caCerts) {
+        throw new BadRequestError({ message: "Failed to parse certificate chain" });
+      }
 
-    const leafCertificate = decodeURIComponent(sslClientCert).match(
-      /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g
-    )?.[0];
+      const leafCertificate = decodeURIComponent(sslClientCert).match(
+        /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g
+      )?.[0];
 
-    if (!leafCertificate) {
-      throw new BadRequestError({ message: "Missing client certificate" });
-    }
+      if (!leafCertificate) {
+        throw new BadRequestError({ message: "Missing client certificate" });
+      }
 
-    const certObj = new x509.X509Certificate(leafCertificate);
-    if (!(await isCertChainValid([certObj, ...caCerts]))) {
-      throw new BadRequestError({ message: "Invalid certificate chain" });
+      const certObj = new x509.X509Certificate(leafCertificate);
+      if (!(await isCertChainValid([certObj, ...caCerts]))) {
+        throw new BadRequestError({ message: "Invalid certificate chain" });
+      }
     }
 
     const { certificate } = await certificateAuthorityService.signCertFromCa({

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -112,7 +112,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       })
     ) as object;
 
-    const selectedTTL = ttl ?? dynamicSecretCfg.defaultTTL;
+    const selectedTTL = ttl || dynamicSecretCfg.defaultTTL;
     const { maxTTL } = dynamicSecretCfg;
     const expireAt = new Date(new Date().getTime() + ms(selectedTTL));
     if (maxTTL) {
@@ -187,7 +187,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       })
     ) as object;
 
-    const selectedTTL = ttl ?? dynamicSecretCfg.defaultTTL;
+    const selectedTTL = ttl || dynamicSecretCfg.defaultTTL;
     const { maxTTL } = dynamicSecretCfg;
     const expireAt = new Date(dynamicSecretLease.expireAt.getTime() + ms(selectedTTL));
     if (maxTTL) {

backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts

@@ -0,0 +1,20 @@
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
+import { getDbConnectionHost } from "@app/lib/knex";
+
+export const verifyHostInputValidity = (host: string) => {
+  const appCfg = getConfig();
+  const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
+
+  if (
+    appCfg.isCloud &&
+    // localhost
+    // internal ips
+    (host === "host.docker.internal" || host.match(/^10\.\d+\.\d+\.\d+/) || host.match(/^192\.168\.\d+\.\d+/))
+  )
+    throw new BadRequestError({ message: "Invalid db host" });
+
+  if (host === "localhost" || host === "127.0.0.1" || dbHost === host) {
+    throw new BadRequestError({ message: "Invalid db host" });
+  }
+};

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -9,7 +9,7 @@ import {
 } from "@app/ee/services/permission/project-permission";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { OrderByDirection } from "@app/lib/types";
+import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 
@@ -22,6 +22,7 @@ import {
   TDeleteDynamicSecretDTO,
   TDetailsDynamicSecretDTO,
   TGetDynamicSecretsCountDTO,
+  TListDynamicSecretsByFolderMappingsDTO,
   TListDynamicSecretsDTO,
   TListDynamicSecretsMultiEnvDTO,
   TUpdateDynamicSecretDTO
@@ -454,8 +455,44 @@ export const dynamicSecretServiceFactory = ({
     return dynamicSecretCfg;
   };
 
+  const listDynamicSecretsByFolderIds = async (
+    { folderMappings, filters, projectId }: TListDynamicSecretsByFolderMappingsDTO,
+    actor: OrgServiceActor
+  ) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
+      permission.can(
+        ProjectPermissionDynamicSecretActions.ReadRootCredential,
+        subject(ProjectPermissionSub.DynamicSecrets, { environment, secretPath: path })
+      )
+    );
+
+    const groupedFolderMappings = new Map(userAccessibleFolderMappings.map((path) => [path.folderId, path]));
+
+    const dynamicSecrets = await dynamicSecretDAL.listDynamicSecretsByFolderIds({
+      folderIds: userAccessibleFolderMappings.map(({ folderId }) => folderId),
+      ...filters
+    });
+
+    return dynamicSecrets.map((dynamicSecret) => {
+      const { environment, path } = groupedFolderMappings.get(dynamicSecret.folderId)!;
+      return {
+        ...dynamicSecret,
+        environment,
+        path
+      };
+    });
+  };
+
   // get dynamic secrets for multiple envs
-  const listDynamicSecretsByFolderIds = async ({
+  const listDynamicSecretsByEnvs = async ({
     actorAuthMethod,
     actorOrgId,
     actorId,
@@ -521,9 +558,10 @@ export const dynamicSecretServiceFactory = ({
     deleteByName,
     getDetails,
     listDynamicSecretsByEnv,
-    listDynamicSecretsByFolderIds,
+    listDynamicSecretsByEnvs,
     getDynamicSecretCount,
     getCountMultiEnv,
-    fetchAzureEntraIdUsers
+    fetchAzureEntraIdUsers,
+    listDynamicSecretsByFolderIds
   };
 };

backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts

@@ -48,17 +48,27 @@ export type TDetailsDynamicSecretDTO = {
   projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;
 
-export type TListDynamicSecretsDTO = {
-  path: string;
-  environmentSlug: string;
-  projectSlug?: string;
-  projectId?: string;
+export type ListDynamicSecretsFilters = {
   offset?: number;
   limit?: number;
   orderBy?: SecretsOrderBy;
   orderDirection?: OrderByDirection;
   search?: string;
-} & Omit<TProjectPermission, "projectId">;
+};
+
+export type TListDynamicSecretsDTO = {
+  path: string;
+  environmentSlug: string;
+  projectSlug?: string;
+  projectId?: string;
+} & ListDynamicSecretsFilters &
+  Omit<TProjectPermission, "projectId">;
+
+export type TListDynamicSecretsByFolderMappingsDTO = {
+  projectId: string;
+  folderMappings: { folderId: string; path: string; environment: string }[];
+  filters: ListDynamicSecretsFilters;
+};
 
 export type TListDynamicSecretsMultiEnvDTO = Omit<
   TListDynamicSecretsDTO,

backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts

@@ -80,7 +80,7 @@ const ElastiCacheUserManager = (credentials: TBasicAWSCredentials, region: strin
     }
   };
 
-  const addUserToInfisicalGroup = async (userId: string) => {
+  const $addUserToInfisicalGroup = async (userId: string) => {
     // figure out if the default user is already in the group, if it is, then we shouldn't add it again
 
     const addUserToGroupCommand = new ModifyUserGroupCommand({
@@ -96,7 +96,7 @@ const ElastiCacheUserManager = (credentials: TBasicAWSCredentials, region: strin
     await ensureInfisicalGroupExists(clusterName);
 
     await elastiCache.send(new CreateUserCommand(creationInput)); // First create the user
-    await addUserToInfisicalGroup(creationInput.UserId); // Then add the user to the group. We know the group is already a part of the cluster because of ensureInfisicalGroupExists()
+    await $addUserToInfisicalGroup(creationInput.UserId); // Then add the user to the group. We know the group is already a part of the cluster because of ensureInfisicalGroupExists()
 
     return {
       userId: creationInput.UserId,
@@ -127,7 +127,7 @@ const ElastiCacheUserManager = (credentials: TBasicAWSCredentials, region: strin
 };
 
 const generatePassword = () => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 64)();
 };
 
@@ -211,8 +211,8 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
     return { entityId };
   };
 
-  const renew = async (inputs: unknown, entityId: string) => {
-    // Do nothing
+  const renew = async (_inputs: unknown, entityId: string) => {
+    // No renewal necessary
     return { entityId };
   };
 

backend/src/ee/services/dynamic-secret/providers/aws-iam.ts

@@ -33,7 +33,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretAwsIamSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretAwsIamSchema>) => {
     const client = new IAMClient({
       region: providerInputs.region,
       credentials: {
@@ -47,7 +47,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const isConnected = await client.send(new GetUserCommand({})).then(() => true);
     return isConnected;
@@ -55,7 +55,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = generateUsername();
     const { policyArns, userGroups, policyDocument, awsPath, permissionBoundaryPolicyArn } = providerInputs;
@@ -118,7 +118,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = entityId;
 
@@ -179,9 +179,8 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
   };
 
   const renew = async (_inputs: unknown, entityId: string) => {
-    // do nothing
-    const username = entityId;
-    return { entityId: username };
+    // No renewal necessary
+    return { entityId };
   };
 
   return {

backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts

@@ -9,7 +9,7 @@ const MSFT_GRAPH_API_URL = "https://graph.microsoft.com/v1.0/";
 const MSFT_LOGIN_URL = "https://login.microsoftonline.com";
 
 const generatePassword = () => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 64)();
 };
 
@@ -23,7 +23,7 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {
     return providerInputs;
   };
 
-  const getToken = async (
+  const $getToken = async (
     tenantId: string,
     applicationId: string,
     clientSecret: string
@@ -51,18 +51,13 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const data = await getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+    const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
     return data.success;
   };
 
-  const renew = async (inputs: unknown, entityId: string) => {
-    // Do nothing
-    return { entityId };
-  };
-
   const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const data = await getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+    const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
     if (!data.success) {
       throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
     }
@@ -98,7 +93,7 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {
   };
 
   const fetchAzureEntraIdUsers = async (tenantId: string, applicationId: string, clientSecret: string) => {
-    const data = await getToken(tenantId, applicationId, clientSecret);
+    const data = await $getToken(tenantId, applicationId, clientSecret);
     if (!data.success) {
       throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
     }
@@ -127,6 +122,11 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {
     return users;
   };
 
+  const renew = async (_inputs: unknown, entityId: string) => {
+    // No renewal necessary
+    return { entityId };
+  };
+
   return {
     validateProviderInputs,
     validateConnection,

backend/src/ee/services/dynamic-secret/providers/cassandra.ts

@@ -9,7 +9,7 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { DynamicSecretCassandraSchema, TDynamicProviderFns } from "./models";
 
 const generatePassword = (size = 48) => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 48)(size);
 };
 
@@ -27,7 +27,7 @@ export const CassandraProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretCassandraSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretCassandraSchema>) => {
     const sslOptions = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
     const client = new cassandra.Client({
       sslOptions,
@@ -47,7 +47,7 @@ export const CassandraProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const isConnected = await client.execute("SELECT * FROM system_schema.keyspaces").then(() => true);
     await client.shutdown();
@@ -56,7 +56,7 @@ export const CassandraProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = generateUsername();
     const password = generatePassword();
@@ -82,7 +82,7 @@ export const CassandraProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = entityId;
     const { keyspace } = providerInputs;
@@ -99,20 +99,24 @@ export const CassandraProvider = (): TDynamicProviderFns => {
 
   const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    if (!providerInputs.renewStatement) return { entityId };
+
+    const client = await $getClient(providerInputs);
 
-    const username = entityId;
     const expiration = new Date(expireAt).toISOString();
     const { keyspace } = providerInputs;
 
-    const renewStatement = handlebars.compile(providerInputs.revocationStatement)({ username, keyspace, expiration });
+    const renewStatement = handlebars.compile(providerInputs.renewStatement)({
+      username: entityId,
+      keyspace,
+      expiration
+    });
     const queries = renewStatement.toString().split(";").filter(Boolean);
-    for (const query of queries) {
-      // eslint-disable-next-line
+    for await (const query of queries) {
       await client.execute(query);
     }
     await client.shutdown();
-    return { entityId: username };
+    return { entityId };
   };
 
   return {

backend/src/ee/services/dynamic-secret/providers/elastic-search.ts

@@ -2,14 +2,13 @@ import { Client as ElasticSearchClient } from "@elastic/elasticsearch";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretElasticSearchSchema, ElasticSearchAuthTypes, TDynamicProviderFns } from "./models";
 
 const generatePassword = () => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 64)();
 };
 
@@ -19,28 +18,13 @@ const generateUsername = () => {
 
 export const ElasticSearchProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
-    const appCfg = getConfig();
-    const isCloud = Boolean(appCfg.LICENSE_SERVER_KEY); // quick and dirty way to check if its cloud or not
-
     const providerInputs = await DynamicSecretElasticSearchSchema.parseAsync(inputs);
-    if (
-      isCloud &&
-      // localhost
-      // internal ips
-      (providerInputs.host === "host.docker.internal" ||
-        providerInputs.host.match(/^10\.\d+\.\d+\.\d+/) ||
-        providerInputs.host.match(/^192\.168\.\d+\.\d+/))
-    ) {
-      throw new BadRequestError({ message: "Invalid db host" });
-    }
-    if (providerInputs.host === "localhost" || providerInputs.host === "127.0.0.1") {
-      throw new BadRequestError({ message: "Invalid db host" });
-    }
+    verifyHostInputValidity(providerInputs.host);
 
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretElasticSearchSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretElasticSearchSchema>) => {
     const connection = new ElasticSearchClient({
       node: {
         url: new URL(`${providerInputs.host}:${providerInputs.port}`),
@@ -71,7 +55,7 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     const infoResponse = await connection
       .info()
@@ -83,7 +67,7 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     const username = generateUsername();
     const password = generatePassword();
@@ -101,7 +85,7 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     await connection.security.deleteUser({
       username: entityId
@@ -111,8 +95,8 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
     return { entityId };
   };
 
-  const renew = async (inputs: unknown, entityId: string) => {
-    // Do nothing
+  const renew = async (_inputs: unknown, entityId: string) => {
+    // No renewal necessary
     return { entityId };
   };
 

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -1,17 +1,22 @@
+import { SnowflakeProvider } from "@app/ee/services/dynamic-secret/providers/snowflake";
+
 import { AwsElastiCacheDatabaseProvider } from "./aws-elasticache";
 import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
 import { LdapProvider } from "./ldap";
-import { DynamicSecretProviders } from "./models";
+import { DynamicSecretProviders, TDynamicProviderFns } from "./models";
 import { MongoAtlasProvider } from "./mongo-atlas";
 import { MongoDBProvider } from "./mongo-db";
 import { RabbitMqProvider } from "./rabbit-mq";
 import { RedisDatabaseProvider } from "./redis";
+import { SapAseProvider } from "./sap-ase";
+import { SapHanaProvider } from "./sap-hana";
 import { SqlDatabaseProvider } from "./sql-database";
+import { TotpProvider } from "./totp";
 
-export const buildDynamicSecretProviders = () => ({
+export const buildDynamicSecretProviders = (): Record<DynamicSecretProviders, TDynamicProviderFns> => ({
   [DynamicSecretProviders.SqlDatabase]: SqlDatabaseProvider(),
   [DynamicSecretProviders.Cassandra]: CassandraProvider(),
   [DynamicSecretProviders.AwsIam]: AwsIamProvider(),
@@ -22,5 +27,9 @@ export const buildDynamicSecretProviders = () => ({
   [DynamicSecretProviders.ElasticSearch]: ElasticSearchProvider(),
   [DynamicSecretProviders.RabbitMq]: RabbitMqProvider(),
   [DynamicSecretProviders.AzureEntraID]: AzureEntraIDProvider(),
-  [DynamicSecretProviders.Ldap]: LdapProvider()
+  [DynamicSecretProviders.Ldap]: LdapProvider(),
+  [DynamicSecretProviders.SapHana]: SapHanaProvider(),
+  [DynamicSecretProviders.Snowflake]: SnowflakeProvider(),
+  [DynamicSecretProviders.Totp]: TotpProvider(),
+  [DynamicSecretProviders.SapAse]: SapAseProvider()
 });

backend/src/ee/services/dynamic-secret/providers/ldap.ts

@@ -7,7 +7,7 @@ import { z } from "zod";
 import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
-import { LdapSchema, TDynamicProviderFns } from "./models";
+import { LdapCredentialType, LdapSchema, TDynamicProviderFns } from "./models";
 
 const generatePassword = () => {
   const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
@@ -52,7 +52,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof LdapSchema>): Promise<ldapjs.Client> => {
+  const $getClient = async (providerInputs: z.infer<typeof LdapSchema>): Promise<ldapjs.Client> => {
     return new Promise((resolve, reject) => {
       const client = ldapjs.createClient({
         url: providerInputs.url,
@@ -83,7 +83,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
     return client.connected;
   };
 
@@ -191,37 +191,84 @@ export const LdapProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
-    const username = generateUsername();
-    const password = generatePassword();
-    const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.creationLdif });
+    if (providerInputs.credentialType === LdapCredentialType.Static) {
+      const dnMatch = providerInputs.rotationLdif.match(/^dn:\s*(.+)/m);
 
-    try {
-      const dnArray = await executeLdif(client, generatedLdif);
+      if (dnMatch) {
+        const username = dnMatch[1];
+        const password = generatePassword();
 
-      return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
-    } catch (err) {
-      if (providerInputs.rollbackLdif) {
-        const rollbackLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rollbackLdif });
-        await executeLdif(client, rollbackLdif);
+        const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rotationLdif });
+
+        try {
+          const dnArray = await executeLdif(client, generatedLdif);
+
+          return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
+        } catch (err) {
+          throw new BadRequestError({ message: (err as Error).message });
+        }
+      } else {
+        throw new BadRequestError({
+          message: "Invalid rotation LDIF, missing DN."
+        });
+      }
+    } else {
+      const username = generateUsername();
+      const password = generatePassword();
+      const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.creationLdif });
+
+      try {
+        const dnArray = await executeLdif(client, generatedLdif);
+
+        return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
+      } catch (err) {
+        if (providerInputs.rollbackLdif) {
+          const rollbackLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rollbackLdif });
+          await executeLdif(client, rollbackLdif);
+        }
+        throw new BadRequestError({ message: (err as Error).message });
       }
-      throw new BadRequestError({ message: (err as Error).message });
     }
   };
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
+
+    if (providerInputs.credentialType === LdapCredentialType.Static) {
+      const dnMatch = providerInputs.rotationLdif.match(/^dn:\s*(.+)/m);
+
+      if (dnMatch) {
+        const username = dnMatch[1];
+        const password = generatePassword();
+
+        const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rotationLdif });
+
+        try {
+          const dnArray = await executeLdif(client, generatedLdif);
+
+          return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
+        } catch (err) {
+          throw new BadRequestError({ message: (err as Error).message });
+        }
+      } else {
+        throw new BadRequestError({
+          message: "Invalid rotation LDIF, missing DN."
+        });
+      }
+    }
+
     const revocationLdif = generateLDIF({ username: entityId, ldifTemplate: providerInputs.revocationLdif });
 
-    await executeLdif(connection, revocationLdif);
+    await executeLdif(client, revocationLdif);
 
     return { entityId };
   };
 
   const renew = async (inputs: unknown, entityId: string) => {
-    // Do nothing
+    // No renewal necessary
     return { entityId };
   };
 

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -4,7 +4,8 @@ export enum SqlProviders {
   Postgres = "postgres",
   MySQL = "mysql2",
   Oracle = "oracledb",
-  MsSQL = "mssql"
+  MsSQL = "mssql",
+  SapAse = "sap-ase"
 }
 
 export enum ElasticSearchAuthTypes {
@@ -12,6 +13,22 @@ export enum ElasticSearchAuthTypes {
   ApiKey = "api-key"
 }
 
+export enum LdapCredentialType {
+  Dynamic = "dynamic",
+  Static = "static"
+}
+
+export enum TotpConfigType {
+  URL = "url",
+  MANUAL = "manual"
+}
+
+export enum TotpAlgorithm {
+  SHA1 = "sha1",
+  SHA256 = "sha256",
+  SHA512 = "sha512"
+}
+
 export const DynamicSecretRedisDBSchema = z.object({
   host: z.string().trim().toLowerCase(),
   port: z.number(),
@@ -102,6 +119,16 @@ export const DynamicSecretCassandraSchema = z.object({
   ca: z.string().optional()
 });
 
+export const DynamicSecretSapAseSchema = z.object({
+  host: z.string().trim().toLowerCase(),
+  port: z.number(),
+  database: z.string().trim(),
+  username: z.string().trim(),
+  password: z.string().trim(),
+  creationStatement: z.string().trim(),
+  revocationStatement: z.string().trim()
+});
+
 export const DynamicSecretAwsIamSchema = z.object({
   accessKey: z.string().trim().min(1),
   secretAccessKey: z.string().trim().min(1),
@@ -166,6 +193,27 @@ export const DynamicSecretMongoDBSchema = z.object({
     )
 });
 
+export const DynamicSecretSapHanaSchema = z.object({
+  host: z.string().trim().toLowerCase(),
+  port: z.number(),
+  username: z.string().trim(),
+  password: z.string().trim(),
+  creationStatement: z.string().trim(),
+  revocationStatement: z.string().trim(),
+  renewStatement: z.string().trim().optional(),
+  ca: z.string().optional()
+});
+
+export const DynamicSecretSnowflakeSchema = z.object({
+  accountId: z.string().trim().min(1),
+  orgId: z.string().trim().min(1),
+  username: z.string().trim().min(1),
+  password: z.string().trim().min(1),
+  creationStatement: z.string().trim().min(1),
+  revocationStatement: z.string().trim().min(1),
+  renewStatement: z.string().trim().optional()
+});
+
 export const AzureEntraIDSchema = z.object({
   tenantId: z.string().trim().min(1),
   userId: z.string().trim().min(1),
@@ -174,16 +222,54 @@ export const AzureEntraIDSchema = z.object({
   clientSecret: z.string().trim().min(1)
 });
 
-export const LdapSchema = z.object({
-  url: z.string().trim().min(1),
-  binddn: z.string().trim().min(1),
-  bindpass: z.string().trim().min(1),
-  ca: z.string().optional(),
+export const LdapSchema = z.union([
+  z.object({
+    url: z.string().trim().min(1),
+    binddn: z.string().trim().min(1),
+    bindpass: z.string().trim().min(1),
+    ca: z.string().optional(),
+    credentialType: z.literal(LdapCredentialType.Dynamic).optional().default(LdapCredentialType.Dynamic),
+    creationLdif: z.string().min(1),
+    revocationLdif: z.string().min(1),
+    rollbackLdif: z.string().optional()
+  }),
+  z.object({
+    url: z.string().trim().min(1),
+    binddn: z.string().trim().min(1),
+    bindpass: z.string().trim().min(1),
+    ca: z.string().optional(),
+    credentialType: z.literal(LdapCredentialType.Static),
+    rotationLdif: z.string().min(1)
+  })
+]);
 
-  creationLdif: z.string().min(1),
-  revocationLdif: z.string().min(1),
-  rollbackLdif: z.string().optional()
-});
+export const DynamicSecretTotpSchema = z.discriminatedUnion("configType", [
+  z.object({
+    configType: z.literal(TotpConfigType.URL),
+    url: z
+      .string()
+      .url()
+      .trim()
+      .min(1)
+      .refine((val) => {
+        const urlObj = new URL(val);
+        const secret = urlObj.searchParams.get("secret");
+
+        return Boolean(secret);
+      }, "OTP URL must contain secret field")
+  }),
+  z.object({
+    configType: z.literal(TotpConfigType.MANUAL),
+    secret: z
+      .string()
+      .trim()
+      .min(1)
+      .transform((val) => val.replace(/\s+/g, "")),
+    period: z.number().optional(),
+    algorithm: z.nativeEnum(TotpAlgorithm).optional(),
+    digits: z.number().optional()
+  })
+]);
 
 export enum DynamicSecretProviders {
   SqlDatabase = "sql-database",
@@ -196,21 +282,29 @@ export enum DynamicSecretProviders {
   MongoDB = "mongo-db",
   RabbitMq = "rabbit-mq",
   AzureEntraID = "azure-entra-id",
-  Ldap = "ldap"
+  Ldap = "ldap",
+  SapHana = "sap-hana",
+  Snowflake = "snowflake",
+  Totp = "totp",
+  SapAse = "sap-ase"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.SqlDatabase), inputs: DynamicSecretSqlDBSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Cassandra), inputs: DynamicSecretCassandraSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.SapAse), inputs: DynamicSecretSapAseSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.AwsIam), inputs: DynamicSecretAwsIamSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Redis), inputs: DynamicSecretRedisDBSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.SapHana), inputs: DynamicSecretSapHanaSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.AwsElastiCache), inputs: DynamicSecretAwsElastiCacheSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.MongoAtlas), inputs: DynamicSecretMongoAtlasSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.ElasticSearch), inputs: DynamicSecretElasticSearchSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.MongoDB), inputs: DynamicSecretMongoDBSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.RabbitMq), inputs: DynamicSecretRabbitMqSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Ldap), inputs: LdapSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Ldap), inputs: LdapSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Snowflake), inputs: DynamicSecretSnowflakeSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Totp), inputs: DynamicSecretTotpSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts

@@ -8,7 +8,7 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { DynamicSecretMongoAtlasSchema, TDynamicProviderFns } from "./models";
 
 const generatePassword = (size = 48) => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 48)(size);
 };
 
@@ -22,7 +22,7 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretMongoAtlasSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretMongoAtlasSchema>) => {
     const client = axios.create({
       baseURL: "https://cloud.mongodb.com/api/atlas",
       headers: {
@@ -40,7 +40,7 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const isConnected = await client({
       method: "GET",
@@ -59,7 +59,7 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = generateUsername();
     const password = generatePassword();
@@ -87,7 +87,7 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = entityId;
     const isExisting = await client({
@@ -114,7 +114,7 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
 
   const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = entityId;
     const expiration = new Date(expireAt).toISOString();

backend/src/ee/services/dynamic-secret/providers/mongo-db.ts

@@ -2,14 +2,13 @@ import { MongoClient } from "mongodb";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretMongoDBSchema, TDynamicProviderFns } from "./models";
 
 const generatePassword = (size = 48) => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 48)(size);
 };
 
@@ -19,26 +18,12 @@ const generateUsername = () => {
 
 export const MongoDBProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
-    const appCfg = getConfig();
     const providerInputs = await DynamicSecretMongoDBSchema.parseAsync(inputs);
-    if (
-      appCfg.isCloud &&
-      // localhost
-      // internal ips
-      (providerInputs.host === "host.docker.internal" ||
-        providerInputs.host.match(/^10\.\d+\.\d+\.\d+/) ||
-        providerInputs.host.match(/^192\.168\.\d+\.\d+/))
-    )
-      throw new BadRequestError({ message: "Invalid db host" });
-
-    if (providerInputs.host === "localhost" || providerInputs.host === "127.0.0.1") {
-      throw new BadRequestError({ message: "Invalid db host" });
-    }
-
+    verifyHostInputValidity(providerInputs.host);
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretMongoDBSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretMongoDBSchema>) => {
     const isSrv = !providerInputs.port;
     const uri = isSrv
       ? `mongodb+srv://${providerInputs.host}`
@@ -57,7 +42,7 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const isConnected = await client
       .db(providerInputs.database)
@@ -70,7 +55,7 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = generateUsername();
     const password = generatePassword();
@@ -89,7 +74,7 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = entityId;
 
@@ -103,6 +88,7 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
   };
 
   const renew = async (_inputs: unknown, entityId: string) => {
+    // No renewal necessary
     return { entityId };
   };
 

backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts

@@ -3,16 +3,15 @@ import https from "https";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretRabbitMqSchema, TDynamicProviderFns } from "./models";
 
 const generatePassword = () => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 64)();
 };
 
@@ -79,28 +78,13 @@ async function deleteRabbitMqUser({ axiosInstance, usernameToDelete }: TDeleteRa
 
 export const RabbitMqProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
-    const appCfg = getConfig();
-    const isCloud = Boolean(appCfg.LICENSE_SERVER_KEY); // quick and dirty way to check if its cloud or not
-
     const providerInputs = await DynamicSecretRabbitMqSchema.parseAsync(inputs);
-    if (
-      isCloud &&
-      // localhost
-      // internal ips
-      (providerInputs.host === "host.docker.internal" ||
-        providerInputs.host.match(/^10\.\d+\.\d+\.\d+/) ||
-        providerInputs.host.match(/^192\.168\.\d+\.\d+/))
-    ) {
-      throw new BadRequestError({ message: "Invalid db host" });
-    }
-    if (providerInputs.host === "localhost" || providerInputs.host === "127.0.0.1") {
-      throw new BadRequestError({ message: "Invalid db host" });
-    }
+    verifyHostInputValidity(providerInputs.host);
 
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretRabbitMqSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretRabbitMqSchema>) => {
     const axiosInstance = axios.create({
       baseURL: `${removeTrailingSlash(providerInputs.host)}:${providerInputs.port}/api`,
       auth: {
@@ -121,7 +105,7 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     const infoResponse = await connection.get("/whoami").then(() => true);
 
@@ -130,7 +114,7 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     const username = generateUsername();
     const password = generatePassword();
@@ -150,15 +134,15 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     await deleteRabbitMqUser({ axiosInstance: connection, usernameToDelete: entityId });
 
     return { entityId };
   };
 
-  const renew = async (inputs: unknown, entityId: string) => {
-    // Do nothing
+  const renew = async (_inputs: unknown, entityId: string) => {
+    // No renewal necessary
     return { entityId };
   };
 

backend/src/ee/services/dynamic-secret/providers/redis.ts

@@ -3,15 +3,14 @@ import { Redis } from "ioredis";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
-import { getDbConnectionHost } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretRedisDBSchema, TDynamicProviderFns } from "./models";
 
 const generatePassword = () => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 64)();
 };
 
@@ -51,26 +50,12 @@ const executeTransactions = async (connection: Redis, commands: string[]): Promi
 
 export const RedisDatabaseProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
-    const appCfg = getConfig();
-    const isCloud = Boolean(appCfg.LICENSE_SERVER_KEY); // quick and dirty way to check if its cloud or not
-    const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
-
     const providerInputs = await DynamicSecretRedisDBSchema.parseAsync(inputs);
-    if (
-      isCloud &&
-      // localhost
-      // internal ips
-      (providerInputs.host === "host.docker.internal" ||
-        providerInputs.host.match(/^10\.\d+\.\d+\.\d+/) ||
-        providerInputs.host.match(/^192\.168\.\d+\.\d+/))
-    )
-      throw new BadRequestError({ message: "Invalid db host" });
-    if (providerInputs.host === "localhost" || providerInputs.host === "127.0.0.1" || dbHost === providerInputs.host)
-      throw new BadRequestError({ message: "Invalid db host" });
+    verifyHostInputValidity(providerInputs.host);
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretRedisDBSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretRedisDBSchema>) => {
     let connection: Redis | null = null;
     try {
       connection = new Redis({
@@ -107,7 +92,7 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     const pingResponse = await connection
       .ping()
@@ -119,7 +104,7 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     const username = generateUsername();
     const password = generatePassword();
@@ -141,7 +126,7 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     const username = entityId;
 
@@ -156,7 +141,9 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
 
   const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    if (!providerInputs.renewStatement) return { entityId };
+
+    const connection = await $getClient(providerInputs);
 
     const username = entityId;
     const expiration = new Date(expireAt).toISOString();

backend/src/ee/services/dynamic-secret/providers/sap-ase.ts

@@ -0,0 +1,145 @@
+import handlebars from "handlebars";
+import { customAlphabet } from "nanoid";
+import odbc from "odbc";
+import { z } from "zod";
+
+import { BadRequestError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
+import { DynamicSecretSapAseSchema, TDynamicProviderFns } from "./models";
+
+const generatePassword = (size = 48) => {
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  return customAlphabet(charset, 48)(size);
+};
+
+const generateUsername = () => {
+  return alphaNumericNanoId(25);
+};
+
+enum SapCommands {
+  CreateLogin = "sp_addlogin",
+  DropLogin = "sp_droplogin"
+}
+
+export const SapAseProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretSapAseSchema.parseAsync(inputs);
+
+    verifyHostInputValidity(providerInputs.host);
+    return providerInputs;
+  };
+
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSapAseSchema>, useMaster?: boolean) => {
+    const connectionString =
+      `DRIVER={FreeTDS};` +
+      `SERVER=${providerInputs.host};` +
+      `PORT=${providerInputs.port};` +
+      `DATABASE=${useMaster ? "master" : providerInputs.database};` +
+      `UID=${providerInputs.username};` +
+      `PWD=${providerInputs.password};` +
+      `TDS_VERSION=5.0`;
+
+    const client = await odbc.connect(connectionString);
+
+    return client;
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const masterClient = await $getClient(providerInputs, true);
+    const client = await $getClient(providerInputs);
+
+    const [resultFromMasterDatabase] = await masterClient.query<{ version: string }>("SELECT @@VERSION AS version");
+    const [resultFromSelectedDatabase] = await client.query<{ version: string }>("SELECT @@VERSION AS version");
+
+    if (!resultFromSelectedDatabase.version) {
+      throw new BadRequestError({
+        message: "Failed to validate SAP ASE connection, version query failed"
+      });
+    }
+
+    if (resultFromMasterDatabase.version !== resultFromSelectedDatabase.version) {
+      throw new BadRequestError({
+        message: "Failed to validate SAP ASE connection (master), version mismatch"
+      });
+    }
+
+    return true;
+  };
+
+  const create = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const username = `inf_${generateUsername()}`;
+    const password = `${generatePassword()}`;
+
+    const client = await $getClient(providerInputs);
+    const masterClient = await $getClient(providerInputs, true);
+
+    const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
+      username,
+      password
+    });
+
+    const queries = creationStatement.trim().replace(/\n/g, "").split(";").filter(Boolean);
+
+    for await (const query of queries) {
+      // If it's an adduser query, we need to first call sp_addlogin on the MASTER database.
+      // If not done, then the newly created user won't be able to authenticate.
+      await (query.startsWith(SapCommands.CreateLogin) ? masterClient : client).query(query);
+    }
+
+    await masterClient.close();
+    await client.close();
+
+    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+  };
+
+  const revoke = async (inputs: unknown, username: string) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const revokeStatement = handlebars.compile(providerInputs.revocationStatement, { noEscape: true })({
+      username
+    });
+
+    const queries = revokeStatement.trim().replace(/\n/g, "").split(";").filter(Boolean);
+
+    const client = await $getClient(providerInputs);
+    const masterClient = await $getClient(providerInputs, true);
+
+    // Get all processes for this login and kill them. If there are active connections to the database when drop login happens, it will throw an error.
+    const result = await masterClient.query<{ spid?: string }>(`sp_who '${username}'`);
+
+    if (result && result.length > 0) {
+      for await (const row of result) {
+        if (row.spid) {
+          await masterClient.query(`KILL ${row.spid.trim()}`);
+        }
+      }
+    }
+
+    for await (const query of queries) {
+      await (query.startsWith(SapCommands.DropLogin) ? masterClient : client).query(query);
+    }
+
+    await masterClient.close();
+    await client.close();
+
+    return { entityId: username };
+  };
+
+  const renew = async (_: unknown, username: string) => {
+    // No need for renewal
+    return { entityId: username };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/sap-hana.ts

@@ -0,0 +1,176 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
+/* eslint-disable @typescript-eslint/no-unsafe-member-access */
+/* eslint-disable @typescript-eslint/no-unsafe-call */
+/* eslint-disable @typescript-eslint/no-unsafe-return */
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
+
+import handlebars from "handlebars";
+import hdb from "hdb";
+import { customAlphabet } from "nanoid";
+import { z } from "zod";
+
+import { BadRequestError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
+import { DynamicSecretSapHanaSchema, TDynamicProviderFns } from "./models";
+
+const generatePassword = (size = 48) => {
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  return customAlphabet(charset, 48)(size);
+};
+
+const generateUsername = () => {
+  return alphaNumericNanoId(32);
+};
+
+export const SapHanaProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretSapHanaSchema.parseAsync(inputs);
+
+    verifyHostInputValidity(providerInputs.host);
+    return providerInputs;
+  };
+
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSapHanaSchema>) => {
+    const client = hdb.createClient({
+      host: providerInputs.host,
+      port: providerInputs.port,
+      user: providerInputs.username,
+      password: providerInputs.password,
+      ...(providerInputs.ca
+        ? {
+            ca: providerInputs.ca
+          }
+        : {})
+    });
+
+    await new Promise((resolve, reject) => {
+      client.connect((err: any) => {
+        if (err) {
+          return reject(err);
+        }
+
+        if (client.readyState) {
+          return resolve(true);
+        }
+
+        reject(new Error("SAP HANA client not ready"));
+      });
+    });
+
+    return client;
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await $getClient(providerInputs);
+
+    const testResult = await new Promise<boolean>((resolve, reject) => {
+      client.exec("SELECT 1 FROM DUMMY;", (err: any) => {
+        if (err) {
+          reject();
+        }
+
+        resolve(true);
+      });
+    });
+
+    return testResult;
+  };
+
+  const create = async (inputs: unknown, expireAt: number) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const username = generateUsername();
+    const password = generatePassword();
+    const expiration = new Date(expireAt).toISOString();
+
+    const client = await $getClient(providerInputs);
+    const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
+      username,
+      password,
+      expiration
+    });
+
+    const queries = creationStatement.toString().split(";").filter(Boolean);
+    for await (const query of queries) {
+      await new Promise((resolve, reject) => {
+        client.exec(query, (err: any) => {
+          if (err) {
+            reject(
+              new BadRequestError({
+                message: err.message
+              })
+            );
+          }
+          resolve(true);
+        });
+      });
+    }
+
+    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+  };
+
+  const revoke = async (inputs: unknown, username: string) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await $getClient(providerInputs);
+    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
+    const queries = revokeStatement.toString().split(";").filter(Boolean);
+    for await (const query of queries) {
+      await new Promise((resolve, reject) => {
+        client.exec(query, (err: any) => {
+          if (err) {
+            reject(
+              new BadRequestError({
+                message: err.message
+              })
+            );
+          }
+          resolve(true);
+        });
+      });
+    }
+
+    return { entityId: username };
+  };
+
+  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    if (!providerInputs.renewStatement) return { entityId };
+
+    const client = await $getClient(providerInputs);
+    try {
+      const expiration = new Date(expireAt).toISOString();
+
+      const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username: entityId, expiration });
+      const queries = renewStatement.toString().split(";").filter(Boolean);
+      for await (const query of queries) {
+        await new Promise((resolve, reject) => {
+          client.exec(query, (err: any) => {
+            if (err) {
+              reject(
+                new BadRequestError({
+                  message: err.message
+                })
+              );
+            }
+            resolve(true);
+          });
+        });
+      }
+    } finally {
+      client.disconnect();
+    }
+
+    return { entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/snowflake.ts

@@ -0,0 +1,173 @@
+import handlebars from "handlebars";
+import { customAlphabet } from "nanoid";
+import snowflake from "snowflake-sdk";
+import { z } from "zod";
+
+import { BadRequestError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { DynamicSecretSnowflakeSchema, TDynamicProviderFns } from "./models";
+
+// destroy client requires callback...
+const noop = () => {};
+
+const generatePassword = (size = 48) => {
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
+  return customAlphabet(charset, 48)(size);
+};
+
+const generateUsername = () => {
+  return `infisical_${alphaNumericNanoId(32)}`; // username must start with alpha character, hence prefix
+};
+
+const getDaysToExpiry = (expiryDate: Date) => {
+  const start = new Date().getTime();
+  const end = new Date(expiryDate).getTime();
+  const diffTime = Math.abs(end - start);
+
+  return Math.ceil(diffTime / (1000 * 60 * 60 * 24));
+};
+
+export const SnowflakeProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretSnowflakeSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSnowflakeSchema>) => {
+    const client = snowflake.createConnection({
+      account: `${providerInputs.orgId}-${providerInputs.accountId}`,
+      username: providerInputs.username,
+      password: providerInputs.password,
+      application: "Infisical"
+    });
+
+    await client.connectAsync(noop);
+
+    return client;
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await $getClient(providerInputs);
+
+    let isValidConnection: boolean;
+
+    try {
+      isValidConnection = await Promise.race([
+        client.isValidAsync(),
+        new Promise((resolve) => {
+          setTimeout(resolve, 10000);
+        }).then(() => {
+          throw new BadRequestError({ message: "Unable to establish connection - verify credentials" });
+        })
+      ]);
+    } finally {
+      client.destroy(noop);
+    }
+
+    return isValidConnection;
+  };
+
+  const create = async (inputs: unknown, expireAt: number) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const client = await $getClient(providerInputs);
+
+    const username = generateUsername();
+    const password = generatePassword();
+
+    try {
+      const expiration = getDaysToExpiry(new Date(expireAt));
+      const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
+        username,
+        password,
+        expiration
+      });
+
+      await new Promise((resolve, reject) => {
+        client.execute({
+          sqlText: creationStatement,
+          complete(err) {
+            if (err) {
+              return reject(new BadRequestError({ name: "CreateLease", message: err.message }));
+            }
+
+            return resolve(true);
+          }
+        });
+      });
+    } finally {
+      client.destroy(noop);
+    }
+
+    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+  };
+
+  const revoke = async (inputs: unknown, username: string) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const client = await $getClient(providerInputs);
+
+    try {
+      const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
+
+      await new Promise((resolve, reject) => {
+        client.execute({
+          sqlText: revokeStatement,
+          complete(err) {
+            if (err) {
+              return reject(new BadRequestError({ name: "RevokeLease", message: err.message }));
+            }
+
+            return resolve(true);
+          }
+        });
+      });
+    } finally {
+      client.destroy(noop);
+    }
+
+    return { entityId: username };
+  };
+
+  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    if (!providerInputs.renewStatement) return { entityId };
+
+    const client = await $getClient(providerInputs);
+
+    try {
+      const expiration = getDaysToExpiry(new Date(expireAt));
+      const renewStatement = handlebars.compile(providerInputs.renewStatement)({
+        username: entityId,
+        expiration
+      });
+
+      await new Promise((resolve, reject) => {
+        client.execute({
+          sqlText: renewStatement,
+          complete(err) {
+            if (err) {
+              return reject(new BadRequestError({ name: "RenewLease", message: err.message }));
+            }
+
+            return resolve(true);
+          }
+        });
+      });
+    } finally {
+      client.destroy(noop);
+    }
+
+    return { entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -3,11 +3,9 @@ import knex from "knex";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
-import { getDbConnectionHost } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretSqlDBSchema, SqlProviders, TDynamicProviderFns } from "./models";
 
 const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
@@ -16,7 +14,7 @@ const generatePassword = (provider: SqlProviders) => {
   // oracle has limit of 48 password length
   const size = provider === SqlProviders.Oracle ? 30 : 48;
 
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
   return customAlphabet(charset, 48)(size);
 };
 
@@ -29,31 +27,12 @@ const generateUsername = (provider: SqlProviders) => {
 
 export const SqlDatabaseProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
-    const appCfg = getConfig();
-    const isCloud = Boolean(appCfg.LICENSE_SERVER_KEY); // quick and dirty way to check if its cloud or not
-    const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
-
     const providerInputs = await DynamicSecretSqlDBSchema.parseAsync(inputs);
-    if (
-      isCloud &&
-      // localhost
-      // internal ips
-      (providerInputs.host === "host.docker.internal" ||
-        providerInputs.host.match(/^10\.\d+\.\d+\.\d+/) ||
-        providerInputs.host.match(/^192\.168\.\d+\.\d+/))
-    )
-      throw new BadRequestError({ message: "Invalid db host" });
-    if (
-      providerInputs.host === "localhost" ||
-      providerInputs.host === "127.0.0.1" ||
-      // database infisical uses
-      dbHost === providerInputs.host
-    )
-      throw new BadRequestError({ message: "Invalid db host" });
+    verifyHostInputValidity(providerInputs.host);
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
     const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
     const db = knex({
       client: providerInputs.client,
@@ -73,7 +52,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
+    const db = await $getClient(providerInputs);
     // oracle needs from keyword
     const testStatement = providerInputs.client === SqlProviders.Oracle ? "SELECT 1 FROM DUAL" : "SELECT 1";
 
@@ -84,7 +63,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
+    const db = await $getClient(providerInputs);
 
     const username = generateUsername(providerInputs.client);
     const password = generatePassword(providerInputs.client);
@@ -111,7 +90,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
+    const db = await $getClient(providerInputs);
 
     const username = entityId;
     const { database } = providerInputs;
@@ -131,13 +110,19 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
   const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
+    if (!providerInputs.renewStatement) return { entityId };
+
+    const db = await $getClient(providerInputs);
 
-    const username = entityId;
     const expiration = new Date(expireAt).toISOString();
     const { database } = providerInputs;
 
-    const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username, expiration, database });
+    const renewStatement = handlebars.compile(providerInputs.renewStatement)({
+      username: entityId,
+      expiration,
+      database
+    });
+
     if (renewStatement) {
       const queries = renewStatement.toString().split(";").filter(Boolean);
       await db.transaction(async (tx) => {
@@ -149,7 +134,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
     }
 
     await db.destroy();
-    return { entityId: username };
+    return { entityId };
   };
 
   return {

backend/src/ee/services/dynamic-secret/providers/totp.ts

@@ -0,0 +1,90 @@
+import { authenticator } from "otplib";
+import { HashAlgorithms } from "otplib/core";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { DynamicSecretTotpSchema, TDynamicProviderFns, TotpConfigType } from "./models";
+
+export const TotpProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretTotpSchema.parseAsync(inputs);
+
+    return providerInputs;
+  };
+
+  const validateConnection = async () => {
+    return true;
+  };
+
+  const create = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const entityId = alphaNumericNanoId(32);
+    const authenticatorInstance = authenticator.clone();
+
+    let secret: string;
+    let period: number | null | undefined;
+    let digits: number | null | undefined;
+    let algorithm: HashAlgorithms | null | undefined;
+
+    if (providerInputs.configType === TotpConfigType.URL) {
+      const urlObj = new URL(providerInputs.url);
+      secret = urlObj.searchParams.get("secret") as string;
+      const periodFromUrl = urlObj.searchParams.get("period");
+      const digitsFromUrl = urlObj.searchParams.get("digits");
+      const algorithmFromUrl = urlObj.searchParams.get("algorithm");
+
+      if (periodFromUrl) {
+        period = +periodFromUrl;
+      }
+
+      if (digitsFromUrl) {
+        digits = +digitsFromUrl;
+      }
+
+      if (algorithmFromUrl) {
+        algorithm = algorithmFromUrl.toLowerCase() as HashAlgorithms;
+      }
+    } else {
+      secret = providerInputs.secret;
+      period = providerInputs.period;
+      digits = providerInputs.digits;
+      algorithm = providerInputs.algorithm as unknown as HashAlgorithms;
+    }
+
+    if (digits) {
+      authenticatorInstance.options = { digits };
+    }
+
+    if (algorithm) {
+      authenticatorInstance.options = { algorithm };
+    }
+
+    if (period) {
+      authenticatorInstance.options = { step: period };
+    }
+
+    return {
+      entityId,
+      data: { TOTP: authenticatorInstance.generate(secret), TIME_REMAINING: authenticatorInstance.timeRemaining() }
+    };
+  };
+
+  const revoke = async (_inputs: unknown, entityId: string) => {
+    return { entityId };
+  };
+
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  const renew = async (_inputs: unknown, entityId: string) => {
+    // No renewal necessary
+    return { entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/external-kms/external-kms-service.ts

@@ -20,7 +20,8 @@ import {
   TUpdateExternalKmsDTO
 } from "./external-kms-types";
 import { AwsKmsProviderFactory } from "./providers/aws-kms";
-import { ExternalKmsAwsSchema, KmsProviders } from "./providers/model";
+import { GcpKmsProviderFactory } from "./providers/gcp-kms";
+import { ExternalKmsAwsSchema, ExternalKmsGcpSchema, KmsProviders, TExternalKmsGcpSchema } from "./providers/model";
 
 type TExternalKmsServiceFactoryDep = {
   externalKmsDAL: TExternalKmsDALFactory;
@@ -78,6 +79,13 @@ export const externalKmsServiceFactory = ({
           await externalKms.validateConnection();
         }
         break;
+      case KmsProviders.Gcp:
+        {
+          const externalKms = await GcpKmsProviderFactory({ inputs: provider.inputs });
+          await externalKms.validateConnection();
+          sanitizedProviderInput = JSON.stringify(provider.inputs);
+        }
+        break;
       default:
         throw new BadRequestError({ message: "external kms provided is invalid" });
     }
@@ -88,7 +96,7 @@ export const externalKmsServiceFactory = ({
     });
 
     const { cipherTextBlob: encryptedProviderInputs } = orgDataKeyEncryptor({
-      plainText: Buffer.from(sanitizedProviderInput, "utf8")
+      plainText: Buffer.from(sanitizedProviderInput)
     });
 
     const externalKms = await externalKmsDAL.transaction(async (tx) => {
@@ -162,7 +170,7 @@ export const externalKmsServiceFactory = ({
         case KmsProviders.Aws:
           {
             const decryptedProviderInput = await ExternalKmsAwsSchema.parseAsync(
-              JSON.parse(decryptedProviderInputBlob.toString("utf8"))
+              JSON.parse(decryptedProviderInputBlob.toString())
             );
             const updatedProviderInput = { ...decryptedProviderInput, ...provider.inputs };
             const externalKms = await AwsKmsProviderFactory({ inputs: updatedProviderInput });
@@ -170,6 +178,17 @@ export const externalKmsServiceFactory = ({
             sanitizedProviderInput = JSON.stringify(updatedProviderInput);
           }
           break;
+        case KmsProviders.Gcp:
+          {
+            const decryptedProviderInput = await ExternalKmsGcpSchema.parseAsync(
+              JSON.parse(decryptedProviderInputBlob.toString())
+            );
+            const updatedProviderInput = { ...decryptedProviderInput, ...provider.inputs };
+            const externalKms = await GcpKmsProviderFactory({ inputs: updatedProviderInput });
+            await externalKms.validateConnection();
+            sanitizedProviderInput = JSON.stringify(updatedProviderInput);
+          }
+          break;
         default:
           throw new BadRequestError({ message: "external kms provided is invalid" });
       }
@@ -178,7 +197,7 @@ export const externalKmsServiceFactory = ({
     let encryptedProviderInputs: Buffer | undefined;
     if (sanitizedProviderInput) {
       const { cipherTextBlob } = orgDataKeyEncryptor({
-        plainText: Buffer.from(sanitizedProviderInput, "utf8")
+        plainText: Buffer.from(sanitizedProviderInput)
       });
       encryptedProviderInputs = cipherTextBlob;
     }
@@ -271,10 +290,17 @@ export const externalKmsServiceFactory = ({
     switch (externalKmsDoc.provider) {
       case KmsProviders.Aws: {
         const decryptedProviderInput = await ExternalKmsAwsSchema.parseAsync(
-          JSON.parse(decryptedProviderInputBlob.toString("utf8"))
+          JSON.parse(decryptedProviderInputBlob.toString())
         );
         return { ...kmsDoc, external: { ...externalKmsDoc, providerInput: decryptedProviderInput } };
       }
+      case KmsProviders.Gcp: {
+        const decryptedProviderInput = await ExternalKmsGcpSchema.parseAsync(
+          JSON.parse(decryptedProviderInputBlob.toString())
+        );
+
+        return { ...kmsDoc, external: { ...externalKmsDoc, providerInput: decryptedProviderInput } };
+      }
       default:
         throw new BadRequestError({ message: "external kms provided is invalid" });
     }
@@ -312,21 +338,34 @@ export const externalKmsServiceFactory = ({
     switch (externalKmsDoc.provider) {
       case KmsProviders.Aws: {
         const decryptedProviderInput = await ExternalKmsAwsSchema.parseAsync(
-          JSON.parse(decryptedProviderInputBlob.toString("utf8"))
+          JSON.parse(decryptedProviderInputBlob.toString())
         );
         return { ...kmsDoc, external: { ...externalKmsDoc, providerInput: decryptedProviderInput } };
       }
+      case KmsProviders.Gcp: {
+        const decryptedProviderInput = await ExternalKmsGcpSchema.parseAsync(
+          JSON.parse(decryptedProviderInputBlob.toString())
+        );
+
+        return { ...kmsDoc, external: { ...externalKmsDoc, providerInput: decryptedProviderInput } };
+      }
       default:
         throw new BadRequestError({ message: "external kms provided is invalid" });
     }
   };
 
+  const fetchGcpKeys = async ({ credential, gcpRegion }: Pick<TExternalKmsGcpSchema, "credential" | "gcpRegion">) => {
+    const externalKms = await GcpKmsProviderFactory({ inputs: { credential, gcpRegion, keyName: "" } });
+    return externalKms.getKeysList();
+  };
+
   return {
     create,
     updateById,
     deleteById,
     list,
     findById,
-    findByName
+    findByName,
+    fetchGcpKeys
   };
 };

backend/src/ee/services/external-kms/providers/gcp-kms.ts

@@ -0,0 +1,113 @@
+import { KeyManagementServiceClient } from "@google-cloud/kms";
+
+import { BadRequestError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+
+import { ExternalKmsGcpSchema, TExternalKmsGcpClientSchema, TExternalKmsProviderFns } from "./model";
+
+const getGcpKmsClient = async ({ credential, gcpRegion }: TExternalKmsGcpClientSchema) => {
+  const gcpKmsClient = new KeyManagementServiceClient({
+    credentials: credential
+  });
+  const projectId = credential.project_id;
+  const locationName = gcpKmsClient.locationPath(projectId, gcpRegion);
+
+  return {
+    gcpKmsClient,
+    locationName
+  };
+};
+
+type GcpKmsProviderArgs = {
+  inputs: unknown;
+};
+type TGcpKmsProviderFactoryReturn = TExternalKmsProviderFns & {
+  getKeysList: () => Promise<{ keys: string[] }>;
+};
+
+export const GcpKmsProviderFactory = async ({ inputs }: GcpKmsProviderArgs): Promise<TGcpKmsProviderFactoryReturn> => {
+  const { credential, gcpRegion, keyName } = await ExternalKmsGcpSchema.parseAsync(inputs);
+  const { gcpKmsClient, locationName } = await getGcpKmsClient({
+    credential,
+    gcpRegion
+  });
+
+  const validateConnection = async () => {
+    try {
+      await gcpKmsClient.listKeyRings({
+        parent: locationName
+      });
+      return true;
+    } catch (error) {
+      throw new BadRequestError({
+        message: "Cannot connect to GCP KMS"
+      });
+    }
+  };
+
+  // Used when adding the KMS to fetch the list of keys in specified region
+  const getKeysList = async () => {
+    try {
+      const [keyRings] = await gcpKmsClient.listKeyRings({
+        parent: locationName
+      });
+
+      const validKeyRings = keyRings
+        .filter(
+          (keyRing): keyRing is { name: string } =>
+            keyRing !== null && typeof keyRing === "object" && "name" in keyRing && typeof keyRing.name === "string"
+        )
+        .map((keyRing) => keyRing.name);
+      const keyList: string[] = [];
+      const keyListPromises = validKeyRings.map((keyRingName) =>
+        gcpKmsClient
+          .listCryptoKeys({
+            parent: keyRingName
+          })
+          .then(([cryptoKeys]) =>
+            cryptoKeys
+              .filter(
+                (key): key is { name: string } =>
+                  key !== null && typeof key === "object" && "name" in key && typeof key.name === "string"
+              )
+              .map((key) => key.name)
+          )
+      );
+
+      const cryptoKeyLists = await Promise.all(keyListPromises);
+      keyList.push(...cryptoKeyLists.flat());
+      return { keys: keyList };
+    } catch (error) {
+      logger.error(error, "Could not validate GCP KMS connection and credentials");
+      throw new BadRequestError({
+        message: "Could not validate GCP KMS connection and credentials",
+        error
+      });
+    }
+  };
+
+  const encrypt = async (data: Buffer) => {
+    const encryptedText = await gcpKmsClient.encrypt({
+      name: keyName,
+      plaintext: data
+    });
+    if (!encryptedText[0].ciphertext) throw new Error("encryption failed");
+    return { encryptedBlob: Buffer.from(encryptedText[0].ciphertext) };
+  };
+
+  const decrypt = async (encryptedBlob: Buffer) => {
+    const decryptedText = await gcpKmsClient.decrypt({
+      name: keyName,
+      ciphertext: encryptedBlob
+    });
+    if (!decryptedText[0].plaintext) throw new Error("decryption failed");
+    return { data: Buffer.from(decryptedText[0].plaintext) };
+  };
+
+  return {
+    validateConnection,
+    getKeysList,
+    encrypt,
+    decrypt
+  };
+};

backend/src/ee/services/external-kms/providers/model.ts

@@ -1,13 +1,23 @@
 import { z } from "zod";
 
 export enum KmsProviders {
-  Aws = "aws"
+  Aws = "aws",
+  Gcp = "gcp"
 }
 
 export enum KmsAwsCredentialType {
   AssumeRole = "assume-role",
   AccessKey = "access-key"
 }
+// Google uses snake_case for their enum values and we need to match that
+export enum KmsGcpCredentialType {
+  ServiceAccount = "service_account"
+}
+
+export enum KmsGcpKeyFetchAuthType {
+  Credential = "credential",
+  Kms = "kmsId"
+}
 
 export const ExternalKmsAwsSchema = z.object({
   credential: z
@@ -42,14 +52,44 @@ export const ExternalKmsAwsSchema = z.object({
 });
 export type TExternalKmsAwsSchema = z.infer<typeof ExternalKmsAwsSchema>;
 
+export const ExternalKmsGcpCredentialSchema = z.object({
+  type: z.literal(KmsGcpCredentialType.ServiceAccount),
+  project_id: z.string().min(1),
+  private_key_id: z.string().min(1),
+  private_key: z.string().min(1),
+  client_email: z.string().min(1),
+  client_id: z.string().min(1),
+  auth_uri: z.string().min(1),
+  token_uri: z.string().min(1),
+  auth_provider_x509_cert_url: z.string().min(1),
+  client_x509_cert_url: z.string().min(1),
+  universe_domain: z.string().min(1)
+});
+
+export type TExternalKmsGcpCredentialSchema = z.infer<typeof ExternalKmsGcpCredentialSchema>;
+
+export const ExternalKmsGcpSchema = z.object({
+  credential: ExternalKmsGcpCredentialSchema.describe("GCP Service Account JSON credential to connect"),
+  gcpRegion: z.string().trim().describe("GCP region where the KMS key is located"),
+  keyName: z.string().trim().describe("GCP key name")
+});
+export type TExternalKmsGcpSchema = z.infer<typeof ExternalKmsGcpSchema>;
+
+const ExternalKmsGcpClientSchema = ExternalKmsGcpSchema.pick({ gcpRegion: true }).extend({
+  credential: ExternalKmsGcpCredentialSchema
+});
+export type TExternalKmsGcpClientSchema = z.infer<typeof ExternalKmsGcpClientSchema>;
+
 // The root schema of the JSON
 export const ExternalKmsInputSchema = z.discriminatedUnion("type", [
-  z.object({ type: z.literal(KmsProviders.Aws), inputs: ExternalKmsAwsSchema })
+  z.object({ type: z.literal(KmsProviders.Aws), inputs: ExternalKmsAwsSchema }),
+  z.object({ type: z.literal(KmsProviders.Gcp), inputs: ExternalKmsGcpSchema })
 ]);
 export type TExternalKmsInputSchema = z.infer<typeof ExternalKmsInputSchema>;
 
 export const ExternalKmsInputUpdateSchema = z.discriminatedUnion("type", [
-  z.object({ type: z.literal(KmsProviders.Aws), inputs: ExternalKmsAwsSchema.partial() })
+  z.object({ type: z.literal(KmsProviders.Aws), inputs: ExternalKmsAwsSchema.partial() }),
+  z.object({ type: z.literal(KmsProviders.Gcp), inputs: ExternalKmsGcpSchema.partial() })
 ]);
 export type TExternalKmsInputUpdateSchema = z.infer<typeof ExternalKmsInputUpdateSchema>;