feat: fixed UI and added permissions check to backend

Feature: Add Data Region Select

.env.example

@@ -72,6 +72,3 @@ PLAIN_API_KEY=
 PLAIN_WISH_LABEL_IDS=
 
 SSL_CLIENT_CERTIFICATE_HEADER_KEY=
-
-WORKFLOW_SLACK_CLIENT_ID=
-WORKFLOW_SLACK_CLIENT_SECRET=

backend/e2e-test/routes/v1/secret-approval-policy.spec.ts

@@ -1,6 +1,7 @@
 import { seedData1 } from "@app/db/seed-data";
+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 
-const createPolicy = async (dto: { name: string; secretPath: string; approvers: string[]; approvals: number }) => {
+const createPolicy = async (dto: { name: string; secretPath: string; approvers: {type: ApproverType.User, id: string}[]; approvals: number }) => {
   const res = await testServer.inject({
     method: "POST",
     url: `/api/v1/secret-approvals`,
@@ -26,7 +27,7 @@ describe("Secret approval policy router", async () => {
     const policy = await createPolicy({
       secretPath: "/",
       approvals: 1,
-      approvers: [seedData1.id],
+      approvers: [{id:seedData1.id, type: ApproverType.User}],
       name: "test-policy"
     });
 

backend/e2e-test/routes/v2/service-token.spec.ts

@@ -510,7 +510,7 @@ describe("Service token fail cases", async () => {
         authorization: `Bearer ${serviceToken}`
       }
     });
-    expect(fetchSecrets.statusCode).toBe(401);
+    expect(fetchSecrets.statusCode).toBe(403);
     expect(fetchSecrets.json().error).toBe("PermissionDenied");
     await deleteServiceToken();
   });
@@ -532,7 +532,7 @@ describe("Service token fail cases", async () => {
         authorization: `Bearer ${serviceToken}`
       }
     });
-    expect(fetchSecrets.statusCode).toBe(401);
+    expect(fetchSecrets.statusCode).toBe(403);
     expect(fetchSecrets.json().error).toBe("PermissionDenied");
     await deleteServiceToken();
   });
@@ -557,7 +557,7 @@ describe("Service token fail cases", async () => {
         authorization: `Bearer ${serviceToken}`
       }
     });
-    expect(writeSecrets.statusCode).toBe(401);
+    expect(writeSecrets.statusCode).toBe(403);
     expect(writeSecrets.json().error).toBe("PermissionDenied");
 
     // but read access should still work fine

backend/e2e-test/routes/v3/secrets.spec.ts

@@ -1075,7 +1075,7 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
       },
       body: createSecretReqBody
     });
-    expect(createSecRes.statusCode).toBe(400);
+    expect(createSecRes.statusCode).toBe(404);
   });
 
   test("Update secret raw", async () => {
@@ -1093,7 +1093,7 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
       },
       body: updateSecretReqBody
     });
-    expect(updateSecRes.statusCode).toBe(400);
+    expect(updateSecRes.statusCode).toBe(404);
   });
 
   test("Delete secret raw", async () => {
@@ -1110,6 +1110,6 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
       },
       body: deletedSecretReqBody
     });
-    expect(deletedSecRes.statusCode).toBe(400);
+    expect(deletedSecRes.statusCode).toBe(404);
   });
 });

backend/package-lock.json

@@ -81,10 +81,11 @@
         "pino": "^8.16.2",
         "pkijs": "^3.2.4",
         "posthog-node": "^3.6.2",
-        "probot": "^13.0.0",
+        "probot": "^13.3.8",
         "safe-regex": "^2.1.1",
         "scim-patch": "^0.8.3",
         "scim2-parse-filter": "^0.2.10",
+        "sjcl": "^1.0.8",
         "smee-client": "^2.0.0",
         "tedious": "^18.2.1",
         "tweetnacl": "^1.0.3",
@@ -117,6 +118,7 @@
         "@types/prompt-sync": "^4.2.3",
         "@types/resolve": "^1.20.6",
         "@types/safe-regex": "^1.1.6",
+        "@types/sjcl": "^1.0.34",
         "@types/uuid": "^9.0.7",
         "@typescript-eslint/eslint-plugin": "^6.20.0",
         "@typescript-eslint/parser": "^6.20.0",
@@ -7296,6 +7298,13 @@
         "@types/node": "*"
       }
     },
+    "node_modules/@types/sjcl": {
+      "version": "1.0.34",
+      "resolved": "https://registry.npmjs.org/@types/sjcl/-/sjcl-1.0.34.tgz",
+      "integrity": "sha512-bQHEeK5DTQRunIfQeUMgtpPsNNCcZyQ9MJuAfW1I7iN0LDunTc78Fu17STbLMd7KiEY/g2zHVApippa70h6HoQ==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@types/uuid": {
       "version": "9.0.7",
       "resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-9.0.7.tgz",
@@ -8018,6 +8027,7 @@
       "version": "1.3.8",
       "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
       "integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==",
+      "license": "MIT",
       "dependencies": {
         "mime-types": "~2.1.34",
         "negotiator": "0.6.3"
@@ -8336,7 +8346,8 @@
     "node_modules/array-flatten": {
       "version": "1.1.1",
       "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz",
-      "integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg=="
+      "integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg==",
+      "license": "MIT"
     },
     "node_modules/array-includes": {
       "version": "3.1.7",
@@ -8814,9 +8825,10 @@
       }
     },
     "node_modules/body-parser": {
-      "version": "1.20.2",
-      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz",
-      "integrity": "sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==",
+      "version": "1.20.3",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.3.tgz",
+      "integrity": "sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==",
+      "license": "MIT",
       "dependencies": {
         "bytes": "3.1.2",
         "content-type": "~1.0.5",
@@ -8826,7 +8838,7 @@
         "http-errors": "2.0.0",
         "iconv-lite": "0.4.24",
         "on-finished": "2.4.1",
-        "qs": "6.11.0",
+        "qs": "6.13.0",
         "raw-body": "2.5.2",
         "type-is": "~1.6.18",
         "unpipe": "1.0.0"
@@ -8840,6 +8852,7 @@
       "version": "2.6.9",
       "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
       "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "license": "MIT",
       "dependencies": {
         "ms": "2.0.0"
       }
@@ -8848,6 +8861,7 @@
       "version": "0.4.24",
       "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
       "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+      "license": "MIT",
       "dependencies": {
         "safer-buffer": ">= 2.1.2 < 3"
       },
@@ -8858,7 +8872,8 @@
     "node_modules/body-parser/node_modules/ms": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+      "license": "MIT"
     },
     "node_modules/bottleneck": {
       "version": "2.19.5",
@@ -9006,6 +9021,7 @@
       "version": "3.1.2",
       "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
       "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==",
+      "license": "MIT",
       "engines": {
         "node": ">= 0.8"
       }
@@ -9028,13 +9044,19 @@
       }
     },
     "node_modules/call-bind": {
-      "version": "1.0.5",
-      "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.5.tgz",
-      "integrity": "sha512-C3nQxfFZxFRVoJoGKKI8y3MOEo129NQ+FgQ08iye+Mk4zNZZGdjfs06bVTr+DBSlA66Q2VEcMki/cUCP4SercQ==",
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.7.tgz",
+      "integrity": "sha512-GHTSNSYICQ7scH7sZ+M2rFopRoLh8t2bLSW6BbgrtLsahOIB5iyAVJf9GjWK3cYTDaMj4XdBpM1cA6pIS0Kv2w==",
+      "license": "MIT",
       "dependencies": {
+        "es-define-property": "^1.0.0",
+        "es-errors": "^1.3.0",
         "function-bind": "^1.1.2",
-        "get-intrinsic": "^1.2.1",
-        "set-function-length": "^1.1.1"
+        "get-intrinsic": "^1.2.4",
+        "set-function-length": "^1.2.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
       },
       "funding": {
         "url": "https://github.com/sponsors/ljharb"
@@ -9379,6 +9401,7 @@
       "version": "1.0.5",
       "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz",
       "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==",
+      "license": "MIT",
       "engines": {
         "node": ">= 0.6"
       }
@@ -9543,16 +9566,20 @@
       }
     },
     "node_modules/define-data-property": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/define-data-property/-/define-data-property-1.1.1.tgz",
-      "integrity": "sha512-E7uGkTzkk1d0ByLeSc6ZsFS79Axg+m1P/VsgYsxHgiuc3tFSj+MjMIwe90FC4lOAZzNBdY7kkO2P2wKdsQ1vgQ==",
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/define-data-property/-/define-data-property-1.1.4.tgz",
+      "integrity": "sha512-rBMvIzlpA8v6E+SJZoo++HAYqsLrkg7MSfIinMPFhmkorw7X+dOXVJQs+QT69zGkzMyfDnIMN2Wid1+NbL3T+A==",
+      "license": "MIT",
       "dependencies": {
-        "get-intrinsic": "^1.2.1",
-        "gopd": "^1.0.1",
-        "has-property-descriptors": "^1.0.0"
+        "es-define-property": "^1.0.0",
+        "es-errors": "^1.3.0",
+        "gopd": "^1.0.1"
       },
       "engines": {
         "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
       }
     },
     "node_modules/define-lazy-prop": {
@@ -9618,6 +9645,7 @@
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
       "integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==",
+      "license": "MIT",
       "engines": {
         "node": ">= 0.8",
         "npm": "1.2.8000 || >= 1.4.16"
@@ -9724,7 +9752,8 @@
     "node_modules/ee-first": {
       "version": "1.1.1",
       "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
-      "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow=="
+      "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==",
+      "license": "MIT"
     },
     "node_modules/electron-to-chromium": {
       "version": "1.4.816",
@@ -9738,9 +9767,10 @@
       "integrity": "sha512-QpLs9D9v9kArv4lfDEgg1X/gN5XLnf/A6l9cs8SPZLRZR3ZkY9+kwIQTxm+fsSej5UMYGE8fdoaZVIBlqG0XTw=="
     },
     "node_modules/encodeurl": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz",
-      "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz",
+      "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==",
+      "license": "MIT",
       "engines": {
         "node": ">= 0.8"
       }
@@ -9827,6 +9857,27 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/es-define-property": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.0.tgz",
+      "integrity": "sha512-jxayLKShrEqqzJ0eumQbVhTYQM27CfT1T35+gCgDFoL82JLsXqTJ76zv6A0YLOgEnLUMvLzsDsGIrl8NFpT2gQ==",
+      "license": "MIT",
+      "dependencies": {
+        "get-intrinsic": "^1.2.4"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-errors": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
     "node_modules/es-set-tostringtag": {
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.0.2.tgz",
@@ -10452,6 +10503,7 @@
       "version": "1.8.1",
       "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
       "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==",
+      "license": "MIT",
       "engines": {
         "node": ">= 0.6"
       }
@@ -10495,36 +10547,37 @@
       }
     },
     "node_modules/express": {
-      "version": "4.19.2",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz",
-      "integrity": "sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==",
+      "version": "4.21.0",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.21.0.tgz",
+      "integrity": "sha512-VqcNGcj/Id5ZT1LZ/cfihi3ttTn+NJmkli2eZADigjq29qTlWi/hAQ43t/VLPq8+UX06FCEx3ByOYet6ZFblng==",
+      "license": "MIT",
       "dependencies": {
         "accepts": "~1.3.8",
         "array-flatten": "1.1.1",
-        "body-parser": "1.20.2",
+        "body-parser": "1.20.3",
         "content-disposition": "0.5.4",
         "content-type": "~1.0.4",
         "cookie": "0.6.0",
         "cookie-signature": "1.0.6",
         "debug": "2.6.9",
         "depd": "2.0.0",
-        "encodeurl": "~1.0.2",
+        "encodeurl": "~2.0.0",
         "escape-html": "~1.0.3",
         "etag": "~1.8.1",
-        "finalhandler": "1.2.0",
+        "finalhandler": "1.3.1",
         "fresh": "0.5.2",
         "http-errors": "2.0.0",
-        "merge-descriptors": "1.0.1",
+        "merge-descriptors": "1.0.3",
         "methods": "~1.1.2",
         "on-finished": "2.4.1",
         "parseurl": "~1.3.3",
-        "path-to-regexp": "0.1.7",
+        "path-to-regexp": "0.1.10",
         "proxy-addr": "~2.0.7",
-        "qs": "6.11.0",
+        "qs": "6.13.0",
         "range-parser": "~1.2.1",
         "safe-buffer": "5.2.1",
-        "send": "0.18.0",
-        "serve-static": "1.15.0",
+        "send": "0.19.0",
+        "serve-static": "1.16.2",
         "setprototypeof": "1.2.0",
         "statuses": "2.0.1",
         "type-is": "~1.6.18",
@@ -10588,6 +10641,7 @@
       "version": "0.6.0",
       "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz",
       "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==",
+      "license": "MIT",
       "engines": {
         "node": ">= 0.6"
       }
@@ -10595,12 +10649,14 @@
     "node_modules/express/node_modules/cookie-signature": {
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
-      "integrity": "sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ=="
+      "integrity": "sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ==",
+      "license": "MIT"
     },
     "node_modules/express/node_modules/debug": {
       "version": "2.6.9",
       "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
       "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "license": "MIT",
       "dependencies": {
         "ms": "2.0.0"
       }
@@ -10608,7 +10664,8 @@
     "node_modules/express/node_modules/ms": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+      "license": "MIT"
     },
     "node_modules/extend": {
       "version": "3.0.2",
@@ -10815,12 +10872,13 @@
       }
     },
     "node_modules/finalhandler": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.2.0.tgz",
-      "integrity": "sha512-5uXcUVftlQMFnWC9qu/svkWv3GTd2PfUhK/3PLkYNAe7FbqJMt3515HaxE6eRL74GdsriiwujiawdaB1BpEISg==",
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.3.1.tgz",
+      "integrity": "sha512-6BN9trH7bp3qvnrRyzsBz+g3lZxTNZTbVO2EV1CS0WIcDbawYVdYvGflME/9QP0h0pYlCDBCTjYa9nZzMDpyxQ==",
+      "license": "MIT",
       "dependencies": {
         "debug": "2.6.9",
-        "encodeurl": "~1.0.2",
+        "encodeurl": "~2.0.0",
         "escape-html": "~1.0.3",
         "on-finished": "2.4.1",
         "parseurl": "~1.3.3",
@@ -10835,6 +10893,7 @@
       "version": "2.6.9",
       "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
       "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "license": "MIT",
       "dependencies": {
         "ms": "2.0.0"
       }
@@ -10842,7 +10901,8 @@
     "node_modules/finalhandler/node_modules/ms": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+      "license": "MIT"
     },
     "node_modules/find-my-way": {
       "version": "8.1.0",
@@ -11008,6 +11068,7 @@
       "version": "0.5.2",
       "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
       "integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==",
+      "license": "MIT",
       "engines": {
         "node": ">= 0.6"
       }
@@ -11365,15 +11426,20 @@
       }
     },
     "node_modules/get-intrinsic": {
-      "version": "1.2.2",
-      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.2.2.tgz",
-      "integrity": "sha512-0gSo4ml/0j98Y3lngkFEot/zhiCeWsbYIlZ+uZOVgzLyLaUw7wxUL+nCTP0XJvJg1AXulJRI3UJi8GsbDuxdGA==",
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.2.4.tgz",
+      "integrity": "sha512-5uYhsJH8VJBTv7oslg4BznJYhDoRI6waYCxMmCdnTrcCrHA/fCFKoTFz2JKKE0HdDFUF7/oQuhzumXJK7paBRQ==",
+      "license": "MIT",
       "dependencies": {
+        "es-errors": "^1.3.0",
         "function-bind": "^1.1.2",
         "has-proto": "^1.0.1",
         "has-symbols": "^1.0.3",
         "hasown": "^2.0.0"
       },
+      "engines": {
+        "node": ">= 0.4"
+      },
       "funding": {
         "url": "https://github.com/sponsors/ljharb"
       }
@@ -11719,11 +11785,12 @@
       }
     },
     "node_modules/has-property-descriptors": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/has-property-descriptors/-/has-property-descriptors-1.0.1.tgz",
-      "integrity": "sha512-VsX8eaIewvas0xnvinAe9bw4WfIeODpGYikiWYLH+dma0Jw6KHYqWiWfhQlgOVK8D6PvjubK5Uc4P0iIhIcNVg==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/has-property-descriptors/-/has-property-descriptors-1.0.2.tgz",
+      "integrity": "sha512-55JNKuIW+vq4Ke1BjOTjM2YctQIvCT7GFzHwmfZPGo5wnrgkid0YQtnAleFSqumZm4az3n2BS+erby5ipJdgrg==",
+      "license": "MIT",
       "dependencies": {
-        "get-intrinsic": "^1.2.2"
+        "es-define-property": "^1.0.0"
       },
       "funding": {
         "url": "https://github.com/sponsors/ljharb"
@@ -13276,6 +13343,7 @@
       "version": "0.3.0",
       "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
       "integrity": "sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==",
+      "license": "MIT",
       "engines": {
         "node": ">= 0.6"
       }
@@ -13286,9 +13354,13 @@
       "integrity": "sha512-ZS4Bp4r/Zoeq6+NLJpP+0Zzm0pR8whtGPf1XExKLJBAczGMnSi3It14OiNCStjQjM6NU1okjQGSxgEZN8eBYKg=="
     },
     "node_modules/merge-descriptors": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz",
-      "integrity": "sha512-cCi6g3/Zr1iqQi6ySbseM1Xvooa98N0w31jzUYrXPX2xqObmFGHJ0tQ5u74H3mVh7wLouTseZyYIq39g8cNp1w=="
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz",
+      "integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
     },
     "node_modules/merge-stream": {
       "version": "2.0.0",
@@ -13309,6 +13381,7 @@
       "version": "1.1.2",
       "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
       "integrity": "sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==",
+      "license": "MIT",
       "engines": {
         "node": ">= 0.6"
       }
@@ -13748,6 +13821,7 @@
       "version": "0.6.3",
       "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
       "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==",
+      "license": "MIT",
       "engines": {
         "node": ">= 0.6"
       }
@@ -14099,6 +14173,7 @@
       "version": "2.4.1",
       "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz",
       "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==",
+      "license": "MIT",
       "dependencies": {
         "ee-first": "1.1.1"
       },
@@ -14511,9 +14586,10 @@
       }
     },
     "node_modules/path-to-regexp": {
-      "version": "0.1.7",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz",
-      "integrity": "sha512-5DFkuoqlv1uYQKxy8omFBeJPQcdoE07Kv2sferDCrAq1ohOU+MSDswDIbnx3YAM60qIOnYa53wBhXW0EbMonrQ=="
+      "version": "0.1.10",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz",
+      "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==",
+      "license": "MIT"
     },
     "node_modules/path-type": {
       "version": "4.0.0",
@@ -14716,20 +14792,78 @@
       }
     },
     "node_modules/pino-http": {
-      "version": "8.6.1",
-      "resolved": "https://registry.npmjs.org/pino-http/-/pino-http-8.6.1.tgz",
-      "integrity": "sha512-J0hiJgUExtBXP2BjrK4VB305tHXS31sCmWJ9XJo2wPkLHa1NFPuW4V9wjG27PAc2fmBCigiNhQKpvrx+kntBPA==",
+      "version": "10.3.0",
+      "resolved": "https://registry.npmjs.org/pino-http/-/pino-http-10.3.0.tgz",
+      "integrity": "sha512-kaHQqt1i5S9LXWmyuw6aPPqYW/TjoDPizPs4PnDW4hSpajz2Uo/oisNliLf7We1xzpiLacdntmw8yaZiEkppQQ==",
+      "license": "MIT",
       "dependencies": {
         "get-caller-file": "^2.0.5",
-        "pino": "^8.17.1",
-        "pino-std-serializers": "^6.2.2",
-        "process-warning": "^3.0.0"
+        "pino": "^9.0.0",
+        "pino-std-serializers": "^7.0.0",
+        "process-warning": "^4.0.0"
       }
     },
+    "node_modules/pino-http/node_modules/pino": {
+      "version": "9.4.0",
+      "resolved": "https://registry.npmjs.org/pino/-/pino-9.4.0.tgz",
+      "integrity": "sha512-nbkQb5+9YPhQRz/BeQmrWpEknAaqjpAqRK8NwJpmrX/JHu7JuZC5G1CeAwJDJfGes4h+YihC6in3Q2nGb+Y09w==",
+      "license": "MIT",
+      "dependencies": {
+        "atomic-sleep": "^1.0.0",
+        "fast-redact": "^3.1.1",
+        "on-exit-leak-free": "^2.1.0",
+        "pino-abstract-transport": "^1.2.0",
+        "pino-std-serializers": "^7.0.0",
+        "process-warning": "^4.0.0",
+        "quick-format-unescaped": "^4.0.3",
+        "real-require": "^0.2.0",
+        "safe-stable-stringify": "^2.3.1",
+        "sonic-boom": "^4.0.1",
+        "thread-stream": "^3.0.0"
+      },
+      "bin": {
+        "pino": "bin.js"
+      }
+    },
+    "node_modules/pino-http/node_modules/pino-abstract-transport": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/pino-abstract-transport/-/pino-abstract-transport-1.2.0.tgz",
+      "integrity": "sha512-Guhh8EZfPCfH+PMXAb6rKOjGQEoy0xlAIn+irODG5kgfYV+BQ0rGYYWTIel3P5mmyXqkYkPmdIkywsn6QKUR1Q==",
+      "license": "MIT",
+      "dependencies": {
+        "readable-stream": "^4.0.0",
+        "split2": "^4.0.0"
+      }
+    },
+    "node_modules/pino-http/node_modules/pino-std-serializers": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/pino-std-serializers/-/pino-std-serializers-7.0.0.tgz",
+      "integrity": "sha512-e906FRY0+tV27iq4juKzSYPbUj2do2X2JX4EzSca1631EB2QJQUqGbDuERal7LCtOpxl6x3+nvo9NPZcmjkiFA==",
+      "license": "MIT"
+    },
     "node_modules/pino-http/node_modules/process-warning": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/process-warning/-/process-warning-3.0.0.tgz",
-      "integrity": "sha512-mqn0kFRl0EoqhnL0GQ0veqFHyIN1yig9RHh/InzORTUiZHFRAur+aMtRkELNwGs9aNwKS6tg/An4NYBPGwvtzQ=="
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/process-warning/-/process-warning-4.0.0.tgz",
+      "integrity": "sha512-/MyYDxttz7DfGMMHiysAsFE4qF+pQYAA8ziO/3NcRVrQ5fSk+Mns4QZA/oRPFzvcqNoVJXQNWNAsdwBXLUkQKw==",
+      "license": "MIT"
+    },
+    "node_modules/pino-http/node_modules/sonic-boom": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/sonic-boom/-/sonic-boom-4.1.0.tgz",
+      "integrity": "sha512-NGipjjRicyJJ03rPiZCJYjwlsuP2d1/5QUviozRXC7S3WdVWNK5e3Ojieb9CCyfhq2UC+3+SRd9nG3I2lPRvUw==",
+      "license": "MIT",
+      "dependencies": {
+        "atomic-sleep": "^1.0.0"
+      }
+    },
+    "node_modules/pino-http/node_modules/thread-stream": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/thread-stream/-/thread-stream-3.1.0.tgz",
+      "integrity": "sha512-OqyPZ9u96VohAyMfJykzmivOrY2wfMSf3C5TtFJVgN+Hm6aj+voFhlK+kZEIv2FBh1X6Xp3DlnCOfEQ3B2J86A==",
+      "license": "MIT",
+      "dependencies": {
+        "real-require": "^0.2.0"
+      }
     },
     "node_modules/pino-pretty": {
       "version": "10.2.3",
@@ -15096,9 +15230,10 @@
       }
     },
     "node_modules/probot": {
-      "version": "13.0.0",
-      "resolved": "https://registry.npmjs.org/probot/-/probot-13.0.0.tgz",
-      "integrity": "sha512-3ht9kAJ+ISjLyWLLCKVdrLE5xs/x+zUx07J5kYTxAyIxUvwF6Acr8xT5fiNihbBHAsEl4+A4CMYZQvZ5hx5bgw==",
+      "version": "13.3.8",
+      "resolved": "https://registry.npmjs.org/probot/-/probot-13.3.8.tgz",
+      "integrity": "sha512-xc+KBC0mp1JKFMsPbMyj1SpmN0B7Q8uFO7ze4PBbNv74q8AyPGqYL3TmkZSOmcOjFTeFrZTnMYEoXi+z1anyLA==",
+      "license": "ISC",
       "dependencies": {
         "@octokit/core": "^5.0.2",
         "@octokit/plugin-enterprise-compatibility": "^4.0.1",
@@ -15113,19 +15248,18 @@
         "@probot/octokit-plugin-config": "^2.0.1",
         "@probot/pino": "^2.3.5",
         "@types/express": "^4.17.21",
-        "commander": "^11.1.0",
+        "bottleneck": "^2.19.5",
+        "commander": "^12.0.0",
         "deepmerge": "^4.3.1",
         "dotenv": "^16.3.1",
-        "eventsource": "^2.0.2",
-        "express": "^4.18.2",
+        "express": "^4.21.0",
         "ioredis": "^5.3.2",
         "js-yaml": "^4.1.0",
         "lru-cache": "^10.0.3",
         "octokit-auth-probot": "^2.0.0",
-        "pino": "^8.16.1",
-        "pino-http": "^8.5.1",
+        "pino": "^9.0.0",
+        "pino-http": "^10.0.0",
         "pkg-conf": "^3.1.0",
-        "resolve": "^1.22.8",
         "update-dotenv": "^1.1.1"
       },
       "bin": {
@@ -15152,11 +15286,12 @@
       }
     },
     "node_modules/probot/node_modules/commander": {
-      "version": "11.1.0",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-11.1.0.tgz",
-      "integrity": "sha512-yPVavfyCcRhmorC7rWlkHn15b4wDVgVmBA7kV4QVBsF7kv/9TKJAbAXVTxvTnwP8HHKjRCJDClKbciiYS7p0DQ==",
+      "version": "12.1.0",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-12.1.0.tgz",
+      "integrity": "sha512-Vw8qHK3bZM9y/P10u3Vib8o/DdkvA2OtPtZvD871QKjy74Wj1WSKFILMPRPSdUSx5RFK1arlJzEtA4PkFgnbuA==",
+      "license": "MIT",
       "engines": {
-        "node": ">=16"
+        "node": ">=18"
       }
     },
     "node_modules/probot/node_modules/lru-cache": {
@@ -15167,6 +15302,68 @@
         "node": "14 || >=16.14"
       }
     },
+    "node_modules/probot/node_modules/pino": {
+      "version": "9.4.0",
+      "resolved": "https://registry.npmjs.org/pino/-/pino-9.4.0.tgz",
+      "integrity": "sha512-nbkQb5+9YPhQRz/BeQmrWpEknAaqjpAqRK8NwJpmrX/JHu7JuZC5G1CeAwJDJfGes4h+YihC6in3Q2nGb+Y09w==",
+      "license": "MIT",
+      "dependencies": {
+        "atomic-sleep": "^1.0.0",
+        "fast-redact": "^3.1.1",
+        "on-exit-leak-free": "^2.1.0",
+        "pino-abstract-transport": "^1.2.0",
+        "pino-std-serializers": "^7.0.0",
+        "process-warning": "^4.0.0",
+        "quick-format-unescaped": "^4.0.3",
+        "real-require": "^0.2.0",
+        "safe-stable-stringify": "^2.3.1",
+        "sonic-boom": "^4.0.1",
+        "thread-stream": "^3.0.0"
+      },
+      "bin": {
+        "pino": "bin.js"
+      }
+    },
+    "node_modules/probot/node_modules/pino-abstract-transport": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/pino-abstract-transport/-/pino-abstract-transport-1.2.0.tgz",
+      "integrity": "sha512-Guhh8EZfPCfH+PMXAb6rKOjGQEoy0xlAIn+irODG5kgfYV+BQ0rGYYWTIel3P5mmyXqkYkPmdIkywsn6QKUR1Q==",
+      "license": "MIT",
+      "dependencies": {
+        "readable-stream": "^4.0.0",
+        "split2": "^4.0.0"
+      }
+    },
+    "node_modules/probot/node_modules/pino-std-serializers": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/pino-std-serializers/-/pino-std-serializers-7.0.0.tgz",
+      "integrity": "sha512-e906FRY0+tV27iq4juKzSYPbUj2do2X2JX4EzSca1631EB2QJQUqGbDuERal7LCtOpxl6x3+nvo9NPZcmjkiFA==",
+      "license": "MIT"
+    },
+    "node_modules/probot/node_modules/process-warning": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/process-warning/-/process-warning-4.0.0.tgz",
+      "integrity": "sha512-/MyYDxttz7DfGMMHiysAsFE4qF+pQYAA8ziO/3NcRVrQ5fSk+Mns4QZA/oRPFzvcqNoVJXQNWNAsdwBXLUkQKw==",
+      "license": "MIT"
+    },
+    "node_modules/probot/node_modules/sonic-boom": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/sonic-boom/-/sonic-boom-4.1.0.tgz",
+      "integrity": "sha512-NGipjjRicyJJ03rPiZCJYjwlsuP2d1/5QUviozRXC7S3WdVWNK5e3Ojieb9CCyfhq2UC+3+SRd9nG3I2lPRvUw==",
+      "license": "MIT",
+      "dependencies": {
+        "atomic-sleep": "^1.0.0"
+      }
+    },
+    "node_modules/probot/node_modules/thread-stream": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/thread-stream/-/thread-stream-3.1.0.tgz",
+      "integrity": "sha512-OqyPZ9u96VohAyMfJykzmivOrY2wfMSf3C5TtFJVgN+Hm6aj+voFhlK+kZEIv2FBh1X6Xp3DlnCOfEQ3B2J86A==",
+      "license": "MIT",
+      "dependencies": {
+        "real-require": "^0.2.0"
+      }
+    },
     "node_modules/process": {
       "version": "0.11.10",
       "resolved": "https://registry.npmjs.org/process/-/process-0.11.10.tgz",
@@ -15282,11 +15479,12 @@
       }
     },
     "node_modules/qs": {
-      "version": "6.11.0",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz",
-      "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==",
+      "version": "6.13.0",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz",
+      "integrity": "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==",
+      "license": "BSD-3-Clause",
       "dependencies": {
-        "side-channel": "^1.0.4"
+        "side-channel": "^1.0.6"
       },
       "engines": {
         "node": ">=0.6"
@@ -15359,6 +15557,7 @@
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
       "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==",
+      "license": "MIT",
       "engines": {
         "node": ">= 0.6"
       }
@@ -15367,6 +15566,7 @@
       "version": "2.5.2",
       "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz",
       "integrity": "sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==",
+      "license": "MIT",
       "dependencies": {
         "bytes": "3.1.2",
         "http-errors": "2.0.0",
@@ -15381,6 +15581,7 @@
       "version": "0.4.24",
       "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
       "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+      "license": "MIT",
       "dependencies": {
         "safer-buffer": ">= 2.1.2 < 3"
       },
@@ -15961,9 +16162,10 @@
       }
     },
     "node_modules/send": {
-      "version": "0.18.0",
-      "resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz",
-      "integrity": "sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg==",
+      "version": "0.19.0",
+      "resolved": "https://registry.npmjs.org/send/-/send-0.19.0.tgz",
+      "integrity": "sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw==",
+      "license": "MIT",
       "dependencies": {
         "debug": "2.6.9",
         "depd": "2.0.0",
@@ -15987,6 +16189,7 @@
       "version": "2.6.9",
       "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
       "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "license": "MIT",
       "dependencies": {
         "ms": "2.0.0"
       }
@@ -15994,12 +16197,23 @@
     "node_modules/send/node_modules/debug/node_modules/ms": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+      "license": "MIT"
+    },
+    "node_modules/send/node_modules/encodeurl": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz",
+      "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
     },
     "node_modules/send/node_modules/mime": {
       "version": "1.6.0",
       "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz",
       "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==",
+      "license": "MIT",
       "bin": {
         "mime": "cli.js"
       },
@@ -16013,14 +16227,15 @@
       "integrity": "sha512-hr3Wtp/GZIc/6DAGPDcV4/9WoZhjrkXsi5B/07QgX8tsdc6ilr7BFM6PM6rbdAX1kFSDYeZGLipIZZKyQP0O5Q=="
     },
     "node_modules/serve-static": {
-      "version": "1.15.0",
-      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.15.0.tgz",
-      "integrity": "sha512-XGuRDNjXUijsUL0vl6nSD7cwURuzEgglbOaFuZM9g3kwDXOWVTck0jLzjPzGD+TazWbboZYu52/9/XPdUgne9g==",
+      "version": "1.16.2",
+      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.2.tgz",
+      "integrity": "sha512-VqpjJZKadQB/PEbEwvFdO43Ax5dFBZ2UECszz8bQ7pi7wt//PWe1P6MN7eCnjsatYtBT6EuiClbjSWP2WrIoTw==",
+      "license": "MIT",
       "dependencies": {
-        "encodeurl": "~1.0.2",
+        "encodeurl": "~2.0.0",
         "escape-html": "~1.0.3",
         "parseurl": "~1.3.3",
-        "send": "0.18.0"
+        "send": "0.19.0"
       },
       "engines": {
         "node": ">= 0.8.0"
@@ -16037,14 +16252,17 @@
       "integrity": "sha512-RVnVQxTXuerk653XfuliOxBP81Sf0+qfQE73LIYKcyMYHG94AuH0kgrQpRDuTZnSmjpysHmzxJXKNfa6PjFhyQ=="
     },
     "node_modules/set-function-length": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/set-function-length/-/set-function-length-1.1.1.tgz",
-      "integrity": "sha512-VoaqjbBJKiWtg4yRcKBQ7g7wnGnLV3M8oLvVWwOk2PdYY6PEFegR1vezXR0tw6fZGF9csVakIRjrJiy2veSBFQ==",
+      "version": "1.2.2",
+      "resolved": "https://registry.npmjs.org/set-function-length/-/set-function-length-1.2.2.tgz",
+      "integrity": "sha512-pgRc4hJ4/sNjWCSS9AmnS40x3bNMDTknHgL5UaMBTMyJnU90EgWh1Rz+MC9eFu4BuN/UwZjKQuY/1v3rM7HMfg==",
+      "license": "MIT",
       "dependencies": {
-        "define-data-property": "^1.1.1",
-        "get-intrinsic": "^1.2.1",
+        "define-data-property": "^1.1.4",
+        "es-errors": "^1.3.0",
+        "function-bind": "^1.1.2",
+        "get-intrinsic": "^1.2.4",
         "gopd": "^1.0.1",
-        "has-property-descriptors": "^1.0.0"
+        "has-property-descriptors": "^1.0.2"
       },
       "engines": {
         "node": ">= 0.4"
@@ -16103,13 +16321,18 @@
       }
     },
     "node_modules/side-channel": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.4.tgz",
-      "integrity": "sha512-q5XPytqFEIKHkGdiMIrY10mvLRvnQh42/+GoBlFW3b2LXLE2xxJpZFdm94we0BaoV3RwJyGqg5wS7epxTv0Zvw==",
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.6.tgz",
+      "integrity": "sha512-fDW/EZ6Q9RiO8eFG8Hj+7u/oW+XrPTIChwCOM2+th2A6OblDtYYIpve9m+KvI9Z4C9qSEXlaGR6bTEYHReuglA==",
+      "license": "MIT",
       "dependencies": {
-        "call-bind": "^1.0.0",
-        "get-intrinsic": "^1.0.2",
-        "object-inspect": "^1.9.0"
+        "call-bind": "^1.0.7",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.4",
+        "object-inspect": "^1.13.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
       },
       "funding": {
         "url": "https://github.com/sponsors/ljharb"
@@ -16183,6 +16406,15 @@
         "node": ">=10"
       }
     },
+    "node_modules/sjcl": {
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/sjcl/-/sjcl-1.0.8.tgz",
+      "integrity": "sha512-LzIjEQ0S0DpIgnxMEayM1rq9aGwGRG4OnZhCdjx7glTaJtf4zRfpg87ImfjSJjoW9vKpagd82McDOwbRT5kQKQ==",
+      "license": "(BSD-2-Clause OR GPL-2.0-only)",
+      "engines": {
+        "node": "*"
+      }
+    },
     "node_modules/slash": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/slash/-/slash-3.0.0.tgz",
@@ -17660,12 +17892,14 @@
     "node_modules/tweetnacl": {
       "version": "1.0.3",
       "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-1.0.3.tgz",
-      "integrity": "sha512-6rt+RN7aOi1nGMyC4Xa5DdYiukl2UWCbcJft7YhxReBGQD7OAM8Pbxw6YMo4r2diNEA8FEmu32YOn9rhaiE5yw=="
+      "integrity": "sha512-6rt+RN7aOi1nGMyC4Xa5DdYiukl2UWCbcJft7YhxReBGQD7OAM8Pbxw6YMo4r2diNEA8FEmu32YOn9rhaiE5yw==",
+      "license": "Unlicense"
     },
     "node_modules/tweetnacl-util": {
       "version": "0.15.1",
       "resolved": "https://registry.npmjs.org/tweetnacl-util/-/tweetnacl-util-0.15.1.tgz",
-      "integrity": "sha512-RKJBIj8lySrShN4w6i/BonWp2Z/uxwC3h4y7xsRrpP59ZboCd0GpEVsOnMDYLMmKBpYhb5TgHzZXy7wTfYFBRw=="
+      "integrity": "sha512-RKJBIj8lySrShN4w6i/BonWp2Z/uxwC3h4y7xsRrpP59ZboCd0GpEVsOnMDYLMmKBpYhb5TgHzZXy7wTfYFBRw==",
+      "license": "Unlicense"
     },
     "node_modules/type-check": {
       "version": "0.4.0",
@@ -17704,6 +17938,7 @@
       "version": "1.6.18",
       "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
       "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==",
+      "license": "MIT",
       "dependencies": {
         "media-typer": "0.3.0",
         "mime-types": "~2.1.24"
@@ -17927,6 +18162,7 @@
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
       "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==",
+      "license": "MIT",
       "engines": {
         "node": ">= 0.8"
       }
@@ -18051,6 +18287,7 @@
       "version": "1.1.2",
       "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
       "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==",
+      "license": "MIT",
       "engines": {
         "node": ">= 0.8"
       }

backend/package.json

@@ -80,6 +80,7 @@
     "@types/prompt-sync": "^4.2.3",
     "@types/resolve": "^1.20.6",
     "@types/safe-regex": "^1.1.6",
+    "@types/sjcl": "^1.0.34",
     "@types/uuid": "^9.0.7",
     "@typescript-eslint/eslint-plugin": "^6.20.0",
     "@typescript-eslint/parser": "^6.20.0",
@@ -178,10 +179,11 @@
     "pino": "^8.16.2",
     "pkijs": "^3.2.4",
     "posthog-node": "^3.6.2",
-    "probot": "^13.0.0",
+    "probot": "^13.3.8",
     "safe-regex": "^2.1.1",
     "scim-patch": "^0.8.3",
     "scim2-parse-filter": "^0.2.10",
+    "sjcl": "^1.0.8",
     "smee-client": "^2.0.0",
     "tedious": "^18.2.1",
     "tweetnacl": "^1.0.3",

backend/src/@types/fastify.d.ts

@@ -38,6 +38,7 @@ import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-se
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
+import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
@@ -181,6 +182,7 @@ declare module "fastify" {
       orgAdmin: TOrgAdminServiceFactory;
       slack: TSlackServiceFactory;
       workflowIntegration: TWorkflowIntegrationServiceFactory;
+      migration: TExternalMigrationServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/db/migrations/20240918005344_add-group-approvals.ts

@@ -0,0 +1,76 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasAccessApproverGroupId = await knex.schema.hasColumn(
+    TableName.AccessApprovalPolicyApprover,
+    "approverGroupId"
+  );
+  const hasAccessApproverUserId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverUserId");
+  const hasSecretApproverGroupId = await knex.schema.hasColumn(
+    TableName.SecretApprovalPolicyApprover,
+    "approverGroupId"
+  );
+  const hasSecretApproverUserId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId");
+  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover)) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (table) => {
+      // add column approverGroupId to AccessApprovalPolicyApprover
+      if (!hasAccessApproverGroupId) {
+        table.uuid("approverGroupId").nullable().references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      }
+
+      // make approverUserId nullable
+      if (hasAccessApproverUserId) {
+        table.uuid("approverUserId").nullable().alter();
+      }
+    });
+    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (table) => {
+      // add column approverGroupId to SecretApprovalPolicyApprover
+      if (!hasSecretApproverGroupId) {
+        table.uuid("approverGroupId").nullable().references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      }
+
+      // make approverUserId nullable
+      if (hasSecretApproverUserId) {
+        table.uuid("approverUserId").nullable().alter();
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasAccessApproverGroupId = await knex.schema.hasColumn(
+    TableName.AccessApprovalPolicyApprover,
+    "approverGroupId"
+  );
+  const hasAccessApproverUserId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverUserId");
+  const hasSecretApproverGroupId = await knex.schema.hasColumn(
+    TableName.SecretApprovalPolicyApprover,
+    "approverGroupId"
+  );
+  const hasSecretApproverUserId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId");
+
+  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover)) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (table) => {
+      if (hasAccessApproverGroupId) {
+        table.dropColumn("approverGroupId");
+      }
+      // make approverUserId not nullable
+      if (hasAccessApproverUserId) {
+        table.uuid("approverUserId").notNullable().alter();
+      }
+    });
+
+    // remove
+    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (table) => {
+      if (hasSecretApproverGroupId) {
+        table.dropColumn("approverGroupId");
+      }
+      // make approverUserId not nullable
+      if (hasSecretApproverUserId) {
+        table.uuid("approverUserId").notNullable().alter();
+      }
+    });
+  }
+}

backend/src/db/schemas/access-approval-policies-approvers.ts

@@ -12,7 +12,8 @@ export const AccessApprovalPoliciesApproversSchema = z.object({
   policyId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  approverUserId: z.string().uuid()
+  approverUserId: z.string().uuid().nullable().optional(),
+  approverGroupId: z.string().uuid().nullable().optional()
 });
 
 export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;

backend/src/db/schemas/secret-approval-policies-approvers.ts

@@ -12,7 +12,8 @@ export const SecretApprovalPoliciesApproversSchema = z.object({
   policyId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  approverUserId: z.string().uuid()
+  approverUserId: z.string().uuid().nullable().optional(),
+  approverGroupId: z.string().uuid().nullable().optional()
 });
 
 export type TSecretApprovalPoliciesApprovers = z.infer<typeof SecretApprovalPoliciesApproversSchema>;

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -1,7 +1,9 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";
 
+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { EnforcementLevel } from "@app/lib/types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -10,28 +12,32 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
   server.route({
     url: "/",
     method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
     schema: {
-      body: z
-        .object({
-          projectSlug: z.string().trim(),
-          name: z.string().optional(),
-          secretPath: z.string().trim().default("/"),
-          environment: z.string(),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        projectSlug: z.string().trim(),
+        name: z.string().optional(),
+        secretPath: z.string().trim().default("/"),
+        environment: z.string(),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).default(1),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+      }),
       response: {
         200: z.object({
           approval: sapPubSchema
         })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const approval = await server.services.accessApprovalPolicy.createAccessApprovalPolicy({
         actor: req.permission.type,
@@ -50,6 +56,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
   server.route({
     url: "/",
     method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
     schema: {
       querystring: z.object({
         projectSlug: z.string().trim()
@@ -58,14 +67,15 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         200: z.object({
           approvals: sapPubSchema
             .extend({
-              userApprovers: z
-                .object({
-                  userId: z.string()
-                })
-                .array(),
-              secretPath: z.string().optional().nullable()
+              approvers: z
+                .object({ type: z.nativeEnum(ApproverType), id: z.string().nullable().optional() })
+                .array()
+                .nullable()
+                .optional()
             })
             .array()
+            .nullable()
+            .optional()
         })
       }
     },
@@ -115,33 +125,37 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
   server.route({
     url: "/:policyId",
     method: "PATCH",
+    config: {
+      rateLimit: writeLimit
+    },
     schema: {
       params: z.object({
         policyId: z.string()
       }),
-      body: z
-        .object({
-          name: z.string().optional(),
-          secretPath: z
-            .string()
-            .trim()
-            .optional()
-            .transform((val) => (val === "" ? "/" : val)),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        name: z.string().optional(),
+        secretPath: z
+          .string()
+          .trim()
+          .optional()
+          .transform((val) => (val === "" ? "/" : val)),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).optional(),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+      }),
       response: {
         200: z.object({
           approval: sapPubSchema
         })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       await server.services.accessApprovalPolicy.updateAccessApprovalPolicy({
         policyId: req.params.policyId,
@@ -157,6 +171,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
   server.route({
     url: "/:policyId",
     method: "DELETE",
+    config: {
+      rateLimit: writeLimit
+    },
     schema: {
       params: z.object({
         policyId: z.string()
@@ -167,7 +184,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const approval = await server.services.accessApprovalPolicy.deleteAccessApprovalPolicy({
         actor: req.permission.type,
@@ -179,4 +196,44 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
       return { approval };
     }
   });
+
+  server.route({
+    url: "/:policyId",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        policyId: z.string()
+      }),
+      response: {
+        200: z.object({
+          approval: sapPubSchema.extend({
+            approvers: z
+              .object({
+                type: z.nativeEnum(ApproverType),
+                id: z.string().nullable().optional(),
+                name: z.string().nullable().optional()
+              })
+              .array()
+              .nullable()
+              .optional()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const approval = await server.services.accessApprovalPolicy.getAccessApprovalPolicyById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      return { approval };
+    }
+  });
 };

backend/src/ee/routes/v1/dynamic-secret-router.ts

@@ -77,6 +77,39 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
     }
   });
 
+  server.route({
+    method: "POST",
+    url: "/entra-id/users",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      body: z.object({
+        tenantId: z.string().min(1).describe("The tenant ID of the Azure Entra ID"),
+        applicationId: z.string().min(1).describe("The application ID of the Azure Entra ID App Registration"),
+        clientSecret: z.string().min(1).describe("The client secret of the Azure Entra ID App Registration")
+      }),
+      response: {
+        200: z
+          .object({
+            name: z.string().min(1).describe("The name of the user"),
+            id: z.string().min(1).describe("The ID of the user"),
+            email: z.string().min(1).describe("The email of the user")
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const data = await server.services.dynamicSecret.fetchAzureEntraIdUsers({
+        tenantId: req.body.tenantId,
+        applicationId: req.body.applicationId,
+        clientSecret: req.body.clientSecret
+      });
+      return data;
+    }
+  });
+
   server.route({
     method: "PATCH",
     url: "/:name",
@@ -237,7 +270,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const dynamicSecretCfgs = await server.services.dynamicSecret.list({
+      const dynamicSecretCfgs = await server.services.dynamicSecret.listDynamicSecretsByEnv({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,

backend/src/ee/routes/v1/group-router.ts

@@ -10,7 +10,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/",
     method: "POST",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
       body: z.object({
         name: z.string().trim().min(1).max(50).describe(GROUPS.CREATE.name),
@@ -43,12 +43,59 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
   });
 
   server.route({
-    url: "/:currentSlug",
-    method: "PATCH",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id",
+    method: "GET",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
       params: z.object({
-        currentSlug: z.string().trim().describe(GROUPS.UPDATE.currentSlug)
+        id: z.string().trim().describe(GROUPS.GET_BY_ID.id)
+      }),
+      response: {
+        200: GroupsSchema
+      }
+    },
+    handler: async (req) => {
+      const group = await server.services.group.getGroupById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.id
+      });
+
+      return group;
+    }
+  });
+
+  server.route({
+    url: "/",
+    method: "GET",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      response: {
+        200: GroupsSchema.array()
+      }
+    },
+    handler: async (req) => {
+      const groups = await server.services.org.getOrgGroups({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return groups;
+    }
+  });
+
+  server.route({
+    url: "/:id",
+    method: "PATCH",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      params: z.object({
+        id: z.string().trim().describe(GROUPS.UPDATE.id)
       }),
       body: z
         .object({
@@ -70,7 +117,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const group = await server.services.group.updateGroup({
-        currentSlug: req.params.currentSlug,
+        id: req.params.id,
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
@@ -83,12 +130,12 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
   });
 
   server.route({
-    url: "/:slug",
+    url: "/:id",
     method: "DELETE",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
       params: z.object({
-        slug: z.string().trim().describe(GROUPS.DELETE.slug)
+        id: z.string().trim().describe(GROUPS.DELETE.id)
       }),
       response: {
         200: GroupsSchema
@@ -96,7 +143,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const group = await server.services.group.deleteGroup({
-        groupSlug: req.params.slug,
+        id: req.params.id,
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
@@ -109,11 +156,11 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
 
   server.route({
     method: "GET",
-    url: "/:slug/users",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id/users",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
       params: z.object({
-        slug: z.string().trim().describe(GROUPS.LIST_USERS.slug)
+        id: z.string().trim().describe(GROUPS.LIST_USERS.id)
       }),
       querystring: z.object({
         offset: z.coerce.number().min(0).max(100).default(0).describe(GROUPS.LIST_USERS.offset),
@@ -141,24 +188,25 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const { users, totalCount } = await server.services.group.listGroupUsers({
-        groupSlug: req.params.slug,
+        id: req.params.id,
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         ...req.query
       });
+
       return { users, totalCount };
     }
   });
 
   server.route({
     method: "POST",
-    url: "/:slug/users/:username",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id/users/:username",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
       params: z.object({
-        slug: z.string().trim().describe(GROUPS.ADD_USER.slug),
+        id: z.string().trim().describe(GROUPS.ADD_USER.id),
         username: z.string().trim().describe(GROUPS.ADD_USER.username)
       }),
       response: {
@@ -173,7 +221,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const user = await server.services.group.addUserToGroup({
-        groupSlug: req.params.slug,
+        id: req.params.id,
         username: req.params.username,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -187,11 +235,11 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
 
   server.route({
     method: "DELETE",
-    url: "/:slug/users/:username",
-    onRequest: verifyAuth([AuthMode.JWT]),
+    url: "/:id/users/:username",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
       params: z.object({
-        slug: z.string().trim().describe(GROUPS.DELETE_USER.slug),
+        id: z.string().trim().describe(GROUPS.DELETE_USER.id),
         username: z.string().trim().describe(GROUPS.DELETE_USER.username)
       }),
       response: {
@@ -206,7 +254,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const user = await server.services.group.removeUserFromGroup({
-        groupSlug: req.params.slug,
+        id: req.params.id,
         username: req.params.username,
         actor: req.permission.type,
         actorId: req.permission.id,

backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts

@@ -5,7 +5,7 @@ import { z } from "zod";
 
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
-import { BadRequestError } from "@app/lib/errors";
+import { UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -61,7 +61,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
     handler: async (req) => {
       const { permissions, privilegePermission } = req.body;
       if (!permissions && !privilegePermission) {
-        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
+        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
       }
 
       const permission = privilegePermission
@@ -140,7 +140,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
     handler: async (req) => {
       const { permissions, privilegePermission } = req.body;
       if (!permissions && !privilegePermission) {
-        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
+        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
       }
 
       const permission = privilegePermission
@@ -224,7 +224,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
     handler: async (req) => {
       const { permissions, privilegePermission, ...updatedInfo } = req.body.privilegeDetails;
       if (!permissions && !privilegePermission) {
-        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
+        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
       }
 
       const permission = privilegePermission

backend/src/ee/routes/v1/project-role-router.ts

@@ -101,6 +101,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
             message: "Slug must be a valid"
           }),
         name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
+        description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
         permissions: ProjectPermissionSchema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
       }),
       response: {

backend/src/ee/routes/v1/project-router.ts

@@ -87,6 +87,12 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  /*
+   * Daniel: This endpoint is no longer is use.
+   * We are keeping it for now because it has been exposed in our public api docs for a while, so by removing it we are likely to break users workflows.
+   *
+   * Please refer to the new endpoint, GET /api/v1/organization/audit-logs, for the same (and more) functionality.
+   */
   server.route({
     method: "GET",
     url: "/:workspaceId/audit-logs",
@@ -101,7 +107,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.workspaceId)
+        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.projectId)
       }),
       querystring: z.object({
         eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
@@ -122,10 +128,12 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           })
             .merge(
               z.object({
-                project: z.object({
-                  name: z.string(),
-                  slug: z.string()
-                }),
+                project: z
+                  .object({
+                    name: z.string(),
+                    slug: z.string()
+                  })
+                  .optional(),
                 event: z.object({
                   type: z.string(),
                   metadata: z.any()
@@ -146,12 +154,16 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
-        projectId: req.params.workspaceId,
-        ...req.query,
-        endDate: req.query.endDate,
-        startDate: req.query.startDate || getLastMidnightDateISO(),
-        auditLogActor: req.query.actor,
-        actor: req.permission.type
+        actor: req.permission.type,
+
+        filter: {
+          ...req.query,
+          projectId: req.params.workspaceId,
+          endDate: req.query.endDate,
+          startDate: req.query.startDate || getLastMidnightDateISO(),
+          auditLogActorId: req.query.actor,
+          eventType: req.query.eventType ? [req.query.eventType] : undefined
+        }
       });
       return { auditLogs };
     }

backend/src/ee/routes/v1/rate-limit-router.ts

@@ -1,7 +1,7 @@
 import { z } from "zod";
 
 import { RateLimitSchema } from "@app/db/schemas";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -29,7 +29,7 @@ export const registerRateLimitRouter = async (server: FastifyZodProvider) => {
     handler: async () => {
       const rateLimit = await server.services.rateLimit.getRateLimits();
       if (!rateLimit) {
-        throw new BadRequestError({
+        throw new NotFoundError({
           name: "Get Rate Limit Error",
           message: "Rate limit configuration does not exist."
         });

backend/src/ee/routes/v1/saml-router.ts

@@ -61,7 +61,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
                 id: samlConfigId
               };
             } else {
-              throw new BadRequestError({ message: "Missing sso identitier or org slug" });
+              throw new BadRequestError({ message: "Missing sso identifier or org slug" });
             }
 
             const ssoConfig = await server.services.saml.getSaml(ssoLookupDetails);

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -1,6 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";
 
+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -16,32 +17,33 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
       rateLimit: writeLimit
     },
     schema: {
-      body: z
-        .object({
-          workspaceId: z.string(),
-          name: z.string().optional(),
-          environment: z.string(),
-          secretPath: z
-            .string()
-            .optional()
-            .nullable()
-            .default("/")
-            .transform((val) => (val ? removeTrailingSlash(val) : val)),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        workspaceId: z.string(),
+        name: z.string().optional(),
+        environment: z.string(),
+        secretPath: z
+          .string()
+          .optional()
+          .nullable()
+          .default("/")
+          .transform((val) => (val ? removeTrailingSlash(val) : val)),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).default(1),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+      }),
       response: {
         200: z.object({
           approval: sapPubSchema
         })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const approval = await server.services.secretApprovalPolicy.createSecretApprovalPolicy({
         actor: req.permission.type,
@@ -67,30 +69,31 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
       params: z.object({
         sapId: z.string()
       }),
-      body: z
-        .object({
-          name: z.string().optional(),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1),
-          secretPath: z
-            .string()
-            .optional()
-            .nullable()
-            .transform((val) => (val ? removeTrailingSlash(val) : val))
-            .transform((val) => (val === "" ? "/" : val)),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).optional()
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
+      body: z.object({
+        name: z.string().optional(),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" }),
+        approvals: z.number().min(1).default(1),
+        secretPath: z
+          .string()
+          .optional()
+          .nullable()
+          .transform((val) => (val ? removeTrailingSlash(val) : val))
+          .transform((val) => (val === "" ? "/" : val)),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).optional()
+      }),
       response: {
         200: z.object({
           approval: sapPubSchema
         })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const approval = await server.services.secretApprovalPolicy.updateSecretApprovalPolicy({
         actor: req.permission.type,
@@ -120,7 +123,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const approval = await server.services.secretApprovalPolicy.deleteSecretApprovalPolicy({
         actor: req.permission.type,
@@ -147,9 +150,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         200: z.object({
           approvals: sapPubSchema
             .extend({
-              userApprovers: z
+              approvers: z
                 .object({
-                  userId: z.string()
+                  id: z.string().nullable().optional(),
+                  type: z.nativeEnum(ApproverType)
                 })
                 .array()
             })
@@ -170,6 +174,44 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
     }
   });
 
+  server.route({
+    url: "/:sapId",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        sapId: z.string()
+      }),
+      response: {
+        200: z.object({
+          approval: sapPubSchema.extend({
+            approvers: z
+              .object({
+                id: z.string().nullable().optional(),
+                type: z.nativeEnum(ApproverType),
+                name: z.string().nullable().optional()
+              })
+              .array()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const approval = await server.services.secretApprovalPolicy.getSecretApprovalPolicyById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      return { approval };
+    }
+  });
+
   server.route({
     url: "/board",
     method: "GET",
@@ -186,7 +228,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         200: z.object({
           policy: sapPubSchema
             .extend({
-              userApprovers: z.object({ userId: z.string() }).array()
+              userApprovers: z.object({ userId: z.string().nullable().optional() }).array()
             })
             .optional()
         })

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -13,7 +13,7 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
-const approvalRequestUser = z.object({ userId: z.string() }).merge(
+const approvalRequestUser = z.object({ userId: z.string().nullable().optional() }).merge(
   UsersSchema.pick({
     email: true,
     firstName: true,
@@ -46,7 +46,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               id: z.string(),
               name: z.string(),
               approvals: z.number(),
-              approvers: z.string().array(),
+              approvers: z
+                .object({
+                  userId: z.string().nullable().optional()
+                })
+                .array(),
               secretPath: z.string().optional().nullable(),
               enforcementLevel: z.string()
             }),
@@ -54,7 +58,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
             commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
             environment: z.string(),
             reviewers: z.object({ userId: z.string(), status: z.string() }).array(),
-            approvers: z.string().array()
+            approvers: z
+              .object({
+                userId: z.string().nullable().optional()
+              })
+              .array()
           }).array()
         })
       }

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -5,22 +5,38 @@ import { AccessApprovalPoliciesSchema, TableName, TAccessApprovalPolicies } from
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
 
+import { ApproverType } from "./access-approval-policy-types";
+
 export type TAccessApprovalPolicyDALFactory = ReturnType<typeof accessApprovalPolicyDALFactory>;
 
 export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
   const accessApprovalPolicyOrm = ormify(db, TableName.AccessApprovalPolicy);
 
-  const accessApprovalPolicyFindQuery = async (tx: Knex, filter: TFindFilter<TAccessApprovalPolicies>) => {
+  const accessApprovalPolicyFindQuery = async (
+    tx: Knex,
+    filter: TFindFilter<TAccessApprovalPolicies>,
+    customFilter?: {
+      policyId?: string;
+    }
+  ) => {
     const result = await tx(TableName.AccessApprovalPolicy)
       // eslint-disable-next-line
       .where(buildFindFilter(filter))
+      .where((qb) => {
+        if (customFilter?.policyId) {
+          void qb.where(`${TableName.AccessApprovalPolicy}.id`, "=", customFilter.policyId);
+        }
+      })
       .join(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
       .leftJoin(
         TableName.AccessApprovalPolicyApprover,
         `${TableName.AccessApprovalPolicy}.id`,
         `${TableName.AccessApprovalPolicyApprover}.policyId`
       )
+      .leftJoin(TableName.Users, `${TableName.AccessApprovalPolicyApprover}.approverUserId`, `${TableName.Users}.id`)
+      .select(tx.ref("username").withSchema(TableName.Users).as("approverUsername"))
       .select(tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
+      .select(tx.ref("approverGroupId").withSchema(TableName.AccessApprovalPolicyApprover))
       .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
       .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
       .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
@@ -30,10 +46,10 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
     return result;
   };
 
-  const findById = async (id: string, tx?: Knex) => {
+  const findById = async (policyId: string, tx?: Knex) => {
     try {
       const doc = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), {
-        [`${TableName.AccessApprovalPolicy}.id` as "id"]: id
+        [`${TableName.AccessApprovalPolicy}.id` as "id"]: policyId
       });
       const formattedDoc = sqlNestRelationships({
         data: doc,
@@ -50,9 +66,18 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
         childrenMapper: [
           {
             key: "approverUserId",
-            label: "userApprovers" as const,
-            mapper: ({ approverUserId }) => ({
-              userId: approverUserId
+            label: "approvers" as const,
+            mapper: ({ approverUserId: id }) => ({
+              id,
+              type: "user"
+            })
+          },
+          {
+            key: "approverGroupId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupId: id }) => ({
+              id,
+              type: "group"
             })
           }
         ]
@@ -64,9 +89,15 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
     }
   };
 
-  const find = async (filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>, tx?: Knex) => {
+  const find = async (
+    filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>,
+    customFilter?: {
+      policyId?: string;
+    },
+    tx?: Knex
+  ) => {
     try {
-      const docs = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), filter);
+      const docs = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), filter, customFilter);
 
       const formattedDocs = sqlNestRelationships({
         data: docs,
@@ -84,9 +115,19 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
         childrenMapper: [
           {
             key: "approverUserId",
-            label: "userApprovers" as const,
-            mapper: ({ approverUserId }) => ({
-              userId: approverUserId
+            label: "approvers" as const,
+            mapper: ({ approverUserId: id, approverUsername }) => ({
+              id,
+              type: ApproverType.User,
+              name: approverUsername
+            })
+          },
+          {
+            key: "approverGroupId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupId: id }) => ({
+              id,
+              type: ApproverType.Group
             })
           }
         ]

backend/src/ee/services/access-approval-policy/access-approval-policy-fns.ts

@@ -1,12 +1,11 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
 
 import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
-import { TVerifyApprovers } from "./access-approval-policy-types";
+import { TIsApproversValid } from "./access-approval-policy-types";
 
-export const verifyApprovers = async ({
+export const isApproversValid = async ({
   userIds,
   projectId,
   orgId,
@@ -14,9 +13,9 @@ export const verifyApprovers = async ({
   actorAuthMethod,
   secretPath,
   permissionService
-}: TVerifyApprovers) => {
-  for await (const userId of userIds) {
-    try {
+}: TIsApproversValid) => {
+  try {
+    for await (const userId of userIds) {
       const { permission: approverPermission } = await permissionService.getProjectPermission(
         ActorType.USER,
         userId,
@@ -29,8 +28,9 @@ export const verifyApprovers = async ({
         ProjectPermissionActions.Create,
         subject(ProjectPermissionSub.Secrets, { environment: envSlug, secretPath })
       );
-    } catch (err) {
-      throw new BadRequestError({ message: "One or more approvers doesn't have access to be specified secret path" });
     }
+  } catch {
+    return false;
   }
+  return true;
 };

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -2,17 +2,21 @@ import { ForbiddenError } from "@casl/ability";
 
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
+import { TUserDALFactory } from "@app/services/user/user-dal";
 
+import { TGroupDALFactory } from "../group/group-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
-import { verifyApprovers } from "./access-approval-policy-fns";
+import { isApproversValid } from "./access-approval-policy-fns";
 import {
+  ApproverType,
   TCreateAccessApprovalPolicy,
   TDeleteAccessApprovalPolicy,
+  TGetAccessApprovalPolicyByIdDTO,
   TGetAccessPolicyCountByEnvironmentDTO,
   TListAccessApprovalPoliciesDTO,
   TUpdateAccessApprovalPolicy
@@ -25,6 +29,8 @@ type TSecretApprovalPolicyServiceFactoryDep = {
   projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findOne">;
   accessApprovalPolicyApproverDAL: TAccessApprovalPolicyApproverDALFactory;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
+  groupDAL: TGroupDALFactory;
+  userDAL: Pick<TUserDALFactory, "find">;
 };
 
 export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
@@ -32,9 +38,11 @@ export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprov
 export const accessApprovalPolicyServiceFactory = ({
   accessApprovalPolicyDAL,
   accessApprovalPolicyApproverDAL,
+  groupDAL,
   permissionService,
   projectEnvDAL,
-  projectDAL
+  projectDAL,
+  userDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
   const createAccessApprovalPolicy = async ({
     name,
@@ -50,9 +58,23 @@ export const accessApprovalPolicyServiceFactory = ({
     enforcementLevel
   }: TCreateAccessApprovalPolicy) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
-    if (approvals > approvers.length)
+    // If there is a group approver people might be added to the group later to meet the approvers quota
+    const groupApprovers = approvers
+      .filter((approver) => approver.type === ApproverType.Group)
+      .map((approver) => approver.id) as string[];
+
+    const userApprovers = approvers
+      .filter((approver) => approver.type === ApproverType.User)
+      .map((approver) => approver.id)
+      .filter(Boolean) as string[];
+
+    const userApproverNames = approvers
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .filter(Boolean) as string[];
+
+    if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
 
     const { permission } = await permissionService.getProjectPermission(
@@ -67,18 +89,65 @@ export const accessApprovalPolicyServiceFactory = ({
       ProjectPermissionSub.SecretApproval
     );
     const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
-    if (!env) throw new BadRequestError({ message: "Environment not found" });
+    if (!env) throw new NotFoundError({ message: "Environment not found" });
 
-    await verifyApprovers({
+    let approverUserIds = userApprovers;
+    if (userApproverNames.length) {
+      const approverUsers = await userDAL.find({
+        $in: {
+          username: userApproverNames
+        }
+      });
+
+      const approverNamesFromDb = approverUsers.map((user) => user.username);
+      const invalidUsernames = userApproverNames.filter((username) => !approverNamesFromDb.includes(username));
+
+      if (invalidUsernames.length) {
+        throw new BadRequestError({
+          message: `Invalid approver user: ${invalidUsernames.join(", ")}`
+        });
+      }
+
+      approverUserIds = approverUserIds.concat(approverUsers.map((user) => user.id));
+    }
+
+    const usersPromises: Promise<
+      {
+        id: string;
+        email: string | null | undefined;
+        username: string;
+        firstName: string | null | undefined;
+        lastName: string | null | undefined;
+        isPartOfGroup: boolean;
+      }[]
+    >[] = [];
+    const verifyAllApprovers = [...approverUserIds];
+
+    for (const groupId of groupApprovers) {
+      usersPromises.push(groupDAL.findAllGroupPossibleMembers({ orgId: actorOrgId, groupId, offset: 0 }));
+    }
+    const verifyGroupApprovers = (await Promise.all(usersPromises))
+      .flat()
+      .filter((user) => user.isPartOfGroup)
+      .map((user) => user.id);
+    verifyAllApprovers.push(...verifyGroupApprovers);
+
+    const approversValid = await isApproversValid({
       projectId: project.id,
       orgId: actorOrgId,
       envSlug: environment,
       secretPath,
       actorAuthMethod,
       permissionService,
-      userIds: approvers
+      userIds: verifyAllApprovers
     });
 
+    if (!approversValid) {
+      throw new BadRequestError({
+        message: "One or more approvers doesn't have access to be specified secret path"
+      });
+    }
+
     const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.create(
         {
@@ -90,13 +159,26 @@ export const accessApprovalPolicyServiceFactory = ({
         },
         tx
       );
-      await accessApprovalPolicyApproverDAL.insertMany(
-        approvers.map((userId) => ({
-          approverUserId: userId,
-          policyId: doc.id
-        })),
-        tx
-      );
+      if (approverUserIds.length) {
+        await accessApprovalPolicyApproverDAL.insertMany(
+          approverUserIds.map((userId) => ({
+            approverUserId: userId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
+      if (groupApprovers) {
+        await accessApprovalPolicyApproverDAL.insertMany(
+          groupApprovers.map((groupId) => ({
+            approverGroupId: groupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
       return doc;
     });
     return { ...accessApproval, environment: env, projectId: project.id };
@@ -110,7 +192,7 @@ export const accessApprovalPolicyServiceFactory = ({
     projectSlug
   }: TListAccessApprovalPoliciesDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     // Anyone in the project should be able to get the policies.
     /* const { permission } = */ await permissionService.getProjectPermission(
@@ -138,8 +220,30 @@ export const accessApprovalPolicyServiceFactory = ({
     approvals,
     enforcementLevel
   }: TUpdateAccessApprovalPolicy) => {
+    const groupApprovers = approvers
+      .filter((approver) => approver.type === ApproverType.Group)
+      .map((approver) => approver.id) as string[];
+
+    const userApprovers = approvers
+      .filter((approver) => approver.type === ApproverType.User)
+      .map((approver) => approver.id)
+      .filter(Boolean) as string[];
+
+    const userApproverNames = approvers
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .filter(Boolean) as string[];
+
     const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    const currentAppovals = approvals || accessApprovalPolicy.approvals;
+    if (
+      groupApprovers?.length === 0 &&
+      userApprovers &&
+      currentAppovals > userApprovers.length + userApproverNames.length
+    ) {
+      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
+    }
+
+    if (!accessApprovalPolicy) throw new NotFoundError({ message: "Secret approval policy not found" });
     const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
@@ -161,26 +265,100 @@ export const accessApprovalPolicyServiceFactory = ({
         },
         tx
       );
-      if (approvers) {
-        await verifyApprovers({
+
+      await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
+
+      if (userApprovers.length || userApproverNames.length) {
+        let userApproverIds = userApprovers;
+        if (userApproverNames.length) {
+          const approverUsers = await userDAL.find({
+            $in: {
+              username: userApproverNames
+            }
+          });
+
+          const approverNamesFromDb = approverUsers.map((user) => user.username);
+          const invalidUsernames = userApproverNames.filter((username) => !approverNamesFromDb.includes(username));
+
+          if (invalidUsernames.length) {
+            throw new BadRequestError({
+              message: `Invalid approver user: ${invalidUsernames.join(", ")}`
+            });
+          }
+
+          userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
+        }
+
+        const approversValid = await isApproversValid({
           projectId: accessApprovalPolicy.projectId,
           orgId: actorOrgId,
           envSlug: accessApprovalPolicy.environment.slug,
           secretPath: doc.secretPath!,
           actorAuthMethod,
           permissionService,
-          userIds: approvers
+          userIds: userApproverIds
         });
 
-        await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
+        if (!approversValid) {
+          throw new BadRequestError({
+            message: "One or more approvers doesn't have access to be specified secret path"
+          });
+        }
+
         await accessApprovalPolicyApproverDAL.insertMany(
-          approvers.map((userId) => ({
+          userApproverIds.map((userId) => ({
             approverUserId: userId,
             policyId: doc.id
           })),
           tx
         );
       }
+
+      if (groupApprovers) {
+        const usersPromises: Promise<
+          {
+            id: string;
+            email: string | null | undefined;
+            username: string;
+            firstName: string | null | undefined;
+            lastName: string | null | undefined;
+            isPartOfGroup: boolean;
+          }[]
+        >[] = [];
+
+        for (const groupId of groupApprovers) {
+          usersPromises.push(groupDAL.findAllGroupPossibleMembers({ orgId: actorOrgId, groupId, offset: 0 }));
+        }
+        const verifyGroupApprovers = (await Promise.all(usersPromises))
+          .flat()
+          .filter((user) => user.isPartOfGroup)
+          .map((user) => user.id);
+
+        const approversValid = await isApproversValid({
+          projectId: accessApprovalPolicy.projectId,
+          orgId: actorOrgId,
+          envSlug: accessApprovalPolicy.environment.slug,
+          secretPath: doc.secretPath!,
+          actorAuthMethod,
+          permissionService,
+          userIds: verifyGroupApprovers
+        });
+
+        if (!approversValid) {
+          throw new BadRequestError({
+            message: "One or more approvers doesn't have access to be specified secret path"
+          });
+        }
+
+        await accessApprovalPolicyApproverDAL.insertMany(
+          groupApprovers.map((groupId) => ({
+            approverGroupId: groupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
       return doc;
     });
     return {
@@ -198,7 +376,7 @@ export const accessApprovalPolicyServiceFactory = ({
     actorOrgId
   }: TDeleteAccessApprovalPolicy) => {
     const policy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!policy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    if (!policy) throw new NotFoundError({ message: "Secret approval policy not found" });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -226,7 +404,7 @@ export const accessApprovalPolicyServiceFactory = ({
   }: TGetAccessPolicyCountByEnvironmentDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
 
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     const { membership } = await permissionService.getProjectPermission(
       actor,
@@ -235,22 +413,53 @@ export const accessApprovalPolicyServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    if (!membership) throw new BadRequestError({ message: "User not found in project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }
 
     const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
-    if (!environment) throw new BadRequestError({ message: "Environment not found" });
+    if (!environment) throw new NotFoundError({ message: "Environment not found" });
 
     const policies = await accessApprovalPolicyDAL.find({ envId: environment.id, projectId: project.id });
-    if (!policies) throw new BadRequestError({ message: "No policies found" });
+    if (!policies) throw new NotFoundError({ message: "No policies found" });
 
     return { count: policies.length };
   };
 
+  const getAccessApprovalPolicyById = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    policyId
+  }: TGetAccessApprovalPolicyByIdDTO) => {
+    const [policy] = await accessApprovalPolicyDAL.find({}, { policyId });
+
+    if (!policy) {
+      throw new NotFoundError({
+        message: "Cannot find access approval policy"
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      policy.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+
+    return policy;
+  };
+
   return {
     getAccessPolicyCountByEnvSlug,
     createAccessApprovalPolicy,
     deleteAccessApprovalPolicy,
     updateAccessApprovalPolicy,
-    getAccessApprovalPolicyByProjectSlug
+    getAccessApprovalPolicyByProjectSlug,
+    getAccessApprovalPolicyById
   };
 };

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -3,7 +3,7 @@ import { ActorAuthMethod } from "@app/services/auth/auth-type";
 
 import { TPermissionServiceFactory } from "../permission/permission-service";
 
-export type TVerifyApprovers = {
+export type TIsApproversValid = {
   userIds: string[];
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   envSlug: string;
@@ -13,11 +13,16 @@ export type TVerifyApprovers = {
   orgId: string;
 };
 
+export enum ApproverType {
+  Group = "group",
+  User = "user"
+}
+
 export type TCreateAccessApprovalPolicy = {
   approvals: number;
   secretPath: string;
   environment: string;
-  approvers: string[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
   projectSlug: string;
   name: string;
   enforcementLevel: EnforcementLevel;
@@ -26,7 +31,7 @@ export type TCreateAccessApprovalPolicy = {
 export type TUpdateAccessApprovalPolicy = {
   policyId: string;
   approvals?: number;
-  approvers?: string[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
   secretPath?: string;
   name?: string;
   enforcementLevel?: EnforcementLevel;
@@ -41,6 +46,10 @@ export type TGetAccessPolicyCountByEnvironmentDTO = {
   projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;
 
+export type TGetAccessApprovalPolicyByIdDTO = {
+  policyId: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TListAccessApprovalPoliciesDTO = {
   projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -39,6 +39,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.AccessApprovalPolicy}.id`,
           `${TableName.AccessApprovalPolicyApprover}.policyId`
         )
+        .leftJoin(
+          TableName.UserGroupMembership,
+          `${TableName.AccessApprovalPolicyApprover}.approverGroupId`,
+          `${TableName.UserGroupMembership}.groupId`
+        )
+        .leftJoin(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
 
         .join<TUsers>(
           db(TableName.Users).as("requestedByUser"),
@@ -59,6 +65,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         )
 
         .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
+        .select(db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"))
 
         .select(
           db.ref("projectId").withSchema(TableName.Environment),
@@ -142,7 +149,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             label: "reviewers" as const,
             mapper: ({ reviewerUserId: userId, reviewerStatus: status }) => (userId ? { userId, status } : undefined)
           },
-          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId }
+          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId },
+          {
+            key: "approverGroupUserId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupUserId }) => approverGroupUserId
+          }
         ]
       });
 
@@ -172,17 +184,28 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         `requestedByUser.id`
       )
 
-      .join(
+      .leftJoin(
         TableName.AccessApprovalPolicyApprover,
         `${TableName.AccessApprovalPolicy}.id`,
         `${TableName.AccessApprovalPolicyApprover}.policyId`
       )
 
-      .join<TUsers>(
+      .leftJoin<TUsers>(
         db(TableName.Users).as("accessApprovalPolicyApproverUser"),
         `${TableName.AccessApprovalPolicyApprover}.approverUserId`,
         "accessApprovalPolicyApproverUser.id"
       )
+      .leftJoin(
+        TableName.UserGroupMembership,
+        `${TableName.AccessApprovalPolicyApprover}.approverGroupId`,
+        `${TableName.UserGroupMembership}.groupId`
+      )
+
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("accessApprovalPolicyGroupApproverUser"),
+        `${TableName.UserGroupMembership}.userId`,
+        "accessApprovalPolicyGroupApproverUser.id"
+      )
 
       .leftJoin(
         TableName.AccessApprovalRequestReviewer,
@@ -200,10 +223,15 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
       .select(selectAllTableCols(TableName.AccessApprovalRequest))
       .select(
         tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover),
+        tx.ref("userId").withSchema(TableName.UserGroupMembership),
         tx.ref("email").withSchema("accessApprovalPolicyApproverUser").as("approverEmail"),
+        tx.ref("email").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupEmail"),
         tx.ref("username").withSchema("accessApprovalPolicyApproverUser").as("approverUsername"),
+        tx.ref("username").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupUsername"),
         tx.ref("firstName").withSchema("accessApprovalPolicyApproverUser").as("approverFirstName"),
+        tx.ref("firstName").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupFirstName"),
         tx.ref("lastName").withSchema("accessApprovalPolicyApproverUser").as("approverLastName"),
+        tx.ref("lastName").withSchema("accessApprovalPolicyGroupApproverUser").as("approverGroupLastName"),
         tx.ref("email").withSchema("requestedByUser").as("requestedByUserEmail"),
         tx.ref("username").withSchema("requestedByUser").as("requestedByUserUsername"),
         tx.ref("firstName").withSchema("requestedByUser").as("requestedByUserFirstName"),
@@ -282,6 +310,23 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
               lastName,
               username
             })
+          },
+          {
+            key: "userId",
+            label: "approvers" as const,
+            mapper: ({
+              userId,
+              approverGroupEmail: email,
+              approverGroupUsername: username,
+              approverGroupLastName: lastName,
+              approverFirstName: firstName
+            }) => ({
+              userId,
+              email,
+              firstName,
+              lastName,
+              username
+            })
           }
         ]
       });

backend/src/ee/services/access-approval-request/access-approval-request-fns.ts

@@ -1,6 +1,6 @@
 import { PackRule, unpackRules } from "@casl/ability/extra";
 
-import { UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
 
 import { TVerifyPermission } from "./access-approval-request-types";
 
@@ -19,7 +19,7 @@ export const verifyRequestedPermissions = ({ permissions }: TVerifyPermission) =
   );
 
   if (!permission || !permission.length) {
-    throw new UnauthorizedError({ message: "No permission provided" });
+    throw new BadRequestError({ message: "No permission provided" });
   }
 
   const requestedPermissions: string[] = [];
@@ -39,10 +39,10 @@ export const verifyRequestedPermissions = ({ permissions }: TVerifyPermission) =
   const permissionEnv = firstPermission.conditions?.environment;
 
   if (!permissionEnv || typeof permissionEnv !== "string") {
-    throw new UnauthorizedError({ message: "Permission environment is not a string" });
+    throw new BadRequestError({ message: "Permission environment is not a string" });
   }
   if (!permissionSecretPath || typeof permissionSecretPath !== "string") {
-    throw new UnauthorizedError({ message: "Permission path is not a string" });
+    throw new BadRequestError({ message: "Permission path is not a string" });
   }
 
   return {

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -3,7 +3,7 @@ import ms from "ms";
 
 import { ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -17,7 +17,8 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 
 import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-policy/access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
-import { verifyApprovers } from "../access-approval-policy/access-approval-policy-fns";
+import { isApproversValid } from "../access-approval-policy/access-approval-policy-fns";
+import { TGroupDALFactory } from "../group/group-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
@@ -57,6 +58,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
     TAccessApprovalRequestReviewerDALFactory,
     "create" | "find" | "findOne" | "transaction"
   >;
+  groupDAL: Pick<TGroupDALFactory, "findAllGroupPossibleMembers">;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById">;
   smtpService: Pick<TSmtpService, "sendMail">;
   userDAL: Pick<
@@ -70,6 +72,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
 export type TAccessApprovalRequestServiceFactory = ReturnType<typeof accessApprovalRequestServiceFactory>;
 
 export const accessApprovalRequestServiceFactory = ({
+  groupDAL,
   projectDAL,
   projectEnvDAL,
   permissionService,
@@ -96,7 +99,7 @@ export const accessApprovalRequestServiceFactory = ({
   }: TCreateAccessApprovalRequestDTO) => {
     const cfg = getConfig();
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     // Anyone can create an access approval request.
     const { membership } = await permissionService.getProjectPermission(
@@ -106,31 +109,56 @@ export const accessApprovalRequestServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }
 
     const requestedByUser = await userDAL.findById(actorId);
-    if (!requestedByUser) throw new UnauthorizedError({ message: "User not found" });
+    if (!requestedByUser) throw new ForbiddenRequestError({ message: "User not found" });
 
     await projectDAL.checkProjectUpgradeStatus(project.id);
 
     const { envSlug, secretPath, accessTypes } = verifyRequestedPermissions({ permissions: requestedPermissions });
     const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
 
-    if (!environment) throw new UnauthorizedError({ message: "Environment not found" });
+    if (!environment) throw new NotFoundError({ message: "Environment not found" });
 
     const policy = await accessApprovalPolicyDAL.findOne({
       envId: environment.id,
       secretPath
     });
-    if (!policy) throw new UnauthorizedError({ message: "No policy matching criteria was found." });
+    if (!policy) throw new NotFoundError({ message: "No policy matching criteria was found." });
+
+    const approverIds: string[] = [];
+    const approverGroupIds: string[] = [];
 
     const approvers = await accessApprovalPolicyApproverDAL.find({
       policyId: policy.id
     });
 
+    approvers.forEach((approver) => {
+      if (approver.approverUserId) {
+        approverIds.push(approver.approverUserId);
+      } else if (approver.approverGroupId) {
+        approverGroupIds.push(approver.approverGroupId);
+      }
+    });
+
+    const groupUsers = (
+      await Promise.all(
+        approverGroupIds.map((groupApproverId) =>
+          groupDAL.findAllGroupPossibleMembers({
+            orgId: actorOrgId,
+            groupId: groupApproverId
+          })
+        )
+      )
+    ).flat();
+    approverIds.push(...groupUsers.filter((user) => user.isPartOfGroup).map((user) => user.id));
+
     const approverUsers = await userDAL.find({
       $in: {
-        id: approvers.map((approver) => approver.approverUserId)
+        id: [...new Set(approverIds)]
       }
     });
 
@@ -236,7 +264,7 @@ export const accessApprovalRequestServiceFactory = ({
     actorAuthMethod
   }: TListApprovalRequestsDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     const { membership } = await permissionService.getProjectPermission(
       actor,
@@ -245,7 +273,9 @@ export const accessApprovalRequestServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }
 
     const policies = await accessApprovalPolicyDAL.find({ projectId: project.id });
     let requests = await accessApprovalRequestDAL.findRequestsWithPrivilegeByPolicyIds(policies.map((p) => p.id));
@@ -270,7 +300,7 @@ export const accessApprovalRequestServiceFactory = ({
     actorOrgId
   }: TReviewAccessRequestDTO) => {
     const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
-    if (!accessApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!accessApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });
 
     const { policy } = accessApprovalRequest;
     const { membership, hasRole } = await permissionService.getProjectPermission(
@@ -281,19 +311,21 @@ export const accessApprovalRequestServiceFactory = ({
       actorOrgId
     );
 
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }
 
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
       accessApprovalRequest.requestedByUserId !== actorId && // The request wasn't made by the current user
       !policy.approvers.find((approver) => approver.userId === actorId) // The request isn't performed by an assigned approver
     ) {
-      throw new UnauthorizedError({ message: "You are not authorized to approve this request" });
+      throw new ForbiddenRequestError({ message: "You are not authorized to approve this request" });
     }
 
     const reviewerProjectMembership = await projectMembershipDAL.findById(membership.id);
 
-    await verifyApprovers({
+    const approversValid = await isApproversValid({
       projectId: accessApprovalRequest.projectId,
       orgId: actorOrgId,
       envSlug: accessApprovalRequest.environment,
@@ -303,6 +335,10 @@ export const accessApprovalRequestServiceFactory = ({
       userIds: [reviewerProjectMembership.userId]
     });
 
+    if (!approversValid) {
+      throw new ForbiddenRequestError({ message: "You don't have access to approve this request" });
+    }
+
     const existingReviews = await accessApprovalRequestReviewerDAL.find({ requestId: accessApprovalRequest.id });
     if (existingReviews.some((review) => review.status === ApprovalStatus.REJECTED)) {
       throw new BadRequestError({ message: "The request has already been rejected by another reviewer" });
@@ -385,7 +421,7 @@ export const accessApprovalRequestServiceFactory = ({
 
   const getCount = async ({ projectSlug, actor, actorAuthMethod, actorId, actorOrgId }: TGetAccessRequestCountDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     const { membership } = await permissionService.getProjectPermission(
       actor,
@@ -394,7 +430,9 @@ export const accessApprovalRequestServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    if (!membership) throw new BadRequestError({ message: "User not found in project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }
 
     const count = await accessApprovalRequestDAL.getCount({ projectId: project.id });
 

backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts

@@ -5,7 +5,7 @@ import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 
 import { AUDIT_LOG_STREAM_TIMEOUT } from "../audit-log/audit-log-queue";
@@ -43,14 +43,15 @@ export const auditLogStreamServiceFactory = ({
     actorOrgId,
     actorAuthMethod
   }: TCreateAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });
 
     const appCfg = getConfig();
     const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan.auditLogStreams)
+    if (!plan.auditLogStreams) {
       throw new BadRequestError({
         message: "Failed to create audit log streams due to plan restriction. Upgrade plan to create group."
       });
+    }
 
     const { permission } = await permissionService.getOrgPermission(
       actor,
@@ -120,7 +121,7 @@ export const auditLogStreamServiceFactory = ({
     actorOrgId,
     actorAuthMethod
   }: TUpdateAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });
 
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan.auditLogStreams)
@@ -129,7 +130,7 @@ export const auditLogStreamServiceFactory = ({
       });
 
     const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
+    if (!logStream) throw new NotFoundError({ message: "Audit log stream not found" });
 
     const { orgId } = logStream;
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
@@ -178,10 +179,10 @@ export const auditLogStreamServiceFactory = ({
   };
 
   const deleteById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TDeleteAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });
 
     const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
+    if (!logStream) throw new NotFoundError({ message: "Audit log stream not found" });
 
     const { orgId } = logStream;
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
@@ -193,7 +194,7 @@ export const auditLogStreamServiceFactory = ({
 
   const getById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TGetDetailsAuditLogStreamDTO) => {
     const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
+    if (!logStream) throw new NotFoundError({ message: "Audit log stream not found" });
 
     const { orgId } = logStream;
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -3,9 +3,12 @@ import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import { AuditLogsSchema, TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols, stripUndefinedInWhere } from "@app/lib/knex";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { logger } from "@app/lib/logger";
 import { QueueName } from "@app/queue";
+import { ActorType } from "@app/services/auth/auth-type";
+
+import { EventType } from "./audit-log-types";
 
 export type TAuditLogDALFactory = ReturnType<typeof auditLogDALFactory>;
 
@@ -25,37 +28,81 @@ export const auditLogDALFactory = (db: TDbClient) => {
   const auditLogOrm = ormify(db, TableName.AuditLog);
 
   const find = async (
-    { orgId, projectId, userAgentType, startDate, endDate, limit = 20, offset = 0, actor, eventType }: TFindQuery,
+    {
+      orgId,
+      projectId,
+      userAgentType,
+      startDate,
+      endDate,
+      limit = 20,
+      offset = 0,
+      actorId,
+      actorType,
+      eventType,
+      eventMetadata
+    }: Omit<TFindQuery, "actor" | "eventType"> & {
+      actorId?: string;
+      actorType?: ActorType;
+      eventType?: EventType[];
+      eventMetadata?: Record<string, string>;
+    },
     tx?: Knex
   ) => {
+    if (!orgId && !projectId) {
+      throw new Error("Either orgId or projectId must be provided");
+    }
+
     try {
+      // Find statements
       const sqlQuery = (tx || db.replicaNode())(TableName.AuditLog)
-        .where(
-          stripUndefinedInWhere({
-            projectId,
-            [`${TableName.AuditLog}.orgId`]: orgId,
-            eventType,
-            userAgentType
-          })
-        )
-
         .leftJoin(TableName.Project, `${TableName.AuditLog}.projectId`, `${TableName.Project}.id`)
+        // eslint-disable-next-line func-names
+        .where(function () {
+          if (orgId) {
+            void this.where(`${TableName.Project}.orgId`, orgId).orWhere(`${TableName.AuditLog}.orgId`, orgId);
+          } else if (projectId) {
+            void this.where(`${TableName.AuditLog}.projectId`, projectId);
+          }
+        });
 
+      if (userAgentType) {
+        void sqlQuery.where("userAgentType", userAgentType);
+      }
+
+      // Select statements
+      void sqlQuery
         .select(selectAllTableCols(TableName.AuditLog))
-
         .select(
           db.ref("name").withSchema(TableName.Project).as("projectName"),
           db.ref("slug").withSchema(TableName.Project).as("projectSlug")
         )
-
         .limit(limit)
         .offset(offset)
         .orderBy(`${TableName.AuditLog}.createdAt`, "desc");
 
-      if (actor) {
-        void sqlQuery.whereRaw(`"actorMetadata"->>'userId' = ?`, [actor]);
+      // Special case: Filter by actor ID
+      if (actorId) {
+        void sqlQuery.whereRaw(`"actorMetadata"->>'userId' = ?`, [actorId]);
       }
 
+      // Special case: Filter by key/value pairs in eventMetadata field
+      if (eventMetadata && Object.keys(eventMetadata).length) {
+        Object.entries(eventMetadata).forEach(([key, value]) => {
+          void sqlQuery.whereRaw(`"eventMetadata"->>'${key}' = ?`, [value]);
+        });
+      }
+
+      // Filter by actor type
+      if (actorType) {
+        void sqlQuery.where("actor", actorType);
+      }
+
+      // Filter by event types
+      if (eventType?.length) {
+        void sqlQuery.whereIn("eventType", eventType);
+      }
+
+      // Filter by date range
       if (startDate) {
         void sqlQuery.where(`${TableName.AuditLog}.createdAt`, ">=", startDate);
       }
@@ -64,13 +111,21 @@ export const auditLogDALFactory = (db: TDbClient) => {
       }
       const docs = await sqlQuery;
 
-      return docs.map((doc) => ({
-        ...AuditLogsSchema.parse(doc),
-        project: {
-          name: doc.projectName,
-          slug: doc.projectSlug
-        }
-      }));
+      return docs.map((doc) => {
+        // Our type system refuses to acknowledge that the project name and slug are present in the doc, due to the disjointed query structure above.
+        // This is a quick and dirty way to get around the types.
+        const projectDoc = doc as unknown as { projectName: string; projectSlug: string };
+
+        return {
+          ...AuditLogsSchema.parse(doc),
+          ...(projectDoc?.projectSlug && {
+            project: {
+              name: projectDoc.projectName,
+              slug: projectDoc.projectSlug
+            }
+          })
+        };
+      });
     } catch (error) {
       throw new DatabaseError({ error });
     }

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -23,30 +23,19 @@ export const auditLogServiceFactory = ({
   auditLogQueue,
   permissionService
 }: TAuditLogServiceFactoryDep) => {
-  const listAuditLogs = async ({
-    userAgentType,
-    eventType,
-    offset,
-    limit,
-    endDate,
-    startDate,
-    actor,
-    actorId,
-    actorOrgId,
-    actorAuthMethod,
-    projectId,
-    auditLogActor
-  }: TListProjectAuditLogDTO) => {
-    if (projectId) {
+  const listAuditLogs = async ({ actorAuthMethod, actorId, actorOrgId, actor, filter }: TListProjectAuditLogDTO) => {
+    // Filter logs for specific project
+    if (filter.projectId) {
       const { permission } = await permissionService.getProjectPermission(
         actor,
         actorId,
-        projectId,
+        filter.projectId,
         actorAuthMethod,
         actorOrgId
       );
       ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
     } else {
+      // Organization-wide logs
       const { permission } = await permissionService.getOrgPermission(
         actor,
         actorId,
@@ -57,22 +46,23 @@ export const auditLogServiceFactory = ({
 
       /**
        * NOTE (dangtony98): Update this to organization-level audit log permission check once audit logs are moved
-       * to the organization level
+       * to the organization level ✅
        */
-      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Member);
+      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
     }
 
     // If project ID is not provided, then we need to return all the audit logs for the organization itself.
-
     const auditLogs = await auditLogDAL.find({
-      startDate,
-      endDate,
-      limit,
-      offset,
-      eventType,
-      userAgentType,
-      actor: auditLogActor,
-      ...(projectId ? { projectId } : { orgId: actorOrgId })
+      startDate: filter.startDate,
+      endDate: filter.endDate,
+      limit: filter.limit,
+      offset: filter.offset,
+      eventType: filter.eventType,
+      userAgentType: filter.userAgentType,
+      actorId: filter.auditLogActorId,
+      actorType: filter.actorType,
+      eventMetadata: filter.eventMetadata,
+      ...(filter.projectId ? { projectId: filter.projectId } : { orgId: actorOrgId })
     });
 
     return auditLogs.map(({ eventType: logEventType, actor: eActor, actorMetadata, eventMetadata, ...el }) => ({

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -5,19 +5,23 @@ import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
 
 export type TListProjectAuditLogDTO = {
-  auditLogActor?: string;
-  projectId?: string;
-  eventType?: string;
-  startDate?: string;
-  endDate?: string;
-  userAgentType?: string;
-  limit?: number;
-  offset?: number;
+  filter: {
+    userAgentType?: UserAgentType;
+    eventType?: EventType[];
+    offset?: number;
+    limit: number;
+    endDate?: string;
+    startDate?: string;
+    projectId?: string;
+    auditLogActorId?: string;
+    actorType?: ActorType;
+    eventMetadata?: Record<string, string>;
+  };
 } & Omit<TProjectPermission, "projectId">;
 
 export type TCreateAuditLogDTO = {
   event: Event;
-  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor;
+  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor;
   orgId?: string;
   projectId?: string;
 } & BaseAuthData;
@@ -177,7 +181,8 @@ export enum EventType {
   UPDATE_SLACK_INTEGRATION = "update-slack-integration",
   DELETE_SLACK_INTEGRATION = "delete-slack-integration",
   GET_PROJECT_SLACK_CONFIG = "get-project-slack-config",
-  UPDATE_PROJECT_SLACK_CONFIG = "update-project-slack-config"
+  UPDATE_PROJECT_SLACK_CONFIG = "update-project-slack-config",
+  INTEGRATION_SYNCED = "integration-synced"
 }
 
 interface UserActorMetadata {
@@ -198,6 +203,8 @@ interface IdentityActorMetadata {
 
 interface ScimClientActorMetadata {}
 
+interface PlatformActorMetadata {}
+
 export interface UserActor {
   type: ActorType.USER;
   metadata: UserActorMetadata;
@@ -208,6 +215,11 @@ export interface ServiceActor {
   metadata: ServiceActorMetadata;
 }
 
+export interface PlatformActor {
+  type: ActorType.PLATFORM;
+  metadata: PlatformActorMetadata;
+}
+
 export interface IdentityActor {
   type: ActorType.IDENTITY;
   metadata: IdentityActorMetadata;
@@ -218,7 +230,7 @@ export interface ScimClientActor {
   metadata: ScimClientActorMetadata;
 }
 
-export type Actor = UserActor | ServiceActor | IdentityActor | ScimClientActor;
+export type Actor = UserActor | ServiceActor | IdentityActor | ScimClientActor | PlatformActor;
 
 interface GetSecretsEvent {
   type: EventType.GET_SECRETS;
@@ -1518,6 +1530,16 @@ interface GetProjectSlackConfig {
     id: string;
   };
 }
+interface IntegrationSyncedEvent {
+  type: EventType.INTEGRATION_SYNCED;
+  metadata: {
+    integrationId: string;
+    lastSyncJobId: string;
+    lastUsed: Date;
+    syncMessage: string;
+    isSynced: boolean;
+  };
+}
 
 export type Event =
   | GetSecretsEvent
@@ -1657,4 +1679,5 @@ export type Event =
   | DeleteSlackIntegration
   | GetSlackIntegration
   | UpdateProjectSlackConfig
-  | GetProjectSlackConfig;
+  | GetProjectSlackConfig
+  | IntegrationSyncedEvent;

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -2,10 +2,9 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
-// import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -19,7 +18,6 @@ type TCertificateAuthorityCrlServiceFactoryDep = {
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
   kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  // licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
 
 export type TCertificateAuthorityCrlServiceFactory = ReturnType<typeof certificateAuthorityCrlServiceFactory>;
@@ -66,7 +64,7 @@ export const certificateAuthorityCrlServiceFactory = ({
    */
   const getCaCrls = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCrlsDTO) => {
     const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: "CA not found" });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -81,13 +79,6 @@ export const certificateAuthorityCrlServiceFactory = ({
       ProjectPermissionSub.CertificateAuthorities
     );
 
-    // const plan = await licenseService.getPlan(actorOrgId);
-    // if (!plan.caCrl)
-    //   throw new BadRequestError({
-    //     message:
-    //       "Failed to get CA certificate revocation lists (CRLs) due to plan restriction. Upgrade plan to get the CA CRL."
-    //   });
-
     const caCrls = await certificateAuthorityCrlDAL.find({ caId: ca.id }, { sort: [["createdAt", "desc"]] });
 
     const keyId = await getProjectKmsCertificateKeyId({

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -7,7 +7,7 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { getConfig } from "@app/lib/config/env";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
@@ -61,7 +61,7 @@ export const dynamicSecretLeaseServiceFactory = ({
   }: TCreateDynamicSecretLeaseDTO) => {
     const appCfg = getConfig();
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     const projectId = project.id;
     const { permission } = await permissionService.getProjectPermission(
@@ -84,10 +84,10 @@ export const dynamicSecretLeaseServiceFactory = ({
     }
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
 
     const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg) throw new NotFoundError({ message: "Dynamic secret not found" });
 
     const totalLeasesTaken = await dynamicSecretLeaseDAL.countLeasesForDynamicSecret(dynamicSecretCfg.id);
     if (totalLeasesTaken >= appCfg.MAX_LEASE_LIMIT)
@@ -134,7 +134,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     leaseId
   }: TRenewDynamicSecretLeaseDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     const projectId = project.id;
     const { permission } = await permissionService.getProjectPermission(
@@ -157,10 +157,10 @@ export const dynamicSecretLeaseServiceFactory = ({
     }
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
 
     const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+    if (!dynamicSecretLease) throw new NotFoundError({ message: "Dynamic secret lease not found" });
 
     const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
     const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
@@ -208,7 +208,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     isForced
   }: TDeleteDynamicSecretLeaseDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     const projectId = project.id;
     const { permission } = await permissionService.getProjectPermission(
@@ -224,10 +224,10 @@ export const dynamicSecretLeaseServiceFactory = ({
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
 
     const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+    if (!dynamicSecretLease) throw new NotFoundError({ message: "Dynamic secret lease not found" });
 
     const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
     const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
@@ -273,7 +273,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     actorAuthMethod
   }: TListDynamicSecretLeasesDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     const projectId = project.id;
     const { permission } = await permissionService.getProjectPermission(
@@ -289,10 +289,10 @@ export const dynamicSecretLeaseServiceFactory = ({
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
 
     const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg) throw new NotFoundError({ message: "Dynamic secret not found" });
 
     const dynamicSecretLeases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
     return dynamicSecretLeases;
@@ -309,7 +309,7 @@ export const dynamicSecretLeaseServiceFactory = ({
     actorAuthMethod
   }: TDetailsDynamicSecretLeaseDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     const projectId = project.id;
     const { permission } = await permissionService.getProjectPermission(
@@ -325,10 +325,10 @@ export const dynamicSecretLeaseServiceFactory = ({
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
 
     const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+    if (!dynamicSecretLease) throw new NotFoundError({ message: "Dynamic secret lease not found" });
 
     return dynamicSecretLease;
   };

backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts

@@ -1,10 +1,70 @@
+import { Knex } from "knex";
+
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { OrderByDirection } from "@app/lib/types";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
 export type TDynamicSecretDALFactory = ReturnType<typeof dynamicSecretDALFactory>;
 
 export const dynamicSecretDALFactory = (db: TDbClient) => {
   const orm = ormify(db, TableName.DynamicSecret);
-  return orm;
+
+  // find dynamic secrets for multiple environments (folder IDs are cross env, thus need to rank for pagination)
+  const listDynamicSecretsByFolderIds = async (
+    {
+      folderIds,
+      search,
+      limit,
+      offset = 0,
+      orderBy = SecretsOrderBy.Name,
+      orderDirection = OrderByDirection.ASC
+    }: {
+      folderIds: string[];
+      search?: string;
+      limit?: number;
+      offset?: number;
+      orderBy?: SecretsOrderBy;
+      orderDirection?: OrderByDirection;
+    },
+    tx?: Knex
+  ) => {
+    try {
+      const query = (tx || db.replicaNode())(TableName.DynamicSecret)
+        .whereIn("folderId", folderIds)
+        .where((bd) => {
+          if (search) {
+            void bd.whereILike(`${TableName.DynamicSecret}.name`, `%${search}%`);
+          }
+        })
+        .leftJoin(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.DynamicSecret}.folderId`)
+        .leftJoin(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+        .select(
+          selectAllTableCols(TableName.DynamicSecret),
+          db.ref("slug").withSchema(TableName.Environment).as("environment"),
+          db.raw(`DENSE_RANK() OVER (ORDER BY ${TableName.DynamicSecret}."name" ${orderDirection}) as rank`)
+        )
+        .orderBy(`${TableName.DynamicSecret}.${orderBy}`, orderDirection);
+
+      if (limit) {
+        const rankOffset = offset + 1;
+        return await (tx || db)
+          .with("w", query)
+          .select("*")
+          .from<Awaited<typeof query>[number]>("w")
+          .where("w.rank", ">=", rankOffset)
+          .andWhere("w.rank", "<", rankOffset + limit);
+      }
+
+      const dynamicSecrets = await query;
+
+      return dynamicSecrets;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "List dynamic secret multi env" });
+    }
+  };
+
+  return { ...orm, listDynamicSecretsByFolderIds };
 };

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -5,7 +5,8 @@ import { TLicenseServiceFactory } from "@app/ee/services/license/license-service
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { OrderByDirection } from "@app/lib/types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 
@@ -17,9 +18,12 @@ import {
   TCreateDynamicSecretDTO,
   TDeleteDynamicSecretDTO,
   TDetailsDynamicSecretDTO,
+  TGetDynamicSecretsCountDTO,
   TListDynamicSecretsDTO,
+  TListDynamicSecretsMultiEnvDTO,
   TUpdateDynamicSecretDTO
 } from "./dynamic-secret-types";
+import { AzureEntraIDProvider } from "./providers/azure-entra-id";
 import { DynamicSecretProviders, TDynamicProviderFns } from "./providers/models";
 
 type TDynamicSecretServiceFactoryDep = {
@@ -31,7 +35,7 @@ type TDynamicSecretServiceFactoryDep = {
     "pruneDynamicSecret" | "unsetLeaseRevocation"
   >;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findBySecretPathMultiEnv">;
   projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
 };
@@ -62,7 +66,7 @@ export const dynamicSecretServiceFactory = ({
     actorAuthMethod
   }: TCreateDynamicSecretDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     const projectId = project.id;
     const { permission } = await permissionService.getProjectPermission(
@@ -85,7 +89,7 @@ export const dynamicSecretServiceFactory = ({
     }
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
 
     const existingDynamicSecret = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
     if (existingDynamicSecret)
@@ -130,7 +134,7 @@ export const dynamicSecretServiceFactory = ({
     actorAuthMethod
   }: TUpdateDynamicSecretDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     const projectId = project.id;
 
@@ -154,10 +158,10 @@ export const dynamicSecretServiceFactory = ({
     }
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
 
     const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg) throw new NotFoundError({ message: "Dynamic secret not found" });
 
     if (newName) {
       const existingDynamicSecret = await dynamicSecretDAL.findOne({ name: newName, folderId: folder.id });
@@ -209,7 +213,7 @@ export const dynamicSecretServiceFactory = ({
     isForced
   }: TDeleteDynamicSecretDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     const projectId = project.id;
 
@@ -226,7 +230,7 @@ export const dynamicSecretServiceFactory = ({
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
 
     const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
     if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
@@ -267,7 +271,7 @@ export const dynamicSecretServiceFactory = ({
     actor
   }: TDetailsDynamicSecretDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     const projectId = project.id;
     const { permission } = await permissionService.getProjectPermission(
@@ -283,10 +287,10 @@ export const dynamicSecretServiceFactory = ({
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
 
     const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg) throw new NotFoundError({ message: "Dynamic secret not found" });
     const decryptedStoredInput = JSON.parse(
       infisicalSymmetricDecrypt({
         keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
@@ -300,19 +304,58 @@ export const dynamicSecretServiceFactory = ({
     return { ...dynamicSecretCfg, inputs: providerInputs };
   };
 
-  const list = async ({
+  // get unique dynamic secret count across multiple envs
+  const getCountMultiEnv = async ({
     actorAuthMethod,
     actorOrgId,
     actorId,
     actor,
-    projectSlug,
+    projectId,
     path,
-    environmentSlug
-  }: TListDynamicSecretsDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    environmentSlugs,
+    search,
+    isInternal
+  }: TListDynamicSecretsMultiEnvDTO) => {
+    if (!isInternal) {
+      const { permission } = await permissionService.getProjectPermission(
+        actor,
+        actorId,
+        projectId,
+        actorAuthMethod,
+        actorOrgId
+      );
 
-    const projectId = project.id;
+      // verify user has access to each env in request
+      environmentSlugs.forEach((environmentSlug) =>
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionActions.Read,
+          subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+        )
+      );
+    }
+
+    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
+    if (!folders.length) throw new NotFoundError({ message: "Folders not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.find(
+      { $in: { folderId: folders.map((folder) => folder.id) }, $search: search ? { name: `%${search}%` } : undefined },
+      { countDistinct: "name" }
+    );
+
+    return Number(dynamicSecretCfg[0]?.count ?? 0);
+  };
+
+  // get dynamic secret count for a single env
+  const getDynamicSecretCount = async ({
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    path,
+    environmentSlug,
+    search,
+    projectId
+  }: TGetDynamicSecretsCountDTO) => {
     const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
@@ -326,17 +369,132 @@ export const dynamicSecretServiceFactory = ({
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
 
-    const dynamicSecretCfg = await dynamicSecretDAL.find({ folderId: folder.id });
+    const dynamicSecretCfg = await dynamicSecretDAL.find(
+      { folderId: folder.id, $search: search ? { name: `%${search}%` } : undefined },
+      { count: true }
+    );
+    return Number(dynamicSecretCfg[0]?.count ?? 0);
+  };
+
+  const listDynamicSecretsByEnv = async ({
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    projectSlug,
+    path,
+    environmentSlug,
+    limit,
+    offset,
+    orderBy,
+    orderDirection = OrderByDirection.ASC,
+    search,
+    ...params
+  }: TListDynamicSecretsDTO) => {
+    let { projectId } = params;
+
+    if (!projectId) {
+      if (!projectSlug) throw new BadRequestError({ message: "Project ID or slug required" });
+      const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+      if (!project) throw new NotFoundError({ message: "Project not found" });
+      projectId = project.id;
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+    );
+
+    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.find(
+      { folderId: folder.id, $search: search ? { name: `%${search}%` } : undefined },
+      {
+        limit,
+        offset,
+        sort: orderBy ? [[orderBy, orderDirection]] : undefined
+      }
+    );
     return dynamicSecretCfg;
   };
 
+  // get dynamic secrets for multiple envs
+  const listDynamicSecretsByFolderIds = async ({
+    actorAuthMethod,
+    actorOrgId,
+    actorId,
+    actor,
+    path,
+    environmentSlugs,
+    projectId,
+    isInternal,
+    ...params
+  }: TListDynamicSecretsMultiEnvDTO) => {
+    if (!isInternal) {
+      const { permission } = await permissionService.getProjectPermission(
+        actor,
+        actorId,
+        projectId,
+        actorAuthMethod,
+        actorOrgId
+      );
+
+      // verify user has access to each env in request
+      environmentSlugs.forEach((environmentSlug) =>
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionActions.Read,
+          subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
+        )
+      );
+    }
+
+    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
+    if (!folders.length) throw new NotFoundError({ message: "Folders not found" });
+
+    const dynamicSecretCfg = await dynamicSecretDAL.listDynamicSecretsByFolderIds({
+      folderIds: folders.map((folder) => folder.id),
+      ...params
+    });
+
+    return dynamicSecretCfg;
+  };
+
+  const fetchAzureEntraIdUsers = async ({
+    tenantId,
+    applicationId,
+    clientSecret
+  }: {
+    tenantId: string;
+    applicationId: string;
+    clientSecret: string;
+  }) => {
+    const azureEntraIdUsers = await AzureEntraIDProvider().fetchAzureEntraIdUsers(
+      tenantId,
+      applicationId,
+      clientSecret
+    );
+    return azureEntraIdUsers;
+  };
+
   return {
     create,
     updateByName,
     deleteByName,
     getDetails,
-    list
+    listDynamicSecretsByEnv,
+    listDynamicSecretsByFolderIds,
+    getDynamicSecretCount,
+    getCountMultiEnv,
+    fetchAzureEntraIdUsers
   };
 };

backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
-import { TProjectPermission } from "@app/lib/types";
+import { OrderByDirection, TProjectPermission } from "@app/lib/types";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
 import { DynamicSecretProviderSchema } from "./providers/models";
 
@@ -50,5 +51,20 @@ export type TDetailsDynamicSecretDTO = {
 export type TListDynamicSecretsDTO = {
   path: string;
   environmentSlug: string;
-  projectSlug: string;
+  projectSlug?: string;
+  projectId?: string;
+  offset?: number;
+  limit?: number;
+  orderBy?: SecretsOrderBy;
+  orderDirection?: OrderByDirection;
+  search?: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TListDynamicSecretsMultiEnvDTO = Omit<
+  TListDynamicSecretsDTO,
+  "projectId" | "environmentSlug" | "projectSlug"
+> & { projectId: string; environmentSlugs: string[]; isInternal?: boolean };
+
+export type TGetDynamicSecretsCountDTO = Omit<TListDynamicSecretsDTO, "projectSlug" | "projectId"> & {
+  projectId: string;
+};

backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts

@@ -0,0 +1,138 @@
+import axios from "axios";
+import { customAlphabet } from "nanoid";
+
+import { BadRequestError } from "@app/lib/errors";
+
+import { AzureEntraIDSchema, TDynamicProviderFns } from "./models";
+
+const MSFT_GRAPH_API_URL = "https://graph.microsoft.com/v1.0/";
+const MSFT_LOGIN_URL = "https://login.microsoftonline.com";
+
+const generatePassword = () => {
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  return customAlphabet(charset, 64)();
+};
+
+type User = { name: string; id: string; email: string };
+
+export const AzureEntraIDProvider = (): TDynamicProviderFns & {
+  fetchAzureEntraIdUsers: (tenantId: string, applicationId: string, clientSecret: string) => Promise<User[]>;
+} => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await AzureEntraIDSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const getToken = async (
+    tenantId: string,
+    applicationId: string,
+    clientSecret: string
+  ): Promise<{ token?: string; success: boolean }> => {
+    const response = await axios.post<{ access_token: string }>(
+      `${MSFT_LOGIN_URL}/${tenantId}/oauth2/v2.0/token`,
+      {
+        grant_type: "client_credentials",
+        client_id: applicationId,
+        client_secret: clientSecret,
+        scope: "https://graph.microsoft.com/.default"
+      },
+      {
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded"
+        }
+      }
+    );
+
+    if (response.status === 200) {
+      return { token: response.data.access_token, success: true };
+    }
+    return { success: false };
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const data = await getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+    return data.success;
+  };
+
+  const renew = async (inputs: unknown, entityId: string) => {
+    // Do nothing
+    return { entityId };
+  };
+
+  const create = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const data = await getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+    if (!data.success) {
+      throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
+    }
+
+    const password = generatePassword();
+
+    const response = await axios.patch(
+      `${MSFT_GRAPH_API_URL}/users/${providerInputs.userId}`,
+      {
+        passwordProfile: {
+          forceChangePasswordNextSignIn: false,
+          password
+        }
+      },
+      {
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${data.token}`
+        }
+      }
+    );
+    if (response.status !== 204) {
+      throw new BadRequestError({ message: "Failed to update password" });
+    }
+
+    return { entityId: providerInputs.userId, data: { email: providerInputs.email, password } };
+  };
+
+  const revoke = async (inputs: unknown, entityId: string) => {
+    // Creates a new password
+    await create(inputs);
+    return { entityId };
+  };
+
+  const fetchAzureEntraIdUsers = async (tenantId: string, applicationId: string, clientSecret: string) => {
+    const data = await getToken(tenantId, applicationId, clientSecret);
+    if (!data.success) {
+      throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
+    }
+
+    const response = await axios.get<{ value: [{ id: string; displayName: string; userPrincipalName: string }] }>(
+      `${MSFT_GRAPH_API_URL}/users`,
+      {
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          Authorization: `Bearer ${data.token}`
+        }
+      }
+    );
+
+    if (response.status !== 200) {
+      throw new BadRequestError({ message: "Failed to fetch users" });
+    }
+
+    const users = response.data.value.map((user) => {
+      return {
+        name: user.displayName,
+        id: user.id,
+        email: user.userPrincipalName
+      };
+    });
+    return users;
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew,
+    fetchAzureEntraIdUsers
+  };
+};

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -1,5 +1,6 @@
 import { AwsElastiCacheDatabaseProvider } from "./aws-elasticache";
 import { AwsIamProvider } from "./aws-iam";
+import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
 import { DynamicSecretProviders } from "./models";
@@ -18,5 +19,6 @@ export const buildDynamicSecretProviders = () => ({
   [DynamicSecretProviders.MongoAtlas]: MongoAtlasProvider(),
   [DynamicSecretProviders.MongoDB]: MongoDBProvider(),
   [DynamicSecretProviders.ElasticSearch]: ElasticSearchProvider(),
-  [DynamicSecretProviders.RabbitMq]: RabbitMqProvider()
+  [DynamicSecretProviders.RabbitMq]: RabbitMqProvider(),
+  [DynamicSecretProviders.AzureEntraID]: AzureEntraIDProvider()
 });

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -166,6 +166,14 @@ export const DynamicSecretMongoDBSchema = z.object({
     )
 });
 
+export const AzureEntraIDSchema = z.object({
+  tenantId: z.string().trim().min(1),
+  userId: z.string().trim().min(1),
+  email: z.string().trim().min(1),
+  applicationId: z.string().trim().min(1),
+  clientSecret: z.string().trim().min(1)
+});
+
 export enum DynamicSecretProviders {
   SqlDatabase = "sql-database",
   Cassandra = "cassandra",
@@ -175,7 +183,8 @@ export enum DynamicSecretProviders {
   MongoAtlas = "mongo-db-atlas",
   ElasticSearch = "elastic-search",
   MongoDB = "mongo-db",
-  RabbitMq = "rabbit-mq"
+  RabbitMq = "rabbit-mq",
+  AzureEntraID = "azure-entra-id"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -187,7 +196,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.MongoAtlas), inputs: DynamicSecretMongoAtlasSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.ElasticSearch), inputs: DynamicSecretElasticSearchSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.MongoDB), inputs: DynamicSecretMongoDBSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.RabbitMq), inputs: DynamicSecretRabbitMqSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.RabbitMq), inputs: DynamicSecretRabbitMqSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/external-kms/external-kms-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -145,7 +145,7 @@ export const externalKmsServiceFactory = ({
     const kmsSlug = slug ? slugify(slug) : undefined;
 
     const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: "External kms not found" });
 
     let sanitizedProviderInput = "";
     const { encryptor: orgDataKeyEncryptor, decryptor: orgDataKeyDecryptor } =
@@ -220,7 +220,7 @@ export const externalKmsServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Kms);
 
     const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: "External kms not found" });
 
     const externalKms = await externalKmsDAL.transaction(async (tx) => {
       const kms = await kmsDAL.deleteById(kmsDoc.id, tx);
@@ -258,7 +258,7 @@ export const externalKmsServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Kms);
 
     const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: "External kms not found" });
 
     const { decryptor: orgDataKeyDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.Organization,
@@ -298,7 +298,7 @@ export const externalKmsServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Kms);
 
     const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: "External kms not found" });
 
     const { decryptor: orgDataKeyDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.Organization,

backend/src/ee/services/group/group-dal.ts

@@ -60,7 +60,7 @@ export const groupDALFactory = (db: TDbClient) => {
   };
 
   // special query
-  const findAllGroupMembers = async ({
+  const findAllGroupPossibleMembers = async ({
     orgId,
     groupId,
     offset = 0,
@@ -125,7 +125,7 @@ export const groupDALFactory = (db: TDbClient) => {
   return {
     findGroups,
     findByOrgId,
-    findAllGroupMembers,
+    findAllGroupPossibleMembers,
     ...groupOrm
   };
 };

backend/src/ee/services/group/group-fns.ts

@@ -2,7 +2,7 @@ import { Knex } from "knex";
 
 import { SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
 import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { BadRequestError, ScimRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, ScimRequestError } from "@app/lib/errors";
 
 import {
   TAddUsersToGroup,
@@ -73,24 +73,24 @@ const addAcceptedUsersToGroup = async ({
       const ghostUser = await projectDAL.findProjectGhostUser(projectId, tx);
 
       if (!ghostUser) {
-        throw new BadRequestError({
-          message: "Failed to find sudo user"
+        throw new NotFoundError({
+          message: "Failed to find project owner"
         });
       }
 
       const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId, tx);
 
       if (!ghostUserLatestKey) {
-        throw new BadRequestError({
-          message: "Failed to find sudo user latest key"
+        throw new NotFoundError({
+          message: "Failed to find project owner's latest key"
         });
       }
 
       const bot = await projectBotDAL.findOne({ projectId }, tx);
 
       if (!bot) {
-        throw new BadRequestError({
-          message: "Failed to find bot"
+        throw new NotFoundError({
+          message: "Failed to find project bot"
         });
       }
 
@@ -200,7 +200,7 @@ export const addUsersToGroupByUserIds = async ({
 
     userIds.forEach((userId) => {
       if (!existingUserOrgMembershipsUserIdsSet.has(userId))
-        throw new BadRequestError({
+        throw new ForbiddenRequestError({
           message: `User with id ${userId} is not part of the organization`
         });
     });
@@ -303,7 +303,7 @@ export const removeUsersFromGroupByUserIds = async ({
 
     userIds.forEach((userId) => {
       if (!existingUserGroupMembershipsUserIdsSet.has(userId))
-        throw new BadRequestError({
+        throw new ForbiddenRequestError({
           message: `User(s) are not part of the group ${group.slug}`
         });
     });
@@ -415,7 +415,7 @@ export const convertPendingGroupAdditionsToGroupMemberships = async ({
     const usersUserIdsSet = new Set(users.map((u) => u.id));
     userIds.forEach((userId) => {
       if (!usersUserIdsSet.has(userId)) {
-        throw new BadRequestError({
+        throw new NotFoundError({
           message: `Failed to find user with id ${userId}`
         });
       }

backend/src/ee/services/group/group-service.ts

@@ -3,7 +3,7 @@ import slugify from "@sindresorhus/slugify";
 
 import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
-import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -21,6 +21,7 @@ import {
   TAddUserToGroupDTO,
   TCreateGroupDTO,
   TDeleteGroupDTO,
+  TGetGroupByIdDTO,
   TListGroupUsersDTO,
   TRemoveUserFromGroupDTO,
   TUpdateGroupDTO
@@ -29,7 +30,10 @@ import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal";
 
 type TGroupServiceFactoryDep = {
   userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
-  groupDAL: Pick<TGroupDALFactory, "create" | "findOne" | "update" | "delete" | "findAllGroupMembers">;
+  groupDAL: Pick<
+    TGroupDALFactory,
+    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById"
+  >;
   groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
   orgDAL: Pick<TOrgDALFactory, "findMembership" | "countAllOrgMembers">;
   userGroupMembershipDAL: Pick<
@@ -58,7 +62,7 @@ export const groupServiceFactory = ({
   licenseService
 }: TGroupServiceFactoryDep) => {
   const createGroup = async ({ name, slug, role, actor, actorId, actorAuthMethod, actorOrgId }: TCreateGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
 
     const { permission } = await permissionService.getOrgPermission(
       actor,
@@ -81,7 +85,8 @@ export const groupServiceFactory = ({
     );
     const isCustomRole = Boolean(customRole);
     const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
-    if (!hasRequiredPriviledges) throw new BadRequestError({ message: "Failed to create a more privileged group" });
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
 
     const group = await groupDAL.create({
       name,
@@ -95,7 +100,7 @@ export const groupServiceFactory = ({
   };
 
   const updateGroup = async ({
-    currentSlug,
+    id,
     name,
     slug,
     role,
@@ -104,7 +109,7 @@ export const groupServiceFactory = ({
     actorAuthMethod,
     actorOrgId
   }: TUpdateGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
 
     const { permission } = await permissionService.getOrgPermission(
       actor,
@@ -121,8 +126,10 @@ export const groupServiceFactory = ({
         message: "Failed to update group due to plan restrictio Upgrade plan to update group."
       });
 
-    const group = await groupDAL.findOne({ orgId: actorOrgId, slug: currentSlug });
-    if (!group) throw new BadRequestError({ message: `Failed to find group with slug ${currentSlug}` });
+    const group = await groupDAL.findOne({ orgId: actorOrgId, id });
+    if (!group) {
+      throw new NotFoundError({ message: `Failed to find group with ID ${id}` });
+    }
 
     let customRole: TOrgRoles | undefined;
     if (role) {
@@ -134,14 +141,13 @@ export const groupServiceFactory = ({
       const isCustomRole = Boolean(customOrgRole);
       const hasRequiredNewRolePermission = isAtLeastAsPrivileged(permission, rolePermission);
       if (!hasRequiredNewRolePermission)
-        throw new BadRequestError({ message: "Failed to create a more privileged group" });
+        throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
       if (isCustomRole) customRole = customOrgRole;
     }
 
     const [updatedGroup] = await groupDAL.update(
       {
-        orgId: actorOrgId,
-        slug: currentSlug
+        id: group.id
       },
       {
         name,
@@ -158,8 +164,8 @@ export const groupServiceFactory = ({
     return updatedGroup;
   };
 
-  const deleteGroup = async ({ groupSlug, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+  const deleteGroup = async ({ id, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteGroupDTO) => {
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
 
     const { permission } = await permissionService.getOrgPermission(
       actor,
@@ -178,15 +184,37 @@ export const groupServiceFactory = ({
       });
 
     const [group] = await groupDAL.delete({
-      orgId: actorOrgId,
-      slug: groupSlug
+      id,
+      orgId: actorOrgId
     });
 
     return group;
   };
 
+  const getGroupById = async ({ id, actor, actorId, actorAuthMethod, actorOrgId }: TGetGroupByIdDTO) => {
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
+
+    const group = await groupDAL.findById(id);
+    if (!group) {
+      throw new NotFoundError({
+        message: `Cannot find group with ID ${id}`
+      });
+    }
+
+    return group;
+  };
+
   const listGroupUsers = async ({
-    groupSlug,
+    id,
     offset,
     limit,
     username,
@@ -195,7 +223,7 @@ export const groupServiceFactory = ({
     actorAuthMethod,
     actorOrgId
   }: TListGroupUsersDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
 
     const { permission } = await permissionService.getOrgPermission(
       actor,
@@ -208,15 +236,15 @@ export const groupServiceFactory = ({
 
     const group = await groupDAL.findOne({
       orgId: actorOrgId,
-      slug: groupSlug
+      id
     });
 
     if (!group)
-      throw new BadRequestError({
-        message: `Failed to find group with slug ${groupSlug}`
+      throw new NotFoundError({
+        message: `Failed to find group with ID ${id}`
       });
 
-    const users = await groupDAL.findAllGroupMembers({
+    const users = await groupDAL.findAllGroupPossibleMembers({
       orgId: group.orgId,
       groupId: group.id,
       offset,
@@ -229,15 +257,8 @@ export const groupServiceFactory = ({
     return { users, totalCount: count };
   };
 
-  const addUserToGroup = async ({
-    groupSlug,
-    username,
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId
-  }: TAddUserToGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+  const addUserToGroup = async ({ id, username, actor, actorId, actorAuthMethod, actorOrgId }: TAddUserToGroupDTO) => {
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
 
     const { permission } = await permissionService.getOrgPermission(
       actor,
@@ -251,12 +272,12 @@ export const groupServiceFactory = ({
     // check if group with slug exists
     const group = await groupDAL.findOne({
       orgId: actorOrgId,
-      slug: groupSlug
+      id
     });
 
     if (!group)
-      throw new BadRequestError({
-        message: `Failed to find group with slug ${groupSlug}`
+      throw new NotFoundError({
+        message: `Failed to find group with ID ${id}`
       });
 
     const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
@@ -267,7 +288,7 @@ export const groupServiceFactory = ({
       throw new ForbiddenRequestError({ message: "Failed to add user to more privileged group" });
 
     const user = await userDAL.findOne({ username });
-    if (!user) throw new BadRequestError({ message: `Failed to find user with username ${username}` });
+    if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });
 
     const users = await addUsersToGroupByUserIds({
       group,
@@ -285,14 +306,14 @@ export const groupServiceFactory = ({
   };
 
   const removeUserFromGroup = async ({
-    groupSlug,
+    id,
     username,
     actor,
     actorId,
     actorAuthMethod,
     actorOrgId
   }: TRemoveUserFromGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
 
     const { permission } = await permissionService.getOrgPermission(
       actor,
@@ -306,12 +327,12 @@ export const groupServiceFactory = ({
     // check if group with slug exists
     const group = await groupDAL.findOne({
       orgId: actorOrgId,
-      slug: groupSlug
+      id
     });
 
     if (!group)
-      throw new BadRequestError({
-        message: `Failed to find group with slug ${groupSlug}`
+      throw new NotFoundError({
+        message: `Failed to find group with ID ${id}`
       });
 
     const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
@@ -322,7 +343,7 @@ export const groupServiceFactory = ({
       throw new ForbiddenRequestError({ message: "Failed to delete user from more privileged group" });
 
     const user = await userDAL.findOne({ username });
-    if (!user) throw new BadRequestError({ message: `Failed to find user with username ${username}` });
+    if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });
 
     const users = await removeUsersFromGroupByUserIds({
       group,
@@ -342,6 +363,7 @@ export const groupServiceFactory = ({
     deleteGroup,
     listGroupUsers,
     addUserToGroup,
-    removeUserFromGroup
+    removeUserFromGroup,
+    getGroupById
   };
 };

backend/src/ee/services/group/group-types.ts

@@ -17,7 +17,7 @@ export type TCreateGroupDTO = {
 } & TGenericPermission;
 
 export type TUpdateGroupDTO = {
-  currentSlug: string;
+  id: string;
 } & Partial<{
   name: string;
   slug: string;
@@ -26,23 +26,27 @@ export type TUpdateGroupDTO = {
   TGenericPermission;
 
 export type TDeleteGroupDTO = {
-  groupSlug: string;
+  id: string;
+} & TGenericPermission;
+
+export type TGetGroupByIdDTO = {
+  id: string;
 } & TGenericPermission;
 
 export type TListGroupUsersDTO = {
-  groupSlug: string;
+  id: string;
   offset: number;
   limit: number;
   username?: string;
 } & TGenericPermission;
 
 export type TAddUserToGroupDTO = {
-  groupSlug: string;
+  id: string;
   username: string;
 } & TGenericPermission;
 
 export type TRemoveUserFromGroupDTO = {
-  groupSlug: string;
+  id: string;
   username: string;
 } & TGenericPermission;
 

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -4,7 +4,7 @@ import ms from "ms";
 import { z } from "zod";
 
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
-import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -71,12 +71,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     ...dto
   }: TCreateIdentityPrivilegeDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
     const projectId = project.id;
 
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -143,12 +143,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     actorAuthMethod
   }: TUpdateIdentityPrivilegeDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
     const projectId = project.id;
 
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -173,7 +173,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       slug,
       projectMembershipId: identityProjectMembership.id
     });
-    if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
+    if (!identityPrivilege) throw new NotFoundError({ message: "Identity additional privilege not found" });
     if (data?.slug) {
       const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
         slug: data.slug,
@@ -224,12 +224,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     actorAuthMethod
   }: TDeleteIdentityPrivilegeDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
     const projectId = project.id;
 
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -254,7 +254,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       slug,
       projectMembershipId: identityProjectMembership.id
     });
-    if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
+    if (!identityPrivilege) throw new NotFoundError({ message: "Identity additional privilege not found" });
 
     const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
     return {
@@ -274,12 +274,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     actorAuthMethod
   }: TGetIdentityPrivilegeDetailsDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
     const projectId = project.id;
 
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
     const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
@@ -293,7 +293,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       slug,
       projectMembershipId: identityProjectMembership.id
     });
-    if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
+    if (!identityPrivilege) throw new NotFoundError({ message: "Identity additional privilege not found" });
 
     return {
       ...identityPrivilege,
@@ -310,12 +310,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     projectSlug
   }: TListIdentityPrivilegesDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
     const projectId = project.id;
 
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
     const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -21,7 +21,7 @@ import {
   infisicalSymmetricDecrypt,
   infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
@@ -253,7 +253,7 @@ export const ldapConfigServiceFactory = ({
     };
 
     const orgBot = await orgBotDAL.findOne({ orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
     const key = infisicalSymmetricDecrypt({
       ciphertext: orgBot.encryptedSymmetricKey,
       iv: orgBot.symmetricKeyIV,
@@ -289,10 +289,10 @@ export const ldapConfigServiceFactory = ({
 
   const getLdapCfg = async (filter: { orgId: string; isActive?: boolean; id?: string }) => {
     const ldapConfig = await ldapConfigDAL.findOne(filter);
-    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+    if (!ldapConfig) throw new NotFoundError({ message: "Failed to find organization LDAP data" });
 
     const orgBot = await orgBotDAL.findOne({ orgId: ldapConfig.orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
 
     const key = infisicalSymmetricDecrypt({
       ciphertext: orgBot.encryptedSymmetricKey,
@@ -375,7 +375,7 @@ export const ldapConfigServiceFactory = ({
 
   const bootLdap = async (organizationSlug: string) => {
     const organization = await orgDAL.findOne({ slug: organizationSlug });
-    if (!organization) throw new BadRequestError({ message: "Org not found" });
+    if (!organization) throw new NotFoundError({ message: "Organization not found" });
 
     const ldapConfig = await getLdapCfg({
       orgId: organization.id,
@@ -420,7 +420,7 @@ export const ldapConfigServiceFactory = ({
     const serverCfg = await getServerCfg();
 
     if (serverCfg.enabledLoginMethods && !serverCfg.enabledLoginMethods.includes(LoginMethod.LDAP)) {
-      throw new BadRequestError({
+      throw new ForbiddenRequestError({
         message: "Login with LDAP is disabled by administrator."
       });
     }
@@ -432,7 +432,7 @@ export const ldapConfigServiceFactory = ({
     });
 
     const organization = await orgDAL.findOrgById(orgId);
-    if (!organization) throw new BadRequestError({ message: "Org not found" });
+    if (!organization) throw new NotFoundError({ message: "Organization not found" });
 
     if (userAlias) {
       await userDAL.transaction(async (tx) => {
@@ -700,7 +700,7 @@ export const ldapConfigServiceFactory = ({
       orgId
     });
 
-    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+    if (!ldapConfig) throw new NotFoundError({ message: "Failed to find organization LDAP data" });
 
     const groupMaps = await ldapGroupMapDAL.findLdapGroupMapsByLdapConfigId(ldapConfigId);
 
@@ -741,13 +741,13 @@ export const ldapConfigServiceFactory = ({
     const groups = await searchGroups(ldapConfig, groupSearchFilter, ldapConfig.groupSearchBase);
 
     if (!groups.some((g) => g.cn === ldapGroupCN)) {
-      throw new BadRequestError({
+      throw new NotFoundError({
         message: "Failed to find LDAP Group CN"
       });
     }
 
     const group = await groupDAL.findOne({ slug: groupSlug, orgId });
-    if (!group) throw new BadRequestError({ message: "Failed to find group" });
+    if (!group) throw new NotFoundError({ message: "Failed to find group" });
 
     const groupMap = await ldapGroupMapDAL.create({
       ldapConfigId,
@@ -781,7 +781,7 @@ export const ldapConfigServiceFactory = ({
       orgId
     });
 
-    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+    if (!ldapConfig) throw new NotFoundError({ message: "Failed to find organization LDAP data" });
 
     const [deletedGroupMap] = await ldapGroupMapDAL.delete({
       ldapConfigId: ldapConfig.id,

backend/src/ee/services/license/license-service.ts

@@ -10,7 +10,7 @@ import { Knex } from "knex";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { verifyOfflineLicense } from "@app/lib/crypto";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 
@@ -145,7 +145,7 @@ export const licenseServiceFactory = ({
         if (cachedPlan) return JSON.parse(cachedPlan) as TFeatureSet;
 
         const org = await orgDAL.findOrgById(orgId);
-        if (!org) throw new BadRequestError({ message: "Org not found" });
+        if (!org) throw new NotFoundError({ message: "Organization not found" });
         const {
           data: { currentPlan }
         } = await licenseServerCloudApi.request.get<{ currentPlan: TFeatureSet }>(
@@ -204,7 +204,7 @@ export const licenseServiceFactory = ({
   const updateSubscriptionOrgMemberCount = async (orgId: string, tx?: Knex) => {
     if (instanceType === InstanceType.Cloud) {
       const org = await orgDAL.findOrgById(orgId);
-      if (!org) throw new BadRequestError({ message: "Org not found" });
+      if (!org) throw new NotFoundError({ message: "Organization not found" });
 
       const quantity = await licenseDAL.countOfOrgMembers(orgId, tx);
       const quantityIdentities = await licenseDAL.countOrgUsersAndIdentities(orgId, tx);
@@ -266,8 +266,8 @@ export const licenseServiceFactory = ({
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
       });
     }
 
@@ -294,8 +294,8 @@ export const licenseServiceFactory = ({
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
       });
     }
 
@@ -340,8 +340,8 @@ export const licenseServiceFactory = ({
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
       });
     }
     const { data } = await licenseServerCloudApi.request.get(
@@ -357,8 +357,8 @@ export const licenseServiceFactory = ({
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
       });
     }
     const { data } = await licenseServerCloudApi.request.get(
@@ -373,8 +373,8 @@ export const licenseServiceFactory = ({
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
       });
     }
 
@@ -398,8 +398,8 @@ export const licenseServiceFactory = ({
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
       });
     }
     const { data } = await licenseServerCloudApi.request.patch(
@@ -418,8 +418,8 @@ export const licenseServiceFactory = ({
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
       });
     }
 
@@ -445,8 +445,8 @@ export const licenseServiceFactory = ({
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
       });
     }
     const {
@@ -474,8 +474,8 @@ export const licenseServiceFactory = ({
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
       });
     }
 
@@ -491,8 +491,8 @@ export const licenseServiceFactory = ({
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
       });
     }
     const {
@@ -509,8 +509,8 @@ export const licenseServiceFactory = ({
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
       });
     }
 
@@ -530,8 +530,8 @@ export const licenseServiceFactory = ({
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
       });
     }
 
@@ -547,8 +547,8 @@ export const licenseServiceFactory = ({
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
       });
     }
 
@@ -564,8 +564,8 @@ export const licenseServiceFactory = ({
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
-      throw new BadRequestError({
-        message: "Failed to find organization"
+      throw new NotFoundError({
+        message: "Organization not found"
       });
     }
 

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -17,7 +17,7 @@ import {
   infisicalSymmetricDecrypt,
   infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
@@ -77,7 +77,7 @@ export const oidcConfigServiceFactory = ({
   const getOidc = async (dto: TGetOidcCfgDTO) => {
     const org = await orgDAL.findOne({ slug: dto.orgSlug });
     if (!org) {
-      throw new BadRequestError({
+      throw new NotFoundError({
         message: "Organization not found",
         name: "OrgNotFound"
       });
@@ -98,7 +98,7 @@ export const oidcConfigServiceFactory = ({
     });
 
     if (!oidcCfg) {
-      throw new BadRequestError({
+      throw new NotFoundError({
         message: "Failed to find organization OIDC configuration"
       });
     }
@@ -106,7 +106,7 @@ export const oidcConfigServiceFactory = ({
     // decrypt and return cfg
     const orgBot = await orgBotDAL.findOne({ orgId: oidcCfg.orgId });
     if (!orgBot) {
-      throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+      throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
     }
 
     const key = infisicalSymmetricDecrypt({
@@ -160,7 +160,7 @@ export const oidcConfigServiceFactory = ({
     const serverCfg = await getServerCfg();
 
     if (serverCfg.enabledLoginMethods && !serverCfg.enabledLoginMethods.includes(LoginMethod.OIDC)) {
-      throw new BadRequestError({
+      throw new ForbiddenRequestError({
         message: "Login with OIDC is disabled by administrator."
       });
     }
@@ -173,7 +173,7 @@ export const oidcConfigServiceFactory = ({
     });
 
     const organization = await orgDAL.findOrgById(orgId);
-    if (!organization) throw new BadRequestError({ message: "Org not found" });
+    if (!organization) throw new NotFoundError({ message: "Organization not found" });
 
     let user: TUsers;
     if (userAlias) {
@@ -356,7 +356,7 @@ export const oidcConfigServiceFactory = ({
     });
 
     if (!org) {
-      throw new BadRequestError({
+      throw new NotFoundError({
         message: "Organization not found"
       });
     }
@@ -378,7 +378,7 @@ export const oidcConfigServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Sso);
 
     const orgBot = await orgBotDAL.findOne({ orgId: org.id });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
     const key = infisicalSymmetricDecrypt({
       ciphertext: orgBot.encryptedSymmetricKey,
       iv: orgBot.symmetricKeyIV,
@@ -443,7 +443,7 @@ export const oidcConfigServiceFactory = ({
       slug: orgSlug
     });
     if (!org) {
-      throw new BadRequestError({
+      throw new NotFoundError({
         message: "Organization not found"
       });
     }
@@ -549,7 +549,7 @@ export const oidcConfigServiceFactory = ({
     });
 
     if (!org) {
-      throw new BadRequestError({
+      throw new NotFoundError({
         message: "Organization not found."
       });
     }
@@ -560,7 +560,7 @@ export const oidcConfigServiceFactory = ({
     });
 
     if (!oidcCfg || !oidcCfg.isActive) {
-      throw new BadRequestError({
+      throw new ForbiddenRequestError({
         message: "Failed to authenticate with OIDC SSO"
       });
     }
@@ -617,7 +617,7 @@ export const oidcConfigServiceFactory = ({
         if (oidcCfg.allowedEmailDomains) {
           const allowedDomains = oidcCfg.allowedEmailDomains.split(", ");
           if (!allowedDomains.includes(claims.email.split("@")[1])) {
-            throw new BadRequestError({
+            throw new ForbiddenRequestError({
               message: "Email not allowed."
             });
           }

backend/src/ee/services/permission/org-permission.ts

@@ -1,7 +1,5 @@
 import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability";
 
-import { conditionsMatcher } from "@app/lib/casl";
-
 export enum OrgPermissionActions {
   Read = "read",
   Create = "create",
@@ -27,7 +25,8 @@ export enum OrgPermissionSubjects {
   SecretScanning = "secret-scanning",
   Identity = "identity",
   Kms = "kms",
-  AdminConsole = "organization-admin-console"
+  AdminConsole = "organization-admin-console",
+  AuditLogs = "audit-logs"
 }
 
 export type OrgPermissionSet =
@@ -45,10 +44,11 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.Billing]
   | [OrgPermissionActions, OrgPermissionSubjects.Identity]
   | [OrgPermissionActions, OrgPermissionSubjects.Kms]
+  | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
   | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];
 
 const buildAdminPermission = () => {
-  const { can, build } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
+  const { can, rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
   // ws permissions
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Workspace);
   can(OrgPermissionActions.Create, OrgPermissionSubjects.Workspace);
@@ -113,15 +113,20 @@ const buildAdminPermission = () => {
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.Kms);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.Kms);
 
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.AuditLogs);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.AuditLogs);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.AuditLogs);
+
   can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
 
-  return build({ conditionsMatcher });
+  return rules;
 };
 
 export const orgAdminPermissions = buildAdminPermission();
 
 const buildMemberPermission = () => {
-  const { can, build } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
+  const { can, rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
 
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Workspace);
   can(OrgPermissionActions.Create, OrgPermissionSubjects.Workspace);
@@ -142,14 +147,16 @@ const buildMemberPermission = () => {
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.Identity);
 
-  return build({ conditionsMatcher });
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
+
+  return rules;
 };
 
 export const orgMemberPermissions = buildMemberPermission();
 
 const buildNoAccessPermission = () => {
-  const { build } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
-  return build({ conditionsMatcher });
+  const { rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
+  return rules;
 };
 
 export const orgNoAccessPermissions = buildNoAccessPermission();

backend/src/ee/services/permission/permission-dal.ts

@@ -1,7 +1,13 @@
 import { z } from "zod";
 
 import { TDbClient } from "@app/db";
-import { IdentityProjectMembershipRoleSchema, ProjectUserMembershipRolesSchema, TableName } from "@app/db/schemas";
+import {
+  IdentityProjectMembershipRoleSchema,
+  OrgMembershipsSchema,
+  TableName,
+  TProjectRoles,
+  TProjects
+} from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
 
@@ -10,18 +16,92 @@ export type TPermissionDALFactory = ReturnType<typeof permissionDALFactory>;
 export const permissionDALFactory = (db: TDbClient) => {
   const getOrgPermission = async (userId: string, orgId: string) => {
     try {
+      const groupSubQuery = db(TableName.Groups)
+        .where(`${TableName.Groups}.orgId`, orgId)
+        .join(TableName.UserGroupMembership, (queryBuilder) => {
+          queryBuilder
+            .on(`${TableName.UserGroupMembership}.groupId`, `${TableName.Groups}.id`)
+            .andOn(`${TableName.UserGroupMembership}.userId`, db.raw("?", [userId]));
+        })
+        .leftJoin(TableName.OrgRoles, `${TableName.Groups}.roleId`, `${TableName.OrgRoles}.id`)
+        .select(
+          db.ref("id").withSchema(TableName.Groups).as("groupId"),
+          db.ref("orgId").withSchema(TableName.Groups).as("groupOrgId"),
+          db.ref("name").withSchema(TableName.Groups).as("groupName"),
+          db.ref("slug").withSchema(TableName.Groups).as("groupSlug"),
+          db.ref("role").withSchema(TableName.Groups).as("groupRole"),
+          db.ref("roleId").withSchema(TableName.Groups).as("groupRoleId"),
+          db.ref("createdAt").withSchema(TableName.Groups).as("groupCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.Groups).as("groupUpdatedAt"),
+          db.ref("permissions").withSchema(TableName.OrgRoles).as("groupCustomRolePermission")
+        );
+
       const membership = await db
         .replicaNode()(TableName.OrgMembership)
-        .leftJoin(TableName.OrgRoles, `${TableName.OrgMembership}.roleId`, `${TableName.OrgRoles}.id`)
-        .join(TableName.Organization, `${TableName.OrgMembership}.orgId`, `${TableName.Organization}.id`)
-        .where("userId", userId)
         .where(`${TableName.OrgMembership}.orgId`, orgId)
-        .select(db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"))
-        .select("permissions")
-        .select(selectAllTableCols(TableName.OrgMembership))
-        .first();
+        .where(`${TableName.OrgMembership}.userId`, userId)
+        .leftJoin(TableName.OrgRoles, `${TableName.OrgRoles}.id`, `${TableName.OrgMembership}.roleId`)
+        .leftJoin<Awaited<typeof groupSubQuery>[0]>(
+          groupSubQuery.as("userGroups"),
+          "userGroups.groupOrgId",
+          db.raw("?", [orgId])
+        )
+        .join(TableName.Organization, `${TableName.Organization}.id`, `${TableName.OrgMembership}.orgId`)
+        .select(
+          selectAllTableCols(TableName.OrgMembership),
+          db.ref("slug").withSchema(TableName.OrgRoles).withSchema(TableName.OrgRoles).as("customRoleSlug"),
+          db.ref("permissions").withSchema(TableName.OrgRoles),
+          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
+          db.ref("groupId").withSchema("userGroups"),
+          db.ref("groupOrgId").withSchema("userGroups"),
+          db.ref("groupName").withSchema("userGroups"),
+          db.ref("groupSlug").withSchema("userGroups"),
+          db.ref("groupRole").withSchema("userGroups"),
+          db.ref("groupRoleId").withSchema("userGroups"),
+          db.ref("groupCreatedAt").withSchema("userGroups"),
+          db.ref("groupUpdatedAt").withSchema("userGroups"),
+          db.ref("groupCustomRolePermission").withSchema("userGroups")
+        );
 
-      return membership;
+      const [formatedDoc] = sqlNestRelationships({
+        data: membership,
+        key: "id",
+        parentMapper: (el) =>
+          OrgMembershipsSchema.extend({
+            permissions: z.unknown(),
+            orgAuthEnforced: z.boolean().optional().nullable(),
+            customRoleSlug: z.string().optional().nullable()
+          }).parse(el),
+        childrenMapper: [
+          {
+            key: "groupId",
+            label: "groups" as const,
+            mapper: ({
+              groupId,
+              groupUpdatedAt,
+              groupCreatedAt,
+              groupRole,
+              groupRoleId,
+              groupCustomRolePermission,
+              groupName,
+              groupSlug,
+              groupOrgId
+            }) => ({
+              id: groupId,
+              updatedAt: groupUpdatedAt,
+              createdAt: groupCreatedAt,
+              role: groupRole,
+              roleId: groupRoleId,
+              customRolePermission: groupCustomRolePermission,
+              name: groupName,
+              slug: groupSlug,
+              orgId: groupOrgId
+            })
+          }
+        ]
+      });
+
+      return formatedDoc;
     } catch (error) {
       throw new DatabaseError({ error, name: "GetOrgPermission" });
     }
@@ -47,74 +127,31 @@ export const permissionDALFactory = (db: TDbClient) => {
 
   const getProjectPermission = async (userId: string, projectId: string) => {
     try {
-      const groups: string[] = await db
-        .replicaNode()(TableName.GroupProjectMembership)
-        .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
-        .pluck(`${TableName.GroupProjectMembership}.groupId`);
-
-      const groupDocs = await db
-        .replicaNode()(TableName.UserGroupMembership)
-        .where(`${TableName.UserGroupMembership}.userId`, userId)
-        .whereIn(`${TableName.UserGroupMembership}.groupId`, groups)
-        .join(
-          TableName.GroupProjectMembership,
-          `${TableName.GroupProjectMembership}.groupId`,
-          `${TableName.UserGroupMembership}.groupId`
-        )
-        .join(
+      const docs = await db
+        .replicaNode()(TableName.Users)
+        .where(`${TableName.Users}.id`, userId)
+        .leftJoin(TableName.UserGroupMembership, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
+        .leftJoin(TableName.GroupProjectMembership, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.GroupProjectMembership}.projectId`, db.raw("?", [projectId]))
+            .andOn(`${TableName.GroupProjectMembership}.groupId`, `${TableName.UserGroupMembership}.groupId`);
+        })
+        .leftJoin(
           TableName.GroupProjectMembershipRole,
           `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
           `${TableName.GroupProjectMembership}.id`
         )
-
-        .leftJoin(
-          TableName.ProjectRoles,
+        .leftJoin<TProjectRoles>(
+          { groupCustomRoles: TableName.ProjectRoles },
           `${TableName.GroupProjectMembershipRole}.customRoleId`,
-          `${TableName.ProjectRoles}.id`
+          `groupCustomRoles.id`
         )
-        .join(TableName.Project, `${TableName.GroupProjectMembership}.projectId`, `${TableName.Project}.id`)
-        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
-
+        .leftJoin(TableName.ProjectMembership, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.ProjectMembership}.projectId`, db.raw("?", [projectId]))
+            .andOn(`${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`);
+        })
         .leftJoin(
-          TableName.ProjectUserAdditionalPrivilege,
-          `${TableName.GroupProjectMembership}.projectId`,
-          `${TableName.Project}.id`
-        )
-        .select(selectAllTableCols(TableName.GroupProjectMembershipRole))
-        .select(
-          db.ref("id").withSchema(TableName.GroupProjectMembership).as("membershipId"),
-          db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("membershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.GroupProjectMembership).as("membershipUpdatedAt"),
-          db.ref("projectId").withSchema(TableName.GroupProjectMembership),
-          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("orgId").withSchema(TableName.Project),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
-
-          db.ref("permissions").withSchema(TableName.ProjectRoles).as("permissions"),
-          // db.ref("permissions").withSchema(TableName.ProjectUserAdditionalPrivilege).as("apPermissions")
-          // Additional Privileges
-          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApId"),
-          db.ref("permissions").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApPermissions"),
-          db.ref("temporaryMode").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApTemporaryMode"),
-          db.ref("isTemporary").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApIsTemporary"),
-          db.ref("temporaryRange").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApTemporaryRange"),
-
-          db.ref("projectId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApProjectId"),
-          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApUserId"),
-
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userApTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userApTemporaryAccessEndTime")
-        );
-      // .select(`${TableName.ProjectRoles}.permissions`);
-
-      const docs = await db(TableName.ProjectMembership)
-        .join(
           TableName.ProjectUserMembershipRole,
           `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
           `${TableName.ProjectMembership}.id`
@@ -124,176 +161,229 @@ export const permissionDALFactory = (db: TDbClient) => {
           `${TableName.ProjectUserMembershipRole}.customRoleId`,
           `${TableName.ProjectRoles}.id`
         )
-        .leftJoin(
-          TableName.ProjectUserAdditionalPrivilege,
-          `${TableName.ProjectUserAdditionalPrivilege}.projectId`,
-          `${TableName.ProjectMembership}.projectId`
-        )
-
-        .join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
+        .leftJoin(TableName.ProjectUserAdditionalPrivilege, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.ProjectUserAdditionalPrivilege}.projectId`, db.raw("?", [projectId]))
+            .andOn(`${TableName.ProjectUserAdditionalPrivilege}.userId`, `${TableName.Users}.id`);
+        })
+        .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
         .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
-        .where(`${TableName.ProjectMembership}.userId`, userId)
-        .where(`${TableName.ProjectMembership}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.ProjectUserMembershipRole))
         .select(
+          db.ref("id").withSchema(TableName.Users).as("userId"),
+          // groups specific
+          db.ref("id").withSchema(TableName.GroupProjectMembership).as("groupMembershipId"),
+          db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipUpdatedAt"),
+          db.ref("slug").withSchema("groupCustomRoles").as("userGroupProjectMembershipRoleCustomRoleSlug"),
+          db.ref("permissions").withSchema("groupCustomRoles").as("userGroupProjectMembershipRolePermission"),
+          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRoleId"),
+          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRole"),
+          db
+            .ref("customRoleId")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleCustomRoleId"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleIsTemporary"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryMode"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryAccessEndTime"),
+          // user specific
           db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
           db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
           db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
-          db.ref("projectId").withSchema(TableName.ProjectMembership),
-          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("orgId").withSchema(TableName.Project),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
-          db.ref("permissions").withSchema(TableName.ProjectRoles),
-          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApId"),
-          db.ref("permissions").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApPermissions"),
-          db.ref("temporaryMode").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApTemporaryMode"),
-          db.ref("isTemporary").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApIsTemporary"),
-          db.ref("temporaryRange").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApTemporaryRange"),
-
-          db.ref("projectId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApProjectId"),
-          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userApUserId"),
-
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("userProjectMembershipRoleCustomRoleSlug"),
+          db.ref("permissions").withSchema(TableName.ProjectRoles).as("userProjectCustomRolePermission"),
+          db.ref("id").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRoleId"),
+          db.ref("role").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRole"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryMode"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleIsTemporary"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryAccessEndTime"),
+          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesId"),
+          db
+            .ref("permissions")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesPermissions"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryMode"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesIsTemporary"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryRange"),
+          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesUserId"),
           db
             .ref("temporaryAccessStartTime")
             .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userApTemporaryAccessStartTime"),
+            .as("userAdditionalPrivilegesTemporaryAccessStartTime"),
           db
             .ref("temporaryAccessEndTime")
             .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userApTemporaryAccessEndTime")
+            .as("userAdditionalPrivilegesTemporaryAccessEndTime"),
+          // general
+          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
+          db.ref("orgId").withSchema(TableName.Project),
+          db.ref("id").withSchema(TableName.Project).as("projectId")
         );
 
-      const permission = sqlNestRelationships({
+      const [userPermission] = sqlNestRelationships({
         data: docs,
         key: "projectId",
-        parentMapper: ({ orgId, orgAuthEnforced, membershipId, membershipCreatedAt, membershipUpdatedAt }) => ({
+        parentMapper: ({
+          orgId,
+          orgAuthEnforced,
+          membershipId,
+          groupMembershipId,
+          membershipCreatedAt,
+          groupMembershipCreatedAt,
+          groupMembershipUpdatedAt,
+          membershipUpdatedAt
+        }) => ({
           orgId,
           orgAuthEnforced,
           userId,
-          id: membershipId,
           projectId,
-          createdAt: membershipCreatedAt,
-          updatedAt: membershipUpdatedAt
+          id: membershipId || groupMembershipId,
+          createdAt: membershipCreatedAt || groupMembershipCreatedAt,
+          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
         }),
         childrenMapper: [
           {
-            key: "id",
-            label: "roles" as const,
-            mapper: (data) =>
-              ProjectUserMembershipRolesSchema.extend({
-                permissions: z.unknown(),
-                customRoleSlug: z.string().optional().nullable()
-              }).parse(data)
+            key: "userGroupProjectMembershipRoleId",
+            label: "userGroupRoles" as const,
+            mapper: ({
+              userGroupProjectMembershipRoleId,
+              userGroupProjectMembershipRole,
+              userGroupProjectMembershipRolePermission,
+              userGroupProjectMembershipRoleCustomRoleSlug,
+              userGroupProjectMembershipRoleIsTemporary,
+              userGroupProjectMembershipRoleTemporaryMode,
+              userGroupProjectMembershipRoleTemporaryAccessEndTime,
+              userGroupProjectMembershipRoleTemporaryAccessStartTime,
+              userGroupProjectMembershipRoleTemporaryRange
+            }) => ({
+              id: userGroupProjectMembershipRoleId,
+              role: userGroupProjectMembershipRole,
+              customRoleSlug: userGroupProjectMembershipRoleCustomRoleSlug,
+              permissions: userGroupProjectMembershipRolePermission,
+              temporaryRange: userGroupProjectMembershipRoleTemporaryRange,
+              temporaryMode: userGroupProjectMembershipRoleTemporaryMode,
+              temporaryAccessStartTime: userGroupProjectMembershipRoleTemporaryAccessStartTime,
+              temporaryAccessEndTime: userGroupProjectMembershipRoleTemporaryAccessEndTime,
+              isTemporary: userGroupProjectMembershipRoleIsTemporary
+            })
           },
           {
-            key: "userApId",
+            key: "userProjectMembershipRoleId",
+            label: "projecMembershiptRoles" as const,
+            mapper: ({
+              userProjectMembershipRoleId,
+              userProjectMembershipRole,
+              userProjectCustomRolePermission,
+              userProjectMembershipRoleIsTemporary,
+              userProjectMembershipRoleTemporaryMode,
+              userProjectMembershipRoleTemporaryRange,
+              userProjectMembershipRoleTemporaryAccessEndTime,
+              userProjectMembershipRoleTemporaryAccessStartTime,
+              userProjectMembershipRoleCustomRoleSlug
+            }) => ({
+              id: userProjectMembershipRoleId,
+              role: userProjectMembershipRole,
+              customRoleSlug: userProjectMembershipRoleCustomRoleSlug,
+              permissions: userProjectCustomRolePermission,
+              temporaryRange: userProjectMembershipRoleTemporaryRange,
+              temporaryMode: userProjectMembershipRoleTemporaryMode,
+              temporaryAccessStartTime: userProjectMembershipRoleTemporaryAccessStartTime,
+              temporaryAccessEndTime: userProjectMembershipRoleTemporaryAccessEndTime,
+              isTemporary: userProjectMembershipRoleIsTemporary
+            })
+          },
+          {
+            key: "userAdditionalPrivilegesId",
             label: "additionalPrivileges" as const,
             mapper: ({
-              userApId,
-              userApPermissions,
-              userApIsTemporary,
-              userApTemporaryMode,
-              userApTemporaryRange,
-              userApTemporaryAccessEndTime,
-              userApTemporaryAccessStartTime
+              userAdditionalPrivilegesId,
+              userAdditionalPrivilegesPermissions,
+              userAdditionalPrivilegesIsTemporary,
+              userAdditionalPrivilegesTemporaryMode,
+              userAdditionalPrivilegesTemporaryRange,
+              userAdditionalPrivilegesTemporaryAccessEndTime,
+              userAdditionalPrivilegesTemporaryAccessStartTime
             }) => ({
-              id: userApId,
-              permissions: userApPermissions,
-              temporaryRange: userApTemporaryRange,
-              temporaryMode: userApTemporaryMode,
-              temporaryAccessEndTime: userApTemporaryAccessEndTime,
-              temporaryAccessStartTime: userApTemporaryAccessStartTime,
-              isTemporary: userApIsTemporary
+              id: userAdditionalPrivilegesId,
+              permissions: userAdditionalPrivilegesPermissions,
+              temporaryRange: userAdditionalPrivilegesTemporaryRange,
+              temporaryMode: userAdditionalPrivilegesTemporaryMode,
+              temporaryAccessStartTime: userAdditionalPrivilegesTemporaryAccessStartTime,
+              temporaryAccessEndTime: userAdditionalPrivilegesTemporaryAccessEndTime,
+              isTemporary: userAdditionalPrivilegesIsTemporary
             })
           }
         ]
       });
 
-      const groupPermission = groupDocs.length
-        ? sqlNestRelationships({
-            data: groupDocs,
-            key: "projectId",
-            parentMapper: ({ orgId, orgAuthEnforced, membershipId, membershipCreatedAt, membershipUpdatedAt }) => ({
-              orgId,
-              orgAuthEnforced,
-              userId,
-              id: membershipId,
-              projectId,
-              createdAt: membershipCreatedAt,
-              updatedAt: membershipUpdatedAt
-            }),
-            childrenMapper: [
-              {
-                key: "id",
-                label: "roles" as const,
-                mapper: (data) =>
-                  ProjectUserMembershipRolesSchema.extend({
-                    permissions: z.unknown(),
-                    customRoleSlug: z.string().optional().nullable()
-                  }).parse(data)
-              },
-              {
-                key: "userApId",
-                label: "additionalPrivileges" as const,
-                mapper: ({
-                  userApId,
-                  userApProjectId,
-                  userApUserId,
-                  userApPermissions,
-                  userApIsTemporary,
-                  userApTemporaryMode,
-                  userApTemporaryRange,
-                  userApTemporaryAccessEndTime,
-                  userApTemporaryAccessStartTime
-                }) => ({
-                  id: userApId,
-                  userId: userApUserId,
-                  projectId: userApProjectId,
-                  permissions: userApPermissions,
-                  temporaryRange: userApTemporaryRange,
-                  temporaryMode: userApTemporaryMode,
-                  temporaryAccessEndTime: userApTemporaryAccessEndTime,
-                  temporaryAccessStartTime: userApTemporaryAccessStartTime,
-                  isTemporary: userApIsTemporary
-                })
-              }
-            ]
-          })
-        : [];
-
-      if (!permission?.[0] && !groupPermission[0]) return undefined;
+      if (!userPermission) return undefined;
+      if (!userPermission?.userGroupRoles?.[0] && !userPermission?.projecMembershiptRoles?.[0]) return undefined;
 
       // when introducting cron mode change it here
       const activeRoles =
-        permission?.[0]?.roles?.filter(
+        userPermission?.projecMembershiptRoles?.filter(
           ({ isTemporary, temporaryAccessEndTime }) =>
             !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
         ) ?? [];
 
       const activeGroupRoles =
-        groupPermission?.[0]?.roles?.filter(
+        userPermission?.userGroupRoles?.filter(
           ({ isTemporary, temporaryAccessEndTime }) =>
             !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
         ) ?? [];
 
       const activeAdditionalPrivileges =
-        permission?.[0]?.additionalPrivileges?.filter(
+        userPermission?.additionalPrivileges?.filter(
           ({ isTemporary, temporaryAccessEndTime }) =>
             !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
         ) ?? [];
 
-      const activeGroupAdditionalPrivileges =
-        groupPermission?.[0]?.additionalPrivileges?.filter(
-          ({ isTemporary, temporaryAccessEndTime, userId: apUserId, projectId: apProjectId }) =>
-            apProjectId === projectId &&
-            apUserId === userId &&
-            (!isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime))
-        ) ?? [];
-
       return {
-        ...(permission[0] || groupPermission[0]),
+        ...userPermission,
         roles: [...activeRoles, ...activeGroupRoles],
-        additionalPrivileges: [...activeAdditionalPrivileges, ...activeGroupAdditionalPrivileges]
+        additionalPrivileges: activeAdditionalPrivileges
       };
     } catch (error) {
       throw new DatabaseError({ error, name: "GetProjectPermission" });

backend/src/ee/services/permission/permission-fns.ts

@@ -1,5 +1,5 @@
 import { TOrganizations } from "@app/db/schemas";
-import { UnauthorizedError } from "@app/lib/errors";
+import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";
 
 function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
@@ -20,7 +20,7 @@ function validateOrgSAML(actorAuthMethod: ActorAuthMethod, isSamlEnforced: TOrga
   }
 
   if (isSamlEnforced && actorAuthMethod !== null && !isAuthMethodSaml(actorAuthMethod)) {
-    throw new UnauthorizedError({ name: "Cannot access org-scoped resource" });
+    throw new ForbiddenRequestError({ name: "SAML auth enforced, cannot access org-scoped resource" });
   }
 }
 

backend/src/ee/services/permission/permission-service.ts

@@ -10,7 +10,7 @@ import {
   TProjectMemberships
 } from "@app/db/schemas";
 import { conditionsMatcher } from "@app/lib/casl";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TOrgRoleDALFactory } from "@app/services/org/org-role-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -20,7 +20,7 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
 import { validateOrgSAML } from "./permission-fns";
-import { TBuildProjectPermissionDTO } from "./permission-types";
+import { TBuildOrgPermissionDTO, TBuildProjectPermissionDTO } from "./permission-types";
 import {
   buildServiceTokenProjectPermission,
   projectAdminPermissions,
@@ -47,26 +47,29 @@ export const permissionServiceFactory = ({
   serviceTokenDAL,
   projectDAL
 }: TPermissionServiceFactoryDep) => {
-  const buildOrgPermission = (role: string, permission?: unknown) => {
-    switch (role) {
-      case OrgMembershipRole.Admin:
-        return orgAdminPermissions;
-      case OrgMembershipRole.Member:
-        return orgMemberPermissions;
-      case OrgMembershipRole.NoAccess:
-        return orgNoAccessPermissions;
-      case OrgMembershipRole.Custom:
-        return createMongoAbility<OrgPermissionSet>(
-          unpackRules<RawRuleOf<MongoAbility<OrgPermissionSet>>>(
-            permission as PackRule<RawRuleOf<MongoAbility<OrgPermissionSet>>>[]
-          ),
-          {
-            conditionsMatcher
-          }
-        );
-      default:
-        throw new BadRequestError({ name: "OrgRoleInvalid", message: "Org role not found" });
-    }
+  const buildOrgPermission = (orgUserRoles: TBuildOrgPermissionDTO) => {
+    const rules = orgUserRoles
+      .map(({ role, permissions }) => {
+        switch (role) {
+          case OrgMembershipRole.Admin:
+            return orgAdminPermissions;
+          case OrgMembershipRole.Member:
+            return orgMemberPermissions;
+          case OrgMembershipRole.NoAccess:
+            return orgNoAccessPermissions;
+          case OrgMembershipRole.Custom:
+            return unpackRules<RawRuleOf<MongoAbility<OrgPermissionSet>>>(
+              permissions as PackRule<RawRuleOf<MongoAbility<OrgPermissionSet>>>[]
+            );
+          default:
+            throw new NotFoundError({ name: "OrgRoleInvalid", message: "Organization role not found" });
+        }
+      })
+      .reduce((curr, prev) => prev.concat(curr), []);
+
+    return createMongoAbility<OrgPermissionSet>(rules, {
+      conditionsMatcher
+    });
   };
 
   const buildProjectPermission = (projectUserRoles: TBuildProjectPermissionDTO) => {
@@ -87,7 +90,7 @@ export const permissionServiceFactory = ({
             );
           }
           default:
-            throw new BadRequestError({
+            throw new NotFoundError({
               name: "ProjectRoleInvalid",
               message: "Project role not found"
             });
@@ -111,11 +114,11 @@ export const permissionServiceFactory = ({
   ) => {
     // when token is scoped, ensure the passed org id is same as user org id
     if (userOrgId && userOrgId !== orgId)
-      throw new BadRequestError({ message: "Invalid user token. Scoped to different organization." });
+      throw new ForbiddenRequestError({ message: "Invalid user token. Scoped to different organization." });
     const membership = await permissionDAL.getOrgPermission(userId, orgId);
-    if (!membership) throw new UnauthorizedError({ name: "User not in org" });
+    if (!membership) throw new ForbiddenRequestError({ name: "You are not apart of this organization" });
     if (membership.role === OrgMembershipRole.Custom && !membership.permissions) {
-      throw new BadRequestError({ name: "Custom permission not found" });
+      throw new BadRequestError({ name: "Custom organization permission not found" });
     }
 
     // If the org ID is API_KEY, the request is being made with an API Key.
@@ -124,21 +127,30 @@ export const permissionServiceFactory = ({
     // Extra: This means that when users are using API keys to make requests, they can't use slug-based routes.
     // Slug-based routes depend on the organization ID being present on the request, since project slugs aren't globally unique, and we need a way to filter by organization.
     if (userOrgId !== "API_KEY" && membership.orgId !== userOrgId) {
-      throw new UnauthorizedError({ name: "You are not logged into this organization" });
+      throw new ForbiddenRequestError({ name: "You are not logged into this organization" });
     }
 
     validateOrgSAML(authMethod, membership.orgAuthEnforced);
 
-    return { permission: buildOrgPermission(membership.role, membership.permissions), membership };
+    const finalPolicyRoles = [{ role: membership.role, permissions: membership.permissions }].concat(
+      membership?.groups?.map(({ role, customRolePermission }) => ({
+        role,
+        permissions: customRolePermission
+      })) || []
+    );
+    return { permission: buildOrgPermission(finalPolicyRoles), membership };
   };
 
   const getIdentityOrgPermission = async (identityId: string, orgId: string) => {
     const membership = await permissionDAL.getOrgIdentityPermission(identityId, orgId);
-    if (!membership) throw new UnauthorizedError({ name: "Identity not in org" });
+    if (!membership) throw new ForbiddenRequestError({ name: "Identity is not apart of this organization" });
     if (membership.role === OrgMembershipRole.Custom && !membership.permissions) {
-      throw new BadRequestError({ name: "Custom permission not found" });
+      throw new NotFoundError({ name: "Custom organization permission not found" });
     }
-    return { permission: buildOrgPermission(membership.role, membership.permissions), membership };
+    return {
+      permission: buildOrgPermission([{ role: membership.role, permissions: membership.permissions }]),
+      membership
+    };
   };
 
   const getOrgPermission = async (
@@ -154,8 +166,8 @@ export const permissionServiceFactory = ({
       case ActorType.IDENTITY:
         return getIdentityOrgPermission(id, orgId);
       default:
-        throw new UnauthorizedError({
-          message: "Permission not defined",
+        throw new BadRequestError({
+          message: "Invalid actor provided",
           name: "Get org permission"
         });
     }
@@ -167,13 +179,13 @@ export const permissionServiceFactory = ({
     const isCustomRole = !Object.values(OrgMembershipRole).includes(role as OrgMembershipRole);
     if (isCustomRole) {
       const orgRole = await orgRoleDAL.findOne({ slug: role, orgId });
-      if (!orgRole) throw new BadRequestError({ message: "Role not found" });
+      if (!orgRole) throw new NotFoundError({ message: "Specified role was not found" });
       return {
-        permission: buildOrgPermission(OrgMembershipRole.Custom, orgRole.permissions),
+        permission: buildOrgPermission([{ role: OrgMembershipRole.Custom, permissions: orgRole.permissions }]),
         role: orgRole
       };
     }
-    return { permission: buildOrgPermission(role, []) };
+    return { permission: buildOrgPermission([{ role, permissions: [] }]) };
   };
 
   // user permission for a project in an organization
@@ -184,12 +196,12 @@ export const permissionServiceFactory = ({
     userOrgId?: string
   ): Promise<TProjectPermissionRT<ActorType.USER>> => {
     const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
-    if (!userProjectPermission) throw new UnauthorizedError({ name: "User not in project" });
+    if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
 
     if (
       userProjectPermission.roles.some(({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions)
     ) {
-      throw new BadRequestError({ name: "Custom permission not found" });
+      throw new NotFoundError({ name: "The permission was not found" });
     }
 
     // If the org ID is API_KEY, the request is being made with an API Key.
@@ -198,7 +210,7 @@ export const permissionServiceFactory = ({
     // Extra: This means that when users are using API keys to make requests, they can't use slug-based routes.
     // Slug-based routes depend on the organization ID being present on the request, since project slugs aren't globally unique, and we need a way to filter by organization.
     if (userOrgId !== "API_KEY" && userProjectPermission.orgId !== userOrgId) {
-      throw new UnauthorizedError({ name: "You are not logged into this organization" });
+      throw new ForbiddenRequestError({ name: "You are not logged into this organization" });
     }
 
     validateOrgSAML(authMethod, userProjectPermission.orgAuthEnforced);
@@ -227,18 +239,19 @@ export const permissionServiceFactory = ({
     identityOrgId: string | undefined
   ): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
     const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
-    if (!identityProjectPermission) throw new UnauthorizedError({ name: "Identity not in project" });
+    if (!identityProjectPermission)
+      throw new ForbiddenRequestError({ name: "Identity is not a member of the specified project" });
 
     if (
       identityProjectPermission.roles.some(
         ({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions
       )
     ) {
-      throw new BadRequestError({ name: "Custom permission not found" });
+      throw new NotFoundError({ name: "Custom permission not found" });
     }
 
     if (identityProjectPermission.orgId !== identityOrgId) {
-      throw new UnauthorizedError({ name: "You are not a member of this organization" });
+      throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
     }
 
     const rolePermissions =
@@ -265,25 +278,23 @@ export const permissionServiceFactory = ({
     actorOrgId: string | undefined
   ) => {
     const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
-    if (!serviceToken) throw new BadRequestError({ message: "Service token not found" });
+    if (!serviceToken) throw new NotFoundError({ message: "Service token not found" });
 
     const serviceTokenProject = await projectDAL.findById(serviceToken.projectId);
 
     if (!serviceTokenProject) throw new BadRequestError({ message: "Service token not linked to a project" });
 
     if (serviceTokenProject.orgId !== actorOrgId) {
-      throw new UnauthorizedError({ message: "Service token not a part of this organization" });
+      throw new ForbiddenRequestError({ message: "Service token not a part of the specified organization" });
     }
 
-    if (serviceToken.projectId !== projectId)
-      throw new UnauthorizedError({
-        message: "Failed to find service authorization for given project"
-      });
+    if (serviceToken.projectId !== projectId) {
+      throw new ForbiddenRequestError({ name: "Service token not a part of the specified project" });
+    }
 
-    if (serviceTokenProject.orgId !== actorOrgId)
-      throw new UnauthorizedError({
-        message: "Failed to find service authorization for given project"
-      });
+    if (serviceTokenProject.orgId !== actorOrgId) {
+      throw new ForbiddenRequestError({ message: "Service token not a part of the specified organization" });
+    }
 
     const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
     return {
@@ -323,8 +334,8 @@ export const permissionServiceFactory = ({
       case ActorType.IDENTITY:
         return getIdentityProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
       default:
-        throw new UnauthorizedError({
-          message: "Permission not defined",
+        throw new BadRequestError({
+          message: "Invalid actor provided",
           name: "Get project permission"
         });
     }
@@ -334,7 +345,7 @@ export const permissionServiceFactory = ({
     const isCustomRole = !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole);
     if (isCustomRole) {
       const projectRole = await projectRoleDAL.findOne({ slug: role, projectId });
-      if (!projectRole) throw new BadRequestError({ message: "Role not found" });
+      if (!projectRole) throw new NotFoundError({ message: `Specified role was not found: ${role}` });
       return {
         permission: buildProjectPermission([
           { role: ProjectMembershipRole.Custom, permissions: projectRole.permissions }

backend/src/ee/services/permission/permission-types.ts

@@ -2,3 +2,8 @@ export type TBuildProjectPermissionDTO = {
   permissions?: unknown;
   role: string;
 }[];
+
+export type TBuildOrgPermissionDTO = {
+  permissions?: unknown;
+  role: string;
+}[];

backend/src/ee/services/permission/project-permission.ts

@@ -145,6 +145,8 @@ export const fullProjectPermissionSet: [ProjectPermissionActions, ProjectPermiss
   [ProjectPermissionActions.Edit, ProjectPermissionSub.Tags],
   [ProjectPermissionActions.Delete, ProjectPermissionSub.Tags],
 
+  // TODO(Daniel): Remove the audit logs permissions from project-level permissions.
+  // TODO: We haven't done this yet because it might break existing roles, since those roles will become "invalid" since the audit log permission defined on those roles, no longer exist in the project-level defined permissions.
   [ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs],
   [ProjectPermissionActions.Create, ProjectPermissionSub.AuditLogs],
   [ProjectPermissionActions.Edit, ProjectPermissionSub.AuditLogs],

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import ms from "ms";
 
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 
 import { TPermissionServiceFactory } from "../permission/permission-service";
@@ -42,7 +42,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     ...dto
   }: TCreateUserPrivilegeDTO) => {
     const projectMembership = await projectMembershipDAL.findById(projectMembershipId);
-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -94,14 +94,14 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     ...dto
   }: TUpdateUserPrivilegeDTO) => {
     const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
-    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
+    if (!userPrivilege) throw new NotFoundError({ message: "User additional privilege not found" });
 
     const projectMembership = await projectMembershipDAL.findOne({
       userId: userPrivilege.userId,
       projectId: userPrivilege.projectId
     });
 
-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -147,13 +147,13 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
 
   const deleteById = async ({ actorId, actor, actorOrgId, actorAuthMethod, privilegeId }: TDeleteUserPrivilegeDTO) => {
     const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
-    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
+    if (!userPrivilege) throw new NotFoundError({ message: "User additional privilege not found" });
 
     const projectMembership = await projectMembershipDAL.findOne({
       userId: userPrivilege.userId,
       projectId: userPrivilege.projectId
     });
-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -176,13 +176,13 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     actorAuthMethod
   }: TGetUserPrivilegeDetailsDTO) => {
     const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
-    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
+    if (!userPrivilege) throw new NotFoundError({ message: "User additional privilege not found" });
 
     const projectMembership = await projectMembershipDAL.findOne({
       userId: userPrivilege.userId,
       projectId: userPrivilege.projectId
     });
-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -204,7 +204,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     actorAuthMethod
   }: TListUserPrivilegesDTO) => {
     const projectMembership = await projectMembershipDAL.findById(projectMembershipId);
-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -19,7 +19,7 @@ import {
   infisicalSymmetricDecrypt,
   infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
@@ -187,7 +187,7 @@ export const samlConfigServiceFactory = ({
 
     const updateQuery: TSamlConfigsUpdate = { authProvider, isActive, lastUsed: null };
     const orgBot = await orgBotDAL.findOne({ orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
     const key = infisicalSymmetricDecrypt({
       ciphertext: orgBot.encryptedSymmetricKey,
       iv: orgBot.symmetricKeyIV,
@@ -253,7 +253,7 @@ export const samlConfigServiceFactory = ({
 
       ssoConfig = await samlConfigDAL.findById(id);
     }
-    if (!ssoConfig) throw new BadRequestError({ message: "Failed to find organization SSO data" });
+    if (!ssoConfig) throw new NotFoundError({ message: "Failed to find organization SSO data" });
 
     // when dto is type id means it's internally used
     if (dto.type === "org") {
@@ -279,7 +279,7 @@ export const samlConfigServiceFactory = ({
     } = ssoConfig;
 
     const orgBot = await orgBotDAL.findOne({ orgId: ssoConfig.orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
     const key = infisicalSymmetricDecrypt({
       ciphertext: orgBot.encryptedSymmetricKey,
       iv: orgBot.symmetricKeyIV,
@@ -338,7 +338,7 @@ export const samlConfigServiceFactory = ({
     const serverCfg = await getServerCfg();
 
     if (serverCfg.enabledLoginMethods && !serverCfg.enabledLoginMethods.includes(LoginMethod.SAML)) {
-      throw new BadRequestError({
+      throw new ForbiddenRequestError({
         message: "Login with SAML is disabled by administrator."
       });
     }
@@ -350,7 +350,7 @@ export const samlConfigServiceFactory = ({
     });
 
     const organization = await orgDAL.findOrgById(orgId);
-    if (!organization) throw new BadRequestError({ message: "Org not found" });
+    if (!organization) throw new NotFoundError({ message: "Organization not found" });
 
     let user: TUsers;
     if (userAlias) {

backend/src/ee/services/scim/scim-service.ts

@@ -9,7 +9,7 @@ import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TOrgPermission } from "@app/lib/types";
 import { AuthTokenType } from "@app/services/auth/auth-type";
@@ -75,7 +75,14 @@ type TScimServiceFactoryDep = {
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete" | "findProjectMembershipsByUserId">;
   groupDAL: Pick<
     TGroupDALFactory,
-    "create" | "findOne" | "findAllGroupMembers" | "delete" | "findGroups" | "transaction" | "updateById" | "update"
+    | "create"
+    | "findOne"
+    | "findAllGroupPossibleMembers"
+    | "delete"
+    | "findGroups"
+    | "transaction"
+    | "updateById"
+    | "update"
   >;
   groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
   userGroupMembershipDAL: Pick<
@@ -169,7 +176,7 @@ export const scimServiceFactory = ({
 
   const deleteScimToken = async ({ scimTokenId, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteScimTokenDTO) => {
     let scimToken = await scimDAL.findById(scimTokenId);
-    if (!scimToken) throw new BadRequestError({ message: "Failed to find SCIM token to delete" });
+    if (!scimToken) throw new NotFoundError({ message: "Failed to find SCIM token to delete" });
 
     const { permission } = await permissionService.getOrgPermission(
       actor,
@@ -775,7 +782,7 @@ export const scimServiceFactory = ({
       });
     }
 
-    const users = await groupDAL.findAllGroupMembers({
+    const users = await groupDAL.findAllGroupPossibleMembers({
       orgId: group.orgId,
       groupId: group.id
     });

backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts

@@ -1,33 +1,62 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { SecretApprovalPoliciesSchema, TableName, TSecretApprovalPolicies } from "@app/db/schemas";
+import { SecretApprovalPoliciesSchema, TableName, TSecretApprovalPolicies, TUsers } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
 
+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
+
 export type TSecretApprovalPolicyDALFactory = ReturnType<typeof secretApprovalPolicyDALFactory>;
 
 export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
   const secretApprovalPolicyOrm = ormify(db, TableName.SecretApprovalPolicy);
 
-  const secretApprovalPolicyFindQuery = (tx: Knex, filter: TFindFilter<TSecretApprovalPolicies>) =>
+  const secretApprovalPolicyFindQuery = (
+    tx: Knex,
+    filter: TFindFilter<TSecretApprovalPolicies>,
+    customFilter?: {
+      sapId?: string;
+    }
+  ) =>
     tx(TableName.SecretApprovalPolicy)
       // eslint-disable-next-line
       .where(buildFindFilter(filter))
+      .where((qb) => {
+        if (customFilter?.sapId) {
+          void qb.where(`${TableName.SecretApprovalPolicy}.id`, "=", customFilter.sapId);
+        }
+      })
       .join(TableName.Environment, `${TableName.SecretApprovalPolicy}.envId`, `${TableName.Environment}.id`)
       .leftJoin(
         TableName.SecretApprovalPolicyApprover,
         `${TableName.SecretApprovalPolicy}.id`,
         `${TableName.SecretApprovalPolicyApprover}.policyId`
       )
-
-      .leftJoin(TableName.Users, `${TableName.SecretApprovalPolicyApprover}.approverUserId`, `${TableName.Users}.id`)
-
+      .leftJoin(
+        TableName.UserGroupMembership,
+        `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
+        `${TableName.UserGroupMembership}.groupId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("secretApprovalPolicyApproverUser"),
+        `${TableName.SecretApprovalPolicyApprover}.approverUserId`,
+        "secretApprovalPolicyApproverUser.id"
+      )
+      .leftJoin<TUsers>(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
       .select(
-        tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
-        tx.ref("email").withSchema(TableName.Users).as("approverEmail"),
-        tx.ref("firstName").withSchema(TableName.Users).as("approverFirstName"),
-        tx.ref("lastName").withSchema(TableName.Users).as("approverLastName")
+        tx.ref("id").withSchema("secretApprovalPolicyApproverUser").as("approverUserId"),
+        tx.ref("email").withSchema("secretApprovalPolicyApproverUser").as("approverEmail"),
+        tx.ref("firstName").withSchema("secretApprovalPolicyApproverUser").as("approverFirstName"),
+        tx.ref("username").withSchema("secretApprovalPolicyApproverUser").as("approverUsername"),
+        tx.ref("lastName").withSchema("secretApprovalPolicyApproverUser").as("approverLastName")
+      )
+      .select(
+        tx.ref("approverGroupId").withSchema(TableName.SecretApprovalPolicyApprover),
+        tx.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
+        tx.ref("email").withSchema(TableName.Users).as("approverGroupEmail"),
+        tx.ref("firstName").withSchema(TableName.Users).as("approverGroupFirstName"),
+        tx.ref("lastName").withSchema(TableName.Users).as("approverGroupLastName")
       )
       .select(
         tx.ref("name").withSchema(TableName.Environment).as("envName"),
@@ -55,11 +84,31 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
           {
             key: "approverUserId",
             label: "userApprovers" as const,
-            mapper: ({ approverUserId, approverEmail, approverFirstName, approverLastName }) => ({
-              userId: approverUserId,
-              email: approverEmail,
-              firstName: approverFirstName,
-              lastName: approverLastName
+            mapper: ({
+              approverUserId: userId,
+              approverEmail: email,
+              approverFirstName: firstName,
+              approverLastName: lastName
+            }) => ({
+              userId,
+              email,
+              firstName,
+              lastName
+            })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "userApprovers" as const,
+            mapper: ({
+              approverGroupUserId: userId,
+              approverGroupEmail: email,
+              approverGroupFirstName: firstName,
+              approverGroupLastName: lastName
+            }) => ({
+              userId,
+              email,
+              firstName,
+              lastName
             })
           }
         ]
@@ -71,9 +120,15 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
     }
   };
 
-  const find = async (filter: TFindFilter<TSecretApprovalPolicies & { projectId: string }>, tx?: Knex) => {
+  const find = async (
+    filter: TFindFilter<TSecretApprovalPolicies & { projectId: string }>,
+    customFilter?: {
+      sapId?: string;
+    },
+    tx?: Knex
+  ) => {
     try {
-      const docs = await secretApprovalPolicyFindQuery(tx || db.replicaNode(), filter);
+      const docs = await secretApprovalPolicyFindQuery(tx || db.replicaNode(), filter, customFilter);
       const formatedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
@@ -83,11 +138,35 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
           ...SecretApprovalPoliciesSchema.parse(data)
         }),
         childrenMapper: [
+          {
+            key: "approverUserId",
+            label: "approvers" as const,
+            mapper: ({ approverUserId: id, approverUsername }) => ({
+              type: ApproverType.User,
+              name: approverUsername,
+              id
+            })
+          },
+          {
+            key: "approverGroupId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupId: id }) => ({
+              type: ApproverType.Group,
+              id
+            })
+          },
           {
             key: "approverUserId",
             label: "userApprovers" as const,
-            mapper: ({ approverUserId }) => ({
-              userId: approverUserId
+            mapper: ({ approverUserId: userId }) => ({
+              userId
+            })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "userApprovers" as const,
+            mapper: ({ approverGroupUserId: userId }) => ({
+              userId
             })
           }
         ]

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -3,11 +3,13 @@ import picomatch from "picomatch";
 
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { containsGlobPatterns } from "@app/lib/picomatch";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
+import { TUserDALFactory } from "@app/services/user/user-dal";
 
+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TSecretApprovalPolicyApproverDALFactory } from "./secret-approval-policy-approver-dal";
 import { TSecretApprovalPolicyDALFactory } from "./secret-approval-policy-dal";
@@ -15,6 +17,7 @@ import {
   TCreateSapDTO,
   TDeleteSapDTO,
   TGetBoardSapDTO,
+  TGetSapByIdDTO,
   TListSapDTO,
   TUpdateSapDTO
 } from "./secret-approval-policy-types";
@@ -28,6 +31,7 @@ type TSecretApprovalPolicyServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   secretApprovalPolicyDAL: TSecretApprovalPolicyDALFactory;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
+  userDAL: Pick<TUserDALFactory, "find">;
   secretApprovalPolicyApproverDAL: TSecretApprovalPolicyApproverDALFactory;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
@@ -39,6 +43,7 @@ export const secretApprovalPolicyServiceFactory = ({
   permissionService,
   secretApprovalPolicyApproverDAL,
   projectEnvDAL,
+  userDAL,
   licenseService
 }: TSecretApprovalPolicyServiceFactoryDep) => {
   const createSecretApprovalPolicy = async ({
@@ -54,7 +59,19 @@ export const secretApprovalPolicyServiceFactory = ({
     environment,
     enforcementLevel
   }: TCreateSapDTO) => {
-    if (approvals > approvers.length)
+    const groupApprovers = approvers
+      ?.filter((approver) => approver.type === ApproverType.Group)
+      .map((approver) => approver.id);
+    const userApprovers = approvers
+      ?.filter((approver) => approver.type === ApproverType.User)
+      .map((approver) => approver.id)
+      .filter(Boolean) as string[];
+
+    const userApproverNames = approvers
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .filter(Boolean) as string[];
+
+    if (!groupApprovers.length && approvals > approvers.length)
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
 
     const { permission } = await permissionService.getProjectPermission(
@@ -78,7 +95,7 @@ export const secretApprovalPolicyServiceFactory = ({
     }
 
     const env = await projectEnvDAL.findOne({ slug: environment, projectId });
-    if (!env) throw new BadRequestError({ message: "Environment not found" });
+    if (!env) throw new NotFoundError({ message: "Environment not found" });
 
     const secretApproval = await secretApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await secretApprovalPolicyDAL.create(
@@ -91,15 +108,48 @@ export const secretApprovalPolicyServiceFactory = ({
         },
         tx
       );
+
+      let userApproverIds = userApprovers;
+      if (userApproverNames.length) {
+        const approverUsers = await userDAL.find(
+          {
+            $in: {
+              username: userApproverNames
+            }
+          },
+          { tx }
+        );
+
+        const approverNamesFromDb = approverUsers.map((user) => user.username);
+        const invalidUsernames = userApproverNames?.filter((username) => !approverNamesFromDb.includes(username));
+
+        if (invalidUsernames?.length) {
+          throw new BadRequestError({
+            message: `Invalid approver user: ${invalidUsernames.join(", ")}`
+          });
+        }
+
+        userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
+      }
+
       await secretApprovalPolicyApproverDAL.insertMany(
-        approvers.map((approverUserId) => ({
+        userApproverIds.map((approverUserId) => ({
           approverUserId,
           policyId: doc.id
         })),
         tx
       );
+
+      await secretApprovalPolicyApproverDAL.insertMany(
+        groupApprovers.map((approverGroupId) => ({
+          approverGroupId,
+          policyId: doc.id
+        })),
+        tx
+      );
       return doc;
     });
+
     return { ...secretApproval, environment: env, projectId };
   };
 
@@ -115,8 +165,20 @@ export const secretApprovalPolicyServiceFactory = ({
     secretPolicyId,
     enforcementLevel
   }: TUpdateSapDTO) => {
+    const groupApprovers = approvers
+      ?.filter((approver) => approver.type === ApproverType.Group)
+      .map((approver) => approver.id);
+    const userApprovers = approvers
+      ?.filter((approver) => approver.type === ApproverType.User)
+      .map((approver) => approver.id)
+      .filter(Boolean) as string[];
+
+    const userApproverNames = approvers
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .filter(Boolean) as string[];
+
     const secretApprovalPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
-    if (!secretApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    if (!secretApprovalPolicy) throw new NotFoundError({ message: "Secret approval policy not found" });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -146,16 +208,52 @@ export const secretApprovalPolicyServiceFactory = ({
         },
         tx
       );
+
+      await secretApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
+
       if (approvers) {
-        await secretApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
+        let userApproverIds = userApprovers;
+        if (userApproverNames) {
+          const approverUsers = await userDAL.find(
+            {
+              $in: {
+                username: userApproverNames
+              }
+            },
+            { tx }
+          );
+
+          const approverNamesFromDb = approverUsers.map((user) => user.username);
+          const invalidUsernames = userApproverNames?.filter((username) => !approverNamesFromDb.includes(username));
+
+          if (invalidUsernames?.length) {
+            throw new BadRequestError({
+              message: `Invalid approver user: ${invalidUsernames.join(", ")}`
+            });
+          }
+
+          userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
+        }
+
         await secretApprovalPolicyApproverDAL.insertMany(
-          approvers.map((approverUserId) => ({
+          userApproverIds.map((approverUserId) => ({
             approverUserId,
             policyId: doc.id
           })),
           tx
         );
       }
+
+      if (groupApprovers) {
+        await secretApprovalPolicyApproverDAL.insertMany(
+          groupApprovers.map((approverGroupId) => ({
+            approverGroupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
       return doc;
     });
     return {
@@ -173,7 +271,7 @@ export const secretApprovalPolicyServiceFactory = ({
     actorOrgId
   }: TDeleteSapDTO) => {
     const sapPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
-    if (!sapPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    if (!sapPolicy) throw new NotFoundError({ message: "Secret approval policy not found" });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -222,7 +320,7 @@ export const secretApprovalPolicyServiceFactory = ({
   const getSecretApprovalPolicy = async (projectId: string, environment: string, path: string) => {
     const secretPath = removeTrailingSlash(path);
     const env = await projectEnvDAL.findOne({ slug: environment, projectId });
-    if (!env) throw new BadRequestError({ message: "Environment not found" });
+    if (!env) throw new NotFoundError({ message: "Environment not found" });
 
     const policies = await secretApprovalPolicyDAL.find({ envId: env.id });
     if (!policies.length) return;
@@ -260,12 +358,41 @@ export const secretApprovalPolicyServiceFactory = ({
     return getSecretApprovalPolicy(projectId, environment, secretPath);
   };
 
+  const getSecretApprovalPolicyById = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    sapId
+  }: TGetSapByIdDTO) => {
+    const [sapPolicy] = await secretApprovalPolicyDAL.find({}, { sapId });
+
+    if (!sapPolicy) {
+      throw new NotFoundError({
+        message: "Cannot find secret approval policy"
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      sapPolicy.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+
+    return sapPolicy;
+  };
+
   return {
     createSecretApprovalPolicy,
     updateSecretApprovalPolicy,
     deleteSecretApprovalPolicy,
     getSecretApprovalPolicy,
     getSecretApprovalPolicyByProjectId,
-    getSecretApprovalPolicyOfFolder
+    getSecretApprovalPolicyOfFolder,
+    getSecretApprovalPolicyById
   };
 };

backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@@ -1,10 +1,12 @@
 import { EnforcementLevel, TProjectPermission } from "@app/lib/types";
 
+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
+
 export type TCreateSapDTO = {
   approvals: number;
   secretPath?: string | null;
   environment: string;
-  approvers: string[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
   projectId: string;
   name: string;
   enforcementLevel: EnforcementLevel;
@@ -14,7 +16,7 @@ export type TUpdateSapDTO = {
   secretPolicyId: string;
   approvals?: number;
   secretPath?: string | null;
-  approvers: string[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
   name?: string;
   enforcementLevel?: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
@@ -25,6 +27,8 @@ export type TDeleteSapDTO = {
 
 export type TListSapDTO = TProjectPermission;
 
+export type TGetSapByIdDTO = Omit<TProjectPermission, "projectId"> & { sapId: string };
+
 export type TGetBoardSapDTO = {
   projectId: string;
   environment: string;

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -48,16 +48,26 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.SecretApprovalRequest}.committerUserId`,
         `committerUser.id`
       )
-      .join(
+      .leftJoin(
         TableName.SecretApprovalPolicyApprover,
         `${TableName.SecretApprovalPolicy}.id`,
         `${TableName.SecretApprovalPolicyApprover}.policyId`
       )
-      .join<TUsers>(
+      .leftJoin<TUsers>(
         db(TableName.Users).as("secretApprovalPolicyApproverUser"),
         `${TableName.SecretApprovalPolicyApprover}.approverUserId`,
         "secretApprovalPolicyApproverUser.id"
       )
+      .leftJoin(
+        TableName.UserGroupMembership,
+        `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
+        `${TableName.UserGroupMembership}.groupId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("secretApprovalPolicyGroupApproverUser"),
+        `${TableName.UserGroupMembership}.userId`,
+        `secretApprovalPolicyGroupApproverUser.id`
+      )
       .leftJoin(
         TableName.SecretApprovalRequestReviewer,
         `${TableName.SecretApprovalRequest}.id`,
@@ -71,10 +81,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
       .select(selectAllTableCols(TableName.SecretApprovalRequest))
       .select(
         tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
+        tx.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
         tx.ref("email").withSchema("secretApprovalPolicyApproverUser").as("approverEmail"),
+        tx.ref("email").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupEmail"),
         tx.ref("username").withSchema("secretApprovalPolicyApproverUser").as("approverUsername"),
+        tx.ref("username").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupUsername"),
         tx.ref("firstName").withSchema("secretApprovalPolicyApproverUser").as("approverFirstName"),
+        tx.ref("firstName").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupFirstName"),
         tx.ref("lastName").withSchema("secretApprovalPolicyApproverUser").as("approverLastName"),
+        tx.ref("lastName").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupLastName"),
         tx.ref("email").withSchema("statusChangedByUser").as("statusChangedByUserEmail"),
         tx.ref("username").withSchema("statusChangedByUser").as("statusChangedByUserUsername"),
         tx.ref("firstName").withSchema("statusChangedByUser").as("statusChangedByUserFirstName"),
@@ -152,13 +167,30 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             key: "approverUserId",
             label: "approvers" as const,
             mapper: ({
-              approverUserId,
+              approverUserId: userId,
               approverEmail: email,
               approverUsername: username,
               approverLastName: lastName,
               approverFirstName: firstName
             }) => ({
-              userId: approverUserId,
+              userId,
+              email,
+              firstName,
+              lastName,
+              username
+            })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "approvers" as const,
+            mapper: ({
+              approverGroupUserId: userId,
+              approverGroupEmail: email,
+              approverGroupUsername: username,
+              approverGroupLastName: lastName,
+              approverGroupFirstName: firstName
+            }) => ({
+              userId,
               email,
               firstName,
               lastName,
@@ -236,11 +268,16 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalRequest}.policyId`,
           `${TableName.SecretApprovalPolicy}.id`
         )
-        .join(
+        .leftJoin(
           TableName.SecretApprovalPolicyApprover,
           `${TableName.SecretApprovalPolicy}.id`,
           `${TableName.SecretApprovalPolicyApprover}.policyId`
         )
+        .leftJoin(
+          TableName.UserGroupMembership,
+          `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
+          `${TableName.UserGroupMembership}.groupId`
+        )
         .join<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
@@ -269,6 +306,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             void bd
               .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, userId)
               .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, userId)
+              .orWhere(`${TableName.UserGroupMembership}.userId`, userId)
         )
         .select(selectAllTableCols(TableName.SecretApprovalRequest))
         .select(
@@ -289,6 +327,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
           db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
           db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
+          db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
           db.ref("email").withSchema("committerUser").as("committerUserEmail"),
           db.ref("username").withSchema("committerUser").as("committerUserUsername"),
           db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
@@ -334,7 +373,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           {
             key: "approverUserId",
             label: "approvers" as const,
-            mapper: ({ approverUserId }) => approverUserId
+            mapper: ({ approverUserId }) => ({ userId: approverUserId })
           },
           {
             key: "commitId",
@@ -344,6 +383,11 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
               id,
               secretId
             })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupUserId }) => ({ userId: approverGroupUserId })
           }
         ]
       });
@@ -371,11 +415,16 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalRequest}.policyId`,
           `${TableName.SecretApprovalPolicy}.id`
         )
-        .join(
+        .leftJoin(
           TableName.SecretApprovalPolicyApprover,
           `${TableName.SecretApprovalPolicy}.id`,
           `${TableName.SecretApprovalPolicyApprover}.policyId`
         )
+        .leftJoin(
+          TableName.UserGroupMembership,
+          `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
+          `${TableName.UserGroupMembership}.groupId`
+        )
         .join<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
@@ -404,6 +453,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             void bd
               .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, userId)
               .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, userId)
+              .orWhere(`${TableName.UserGroupMembership}.userId`, userId)
         )
         .select(selectAllTableCols(TableName.SecretApprovalRequest))
         .select(
@@ -424,6 +474,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
           db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
           db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
+          db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
           db.ref("email").withSchema("committerUser").as("committerUserEmail"),
           db.ref("username").withSchema("committerUser").as("committerUserUsername"),
           db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
@@ -469,7 +520,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           {
             key: "approverUserId",
             label: "approvers" as const,
-            mapper: ({ approverUserId }) => approverUserId
+            mapper: ({ approverUserId }) => ({ userId: approverUserId })
           },
           {
             key: "commitId",
@@ -479,6 +530,13 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
               id,
               secretId
             })
+          },
+          {
+            key: "approverGroupUserId",
+            label: "approvers" as const,
+            mapper: ({ approverGroupUserId }) => ({
+              userId: approverGroupUserId
+            })
           }
         ]
       });

backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts

@@ -8,7 +8,7 @@ import {
   TSecretApprovalRequestsSecrets,
   TSecretTags
 } from "@app/db/schemas";
-import { BadRequestError, DatabaseError } from "@app/lib/errors";
+import { DatabaseError, NotFoundError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
 
 export type TSecretApprovalRequestSecretDALFactory = ReturnType<typeof secretApprovalRequestSecretDALFactory>;
@@ -31,7 +31,7 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
       );
 
       if (existingApprovalSecrets.length !== data.length) {
-        throw new BadRequestError({ message: "Some of the secret approvals do not exist" });
+        throw new NotFoundError({ message: "Some of the secret approvals do not exist" });
       }
 
       if (data.length === 0) return [];

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -10,7 +10,7 @@ import {
 } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
 import { setKnexStringValue } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -204,7 +204,7 @@ export const secretApprovalRequestServiceFactory = ({
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
 
     const secretApprovalRequest = await secretApprovalRequestDAL.findById(id);
-    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!secretApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });
 
     const { projectId } = secretApprovalRequest;
     const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
@@ -222,7 +222,7 @@ export const secretApprovalRequestServiceFactory = ({
       secretApprovalRequest.committerUserId !== actorId &&
       !policy.approvers.find(({ userId }) => userId === actorId)
     ) {
-      throw new UnauthorizedError({ message: "User has no access" });
+      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
     }
 
     let secrets;
@@ -271,7 +271,7 @@ export const secretApprovalRequestServiceFactory = ({
           : undefined
       }));
     } else {
-      if (!botKey) throw new BadRequestError({ message: "Bot key not found" });
+      if (!botKey) throw new NotFoundError({ message: "Project bot key not found" });
       const encrypedSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
       secrets = encrypedSecrets.map((el) => ({
         ...el,
@@ -307,7 +307,7 @@ export const secretApprovalRequestServiceFactory = ({
     actorOrgId
   }: TReviewRequestDTO) => {
     const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
-    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!secretApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });
     if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -331,7 +331,7 @@ export const secretApprovalRequestServiceFactory = ({
       secretApprovalRequest.committerUserId !== actorId &&
       !policy.approvers.find(({ userId }) => userId === actorId)
     ) {
-      throw new UnauthorizedError({ message: "User has no access" });
+      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
     }
     const reviewStatus = await secretApprovalRequestReviewerDAL.transaction(async (tx) => {
       const review = await secretApprovalRequestReviewerDAL.findOne(
@@ -365,7 +365,7 @@ export const secretApprovalRequestServiceFactory = ({
     actorAuthMethod
   }: TStatusChangeDTO) => {
     const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
-    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!secretApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });
     if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -389,7 +389,7 @@ export const secretApprovalRequestServiceFactory = ({
       secretApprovalRequest.committerUserId !== actorId &&
       !policy.approvers.find(({ userId }) => userId === actorId)
     ) {
-      throw new UnauthorizedError({ message: "User has no access" });
+      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
     }
 
     if (secretApprovalRequest.hasMerged) throw new BadRequestError({ message: "Approval request has been merged" });
@@ -414,7 +414,7 @@ export const secretApprovalRequestServiceFactory = ({
     bypassReason
   }: TMergeSecretApprovalRequestDTO) => {
     const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
-    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!secretApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });
     if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -439,7 +439,7 @@ export const secretApprovalRequestServiceFactory = ({
       secretApprovalRequest.committerUserId !== actorId &&
       !policy.approvers.find(({ userId }) => userId === actorId)
     ) {
-      throw new UnauthorizedError({ message: "User has no access" });
+      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
     }
     const reviewers = secretApprovalRequest.reviewers.reduce<Record<string, ApprovalStatus>>(
       (prev, curr) => ({ ...prev, [curr.userId.toString()]: curr.status as ApprovalStatus }),
@@ -447,8 +447,8 @@ export const secretApprovalRequestServiceFactory = ({
     );
     const hasMinApproval =
       secretApprovalRequest.policy.approvals <=
-      secretApprovalRequest.policy.approvers.filter(
-        ({ userId: approverId }) => reviewers[approverId.toString()] === ApprovalStatus.APPROVED
+      secretApprovalRequest.policy.approvers.filter(({ userId: approverId }) =>
+        approverId ? reviewers[approverId] === ApprovalStatus.APPROVED : false
       ).length;
     const isSoftEnforcement = secretApprovalRequest.policy.enforcementLevel === EnforcementLevel.Soft;
 
@@ -462,7 +462,7 @@ export const secretApprovalRequestServiceFactory = ({
       const secretApprovalSecrets = await secretApprovalRequestSecretDAL.findByRequestIdBridgeSecretV2(
         secretApprovalRequest.id
       );
-      if (!secretApprovalSecrets) throw new BadRequestError({ message: "No secrets found" });
+      if (!secretApprovalSecrets) throw new NotFoundError({ message: "No secrets found" });
 
       const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
         type: KmsDataKey.SecretManager,
@@ -602,7 +602,7 @@ export const secretApprovalRequestServiceFactory = ({
       });
     } else {
       const secretApprovalSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
-      if (!secretApprovalSecrets) throw new BadRequestError({ message: "No secrets found" });
+      if (!secretApprovalSecrets) throw new NotFoundError({ message: "No secrets found" });
 
       const conflicts: Array<{ secretId: string; op: SecretOperations }> = [];
       let secretCreationCommits = secretApprovalSecrets.filter(({ op }) => op === SecretOperations.Create);
@@ -612,8 +612,8 @@ export const secretApprovalRequestServiceFactory = ({
           secretDAL,
           inputSecrets: secretCreationCommits.map(({ secretBlindIndex }) => {
             if (!secretBlindIndex) {
-              throw new BadRequestError({
-                message: "Missing secret blind index"
+              throw new NotFoundError({
+                message: "Secret blind index not found"
               });
             }
             return { secretBlindIndex };
@@ -639,8 +639,8 @@ export const secretApprovalRequestServiceFactory = ({
             .filter(({ secretBlindIndex, secret }) => secret && secret.secretBlindIndex !== secretBlindIndex)
             .map(({ secretBlindIndex }) => {
               if (!secretBlindIndex) {
-                throw new BadRequestError({
-                  message: "Missing secret blind index"
+                throw new NotFoundError({
+                  message: "Secret blind index not found"
                 });
               }
               return { secretBlindIndex };
@@ -762,8 +762,8 @@ export const secretApprovalRequestServiceFactory = ({
               secretQueueService,
               inputSecrets: secretDeletionCommits.map(({ secretBlindIndex }) => {
                 if (!secretBlindIndex) {
-                  throw new BadRequestError({
-                    message: "Missing secret blind index"
+                  throw new NotFoundError({
+                    message: "Secret blind index not found"
                   });
                 }
                 return { secretBlindIndex, type: SecretType.Shared };
@@ -789,7 +789,7 @@ export const secretApprovalRequestServiceFactory = ({
 
     await snapshotService.performSnapshot(folderId);
     const [folder] = await folderDAL.findSecretPathByFolderIds(projectId, [folderId]);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
     await secretQueueService.syncSecrets({
       projectId,
       secretPath: folder.path,
@@ -805,7 +805,7 @@ export const secretApprovalRequestServiceFactory = ({
       const requestedByUser = await userDAL.findOne({ id: actorId });
       const approverUsers = await userDAL.find({
         $in: {
-          id: policy.approvers.map((approver: { userId: string }) => approver.userId)
+          id: policy.approvers.map((approver: { userId: string | null | undefined }) => approver.userId!)
         }
       });
 
@@ -860,14 +860,14 @@ export const secretApprovalRequestServiceFactory = ({
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder)
-      throw new BadRequestError({
+      throw new NotFoundError({
         message: "Folder not found for the given environment slug & secret path",
         name: "GenSecretApproval"
       });
     const folderId = folder.id;
 
     const blindIndexCfg = await secretBlindIndexDAL.findOne({ projectId });
-    if (!blindIndexCfg) throw new BadRequestError({ message: "Blind index not found", name: "Update secret" });
+    if (!blindIndexCfg) throw new NotFoundError({ message: "Blind index not found", name: "Update secret" });
 
     const commits: Omit<TSecretApprovalRequestsSecretsInsert, "requestId">[] = [];
     const commitTagIds: Record<string, string[]> = {};
@@ -961,7 +961,7 @@ export const secretApprovalRequestServiceFactory = ({
         secretDAL
       });
       const secretsGroupedByBlindIndex = groupBy(secrets, (i) => {
-        if (!i.secretBlindIndex) throw new BadRequestError({ message: "Missing secret blind index" });
+        if (!i.secretBlindIndex) throw new NotFoundError({ message: "Secret blind index not found" });
         return i.secretBlindIndex;
       });
       const deletedSecretIds = deletedSecrets.map(
@@ -972,7 +972,7 @@ export const secretApprovalRequestServiceFactory = ({
         ...deletedSecrets.map((el) => {
           const secretId = secretsGroupedByBlindIndex[keyName2BlindIndex[el.secretName]][0].id;
           if (!latestSecretVersions[secretId].secretBlindIndex)
-            throw new BadRequestError({ message: "Failed to find secret blind index" });
+            throw new NotFoundError({ message: "Secret blind index not found" });
           return {
             op: SecretOperations.Delete as const,
             ...latestSecretVersions[secretId],
@@ -988,7 +988,7 @@ export const secretApprovalRequestServiceFactory = ({
 
     const tagIds = unique(Object.values(commitTagIds).flat());
     const tags = tagIds.length ? await secretTagDAL.findManyTagsById(projectId, tagIds) : [];
-    if (tagIds.length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
+    if (tagIds.length !== tags.length) throw new NotFoundError({ message: "Tag not found" });
 
     const secretApprovalRequest = await secretApprovalRequestDAL.transaction(async (tx) => {
       const doc = await secretApprovalRequestDAL.create(
@@ -1054,7 +1054,7 @@ export const secretApprovalRequestServiceFactory = ({
 
       const commitsGroupByBlindIndex = groupBy(approvalCommits, (i) => {
         if (!i.secretBlindIndex) {
-          throw new BadRequestError({ message: "Missing secret blind index" });
+          throw new NotFoundError({ message: "Secret blind index not found" });
         }
         return i.secretBlindIndex;
       });
@@ -1132,7 +1132,7 @@ export const secretApprovalRequestServiceFactory = ({
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder)
-      throw new BadRequestError({
+      throw new NotFoundError({
         message: "Folder not found for the given environment slug & secret path",
         name: "GenSecretApproval"
       });
@@ -1191,8 +1191,8 @@ export const secretApprovalRequestServiceFactory = ({
         }))
       );
       if (secretsToUpdateStoredInDB.length !== secretsToUpdate.length)
-        throw new BadRequestError({
-          message: `Secret not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
+        throw new NotFoundError({
+          message: `Secret does not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
         });
 
       // now find any secret that needs to update its name
@@ -1207,8 +1207,8 @@ export const secretApprovalRequestServiceFactory = ({
           }))
         );
         if (secrets.length)
-          throw new BadRequestError({
-            message: `Secret not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
+          throw new NotFoundError({
+            message: `Secret does not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
           });
       }
 
@@ -1267,8 +1267,8 @@ export const secretApprovalRequestServiceFactory = ({
         }))
       );
       if (secretsToDeleteInDB.length !== deletedSecrets.length)
-        throw new BadRequestError({
-          message: `Secret not exist: ${secretsToDeleteInDB.map((el) => el.key).join(",")}`
+        throw new NotFoundError({
+          message: `Secret does not exist: ${secretsToDeleteInDB.map((el) => el.key).join(",")}`
         });
       const secretsGroupedByKey = groupBy(secretsToDeleteInDB, (i) => i.key);
       const deletedSecretIds = deletedSecrets.map((el) => secretsGroupedByKey[el.secretKey][0].id);
@@ -1291,7 +1291,7 @@ export const secretApprovalRequestServiceFactory = ({
 
     const tagIds = unique(Object.values(commitTagIds).flat());
     const tags = tagIds.length ? await secretTagDAL.findManyTagsById(projectId, tagIds) : [];
-    if (tagIds.length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
+    if (tagIds.length !== tags.length) throw new NotFoundError({ message: "Tag not found" });
 
     const secretApprovalRequest = await secretApprovalRequestDAL.transaction(async (tx) => {
       const doc = await secretApprovalRequestDAL.create(

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -4,7 +4,7 @@ import { TSecretApprovalRequestDALFactory } from "@app/ee/services/secret-approv
 import { TSecretApprovalRequestSecretDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-secret-dal";
 import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { groupBy, unique } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -295,7 +295,7 @@ export const secretReplicationServiceFactory = ({
             const [destinationFolder] = await folderDAL.findSecretPathByFolderIds(projectId, [
               destinationSecretImport.folderId
             ]);
-            if (!destinationFolder) throw new BadRequestError({ message: "Imported folder not found" });
+            if (!destinationFolder) throw new NotFoundError({ message: "Imported folder not found" });
 
             let destinationReplicationFolder = await folderDAL.findOne({
               parentId: destinationFolder.id,
@@ -506,7 +506,7 @@ export const secretReplicationServiceFactory = ({
       return;
     }
 
-    if (!botKey) throw new BadRequestError({ message: "Bot not found" });
+    if (!botKey) throw new NotFoundError({ message: "Project bot not found" });
     // these are the secrets to be added in replicated folders
     const sourceLocalSecrets = await secretDAL.find({ folderId: folder.id, type: SecretType.Shared });
     const sourceSecretImports = await secretImportDAL.find({ folderId: folder.id });
@@ -545,7 +545,7 @@ export const secretReplicationServiceFactory = ({
           const [destinationFolder] = await folderDAL.findSecretPathByFolderIds(projectId, [
             destinationSecretImport.folderId
           ]);
-          if (!destinationFolder) throw new BadRequestError({ message: "Imported folder not found" });
+          if (!destinationFolder) throw new NotFoundError({ message: "Imported folder not found" });
 
           let destinationReplicationFolder = await folderDAL.findOne({
             parentId: destinationFolder.id,

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -13,7 +13,7 @@ import {
   infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
 import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
@@ -332,7 +332,7 @@ export const secretRotationQueueFactory = ({
           );
         });
       } else {
-        if (!botKey) throw new BadRequestError({ message: "Bot not found" });
+        if (!botKey) throw new NotFoundError({ message: "Project bot not found" });
         const encryptedSecrets = rotationOutputs.map(({ key: outputKey, secretId }) => ({
           secretId,
           value: encryptSymmetric128BitHexKeyUTF8(
@@ -372,7 +372,7 @@ export const secretRotationQueueFactory = ({
           );
           await secretVersionDAL.insertMany(
             updatedSecrets.map(({ id, updatedAt, createdAt, ...el }) => {
-              if (!el.secretBlindIndex) throw new BadRequestError({ message: "Missing blind index" });
+              if (!el.secretBlindIndex) throw new NotFoundError({ message: "Secret blind index not found" });
               return {
                 ...el,
                 secretId: id,

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -3,7 +3,7 @@ import Ajv from "ajv";
 
 import { ProjectVersion } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -94,7 +94,7 @@ export const secretRotationServiceFactory = ({
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
-    if (!folder) throw new BadRequestError({ message: "Secret path not found" });
+    if (!folder) throw new NotFoundError({ message: "Secret path not found" });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Secrets, { environment, secretPath })
@@ -108,14 +108,14 @@ export const secretRotationServiceFactory = ({
         $in: { id: Object.values(outputs) }
       });
       if (selectedSecrets.length !== Object.values(outputs).length)
-        throw new BadRequestError({ message: "Secrets not found" });
+        throw new NotFoundError({ message: "Secrets not found" });
     } else {
       const selectedSecrets = await secretDAL.find({
         folderId: folder.id,
         $in: { id: Object.values(outputs) }
       });
       if (selectedSecrets.length !== Object.values(outputs).length)
-        throw new BadRequestError({ message: "Secrets not found" });
+        throw new NotFoundError({ message: "Secrets not found" });
     }
 
     const plan = await licenseService.getPlan(project.orgId);
@@ -125,7 +125,7 @@ export const secretRotationServiceFactory = ({
       });
 
     const selectedTemplate = rotationTemplates.find(({ name }) => name === provider);
-    if (!selectedTemplate) throw new BadRequestError({ message: "Provider not found" });
+    if (!selectedTemplate) throw new NotFoundError({ message: "Provider not found" });
     const formattedInputs: Record<string, unknown> = {};
     Object.entries(inputs).forEach(([key, value]) => {
       const { type } = selectedTemplate.template.inputs.properties[key];
@@ -198,7 +198,7 @@ export const secretRotationServiceFactory = ({
       return docs;
     }
 
-    if (!botKey) throw new BadRequestError({ message: "bot not found" });
+    if (!botKey) throw new NotFoundError({ message: "Project bot not found" });
     const docs = await secretRotationDAL.find({ projectId });
     return docs.map((el) => ({
       ...el,
@@ -220,7 +220,7 @@ export const secretRotationServiceFactory = ({
 
   const restartById = async ({ actor, actorId, actorOrgId, actorAuthMethod, rotationId }: TRestartDTO) => {
     const doc = await secretRotationDAL.findById(rotationId);
-    if (!doc) throw new BadRequestError({ message: "Rotation not found" });
+    if (!doc) throw new NotFoundError({ message: "Rotation not found" });
 
     const project = await projectDAL.findById(doc.projectId);
     const plan = await licenseService.getPlan(project.orgId);
@@ -244,7 +244,7 @@ export const secretRotationServiceFactory = ({
 
   const deleteById = async ({ actor, actorId, actorOrgId, actorAuthMethod, rotationId }: TDeleteDTO) => {
     const doc = await secretRotationDAL.findById(rotationId);
-    if (!doc) throw new BadRequestError({ message: "Rotation not found" });
+    if (!doc) throw new NotFoundError({ message: "Rotation not found" });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,

backend/src/ee/services/secret-scanning/secret-scanning-service.ts

@@ -7,7 +7,7 @@ import { ProbotOctokit } from "probot";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { getConfig } from "@app/lib/config/env";
-import { UnauthorizedError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 
 import { TGitAppDALFactory } from "./git-app-dal";
 import { TGitAppInstallSessionDALFactory } from "./git-app-install-session-dal";
@@ -63,7 +63,7 @@ export const secretScanningServiceFactory = ({
     actorOrgId
   }: TLinkInstallSessionDTO) => {
     const session = await gitAppInstallSessionDAL.findOne({ sessionId });
-    if (!session) throw new UnauthorizedError({ message: "Session not found" });
+    if (!session) throw new NotFoundError({ message: "Session was not found" });
 
     const { permission } = await permissionService.getOrgPermission(
       actor,

backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 
 import { TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
-import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -99,7 +99,7 @@ export const secretSnapshotServiceFactory = ({
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
 
     return snapshotDAL.countOfSnapshotsByFolderId(folder.id);
   };
@@ -131,7 +131,7 @@ export const secretSnapshotServiceFactory = ({
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
 
     const snapshots = await snapshotDAL.find({ folderId: folder.id }, { limit, offset, sort: [["createdAt", "desc"]] });
     return snapshots;
@@ -139,7 +139,7 @@ export const secretSnapshotServiceFactory = ({
 
   const getSnapshotData = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TGetSnapshotDataDTO) => {
     const snapshot = await snapshotDAL.findById(id);
-    if (!snapshot) throw new BadRequestError({ message: "Snapshot not found" });
+    if (!snapshot) throw new NotFoundError({ message: "Snapshot not found" });
     const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
@@ -173,7 +173,7 @@ export const secretSnapshotServiceFactory = ({
     } else {
       const encryptedSnapshotDetails = await snapshotDAL.findSecretSnapshotDataById(id);
       const { botKey } = await projectBotService.getBotKey(snapshot.projectId);
-      if (!botKey) throw new BadRequestError({ message: "bot not found" });
+      if (!botKey) throw new NotFoundError({ message: "Project bot not found" });
       snapshotDetails = {
         ...encryptedSnapshotDetails,
         secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => ({
@@ -225,7 +225,7 @@ export const secretSnapshotServiceFactory = ({
     try {
       if (!licenseService.isValidLicense) throw new InternalServerError({ message: "Invalid license" });
       const folder = await folderDAL.findById(folderId);
-      if (!folder) throw new BadRequestError({ message: "Folder not found" });
+      if (!folder) throw new NotFoundError({ message: "Folder not found" });
       const shouldUseSecretV2Bridge = folder.projectVersion === 3;
 
       if (shouldUseSecretV2Bridge) {
@@ -309,7 +309,7 @@ export const secretSnapshotServiceFactory = ({
     actorOrgId
   }: TRollbackSnapshotDTO) => {
     const snapshot = await snapshotDAL.findById(snapshotId);
-    if (!snapshot) throw new BadRequestError({ message: "Snapshot not found" });
+    if (!snapshot) throw new NotFoundError({ message: "Snapshot not found" });
     const shouldUseBridge = snapshot.projectVersion === 3;
 
     const { permission } = await permissionService.getProjectPermission(

backend/src/lib/api-docs/constants.ts

@@ -5,26 +5,30 @@ export const GROUPS = {
     role: "The role of the group to create."
   },
   UPDATE: {
-    currentSlug: "The current slug of the group to update.",
+    id: "The id of the group to update",
     name: "The new name of the group to update to.",
     slug: "The new slug of the group to update to.",
     role: "The new role of the group to update to."
   },
   DELETE: {
+    id: "The id of the group to delete",
     slug: "The slug of the group to delete"
   },
   LIST_USERS: {
-    slug: "The slug of the group to list users for",
+    id: "The id of the group to list users for",
     offset: "The offset to start from. If you enter 10, it will start from the 10th user.",
     limit: "The number of users to return.",
     username: "The username to search for."
   },
   ADD_USER: {
-    slug: "The slug of the group to add the user to.",
+    id: "The id of the group to add the user to.",
     username: "The username of the user to add to the group."
   },
+  GET_BY_ID: {
+    id: "The id of the group to fetch"
+  },
   DELETE_USER: {
-    slug: "The slug of the group to remove the user from.",
+    id: "The id of the group to remove the user from.",
     username: "The username of the user to remove from the group."
   }
 } as const;
@@ -409,21 +413,21 @@ export const PROJECTS = {
     secretSnapshotId: "The ID of the snapshot to rollback to."
   },
   ADD_GROUP_TO_PROJECT: {
-    projectSlug: "The slug of the project to add the group to.",
-    groupSlug: "The slug of the group to add to the project.",
+    projectId: "The ID of the project to add the group to.",
+    groupId: "The ID of the group to add to the project.",
     role: "The role for the group to assume in the project."
   },
   UPDATE_GROUP_IN_PROJECT: {
-    projectSlug: "The slug of the project to update the group in.",
-    groupSlug: "The slug of the group to update in the project.",
+    projectId: "The ID of the project to update the group in.",
+    groupId: "The ID of the group to update in the project.",
     roles: "A list of roles to update the group to."
   },
   REMOVE_GROUP_FROM_PROJECT: {
-    projectSlug: "The slug of the project to delete the group from.",
-    groupSlug: "The slug of the group to delete from the project."
+    projectId: "The ID of the project to delete the group from.",
+    groupId: "The ID of the group to delete from the project."
   },
   LIST_GROUPS_IN_PROJECT: {
-    projectSlug: "The slug of the project to list groups for."
+    projectId: "The ID of the project to list groups for."
   },
   LIST_INTEGRATION: {
     workspaceId: "The ID of the project to list integrations for."
@@ -697,11 +701,46 @@ export const SECRET_IMPORTS = {
   }
 } as const;
 
+export const DASHBOARD = {
+  SECRET_OVERVIEW_LIST: {
+    projectId: "The ID of the project to list secrets/folders from.",
+    environments:
+      "The slugs of the environments to list secrets/folders from (comma separated, ie 'environments=dev,staging,prod').",
+    secretPath: "The secret path to list secrets/folders from.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th secret/folder.",
+    limit: "The number of secrets/folders to return.",
+    orderBy: "The column to order secrets/folders by.",
+    orderDirection: "The direction to order secrets/folders in.",
+    search: "The text string to filter secret keys and folder names by.",
+    includeSecrets: "Whether to include project secrets in the response.",
+    includeFolders: "Whether to include project folders in the response.",
+    includeDynamicSecrets: "Whether to include dynamic project secrets in the response."
+  },
+  SECRET_DETAILS_LIST: {
+    projectId: "The ID of the project to list secrets/folders from.",
+    environment: "The slug of the environment to list secrets/folders from.",
+    secretPath: "The secret path to list secrets/folders from.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th secret/folder.",
+    limit: "The number of secrets/folders to return.",
+    orderBy: "The column to order secrets/folders by.",
+    orderDirection: "The direction to order secrets/folders in.",
+    search: "The text string to filter secret keys and folder names by.",
+    tags: "The tags to filter secrets by (comma separated, ie 'tags=billing,engineering').",
+    includeSecrets: "Whether to include project secrets in the response.",
+    includeFolders: "Whether to include project folders in the response.",
+    includeImports: "Whether to include project secret imports in the response.",
+    includeDynamicSecrets: "Whether to include dynamic project secrets in the response."
+  }
+} as const;
+
 export const AUDIT_LOGS = {
   EXPORT: {
-    workspaceId: "The ID of the project to export audit logs from.",
+    projectId:
+      "Optionally filter logs by project ID. If not provided, logs from the entire organization will be returned.",
     eventType: "The type of the event to export.",
     userAgentType: "Choose which consuming application to export audit logs for.",
+    eventMetadata:
+      "Filter by event metadata key-value pairs. Formatted as `key1=value1,key2=value2`, with comma-separation.",
     startDate: "The date to start the export from.",
     endDate: "The date to end the export at.",
     offset: "The offset to start from. If you enter 10, it will start from the 10th audit log.",

backend/src/lib/config/env.ts

@@ -147,8 +147,8 @@ const envSchema = z
     PLAIN_WISH_LABEL_IDS: zpStr(z.string().optional()),
     DISABLE_AUDIT_LOG_GENERATION: zodStrBool.default("false"),
     SSL_CLIENT_CERTIFICATE_HEADER_KEY: zpStr(z.string().optional()).default("x-ssl-client-cert"),
-    WORKFLOW_SLACK_CLIENT_ID: zpStr(z.string()).optional(),
-    WORKFLOW_SLACK_CLIENT_SECRET: zpStr(z.string()).optional()
+    WORKFLOW_SLACK_CLIENT_ID: zpStr(z.string().optional()),
+    WORKFLOW_SLACK_CLIENT_SECRET: zpStr(z.string().optional())
   })
   .transform((data) => ({
     ...data,

backend/src/lib/errors/index.ts

@@ -40,9 +40,9 @@ export class ForbiddenRequestError extends Error {
 
   error: unknown;
 
-  constructor({ name, error, message }: { message?: string; name?: string; error?: unknown }) {
+  constructor({ name, error, message }: { message?: string; name?: string; error?: unknown } = {}) {
     super(message ?? "You are not allowed to access this resource");
-    this.name = name || "ForbideenError";
+    this.name = name || "ForbiddenError";
     this.error = error;
   }
 }

backend/src/lib/fn/string.ts

@@ -9,3 +9,8 @@ export const removeTrailingSlash = (str: string) => {
 
   return str.endsWith("/") ? str.slice(0, -1) : str;
 };
+
+export const prefixWithSlash = (str: string) => {
+  if (str.startsWith("/")) return str;
+  return `/${str}`;
+};

backend/src/lib/ip/index.ts

@@ -1,6 +1,6 @@
 import net from "node:net";
 
-import { UnauthorizedError } from "../errors";
+import { ForbiddenRequestError } from "../errors";
 
 export enum IPType {
   IPV4 = "ipv4",
@@ -126,7 +126,7 @@ export const checkIPAgainstBlocklist = ({ ipAddress, trustedIps }: { ipAddress:
   const check = blockList.check(ipAddress, type);
 
   if (!check)
-    throw new UnauthorizedError({
-      message: "Failed to authenticate"
+    throw new ForbiddenRequestError({
+      message: "You are not allowed to access this resource from the current IP address"
     });
 };

backend/src/lib/knex/index.ts

@@ -51,11 +51,17 @@ export type TFindReturn<TQuery extends Knex.QueryBuilder, TCount extends boolean
       : unknown)
 >;
 
-export type TFindOpt<R extends object = object, TCount extends boolean = boolean> = {
+export type TFindOpt<
+  R extends object = object,
+  TCount extends boolean = boolean,
+  TCountDistinct extends keyof R | undefined = undefined
+> = {
   limit?: number;
   offset?: number;
   sort?: Array<[keyof R, "asc" | "desc"] | [keyof R, "asc" | "desc", "first" | "last"]>;
+  groupBy?: keyof R;
   count?: TCount;
+  countDistinct?: TCountDistinct;
   tx?: Knex;
 };
 
@@ -86,13 +92,18 @@ export const ormify = <DbOps extends object, Tname extends keyof Tables>(db: Kne
       throw new DatabaseError({ error, name: "Find one" });
     }
   },
-  find: async <TCount extends boolean = false>(
+  find: async <
+    TCount extends boolean = false,
+    TCountDistinct extends keyof Tables[Tname]["base"] | undefined = undefined
+  >(
     filter: TFindFilter<Tables[Tname]["base"]>,
-    { offset, limit, sort, count, tx }: TFindOpt<Tables[Tname]["base"], TCount> = {}
+    { offset, limit, sort, count, tx, countDistinct }: TFindOpt<Tables[Tname]["base"], TCount, TCountDistinct> = {}
   ) => {
     try {
       const query = (tx || db.replicaNode())(tableName).where(buildFindFilter(filter));
-      if (count) {
+      if (countDistinct) {
+        void query.countDistinct(countDistinct);
+      } else if (count) {
         void query.select(db.raw("COUNT(*) OVER() AS count"));
         void query.select("*");
       }
@@ -101,7 +112,8 @@ export const ormify = <DbOps extends object, Tname extends keyof Tables>(db: Kne
       if (sort) {
         void query.orderBy(sort.map(([column, order, nulls]) => ({ column: column as string, order, nulls })));
       }
-      const res = (await query) as TFindReturn<typeof query, TCount>;
+
+      const res = (await query) as TFindReturn<typeof query, TCountDistinct extends undefined ? TCount : true>;
       return res;
     } catch (error) {
       throw new DatabaseError({ error, name: "Find one" });

backend/src/queue/queue-service.ts

@@ -7,7 +7,11 @@ import {
   TScanFullRepoEventPayload,
   TScanPushEventPayload
 } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue-types";
-import { TSyncSecretsDTO } from "@app/services/secret/secret-types";
+import {
+  TFailedIntegrationSyncEmailsPayload,
+  TIntegrationSyncPayload,
+  TSyncSecretsDTO
+} from "@app/services/secret/secret-types";
 
 export enum QueueName {
   SecretRotation = "secret-rotation",
@@ -42,6 +46,7 @@ export enum QueueJobs {
   SecWebhook = "secret-webhook-trigger",
   TelemetryInstanceStats = "telemetry-self-hosted-stats",
   IntegrationSync = "secret-integration-pull",
+  SendFailedIntegrationSyncEmails = "send-failed-integration-sync-emails",
   SecretScan = "secret-scan",
   UpgradeProjectToGhost = "upgrade-project-to-ghost-job",
   DynamicSecretRevocation = "dynamic-secret-revocation",
@@ -88,16 +93,26 @@ export type TQueueJobTypes = {
     name: QueueJobs.SecWebhook;
     payload: { projectId: string; environment: string; secretPath: string; depth?: number };
   };
-  [QueueName.IntegrationSync]: {
-    name: QueueJobs.IntegrationSync;
-    payload: {
-      projectId: string;
-      environment: string;
-      secretPath: string;
-      depth?: number;
-      deDupeQueue?: Record<string, boolean>;
-    };
-  };
+
+  [QueueName.AccessTokenStatusUpdate]:
+    | {
+        name: QueueJobs.IdentityAccessTokenStatusUpdate;
+        payload: { identityAccessTokenId: string; numberOfUses: number };
+      }
+    | {
+        name: QueueJobs.ServiceTokenStatusUpdate;
+        payload: { serviceTokenId: string };
+      };
+
+  [QueueName.IntegrationSync]:
+    | {
+        name: QueueJobs.IntegrationSync;
+        payload: TIntegrationSyncPayload;
+      }
+    | {
+        name: QueueJobs.SendFailedIntegrationSyncEmails;
+        payload: TFailedIntegrationSyncEmailsPayload;
+      };
   [QueueName.SecretFullRepoScan]: {
     name: QueueJobs.SecretScan;
     payload: TScanFullRepoEventPayload;
@@ -151,15 +166,6 @@ export type TQueueJobTypes = {
     name: QueueJobs.ProjectV3Migration;
     payload: { projectId: string };
   };
-  [QueueName.AccessTokenStatusUpdate]:
-    | {
-        name: QueueJobs.IdentityAccessTokenStatusUpdate;
-        payload: { identityAccessTokenId: string; numberOfUses: number };
-      }
-    | {
-        name: QueueJobs.ServiceTokenStatusUpdate;
-        payload: { serviceTokenId: string };
-      };
 };
 
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;

backend/src/server/app.ts

@@ -20,6 +20,7 @@ import { TQueueServiceFactory } from "@app/queue";
 import { TSmtpService } from "@app/services/smtp/smtp-service";
 
 import { globalRateLimiterCfg } from "./config/rateLimiter";
+import { addErrorsToResponseSchemas } from "./plugins/add-errors-to-response-schemas";
 import { fastifyErrHandler } from "./plugins/error-handler";
 import { registerExternalNextjs } from "./plugins/external-nextjs";
 import { serializerCompiler, validatorCompiler, ZodTypeProvider } from "./plugins/fastify-zod";
@@ -75,6 +76,8 @@ export const main = async ({ db, smtp, logger, queue, keyStore }: TMain) => {
       credentials: true,
       origin: appCfg.SITE_URL || true
     });
+
+    await server.register(addErrorsToResponseSchemas);
     // pull ip based on various proxy headers
     await server.register(fastifyIp);
 

backend/src/server/plugins/add-errors-to-response-schemas.ts

@@ -0,0 +1,15 @@
+/* eslint-disable no-param-reassign */
+import fp from "fastify-plugin";
+
+import { DefaultResponseErrorsSchema } from "../routes/sanitizedSchemas";
+
+export const addErrorsToResponseSchemas = fp(async (server) => {
+  server.addHook("onRoute", (routeOptions) => {
+    if (routeOptions.schema && routeOptions.schema.response) {
+      routeOptions.schema.response = {
+        ...DefaultResponseErrorsSchema,
+        ...routeOptions.schema.response
+      };
+    }
+  });
+});

backend/src/server/plugins/audit-log.ts

@@ -70,7 +70,7 @@ export const injectAuditLogInfo = fp(async (server: FastifyZodProvider) => {
         metadata: {}
       };
     } else {
-      throw new BadRequestError({ message: "Missing logic for other actor" });
+      throw new BadRequestError({ message: "Invalid actor type provided" });
     }
     req.auditLogInfo = payload;
   });

backend/src/server/plugins/auth/inject-identity.ts

@@ -5,7 +5,7 @@ import jwt, { JwtPayload } from "jsonwebtoken";
 import { TServiceTokens, TUsers } from "@app/db/schemas";
 import { TScimTokenJwtPayload } from "@app/ee/services/scim/scim-types";
 import { getConfig } from "@app/lib/config/env";
-import { UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
 import { ActorType, AuthMethod, AuthMode, AuthModeJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
 import { TIdentityAccessTokenJwtPayload } from "@app/services/identity-access-token/identity-access-token-types";
 
@@ -167,7 +167,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
         break;
       }
       default:
-        throw new UnauthorizedError({ name: "Unknown token strategy" });
+        throw new BadRequestError({ message: "Invalid token strategy provided" });
     }
   });
 });

backend/src/server/plugins/auth/superAdmin.ts

@@ -1,6 +1,6 @@
 import { FastifyReply, FastifyRequest, HookHandlerDoneFunction } from "fastify";
 
-import { UnauthorizedError } from "@app/lib/errors";
+import { ForbiddenRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
 
 export const verifySuperAdmin = <T extends FastifyRequest>(
@@ -9,9 +9,8 @@ export const verifySuperAdmin = <T extends FastifyRequest>(
   done: HookHandlerDoneFunction
 ) => {
   if (req.auth.actor !== ActorType.USER || !req.auth.user.superAdmin)
-    throw new UnauthorizedError({
-      name: "Unauthorized access",
-      message: "Requires superadmin access"
+    throw new ForbiddenRequestError({
+      message: "Requires elevated super admin privileges"
     });
   done();
 };

backend/src/server/plugins/auth/verify-auth.ts

@@ -1,6 +1,6 @@
 import { FastifyReply, FastifyRequest, HookHandlerDoneFunction } from "fastify";
 
-import { UnauthorizedError } from "@app/lib/errors";
+import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 interface TAuthOptions {
@@ -11,11 +11,11 @@ export const verifyAuth =
   <T extends FastifyRequest>(authStrategies: AuthMode[], options: TAuthOptions = { requireOrg: true }) =>
   (req: T, _res: FastifyReply, done: HookHandlerDoneFunction) => {
     if (!Array.isArray(authStrategies)) throw new Error("Auth strategy must be array");
-    if (!req.auth) throw new UnauthorizedError({ name: "Unauthorized access", message: "Token missing" });
+    if (!req.auth) throw new UnauthorizedError({ message: "Token missing" });
 
     const isAccessAllowed = authStrategies.some((strategy) => strategy === req.auth.authMode);
     if (!isAccessAllowed) {
-      throw new UnauthorizedError({ name: `${req.url} Unauthorized Access` });
+      throw new ForbiddenRequestError({ name: `Forbidden access to ${req.url}` });
     }
 
     // New optional option. There are some routes which do not require an organization ID to be present on the request.

backend/src/server/plugins/error-handler.ts

@@ -1,41 +1,95 @@
 import { ForbiddenError } from "@casl/ability";
 import fastifyPlugin from "fastify-plugin";
+import jwt from "jsonwebtoken";
 import { ZodError } from "zod";
 
 import {
   BadRequestError,
   DatabaseError,
+  ForbiddenRequestError,
   InternalServerError,
   NotFoundError,
   ScimRequestError,
   UnauthorizedError
 } from "@app/lib/errors";
 
+enum JWTErrors {
+  JwtExpired = "jwt expired",
+  JwtMalformed = "jwt malformed",
+  InvalidAlgorithm = "invalid algorithm"
+}
+
+enum HttpStatusCodes {
+  BadRequest = 400,
+  NotFound = 404,
+  Unauthorized = 401,
+  Forbidden = 403,
+  // eslint-disable-next-line @typescript-eslint/no-shadow
+  InternalServerError = 500
+}
+
 export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider) => {
   server.setErrorHandler((error, req, res) => {
     req.log.error(error);
     if (error instanceof BadRequestError) {
-      void res.status(400).send({ statusCode: 400, message: error.message, error: error.name });
+      void res
+        .status(HttpStatusCodes.BadRequest)
+        .send({ statusCode: HttpStatusCodes.BadRequest, message: error.message, error: error.name });
     } else if (error instanceof NotFoundError) {
-      void res.status(404).send({ statusCode: 404, message: error.message, error: error.name });
+      void res
+        .status(HttpStatusCodes.NotFound)
+        .send({ statusCode: HttpStatusCodes.NotFound, message: error.message, error: error.name });
     } else if (error instanceof UnauthorizedError) {
-      void res.status(403).send({ statusCode: 403, message: error.message, error: error.name });
+      void res
+        .status(HttpStatusCodes.Unauthorized)
+        .send({ statusCode: HttpStatusCodes.Unauthorized, message: error.message, error: error.name });
     } else if (error instanceof DatabaseError || error instanceof InternalServerError) {
-      void res.status(500).send({ statusCode: 500, message: "Something went wrong", error: error.name });
+      void res
+        .status(HttpStatusCodes.InternalServerError)
+        .send({ statusCode: HttpStatusCodes.InternalServerError, message: "Something went wrong", error: error.name });
     } else if (error instanceof ZodError) {
-      void res.status(403).send({ statusCode: 403, error: "ValidationFailure", message: error.issues });
+      void res
+        .status(HttpStatusCodes.Unauthorized)
+        .send({ statusCode: HttpStatusCodes.Unauthorized, error: "ValidationFailure", message: error.issues });
     } else if (error instanceof ForbiddenError) {
-      void res.status(401).send({
-        statusCode: 401,
+      void res.status(HttpStatusCodes.Forbidden).send({
+        statusCode: HttpStatusCodes.Forbidden,
         error: "PermissionDenied",
         message: `You are not allowed to ${error.action} on ${error.subjectType}`
       });
+    } else if (error instanceof ForbiddenRequestError) {
+      void res.status(HttpStatusCodes.Forbidden).send({
+        statusCode: HttpStatusCodes.Forbidden,
+        message: error.message,
+        error: error.name
+      });
     } else if (error instanceof ScimRequestError) {
       void res.status(error.status).send({
         schemas: error.schemas,
         status: error.status,
         detail: error.detail
       });
+      // Handle JWT errors and make them more human-readable for the end-user.
+    } else if (error instanceof jwt.JsonWebTokenError) {
+      const message = (() => {
+        if (error.message === JWTErrors.JwtExpired) {
+          return "Your token has expired. Please re-authenticate.";
+        }
+        if (error.message === JWTErrors.JwtMalformed) {
+          return "The provided access token is malformed. Please use a valid token or generate a new one and try again.";
+        }
+        if (error.message === JWTErrors.InvalidAlgorithm) {
+          return "The access token is signed with an invalid algorithm. Please provide a valid token and try again.";
+        }
+
+        return error.message;
+      })();
+
+      void res.status(HttpStatusCodes.Forbidden).send({
+        statusCode: HttpStatusCodes.Forbidden,
+        error: "TokenError",
+        message
+      });
     } else {
       void res.send(error);
     }

backend/src/server/routes/index.ts

@@ -1,5 +1,5 @@
 import { CronJob } from "cron";
-import { Redis } from "ioredis";
+// import { Redis } from "ioredis";
 import { Knex } from "knex";
 import { z } from "zod";
 
@@ -74,7 +74,6 @@ import { trustedIpDALFactory } from "@app/ee/services/trusted-ip/trusted-ip-dal"
 import { trustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
-import { logger } from "@app/lib/logger";
 import { TQueueServiceFactory } from "@app/queue";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { accessTokenQueueServiceFactory } from "@app/services/access-token-queue/access-token-queue";
@@ -97,6 +96,7 @@ import { certificateAuthorityServiceFactory } from "@app/services/certificate-au
 import { certificateTemplateDALFactory } from "@app/services/certificate-template/certificate-template-dal";
 import { certificateTemplateEstConfigDALFactory } from "@app/services/certificate-template/certificate-template-est-config-dal";
 import { certificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
+import { externalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { groupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { groupProjectMembershipRoleDALFactory } from "@app/services/group-project/group-project-membership-role-dal";
 import { groupProjectServiceFactory } from "@app/services/group-project/group-project-service";
@@ -380,7 +380,8 @@ export const registerRoutes = async (
     secretApprovalPolicyApproverDAL: sapApproverDAL,
     permissionService,
     secretApprovalPolicyDAL,
-    licenseService
+    licenseService,
+    userDAL
   });
   const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL, orgMembershipDAL });
 
@@ -493,7 +494,6 @@ export const registerRoutes = async (
     orgRoleDAL,
     permissionService,
     orgDAL,
-    userGroupMembershipDAL,
     projectBotDAL,
     incidentContactDAL,
     tokenService,
@@ -811,6 +811,8 @@ export const registerRoutes = async (
     projectEnvDAL,
     webhookDAL,
     orgDAL,
+    auditLogService,
+    userDAL,
     projectMembershipDAL,
     smtpService,
     projectDAL,
@@ -922,10 +924,12 @@ export const registerRoutes = async (
   const accessApprovalPolicyService = accessApprovalPolicyServiceFactory({
     accessApprovalPolicyDAL,
     accessApprovalPolicyApproverDAL,
+    groupDAL,
     permissionService,
     projectEnvDAL,
     projectMembershipDAL,
-    projectDAL
+    projectDAL,
+    userDAL
   });
 
   const accessApprovalRequestService = accessApprovalRequestServiceFactory({
@@ -941,7 +945,8 @@ export const registerRoutes = async (
     smtpService,
     accessApprovalPolicyApproverDAL,
     projectSlackConfigDAL,
-    kmsService
+    kmsService,
+    groupDAL
   });
 
   const secretReplicationService = secretReplicationServiceFactory({
@@ -1181,6 +1186,14 @@ export const registerRoutes = async (
     workflowIntegrationDAL
   });
 
+  const migrationService = externalMigrationServiceFactory({
+    projectService,
+    orgService,
+    projectEnvService,
+    permissionService,
+    secretService
+  });
+
   await superAdminService.initServerCfg();
   //
   // setup the communication with license key server
@@ -1264,7 +1277,8 @@ export const registerRoutes = async (
     externalKms: externalKmsService,
     orgAdmin: orgAdminService,
     slack: slackService,
-    workflowIntegration: workflowIntegrationService
+    workflowIntegration: workflowIntegrationService,
+    migration: migrationService
   });
 
   const cronJobs: CronJob[] = [];
@@ -1303,33 +1317,33 @@ export const registerRoutes = async (
         })
       }
     },
-    handler: async (request, reply) => {
+    handler: async () => {
       const cfg = getConfig();
       const serverCfg = await getServerCfg();
 
-      try {
-        await db.raw("SELECT NOW()");
-      } catch (err) {
-        logger.error("Health check: database connection failed", err);
-        return reply.code(503).send({
-          date: new Date(),
-          message: "Service unavailable"
-        });
-      }
+      // try {
+      //   await db.raw("SELECT NOW()");
+      // } catch (err) {
+      //   logger.error("Health check: database connection failed", err);
+      //   return reply.code(503).send({
+      //     date: new Date(),
+      //     message: "Service unavailable"
+      //   });
+      // }
 
-      if (cfg.isRedisConfigured) {
-        const redis = new Redis(cfg.REDIS_URL);
-        try {
-          await redis.ping();
-          redis.disconnect();
-        } catch (err) {
-          logger.error("Health check: redis connection failed", err);
-          return reply.code(503).send({
-            date: new Date(),
-            message: "Service unavailable"
-          });
-        }
-      }
+      // if (cfg.isRedisConfigured) {
+      //   const redis = new Redis(cfg.REDIS_URL);
+      //   try {
+      //     await redis.ping();
+      //     redis.disconnect();
+      //   } catch (err) {
+      //     logger.error("Health check: redis connection failed", err);
+      //     return reply.code(503).send({
+      //       date: new Date(),
+      //       message: "Service unavailable"
+      //     });
+      //   }
+      // }
 
       return {
         date: new Date(),

backend/src/server/routes/sanitizedSchemas.ts

@@ -27,6 +27,34 @@ export const integrationAuthPubSchema = IntegrationAuthsSchema.pick({
   updatedAt: true
 });
 
+export const DefaultResponseErrorsSchema = {
+  400: z.object({
+    statusCode: z.literal(400),
+    message: z.string(),
+    error: z.string()
+  }),
+  404: z.object({
+    statusCode: z.literal(404),
+    message: z.string(),
+    error: z.string()
+  }),
+  401: z.object({
+    statusCode: z.literal(401),
+    message: z.any(),
+    error: z.string()
+  }),
+  403: z.object({
+    statusCode: z.literal(403),
+    message: z.string(),
+    error: z.string()
+  }),
+  500: z.object({
+    statusCode: z.literal(500),
+    message: z.string(),
+    error: z.string()
+  })
+};
+
 export const sapPubSchema = SecretApprovalPoliciesSchema.merge(
   z.object({
     environment: z.object({

backend/src/server/routes/v1/admin-router.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { OrganizationsSchema, SuperAdminSchema, UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -227,8 +227,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     handler: async (req, res) => {
       const appCfg = getConfig();
       const serverCfg = await getServerCfg();
-      if (serverCfg.initialized)
-        throw new UnauthorizedError({ name: "Admin sign up", message: "Admin has been created" });
+      if (serverCfg.initialized) throw new BadRequestError({ message: "Admin account has already been set up" });
       const { user, token, organization } = await server.services.superAdmin.adminSignUp({
         ...req.body,
         ip: req.realIp,

backend/src/server/routes/v1/auth-router.ts

@@ -2,7 +2,7 @@ import jwt from "jsonwebtoken";
 import { z } from "zod";
 
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { authRateLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode, AuthModeRefreshJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
@@ -71,23 +71,34 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
       const refreshToken = req.cookies.jid;
       const appCfg = getConfig();
       if (!refreshToken)
-        throw new BadRequestError({
-          name: "Auth token route",
-          message: "Failed  to find refresh token"
+        throw new NotFoundError({
+          name: "AuthTokenNotFound",
+          message: "Failed to find refresh token"
         });
 
       const decodedToken = jwt.verify(refreshToken, appCfg.AUTH_SECRET) as AuthModeRefreshJwtTokenPayload;
       if (decodedToken.authTokenType !== AuthTokenType.REFRESH_TOKEN)
-        throw new UnauthorizedError({ message: "Invalid token", name: "Auth token route" });
+        throw new UnauthorizedError({
+          message: "The token provided is not a refresh token",
+          name: "InvalidToken"
+        });
 
       const tokenVersion = await server.services.authToken.getUserTokenSessionById(
         decodedToken.tokenVersionId,
         decodedToken.userId
       );
-      if (!tokenVersion) throw new UnauthorizedError({ message: "Invalid token", name: "Auth token route" });
+      if (!tokenVersion)
+        throw new UnauthorizedError({
+          message: "Valid token version not found",
+          name: "InvalidToken"
+        });
 
-      if (decodedToken.refreshVersion !== tokenVersion.refreshVersion)
-        throw new UnauthorizedError({ message: "Invalid token", name: "Auth token route" });
+      if (decodedToken.refreshVersion !== tokenVersion.refreshVersion) {
+        throw new UnauthorizedError({
+          message: "Token version mismatch",
+          name: "InvalidToken"
+        });
+      }
 
       const token = jwt.sign(
         {

backend/src/server/routes/v1/dashboard-router.ts

@@ -0,0 +1,633 @@
+import { ForbiddenError, subject } from "@casl/ability";
+import { z } from "zod";
+
+import { SecretFoldersSchema, SecretImportsSchema, SecretTagsSchema } from "@app/db/schemas";
+import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { DASHBOARD } from "@app/lib/api-docs";
+import { BadRequestError } from "@app/lib/errors";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { OrderByDirection } from "@app/lib/types";
+import { secretsLimit } from "@app/server/config/rateLimiter";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
+import { getUserAgentType } from "@app/server/plugins/audit-log";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedDynamicSecretSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { SecretsOrderBy } from "@app/services/secret/secret-types";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
+
+// handle querystring boolean values
+const booleanSchema = z
+  .union([z.boolean(), z.string().trim()])
+  .transform((value) => {
+    if (typeof value === "string") {
+      // ie if not empty, 0 or false, return true
+      return Boolean(value) && Number(value) !== 0 && value.toLowerCase() !== "false";
+    }
+
+    return value;
+  })
+  .optional()
+  .default(true);
+
+export const registerDashboardRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/secrets-overview",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      description: "List project secrets overview",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        projectId: z.string().trim().describe(DASHBOARD.SECRET_OVERVIEW_LIST.projectId),
+        environments: z
+          .string()
+          .trim()
+          .transform(decodeURIComponent)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.environments),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.secretPath),
+        offset: z.coerce.number().min(0).optional().default(0).describe(DASHBOARD.SECRET_OVERVIEW_LIST.offset),
+        limit: z.coerce.number().min(1).max(100).optional().default(100).describe(DASHBOARD.SECRET_OVERVIEW_LIST.limit),
+        orderBy: z
+          .nativeEnum(SecretsOrderBy)
+          .default(SecretsOrderBy.Name)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.orderBy)
+          .optional(),
+        orderDirection: z
+          .nativeEnum(OrderByDirection)
+          .default(OrderByDirection.ASC)
+          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.orderDirection)
+          .optional(),
+        search: z.string().trim().describe(DASHBOARD.SECRET_OVERVIEW_LIST.search).optional(),
+        includeSecrets: booleanSchema.describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeSecrets),
+        includeFolders: booleanSchema.describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeFolders),
+        includeDynamicSecrets: booleanSchema.describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeDynamicSecrets)
+      }),
+      response: {
+        200: z.object({
+          folders: SecretFoldersSchema.extend({ environment: z.string() }).array().optional(),
+          dynamicSecrets: SanitizedDynamicSecretSchema.extend({ environment: z.string() }).array().optional(),
+          secrets: secretRawSchema
+            .extend({
+              secretPath: z.string().optional(),
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
+                .optional()
+            })
+            .array()
+            .optional(),
+          totalFolderCount: z.number().optional(),
+          totalDynamicSecretCount: z.number().optional(),
+          totalSecretCount: z.number().optional(),
+          totalCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const {
+        secretPath,
+        projectId,
+        limit,
+        offset,
+        search,
+        orderBy,
+        orderDirection,
+        includeFolders,
+        includeSecrets,
+        includeDynamicSecrets
+      } = req.query;
+
+      const environments = req.query.environments.split(",");
+
+      if (!projectId || environments.length === 0)
+        throw new BadRequestError({ message: "Missing workspace id or environment(s)" });
+
+      const { shouldUseSecretV2Bridge } = await server.services.projectBot.getBotKey(projectId);
+
+      // prevent older projects from accessing endpoint
+      if (!shouldUseSecretV2Bridge) throw new BadRequestError({ message: "Project version not supported" });
+
+      let remainingLimit = limit;
+      let adjustedOffset = offset;
+
+      let folders: Awaited<ReturnType<typeof server.services.folder.getFoldersMultiEnv>> | undefined;
+      let secrets: Awaited<ReturnType<typeof server.services.secret.getSecretsRawMultiEnv>> | undefined;
+      let dynamicSecrets:
+        | Awaited<ReturnType<typeof server.services.dynamicSecret.listDynamicSecretsByFolderIds>>
+        | undefined;
+
+      let totalFolderCount: number | undefined;
+      let totalDynamicSecretCount: number | undefined;
+      let totalSecretCount: number | undefined;
+
+      if (includeFolders) {
+        // this is the unique count, ie duplicate folders across envs only count as 1
+        totalFolderCount = await server.services.folder.getProjectFolderCount({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          projectId: req.query.projectId,
+          path: secretPath,
+          environments,
+          search
+        });
+
+        if (remainingLimit > 0 && totalFolderCount > adjustedOffset) {
+          folders = await server.services.folder.getFoldersMultiEnv({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            environments,
+            path: secretPath,
+            orderBy,
+            orderDirection,
+            search,
+            limit: remainingLimit,
+            offset: adjustedOffset
+          });
+
+          // get the count of unique folder names to properly adjust remaining limit
+          const uniqueFolderCount = new Set(folders.map((folder) => folder.name)).size;
+
+          remainingLimit -= uniqueFolderCount;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalFolderCount);
+        }
+      }
+
+      if (!includeDynamicSecrets && !includeSecrets)
+        return {
+          folders,
+          totalFolderCount,
+          totalCount: totalFolderCount ?? 0
+        };
+
+      const { permission } = await server.services.permission.getProjectPermission(
+        req.permission.type,
+        req.permission.id,
+        projectId,
+        req.permission.authMethod,
+        req.permission.orgId
+      );
+
+      const permissiveEnvs = // filter envs user has access to
+        environments.filter((environment) =>
+          permission.can(
+            ProjectPermissionActions.Read,
+            subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+          )
+        );
+
+      if (includeDynamicSecrets) {
+        // this is the unique count, ie duplicate secrets across envs only count as 1
+        totalDynamicSecretCount = await server.services.dynamicSecret.getCountMultiEnv({
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          projectId,
+          search,
+          environmentSlugs: permissiveEnvs,
+          path: secretPath,
+          isInternal: true
+        });
+
+        if (remainingLimit > 0 && totalDynamicSecretCount > adjustedOffset) {
+          dynamicSecrets = await server.services.dynamicSecret.listDynamicSecretsByFolderIds({
+            actor: req.permission.type,
+            actorId: req.permission.id,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            search,
+            orderBy,
+            orderDirection,
+            environmentSlugs: permissiveEnvs,
+            path: secretPath,
+            limit: remainingLimit,
+            offset: adjustedOffset,
+            isInternal: true
+          });
+
+          // get the count of unique dynamic secret names to properly adjust remaining limit
+          const uniqueDynamicSecretsCount = new Set(dynamicSecrets.map((dynamicSecret) => dynamicSecret.name)).size;
+
+          remainingLimit -= uniqueDynamicSecretsCount;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalDynamicSecretCount);
+        }
+      }
+
+      if (includeSecrets) {
+        // this is the unique count, ie duplicate secrets across envs only count as 1
+        totalSecretCount = await server.services.secret.getSecretsCountMultiEnv({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorOrgId: req.permission.orgId,
+          environments: permissiveEnvs,
+          actorAuthMethod: req.permission.authMethod,
+          projectId,
+          path: secretPath,
+          search,
+          isInternal: true
+        });
+
+        if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
+          secrets = await server.services.secret.getSecretsRawMultiEnv({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorOrgId: req.permission.orgId,
+            environments: permissiveEnvs,
+            actorAuthMethod: req.permission.authMethod,
+            projectId,
+            path: secretPath,
+            orderBy,
+            orderDirection,
+            search,
+            limit: remainingLimit,
+            offset: adjustedOffset,
+            isInternal: true
+          });
+
+          for await (const environment of permissiveEnvs) {
+            const secretCountFromEnv = secrets.filter((secret) => secret.environment === environment).length;
+
+            if (secretCountFromEnv) {
+              await server.services.auditLog.createAuditLog({
+                projectId,
+                ...req.auditLogInfo,
+                event: {
+                  type: EventType.GET_SECRETS,
+                  metadata: {
+                    environment,
+                    secretPath,
+                    numberOfSecrets: secretCountFromEnv
+                  }
+                }
+              });
+
+              if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
+                await server.services.telemetry.sendPostHogEvents({
+                  event: PostHogEventTypes.SecretPulled,
+                  distinctId: getTelemetryDistinctId(req),
+                  properties: {
+                    numberOfSecrets: secretCountFromEnv,
+                    workspaceId: projectId,
+                    environment,
+                    secretPath,
+                    channel: getUserAgentType(req.headers["user-agent"]),
+                    ...req.auditLogInfo
+                  }
+                });
+              }
+            }
+          }
+        }
+      }
+
+      return {
+        folders,
+        dynamicSecrets,
+        secrets,
+        totalFolderCount,
+        totalDynamicSecretCount,
+        totalSecretCount,
+        totalCount: (totalFolderCount ?? 0) + (totalDynamicSecretCount ?? 0) + (totalSecretCount ?? 0)
+      };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/secrets-details",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      description: "List project secrets details",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        projectId: z.string().trim().describe(DASHBOARD.SECRET_DETAILS_LIST.projectId),
+        environment: z.string().trim().describe(DASHBOARD.SECRET_DETAILS_LIST.environment),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.secretPath),
+        offset: z.coerce.number().min(0).optional().default(0).describe(DASHBOARD.SECRET_DETAILS_LIST.offset),
+        limit: z.coerce.number().min(1).max(100).optional().default(100).describe(DASHBOARD.SECRET_DETAILS_LIST.limit),
+        orderBy: z
+          .nativeEnum(SecretsOrderBy)
+          .default(SecretsOrderBy.Name)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.orderBy)
+          .optional(),
+        orderDirection: z
+          .nativeEnum(OrderByDirection)
+          .default(OrderByDirection.ASC)
+          .describe(DASHBOARD.SECRET_DETAILS_LIST.orderDirection)
+          .optional(),
+        search: z.string().trim().describe(DASHBOARD.SECRET_DETAILS_LIST.search).optional(),
+        tags: z.string().trim().transform(decodeURIComponent).describe(DASHBOARD.SECRET_DETAILS_LIST.tags).optional(),
+        includeSecrets: booleanSchema.describe(DASHBOARD.SECRET_DETAILS_LIST.includeSecrets),
+        includeFolders: booleanSchema.describe(DASHBOARD.SECRET_DETAILS_LIST.includeFolders),
+        includeDynamicSecrets: booleanSchema.describe(DASHBOARD.SECRET_DETAILS_LIST.includeDynamicSecrets),
+        includeImports: booleanSchema.describe(DASHBOARD.SECRET_DETAILS_LIST.includeImports)
+      }),
+      response: {
+        200: z.object({
+          imports: SecretImportsSchema.omit({ importEnv: true })
+            .extend({
+              importEnv: z.object({ name: z.string(), slug: z.string(), id: z.string() })
+            })
+            .array()
+            .optional(),
+          folders: SecretFoldersSchema.array().optional(),
+          dynamicSecrets: SanitizedDynamicSecretSchema.array().optional(),
+          secrets: secretRawSchema
+            .extend({
+              secretPath: z.string().optional(),
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
+                .optional()
+            })
+            .array()
+            .optional(),
+          totalImportCount: z.number().optional(),
+          totalFolderCount: z.number().optional(),
+          totalDynamicSecretCount: z.number().optional(),
+          totalSecretCount: z.number().optional(),
+          totalCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const {
+        secretPath,
+        environment,
+        projectId,
+        limit,
+        offset,
+        search,
+        orderBy,
+        orderDirection,
+        includeFolders,
+        includeSecrets,
+        includeDynamicSecrets,
+        includeImports
+      } = req.query;
+
+      if (!projectId || !environment) throw new BadRequestError({ message: "Missing workspace id or environment" });
+
+      const { shouldUseSecretV2Bridge } = await server.services.projectBot.getBotKey(projectId);
+
+      // prevent older projects from accessing endpoint
+      if (!shouldUseSecretV2Bridge) throw new BadRequestError({ message: "Project version not supported" });
+
+      const tags = req.query.tags?.split(",") ?? [];
+
+      let remainingLimit = limit;
+      let adjustedOffset = offset;
+
+      let imports: Awaited<ReturnType<typeof server.services.secretImport.getImports>> | undefined;
+      let folders: Awaited<ReturnType<typeof server.services.folder.getFolders>> | undefined;
+      let secrets: Awaited<ReturnType<typeof server.services.secret.getSecretsRaw>>["secrets"] | undefined;
+      let dynamicSecrets: Awaited<ReturnType<typeof server.services.dynamicSecret.listDynamicSecretsByEnv>> | undefined;
+
+      let totalImportCount: number | undefined;
+      let totalFolderCount: number | undefined;
+      let totalDynamicSecretCount: number | undefined;
+      let totalSecretCount: number | undefined;
+
+      if (includeImports) {
+        totalImportCount = await server.services.secretImport.getProjectImportCount({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          projectId,
+          environment,
+          path: secretPath,
+          search
+        });
+
+        if (remainingLimit > 0 && totalImportCount > adjustedOffset) {
+          imports = await server.services.secretImport.getImports({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            environment,
+            path: secretPath,
+            search,
+            limit: remainingLimit,
+            offset: adjustedOffset
+          });
+
+          await server.services.auditLog.createAuditLog({
+            ...req.auditLogInfo,
+            projectId: req.query.projectId,
+            event: {
+              type: EventType.GET_SECRET_IMPORTS,
+              metadata: {
+                environment,
+                folderId: imports?.[0]?.folderId,
+                numberOfImports: imports.length
+              }
+            }
+          });
+
+          remainingLimit -= imports.length;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalImportCount);
+        }
+      }
+
+      if (includeFolders) {
+        totalFolderCount = await server.services.folder.getProjectFolderCount({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          projectId,
+          path: secretPath,
+          environments: [environment],
+          search
+        });
+
+        if (remainingLimit > 0 && totalFolderCount > adjustedOffset) {
+          folders = await server.services.folder.getFolders({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            environment,
+            path: secretPath,
+            orderBy,
+            orderDirection,
+            search,
+            limit: remainingLimit,
+            offset: adjustedOffset
+          });
+
+          remainingLimit -= folders.length;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalFolderCount);
+        }
+      }
+
+      try {
+        if (includeDynamicSecrets) {
+          totalDynamicSecretCount = await server.services.dynamicSecret.getDynamicSecretCount({
+            actor: req.permission.type,
+            actorId: req.permission.id,
+            actorAuthMethod: req.permission.authMethod,
+            actorOrgId: req.permission.orgId,
+            projectId,
+            search,
+            environmentSlug: environment,
+            path: secretPath
+          });
+
+          if (remainingLimit > 0 && totalDynamicSecretCount > adjustedOffset) {
+            dynamicSecrets = await server.services.dynamicSecret.listDynamicSecretsByEnv({
+              actor: req.permission.type,
+              actorId: req.permission.id,
+              actorAuthMethod: req.permission.authMethod,
+              actorOrgId: req.permission.orgId,
+              projectId,
+              search,
+              orderBy,
+              orderDirection,
+              environmentSlug: environment,
+              path: secretPath,
+              limit: remainingLimit,
+              offset: adjustedOffset
+            });
+
+            remainingLimit -= dynamicSecrets.length;
+            adjustedOffset = 0;
+          } else {
+            adjustedOffset = Math.max(0, adjustedOffset - totalDynamicSecretCount);
+          }
+        }
+
+        if (includeSecrets) {
+          totalSecretCount = await server.services.secret.getSecretsCount({
+            actorId: req.permission.id,
+            actor: req.permission.type,
+            actorOrgId: req.permission.orgId,
+            environment,
+            actorAuthMethod: req.permission.authMethod,
+            projectId,
+            path: secretPath,
+            search,
+            tagSlugs: tags
+          });
+
+          if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
+            const secretsRaw = await server.services.secret.getSecretsRaw({
+              actorId: req.permission.id,
+              actor: req.permission.type,
+              actorOrgId: req.permission.orgId,
+              environment,
+              actorAuthMethod: req.permission.authMethod,
+              projectId,
+              path: secretPath,
+              orderBy,
+              orderDirection,
+              search,
+              limit: remainingLimit,
+              offset: adjustedOffset,
+              tagSlugs: tags
+            });
+
+            secrets = secretsRaw.secrets;
+
+            await server.services.auditLog.createAuditLog({
+              projectId,
+              ...req.auditLogInfo,
+              event: {
+                type: EventType.GET_SECRETS,
+                metadata: {
+                  environment,
+                  secretPath,
+                  numberOfSecrets: secrets.length
+                }
+              }
+            });
+
+            if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
+              await server.services.telemetry.sendPostHogEvents({
+                event: PostHogEventTypes.SecretPulled,
+                distinctId: getTelemetryDistinctId(req),
+                properties: {
+                  numberOfSecrets: secrets.length,
+                  workspaceId: projectId,
+                  environment,
+                  secretPath,
+                  channel: getUserAgentType(req.headers["user-agent"]),
+                  ...req.auditLogInfo
+                }
+              });
+            }
+          }
+        }
+      } catch (error) {
+        if (!(error instanceof ForbiddenError)) {
+          throw error;
+        }
+      }
+
+      return {
+        imports,
+        folders,
+        dynamicSecrets,
+        secrets,
+        totalImportCount,
+        totalFolderCount,
+        totalDynamicSecretCount,
+        totalSecretCount,
+        totalCount:
+          (totalImportCount ?? 0) + (totalFolderCount ?? 0) + (totalDynamicSecretCount ?? 0) + (totalSecretCount ?? 0)
+      };
+    }
+  });
+};

backend/src/server/routes/v1/identity-azure-auth-router.ts

@@ -9,6 +9,8 @@ import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { validateAzureAuthField } from "@app/services/identity-azure-auth/identity-azure-auth-validators";
 
+import {} from "../sanitizedSchemas";
+
 export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",

backend/src/server/routes/v1/index.ts

@@ -1,3 +1,5 @@
+import { registerDashboardRouter } from "@app/server/routes/v1/dashboard-router";
+
 import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
 import { registerProjectBotRouter } from "./bot-router";
@@ -101,4 +103,6 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
   await server.register(registerIdentityRouter, { prefix: "/identities" });
   await server.register(registerSecretSharingRouter, { prefix: "/secret-sharing" });
   await server.register(registerUserEngagementRouter, { prefix: "/user-engagement" });
+
+  await server.register(registerDashboardRouter, { prefix: "/dashboard" });
 };

backend/src/server/routes/v1/integration-router.ts

@@ -4,13 +4,15 @@ import { IntegrationsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { INTEGRATION } from "@app/lib/api-docs";
 import { removeTrailingSlash, shake } from "@app/lib/fn";
-import { writeLimit } from "@app/server/config/rateLimiter";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { IntegrationMetadataSchema } from "@app/services/integration/integration-schema";
 import { PostHogEventTypes, TIntegrationCreatedEvent } from "@app/services/telemetry/telemetry-types";
 
+import {} from "../sanitizedSchemas";
+
 export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
@@ -154,6 +156,48 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/:integrationId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get an integration by integration id",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        integrationId: z.string().trim().describe(INTEGRATION.UPDATE.integrationId)
+      }),
+      response: {
+        200: z.object({
+          integration: IntegrationsSchema.extend({
+            environment: z.object({
+              slug: z.string().trim(),
+              name: z.string().trim(),
+              id: z.string().trim()
+            })
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const integration = await server.services.integration.getIntegration({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.integrationId
+      });
+
+      return { integration };
+    }
+  });
+
   server.route({
     method: "DELETE",
     url: "/:integrationId",

backend/src/server/routes/v1/organization-router.ts

@@ -11,10 +11,12 @@ import {
 } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { AUDIT_LOGS, ORGANIZATIONS } from "@app/lib/api-docs";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
 import { getLastMidnightDateISO } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
+import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 
 export const registerOrgRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -74,8 +76,36 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     schema: {
       description: "Get all audit logs for an organization",
       querystring: z.object({
-        eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
+        projectId: z.string().optional().describe(AUDIT_LOGS.EXPORT.projectId),
+        actorType: z.nativeEnum(ActorType).optional(),
+        // eventType is split with , for multiple values, we need to transform it to array
+        eventType: z
+          .string()
+          .optional()
+          .transform((val) => (val ? val.split(",") : undefined)),
         userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
+        eventMetadata: z
+          .string()
+          .optional()
+          .transform((val) => {
+            if (!val) {
+              return undefined;
+            }
+
+            const pairs = val.split(",");
+
+            return pairs.reduce(
+              (acc, pair) => {
+                const [key, value] = pair.split("=");
+                if (key && value) {
+                  acc[key] = value;
+                }
+                return acc;
+              },
+              {} as Record<string, string>
+            );
+          })
+          .describe(AUDIT_LOGS.EXPORT.eventMetadata),
         startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
         endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
         offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
@@ -93,10 +123,12 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
           })
             .merge(
               z.object({
-                project: z.object({
-                  name: z.string(),
-                  slug: z.string()
-                }),
+                project: z
+                  .object({
+                    name: z.string(),
+                    slug: z.string()
+                  })
+                  .optional(),
                 event: z.object({
                   type: z.string(),
                   metadata: z.any()
@@ -113,14 +145,25 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
+      const appCfg = getConfig();
+      if (appCfg.isCloud) {
+        throw new BadRequestError({ message: "Infisical cloud audit log is in maintenance mode." });
+      }
+
       const auditLogs = await server.services.auditLog.listAuditLogs({
+        filter: {
+          ...req.query,
+          endDate: req.query.endDate,
+          projectId: req.query.projectId,
+          startDate: req.query.startDate || getLastMidnightDateISO(),
+          auditLogActorId: req.query.actor,
+          actorType: req.query.actorType,
+          eventType: req.query.eventType as EventType[] | undefined
+        },
+
         actorId: req.permission.id,
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
-        ...req.query,
-        endDate: req.query.endDate,
-        startDate: req.query.startDate || getLastMidnightDateISO(),
-        auditLogActor: req.query.actor,
         actor: req.permission.type
       });
       return { auditLogs };

backend/src/server/routes/v1/secret-folder-router.ts

@@ -3,7 +3,7 @@ import { z } from "zod";
 import { SecretFoldersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { FOLDERS } from "@app/lib/api-docs";
-import { removeTrailingSlash } from "@app/lib/fn";
+import { prefixWithSlash, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -26,9 +26,21 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
         workspaceId: z.string().trim().describe(FOLDERS.CREATE.workspaceId),
         environment: z.string().trim().describe(FOLDERS.CREATE.environment),
         name: z.string().trim().describe(FOLDERS.CREATE.name),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.path),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.CREATE.path),
         // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.directory)
+        directory: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.CREATE.directory)
       }),
       response: {
         200: z.object({
@@ -86,9 +98,21 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
         workspaceId: z.string().trim().describe(FOLDERS.UPDATE.workspaceId),
         environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
         name: z.string().trim().describe(FOLDERS.UPDATE.name),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.UPDATE.path),
         // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.directory)
+        directory: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.UPDATE.directory)
       }),
       response: {
         200: z.object({
@@ -147,7 +171,13 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
             id: z.string().describe(FOLDERS.UPDATE.folderId),
             environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
             name: z.string().trim().describe(FOLDERS.UPDATE.name),
-            path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path)
+            path: z
+              .string()
+              .trim()
+              .default("/")
+              .transform(prefixWithSlash)
+              .transform(removeTrailingSlash)
+              .describe(FOLDERS.UPDATE.path)
           })
           .array()
           .min(1)
@@ -211,9 +241,21 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       body: z.object({
         workspaceId: z.string().trim().describe(FOLDERS.DELETE.workspaceId),
         environment: z.string().trim().describe(FOLDERS.DELETE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.path),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.DELETE.path),
         // keep this here as cli need directory
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.directory)
+        directory: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.DELETE.directory)
       }),
       response: {
         200: z.object({
@@ -267,9 +309,21 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       querystring: z.object({
         workspaceId: z.string().trim().describe(FOLDERS.LIST.workspaceId),
         environment: z.string().trim().describe(FOLDERS.LIST.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.path),
+        path: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.LIST.path),
         // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.directory)
+        directory: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(prefixWithSlash)
+          .transform(removeTrailingSlash)
+          .describe(FOLDERS.LIST.directory)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/sso-router.ts

@@ -14,7 +14,7 @@ import { Strategy as GoogleStrategy } from "passport-google-oauth20";
 import { z } from "zod";
 
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { fetchGithubEmails } from "@app/lib/requests/github";
 import { AuthMethod } from "@app/services/auth/auth-type";
@@ -42,9 +42,9 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
           try {
             const email = profile?.emails?.[0]?.value;
             if (!email)
-              throw new BadRequestError({
+              throw new NotFoundError({
                 message: "Email not found",
-                name: "Oauth Google Register"
+                name: "OauthGoogleRegister"
               });
 
             const { isUserCompleted, providerAuthToken } = await server.services.login.oauth2Login({

backend/src/server/routes/v2/group-project-router.ts

@@ -8,6 +8,7 @@ import {
   ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
 import { PROJECTS } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
@@ -15,8 +16,11 @@ import { ProjectUserMembershipTemporaryMode } from "@app/services/project-member
 export const registerGroupProjectRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
-    url: "/:projectSlug/groups/:groupSlug",
+    url: "/:projectId/groups/:groupId",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    config: {
+      rateLimit: writeLimit
+    },
     schema: {
       description: "Add group to project",
       security: [
@@ -25,17 +29,39 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
         }
       ],
       params: z.object({
-        projectSlug: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.projectSlug),
-        groupSlug: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.groupSlug)
-      }),
-      body: z.object({
-        role: z
-          .string()
-          .trim()
-          .min(1)
-          .default(ProjectMembershipRole.NoAccess)
-          .describe(PROJECTS.ADD_GROUP_TO_PROJECT.role)
+        projectId: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.projectId),
+        groupId: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.groupId)
       }),
+      body: z
+        .object({
+          role: z
+            .string()
+            .trim()
+            .min(1)
+            .default(ProjectMembershipRole.NoAccess)
+            .describe(PROJECTS.ADD_GROUP_TO_PROJECT.role),
+          roles: z
+            .array(
+              z.union([
+                z.object({
+                  role: z.string(),
+                  isTemporary: z.literal(false).default(false)
+                }),
+                z.object({
+                  role: z.string(),
+                  isTemporary: z.literal(true),
+                  temporaryMode: z.nativeEnum(ProjectUserMembershipTemporaryMode),
+                  temporaryRange: z.string().refine((val) => ms(val) > 0, "Temporary range must be a positive number"),
+                  temporaryAccessStartTime: z.string().datetime()
+                })
+              ])
+            )
+            .optional()
+        })
+        .refine((data) => data.role || data.roles, {
+          message: "Either role or roles must be present",
+          path: ["role", "roles"]
+        }),
       response: {
         200: z.object({
           groupMembership: GroupProjectMembershipsSchema
@@ -48,17 +74,18 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        groupSlug: req.params.groupSlug,
-        projectSlug: req.params.projectSlug,
-        role: req.body.role
+        roles: req.body.roles || [{ role: req.body.role }],
+        projectId: req.params.projectId,
+        groupId: req.params.groupId
       });
+
       return { groupMembership };
     }
   });
 
   server.route({
     method: "PATCH",
-    url: "/:projectSlug/groups/:groupSlug",
+    url: "/:projectId/groups/:groupId",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
       description: "Update group in project",
@@ -68,8 +95,8 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
         }
       ],
       params: z.object({
-        projectSlug: z.string().trim().describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.projectSlug),
-        groupSlug: z.string().trim().describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.groupSlug)
+        projectId: z.string().trim().describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.projectId),
+        groupId: z.string().trim().describe(PROJECTS.UPDATE_GROUP_IN_PROJECT.groupId)
       }),
       body: z.object({
         roles: z
@@ -103,18 +130,22 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        groupSlug: req.params.groupSlug,
-        projectSlug: req.params.projectSlug,
+        projectId: req.params.projectId,
+        groupId: req.params.groupId,
         roles: req.body.roles
       });
+
       return { roles };
     }
   });
 
   server.route({
     method: "DELETE",
-    url: "/:projectSlug/groups/:groupSlug",
+    url: "/:projectId/groups/:groupId",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    config: {
+      rateLimit: writeLimit
+    },
     schema: {
       description: "Remove group from project",
       security: [
@@ -123,8 +154,8 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
         }
       ],
       params: z.object({
-        projectSlug: z.string().trim().describe(PROJECTS.REMOVE_GROUP_FROM_PROJECT.projectSlug),
-        groupSlug: z.string().trim().describe(PROJECTS.REMOVE_GROUP_FROM_PROJECT.groupSlug)
+        projectId: z.string().trim().describe(PROJECTS.REMOVE_GROUP_FROM_PROJECT.projectId),
+        groupId: z.string().trim().describe(PROJECTS.REMOVE_GROUP_FROM_PROJECT.groupId)
       }),
       response: {
         200: z.object({
@@ -138,17 +169,21 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        groupSlug: req.params.groupSlug,
-        projectSlug: req.params.projectSlug
+        groupId: req.params.groupId,
+        projectId: req.params.projectId
       });
+
       return { groupMembership };
     }
   });
 
   server.route({
     method: "GET",
-    url: "/:projectSlug/groups",
+    url: "/:projectId/groups",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    config: {
+      rateLimit: readLimit
+    },
     schema: {
       description: "Return list of groups in project",
       security: [
@@ -157,7 +192,7 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
         }
       ],
       params: z.object({
-        projectSlug: z.string().trim().describe(PROJECTS.LIST_GROUPS_IN_PROJECT.projectSlug)
+        projectId: z.string().trim().describe(PROJECTS.LIST_GROUPS_IN_PROJECT.projectId)
       }),
       response: {
         200: z.object({
@@ -193,9 +228,67 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        projectSlug: req.params.projectSlug
+        projectId: req.params.projectId
       });
+
       return { groupMemberships };
     }
   });
+
+  server.route({
+    method: "GET",
+    url: "/:projectId/groups/:groupId",
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Return project group",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        projectId: z.string().trim(),
+        groupId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          groupMembership: z.object({
+            id: z.string(),
+            groupId: z.string(),
+            createdAt: z.date(),
+            updatedAt: z.date(),
+            roles: z.array(
+              z.object({
+                id: z.string(),
+                role: z.string(),
+                customRoleId: z.string().optional().nullable(),
+                customRoleName: z.string().optional().nullable(),
+                customRoleSlug: z.string().optional().nullable(),
+                isTemporary: z.boolean(),
+                temporaryMode: z.string().optional().nullable(),
+                temporaryRange: z.string().nullable().optional(),
+                temporaryAccessStartTime: z.date().nullable().optional(),
+                temporaryAccessEndTime: z.date().nullable().optional()
+              })
+            ),
+            group: GroupsSchema.pick({ name: true, id: true, slug: true })
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const groupMembership = await server.services.groupProject.getGroupInProject({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      return { groupMembership };
+    }
+  });
 };

backend/src/server/routes/v2/organization-router.ts

@@ -69,7 +69,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       rateLimit: readLimit
     },
     schema: {
-      description: "Return projects in organization that user is part of",
+      description: "Return projects in organization that user is apart of",
       security: [
         {
           bearerAuth: []

backend/src/server/routes/v3/external-migration-router.ts

@@ -0,0 +1,35 @@
+import { z } from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerExternalMigrationRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/env-key",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      body: z.object({
+        decryptionKey: z.string().trim().min(1),
+        encryptedJson: z.object({
+          nonce: z.string().trim().min(1),
+          data: z.string().trim().min(1)
+        })
+      })
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      await server.services.migration.importEnvKeyData({
+        decryptionKey: req.body.decryptionKey,
+        encryptedJson: req.body.encryptedJson,
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+    }
+  });
+};

backend/src/server/routes/v3/index.ts

@@ -1,3 +1,4 @@
+import { registerExternalMigrationRouter } from "./external-migration-router";
 import { registerLoginRouter } from "./login-router";
 import { registerSecretBlindIndexRouter } from "./secret-blind-index-router";
 import { registerSecretRouter } from "./secret-router";
@@ -10,4 +11,5 @@ export const registerV3Routes = async (server: FastifyZodProvider) => {
   await server.register(registerUserRouter, { prefix: "/users" });
   await server.register(registerSecretRouter, { prefix: "/secrets" });
   await server.register(registerSecretBlindIndexRouter, { prefix: "/workspaces" });
+  await server.register(registerExternalMigrationRouter, { prefix: "/migrate" });
 };

backend/src/server/routes/v3/secret-router.ts

@@ -10,7 +10,7 @@ import {
 } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { RAW_SECRETS, SECRETS } from "@app/lib/api-docs";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { secretsLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@@ -240,7 +240,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           actorOrgId: req.permission.orgId
         });
 
-        if (!workspace) throw new BadRequestError({ message: `No project found with slug ${req.query.workspaceSlug}` });
+        if (!workspace) throw new NotFoundError({ message: `No project found with slug ${req.query.workspaceSlug}` });
 
         workspaceId = workspace.id;
       }

backend/src/server/routes/v3/signup-router.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
+import { ForbiddenRequestError } from "@app/lib/errors";
 import { authRateLimit } from "@app/server/config/rateLimiter";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
@@ -29,8 +29,8 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
 
       const serverCfg = await getServerCfg();
       if (!serverCfg.allowSignUp) {
-        throw new BadRequestError({
-          message: "Sign up is disabled"
+        throw new ForbiddenRequestError({
+          message: "Signup's are disabled"
         });
       }
 
@@ -38,7 +38,7 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
         const domain = email.split("@")[1];
         const allowedDomains = serverCfg.allowedSignUpDomain.split(",").map((e) => e.trim());
         if (!allowedDomains.includes(domain)) {
-          throw new BadRequestError({
+          throw new ForbiddenRequestError({
             message: `Email with a domain (@${domain}) is not supported`
           });
         }
@@ -70,13 +70,13 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
     handler: async (req) => {
       const serverCfg = await getServerCfg();
       if (!serverCfg.allowSignUp) {
-        throw new BadRequestError({
-          message: "Sign up is disabled"
+        throw new ForbiddenRequestError({
+          message: "Signup's are disabled"
         });
       }
 
       const { token, user } = await server.services.signup.verifyEmailSignup(req.body.email, req.body.code);
-      return { message: "Successfuly verified email", token, user };
+      return { message: "Successfully verified email", token, user };
     }
   });
 
@@ -121,8 +121,8 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
 
       const serverCfg = await getServerCfg();
       if (!serverCfg.allowSignUp) {
-        throw new BadRequestError({
-          message: "Sign up is disabled"
+        throw new ForbiddenRequestError({
+          message: "Signup's are disabled"
         });
       }
 

backend/src/services/api-key/api-key-service.ts

@@ -4,7 +4,7 @@ import bcrypt from "bcrypt";
 
 import { TApiKeys } from "@app/db/schemas/api-keys";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { NotFoundError, UnauthorizedError } from "@app/lib/errors";
 
 import { TUserDALFactory } from "../user/user-dal";
 import { TApiKeyDALFactory } from "./api-key-dal";
@@ -45,7 +45,7 @@ export const apiKeyServiceFactory = ({ apiKeyDAL, userDAL }: TApiKeyServiceFacto
 
   const deleteApiKey = async (userId: string, apiKeyId: string) => {
     const [apiKeyData] = await apiKeyDAL.delete({ id: apiKeyId, userId });
-    if (!apiKeyData) throw new BadRequestError({ message: "Failed to find api key", name: "delete api key" });
+    if (!apiKeyData) throw new NotFoundError({ message: "API key not found" });
     return formatApiKey(apiKeyData);
   };