Merge pull request #2251 from akhilmhdh/fix/replication

fix: resolved replication secret not getting deleted

backend/package-lock.json

@@ -25,6 +25,7 @@
         "@fastify/swagger": "^8.14.0",
         "@fastify/swagger-ui": "^2.1.0",
         "@node-saml/passport-saml": "^4.0.4",
+        "@octokit/plugin-retry": "^5.0.5",
         "@octokit/rest": "^20.0.2",
         "@octokit/webhooks-types": "^7.3.1",
         "@peculiar/asn1-schema": "^2.3.8",
@@ -7812,19 +7813,45 @@
       }
     },
     "node_modules/@octokit/plugin-retry": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-retry/-/plugin-retry-6.0.1.tgz",
-      "integrity": "sha512-SKs+Tz9oj0g4p28qkZwl/topGcb0k0qPNX/i7vBKmDsjoeqnVfFUquqrE/O9oJY7+oLzdCtkiWSXLpLjvl6uog==",
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-retry/-/plugin-retry-5.0.5.tgz",
+      "integrity": "sha512-sB1RWMhSrre02Atv95K6bhESlJ/sPdZkK/wE/w1IdSCe0yM6FxSjksLa6T7aAvxvxlLKzQEC4KIiqpqyov1Tbg==",
       "dependencies": {
-        "@octokit/request-error": "^5.0.0",
-        "@octokit/types": "^12.0.0",
+        "@octokit/request-error": "^4.0.1",
+        "@octokit/types": "^10.0.0",
         "bottleneck": "^2.15.3"
       },
       "engines": {
         "node": ">= 18"
       },
       "peerDependencies": {
-        "@octokit/core": ">=5"
+        "@octokit/core": ">=3"
+      }
+    },
+    "node_modules/@octokit/plugin-retry/node_modules/@octokit/openapi-types": {
+      "version": "18.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-18.1.1.tgz",
+      "integrity": "sha512-VRaeH8nCDtF5aXWnjPuEMIYf1itK/s3JYyJcWFJT8X9pSNnBtriDf7wlEWsGuhPLl4QIH4xM8fqTXDwJ3Mu6sw=="
+    },
+    "node_modules/@octokit/plugin-retry/node_modules/@octokit/request-error": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-4.0.2.tgz",
+      "integrity": "sha512-uqwUEmZw3x4I9DGYq9fODVAAvcLsPQv97NRycP6syEFu5916M189VnNBW2zANNwqg3OiligNcAey7P0SET843w==",
+      "dependencies": {
+        "@octokit/types": "^10.0.0",
+        "deprecation": "^2.0.0",
+        "once": "^1.4.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/plugin-retry/node_modules/@octokit/types": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-10.0.0.tgz",
+      "integrity": "sha512-Vm8IddVmhCgU1fxC1eyinpwqzXPEYu0NrYzD3YZjlGjyftdLBTeqNblRC0jmJmgxbJIsQlyogVeGnrNaaMVzIg==",
+      "dependencies": {
+        "@octokit/openapi-types": "^18.0.0"
       }
     },
     "node_modules/@octokit/plugin-throttling": {
@@ -17396,6 +17423,22 @@
         "node": ">=18"
       }
     },
+    "node_modules/probot/node_modules/@octokit/plugin-retry": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-retry/-/plugin-retry-6.0.1.tgz",
+      "integrity": "sha512-SKs+Tz9oj0g4p28qkZwl/topGcb0k0qPNX/i7vBKmDsjoeqnVfFUquqrE/O9oJY7+oLzdCtkiWSXLpLjvl6uog==",
+      "dependencies": {
+        "@octokit/request-error": "^5.0.0",
+        "@octokit/types": "^12.0.0",
+        "bottleneck": "^2.15.3"
+      },
+      "engines": {
+        "node": ">= 18"
+      },
+      "peerDependencies": {
+        "@octokit/core": ">=5"
+      }
+    },
     "node_modules/probot/node_modules/commander": {
       "version": "11.1.0",
       "resolved": "https://registry.npmjs.org/commander/-/commander-11.1.0.tgz",

backend/package.json

@@ -121,6 +121,7 @@
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
     "@node-saml/passport-saml": "^4.0.4",
+    "@octokit/plugin-retry": "^5.0.5",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",
     "@peculiar/asn1-schema": "^2.3.8",

backend/src/@types/fastify.d.ts

@@ -51,6 +51,7 @@ import { TIntegrationServiceFactory } from "@app/services/integration/integratio
 import { TIntegrationAuthServiceFactory } from "@app/services/integration-auth/integration-auth-service";
 import { TOrgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { TOrgServiceFactory } from "@app/services/org/org-service";
+import { TOrgAdminServiceFactory } from "@app/services/org-admin/org-admin-service";
 import { TProjectServiceFactory } from "@app/services/project/project-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
@@ -167,6 +168,7 @@ declare module "fastify" {
       rateLimit: TRateLimitServiceFactory;
       userEngagement: TUserEngagementServiceFactory;
       externalKms: TExternalKmsServiceFactory;
+      orgAdmin: TOrgAdminServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -147,7 +147,8 @@ export enum EventType {
   GET_KMS = "get-kms",
   UPDATE_PROJECT_KMS = "update-project-kms",
   GET_PROJECT_KMS_BACKUP = "get-project-kms-backup",
-  LOAD_PROJECT_KMS_BACKUP = "load-project-kms-backup"
+  LOAD_PROJECT_KMS_BACKUP = "load-project-kms-backup",
+  ORG_ADMIN_ACCESS_PROJECT = "org-admin-accessed-project"
 }
 
 interface UserActorMetadata {
@@ -337,6 +338,7 @@ interface DeleteIntegrationEvent {
     targetServiceId?: string;
     path?: string;
     region?: string;
+    shouldDeleteIntegrationSecrets?: boolean;
   };
 }
 
@@ -1245,6 +1247,16 @@ interface LoadProjectKmsBackupEvent {
   metadata: Record<string, string>; // no metadata yet
 }
 
+interface OrgAdminAccessProjectEvent {
+  type: EventType.ORG_ADMIN_ACCESS_PROJECT;
+  metadata: {
+    userId: string;
+    username: string;
+    email: string;
+    projectId: string;
+  }; // no metadata yet
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -1354,4 +1366,5 @@ export type Event =
   | GetKmsEvent
   | UpdateProjectKmsEvent
   | GetProjectKmsBackupEvent
-  | LoadProjectKmsBackupEvent;
+  | LoadProjectKmsBackupEvent
+  | OrgAdminAccessProjectEvent;

backend/src/ee/services/permission/org-permission.ts

@@ -9,6 +9,10 @@ export enum OrgPermissionActions {
   Delete = "delete"
 }
 
+export enum OrgPermissionAdminConsoleAction {
+  AccessAllProjects = "access-all-projects"
+}
+
 export enum OrgPermissionSubjects {
   Workspace = "workspace",
   Role = "role",
@@ -22,7 +26,8 @@ export enum OrgPermissionSubjects {
   Billing = "billing",
   SecretScanning = "secret-scanning",
   Identity = "identity",
-  Kms = "kms"
+  Kms = "kms",
+  AdminConsole = "organization-admin-console"
 }
 
 export type OrgPermissionSet =
@@ -39,7 +44,8 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
   | [OrgPermissionActions, OrgPermissionSubjects.Billing]
   | [OrgPermissionActions, OrgPermissionSubjects.Identity]
-  | [OrgPermissionActions, OrgPermissionSubjects.Kms];
+  | [OrgPermissionActions, OrgPermissionSubjects.Kms]
+  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];
 
 const buildAdminPermission = () => {
   const { can, build } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
@@ -107,6 +113,8 @@ const buildAdminPermission = () => {
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.Kms);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.Kms);
 
+  can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
+
   return build({ conditionsMatcher });
 };
 

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -449,7 +449,7 @@ export const secretReplicationServiceFactory = ({
                   });
                 }
                 if (locallyDeletedSecrets.length) {
-                  await secretDAL.delete(
+                  await secretV2BridgeDAL.delete(
                     {
                       $in: {
                         id: locallyDeletedSecrets.map(({ id }) => id)

backend/src/lib/knex/index.ts

@@ -19,23 +19,43 @@ export const withTransaction = <K extends object>(db: Knex, dal: K) => ({
 
 export type TFindFilter<R extends object = object> = Partial<R> & {
   $in?: Partial<{ [k in keyof R]: R[k][] }>;
+  $search?: Partial<{ [k in keyof R]: R[k] }>;
 };
 export const buildFindFilter =
-  <R extends object = object>({ $in, ...filter }: TFindFilter<R>) =>
+  <R extends object = object>({ $in, $search, ...filter }: TFindFilter<R>) =>
   (bd: Knex.QueryBuilder<R, R>) => {
     void bd.where(filter);
     if ($in) {
       Object.entries($in).forEach(([key, val]) => {
-        void bd.whereIn(key as never, val as never);
+        if (val) {
+          void bd.whereIn(key as never, val as never);
+        }
+      });
+    }
+    if ($search) {
+      Object.entries($search).forEach(([key, val]) => {
+        if (val) {
+          void bd.whereILike(key as never, val as never);
+        }
       });
     }
     return bd;
   };
 
-export type TFindOpt<R extends object = object> = {
+export type TFindReturn<TQuery extends Knex.QueryBuilder, TCount extends boolean = false> = Array<
+  Awaited<TQuery>[0] &
+    (TCount extends true
+      ? {
+          count: string;
+        }
+      : unknown)
+>;
+
+export type TFindOpt<R extends object = object, TCount extends boolean = boolean> = {
   limit?: number;
   offset?: number;
   sort?: Array<[keyof R, "asc" | "desc"] | [keyof R, "asc" | "desc", "first" | "last"]>;
+  count?: TCount;
   tx?: Knex;
 };
 
@@ -66,18 +86,22 @@ export const ormify = <DbOps extends object, Tname extends keyof Tables>(db: Kne
       throw new DatabaseError({ error, name: "Find one" });
     }
   },
-  find: async (
+  find: async <TCount extends boolean = false>(
     filter: TFindFilter<Tables[Tname]["base"]>,
-    { offset, limit, sort, tx }: TFindOpt<Tables[Tname]["base"]> = {}
+    { offset, limit, sort, count, tx }: TFindOpt<Tables[Tname]["base"], TCount> = {}
   ) => {
     try {
       const query = (tx || db.replicaNode())(tableName).where(buildFindFilter(filter));
+      if (count) {
+        void query.select(db.raw("COUNT(*) OVER() AS count"));
+        void query.select("*");
+      }
       if (limit) void query.limit(limit);
       if (offset) void query.offset(offset);
       if (sort) {
         void query.orderBy(sort.map(([column, order, nulls]) => ({ column: column as string, order, nulls })));
       }
-      const res = await query;
+      const res = (await query) as TFindReturn<typeof query, TCount>;
       return res;
     } catch (error) {
       throw new DatabaseError({ error, name: "Find one" });

backend/src/server/routes/index.ts

@@ -129,6 +129,7 @@ import { orgDALFactory } from "@app/services/org/org-dal";
 import { orgRoleDALFactory } from "@app/services/org/org-role-dal";
 import { orgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { orgServiceFactory } from "@app/services/org/org-service";
+import { orgAdminServiceFactory } from "@app/services/org-admin/org-admin-service";
 import { orgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { projectDALFactory } from "@app/services/project/project-dal";
 import { projectQueueFactory } from "@app/services/project/project-queue";
@@ -499,6 +500,16 @@ export const registerRoutes = async (
     keyStore,
     licenseService
   });
+  const orgAdminService = orgAdminServiceFactory({
+    projectDAL,
+    permissionService,
+    projectUserMembershipRoleDAL,
+    userDAL,
+    projectBotDAL,
+    projectKeyDAL,
+    projectMembershipDAL
+  });
+
   const rateLimitService = rateLimitServiceFactory({
     rateLimitDAL,
     licenseService
@@ -886,8 +897,15 @@ export const registerRoutes = async (
     folderDAL,
     integrationDAL,
     integrationAuthDAL,
-    secretQueueService
+    secretQueueService,
+    integrationAuthService,
+    projectBotService,
+    secretV2BridgeDAL,
+    secretImportDAL,
+    secretDAL,
+    kmsService
   });
+
   const serviceTokenService = serviceTokenServiceFactory({
     projectEnvDAL,
     serviceTokenDAL,
@@ -1114,7 +1132,8 @@ export const registerRoutes = async (
     identityProjectAdditionalPrivilege: identityProjectAdditionalPrivilegeService,
     secretSharing: secretSharingService,
     userEngagement: userEngagementService,
-    externalKms: externalKmsService
+    externalKms: externalKmsService,
+    orgAdmin: orgAdminService
   });
 
   const cronJobs: CronJob[] = [];

backend/src/server/routes/v1/index.ts

@@ -15,6 +15,7 @@ import { registerIdentityUaRouter } from "./identity-universal-auth-router";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
 import { registerIntegrationRouter } from "./integration-router";
 import { registerInviteOrgRouter } from "./invite-org-router";
+import { registerOrgAdminRouter } from "./org-admin-router";
 import { registerOrgRouter } from "./organization-router";
 import { registerPasswordRouter } from "./password-router";
 import { registerProjectEnvRouter } from "./project-env-router";
@@ -50,6 +51,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
   await server.register(registerPasswordRouter, { prefix: "/password" });
   await server.register(registerOrgRouter, { prefix: "/organization" });
   await server.register(registerAdminRouter, { prefix: "/admin" });
+  await server.register(registerOrgAdminRouter, { prefix: "/organization-admin" });
   await server.register(registerUserRouter, { prefix: "/user" });
   await server.register(registerInviteOrgRouter, { prefix: "/invite-org" });
   await server.register(registerUserActionRouter, { prefix: "/user-action" });

backend/src/server/routes/v1/integration-router.ts

@@ -170,6 +170,12 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
       params: z.object({
         integrationId: z.string().trim().describe(INTEGRATION.DELETE.integrationId)
       }),
+      querystring: z.object({
+        shouldDeleteIntegrationSecrets: z
+          .enum(["true", "false"])
+          .optional()
+          .transform((val) => val === "true")
+      }),
       response: {
         200: z.object({
           integration: IntegrationsSchema
@@ -183,7 +189,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
         actorAuthMethod: req.permission.authMethod,
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
-        id: req.params.integrationId
+        id: req.params.integrationId,
+        shouldDeleteIntegrationSecrets: req.query.shouldDeleteIntegrationSecrets
       });
 
       await server.services.auditLog.createAuditLog({
@@ -205,7 +212,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
             targetService: integration.targetService,
             targetServiceId: integration.targetServiceId,
             path: integration.path,
-            region: integration.region
+            region: integration.region,
+            shouldDeleteIntegrationSecrets: req.query.shouldDeleteIntegrationSecrets
             // eslint-disable-next-line
           }) as any
         }

backend/src/server/routes/v1/org-admin-router.ts

@@ -0,0 +1,90 @@
+import { z } from "zod";
+
+import { ProjectMembershipsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { SanitizedProjectSchema } from "../sanitizedSchemas";
+
+export const registerOrgAdminRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/projects",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      querystring: z.object({
+        search: z.string().optional(),
+        offset: z.coerce.number().default(0),
+        limit: z.coerce.number().max(100).default(50)
+      }),
+      response: {
+        200: z.object({
+          projects: SanitizedProjectSchema.array(),
+          count: z.coerce.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { projects, count } = await server.services.orgAdmin.listOrgProjects({
+        limit: req.query.limit,
+        offset: req.query.offset,
+        search: req.query.search,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorId: req.permission.id,
+        actor: req.permission.type
+      });
+      return { projects, count };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/projects/:projectId/grant-admin-access",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        projectId: z.string()
+      }),
+      response: {
+        200: z.object({
+          membership: ProjectMembershipsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { membership } = await server.services.orgAdmin.grantProjectAdminAccess({
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        projectId: req.params.projectId
+      });
+      if (req.auth.authMode === AuthMode.JWT) {
+        await server.services.auditLog.createAuditLog({
+          ...req.auditLogInfo,
+          projectId: req.params.projectId,
+          event: {
+            type: EventType.ORG_ADMIN_ACCESS_PROJECT,
+            metadata: {
+              projectId: req.params.projectId,
+              username: req.auth.user.username,
+              email: req.auth.user.email || "",
+              userId: req.auth.userId
+            }
+          }
+        });
+      }
+
+      return { membership };
+    }
+  });
+};

backend/src/services/integration-auth/integration-delete-secret.ts

@@ -0,0 +1,357 @@
+import { retry } from "@octokit/plugin-retry";
+import { Octokit } from "@octokit/rest";
+
+import { TIntegrationAuths, TIntegrations } from "@app/db/schemas";
+import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+
+import { IntegrationMetadataSchema } from "../integration/integration-schema";
+import { TKmsServiceFactory } from "../kms/kms-service";
+import { KmsDataKey } from "../kms/kms-types";
+import { TProjectBotServiceFactory } from "../project-bot/project-bot-service";
+import { TSecretDALFactory } from "../secret/secret-dal";
+import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
+import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
+import { fnSecretsV2FromImports } from "../secret-import/secret-import-fns";
+import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
+import { TIntegrationAuthServiceFactory } from "./integration-auth-service";
+import { Integrations } from "./integration-list";
+
+const MAX_SYNC_SECRET_DEPTH = 5;
+
+/**
+ * Return the secrets in a given [folderId] including secrets from
+ * nested imported folders recursively.
+ */
+const getIntegrationSecretsV2 = async (
+  dto: {
+    projectId: string;
+    environment: string;
+    folderId: string;
+    depth: number;
+    decryptor: (value: Buffer | null | undefined) => string;
+  },
+  secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "find" | "findByFolderId">,
+  folderDAL: Pick<TSecretFolderDALFactory, "findByManySecretPath">,
+  secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">
+) => {
+  const content: Record<string, boolean> = {};
+  if (dto.depth > MAX_SYNC_SECRET_DEPTH) {
+    logger.info(
+      `getIntegrationSecrets: secret depth exceeded for [projectId=${dto.projectId}] [folderId=${dto.folderId}] [depth=${dto.depth}]`
+    );
+    return content;
+  }
+
+  // process secrets in current folder
+  const secrets = await secretV2BridgeDAL.findByFolderId(dto.folderId);
+
+  secrets.forEach((secret) => {
+    const secretKey = secret.key;
+    content[secretKey] = true;
+  });
+
+  // check if current folder has any imports from other folders
+  const secretImports = await secretImportDAL.find({ folderId: dto.folderId, isReplication: false });
+
+  // if no imports then return secrets in the current folder
+  if (!secretImports.length) return content;
+  const importedSecrets = await fnSecretsV2FromImports({
+    decryptor: dto.decryptor,
+    folderDAL,
+    secretDAL: secretV2BridgeDAL,
+    secretImportDAL,
+    allowedImports: secretImports
+  });
+
+  for (let i = importedSecrets.length - 1; i >= 0; i -= 1) {
+    for (let j = 0; j < importedSecrets[i].secrets.length; j += 1) {
+      const importedSecret = importedSecrets[i].secrets[j];
+      if (!content[importedSecret.key]) {
+        content[importedSecret.key] = true;
+      }
+    }
+  }
+  return content;
+};
+
+/**
+ * Return the secrets in a given [folderId] including secrets from
+ * nested imported folders recursively.
+ */
+const getIntegrationSecretsV1 = async (
+  dto: {
+    projectId: string;
+    environment: string;
+    folderId: string;
+    key: string;
+    depth: number;
+  },
+  secretDAL: Pick<TSecretDALFactory, "findByFolderId">,
+  folderDAL: Pick<TSecretFolderDALFactory, "findByManySecretPath">,
+  secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">
+) => {
+  let content: Record<string, boolean> = {};
+  if (dto.depth > MAX_SYNC_SECRET_DEPTH) {
+    logger.info(
+      `getIntegrationSecrets: secret depth exceeded for [projectId=${dto.projectId}] [folderId=${dto.folderId}] [depth=${dto.depth}]`
+    );
+    return content;
+  }
+
+  // process secrets in current folder
+  const secrets = await secretDAL.findByFolderId(dto.folderId);
+  secrets.forEach((secret) => {
+    const secretKey = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: secret.secretKeyCiphertext,
+      iv: secret.secretKeyIV,
+      tag: secret.secretKeyTag,
+      key: dto.key
+    });
+
+    content[secretKey] = true;
+  });
+
+  // check if current folder has any imports from other folders
+  const secretImport = await secretImportDAL.find({ folderId: dto.folderId, isReplication: false });
+
+  // if no imports then return secrets in the current folder
+  if (!secretImport) return content;
+
+  const importedFolders = await folderDAL.findByManySecretPath(
+    secretImport.map(({ importEnv, importPath }) => ({
+      envId: importEnv.id,
+      secretPath: importPath
+    }))
+  );
+
+  for await (const folder of importedFolders) {
+    if (folder) {
+      // get secrets contained in each imported folder by recursively calling
+      // this function against the imported folder
+      const importedSecrets = await getIntegrationSecretsV1(
+        {
+          environment: dto.environment,
+          projectId: dto.projectId,
+          folderId: folder.id,
+          key: dto.key,
+          depth: dto.depth + 1
+        },
+        secretDAL,
+        folderDAL,
+        secretImportDAL
+      );
+
+      // add the imported secrets to the current folder secrets
+      content = { ...importedSecrets, ...content };
+    }
+  }
+
+  return content;
+};
+
+export const deleteGithubSecrets = async ({
+  integration,
+  secrets,
+  accessToken
+}: {
+  integration: Omit<TIntegrations, "envId">;
+  secrets: Record<string, boolean>;
+  accessToken: string;
+}) => {
+  interface GitHubSecret {
+    name: string;
+    created_at: string;
+    updated_at: string;
+    visibility?: "all" | "private" | "selected";
+    selected_repositories_url?: string | undefined;
+  }
+
+  const OctokitWithRetry = Octokit.plugin(retry);
+  const octokit = new OctokitWithRetry({
+    auth: accessToken
+  });
+
+  enum GithubScope {
+    Repo = "github-repo",
+    Org = "github-org",
+    Env = "github-env"
+  }
+
+  let encryptedGithubSecrets: GitHubSecret[];
+
+  switch (integration.scope) {
+    case GithubScope.Org: {
+      encryptedGithubSecrets = (
+        await octokit.request("GET /orgs/{org}/actions/secrets", {
+          org: integration.owner as string
+        })
+      ).data.secrets;
+      break;
+    }
+    case GithubScope.Env: {
+      encryptedGithubSecrets = (
+        await octokit.request("GET /repositories/{repository_id}/environments/{environment_name}/secrets", {
+          repository_id: Number(integration.appId),
+          environment_name: integration.targetEnvironmentId as string
+        })
+      ).data.secrets;
+      break;
+    }
+    default: {
+      encryptedGithubSecrets = (
+        await octokit.request("GET /repos/{owner}/{repo}/actions/secrets", {
+          owner: integration.owner as string,
+          repo: integration.app as string
+        })
+      ).data.secrets;
+      break;
+    }
+  }
+
+  for await (const encryptedSecret of encryptedGithubSecrets) {
+    if (encryptedSecret.name in secrets) {
+      switch (integration.scope) {
+        case GithubScope.Org: {
+          await octokit.request("DELETE /orgs/{org}/actions/secrets/{secret_name}", {
+            org: integration.owner as string,
+            secret_name: encryptedSecret.name
+          });
+          break;
+        }
+        case GithubScope.Env: {
+          await octokit.request(
+            "DELETE /repositories/{repository_id}/environments/{environment_name}/secrets/{secret_name}",
+            {
+              repository_id: Number(integration.appId),
+              environment_name: integration.targetEnvironmentId as string,
+              secret_name: encryptedSecret.name
+            }
+          );
+          break;
+        }
+        default: {
+          await octokit.request("DELETE /repos/{owner}/{repo}/actions/secrets/{secret_name}", {
+            owner: integration.owner as string,
+            repo: integration.app as string,
+            secret_name: encryptedSecret.name
+          });
+          break;
+        }
+      }
+
+      // small delay to prevent hitting API rate limits
+      await new Promise((resolve) => {
+        setTimeout(resolve, 50);
+      });
+    }
+  }
+};
+
+export const deleteIntegrationSecrets = async ({
+  integration,
+  integrationAuth,
+  integrationAuthService,
+  projectBotService,
+  secretV2BridgeDAL,
+  folderDAL,
+  secretDAL,
+  secretImportDAL,
+  kmsService
+}: {
+  integration: Omit<TIntegrations, "envId"> & {
+    projectId: string;
+    environment: {
+      id: string;
+      name: string;
+      slug: string;
+    };
+    secretPath: string;
+  };
+  integrationAuth: TIntegrationAuths;
+  integrationAuthService: Pick<TIntegrationAuthServiceFactory, "getIntegrationAccessToken" | "getIntegrationAuth">;
+  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
+  secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "find" | "findByFolderId">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findByManySecretPath" | "findBySecretPath">;
+  secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">;
+  secretDAL: Pick<TSecretDALFactory, "findByFolderId">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+}) => {
+  const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integration.projectId);
+  const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+    type: KmsDataKey.SecretManager,
+    projectId: integration.projectId
+  });
+
+  const folder = await folderDAL.findBySecretPath(
+    integration.projectId,
+    integration.environment.slug,
+    integration.secretPath
+  );
+
+  if (!folder) {
+    throw new NotFoundError({
+      message: "Folder not found."
+    });
+  }
+
+  const { accessToken } = await integrationAuthService.getIntegrationAccessToken(
+    integrationAuth,
+    shouldUseSecretV2Bridge,
+    botKey
+  );
+
+  const secrets = shouldUseSecretV2Bridge
+    ? await getIntegrationSecretsV2(
+        {
+          environment: integration.environment.id,
+          projectId: integration.projectId,
+          folderId: folder.id,
+          depth: 1,
+          decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : "")
+        },
+        secretV2BridgeDAL,
+        folderDAL,
+        secretImportDAL
+      )
+    : await getIntegrationSecretsV1(
+        {
+          environment: integration.environment.id,
+          projectId: integration.projectId,
+          folderId: folder.id,
+          key: botKey as string,
+          depth: 1
+        },
+        secretDAL,
+        folderDAL,
+        secretImportDAL
+      );
+
+  const suffixedSecrets: typeof secrets = {};
+  const metadata = IntegrationMetadataSchema.parse(integration.metadata);
+
+  if (metadata) {
+    Object.keys(secrets).forEach((key) => {
+      const prefix = metadata?.secretPrefix || "";
+      const suffix = metadata?.secretSuffix || "";
+      const newKey = prefix + key + suffix;
+      suffixedSecrets[newKey] = secrets[key];
+    });
+  }
+
+  switch (integration.integration) {
+    case Integrations.GITHUB: {
+      await deleteGithubSecrets({
+        integration,
+        accessToken,
+        secrets: Object.keys(suffixedSecrets).length !== 0 ? suffixedSecrets : secrets
+      });
+      break;
+    }
+    default:
+      throw new BadRequestError({
+        message: "Invalid integration"
+      });
+  }
+};

backend/src/services/integration/integration-service.ts

@@ -6,8 +6,15 @@ import { BadRequestError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
 
 import { TIntegrationAuthDALFactory } from "../integration-auth/integration-auth-dal";
+import { TIntegrationAuthServiceFactory } from "../integration-auth/integration-auth-service";
+import { deleteIntegrationSecrets } from "../integration-auth/integration-delete-secret";
+import { TKmsServiceFactory } from "../kms/kms-service";
+import { TProjectBotServiceFactory } from "../project-bot/project-bot-service";
+import { TSecretDALFactory } from "../secret/secret-dal";
 import { TSecretQueueFactory } from "../secret/secret-queue";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
+import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
+import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
 import { TIntegrationDALFactory } from "./integration-dal";
 import {
   TCreateIntegrationDTO,
@@ -19,9 +26,15 @@ import {
 type TIntegrationServiceFactoryDep = {
   integrationDAL: TIntegrationDALFactory;
   integrationAuthDAL: TIntegrationAuthDALFactory;
-  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
+  integrationAuthService: TIntegrationAuthServiceFactory;
+  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findByManySecretPath">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  projectBotService: TProjectBotServiceFactory;
   secretQueueService: Pick<TSecretQueueFactory, "syncIntegrations">;
+  secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "find" | "findByFolderId">;
+  secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  secretDAL: Pick<TSecretDALFactory, "findByFolderId">;
 };
 
 export type TIntegrationServiceFactory = ReturnType<typeof integrationServiceFactory>;
@@ -31,7 +44,13 @@ export const integrationServiceFactory = ({
   integrationAuthDAL,
   folderDAL,
   permissionService,
-  secretQueueService
+  secretQueueService,
+  integrationAuthService,
+  projectBotService,
+  secretV2BridgeDAL,
+  secretImportDAL,
+  kmsService,
+  secretDAL
 }: TIntegrationServiceFactoryDep) => {
   const createIntegration = async ({
     app,
@@ -161,7 +180,14 @@ export const integrationServiceFactory = ({
     return updatedIntegration;
   };
 
-  const deleteIntegration = async ({ actorId, id, actor, actorAuthMethod, actorOrgId }: TDeleteIntegrationDTO) => {
+  const deleteIntegration = async ({
+    actorId,
+    id,
+    actor,
+    actorAuthMethod,
+    actorOrgId,
+    shouldDeleteIntegrationSecrets
+  }: TDeleteIntegrationDTO) => {
     const integration = await integrationDAL.findById(id);
     if (!integration) throw new BadRequestError({ message: "Integration auth not found" });
 
@@ -174,6 +200,22 @@ export const integrationServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
 
+    const integrationAuth = await integrationAuthDAL.findById(integration.integrationAuthId);
+
+    if (shouldDeleteIntegrationSecrets) {
+      await deleteIntegrationSecrets({
+        integration,
+        integrationAuth,
+        projectBotService,
+        integrationAuthService,
+        secretV2BridgeDAL,
+        folderDAL,
+        secretImportDAL,
+        secretDAL,
+        kmsService
+      });
+    }
+
     const deletedIntegration = await integrationDAL.transaction(async (tx) => {
       // delete integration
       const deletedIntegrationResult = await integrationDAL.deleteById(id, tx);

backend/src/services/integration/integration-types.ts

@@ -63,6 +63,7 @@ export type TUpdateIntegrationDTO = {
 
 export type TDeleteIntegrationDTO = {
   id: string;
+  shouldDeleteIntegrationSecrets?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TSyncIntegrationDTO = {

backend/src/services/org-admin/org-admin-dal.ts

@@ -0,0 +1,5 @@
+export type TOrgAdminDALFactory = ReturnType<typeof orgAdminDALFactory>;
+
+export const orgAdminDALFactory = () => {
+  return {};
+};

backend/src/services/org-admin/org-admin-service.ts

@@ -0,0 +1,191 @@
+import { ForbiddenError } from "@casl/ability";
+
+import { ProjectMembershipRole, ProjectVersion, SecretKeyEncoding } from "@app/db/schemas";
+import { OrgPermissionAdminConsoleAction, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { BadRequestError } from "@app/lib/errors";
+
+import { TProjectDALFactory } from "../project/project-dal";
+import { assignWorkspaceKeysToMembers } from "../project/project-fns";
+import { TProjectBotDALFactory } from "../project-bot/project-bot-dal";
+import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
+import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
+import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
+import { TUserDALFactory } from "../user/user-dal";
+import { TAccessProjectDTO, TListOrgProjectsDTO } from "./org-admin-types";
+
+type TOrgAdminServiceFactoryDep = {
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  projectDAL: Pick<TProjectDALFactory, "find" | "findById" | "findProjectGhostUser">;
+  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findOne" | "create" | "transaction" | "delete">;
+  projectKeyDAL: Pick<TProjectKeyDALFactory, "findLatestProjectKey" | "create">;
+  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
+  userDAL: Pick<TUserDALFactory, "findUserEncKeyByUserId">;
+  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "create" | "delete">;
+};
+
+export type TOrgAdminServiceFactory = ReturnType<typeof orgAdminServiceFactory>;
+
+export const orgAdminServiceFactory = ({
+  permissionService,
+  projectDAL,
+  projectMembershipDAL,
+  projectKeyDAL,
+  projectBotDAL,
+  userDAL,
+  projectUserMembershipRoleDAL
+}: TOrgAdminServiceFactoryDep) => {
+  const listOrgProjects = async ({
+    actor,
+    limit,
+    actorId,
+    offset,
+    search,
+    actorOrgId,
+    actorAuthMethod
+  }: TListOrgProjectsDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAdminConsoleAction.AccessAllProjects,
+      OrgPermissionSubjects.AdminConsole
+    );
+    const projects = await projectDAL.find(
+      {
+        orgId: actorOrgId,
+        $search: {
+          name: search ? `%${search}%` : undefined
+        }
+      },
+      { offset, limit, sort: [["name", "asc"]], count: true }
+    );
+
+    const count = projects?.[0]?.count ? parseInt(projects?.[0]?.count, 10) : 0;
+    return { projects, count };
+  };
+
+  const grantProjectAdminAccess = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId
+  }: TAccessProjectDTO) => {
+    const { permission, membership } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAdminConsoleAction.AccessAllProjects,
+      OrgPermissionSubjects.AdminConsole
+    );
+
+    const project = await projectDAL.findById(projectId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    if (project.version === ProjectVersion.V1) {
+      throw new BadRequestError({ message: "Please upgrade your project on your dashboard" });
+    }
+
+    // check already there exist a membership if there return it
+    const projectMembership = await projectMembershipDAL.findOne({
+      projectId,
+      userId: actorId
+    });
+    if (projectMembership) {
+      // reset and make the user admin
+      await projectMembershipDAL.transaction(async (tx) => {
+        await projectUserMembershipRoleDAL.delete({ projectMembershipId: projectMembership.id }, tx);
+        await projectUserMembershipRoleDAL.create(
+          {
+            projectMembershipId: projectMembership.id,
+            role: ProjectMembershipRole.Admin
+          },
+          tx
+        );
+      });
+      return { isExistingMember: true, membership: projectMembership };
+    }
+
+    // missing membership thus add admin back as admin to project
+    const ghostUser = await projectDAL.findProjectGhostUser(projectId);
+    if (!ghostUser) {
+      throw new BadRequestError({
+        message: "Failed to find sudo user"
+      });
+    }
+
+    const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId);
+    if (!ghostUserLatestKey) {
+      throw new BadRequestError({
+        message: "Failed to find sudo user latest key"
+      });
+    }
+
+    const bot = await projectBotDAL.findOne({ projectId });
+    if (!bot) {
+      throw new BadRequestError({
+        message: "Failed to find bot"
+      });
+    }
+
+    const botPrivateKey = infisicalSymmetricDecrypt({
+      keyEncoding: bot.keyEncoding as SecretKeyEncoding,
+      iv: bot.iv,
+      tag: bot.tag,
+      ciphertext: bot.encryptedPrivateKey
+    });
+
+    const userEncryptionKey = await userDAL.findUserEncKeyByUserId(actorId);
+    if (!userEncryptionKey) throw new BadRequestError({ message: "user encryption key not found" });
+    const [newWsMember] = assignWorkspaceKeysToMembers({
+      decryptKey: ghostUserLatestKey,
+      userPrivateKey: botPrivateKey,
+      members: [
+        {
+          orgMembershipId: membership.id,
+          projectMembershipRole: ProjectMembershipRole.Admin,
+          userPublicKey: userEncryptionKey.publicKey
+        }
+      ]
+    });
+
+    const updatedMembership = await projectMembershipDAL.transaction(async (tx) => {
+      const newProjectMembership = await projectMembershipDAL.create(
+        {
+          projectId,
+          userId: actorId
+        },
+        tx
+      );
+      await projectUserMembershipRoleDAL.create(
+        { projectMembershipId: newProjectMembership.id, role: ProjectMembershipRole.Admin },
+        tx
+      );
+
+      await projectKeyDAL.create(
+        {
+          encryptedKey: newWsMember.workspaceEncryptedKey,
+          nonce: newWsMember.workspaceEncryptedNonce,
+          senderId: ghostUser.id,
+          receiverId: actorId,
+          projectId
+        },
+        tx
+      );
+      return newProjectMembership;
+    });
+    return { isExistingMember: false, membership: updatedMembership };
+  };
+
+  return { listOrgProjects, grantProjectAdminAccess };
+};

backend/src/services/org-admin/org-admin-types.ts

@@ -0,0 +1,11 @@
+import { TOrgPermission } from "@app/lib/types";
+
+export type TListOrgProjectsDTO = {
+  limit?: number;
+  offset?: number;
+  search?: string;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TAccessProjectDTO = {
+  projectId: string;
+} & Omit<TOrgPermission, "orgId">;

backend/src/services/project-bot/project-bot-dal.ts

@@ -46,6 +46,7 @@ export const projectBotDALFactory = (db: TDbClient) => {
       const doc = await db
         .replicaNode()(TableName.ProjectMembership)
         .where(`${TableName.ProjectMembership}.projectId` as "projectId", projectId)
+        .where(`${TableName.ProjectKeys}.projectId` as "projectId", projectId)
         .where(`${TableName.Users}.isGhost` as "isGhost", false)
         .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
         .join(TableName.ProjectKeys, `${TableName.ProjectMembership}.userId`, `${TableName.ProjectKeys}.receiverId`)

backend/src/services/project-bot/project-bot-fns.ts

@@ -66,10 +66,10 @@ export const getBotKeyFnFactory = (
         await projectBotDAL.create({
           name: "Infisical Bot (Ghost)",
           projectId,
+          isActive: true,
           tag,
           iv,
           encryptedPrivateKey: ciphertext,
-          isActive: true,
           publicKey: botKey.publicKey,
           algorithm,
           keyEncoding: encoding,
@@ -80,6 +80,12 @@ export const getBotKeyFnFactory = (
       } else {
         await projectBotDAL.updateById(bot.id, {
           isActive: true,
+          tag,
+          iv,
+          encryptedPrivateKey: ciphertext,
+          publicKey: botKey.publicKey,
+          algorithm,
+          keyEncoding: encoding,
           encryptedProjectKey: encryptedWorkspaceKey.ciphertext,
           encryptedProjectKeyNonce: encryptedWorkspaceKey.nonce,
           senderId: projectV1Keys.userId
@@ -89,7 +95,6 @@ export const getBotKeyFnFactory = (
     }
 
     const botPrivateKey = getBotPrivateKey({ bot });
-
     const botKey = decryptAsymmetric({
       ciphertext: bot.encryptedProjectKey,
       privateKey: botPrivateKey,

backend/src/services/project-membership/project-membership-service.ts

@@ -256,7 +256,6 @@ export const projectMembershipServiceFactory = ({
     }
 
     const bot = await projectBotDAL.findOne({ projectId });
-
     if (!bot) {
       throw new BadRequestError({
         message: "Failed to find bot"

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -542,8 +542,8 @@ export const reshapeBridgeSecret = (
   secretPath,
   workspace: workspaceId,
   environment,
-  secretValue: secret.value,
-  secretComment: secret.comment,
+  secretValue: secret.value || "",
+  secretComment: secret.comment || "",
   version: secret.version,
   type: secret.type,
   _id: secret.id,

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@@ -490,10 +490,10 @@ export const secretV2BridgeServiceFactory = ({
         ...secret,
         value: secret.encryptedValue
           ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedValue }).toString()
-          : undefined,
+          : "",
         comment: secret.encryptedComment
           ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedComment }).toString()
-          : undefined
+          : ""
       })
     );
     const expandSecretReferences = expandSecretReferencesFactory({
@@ -522,7 +522,7 @@ export const secretV2BridgeServiceFactory = ({
           await expandSecretReferences(secretsGroupByKey);
           secretsGroupByPath[secretPathKey].forEach((decryptedSecret) => {
             // eslint-disable-next-line no-param-reassign
-            decryptedSecret.secretValue = secretsGroupByKey[decryptedSecret.secretKey].value;
+            decryptedSecret.secretValue = secretsGroupByKey[decryptedSecret.secretKey].value || "";
           });
         }
       }

cli/packages/cmd/vault.go

@@ -4,6 +4,7 @@ Copyright (c) 2023 Infisical Inc.
 package cmd
 
 import (
+	"encoding/base64"
 	"fmt"
 	"strings"
 
@@ -13,53 +14,56 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var AvailableVaultsAndDescriptions = []string{"auto (automatically select native vault on system)", "file (encrypted file vault)"}
-var AvailableVaults = []string{"auto", "file"}
+type VaultBackendType struct {
+	Name        string
+	Description string
+}
+
+var AvailableVaults = []VaultBackendType{
+	{
+		Name:        "auto",
+		Description: "automatically select the system keyring",
+	},
+	{
+		Name:        "file",
+		Description: "encrypted file vault",
+	},
+}
 
 var vaultSetCmd = &cobra.Command{
-	Example:               `infisical vault set pass`,
-	Use:                   "set [vault-name]",
-	Short:                 "Used to set the vault backend to store your login details securely at rest",
+	Example:               `infisical vault set file --passphrase <your-passphrase>`,
+	Use:                   "set [file|auto] [flags]",
+	Short:                 "Used to configure the vault backends",
 	DisableFlagsInUseLine: true,
 	Args:                  cobra.MinimumNArgs(1),
 	Run: func(cmd *cobra.Command, args []string) {
-		wantedVaultTypeName := args[0]
-		currentVaultBackend, err := util.GetCurrentVaultBackend()
+
+		vaultType := args[0]
+
+		passphrase, err := cmd.Flags().GetString("passphrase")
 		if err != nil {
-			log.Error().Msgf("Unable to set vault to [%s] because of [err=%s]", wantedVaultTypeName, err)
+			util.HandleError(err, "Unable to get passphrase flag")
+		}
+
+		if vaultType == util.VAULT_BACKEND_FILE_MODE && passphrase != "" {
+			setFileVaultPassphrase(passphrase)
 			return
 		}
 
-		if wantedVaultTypeName == string(currentVaultBackend) {
-			log.Error().Msgf("You are already on vault backend [%s]", currentVaultBackend)
-			return
-		}
-
-		if wantedVaultTypeName == "auto" || wantedVaultTypeName == "file" {
-			configFile, err := util.GetConfigFile()
-			if err != nil {
-				log.Error().Msgf("Unable to set vault to [%s] because of [err=%s]", wantedVaultTypeName, err)
-				return
-			}
-
-			configFile.VaultBackendType = wantedVaultTypeName // save selected vault
-			configFile.LoggedInUserEmail = ""                 // reset the logged in user to prompt them to re login
-
-			err = util.WriteConfigFile(&configFile)
-			if err != nil {
-				log.Error().Msgf("Unable to set vault to [%s] because an error occurred when saving the config file [err=%s]", wantedVaultTypeName, err)
-				return
-			}
-
-			fmt.Printf("\nSuccessfully, switched vault backend from [%s] to [%s]. Please login in again to store your login details in the new vault with [infisical login]\n", currentVaultBackend, wantedVaultTypeName)
-
-			Telemetry.CaptureEvent("cli-command:vault set", posthog.NewProperties().Set("currentVault", currentVaultBackend).Set("wantedVault", wantedVaultTypeName).Set("version", util.CLI_VERSION))
-		} else {
-			log.Error().Msgf("The requested vault type [%s] is not available on this system. Only the following vault backends are available for you system: %s", wantedVaultTypeName, strings.Join(AvailableVaults, ", "))
-		}
+		util.PrintWarning("This command has been deprecated. Please use 'infisical vault use [file|auto]' to select which vault to use.\n")
+		selectVaultTypeCmd(cmd, args)
 	},
 }
 
+var vaultUseCmd = &cobra.Command{
+	Example:               `infisical vault use [file|auto]`,
+	Use:                   "use [file|auto]",
+	Short:                 "Used to select the the type of vault backend to store sensitive data securely at rest",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.MinimumNArgs(1),
+	Run:                   selectVaultTypeCmd,
+}
+
 // runCmd represents the run command
 var vaultCmd = &cobra.Command{
 	Use:                   "vault",
@@ -71,10 +75,30 @@ var vaultCmd = &cobra.Command{
 	},
 }
 
+func setFileVaultPassphrase(passphrase string) {
+	configFile, err := util.GetConfigFile()
+	if err != nil {
+		log.Error().Msgf("Unable to set passphrase for file vault because of [err=%s]", err)
+		return
+	}
+
+	// encode with base64
+	encodedPassphrase := base64.StdEncoding.EncodeToString([]byte(passphrase))
+	configFile.VaultBackendPassphrase = encodedPassphrase
+
+	err = util.WriteConfigFile(&configFile)
+	if err != nil {
+		log.Error().Msgf("Unable to set passphrase for file vault because of [err=%s]", err)
+		return
+	}
+
+	util.PrintSuccessMessage("\nSuccessfully, set passphrase for file vault.\n")
+}
+
 func printAvailableVaultBackends() {
 	fmt.Printf("Vaults are used to securely store your login details locally. Available vaults:")
-	for _, backend := range AvailableVaultsAndDescriptions {
-		fmt.Printf("\n- %s", backend)
+	for _, vaultType := range AvailableVaults {
+		fmt.Printf("\n- %s (%s)", vaultType.Name, vaultType.Description)
 	}
 
 	currentVaultBackend, err := util.GetCurrentVaultBackend()
@@ -87,7 +111,53 @@ func printAvailableVaultBackends() {
 	fmt.Printf("\n\nYou are currently using [%s] vault to store your login credentials\n", string(currentVaultBackend))
 }
 
+func selectVaultTypeCmd(cmd *cobra.Command, args []string) {
+	wantedVaultTypeName := args[0]
+	currentVaultBackend, err := util.GetCurrentVaultBackend()
+	if err != nil {
+		log.Error().Msgf("Unable to set vault to [%s] because of [err=%s]", wantedVaultTypeName, err)
+		return
+	}
+
+	if wantedVaultTypeName == string(currentVaultBackend) {
+		log.Error().Msgf("You are already on vault backend [%s]", currentVaultBackend)
+		return
+	}
+
+	if wantedVaultTypeName == util.VAULT_BACKEND_AUTO_MODE || wantedVaultTypeName == util.VAULT_BACKEND_FILE_MODE {
+		configFile, err := util.GetConfigFile()
+		if err != nil {
+			log.Error().Msgf("Unable to set vault to [%s] because of [err=%s]", wantedVaultTypeName, err)
+			return
+		}
+
+		configFile.VaultBackendType = wantedVaultTypeName // save selected vault
+		configFile.LoggedInUserEmail = ""                 // reset the logged in user to prompt them to re login
+
+		err = util.WriteConfigFile(&configFile)
+		if err != nil {
+			log.Error().Msgf("Unable to set vault to [%s] because an error occurred when saving the config file [err=%s]", wantedVaultTypeName, err)
+			return
+		}
+
+		fmt.Printf("\nSuccessfully, switched vault backend from [%s] to [%s]. Please login in again to store your login details in the new vault with [infisical login]\n", currentVaultBackend, wantedVaultTypeName)
+
+		Telemetry.CaptureEvent("cli-command:vault set", posthog.NewProperties().Set("currentVault", currentVaultBackend).Set("wantedVault", wantedVaultTypeName).Set("version", util.CLI_VERSION))
+	} else {
+		var availableVaultsNames []string
+		for _, vault := range AvailableVaults {
+			availableVaultsNames = append(availableVaultsNames, vault.Name)
+		}
+		log.Error().Msgf("The requested vault type [%s] is not available on this system. Only the following vault backends are available for you system: %s", wantedVaultTypeName, strings.Join(availableVaultsNames, ", "))
+	}
+}
+
 func init() {
+
+	vaultSetCmd.Flags().StringP("passphrase", "p", "", "Set the passphrase for the file vault")
+
 	vaultCmd.AddCommand(vaultSetCmd)
+	vaultCmd.AddCommand(vaultUseCmd)
+
 	rootCmd.AddCommand(vaultCmd)
 }

cli/packages/models/cli.go

@@ -11,10 +11,11 @@ type UserCredentials struct {
 
 // The file struct for Infisical config file
 type ConfigFile struct {
-	LoggedInUserEmail  string         `json:"loggedInUserEmail"`
-	LoggedInUserDomain string         `json:"LoggedInUserDomain,omitempty"`
-	LoggedInUsers      []LoggedInUser `json:"loggedInUsers,omitempty"`
-	VaultBackendType   string         `json:"vaultBackendType,omitempty"`
+	LoggedInUserEmail      string         `json:"loggedInUserEmail"`
+	LoggedInUserDomain     string         `json:"LoggedInUserDomain,omitempty"`
+	LoggedInUsers          []LoggedInUser `json:"loggedInUsers,omitempty"`
+	VaultBackendType       string         `json:"vaultBackendType,omitempty"`
+	VaultBackendPassphrase string         `json:"vaultBackendPassphrase,omitempty"`
 }
 
 type LoggedInUser struct {

cli/packages/util/config.go

@@ -1,6 +1,7 @@
 package util
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -50,10 +51,11 @@ func WriteInitalConfig(userCredentials *models.UserCredentials) error {
 	}
 
 	configFile := models.ConfigFile{
-		LoggedInUserEmail:  userCredentials.Email,
-		LoggedInUserDomain: config.INFISICAL_URL,
-		LoggedInUsers:      existingConfigFile.LoggedInUsers,
-		VaultBackendType:   existingConfigFile.VaultBackendType,
+		LoggedInUserEmail:      userCredentials.Email,
+		LoggedInUserDomain:     config.INFISICAL_URL,
+		LoggedInUsers:          existingConfigFile.LoggedInUsers,
+		VaultBackendType:       existingConfigFile.VaultBackendType,
+		VaultBackendPassphrase: existingConfigFile.VaultBackendPassphrase,
 	}
 
 	configFileMarshalled, err := json.Marshal(configFile)
@@ -215,6 +217,14 @@ func GetConfigFile() (models.ConfigFile, error) {
 		return models.ConfigFile{}, err
 	}
 
+	if configFile.VaultBackendPassphrase != "" {
+		decodedPassphrase, err := base64.StdEncoding.DecodeString(configFile.VaultBackendPassphrase)
+		if err != nil {
+			return models.ConfigFile{}, fmt.Errorf("GetConfigFile: Unable to decode base64 passphrase [err=%s]", err)
+		}
+		os.Setenv("INFISICAL_VAULT_FILE_PASSPHRASE", string(decodedPassphrase))
+	}
+
 	return configFile, nil
 }
 

cli/packages/util/constants.go

@@ -8,6 +8,10 @@ const (
 	INFISICAL_WORKSPACE_CONFIG_FILE_NAME       = ".infisical.json"
 	INFISICAL_TOKEN_NAME                       = "INFISICAL_TOKEN"
 	INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN_NAME = "INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN"
+	INFISICAL_VAULT_FILE_PASSPHRASE_ENV_NAME   = "INFISICAL_VAULT_FILE_PASSPHRASE" // This works because we've forked the keyring package and added support for this env variable. This explains why you won't find any occurrences of it in the CLI codebase.
+
+	VAULT_BACKEND_AUTO_MODE = "auto"
+	VAULT_BACKEND_FILE_MODE = "file"
 
 	// Universal Auth
 	INFISICAL_UNIVERSAL_AUTH_CLIENT_ID_NAME     = "INFISICAL_UNIVERSAL_AUTH_CLIENT_ID"

cli/packages/util/keyringwrapper.go

@@ -1,6 +1,9 @@
 package util
 
 import (
+	"encoding/base64"
+
+	"github.com/manifoldco/promptui"
 	"github.com/zalando/go-keyring"
 )
 
@@ -20,16 +23,51 @@ func SetValueInKeyring(key, value string) error {
 		PrintErrorAndExit(1, err, "Unable to get current vault. Tip: run [infisical rest] then try again")
 	}
 
-	return keyring.Set(currentVaultBackend, MAIN_KEYRING_SERVICE, key, value)
+	err = keyring.Set(currentVaultBackend, MAIN_KEYRING_SERVICE, key, value)
+
+	if err != nil {
+		configFile, _ := GetConfigFile()
+
+		if configFile.VaultBackendPassphrase == "" {
+			PrintWarning("System keyring could not be used, falling back to `file` vault for sensitive data storage.")
+			passphrasePrompt := promptui.Prompt{
+				Label: "Enter the passphrase to use for keyring encryption",
+			}
+			passphrase, err := passphrasePrompt.Run()
+			if err != nil {
+				return err
+			}
+
+			encodedPassphrase := base64.StdEncoding.EncodeToString([]byte(passphrase))
+			configFile.VaultBackendPassphrase = encodedPassphrase
+			err = WriteConfigFile(&configFile)
+			if err != nil {
+				return err
+			}
+
+			// We call this function at last to trigger the environment variable to be set
+			GetConfigFile()
+		}
+
+		err = keyring.Set(VAULT_BACKEND_FILE_MODE, MAIN_KEYRING_SERVICE, key, value)
+	}
+
+	return err
 }
 
 func GetValueInKeyring(key string) (string, error) {
 	currentVaultBackend, err := GetCurrentVaultBackend()
 	if err != nil {
-		PrintErrorAndExit(1, err, "Unable to get current vault. Tip: run [infisical rest] then try again")
+		PrintErrorAndExit(1, err, "Unable to get current vault. Tip: run [infisical reset] then try again")
 	}
 
-	return keyring.Get(currentVaultBackend, MAIN_KEYRING_SERVICE, key)
+	value, err := keyring.Get(currentVaultBackend, MAIN_KEYRING_SERVICE, key)
+
+	if err != nil {
+		value, err = keyring.Get(VAULT_BACKEND_FILE_MODE, MAIN_KEYRING_SERVICE, key)
+	}
+	return value, err
+
 }
 
 func DeleteValueInKeyring(key string) error {
@@ -38,5 +76,11 @@ func DeleteValueInKeyring(key string) error {
 		return err
 	}
 
-	return keyring.Delete(currentVaultBackend, MAIN_KEYRING_SERVICE, key)
+	err = keyring.Delete(currentVaultBackend, MAIN_KEYRING_SERVICE, key)
+
+	if err != nil {
+		err = keyring.Delete(VAULT_BACKEND_FILE_MODE, MAIN_KEYRING_SERVICE, key)
+	}
+
+	return err
 }

cli/packages/util/vault.go

@@ -11,11 +11,11 @@ func GetCurrentVaultBackend() (string, error) {
 	}
 
 	if configFile.VaultBackendType == "" {
-		return "auto", nil
+		return VAULT_BACKEND_AUTO_MODE, nil
 	}
 
-	if configFile.VaultBackendType != "auto" && configFile.VaultBackendType != "file" {
-		return "auto", nil
+	if configFile.VaultBackendType != VAULT_BACKEND_AUTO_MODE && configFile.VaultBackendType != VAULT_BACKEND_FILE_MODE {
+		return VAULT_BACKEND_AUTO_MODE, nil
 	}
 
 	return configFile.VaultBackendType, nil

company/handbook/meetings.mdx

@@ -0,0 +1,15 @@
+---
+title: "Meetings"
+sidebarTitle: "Meetings"
+description: "The guide to meetings at Infisical."
+---
+
+## "Let's schedule a meeting about this"
+
+Being a remote-first company, we try to be as async as possible. When an issue arises, it's best to create a public Slack thread and tag all the necessary team members. Otherwise, if you were to "put a meeting on a calendar", the decision making process will inevitable slow down by at least a day (e.g., trying to find the right time for folks in different time zones is not always straightforward). 
+
+In other words, we have almost no (recurring) meetings and prefer written communication or quick Slack huddles.
+
+## Weekly All-hands
+
+All-hands is the single recurring meeting that we run every Monday at 8:30am PT. Typically, we would discuss everything important that happened during the previous week and plan out the week ahead. This is also an opportunity to bring up any important topics in front of the whole company (but feel free to post those in Slack too).

company/mint.json

@@ -59,7 +59,8 @@
         "handbook/onboarding", 
         "handbook/spending-money",
         "handbook/time-off",
-        "handbook/hiring"
+        "handbook/hiring",
+        "handbook/meetings"
       ]
     }
   ],

docs/cli/commands/vault.mdx

@@ -32,6 +32,6 @@ description: "Change the vault type in Infisical"
 
 To safeguard your login details when using the CLI, Infisical places them in a system vault or an encrypted text file, protected by a passphrase that only the user knows.
 
-<Tip>To avoid constantly entering your passphrase when using the `file` vault type, set the `INFISICAL_VAULT_FILE_PASSPHRASE` environment variable with your password in your shell</Tip>
+<Tip>To avoid constantly entering your passphrase when using the `file` vault type, use the `infisical vault set file --passphrase <your-passphrase>` CLI command to specify your password once.</Tip>
 
 

docs/documentation/platform/kms/aws-kms.mdx

@@ -16,7 +16,7 @@ Before you begin, you'll first need to choose a method of authentication with AW
   <Steps>
     <Step title="Create the Managing User IAM Role">
       1. Navigate to the [Create IAM Role](https://console.aws.amazon.com/iamv2/home#/roles/create?step=selectEntities) page in your AWS Console.
-        ![IAM Role Creation](../../images/integrations/aws/integration-aws-iam-assume-role.png)
+        ![IAM Role Creation](/images/integrations/aws/integration-aws-iam-assume-role.png)
 
       2. Select **AWS Account** as the **Trusted Entity Type**.
       3. Choose **Another AWS Account** and enter **381492033652** (Infisical AWS Account ID). This restricts the role to be assumed only by Infisical. If you are self-hosting, provide the AWS account number where Infisical is hosted.

docs/integrations/platforms/kubernetes.mdx

@@ -1,5 +1,5 @@
 ---
-title: "Kubernetes"
+title: "Kubernetes Operator"
 description: "How to use Infisical to inject secrets into Kubernetes clusters."
 ---
 
@@ -9,6 +9,10 @@ The Infisical Secrets Operator is a Kubernetes controller that retrieves secrets
 It uses an `InfisicalSecret` resource to specify authentication and storage methods.
 The operator continuously updates secrets and can also reload dependent deployments automatically.
 
+<Note>
+  If you are already using the External Secrets operator, you can you can view the integration documentation for it [here](https://external-secrets.io/latest/provider/infisical/).
+</Note>
+
 ## Install Operator
 
 The operator can be install via [Helm](https://helm.sh) or [kubectl](https://github.com/kubernetes/kubectl)

docs/mint.json

@@ -155,7 +155,7 @@
           ]
         },
         {
-          "group": "Key Management",
+          "group": "Key Management (KMS)",
           "pages": [
             "documentation/platform/kms/overview",
             "documentation/platform/kms/aws-kms",

frontend/src/components/v2/DeleteActionModal/DeleteActionModal.tsx

@@ -1,4 +1,4 @@
-import { useEffect, useState } from "react";
+import { ReactNode, useEffect, useState } from "react";
 
 import { useToggle } from "@app/hooks";
 
@@ -16,6 +16,7 @@ type Props = {
   subTitle?: string;
   onDeleteApproved: () => Promise<void>;
   buttonText?: string;
+  children?: ReactNode;
 };
 
 export const DeleteActionModal = ({
@@ -26,7 +27,8 @@ export const DeleteActionModal = ({
   onDeleteApproved,
   title,
   subTitle = "This action is irreversible.",
-  buttonText = "Delete"
+  buttonText = "Delete",
+  children
 }: Props): JSX.Element => {
   const [inputData, setInputData] = useState("");
   const [isLoading, setIsLoading] = useToggle();
@@ -94,9 +96,10 @@ export const DeleteActionModal = ({
             <Input
               value={inputData}
               onChange={(e) => setInputData(e.target.value)}
-              placeholder="Type confirm..."
+              placeholder={`Type ${deleteKey} here`}
             />
           </FormControl>
+          {children}
         </form>
       </ModalContent>
     </Modal>

frontend/src/components/v2/Pagination/Pagination.tsx

@@ -50,7 +50,7 @@ export const Pagination = ({
     >
       <div className="mr-6 flex items-center space-x-2">
         <div className="text-xs">
-          {(page - 1) * perPage} - {(page - 1) * perPage + perPage} of {count}
+          {(page - 1) * perPage} - {Math.min((page - 1) * perPage + perPage, count)} of {count}
         </div>
         <DropdownMenu>
           <DropdownMenuTrigger asChild>

frontend/src/context/OrgPermissionContext/types.ts

@@ -20,7 +20,12 @@ export enum OrgPermissionSubjects {
   Billing = "billing",
   SecretScanning = "secret-scanning",
   Identity = "identity",
-  Kms = "kms"
+  Kms = "kms",
+  AdminConsole = "organization-admin-console"
+}
+
+export enum OrgPermissionAdminConsoleAction {
+  AccessAllProjects = "access-all-projects"
 }
 
 export type OrgPermissionSet =
@@ -37,6 +42,7 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
   | [OrgPermissionActions, OrgPermissionSubjects.Billing]
   | [OrgPermissionActions, OrgPermissionSubjects.Identity]
-  | [OrgPermissionActions, OrgPermissionSubjects.Kms];
+  | [OrgPermissionActions, OrgPermissionSubjects.Kms]
+  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];
 
 export type TOrgPermission = MongoAbility<OrgPermissionSet>;

frontend/src/helpers/parseEnvVar.ts

@@ -0,0 +1,14 @@
+/** Extracts the key and value from a passed in env string based on the provided delimiters. */
+export const getKeyValue = (pastedContent: string, delimiters: string[]) => {
+  const foundDelimiter = delimiters.find((delimiter) => pastedContent.includes(delimiter));
+
+  if (!foundDelimiter) {
+    return { key: pastedContent.trim(), value: "" };
+  }
+
+  const [key, value] = pastedContent.split(foundDelimiter);
+  return {
+    key: key.trim(),
+    value: (value ?? "").trim()
+  };
+};

frontend/src/hooks/api/auditLogs/constants.tsx

@@ -56,7 +56,8 @@ export const eventToNameMap: { [K in EventType]: string } = {
   [EventType.GET_CERT]: "Get certificate",
   [EventType.DELETE_CERT]: "Delete certificate",
   [EventType.REVOKE_CERT]: "Revoke certificate",
-  [EventType.GET_CERT_BODY]: "Get certificate body"
+  [EventType.GET_CERT_BODY]: "Get certificate body",
+  [EventType.ORG_ADMIN_ACCESS_PROJECT]: "Org admin accessed project"
 };
 
 export const userAgentTTypeoNameMap: { [K in UserAgentType]: string } = {

frontend/src/hooks/api/auditLogs/enums.tsx

@@ -70,5 +70,6 @@ export enum EventType {
   GET_CERT = "get-cert",
   DELETE_CERT = "delete-cert",
   REVOKE_CERT = "revoke-cert",
-  GET_CERT_BODY = "get-cert-body"
+  GET_CERT_BODY = "get-cert-body",
+  ORG_ADMIN_ACCESS_PROJECT = "org-admin-accessed-project"
 }

frontend/src/hooks/api/auditLogs/types.tsx

@@ -579,6 +579,16 @@ interface GetCertBody {
   };
 }
 
+interface OrgAdminAccessProjectEvent {
+  type: EventType.ORG_ADMIN_ACCESS_PROJECT;
+  metadata: {
+    userId: string;
+    username: string;
+    email: string;
+    projectId: string;
+  }; // no metadata yet
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -635,7 +645,8 @@ export type Event =
   | GetCert
   | DeleteCert
   | RevokeCert
-  | GetCertBody;
+  | GetCertBody
+  | OrgAdminAccessProjectEvent;
 
 export type AuditLog = {
   id: string;

frontend/src/hooks/api/index.tsx

@@ -19,6 +19,7 @@ export * from "./keys";
 export * from "./kms";
 export * from "./ldapConfig";
 export * from "./oidcConfig";
+export * from "./orgAdmin";
 export * from "./organization";
 export * from "./projectUserAdditionalPrivilege";
 export * from "./rateLimit";

frontend/src/hooks/api/integrations/queries.tsx

@@ -110,8 +110,15 @@ export const useCreateIntegration = () => {
 export const useDeleteIntegration = () => {
   const queryClient = useQueryClient();
 
-  return useMutation<{}, {}, { id: string; workspaceId: string }>({
-    mutationFn: ({ id }) => apiRequest.delete(`/api/v1/integration/${id}`),
+  return useMutation<
+    {},
+    {},
+    { id: string; workspaceId: string; shouldDeleteIntegrationSecrets: boolean }
+  >({
+    mutationFn: ({ id, shouldDeleteIntegrationSecrets }) =>
+      apiRequest.delete(
+        `/api/v1/integration/${id}?shouldDeleteIntegrationSecrets=${shouldDeleteIntegrationSecrets}`
+      ),
     onSuccess: (_, { workspaceId }) => {
       queryClient.invalidateQueries(workspaceKeys.getWorkspaceIntegrations(workspaceId));
       queryClient.invalidateQueries(workspaceKeys.getWorkspaceAuthorization(workspaceId));

frontend/src/hooks/api/orgAdmin/index.tsx

@@ -0,0 +1,2 @@
+export { useOrgAdminAccessProject } from "./mutation";
+export { useOrgAdminGetProjects } from "./queries";

frontend/src/hooks/api/orgAdmin/mutation.tsx

@@ -0,0 +1,15 @@
+import { useMutation } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+import { TOrgAdminAccessProjectDTO } from "./types";
+
+export const useOrgAdminAccessProject = () =>
+  useMutation({
+    mutationFn: async ({ projectId }: TOrgAdminAccessProjectDTO) => {
+      const { data } = await apiRequest.post(
+        `/api/v1/organization-admin/projects/${projectId}/grant-admin-access`
+      );
+      return data;
+    }
+  });

frontend/src/hooks/api/orgAdmin/queries.tsx

@@ -0,0 +1,30 @@
+import { useQuery } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+import { Workspace } from "../types";
+import { TOrgAdminGetProjectsDTO } from "./types";
+
+export const orgAdminQueryKeys = {
+  getProjects: (filter: TOrgAdminGetProjectsDTO) => ["org-admin-projects", filter] as const
+};
+
+export const useOrgAdminGetProjects = ({ search, offset, limit = 50 }: TOrgAdminGetProjectsDTO) => {
+  return useQuery({
+    queryKey: orgAdminQueryKeys.getProjects({ search, offset, limit }),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<{ projects: Workspace[]; count: number }>(
+        "/api/v1/organization-admin/projects",
+        {
+          params: {
+            limit,
+            offset,
+            search
+          }
+        }
+      );
+
+      return data;
+    }
+  });
+};

frontend/src/hooks/api/orgAdmin/types.ts

@@ -0,0 +1,9 @@
+export type TOrgAdminGetProjectsDTO = {
+  limit?: number;
+  offset?: number;
+  search?: string;
+};
+
+export type TOrgAdminAccessProjectDTO = {
+  projectId: string;
+};

frontend/src/hooks/api/workspace/queries.tsx

@@ -317,6 +317,7 @@ export const useDeleteWorkspace = () => {
     },
     onSuccess: () => {
       queryClient.invalidateQueries(workspaceKeys.getAllUserWorkspace);
+      queryClient.invalidateQueries(["org-admin-projects"]);
     }
   });
 };

frontend/src/hooks/api/workspace/types.ts

@@ -21,6 +21,7 @@ export type Workspace = {
   pitVersionLimit: number;
   auditLogsRetentionDays: number;
   slug: string;
+  createdAt: string;
 };
 
 export type WorkspaceEnv = {

frontend/src/hooks/usePopUp.tsx

@@ -13,7 +13,7 @@ interface UsePopUpProps {
 export type UsePopUpState<T extends Readonly<string[]> | UsePopUpProps[]> = {
   [P in T extends UsePopUpProps[] ? T[number]["name"] : T[number]]: {
     isOpen: boolean;
-    data?: unknown;
+    data?: any;
   };
 };
 

frontend/src/layouts/AppLayout/AppLayout.tsx

@@ -476,10 +476,15 @@ export const AppLayout = ({ children }: LayoutProps) => {
                         {user?.superAdmin && (
                           <Link href="/admin" legacyBehavior>
                             <DropdownMenuItem className="mt-1 border-t border-mineshaft-600">
-                              Admin Panel
+                              Server Admin Panel
                             </DropdownMenuItem>
                           </Link>
                         )}
+                        <Link href={`/org/${currentOrg?.id}/admin`} legacyBehavior>
+                          <DropdownMenuItem className="mt-1 border-t border-mineshaft-600">
+                          Organization Admin Console
+                          </DropdownMenuItem>
+                        </Link>
                         <div className="mt-1 h-1 border-t border-mineshaft-600" />
                         <button type="button" onClick={logOutUser} className="w-full">
                           <DropdownMenuItem>Log Out</DropdownMenuItem>

frontend/src/pages/org/[id]/admin/index.tsx

@@ -0,0 +1,21 @@
+/* eslint-disable @typescript-eslint/no-unused-vars */
+import { useTranslation } from "react-i18next";
+import Head from "next/head";
+
+import { OrgAdminPage } from "@app/views/OrgAdminPage";
+
+export default function SettingsOrg() {
+  const { t } = useTranslation();
+
+  return (
+    <>
+      <Head>
+        <title>{t("common.head-title", { title: t("settings.org.title") })}</title>
+        <link rel="icon" href="/infisical.ico" />
+      </Head>
+      <OrgAdminPage />
+    </>
+  );
+}
+
+SettingsOrg.requireAuth = true;

frontend/src/views/IntegrationsPage/IntegrationsPage.tsx

@@ -106,9 +106,13 @@ export const IntegrationsPage = withProjectPermission(
       handleProviderIntegration(provider);
     };
 
-    const handleIntegrationDelete = async (integrationId: string, cb: () => void) => {
+    const handleIntegrationDelete = async (
+      integrationId: string,
+      shouldDeleteIntegrationSecrets: boolean,
+      cb: () => void
+    ) => {
       try {
-        await deleteIntegration({ id: integrationId, workspaceId });
+        await deleteIntegration({ id: integrationId, workspaceId, shouldDeleteIntegrationSecrets });
         if (cb) cb();
         createNotification({
           type: "success",
@@ -152,7 +156,7 @@ export const IntegrationsPage = withProjectPermission(
           isLoading={isIntegrationLoading}
           integrations={integrations}
           environments={environments}
-          onIntegrationDelete={({ id }, cb) => handleIntegrationDelete(id, cb)}
+          onIntegrationDelete={handleIntegrationDelete}
           workspaceId={workspaceId}
         />
         <CloudIntegrationSection

frontend/src/views/IntegrationsPage/components/IntegrationsSection/IntegrationsSection.tsx

@@ -7,6 +7,7 @@ import { integrationSlugNameMapping } from "public/data/frequentConstants";
 import { ProjectPermissionCan } from "@app/components/permissions";
 import {
   Button,
+  Checkbox,
   DeleteActionModal,
   EmptyState,
   FormLabel,
@@ -16,7 +17,7 @@ import {
   Tooltip
 } from "@app/components/v2";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/context";
-import { usePopUp } from "@app/hooks";
+import { usePopUp, useToggle } from "@app/hooks";
 import { useSyncIntegration } from "@app/hooks/api/integrations/queries";
 import { IntegrationMappingBehavior } from "@app/hooks/api/integrations/types";
 import { TIntegration } from "@app/hooks/api/types";
@@ -25,7 +26,11 @@ type Props = {
   environments: Array<{ name: string; slug: string; id: string }>;
   integrations?: TIntegration[];
   isLoading?: boolean;
-  onIntegrationDelete: (integration: TIntegration, cb: () => void) => void;
+  onIntegrationDelete: (
+    integrationId: string,
+    shouldDeleteIntegrationSecrets: boolean,
+    cb: () => void
+  ) => Promise<void>;
   workspaceId: string;
 };
 
@@ -37,10 +42,12 @@ export const IntegrationsSection = ({
   workspaceId
 }: Props) => {
   const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
-    "deleteConfirmation"
+    "deleteConfirmation",
+    "deleteSecretsConfirmation"
   ] as const);
 
   const { mutate: syncIntegration } = useSyncIntegration();
+  const [shouldDeleteSecrets, setShouldDeleteSecrets] = useToggle(false);
 
   return (
     <div className="mb-8">
@@ -249,7 +256,10 @@ export const IntegrationsSection = ({
                     <div className="flex items-end opacity-80 duration-200 hover:opacity-100">
                       <Tooltip content="Remove Integration">
                         <IconButton
-                          onClick={() => handlePopUpOpen("deleteConfirmation", integration)}
+                          onClick={() => {
+                            setShouldDeleteSecrets.off();
+                            handlePopUpOpen("deleteConfirmation", integration);
+                          }}
                           ariaLabel="delete"
                           isDisabled={!isAllowed}
                           colorSchema="danger"
@@ -281,11 +291,49 @@ export const IntegrationsSection = ({
           (popUp?.deleteConfirmation?.data as TIntegration)?.integration ||
           ""
         }
-        onDeleteApproved={async () =>
-          onIntegrationDelete(popUp?.deleteConfirmation.data as TIntegration, () =>
-            handlePopUpClose("deleteConfirmation")
-          )
-        }
+        onDeleteApproved={async () => {
+          if (shouldDeleteSecrets) {
+            handlePopUpOpen("deleteSecretsConfirmation");
+            return;
+          }
+
+          await onIntegrationDelete(
+            (popUp?.deleteConfirmation.data as TIntegration).id,
+            false,
+            () => handlePopUpClose("deleteConfirmation")
+          );
+        }}
+      >
+        {(popUp?.deleteConfirmation?.data as TIntegration)?.integration === "github" && (
+          <div className="mt-4">
+            <Checkbox
+              id="delete-integration-secrets"
+              checkIndicatorBg="text-white"
+              onCheckedChange={() => setShouldDeleteSecrets.toggle()}
+            >
+              Delete previously synced secrets from the destination
+            </Checkbox>
+          </div>
+        )}
+      </DeleteActionModal>
+      <DeleteActionModal
+        isOpen={popUp.deleteSecretsConfirmation.isOpen}
+        title={`Are you sure you also want to delete secrets on ${
+          (popUp?.deleteConfirmation.data as TIntegration)?.integration
+        }?`}
+        subTitle="By confirming, you acknowledge that all secrets managed by this integration will be removed from the destination. This action is irreversible."
+        onChange={(isOpen) => handlePopUpToggle("deleteSecretsConfirmation", isOpen)}
+        deleteKey="confirm"
+        onDeleteApproved={async () => {
+          await onIntegrationDelete(
+            (popUp?.deleteConfirmation.data as TIntegration).id,
+            true,
+            () => {
+              handlePopUpClose("deleteSecretsConfirmation");
+              handlePopUpClose("deleteConfirmation");
+            }
+          );
+        }}
       />
     </div>
   );

frontend/src/views/Org/MembersPage/components/OrgRoleTabSection/OrgRoleModifySection/WorkspacePermission.tsx

@@ -1,133 +0,0 @@
-import { useEffect, useMemo } from "react";
-import { Control, Controller, UseFormSetValue, useWatch } from "react-hook-form";
-import { faMoneyBill } from "@fortawesome/free-solid-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-import { motion } from "framer-motion";
-import { twMerge } from "tailwind-merge";
-
-import { Checkbox, Select, SelectItem } from "@app/components/v2";
-import { useToggle } from "@app/hooks";
-
-import { TFormSchema } from "../../../../RolePage/components/OrgRoleModifySection.utils";
-
-type Props = {
-  isNonEditable?: boolean;
-  setValue: UseFormSetValue<TFormSchema>;
-  control: Control<TFormSchema>;
-};
-
-enum Permission {
-  NoAccess = "no-access",
-  ReadOnly = "read-only",
-  FullAccess = "full-acess",
-  Custom = "custom"
-}
-
-const PERMISSIONS = [
-  { action: "read", label: "View projects" },
-  { action: "create", label: "Create new projects" }
-] as const;
-
-export const WorkspacePermission = ({ isNonEditable, setValue, control }: Props) => {
-  const rule = useWatch({
-    control,
-    name: "permissions.workspace"
-  });
-  const [isCustom, setIsCustom] = useToggle();
-
-  const selectedPermissionCategory = useMemo(() => {
-    const actions = Object.keys(rule || {}) as Array<keyof typeof rule>;
-    const totalActions = PERMISSIONS.length;
-    const score = actions.map((key) => (rule?.[key] ? 1 : 0)).reduce((a, b) => a + b, 0 as number);
-
-    if (isCustom) return Permission.Custom;
-    if (score === 0) return Permission.NoAccess;
-    if (score === totalActions) return Permission.FullAccess;
-    if (score === 1 && rule?.read) return Permission.ReadOnly;
-
-    return Permission.Custom;
-  }, [rule, isCustom]);
-
-  useEffect(() => {
-    if (selectedPermissionCategory === Permission.Custom) setIsCustom.on();
-    else setIsCustom.off();
-  }, [selectedPermissionCategory]);
-
-  const handlePermissionChange = (val: Permission) => {
-    if (val === Permission.Custom) setIsCustom.on();
-    else setIsCustom.off();
-
-    switch (val) {
-      case Permission.NoAccess:
-        setValue("permissions.workspace", { read: false, create: false }, { shouldDirty: true });
-        break;
-      case Permission.FullAccess:
-        setValue("permissions.workspace", { read: true, create: true }, { shouldDirty: true });
-        break;
-      case Permission.ReadOnly:
-        setValue("permissions.workspace", { read: true, create: false }, { shouldDirty: true });
-        break;
-      default:
-        setValue("permissions.workspace", { read: false, create: false }, { shouldDirty: true });
-        break;
-    }
-  };
-
-  return (
-    <div
-      className={twMerge(
-        "rounded-md bg-mineshaft-800 px-10 py-6",
-        selectedPermissionCategory !== Permission.NoAccess && "border-l-2 border-primary-600"
-      )}
-    >
-      <div className="flex items-center space-x-4">
-        <div>
-          <FontAwesomeIcon icon={faMoneyBill} className="text-4xl" />
-        </div>
-        <div className="flex flex-grow flex-col">
-          <div className="mb-1 text-lg font-medium">Project</div>
-          <div className="text-xs font-light">
-            View and create new projects in this organization
-          </div>
-        </div>
-        <div>
-          <Select
-            defaultValue={Permission.NoAccess}
-            isDisabled={isNonEditable}
-            value={selectedPermissionCategory}
-            onValueChange={handlePermissionChange}
-          >
-            <SelectItem value={Permission.NoAccess}>No Access</SelectItem>
-            <SelectItem value={Permission.ReadOnly}>Read Only</SelectItem>
-            <SelectItem value={Permission.FullAccess}>Full Access</SelectItem>
-            <SelectItem value={Permission.Custom}>Custom</SelectItem>
-          </Select>
-        </div>
-      </div>
-      <motion.div
-        initial={false}
-        animate={{ height: isCustom ? "2.5rem" : 0, paddingTop: isCustom ? "1rem" : 0 }}
-        className="grid auto-cols-min grid-flow-col gap-8 overflow-hidden"
-      >
-        {isCustom &&
-          PERMISSIONS.map(({ action, label }) => (
-            <Controller
-              name={`permissions.workspace.${action}`}
-              key={`permissions.workspace.${action}`}
-              control={control}
-              render={({ field }) => (
-                <Checkbox
-                  isChecked={field.value}
-                  onCheckedChange={field.onChange}
-                  id={`permissions.workspace.${action}`}
-                  isDisabled={isNonEditable}
-                >
-                  {label}
-                </Checkbox>
-              )}
-            />
-          ))}
-      </motion.div>
-    </div>
-  );
-};

frontend/src/views/Org/RolePage/components/OrgRoleModifySection.utils.ts

@@ -12,6 +12,12 @@ const generalPermissionSchema = z
   })
   .optional();
 
+const adminConsolePermissionSchmea = z
+  .object({
+    "access-all-projects": z.boolean().optional()
+  })
+  .optional();
+
 export const formSchema = z.object({
   name: z.string().trim(),
   description: z.string().trim().optional(),
@@ -23,7 +29,6 @@ export const formSchema = z.object({
     .object({
       workspace: z
         .object({
-          read: z.boolean().optional(),
           create: z.boolean().optional()
         })
         .optional(),
@@ -38,7 +43,8 @@ export const formSchema = z.object({
       scim: generalPermissionSchema,
       ldap: generalPermissionSchema,
       billing: generalPermissionSchema,
-      identity: generalPermissionSchema
+      identity: generalPermissionSchema,
+      "organization-admin-console": adminConsolePermissionSchmea
     })
     .optional()
 });

frontend/src/views/Org/RolePage/components/RolePermissionsSection/OrgPermissionAdminConsoleRow.tsx

@@ -0,0 +1,135 @@
+import { useEffect, useMemo } from "react";
+import { Control, Controller, UseFormSetValue, useWatch } from "react-hook-form";
+import { faChevronDown, faChevronRight } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+import { createNotification } from "@app/components/notifications";
+import { Checkbox, Select, SelectItem, Td, Tr } from "@app/components/v2";
+import { useToggle } from "@app/hooks";
+import { TFormSchema } from "@app/views/Org/RolePage/components/OrgRoleModifySection.utils";
+
+type Props = {
+  isEditable: boolean;
+  setValue: UseFormSetValue<TFormSchema>;
+  control: Control<TFormSchema>;
+};
+
+enum Permission {
+  NoAccess = "no-access",
+  Custom = "custom"
+}
+
+const PERMISSION_ACTIONS = [
+  { action: "access-all-projects", label: "Access all organization projects" }
+] as const;
+
+export const OrgPermissionAdminConsoleRow = ({ isEditable, control, setValue }: Props) => {
+  const [isRowExpanded, setIsRowExpanded] = useToggle();
+  const [isCustom, setIsCustom] = useToggle();
+
+  const rule = useWatch({
+    control,
+    name: "permissions.organization-admin-console"
+  });
+
+  const selectedPermissionCategory = useMemo(() => {
+    if (rule?.["access-all-projects"]) {
+      return Permission.Custom;
+    }
+    return Permission.NoAccess;
+  }, [rule, isCustom]);
+
+  useEffect(() => {
+    if (selectedPermissionCategory === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
+  }, [selectedPermissionCategory]);
+
+  useEffect(() => {
+    const isRowCustom = selectedPermissionCategory === Permission.Custom;
+    if (isRowCustom) {
+      setIsRowExpanded.on();
+    }
+  }, []);
+
+  const handlePermissionChange = (val: Permission) => {
+    if (!val) return;
+    if (val === Permission.Custom) {
+      setIsRowExpanded.on();
+      setIsCustom.on();
+      return;
+    }
+    setIsCustom.off();
+
+    if (val === Permission.NoAccess) {
+      setValue(
+        "permissions.organization-admin-console",
+        { "access-all-projects": false },
+        { shouldDirty: true }
+      );
+    }
+  };
+
+  return (
+    <>
+      <Tr
+        className="h-10 cursor-pointer transition-colors duration-100 hover:bg-mineshaft-700"
+        onClick={() => setIsRowExpanded.toggle()}
+      >
+        <Td>
+          <FontAwesomeIcon icon={isRowExpanded ? faChevronDown : faChevronRight} />
+        </Td>
+        <Td>Organization Admin Console</Td>
+        <Td>
+          <Select
+            value={selectedPermissionCategory}
+            className="w-40 bg-mineshaft-600"
+            dropdownContainerClassName="border border-mineshaft-600 bg-mineshaft-800"
+            onValueChange={handlePermissionChange}
+            isDisabled={!isEditable}
+          >
+            <SelectItem value={Permission.NoAccess}>No Access</SelectItem>
+            <SelectItem value={Permission.Custom}>Custom</SelectItem>
+          </Select>
+        </Td>
+      </Tr>
+      {isRowExpanded && (
+        <Tr>
+          <Td
+            colSpan={3}
+            className={`bg-bunker-600 px-0 py-0 ${isRowExpanded && " border-mineshaft-500 p-8"}`}
+          >
+            <div className="grid grid-cols-3 gap-4">
+              {PERMISSION_ACTIONS.map(({ action, label }) => {
+                return (
+                  <Controller
+                    name={`permissions.organization-admin-console.${action}`}
+                    key={`permissions.organization-admin-console.${action}`}
+                    control={control}
+                    render={({ field }) => (
+                      <Checkbox
+                        isChecked={field.value}
+                        onCheckedChange={(e) => {
+                          if (!isEditable) {
+                            createNotification({
+                              type: "error",
+                              text: "Failed to update default role"
+                            });
+                            return;
+                          }
+                          field.onChange(e);
+                        }}
+                        id={`permissions.organization-admin-console.${action}`}
+                      >
+                        {label}
+                      </Checkbox>
+                    )}
+                  />
+                );
+              })}
+            </div>
+          </Td>
+        </Tr>
+      )}
+    </>
+  );
+};

frontend/src/views/Org/RolePage/components/RolePermissionsSection/OrgRoleWorkspaceRow.tsx

@@ -0,0 +1,129 @@
+import { useEffect, useMemo } from "react";
+import { Control, Controller, UseFormSetValue, useWatch } from "react-hook-form";
+import { faChevronDown, faChevronRight } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+import { createNotification } from "@app/components/notifications";
+import { Checkbox, Select, SelectItem, Td, Tr } from "@app/components/v2";
+import { useToggle } from "@app/hooks";
+import { TFormSchema } from "@app/views/Org/RolePage/components/OrgRoleModifySection.utils";
+
+type Props = {
+  isEditable: boolean;
+  setValue: UseFormSetValue<TFormSchema>;
+  control: Control<TFormSchema>;
+};
+
+enum Permission {
+  NoAccess = "no-access",
+  Custom = "custom"
+}
+
+const PERMISSION_ACTIONS = [{ action: "create", label: "Create projects" }] as const;
+
+export const OrgRoleWorkspaceRow = ({ isEditable, control, setValue }: Props) => {
+  const [isRowExpanded, setIsRowExpanded] = useToggle();
+  const [isCustom, setIsCustom] = useToggle();
+
+  const rule = useWatch({
+    control,
+    name: "permissions.workspace"
+  });
+
+  const selectedPermissionCategory = useMemo(() => {
+    if (rule?.create) {
+      return Permission.Custom;
+    }
+    return Permission.NoAccess;
+  }, [rule, isCustom]);
+
+  useEffect(() => {
+    if (selectedPermissionCategory === Permission.Custom) setIsCustom.on();
+    else setIsCustom.off();
+  }, [selectedPermissionCategory]);
+
+  useEffect(() => {
+    const isRowCustom = selectedPermissionCategory === Permission.Custom;
+    if (isRowCustom) {
+      setIsRowExpanded.on();
+    }
+  }, []);
+
+  const handlePermissionChange = (val: Permission) => {
+    if (!val) return;
+    if (val === Permission.Custom) {
+      setIsRowExpanded.on();
+      setIsCustom.on();
+      return;
+    }
+    setIsCustom.off();
+
+    if (val === Permission.NoAccess) {
+      setValue("permissions.workspace", { create: false }, { shouldDirty: true });
+    }
+  };
+
+  return (
+    <>
+      <Tr
+        className="h-10 cursor-pointer transition-colors duration-100 hover:bg-mineshaft-700"
+        onClick={() => setIsRowExpanded.toggle()}
+      >
+        <Td>
+          <FontAwesomeIcon icon={isRowExpanded ? faChevronDown : faChevronRight} />
+        </Td>
+        <Td>Project</Td>
+        <Td>
+          <Select
+            value={selectedPermissionCategory}
+            className="w-40 bg-mineshaft-600"
+            dropdownContainerClassName="border border-mineshaft-600 bg-mineshaft-800"
+            onValueChange={handlePermissionChange}
+            isDisabled={!isEditable}
+          >
+            <SelectItem value={Permission.NoAccess}>No Access</SelectItem>
+            <SelectItem value={Permission.Custom}>Custom</SelectItem>
+          </Select>
+        </Td>
+      </Tr>
+      {isRowExpanded && (
+        <Tr>
+          <Td
+            colSpan={3}
+            className={`bg-bunker-600 px-0 py-0 ${isRowExpanded && " border-mineshaft-500 p-8"}`}
+          >
+            <div className="grid grid-cols-3 gap-4">
+              {PERMISSION_ACTIONS.map(({ action, label }) => {
+                return (
+                  <Controller
+                    name={`permissions.workspace.${action}`}
+                    key={`permissions.workspace.${action}`}
+                    control={control}
+                    render={({ field }) => (
+                      <Checkbox
+                        isChecked={field.value}
+                        onCheckedChange={(e) => {
+                          if (!isEditable) {
+                            createNotification({
+                              type: "error",
+                              text: "Failed to update default role"
+                            });
+                            return;
+                          }
+                          field.onChange(e);
+                        }}
+                        id={`permissions.organization-admin-console.${action}`}
+                      >
+                        {label}
+                      </Checkbox>
+                    )}
+                  />
+                );
+              })}
+            </div>
+          </Td>
+        </Tr>
+      )}
+    </>
+  );
+};

frontend/src/views/Org/RolePage/components/RolePermissionsSection/RolePermissionRow.tsx

@@ -61,7 +61,10 @@ const getPermissionList = (option: string) => {
 type Props = {
   isEditable: boolean;
   title: string;
-  formName: keyof Omit<Exclude<TFormSchema["permissions"], undefined>, "workspace">;
+  formName: keyof Omit<
+    Exclude<TFormSchema["permissions"], undefined>,
+    "workspace" | "organization-admin-console"
+  >;
   setValue: UseFormSetValue<TFormSchema>;
   control: Control<TFormSchema>;
 };

frontend/src/views/Org/RolePage/components/RolePermissionsSection/RolePermissionsSection.tsx

@@ -12,6 +12,8 @@ import {
   TFormSchema
 } from "@app/views/Org/RolePage/components/OrgRoleModifySection.utils";
 
+import { OrgPermissionAdminConsoleRow } from "./OrgPermissionAdminConsoleRow";
+import { OrgRoleWorkspaceRow } from "./OrgRoleWorkspaceRow";
 import { RolePermissionRow } from "./RolePermissionRow";
 
 const SIMPLE_PERMISSION_OPTIONS = [
@@ -153,6 +155,16 @@ export const RolePermissionsSection = ({ roleId }: Props) => {
                   />
                 );
               })}
+              <OrgRoleWorkspaceRow
+                control={control}
+                setValue={setValue}
+                isEditable={isCustomRole}
+              />
+              <OrgPermissionAdminConsoleRow
+                control={control}
+                setValue={setValue}
+                isEditable={isCustomRole}
+              />
             </TBody>
           </Table>
         </TableContainer>

frontend/src/views/OrgAdminPage/OrgAdminPage.tsx

@@ -0,0 +1,30 @@
+import { useState } from "react";
+
+import { Tab, TabList, TabPanel, Tabs } from "@app/components/v2";
+
+import { OrgAdminProjects } from "./components/OrgAdminProjects";
+
+enum TabSections {
+  Projects = "projects"
+}
+
+export const OrgAdminPage = () => {
+  const [activeTab, setActiveTab] = useState<TabSections>(TabSections.Projects);
+  return (
+    <div className="flex w-full justify-center bg-bunker-800 py-6 text-white">
+      <div className="w-full max-w-6xl px-6">
+        <div className="mb-4">
+          <p className="text-3xl font-semibold text-gray-200">Organization Admin Console</p>
+        </div>
+        <Tabs value={activeTab} onValueChange={(el) => setActiveTab(el as TabSections)}>
+          <TabList>
+            <Tab value={TabSections.Projects}>Projects</Tab>
+          </TabList>
+          <TabPanel value={TabSections.Projects}>
+            <OrgAdminProjects />
+          </TabPanel>
+        </Tabs>
+      </div>
+    </div>
+  );
+};

frontend/src/views/OrgAdminPage/components/OrgAdminProjects/OrgAdminProjects.tsx

@@ -0,0 +1,167 @@
+import { useState } from "react";
+import { useRouter } from "next/router";
+import { faEllipsis, faMagnifyingGlass, faSignIn } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { format } from "date-fns";
+import { motion } from "framer-motion";
+
+import { createNotification } from "@app/components/notifications";
+import {
+  Button,
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
+  EmptyState,
+  Input,
+  Pagination,
+  Spinner,
+  Table,
+  TableContainer,
+  TableSkeleton,
+  TBody,
+  Td,
+  Th,
+  THead,
+  Tr
+} from "@app/components/v2";
+import {
+  OrgPermissionAdminConsoleAction,
+  OrgPermissionSubjects
+} from "@app/context/OrgPermissionContext/types";
+import { withPermission } from "@app/hoc";
+import { useDebounce } from "@app/hooks";
+import { useOrgAdminAccessProject, useOrgAdminGetProjects } from "@app/hooks/api";
+
+export const OrgAdminProjects = withPermission(
+  () => {
+    const [page, setPage] = useState(1);
+    const [search, setSearch] = useState("");
+    const debouncedSearch = useDebounce(search);
+    const [perPage, setPerPage] = useState(25);
+    const router = useRouter();
+    const orgAdminAccessProject = useOrgAdminAccessProject();
+
+    const { data, isLoading: isProjectsLoading } = useOrgAdminGetProjects({
+      offset: (page - 1) * perPage,
+      limit: perPage,
+      search: debouncedSearch || undefined
+    });
+
+    const projects = data?.projects || [];
+    const projectCount = data?.count || 0;
+    const isEmpty = !isProjectsLoading && projects.length === 0;
+
+    const handleAccessProject = async (projectId: string) => {
+      try {
+        await orgAdminAccessProject.mutateAsync({
+          projectId
+        });
+        await router.push({
+          pathname: "/project/[projectId]/secrets/overview",
+          query: {
+            projectId
+          }
+        });
+      } catch {
+        createNotification({
+          text: "Failed to access project",
+          type: "error"
+        });
+      }
+    };
+
+    return (
+      <motion.div
+        key="panel-projects"
+        transition={{ duration: 0.15 }}
+        initial={{ opacity: 0, translateX: 30 }}
+        animate={{ opacity: 1, translateX: 0 }}
+        exit={{ opacity: 0, translateX: 30 }}
+      >
+        <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
+          <div className="mb-4 flex justify-between">
+            <p className="text-xl font-semibold text-mineshaft-100">Projects</p>
+          </div>
+          <div>
+            <Input
+              value={search}
+              onChange={(e) => setSearch(e.target.value)}
+              leftIcon={<FontAwesomeIcon icon={faMagnifyingGlass} />}
+              placeholder="Search by project name"
+            />
+            <TableContainer className="mt-4">
+              <Table>
+                <THead>
+                  <Tr>
+                    <Th>Name</Th>
+                    <Th>Slug</Th>
+                    <Th>Created At</Th>
+                    <Th className="w-5" />
+                  </Tr>
+                </THead>
+                <TBody>
+                  {isProjectsLoading && <TableSkeleton columns={4} innerKey="projects" />}
+                  {!isProjectsLoading &&
+                    projects?.map(({ name, slug, createdAt, id }) => (
+                      <Tr key={`project-${id}`} className="group w-full">
+                        <Td>{name}</Td>
+                        <Td>{slug}</Td>
+                        <Td>{format(new Date(createdAt), "yyyy-MM-dd, hh:mm aaa")}</Td>
+                        <Td>
+                          <div>
+                            <DropdownMenu>
+                              <DropdownMenuTrigger asChild className="rounded-lg">
+                                <Button
+                                  variant="link"
+                                  className="text-bunker-300 hover:text-primary-400 data-[state=open]:text-primary-400"
+                                >
+                                  <FontAwesomeIcon size="sm" icon={faEllipsis} />
+                                </Button>
+                              </DropdownMenuTrigger>
+                              <DropdownMenuContent align="start" className="p-1">
+                                <DropdownMenuItem
+                                  onClick={(e) => {
+                                    e.stopPropagation();
+                                    e.preventDefault();
+                                    handleAccessProject(id);
+                                  }}
+                                  icon={<FontAwesomeIcon icon={faSignIn} />}
+                                  disabled={
+                                    orgAdminAccessProject.variables?.projectId === id &&
+                                    orgAdminAccessProject.isLoading
+                                  }
+                                >
+                                  Access{" "}
+                                  {orgAdminAccessProject.variables?.projectId === id &&
+                                    orgAdminAccessProject.isLoading && <Spinner size="xs" />}
+                                </DropdownMenuItem>
+                              </DropdownMenuContent>
+                            </DropdownMenu>
+                          </div>
+                        </Td>
+                      </Tr>
+                    ))}
+                </TBody>
+              </Table>
+              {!isProjectsLoading && (
+                <Pagination
+                  count={projectCount}
+                  page={page}
+                  perPage={perPage}
+                  onChangePage={(newPage) => setPage(newPage)}
+                  onChangePerPage={(newPerPage) => setPerPage(newPerPage)}
+                />
+              )}
+              {isEmpty && <EmptyState title="No projects found" />}
+            </TableContainer>
+          </div>
+        </div>
+      </motion.div>
+    );
+  },
+  {
+    action: OrgPermissionAdminConsoleAction.AccessAllProjects,
+    subject: OrgPermissionSubjects.AdminConsole
+  }
+);

frontend/src/views/OrgAdminPage/components/OrgAdminProjects/index.tsx

@@ -0,0 +1 @@
+export { OrgAdminProjects } from "./OrgAdminProjects";

frontend/src/views/OrgAdminPage/index.tsx

@@ -0,0 +1 @@
+export { OrgAdminPage } from "./OrgAdminPage";

frontend/src/views/Project/AuditLogsPage/components/LogsTableRow.tsx

@@ -317,6 +317,12 @@ export const LogsTableRow = ({ auditLog }: Props) => {
             })}
           </Td>
         );
+      case EventType.ORG_ADMIN_ACCESS_PROJECT:
+        return (
+          <Td>
+            <p>{`Email: ${event.metadata.email}`}</p>
+          </Td>
+        );
       case EventType.CREATE_CA:
       case EventType.GET_CA:
       case EventType.UPDATE_CA:

frontend/src/views/SecretMainPage/components/CreateSecretForm/CreateSecretForm.tsx

@@ -1,3 +1,4 @@
+import { ClipboardEvent } from "react";
 import { Controller, useForm } from "react-hook-form";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { z } from "zod";
@@ -5,6 +6,7 @@ import { z } from "zod";
 import { createNotification } from "@app/components/notifications";
 import { Button, FormControl, Input, Modal, ModalContent } from "@app/components/v2";
 import { InfisicalSecretInput } from "@app/components/v2/InfisicalSecretInput";
+import { getKeyValue } from "@app/helpers/parseEnvVar";
 import { useCreateSecretV3 } from "@app/hooks/api";
 import { SecretType } from "@app/hooks/api/types";
 
@@ -38,6 +40,7 @@ export const CreateSecretForm = ({
     handleSubmit,
     control,
     reset,
+    setValue,
     formState: { errors, isSubmitting }
   } = useForm<TFormSchema>({ resolver: zodResolver(typeSchema) });
   const { isOpen } = usePopUpState(PopUpNames.CreateSecretForm);
@@ -73,6 +76,16 @@ export const CreateSecretForm = ({
     }
   };
 
+  const handlePaste = (e: ClipboardEvent<HTMLInputElement>) => {
+    e.preventDefault();
+    const delimitters = [":", "="];
+    const pastedContent = e.clipboardData.getData("text");
+    const { key, value } = getKeyValue(pastedContent, delimitters);
+
+    setValue("key", key);
+    setValue("value", value);
+  };
+
   return (
     <Modal
       isOpen={isOpen}
@@ -83,10 +96,16 @@ export const CreateSecretForm = ({
         subTitle="Add a secret to the particular environment and folder"
       >
         <form onSubmit={handleSubmit(handleFormSubmit)} noValidate>
-          <FormControl label="Key" isRequired isError={Boolean(errors?.key)} errorText={errors?.key?.message}>
+          <FormControl
+            label="Key"
+            isRequired
+            isError={Boolean(errors?.key)}
+            errorText={errors?.key?.message}
+          >
             <Input
               {...register("key")}
               placeholder="Type your secret name"
+              onPaste={handlePaste}
               autoCapitalization={autoCapitalize}
             />
           </FormControl>

frontend/src/views/SecretOverviewPage/components/CreateSecretForm/CreateSecretForm.tsx

@@ -1,3 +1,4 @@
+import { ClipboardEvent } from "react";
 import { Controller, useForm } from "react-hook-form";
 import { faWarning } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
@@ -17,8 +18,9 @@ import {
 } from "@app/components/v2";
 import { InfisicalSecretInput } from "@app/components/v2/InfisicalSecretInput";
 import { useWorkspace } from "@app/context";
+import { getKeyValue } from "@app/helpers/parseEnvVar";
 import { useCreateFolder, useCreateSecretV3, useUpdateSecretV3 } from "@app/hooks/api";
-import { SecretType,SecretV3RawSanitized } from "@app/hooks/api/types";
+import { SecretType, SecretV3RawSanitized } from "@app/hooks/api/types";
 
 const typeSchema = z
   .object({
@@ -54,6 +56,7 @@ export const CreateSecretForm = ({
     control,
     reset,
     watch,
+    setValue,
     formState: { isSubmitting, errors }
   } = useForm<TFormSchema>({ resolver: zodResolver(typeSchema) });
   const newSecretKey = watch("key");
@@ -133,6 +136,17 @@ export const CreateSecretForm = ({
       });
     }
   };
+
+  const handlePaste = (e: ClipboardEvent<HTMLInputElement>) => {
+    e.preventDefault();
+    const delimitters = [":", "="];
+    const pastedContent = e.clipboardData.getData("text");
+    const { key, value } = getKeyValue(pastedContent, delimitters);
+
+    setValue("key", key);
+    setValue("value", value);
+  };
+
   return (
     <Modal isOpen={isOpen} onOpenChange={onTogglePopUp}>
       <ModalContent
@@ -141,10 +155,16 @@ export const CreateSecretForm = ({
         subTitle="Create & update a secret across many environments"
       >
         <form onSubmit={handleSubmit(handleFormSubmit)} noValidate>
-          <FormControl label="Key" isRequired isError={Boolean(errors?.key)} errorText={errors?.key?.message}>
+          <FormControl
+            label="Key"
+            isRequired
+            isError={Boolean(errors?.key)}
+            errorText={errors?.key?.message}
+          >
             <Input
               {...register("key")}
               placeholder="Type your secret name"
+              onPaste={handlePaste}
               autoCapitalization={currentWorkspace?.autoCapitalization}
             />
           </FormControl>