Improve random value generator modal UI

feat: dashboard failing on failing check

.github/workflows/release_build_infisical_cli.yml

@@ -1,132 +1,147 @@
 name: Build and release CLI
 
 on:
-    workflow_dispatch:
+  workflow_dispatch:
 
-    push:
-        # run only against tags
-        tags:
-            - "infisical-cli/v*.*.*"
+  push:
+    # run only against tags
+    tags:
+      - "infisical-cli/v*.*.*"
 
 permissions:
-    contents: write
+  contents: write
 
 jobs:
-    cli-integration-tests:
-        name: Run tests before deployment
-        uses: ./.github/workflows/run-cli-tests.yml
-        secrets:
-            CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
-            CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
-            CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
-            CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
-            CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
-            CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
-            CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
-            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+  cli-integration-tests:
+    name: Run tests before deployment
+    uses: ./.github/workflows/run-cli-tests.yml
+    secrets:
+      CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+      CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+      CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+      CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+      CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+      CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+      CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+      CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
 
-    npm-release:
-        runs-on: ubuntu-latest
+  npm-release:
+    runs-on: ubuntu-latest
+    env:
+      working-directory: ./npm
+    needs:
+      - cli-integration-tests
+      - goreleaser
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Extract version
+        run: |
+          VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
+          echo "Version extracted: $VERSION"
+          echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Print version
+        run: echo ${{ env.CLI_VERSION }}
+
+      - name: Setup Node
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        with:
+          node-version: 20
+          cache: "npm"
+          cache-dependency-path: ./npm/package-lock.json
+      - name: Install dependencies
+        working-directory: ${{ env.working-directory }}
+        run: npm install --ignore-scripts
+
+      - name: Set NPM version
+        working-directory: ${{ env.working-directory }}
+        run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
+
+      - name: Setup NPM
+        working-directory: ${{ env.working-directory }}
+        run: |
+          echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
+          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
+
+          echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
+          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
         env:
-            working-directory: ./npm
-        needs:
-            - cli-integration-tests
-            - goreleaser
-        steps:
-            - uses: actions/checkout@v3
-              with:
-                  fetch-depth: 0
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
-            - name: Extract version
-              run: |
-                  VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
-                  echo "Version extracted: $VERSION"
-                  echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
+      - name: Pack NPM
+        working-directory: ${{ env.working-directory }}
+        run: npm pack
 
-            - name: Print version
-              run: echo ${{ env.CLI_VERSION }}
+      - name: Publish NPM
+        working-directory: ${{ env.working-directory }}
+        run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
-            - name: Setup Node
-              uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
-              with:
-                  node-version: 20
-                  cache: "npm"
-                  cache-dependency-path: ./npm/package-lock.json
-            - name: Install dependencies
-              working-directory: ${{ env.working-directory }}
-              run: npm install --ignore-scripts
-
-            - name: Set NPM version
-              working-directory: ${{ env.working-directory }}
-              run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
-
-            - name: Setup NPM
-              working-directory: ${{ env.working-directory }}
-              run: |
-                  echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
-                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
-
-                  echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
-                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
-              env:
-                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-            - name: Pack NPM
-              working-directory: ${{ env.working-directory }}
-              run: npm pack
-
-            - name: Publish NPM
-              working-directory: ${{ env.working-directory }}
-              run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
-              env:
-                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-    goreleaser:
-        runs-on: ubuntu-latest
-        needs: [cli-integration-tests]
-        steps:
-            - uses: actions/checkout@v3
-              with:
-                  fetch-depth: 0
-            - name: 🐋 Login to Docker Hub
-              uses: docker/login-action@v2
-              with:
-                  username: ${{ secrets.DOCKERHUB_USERNAME }}
-                  password: ${{ secrets.DOCKERHUB_TOKEN }}
-            - name: 🔧 Set up Docker Buildx
-              uses: docker/setup-buildx-action@v2
-            - run: git fetch --force --tags
-            - run: echo "Ref name ${{github.ref_name}}"
-            - uses: actions/setup-go@v3
-              with:
-                  go-version: ">=1.19.3"
-                  cache: true
-                  cache-dependency-path: cli/go.sum
-            - name: Setup for libssl1.0-dev
-              run: |
-                  echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
-                  sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
-                  sudo apt update
-                  sudo apt-get install -y libssl1.0-dev
-            - name: OSXCross for CGO Support
-              run: |
-                  mkdir ../../osxcross
-                  git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-            - uses: goreleaser/goreleaser-action@v4
-              with:
-                  distribution: goreleaser-pro
-                  version: v1.26.2-pro
-                  args: release --clean
-              env:
-                  GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-                  POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
-                  FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
-                  AUR_KEY: ${{ secrets.AUR_KEY }}
-                  GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-            - uses: actions/setup-python@v4
-            - run: pip install --upgrade cloudsmith-cli
-            - name: Publish to CloudSmith
-              run: sh cli/upload_to_cloudsmith.sh
-              env:
-                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+  goreleaser:
+    runs-on: ubuntu-latest
+    needs: [cli-integration-tests]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - run: git fetch --force --tags
+      - run: echo "Ref name ${{github.ref_name}}"
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ">=1.19.3"
+          cache: true
+          cache-dependency-path: cli/go.sum
+      - name: Setup for libssl1.0-dev
+        run: |
+          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
+          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
+          sudo apt update
+          sudo apt-get install -y libssl1.0-dev
+      - name: OSXCross for CGO Support
+        run: |
+          mkdir ../../osxcross
+          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
+      - uses: goreleaser/goreleaser-action@v4
+        with:
+          distribution: goreleaser-pro
+          version: v1.26.2-pro
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
+          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
+          AUR_KEY: ${{ secrets.AUR_KEY }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      - uses: actions/setup-python@v4
+      - run: pip install --upgrade cloudsmith-cli
+      - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252
+        with:
+          ruby-version: "3.3" # Not needed with a .ruby-version, .tool-versions or mise.toml
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+      - name: Install deb-s3
+        run: gem install deb-s3
+      - name: Configure GPG Key
+        run: echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --batch --import
+        env:
+          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
+          GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
+      - name: Publish to CloudSmith
+        run: sh cli/upload_to_cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+          INFISICAL_CLI_S3_BUCKET: ${{ secrets.INFISICAL_CLI_S3_BUCKET }}
+          INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}

.goreleaser.yaml

@@ -162,6 +162,24 @@ scoop:
   description: "The official Infisical CLI"
   license: MIT
 
+winget:
+  - name: infisical
+    publisher: infisical
+    license: MIT
+    homepage: https://infisical.com
+    short_description: "The official Infisical CLI"
+    repository:
+      owner: infisical
+      name: winget-pkgs
+      branch: "infisical-{{.Version}}"
+      pull_request:
+        enabled: true
+        draft: false
+        base:
+          owner: microsoft
+          name: winget-pkgs
+          branch: master
+
 aurs:
   - name: infisical-bin
     homepage: "https://infisical.com"

.infisicalignore

@@ -14,3 +14,13 @@ docs/self-hosting/guides/automated-bootstrapping.mdx:jwt:74
 frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretDetailSidebar.tsx:generic-api-key:72
 k8-operator/config/samples/crd/pushsecret/source-secret-with-templating.yaml:private-key:11
 k8-operator/config/samples/crd/pushsecret/push-secret-with-template.yaml:private-key:52
+backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts:generic-api-key:125
+frontend/src/components/permissions/AccessTree/nodes/RoleNode.tsx:generic-api-key:67
+frontend/src/components/secret-rotations-v2/RotateSecretRotationV2Modal.tsx:generic-api-key:14
+frontend/src/components/secret-rotations-v2/SecretRotationV2StatusBadge.tsx:generic-api-key:11
+frontend/src/components/secret-rotations-v2/ViewSecretRotationV2GeneratedCredentials/ViewSecretRotationV2GeneratedCredentials.tsx:generic-api-key:23
+frontend/src/hooks/api/secretRotationsV2/types/index.ts:generic-api-key:28
+frontend/src/hooks/api/secretRotationsV2/types/index.ts:generic-api-key:65
+frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretRotationListView/SecretRotationItem.tsx:generic-api-key:26
+docs/documentation/platform/kms/overview.mdx:generic-api-key:281
+docs/documentation/platform/kms/overview.mdx:generic-api-key:344

backend/Dockerfile

@@ -8,7 +8,8 @@ RUN apt-get update && apt-get install -y \
     python3 \
     make \
     g++ \
-    openssh-client
+    openssh-client \
+    openssl 
 
 # Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
 RUN apt-get install -y \

backend/Dockerfile.dev

@@ -19,6 +19,7 @@ RUN apt-get update && apt-get install -y \
     make \
     g++ \
     openssh-client \
+    openssl \
     curl \
     pkg-config
 

backend/e2e-test/mocks/keystore.ts

@@ -9,6 +9,7 @@ export const mockKeyStore = (): TKeyStoreFactory => {
       store[key] = value;
       return "OK";
     },
+    setExpiry: async () => 0,
     setItemWithExpiry: async (key, value) => {
       store[key] = value;
       return "OK";

backend/package-lock.json

@@ -132,7 +132,7 @@
         "@types/jsrp": "^0.2.6",
         "@types/libsodium-wrappers": "^0.7.13",
         "@types/lodash.isequal": "^4.5.8",
-        "@types/node": "^20.9.5",
+        "@types/node": "^20.17.30",
         "@types/nodemailer": "^6.4.14",
         "@types/passport-github": "^1.1.12",
         "@types/passport-google-oauth20": "^2.0.14",
@@ -9753,11 +9753,12 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "20.9.5",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.9.5.tgz",
-      "integrity": "sha512-Uq2xbNq0chGg+/WQEU0LJTSs/1nKxz6u1iemLcGomkSnKokbW1fbLqc3HOqCf2JP7KjlL4QkS7oZZTrOQHQYgQ==",
+      "version": "20.17.30",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.17.30.tgz",
+      "integrity": "sha512-7zf4YyHA+jvBNfVrk2Gtvs6x7E8V+YDW05bNfG2XkWDJfYRXrTiP/DsB2zSYTaHX0bGIujTBQdMVAhb+j7mwpg==",
+      "license": "MIT",
       "dependencies": {
-        "undici-types": "~5.26.4"
+        "undici-types": "~6.19.2"
       }
     },
     "node_modules/@types/node-fetch": {
@@ -20081,11 +20082,6 @@
         "undici-types": "~6.19.2"
       }
     },
-    "node_modules/scim-patch/node_modules/undici-types": {
-      "version": "6.19.8",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz",
-      "integrity": "sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw=="
-    },
     "node_modules/scim2-parse-filter": {
       "version": "0.2.10",
       "resolved": "https://registry.npmjs.org/scim2-parse-filter/-/scim2-parse-filter-0.2.10.tgz",
@@ -22442,9 +22438,9 @@
       }
     },
     "node_modules/undici-types": {
-      "version": "5.26.5",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
-      "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA=="
+      "version": "6.19.8",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz",
+      "integrity": "sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw=="
     },
     "node_modules/unicode-canonical-property-names-ecmascript": {
       "version": "2.0.0",

backend/package.json

@@ -89,7 +89,7 @@
     "@types/jsrp": "^0.2.6",
     "@types/libsodium-wrappers": "^0.7.13",
     "@types/lodash.isequal": "^4.5.8",
-    "@types/node": "^20.9.5",
+    "@types/node": "^20.17.30",
     "@types/nodemailer": "^6.4.14",
     "@types/passport-github": "^1.1.12",
     "@types/passport-google-oauth20": "^2.0.14",

backend/src/@types/fastify.d.ts

@@ -38,6 +38,7 @@ import { TSecretScanningServiceFactory } from "@app/ee/services/secret-scanning/
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { TSshCertificateAuthorityServiceFactory } from "@app/ee/services/ssh/ssh-certificate-authority-service";
 import { TSshCertificateTemplateServiceFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-service";
+import { TSshHostServiceFactory } from "@app/ee/services/ssh-host/ssh-host-service";
 import { TTrustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TAuthMode } from "@app/server/plugins/auth/inject-identity";
 import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
@@ -206,6 +207,7 @@ declare module "fastify" {
       certificateTemplate: TCertificateTemplateServiceFactory;
       sshCertificateAuthority: TSshCertificateAuthorityServiceFactory;
       sshCertificateTemplate: TSshCertificateTemplateServiceFactory;
+      sshHost: TSshHostServiceFactory;
       certificateAuthority: TCertificateAuthorityServiceFactory;
       certificateAuthorityCrl: TCertificateAuthorityCrlServiceFactory;
       certificateEst: TCertificateEstServiceFactory;

backend/src/@types/knex.d.ts

@@ -232,6 +232,9 @@ import {
   TProjectSplitBackfillIds,
   TProjectSplitBackfillIdsInsert,
   TProjectSplitBackfillIdsUpdate,
+  TProjectSshConfigs,
+  TProjectSshConfigsInsert,
+  TProjectSshConfigsUpdate,
   TProjectsUpdate,
   TProjectTemplates,
   TProjectTemplatesInsert,
@@ -380,6 +383,15 @@ import {
   TSshCertificateTemplates,
   TSshCertificateTemplatesInsert,
   TSshCertificateTemplatesUpdate,
+  TSshHostLoginUserMappings,
+  TSshHostLoginUserMappingsInsert,
+  TSshHostLoginUserMappingsUpdate,
+  TSshHostLoginUsers,
+  TSshHostLoginUsersInsert,
+  TSshHostLoginUsersUpdate,
+  TSshHosts,
+  TSshHostsInsert,
+  TSshHostsUpdate,
   TSuperAdmin,
   TSuperAdminInsert,
   TSuperAdminUpdate,
@@ -425,6 +437,7 @@ declare module "knex/types/tables" {
   interface Tables {
     [TableName.Users]: KnexOriginal.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
     [TableName.Groups]: KnexOriginal.CompositeTableType<TGroups, TGroupsInsert, TGroupsUpdate>;
+    [TableName.SshHost]: KnexOriginal.CompositeTableType<TSshHosts, TSshHostsInsert, TSshHostsUpdate>;
     [TableName.SshCertificateAuthority]: KnexOriginal.CompositeTableType<
       TSshCertificateAuthorities,
       TSshCertificateAuthoritiesInsert,
@@ -450,6 +463,16 @@ declare module "knex/types/tables" {
       TSshCertificateBodiesInsert,
       TSshCertificateBodiesUpdate
     >;
+    [TableName.SshHostLoginUser]: KnexOriginal.CompositeTableType<
+      TSshHostLoginUsers,
+      TSshHostLoginUsersInsert,
+      TSshHostLoginUsersUpdate
+    >;
+    [TableName.SshHostLoginUserMapping]: KnexOriginal.CompositeTableType<
+      TSshHostLoginUserMappings,
+      TSshHostLoginUserMappingsInsert,
+      TSshHostLoginUserMappingsUpdate
+    >;
     [TableName.CertificateAuthority]: KnexOriginal.CompositeTableType<
       TCertificateAuthorities,
       TCertificateAuthoritiesInsert,
@@ -554,6 +577,11 @@ declare module "knex/types/tables" {
     [TableName.SuperAdmin]: KnexOriginal.CompositeTableType<TSuperAdmin, TSuperAdminInsert, TSuperAdminUpdate>;
     [TableName.ApiKey]: KnexOriginal.CompositeTableType<TApiKeys, TApiKeysInsert, TApiKeysUpdate>;
     [TableName.Project]: KnexOriginal.CompositeTableType<TProjects, TProjectsInsert, TProjectsUpdate>;
+    [TableName.ProjectSshConfig]: KnexOriginal.CompositeTableType<
+      TProjectSshConfigs,
+      TProjectSshConfigsInsert,
+      TProjectSshConfigsUpdate
+    >;
     [TableName.ProjectMembership]: KnexOriginal.CompositeTableType<
       TProjectMemberships,
       TProjectMembershipsInsert,

backend/src/db/migrations/20250402000941_add-type-to-kms-keys.ts

@@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { KmsKeyUsage } from "@app/services/kms/kms-types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasKeyUsageColumn = await knex.schema.hasColumn(TableName.KmsKey, "keyUsage");
+
+  if (!hasKeyUsageColumn) {
+    await knex.schema.alterTable(TableName.KmsKey, (t) => {
+      t.string("keyUsage").notNullable().defaultTo(KmsKeyUsage.ENCRYPT_DECRYPT);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasKeyUsageColumn = await knex.schema.hasColumn(TableName.KmsKey, "keyUsage");
+
+  if (hasKeyUsageColumn) {
+    await knex.schema.alterTable(TableName.KmsKey, (t) => {
+      t.dropColumn("keyUsage");
+    });
+  }
+}

backend/src/db/migrations/20250404022310_ssh-ca-key-source.ts

@@ -0,0 +1,32 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SshCertificateAuthority, "keySource"))) {
+    await knex.schema.alterTable(TableName.SshCertificateAuthority, (t) => {
+      t.string("keySource");
+    });
+
+    // Backfilling the keySource to internal
+    await knex(TableName.SshCertificateAuthority).update({ keySource: "internal" });
+
+    await knex.schema.alterTable(TableName.SshCertificateAuthority, (t) => {
+      t.string("keySource").notNullable().alter();
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.SshCertificate, "sshCaId")) {
+    await knex.schema.alterTable(TableName.SshCertificate, (t) => {
+      t.uuid("sshCaId").nullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SshCertificateAuthority, "keySource")) {
+    await knex.schema.alterTable(TableName.SshCertificateAuthority, (t) => {
+      t.dropColumn("keySource");
+    });
+  }
+}

backend/src/db/migrations/20250405185753_ssh-mgmt-v2.ts

@@ -0,0 +1,93 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SshHost))) {
+    await knex.schema.createTable(TableName.SshHost, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.string("hostname").notNullable();
+      t.string("userCertTtl").notNullable();
+      t.string("hostCertTtl").notNullable();
+      t.uuid("userSshCaId").notNullable();
+      t.foreign("userSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
+      t.uuid("hostSshCaId").notNullable();
+      t.foreign("hostSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
+      t.unique(["projectId", "hostname"]);
+    });
+    await createOnUpdateTrigger(knex, TableName.SshHost);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SshHostLoginUser))) {
+    await knex.schema.createTable(TableName.SshHostLoginUser, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("sshHostId").notNullable();
+      t.foreign("sshHostId").references("id").inTable(TableName.SshHost).onDelete("CASCADE");
+      t.string("loginUser").notNullable(); // e.g. ubuntu, root, ec2-user, ...
+      t.unique(["sshHostId", "loginUser"]);
+    });
+    await createOnUpdateTrigger(knex, TableName.SshHostLoginUser);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SshHostLoginUserMapping))) {
+    await knex.schema.createTable(TableName.SshHostLoginUserMapping, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("sshHostLoginUserId").notNullable();
+      t.foreign("sshHostLoginUserId").references("id").inTable(TableName.SshHostLoginUser).onDelete("CASCADE");
+      t.uuid("userId").nullable();
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.unique(["sshHostLoginUserId", "userId"]);
+    });
+    await createOnUpdateTrigger(knex, TableName.SshHostLoginUserMapping);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.ProjectSshConfig))) {
+    // new table to store configuration for projects of type SSH (i.e. Infisical SSH)
+    await knex.schema.createTable(TableName.ProjectSshConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.uuid("defaultUserSshCaId");
+      t.foreign("defaultUserSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
+      t.uuid("defaultHostSshCaId");
+      t.foreign("defaultHostSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
+    });
+    await createOnUpdateTrigger(knex, TableName.ProjectSshConfig);
+  }
+
+  const hasColumn = await knex.schema.hasColumn(TableName.SshCertificate, "sshHostId");
+  if (!hasColumn) {
+    await knex.schema.alterTable(TableName.SshCertificate, (t) => {
+      t.uuid("sshHostId").nullable();
+      t.foreign("sshHostId").references("id").inTable(TableName.SshHost).onDelete("SET NULL");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.ProjectSshConfig);
+  await dropOnUpdateTrigger(knex, TableName.ProjectSshConfig);
+
+  await knex.schema.dropTableIfExists(TableName.SshHostLoginUserMapping);
+  await dropOnUpdateTrigger(knex, TableName.SshHostLoginUserMapping);
+
+  await knex.schema.dropTableIfExists(TableName.SshHostLoginUser);
+  await dropOnUpdateTrigger(knex, TableName.SshHostLoginUser);
+
+  const hasColumn = await knex.schema.hasColumn(TableName.SshCertificate, "sshHostId");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.SshCertificate, (t) => {
+      t.dropColumn("sshHostId");
+    });
+  }
+
+  await knex.schema.dropTableIfExists(TableName.SshHost);
+  await dropOnUpdateTrigger(knex, TableName.SshHost);
+}

backend/src/db/migrations/20250409161555_add-dynamic-secret-to-resource-metadata.ts

@@ -0,0 +1,20 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.ResourceMetadata, "dynamicSecretId"))) {
+    await knex.schema.alterTable(TableName.ResourceMetadata, (tb) => {
+      tb.uuid("dynamicSecretId");
+      tb.foreign("dynamicSecretId").references("id").inTable(TableName.DynamicSecret).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.ResourceMetadata, "dynamicSecretId")) {
+    await knex.schema.alterTable(TableName.ResourceMetadata, (tb) => {
+      tb.dropColumn("dynamicSecretId");
+    });
+  }
+}

backend/src/db/migrations/20250410203010_add-comment-to-access-request.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "note");
+  if (!hasCol) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      t.string("note").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "note");
+  if (hasCol) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      t.dropColumn("note");
+    });
+  }
+}

backend/src/db/migrations/20250415010421_increase-certificate-altnames-character-limit.ts

@@ -0,0 +1,15 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.Certificate, (t) => {
+    t.string("altNames", 4096).alter();
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.Certificate, (t) => {
+    t.string("altNames").alter(); // Defaults to varchar(255)
+  });
+}

backend/src/db/migrations/20250415020304_increase-kmip-certificate-altnames-character-limit.ts

@@ -0,0 +1,15 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.KmipOrgServerCertificates, (t) => {
+    t.string("altNames", 4096).alter();
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.KmipOrgServerCertificates, (t) => {
+    t.string("altNames").alter(); // Defaults to varchar(255)
+  });
+}

backend/src/db/schemas/access-approval-requests.ts

@@ -17,7 +17,8 @@ export const AccessApprovalRequestsSchema = z.object({
   permissions: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  requestedByUserId: z.string().uuid()
+  requestedByUserId: z.string().uuid(),
+  note: z.string().nullable().optional()
 });
 
 export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;

backend/src/db/schemas/index.ts

@@ -75,6 +75,7 @@ export * from "./project-memberships";
 export * from "./project-roles";
 export * from "./project-slack-configs";
 export * from "./project-split-backfill-ids";
+export * from "./project-ssh-configs";
 export * from "./project-templates";
 export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
@@ -125,6 +126,9 @@ export * from "./ssh-certificate-authority-secrets";
 export * from "./ssh-certificate-bodies";
 export * from "./ssh-certificate-templates";
 export * from "./ssh-certificates";
+export * from "./ssh-host-login-user-mappings";
+export * from "./ssh-host-login-users";
+export * from "./ssh-hosts";
 export * from "./super-admin";
 export * from "./totp-configs";
 export * from "./trusted-ips";

backend/src/db/schemas/kms-keys.ts

@@ -16,7 +16,8 @@ export const KmsKeysSchema = z.object({
   name: z.string(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  projectId: z.string().nullable().optional()
+  projectId: z.string().nullable().optional(),
+  keyUsage: z.string().default("encrypt-decrypt")
 });
 
 export type TKmsKeys = z.infer<typeof KmsKeysSchema>;

backend/src/db/schemas/models.ts

@@ -2,6 +2,9 @@ import { z } from "zod";
 
 export enum TableName {
   Users = "users",
+  SshHost = "ssh_hosts",
+  SshHostLoginUser = "ssh_host_login_users",
+  SshHostLoginUserMapping = "ssh_host_login_user_mappings",
   SshCertificateAuthority = "ssh_certificate_authorities",
   SshCertificateAuthoritySecret = "ssh_certificate_authority_secrets",
   SshCertificateTemplate = "ssh_certificate_templates",
@@ -38,6 +41,7 @@ export enum TableName {
   SuperAdmin = "super_admin",
   RateLimit = "rate_limit",
   ApiKey = "api_keys",
+  ProjectSshConfig = "project_ssh_configs",
   Project = "projects",
   ProjectBot = "project_bots",
   Environment = "project_environments",

backend/src/db/schemas/project-ssh-configs.ts

@@ -0,0 +1,21 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ProjectSshConfigsSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  projectId: z.string(),
+  defaultUserSshCaId: z.string().uuid().nullable().optional(),
+  defaultHostSshCaId: z.string().uuid().nullable().optional()
+});
+
+export type TProjectSshConfigs = z.infer<typeof ProjectSshConfigsSchema>;
+export type TProjectSshConfigsInsert = Omit<z.input<typeof ProjectSshConfigsSchema>, TImmutableDBKeys>;
+export type TProjectSshConfigsUpdate = Partial<Omit<z.input<typeof ProjectSshConfigsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/resource-metadata.ts

@@ -16,7 +16,8 @@ export const ResourceMetadataSchema = z.object({
   identityId: z.string().uuid().nullable().optional(),
   secretId: z.string().uuid().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  dynamicSecretId: z.string().uuid().nullable().optional()
 });
 
 export type TResourceMetadata = z.infer<typeof ResourceMetadataSchema>;

backend/src/db/schemas/ssh-certificate-authorities.ts

@@ -14,7 +14,8 @@ export const SshCertificateAuthoritiesSchema = z.object({
   projectId: z.string(),
   status: z.string(),
   friendlyName: z.string(),
-  keyAlgorithm: z.string()
+  keyAlgorithm: z.string(),
+  keySource: z.string()
 });
 
 export type TSshCertificateAuthorities = z.infer<typeof SshCertificateAuthoritiesSchema>;

backend/src/db/schemas/ssh-certificates.ts

@@ -11,14 +11,15 @@ export const SshCertificatesSchema = z.object({
   id: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  sshCaId: z.string().uuid(),
+  sshCaId: z.string().uuid().nullable().optional(),
   sshCertificateTemplateId: z.string().uuid().nullable().optional(),
   serialNumber: z.string(),
   certType: z.string(),
   principals: z.string().array(),
   keyId: z.string(),
   notBefore: z.date(),
-  notAfter: z.date()
+  notAfter: z.date(),
+  sshHostId: z.string().uuid().nullable().optional()
 });
 
 export type TSshCertificates = z.infer<typeof SshCertificatesSchema>;

backend/src/db/schemas/ssh-host-login-user-mappings.ts

@@ -0,0 +1,22 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SshHostLoginUserMappingsSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  sshHostLoginUserId: z.string().uuid(),
+  userId: z.string().uuid().nullable().optional()
+});
+
+export type TSshHostLoginUserMappings = z.infer<typeof SshHostLoginUserMappingsSchema>;
+export type TSshHostLoginUserMappingsInsert = Omit<z.input<typeof SshHostLoginUserMappingsSchema>, TImmutableDBKeys>;
+export type TSshHostLoginUserMappingsUpdate = Partial<
+  Omit<z.input<typeof SshHostLoginUserMappingsSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/ssh-host-login-users.ts

@@ -0,0 +1,20 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SshHostLoginUsersSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  sshHostId: z.string().uuid(),
+  loginUser: z.string()
+});
+
+export type TSshHostLoginUsers = z.infer<typeof SshHostLoginUsersSchema>;
+export type TSshHostLoginUsersInsert = Omit<z.input<typeof SshHostLoginUsersSchema>, TImmutableDBKeys>;
+export type TSshHostLoginUsersUpdate = Partial<Omit<z.input<typeof SshHostLoginUsersSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/ssh-hosts.ts

@@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SshHostsSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  projectId: z.string(),
+  hostname: z.string(),
+  userCertTtl: z.string(),
+  hostCertTtl: z.string(),
+  userSshCaId: z.string().uuid(),
+  hostSshCaId: z.string().uuid()
+});
+
+export type TSshHosts = z.infer<typeof SshHostsSchema>;
+export type TSshHostsInsert = Omit<z.input<typeof SshHostsSchema>, TImmutableDBKeys>;
+export type TSshHostsUpdate = Partial<Omit<z.input<typeof SshHostsSchema>, TImmutableDBKeys>>;

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -22,7 +22,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
       body: z.object({
         permissions: z.any().array(),
         isTemporary: z.boolean(),
-        temporaryRange: z.string().optional()
+        temporaryRange: z.string().optional(),
+        note: z.string().max(255).optional()
       }),
       querystring: z.object({
         projectSlug: z.string().trim()
@@ -43,7 +44,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
         actorOrgId: req.permission.orgId,
         projectSlug: req.query.projectSlug,
         temporaryRange: req.body.temporaryRange,
-        isTemporary: req.body.isTemporary
+        isTemporary: req.body.isTemporary,
+        note: req.body.note
       });
       return { approval: request };
     }

backend/src/ee/routes/v1/dynamic-secret-router.ts

@@ -11,6 +11,7 @@ import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 export const registerDynamicSecretRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -48,7 +49,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
           .nullable(),
         path: z.string().describe(DYNAMIC_SECRETS.CREATE.path).trim().default("/").transform(removeTrailingSlash),
         environmentSlug: z.string().describe(DYNAMIC_SECRETS.CREATE.environmentSlug).min(1),
-        name: slugSchema({ min: 1, max: 64, field: "Name" }).describe(DYNAMIC_SECRETS.CREATE.name)
+        name: slugSchema({ min: 1, max: 64, field: "Name" }).describe(DYNAMIC_SECRETS.CREATE.name),
+        metadata: ResourceMetadataSchema.optional()
       }),
       response: {
         200: z.object({
@@ -143,7 +145,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
                 ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
             })
             .nullable(),
-          newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional()
+          newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional(),
+          metadata: ResourceMetadataSchema.optional()
         })
       }),
       response: {
@@ -238,6 +241,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
         name: req.params.name,
         ...req.query
       });
+
       return { dynamicSecret: dynamicSecretCfg };
     }
   });

backend/src/ee/routes/v1/index.ts

@@ -32,6 +32,7 @@ import { registerSnapshotRouter } from "./snapshot-router";
 import { registerSshCaRouter } from "./ssh-certificate-authority-router";
 import { registerSshCertRouter } from "./ssh-certificate-router";
 import { registerSshCertificateTemplateRouter } from "./ssh-certificate-template-router";
+import { registerSshHostRouter } from "./ssh-host-router";
 import { registerTrustedIpRouter } from "./trusted-ip-router";
 import { registerUserAdditionalPrivilegeRouter } from "./user-additional-privilege-router";
 
@@ -82,6 +83,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
       await sshRouter.register(registerSshCaRouter, { prefix: "/ca" });
       await sshRouter.register(registerSshCertRouter, { prefix: "/certificates" });
       await sshRouter.register(registerSshCertificateTemplateRouter, { prefix: "/certificate-templates" });
+      await sshRouter.register(registerSshHostRouter, { prefix: "/hosts" });
     },
     { prefix: "/ssh" }
   );

backend/src/ee/routes/v1/kmip-spec-router.ts

@@ -2,7 +2,7 @@ import z from "zod";
 
 import { KmsKeysSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { SymmetricKeyAlgorithm } from "@app/lib/crypto/cipher";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -74,7 +74,7 @@ export const registerKmipSpecRouter = async (server: FastifyZodProvider) => {
     schema: {
       description: "KMIP endpoint for creating managed objects",
       body: z.object({
-        algorithm: z.nativeEnum(SymmetricEncryption)
+        algorithm: z.nativeEnum(SymmetricKeyAlgorithm)
       }),
       response: {
         200: KmsKeysSchema
@@ -433,7 +433,7 @@ export const registerKmipSpecRouter = async (server: FastifyZodProvider) => {
       body: z.object({
         key: z.string(),
         name: z.string(),
-        algorithm: z.nativeEnum(SymmetricEncryption)
+        algorithm: z.nativeEnum(SymmetricKeyAlgorithm)
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/oidc-router.ts

@@ -136,11 +136,12 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
     url: "/login/error",
     method: "GET",
     handler: async (req, res) => {
+      const failureMessage = req.session.get<any>("messages");
       await req.session.destroy();
 
       return res.status(500).send({
         error: "Authentication error",
-        details: req.query
+        details: failureMessage ?? req.query
       });
     }
   });

backend/src/ee/routes/v1/secret-rotation-provider-router.ts

@@ -23,7 +23,8 @@ export const registerSecretRotationProviderRouter = async (server: FastifyZodPro
               title: z.string(),
               image: z.string().optional(),
               description: z.string().optional(),
-              template: z.any()
+              template: z.any(),
+              isDeprecated: z.boolean().optional()
             })
             .array()
         })

backend/src/ee/routes/v1/secret-rotation-router.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { SecretRotationOutputsSchema, SecretRotationsSchema } from "@app/db/schemas";
-import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -41,10 +40,16 @@ export const registerSecretRotationRouter = async (server: FastifyZodProvider) =
       }
     },
     onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async () => {
-      throw new BadRequestError({
-        message: `This version of Secret Rotations has been deprecated. Please see docs for new version.`
+    handler: async (req) => {
+      const secretRotation = await server.services.secretRotation.createRotation({
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        projectId: req.body.workspaceId
       });
+      return { secretRotation };
     }
   });
 

backend/src/ee/routes/v1/ssh-certificate-authority-router.ts

@@ -1,14 +1,15 @@
 import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { normalizeSshPrivateKey } from "@app/ee/services/ssh/ssh-certificate-authority-fns";
 import { sanitizedSshCa } from "@app/ee/services/ssh/ssh-certificate-authority-schema";
-import { SshCaStatus } from "@app/ee/services/ssh/ssh-certificate-authority-types";
+import { SshCaKeySource, SshCaStatus } from "@app/ee/services/ssh/ssh-certificate-authority-types";
+import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
 import { sanitizedSshCertificateTemplate } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-schema";
 import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 
 export const registerSshCaRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -20,14 +21,34 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
       description: "Create SSH CA",
-      body: z.object({
-        projectId: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.projectId),
-        friendlyName: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.friendlyName),
-        keyAlgorithm: z
-          .nativeEnum(CertKeyAlgorithm)
-          .default(CertKeyAlgorithm.RSA_2048)
-          .describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.keyAlgorithm)
-      }),
+      body: z
+        .object({
+          projectId: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.projectId),
+          friendlyName: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.friendlyName),
+          keyAlgorithm: z
+            .nativeEnum(SshCertKeyAlgorithm)
+            .default(SshCertKeyAlgorithm.ED25519)
+            .describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.keyAlgorithm),
+          publicKey: z.string().trim().optional().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.publicKey),
+          privateKey: z
+            .string()
+            .trim()
+            .optional()
+            .transform((val) => (val ? normalizeSshPrivateKey(val) : undefined))
+            .describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.privateKey),
+          keySource: z
+            .nativeEnum(SshCaKeySource)
+            .default(SshCaKeySource.INTERNAL)
+            .describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.keySource)
+        })
+        .refine((data) => data.keySource === SshCaKeySource.INTERNAL || (!!data.publicKey && !!data.privateKey), {
+          message: "publicKey and privateKey are required when keySource is external",
+          path: ["publicKey"]
+        })
+        .refine((data) => data.keySource === SshCaKeySource.EXTERNAL || !!data.keyAlgorithm, {
+          message: "keyAlgorithm is required when keySource is internal",
+          path: ["keyAlgorithm"]
+        }),
       response: {
         200: z.object({
           ca: sanitizedSshCa.extend({

backend/src/ee/routes/v1/ssh-certificate-router.ts

@@ -2,13 +2,13 @@ import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
+import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
 import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 export const registerSshCertRouter = async (server: FastifyZodProvider) => {
@@ -108,8 +108,8 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
           .min(1)
           .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.certificateTemplateId),
         keyAlgorithm: z
-          .nativeEnum(CertKeyAlgorithm)
-          .default(CertKeyAlgorithm.RSA_2048)
+          .nativeEnum(SshCertKeyAlgorithm)
+          .default(SshCertKeyAlgorithm.ED25519)
           .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.keyAlgorithm),
         certType: z
           .nativeEnum(SshCertType)
@@ -133,7 +133,7 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
           privateKey: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.privateKey),
           publicKey: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.publicKey),
           keyAlgorithm: z
-            .nativeEnum(CertKeyAlgorithm)
+            .nativeEnum(SshCertKeyAlgorithm)
             .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.keyAlgorithm)
         })
       }

backend/src/ee/routes/v1/ssh-certificate-template-router.ts

@@ -92,8 +92,8 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
           allowHostCertificates: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowHostCertificates),
           allowCustomKeyIds: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowCustomKeyIds)
         })
-        .refine((data) => ms(data.maxTTL) > ms(data.ttl), {
-          message: "Max TLL must be greater than TTL",
+        .refine((data) => ms(data.maxTTL) >= ms(data.ttl), {
+          message: "Max TLL must be greater than or equal to TTL",
           path: ["maxTTL"]
         }),
       response: {

backend/src/ee/routes/v1/ssh-host-router.ts

@@ -0,0 +1,444 @@
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
+import { loginMappingSchema, sanitizedSshHost } from "@app/ee/services/ssh-host/ssh-host-schema";
+import { isValidHostname } from "@app/ee/services/ssh-host/ssh-host-validators";
+import { SSH_HOSTS } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
+import { publicSshCaLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
+
+export const registerSshHostRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.array(
+          sanitizedSshHost.extend({
+            loginMappings: z.array(loginMappingSchema)
+          })
+        )
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const hosts = await server.services.sshHost.listSshHosts({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return hosts;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:sshHostId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        sshHostId: z.string().describe(SSH_HOSTS.GET.sshHostId)
+      }),
+      response: {
+        200: sanitizedSshHost.extend({
+          loginMappings: z.array(loginMappingSchema)
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const host = await server.services.sshHost.getSshHost({
+        sshHostId: req.params.sshHostId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: host.projectId,
+        event: {
+          type: EventType.GET_SSH_HOST,
+          metadata: {
+            sshHostId: host.id,
+            hostname: host.hostname
+          }
+        }
+      });
+
+      return host;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Add an SSH Host",
+      body: z.object({
+        projectId: z.string().describe(SSH_HOSTS.CREATE.projectId),
+        hostname: z
+          .string()
+          .min(1)
+          .refine((v) => isValidHostname(v), {
+            message: "Hostname must be a valid hostname"
+          })
+          .describe(SSH_HOSTS.CREATE.hostname),
+        userCertTtl: z
+          .string()
+          .refine((val) => ms(val) > 0, "TTL must be a positive number")
+          .default("8h")
+          .describe(SSH_HOSTS.CREATE.userCertTtl),
+        hostCertTtl: z
+          .string()
+          .refine((val) => ms(val) > 0, "TTL must be a positive number")
+          .default("1y")
+          .describe(SSH_HOSTS.CREATE.hostCertTtl),
+        loginMappings: z.array(loginMappingSchema).default([]).describe(SSH_HOSTS.CREATE.loginMappings),
+        userSshCaId: z.string().describe(SSH_HOSTS.CREATE.userSshCaId).optional(),
+        hostSshCaId: z.string().describe(SSH_HOSTS.CREATE.hostSshCaId).optional()
+      }),
+      response: {
+        200: sanitizedSshHost.extend({
+          loginMappings: z.array(loginMappingSchema)
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const host = await server.services.sshHost.createSshHost({
+        ...req.body,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: host.projectId,
+        event: {
+          type: EventType.CREATE_SSH_HOST,
+          metadata: {
+            sshHostId: host.id,
+            hostname: host.hostname,
+            userCertTtl: host.userCertTtl,
+            hostCertTtl: host.hostCertTtl,
+            loginMappings: host.loginMappings,
+            userSshCaId: host.userSshCaId,
+            hostSshCaId: host.hostSshCaId
+          }
+        }
+      });
+
+      return host;
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:sshHostId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Update SSH Host",
+      params: z.object({
+        sshHostId: z.string().trim().describe(SSH_HOSTS.UPDATE.sshHostId)
+      }),
+      body: z.object({
+        hostname: z
+          .string()
+          .min(1)
+          .refine((v) => isValidHostname(v), {
+            message: "Hostname must be a valid hostname"
+          })
+          .optional()
+          .describe(SSH_HOSTS.UPDATE.hostname),
+        userCertTtl: z
+          .string()
+          .refine((val) => ms(val) > 0, "TTL must be a positive number")
+          .optional()
+          .describe(SSH_HOSTS.UPDATE.userCertTtl),
+        hostCertTtl: z
+          .string()
+          .refine((val) => ms(val) > 0, "TTL must be a positive number")
+          .optional()
+          .describe(SSH_HOSTS.UPDATE.hostCertTtl),
+        loginMappings: z.array(loginMappingSchema).optional().describe(SSH_HOSTS.UPDATE.loginMappings)
+      }),
+      response: {
+        200: sanitizedSshHost.extend({
+          loginMappings: z.array(loginMappingSchema)
+        })
+      }
+    },
+    handler: async (req) => {
+      const host = await server.services.sshHost.updateSshHost({
+        sshHostId: req.params.sshHostId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: host.projectId,
+        event: {
+          type: EventType.UPDATE_SSH_HOST,
+          metadata: {
+            sshHostId: host.id,
+            hostname: host.hostname,
+            userCertTtl: host.userCertTtl,
+            hostCertTtl: host.hostCertTtl,
+            loginMappings: host.loginMappings,
+            userSshCaId: host.userSshCaId,
+            hostSshCaId: host.hostSshCaId
+          }
+        }
+      });
+
+      return host;
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:sshHostId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        sshHostId: z.string().describe(SSH_HOSTS.DELETE.sshHostId)
+      }),
+      response: {
+        200: sanitizedSshHost.extend({
+          loginMappings: z.array(loginMappingSchema)
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const host = await server.services.sshHost.deleteSshHost({
+        sshHostId: req.params.sshHostId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: host.projectId,
+        event: {
+          type: EventType.DELETE_SSH_HOST,
+          metadata: {
+            sshHostId: host.id,
+            hostname: host.hostname
+          }
+        }
+      });
+
+      return host;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:sshHostId/issue-user-cert",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      description: "Issue SSH certificate for user",
+      params: z.object({
+        sshHostId: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.sshHostId)
+      }),
+      body: z.object({
+        loginUser: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.loginUser)
+      }),
+      response: {
+        200: z.object({
+          serialNumber: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.serialNumber),
+          signedKey: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.signedKey),
+          privateKey: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.privateKey),
+          publicKey: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.publicKey),
+          keyAlgorithm: z.nativeEnum(SshCertKeyAlgorithm).describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.keyAlgorithm)
+        })
+      }
+    },
+    handler: async (req) => {
+      const { serialNumber, signedPublicKey, privateKey, publicKey, keyAlgorithm, host, principals } =
+        await server.services.sshHost.issueSshHostUserCert({
+          sshHostId: req.params.sshHostId,
+          loginUser: req.body.loginUser,
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId
+        });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.ISSUE_SSH_HOST_USER_CERT,
+          metadata: {
+            sshHostId: req.params.sshHostId,
+            hostname: host.hostname,
+            loginUser: req.body.loginUser,
+            principals,
+            ttl: host.userCertTtl
+          }
+        }
+      });
+
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.IssueSshHostUserCert,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          sshHostId: req.params.sshHostId,
+          hostname: host.hostname,
+          principals,
+          ...req.auditLogInfo
+        }
+      });
+
+      return {
+        serialNumber,
+        signedKey: signedPublicKey,
+        privateKey,
+        publicKey,
+        keyAlgorithm
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:sshHostId/issue-host-cert",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Issue SSH certificate for host",
+      params: z.object({
+        sshHostId: z.string().describe(SSH_HOSTS.ISSUE_HOST_CERT.sshHostId)
+      }),
+      body: z.object({
+        publicKey: z.string().describe(SSH_HOSTS.ISSUE_HOST_CERT.publicKey)
+      }),
+      response: {
+        200: z.object({
+          serialNumber: z.string().describe(SSH_HOSTS.ISSUE_HOST_CERT.serialNumber),
+          signedKey: z.string().describe(SSH_HOSTS.ISSUE_HOST_CERT.signedKey)
+        })
+      }
+    },
+    handler: async (req) => {
+      const { host, principals, serialNumber, signedPublicKey } = await server.services.sshHost.issueSshHostHostCert({
+        sshHostId: req.params.sshHostId,
+        publicKey: req.body.publicKey,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.ISSUE_SSH_HOST_HOST_CERT,
+          metadata: {
+            sshHostId: req.params.sshHostId,
+            hostname: host.hostname,
+            principals,
+            serialNumber,
+            ttl: host.hostCertTtl
+          }
+        }
+      });
+
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.IssueSshHostHostCert,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          sshHostId: req.params.sshHostId,
+          hostname: host.hostname,
+          principals,
+          ...req.auditLogInfo
+        }
+      });
+
+      return {
+        serialNumber,
+        signedKey: signedPublicKey
+      };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:sshHostId/user-ca-public-key",
+    config: {
+      rateLimit: publicSshCaLimit
+    },
+    schema: {
+      description: "Get public key of the user SSH CA linked to the host",
+      params: z.object({
+        sshHostId: z.string().trim().describe(SSH_HOSTS.GET_USER_CA_PUBLIC_KEY.sshHostId)
+      }),
+      response: {
+        200: z.string().describe(SSH_HOSTS.GET_USER_CA_PUBLIC_KEY.publicKey)
+      }
+    },
+    handler: async (req) => {
+      const publicKey = await server.services.sshHost.getSshHostUserCaPk(req.params.sshHostId);
+      return publicKey;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:sshHostId/host-ca-public-key",
+    config: {
+      rateLimit: publicSshCaLimit
+    },
+    schema: {
+      description: "Get public key of the host SSH CA linked to the host",
+      params: z.object({
+        sshHostId: z.string().trim().describe(SSH_HOSTS.GET_HOST_CA_PUBLIC_KEY.sshHostId)
+      }),
+      response: {
+        200: z.string().describe(SSH_HOSTS.GET_HOST_CA_PUBLIC_KEY.publicKey)
+      }
+    },
+    handler: async (req) => {
+      const publicKey = await server.services.sshHost.getSshHostHostCaPk(req.params.sshHostId);
+      return publicKey;
+    }
+  });
+};

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -94,7 +94,8 @@ export const accessApprovalRequestServiceFactory = ({
     actor,
     actorOrgId,
     actorAuthMethod,
-    projectSlug
+    projectSlug,
+    note
   }: TCreateAccessApprovalRequestDTO) => {
     const cfg = getConfig();
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
@@ -209,7 +210,8 @@ export const accessApprovalRequestServiceFactory = ({
           requestedByUserId: actorId,
           temporaryRange: temporaryRange || null,
           permissions: JSON.stringify(requestedPermissions),
-          isTemporary
+          isTemporary,
+          note: note || null
         },
         tx
       );
@@ -232,7 +234,8 @@ export const accessApprovalRequestServiceFactory = ({
             secretPath,
             environment: envSlug,
             permissions: accessTypes,
-            approvalUrl
+            approvalUrl,
+            note
           }
         }
       });
@@ -252,7 +255,8 @@ export const accessApprovalRequestServiceFactory = ({
           secretPath,
           environment: envSlug,
           permissions: accessTypes,
-          approvalUrl
+          approvalUrl,
+          note
         },
         template: SmtpTemplates.AccessApprovalRequest
       });

backend/src/ee/services/access-approval-request/access-approval-request-types.ts

@@ -24,6 +24,7 @@ export type TCreateAccessApprovalRequestDTO = {
   permissions: unknown;
   isTemporary: boolean;
   temporaryRange?: string;
+  note?: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TListApprovalRequestsDTO = {

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -10,8 +10,10 @@ import {
   TUpdateSecretRotationV2DTO
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
 import { SshCaStatus, SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
+import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
 import { SshCertTemplateStatus } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-types";
-import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { SymmetricKeyAlgorithm } from "@app/lib/crypto/cipher";
+import { AsymmetricKeyAlgorithm, SigningAlgorithm } from "@app/lib/crypto/sign/types";
 import { TProjectPermission } from "@app/lib/types";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { TCreateAppConnectionDTO, TUpdateAppConnectionDTO } from "@app/services/app-connection/app-connection-types";
@@ -189,6 +191,12 @@ export enum EventType {
   UPDATE_SSH_CERTIFICATE_TEMPLATE = "update-ssh-certificate-template",
   DELETE_SSH_CERTIFICATE_TEMPLATE = "delete-ssh-certificate-template",
   GET_SSH_CERTIFICATE_TEMPLATE = "get-ssh-certificate-template",
+  CREATE_SSH_HOST = "create-ssh-host",
+  UPDATE_SSH_HOST = "update-ssh-host",
+  DELETE_SSH_HOST = "delete-ssh-host",
+  GET_SSH_HOST = "get-ssh-host",
+  ISSUE_SSH_HOST_USER_CERT = "issue-ssh-host-user-cert",
+  ISSUE_SSH_HOST_HOST_CERT = "issue-ssh-host-host-cert",
   CREATE_CA = "create-certificate-authority",
   GET_CA = "get-certificate-authority",
   UPDATE_CA = "update-certificate-authority",
@@ -248,6 +256,11 @@ export enum EventType {
   GET_CMEK = "get-cmek",
   CMEK_ENCRYPT = "cmek-encrypt",
   CMEK_DECRYPT = "cmek-decrypt",
+  CMEK_SIGN = "cmek-sign",
+  CMEK_VERIFY = "cmek-verify",
+  CMEK_LIST_SIGNING_ALGORITHMS = "cmek-list-signing-algorithms",
+  CMEK_GET_PUBLIC_KEY = "cmek-get-public-key",
+
   UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "update-external-group-org-role-mapping",
   GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "get-external-group-org-role-mapping",
   GET_PROJECT_TEMPLATES = "get-project-templates",
@@ -1377,7 +1390,7 @@ interface IssueSshCreds {
   type: EventType.ISSUE_SSH_CREDS;
   metadata: {
     certificateTemplateId: string;
-    keyAlgorithm: CertKeyAlgorithm;
+    keyAlgorithm: SshCertKeyAlgorithm;
     certType: SshCertType;
     principals: string[];
     ttl: string;
@@ -1473,6 +1486,80 @@ interface DeleteSshCertificateTemplate {
   };
 }
 
+interface CreateSshHost {
+  type: EventType.CREATE_SSH_HOST;
+  metadata: {
+    sshHostId: string;
+    hostname: string;
+    userCertTtl: string;
+    hostCertTtl: string;
+    loginMappings: {
+      loginUser: string;
+      allowedPrincipals: {
+        usernames: string[];
+      };
+    }[];
+    userSshCaId: string;
+    hostSshCaId: string;
+  };
+}
+
+interface UpdateSshHost {
+  type: EventType.UPDATE_SSH_HOST;
+  metadata: {
+    sshHostId: string;
+    hostname?: string;
+    userCertTtl?: string;
+    hostCertTtl?: string;
+    loginMappings?: {
+      loginUser: string;
+      allowedPrincipals: {
+        usernames: string[];
+      };
+    }[];
+    userSshCaId?: string;
+    hostSshCaId?: string;
+  };
+}
+
+interface DeleteSshHost {
+  type: EventType.DELETE_SSH_HOST;
+  metadata: {
+    sshHostId: string;
+    hostname: string;
+  };
+}
+
+interface GetSshHost {
+  type: EventType.GET_SSH_HOST;
+  metadata: {
+    sshHostId: string;
+    hostname: string;
+  };
+}
+
+interface IssueSshHostUserCert {
+  type: EventType.ISSUE_SSH_HOST_USER_CERT;
+  metadata: {
+    sshHostId: string;
+    hostname: string;
+    loginUser: string;
+    principals: string[];
+    ttl: string;
+  };
+}
+
+interface IssueSshHostHostCert {
+  type: EventType.ISSUE_SSH_HOST_HOST_CERT;
+  metadata: {
+    sshHostId: string;
+    hostname: string;
+    serialNumber: string;
+    principals: string[];
+    ttl: string;
+  };
+}
+
 interface CreateCa {
   type: EventType.CREATE_CA;
   metadata: {
@@ -1916,7 +2003,7 @@ interface CreateCmekEvent {
     keyId: string;
     name: string;
     description?: string;
-    encryptionAlgorithm: SymmetricEncryption;
+    encryptionAlgorithm: SymmetricKeyAlgorithm | AsymmetricKeyAlgorithm;
   };
 }
 
@@ -1964,6 +2051,39 @@ interface CmekDecryptEvent {
   };
 }
 
+interface CmekSignEvent {
+  type: EventType.CMEK_SIGN;
+  metadata: {
+    keyId: string;
+    signingAlgorithm: SigningAlgorithm;
+    signature: string;
+  };
+}
+
+interface CmekVerifyEvent {
+  type: EventType.CMEK_VERIFY;
+  metadata: {
+    keyId: string;
+    signingAlgorithm: SigningAlgorithm;
+    signature: string;
+    signatureValid: boolean;
+  };
+}
+
+interface CmekListSigningAlgorithmsEvent {
+  type: EventType.CMEK_LIST_SIGNING_ALGORITHMS;
+  metadata: {
+    keyId: string;
+  };
+}
+
+interface CmekGetPublicKeyEvent {
+  type: EventType.CMEK_GET_PUBLIC_KEY;
+  metadata: {
+    keyId: string;
+  };
+}
+
 interface GetExternalGroupOrgRoleMappingsEvent {
   type: EventType.GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS;
   metadata?: Record<string, never>; // not needed, based off orgId
@@ -2493,6 +2613,12 @@ export type Event =
   | UpdateSshCertificateTemplate
   | GetSshCertificateTemplate
   | DeleteSshCertificateTemplate
+  | CreateSshHost
+  | UpdateSshHost
+  | DeleteSshHost
+  | GetSshHost
+  | IssueSshHostUserCert
+  | IssueSshHostHostCert
   | CreateCa
   | GetCa
   | UpdateCa
@@ -2552,6 +2678,10 @@ export type Event =
   | GetCmeksEvent
   | CmekEncryptEvent
   | CmekDecryptEvent
+  | CmekSignEvent
+  | CmekVerifyEvent
+  | CmekListSigningAlgorithmsEvent
+  | CmekGetPublicKeyEvent
   | GetExternalGroupOrgRoleMappingsEvent
   | UpdateExternalGroupOrgRoleMappingsEvent
   | GetProjectTemplatesEvent

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -78,10 +78,6 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
-    );
 
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan?.dynamicSecret) {
@@ -102,6 +98,15 @@ export const dynamicSecretLeaseServiceFactory = ({
         message: `Dynamic secret with name '${name}' in folder with path '${path}' not found`
       });
 
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, {
+        environment: environmentSlug,
+        secretPath: path,
+        metadata: dynamicSecretCfg.metadata
+      })
+    );
+
     const totalLeasesTaken = await dynamicSecretLeaseDAL.countLeasesForDynamicSecret(dynamicSecretCfg.id);
     if (totalLeasesTaken >= appCfg.MAX_LEASE_LIMIT)
       throw new BadRequestError({ message: `Max lease limit reached. Limit: ${appCfg.MAX_LEASE_LIMIT}` });
@@ -159,10 +164,6 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
-    );
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.SecretManager,
@@ -187,7 +188,25 @@ export const dynamicSecretLeaseServiceFactory = ({
       throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });
     }
 
-    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
+    const dynamicSecretCfg = await dynamicSecretDAL.findOne({
+      id: dynamicSecretLease.dynamicSecretId,
+      folderId: folder.id
+    });
+
+    if (!dynamicSecretCfg)
+      throw new NotFoundError({
+        message: `Dynamic secret with ID '${dynamicSecretLease.dynamicSecretId}' not found`
+      });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, {
+        environment: environmentSlug,
+        secretPath: path,
+        metadata: dynamicSecretCfg.metadata
+      })
+    );
+
     const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
     const decryptedStoredInput = JSON.parse(
       secretManagerDecryptor({ cipherTextBlob: Buffer.from(dynamicSecretCfg.encryptedInput) }).toString()
@@ -239,10 +258,6 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
-    );
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.SecretManager,
@@ -259,7 +274,25 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!dynamicSecretLease || dynamicSecretLease.dynamicSecret.folderId !== folder.id)
       throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });
 
-    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
+    const dynamicSecretCfg = await dynamicSecretDAL.findOne({
+      id: dynamicSecretLease.dynamicSecretId,
+      folderId: folder.id
+    });
+
+    if (!dynamicSecretCfg)
+      throw new NotFoundError({
+        message: `Dynamic secret with ID '${dynamicSecretLease.dynamicSecretId}' not found`
+      });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, {
+        environment: environmentSlug,
+        secretPath: path,
+        metadata: dynamicSecretCfg.metadata
+      })
+    );
+
     const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
     const decryptedStoredInput = JSON.parse(
       secretManagerDecryptor({ cipherTextBlob: Buffer.from(dynamicSecretCfg.encryptedInput) }).toString()
@@ -309,10 +342,6 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
-    );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
     if (!folder)
@@ -326,6 +355,15 @@ export const dynamicSecretLeaseServiceFactory = ({
         message: `Dynamic secret with name '${name}' in folder with path '${path}' not found`
       });
 
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, {
+        environment: environmentSlug,
+        secretPath: path,
+        metadata: dynamicSecretCfg.metadata
+      })
+    );
+
     const dynamicSecretLeases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
     return dynamicSecretLeases;
   };
@@ -352,10 +390,6 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
-    );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
     if (!folder) throw new NotFoundError({ message: `Folder with path '${path}' not found` });
@@ -364,6 +398,25 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!dynamicSecretLease)
       throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });
 
+    const dynamicSecretCfg = await dynamicSecretDAL.findOne({
+      id: dynamicSecretLease.dynamicSecretId,
+      folderId: folder.id
+    });
+
+    if (!dynamicSecretCfg)
+      throw new NotFoundError({
+        message: `Dynamic secret with ID '${dynamicSecretLease.dynamicSecretId}' not found`
+      });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.Lease,
+      subject(ProjectPermissionSub.DynamicSecrets, {
+        environment: environmentSlug,
+        secretPath: path,
+        metadata: dynamicSecretCfg.metadata
+      })
+    );
+
     return dynamicSecretLease;
   };
 

backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts

@@ -1,9 +1,17 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
+import { TableName, TDynamicSecrets } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
+import {
+  buildFindFilter,
+  ormify,
+  prependTableNameToFindFilter,
+  selectAllTableCols,
+  sqlNestRelationships,
+  TFindFilter,
+  TFindOpt
+} from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
@@ -12,6 +20,86 @@ export type TDynamicSecretDALFactory = ReturnType<typeof dynamicSecretDALFactory
 export const dynamicSecretDALFactory = (db: TDbClient) => {
   const orm = ormify(db, TableName.DynamicSecret);
 
+  const findOne = async (filter: TFindFilter<TDynamicSecrets>, tx?: Knex) => {
+    const query = (tx || db.replicaNode())(TableName.DynamicSecret)
+      .leftJoin(
+        TableName.ResourceMetadata,
+        `${TableName.ResourceMetadata}.dynamicSecretId`,
+        `${TableName.DynamicSecret}.id`
+      )
+      .select(selectAllTableCols(TableName.DynamicSecret))
+      .select(
+        db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
+        db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
+        db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
+      )
+      .where(prependTableNameToFindFilter(TableName.DynamicSecret, filter));
+
+    const docs = sqlNestRelationships({
+      data: await query,
+      key: "id",
+      parentMapper: (el) => el,
+      childrenMapper: [
+        {
+          key: "metadataId",
+          label: "metadata" as const,
+          mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+            id: metadataId,
+            key: metadataKey,
+            value: metadataValue
+          })
+        }
+      ]
+    });
+
+    return docs[0];
+  };
+
+  const findWithMetadata = async (
+    filter: TFindFilter<TDynamicSecrets>,
+    { offset, limit, sort, tx }: TFindOpt<TDynamicSecrets> = {}
+  ) => {
+    const query = (tx || db.replicaNode())(TableName.DynamicSecret)
+      .leftJoin(
+        TableName.ResourceMetadata,
+        `${TableName.ResourceMetadata}.dynamicSecretId`,
+        `${TableName.DynamicSecret}.id`
+      )
+      .select(selectAllTableCols(TableName.DynamicSecret))
+      .select(
+        db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
+        db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
+        db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
+      )
+      // eslint-disable-next-line @typescript-eslint/no-misused-promises
+      .where(buildFindFilter(filter));
+
+    if (limit) void query.limit(limit);
+    if (offset) void query.offset(offset);
+    if (sort) {
+      void query.orderBy(sort.map(([column, order, nulls]) => ({ column: column as string, order, nulls })));
+    }
+
+    const docs = sqlNestRelationships({
+      data: await query,
+      key: "id",
+      parentMapper: (el) => el,
+      childrenMapper: [
+        {
+          key: "metadataId",
+          label: "metadata" as const,
+          mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+            id: metadataId,
+            key: metadataKey,
+            value: metadataValue
+          })
+        }
+      ]
+    });
+
+    return docs;
+  };
+
   // find dynamic secrets for multiple environments (folder IDs are cross env, thus need to rank for pagination)
   const listDynamicSecretsByFolderIds = async (
     {
@@ -39,18 +127,27 @@ export const dynamicSecretDALFactory = (db: TDbClient) => {
             void bd.whereILike(`${TableName.DynamicSecret}.name`, `%${search}%`);
           }
         })
+        .leftJoin(
+          TableName.ResourceMetadata,
+          `${TableName.ResourceMetadata}.dynamicSecretId`,
+          `${TableName.DynamicSecret}.id`
+        )
         .leftJoin(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.DynamicSecret}.folderId`)
         .leftJoin(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
         .select(
           selectAllTableCols(TableName.DynamicSecret),
           db.ref("slug").withSchema(TableName.Environment).as("environment"),
-          db.raw(`DENSE_RANK() OVER (ORDER BY ${TableName.DynamicSecret}."name" ${orderDirection}) as rank`)
+          db.raw(`DENSE_RANK() OVER (ORDER BY ${TableName.DynamicSecret}."name" ${orderDirection}) as rank`),
+          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
         )
         .orderBy(`${TableName.DynamicSecret}.${orderBy}`, orderDirection);
 
+      let queryWithLimit;
       if (limit) {
         const rankOffset = offset + 1;
-        return await (tx || db)
+        queryWithLimit = (tx || db.replicaNode())
           .with("w", query)
           .select("*")
           .from<Awaited<typeof query>[number]>("w")
@@ -58,7 +155,22 @@ export const dynamicSecretDALFactory = (db: TDbClient) => {
           .andWhere("w.rank", "<", rankOffset + limit);
       }
 
-      const dynamicSecrets = await query;
+      const dynamicSecrets = sqlNestRelationships({
+        data: await (queryWithLimit || query),
+        key: "id",
+        parentMapper: (el) => el,
+        childrenMapper: [
+          {
+            key: "metadataId",
+            label: "metadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
+          }
+        ]
+      });
 
       return dynamicSecrets;
     } catch (error) {
@@ -66,5 +178,5 @@ export const dynamicSecretDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...orm, listDynamicSecretsByFolderIds };
+  return { ...orm, listDynamicSecretsByFolderIds, findOne, findWithMetadata };
 };

backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts

@@ -42,7 +42,7 @@ export const verifyHostInputValidity = async (host: string, isGateway = false) =
     inputHostIps.push(...resolvedIps);
   }
 
-  if (!isGateway && !appCfg.DYNAMIC_SECRET_ALLOW_INTERNAL_IP) {
+  if (!isGateway && !(appCfg.DYNAMIC_SECRET_ALLOW_INTERNAL_IP || appCfg.ALLOW_INTERNAL_IP_CONNECTIONS)) {
     const isInternalIp = inputHostIps.some((el) => isPrivateIp(el));
     if (isInternalIp) throw new BadRequestError({ message: "Invalid db host" });
   }

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -12,6 +12,7 @@ import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 
 import { TDynamicSecretLeaseDALFactory } from "../dynamic-secret-lease/dynamic-secret-lease-dal";
@@ -46,6 +47,7 @@ type TDynamicSecretServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
   projectGatewayDAL: Pick<TProjectGatewayDALFactory, "findOne">;
+  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
 export type TDynamicSecretServiceFactory = ReturnType<typeof dynamicSecretServiceFactory>;
@@ -60,7 +62,8 @@ export const dynamicSecretServiceFactory = ({
   dynamicSecretQueueService,
   projectDAL,
   kmsService,
-  projectGatewayDAL
+  projectGatewayDAL,
+  resourceMetadataDAL
 }: TDynamicSecretServiceFactoryDep) => {
   const create = async ({
     path,
@@ -73,7 +76,8 @@ export const dynamicSecretServiceFactory = ({
     projectSlug,
     actorOrgId,
     defaultTTL,
-    actorAuthMethod
+    actorAuthMethod,
+    metadata
   }: TCreateDynamicSecretDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -87,9 +91,10 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
+
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.CreateRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path, metadata })
     );
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -131,16 +136,36 @@ export const dynamicSecretServiceFactory = ({
       projectId
     });
 
-    const dynamicSecretCfg = await dynamicSecretDAL.create({
-      type: provider.type,
-      version: 1,
-      encryptedInput: secretManagerEncryptor({ plainText: Buffer.from(JSON.stringify(inputs)) }).cipherTextBlob,
-      maxTTL,
-      defaultTTL,
-      folderId: folder.id,
-      name,
-      projectGatewayId: selectedGatewayId
+    const dynamicSecretCfg = await dynamicSecretDAL.transaction(async (tx) => {
+      const cfg = await dynamicSecretDAL.create(
+        {
+          type: provider.type,
+          version: 1,
+          encryptedInput: secretManagerEncryptor({ plainText: Buffer.from(JSON.stringify(inputs)) }).cipherTextBlob,
+          maxTTL,
+          defaultTTL,
+          folderId: folder.id,
+          name,
+          projectGatewayId: selectedGatewayId
+        },
+        tx
+      );
+
+      if (metadata) {
+        await resourceMetadataDAL.insertMany(
+          metadata.map(({ key, value }) => ({
+            key,
+            value,
+            dynamicSecretId: cfg.id,
+            orgId: actorOrgId
+          })),
+          tx
+        );
+      }
+
+      return cfg;
     });
+
     return dynamicSecretCfg;
   };
 
@@ -156,7 +181,8 @@ export const dynamicSecretServiceFactory = ({
     actorId,
     newName,
     actorOrgId,
-    actorAuthMethod
+    actorAuthMethod,
+    metadata
   }: TUpdateDynamicSecretDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -171,10 +197,6 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.EditRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
-    );
 
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan?.dynamicSecret) {
@@ -193,6 +215,27 @@ export const dynamicSecretServiceFactory = ({
         message: `Dynamic secret with name '${name}' in folder '${folder.path}' not found`
       });
     }
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.EditRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, {
+        environment: environmentSlug,
+        secretPath: path,
+        metadata: dynamicSecretCfg.metadata
+      })
+    );
+
+    if (metadata) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionDynamicSecretActions.EditRootCredential,
+        subject(ProjectPermissionSub.DynamicSecrets, {
+          environment: environmentSlug,
+          secretPath: path,
+          metadata
+        })
+      );
+    }
+
     if (newName) {
       const existingDynamicSecret = await dynamicSecretDAL.findOne({ name: newName, folderId: folder.id });
       if (existingDynamicSecret)
@@ -231,14 +274,41 @@ export const dynamicSecretServiceFactory = ({
     const isConnected = await selectedProvider.validateConnection(newInput);
     if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });
 
-    const updatedDynamicCfg = await dynamicSecretDAL.updateById(dynamicSecretCfg.id, {
-      encryptedInput: secretManagerEncryptor({ plainText: Buffer.from(JSON.stringify(updatedInput)) }).cipherTextBlob,
-      maxTTL,
-      defaultTTL,
-      name: newName ?? name,
-      status: null,
-      statusDetails: null,
-      projectGatewayId: selectedGatewayId
+    const updatedDynamicCfg = await dynamicSecretDAL.transaction(async (tx) => {
+      const cfg = await dynamicSecretDAL.updateById(
+        dynamicSecretCfg.id,
+        {
+          encryptedInput: secretManagerEncryptor({ plainText: Buffer.from(JSON.stringify(updatedInput)) })
+            .cipherTextBlob,
+          maxTTL,
+          defaultTTL,
+          name: newName ?? name,
+          status: null,
+          projectGatewayId: selectedGatewayId
+        },
+        tx
+      );
+
+      if (metadata) {
+        await resourceMetadataDAL.delete(
+          {
+            dynamicSecretId: cfg.id
+          },
+          tx
+        );
+
+        await resourceMetadataDAL.insertMany(
+          metadata.map(({ key, value }) => ({
+            key,
+            value,
+            dynamicSecretId: cfg.id,
+            orgId: actorOrgId
+          })),
+          tx
+        );
+      }
+
+      return cfg;
     });
 
     return updatedDynamicCfg;
@@ -268,10 +338,6 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
-    );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
     if (!folder)
@@ -282,6 +348,15 @@ export const dynamicSecretServiceFactory = ({
       throw new NotFoundError({ message: `Dynamic secret with name '${name}' in folder '${folder.path}' not found` });
     }
 
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, {
+        environment: environmentSlug,
+        secretPath: path,
+        metadata: dynamicSecretCfg.metadata
+      })
+    );
+
     const leases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
     // when not forced we check with the external system to first remove the things
     // we introduce a forced concept because consider the external lease got deleted by some other external like a human or another system
@@ -329,14 +404,6 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.ReadRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.EditRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
-    );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
     if (!folder)
@@ -346,6 +413,25 @@ export const dynamicSecretServiceFactory = ({
     if (!dynamicSecretCfg) {
       throw new NotFoundError({ message: `Dynamic secret with name '${name} in folder '${path}' not found` });
     }
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.ReadRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, {
+        environment: environmentSlug,
+        secretPath: path,
+        metadata: dynamicSecretCfg.metadata
+      })
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionDynamicSecretActions.EditRootCredential,
+      subject(ProjectPermissionSub.DynamicSecrets, {
+        environment: environmentSlug,
+        secretPath: path,
+        metadata: dynamicSecretCfg.metadata
+      })
+    );
+
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.SecretManager,
       projectId
@@ -356,6 +442,7 @@ export const dynamicSecretServiceFactory = ({
     ) as object;
     const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
     const providerInputs = (await selectedProvider.validateProviderInputs(decryptedStoredInput)) as object;
+
     return { ...dynamicSecretCfg, inputs: providerInputs };
   };
 
@@ -426,7 +513,7 @@ export const dynamicSecretServiceFactory = ({
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionSub.DynamicSecrets
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -473,16 +560,12 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.ReadRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
-    );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
     if (!folder)
       throw new NotFoundError({ message: `Folder with path '${path}' in environment '${environmentSlug}' not found` });
 
-    const dynamicSecretCfg = await dynamicSecretDAL.find(
+    const dynamicSecretCfg = await dynamicSecretDAL.findWithMetadata(
       { folderId: folder.id, $search: search ? { name: `%${search}%` } : undefined },
       {
         limit,
@@ -490,7 +573,17 @@ export const dynamicSecretServiceFactory = ({
         sort: orderBy ? [[orderBy, orderDirection]] : undefined
       }
     );
-    return dynamicSecretCfg;
+
+    return dynamicSecretCfg.filter((dynamicSecret) => {
+      return permission.can(
+        ProjectPermissionDynamicSecretActions.ReadRootCredential,
+        subject(ProjectPermissionSub.DynamicSecrets, {
+          environment: environmentSlug,
+          secretPath: path,
+          metadata: dynamicSecret.metadata
+        })
+      );
+    });
   };
 
   const listDynamicSecretsByFolderIds = async (
@@ -542,24 +635,14 @@ export const dynamicSecretServiceFactory = ({
     isInternal,
     ...params
   }: TListDynamicSecretsMultiEnvDTO) => {
-    if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission({
-        actor,
-        actorId,
-        projectId,
-        actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
-      });
-
-      // verify user has access to each env in request
-      environmentSlugs.forEach((environmentSlug) =>
-        ForbiddenError.from(permission).throwUnlessCan(
-          ProjectPermissionDynamicSecretActions.ReadRootCredential,
-          subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
-        )
-      );
-    }
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
 
     const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
     if (!folders.length)
@@ -572,7 +655,16 @@ export const dynamicSecretServiceFactory = ({
       ...params
     });
 
-    return dynamicSecretCfg;
+    return dynamicSecretCfg.filter((dynamicSecret) => {
+      return permission.can(
+        ProjectPermissionDynamicSecretActions.ReadRootCredential,
+        subject(ProjectPermissionSub.DynamicSecrets, {
+          environment: dynamicSecret.environment,
+          secretPath: path,
+          metadata: dynamicSecret.metadata
+        })
+      );
+    });
   };
 
   const fetchAzureEntraIdUsers = async ({

backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 import { OrderByDirection, TProjectPermission } from "@app/lib/types";
+import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
 import { DynamicSecretProviderSchema } from "./providers/models";
@@ -20,6 +21,7 @@ export type TCreateDynamicSecretDTO = {
   environmentSlug: string;
   name: string;
   projectSlug: string;
+  metadata?: ResourceMetadataDTO;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateDynamicSecretDTO = {
@@ -31,6 +33,7 @@ export type TUpdateDynamicSecretDTO = {
   environmentSlug: string;
   inputs?: TProvider["inputs"];
   projectSlug: string;
+  metadata?: ResourceMetadataDTO;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteDynamicSecretDTO = {

backend/src/ee/services/external-kms/external-kms-service.ts

@@ -7,7 +7,7 @@ import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/er
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsDataKey } from "@app/services/kms/kms-types";
+import { KmsDataKey, KmsKeyUsage } from "@app/services/kms/kms-types";
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
@@ -115,6 +115,7 @@ export const externalKmsServiceFactory = ({
         {
           isReserved: false,
           description,
+          keyUsage: KmsKeyUsage.ENCRYPT_DECRYPT,
           name: kmsName,
           orgId: actorOrgId
         },

backend/src/ee/services/external-kms/providers/gcp-kms.ts

@@ -92,7 +92,7 @@ export const GcpKmsProviderFactory = async ({ inputs }: GcpKmsProviderArgs): Pro
       plaintext: data
     });
     if (!encryptedText[0].ciphertext) throw new Error("encryption failed");
-    return { encryptedBlob: Buffer.from(encryptedText[0].ciphertext) };
+    return { encryptedBlob: Buffer.from(encryptedText[0].ciphertext as Uint8Array) };
   };
 
   const decrypt = async (encryptedBlob: Buffer) => {
@@ -101,7 +101,7 @@ export const GcpKmsProviderFactory = async ({ inputs }: GcpKmsProviderArgs): Pro
       ciphertext: encryptedBlob
     });
     if (!decryptedText[0].plaintext) throw new Error("decryption failed");
-    return { data: Buffer.from(decryptedText[0].plaintext) };
+    return { data: Buffer.from(decryptedText[0].plaintext as Uint8Array) };
   };
 
   return {

backend/src/ee/services/hsm/hsm-service.ts

@@ -258,7 +258,7 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
   const decrypt: {
     (encryptedBlob: Buffer, providedSession: pkcs11js.Handle): Promise<Buffer>;
     (encryptedBlob: Buffer): Promise<Buffer>;
-  } = async (encryptedBlob: Buffer, providedSession?: pkcs11js.Handle) => {
+  } = async (encryptedBlob: Buffer, providedSession?: pkcs11js.Handle): Promise<Buffer> => {
     if (!pkcs11 || !isInitialized) {
       throw new Error("PKCS#11 module is not initialized");
     }
@@ -309,10 +309,10 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
 
         pkcs11.C_DecryptInit(sessionHandle, decryptMechanism, aesKey);
 
-        const tempBuffer = Buffer.alloc(encryptedData.length);
+        const tempBuffer: Buffer = Buffer.alloc(encryptedData.length);
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
         const decryptedData = pkcs11.C_Decrypt(sessionHandle, encryptedData, tempBuffer);
 
-        // Create a new buffer from the decrypted data
         return Buffer.from(decryptedData);
       } catch (error) {
         logger.error(error, "HSM: Failed to perform decryption");

backend/src/ee/services/kmip/kmip-operation-service.ts

@@ -3,6 +3,7 @@ import { ForbiddenError } from "@casl/ability";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { KmsKeyUsage } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
 import { OrgPermissionKmipActions, OrgPermissionSubjects } from "../permission/org-permission";
@@ -403,6 +404,7 @@ export const kmipOperationServiceFactory = ({
       algorithm,
       isReserved: false,
       projectId,
+      keyUsage: KmsKeyUsage.ENCRYPT_DECRYPT,
       orgId: project.orgId
     });
 

backend/src/ee/services/kmip/kmip-types.ts

@@ -1,4 +1,4 @@
-import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { SymmetricKeyAlgorithm } from "@app/lib/crypto/cipher";
 import { OrderByDirection, TOrgPermission, TProjectPermission } from "@app/lib/types";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 
@@ -49,7 +49,7 @@ type KmipOperationBaseDTO = {
 } & Omit<TOrgPermission, "orgId">;
 
 export type TKmipCreateDTO = {
-  algorithm: SymmetricEncryption;
+  algorithm: SymmetricKeyAlgorithm;
 } & KmipOperationBaseDTO;
 
 export type TKmipGetDTO = {
@@ -77,7 +77,7 @@ export type TKmipLocateDTO = KmipOperationBaseDTO;
 export type TKmipRegisterDTO = {
   name: string;
   key: string;
-  algorithm: SymmetricEncryption;
+  algorithm: SymmetricKeyAlgorithm;
 } & KmipOperationBaseDTO;
 
 export type TSetupOrgKmipDTO = {

backend/src/ee/services/permission/project-permission.ts

@@ -32,7 +32,9 @@ export enum ProjectPermissionCmekActions {
   Edit = "edit",
   Delete = "delete",
   Encrypt = "encrypt",
-  Decrypt = "decrypt"
+  Decrypt = "decrypt",
+  Sign = "sign",
+  Verify = "verify"
 }
 
 export enum ProjectPermissionDynamicSecretActions {
@@ -67,6 +69,14 @@ export enum ProjectPermissionGroupActions {
   GrantPrivileges = "grant-privileges"
 }
 
+export enum ProjectPermissionSshHostActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  IssueHostCert = "issue-host-cert"
+}
+
 export enum ProjectPermissionSecretSyncActions {
   Read = "read",
   Create = "create",
@@ -121,6 +131,7 @@ export enum ProjectPermissionSub {
   SshCertificateAuthorities = "ssh-certificate-authorities",
   SshCertificates = "ssh-certificates",
   SshCertificateTemplates = "ssh-certificate-templates",
+  SshHosts = "ssh-hosts",
   PkiAlerts = "pki-alerts",
   PkiCollections = "pki-collections",
   Kms = "kms",
@@ -144,6 +155,10 @@ export type SecretFolderSubjectFields = {
 export type DynamicSecretSubjectFields = {
   environment: string;
   secretPath: string;
+  metadata?: {
+    key: string;
+    value: string;
+  }[];
 };
 
 export type SecretImportSubjectFields = {
@@ -160,6 +175,10 @@ export type IdentityManagementSubjectFields = {
   identityId: string;
 };
 
+export type SshHostSubjectFields = {
+  hostname: string;
+};
+
 export type ProjectPermissionSet =
   | [
       ProjectPermissionSecretActions,
@@ -215,6 +234,10 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateAuthorities]
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificates]
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateTemplates]
+  | [
+      ProjectPermissionSshHostActions,
+      ProjectPermissionSub.SshHosts | (ForcedSubject<ProjectPermissionSub.SshHosts> & SshHostSubjectFields)
+    ]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
   | [ProjectPermissionSecretSyncActions, ProjectPermissionSub.SecretSyncs]
@@ -265,6 +288,42 @@ const SecretConditionV1Schema = z
   })
   .partial();
 
+const DynamicSecretConditionV2Schema = z
+  .object({
+    environment: z.union([
+      z.string(),
+      z
+        .object({
+          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
+          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
+          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
+        })
+        .partial()
+    ]),
+    secretPath: SECRET_PATH_PERMISSION_OPERATOR_SCHEMA,
+    metadata: z.object({
+      [PermissionConditionOperators.$ELEMENTMATCH]: z
+        .object({
+          key: z
+            .object({
+              [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
+              [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
+              [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
+            })
+            .partial(),
+          value: z
+            .object({
+              [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
+              [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
+              [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
+            })
+            .partial()
+        })
+        .partial()
+    })
+  })
+  .partial();
+
 const SecretConditionV2Schema = z
   .object({
     environment: z.union([
@@ -313,6 +372,21 @@ const IdentityManagementConditionSchema = z
   })
   .partial();
 
+const SshHostConditionSchema = z
+  .object({
+    hostname: z.union([
+      z.string(),
+      z
+        .object({
+          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
+          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB],
+          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
+        })
+        .partial()
+    ])
+  })
+  .partial();
+
 const GeneralPermissionSchema = [
   z.object({
     subject: z.literal(ProjectPermissionSub.SecretApproval).describe("The entity this permission pertains to."),
@@ -547,7 +621,7 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionDynamicSecretActions).describe(
       "Describe what action an entity can take."
     ),
-    conditions: SecretConditionV1Schema.describe(
+    conditions: DynamicSecretConditionV2Schema.describe(
       "When specified, only matching conditions will be allowed to access given resource."
     ).optional()
   }),
@@ -561,6 +635,16 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
       "When specified, only matching conditions will be allowed to access given resource."
     ).optional()
   }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.SshHosts).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSshHostActions).describe(
+      "Describe what action an entity can take."
+    ),
+    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
+    conditions: SshHostConditionSchema.describe(
+      "When specified, only matching conditions will be allowed to access given resource."
+    ).optional()
+  }),
   z.object({
     subject: z.literal(ProjectPermissionSub.SecretRotation).describe("The entity this permission pertains to."),
     inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
@@ -613,6 +697,17 @@ const buildAdminPermissionRules = () => {
     );
   });
 
+  can(
+    [
+      ProjectPermissionSshHostActions.Edit,
+      ProjectPermissionSshHostActions.Read,
+      ProjectPermissionSshHostActions.Create,
+      ProjectPermissionSshHostActions.Delete,
+      ProjectPermissionSshHostActions.IssueHostCert
+    ],
+    ProjectPermissionSub.SshHosts
+  );
+
   can(
     [
       ProjectPermissionMemberActions.Create,
@@ -679,7 +774,9 @@ const buildAdminPermissionRules = () => {
       ProjectPermissionCmekActions.Delete,
       ProjectPermissionCmekActions.Read,
       ProjectPermissionCmekActions.Encrypt,
-      ProjectPermissionCmekActions.Decrypt
+      ProjectPermissionCmekActions.Decrypt,
+      ProjectPermissionCmekActions.Sign,
+      ProjectPermissionCmekActions.Verify
     ],
     ProjectPermissionSub.Cmek
   );
@@ -873,6 +970,8 @@ const buildMemberPermissionRules = () => {
   can([ProjectPermissionActions.Create], ProjectPermissionSub.SshCertificates);
   can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificateTemplates);
 
+  can([ProjectPermissionSshHostActions.Read], ProjectPermissionSub.SshHosts);
+
   can(
     [
       ProjectPermissionCmekActions.Create,
@@ -880,7 +979,9 @@ const buildMemberPermissionRules = () => {
       ProjectPermissionCmekActions.Delete,
       ProjectPermissionCmekActions.Read,
       ProjectPermissionCmekActions.Encrypt,
-      ProjectPermissionCmekActions.Decrypt
+      ProjectPermissionCmekActions.Decrypt,
+      ProjectPermissionCmekActions.Sign,
+      ProjectPermissionCmekActions.Verify
     ],
     ProjectPermissionSub.Cmek
   );

backend/src/ee/services/scim/scim-service.ts

@@ -594,6 +594,7 @@ export const scimServiceFactory = ({
         },
         tx
       );
+
       await orgMembershipDAL.updateById(
         membership.id,
         {

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -113,7 +113,13 @@ type TSecretApprovalRequestServiceFactoryDep = {
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey" | "encryptWithInputKey" | "decryptWithInputKey">;
   secretV2BridgeDAL: Pick<
     TSecretV2BridgeDALFactory,
-    "insertMany" | "upsertSecretReferences" | "findBySecretKeys" | "bulkUpdate" | "deleteMany" | "find"
+    | "insertMany"
+    | "upsertSecretReferences"
+    | "findBySecretKeys"
+    | "bulkUpdate"
+    | "deleteMany"
+    | "find"
+    | "invalidateSecretCacheByProjectId"
   >;
   secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
   secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
@@ -262,13 +268,14 @@ export const secretApprovalRequestServiceFactory = ({
         id: el.id,
         version: el.version,
         secretMetadata: el.secretMetadata as ResourceMetadataDTO,
-        isRotatedSecret: el.secret.isRotatedSecret,
-        // eslint-disable-next-line no-nested-ternary
-        secretValue: el.secret.isRotatedSecret
-          ? undefined
-          : el.encryptedValue
-            ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
-            : "",
+        isRotatedSecret: el.secret?.isRotatedSecret ?? false,
+        secretValue:
+          // eslint-disable-next-line no-nested-ternary
+          el.secret && el.secret.isRotatedSecret
+            ? undefined
+            : el.encryptedValue
+              ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
+              : "",
         secretComment: el.encryptedComment
           ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString()
           : "",
@@ -615,7 +622,7 @@ export const secretApprovalRequestServiceFactory = ({
               tx,
               inputSecrets: secretUpdationCommits.map((el) => {
                 const encryptedValue =
-                  !el.secret.isRotatedSecret && typeof el.encryptedValue !== "undefined"
+                  !el.secret?.isRotatedSecret && typeof el.encryptedValue !== "undefined"
                     ? {
                         encryptedValue: el.encryptedValue as Buffer,
                         references: el.encryptedValue
@@ -863,6 +870,7 @@ export const secretApprovalRequestServiceFactory = ({
       });
     }
 
+    await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
     await snapshotService.performSnapshot(folderId);
     const [folder] = await folderDAL.findSecretPathByFolderIds(projectId, [folderId]);
     if (!folder) {

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -45,7 +45,14 @@ type TSecretReplicationServiceFactoryDep = {
   secretVersionDAL: Pick<TSecretVersionDALFactory, "find" | "insertMany" | "update" | "findLatestVersionMany">;
   secretV2BridgeDAL: Pick<
     TSecretV2BridgeDALFactory,
-    "find" | "findBySecretKeys" | "insertMany" | "bulkUpdate" | "delete" | "upsertSecretReferences" | "transaction"
+    | "find"
+    | "findBySecretKeys"
+    | "insertMany"
+    | "bulkUpdate"
+    | "delete"
+    | "upsertSecretReferences"
+    | "transaction"
+    | "invalidateSecretCacheByProjectId"
   >;
   secretVersionV2BridgeDAL: Pick<
     TSecretVersionV2DALFactory,
@@ -260,6 +267,7 @@ export const secretReplicationServiceFactory = ({
       const sourceLocalSecrets = await secretV2BridgeDAL.find({ folderId: folder.id, type: SecretType.Shared });
       const sourceSecretImports = await secretImportDAL.find({ folderId: folder.id });
       const sourceImportedSecrets = await fnSecretsV2FromImports({
+        projectId,
         secretImports: sourceSecretImports,
         secretDAL: secretV2BridgeDAL,
         folderDAL,
@@ -497,6 +505,7 @@ export const secretReplicationServiceFactory = ({
                 }
               });
 
+              await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
               await secretQueueService.syncSecrets({
                 projectId,
                 orgId,

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -88,7 +88,7 @@ export type TSecretRotationV2ServiceFactoryDep = {
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findBySecretPathMultiEnv">;
   secretV2BridgeDAL: Pick<
     TSecretV2BridgeDALFactory,
-    "bulkUpdate" | "insertMany" | "deleteMany" | "upsertSecretReferences" | "find"
+    "bulkUpdate" | "insertMany" | "deleteMany" | "upsertSecretReferences" | "find" | "invalidateSecretCacheByProjectId"
   >;
   secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany">;
   secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
@@ -515,6 +515,7 @@ export const secretRotationV2ServiceFactory = ({
         });
       });
 
+      await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
       await snapshotService.performSnapshot(folder.id);
       await secretQueueService.syncSecrets({
         orgId: connection.orgId,
@@ -651,6 +652,7 @@ export const secretRotationV2ServiceFactory = ({
       });
 
       if (secretsMappingUpdated) {
+        await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
         await snapshotService.performSnapshot(folder.id);
         await secretQueueService.syncSecrets({
           orgId: connection.orgId,
@@ -777,6 +779,7 @@ export const secretRotationV2ServiceFactory = ({
     }
 
     if (deleteSecrets) {
+      await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
       await snapshotService.performSnapshot(folder.id);
       await secretQueueService.syncSecrets({
         orgId: connection.orgId,
@@ -935,6 +938,7 @@ export const secretRotationV2ServiceFactory = ({
         }
       });
 
+      await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
       await snapshotService.performSnapshot(folder.id);
       await secretQueueService.syncSecrets({
         orgId: connection.orgId,

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -48,7 +48,7 @@ type TSecretRotationQueueFactoryDep = {
   secretRotationDAL: TSecretRotationDALFactory;
   projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
   secretDAL: Pick<TSecretDALFactory, "bulkUpdate" | "find">;
-  secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "bulkUpdate" | "find">;
+  secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "bulkUpdate" | "find" | "invalidateSecretCacheByProjectId">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "insertMany" | "findLatestVersionMany">;
   secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
   telemetryService: Pick<TTelemetryServiceFactory, "sendPostHogEvents">;
@@ -339,6 +339,8 @@ export const secretRotationQueueFactory = ({
             tx
           );
         });
+
+        await secretV2BridgeDAL.invalidateSecretCacheByProjectId(secretRotation.projectId);
       } else {
         if (!botKey)
           throw new NotFoundError({

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -127,6 +127,13 @@ export const secretRotationServiceFactory = ({
       });
       if (selectedSecrets.length !== Object.values(outputs).length)
         throw new NotFoundError({ message: `Secrets not found in folder with ID '${folder.id}'` });
+      const rotatedSecrets = selectedSecrets.filter(({ isRotatedSecret }) => isRotatedSecret);
+      if (rotatedSecrets.length)
+        throw new BadRequestError({
+          message: `Selected secrets are already used for rotation: ${rotatedSecrets
+            .map((secret) => secret.key)
+            .join(", ")}`
+        });
     } else {
       const selectedSecrets = await secretDAL.find({
         folderId: folder.id,

backend/src/ee/services/secret-rotation/templates/index.ts

@@ -18,7 +18,8 @@ export const rotationTemplates: TSecretRotationProviderTemplate[] = [
     title: "PostgreSQL",
     image: "postgres.png",
     description: "Rotate PostgreSQL/CockroachDB user credentials",
-    template: POSTGRES_TEMPLATE
+    template: POSTGRES_TEMPLATE,
+    isDeprecated: true
   },
   {
     name: "mysql",
@@ -32,7 +33,8 @@ export const rotationTemplates: TSecretRotationProviderTemplate[] = [
     title: "Microsoft SQL Server",
     image: "mssqlserver.png",
     description: "Rotate Microsoft SQL server user credentials",
-    template: MSSQL_TEMPLATE
+    template: MSSQL_TEMPLATE,
+    isDeprecated: true
   },
   {
     name: "aws-iam",

backend/src/ee/services/secret-rotation/templates/types.ts

@@ -50,6 +50,7 @@ export type TSecretRotationProviderTemplate = {
   image?: string;
   description?: string;
   template: THttpProviderTemplate | TDbProviderTemplate | TAwsProviderTemplate;
+  isDeprecated?: boolean;
 };
 
 export type THttpProviderTemplate = {

backend/src/ee/services/ssh-certificate/ssh-certificate-types.ts

@@ -0,0 +1,7 @@
+export enum SshCertKeyAlgorithm {
+  RSA_2048 = "RSA_2048",
+  RSA_4096 = "RSA_4096",
+  ECDSA_P256 = "EC_prime256v1",
+  ECDSA_P384 = "EC_secp384r1",
+  ED25519 = "ED25519"
+}

backend/src/ee/services/ssh-host/ssh-host-dal.ts

@@ -0,0 +1,193 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { groupBy, unique } from "@app/lib/fn";
+import { ormify } from "@app/lib/knex";
+
+export type TSshHostDALFactory = ReturnType<typeof sshHostDALFactory>;
+
+export const sshHostDALFactory = (db: TDbClient) => {
+  const sshHostOrm = ormify(db, TableName.SshHost);
+
+  const findUserAccessibleSshHosts = async (projectIds: string[], userId: string, tx?: Knex) => {
+    try {
+      const user = await (tx || db.replicaNode())(TableName.Users).where({ id: userId }).select("username").first();
+
+      if (!user) {
+        throw new DatabaseError({ name: `${TableName.Users}: UserNotFound`, error: new Error("User not found") });
+      }
+
+      const rows = await (tx || db.replicaNode())(TableName.SshHost)
+        .leftJoin(TableName.SshHostLoginUser, `${TableName.SshHost}.id`, `${TableName.SshHostLoginUser}.sshHostId`)
+        .leftJoin(
+          TableName.SshHostLoginUserMapping,
+          `${TableName.SshHostLoginUser}.id`,
+          `${TableName.SshHostLoginUserMapping}.sshHostLoginUserId`
+        )
+        .leftJoin(TableName.Users, `${TableName.Users}.id`, `${TableName.SshHostLoginUserMapping}.userId`)
+        .whereIn(`${TableName.SshHost}.projectId`, projectIds)
+        .andWhere(`${TableName.SshHostLoginUserMapping}.userId`, userId)
+        .select(
+          db.ref("id").withSchema(TableName.SshHost).as("sshHostId"),
+          db.ref("projectId").withSchema(TableName.SshHost),
+          db.ref("hostname").withSchema(TableName.SshHost),
+          db.ref("userCertTtl").withSchema(TableName.SshHost),
+          db.ref("hostCertTtl").withSchema(TableName.SshHost),
+          db.ref("loginUser").withSchema(TableName.SshHostLoginUser),
+          db.ref("username").withSchema(TableName.Users),
+          db.ref("userId").withSchema(TableName.SshHostLoginUserMapping),
+          db.ref("userSshCaId").withSchema(TableName.SshHost),
+          db.ref("hostSshCaId").withSchema(TableName.SshHost)
+        )
+        .orderBy(`${TableName.SshHost}.updatedAt`, "desc");
+
+      const grouped = groupBy(rows, (r) => r.sshHostId);
+      return Object.values(grouped).map((hostRows) => {
+        const { sshHostId, hostname, userCertTtl, hostCertTtl, userSshCaId, hostSshCaId, projectId } = hostRows[0];
+
+        const loginMappingGrouped = groupBy(hostRows, (r) => r.loginUser);
+
+        const loginMappings = Object.entries(loginMappingGrouped).map(([loginUser]) => ({
+          loginUser,
+          allowedPrincipals: {
+            usernames: [user.username]
+          }
+        }));
+
+        return {
+          id: sshHostId,
+          hostname,
+          projectId,
+          userCertTtl,
+          hostCertTtl,
+          loginMappings,
+          userSshCaId,
+          hostSshCaId
+        };
+      });
+    } catch (error) {
+      throw new DatabaseError({ error, name: `${TableName.SshHost}: FindSshHostsWithPrincipalsAcrossProjects` });
+    }
+  };
+
+  const findSshHostsWithLoginMappings = async (projectId: string, tx?: Knex) => {
+    try {
+      const rows = await (tx || db.replicaNode())(TableName.SshHost)
+        .leftJoin(TableName.SshHostLoginUser, `${TableName.SshHost}.id`, `${TableName.SshHostLoginUser}.sshHostId`)
+        .leftJoin(
+          TableName.SshHostLoginUserMapping,
+          `${TableName.SshHostLoginUser}.id`,
+          `${TableName.SshHostLoginUserMapping}.sshHostLoginUserId`
+        )
+        .leftJoin(TableName.Users, `${TableName.SshHostLoginUserMapping}.userId`, `${TableName.Users}.id`)
+        .where(`${TableName.SshHost}.projectId`, projectId)
+        .select(
+          db.ref("id").withSchema(TableName.SshHost).as("sshHostId"),
+          db.ref("projectId").withSchema(TableName.SshHost),
+          db.ref("hostname").withSchema(TableName.SshHost),
+          db.ref("userCertTtl").withSchema(TableName.SshHost),
+          db.ref("hostCertTtl").withSchema(TableName.SshHost),
+          db.ref("loginUser").withSchema(TableName.SshHostLoginUser),
+          db.ref("username").withSchema(TableName.Users),
+          db.ref("userId").withSchema(TableName.SshHostLoginUserMapping),
+          db.ref("userSshCaId").withSchema(TableName.SshHost),
+          db.ref("hostSshCaId").withSchema(TableName.SshHost)
+        )
+        .orderBy(`${TableName.SshHost}.updatedAt`, "desc");
+
+      const hostsGrouped = groupBy(rows, (r) => r.sshHostId);
+      return Object.values(hostsGrouped).map((hostRows) => {
+        const { sshHostId, hostname, userCertTtl, hostCertTtl, userSshCaId, hostSshCaId } = hostRows[0];
+
+        const loginMappingGrouped = groupBy(
+          hostRows.filter((r) => r.loginUser),
+          (r) => r.loginUser
+        );
+
+        const loginMappings = Object.entries(loginMappingGrouped).map(([loginUser, entries]) => ({
+          loginUser,
+          allowedPrincipals: {
+            usernames: unique(entries.map((e) => e.username)).filter(Boolean)
+          }
+        }));
+
+        return {
+          id: sshHostId,
+          hostname,
+          projectId,
+          userCertTtl,
+          hostCertTtl,
+          loginMappings,
+          userSshCaId,
+          hostSshCaId
+        };
+      });
+    } catch (error) {
+      throw new DatabaseError({ error, name: `${TableName.SshHost}: FindSshHostsWithLoginMappings` });
+    }
+  };
+
+  const findSshHostByIdWithLoginMappings = async (sshHostId: string, tx?: Knex) => {
+    try {
+      const rows = await (tx || db.replicaNode())(TableName.SshHost)
+        .leftJoin(TableName.SshHostLoginUser, `${TableName.SshHost}.id`, `${TableName.SshHostLoginUser}.sshHostId`)
+        .leftJoin(
+          TableName.SshHostLoginUserMapping,
+          `${TableName.SshHostLoginUser}.id`,
+          `${TableName.SshHostLoginUserMapping}.sshHostLoginUserId`
+        )
+        .leftJoin(TableName.Users, `${TableName.SshHostLoginUserMapping}.userId`, `${TableName.Users}.id`)
+        .where(`${TableName.SshHost}.id`, sshHostId)
+        .select(
+          db.ref("id").withSchema(TableName.SshHost).as("sshHostId"),
+          db.ref("projectId").withSchema(TableName.SshHost),
+          db.ref("hostname").withSchema(TableName.SshHost),
+          db.ref("userCertTtl").withSchema(TableName.SshHost),
+          db.ref("hostCertTtl").withSchema(TableName.SshHost),
+          db.ref("loginUser").withSchema(TableName.SshHostLoginUser),
+          db.ref("username").withSchema(TableName.Users),
+          db.ref("userId").withSchema(TableName.SshHostLoginUserMapping),
+          db.ref("userSshCaId").withSchema(TableName.SshHost),
+          db.ref("hostSshCaId").withSchema(TableName.SshHost)
+        );
+
+      if (rows.length === 0) return null;
+
+      const { sshHostId: id, projectId, hostname, userCertTtl, hostCertTtl, userSshCaId, hostSshCaId } = rows[0];
+
+      const loginMappingGrouped = groupBy(
+        rows.filter((r) => r.loginUser),
+        (r) => r.loginUser
+      );
+
+      const loginMappings = Object.entries(loginMappingGrouped).map(([loginUser, entries]) => ({
+        loginUser,
+        allowedPrincipals: {
+          usernames: unique(entries.map((e) => e.username)).filter(Boolean)
+        }
+      }));
+
+      return {
+        id,
+        projectId,
+        hostname,
+        userCertTtl,
+        hostCertTtl,
+        loginMappings,
+        userSshCaId,
+        hostSshCaId
+      };
+    } catch (error) {
+      throw new DatabaseError({ error, name: `${TableName.SshHost}: FindSshHostByIdWithLoginMappings` });
+    }
+  };
+
+  return {
+    ...sshHostOrm,
+    findSshHostsWithLoginMappings,
+    findUserAccessibleSshHosts,
+    findSshHostByIdWithLoginMappings
+  };
+};

backend/src/ee/services/ssh-host/ssh-host-login-user-mapping-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TSshHostLoginUserMappingDALFactory = ReturnType<typeof sshHostLoginUserMappingDALFactory>;
+
+export const sshHostLoginUserMappingDALFactory = (db: TDbClient) => {
+  const sshHostLoginUserMappingOrm = ormify(db, TableName.SshHostLoginUserMapping);
+  return sshHostLoginUserMappingOrm;
+};

backend/src/ee/services/ssh-host/ssh-host-schema.ts

@@ -0,0 +1,20 @@
+import { z } from "zod";
+
+import { SshHostsSchema } from "@app/db/schemas";
+
+export const sanitizedSshHost = SshHostsSchema.pick({
+  id: true,
+  projectId: true,
+  hostname: true,
+  userCertTtl: true,
+  hostCertTtl: true,
+  userSshCaId: true,
+  hostSshCaId: true
+});
+
+export const loginMappingSchema = z.object({
+  loginUser: z.string().trim(),
+  allowedPrincipals: z.object({
+    usernames: z.array(z.string().trim()).transform((usernames) => Array.from(new Set(usernames)))
+  })
+});

backend/src/ee/services/ssh-host/ssh-host-service.ts

@@ -0,0 +1,694 @@
+import { ForbiddenError, subject } from "@casl/ability";
+
+import { ActionProjectType, ProjectType } from "@app/db/schemas";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
+import { TSshCertificateAuthoritySecretDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-secret-dal";
+import { TSshCertificateBodyDALFactory } from "@app/ee/services/ssh-certificate/ssh-certificate-body-dal";
+import { TSshCertificateDALFactory } from "@app/ee/services/ssh-certificate/ssh-certificate-dal";
+import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
+import { TSshHostDALFactory } from "@app/ee/services/ssh-host/ssh-host-dal";
+import { TSshHostLoginUserMappingDALFactory } from "@app/ee/services/ssh-host/ssh-host-login-user-mapping-dal";
+import { TSshHostLoginUserDALFactory } from "@app/ee/services/ssh-host/ssh-login-user-dal";
+import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
+import { ActorType } from "@app/services/auth/auth-type";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { TProjectSshConfigDALFactory } from "@app/services/project/project-ssh-config-dal";
+import { TUserDALFactory } from "@app/services/user/user-dal";
+
+import {
+  convertActorToPrincipals,
+  createSshCert,
+  createSshKeyPair,
+  getSshPublicKey
+} from "../ssh/ssh-certificate-authority-fns";
+import { SshCertType } from "../ssh/ssh-certificate-authority-types";
+import {
+  TCreateSshHostDTO,
+  TDeleteSshHostDTO,
+  TGetSshHostDTO,
+  TIssueSshHostHostCertDTO,
+  TIssueSshHostUserCertDTO,
+  TListSshHostsDTO,
+  TUpdateSshHostDTO
+} from "./ssh-host-types";
+
+type TSshHostServiceFactoryDep = {
+  userDAL: Pick<TUserDALFactory, "findById" | "find">;
+  projectDAL: Pick<TProjectDALFactory, "find">;
+  projectSshConfigDAL: Pick<TProjectSshConfigDALFactory, "findOne">;
+  sshCertificateAuthorityDAL: Pick<TSshCertificateAuthorityDALFactory, "findOne">;
+  sshCertificateAuthoritySecretDAL: Pick<TSshCertificateAuthoritySecretDALFactory, "findOne">;
+  sshCertificateDAL: Pick<TSshCertificateDALFactory, "create" | "transaction">;
+  sshCertificateBodyDAL: Pick<TSshCertificateBodyDALFactory, "create">;
+  sshHostDAL: Pick<
+    TSshHostDALFactory,
+    | "transaction"
+    | "create"
+    | "findById"
+    | "updateById"
+    | "deleteById"
+    | "findOne"
+    | "findSshHostByIdWithLoginMappings"
+    | "findUserAccessibleSshHosts"
+  >;
+  sshHostLoginUserDAL: TSshHostLoginUserDALFactory;
+  sshHostLoginUserMappingDAL: TSshHostLoginUserMappingDALFactory;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getUserProjectPermission">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+};
+
+export type TSshHostServiceFactory = ReturnType<typeof sshHostServiceFactory>;
+
+export const sshHostServiceFactory = ({
+  userDAL,
+  projectDAL,
+  projectSshConfigDAL,
+  sshCertificateAuthorityDAL,
+  sshCertificateAuthoritySecretDAL,
+  sshCertificateDAL,
+  sshCertificateBodyDAL,
+  sshHostDAL,
+  sshHostLoginUserMappingDAL,
+  sshHostLoginUserDAL,
+  permissionService,
+  kmsService
+}: TSshHostServiceFactoryDep) => {
+  /**
+   * Return list of all SSH hosts that a user can issue user SSH certificates for
+   * (i.e. is able to access / connect to) across all SSH projects in the organization
+   */
+  const listSshHosts = async ({ actorId, actorAuthMethod, actor, actorOrgId }: TListSshHostsDTO) => {
+    if (actor !== ActorType.USER) {
+      // (dangtony98): only support user for now
+      throw new BadRequestError({ message: `Actor type ${actor} not supported` });
+    }
+
+    const sshProjects = await projectDAL.find({
+      orgId: actorOrgId,
+      type: ProjectType.SSH
+    });
+
+    const allowedHosts = [];
+
+    for await (const project of sshProjects) {
+      try {
+        await permissionService.getProjectPermission({
+          actor,
+          actorId,
+          projectId: project.id,
+          actorAuthMethod,
+          actorOrgId,
+          actionProjectType: ActionProjectType.SSH
+        });
+
+        const projectHosts = await sshHostDAL.findUserAccessibleSshHosts([project.id], actorId);
+
+        allowedHosts.push(...projectHosts);
+      } catch {
+        // intentionally ignore projects where user lacks access
+      }
+    }
+
+    return allowedHosts;
+  };
+
+  const createSshHost = async ({
+    projectId,
+    hostname,
+    userCertTtl,
+    hostCertTtl,
+    loginMappings,
+    userSshCaId: requestedUserSshCaId,
+    hostSshCaId: requestedHostSshCaId,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TCreateSshHostDTO) => {
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionSshHostActions.Create,
+      subject(ProjectPermissionSub.SshHosts, {
+        hostname
+      })
+    );
+
+    const resolveSshCaId = async ({
+      requestedId,
+      fallbackId,
+      label
+    }: {
+      requestedId?: string;
+      fallbackId?: string | null;
+      label: "User" | "Host";
+    }) => {
+      const finalId = requestedId ?? fallbackId;
+      if (!finalId) {
+        throw new BadRequestError({ message: `Missing ${label.toLowerCase()} SSH CA` });
+      }
+
+      const ca = await sshCertificateAuthorityDAL.findOne({
+        id: finalId,
+        projectId
+      });
+
+      if (!ca) {
+        throw new BadRequestError({
+          message: `${label} SSH CA with ID '${finalId}' not found in project '${projectId}'`
+        });
+      }
+
+      return ca.id;
+    };
+
+    const projectSshConfig = await projectSshConfigDAL.findOne({ projectId });
+
+    const userSshCaId = await resolveSshCaId({
+      requestedId: requestedUserSshCaId,
+      fallbackId: projectSshConfig?.defaultUserSshCaId,
+      label: "User"
+    });
+
+    const hostSshCaId = await resolveSshCaId({
+      requestedId: requestedHostSshCaId,
+      fallbackId: projectSshConfig?.defaultHostSshCaId,
+      label: "Host"
+    });
+
+    const newSshHost = await sshHostDAL.transaction(async (tx) => {
+      const host = await sshHostDAL.create(
+        {
+          projectId,
+          hostname,
+          userCertTtl,
+          hostCertTtl,
+          userSshCaId,
+          hostSshCaId
+        },
+        tx
+      );
+
+      // (dangtony98): room to optimize
+      for await (const { loginUser, allowedPrincipals } of loginMappings) {
+        const sshHostLoginUser = await sshHostLoginUserDAL.create(
+          {
+            sshHostId: host.id,
+            loginUser
+          },
+          tx
+        );
+
+        if (allowedPrincipals.usernames.length > 0) {
+          const users = await userDAL.find(
+            {
+              $in: {
+                username: allowedPrincipals.usernames
+              }
+            },
+            { tx }
+          );
+
+          const foundUsernames = new Set(users.map((u) => u.username));
+
+          for (const uname of allowedPrincipals.usernames) {
+            if (!foundUsernames.has(uname)) {
+              throw new BadRequestError({
+                message: `Invalid username: ${uname}`
+              });
+            }
+          }
+
+          for await (const user of users) {
+            // check that each user has access to the SSH project
+            await permissionService.getUserProjectPermission({
+              userId: user.id,
+              projectId,
+              authMethod: actorAuthMethod,
+              userOrgId: actorOrgId,
+              actionProjectType: ActionProjectType.SSH
+            });
+          }
+
+          await sshHostLoginUserMappingDAL.insertMany(
+            users.map((user) => ({
+              sshHostLoginUserId: sshHostLoginUser.id,
+              userId: user.id
+            })),
+            tx
+          );
+        }
+      }
+
+      const newSshHostWithLoginMappings = await sshHostDAL.findSshHostByIdWithLoginMappings(host.id, tx);
+      if (!newSshHostWithLoginMappings) {
+        throw new NotFoundError({ message: `SSH host with ID '${host.id}' not found` });
+      }
+
+      return newSshHostWithLoginMappings;
+    });
+
+    return newSshHost;
+  };
+
+  const updateSshHost = async ({
+    sshHostId,
+    hostname,
+    userCertTtl,
+    hostCertTtl,
+    loginMappings,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TUpdateSshHostDTO) => {
+    const host = await sshHostDAL.findById(sshHostId);
+    if (!host) throw new NotFoundError({ message: `SSH host with ID '${sshHostId}' not found` });
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: host.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionSshHostActions.Edit,
+      subject(ProjectPermissionSub.SshHosts, {
+        hostname: host.hostname
+      })
+    );
+
+    const updatedHost = await sshHostDAL.transaction(async (tx) => {
+      await sshHostDAL.updateById(
+        sshHostId,
+        {
+          hostname,
+          userCertTtl,
+          hostCertTtl
+        },
+        tx
+      );
+
+      if (loginMappings) {
+        await sshHostLoginUserDAL.delete({ sshHostId: host.id }, tx);
+        if (loginMappings.length) {
+          for await (const { loginUser, allowedPrincipals } of loginMappings) {
+            const sshHostLoginUser = await sshHostLoginUserDAL.create(
+              {
+                sshHostId: host.id,
+                loginUser
+              },
+              tx
+            );
+
+            if (allowedPrincipals.usernames.length > 0) {
+              const users = await userDAL.find(
+                {
+                  $in: {
+                    username: allowedPrincipals.usernames
+                  }
+                },
+                { tx }
+              );
+
+              const foundUsernames = new Set(users.map((u) => u.username));
+
+              for (const uname of allowedPrincipals.usernames) {
+                if (!foundUsernames.has(uname)) {
+                  throw new BadRequestError({
+                    message: `Invalid username: ${uname}`
+                  });
+                }
+              }
+
+              for await (const user of users) {
+                await permissionService.getUserProjectPermission({
+                  userId: user.id,
+                  projectId: host.projectId,
+                  authMethod: actorAuthMethod,
+                  userOrgId: actorOrgId,
+                  actionProjectType: ActionProjectType.SSH
+                });
+              }
+
+              await sshHostLoginUserMappingDAL.insertMany(
+                users.map((user) => ({
+                  sshHostLoginUserId: sshHostLoginUser.id,
+                  userId: user.id
+                })),
+                tx
+              );
+            }
+          }
+        }
+      }
+
+      const updatedHostWithLoginMappings = await sshHostDAL.findSshHostByIdWithLoginMappings(sshHostId, tx);
+      if (!updatedHostWithLoginMappings) {
+        throw new NotFoundError({ message: `SSH host with ID '${sshHostId}' not found` });
+      }
+
+      return updatedHostWithLoginMappings;
+    });
+
+    return updatedHost;
+  };
+
+  const deleteSshHost = async ({ sshHostId, actorId, actorAuthMethod, actor, actorOrgId }: TDeleteSshHostDTO) => {
+    const host = await sshHostDAL.findSshHostByIdWithLoginMappings(sshHostId);
+    if (!host) throw new NotFoundError({ message: `SSH host with ID '${sshHostId}' not found` });
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: host.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionSshHostActions.Delete,
+      subject(ProjectPermissionSub.SshHosts, {
+        hostname: host.hostname
+      })
+    );
+
+    await sshHostDAL.deleteById(sshHostId);
+
+    return host;
+  };
+
+  const getSshHost = async ({ sshHostId, actorId, actorAuthMethod, actor, actorOrgId }: TGetSshHostDTO) => {
+    const host = await sshHostDAL.findSshHostByIdWithLoginMappings(sshHostId);
+    if (!host) {
+      throw new NotFoundError({
+        message: `SSH host with ID ${sshHostId} not found`
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: host.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionSshHostActions.Read,
+      subject(ProjectPermissionSub.SshHosts, {
+        hostname: host.hostname
+      })
+    );
+
+    return host;
+  };
+
+  /**
+   * Return SSH certificate and corresponding new SSH public-private key pair where
+   * SSH public key is signed using CA behind SSH certificate with name [templateName].
+   *
+   * Note: Used for issuing SSH credentials as part of request against a specific SSH Host.
+   */
+  const issueSshHostUserCert = async ({
+    sshHostId,
+    loginUser,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TIssueSshHostUserCertDTO) => {
+    const host = await sshHostDAL.findSshHostByIdWithLoginMappings(sshHostId);
+    if (!host) {
+      throw new NotFoundError({
+        message: `SSH host with ID ${sshHostId} not found`
+      });
+    }
+
+    await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: host.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });
+
+    const internalPrincipals = await convertActorToPrincipals({
+      actor,
+      actorId,
+      userDAL
+    });
+
+    const mapping = host.loginMappings.find(
+      (m) =>
+        m.loginUser === loginUser &&
+        m.allowedPrincipals.usernames.some((allowed) => internalPrincipals.includes(allowed))
+    );
+
+    if (!mapping) {
+      throw new UnauthorizedError({
+        message: `You are not allowed to login as ${loginUser} on this host`
+      });
+    }
+
+    const keyId = `${actor}-${actorId}`;
+
+    const sshCaSecret = await sshCertificateAuthoritySecretDAL.findOne({ sshCaId: host.userSshCaId });
+
+    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId: host.projectId
+    });
+
+    const decryptedCaPrivateKey = secretManagerDecryptor({
+      cipherTextBlob: sshCaSecret.encryptedPrivateKey
+    });
+
+    // (dangtony98): will support more algorithms in the future
+    const keyAlgorithm = SshCertKeyAlgorithm.ED25519;
+    const { publicKey, privateKey } = await createSshKeyPair(keyAlgorithm);
+
+    // (dangtony98): include the loginUser as a principal on the issued certificate
+    const principals = [...internalPrincipals, loginUser];
+
+    const { serialNumber, signedPublicKey, ttl } = await createSshCert({
+      caPrivateKey: decryptedCaPrivateKey.toString("utf8"),
+      clientPublicKey: publicKey,
+      keyId,
+      principals,
+      requestedTtl: host.userCertTtl,
+      certType: SshCertType.USER
+    });
+
+    const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId: host.projectId
+    });
+
+    const encryptedCertificate = secretManagerEncryptor({
+      plainText: Buffer.from(signedPublicKey, "utf8")
+    }).cipherTextBlob;
+
+    await sshCertificateDAL.transaction(async (tx) => {
+      const cert = await sshCertificateDAL.create(
+        {
+          sshCaId: host.userSshCaId,
+          sshHostId: host.id,
+          serialNumber,
+          certType: SshCertType.USER,
+          principals,
+          keyId,
+          notBefore: new Date(),
+          notAfter: new Date(Date.now() + ttl * 1000)
+        },
+        tx
+      );
+
+      await sshCertificateBodyDAL.create(
+        {
+          sshCertId: cert.id,
+          encryptedCertificate
+        },
+        tx
+      );
+    });
+
+    return {
+      host,
+      principals,
+      serialNumber,
+      signedPublicKey,
+      privateKey,
+      publicKey,
+      ttl,
+      keyAlgorithm
+    };
+  };
+
+  const issueSshHostHostCert = async ({
+    sshHostId,
+    publicKey,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TIssueSshHostHostCertDTO) => {
+    const host = await sshHostDAL.findSshHostByIdWithLoginMappings(sshHostId);
+    if (!host) {
+      throw new NotFoundError({
+        message: `SSH host with ID ${sshHostId} not found`
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: host.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionSshHostActions.IssueHostCert,
+      subject(ProjectPermissionSub.SshHosts, {
+        hostname: host.hostname
+      })
+    );
+
+    const sshCaSecret = await sshCertificateAuthoritySecretDAL.findOne({ sshCaId: host.hostSshCaId });
+
+    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId: host.projectId
+    });
+
+    const decryptedCaPrivateKey = secretManagerDecryptor({
+      cipherTextBlob: sshCaSecret.encryptedPrivateKey
+    });
+
+    const principals = [host.hostname];
+    const keyId = `host-${host.id}`;
+
+    const { serialNumber, signedPublicKey, ttl } = await createSshCert({
+      caPrivateKey: decryptedCaPrivateKey.toString("utf8"),
+      clientPublicKey: publicKey,
+      keyId,
+      principals,
+      requestedTtl: host.hostCertTtl,
+      certType: SshCertType.HOST
+    });
+
+    const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId: host.projectId
+    });
+
+    const encryptedCertificate = secretManagerEncryptor({
+      plainText: Buffer.from(signedPublicKey, "utf8")
+    }).cipherTextBlob;
+
+    await sshCertificateDAL.transaction(async (tx) => {
+      const cert = await sshCertificateDAL.create(
+        {
+          sshCaId: host.hostSshCaId,
+          sshHostId: host.id,
+          serialNumber,
+          certType: SshCertType.HOST,
+          principals,
+          keyId,
+          notBefore: new Date(),
+          notAfter: new Date(Date.now() + ttl * 1000)
+        },
+        tx
+      );
+
+      await sshCertificateBodyDAL.create(
+        {
+          sshCertId: cert.id,
+          encryptedCertificate
+        },
+        tx
+      );
+    });
+
+    return { host, principals, serialNumber, signedPublicKey };
+  };
+
+  const getSshHostUserCaPk = async (sshHostId: string) => {
+    const host = await sshHostDAL.findById(sshHostId);
+    if (!host) {
+      throw new NotFoundError({
+        message: `SSH host with ID ${sshHostId} not found`
+      });
+    }
+
+    const sshCaSecret = await sshCertificateAuthoritySecretDAL.findOne({ sshCaId: host.userSshCaId });
+
+    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId: host.projectId
+    });
+
+    const decryptedCaPrivateKey = secretManagerDecryptor({
+      cipherTextBlob: sshCaSecret.encryptedPrivateKey
+    });
+
+    const publicKey = await getSshPublicKey(decryptedCaPrivateKey.toString("utf-8"));
+
+    return publicKey;
+  };
+
+  const getSshHostHostCaPk = async (sshHostId: string) => {
+    const host = await sshHostDAL.findById(sshHostId);
+    if (!host) {
+      throw new NotFoundError({
+        message: `SSH host with ID ${sshHostId} not found`
+      });
+    }
+
+    const sshCaSecret = await sshCertificateAuthoritySecretDAL.findOne({ sshCaId: host.hostSshCaId });
+
+    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId: host.projectId
+    });
+
+    const decryptedCaPrivateKey = secretManagerDecryptor({
+      cipherTextBlob: sshCaSecret.encryptedPrivateKey
+    });
+
+    const publicKey = await getSshPublicKey(decryptedCaPrivateKey.toString("utf-8"));
+
+    return publicKey;
+  };
+
+  return {
+    listSshHosts,
+    createSshHost,
+    updateSshHost,
+    deleteSshHost,
+    getSshHost,
+    issueSshHostUserCert,
+    issueSshHostHostCert,
+    getSshHostUserCaPk,
+    getSshHostHostCaPk
+  };
+};

backend/src/ee/services/ssh-host/ssh-host-types.ts

@@ -0,0 +1,48 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export type TListSshHostsDTO = Omit<TProjectPermission, "projectId">;
+
+export type TCreateSshHostDTO = {
+  hostname: string;
+  userCertTtl: string;
+  hostCertTtl: string;
+  loginMappings: {
+    loginUser: string;
+    allowedPrincipals: {
+      usernames: string[];
+    };
+  }[];
+  userSshCaId?: string;
+  hostSshCaId?: string;
+} & TProjectPermission;
+
+export type TUpdateSshHostDTO = {
+  sshHostId: string;
+  hostname?: string;
+  userCertTtl?: string;
+  hostCertTtl?: string;
+  loginMappings?: {
+    loginUser: string;
+    allowedPrincipals: {
+      usernames: string[];
+    };
+  }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetSshHostDTO = {
+  sshHostId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TDeleteSshHostDTO = {
+  sshHostId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TIssueSshHostUserCertDTO = {
+  sshHostId: string;
+  loginUser: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TIssueSshHostHostCertDTO = {
+  sshHostId: string;
+  publicKey: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/ee/services/ssh-host/ssh-host-validators.ts

@@ -0,0 +1,15 @@
+import { isFQDN } from "@app/lib/validator/validate-url";
+
+export const isValidHostname = (value: string): boolean => {
+  if (typeof value !== "string") return false;
+  if (value.length > 255) return false;
+
+  // Only allow strict FQDNs, no wildcards or IPs
+  return isFQDN(value, {
+    require_tld: true,
+    allow_underscores: false,
+    allow_trailing_dot: false,
+    allow_numeric_tld: true,
+    allow_wildcard: false
+  });
+};

backend/src/ee/services/ssh-host/ssh-login-user-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TSshHostLoginUserDALFactory = ReturnType<typeof sshHostLoginUserDALFactory>;
+
+export const sshHostLoginUserDALFactory = (db: TDbClient) => {
+  const sshHostLoginUserOrm = ormify(db, TableName.SshHostLoginUser);
+  return sshHostLoginUserOrm;
+};

backend/src/ee/services/ssh/ssh-certificate-authority-fns.ts

@@ -1,21 +1,31 @@
 import { execFile } from "child_process";
 import crypto from "crypto";
 import { promises as fs } from "fs";
+import { Knex } from "knex";
 import os from "os";
 import path from "path";
 import { promisify } from "util";
 
 import { TSshCertificateTemplates } from "@app/db/schemas";
+import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
 import { BadRequestError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
-import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
+import { ActorType } from "@app/services/auth/auth-type";
+import { KmsDataKey } from "@app/services/kms/kms-types";
 
 import {
   isValidHostPattern,
   isValidUserPattern
 } from "../ssh-certificate-template/ssh-certificate-template-validators";
-import { SshCertType, TCreateSshCertDTO } from "./ssh-certificate-authority-types";
+import {
+  SshCaKeySource,
+  SshCaStatus,
+  SshCertType,
+  TConvertActorToPrincipalsDTO,
+  TCreateSshCaHelperDTO,
+  TCreateSshCertDTO
+} from "./ssh-certificate-authority-types";
 
 const execFileAsync = promisify(execFile);
 
@@ -31,31 +41,35 @@ export const createSshCertSerialNumber = () => {
  * Return a pair of SSH CA keys based on the specified key algorithm [keyAlgorithm].
  * We use this function because the key format generated by `ssh-keygen` is unique.
  */
-export const createSshKeyPair = async (keyAlgorithm: CertKeyAlgorithm) => {
+export const createSshKeyPair = async (keyAlgorithm: SshCertKeyAlgorithm) => {
   const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "ssh-key-"));
   const privateKeyFile = path.join(tempDir, "id_key");
   const publicKeyFile = `${privateKeyFile}.pub`;
 
   let keyType: string;
-  let keyBits: string;
+  let keyBits: string | null;
 
   switch (keyAlgorithm) {
-    case CertKeyAlgorithm.RSA_2048:
+    case SshCertKeyAlgorithm.RSA_2048:
       keyType = "rsa";
       keyBits = "2048";
       break;
-    case CertKeyAlgorithm.RSA_4096:
+    case SshCertKeyAlgorithm.RSA_4096:
       keyType = "rsa";
       keyBits = "4096";
       break;
-    case CertKeyAlgorithm.ECDSA_P256:
+    case SshCertKeyAlgorithm.ECDSA_P256:
       keyType = "ecdsa";
       keyBits = "256";
       break;
-    case CertKeyAlgorithm.ECDSA_P384:
+    case SshCertKeyAlgorithm.ECDSA_P384:
       keyType = "ecdsa";
       keyBits = "384";
       break;
+    case SshCertKeyAlgorithm.ED25519:
+      keyType = "ed25519";
+      keyBits = null;
+      break;
     default:
       throw new BadRequestError({
         message: "Failed to produce SSH CA key pair generation command due to unrecognized key algorithm"
@@ -63,10 +77,16 @@ export const createSshKeyPair = async (keyAlgorithm: CertKeyAlgorithm) => {
   }
 
   try {
+    const args = ["-t", keyType];
+    if (keyBits !== null) {
+      args.push("-b", keyBits);
+    }
+    args.push("-f", privateKeyFile, "-N", "");
+
     // Generate the SSH key pair
     // The "-N ''" sets an empty passphrase
     // The keys are created in the temporary directory
-    await execFileAsync("ssh-keygen", ["-t", keyType, "-b", keyBits, "-f", privateKeyFile, "-N", ""], {
+    await execFileAsync("ssh-keygen", args, {
       timeout: EXEC_TIMEOUT_MS
     });
 
@@ -280,7 +300,12 @@ export const validateSshCertificateTtl = (template: TSshCertificateTemplates, tt
  * that it only contains alphanumeric characters with no spaces.
  */
 export const validateSshCertificateKeyId = (keyId: string) => {
-  const regex = characterValidator([CharacterType.AlphaNumeric, CharacterType.Hyphen]);
+  const regex = characterValidator([
+    CharacterType.AlphaNumeric,
+    CharacterType.Hyphen,
+    CharacterType.Colon,
+    CharacterType.Period
+  ]);
   if (!regex(keyId)) {
     throw new BadRequestError({
       message:
@@ -322,6 +347,96 @@ const validateSshPublicKey = async (publicKey: string) => {
   }
 };
 
+export const getKeyAlgorithmFromFingerprintOutput = (output: string): SshCertKeyAlgorithm | undefined => {
+  const parts = output.trim().split(" ");
+  const bitsInt = parseInt(parts[0], 10);
+  const keyTypeRaw = parts.at(-1)?.replace(/[()]/g, ""); // remove surrounding parentheses
+
+  if (keyTypeRaw === "RSA") {
+    return bitsInt === 2048 ? SshCertKeyAlgorithm.RSA_2048 : SshCertKeyAlgorithm.RSA_4096;
+  }
+
+  if (keyTypeRaw === "ECDSA") {
+    return bitsInt === 256 ? SshCertKeyAlgorithm.ECDSA_P256 : SshCertKeyAlgorithm.ECDSA_P384;
+  }
+
+  if (keyTypeRaw === "ED25519") {
+    return SshCertKeyAlgorithm.ED25519;
+  }
+
+  return undefined;
+};
+
+export const normalizeSshPrivateKey = (raw: string): string => {
+  return `${raw
+    .replace(/\r\n/g, "\n") // Windows CRLF → LF
+    .replace(/\r/g, "\n") // Old Mac CR → LF
+    .replace(/\\n/g, "\n") // Double-escaped \n
+    .trim()}\n`;
+};
+
+/**
+ * Validate the format of the SSH private key
+ *
+ * Returns the SSH public key corresponding to the private key
+ * and the key algorithm categorization.
+ */
+export const validateSshPrivateKey = async (privateKey: string) => {
+  const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "ssh-privkey-"));
+  const privateKeyFile = path.join(tempDir, "id_key");
+
+  try {
+    await fs.writeFile(privateKeyFile, privateKey, {
+      encoding: "utf8",
+      mode: 0o600
+    });
+
+    // This will fail if the private key is malformed or unreadable
+    const { stdout: publicKey } = await execFileAsync("ssh-keygen", ["-y", "-f", privateKeyFile], {
+      timeout: EXEC_TIMEOUT_MS
+    });
+
+    const { stdout: fingerprint } = await execFileAsync("ssh-keygen", ["-lf", privateKeyFile]);
+    const keyAlgorithm = getKeyAlgorithmFromFingerprintOutput(fingerprint);
+
+    if (!keyAlgorithm) {
+      throw new BadRequestError({
+        message: "Failed to validate SSH private key format: The key algorithm is not supported."
+      });
+    }
+
+    return {
+      publicKey,
+      keyAlgorithm
+    };
+  } catch (err) {
+    throw new BadRequestError({
+      message: "Failed to validate SSH private key format: could not be parsed."
+    });
+  } finally {
+    await fs.rm(tempDir, { recursive: true, force: true }).catch(() => {});
+  }
+};
+
+/**
+ * Validate that the provided public and private keys are valid and constitute
+ * a matching SSH key pair.
+ */
+export const validateExternalSshCaKeyPair = async (publicKey: string, privateKey: string) => {
+  await validateSshPublicKey(publicKey);
+
+  const { publicKey: derivedPublicKey, keyAlgorithm } = await validateSshPrivateKey(privateKey);
+
+  if (publicKey.trim() !== derivedPublicKey.trim()) {
+    throw new BadRequestError({
+      message:
+        "Failed to validate matching SSH key pair: The provided public key does not match the public key derived from the private key."
+    });
+  }
+
+  return keyAlgorithm;
+};
+
 /**
  * Create an SSH certificate for a user or host.
  */
@@ -331,17 +446,32 @@ export const createSshCert = async ({
   clientPublicKey,
   keyId,
   principals,
-  requestedTtl,
+  requestedTtl, // in ms lib format
   certType
 }: TCreateSshCertDTO) => {
-  // validate if the requested [certType] is allowed under the template configuration
-  validateSshCertificateType(template, certType);
+  let ttl: number | undefined;
 
-  // validate if the requested [principals] are valid for the given [certType] under the template configuration
-  validateSshCertificatePrincipals(certType, template, principals);
+  if (!template && requestedTtl) {
+    const parsedTtl = Math.ceil(ms(requestedTtl) / 1000);
+    if (parsedTtl > 0) ttl = parsedTtl;
+  }
 
-  // validate if the requested TTL is valid under the template configuration
-  const ttl = validateSshCertificateTtl(template, requestedTtl);
+  if (template) {
+    // validate if the requested [certType] is allowed under the template configuration
+    validateSshCertificateType(template, certType);
+
+    // validate if the requested [principals] are valid for the given [certType] under the template configuration
+    validateSshCertificatePrincipals(certType, template, principals);
+
+    // validate if the requested TTL is valid under the template configuration
+    ttl = validateSshCertificateTtl(template, requestedTtl);
+  }
+
+  if (!ttl) {
+    throw new BadRequestError({
+      message: "Failed to create SSH certificate due to missing TTL"
+    });
+  }
 
   validateSshCertificateKeyId(keyId);
   await validateSshPublicKey(clientPublicKey);
@@ -388,3 +518,88 @@ export const createSshCert = async ({
     await fs.rm(tempDir, { recursive: true, force: true }).catch(() => {});
   }
 };
+
+export const createSshCaHelper = async ({
+  projectId,
+  friendlyName,
+  keyAlgorithm: requestedKeyAlgorithm,
+  keySource,
+  externalPk,
+  externalSk,
+  sshCertificateAuthorityDAL,
+  sshCertificateAuthoritySecretDAL,
+  kmsService,
+  tx: outerTx
+}: TCreateSshCaHelperDTO) => {
+  // Function to handle the actual creation logic
+  const processCreation = async (tx: Knex) => {
+    let publicKey: string;
+    let privateKey: string;
+    let keyAlgorithm: SshCertKeyAlgorithm = requestedKeyAlgorithm;
+    if (keySource === SshCaKeySource.INTERNAL) {
+      // generate SSH CA key pair internally
+      ({ publicKey, privateKey } = await createSshKeyPair(requestedKeyAlgorithm));
+    } else {
+      // use external SSH CA key pair
+      if (!externalPk || !externalSk) {
+        throw new BadRequestError({
+          message: "Public and private keys are required when key source is external"
+        });
+      }
+      publicKey = externalPk;
+      privateKey = externalSk;
+      keyAlgorithm = await validateExternalSshCaKeyPair(publicKey, privateKey);
+    }
+    const ca = await sshCertificateAuthorityDAL.create(
+      {
+        projectId,
+        friendlyName,
+        status: SshCaStatus.ACTIVE,
+        keyAlgorithm,
+        keySource
+      },
+      tx
+    );
+    const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey(
+      {
+        type: KmsDataKey.SecretManager,
+        projectId
+      },
+      tx
+    );
+    await sshCertificateAuthoritySecretDAL.create(
+      {
+        sshCaId: ca.id,
+        encryptedPrivateKey: secretManagerEncryptor({ plainText: Buffer.from(privateKey, "utf8") }).cipherTextBlob
+      },
+      tx
+    );
+    return { ...ca, publicKey };
+  };
+
+  if (outerTx) {
+    return processCreation(outerTx);
+  }
+
+  return sshCertificateAuthorityDAL.transaction(processCreation);
+};
+
+/**
+ * Convert an actor to a list of principals to be included in an SSH certificate.
+ *
+ * (dangtony98): This function is only supported for user actors at the moment and returns
+ * only the email of the associated user. In the future, we will consider other
+ * actor types and attributes such as group membership slugs and/or metadata to be
+ * included in the list of principals.
+ */
+export const convertActorToPrincipals = async ({ userDAL, actor, actorId }: TConvertActorToPrincipalsDTO) => {
+  if (actor !== ActorType.USER) {
+    throw new BadRequestError({
+      message: "Failed to convert actor to principals due to unsupported actor type"
+    });
+  }
+
+  const user = await userDAL.findById(actorId);
+
+  return [user.username];
+};

backend/src/ee/services/ssh/ssh-certificate-authority-schema.ts

@@ -5,5 +5,6 @@ export const sanitizedSshCa = SshCertificateAuthoritiesSchema.pick({
   projectId: true,
   friendlyName: true,
   status: true,
-  keyAlgorithm: true
+  keyAlgorithm: true,
+  keySource: true
 });

backend/src/ee/services/ssh/ssh-certificate-authority-service.ts

@@ -13,7 +13,7 @@ import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 
 import { SshCertTemplateStatus } from "../ssh-certificate-template/ssh-certificate-template-types";
-import { createSshCert, createSshKeyPair, getSshPublicKey } from "./ssh-certificate-authority-fns";
+import { createSshCaHelper, createSshCert, createSshKeyPair, getSshPublicKey } from "./ssh-certificate-authority-fns";
 import {
   SshCaStatus,
   TCreateSshCaDTO,
@@ -59,7 +59,10 @@ export const sshCertificateAuthorityServiceFactory = ({
   const createSshCa = async ({
     projectId,
     friendlyName,
-    keyAlgorithm,
+    keyAlgorithm: requestedKeyAlgorithm,
+    publicKey: externalPk,
+    privateKey: externalSk,
+    keySource,
     actorId,
     actorAuthMethod,
     actor,
@@ -79,33 +82,16 @@ export const sshCertificateAuthorityServiceFactory = ({
       ProjectPermissionSub.SshCertificateAuthorities
     );
 
-    const newCa = await sshCertificateAuthorityDAL.transaction(async (tx) => {
-      const ca = await sshCertificateAuthorityDAL.create(
-        {
-          projectId,
-          friendlyName,
-          status: SshCaStatus.ACTIVE,
-          keyAlgorithm
-        },
-        tx
-      );
-
-      const { publicKey, privateKey } = await createSshKeyPair(keyAlgorithm);
-
-      const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
-        type: KmsDataKey.SecretManager,
-        projectId
-      });
-
-      await sshCertificateAuthoritySecretDAL.create(
-        {
-          sshCaId: ca.id,
-          encryptedPrivateKey: secretManagerEncryptor({ plainText: Buffer.from(privateKey, "utf8") }).cipherTextBlob
-        },
-        tx
-      );
-
-      return { ...ca, publicKey };
+    const newCa = await createSshCaHelper({
+      projectId,
+      friendlyName,
+      keyAlgorithm: requestedKeyAlgorithm,
+      keySource,
+      externalPk,
+      externalSk,
+      sshCertificateAuthorityDAL,
+      sshCertificateAuthoritySecretDAL,
+      kmsService
     });
 
     return newCa;

backend/src/ee/services/ssh/ssh-certificate-authority-types.ts

@@ -1,12 +1,24 @@
+import { Knex } from "knex";
+
 import { TSshCertificateTemplates } from "@app/db/schemas";
+import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
+import { TSshCertificateAuthoritySecretDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-secret-dal";
+import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
 import { TProjectPermission } from "@app/lib/types";
-import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
+import { ActorType } from "@app/services/auth/auth-type";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { TUserDALFactory } from "@app/services/user/user-dal";
 
 export enum SshCaStatus {
   ACTIVE = "active",
   DISABLED = "disabled"
 }
 
+export enum SshCaKeySource {
+  INTERNAL = "internal",
+  EXTERNAL = "external"
+}
+
 export enum SshCertType {
   USER = "user",
   HOST = "host"
@@ -14,9 +26,25 @@ export enum SshCertType {
 
 export type TCreateSshCaDTO = {
   friendlyName: string;
-  keyAlgorithm: CertKeyAlgorithm;
+  keyAlgorithm: SshCertKeyAlgorithm;
+  publicKey?: string;
+  privateKey?: string;
+  keySource: SshCaKeySource;
 } & TProjectPermission;
 
+export type TCreateSshCaHelperDTO = {
+  projectId: string;
+  friendlyName: string;
+  keyAlgorithm: SshCertKeyAlgorithm;
+  keySource: SshCaKeySource;
+  externalPk?: string;
+  externalSk?: string;
+  sshCertificateAuthorityDAL: Pick<TSshCertificateAuthorityDALFactory, "transaction" | "create">;
+  sshCertificateAuthoritySecretDAL: Pick<TSshCertificateAuthoritySecretDALFactory, "create">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  tx?: Knex;
+};
+
 export type TGetSshCaDTO = {
   caId: string;
 } & Omit<TProjectPermission, "projectId">;
@@ -37,7 +65,7 @@ export type TDeleteSshCaDTO = {
 
 export type TIssueSshCredsDTO = {
   certificateTemplateId: string;
-  keyAlgorithm: CertKeyAlgorithm;
+  keyAlgorithm: SshCertKeyAlgorithm;
   certType: SshCertType;
   principals: string[];
   ttl?: string;
@@ -58,7 +86,7 @@ export type TGetSshCaCertificateTemplatesDTO = {
 } & Omit<TProjectPermission, "projectId">;
 
 export type TCreateSshCertDTO = {
-  template: TSshCertificateTemplates;
+  template?: TSshCertificateTemplates;
   caPrivateKey: string;
   clientPublicKey: string;
   keyId: string;
@@ -66,3 +94,9 @@ export type TCreateSshCertDTO = {
   requestedTtl?: string;
   certType: SshCertType;
 };
+
+export type TConvertActorToPrincipalsDTO = {
+  actor: ActorType;
+  actorId: string;
+  userDAL: Pick<TUserDALFactory, "findById">;
+};

backend/src/keystore/keystore.ts

@@ -77,6 +77,8 @@ export const keyStoreFactory = (redisUrl: string) => {
 
   const incrementBy = async (key: string, value: number) => redis.incrby(key, value);
 
+  const setExpiry = async (key: string, expiryInSeconds: number) => redis.expire(key, expiryInSeconds);
+
   const waitTillReady = async ({
     key,
     waitingCb,
@@ -103,6 +105,7 @@ export const keyStoreFactory = (redisUrl: string) => {
   return {
     setItem,
     getItem,
+    setExpiry,
     setItemWithExpiry,
     deleteItem,
     incrementBy,

backend/src/keystore/memory.ts

@@ -10,6 +10,7 @@ export const inMemoryKeyStore = (): TKeyStoreFactory => {
       store[key] = value;
       return "OK";
     },
+    setExpiry: async () => 0,
     setItemWithExpiry: async (key, value) => {
       store[key] = value;
       return "OK";

backend/src/lib/api-docs/constants.ts

@@ -66,6 +66,17 @@ export const IDENTITIES = {
   },
   LIST: {
     orgId: "The ID of the organization to list identities."
+  },
+  SEARCH: {
+    search: {
+      desc: "The filters to apply to the search.",
+      name: "The name of the identity to filter by.",
+      role: "The organizational role of the identity to filter by."
+    },
+    offset: "The offset to start from. If you enter 10, it will start from the 10th identity.",
+    limit: "The number of identities to return.",
+    orderBy: "The column to order identities by.",
+    orderDirection: "The direction to order identities in."
   }
 } as const;
 
@@ -508,6 +519,9 @@ export const PROJECTS = {
   LIST_SSH_CAS: {
     projectId: "The ID of the project to list SSH CAs for."
   },
+  LIST_SSH_HOSTS: {
+    projectId: "The ID of the project to list SSH hosts for."
+  },
   LIST_SSH_CERTIFICATES: {
     projectId: "The ID of the project to list SSH certificates for.",
     offset: "The offset to start from. If you enter 10, it will start from the 10th SSH certificate.",
@@ -1242,7 +1256,11 @@ export const SSH_CERTIFICATE_AUTHORITIES = {
   CREATE: {
     projectId: "The ID of the project to create the SSH CA in.",
     friendlyName: "A friendly name for the SSH CA.",
-    keyAlgorithm: "The type of public key algorithm and size, in bits, of the key pair for the SSH CA."
+    keyAlgorithm:
+      "The type of public key algorithm and size, in bits, of the key pair for the SSH CA; required if keySource is internal.",
+    publicKey: "The public key for the SSH CA key pair; required if keySource is external.",
+    privateKey: "The private key for the SSH CA key pair; required if keySource is external.",
+    keySource: "The source of the SSH CA key pair. This can be one of internal or external."
   },
   GET: {
     sshCaId: "The ID of the SSH CA to get."
@@ -1316,6 +1334,62 @@ export const SSH_CERTIFICATE_TEMPLATES = {
   }
 };
 
+export const SSH_HOSTS = {
+  GET: {
+    sshHostId: "The ID of the SSH host to get."
+  },
+  CREATE: {
+    projectId: "The ID of the project to create the SSH host in.",
+    hostname: "The hostname of the SSH host.",
+    userCertTtl: "The time to live for user certificates issued under this host.",
+    hostCertTtl: "The time to live for host certificates issued under this host.",
+    loginUser: "A login user on the remote machine (e.g. 'ec2-user', 'deploy', 'admin')",
+    allowedPrincipals: "A list of allowed principals that can log in as the login user.",
+    loginMappings:
+      "A list of login mappings for the SSH host. Each login mapping contains a login user and a list of corresponding allowed principals being usernames of users in the Infisical SSH project.",
+    userSshCaId:
+      "The ID of the SSH CA to use for user certificates. If not specified, the default user SSH CA will be used if it exists.",
+    hostSshCaId:
+      "The ID of the SSH CA to use for host certificates. If not specified, the default host SSH CA will be used if it exists."
+  },
+  UPDATE: {
+    sshHostId: "The ID of the SSH host to update.",
+    hostname: "The hostname of the SSH host to update to.",
+    userCertTtl: "The time to live for user certificates issued under this host to update to.",
+    hostCertTtl: "The time to live for host certificates issued under this host to update to.",
+    loginUser: "A login user on the remote machine (e.g. 'ec2-user', 'deploy', 'admin')",
+    allowedPrincipals: "A list of allowed principals that can log in as the login user.",
+    loginMappings:
+      "A list of login mappings for the SSH host. Each login mapping contains a login user and a list of corresponding allowed principals being usernames of users in the Infisical SSH project."
+  },
+  DELETE: {
+    sshHostId: "The ID of the SSH host to delete."
+  },
+  ISSUE_SSH_CREDENTIALS: {
+    sshHostId: "The ID of the SSH host to issue the SSH credentials for.",
+    loginUser: "The login user to issue the SSH credentials for.",
+    keyAlgorithm: "The type of public key algorithm and size, in bits, of the key pair for the SSH host.",
+    serialNumber: "The serial number of the issued SSH certificate.",
+    signedKey: "The SSH certificate or signed SSH public key.",
+    privateKey: "The private key corresponding to the issued SSH certificate.",
+    publicKey: "The public key of the issued SSH certificate."
+  },
+  ISSUE_HOST_CERT: {
+    sshHostId: "The ID of the SSH host to issue the SSH certificate for.",
+    publicKey: "The SSH public key to issue the SSH certificate for.",
+    serialNumber: "The serial number of the issued SSH certificate.",
+    signedKey: "The SSH certificate or signed SSH public key."
+  },
+  GET_USER_CA_PUBLIC_KEY: {
+    sshHostId: "The ID of the SSH host to get the user SSH CA public key for.",
+    publicKey: "The public key of the user SSH CA linked to the SSH host."
+  },
+  GET_HOST_CA_PUBLIC_KEY: {
+    sshHostId: "The ID of the SSH host to get the host SSH CA public key for.",
+    publicKey: "The public key of the host SSH CA linked to the SSH host."
+  }
+};
+
 export const CERTIFICATE_AUTHORITIES = {
   CREATE: {
     projectSlug: "Slug of the project to create the CA in.",
@@ -1598,7 +1672,8 @@ export const KMS = {
     projectId: "The ID of the project to create the key in.",
     name: "The name of the key to be created. Must be slug-friendly.",
     description: "An optional description of the key.",
-    encryptionAlgorithm: "The algorithm to use when performing cryptographic operations with the key."
+    encryptionAlgorithm: "The algorithm to use when performing cryptographic operations with the key.",
+    type: "The type of key to be created, either encrypt-decrypt or sign-verify, based on your intended use for the key."
   },
   UPDATE_KEY: {
     keyId: "The ID of the key to be updated.",
@@ -1631,6 +1706,28 @@ export const KMS = {
   DECRYPT: {
     keyId: "The ID of the key to decrypt the data with.",
     ciphertext: "The ciphertext to be decrypted (base64 encoded)."
+  },
+
+  LIST_SIGNING_ALGORITHMS: {
+    keyId: "The ID of the key to list the signing algorithms for. The key must be for signing and verifying."
+  },
+
+  GET_PUBLIC_KEY: {
+    keyId: "The ID of the key to get the public key for. The key must be for signing and verifying."
+  },
+
+  SIGN: {
+    keyId: "The ID of the key to sign the data with.",
+    data: "The data in string format to be signed (base64 encoded).",
+    isDigest:
+      "Whether the data is already digested or not. Please be aware that if you are passing a digest the algorithm used to create the digest must match the signing algorithm used to sign the digest.",
+    signingAlgorithm: "The algorithm to use when performing cryptographic operations with the key."
+  },
+  VERIFY: {
+    keyId: "The ID of the key to verify the data with.",
+    data: "The data in string format to be verified (base64 encoded). For data larger than 4096 bytes you must first create a digest of the data and then pass the digest in the data parameter.",
+    signature: "The signature to be verified (base64 encoded).",
+    isDigest: "Whether the data is already digested or not."
   }
 };
 
@@ -1694,6 +1791,16 @@ export const AppConnections = {
       sslEnabled: "Whether or not to use SSL when connecting to the database.",
       sslRejectUnauthorized: "Whether or not to reject unauthorized SSL certificates.",
       sslCertificate: "The SSL certificate to use for connection."
+    },
+    TERRAFORM_CLOUD: {
+      apiToken: "The API token to use to connect with Terraform Cloud."
+    },
+    VERCEL: {
+      apiToken: "The API token used to authenticate with Vercel."
+    },
+    CAMUNDA: {
+      clientId: "The client ID used to authenticate with Camunda.",
+      clientSecret: "The client secret used to authenticate with Camunda."
     }
   }
 };
@@ -1804,11 +1911,31 @@ export const SecretSyncs = {
     DATABRICKS: {
       scope: "The Databricks secret scope that secrets should be synced to."
     },
+    CAMUNDA: {
+      scope: "The Camunda scope that secrets should be synced to.",
+      clusterUUID: "The UUID of the Camunda cluster that secrets should be synced to."
+    },
     HUMANITEC: {
       app: "The ID of the Humanitec app to sync secrets to.",
       org: "The ID of the Humanitec org to sync secrets to.",
       env: "The ID of the Humanitec environment to sync secrets to.",
       scope: "The Humanitec scope that secrets should be synced to."
+    },
+    TERRAFORM_CLOUD: {
+      org: "The ID of the Terraform Cloud org to sync secrets to.",
+      variableSetName: "The name of the Terraform Cloud Variable Set to sync secrets to.",
+      variableSetId: "The ID of the Terraform Cloud Variable Set to sync secrets to.",
+      workspaceName: "The name of the Terraform Cloud workspace to sync secrets to.",
+      workspaceId: "The ID of the Terraform Cloud workspace to sync secrets to.",
+      scope: "The Terraform Cloud scope that secrets should be synced to.",
+      category: "The Terraform Cloud category that secrets should be synced to."
+    },
+    VERCEL: {
+      app: "The ID of the Vercel app to sync secrets to.",
+      appName: "The name of the Vercel app to sync secrets to.",
+      env: "The ID of the Vercel environment to sync secrets to.",
+      branch: "The branch to sync preview secrets to.",
+      teamId: "The ID of the Vercel team to sync secrets to."
     }
   }
 };

backend/src/lib/casl/index.ts

@@ -24,5 +24,6 @@ export enum PermissionConditionOperators {
   $IN = "$in",
   $EQ = "$eq",
   $NEQ = "$ne",
-  $GLOB = "$glob"
+  $GLOB = "$glob",
+  $ELEMENTMATCH = "$elemMatch"
 }

backend/src/lib/config/env.ts

@@ -197,6 +197,7 @@ const envSchema = z
     /* ----------------------------------------------------------------------------- */
 
     /* App Connections ----------------------------------------------------------------------------- */
+    ALLOW_INTERNAL_IP_CONNECTIONS: zodStrBool.default("false"),
 
     // aws
     INF_APP_CONNECTION_AWS_ACCESS_KEY_ID: zpStr(z.string().optional()),

backend/src/lib/crypto/cache.ts

@@ -0,0 +1,10 @@
+import crypto from "node:crypto";
+
+export const generateCacheKeyFromData = (data: unknown) =>
+  crypto
+    .createHash("md5")
+    .update(JSON.stringify(data))
+    .digest("base64")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=/g, "");

backend/src/lib/crypto/cipher/cipher.ts

@@ -1,6 +1,6 @@
 import crypto from "crypto";
 
-import { SymmetricEncryption, TSymmetricEncryptionFns } from "./types";
+import { SymmetricKeyAlgorithm, TSymmetricEncryptionFns } from "./types";
 
 const getIvLength = () => {
   return 12;
@@ -10,7 +10,9 @@ const getTagLength = () => {
   return 16;
 };
 
-export const symmetricCipherService = (type: SymmetricEncryption): TSymmetricEncryptionFns => {
+export const symmetricCipherService = (
+  type: SymmetricKeyAlgorithm.AES_GCM_128 | SymmetricKeyAlgorithm.AES_GCM_256
+): TSymmetricEncryptionFns => {
   const IV_LENGTH = getIvLength();
   const TAG_LENGTH = getTagLength();
 

backend/src/lib/crypto/cipher/index.ts

@@ -1,2 +1,2 @@
 export { symmetricCipherService } from "./cipher";
-export { SymmetricEncryption } from "./types";
+export { AllowedEncryptionKeyAlgorithms, SymmetricKeyAlgorithm } from "./types";

backend/src/lib/crypto/cipher/types.ts

@@ -1,7 +1,18 @@
-export enum SymmetricEncryption {
+import { z } from "zod";
+
+import { AsymmetricKeyAlgorithm } from "../sign/types";
+
+// Supported symmetric encrypt/decrypt algorithms
+export enum SymmetricKeyAlgorithm {
   AES_GCM_256 = "aes-256-gcm",
   AES_GCM_128 = "aes-128-gcm"
 }
+export const SymmetricKeyAlgorithmEnum = z.enum(Object.values(SymmetricKeyAlgorithm) as [string, ...string[]]).options;
+
+export const AllowedEncryptionKeyAlgorithms = z.enum([
+  ...Object.values(SymmetricKeyAlgorithm),
+  ...Object.values(AsymmetricKeyAlgorithm)
+] as [string, ...string[]]).options;
 
 export type TSymmetricEncryptionFns = {
   encrypt: (text: Buffer, key: Buffer) => Buffer;

backend/src/lib/crypto/sign/index.ts

@@ -0,0 +1,2 @@
+export { signingService } from "./signing";
+export { AsymmetricKeyAlgorithm, SigningAlgorithm } from "./types";

backend/src/lib/crypto/sign/signing.ts

@@ -0,0 +1,564 @@
+import { execFile } from "child_process";
+import crypto from "crypto";
+import fs from "fs/promises";
+import path from "path";
+import { promisify } from "util";
+
+import { BadRequestError } from "@app/lib/errors";
+import { cleanTemporaryDirectory, createTemporaryDirectory, writeToTemporaryFile } from "@app/lib/files";
+import { logger } from "@app/lib/logger";
+
+import { AsymmetricKeyAlgorithm, SigningAlgorithm, TAsymmetricSignVerifyFns } from "./types";
+
+const execFileAsync = promisify(execFile);
+
+interface SigningParams {
+  hashAlgorithm: SupportedHashAlgorithm;
+  padding?: number;
+  saltLength?: number;
+}
+
+enum SupportedHashAlgorithm {
+  SHA256 = "sha256",
+  SHA384 = "sha384",
+  SHA512 = "sha512"
+}
+
+const COMMAND_TIMEOUT = 15_000;
+
+const SHA256_DIGEST_LENGTH = 32;
+const SHA384_DIGEST_LENGTH = 48;
+const SHA512_DIGEST_LENGTH = 64;
+
+/**
+ * Service for cryptographic signing and verification operations using asymmetric keys
+ *
+ * @param algorithm The key algorithm itself. The signing algorithm is supplied in the individual sign/verify functions.
+ * @returns Object with sign and verify functions
+ */
+export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSignVerifyFns => {
+  const $getSigningParams = (signingAlgorithm: SigningAlgorithm): SigningParams => {
+    switch (signingAlgorithm) {
+      // RSA PSS
+      case SigningAlgorithm.RSASSA_PSS_SHA_512:
+        return {
+          hashAlgorithm: SupportedHashAlgorithm.SHA512,
+          padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: SHA512_DIGEST_LENGTH
+        };
+      case SigningAlgorithm.RSASSA_PSS_SHA_256:
+        return {
+          hashAlgorithm: SupportedHashAlgorithm.SHA256,
+          padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: SHA256_DIGEST_LENGTH
+        };
+      case SigningAlgorithm.RSASSA_PSS_SHA_384:
+        return {
+          hashAlgorithm: SupportedHashAlgorithm.SHA384,
+          padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: SHA384_DIGEST_LENGTH
+        };
+
+      // RSA PKCS#1 v1.5
+      case SigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_512:
+        return {
+          hashAlgorithm: SupportedHashAlgorithm.SHA512,
+          padding: crypto.constants.RSA_PKCS1_PADDING
+        };
+      case SigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_384:
+        return {
+          hashAlgorithm: SupportedHashAlgorithm.SHA384,
+          padding: crypto.constants.RSA_PKCS1_PADDING
+        };
+      case SigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_256:
+        return {
+          hashAlgorithm: SupportedHashAlgorithm.SHA256,
+          padding: crypto.constants.RSA_PKCS1_PADDING
+        };
+
+      // ECDSA
+      case SigningAlgorithm.ECDSA_SHA_256:
+        return { hashAlgorithm: SupportedHashAlgorithm.SHA256 };
+      case SigningAlgorithm.ECDSA_SHA_384:
+        return { hashAlgorithm: SupportedHashAlgorithm.SHA384 };
+      case SigningAlgorithm.ECDSA_SHA_512:
+        return { hashAlgorithm: SupportedHashAlgorithm.SHA512 };
+
+      default:
+        throw new Error(`Unsupported signing algorithm: ${signingAlgorithm as string}`);
+    }
+  };
+
+  const $getEcCurveName = (keyAlgorithm: AsymmetricKeyAlgorithm): { full: string; short: string } => {
+    // We will support more in the future
+    switch (keyAlgorithm) {
+      case AsymmetricKeyAlgorithm.ECC_NIST_P256:
+        return {
+          full: "prime256v1",
+          short: "p256"
+        };
+      default:
+        throw new Error(`Unsupported EC curve: ${keyAlgorithm}`);
+    }
+  };
+
+  const $validateAlgorithmWithKeyType = (signingAlgorithm: SigningAlgorithm) => {
+    const isRsaKey = algorithm.startsWith("RSA");
+    const isEccKey = algorithm.startsWith("ECC");
+
+    const isRsaAlgorithm = signingAlgorithm.startsWith("RSASSA");
+    const isEccAlgorithm = signingAlgorithm.startsWith("ECDSA");
+
+    if (isRsaKey && !isRsaAlgorithm) {
+      throw new BadRequestError({ message: `KMS RSA key cannot be used with ${signingAlgorithm}` });
+    }
+
+    if (isEccKey && !isEccAlgorithm) {
+      throw new BadRequestError({ message: `KMS ECC key cannot be used with ${signingAlgorithm}` });
+    }
+  };
+
+  const $signRsaDigest = async (
+    digest: Buffer,
+    privateKey: Buffer,
+    hashAlgorithm: SupportedHashAlgorithm,
+    signingAlgorithm: SigningAlgorithm
+  ) => {
+    const tempDir = await createTemporaryDirectory("kms-rsa-sign");
+    const digestPath = path.join(tempDir, "digest.bin");
+    const sigPath = path.join(tempDir, "signature.bin");
+    const keyPath = path.join(tempDir, "key.pem");
+
+    try {
+      await writeToTemporaryFile(digestPath, digest);
+      await writeToTemporaryFile(keyPath, privateKey);
+
+      const { stderr } = await execFileAsync(
+        "openssl",
+        [
+          "pkeyutl",
+          "-sign",
+          "-in",
+          digestPath,
+          "-inkey",
+          keyPath,
+          "-pkeyopt",
+          `digest:${hashAlgorithm}`,
+          "-out",
+          sigPath
+        ],
+        {
+          maxBuffer: 10 * 1024 * 1024,
+          timeout: COMMAND_TIMEOUT
+        }
+      );
+
+      if (stderr) {
+        logger.error(stderr, "KMS: Failed to sign RSA digest");
+        throw new BadRequestError({
+          message: "Failed to sign RSA digest due to signing error"
+        });
+      }
+      const signature = await fs.readFile(sigPath);
+
+      if (!signature) {
+        throw new BadRequestError({
+          message:
+            "No signature was created. Make sure you are using an appropriate signing algorithm that uses the same hashing algorithm as the one used to create the digest."
+        });
+      }
+
+      return signature;
+    } catch (err) {
+      logger.error(err, "KMS: Failed to sign RSA digest");
+      throw new BadRequestError({
+        message: `Failed to sign RSA digest with ${signingAlgorithm} due to signing error. Ensure that your digest is hashed with ${hashAlgorithm.toUpperCase()}.`
+      });
+    } finally {
+      await cleanTemporaryDirectory(tempDir);
+    }
+  };
+
+  const $signEccDigest = async (
+    digest: Buffer,
+    privateKey: Buffer,
+    hashAlgorithm: SupportedHashAlgorithm,
+    signingAlgorithm: SigningAlgorithm
+  ) => {
+    const tempDir = await createTemporaryDirectory("ecc-sign");
+    const digestPath = path.join(tempDir, "digest.bin");
+    const keyPath = path.join(tempDir, "key.pem");
+    const sigPath = path.join(tempDir, "signature.bin");
+
+    try {
+      await writeToTemporaryFile(digestPath, digest);
+      await writeToTemporaryFile(keyPath, privateKey);
+
+      const { stderr } = await execFileAsync(
+        "openssl",
+        [
+          "pkeyutl",
+          "-sign",
+          "-in",
+          digestPath,
+          "-inkey",
+          keyPath,
+          "-pkeyopt",
+          `digest:${hashAlgorithm}`,
+          "-out",
+          sigPath
+        ],
+        {
+          maxBuffer: 10 * 1024 * 1024,
+          timeout: COMMAND_TIMEOUT
+        }
+      );
+
+      if (stderr) {
+        logger.error(stderr, "KMS: Failed to sign ECC digest");
+        throw new BadRequestError({
+          message: "Failed to sign ECC digest due to signing error"
+        });
+      }
+
+      const signature = await fs.readFile(sigPath);
+
+      if (!signature) {
+        throw new BadRequestError({
+          message:
+            "No signature was created. Make sure you are using an appropriate signing algorithm that uses the same hashing algorithm as the one used to create the digest."
+        });
+      }
+
+      return signature;
+    } catch (err) {
+      logger.error(err, "KMS: Failed to sign ECC digest");
+      throw new BadRequestError({
+        message: `Failed to sign ECC digest with ${signingAlgorithm} due to signing error. Ensure that your digest is hashed with ${hashAlgorithm.toUpperCase()}.`
+      });
+    } finally {
+      await cleanTemporaryDirectory(tempDir);
+    }
+  };
+
+  const $verifyEccDigest = async (
+    digest: Buffer,
+    signature: Buffer,
+    publicKey: Buffer,
+    hashAlgorithm: SupportedHashAlgorithm
+  ) => {
+    const tempDir = await createTemporaryDirectory("ecc-signature-verification");
+    const publicKeyFile = path.join(tempDir, "public-key.pem");
+    const sigFile = path.join(tempDir, "signature.sig");
+    const digestFile = path.join(tempDir, "digest.bin");
+
+    try {
+      await writeToTemporaryFile(publicKeyFile, publicKey);
+      await writeToTemporaryFile(sigFile, signature);
+      await writeToTemporaryFile(digestFile, digest);
+
+      await execFileAsync(
+        "openssl",
+        [
+          "pkeyutl",
+          "-verify",
+          "-in",
+          digestFile,
+          "-inkey",
+          publicKeyFile,
+          "-pubin", // Important for EC public keys
+          "-sigfile",
+          sigFile,
+          "-pkeyopt",
+          `digest:${hashAlgorithm}`
+        ],
+        { timeout: COMMAND_TIMEOUT }
+      );
+
+      return true;
+    } catch (error) {
+      const err = error as { stderr: string };
+
+      if (
+        !err?.stderr?.toLowerCase()?.includes("signature verification failure") &&
+        !err?.stderr?.toLowerCase()?.includes("bad signature")
+      ) {
+        logger.error(error, "KMS: Failed to verify ECC signature");
+      }
+      return false;
+    } finally {
+      await cleanTemporaryDirectory(tempDir);
+    }
+  };
+
+  const $verifyRsaDigest = async (
+    digest: Buffer,
+    signature: Buffer,
+    publicKey: Buffer,
+    hashAlgorithm: SupportedHashAlgorithm
+  ) => {
+    const tempDir = await createTemporaryDirectory("kms-signature-verification");
+    const publicKeyFile = path.join(tempDir, "public-key.pub");
+    const signatureFile = path.join(tempDir, "signature.sig");
+    const digestFile = path.join(tempDir, "digest.bin");
+
+    try {
+      await writeToTemporaryFile(publicKeyFile, publicKey);
+      await writeToTemporaryFile(signatureFile, signature);
+      await writeToTemporaryFile(digestFile, digest);
+
+      await execFileAsync(
+        "openssl",
+        [
+          "pkeyutl",
+          "-verify",
+          "-in",
+          digestFile,
+          "-inkey",
+          publicKeyFile,
+          "-pubin",
+          "-sigfile",
+          signatureFile,
+          "-pkeyopt",
+          `digest:${hashAlgorithm}`
+        ],
+        { timeout: COMMAND_TIMEOUT }
+      );
+
+      // it'll throw if the verification was not successful
+      return true;
+    } catch (error) {
+      const err = error as { stdout: string };
+
+      if (!err?.stdout?.toLowerCase()?.includes("signature verification failure")) {
+        logger.error(error, "KMS: Failed to verify signature");
+      }
+      return false;
+    } finally {
+      await cleanTemporaryDirectory(tempDir);
+    }
+  };
+
+  const verifyDigestFunctionsMap: Record<
+    AsymmetricKeyAlgorithm,
+    (data: Buffer, signature: Buffer, publicKey: Buffer, hashAlgorithm: SupportedHashAlgorithm) => Promise<boolean>
+  > = {
+    [AsymmetricKeyAlgorithm.ECC_NIST_P256]: $verifyEccDigest,
+    [AsymmetricKeyAlgorithm.RSA_4096]: $verifyRsaDigest
+  };
+
+  const signDigestFunctionsMap: Record<
+    AsymmetricKeyAlgorithm,
+    (
+      data: Buffer,
+      privateKey: Buffer,
+      hashAlgorithm: SupportedHashAlgorithm,
+      signingAlgorithm: SigningAlgorithm
+    ) => Promise<Buffer>
+  > = {
+    [AsymmetricKeyAlgorithm.ECC_NIST_P256]: $signEccDigest,
+    [AsymmetricKeyAlgorithm.RSA_4096]: $signRsaDigest
+  };
+
+  const sign = async (
+    data: Buffer,
+    privateKey: Buffer,
+    signingAlgorithm: SigningAlgorithm,
+    isDigest: boolean
+  ): Promise<Buffer> => {
+    $validateAlgorithmWithKeyType(signingAlgorithm);
+
+    const { hashAlgorithm, padding, saltLength } = $getSigningParams(signingAlgorithm);
+
+    if (isDigest) {
+      if (signingAlgorithm.startsWith("RSASSA_PSS")) {
+        throw new BadRequestError({
+          message: "RSA PSS does not support digested input"
+        });
+      }
+
+      const signFunction = signDigestFunctionsMap[algorithm];
+
+      if (!signFunction) {
+        throw new BadRequestError({
+          message: `Digested input is not supported for key algorithm ${algorithm}`
+        });
+      }
+
+      const signature = await signFunction(data, privateKey, hashAlgorithm, signingAlgorithm);
+      return signature;
+    }
+
+    const privateKeyObject = crypto.createPrivateKey({
+      key: privateKey,
+      format: "pem",
+      type: "pkcs8"
+    });
+
+    // For RSA signatures
+    if (signingAlgorithm.startsWith("RSA")) {
+      const signer = crypto.createSign(hashAlgorithm);
+      signer.update(data);
+
+      return signer.sign({
+        key: privateKeyObject,
+        padding,
+        ...(signingAlgorithm.includes("PSS") ? { saltLength } : {})
+      });
+    }
+    if (signingAlgorithm.startsWith("ECDSA")) {
+      // For ECDSA signatures
+      const signer = crypto.createSign(hashAlgorithm);
+      signer.update(data);
+      return signer.sign({
+        key: privateKeyObject,
+        dsaEncoding: "der"
+      });
+    }
+    throw new BadRequestError({
+      message: `Signing algorithm ${signingAlgorithm} not implemented`
+    });
+  };
+
+  const verify = async (
+    data: Buffer,
+    signature: Buffer,
+    publicKey: Buffer,
+    signingAlgorithm: SigningAlgorithm,
+    isDigest: boolean
+  ): Promise<boolean> => {
+    try {
+      $validateAlgorithmWithKeyType(signingAlgorithm);
+
+      const { hashAlgorithm, padding, saltLength } = $getSigningParams(signingAlgorithm);
+
+      if (isDigest) {
+        if (signingAlgorithm.startsWith("RSASSA_PSS")) {
+          throw new BadRequestError({
+            message: "RSA PSS does not support digested input"
+          });
+        }
+
+        const verifyFunction = verifyDigestFunctionsMap[algorithm];
+
+        if (!verifyFunction) {
+          throw new BadRequestError({
+            message: `Digested input is not supported for key algorithm ${algorithm}`
+          });
+        }
+
+        const signatureValid = await verifyFunction(data, signature, publicKey, hashAlgorithm);
+
+        return signatureValid;
+      }
+
+      const publicKeyObject = crypto.createPublicKey({
+        key: publicKey,
+        format: "der",
+        type: "spki"
+      });
+
+      // For RSA signatures
+      if (signingAlgorithm.startsWith("RSA")) {
+        const verifier = crypto.createVerify(hashAlgorithm);
+        verifier.update(data);
+
+        return verifier.verify(
+          {
+            key: publicKeyObject,
+            padding,
+            ...(signingAlgorithm.includes("PSS") ? { saltLength } : {})
+          },
+          signature
+        );
+      }
+      // For ECDSA signatures
+      if (signingAlgorithm.startsWith("ECDSA")) {
+        const verifier = crypto.createVerify(hashAlgorithm);
+        verifier.update(data);
+        return verifier.verify(
+          {
+            key: publicKeyObject,
+            dsaEncoding: "der"
+          },
+          signature
+        );
+      }
+      throw new BadRequestError({
+        message: `Verification for algorithm ${signingAlgorithm} not implemented`
+      });
+    } catch (error) {
+      if (error instanceof BadRequestError) {
+        throw error;
+      }
+      logger.error(error, "KMS: Failed to verify signature");
+      return false;
+    }
+  };
+
+  const generateAsymmetricPrivateKey = async () => {
+    const { privateKey } = await new Promise<{ privateKey: string }>((resolve, reject) => {
+      if (algorithm.startsWith("RSA")) {
+        crypto.generateKeyPair(
+          "rsa",
+          {
+            modulusLength: Number(algorithm.split("_")[1]),
+            publicKeyEncoding: { type: "spki", format: "pem" },
+            privateKeyEncoding: { type: "pkcs8", format: "pem" }
+          },
+          (err, _, pk) => {
+            if (err) {
+              reject(err);
+            } else {
+              resolve({ privateKey: pk });
+            }
+          }
+        );
+      } else {
+        const { full: namedCurve } = $getEcCurveName(algorithm);
+
+        crypto.generateKeyPair(
+          "ec",
+          {
+            namedCurve,
+            publicKeyEncoding: { type: "spki", format: "pem" },
+            privateKeyEncoding: { type: "pkcs8", format: "pem" }
+          },
+          (err, _, pk) => {
+            if (err) {
+              reject(err);
+            } else {
+              resolve({
+                privateKey: pk
+              });
+            }
+          }
+        );
+      }
+    });
+
+    return Buffer.from(privateKey);
+  };
+
+  const getPublicKeyFromPrivateKey = (privateKey: Buffer) => {
+    const privateKeyObj = crypto.createPrivateKey({
+      key: privateKey,
+      format: "pem",
+      type: "pkcs8"
+    });
+
+    const publicKey = crypto.createPublicKey(privateKeyObj).export({
+      type: "spki",
+      format: "der"
+    });
+
+    return publicKey;
+  };
+
+  return {
+    sign,
+    verify,
+    generateAsymmetricPrivateKey,
+    getPublicKeyFromPrivateKey
+  };
+};

backend/src/lib/crypto/sign/types.ts

@@ -0,0 +1,45 @@
+import { z } from "zod";
+
+export type TAsymmetricSignVerifyFns = {
+  sign: (data: Buffer, key: Buffer, signingAlgorithm: SigningAlgorithm, isDigest: boolean) => Promise<Buffer>;
+  verify: (
+    data: Buffer,
+    signature: Buffer,
+    key: Buffer,
+    signingAlgorithm: SigningAlgorithm,
+    isDigest: boolean
+  ) => Promise<boolean>;
+  generateAsymmetricPrivateKey: () => Promise<Buffer>;
+  getPublicKeyFromPrivateKey: (privateKey: Buffer) => Buffer;
+};
+
+// Supported asymmetric key types
+export enum AsymmetricKeyAlgorithm {
+  RSA_4096 = "RSA_4096",
+  ECC_NIST_P256 = "ECC_NIST_P256"
+}
+
+export const AsymmetricKeyAlgorithmEnum = z.enum(
+  Object.values(AsymmetricKeyAlgorithm) as [string, ...string[]]
+).options;
+
+export enum SigningAlgorithm {
+  // RSA PSS algorithms
+  // These are NOT deterministic and include randomness.
+  // This means that the output signature is different each time for the same input.
+  RSASSA_PSS_SHA_512 = "RSASSA_PSS_SHA_512",
+  RSASSA_PSS_SHA_384 = "RSASSA_PSS_SHA_384",
+  RSASSA_PSS_SHA_256 = "RSASSA_PSS_SHA_256",
+
+  // RSA PKCS#1 v1.5 algorithms
+  // These are deterministic and the output is the same each time for the same input.
+  RSASSA_PKCS1_V1_5_SHA_512 = "RSASSA_PKCS1_V1_5_SHA_512",
+  RSASSA_PKCS1_V1_5_SHA_384 = "RSASSA_PKCS1_V1_5_SHA_384",
+  RSASSA_PKCS1_V1_5_SHA_256 = "RSASSA_PKCS1_V1_5_SHA_256",
+
+  // ECDSA algorithms
+  // None of these are deterministic and include randomness like RSA PSS.
+  ECDSA_SHA_512 = "ECDSA_SHA_512",
+  ECDSA_SHA_384 = "ECDSA_SHA_384",
+  ECDSA_SHA_256 = "ECDSA_SHA_256"
+}

backend/src/lib/files/files.ts

@@ -0,0 +1,35 @@
+import crypto from "crypto";
+import fs from "fs/promises";
+import os from "os";
+import path from "path";
+
+import { logger } from "@app/lib/logger";
+
+const baseDir = path.join(os.tmpdir(), "infisical");
+const randomPath = () => `${crypto.randomBytes(32).toString("hex")}`;
+
+export const createTemporaryDirectory = async (name: string) => {
+  const tempDirPath = path.join(baseDir, `${name}-${randomPath()}`);
+  await fs.mkdir(tempDirPath, { recursive: true });
+
+  return tempDirPath;
+};
+
+export const removeTemporaryBaseDirectory = async () => {
+  await fs.rm(baseDir, { force: true, recursive: true }).catch((err) => {
+    logger.error(err, `Failed to remove temporary base directory [path=${baseDir}]`);
+  });
+};
+
+export const cleanTemporaryDirectory = async (dirPath: string) => {
+  await fs.rm(dirPath, { recursive: true, force: true }).catch((err) => {
+    logger.error(err, `Failed to cleanup temporary directory [path=${dirPath}]`);
+  });
+};
+
+export const writeToTemporaryFile = async (tempDirPath: string, data: string | Buffer) => {
+  await fs.writeFile(tempDirPath, data, { mode: 0o600 }).catch((err) => {
+    logger.error(err, `Failed to write to temporary file [path=${tempDirPath}]`);
+    throw err;
+  });
+};

backend/src/lib/files/index.ts

@@ -0,0 +1 @@
+export * from "./files";

backend/src/lib/search-resource/db.ts

@@ -0,0 +1,141 @@
+import { Knex } from "knex";
+
+import { SearchResourceOperators, TSearchResourceOperator } from "./search";
+
+const buildKnexQuery = (
+  query: Knex.QueryBuilder,
+  // when it's multiple table field means it's field1 or field2
+  fields: string | string[],
+  operator: SearchResourceOperators,
+  value: unknown
+) => {
+  switch (operator) {
+    case SearchResourceOperators.$eq: {
+      if (typeof value !== "string" && typeof value !== "number")
+        throw new Error("Invalid value type for $eq operator");
+
+      if (typeof fields === "string") {
+        return void query.where(fields, "=", value);
+      }
+
+      return void query.where((qb) => {
+        return fields.forEach((el, index) => {
+          if (index === 0) {
+            return void qb.where(el, "=", value);
+          }
+          return void qb.orWhere(el, "=", value);
+        });
+      });
+    }
+
+    case SearchResourceOperators.$neq: {
+      if (typeof value !== "string" && typeof value !== "number")
+        throw new Error("Invalid value type for $neq operator");
+
+      if (typeof fields === "string") {
+        return void query.where(fields, "<>", value);
+      }
+
+      return void query.where((qb) => {
+        return fields.forEach((el, index) => {
+          if (index === 0) {
+            return void qb.where(el, "<>", value);
+          }
+          return void qb.orWhere(el, "<>", value);
+        });
+      });
+    }
+    case SearchResourceOperators.$in: {
+      if (!Array.isArray(value)) throw new Error("Invalid value type for $in operator");
+
+      if (typeof fields === "string") {
+        return void query.whereIn(fields, value);
+      }
+
+      return void query.where((qb) => {
+        return fields.forEach((el, index) => {
+          if (index === 0) {
+            return void qb.whereIn(el, value);
+          }
+          return void qb.orWhereIn(el, value);
+        });
+      });
+    }
+    case SearchResourceOperators.$contains: {
+      if (typeof value !== "string") throw new Error("Invalid value type for $contains operator");
+
+      if (typeof fields === "string") {
+        return void query.whereILike(fields, `%${value}%`);
+      }
+
+      return void query.where((qb) => {
+        return fields.forEach((el, index) => {
+          if (index === 0) {
+            return void qb.whereILike(el, `%${value}%`);
+          }
+          return void qb.orWhereILike(el, `%${value}%`);
+        });
+      });
+    }
+    default:
+      throw new Error(`Unsupported operator: ${String(operator)}`);
+  }
+};
+
+export const buildKnexFilterForSearchResource = <T extends { [K: string]: TSearchResourceOperator }, K extends keyof T>(
+  rootQuery: Knex.QueryBuilder,
+  searchFilter: T & { $or?: T[] },
+  getAttributeField: (attr: K) => string | string[] | null
+) => {
+  const { $or: orFilters = [] } = searchFilter;
+  (Object.keys(searchFilter) as K[]).forEach((key) => {
+    // akhilmhdh: yes, we could have split in top. This is done to satisfy ts type error
+    if (key === "$or") return;
+
+    const dbField = getAttributeField(key);
+    if (!dbField) throw new Error(`DB field not found for ${String(key)}`);
+
+    const dbValue = searchFilter[key];
+    if (typeof dbValue === "string" || typeof dbValue === "number") {
+      buildKnexQuery(rootQuery, dbField, SearchResourceOperators.$eq, dbValue);
+      return;
+    }
+
+    Object.keys(dbValue as Record<string, unknown>).forEach((el) => {
+      buildKnexQuery(
+        rootQuery,
+        dbField,
+        el as SearchResourceOperators,
+        (dbValue as Record<SearchResourceOperators, unknown>)[el as SearchResourceOperators]
+      );
+    });
+  });
+
+  if (orFilters.length) {
+    void rootQuery.andWhere((andQb) => {
+      return orFilters.forEach((orFilter) => {
+        return void andQb.orWhere((qb) => {
+          (Object.keys(orFilter) as K[]).forEach((key) => {
+            const dbField = getAttributeField(key);
+            if (!dbField) throw new Error(`DB field not found for ${String(key)}`);
+
+            const dbValue = orFilter[key];
+            if (typeof dbValue === "string" || typeof dbValue === "number") {
+              buildKnexQuery(qb, dbField, SearchResourceOperators.$eq, dbValue);
+              return;
+            }
+
+            Object.keys(dbValue as Record<string, unknown>).forEach((el) => {
+              buildKnexQuery(
+                qb,
+                dbField,
+                el as SearchResourceOperators,
+                (dbValue as Record<SearchResourceOperators, unknown>)[el as SearchResourceOperators]
+              );
+            });
+          });
+        });
+      });
+    });
+  }
+};

backend/src/lib/search-resource/search.ts

@@ -0,0 +1,43 @@
+import { z } from "zod";
+
+export enum SearchResourceOperators {
+  $eq = "$eq",
+  $neq = "$neq",
+  $in = "$in",
+  $contains = "$contains"
+}
+
+export const SearchResourceOperatorSchema = z.union([
+  z.string(),
+  z.number(),
+  z
+    .object({
+      [SearchResourceOperators.$eq]: z.string().optional(),
+      [SearchResourceOperators.$neq]: z.string().optional(),
+      [SearchResourceOperators.$in]: z.string().array().optional(),
+      [SearchResourceOperators.$contains]: z.string().array().optional()
+    })
+    .partial()
+]);
+
+export type TSearchResourceOperator = z.infer<typeof SearchResourceOperatorSchema>;
+
+export type TSearchResource = {
+  [k: string]: z.ZodOptional<
+    z.ZodUnion<
+      [
+        z.ZodEffects<z.ZodString | z.ZodNumber>,
+        z.ZodObject<{
+          [SearchResourceOperators.$eq]?: z.ZodOptional<z.ZodEffects<z.ZodString | z.ZodNumber>>;
+          [SearchResourceOperators.$neq]?: z.ZodOptional<z.ZodEffects<z.ZodString | z.ZodNumber>>;
+          [SearchResourceOperators.$in]?: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString | z.ZodNumber>>>;
+          [SearchResourceOperators.$contains]?: z.ZodOptional<z.ZodEffects<z.ZodString>>;
+        }>
+      ]
+    >
+  >;
+};
+
+export const buildSearchZodSchema = <T extends TSearchResource>(schema: z.ZodObject<T>) => {
+  return schema.extend({ $or: schema.array().max(5).optional() }).optional();
+};

backend/src/lib/types/index.ts

@@ -41,6 +41,18 @@ export type RequiredKeys<T> = {
   [K in keyof T]-?: undefined extends T[K] ? never : K;
 }[keyof T];
 
+export type BufferKeysToString<T> = {
+  [K in keyof T]: T[K] extends Buffer
+    ? string
+    : T[K] extends Buffer | null
+      ? string | null
+      : T[K] extends Buffer | undefined
+        ? string | undefined
+        : T[K] extends Buffer | null | undefined
+          ? string | null | undefined
+          : T[K];
+};
+
 export type PickRequired<T> = Pick<T, RequiredKeys<T>>;
 
 export type DiscriminativePick<T, K extends keyof T> = T extends unknown ? Pick<T, K> : never;

backend/src/lib/validator/validate-string.ts

@@ -1,3 +1,5 @@
+import { z } from "zod";
+
 export enum CharacterType {
   Alphabets = "alphabets",
   Numbers = "numbers",
@@ -101,3 +103,10 @@ export const characterValidator = (allowedCharacters: CharacterType[]) => {
     return regex.test(input);
   };
 };
+
+export const zodValidateCharacters = (allowedCharacters: CharacterType[]) => {
+  const validator = characterValidator(allowedCharacters);
+  return (schema: z.ZodString, fieldName: string) => {
+    return schema.refine(validator, { message: `${fieldName} can only contain ${allowedCharacters.join(",")}` });
+  };
+};

backend/src/lib/validator/validate-url.ts

@@ -2,10 +2,16 @@ import dns from "node:dns/promises";
 
 import { isIPv4 } from "net";
 
+import { getConfig } from "@app/lib/config/env";
+
 import { BadRequestError } from "../errors";
 import { isPrivateIp } from "../ip/ipRange";
 
 export const blockLocalAndPrivateIpAddresses = async (url: string) => {
+  const appCfg = getConfig();
+
+  if (appCfg.isDevelopmentMode) return;
+
   const validUrl = new URL(url);
   const inputHostIps: string[] = [];
   if (isIPv4(validUrl.host)) {
@@ -18,7 +24,8 @@ export const blockLocalAndPrivateIpAddresses = async (url: string) => {
     inputHostIps.push(...resolvedIps);
   }
   const isInternalIp = inputHostIps.some((el) => isPrivateIp(el));
-  if (isInternalIp) throw new BadRequestError({ message: "Local IPs not allowed as URL" });
+  if (isInternalIp && !appCfg.ALLOW_INTERNAL_IP_CONNECTIONS)
+    throw new BadRequestError({ message: "Local IPs not allowed as URL" });
 };
 
 type FQDNOptions = {

backend/src/main.ts

@@ -9,6 +9,7 @@ import { runMigrations } from "./auto-start-migrations";
 import { initAuditLogDbConnection, initDbConnection } from "./db";
 import { keyStoreFactory } from "./keystore/keystore";
 import { formatSmtpConfig, initEnvConfig } from "./lib/config/env";
+import { removeTemporaryBaseDirectory } from "./lib/files";
 import { initLogger } from "./lib/logger";
 import { queueServiceFactory } from "./queue";
 import { main } from "./server/app";
@@ -21,6 +22,8 @@ const run = async () => {
   const logger = initLogger();
   const envConfig = initEnvConfig(logger);
 
+  await removeTemporaryBaseDirectory();
+
   const db = initDbConnection({
     dbConnectionUri: envConfig.DB_CONNECTION_URI,
     dbRootCert: envConfig.DB_ROOT_CERT,
@@ -71,6 +74,7 @@ const run = async () => {
   process.on("SIGINT", async () => {
     await server.close();
     await db.destroy();
+    await removeTemporaryBaseDirectory();
     hsmModule.finalize();
     process.exit(0);
   });
@@ -79,6 +83,7 @@ const run = async () => {
   process.on("SIGTERM", async () => {
     await server.close();
     await db.destroy();
+    await removeTemporaryBaseDirectory();
     hsmModule.finalize();
     process.exit(0);
   });

backend/src/server/app.ts

@@ -113,7 +113,7 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
     await server.register(fastifyErrHandler);
 
     // Rate limiters and security headers
-    if (appCfg.isProductionMode) {
+    if (appCfg.isProductionMode && appCfg.isCloud) {
       await server.register<FastifyRateLimitOptions>(ratelimiter, globalRateLimiterCfg());
     }
 

backend/src/server/config/rateLimiter.ts

@@ -93,3 +93,10 @@ export const userEngagementLimit: RateLimitOptions = {
   max: 5,
   keyGenerator: (req) => req.realIp
 };
+
+export const publicSshCaLimit: RateLimitOptions = {
+  timeWindow: 60 * 1000,
+  hook: "preValidation",
+  max: 30, // conservative default
+  keyGenerator: (req) => req.realIp
+};

backend/src/server/lib/schemas.ts

@@ -45,4 +45,6 @@ export const BaseSecretNameSchema = z.string().trim().min(1);
 export const SecretNameSchema = BaseSecretNameSchema.refine(
   (el) => !el.includes(" "),
   "Secret name cannot contain spaces."
-).refine((el) => !el.includes(":"), "Secret name cannot contain colon.");
+)
+  .refine((el) => !el.includes(":"), "Secret name cannot contain colon.")
+  .refine((el) => !el.includes("/"), "Secret name cannot contain forward slash.");

backend/src/server/routes/index.ts

@@ -96,6 +96,10 @@ import { sshCertificateBodyDALFactory } from "@app/ee/services/ssh-certificate/s
 import { sshCertificateDALFactory } from "@app/ee/services/ssh-certificate/ssh-certificate-dal";
 import { sshCertificateTemplateDALFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-dal";
 import { sshCertificateTemplateServiceFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-service";
+import { sshHostDALFactory } from "@app/ee/services/ssh-host/ssh-host-dal";
+import { sshHostLoginUserMappingDALFactory } from "@app/ee/services/ssh-host/ssh-host-login-user-mapping-dal";
+import { sshHostServiceFactory } from "@app/ee/services/ssh-host/ssh-host-service";
+import { sshHostLoginUserDALFactory } from "@app/ee/services/ssh-host/ssh-login-user-dal";
 import { trustedIpDALFactory } from "@app/ee/services/trusted-ip/trusted-ip-dal";
 import { trustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
@@ -184,6 +188,7 @@ import { pkiCollectionServiceFactory } from "@app/services/pki-collection/pki-co
 import { projectDALFactory } from "@app/services/project/project-dal";
 import { projectQueueFactory } from "@app/services/project/project-queue";
 import { projectServiceFactory } from "@app/services/project/project-service";
+import { projectSshConfigDALFactory } from "@app/services/project/project-ssh-config-dal";
 import { projectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 import { projectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { projectEnvDALFactory } from "@app/services/project-env/project-env-dal";
@@ -292,6 +297,7 @@ export const registerRoutes = async (
   const apiKeyDAL = apiKeyDALFactory(db);
 
   const projectDAL = projectDALFactory(db);
+  const projectSshConfigDAL = projectSshConfigDALFactory(db);
   const projectMembershipDAL = projectMembershipDALFactory(db);
   const projectUserAdditionalPrivilegeDAL = projectUserAdditionalPrivilegeDALFactory(db);
   const projectUserMembershipRoleDAL = projectUserMembershipRoleDALFactory(db);
@@ -309,7 +315,7 @@ export const registerRoutes = async (
   const secretVersionTagDAL = secretVersionTagDALFactory(db);
   const secretBlindIndexDAL = secretBlindIndexDALFactory(db);
 
-  const secretV2BridgeDAL = secretV2BridgeDALFactory(db);
+  const secretV2BridgeDAL = secretV2BridgeDALFactory({ db, keyStore });
   const secretVersionV2BridgeDAL = secretVersionV2BridgeDALFactory(db);
   const secretVersionTagV2BridgeDAL = secretVersionV2TagBridgeDALFactory(db);
 
@@ -385,6 +391,9 @@ export const registerRoutes = async (
   const sshCertificateAuthorityDAL = sshCertificateAuthorityDALFactory(db);
   const sshCertificateAuthoritySecretDAL = sshCertificateAuthoritySecretDALFactory(db);
   const sshCertificateTemplateDAL = sshCertificateTemplateDALFactory(db);
+  const sshHostDAL = sshHostDALFactory(db);
+  const sshHostLoginUserDAL = sshHostLoginUserDALFactory(db);
+  const sshHostLoginUserMappingDAL = sshHostLoginUserMappingDALFactory(db);
 
   const kmsDAL = kmskeyDALFactory(db);
   const internalKmsDAL = internalKmsDALFactory(db);
@@ -796,6 +805,21 @@ export const registerRoutes = async (
     permissionService
   });
 
+  const sshHostService = sshHostServiceFactory({
+    userDAL,
+    projectDAL,
+    projectSshConfigDAL,
+    sshCertificateAuthorityDAL,
+    sshCertificateAuthoritySecretDAL,
+    sshCertificateDAL,
+    sshCertificateBodyDAL,
+    sshHostDAL,
+    sshHostLoginUserDAL,
+    sshHostLoginUserMappingDAL,
+    permissionService,
+    kmsService
+  });
+
   const certificateAuthorityService = certificateAuthorityServiceFactory({
     certificateAuthorityDAL,
     certificateAuthorityCertDAL,
@@ -938,6 +962,7 @@ export const registerRoutes = async (
   const projectService = projectServiceFactory({
     permissionService,
     projectDAL,
+    projectSshConfigDAL,
     secretDAL,
     secretV2BridgeDAL,
     queueService,
@@ -959,8 +984,10 @@ export const registerRoutes = async (
     pkiAlertDAL,
     pkiCollectionDAL,
     sshCertificateAuthorityDAL,
+    sshCertificateAuthoritySecretDAL,
     sshCertificateDAL,
     sshCertificateTemplateDAL,
+    sshHostDAL,
     projectUserMembershipRoleDAL,
     identityProjectMembershipRoleDAL,
     keyStore,
@@ -1364,7 +1391,8 @@ export const registerRoutes = async (
     permissionService,
     licenseService,
     kmsService,
-    projectGatewayDAL
+    projectGatewayDAL,
+    resourceMetadataDAL
   });
 
   const dynamicSecretLeaseService = dynamicSecretLeaseServiceFactory({
@@ -1603,6 +1631,7 @@ export const registerRoutes = async (
     certificate: certificateService,
     sshCertificateAuthority: sshCertificateAuthorityService,
     sshCertificateTemplate: sshCertificateTemplateService,
+    sshHost: sshHostService,
     certificateAuthority: certificateAuthorityService,
     certificateTemplate: certificateTemplateService,
     certificateAuthorityCrl: certificateAuthorityCrlService,

backend/src/server/routes/sanitizedSchemas.ts

@@ -11,6 +11,7 @@ import {
   UsersSchema
 } from "@app/db/schemas";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 import { UnpackedPermissionSchema } from "./sanitizedSchema/permission";
 
@@ -232,7 +233,11 @@ export const SanitizedDynamicSecretSchema = DynamicSecretsSchema.omit({
   inputIV: true,
   inputTag: true,
   algorithm: true
-});
+}).merge(
+  z.object({
+    metadata: ResourceMetadataSchema.optional()
+  })
+);
 
 export const SanitizedAuditLogStreamSchema = z.object({
   id: z.string(),

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -12,6 +12,10 @@ import {
   AzureKeyVaultConnectionListItemSchema,
   SanitizedAzureKeyVaultConnectionSchema
 } from "@app/services/app-connection/azure-key-vault";
+import {
+  CamundaConnectionListItemSchema,
+  SanitizedCamundaConnectionSchema
+} from "@app/services/app-connection/camunda";
 import {
   DatabricksConnectionListItemSchema,
   SanitizedDatabricksConnectionSchema
@@ -27,6 +31,11 @@ import {
   PostgresConnectionListItemSchema,
   SanitizedPostgresConnectionSchema
 } from "@app/services/app-connection/postgres";
+import {
+  SanitizedTerraformCloudConnectionSchema,
+  TerraformCloudConnectionListItemSchema
+} from "@app/services/app-connection/terraform-cloud";
+import { SanitizedVercelConnectionSchema, VercelConnectionListItemSchema } from "@app/services/app-connection/vercel";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 // can't use discriminated due to multiple schemas for certain apps
@@ -38,8 +47,11 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedAzureAppConfigurationConnectionSchema.options,
   ...SanitizedDatabricksConnectionSchema.options,
   ...SanitizedHumanitecConnectionSchema.options,
+  ...SanitizedTerraformCloudConnectionSchema.options,
+  ...SanitizedVercelConnectionSchema.options,
   ...SanitizedPostgresConnectionSchema.options,
-  ...SanitizedMsSqlConnectionSchema.options
+  ...SanitizedMsSqlConnectionSchema.options,
+  ...SanitizedCamundaConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -50,8 +62,11 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   AzureAppConfigurationConnectionListItemSchema,
   DatabricksConnectionListItemSchema,
   HumanitecConnectionListItemSchema,
+  TerraformCloudConnectionListItemSchema,
+  VercelConnectionListItemSchema,
   PostgresConnectionListItemSchema,
-  MsSqlConnectionListItemSchema
+  MsSqlConnectionListItemSchema,
+  CamundaConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/camunda-connection-router.ts

@@ -0,0 +1,51 @@
+import { z } from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateCamundaConnectionSchema,
+  SanitizedCamundaConnectionSchema,
+  UpdateCamundaConnectionSchema
+} from "@app/services/app-connection/camunda";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerCamundaConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Camunda,
+    server,
+    sanitizedResponseSchema: SanitizedCamundaConnectionSchema,
+    createSchema: CreateCamundaConnectionSchema,
+    updateSchema: UpdateCamundaConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/clusters`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          clusters: z.object({ uuid: z.string(), name: z.string() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const clusters = await server.services.appConnection.camunda.listClusters(connectionId, req.permission);
+
+      return { clusters };
+    }
+  });
+};