dedicated-instance-deploy

.env.example

@@ -112,11 +112,4 @@ INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
 
 # azure app connection
 INF_APP_CONNECTION_AZURE_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_CLIENT_SECRET=
-
-# datadog
-SHOULD_USE_DATADOG_TRACER=
-DATADOG_PROFILING_ENABLED=
-DATADOG_ENV=
-DATADOG_SERVICE=
-DATADOG_HOSTNAME=
+INF_APP_CONNECTION_AZURE_CLIENT_SECRET=

.envrc

@@ -1,3 +0,0 @@
-# Learn more at https://direnv.net
-# We instruct direnv to use our Nix flake for a consistent development environment.
-use flake

.github/workflows/check-api-for-breaking-changes.yml

@@ -32,23 +32,10 @@ jobs:
         run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
       - name: Start the server
         run: |
-          echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
-          echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
-          echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
-
-          echo "Examining built image:"
-          docker image inspect infisical-api | grep -A 5 "Entrypoint"
-          
-          docker run --name infisical-api -d -p 4000:4000 \
-            -e DB_CONNECTION_URI=$DB_CONNECTION_URI \
-            -e REDIS_URL=$REDIS_URL \
-            -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET \
-            -e ENCRYPTION_KEY=$ENCRYPTION_KEY \
-            --env-file .env \
-            infisical-api
-          
-          echo "Container status right after creation:"
-          docker ps -a | grep infisical-api
+            echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
+            echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
+            echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
+            docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET -e ENCRYPTION_KEY=$ENCRYPTION_KEY --env-file .env --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
         env:
           REDIS_URL: redis://172.17.0.1:6379
           DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
@@ -56,48 +43,35 @@ jobs:
           ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.21.5"
+          go-version: '1.21.5'
       - name: Wait for container to be stable and check logs
         run: |
           SECONDS=0
           HEALTHY=0
           while [ $SECONDS -lt 60 ]; do
-            # Check if container is running
-            if docker ps | grep infisical-api; then
-              # Try to access the API endpoint
-              if curl -s -f http://localhost:4000/api/docs/json > /dev/null 2>&1; then
-                echo "API endpoint is responding. Container seems healthy."
-                HEALTHY=1
-                break
-              fi
-            else
-              echo "Container is not running!"
-              docker ps -a | grep infisical-api
+            if docker ps | grep infisical-api | grep -q healthy; then
+              echo "Container is healthy."
+              HEALTHY=1
               break
             fi
-            
             echo "Waiting for container to be healthy... ($SECONDS seconds elapsed)"
-            sleep 5
-            SECONDS=$((SECONDS+5))
+
+            docker logs infisical-api
+
+            sleep 2
+            SECONDS=$((SECONDS+2))
           done
-          
+      
           if [ $HEALTHY -ne 1 ]; then
             echo "Container did not become healthy in time"
-            echo "Container status:"
-            docker ps -a | grep infisical-api
-            echo "Container logs (if any):"
-            docker logs infisical-api || echo "No logs available"
-            echo "Container inspection:"
-            docker inspect infisical-api | grep -A 5 "State"
             exit 1
           fi
       - name: Install openapi-diff
-        run: go install github.com/oasdiff/oasdiff@latest
+        run: go install github.com/tufin/oasdiff@latest
       - name: Running OpenAPI Spec diff action
         run: oasdiff breaking https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json --fail-on ERR
       - name: cleanup
-        if: always()
         run: |
           docker compose -f "docker-compose.dev.yml" down
-          docker stop infisical-api || true
-          docker rm infisical-api || true
+          docker stop infisical-api
+          docker remove infisical-api

.github/workflows/release_build_infisical_cli.yml

@@ -26,7 +26,7 @@ jobs:
             CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
 
     npm-release:
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-20.04
         env:
             working-directory: ./npm
         needs:
@@ -83,7 +83,7 @@ jobs:
                   NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
     goreleaser:
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-20.04
         needs: [cli-integration-tests]
         steps:
             - uses: actions/checkout@v3
@@ -103,12 +103,11 @@ jobs:
                   go-version: ">=1.19.3"
                   cache: true
                   cache-dependency-path: cli/go.sum
-            - name: Setup for libssl1.0-dev
+            - name: libssl1.1 => libssl1.0-dev for OSXCross
               run: |
                   echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
-                  sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
-                  sudo apt update
-                  sudo apt-get install -y libssl1.0-dev
+                  sudo apt update && apt-cache policy libssl1.0-dev
+                  sudo apt-get install libssl1.0-dev
             - name: OSXCross for CGO Support
               run: |
                   mkdir ../../osxcross

.github/workflows/run-backend-tests.yml

@@ -34,10 +34,7 @@ jobs:
         working-directory: backend
       - name: Start postgres and redis
         run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
-      - name: Run unit test
-        run: npm run test:unit
-        working-directory: backend
-      - name: Run integration test
+      - name: Start integration test
         run: npm run test:e2e
         working-directory: backend
         env:
@@ -47,5 +44,4 @@ jobs:
           ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
       - name: cleanup
         run: |
-          docker compose -f "docker-compose.dev.yml" down
-
+          docker compose -f "docker-compose.dev.yml" down

Dockerfile.fips.standalone-infisical

@@ -161,9 +161,6 @@ COPY --from=backend-runner /app /backend
 
 COPY --from=frontend-runner /app ./backend/frontend-build
 
-ARG INFISICAL_PLATFORM_VERSION
-ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
-
 ENV PORT 8080
 ENV HOST=0.0.0.0
 ENV HTTPS_ENABLED false 

Dockerfile.standalone-infisical

@@ -3,10 +3,13 @@ ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
 ARG CAPTCHA_SITE_KEY=captcha-site-key
 
-FROM node:20-slim AS base
+FROM  node:20-alpine AS base
 
 FROM base AS frontend-dependencies
 
+# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
+RUN apk add --no-cache libc6-compat
+
 WORKDIR /app
 
 COPY frontend/package.json frontend/package-lock.json  ./
@@ -42,8 +45,8 @@ RUN npm run build
 FROM base AS frontend-runner
 WORKDIR /app
 
-RUN groupadd --system --gid 1001 nodejs
-RUN useradd --system --uid 1001 --gid nodejs non-root-user
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 non-root-user
 
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
 
@@ -53,23 +56,21 @@ USER non-root-user
 ## BACKEND
 ##
 FROM base AS backend-build
+RUN addgroup --system --gid 1001 nodejs \
+  && adduser --system --uid 1001 non-root-user
 
 WORKDIR /app
 
 # Install all required dependencies for build
-RUN apt-get update && apt-get install -y \
+RUN apk --update add \
     python3 \
     make \
     g++ \
     unixodbc \
-    freetds-bin \
+    freetds \
     unixodbc-dev \
     libc-dev \
-    freetds-dev \
-    && rm -rf /var/lib/apt/lists/*
-
-RUN groupadd --system --gid 1001 nodejs
-RUN useradd --system --uid 1001 --gid nodejs non-root-user
+    freetds-dev
 
 COPY backend/package*.json ./
 RUN npm ci --only-production
@@ -85,19 +86,18 @@ FROM base AS backend-runner
 WORKDIR /app
 
 # Install all required dependencies for runtime
-RUN apt-get update && apt-get install -y \
+RUN apk --update add \
     python3 \
     make \
     g++ \
     unixodbc \
-    freetds-bin \
+    freetds \
     unixodbc-dev \
     libc-dev \
-    freetds-dev \
-    && rm -rf /var/lib/apt/lists/*
+    freetds-dev
 
 # Configure ODBC
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
 COPY backend/package*.json ./
 RUN npm ci --only-production
@@ -109,36 +109,34 @@ RUN mkdir frontend-build
 # Production stage
 FROM base AS production
 
-RUN apt-get update && apt-get install -y \
-    ca-certificates \
-    bash \
-    curl \
-    git \
+RUN apk add --upgrade --no-cache ca-certificates
+RUN apk add --no-cache bash curl && curl -1sLf \
+  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
+  && apk add infisical=0.31.1 && apk add --no-cache git
+
+WORKDIR /
+
+# Install all required runtime dependencies
+RUN apk --update add \
     python3 \
     make \
     g++ \
     unixodbc \
-    freetds-bin \
+    freetds \
     unixodbc-dev \
     libc-dev \
     freetds-dev \
-		wget \
-    openssh-client \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install Infisical CLI
-RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical=0.31.1 \
-    && rm -rf /var/lib/apt/lists/*
-
-WORKDIR /
+    bash \
+    curl \
+    git \
+    openssh
 
 # Configure ODBC in production
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
 # Setup user permissions
-RUN groupadd --system --gid 1001 nodejs \
-  && useradd --system --uid 1001 --gid nodejs non-root-user
+RUN addgroup --system --gid 1001 nodejs \
+  && adduser --system --uid 1001 non-root-user
 
 # Give non-root-user permission to update SSL certs
 RUN chown -R non-root-user /etc/ssl/certs
@@ -156,11 +154,11 @@ ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
 ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
+
 COPY --from=backend-runner /app /backend
+
 COPY --from=frontend-runner /app ./backend/frontend-build
 
-ARG INFISICAL_PLATFORM_VERSION
-ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 
 ENV PORT 8080
 ENV HOST=0.0.0.0
@@ -168,7 +166,6 @@ ENV HTTPS_ENABLED false
 ENV NODE_ENV production
 ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
-
 WORKDIR /backend
 
 ENV TELEMETRY_ENABLED true

backend/Dockerfile

@@ -1,22 +1,23 @@
 # Build stage
-FROM node:20-slim AS build
+FROM node:20-alpine AS build
 
 WORKDIR /app
 
 # Required for pkcs11js
-RUN apt-get update && apt-get install -y \
-    python3 \
-    make \
-    g++ \
-    openssh-client
+RUN apk --update add \
+        python3 \
+        make \
+        g++ \
+        openssh
 
-# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
-RUN apt-get install -y \
+# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apk add --no-cache \
     unixodbc \
-    freetds-bin \
-    freetds-dev \
+    freetds \
     unixodbc-dev \
-    libc-dev
+    libc-dev \
+    freetds-dev
+
 
 COPY package*.json ./
 RUN npm ci --only-production
@@ -25,36 +26,36 @@ COPY . .
 RUN npm run build
 
 # Production stage
-FROM node:20-slim
+FROM node:20-alpine
 WORKDIR /app
 
 ENV npm_config_cache /home/node/.npm
 
 COPY package*.json ./
 
-RUN apt-get update && apt-get install -y \
-    python3 \
-    make \
-    g++
+RUN apk --update add \
+        python3 \
+        make \
+        g++
 
-# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
-RUN apt-get install -y \
+# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apk add --no-cache \
     unixodbc \
-    freetds-bin \
-    freetds-dev \
+    freetds \
     unixodbc-dev \
-    libc-dev
+    libc-dev \
+    freetds-dev
 
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
 RUN npm ci --only-production && npm cache clean --force
 
 COPY --from=build /app .
 
-# Install Infisical CLI
-RUN apt-get install -y curl bash && \
-    curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
-    apt-get update && apt-get install -y infisical=0.8.1 git
+RUN apk add --no-cache bash curl && curl -1sLf \
+  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
+  && apk add infisical=0.8.1 && apk add --no-cache git
 
 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
   CMD node healthcheck.js

backend/Dockerfile.dev

@@ -1,4 +1,4 @@
-FROM node:20-slim
+FROM node:20-alpine
 
 # ? Setup a test SoftHSM module. In production a real HSM is used.
 
@@ -7,32 +7,32 @@ ARG SOFTHSM2_VERSION=2.5.0
 ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
     SOFTHSM2_SOURCES=/tmp/softhsm2
 
-# Install build dependencies including python3 (required for pkcs11js and partially TDS driver)
-RUN apt-get update && apt-get install -y \
-    build-essential \
-    autoconf \
-    automake \
-    git \
-    libtool \
-    libssl-dev \
-    python3 \
-    make \
-    g++ \
-    openssh-client \
-    curl \
-    pkg-config
+# install build dependencies including python3 (required for pkcs11js and partially TDS driver)
+RUN apk --update add \
+        alpine-sdk \
+        autoconf \
+        automake \
+        git \
+        libtool \
+        openssl-dev \
+        python3 \
+        make \
+        g++ \
+        openssh
 
-# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
-RUN apt-get install -y \
+# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apk add --no-cache \
     unixodbc \
+    freetds \
     unixodbc-dev \
-    freetds-dev \
-    freetds-bin \
-    tdsodbc
+    libc-dev \
+    freetds-dev
 
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
-# Build and install SoftHSM2
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+# build and install SoftHSM2
+
 RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
 WORKDIR ${SOFTHSM2_SOURCES}
 
@@ -45,18 +45,16 @@ RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
 WORKDIR /root
 RUN rm -fr ${SOFTHSM2_SOURCES}
 
-# Install pkcs11-tool
-RUN apt-get install -y opensc
+# install pkcs11-tool
+RUN apk --update add opensc
 
-RUN mkdir -p /etc/softhsm2/tokens && \
-    softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
+RUN softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
 
 # ? App setup
 
-# Install Infisical CLI
-RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
-    apt-get update && \
-    apt-get install -y infisical=0.8.1
+RUN apk add --no-cache bash curl && curl -1sLf \
+  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
+  && apk add infisical=0.8.1 && apk add --no-cache git
 
 WORKDIR /app
 

backend/e2e-test/vitest-environment-knex.ts

@@ -120,3 +120,4 @@ export default {
     };
   }
 };
+

backend/package.json

@@ -40,7 +40,6 @@
     "type:check": "tsc --noEmit",
     "lint:fix": "eslint --fix --ext js,ts ./src",
     "lint": "eslint 'src/**/*.ts'",
-    "test:unit": "vitest run -c vitest.unit.config.ts",
     "test:e2e": "vitest run -c vitest.e2e.config.ts --bail=1",
     "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
     "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
@@ -61,17 +60,9 @@
     "migration:status": "npm run auditlog-migration:status && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:status",
     "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./dist/db/knexfile.mjs migrate:rollback",
     "migration:unlock": "npm run auditlog-migration:unlock && knex --knexfile ./dist/db/knexfile.mjs migrate:unlock",
-    "migration:up-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
-    "migration:down-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
-    "migration:list-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
-    "migration:latest-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
-    "migration:status-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
-    "migration:rollback-dev": "knex --knexfile ./src/db/knexfile.ts migrate:rollback",
-    "migration:unlock-dev": "knex --knexfile ./src/db/knexfile.ts migrate:unlock",
     "migrate:org": "tsx ./scripts/migrate-organization.ts",
     "seed:new": "tsx ./scripts/create-seed-file.ts",
     "seed": "knex --knexfile ./dist/db/knexfile.ts --client pg seed:run",
-    "seed-dev": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
     "db:reset": "npm run migration:rollback -- --all && npm run migration:latest"
   },
   "keywords": [],
@@ -126,6 +117,7 @@
     "vitest": "^1.2.2"
   },
   "dependencies": {
+    "@aws-sdk/client-cloudformation": "^3.750.0",
     "@aws-sdk/client-elasticache": "^3.637.0",
     "@aws-sdk/client-iam": "^3.525.0",
     "@aws-sdk/client-kms": "^3.609.0",
@@ -147,18 +139,17 @@
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
     "@google-cloud/kms": "^4.5.0",
-    "@infisical/quic": "^1.0.8",
-    "@node-saml/passport-saml": "^5.0.1",
-    "@octokit/auth-app": "^7.1.1",
-    "@octokit/plugin-retry": "^5.0.5",
-    "@octokit/rest": "^20.0.2",
+    "@node-saml/passport-saml": "^4.0.4",
+    "@octokit/auth-app": "^7.1.5",
+    "@octokit/plugin-retry": "^7.1.4",
+    "@octokit/rest": "^21.1.1",
     "@octokit/webhooks-types": "^7.3.1",
     "@octopusdeploy/api-client": "^3.4.1",
     "@opentelemetry/api": "^1.9.0",
+    "@opentelemetry/auto-instrumentations-node": "^0.53.0",
     "@opentelemetry/exporter-metrics-otlp-proto": "^0.55.0",
     "@opentelemetry/exporter-prometheus": "^0.55.0",
     "@opentelemetry/instrumentation": "^0.55.0",
-    "@opentelemetry/instrumentation-http": "^0.57.2",
     "@opentelemetry/resources": "^1.28.0",
     "@opentelemetry/sdk-metrics": "^1.28.0",
     "@opentelemetry/semantic-conventions": "^1.27.0",
@@ -171,6 +162,7 @@
     "@ucast/mongo2js": "^1.3.4",
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
+    "aws-cdk-lib": "^2.180.0",
     "aws-sdk": "^2.1553.0",
     "axios": "^1.6.7",
     "axios-retry": "^4.0.0",
@@ -179,7 +171,6 @@
     "cassandra-driver": "^4.7.2",
     "connect-redis": "^7.1.1",
     "cron": "^3.1.7",
-    "dd-trace": "^5.40.0",
     "dotenv": "^16.4.1",
     "fastify": "^4.28.1",
     "fastify-plugin": "^4.5.1",
@@ -188,7 +179,6 @@
     "handlebars": "^4.7.8",
     "hdb": "^0.19.10",
     "ioredis": "^5.3.2",
-    "isomorphic-dompurify": "^2.22.0",
     "jmespath": "^0.16.0",
     "jsonwebtoken": "^9.0.2",
     "jsrp": "^0.2.4",

backend/src/@types/fastify-request-context.d.ts

@@ -0,0 +1,7 @@
+import "@fastify/request-context";
+
+declare module "@fastify/request-context" {
+  interface RequestContextData {
+    reqId: string;
+  }
+}

backend/src/@types/fastify.d.ts

@@ -13,13 +13,13 @@ import { TCertificateEstServiceFactory } from "@app/ee/services/certificate-est/
 import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
-import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TIdentityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
 import { TKmipClientDALFactory } from "@app/ee/services/kmip/kmip-client-dal";
 import { TKmipOperationServiceFactory } from "@app/ee/services/kmip/kmip-operation-service";
 import { TKmipServiceFactory } from "@app/ee/services/kmip/kmip-service";
+import { TDedicatedInstanceServiceFactory } from "@app/ee/services/dedicated-instance/dedicated-instance-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
@@ -100,13 +100,6 @@ import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integ
 declare module "@fastify/request-context" {
   interface RequestContextData {
     reqId: string;
-    identityAuthInfo?: {
-      identityId: string;
-      oidc?: {
-        claims: Record<string, string>;
-      };
-    };
-    identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
   }
 }
 
@@ -236,7 +229,7 @@ declare module "fastify" {
       secretSync: TSecretSyncServiceFactory;
       kmip: TKmipServiceFactory;
       kmipOperation: TKmipOperationServiceFactory;
-      gateway: TGatewayServiceFactory;
+      dedicatedInstance: TDedicatedInstanceServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -68,9 +68,6 @@ import {
   TExternalKms,
   TExternalKmsInsert,
   TExternalKmsUpdate,
-  TGateways,
-  TGatewaysInsert,
-  TGatewaysUpdate,
   TGitAppInstallSessions,
   TGitAppInstallSessionsInsert,
   TGitAppInstallSessionsUpdate,
@@ -182,9 +179,6 @@ import {
   TOrgBots,
   TOrgBotsInsert,
   TOrgBotsUpdate,
-  TOrgGatewayConfig,
-  TOrgGatewayConfigInsert,
-  TOrgGatewayConfigUpdate,
   TOrgMemberships,
   TOrgMembershipsInsert,
   TOrgMembershipsUpdate,
@@ -206,9 +200,6 @@ import {
   TProjectEnvironments,
   TProjectEnvironmentsInsert,
   TProjectEnvironmentsUpdate,
-  TProjectGateways,
-  TProjectGatewaysInsert,
-  TProjectGatewaysUpdate,
   TProjectKeys,
   TProjectKeysInsert,
   TProjectKeysUpdate,
@@ -939,16 +930,10 @@ declare module "knex/types/tables" {
       TKmipClientCertificatesInsert,
       TKmipClientCertificatesUpdate
     >;
-    [TableName.Gateway]: KnexOriginal.CompositeTableType<TGateways, TGatewaysInsert, TGatewaysUpdate>;
-    [TableName.ProjectGateway]: KnexOriginal.CompositeTableType<
-      TProjectGateways,
-      TProjectGatewaysInsert,
-      TProjectGatewaysUpdate
-    >;
-    [TableName.OrgGatewayConfig]: KnexOriginal.CompositeTableType<
-      TOrgGatewayConfig,
-      TOrgGatewayConfigInsert,
-      TOrgGatewayConfigUpdate
+    [TableName.DedicatedInstances]: KnexOriginal.CompositeTableType<
+      TDedicatedInstances,
+      TDedicatedInstancesInsert,
+      TDedicatedInstancesUpdate
     >;
   }
 }

backend/src/db/knexfile.ts

@@ -39,7 +39,7 @@ export default {
     },
     migrations: {
       tableName: "infisical_migrations",
-      loadExtensions: [".mjs", ".ts"]
+      loadExtensions: [".mjs"]
     }
   },
   production: {
@@ -64,7 +64,7 @@ export default {
     },
     migrations: {
       tableName: "infisical_migrations",
-      loadExtensions: [".mjs", ".ts"]
+      loadExtensions: [".mjs"]
     }
   }
 } as Knex.Config;

backend/src/db/migrations/20240321000000_dedicated_instances.ts

@@ -0,0 +1,56 @@
+import { Knex } from "knex";
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const isTablePresent = await knex.schema.hasTable(TableName.DedicatedInstances);
+  if (!isTablePresent) {
+    await knex.schema.createTable(TableName.DedicatedInstances, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("orgId").notNullable();
+      t.string("instanceName").notNullable();
+      t.string("subdomain").notNullable().unique();
+      t.enum("status", ["RUNNING", "UPGRADING", "PROVISIONING", "FAILED"]).notNullable();
+      t.string("rdsInstanceType").notNullable();
+      t.string("elasticCacheType").notNullable();
+      t.integer("elasticContainerMemory").notNullable();
+      t.integer("elasticContainerCpu").notNullable();
+      t.string("region").notNullable();
+      t.string("version").notNullable();
+      t.integer("backupRetentionDays").defaultTo(7);
+      t.timestamp("lastBackupTime").nullable();
+      t.timestamp("lastUpgradeTime").nullable();
+      t.boolean("publiclyAccessible").defaultTo(false);
+      t.string("vpcId").nullable();
+      t.specificType("subnetIds", "text[]").nullable();
+      t.jsonb("tags").nullable();
+      t.boolean("multiAz").defaultTo(true);
+      t.integer("rdsAllocatedStorage").defaultTo(50);
+      t.integer("rdsBackupRetentionDays").defaultTo(7);
+      t.integer("redisNumCacheNodes").defaultTo(1);
+      t.integer("desiredContainerCount").defaultTo(1);
+      t.string("stackName").nullable();
+      t.text("rdsInstanceId").nullable();
+      t.text("redisClusterId").nullable();
+      t.text("ecsClusterArn").nullable();
+      t.text("ecsServiceArn").nullable();
+      t.specificType("securityGroupIds", "text[]").nullable();
+      t.text("error").nullable();
+      t.timestamps(true, true, true);
+
+      t.foreign("orgId")
+        .references("id")
+        .inTable(TableName.Organization)
+        .onDelete("CASCADE");
+      
+      t.unique(["orgId", "instanceName"]);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.DedicatedInstances);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.DedicatedInstances);
+  await knex.schema.dropTableIfExists(TableName.DedicatedInstances);
+} 

backend/src/db/migrations/20240324000000_add_failed_status_to_dedicated_instances.ts

@@ -0,0 +1,16 @@
+import { Knex } from "knex";
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  // First drop the existing constraint
+  await knex.raw(`ALTER TABLE ${TableName.DedicatedInstances} DROP CONSTRAINT IF EXISTS dedicated_instances_status_check`);
+  
+  // Add the new constraint with updated enum values
+  await knex.raw(`ALTER TABLE ${TableName.DedicatedInstances} ADD CONSTRAINT dedicated_instances_status_check CHECK (status IN ('RUNNING', 'UPGRADING', 'PROVISIONING', 'FAILED'))`);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // Revert back to original constraint
+  await knex.raw(`ALTER TABLE ${TableName.DedicatedInstances} DROP CONSTRAINT IF EXISTS dedicated_instances_status_check`);
+  await knex.raw(`ALTER TABLE ${TableName.DedicatedInstances} ADD CONSTRAINT dedicated_instances_status_check CHECK (status IN ('RUNNING', 'UPGRADING', 'PROVISIONING'))`);
+} 

backend/src/db/migrations/20250212191958_create-gateway.ts

@@ -1,115 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.OrgGatewayConfig))) {
-    await knex.schema.createTable(TableName.OrgGatewayConfig, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("rootCaKeyAlgorithm").notNullable();
-
-      t.datetime("rootCaIssuedAt").notNullable();
-      t.datetime("rootCaExpiration").notNullable();
-      t.string("rootCaSerialNumber").notNullable();
-      t.binary("encryptedRootCaCertificate").notNullable();
-      t.binary("encryptedRootCaPrivateKey").notNullable();
-
-      t.datetime("clientCaIssuedAt").notNullable();
-      t.datetime("clientCaExpiration").notNullable();
-      t.string("clientCaSerialNumber");
-      t.binary("encryptedClientCaCertificate").notNullable();
-      t.binary("encryptedClientCaPrivateKey").notNullable();
-
-      t.string("clientCertSerialNumber").notNullable();
-      t.string("clientCertKeyAlgorithm").notNullable();
-      t.datetime("clientCertIssuedAt").notNullable();
-      t.datetime("clientCertExpiration").notNullable();
-      t.binary("encryptedClientCertificate").notNullable();
-      t.binary("encryptedClientPrivateKey").notNullable();
-
-      t.datetime("gatewayCaIssuedAt").notNullable();
-      t.datetime("gatewayCaExpiration").notNullable();
-      t.string("gatewayCaSerialNumber").notNullable();
-      t.binary("encryptedGatewayCaCertificate").notNullable();
-      t.binary("encryptedGatewayCaPrivateKey").notNullable();
-
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.unique("orgId");
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.OrgGatewayConfig);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.Gateway))) {
-    await knex.schema.createTable(TableName.Gateway, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.string("name").notNullable();
-      t.string("serialNumber").notNullable();
-      t.string("keyAlgorithm").notNullable();
-      t.datetime("issuedAt").notNullable();
-      t.datetime("expiration").notNullable();
-      t.datetime("heartbeat");
-
-      t.binary("relayAddress").notNullable();
-
-      t.uuid("orgGatewayRootCaId").notNullable();
-      t.foreign("orgGatewayRootCaId").references("id").inTable(TableName.OrgGatewayConfig).onDelete("CASCADE");
-
-      t.uuid("identityId").notNullable();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.Gateway);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.ProjectGateway))) {
-    await knex.schema.createTable(TableName.ProjectGateway, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-
-      t.uuid("gatewayId").notNullable();
-      t.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("CASCADE");
-
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.ProjectGateway);
-  }
-
-  if (await knex.schema.hasTable(TableName.DynamicSecret)) {
-    const doesGatewayColExist = await knex.schema.hasColumn(TableName.DynamicSecret, "projectGatewayId");
-    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
-      // not setting a foreign constraint so that cascade effects are not triggered
-      if (!doesGatewayColExist) {
-        t.uuid("projectGatewayId");
-        t.foreign("projectGatewayId").references("id").inTable(TableName.ProjectGateway);
-      }
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.DynamicSecret)) {
-    const doesGatewayColExist = await knex.schema.hasColumn(TableName.DynamicSecret, "projectGatewayId");
-    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
-      if (doesGatewayColExist) t.dropColumn("projectGatewayId");
-    });
-  }
-
-  await knex.schema.dropTableIfExists(TableName.ProjectGateway);
-  await dropOnUpdateTrigger(knex, TableName.ProjectGateway);
-
-  await knex.schema.dropTableIfExists(TableName.Gateway);
-  await dropOnUpdateTrigger(knex, TableName.Gateway);
-
-  await knex.schema.dropTableIfExists(TableName.OrgGatewayConfig);
-  await dropOnUpdateTrigger(knex, TableName.OrgGatewayConfig);
-}

backend/src/db/migrations/20250226021631_secret-requests.ts

@@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { SecretSharingType } from "@app/services/secret-sharing/secret-sharing-types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasSharingTypeColumn = await knex.schema.hasColumn(TableName.SecretSharing, "type");
-
-  await knex.schema.alterTable(TableName.SecretSharing, (table) => {
-    if (!hasSharingTypeColumn) {
-      table.string("type", 32).defaultTo(SecretSharingType.Share).notNullable();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasSharingTypeColumn = await knex.schema.hasColumn(TableName.SecretSharing, "type");
-
-  await knex.schema.alterTable(TableName.SecretSharing, (table) => {
-    if (hasSharingTypeColumn) {
-      table.dropColumn("type");
-    }
-  });
-}

backend/src/db/migrations/20250226082254_add-gov-banner-and-consent-fields.ts

@@ -1,31 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasAuthConsentContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "authConsentContent");
-  const hasPageFrameContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "pageFrameContent");
-  if (await knex.schema.hasTable(TableName.SuperAdmin)) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      if (!hasAuthConsentContentCol) {
-        t.text("authConsentContent");
-      }
-      if (!hasPageFrameContentCol) {
-        t.text("pageFrameContent");
-      }
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasAuthConsentContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "authConsentContent");
-  const hasPageFrameContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "pageFrameContent");
-  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-    if (hasAuthConsentContentCol) {
-      t.dropColumn("authConsentContent");
-    }
-    if (hasPageFrameContentCol) {
-      t.dropColumn("pageFrameContent");
-    }
-  });
-}

backend/src/db/migrations/20250228022604_increase-secret-reminder-note-max-length.ts

@@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  for await (const tableName of [
-    TableName.SecretV2,
-    TableName.SecretVersionV2,
-    TableName.SecretApprovalRequestSecretV2
-  ]) {
-    const hasReminderNoteCol = await knex.schema.hasColumn(tableName, "reminderNote");
-
-    if (hasReminderNoteCol) {
-      await knex.schema.alterTable(tableName, (t) => {
-        t.string("reminderNote", 1024).alter();
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  for await (const tableName of [
-    TableName.SecretV2,
-    TableName.SecretVersionV2,
-    TableName.SecretApprovalRequestSecretV2
-  ]) {
-    const hasReminderNoteCol = await knex.schema.hasColumn(tableName, "reminderNote");
-
-    if (hasReminderNoteCol) {
-      await knex.schema.alterTable(tableName, (t) => {
-        t.string("reminderNote").alter();
-      });
-    }
-  }
-}

backend/src/db/migrations/20250303213350_add-folder-description.ts

@@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasProjectDescription = await knex.schema.hasColumn(TableName.SecretFolder, "description");
-
-  if (!hasProjectDescription) {
-    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
-      t.string("description");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasProjectDescription = await knex.schema.hasColumn(TableName.SecretFolder, "description");
-
-  if (hasProjectDescription) {
-    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
-      t.dropColumn("description");
-    });
-  }
-}

backend/src/db/migrations/20250305080145_add-secret-review-comment.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "comment"))) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (t) => {
-      t.string("comment");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "comment")) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (t) => {
-      t.dropColumn("comment");
-    });
-  }
-}

backend/src/db/migrations/20250305131152_add-actor-id-to-secret-versions-v2.ts

@@ -1,45 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
-    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
-    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
-    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
-
-    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
-      if (!hasSecretVersionV2UserActorId) {
-        t.uuid("userActorId");
-        t.foreign("userActorId").references("id").inTable(TableName.Users);
-      }
-      if (!hasSecretVersionV2IdentityActorId) {
-        t.uuid("identityActorId");
-        t.foreign("identityActorId").references("id").inTable(TableName.Identity);
-      }
-      if (!hasSecretVersionV2ActorType) {
-        t.string("actorType");
-      }
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
-    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
-    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
-    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
-
-    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
-      if (hasSecretVersionV2UserActorId) {
-        t.dropColumn("userActorId");
-      }
-      if (hasSecretVersionV2IdentityActorId) {
-        t.dropColumn("identityActorId");
-      }
-      if (hasSecretVersionV2ActorType) {
-        t.dropColumn("actorType");
-      }
-    });
-  }
-}

backend/src/db/migrations/20250311105617_add-share-to-anyone-setting-to-organizations.ts

@@ -1,32 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Organization)) {
-    const hasSecretShareToAnyoneCol = await knex.schema.hasColumn(
-      TableName.Organization,
-      "allowSecretSharingOutsideOrganization"
-    );
-
-    if (!hasSecretShareToAnyoneCol) {
-      await knex.schema.alterTable(TableName.Organization, (t) => {
-        t.boolean("allowSecretSharingOutsideOrganization").defaultTo(true);
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Organization)) {
-    const hasSecretShareToAnyoneCol = await knex.schema.hasColumn(
-      TableName.Organization,
-      "allowSecretSharingOutsideOrganization"
-    );
-    if (hasSecretShareToAnyoneCol) {
-      await knex.schema.alterTable(TableName.Organization, (t) => {
-        t.dropColumn("allowSecretSharingOutsideOrganization");
-      });
-    }
-  }
-}

backend/src/db/migrations/20250314145202_identity-oidc-claim-mapping.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasMappingField = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "claimMetadataMapping");
-  if (!hasMappingField) {
-    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
-      t.jsonb("claimMetadataMapping");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasMappingField = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "claimMetadataMapping");
-  if (hasMappingField) {
-    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
-      t.dropColumn("claimMetadataMapping");
-    });
-  }
-}

backend/src/db/migrations/20250317101525_add-instance-admin-mi.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas/models";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.SuperAdmin, "adminIdentityIds"))) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.specificType("adminIdentityIds", "text[]");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SuperAdmin, "adminIdentityIds")) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.dropColumn("adminIdentityIds");
-    });
-  }
-}

backend/src/db/schemas/dedicated-instances.ts

@@ -0,0 +1,34 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const DedicatedInstancesSchema = z.object({
+  id: z.string().uuid(),
+  orgId: z.string().uuid(),
+  instanceName: z.string(),
+  status: z.string(),
+  rdsInstanceType: z.string(),
+  elasticCacheType: z.string(),
+  elasticContainerMemory: z.number(),
+  elasticContainerCpu: z.number(),
+  region: z.string(),
+  version: z.string(),
+  backupRetentionDays: z.number().default(7).nullable().optional(),
+  lastBackupTime: z.date().nullable().optional(),
+  lastUpgradeTime: z.date().nullable().optional(),
+  publiclyAccessible: z.boolean().default(false).nullable().optional(),
+  vpcId: z.string().nullable().optional(),
+  subnetIds: z.string().array().nullable().optional(),
+  tags: z.unknown().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TDedicatedInstances = z.infer<typeof DedicatedInstancesSchema>;
+export type TDedicatedInstancesInsert = Omit<z.input<typeof DedicatedInstancesSchema>, TImmutableDBKeys>;
+export type TDedicatedInstancesUpdate = Partial<Omit<z.input<typeof DedicatedInstancesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/dynamic-secrets.ts

@@ -26,8 +26,7 @@ export const DynamicSecretsSchema = z.object({
   statusDetails: z.string().nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  encryptedInput: zodBuffer,
-  projectGatewayId: z.string().uuid().nullable().optional()
+  encryptedInput: zodBuffer
 });
 
 export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;

backend/src/db/schemas/gateways.ts

@@ -1,29 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const GatewaysSchema = z.object({
-  id: z.string().uuid(),
-  name: z.string(),
-  serialNumber: z.string(),
-  keyAlgorithm: z.string(),
-  issuedAt: z.date(),
-  expiration: z.date(),
-  heartbeat: z.date().nullable().optional(),
-  relayAddress: zodBuffer,
-  orgGatewayRootCaId: z.string().uuid(),
-  identityId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TGateways = z.infer<typeof GatewaysSchema>;
-export type TGatewaysInsert = Omit<z.input<typeof GatewaysSchema>, TImmutableDBKeys>;
-export type TGatewaysUpdate = Partial<Omit<z.input<typeof GatewaysSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-oidc-auths.ts

@@ -26,8 +26,7 @@ export const IdentityOidcAuthsSchema = z.object({
   boundSubject: z.string().nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  encryptedCaCertificate: zodBuffer.nullable().optional(),
-  claimMetadataMapping: z.unknown().nullable().optional()
+  encryptedCaCertificate: zodBuffer.nullable().optional()
 });
 
 export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>;

backend/src/db/schemas/index.ts

@@ -20,7 +20,6 @@ export * from "./certificates";
 export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
 export * from "./external-kms";
-export * from "./gateways";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
 export * from "./group-project-membership-roles";
@@ -58,7 +57,6 @@ export * from "./ldap-group-maps";
 export * from "./models";
 export * from "./oidc-configs";
 export * from "./org-bots";
-export * from "./org-gateway-config";
 export * from "./org-memberships";
 export * from "./org-roles";
 export * from "./organizations";
@@ -67,7 +65,6 @@ export * from "./pki-collection-items";
 export * from "./pki-collections";
 export * from "./project-bots";
 export * from "./project-environments";
-export * from "./project-gateways";
 export * from "./project-keys";
 export * from "./project-memberships";
 export * from "./project-roles";

backend/src/db/schemas/models.ts

@@ -2,6 +2,7 @@ import { z } from "zod";
 
 export enum TableName {
   Users = "users",
+  Organization = "organizations",
   SshCertificateAuthority = "ssh_certificate_authorities",
   SshCertificateAuthoritySecret = "ssh_certificate_authority_secrets",
   SshCertificateTemplate = "ssh_certificate_templates",
@@ -29,7 +30,6 @@ export enum TableName {
   AuthTokens = "auth_tokens",
   AuthTokenSession = "auth_token_sessions",
   BackupPrivateKey = "backup_private_key",
-  Organization = "organizations",
   OrgMembership = "org_memberships",
   OrgRoles = "org_roles",
   OrgBot = "org_bots",
@@ -113,10 +113,6 @@ export enum TableName {
   SecretApprovalRequestSecretTagV2 = "secret_approval_request_secret_tags_v2",
   SnapshotSecretV2 = "secret_snapshot_secrets_v2",
   ProjectSplitBackfillIds = "project_split_backfill_ids",
-  // Gateway
-  OrgGatewayConfig = "org_gateway_config",
-  Gateway = "gateways",
-  ProjectGateway = "project_gateways",
   // junction tables with tags
   SecretV2JnTag = "secret_v2_tag_junction",
   JnSecretTag = "secret_tag_junction",
@@ -140,7 +136,8 @@ export enum TableName {
   KmipClient = "kmip_clients",
   KmipOrgConfig = "kmip_org_configs",
   KmipOrgServerCertificates = "kmip_org_server_certificates",
-  KmipClientCertificates = "kmip_client_certificates"
+  KmipClientCertificates = "kmip_client_certificates",
+  DedicatedInstances = "dedicated_instances"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";

backend/src/db/schemas/org-gateway-config.ts

@@ -1,43 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const OrgGatewayConfigSchema = z.object({
-  id: z.string().uuid(),
-  rootCaKeyAlgorithm: z.string(),
-  rootCaIssuedAt: z.date(),
-  rootCaExpiration: z.date(),
-  rootCaSerialNumber: z.string(),
-  encryptedRootCaCertificate: zodBuffer,
-  encryptedRootCaPrivateKey: zodBuffer,
-  clientCaIssuedAt: z.date(),
-  clientCaExpiration: z.date(),
-  clientCaSerialNumber: z.string().nullable().optional(),
-  encryptedClientCaCertificate: zodBuffer,
-  encryptedClientCaPrivateKey: zodBuffer,
-  clientCertSerialNumber: z.string(),
-  clientCertKeyAlgorithm: z.string(),
-  clientCertIssuedAt: z.date(),
-  clientCertExpiration: z.date(),
-  encryptedClientCertificate: zodBuffer,
-  encryptedClientPrivateKey: zodBuffer,
-  gatewayCaIssuedAt: z.date(),
-  gatewayCaExpiration: z.date(),
-  gatewayCaSerialNumber: z.string(),
-  encryptedGatewayCaCertificate: zodBuffer,
-  encryptedGatewayCaPrivateKey: zodBuffer,
-  orgId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TOrgGatewayConfig = z.infer<typeof OrgGatewayConfigSchema>;
-export type TOrgGatewayConfigInsert = Omit<z.input<typeof OrgGatewayConfigSchema>, TImmutableDBKeys>;
-export type TOrgGatewayConfigUpdate = Partial<Omit<z.input<typeof OrgGatewayConfigSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/organizations.ts

@@ -22,8 +22,7 @@ export const OrganizationsSchema = z.object({
   kmsEncryptedDataKey: zodBuffer.nullable().optional(),
   defaultMembershipRole: z.string().default("member"),
   enforceMfa: z.boolean().default(false),
-  selectedMfaMethod: z.string().nullable().optional(),
-  allowSecretSharingOutsideOrganization: z.boolean().default(true).nullable().optional()
+  selectedMfaMethod: z.string().nullable().optional()
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/db/schemas/project-gateways.ts

@@ -1,20 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ProjectGatewaysSchema = z.object({
-  id: z.string().uuid(),
-  projectId: z.string(),
-  gatewayId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TProjectGateways = z.infer<typeof ProjectGatewaysSchema>;
-export type TProjectGatewaysInsert = Omit<z.input<typeof ProjectGatewaysSchema>, TImmutableDBKeys>;
-export type TProjectGatewaysUpdate = Partial<Omit<z.input<typeof ProjectGatewaysSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/secret-approval-requests-reviewers.ts

@@ -13,8 +13,7 @@ export const SecretApprovalRequestsReviewersSchema = z.object({
   requestId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  reviewerUserId: z.string().uuid(),
-  comment: z.string().nullable().optional()
+  reviewerUserId: z.string().uuid()
 });
 
 export type TSecretApprovalRequestsReviewers = z.infer<typeof SecretApprovalRequestsReviewersSchema>;

backend/src/db/schemas/secret-folders.ts

@@ -15,8 +15,7 @@ export const SecretFoldersSchema = z.object({
   updatedAt: z.date(),
   envId: z.string().uuid(),
   parentId: z.string().uuid().nullable().optional(),
-  isReserved: z.boolean().default(false).nullable().optional(),
-  description: z.string().nullable().optional()
+  isReserved: z.boolean().default(false).nullable().optional()
 });
 
 export type TSecretFolders = z.infer<typeof SecretFoldersSchema>;

backend/src/db/schemas/secret-sharing.ts

@@ -26,8 +26,7 @@ export const SecretSharingSchema = z.object({
   lastViewedAt: z.date().nullable().optional(),
   password: z.string().nullable().optional(),
   encryptedSecret: zodBuffer.nullable().optional(),
-  identifier: z.string().nullable().optional(),
-  type: z.string().default("share")
+  identifier: z.string().nullable().optional()
 });
 
 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;

backend/src/db/schemas/secret-versions-v2.ts

@@ -25,10 +25,7 @@ export const SecretVersionsV2Schema = z.object({
   folderId: z.string().uuid(),
   userId: z.string().uuid().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  userActorId: z.string().uuid().nullable().optional(),
-  identityActorId: z.string().uuid().nullable().optional(),
-  actorType: z.string().nullable().optional()
+  updatedAt: z.date()
 });
 
 export type TSecretVersionsV2 = z.infer<typeof SecretVersionsV2Schema>;

backend/src/db/schemas/super-admin.ts

@@ -23,10 +23,7 @@ export const SuperAdminSchema = z.object({
   defaultAuthOrgId: z.string().uuid().nullable().optional(),
   enabledLoginMethods: z.string().array().nullable().optional(),
   encryptedSlackClientId: zodBuffer.nullable().optional(),
-  encryptedSlackClientSecret: zodBuffer.nullable().optional(),
-  authConsentContent: z.string().nullable().optional(),
-  pageFrameContent: z.string().nullable().optional(),
-  adminIdentityIds: z.string().array().nullable().optional()
+  encryptedSlackClientSecret: zodBuffer.nullable().optional()
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/ee/migrations/dedicated-instance.ts

@@ -0,0 +1 @@
+ 

backend/src/ee/routes/v1/dedicated-instance-router.ts

@@ -0,0 +1,141 @@
+import { z } from "zod";
+
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+const DedicatedInstanceSchema = z.object({
+  id: z.string().uuid(),
+  orgId: z.string().uuid(),
+  instanceName: z.string().min(1),
+  subdomain: z.string().min(1),
+  status: z.enum(["RUNNING", "UPGRADING", "PROVISIONING", "FAILED"]),
+  rdsInstanceType: z.string(),
+  elasticCacheType: z.string(),
+  elasticContainerMemory: z.number(),
+  elasticContainerCpu: z.number(),
+  region: z.string(),
+  version: z.string(),
+  backupRetentionDays: z.number(),
+  lastBackupTime: z.date().nullable(),
+  lastUpgradeTime: z.date().nullable(),
+  publiclyAccessible: z.boolean(),
+  vpcId: z.string().nullable(),
+  subnetIds: z.array(z.string()).nullable(),
+  tags: z.record(z.string()).nullable(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+const CreateDedicatedInstanceSchema = z.object({
+  instanceName: z.string().min(1),
+  subdomain: z.string().min(1),
+  provider: z.literal('aws'), // Only allow 'aws' as provider
+  region: z.string(),
+  publiclyAccessible: z.boolean().default(false)
+});
+
+const DedicatedInstanceDetailsSchema = DedicatedInstanceSchema.extend({
+  stackStatus: z.string().optional(),
+  stackStatusReason: z.string().optional(),
+  error: z.string().nullable(),
+  events: z.array(
+    z.object({
+      timestamp: z.date().optional(),
+      logicalResourceId: z.string().optional(),
+      resourceType: z.string().optional(),
+      resourceStatus: z.string().optional(),
+      resourceStatusReason: z.string().optional()
+    })
+  ).optional()
+});
+
+export const registerDedicatedInstanceRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/:organizationId/dedicated-instances",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        organizationId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          instances: DedicatedInstanceSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const instances = await server.services.dedicatedInstance.listInstances({
+        orgId: req.params.organizationId
+      });
+      return { instances };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:organizationId/dedicated-instances",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        organizationId: z.string().uuid()
+      }),
+      body: CreateDedicatedInstanceSchema
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { organizationId } = req.params;
+      const { instanceName, subdomain, region, publiclyAccessible, provider} = req.body;
+
+      const instance = await server.services.dedicatedInstance.createInstance({
+        orgId: organizationId,
+        instanceName,
+        subdomain,
+        region,
+        publiclyAccessible,
+        provider: provider,
+        dryRun: false,
+      });
+
+      return instance;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:organizationId/dedicated-instances/:instanceId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        organizationId: z.string().uuid(),
+        instanceId: z.string().uuid()
+      }),
+      response: {
+        200: DedicatedInstanceDetailsSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { organizationId, instanceId } = req.params;
+      const { instance, stackStatus, stackStatusReason, events } = await server.services.dedicatedInstance.getInstance({
+        orgId: organizationId,
+        instanceId
+      });
+
+      return {
+        ...instance,
+        stackStatus,
+        stackStatusReason,
+        events
+      };
+    }
+  });
+}; 

backend/src/ee/routes/v1/dynamic-secret-lease-router.ts

@@ -1,10 +1,10 @@
+import ms from "ms";
 import { z } from "zod";
 
 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
 import { DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
-import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";

backend/src/ee/routes/v1/dynamic-secret-router.ts

@@ -1,3 +1,4 @@
+import ms from "ms";
 import { z } from "zod";
 
 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
@@ -5,7 +6,6 @@ import { DynamicSecretProviderSchema } from "@app/ee/services/dynamic-secret/pro
 import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
-import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";

backend/src/ee/routes/v1/gateway-router.ts

@@ -1,265 +0,0 @@
-import { z } from "zod";
-
-import { GatewaysSchema } from "@app/db/schemas";
-import { isValidIp } from "@app/lib/ip";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { slugSchema } from "@app/server/lib/schemas";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-const SanitizedGatewaySchema = GatewaysSchema.pick({
-  id: true,
-  identityId: true,
-  name: true,
-  createdAt: true,
-  updatedAt: true,
-  issuedAt: true,
-  serialNumber: true,
-  heartbeat: true
-});
-
-const isValidRelayAddress = (relayAddress: string) => {
-  const [ip, port] = relayAddress.split(":");
-  return isValidIp(ip) && Number(port) <= 65535 && Number(port) >= 40000;
-};
-
-export const registerGatewayRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/register-identity",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      response: {
-        200: z.object({
-          turnServerUsername: z.string(),
-          turnServerPassword: z.string(),
-          turnServerRealm: z.string(),
-          turnServerAddress: z.string(),
-          infisicalStaticIp: z.string().optional()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const relayDetails = await server.services.gateway.getGatewayRelayDetails(
-        req.permission.id,
-        req.permission.orgId,
-        req.permission.authMethod
-      );
-      return relayDetails;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/exchange-cert",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      body: z.object({
-        relayAddress: z.string().refine(isValidRelayAddress, { message: "Invalid relay address" })
-      }),
-      response: {
-        200: z.object({
-          serialNumber: z.string(),
-          privateKey: z.string(),
-          certificate: z.string(),
-          certificateChain: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const gatewayCertificates = await server.services.gateway.exchangeAllocatedRelayAddress({
-        identityOrg: req.permission.orgId,
-        identityId: req.permission.id,
-        relayAddress: req.body.relayAddress,
-        identityOrgAuthMethod: req.permission.authMethod
-      });
-      return gatewayCertificates;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/heartbeat",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      response: {
-        200: z.object({
-          message: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      await server.services.gateway.heartbeat({
-        orgPermission: req.permission
-      });
-      return { message: "Successfully registered heartbeat" };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      querystring: z.object({
-        projectId: z.string().optional()
-      }),
-      response: {
-        200: z.object({
-          gateways: SanitizedGatewaySchema.extend({
-            identity: z.object({
-              name: z.string(),
-              id: z.string()
-            }),
-            projects: z
-              .object({
-                name: z.string(),
-                id: z.string(),
-                slug: z.string()
-              })
-              .array()
-          }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
-    handler: async (req) => {
-      const gateways = await server.services.gateway.listGateways({
-        orgPermission: req.permission
-      });
-      return { gateways };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/projects/:projectId",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        projectId: z.string()
-      }),
-      response: {
-        200: z.object({
-          gateways: SanitizedGatewaySchema.extend({
-            identity: z.object({
-              name: z.string(),
-              id: z.string()
-            }),
-            projectGatewayId: z.string()
-          }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
-    handler: async (req) => {
-      const gateways = await server.services.gateway.getProjectGateways({
-        projectId: req.params.projectId,
-        projectPermission: req.permission
-      });
-      return { gateways };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:id",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        id: z.string()
-      }),
-      response: {
-        200: z.object({
-          gateway: SanitizedGatewaySchema.extend({
-            identity: z.object({
-              name: z.string(),
-              id: z.string()
-            })
-          })
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
-    handler: async (req) => {
-      const gateway = await server.services.gateway.getGatewayById({
-        orgPermission: req.permission,
-        id: req.params.id
-      });
-      return { gateway };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/:id",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      params: z.object({
-        id: z.string()
-      }),
-      body: z.object({
-        name: slugSchema({ field: "name" }).optional(),
-        projectIds: z.string().array().optional()
-      }),
-      response: {
-        200: z.object({
-          gateway: SanitizedGatewaySchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
-    handler: async (req) => {
-      const gateway = await server.services.gateway.updateGatewayById({
-        orgPermission: req.permission,
-        id: req.params.id,
-        name: req.body.name,
-        projectIds: req.body.projectIds
-      });
-      return { gateway };
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/:id",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      params: z.object({
-        id: z.string()
-      }),
-      response: {
-        200: z.object({
-          gateway: SanitizedGatewaySchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
-    handler: async (req) => {
-      const gateway = await server.services.gateway.deleteGatewayById({
-        orgPermission: req.permission,
-        id: req.params.id
-      });
-      return { gateway };
-    }
-  });
-};

backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts

@@ -1,11 +1,11 @@
 import slugify from "@sindresorhus/slugify";
+import ms from "ms";
 import { z } from "zod";
 
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
 import { backfillPermissionV1SchemaToV2Schema } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { UnauthorizedError } from "@app/lib/errors";
-import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";

backend/src/ee/routes/v1/index.ts

@@ -4,10 +4,10 @@ import { registerAccessApprovalPolicyRouter } from "./access-approval-policy-rou
 import { registerAccessApprovalRequestRouter } from "./access-approval-request-router";
 import { registerAuditLogStreamRouter } from "./audit-log-stream-router";
 import { registerCaCrlRouter } from "./certificate-authority-crl-router";
+import { registerDedicatedInstanceRouter } from "./dedicated-instance-router";
 import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
 import { registerDynamicSecretRouter } from "./dynamic-secret-router";
 import { registerExternalKmsRouter } from "./external-kms-router";
-import { registerGatewayRouter } from "./gateway-router";
 import { registerGroupRouter } from "./group-router";
 import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
 import { registerKmipRouter } from "./kmip-router";
@@ -39,6 +39,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   // org role starts with organization
   await server.register(registerOrgRoleRouter, { prefix: "/organization" });
   await server.register(registerLicenseRouter, { prefix: "/organizations" });
+  await server.register(registerDedicatedInstanceRouter, { prefix: "/organizations" });
   await server.register(
     async (projectRouter) => {
       await projectRouter.register(registerProjectRoleRouter);
@@ -68,8 +69,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
     { prefix: "/dynamic-secrets" }
   );
 
-  await server.register(registerGatewayRouter, { prefix: "/gateways" });
-
   await server.register(
     async (pkiRouter) => {
       await pkiRouter.register(registerCaCrlRouter, { prefix: "/crl" });

backend/src/ee/routes/v1/kmip-router.ts

@@ -1,10 +1,10 @@
+import ms from "ms";
 import { z } from "zod";
 
 import { KmipClientsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { KmipPermission } from "@app/ee/services/kmip/kmip-enum";
 import { KmipClientOrderBy } from "@app/ee/services/kmip/kmip-types";
-import { ms } from "@app/lib/ms";
 import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";

backend/src/ee/routes/v1/saml-router.ts

@@ -25,7 +25,7 @@ type TSAMLConfig = {
   callbackUrl: string;
   entryPoint: string;
   issuer: string;
-  idpCert: string;
+  cert: string;
   audience: string;
   wantAuthnResponseSigned?: boolean;
   wantAssertionsSigned?: boolean;
@@ -72,7 +72,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
               callbackUrl: `${appCfg.SITE_URL}/api/v1/sso/saml2/${ssoConfig.id}`,
               entryPoint: ssoConfig.entryPoint,
               issuer: ssoConfig.issuer,
-              idpCert: ssoConfig.cert,
+              cert: ssoConfig.cert,
               audience: appCfg.SITE_URL || ""
             };
             if (ssoConfig.authProvider === SamlProviders.JUMPCLOUD_SAML) {
@@ -302,21 +302,15 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { isActive, authProvider, issuer, entryPoint, cert } = req.body;
-      const { permission } = req;
-
-      return server.services.saml.createSamlCfg({
-        isActive,
-        authProvider,
-        issuer,
-        entryPoint,
-        idpCert: cert,
-        actor: permission.type,
-        actorId: permission.id,
-        actorAuthMethod: permission.authMethod,
-        actorOrgId: permission.orgId,
-        orgId: req.body.organizationId
+      const saml = await server.services.saml.createSamlCfg({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        orgId: req.body.organizationId,
+        ...req.body
       });
+      return saml;
     }
   });
 
@@ -343,21 +337,15 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { isActive, authProvider, issuer, entryPoint, cert } = req.body;
-      const { permission } = req;
-
-      return server.services.saml.updateSamlCfg({
-        isActive,
-        authProvider,
-        issuer,
-        entryPoint,
-        idpCert: cert,
-        actor: permission.type,
-        actorId: permission.id,
-        actorAuthMethod: permission.authMethod,
-        actorOrgId: permission.orgId,
-        orgId: req.body.organizationId
+      const saml = await server.services.saml.updateSamlCfg({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        orgId: req.body.organizationId,
+        ...req.body
       });
+      return saml;
     }
   });
 };

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -1,11 +1,16 @@
 import { z } from "zod";
 
-import { SecretApprovalRequestsReviewersSchema, SecretApprovalRequestsSchema, UsersSchema } from "@app/db/schemas";
+import {
+  SecretApprovalRequestsReviewersSchema,
+  SecretApprovalRequestsSchema,
+  SecretTagsSchema,
+  UsersSchema
+} from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApprovalStatus, RequestState } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedTagSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
+import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
@@ -154,8 +159,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
         id: z.string()
       }),
       body: z.object({
-        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED]),
-        comment: z.string().optional()
+        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED])
       }),
       response: {
         200: z.object({
@@ -171,25 +175,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         approvalId: req.params.id,
-        status: req.body.status,
-        comment: req.body.comment
+        status: req.body.status
       });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        projectId: review.projectId,
-        event: {
-          type: EventType.SECRET_APPROVAL_REQUEST_REVIEW,
-          metadata: {
-            secretApprovalRequestId: review.requestId,
-            reviewedBy: review.reviewerUserId,
-            status: review.status as ApprovalStatus,
-            comment: review.comment || ""
-          }
-        }
-      });
-
       return { review };
     }
   });
@@ -245,6 +232,15 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
     }
   });
 
+  const tagSchema = SecretTagsSchema.pick({
+    id: true,
+    slug: true,
+    name: true,
+    color: true
+  })
+    .array()
+    .optional();
+
   server.route({
     method: "GET",
     url: "/:id",
@@ -272,13 +268,13 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               environment: z.string(),
               statusChangedByUser: approvalRequestUser.optional(),
               committerUser: approvalRequestUser,
-              reviewers: approvalRequestUser.extend({ status: z.string(), comment: z.string().optional() }).array(),
+              reviewers: approvalRequestUser.extend({ status: z.string() }).array(),
               secretPath: z.string(),
               commits: secretRawSchema
                 .omit({ _id: true, environment: true, workspace: true, type: true, version: true })
                 .extend({
                   op: z.string(),
-                  tags: SanitizedTagSchema.array().optional(),
+                  tags: tagSchema,
                   secretMetadata: ResourceMetadataSchema.nullish(),
                   secret: z
                     .object({
@@ -297,7 +293,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                       secretKey: z.string(),
                       secretValue: z.string().optional(),
                       secretComment: z.string().optional(),
-                      tags: SanitizedTagSchema.array().optional(),
+                      tags: tagSchema,
                       secretMetadata: ResourceMetadataSchema.nullish()
                     })
                     .optional()

backend/src/ee/routes/v1/secret-router.ts

@@ -1,6 +1,6 @@
 import z from "zod";
 
-import { ProjectPermissionSecretActions } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions } from "@app/ee/services/permission/project-permission";
 import { RAW_SECRETS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit } from "@app/server/config/rateLimiter";
@@ -9,7 +9,7 @@ import { AuthMode } from "@app/services/auth/auth-type";
 
 const AccessListEntrySchema = z
   .object({
-    allowedActions: z.nativeEnum(ProjectPermissionSecretActions).array(),
+    allowedActions: z.nativeEnum(ProjectPermissionActions).array(),
     id: z.string(),
     membershipId: z.string(),
     name: z.string()

backend/src/ee/routes/v1/secret-version-router.ts

@@ -22,11 +22,7 @@ export const registerSecretVersionRouter = async (server: FastifyZodProvider) =>
       }),
       response: {
         200: z.object({
-          secretVersions: secretRawSchema
-            .extend({
-              secretValueHidden: z.boolean()
-            })
-            .array()
+          secretVersions: secretRawSchema.array()
         })
       }
     },
@@ -41,7 +37,6 @@ export const registerSecretVersionRouter = async (server: FastifyZodProvider) =>
         offset: req.query.offset,
         secretId: req.params.secretId
       });
-
       return { secretVersions };
     }
   });

backend/src/ee/routes/v1/snapshot-router.ts

@@ -1,10 +1,10 @@
 import { z } from "zod";
 
-import { SecretSnapshotsSchema } from "@app/db/schemas";
+import { SecretSnapshotsSchema, SecretTagsSchema } from "@app/db/schemas";
 import { PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedTagSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
+import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
@@ -31,9 +31,13 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
             secretVersions: secretRawSchema
               .omit({ _id: true, environment: true, workspace: true, type: true })
               .extend({
-                secretValueHidden: z.boolean(),
                 secretId: z.string(),
-                tags: SanitizedTagSchema.array()
+                tags: SecretTagsSchema.pick({
+                  id: true,
+                  slug: true,
+                  name: true,
+                  color: true
+                }).array()
               })
               .array(),
             folderVersion: z.object({ id: z.string(), name: z.string() }).array(),
@@ -52,7 +56,6 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
         actorOrgId: req.permission.orgId,
         id: req.params.secretSnapshotId
       });
-
       return { secretSnapshot };
     }
   });

backend/src/ee/routes/v1/ssh-certificate-router.ts

@@ -1,9 +1,9 @@
+import ms from "ms";
 import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
 import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
-import { ms } from "@app/lib/ms";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

backend/src/ee/routes/v1/ssh-certificate-template-router.ts

@@ -1,4 +1,5 @@
 import slugify from "@sindresorhus/slugify";
+import ms from "ms";
 import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
@@ -9,7 +10,6 @@ import {
   isValidUserPattern
 } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-validators";
 import { SSH_CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
-import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

backend/src/ee/routes/v1/user-additional-privilege-router.ts

@@ -1,11 +1,10 @@
 import slugify from "@sindresorhus/slugify";
+import ms from "ms";
 import { z } from "zod";
 
-import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-types";
 import { PROJECT_USER_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
-import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
@@ -24,9 +23,7 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
       body: z.object({
         projectMembershipId: z.string().min(1).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.projectMembershipId),
         slug: slugSchema({ min: 1, max: 60 }).optional().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: ProjectPermissionV2Schema.array()
-          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions)
-          .refine(checkForInvalidPermissionCombination),
+        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions),
         type: z.discriminatedUnion("isTemporary", [
           z.object({
             isTemporary: z.literal(false)
@@ -84,8 +81,7 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
           slug: slugSchema({ min: 1, max: 60 }).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.slug),
           permissions: ProjectPermissionV2Schema.array()
             .optional()
-            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.permissions)
-            .refine(checkForInvalidPermissionCombination),
+            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
           type: z.discriminatedUnion("isTemporary", [
             z.object({ isTemporary: z.literal(false).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary) }),
             z.object({

backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts

@@ -1,11 +1,10 @@
 import slugify from "@sindresorhus/slugify";
+import ms from "ms";
 import { z } from "zod";
 
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-types";
-import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
-import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
@@ -31,9 +30,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
         identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.identityId),
         projectId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.projectId),
         slug: slugSchema({ min: 1, max: 60 }).optional().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.slug),
-        permissions: ProjectPermissionV2Schema.array()
-          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.permission)
-          .refine(checkForInvalidPermissionCombination),
+        permissions: ProjectPermissionV2Schema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.permission),
         type: z.discriminatedUnion("isTemporary", [
           z.object({
             isTemporary: z.literal(false)
@@ -97,8 +94,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
         slug: slugSchema({ min: 1, max: 60 }).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.slug),
         permissions: ProjectPermissionV2Schema.array()
           .optional()
-          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.privilegePermission)
-          .refine(checkForInvalidPermissionCombination),
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.privilegePermission),
         type: z.discriminatedUnion("isTemporary", [
           z.object({ isTemporary: z.literal(false).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.isTemporary) }),
           z.object({

backend/src/ee/routes/v2/project-role-router.ts

@@ -2,7 +2,6 @@ import { packRules } from "@casl/ability/extra";
 import { z } from "zod";
 
 import { ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
-import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -38,9 +37,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
           .describe(PROJECT_ROLE.CREATE.slug),
         name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
         description: z.string().trim().nullish().describe(PROJECT_ROLE.CREATE.description),
-        permissions: ProjectPermissionV2Schema.array()
-          .describe(PROJECT_ROLE.CREATE.permissions)
-          .refine(checkForInvalidPermissionCombination)
+        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.CREATE.permissions)
       }),
       response: {
         200: z.object({
@@ -95,10 +92,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
           .describe(PROJECT_ROLE.UPDATE.slug),
         name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
         description: z.string().trim().nullish().describe(PROJECT_ROLE.UPDATE.description),
-        permissions: ProjectPermissionV2Schema.array()
-          .describe(PROJECT_ROLE.UPDATE.permissions)
-          .optional()
-          .superRefine(checkForInvalidPermissionCombination)
+        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
       }),
       response: {
         200: z.object({

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -1,10 +1,9 @@
 import slugify from "@sindresorhus/slugify";
-import msFn from "ms";
+import ms from "ms";
 
 import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
-import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -247,7 +246,7 @@ export const accessApprovalRequestServiceFactory = ({
           requesterEmail: requestedByUser.email,
           isTemporary,
           ...(isTemporary && {
-            expiresIn: msFn(ms(temporaryRange || ""), { long: true })
+            expiresIn: ms(ms(temporaryRange || ""), { long: true })
           }),
           secretPath,
           environment: envSlug,

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -1,10 +1,8 @@
 import { ForbiddenError } from "@casl/ability";
-import { requestContext } from "@fastify/request-context";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
-import { ActorType } from "@app/services/auth/auth-type";
 
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
@@ -83,12 +81,8 @@ export const auditLogServiceFactory = ({
       if (!data.projectId && !data.orgId)
         throw new BadRequestError({ message: "Must specify either project id or org id" });
     }
-    const el = { ...data };
-    if (el.actor.type === ActorType.USER || el.actor.type === ActorType.IDENTITY) {
-      const permissionMetadata = requestContext.get("identityPermissionMetadata");
-      el.actor.metadata.permission = permissionMetadata;
-    }
-    return auditLogQueue.pushToLog(el);
+
+    return auditLogQueue.pushToLog(data);
   };
 
   return {

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -22,7 +22,6 @@ import {
 } from "@app/services/secret-sync/secret-sync-types";
 
 import { KmipPermission } from "../kmip/kmip-enum";
-import { ApprovalStatus } from "../secret-approval-request/secret-approval-request-types";
 
 export type TListProjectAuditLogDTO = {
   filter: {
@@ -166,7 +165,6 @@ export enum EventType {
   SECRET_APPROVAL_REQUEST = "secret-approval-request",
   SECRET_APPROVAL_CLOSED = "secret-approval-closed",
   SECRET_APPROVAL_REOPENED = "secret-approval-reopened",
-  SECRET_APPROVAL_REQUEST_REVIEW = "secret-approval-request-review",
   SIGN_SSH_KEY = "sign-ssh-key",
   ISSUE_SSH_CREDS = "issue-ssh-creds",
   CREATE_SSH_CA = "create-ssh-certificate-authority",
@@ -252,7 +250,6 @@ export enum EventType {
   UPDATE_APP_CONNECTION = "update-app-connection",
   DELETE_APP_CONNECTION = "delete-app-connection",
   CREATE_SHARED_SECRET = "create-shared-secret",
-  CREATE_SECRET_REQUEST = "create-secret-request",
   DELETE_SHARED_SECRET = "delete-shared-secret",
   READ_SHARED_SECRET = "read-shared-secret",
   GET_SECRET_SYNCS = "get-secret-syncs",
@@ -290,7 +287,6 @@ interface UserActorMetadata {
   userId: string;
   email?: string | null;
   username: string;
-  permission?: Record<string, unknown>;
 }
 
 interface ServiceActorMetadata {
@@ -301,7 +297,6 @@ interface ServiceActorMetadata {
 interface IdentityActorMetadata {
   identityId: string;
   name: string;
-  permission?: Record<string, unknown>;
 }
 
 interface ScimClientActorMetadata {}
@@ -980,7 +975,6 @@ interface AddIdentityOidcAuthEvent {
     boundIssuer: string;
     boundAudiences: string;
     boundClaims: Record<string, string>;
-    claimMetadataMapping: Record<string, string>;
     boundSubject: string;
     accessTokenTTL: number;
     accessTokenMaxTTL: number;
@@ -1005,7 +999,6 @@ interface UpdateIdentityOidcAuthEvent {
     boundIssuer?: string;
     boundAudiences?: string;
     boundClaims?: Record<string, string>;
-    claimMetadataMapping?: Record<string, string>;
     boundSubject?: string;
     accessTokenTTL?: number;
     accessTokenMaxTTL?: number;
@@ -1148,7 +1141,6 @@ interface CreateFolderEvent {
     folderId: string;
     folderName: string;
     folderPath: string;
-    description?: string;
   };
 }
 
@@ -1320,16 +1312,6 @@ interface SecretApprovalRequest {
   };
 }
 
-interface SecretApprovalRequestReview {
-  type: EventType.SECRET_APPROVAL_REQUEST_REVIEW;
-  metadata: {
-    secretApprovalRequestId: string;
-    reviewedBy: string;
-    status: ApprovalStatus;
-    comment: string;
-  };
-}
-
 interface SignSshKey {
   type: EventType.SIGN_SSH_KEY;
   metadata: {
@@ -2038,15 +2020,6 @@ interface CreateSharedSecretEvent {
   };
 }
 
-interface CreateSecretRequestEvent {
-  type: EventType.CREATE_SECRET_REQUEST;
-  metadata: {
-    id: string;
-    accessType: string;
-    name?: string;
-  };
-}
-
 interface DeleteSharedSecretEvent {
   type: EventType.DELETE_SHARED_SECRET;
   metadata: {
@@ -2497,6 +2470,4 @@ export type Event =
   | KmipOperationActivateEvent
   | KmipOperationRevokeEvent
   | KmipOperationLocateEvent
-  | KmipOperationRegisterEvent
-  | CreateSecretRequestEvent
-  | SecretApprovalRequestReview;
+  | KmipOperationRegisterEvent;

backend/src/ee/services/dedicated-instance/dedicated-instance-dal.ts

@@ -0,0 +1,28 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify } from "@app/lib/knex";
+
+export type TDedicatedInstanceDALFactory = ReturnType<typeof dedicatedInstanceDALFactory>;
+
+export const dedicatedInstanceDALFactory = (db: TDbClient) => {
+  const dedicatedInstanceOrm = ormify(db, TableName.DedicatedInstances);
+
+  const findInstancesByOrgId = async (orgId: string, tx?: Knex) => {
+    try {
+      const instances = await (tx || db.replicaNode())(TableName.DedicatedInstances)
+        .where({ orgId })
+        .select("*");
+      return instances;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find instances by org ID" });
+    }
+  };
+
+  return {
+    ...dedicatedInstanceOrm,
+    findInstancesByOrgId
+  };
+}; 

backend/src/ee/services/dedicated-instance/dedicated-instance-service.ts

@@ -0,0 +1,470 @@
+import { ForbiddenError } from "@casl/ability";
+import * as cdk from 'aws-cdk-lib';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as rds from 'aws-cdk-lib/aws-rds';
+import * as elasticache from 'aws-cdk-lib/aws-elasticache';
+import * as ecs from 'aws-cdk-lib/aws-ecs';
+import * as ssm from 'aws-cdk-lib/aws-ssm';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import { randomBytes } from 'crypto';
+import { CloudFormationClient, CreateStackCommand, DescribeStacksCommand, DescribeStackEventsCommand } from "@aws-sdk/client-cloudformation";
+
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
+import { TDedicatedInstanceDALFactory } from "./dedicated-instance-dal";
+
+type TDedicatedInstanceServiceFactoryDep = {
+  dedicatedInstanceDAL: TDedicatedInstanceDALFactory;
+  permissionService: TPermissionServiceFactory;
+};
+
+interface CreateInstanceParams {
+  orgId: string;
+  instanceName: string;
+  subdomain: string;
+  region: string;
+  provider: 'aws';
+  publiclyAccessible: boolean;
+  clusterSize: 'small' | 'medium' | 'large';
+  dryRun?: boolean;
+}
+
+interface GetInstanceParams {
+  orgId: string;
+  instanceId: string;
+}
+
+interface StackResource {
+  resourceType: string;
+  resourceStatus: string;
+  resourceStatusReason?: string;
+}
+
+interface StackEvent {
+  timestamp?: Date;
+  logicalResourceId?: string;
+  resourceType?: string;
+  resourceStatus?: string;
+  resourceStatusReason?: string;
+}
+
+interface InstanceDetails {
+  instance: Awaited<ReturnType<TDedicatedInstanceDALFactory["findById"]>>;
+  stackStatus?: string;
+  stackStatusReason?: string;
+  resources?: StackResource[];
+  events?: StackEvent[];
+}
+
+export type TDedicatedInstanceServiceFactory = ReturnType<typeof dedicatedInstanceServiceFactory>;
+
+const CLUSTER_SIZES = {
+  small: {
+    containerCpu: 1024,  // 1 vCPU
+    containerMemory: 2048,  // 2GB
+    rdsInstanceType: 'db.t3.small',
+    elasticCacheType: 'cache.t3.micro',
+    desiredContainerCount: 1,
+    displayName: '1 vCPU, 2GB RAM'
+  },
+  medium: {
+    containerCpu: 2048,  // 2 vCPU
+    containerMemory: 4096,  // 4GB
+    rdsInstanceType: 'db.t3.medium',
+    elasticCacheType: 'cache.t3.small',
+    desiredContainerCount: 2,
+    displayName: '2 vCPU, 4GB RAM'
+  },
+  large: {
+    containerCpu: 4096,  // 4 vCPU
+    containerMemory: 8192,  // 8GB
+    rdsInstanceType: 'db.t3.large',
+    elasticCacheType: 'cache.t3.medium',
+    desiredContainerCount: 4,
+    displayName: '4 vCPU, 8GB RAM'
+  }
+};
+
+export const dedicatedInstanceServiceFactory = ({
+  dedicatedInstanceDAL,
+  permissionService
+}: TDedicatedInstanceServiceFactoryDep) => {
+  const listInstances = async ({
+    orgId
+  }: {
+    orgId: string;
+  }) => {
+    const instances = await dedicatedInstanceDAL.findInstancesByOrgId(orgId);
+    return instances;
+  };
+
+  const createInstance = async (params: CreateInstanceParams) => {
+    const { orgId, instanceName, subdomain, region, publiclyAccessible, dryRun = false, clusterSize = 'small' } = params;
+
+    if (params.provider !== 'aws') {
+      throw new BadRequestError({ message: 'Only AWS provider is supported' });
+    }
+
+    const clusterConfig = CLUSTER_SIZES[clusterSize];
+
+    // Configure AWS SDK with environment variables
+    const awsConfig = {
+      credentials: {
+        accessKeyId: process.env.AWS_ACCESS_KEY_ID || '',
+        secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY || '',
+      },
+      region: region,
+    };
+
+    if (!awsConfig.credentials.accessKeyId || !awsConfig.credentials.secretAccessKey) {
+      throw new Error('AWS credentials not found in environment variables');
+    }
+
+    const internalTags = {
+      'managed-by': 'infisical',
+      'organization-id': orgId,
+      'instance-name': instanceName
+    };
+
+    // Create the instance record with expanded configuration
+    const instance = await dedicatedInstanceDAL.create({
+      orgId,
+      instanceName,
+      subdomain,
+      status: "PROVISIONING",
+      region,
+      rdsInstanceType: clusterConfig.rdsInstanceType,
+      elasticCacheType: clusterConfig.elasticCacheType,
+      elasticContainerMemory: clusterConfig.containerMemory,
+      elasticContainerCpu: clusterConfig.containerCpu,
+      publiclyAccessible,
+      tags: internalTags,
+      version: "1.0.0",
+      multiAz: true,
+      rdsAllocatedStorage: 50,
+      rdsBackupRetentionDays: 7,
+      redisNumCacheNodes: 1,
+      desiredContainerCount: clusterConfig.desiredContainerCount,
+      subnetIds: [],
+      securityGroupIds: []
+    });
+
+    // Generate unique names for resources
+    const stackName = `infisical-dedicated-${instance.id}`;
+    const dbPassword = randomBytes(32).toString('hex');
+    
+    // Create CDK app and stack
+    const app = new cdk.App();
+    const stack = new cdk.Stack(app, stackName, {
+      env: { region },
+      tags: internalTags,
+      synthesizer: new cdk.DefaultStackSynthesizer({
+        generateBootstrapVersionRule: false,
+      })
+    });
+
+    // Create VPC
+    const vpc = new ec2.Vpc(stack, `${orgId}-${instanceName}-vpc`, {
+      maxAzs: 2,
+      natGateways: 1,
+      subnetConfiguration: [
+        {
+          name: 'Public',
+          subnetType: ec2.SubnetType.PUBLIC,
+          cidrMask: 24,
+        },
+        {
+          name: 'Private',
+          subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
+          cidrMask: 24,
+        },
+      ],
+    });
+
+    // Create RDS instance
+    const dbSecurityGroup = new ec2.SecurityGroup(stack, `${orgId}-${instanceName}-db-sg`, {
+      vpc,
+      description: `Security group for ${instanceName} RDS instance`,
+    });
+
+    const db = new rds.DatabaseInstance(stack, `${orgId}-${instanceName}-db`, {
+      vpc,
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
+      engine: rds.DatabaseInstanceEngine.postgres({
+        version: rds.PostgresEngineVersion.VER_14,
+      }),
+      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MEDIUM),
+      securityGroups: [dbSecurityGroup],
+      credentials: rds.Credentials.fromPassword(
+        'postgres',
+        cdk.SecretValue.unsafePlainText(dbPassword)
+      ),
+      multiAz: true,
+      allocatedStorage: 50,
+      backupRetention: cdk.Duration.days(7),
+    });
+
+    // Create Redis cluster
+    const redisSecurityGroup = new ec2.SecurityGroup(stack, `${orgId}-${instanceName}-redis-sg`, {
+      vpc,
+      description: `Security group for ${instanceName} Redis cluster`,
+    });
+
+    const redisSubnetGroup = new elasticache.CfnSubnetGroup(stack, `${orgId}-${instanceName}-redis-subnet`, {
+      subnetIds: vpc.privateSubnets.map((subnet: ec2.ISubnet) => subnet.subnetId),
+      description: `Subnet group for ${instanceName} Redis cluster`,
+    });
+
+    const redis = new elasticache.CfnCacheCluster(stack, `${orgId}-${instanceName}-redis`, {
+      engine: 'redis',
+      cacheNodeType: 'cache.t3.micro',
+      numCacheNodes: 1,
+      vpcSecurityGroupIds: [redisSecurityGroup.securityGroupId],
+      cacheSubnetGroupName: redisSubnetGroup.ref,
+    });
+
+    // Create ECS Fargate cluster and service
+    const cluster = new ecs.Cluster(stack, `${orgId}-${instanceName}-cluster`, { vpc });
+
+    // Create task execution role with permissions to read from Parameter Store
+    const executionRole = new iam.Role(stack, `${orgId}-${instanceName}-execution-role`, {
+      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+    });
+    executionRole.addManagedPolicy(
+      iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonECSTaskExecutionRolePolicy')
+    );
+
+    // Create ECS task definition and service
+    const taskDefinition = new ecs.FargateTaskDefinition(stack, `${orgId}-${instanceName}-task-def`, {
+      memoryLimitMiB: clusterConfig.containerMemory,
+      cpu: clusterConfig.containerCpu,
+      executionRole,
+    });
+
+    taskDefinition.addContainer('infisical', {
+      image: ecs.ContainerImage.fromRegistry('infisical/infisical:latest-postgres'),
+      environment: {
+        NODE_ENV: 'production',
+        ENCRYPTION_KEY: randomBytes(16).toString('hex'),
+        AUTH_SECRET: randomBytes(32).toString('base64'),
+        DB_CONNECTION_URI: `postgresql://postgres:${dbPassword}@${db.instanceEndpoint.hostname}:5432/postgres?sslmode=no-verify`,
+        REDIS_URL: `redis://${redis.attrRedisEndpointAddress}:${redis.attrRedisEndpointPort}`,
+      },
+      logging: ecs.LogDrivers.awsLogs({ streamPrefix: stackName }),
+    });
+
+    const service = new ecs.FargateService(stack, `${orgId}-${instanceName}-service`, {
+      cluster,
+      taskDefinition,
+      desiredCount: clusterConfig.desiredContainerCount,
+      assignPublicIp: publiclyAccessible,
+      vpcSubnets: {
+        subnetType: publiclyAccessible ? ec2.SubnetType.PUBLIC : ec2.SubnetType.PRIVATE_WITH_EGRESS,
+      },
+    });
+
+    // Create security group for ECS service
+    const ecsSecurityGroup = new ec2.SecurityGroup(stack, `${orgId}-${instanceName}-ecs-sg`, {
+      vpc,
+      description: `Security group for ${instanceName} ECS service`,
+      allowAllOutbound: true,
+    });
+
+    // Update service to use the security group
+    service.connections.addSecurityGroup(ecsSecurityGroup);
+
+    // Configure security group rules for RDS access
+    dbSecurityGroup.addIngressRule(
+      ecsSecurityGroup,
+      ec2.Port.tcp(5432),
+      'Allow ECS tasks to connect to PostgreSQL'
+    );
+
+    // Configure security group rules for Redis access
+    redisSecurityGroup.addIngressRule(
+      ecsSecurityGroup,
+      ec2.Port.tcp(6379),
+      'Allow ECS tasks to connect to Redis'
+    );
+
+    // Add outputs for resource IDs
+    new cdk.CfnOutput(stack, 'vpcid', { value: vpc.vpcId });
+    new cdk.CfnOutput(stack, 'publicsubnet1id', { value: vpc.publicSubnets[0].subnetId });
+    new cdk.CfnOutput(stack, 'publicsubnet2id', { value: vpc.publicSubnets[1].subnetId });
+    new cdk.CfnOutput(stack, 'privatesubnet1id', { value: vpc.privateSubnets[0].subnetId });
+    new cdk.CfnOutput(stack, 'privatesubnet2id', { value: vpc.privateSubnets[1].subnetId });
+    new cdk.CfnOutput(stack, 'rdsinstanceid', { value: db.instanceIdentifier });
+    new cdk.CfnOutput(stack, 'redisclusterid', { value: redis.ref });
+    new cdk.CfnOutput(stack, 'ecsclusterarn', { value: cluster.clusterArn });
+    new cdk.CfnOutput(stack, 'ecsservicearn', { value: service.serviceArn });
+    new cdk.CfnOutput(stack, 'dbsecuritygroupid', { value: dbSecurityGroup.securityGroupId });
+    new cdk.CfnOutput(stack, 'redissecuritygroupid', { value: redisSecurityGroup.securityGroupId });
+
+    // After VPC creation, store subnet IDs
+    const subnetIds = [
+      ...vpc.publicSubnets.map(subnet => subnet.subnetId),
+      ...vpc.privateSubnets.map(subnet => subnet.subnetId)
+    ];
+
+    // After security group creation, store security group IDs
+    const securityGroupIds = [
+      dbSecurityGroup.securityGroupId,
+      redisSecurityGroup.securityGroupId
+    ];
+
+    // Update instance with all infrastructure details
+    await dedicatedInstanceDAL.updateById(instance.id, {
+      stackName,
+      status: "PROVISIONING",
+      // Remove the token values and update them after stack creation
+      rdsInstanceId: null,
+      redisClusterId: null,
+      ecsClusterArn: null,
+      ecsServiceArn: null,
+      vpcId: null,
+      subnetIds: null,
+      securityGroupIds: null
+    });
+
+    // Deploy the stack
+    const deployment = app.synth();
+    
+    if (dryRun) {
+      console.log('Dry run - would create stack with template:', JSON.stringify(deployment.getStackArtifact(stackName).template, null, 2));
+      return instance;
+    }
+
+    // Deploy the CloudFormation stack
+    try {
+      const cfnClient = new CloudFormationClient(awsConfig);
+      const command = new CreateStackCommand({
+        StackName: stackName,
+        TemplateBody: JSON.stringify(deployment.getStackArtifact(stackName).template),
+        Capabilities: ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"],
+        Tags: Object.entries(internalTags).map(([Key, Value]) => ({ Key, Value }))
+      });
+
+      await cfnClient.send(command);
+    } catch (error) {
+      await dedicatedInstanceDAL.updateById(instance.id, {
+        status: "FAILED",
+        error: error instanceof Error ? error.message : 'Unknown error occurred'
+      });
+      throw error;
+    }
+
+    return instance;
+  };
+
+  const getInstance = async ({ orgId, instanceId }: GetInstanceParams): Promise<InstanceDetails> => {
+    const instance = await dedicatedInstanceDAL.findById(instanceId);
+    
+    if (!instance) {
+      throw new NotFoundError({ message: "Instance not found" });
+    }
+
+    if (instance.orgId !== orgId) {
+      throw new BadRequestError({ message: "Not authorized to access this instance" });
+    }
+
+    // Get CloudFormation stack status
+    try {
+      const awsConfig = {
+        credentials: {
+          accessKeyId: process.env.AWS_ACCESS_KEY_ID || '',
+          secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY || '',
+        },
+        region: instance.region,
+      };
+
+      if (!awsConfig.credentials.accessKeyId || !awsConfig.credentials.secretAccessKey) {
+        throw new Error('AWS credentials not found in environment variables');
+      }
+
+      const cfnClient = new CloudFormationClient(awsConfig);
+      
+      // Get stack status
+      const stackResponse = await cfnClient.send(new DescribeStacksCommand({
+        StackName: instance.stackName
+      }));
+      const stack = stackResponse.Stacks?.[0];
+
+      if (!stack) {
+        return { instance };
+      }
+
+      // Get stack events for progress tracking
+      const eventsResponse = await cfnClient.send(new DescribeStackEventsCommand({
+        StackName: instance.stackName
+      }));
+      const events = eventsResponse.StackEvents?.map(event => ({
+        timestamp: event.Timestamp,
+        logicalResourceId: event.LogicalResourceId,
+        resourceType: event.ResourceType,
+        resourceStatus: event.ResourceStatus,
+        resourceStatusReason: event.ResourceStatusReason
+      })).sort((a, b) => (b.timestamp?.getTime() || 0) - (a.timestamp?.getTime() || 0)) || [];
+
+      const stackStatus = stack.StackStatus || '';
+      let updates: Record<string, any> = {};
+
+      // Process outputs when stack is complete
+      if (stackStatus === 'CREATE_COMPLETE') {
+        const outputs = stack.Outputs || [];
+        const getOutput = (key: string) => outputs.find(o => o.OutputKey?.toLowerCase() === key.toLowerCase())?.OutputValue;
+
+        updates = {
+          status: 'RUNNING',
+          vpcId: getOutput('vpcid'),
+          subnetIds: [
+            getOutput('publicsubnet1id'),
+            getOutput('publicsubnet2id'),
+            getOutput('privatesubnet1id'),
+            getOutput('privatesubnet2id')
+          ].filter(Boolean) as string[],
+          rdsInstanceId: getOutput('rdsinstanceid'),
+          redisClusterId: getOutput('redisclusterid'),
+          ecsClusterArn: getOutput('ecsclusterarn'),
+          ecsServiceArn: getOutput('ecsservicearn'),
+          securityGroupIds: [
+            getOutput('dbsecuritygroupid'),
+            getOutput('redissecuritygroupid')
+          ].filter(Boolean) as string[]
+        };
+      } else if (stackStatus.includes('FAILED')) {
+        updates = {
+          status: 'FAILED',
+          error: stack.StackStatusReason
+        };
+      }
+
+      // Update instance if we have changes
+      if (Object.keys(updates).length > 0) {
+        await dedicatedInstanceDAL.updateById(instance.id, updates);
+      }
+
+      return {
+        instance: {
+          ...instance,
+          ...updates
+        },
+        stackStatus: stack.StackStatus,
+        stackStatusReason: stack.StackStatusReason,
+        events
+      };
+
+    } catch (error) {
+      // Log the error but don't throw - we still want to return the instance details
+      console.error('Error fetching CloudFormation stack status:', error);
+    }
+
+    return { instance };
+  };
+
+  return {
+    listInstances,
+    createInstance,
+    getInstance
+  };
+}; 

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,4 +1,5 @@
 import { ForbiddenError, subject } from "@casl/ability";
+import ms from "ms";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
@@ -10,7 +11,6 @@ import {
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
-import { ms } from "@app/lib/ms";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";

backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts

@@ -1,31 +1,20 @@
-import crypto from "node:crypto";
-
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { getDbConnectionHost } from "@app/lib/knex";
 
-export const verifyHostInputValidity = (host: string, isGateway = false) => {
+export const verifyHostInputValidity = (host: string) => {
   const appCfg = getConfig();
   const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
-  // no need for validation when it's dev
-  if (appCfg.NODE_ENV === "development") return;
-
-  if (host === "host.docker.internal") throw new BadRequestError({ message: "Invalid db host" });
 
   if (
     appCfg.isCloud &&
-    !isGateway &&
     // localhost
     // internal ips
-    (host.match(/^10\.\d+\.\d+\.\d+/) || host.match(/^192\.168\.\d+\.\d+/))
+    (host === "host.docker.internal" || host.match(/^10\.\d+\.\d+\.\d+/) || host.match(/^192\.168\.\d+\.\d+/))
   )
     throw new BadRequestError({ message: "Invalid db host" });
 
-  if (
-    host === "localhost" ||
-    host === "127.0.0.1" ||
-    (dbHost?.length === host.length && crypto.timingSafeEqual(Buffer.from(dbHost || ""), Buffer.from(host)))
-  ) {
+  if (host === "localhost" || host === "127.0.0.1" || dbHost === host) {
     throw new BadRequestError({ message: "Invalid db host" });
   }
 };

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -16,7 +16,6 @@ import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-fold
 
 import { TDynamicSecretLeaseDALFactory } from "../dynamic-secret-lease/dynamic-secret-lease-dal";
 import { TDynamicSecretLeaseQueueServiceFactory } from "../dynamic-secret-lease/dynamic-secret-lease-queue";
-import { TProjectGatewayDALFactory } from "../gateway/project-gateway-dal";
 import { TDynamicSecretDALFactory } from "./dynamic-secret-dal";
 import {
   DynamicSecretStatus,
@@ -45,7 +44,6 @@ type TDynamicSecretServiceFactoryDep = {
   projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
-  projectGatewayDAL: Pick<TProjectGatewayDALFactory, "findOne">;
 };
 
 export type TDynamicSecretServiceFactory = ReturnType<typeof dynamicSecretServiceFactory>;
@@ -59,8 +57,7 @@ export const dynamicSecretServiceFactory = ({
   permissionService,
   dynamicSecretQueueService,
   projectDAL,
-  kmsService,
-  projectGatewayDAL
+  kmsService
 }: TDynamicSecretServiceFactoryDep) => {
   const create = async ({
     path,
@@ -111,18 +108,6 @@ export const dynamicSecretServiceFactory = ({
     const selectedProvider = dynamicSecretProviders[provider.type];
     const inputs = await selectedProvider.validateProviderInputs(provider.inputs);
 
-    let selectedGatewayId: string | null = null;
-    if (inputs && typeof inputs === "object" && "projectGatewayId" in inputs && inputs.projectGatewayId) {
-      const projectGatewayId = inputs.projectGatewayId as string;
-
-      const projectGateway = await projectGatewayDAL.findOne({ id: projectGatewayId, projectId });
-      if (!projectGateway)
-        throw new NotFoundError({
-          message: `Project gateway with ${projectGatewayId} not found`
-        });
-      selectedGatewayId = projectGateway.id;
-    }
-
     const isConnected = await selectedProvider.validateConnection(provider.inputs);
     if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });
 
@@ -138,8 +123,7 @@ export const dynamicSecretServiceFactory = ({
       maxTTL,
       defaultTTL,
       folderId: folder.id,
-      name,
-      projectGatewayId: selectedGatewayId
+      name
     });
     return dynamicSecretCfg;
   };
@@ -211,23 +195,6 @@ export const dynamicSecretServiceFactory = ({
     const newInput = { ...decryptedStoredInput, ...(inputs || {}) };
     const updatedInput = await selectedProvider.validateProviderInputs(newInput);
 
-    let selectedGatewayId: string | null = null;
-    if (
-      updatedInput &&
-      typeof updatedInput === "object" &&
-      "projectGatewayId" in updatedInput &&
-      updatedInput?.projectGatewayId
-    ) {
-      const projectGatewayId = updatedInput.projectGatewayId as string;
-
-      const projectGateway = await projectGatewayDAL.findOne({ id: projectGatewayId, projectId });
-      if (!projectGateway)
-        throw new NotFoundError({
-          message: `Project gateway with ${projectGatewayId} not found`
-        });
-      selectedGatewayId = projectGateway.id;
-    }
-
     const isConnected = await selectedProvider.validateConnection(newInput);
     if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });
 
@@ -237,8 +204,7 @@ export const dynamicSecretServiceFactory = ({
       defaultTTL,
       name: newName ?? name,
       status: null,
-      statusDetails: null,
-      projectGatewayId: selectedGatewayId
+      statusDetails: null
     });
 
     return updatedDynamicCfg;

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -1,6 +1,5 @@
 import { SnowflakeProvider } from "@app/ee/services/dynamic-secret/providers/snowflake";
 
-import { TGatewayServiceFactory } from "../../gateway/gateway-service";
 import { AwsElastiCacheDatabaseProvider } from "./aws-elasticache";
 import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
@@ -17,14 +16,8 @@ import { SapHanaProvider } from "./sap-hana";
 import { SqlDatabaseProvider } from "./sql-database";
 import { TotpProvider } from "./totp";
 
-type TBuildDynamicSecretProviderDTO = {
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTls">;
-};
-
-export const buildDynamicSecretProviders = ({
-  gatewayService
-}: TBuildDynamicSecretProviderDTO): Record<DynamicSecretProviders, TDynamicProviderFns> => ({
-  [DynamicSecretProviders.SqlDatabase]: SqlDatabaseProvider({ gatewayService }),
+export const buildDynamicSecretProviders = (): Record<DynamicSecretProviders, TDynamicProviderFns> => ({
+  [DynamicSecretProviders.SqlDatabase]: SqlDatabaseProvider(),
   [DynamicSecretProviders.Cassandra]: CassandraProvider(),
   [DynamicSecretProviders.AwsIam]: AwsIamProvider(),
   [DynamicSecretProviders.Redis]: RedisDatabaseProvider(),

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -1,16 +1,5 @@
 import { z } from "zod";
 
-export type PasswordRequirements = {
-  length: number;
-  required: {
-    lowercase: number;
-    uppercase: number;
-    digits: number;
-    symbols: number;
-  };
-  allowedSymbols?: string;
-};
-
 export enum SqlProviders {
   Postgres = "postgres",
   MySQL = "mysql2",
@@ -111,33 +100,10 @@ export const DynamicSecretSqlDBSchema = z.object({
   database: z.string().trim(),
   username: z.string().trim(),
   password: z.string().trim(),
-  passwordRequirements: z
-    .object({
-      length: z.number().min(1).max(250),
-      required: z
-        .object({
-          lowercase: z.number().min(0),
-          uppercase: z.number().min(0),
-          digits: z.number().min(0),
-          symbols: z.number().min(0)
-        })
-        .refine((data) => {
-          const total = Object.values(data).reduce((sum, count) => sum + count, 0);
-          return total <= 250;
-        }, "Sum of required characters cannot exceed 250"),
-      allowedSymbols: z.string().optional()
-    })
-    .refine((data) => {
-      const total = Object.values(data.required).reduce((sum, count) => sum + count, 0);
-      return total <= data.length;
-    }, "Sum of required characters cannot exceed the total length")
-    .optional()
-    .describe("Password generation requirements"),
   creationStatement: z.string().trim(),
   revocationStatement: z.string().trim(),
   renewStatement: z.string().trim().optional(),
-  ca: z.string().optional(),
-  projectGatewayId: z.string().nullable().optional()
+  ca: z.string().optional()
 });
 
 export const DynamicSecretCassandraSchema = z.object({

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -1,106 +1,21 @@
-import { randomInt } from "crypto";
 import handlebars from "handlebars";
 import knex from "knex";
+import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
-import { TGatewayServiceFactory } from "../../gateway/gateway-service";
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
-import { DynamicSecretSqlDBSchema, PasswordRequirements, SqlProviders, TDynamicProviderFns } from "./models";
+import { DynamicSecretSqlDBSchema, SqlProviders, TDynamicProviderFns } from "./models";
 
 const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
 
-const DEFAULT_PASSWORD_REQUIREMENTS = {
-  length: 48,
-  required: {
-    lowercase: 1,
-    uppercase: 1,
-    digits: 1,
-    symbols: 0
-  },
-  allowedSymbols: "-_.~!*"
-};
+const generatePassword = (provider: SqlProviders) => {
+  // oracle has limit of 48 password length
+  const size = provider === SqlProviders.Oracle ? 30 : 48;
 
-const ORACLE_PASSWORD_REQUIREMENTS = {
-  ...DEFAULT_PASSWORD_REQUIREMENTS,
-  length: 30
-};
-
-const generatePassword = (provider: SqlProviders, requirements?: PasswordRequirements) => {
-  const defaultReqs = provider === SqlProviders.Oracle ? ORACLE_PASSWORD_REQUIREMENTS : DEFAULT_PASSWORD_REQUIREMENTS;
-  const finalReqs = requirements || defaultReqs;
-
-  try {
-    const { length, required, allowedSymbols } = finalReqs;
-
-    const chars = {
-      lowercase: "abcdefghijklmnopqrstuvwxyz",
-      uppercase: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
-      digits: "0123456789",
-      symbols: allowedSymbols || "-_.~!*"
-    };
-
-    const parts: string[] = [];
-
-    if (required.lowercase > 0) {
-      parts.push(
-        ...Array(required.lowercase)
-          .fill(0)
-          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
-      );
-    }
-
-    if (required.uppercase > 0) {
-      parts.push(
-        ...Array(required.uppercase)
-          .fill(0)
-          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
-      );
-    }
-
-    if (required.digits > 0) {
-      parts.push(
-        ...Array(required.digits)
-          .fill(0)
-          .map(() => chars.digits[randomInt(chars.digits.length)])
-      );
-    }
-
-    if (required.symbols > 0) {
-      parts.push(
-        ...Array(required.symbols)
-          .fill(0)
-          .map(() => chars.symbols[randomInt(chars.symbols.length)])
-      );
-    }
-
-    const requiredTotal = Object.values(required).reduce<number>((a, b) => a + b, 0);
-    const remainingLength = Math.max(length - requiredTotal, 0);
-
-    const allowedChars = Object.entries(chars)
-      .filter(([key]) => required[key as keyof typeof required] > 0)
-      .map(([, value]) => value)
-      .join("");
-
-    parts.push(
-      ...Array(remainingLength)
-        .fill(0)
-        .map(() => allowedChars[randomInt(allowedChars.length)])
-    );
-
-    // shuffle the array to mix up the characters
-    for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = randomInt(i + 1);
-      [parts[i], parts[j]] = [parts[j], parts[i]];
-    }
-
-    return parts.join("");
-  } catch (error: unknown) {
-    const message = error instanceof Error ? error.message : "Unknown error";
-    throw new Error(`Failed to generate password: ${message}`);
-  }
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
+  return customAlphabet(charset, 48)(size);
 };
 
 const generateUsername = (provider: SqlProviders) => {
@@ -110,14 +25,10 @@ const generateUsername = (provider: SqlProviders) => {
   return alphaNumericNanoId(32);
 };
 
-type TSqlDatabaseProviderDTO = {
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTls">;
-};
-
-export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO): TDynamicProviderFns => {
+export const SqlDatabaseProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretSqlDBSchema.parseAsync(inputs);
-    verifyHostInputValidity(providerInputs.host, Boolean(providerInputs.projectGatewayId));
+    verifyHostInputValidity(providerInputs.host);
     return providerInputs;
   };
 
@@ -134,6 +45,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
         user: providerInputs.username,
         password: providerInputs.password,
         ssl,
+        pool: { min: 0, max: 1 },
         // @ts-expect-error this is because of knexjs type signature issue. This is directly passed to driver
         // https://github.com/knex/knex/blob/b6507a7129d2b9fafebf5f831494431e64c6a8a0/lib/dialects/mssql/index.js#L66
         // https://github.com/tediousjs/tedious/blob/ebb023ed90969a7ec0e4b036533ad52739d921f7/test/config.ci.ts#L19
@@ -149,112 +61,61 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
     return db;
   };
 
-  const gatewayProxyWrapper = async (
-    providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>,
-    gatewayCallback: (host: string, port: number) => Promise<void>
-  ) => {
-    const relayDetails = await gatewayService.fnGetGatewayClientTls(providerInputs.projectGatewayId as string);
-    const [relayHost, relayPort] = relayDetails.relayAddress.split(":");
-    await withGatewayProxy(
-      async (port) => {
-        await gatewayCallback("localhost", port);
-      },
-      {
-        targetHost: providerInputs.host,
-        targetPort: providerInputs.port,
-        relayHost,
-        relayPort: Number(relayPort),
-        identityId: relayDetails.identityId,
-        orgId: relayDetails.orgId,
-        tlsOptions: {
-          ca: relayDetails.certChain,
-          cert: relayDetails.certificate,
-          key: relayDetails.privateKey.toString()
-        }
-      }
-    );
-  };
-
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    let isConnected = false;
-    const gatewayCallback = async (host = providerInputs.host, port = providerInputs.port) => {
-      const db = await $getClient({ ...providerInputs, port, host });
-      // oracle needs from keyword
-      const testStatement = providerInputs.client === SqlProviders.Oracle ? "SELECT 1 FROM DUAL" : "SELECT 1";
+    const db = await $getClient(providerInputs);
+    // oracle needs from keyword
+    const testStatement = providerInputs.client === SqlProviders.Oracle ? "SELECT 1 FROM DUAL" : "SELECT 1";
 
-      isConnected = await db.raw(testStatement).then(() => true);
-      await db.destroy();
-    };
-
-    if (providerInputs.projectGatewayId) {
-      await gatewayProxyWrapper(providerInputs, gatewayCallback);
-    } else {
-      await gatewayCallback();
-    }
+    const isConnected = await db.raw(testStatement).then(() => true);
+    await db.destroy();
     return isConnected;
   };
 
   const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
+    const db = await $getClient(providerInputs);
+
     const username = generateUsername(providerInputs.client);
-    const password = generatePassword(providerInputs.client, providerInputs.passwordRequirements);
-    const gatewayCallback = async (host = providerInputs.host, port = providerInputs.port) => {
-      const db = await $getClient({ ...providerInputs, port, host });
-      try {
-        const { database } = providerInputs;
-        const expiration = new Date(expireAt).toISOString();
+    const password = generatePassword(providerInputs.client);
+    const { database } = providerInputs;
+    const expiration = new Date(expireAt).toISOString();
 
-        const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
-          username,
-          password,
-          expiration,
-          database
-        });
+    const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
+      username,
+      password,
+      expiration,
+      database
+    });
 
-        const queries = creationStatement.toString().split(";").filter(Boolean);
-        await db.transaction(async (tx) => {
-          for (const query of queries) {
-            // eslint-disable-next-line
-            await tx.raw(query);
-          }
-        });
-      } finally {
-        await db.destroy();
+    const queries = creationStatement.toString().split(";").filter(Boolean);
+    await db.transaction(async (tx) => {
+      for (const query of queries) {
+        // eslint-disable-next-line
+        await tx.raw(query);
       }
-    };
-    if (providerInputs.projectGatewayId) {
-      await gatewayProxyWrapper(providerInputs, gatewayCallback);
-    } else {
-      await gatewayCallback();
-    }
+    });
+    await db.destroy();
     return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
   };
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
+    const db = await $getClient(providerInputs);
+
     const username = entityId;
     const { database } = providerInputs;
-    const gatewayCallback = async (host = providerInputs.host, port = providerInputs.port) => {
-      const db = await $getClient({ ...providerInputs, port, host });
-      try {
-        const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, database });
-        const queries = revokeStatement.toString().split(";").filter(Boolean);
-        await db.transaction(async (tx) => {
-          for (const query of queries) {
-            // eslint-disable-next-line
-            await tx.raw(query);
-          }
-        });
-      } finally {
-        await db.destroy();
+
+    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, database });
+    const queries = revokeStatement.toString().split(";").filter(Boolean);
+    await db.transaction(async (tx) => {
+      for (const query of queries) {
+        // eslint-disable-next-line
+        await tx.raw(query);
       }
-    };
-    if (providerInputs.projectGatewayId) {
-      await gatewayProxyWrapper(providerInputs, gatewayCallback);
-    } else {
-      await gatewayCallback();
-    }
+    });
+
+    await db.destroy();
     return { entityId: username };
   };
 
@@ -262,35 +123,28 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
     const providerInputs = await validateProviderInputs(inputs);
     if (!providerInputs.renewStatement) return { entityId };
 
-    const gatewayCallback = async (host = providerInputs.host, port = providerInputs.port) => {
-      const db = await $getClient({ ...providerInputs, port, host });
-      const expiration = new Date(expireAt).toISOString();
-      const { database } = providerInputs;
+    const db = await $getClient(providerInputs);
 
-      const renewStatement = handlebars.compile(providerInputs.renewStatement)({
-        username: entityId,
-        expiration,
-        database
-      });
-      try {
-        if (renewStatement) {
-          const queries = renewStatement.toString().split(";").filter(Boolean);
-          await db.transaction(async (tx) => {
-            for (const query of queries) {
-              // eslint-disable-next-line
-              await tx.raw(query);
-            }
-          });
+    const expiration = new Date(expireAt).toISOString();
+    const { database } = providerInputs;
+
+    const renewStatement = handlebars.compile(providerInputs.renewStatement)({
+      username: entityId,
+      expiration,
+      database
+    });
+
+    if (renewStatement) {
+      const queries = renewStatement.toString().split(";").filter(Boolean);
+      await db.transaction(async (tx) => {
+        for (const query of queries) {
+          // eslint-disable-next-line
+          await tx.raw(query);
         }
-      } finally {
-        await db.destroy();
-      }
-    };
-    if (providerInputs.projectGatewayId) {
-      await gatewayProxyWrapper(providerInputs, gatewayCallback);
-    } else {
-      await gatewayCallback();
+      });
     }
+
+    await db.destroy();
     return { entityId };
   };
 

backend/src/ee/services/gateway/gateway-dal.ts

@@ -1,86 +0,0 @@
-import { Knex } from "knex";
-
-import { TDbClient } from "@app/db";
-import { GatewaysSchema, TableName, TGateways } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import {
-  buildFindFilter,
-  ormify,
-  selectAllTableCols,
-  sqlNestRelationships,
-  TFindFilter,
-  TFindOpt
-} from "@app/lib/knex";
-
-export type TGatewayDALFactory = ReturnType<typeof gatewayDALFactory>;
-
-export const gatewayDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.Gateway);
-
-  const find = async (filter: TFindFilter<TGateways>, { offset, limit, sort, tx }: TFindOpt<TGateways> = {}) => {
-    try {
-      const query = (tx || db)(TableName.Gateway)
-        // eslint-disable-next-line @typescript-eslint/no-misused-promises
-        .where(buildFindFilter(filter))
-        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.Gateway}.identityId`)
-        .leftJoin(TableName.ProjectGateway, `${TableName.ProjectGateway}.gatewayId`, `${TableName.Gateway}.id`)
-        .leftJoin(TableName.Project, `${TableName.Project}.id`, `${TableName.ProjectGateway}.projectId`)
-        .select(selectAllTableCols(TableName.Gateway))
-        .select(
-          db.ref("name").withSchema(TableName.Identity).as("identityName"),
-          db.ref("name").withSchema(TableName.Project).as("projectName"),
-          db.ref("slug").withSchema(TableName.Project).as("projectSlug"),
-          db.ref("id").withSchema(TableName.Project).as("projectId")
-        );
-      if (limit) void query.limit(limit);
-      if (offset) void query.offset(offset);
-      if (sort) {
-        void query.orderBy(sort.map(([column, order, nulls]) => ({ column: column as string, order, nulls })));
-      }
-
-      const docs = await query;
-      return sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (data) => ({
-          ...GatewaysSchema.parse(data),
-          identity: { id: data.identityId, name: data.identityName }
-        }),
-        childrenMapper: [
-          {
-            key: "projectId",
-            label: "projects" as const,
-            mapper: ({ projectId, projectName, projectSlug }) => ({
-              id: projectId,
-              name: projectName,
-              slug: projectSlug
-            })
-          }
-        ]
-      });
-    } catch (error) {
-      throw new DatabaseError({ error, name: `${TableName.Gateway}: Find` });
-    }
-  };
-
-  const findByProjectId = async (projectId: string, tx?: Knex) => {
-    try {
-      const query = (tx || db)(TableName.Gateway)
-        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.Gateway}.identityId`)
-        .join(TableName.ProjectGateway, `${TableName.ProjectGateway}.gatewayId`, `${TableName.Gateway}.id`)
-        .select(selectAllTableCols(TableName.Gateway))
-        .select(
-          db.ref("name").withSchema(TableName.Identity).as("identityName"),
-          db.ref("id").withSchema(TableName.ProjectGateway).as("projectGatewayId")
-        )
-        .where({ [`${TableName.ProjectGateway}.projectId` as "projectId"]: projectId });
-
-      const docs = await query;
-      return docs.map((el) => ({ ...el, identity: { id: el.identityId, name: el.identityName } }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: `${TableName.Gateway}: Find by project id` });
-    }
-  };
-
-  return { ...orm, find, findByProjectId };
-};

backend/src/ee/services/gateway/gateway-service.ts

@@ -1,652 +0,0 @@
-import crypto from "node:crypto";
-
-import { ForbiddenError } from "@casl/ability";
-import * as x509 from "@peculiar/x509";
-import { z } from "zod";
-
-import { ActionProjectType } from "@app/db/schemas";
-import { KeyStorePrefixes, PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore";
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { pingGatewayAndVerify } from "@app/lib/gateway";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { getTurnCredentials } from "@app/lib/turn/credentials";
-import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
-import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
-import {
-  createSerialNumber,
-  keyAlgorithmToAlgCfg
-} from "@app/services/certificate-authority/certificate-authority-fns";
-import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { TLicenseServiceFactory } from "../license/license-service";
-import { OrgPermissionGatewayActions, OrgPermissionSubjects } from "../permission/org-permission";
-import { TPermissionServiceFactory } from "../permission/permission-service";
-import { TGatewayDALFactory } from "./gateway-dal";
-import {
-  TExchangeAllocatedRelayAddressDTO,
-  TGetGatewayByIdDTO,
-  TGetProjectGatewayByIdDTO,
-  THeartBeatDTO,
-  TListGatewaysDTO,
-  TUpdateGatewayByIdDTO
-} from "./gateway-types";
-import { TOrgGatewayConfigDALFactory } from "./org-gateway-config-dal";
-import { TProjectGatewayDALFactory } from "./project-gateway-dal";
-
-type TGatewayServiceFactoryDep = {
-  gatewayDAL: TGatewayDALFactory;
-  projectGatewayDAL: TProjectGatewayDALFactory;
-  orgGatewayConfigDAL: Pick<TOrgGatewayConfigDALFactory, "findOne" | "create" | "transaction" | "findById">;
-  licenseService: Pick<TLicenseServiceFactory, "onPremFeatures" | "getPlan">;
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey" | "decryptWithRootKey">;
-  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getProjectPermission">;
-  keyStore: Pick<TKeyStoreFactory, "getItem" | "setItemWithExpiry">;
-};
-
-export type TGatewayServiceFactory = ReturnType<typeof gatewayServiceFactory>;
-const TURN_SERVER_CREDENTIALS_SCHEMA = z.object({
-  username: z.string(),
-  password: z.string()
-});
-
-export const gatewayServiceFactory = ({
-  gatewayDAL,
-  licenseService,
-  kmsService,
-  permissionService,
-  orgGatewayConfigDAL,
-  keyStore,
-  projectGatewayDAL
-}: TGatewayServiceFactoryDep) => {
-  const $validateOrgAccessToGateway = async (orgId: string, actorId: string, actorAuthMethod: ActorAuthMethod) => {
-    // if (!licenseService.onPremFeatures.gateway) {
-    //   throw new BadRequestError({
-    //     message:
-    //       "Gateway handshake failed due to instance plan restrictions. Please upgrade your instance to Infisical's Enterprise plan."
-    //   });
-    // }
-    const orgLicensePlan = await licenseService.getPlan(orgId);
-    if (!orgLicensePlan.gateway) {
-      throw new BadRequestError({
-        message:
-          "Gateway handshake failed due to organization plan restrictions. Please upgrade your instance to Infisical's Enterprise plan."
-      });
-    }
-    const { permission } = await permissionService.getOrgPermission(
-      ActorType.IDENTITY,
-      actorId,
-      orgId,
-      actorAuthMethod,
-      orgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionGatewayActions.CreateGateways,
-      OrgPermissionSubjects.Gateway
-    );
-  };
-
-  const getGatewayRelayDetails = async (actorId: string, actorOrgId: string, actorAuthMethod: ActorAuthMethod) => {
-    const TURN_CRED_EXPIRY = 10 * 60; // 10 minutes
-
-    const envCfg = getConfig();
-    await $validateOrgAccessToGateway(actorOrgId, actorId, actorAuthMethod);
-    const { encryptor, decryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.Organization,
-      orgId: actorOrgId
-    });
-
-    if (!envCfg.GATEWAY_RELAY_AUTH_SECRET || !envCfg.GATEWAY_RELAY_ADDRESS || !envCfg.GATEWAY_RELAY_REALM) {
-      throw new BadRequestError({
-        message: "Gateway handshake failed due to missing instance configuration."
-      });
-    }
-
-    let turnServerUsername = "";
-    let turnServerPassword = "";
-    // keep it in redis for 5mins to avoid generating so many credentials
-    const previousCredential = await keyStore.getItem(KeyStorePrefixes.GatewayIdentityCredential(actorId));
-    if (previousCredential) {
-      const el = await TURN_SERVER_CREDENTIALS_SCHEMA.parseAsync(
-        JSON.parse(decryptor({ cipherTextBlob: Buffer.from(previousCredential, "hex") }).toString())
-      );
-      turnServerUsername = el.username;
-      turnServerPassword = el.password;
-    } else {
-      const el = getTurnCredentials(actorId, envCfg.GATEWAY_RELAY_AUTH_SECRET);
-      await keyStore.setItemWithExpiry(
-        KeyStorePrefixes.GatewayIdentityCredential(actorId),
-        TURN_CRED_EXPIRY,
-        encryptor({
-          plainText: Buffer.from(JSON.stringify({ username: el.username, password: el.password }))
-        }).cipherTextBlob.toString("hex")
-      );
-      turnServerUsername = el.username;
-      turnServerPassword = el.password;
-    }
-
-    return {
-      turnServerUsername,
-      turnServerPassword,
-      turnServerRealm: envCfg.GATEWAY_RELAY_REALM,
-      turnServerAddress: envCfg.GATEWAY_RELAY_ADDRESS,
-      infisicalStaticIp: envCfg.GATEWAY_INFISICAL_STATIC_IP_ADDRESS
-    };
-  };
-
-  const exchangeAllocatedRelayAddress = async ({
-    identityId,
-    identityOrg,
-    relayAddress,
-    identityOrgAuthMethod
-  }: TExchangeAllocatedRelayAddressDTO) => {
-    await $validateOrgAccessToGateway(identityOrg, identityId, identityOrgAuthMethod);
-    const { encryptor: orgKmsEncryptor, decryptor: orgKmsDecryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.Organization,
-      orgId: identityOrg
-    });
-
-    const orgGatewayConfig = await orgGatewayConfigDAL.transaction(async (tx) => {
-      await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.OrgGatewayRootCaInit(identityOrg)]);
-      const existingGatewayConfig = await orgGatewayConfigDAL.findOne({ orgId: identityOrg });
-      if (existingGatewayConfig) return existingGatewayConfig;
-
-      const alg = keyAlgorithmToAlgCfg(CertKeyAlgorithm.RSA_2048);
-      // generate root CA
-      const rootCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-      const rootCaSerialNumber = createSerialNumber();
-      const rootCaSkObj = crypto.KeyObject.from(rootCaKeys.privateKey);
-      const rootCaIssuedAt = new Date();
-      const rootCaKeyAlgorithm = CertKeyAlgorithm.RSA_2048;
-      const rootCaExpiration = new Date(new Date().setFullYear(2045));
-      const rootCaCert = await x509.X509CertificateGenerator.createSelfSigned({
-        name: `O=${identityOrg},CN=Infisical Gateway Root CA`,
-        serialNumber: rootCaSerialNumber,
-        notBefore: rootCaIssuedAt,
-        notAfter: rootCaExpiration,
-        signingAlgorithm: alg,
-        keys: rootCaKeys,
-        extensions: [
-          // eslint-disable-next-line no-bitwise
-          new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true),
-          await x509.SubjectKeyIdentifierExtension.create(rootCaKeys.publicKey)
-        ]
-      });
-
-      // generate client ca
-      const clientCaSerialNumber = createSerialNumber();
-      const clientCaIssuedAt = new Date();
-      const clientCaExpiration = new Date(new Date().setFullYear(2045));
-      const clientCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-      const clientCaSkObj = crypto.KeyObject.from(clientCaKeys.privateKey);
-
-      const clientCaCert = await x509.X509CertificateGenerator.create({
-        serialNumber: clientCaSerialNumber,
-        subject: `O=${identityOrg},CN=Client Intermediate CA`,
-        issuer: rootCaCert.subject,
-        notBefore: clientCaIssuedAt,
-        notAfter: clientCaExpiration,
-        signingKey: rootCaKeys.privateKey,
-        publicKey: clientCaKeys.publicKey,
-        signingAlgorithm: alg,
-        extensions: [
-          new x509.KeyUsagesExtension(
-            // eslint-disable-next-line no-bitwise
-            x509.KeyUsageFlags.keyCertSign |
-              x509.KeyUsageFlags.cRLSign |
-              x509.KeyUsageFlags.digitalSignature |
-              x509.KeyUsageFlags.keyEncipherment,
-            true
-          ),
-          new x509.BasicConstraintsExtension(true, 0, true),
-          await x509.AuthorityKeyIdentifierExtension.create(rootCaCert, false),
-          await x509.SubjectKeyIdentifierExtension.create(clientCaKeys.publicKey)
-        ]
-      });
-
-      const clientKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-      const clientCertSerialNumber = createSerialNumber();
-      const clientCert = await x509.X509CertificateGenerator.create({
-        serialNumber: clientCertSerialNumber,
-        subject: `O=${identityOrg},OU=gateway-client,CN=cloud`,
-        issuer: clientCaCert.subject,
-        notAfter: clientCaExpiration,
-        notBefore: clientCaIssuedAt,
-        signingKey: clientCaKeys.privateKey,
-        publicKey: clientKeys.publicKey,
-        signingAlgorithm: alg,
-        extensions: [
-          new x509.BasicConstraintsExtension(false),
-          await x509.AuthorityKeyIdentifierExtension.create(clientCaCert, false),
-          await x509.SubjectKeyIdentifierExtension.create(clientKeys.publicKey),
-          new x509.CertificatePolicyExtension(["2.5.29.32.0"]), // anyPolicy
-          new x509.KeyUsagesExtension(
-            // eslint-disable-next-line no-bitwise
-            x509.KeyUsageFlags[CertKeyUsage.DIGITAL_SIGNATURE] |
-              x509.KeyUsageFlags[CertKeyUsage.KEY_ENCIPHERMENT] |
-              x509.KeyUsageFlags[CertKeyUsage.KEY_AGREEMENT],
-            true
-          ),
-          new x509.ExtendedKeyUsageExtension([x509.ExtendedKeyUsage[CertExtendedKeyUsage.CLIENT_AUTH]], true)
-        ]
-      });
-      const clientSkObj = crypto.KeyObject.from(clientKeys.privateKey);
-
-      // generate gateway ca
-      const gatewayCaSerialNumber = createSerialNumber();
-      const gatewayCaIssuedAt = new Date();
-      const gatewayCaExpiration = new Date(new Date().setFullYear(2045));
-      const gatewayCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-      const gatewayCaSkObj = crypto.KeyObject.from(gatewayCaKeys.privateKey);
-      const gatewayCaCert = await x509.X509CertificateGenerator.create({
-        serialNumber: gatewayCaSerialNumber,
-        subject: `O=${identityOrg},CN=Gateway CA`,
-        issuer: rootCaCert.subject,
-        notBefore: gatewayCaIssuedAt,
-        notAfter: gatewayCaExpiration,
-        signingKey: rootCaKeys.privateKey,
-        publicKey: gatewayCaKeys.publicKey,
-        signingAlgorithm: alg,
-        extensions: [
-          new x509.KeyUsagesExtension(
-            // eslint-disable-next-line no-bitwise
-            x509.KeyUsageFlags.keyCertSign |
-              x509.KeyUsageFlags.cRLSign |
-              x509.KeyUsageFlags.digitalSignature |
-              x509.KeyUsageFlags.keyEncipherment,
-            true
-          ),
-          new x509.BasicConstraintsExtension(true, 0, true),
-          await x509.AuthorityKeyIdentifierExtension.create(rootCaCert, false),
-          await x509.SubjectKeyIdentifierExtension.create(gatewayCaKeys.publicKey)
-        ]
-      });
-
-      return orgGatewayConfigDAL.create({
-        orgId: identityOrg,
-        rootCaIssuedAt,
-        rootCaExpiration,
-        rootCaSerialNumber,
-        rootCaKeyAlgorithm,
-        encryptedRootCaPrivateKey: orgKmsEncryptor({
-          plainText: rootCaSkObj.export({
-            type: "pkcs8",
-            format: "der"
-          })
-        }).cipherTextBlob,
-        encryptedRootCaCertificate: orgKmsEncryptor({ plainText: Buffer.from(rootCaCert.rawData) }).cipherTextBlob,
-
-        clientCaIssuedAt,
-        clientCaExpiration,
-        clientCaSerialNumber,
-        encryptedClientCaPrivateKey: orgKmsEncryptor({
-          plainText: clientCaSkObj.export({
-            type: "pkcs8",
-            format: "der"
-          })
-        }).cipherTextBlob,
-        encryptedClientCaCertificate: orgKmsEncryptor({
-          plainText: Buffer.from(clientCaCert.rawData)
-        }).cipherTextBlob,
-
-        clientCertIssuedAt: clientCaIssuedAt,
-        clientCertExpiration: clientCaExpiration,
-        clientCertKeyAlgorithm: CertKeyAlgorithm.RSA_2048,
-        clientCertSerialNumber,
-        encryptedClientPrivateKey: orgKmsEncryptor({
-          plainText: clientSkObj.export({
-            type: "pkcs8",
-            format: "der"
-          })
-        }).cipherTextBlob,
-        encryptedClientCertificate: orgKmsEncryptor({
-          plainText: Buffer.from(clientCert.rawData)
-        }).cipherTextBlob,
-
-        gatewayCaIssuedAt,
-        gatewayCaExpiration,
-        gatewayCaSerialNumber,
-        encryptedGatewayCaPrivateKey: orgKmsEncryptor({
-          plainText: gatewayCaSkObj.export({
-            type: "pkcs8",
-            format: "der"
-          })
-        }).cipherTextBlob,
-        encryptedGatewayCaCertificate: orgKmsEncryptor({
-          plainText: Buffer.from(gatewayCaCert.rawData)
-        }).cipherTextBlob
-      });
-    });
-
-    const rootCaCert = new x509.X509Certificate(
-      orgKmsDecryptor({
-        cipherTextBlob: orgGatewayConfig.encryptedRootCaCertificate
-      })
-    );
-    const clientCaCert = new x509.X509Certificate(
-      orgKmsDecryptor({
-        cipherTextBlob: orgGatewayConfig.encryptedClientCaCertificate
-      })
-    );
-
-    const gatewayCaAlg = keyAlgorithmToAlgCfg(orgGatewayConfig.rootCaKeyAlgorithm as CertKeyAlgorithm);
-    const gatewayCaSkObj = crypto.createPrivateKey({
-      key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedGatewayCaPrivateKey }),
-      format: "der",
-      type: "pkcs8"
-    });
-    const gatewayCaCert = new x509.X509Certificate(
-      orgKmsDecryptor({
-        cipherTextBlob: orgGatewayConfig.encryptedGatewayCaCertificate
-      })
-    );
-
-    const gatewayCaPrivateKey = await crypto.subtle.importKey(
-      "pkcs8",
-      gatewayCaSkObj.export({ format: "der", type: "pkcs8" }),
-      gatewayCaAlg,
-      true,
-      ["sign"]
-    );
-
-    const alg = keyAlgorithmToAlgCfg(CertKeyAlgorithm.RSA_2048);
-    const gatewayKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-    const certIssuedAt = new Date();
-    // then need to periodically init
-    const certExpireAt = new Date(new Date().setMonth(new Date().getMonth() + 1));
-
-    const extensions: x509.Extension[] = [
-      new x509.BasicConstraintsExtension(false),
-      await x509.AuthorityKeyIdentifierExtension.create(gatewayCaCert, false),
-      await x509.SubjectKeyIdentifierExtension.create(gatewayKeys.publicKey),
-      new x509.CertificatePolicyExtension(["2.5.29.32.0"]), // anyPolicy
-      new x509.KeyUsagesExtension(
-        // eslint-disable-next-line no-bitwise
-        x509.KeyUsageFlags[CertKeyUsage.DIGITAL_SIGNATURE] | x509.KeyUsageFlags[CertKeyUsage.KEY_ENCIPHERMENT],
-        true
-      ),
-      new x509.ExtendedKeyUsageExtension([x509.ExtendedKeyUsage[CertExtendedKeyUsage.SERVER_AUTH]], true),
-      // san
-      new x509.SubjectAlternativeNameExtension([{ type: "ip", value: relayAddress.split(":")[0] }], false)
-    ];
-
-    const serialNumber = createSerialNumber();
-    const privateKey = crypto.KeyObject.from(gatewayKeys.privateKey);
-    const gatewayCertificate = await x509.X509CertificateGenerator.create({
-      serialNumber,
-      subject: `CN=${identityId},O=${identityOrg},OU=Gateway`,
-      issuer: gatewayCaCert.subject,
-      notBefore: certIssuedAt,
-      notAfter: certExpireAt,
-      signingKey: gatewayCaPrivateKey,
-      publicKey: gatewayKeys.publicKey,
-      signingAlgorithm: alg,
-      extensions
-    });
-
-    const appCfg = getConfig();
-    // just for local development
-    const formatedRelayAddress =
-      appCfg.NODE_ENV === "development" ? relayAddress.replace("127.0.0.1", "host.docker.internal") : relayAddress;
-
-    await gatewayDAL.transaction(async (tx) => {
-      await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.OrgGatewayCertExchange(identityOrg)]);
-      const existingGateway = await gatewayDAL.findOne({ identityId, orgGatewayRootCaId: orgGatewayConfig.id });
-
-      if (existingGateway) {
-        return gatewayDAL.updateById(existingGateway.id, {
-          keyAlgorithm: CertKeyAlgorithm.RSA_2048,
-          issuedAt: certIssuedAt,
-          expiration: certExpireAt,
-          serialNumber,
-          relayAddress: orgKmsEncryptor({
-            plainText: Buffer.from(formatedRelayAddress)
-          }).cipherTextBlob
-        });
-      }
-
-      return gatewayDAL.create({
-        keyAlgorithm: CertKeyAlgorithm.RSA_2048,
-        issuedAt: certIssuedAt,
-        expiration: certExpireAt,
-        serialNumber,
-        relayAddress: orgKmsEncryptor({
-          plainText: Buffer.from(formatedRelayAddress)
-        }).cipherTextBlob,
-        identityId,
-        orgGatewayRootCaId: orgGatewayConfig.id,
-        name: `gateway-${alphaNumericNanoId(6).toLowerCase()}`
-      });
-    });
-
-    const gatewayCertificateChain = `${clientCaCert.toString("pem")}\n${rootCaCert.toString("pem")}`.trim();
-
-    return {
-      serialNumber,
-      privateKey: privateKey.export({ format: "pem", type: "pkcs8" }) as string,
-      certificate: gatewayCertificate.toString("pem"),
-      certificateChain: gatewayCertificateChain
-    };
-  };
-
-  const heartbeat = async ({ orgPermission }: THeartBeatDTO) => {
-    await $validateOrgAccessToGateway(orgPermission.orgId, orgPermission.id, orgPermission.authMethod);
-    const orgGatewayConfig = await orgGatewayConfigDAL.findOne({ orgId: orgPermission.orgId });
-    if (!orgGatewayConfig) throw new NotFoundError({ message: `Identity with ID ${orgPermission.id} not found.` });
-
-    const [gateway] = await gatewayDAL.find({ identityId: orgPermission.id, orgGatewayRootCaId: orgGatewayConfig.id });
-    if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${orgPermission.id} not found.` });
-
-    const { decryptor: orgKmsDecryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.Organization,
-      orgId: orgGatewayConfig.orgId
-    });
-
-    const rootCaCert = new x509.X509Certificate(
-      orgKmsDecryptor({
-        cipherTextBlob: orgGatewayConfig.encryptedRootCaCertificate
-      })
-    );
-    const gatewayCaCert = new x509.X509Certificate(
-      orgKmsDecryptor({
-        cipherTextBlob: orgGatewayConfig.encryptedGatewayCaCertificate
-      })
-    );
-    const clientCert = new x509.X509Certificate(
-      orgKmsDecryptor({
-        cipherTextBlob: orgGatewayConfig.encryptedClientCertificate
-      })
-    );
-
-    const privateKey = crypto
-      .createPrivateKey({
-        key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedClientPrivateKey }),
-        format: "der",
-        type: "pkcs8"
-      })
-      .export({ type: "pkcs8", format: "pem" });
-
-    const relayAddress = orgKmsDecryptor({ cipherTextBlob: gateway.relayAddress }).toString();
-    const [relayHost, relayPort] = relayAddress.split(":");
-
-    await pingGatewayAndVerify({
-      relayHost,
-      relayPort: Number(relayPort),
-      tlsOptions: {
-        key: privateKey.toString(),
-        ca: `${gatewayCaCert.toString("pem")}\n${rootCaCert.toString("pem")}`.trim(),
-        cert: clientCert.toString("pem")
-      },
-      identityId: orgPermission.id,
-      orgId: orgPermission.orgId
-    });
-
-    await gatewayDAL.updateById(gateway.id, { heartbeat: new Date() });
-  };
-
-  const listGateways = async ({ orgPermission }: TListGatewaysDTO) => {
-    const { permission } = await permissionService.getOrgPermission(
-      orgPermission.type,
-      orgPermission.id,
-      orgPermission.orgId,
-      orgPermission.authMethod,
-      orgPermission.orgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionGatewayActions.ListGateways,
-      OrgPermissionSubjects.Gateway
-    );
-    const orgGatewayConfig = await orgGatewayConfigDAL.findOne({ orgId: orgPermission.orgId });
-    if (!orgGatewayConfig) return [];
-
-    const gateways = await gatewayDAL.find({
-      orgGatewayRootCaId: orgGatewayConfig.id
-    });
-    return gateways;
-  };
-
-  const getGatewayById = async ({ orgPermission, id }: TGetGatewayByIdDTO) => {
-    const { permission } = await permissionService.getOrgPermission(
-      orgPermission.type,
-      orgPermission.id,
-      orgPermission.orgId,
-      orgPermission.authMethod,
-      orgPermission.orgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionGatewayActions.ListGateways,
-      OrgPermissionSubjects.Gateway
-    );
-    const orgGatewayConfig = await orgGatewayConfigDAL.findOne({ orgId: orgPermission.orgId });
-    if (!orgGatewayConfig) throw new NotFoundError({ message: `Gateway with ID ${id} not found.` });
-
-    const [gateway] = await gatewayDAL.find({ id, orgGatewayRootCaId: orgGatewayConfig.id });
-    if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${id} not found.` });
-    return gateway;
-  };
-
-  const updateGatewayById = async ({ orgPermission, id, name, projectIds }: TUpdateGatewayByIdDTO) => {
-    const { permission } = await permissionService.getOrgPermission(
-      orgPermission.type,
-      orgPermission.id,
-      orgPermission.orgId,
-      orgPermission.authMethod,
-      orgPermission.orgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionGatewayActions.EditGateways,
-      OrgPermissionSubjects.Gateway
-    );
-    const orgGatewayConfig = await orgGatewayConfigDAL.findOne({ orgId: orgPermission.orgId });
-    if (!orgGatewayConfig) throw new NotFoundError({ message: `Gateway with ID ${id} not found.` });
-
-    const [gateway] = await gatewayDAL.update({ id, orgGatewayRootCaId: orgGatewayConfig.id }, { name });
-    if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${id} not found.` });
-    if (projectIds) {
-      await projectGatewayDAL.transaction(async (tx) => {
-        await projectGatewayDAL.delete({ gatewayId: gateway.id }, tx);
-        await projectGatewayDAL.insertMany(
-          projectIds.map((el) => ({ gatewayId: gateway.id, projectId: el })),
-          tx
-        );
-      });
-    }
-
-    return gateway;
-  };
-
-  const deleteGatewayById = async ({ orgPermission, id }: TGetGatewayByIdDTO) => {
-    const { permission } = await permissionService.getOrgPermission(
-      orgPermission.type,
-      orgPermission.id,
-      orgPermission.orgId,
-      orgPermission.authMethod,
-      orgPermission.orgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionGatewayActions.DeleteGateways,
-      OrgPermissionSubjects.Gateway
-    );
-    const orgGatewayConfig = await orgGatewayConfigDAL.findOne({ orgId: orgPermission.orgId });
-    if (!orgGatewayConfig) throw new NotFoundError({ message: `Gateway with ID ${id} not found.` });
-
-    const [gateway] = await gatewayDAL.delete({ id, orgGatewayRootCaId: orgGatewayConfig.id });
-    if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${id} not found.` });
-    return gateway;
-  };
-
-  const getProjectGateways = async ({ projectId, projectPermission }: TGetProjectGatewayByIdDTO) => {
-    await permissionService.getProjectPermission({
-      projectId,
-      actor: projectPermission.type,
-      actorId: projectPermission.id,
-      actorOrgId: projectPermission.orgId,
-      actorAuthMethod: projectPermission.authMethod,
-      actionProjectType: ActionProjectType.Any
-    });
-
-    const gateways = await gatewayDAL.findByProjectId(projectId);
-    return gateways;
-  };
-
-  // this has no permission check and used for dynamic secrets directly
-  // assumes permission check is already done
-  const fnGetGatewayClientTls = async (projectGatewayId: string) => {
-    const projectGateway = await projectGatewayDAL.findById(projectGatewayId);
-    if (!projectGateway) throw new NotFoundError({ message: `Project gateway with ID ${projectGatewayId} not found.` });
-
-    const { gatewayId } = projectGateway;
-    const gateway = await gatewayDAL.findById(gatewayId);
-    if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${gatewayId} not found.` });
-
-    const orgGatewayConfig = await orgGatewayConfigDAL.findById(gateway.orgGatewayRootCaId);
-    const { decryptor: orgKmsDecryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.Organization,
-      orgId: orgGatewayConfig.orgId
-    });
-
-    const rootCaCert = new x509.X509Certificate(
-      orgKmsDecryptor({
-        cipherTextBlob: orgGatewayConfig.encryptedRootCaCertificate
-      })
-    );
-    const gatewayCaCert = new x509.X509Certificate(
-      orgKmsDecryptor({
-        cipherTextBlob: orgGatewayConfig.encryptedGatewayCaCertificate
-      })
-    );
-    const clientCert = new x509.X509Certificate(
-      orgKmsDecryptor({
-        cipherTextBlob: orgGatewayConfig.encryptedClientCertificate
-      })
-    );
-
-    const clientSkObj = crypto.createPrivateKey({
-      key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedClientPrivateKey }),
-      format: "der",
-      type: "pkcs8"
-    });
-
-    return {
-      relayAddress: orgKmsDecryptor({ cipherTextBlob: gateway.relayAddress }).toString(),
-      privateKey: clientSkObj.export({ type: "pkcs8", format: "pem" }),
-      certificate: clientCert.toString("pem"),
-      certChain: `${gatewayCaCert.toString("pem")}\n${rootCaCert.toString("pem")}`.trim(),
-      identityId: gateway.identityId,
-      orgId: orgGatewayConfig.orgId
-    };
-  };
-
-  return {
-    getGatewayRelayDetails,
-    exchangeAllocatedRelayAddress,
-    listGateways,
-    getGatewayById,
-    updateGatewayById,
-    deleteGatewayById,
-    getProjectGateways,
-    fnGetGatewayClientTls,
-    heartbeat
-  };
-};

backend/src/ee/services/gateway/gateway-types.ts

@@ -1,39 +0,0 @@
-import { OrgServiceActor } from "@app/lib/types";
-import { ActorAuthMethod } from "@app/services/auth/auth-type";
-
-export type TExchangeAllocatedRelayAddressDTO = {
-  identityId: string;
-  identityOrg: string;
-  identityOrgAuthMethod: ActorAuthMethod;
-  relayAddress: string;
-};
-
-export type TListGatewaysDTO = {
-  orgPermission: OrgServiceActor;
-};
-
-export type TGetGatewayByIdDTO = {
-  id: string;
-  orgPermission: OrgServiceActor;
-};
-
-export type TUpdateGatewayByIdDTO = {
-  id: string;
-  name?: string;
-  projectIds?: string[];
-  orgPermission: OrgServiceActor;
-};
-
-export type TDeleteGatewayByIdDTO = {
-  id: string;
-  orgPermission: OrgServiceActor;
-};
-
-export type TGetProjectGatewayByIdDTO = {
-  projectId: string;
-  projectPermission: OrgServiceActor;
-};
-
-export type THeartBeatDTO = {
-  orgPermission: OrgServiceActor;
-};

backend/src/ee/services/gateway/org-gateway-config-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TOrgGatewayConfigDALFactory = ReturnType<typeof orgGatewayConfigDALFactory>;
-
-export const orgGatewayConfigDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.OrgGatewayConfig);
-  return orm;
-};

backend/src/ee/services/gateway/project-gateway-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TProjectGatewayDALFactory = ReturnType<typeof projectGatewayDALFactory>;
-
-export const projectGatewayDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.ProjectGateway);
-  return orm;
-};

backend/src/ee/services/group/group-service.ts

@@ -3,7 +3,7 @@ import slugify from "@sindresorhus/slugify";
 
 import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
 import { TOidcConfigDALFactory } from "@app/ee/services/oidc/oidc-config-dal";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
@@ -87,14 +87,9 @@ export const groupServiceFactory = ({
       actorOrgId
     );
     const isCustomRole = Boolean(customRole);
-
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to create a more privileged group",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
 
     const group = await groupDAL.transaction(async (tx) => {
       const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
@@ -161,13 +156,9 @@ export const groupServiceFactory = ({
       );
 
       const isCustomRole = Boolean(customOrgRole);
-      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-      if (!permissionBoundary.isValid)
-        throw new ForbiddenRequestError({
-          name: "PermissionBoundaryError",
-          message: "Failed to update a more privileged group",
-          details: { missingPermissions: permissionBoundary.missingPermissions }
-        });
+      const hasRequiredNewRolePermission = isAtLeastAsPrivileged(permission, rolePermission);
+      if (!hasRequiredNewRolePermission)
+        throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
       if (isCustomRole) customRole = customOrgRole;
     }
 
@@ -338,13 +329,9 @@ export const groupServiceFactory = ({
     const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
 
     // check if user has broader or equal to privileges than group
-    const permissionBoundary = validatePermissionBoundary(permission, groupRolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to add user to more privileged group",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPrivileges = isAtLeastAsPrivileged(permission, groupRolePermission);
+    if (!hasRequiredPrivileges)
+      throw new ForbiddenRequestError({ message: "Failed to add user to more privileged group" });
 
     const user = await userDAL.findOne({ username });
     if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });
@@ -409,13 +396,9 @@ export const groupServiceFactory = ({
     const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
 
     // check if user has broader or equal to privileges than group
-    const permissionBoundary = validatePermissionBoundary(permission, groupRolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to delete user from more privileged group",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPrivileges = isAtLeastAsPrivileged(permission, groupRolePermission);
+    if (!hasRequiredPrivileges)
+      throw new ForbiddenRequestError({ message: "Failed to delete user from more privileged group" });
 
     const user = await userDAL.findOne({ username });
     if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -1,10 +1,10 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
+import ms from "ms";
 
 import { ActionProjectType, TableName } from "@app/db/schemas";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
-import { ms } from "@app/lib/ms";
 import { unpackPermissions } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
@@ -79,13 +79,9 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetIdentityPermission.update(targetIdentityPermission.rules.concat(customPermission));
-    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
 
     const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
       slug,
@@ -165,13 +161,9 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetIdentityPermission.update(targetIdentityPermission.rules.concat(data.permissions || []));
-    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
 
     if (data?.slug) {
       const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
@@ -247,13 +239,9 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
 
     const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
     return {

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -1,10 +1,10 @@
 import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
+import ms from "ms";
 
 import { ActionProjectType } from "@app/db/schemas";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
-import { ms } from "@app/lib/ms";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
@@ -88,13 +88,9 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetIdentityPermission.update(targetIdentityPermission.rules.concat(customPermission));
-    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
 
     const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
       slug,
@@ -176,13 +172,9 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetIdentityPermission.update(targetIdentityPermission.rules.concat(data.permissions || []));
-    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
 
     const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findOne({
       slug,
@@ -276,13 +268,9 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to edit more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to edit more privileged identity" });
 
     const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findOne({
       slug,

backend/src/ee/services/kmip/kmip-service.ts

@@ -1,11 +1,11 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import crypto, { KeyObject } from "crypto";
+import ms from "ms";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { isValidHostname, isValidIp } from "@app/lib/ip";
-import { ms } from "@app/lib/ms";
 import { constructPemChainFromCerts } from "@app/services/certificate/certificate-fns";
 import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
 import {

backend/src/ee/services/license/license-fns.ts

@@ -51,8 +51,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   pkiEst: false,
   enforceMfa: false,
   projectTemplates: false,
-  kmip: false,
-  gateway: false
+  kmip: false
 });
 
 export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {

backend/src/ee/services/license/license-service.ts

@@ -50,7 +50,7 @@ export type TLicenseServiceFactory = ReturnType<typeof licenseServiceFactory>;
 const LICENSE_SERVER_CLOUD_LOGIN = "/api/auth/v1/license-server-login";
 const LICENSE_SERVER_ON_PREM_LOGIN = "/api/auth/v1/license-login";
 
-const LICENSE_SERVER_CLOUD_PLAN_TTL = 5 * 60; // 5 mins
+const LICENSE_SERVER_CLOUD_PLAN_TTL = 30; // 30 second
 const FEATURE_CACHE_KEY = (orgId: string) => `infisical-cloud-plan-${orgId}`;
 
 export const licenseServiceFactory = ({
@@ -142,10 +142,7 @@ export const licenseServiceFactory = ({
     try {
       if (instanceType === InstanceType.Cloud) {
         const cachedPlan = await keyStore.getItem(FEATURE_CACHE_KEY(orgId));
-        if (cachedPlan) {
-          logger.info(`getPlan: plan fetched from cache [orgId=${orgId}] [projectId=${projectId}]`);
-          return JSON.parse(cachedPlan) as TFeatureSet;
-        }
+        if (cachedPlan) return JSON.parse(cachedPlan) as TFeatureSet;
 
         const org = await orgDAL.findOrgById(orgId);
         if (!org) throw new NotFoundError({ message: `Organization with ID '${orgId}' not found` });
@@ -173,8 +170,6 @@ export const licenseServiceFactory = ({
         JSON.stringify(onPremFeatures)
       );
       return onPremFeatures;
-    } finally {
-      logger.info(`getPlan: Process done for [orgId=${orgId}] [projectId=${projectId}]`);
     }
     return onPremFeatures;
   };

backend/src/ee/services/license/license-types.ts

@@ -69,7 +69,6 @@ export type TFeatureSet = {
   enforceMfa: boolean;
   projectTemplates: false;
   kmip: false;
-  gateway: false;
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/permission/org-permission.ts

@@ -12,7 +12,8 @@ export enum OrgPermissionActions {
   Read = "read",
   Create = "create",
   Edit = "edit",
-  Delete = "delete"
+  Delete = "delete",
+  Update = "update"
 }
 
 export enum OrgPermissionAppConnectionActions {
@@ -32,18 +33,6 @@ export enum OrgPermissionAdminConsoleAction {
   AccessAllProjects = "access-all-projects"
 }
 
-export enum OrgPermissionSecretShareAction {
-  ManageSettings = "manage-settings"
-}
-
-export enum OrgPermissionGatewayActions {
-  // is there a better word for this. This mean can an identity be a gateway
-  CreateGateways = "create-gateways",
-  ListGateways = "list-gateways",
-  EditGateways = "edit-gateways",
-  DeleteGateways = "delete-gateways"
-}
-
 export enum OrgPermissionSubjects {
   Workspace = "workspace",
   Role = "role",
@@ -63,8 +52,7 @@ export enum OrgPermissionSubjects {
   ProjectTemplates = "project-templates",
   AppConnections = "app-connections",
   Kmip = "kmip",
-  Gateway = "gateway",
-  SecretShare = "secret-share"
+  DedicatedInstance = "dedicatedInstance"
 }
 
 export type AppConnectionSubjectFields = {
@@ -87,7 +75,6 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.Kms]
   | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
   | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
-  | [OrgPermissionGatewayActions, OrgPermissionSubjects.Gateway]
   | [
       OrgPermissionAppConnectionActions,
       (
@@ -97,7 +84,7 @@ export type OrgPermissionSet =
     ]
   | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole]
   | [OrgPermissionKmipActions, OrgPermissionSubjects.Kmip]
-  | [OrgPermissionSecretShareAction, OrgPermissionSubjects.SecretShare];
+  | [OrgPermissionActions, OrgPermissionSubjects.DedicatedInstance];
 
 const AppConnectionConditionSchema = z
   .object({
@@ -191,12 +178,6 @@ export const OrgPermissionSchema = z.discriminatedUnion("subject", [
       "Describe what action an entity can take."
     )
   }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.SecretShare).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionSecretShareAction).describe(
-      "Describe what action an entity can take."
-    )
-  }),
   z.object({
     subject: z.literal(OrgPermissionSubjects.Kmip).describe("The entity this permission pertains to."),
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionKmipActions).describe(
@@ -204,10 +185,8 @@ export const OrgPermissionSchema = z.discriminatedUnion("subject", [
     )
   }),
   z.object({
-    subject: z.literal(OrgPermissionSubjects.Gateway).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionGatewayActions).describe(
-      "Describe what action an entity can take."
-    )
+    subject: z.literal(OrgPermissionSubjects.DedicatedInstance).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
   })
 ]);
 
@@ -292,11 +271,6 @@ const buildAdminPermission = () => {
   can(OrgPermissionAppConnectionActions.Delete, OrgPermissionSubjects.AppConnections);
   can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
 
-  can(OrgPermissionGatewayActions.ListGateways, OrgPermissionSubjects.Gateway);
-  can(OrgPermissionGatewayActions.CreateGateways, OrgPermissionSubjects.Gateway);
-  can(OrgPermissionGatewayActions.EditGateways, OrgPermissionSubjects.Gateway);
-  can(OrgPermissionGatewayActions.DeleteGateways, OrgPermissionSubjects.Gateway);
-
   can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
 
   can(OrgPermissionKmipActions.Setup, OrgPermissionSubjects.Kmip);
@@ -304,7 +278,10 @@ const buildAdminPermission = () => {
   // the proxy assignment is temporary in order to prevent "more privilege" error during role assignment to MI
   can(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
 
-  can(OrgPermissionSecretShareAction.ManageSettings, OrgPermissionSubjects.SecretShare);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.DedicatedInstance);
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.DedicatedInstance);
+  can(OrgPermissionActions.Update, OrgPermissionSubjects.DedicatedInstance);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.DedicatedInstance);
 
   return rules;
 };
@@ -335,8 +312,8 @@ const buildMemberPermission = () => {
   can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
 
   can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionGatewayActions.ListGateways, OrgPermissionSubjects.Gateway);
-  can(OrgPermissionGatewayActions.CreateGateways, OrgPermissionSubjects.Gateway);
+
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.DedicatedInstance);
 
   return rules;
 };

backend/src/ee/services/permission/permission-fns.ts

@@ -1,109 +1,7 @@
-/* eslint-disable no-nested-ternary */
-import { ForbiddenError, MongoAbility, PureAbility, subject } from "@casl/ability";
-import { z } from "zod";
-
 import { TOrganizations } from "@app/db/schemas";
-import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
+import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";
 
-import {
-  ProjectPermissionSecretActions,
-  ProjectPermissionSet,
-  ProjectPermissionSub,
-  ProjectPermissionV2Schema,
-  SecretSubjectFields
-} from "./project-permission";
-
-export function throwIfMissingSecretReadValueOrDescribePermission(
-  permission: MongoAbility<ProjectPermissionSet> | PureAbility,
-  action: Extract<
-    ProjectPermissionSecretActions,
-    ProjectPermissionSecretActions.ReadValue | ProjectPermissionSecretActions.DescribeSecret
-  >,
-  subjectFields?: SecretSubjectFields
-) {
-  try {
-    if (subjectFields) {
-      ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionSecretActions.DescribeAndReadValue,
-        subject(ProjectPermissionSub.Secrets, subjectFields)
-      );
-    } else {
-      ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionSecretActions.DescribeAndReadValue,
-        ProjectPermissionSub.Secrets
-      );
-    }
-  } catch {
-    if (subjectFields) {
-      ForbiddenError.from(permission).throwUnlessCan(action, subject(ProjectPermissionSub.Secrets, subjectFields));
-    } else {
-      ForbiddenError.from(permission).throwUnlessCan(action, ProjectPermissionSub.Secrets);
-    }
-  }
-}
-
-export function hasSecretReadValueOrDescribePermission(
-  permission: MongoAbility<ProjectPermissionSet>,
-  action: Extract<
-    ProjectPermissionSecretActions,
-    ProjectPermissionSecretActions.DescribeSecret | ProjectPermissionSecretActions.ReadValue
-  >,
-  subjectFields?: SecretSubjectFields
-) {
-  let canNewPermission = false;
-  let canOldPermission = false;
-
-  if (subjectFields) {
-    canNewPermission = permission.can(action, subject(ProjectPermissionSub.Secrets, subjectFields));
-    canOldPermission = permission.can(
-      ProjectPermissionSecretActions.DescribeAndReadValue,
-      subject(ProjectPermissionSub.Secrets, subjectFields)
-    );
-  } else {
-    canNewPermission = permission.can(action, ProjectPermissionSub.Secrets);
-    canOldPermission = permission.can(
-      ProjectPermissionSecretActions.DescribeAndReadValue,
-      ProjectPermissionSub.Secrets
-    );
-  }
-
-  return canNewPermission || canOldPermission;
-}
-
-const OptionalArrayPermissionSchema = ProjectPermissionV2Schema.array().optional();
-export function checkForInvalidPermissionCombination(permissions: z.infer<typeof OptionalArrayPermissionSchema>) {
-  if (!permissions) return;
-
-  for (const permission of permissions) {
-    if (permission.subject === ProjectPermissionSub.Secrets) {
-      if (permission.action.includes(ProjectPermissionSecretActions.DescribeAndReadValue)) {
-        const hasReadValue = permission.action.includes(ProjectPermissionSecretActions.ReadValue);
-        const hasDescribeSecret = permission.action.includes(ProjectPermissionSecretActions.DescribeSecret);
-
-        // eslint-disable-next-line no-continue
-        if (!hasReadValue && !hasDescribeSecret) continue;
-
-        const hasBothDescribeAndReadValue = hasReadValue && hasDescribeSecret;
-
-        throw new BadRequestError({
-          message: `You have selected Read, and ${
-            hasBothDescribeAndReadValue
-              ? "both Read Value and Describe Secret"
-              : hasReadValue
-                ? "Read Value"
-                : hasDescribeSecret
-                  ? "Describe Secret"
-                  : ""
-          }. You cannot select Read Value or Describe Secret if you have selected Read. The Read permission is a legacy action which has been replaced by Describe Secret and Read Value.`
-        });
-      }
-    }
-  }
-
-  return true;
-}
-
 function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
   if (!actorAuthMethod) return false;
 
@@ -131,12 +29,12 @@ function validateOrgSSO(actorAuthMethod: ActorAuthMethod, isOrgSsoEnforced: TOrg
   }
 }
 
-const escapeHandlebarsMissingDict = (obj: Record<string, string>, key: string) => {
+const escapeHandlebarsMissingMetadata = (obj: Record<string, string>) => {
   const handler = {
     get(target: Record<string, string>, prop: string) {
-      if (!Object.hasOwn(target, prop)) {
+      if (!(prop in target)) {
         // eslint-disable-next-line no-param-reassign
-        target[prop] = `{{${key}.${prop}}}`; // Add missing key as an "own" property
+        target[prop] = `{{identity.metadata.${prop}}}`; // Add missing key as an "own" property
       }
       return target[prop];
     }
@@ -145,4 +43,4 @@ const escapeHandlebarsMissingDict = (obj: Record<string, string>, key: string) =
   return new Proxy(obj, handler);
 };
 
-export { escapeHandlebarsMissingDict, isAuthMethodSaml, validateOrgSSO };
+export { escapeHandlebarsMissingMetadata, isAuthMethodSaml, validateOrgSSO };

backend/src/ee/services/permission/permission-service.ts

@@ -1,6 +1,5 @@
 import { createMongoAbility, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, unpackRules } from "@casl/ability/extra";
-import { requestContext } from "@fastify/request-context";
 import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";
 
@@ -23,7 +22,7 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok
 
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
-import { escapeHandlebarsMissingDict, validateOrgSSO } from "./permission-fns";
+import { escapeHandlebarsMissingMetadata, validateOrgSSO } from "./permission-fns";
 import {
   TBuildOrgPermissionDTO,
   TBuildProjectPermissionDTO,
@@ -244,13 +243,13 @@ export const permissionServiceFactory = ({
 
     const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
     const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-    const unescapedMetadata = objectify(
-      userProjectPermission.metadata,
-      (i) => i.key,
-      (i) => i.value
+    const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+      objectify(
+        userProjectPermission.metadata,
+        (i) => i.key,
+        (i) => i.value
+      )
     );
-    const metadataKeyValuePair = escapeHandlebarsMissingDict(unescapedMetadata, "identity.metadata");
-    requestContext.set("identityPermissionMetadata", { metadata: unescapedMetadata });
     const interpolateRules = templatedRules(
       {
         identity: {
@@ -318,26 +317,20 @@ export const permissionServiceFactory = ({
 
     const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
     const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-    const unescapedIdentityAuthInfo = requestContext.get("identityAuthInfo");
-    const unescapedMetadata = objectify(
-      identityProjectPermission.metadata,
-      (i) => i.key,
-      (i) => i.value
+    const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+      objectify(
+        identityProjectPermission.metadata,
+        (i) => i.key,
+        (i) => i.value
+      )
     );
-    const identityAuthInfo =
-      unescapedIdentityAuthInfo?.identityId === identityId && unescapedIdentityAuthInfo
-        ? escapeHandlebarsMissingDict(unescapedIdentityAuthInfo as never, "identity.auth")
-        : {};
-    const metadataKeyValuePair = escapeHandlebarsMissingDict(unescapedMetadata, "identity.metadata");
 
-    requestContext.set("identityPermissionMetadata", { metadata: unescapedMetadata, auth: unescapedIdentityAuthInfo });
     const interpolateRules = templatedRules(
       {
         identity: {
           id: identityProjectPermission.identityId,
           username: identityProjectPermission.username,
-          metadata: metadataKeyValuePair,
-          auth: identityAuthInfo
+          metadata: metadataKeyValuePair
         }
       },
       { data: false }
@@ -431,13 +424,12 @@ export const permissionServiceFactory = ({
 
       const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
       const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-      const metadataKeyValuePair = escapeHandlebarsMissingDict(
+      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
         objectify(
           userProjectPermission.metadata,
           (i) => i.key,
           (i) => i.value
-        ),
-        "identity.metadata"
+        )
       );
       const interpolateRules = templatedRules(
         {
@@ -477,14 +469,14 @@ export const permissionServiceFactory = ({
 
       const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
       const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-      const metadataKeyValuePair = escapeHandlebarsMissingDict(
+      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
         objectify(
           identityProjectPermission.metadata,
           (i) => i.key,
           (i) => i.value
-        ),
-        "identity.metadata"
+        )
       );
+
       const interpolateRules = templatedRules(
         {
           identity: {

backend/src/ee/services/permission/permission-types.ts

@@ -5,6 +5,22 @@ import { PermissionConditionOperators } from "@app/lib/casl";
 
 export const PermissionConditionSchema = {
   [PermissionConditionOperators.$IN]: z.string().trim().min(1).array(),
+  [PermissionConditionOperators.$ALL]: z.string().trim().min(1).array(),
+  [PermissionConditionOperators.$REGEX]: z
+    .string()
+    .min(1)
+    .refine(
+      (el) => {
+        try {
+          // eslint-disable-next-line no-new
+          new RegExp(el);
+          return true;
+        } catch {
+          return false;
+        }
+      },
+      { message: "Invalid regex pattern" }
+    ),
   [PermissionConditionOperators.$EQ]: z.string().min(1),
   [PermissionConditionOperators.$NEQ]: z.string().min(1),
   [PermissionConditionOperators.$GLOB]: z

backend/src/ee/services/permission/project-permission.ts

@@ -17,15 +17,6 @@ export enum ProjectPermissionActions {
   Delete = "delete"
 }
 
-export enum ProjectPermissionSecretActions {
-  DescribeAndReadValue = "read",
-  DescribeSecret = "describeSecret",
-  ReadValue = "readValue",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete"
-}
-
 export enum ProjectPermissionCmekActions {
   Read = "read",
   Create = "create",
@@ -124,7 +115,7 @@ export type IdentityManagementSubjectFields = {
 
 export type ProjectPermissionSet =
   | [
-      ProjectPermissionSecretActions,
+      ProjectPermissionActions,
       ProjectPermissionSub.Secrets | (ForcedSubject<ProjectPermissionSub.Secrets> & SecretSubjectFields)
     ]
   | [
@@ -438,7 +429,6 @@ const GeneralPermissionSchema = [
   })
 ];
 
-// Do not update this schema anymore, as it's kept purely for backwards compatability. Update V2 schema only.
 export const ProjectPermissionV1Schema = z.discriminatedUnion("subject", [
   z.object({
     subject: z.literal(ProjectPermissionSub.Secrets).describe("The entity this permission pertains to."),
@@ -470,7 +460,7 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
   z.object({
     subject: z.literal(ProjectPermissionSub.Secrets).describe("The entity this permission pertains to."),
     inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
       "Describe what action an entity can take."
     ),
     conditions: SecretConditionV2Schema.describe(
@@ -527,6 +517,7 @@ const buildAdminPermissionRules = () => {
 
   // Admins get full access to everything
   [
+    ProjectPermissionSub.Secrets,
     ProjectPermissionSub.SecretFolders,
     ProjectPermissionSub.SecretImports,
     ProjectPermissionSub.SecretApproval,
@@ -559,22 +550,10 @@ const buildAdminPermissionRules = () => {
         ProjectPermissionActions.Create,
         ProjectPermissionActions.Delete
       ],
-      el
+      el as ProjectPermissionSub
     );
   });
 
-  can(
-    [
-      ProjectPermissionSecretActions.DescribeAndReadValue,
-      ProjectPermissionSecretActions.DescribeSecret,
-      ProjectPermissionSecretActions.ReadValue,
-      ProjectPermissionSecretActions.Create,
-      ProjectPermissionSecretActions.Edit,
-      ProjectPermissionSecretActions.Delete
-    ],
-    ProjectPermissionSub.Secrets
-  );
-
   can(
     [
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
@@ -634,12 +613,10 @@ const buildMemberPermissionRules = () => {
 
   can(
     [
-      ProjectPermissionSecretActions.DescribeAndReadValue,
-      ProjectPermissionSecretActions.DescribeSecret,
-      ProjectPermissionSecretActions.ReadValue,
-      ProjectPermissionSecretActions.Edit,
-      ProjectPermissionSecretActions.Create,
-      ProjectPermissionSecretActions.Delete
+      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
     ],
     ProjectPermissionSub.Secrets
   );
@@ -811,9 +788,7 @@ export const projectMemberPermissions = buildMemberPermissionRules();
 const buildViewerPermissionRules = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
 
-  can(ProjectPermissionSecretActions.DescribeAndReadValue, ProjectPermissionSub.Secrets);
-  can(ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSub.Secrets);
-  can(ProjectPermissionSecretActions.ReadValue, ProjectPermissionSub.Secrets);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
   can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);
@@ -862,6 +837,7 @@ export const buildServiceTokenProjectPermission = (
       (subject) => {
         if (canWrite) {
           can(ProjectPermissionActions.Edit, subject, {
+            // TODO: @Akhi
             // @ts-expect-error type
             secretPath: { $glob: secretPath },
             environment
@@ -940,17 +916,7 @@ export const backfillPermissionV1SchemaToV2Schema = (
     subject: ProjectPermissionSub.SecretImports as const
   }));
 
-  const secretPolicies = secretSubjects.map(({ subject, ...el }) => ({
-    subject: ProjectPermissionSub.Secrets as const,
-    ...el,
-    action:
-      el.action.includes(ProjectPermissionActions.Read) && !el.action.includes(ProjectPermissionSecretActions.ReadValue)
-        ? el.action.concat(ProjectPermissionSecretActions.ReadValue)
-        : el.action
-  }));
-
   const secretFolderPolicies = secretSubjects
-
     .map(({ subject, ...el }) => ({
       ...el,
       // read permission is not needed anymore
@@ -992,7 +958,6 @@ export const backfillPermissionV1SchemaToV2Schema = (
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-ignore-error this is valid ts
     secretImportPolicies,
-    secretPolicies,
     dynamicSecretPolicies,
     hasReadOnlyFolder.length ? [] : secretFolderPolicies
   );

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -1,10 +1,10 @@
 import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
+import ms from "ms";
 
 import { ActionProjectType, TableName } from "@app/db/schemas";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
-import { ms } from "@app/lib/ms";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
@@ -76,13 +76,9 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetUserPermission.update(targetUserPermission.rules.concat(customPermission));
-    const permissionBoundary = validatePermissionBoundary(permission, targetUserPermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged user",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetUserPermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
 
     const existingSlug = await projectUserAdditionalPrivilegeDAL.findOne({
       slug,
@@ -167,13 +163,9 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetUserPermission.update(targetUserPermission.rules.concat(dto.permissions || []));
-    const permissionBoundary = validatePermissionBoundary(permission, targetUserPermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetUserPermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
 
     if (dto?.slug) {
       const existingSlug = await projectUserAdditionalPrivilegeDAL.findOne({

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -63,7 +63,7 @@ export const samlConfigServiceFactory = ({
   kmsService
 }: TSamlConfigServiceFactoryDep) => {
   const createSamlCfg = async ({
-    idpCert,
+    cert,
     actor,
     actorAuthMethod,
     actorOrgId,
@@ -93,9 +93,9 @@ export const samlConfigServiceFactory = ({
       orgId,
       authProvider,
       isActive,
-      encryptedSamlCertificate: encryptor({ plainText: Buffer.from(idpCert) }).cipherTextBlob,
+      encryptedSamlIssuer: encryptor({ plainText: Buffer.from(issuer) }).cipherTextBlob,
       encryptedSamlEntryPoint: encryptor({ plainText: Buffer.from(entryPoint) }).cipherTextBlob,
-      encryptedSamlIssuer: encryptor({ plainText: Buffer.from(issuer) }).cipherTextBlob
+      encryptedSamlCertificate: encryptor({ plainText: Buffer.from(cert) }).cipherTextBlob
     });
 
     return samlConfig;
@@ -106,7 +106,7 @@ export const samlConfigServiceFactory = ({
     actor,
     actorOrgId,
     actorAuthMethod,
-    idpCert,
+    cert,
     actorId,
     issuer,
     isActive,
@@ -136,8 +136,8 @@ export const samlConfigServiceFactory = ({
       updateQuery.encryptedSamlIssuer = encryptor({ plainText: Buffer.from(issuer) }).cipherTextBlob;
     }
 
-    if (idpCert !== undefined) {
-      updateQuery.encryptedSamlCertificate = encryptor({ plainText: Buffer.from(idpCert) }).cipherTextBlob;
+    if (cert !== undefined) {
+      updateQuery.encryptedSamlCertificate = encryptor({ plainText: Buffer.from(cert) }).cipherTextBlob;
     }
 
     const [ssoConfig] = await samlConfigDAL.update({ orgId }, updateQuery);

backend/src/ee/services/saml-config/saml-config-types.ts

@@ -15,7 +15,7 @@ export type TCreateSamlCfgDTO = {
   isActive: boolean;
   entryPoint: string;
   issuer: string;
-  idpCert: string;
+  cert: string;
 } & TOrgPermission;
 
 export type TUpdateSamlCfgDTO = Partial<{
@@ -23,7 +23,7 @@ export type TUpdateSamlCfgDTO = Partial<{
   isActive: boolean;
   entryPoint: string;
   issuer: string;
-  idpCert: string;
+  cert: string;
 }> &
   TOrgPermission;
 

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -100,7 +100,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("lastName").withSchema("committerUser").as("committerUserLastName"),
         tx.ref("reviewerUserId").withSchema(TableName.SecretApprovalRequestReviewer),
         tx.ref("status").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerStatus"),
-        tx.ref("comment").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerComment"),
         tx.ref("email").withSchema("secretApprovalReviewerUser").as("reviewerEmail"),
         tx.ref("username").withSchema("secretApprovalReviewerUser").as("reviewerUsername"),
         tx.ref("firstName").withSchema("secretApprovalReviewerUser").as("reviewerFirstName"),
@@ -163,10 +162,8 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
               reviewerEmail: email,
               reviewerLastName: lastName,
               reviewerUsername: username,
-              reviewerFirstName: firstName,
-              reviewerComment: comment
-            }) =>
-              userId ? { userId, status, email, firstName, lastName, username, comment: comment ?? "" } : undefined
+              reviewerFirstName: firstName
+            }) => (userId ? { userId, status, email, firstName, lastName, username } : undefined)
           },
           {
             key: "approverUserId",

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -6,7 +6,6 @@ import {
   SecretEncryptionAlgo,
   SecretKeyEncoding,
   SecretType,
-  TableName,
   TSecretApprovalRequestsSecretsInsert,
   TSecretApprovalRequestsSecretsV2Insert
 } from "@app/db/schemas";
@@ -58,9 +57,8 @@ import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 
 import { TLicenseServiceFactory } from "../license/license-service";
-import { throwIfMissingSecretReadValueOrDescribePermission } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionSecretActions, ProjectPermissionSub } from "../permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
 import { TSecretSnapshotServiceFactory } from "../secret-snapshot/secret-snapshot-service";
 import { TSecretApprovalRequestDALFactory } from "./secret-approval-request-dal";
@@ -90,12 +88,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
   secretDAL: TSecretDALFactory;
   secretTagDAL: Pick<
     TSecretTagDALFactory,
-    | "findManyTagsById"
-    | "saveTagsToSecret"
-    | "deleteTagsManySecret"
-    | "saveTagsToSecretV2"
-    | "deleteTagsToSecretV2"
-    | "find"
+    "findManyTagsById" | "saveTagsToSecret" | "deleteTagsManySecret" | "saveTagsToSecretV2" | "deleteTagsToSecretV2"
   >;
   secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "findOne">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
@@ -113,7 +106,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey" | "encryptWithInputKey" | "decryptWithInputKey">;
   secretV2BridgeDAL: Pick<
     TSecretV2BridgeDALFactory,
-    "insertMany" | "upsertSecretReferences" | "findBySecretKeys" | "bulkUpdate" | "deleteMany" | "find"
+    "insertMany" | "upsertSecretReferences" | "findBySecretKeys" | "bulkUpdate" | "deleteMany"
   >;
   secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
   secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
@@ -327,7 +320,6 @@ export const secretApprovalRequestServiceFactory = ({
     approvalId,
     actor,
     status,
-    comment,
     actorId,
     actorAuthMethod,
     actorOrgId
@@ -380,18 +372,15 @@ export const secretApprovalRequestServiceFactory = ({
         return secretApprovalRequestReviewerDAL.create(
           {
             status,
-            comment,
             requestId: secretApprovalRequest.id,
             reviewerUserId: actorId
           },
           tx
         );
       }
-
-      return secretApprovalRequestReviewerDAL.updateById(review.id, { status, comment }, tx);
+      return secretApprovalRequestReviewerDAL.updateById(review.id, { status }, tx);
     });
-
-    return { ...reviewStatus, projectId: secretApprovalRequest.projectId };
+    return reviewStatus;
   };
 
   const updateApprovalStatus = async ({
@@ -510,7 +499,7 @@ export const secretApprovalRequestServiceFactory = ({
     if (!hasMinApproval && !isSoftEnforcement)
       throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
 
-    const { botKey, shouldUseSecretV2Bridge, project } = await projectBotService.getBotKey(projectId);
+    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
     let mergeStatus;
     if (shouldUseSecretV2Bridge) {
       // this cycle if for bridged secrets
@@ -868,6 +857,7 @@ export const secretApprovalRequestServiceFactory = ({
 
     if (isSoftEnforcement) {
       const cfg = getConfig();
+      const project = await projectDAL.findProjectById(projectId);
       const env = await projectEnvDAL.findOne({ id: policy.envId });
       const requestedByUser = await userDAL.findOne({ id: actorId });
       const approverUsers = await userDAL.find({
@@ -919,11 +909,10 @@ export const secretApprovalRequestServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-
-    throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
-      environment,
-      secretPath
-    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+    );
 
     await projectDAL.checkProjectUpgradeStatus(projectId);
 
@@ -1008,7 +997,6 @@ export const secretApprovalRequestServiceFactory = ({
               : keyName2BlindIndex[secretName];
           // add tags
           if (tagIds?.length) commitTagIds[keyName2BlindIndex[secretName]] = tagIds;
-
           return {
             ...latestSecretVersions[secretId],
             ...el,
@@ -1164,8 +1152,7 @@ export const secretApprovalRequestServiceFactory = ({
           environment: env.name,
           secretPath,
           projectId,
-          requestId: secretApprovalRequest.id,
-          secretKeys: [...new Set(Object.values(data).flatMap((arr) => arr?.map((item) => item.secretName) ?? []))]
+          requestId: secretApprovalRequest.id
         }
       }
     });
@@ -1307,7 +1294,7 @@ export const secretApprovalRequestServiceFactory = ({
             secretMetadata
           }) => {
             const secretId = updatingSecretsGroupByKey[secretKey][0].id;
-            if (tagIds?.length) commitTagIds[newSecretName ?? secretKey] = tagIds;
+            if (tagIds?.length) commitTagIds[secretKey] = tagIds;
             return {
               ...latestSecretVersions[secretId],
               secretMetadata,
@@ -1336,48 +1323,17 @@ export const secretApprovalRequestServiceFactory = ({
     // deleted secrets
     const deletedSecrets = data[SecretOperations.Delete];
     if (deletedSecrets && deletedSecrets.length) {
-      const secretsToDeleteInDB = await secretV2BridgeDAL.find({
+      const secretsToDeleteInDB = await secretV2BridgeDAL.findBySecretKeys(
         folderId,
-        $complex: {
-          operator: "and",
-          value: [
-            {
-              operator: "or",
-              value: deletedSecrets.map((el) => ({
-                operator: "and",
-                value: [
-                  {
-                    operator: "eq",
-                    field: `${TableName.SecretV2}.key` as "key",
-                    value: el.secretKey
-                  },
-                  {
-                    operator: "eq",
-                    field: "type",
-                    value: SecretType.Shared
-                  }
-                ]
-              }))
-            }
-          ]
-        }
-      });
+        deletedSecrets.map((el) => ({
+          key: el.secretKey,
+          type: SecretType.Shared
+        }))
+      );
       if (secretsToDeleteInDB.length !== deletedSecrets.length)
         throw new NotFoundError({
           message: `Secret does not exist: ${secretsToDeleteInDB.map((el) => el.key).join(",")}`
         });
-      secretsToDeleteInDB.forEach((el) => {
-        ForbiddenError.from(permission).throwUnlessCan(
-          ProjectPermissionSecretActions.Delete,
-          subject(ProjectPermissionSub.Secrets, {
-            environment,
-            secretPath,
-            secretName: el.key,
-            secretTags: el.tags?.map((i) => i.slug)
-          })
-        );
-      });
-
       const secretsGroupedByKey = groupBy(secretsToDeleteInDB, (i) => i.key);
       const deletedSecretIds = deletedSecrets.map((el) => secretsGroupedByKey[el.secretKey][0].id);
       const latestSecretVersions = await secretVersionV2BridgeDAL.findLatestVersionMany(folderId, deletedSecretIds);
@@ -1403,9 +1359,9 @@ export const secretApprovalRequestServiceFactory = ({
     const tagsGroupById = groupBy(tags, (i) => i.id);
 
     commits.forEach((commit) => {
-      let action = ProjectPermissionSecretActions.Create;
-      if (commit.op === SecretOperations.Update) action = ProjectPermissionSecretActions.Edit;
-      if (commit.op === SecretOperations.Delete) return; // we do the validation on top
+      let action = ProjectPermissionActions.Create;
+      if (commit.op === SecretOperations.Update) action = ProjectPermissionActions.Edit;
+      if (commit.op === SecretOperations.Delete) action = ProjectPermissionActions.Delete;
 
       ForbiddenError.from(permission).throwUnlessCan(
         action,
@@ -1496,8 +1452,7 @@ export const secretApprovalRequestServiceFactory = ({
           environment: env.name,
           secretPath,
           projectId,
-          requestId: secretApprovalRequest.id,
-          secretKeys: [...new Set(Object.values(data).flatMap((arr) => arr?.map((item) => item.secretKey) ?? []))]
+          requestId: secretApprovalRequest.id
         }
       }
     });

backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts

@@ -80,7 +80,6 @@ export type TStatusChangeDTO = {
 export type TReviewRequestDTO = {
   approvalId: string;
   status: ApprovalStatus;
-  comment?: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TApprovalRequestCountDTO = TProjectPermission;

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -265,7 +265,6 @@ export const secretReplicationServiceFactory = ({
         folderDAL,
         secretImportDAL,
         decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : ""),
-        viewSecretValue: true,
         hasSecretAccess: () => true
       });
       // secrets that gets replicated across imports

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -13,7 +13,6 @@ import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
-import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -333,7 +332,6 @@ export const secretRotationQueueFactory = ({
           await secretVersionV2BridgeDAL.insertMany(
             updatedSecrets.map(({ id, updatedAt, createdAt, ...el }) => ({
               ...el,
-              actorType: ActorType.PLATFORM,
               secretId: id
             })),
             tx

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -15,11 +15,7 @@ import { TSecretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import {
-  ProjectPermissionActions,
-  ProjectPermissionSecretActions,
-  ProjectPermissionSub
-} from "../permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TSecretRotationDALFactory } from "./secret-rotation-dal";
 import { TSecretRotationQueueFactory } from "./secret-rotation-queue";
 import { TSecretRotationEncData } from "./secret-rotation-queue/secret-rotation-queue-types";
@@ -110,7 +106,7 @@ export const secretRotationServiceFactory = ({
       });
     }
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionSecretActions.Edit,
+      ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Secrets, { environment, secretPath })
     );
 

backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts

@@ -1,18 +1,16 @@
 /* eslint-disable @typescript-eslint/no-unsafe-assignment,@typescript-eslint/no-unsafe-member-access,@typescript-eslint/no-unsafe-argument */
 // akhilmhdh: I did this, quite strange bug with eslint. Everything do have a type stil has this error
-import { ForbiddenError } from "@casl/ability";
+import { ForbiddenError, subject } from "@casl/ability";
 
 import { ActionProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
-import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
-import { INFISICAL_SECRET_VALUE_HIDDEN_MASK } from "@app/services/secret/secret-fns";
 import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
 import { TSecretVersionTagDALFactory } from "@app/services/secret/secret-version-tag-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
@@ -23,16 +21,8 @@ import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secre
 import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";
 
 import { TLicenseServiceFactory } from "../license/license-service";
-import {
-  hasSecretReadValueOrDescribePermission,
-  throwIfMissingSecretReadValueOrDescribePermission
-} from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import {
-  ProjectPermissionActions,
-  ProjectPermissionSecretActions,
-  ProjectPermissionSub
-} from "../permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
 import {
   TGetSnapshotDataDTO,
   TProjectSnapshotCountDTO,
@@ -106,10 +96,10 @@ export const secretSnapshotServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
 
     // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
-    throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.DescribeSecret, {
-      environment,
-      secretPath: path
-    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
+    );
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
     if (!folder) {
@@ -143,10 +133,10 @@ export const secretSnapshotServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
 
     // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
-    throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.DescribeSecret, {
-      environment,
-      secretPath: path
-    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
+    );
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
     if (!folder)
@@ -171,7 +161,6 @@ export const secretSnapshotServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
-
     const shouldUseBridge = snapshot.projectVersion === 3;
     let snapshotDetails;
     if (shouldUseBridge) {
@@ -180,112 +169,68 @@ export const secretSnapshotServiceFactory = ({
         projectId: snapshot.projectId
       });
       const encryptedSnapshotDetails = await snapshotDAL.findSecretSnapshotV2DataById(id);
-
-      const fullFolderPath = await getFullFolderPath({
-        folderDAL,
-        folderId: encryptedSnapshotDetails.folderId,
-        envId: encryptedSnapshotDetails.environment.id
-      });
-
       snapshotDetails = {
         ...encryptedSnapshotDetails,
-        secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => {
-          const canReadValue = hasSecretReadValueOrDescribePermission(
-            permission,
-            ProjectPermissionSecretActions.ReadValue,
-            {
-              environment: encryptedSnapshotDetails.environment.slug,
-              secretPath: fullFolderPath,
-              secretName: el.key,
-              secretTags: el.tags.length ? el.tags.map((tag) => tag.slug) : undefined
-            }
-          );
-
-          let secretValue = "";
-          if (canReadValue) {
-            secretValue = el.encryptedValue
-              ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
-              : "";
-          } else {
-            secretValue = INFISICAL_SECRET_VALUE_HIDDEN_MASK;
-          }
-
-          return {
-            ...el,
-            secretKey: el.key,
-            secretValueHidden: !canReadValue,
-            secretValue,
-            secretComment: el.encryptedComment
-              ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString()
-              : ""
-          };
-        })
+        secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => ({
+          ...el,
+          secretKey: el.key,
+          secretValue: el.encryptedValue
+            ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
+            : "",
+          secretComment: el.encryptedComment
+            ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString()
+            : ""
+        }))
       };
     } else {
       const encryptedSnapshotDetails = await snapshotDAL.findSecretSnapshotDataById(id);
-
-      const fullFolderPath = await getFullFolderPath({
-        folderDAL,
-        folderId: encryptedSnapshotDetails.folderId,
-        envId: encryptedSnapshotDetails.environment.id
-      });
-
       const { botKey } = await projectBotService.getBotKey(snapshot.projectId);
       if (!botKey)
         throw new NotFoundError({ message: `Project bot key not found for project with ID '${snapshot.projectId}'` });
       snapshotDetails = {
         ...encryptedSnapshotDetails,
-        secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => {
-          const secretKey = decryptSymmetric128BitHexKeyUTF8({
+        secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => ({
+          ...el,
+          secretKey: decryptSymmetric128BitHexKeyUTF8({
             ciphertext: el.secretKeyCiphertext,
             iv: el.secretKeyIV,
             tag: el.secretKeyTag,
             key: botKey
-          });
-
-          const canReadValue = hasSecretReadValueOrDescribePermission(
-            permission,
-            ProjectPermissionSecretActions.ReadValue,
-            {
-              environment: encryptedSnapshotDetails.environment.slug,
-              secretPath: fullFolderPath,
-              secretName: secretKey,
-              secretTags: el.tags.length ? el.tags.map((tag) => tag.slug) : undefined
-            }
-          );
-
-          let secretValue = "";
-
-          if (canReadValue) {
-            secretValue = decryptSymmetric128BitHexKeyUTF8({
-              ciphertext: el.secretValueCiphertext,
-              iv: el.secretValueIV,
-              tag: el.secretValueTag,
-              key: botKey
-            });
-          } else {
-            secretValue = INFISICAL_SECRET_VALUE_HIDDEN_MASK;
-          }
-
-          return {
-            ...el,
-            secretKey,
-            secretValueHidden: !canReadValue,
-            secretValue,
-            secretComment:
-              el.secretCommentTag && el.secretCommentIV && el.secretCommentCiphertext
-                ? decryptSymmetric128BitHexKeyUTF8({
-                    ciphertext: el.secretCommentCiphertext,
-                    iv: el.secretCommentIV,
-                    tag: el.secretCommentTag,
-                    key: botKey
-                  })
-                : ""
-          };
-        })
+          }),
+          secretValue: decryptSymmetric128BitHexKeyUTF8({
+            ciphertext: el.secretValueCiphertext,
+            iv: el.secretValueIV,
+            tag: el.secretValueTag,
+            key: botKey
+          }),
+          secretComment:
+            el.secretCommentTag && el.secretCommentIV && el.secretCommentCiphertext
+              ? decryptSymmetric128BitHexKeyUTF8({
+                  ciphertext: el.secretCommentCiphertext,
+                  iv: el.secretCommentIV,
+                  tag: el.secretCommentTag,
+                  key: botKey
+                })
+              : ""
+        }))
       };
     }
 
+    const fullFolderPath = await getFullFolderPath({
+      folderDAL,
+      folderId: snapshotDetails.folderId,
+      envId: snapshotDetails.environment.id
+    });
+
+    // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, {
+        environment: snapshotDetails.environment.slug,
+        secretPath: fullFolderPath
+      })
+    );
+
     return snapshotDetails;
   };
 
@@ -425,21 +370,7 @@ export const secretSnapshotServiceFactory = ({
         const secrets = await secretV2BridgeDAL.insertMany(
           rollbackSnaps.flatMap(({ secretVersions, folderId }) =>
             secretVersions.map(
-              ({
-                latestSecretVersion,
-                version,
-                updatedAt,
-                createdAt,
-                secretId,
-                envId,
-                id,
-                tags,
-                // exclude the bottom fields from the secret - they are for versioning only.
-                userActorId,
-                identityActorId,
-                actorType,
-                ...el
-              }) => ({
+              ({ latestSecretVersion, version, updatedAt, createdAt, secretId, envId, id, tags, ...el }) => ({
                 ...el,
                 id: secretId,
                 version: deletedTopLevelSecsGroupById[secretId] ? latestSecretVersion + 1 : latestSecretVersion,
@@ -470,18 +401,8 @@ export const secretSnapshotServiceFactory = ({
           })),
           tx
         );
-        const userActorId = actor === ActorType.USER ? actorId : undefined;
-        const identityActorId = actor !== ActorType.USER ? actorId : undefined;
-        const actorType = actor || ActorType.PLATFORM;
-
         const secretVersions = await secretVersionV2BridgeDAL.insertMany(
-          secrets.map(({ id, updatedAt, createdAt, ...el }) => ({
-            ...el,
-            secretId: id,
-            userActorId,
-            identityActorId,
-            actorType
-          })),
+          secrets.map(({ id, updatedAt, createdAt, ...el }) => ({ ...el, secretId: id })),
           tx
         );
         await secretVersionV2TagBridgeDAL.insertMany(

backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts

@@ -1,10 +1,10 @@
 import { ForbiddenError } from "@casl/ability";
+import ms from "ms";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { ms } from "@app/lib/ms";
 
 import { TSshCertificateAuthorityDALFactory } from "../ssh/ssh-certificate-authority-dal";
 import { TSshCertificateTemplateDALFactory } from "./ssh-certificate-template-dal";

backend/src/ee/services/ssh-certificate/ssh-certificate-schema.ts

@@ -6,6 +6,7 @@ export const sanitizedSshCertificate = SshCertificatesSchema.pick({
   sshCertificateTemplateId: true,
   serialNumber: true,
   certType: true,
+  publicKey: true,
   principals: true,
   keyId: true,
   notBefore: true,