Merge pull request #3575 from akhilmhdh/fix/octokit

feat: resolved esm error in octokit

Dockerfile.fips.standalone-infisical

@@ -171,6 +171,7 @@ ENV NODE_ENV production
 ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
+ENV NODE_OPTIONS="--max-old-space-size=1024"
 
 WORKDIR /backend
 

Dockerfile.standalone-infisical

@@ -168,6 +168,7 @@ ENV HTTPS_ENABLED false
 ENV NODE_ENV production
 ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
+ENV NODE_OPTIONS="--max-old-space-size=1024"
 
 WORKDIR /backend
 

backend/e2e-test/mocks/keystore.ts

@@ -1,4 +1,8 @@
+import RE2 from "re2";
+
 import { TKeyStoreFactory } from "@app/keystore/keystore";
+import { applyJitter } from "@app/lib/dates";
+import { delay as delayMs } from "@app/lib/delay";
 import { Lock } from "@app/lib/red-lock";
 
 export const mockKeyStore = (): TKeyStoreFactory => {
@@ -18,6 +22,27 @@ export const mockKeyStore = (): TKeyStoreFactory => {
       delete store[key];
       return 1;
     },
+    deleteItems: async ({ pattern, batchSize = 500, delay = 1500, jitter = 200 }) => {
+      const regex = new RE2(`^${pattern.replace(/[-[\]/{}()+?.\\^$|]/g, "\\$&").replace(/\*/g, ".*")}$`);
+      let totalDeleted = 0;
+      const keys = Object.keys(store);
+
+      for (let i = 0; i < keys.length; i += batchSize) {
+        const batch = keys.slice(i, i + batchSize);
+
+        for (const key of batch) {
+          if (regex.test(key)) {
+            delete store[key];
+            totalDeleted += 1;
+          }
+        }
+
+        // eslint-disable-next-line no-await-in-loop
+        await delayMs(Math.max(0, applyJitter(delay, jitter)));
+      }
+
+      return totalDeleted;
+    },
     getItem: async (key) => {
       const value = store[key];
       if (typeof value === "string") {

backend/package-lock.json

@@ -33,7 +33,8 @@
         "@infisical/quic": "^1.0.8",
         "@node-saml/passport-saml": "^5.0.1",
         "@octokit/auth-app": "^7.1.1",
-        "@octokit/plugin-paginate-graphql": "^5.2.4",
+        "@octokit/core": "^5.2.1",
+        "@octokit/plugin-paginate-graphql": "^4.0.1",
         "@octokit/plugin-retry": "^5.0.5",
         "@octokit/rest": "^20.0.2",
         "@octokit/webhooks-types": "^7.3.1",
@@ -7805,119 +7806,38 @@
       }
     },
     "node_modules/@octokit/core": {
-      "version": "6.1.5",
-      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-6.1.5.tgz",
-      "integrity": "sha512-vvmsN0r7rguA+FySiCsbaTTobSftpIDIpPW81trAmsv9TGxg3YCujAxRYp/Uy8xmDgYCzzgulG62H7KYUFmeIg==",
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.1.tgz",
+      "integrity": "sha512-dKYCMuPO1bmrpuogcjQ8z7ICCH3FP6WmxpwC03yjzGfZhj9fTJg6+bS1+UAplekbN2C+M61UNllGOOoAfGCrdQ==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
-        "@octokit/auth-token": "^5.0.0",
-        "@octokit/graphql": "^8.2.2",
-        "@octokit/request": "^9.2.3",
-        "@octokit/request-error": "^6.1.8",
-        "@octokit/types": "^14.0.0",
-        "before-after-hook": "^3.0.2",
-        "universal-user-agent": "^7.0.0"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
-    "node_modules/@octokit/core/node_modules/@octokit/auth-token": {
-      "version": "5.1.2",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-5.1.2.tgz",
-      "integrity": "sha512-JcQDsBdg49Yky2w2ld20IHAlwr8d/d8N6NiOXbtuoPCqzbsiJgF633mVUw3x4mo0H5ypataQIX7SFu3yy44Mpw==",
-      "license": "MIT",
-      "peer": true,
-      "engines": {
-        "node": ">= 18"
-      }
-    },
-    "node_modules/@octokit/core/node_modules/@octokit/endpoint": {
-      "version": "10.1.4",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.4.tgz",
-      "integrity": "sha512-OlYOlZIsfEVZm5HCSR8aSg02T2lbUWOsCQoPKfTXJwDzcHQBrVBGdGXb89dv2Kw2ToZaRtudp8O3ZIYoaOjKlA==",
-      "license": "MIT",
-      "peer": true,
-      "dependencies": {
-        "@octokit/types": "^14.0.0",
-        "universal-user-agent": "^7.0.2"
+        "@octokit/auth-token": "^4.0.0",
+        "@octokit/graphql": "^7.1.0",
+        "@octokit/request": "^8.4.1",
+        "@octokit/request-error": "^5.1.1",
+        "@octokit/types": "^13.0.0",
+        "before-after-hook": "^2.2.0",
+        "universal-user-agent": "^6.0.0"
       },
       "engines": {
         "node": ">= 18"
       }
     },
     "node_modules/@octokit/core/node_modules/@octokit/openapi-types": {
-      "version": "25.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-25.0.0.tgz",
-      "integrity": "sha512-FZvktFu7HfOIJf2BScLKIEYjDsw6RKc7rBJCdvCTfKsVnx2GEB/Nbzjr29DUdb7vQhlzS/j8qDzdditP0OC6aw==",
-      "license": "MIT",
-      "peer": true
-    },
-    "node_modules/@octokit/core/node_modules/@octokit/request": {
-      "version": "9.2.3",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-9.2.3.tgz",
-      "integrity": "sha512-Ma+pZU8PXLOEYzsWf0cn/gY+ME57Wq8f49WTXA8FMHp2Ps9djKw//xYJ1je8Hm0pR2lU9FUGeJRWOtxq6olt4w==",
-      "license": "MIT",
-      "peer": true,
-      "dependencies": {
-        "@octokit/endpoint": "^10.1.4",
-        "@octokit/request-error": "^6.1.8",
-        "@octokit/types": "^14.0.0",
-        "fast-content-type-parse": "^2.0.0",
-        "universal-user-agent": "^7.0.2"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
-    "node_modules/@octokit/core/node_modules/@octokit/request-error": {
-      "version": "6.1.8",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-6.1.8.tgz",
-      "integrity": "sha512-WEi/R0Jmq+IJKydWlKDmryPcmdYSVjL3ekaiEL1L9eo1sUnqMJ+grqmC9cjk7CA7+b2/T397tO5d8YLOH3qYpQ==",
-      "license": "MIT",
-      "peer": true,
-      "dependencies": {
-        "@octokit/types": "^14.0.0"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "license": "MIT"
     },
     "node_modules/@octokit/core/node_modules/@octokit/types": {
-      "version": "14.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-14.0.0.tgz",
-      "integrity": "sha512-VVmZP0lEhbo2O1pdq63gZFiGCKkm8PPp8AUOijlwPO6hojEVjspA0MWKP7E4hbvGxzFKNqKr6p0IYtOH/Wf/zA==",
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
-        "@octokit/openapi-types": "^25.0.0"
+        "@octokit/openapi-types": "^24.2.0"
       }
     },
-    "node_modules/@octokit/core/node_modules/fast-content-type-parse": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/fast-content-type-parse/-/fast-content-type-parse-2.0.1.tgz",
-      "integrity": "sha512-nGqtvLrj5w0naR6tDPfB4cUmYCqouzyQiz6C5y/LtcDllJdrcc6WaWW6iXyIIOErTa/XRybj28aasdn4LkVk6Q==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/fastify"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/fastify"
-        }
-      ],
-      "license": "MIT",
-      "peer": true
-    },
-    "node_modules/@octokit/core/node_modules/universal-user-agent": {
-      "version": "7.0.2",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
-      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q==",
-      "license": "ISC",
-      "peer": true
-    },
     "node_modules/@octokit/endpoint": {
       "version": "9.0.6",
       "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.6.tgz",
@@ -7947,105 +7867,34 @@
       }
     },
     "node_modules/@octokit/graphql": {
-      "version": "8.2.2",
-      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-8.2.2.tgz",
-      "integrity": "sha512-Yi8hcoqsrXGdt0yObxbebHXFOiUA+2v3n53epuOg1QUgOB6c4XzvisBNVXJSl8RYA5KrDuSL2yq9Qmqe5N0ryA==",
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-7.1.1.tgz",
+      "integrity": "sha512-3mkDltSfcDUoa176nlGoA32RGjeWjl3K7F/BwHwRMJUW/IteSa4bnSV8p2ThNkcIcZU2umkZWxwETSSCJf2Q7g==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
-        "@octokit/request": "^9.2.3",
-        "@octokit/types": "^14.0.0",
-        "universal-user-agent": "^7.0.0"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
-    "node_modules/@octokit/graphql/node_modules/@octokit/endpoint": {
-      "version": "10.1.4",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.4.tgz",
-      "integrity": "sha512-OlYOlZIsfEVZm5HCSR8aSg02T2lbUWOsCQoPKfTXJwDzcHQBrVBGdGXb89dv2Kw2ToZaRtudp8O3ZIYoaOjKlA==",
-      "license": "MIT",
-      "peer": true,
-      "dependencies": {
-        "@octokit/types": "^14.0.0",
-        "universal-user-agent": "^7.0.2"
+        "@octokit/request": "^8.4.1",
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^6.0.0"
       },
       "engines": {
         "node": ">= 18"
       }
     },
     "node_modules/@octokit/graphql/node_modules/@octokit/openapi-types": {
-      "version": "25.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-25.0.0.tgz",
-      "integrity": "sha512-FZvktFu7HfOIJf2BScLKIEYjDsw6RKc7rBJCdvCTfKsVnx2GEB/Nbzjr29DUdb7vQhlzS/j8qDzdditP0OC6aw==",
-      "license": "MIT",
-      "peer": true
-    },
-    "node_modules/@octokit/graphql/node_modules/@octokit/request": {
-      "version": "9.2.3",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-9.2.3.tgz",
-      "integrity": "sha512-Ma+pZU8PXLOEYzsWf0cn/gY+ME57Wq8f49WTXA8FMHp2Ps9djKw//xYJ1je8Hm0pR2lU9FUGeJRWOtxq6olt4w==",
-      "license": "MIT",
-      "peer": true,
-      "dependencies": {
-        "@octokit/endpoint": "^10.1.4",
-        "@octokit/request-error": "^6.1.8",
-        "@octokit/types": "^14.0.0",
-        "fast-content-type-parse": "^2.0.0",
-        "universal-user-agent": "^7.0.2"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
-    "node_modules/@octokit/graphql/node_modules/@octokit/request-error": {
-      "version": "6.1.8",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-6.1.8.tgz",
-      "integrity": "sha512-WEi/R0Jmq+IJKydWlKDmryPcmdYSVjL3ekaiEL1L9eo1sUnqMJ+grqmC9cjk7CA7+b2/T397tO5d8YLOH3qYpQ==",
-      "license": "MIT",
-      "peer": true,
-      "dependencies": {
-        "@octokit/types": "^14.0.0"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "license": "MIT"
     },
     "node_modules/@octokit/graphql/node_modules/@octokit/types": {
-      "version": "14.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-14.0.0.tgz",
-      "integrity": "sha512-VVmZP0lEhbo2O1pdq63gZFiGCKkm8PPp8AUOijlwPO6hojEVjspA0MWKP7E4hbvGxzFKNqKr6p0IYtOH/Wf/zA==",
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
-        "@octokit/openapi-types": "^25.0.0"
+        "@octokit/openapi-types": "^24.2.0"
       }
     },
-    "node_modules/@octokit/graphql/node_modules/fast-content-type-parse": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/fast-content-type-parse/-/fast-content-type-parse-2.0.1.tgz",
-      "integrity": "sha512-nGqtvLrj5w0naR6tDPfB4cUmYCqouzyQiz6C5y/LtcDllJdrcc6WaWW6iXyIIOErTa/XRybj28aasdn4LkVk6Q==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/fastify"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/fastify"
-        }
-      ],
-      "license": "MIT",
-      "peer": true
-    },
-    "node_modules/@octokit/graphql/node_modules/universal-user-agent": {
-      "version": "7.0.2",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
-      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q==",
-      "license": "ISC",
-      "peer": true
-    },
     "node_modules/@octokit/oauth-authorization-url": {
       "version": "7.1.1",
       "resolved": "https://registry.npmjs.org/@octokit/oauth-authorization-url/-/oauth-authorization-url-7.1.1.tgz",
@@ -8141,15 +7990,15 @@
       }
     },
     "node_modules/@octokit/plugin-paginate-graphql": {
-      "version": "5.2.4",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-graphql/-/plugin-paginate-graphql-5.2.4.tgz",
-      "integrity": "sha512-pLZES1jWaOynXKHOqdnwZ5ULeVR6tVVCMm+AUbp0htdcyXDU95WbkYdU4R2ej1wKj5Tu94Mee2Ne0PjPO9cCyA==",
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-graphql/-/plugin-paginate-graphql-4.0.1.tgz",
+      "integrity": "sha512-R8ZQNmrIKKpHWC6V2gum4x9LG2qF1RxRjo27gjQcG3j+vf2tLsEfE7I/wRWEPzYMaenr1M+qDAtNcwZve1ce1A==",
       "license": "MIT",
       "engines": {
         "node": ">= 18"
       },
       "peerDependencies": {
-        "@octokit/core": ">=6"
+        "@octokit/core": ">=5"
       }
     },
     "node_modules/@octokit/plugin-paginate-rest": {
@@ -8302,59 +8151,6 @@
         "node": ">= 18"
       }
     },
-    "node_modules/@octokit/rest/node_modules/@octokit/core": {
-      "version": "5.2.1",
-      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.1.tgz",
-      "integrity": "sha512-dKYCMuPO1bmrpuogcjQ8z7ICCH3FP6WmxpwC03yjzGfZhj9fTJg6+bS1+UAplekbN2C+M61UNllGOOoAfGCrdQ==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/auth-token": "^4.0.0",
-        "@octokit/graphql": "^7.1.0",
-        "@octokit/request": "^8.4.1",
-        "@octokit/request-error": "^5.1.1",
-        "@octokit/types": "^13.0.0",
-        "before-after-hook": "^2.2.0",
-        "universal-user-agent": "^6.0.0"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
-    "node_modules/@octokit/rest/node_modules/@octokit/graphql": {
-      "version": "7.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-7.1.1.tgz",
-      "integrity": "sha512-3mkDltSfcDUoa176nlGoA32RGjeWjl3K7F/BwHwRMJUW/IteSa4bnSV8p2ThNkcIcZU2umkZWxwETSSCJf2Q7g==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/request": "^8.4.1",
-        "@octokit/types": "^13.0.0",
-        "universal-user-agent": "^6.0.0"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
-    "node_modules/@octokit/rest/node_modules/@octokit/openapi-types": {
-      "version": "24.2.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
-      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
-      "license": "MIT"
-    },
-    "node_modules/@octokit/rest/node_modules/@octokit/types": {
-      "version": "13.10.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
-      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/openapi-types": "^24.2.0"
-      }
-    },
-    "node_modules/@octokit/rest/node_modules/before-after-hook": {
-      "version": "2.2.3",
-      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz",
-      "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==",
-      "license": "Apache-2.0"
-    },
     "node_modules/@octokit/types": {
       "version": "12.4.0",
       "resolved": "https://registry.npmjs.org/@octokit/types/-/types-12.4.0.tgz",
@@ -12799,11 +12595,10 @@
       "integrity": "sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ=="
     },
     "node_modules/before-after-hook": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-3.0.2.tgz",
-      "integrity": "sha512-Nik3Sc0ncrMK4UUdXQmAnRtzmNQTAAXmXIopizwZ1W1t8QmfJj+zL4OA2I7XPTPW5z5TDqv4hRo/JzouDJnX3A==",
-      "license": "Apache-2.0",
-      "peer": true
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz",
+      "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==",
+      "license": "Apache-2.0"
     },
     "node_modules/big-integer": {
       "version": "1.6.52",
@@ -21602,62 +21397,6 @@
         "node": ">=18"
       }
     },
-    "node_modules/probot/node_modules/@octokit/core": {
-      "version": "5.2.1",
-      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.1.tgz",
-      "integrity": "sha512-dKYCMuPO1bmrpuogcjQ8z7ICCH3FP6WmxpwC03yjzGfZhj9fTJg6+bS1+UAplekbN2C+M61UNllGOOoAfGCrdQ==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/auth-token": "^4.0.0",
-        "@octokit/graphql": "^7.1.0",
-        "@octokit/request": "^8.4.1",
-        "@octokit/request-error": "^5.1.1",
-        "@octokit/types": "^13.0.0",
-        "before-after-hook": "^2.2.0",
-        "universal-user-agent": "^6.0.0"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
-    "node_modules/probot/node_modules/@octokit/core/node_modules/@octokit/types": {
-      "version": "13.10.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
-      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/openapi-types": "^24.2.0"
-      }
-    },
-    "node_modules/probot/node_modules/@octokit/graphql": {
-      "version": "7.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-7.1.1.tgz",
-      "integrity": "sha512-3mkDltSfcDUoa176nlGoA32RGjeWjl3K7F/BwHwRMJUW/IteSa4bnSV8p2ThNkcIcZU2umkZWxwETSSCJf2Q7g==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/request": "^8.4.1",
-        "@octokit/types": "^13.0.0",
-        "universal-user-agent": "^6.0.0"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
-    "node_modules/probot/node_modules/@octokit/graphql/node_modules/@octokit/types": {
-      "version": "13.10.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
-      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/openapi-types": "^24.2.0"
-      }
-    },
-    "node_modules/probot/node_modules/@octokit/openapi-types": {
-      "version": "24.2.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
-      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
-      "license": "MIT"
-    },
     "node_modules/probot/node_modules/@octokit/plugin-retry": {
       "version": "6.0.1",
       "resolved": "https://registry.npmjs.org/@octokit/plugin-retry/-/plugin-retry-6.0.1.tgz",
@@ -21690,12 +21429,6 @@
         "@octokit/core": "^5.0.0"
       }
     },
-    "node_modules/probot/node_modules/before-after-hook": {
-      "version": "2.2.3",
-      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz",
-      "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==",
-      "license": "Apache-2.0"
-    },
     "node_modules/probot/node_modules/commander": {
       "version": "12.1.0",
       "resolved": "https://registry.npmjs.org/commander/-/commander-12.1.0.tgz",

backend/package.json

@@ -152,7 +152,8 @@
     "@infisical/quic": "^1.0.8",
     "@node-saml/passport-saml": "^5.0.1",
     "@octokit/auth-app": "^7.1.1",
-    "@octokit/plugin-paginate-graphql": "^5.2.4",
+    "@octokit/core": "^5.2.1",
+    "@octokit/plugin-paginate-graphql": "^4.0.1",
     "@octokit/plugin-retry": "^5.0.5",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",

backend/src/@types/fastify.d.ts

@@ -66,6 +66,8 @@ import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-a
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { TIdentityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
+import { TIdentityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
+import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
@@ -146,6 +148,13 @@ declare module "fastify" {
       providerAuthToken: string;
       externalProviderAccessToken?: string;
     };
+    passportMachineIdentity: {
+      identityId: string;
+      user: {
+        uid: string;
+        mail?: string;
+      };
+    };
     kmipUser: {
       projectId: string;
       clientId: string;
@@ -153,7 +162,9 @@ declare module "fastify" {
     };
     auditLogInfo: Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
     ssoConfig: Awaited<ReturnType<TSamlConfigServiceFactory["getSaml"]>>;
-    ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>>;
+    ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>> & {
+      allowedFields?: TAllowedFields[];
+    };
   }
 
   interface FastifyInstance {
@@ -199,6 +210,7 @@ declare module "fastify" {
       identityAzureAuth: TIdentityAzureAuthServiceFactory;
       identityOidcAuth: TIdentityOidcAuthServiceFactory;
       identityJwtAuth: TIdentityJwtAuthServiceFactory;
+      identityLdapAuth: TIdentityLdapAuthServiceFactory;
       accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
       accessApprovalRequest: TAccessApprovalRequestServiceFactory;
       secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;

backend/src/@types/knex.d.ts

@@ -432,6 +432,11 @@ import {
   TWorkflowIntegrationsInsert,
   TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
+import {
+  TIdentityLdapAuths,
+  TIdentityLdapAuthsInsert,
+  TIdentityLdapAuthsUpdate
+} from "@app/db/schemas/identity-ldap-auths";
 import {
   TMicrosoftTeamsIntegrations,
   TMicrosoftTeamsIntegrationsInsert,
@@ -735,6 +740,11 @@ declare module "knex/types/tables" {
       TIdentityJwtAuthsInsert,
       TIdentityJwtAuthsUpdate
     >;
+    [TableName.IdentityLdapAuth]: KnexOriginal.CompositeTableType<
+      TIdentityLdapAuths,
+      TIdentityLdapAuthsInsert,
+      TIdentityLdapAuthsUpdate
+    >;
     [TableName.IdentityUaClientSecret]: KnexOriginal.CompositeTableType<
       TIdentityUaClientSecrets,
       TIdentityUaClientSecretsInsert,

backend/src/db/migrations/20250429232917_store-cert-secret-key-and-chain.ts

@@ -3,7 +3,7 @@ import { Knex } from "knex";
 import { TableName } from "../schemas";
 
 export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.CertificateBody)) {
+  if (!(await knex.schema.hasColumn(TableName.CertificateBody, "encryptedCertificateChain"))) {
     await knex.schema.alterTable(TableName.CertificateBody, (t) => {
       t.binary("encryptedCertificateChain").nullable();
     });
@@ -25,7 +25,7 @@ export async function down(knex: Knex): Promise<void> {
     await knex.schema.dropTable(TableName.CertificateSecret);
   }
 
-  if (await knex.schema.hasTable(TableName.CertificateBody)) {
+  if (await knex.schema.hasColumn(TableName.CertificateBody, "encryptedCertificateChain")) {
     await knex.schema.alterTable(TableName.CertificateBody, (t) => {
       t.dropColumn("encryptedCertificateChain");
     });

backend/src/db/migrations/20250505203703_project-templates-type-col.ts

@@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { ProjectType, TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.ProjectTemplates, "type"))) {
+    await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
+      // defaulting to sm for migration to set existing, new ones will always be specified on creation
+      t.string("type").defaultTo(ProjectType.SecretManager).notNullable();
+      t.jsonb("environments").nullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.ProjectTemplates, "type")) {
+    await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
+      t.dropColumn("type");
+      // not reverting nullable environments
+    });
+  }
+}

backend/src/db/migrations/20250507003056_identity-ldap-auth.ts

@@ -0,0 +1,39 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityLdapAuth))) {
+    await knex.schema.createTable(TableName.IdentityLdapAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+
+      t.binary("encryptedBindDN").notNullable();
+      t.binary("encryptedBindPass").notNullable();
+      t.binary("encryptedLdapCaCertificate").nullable();
+
+      t.string("url").notNullable();
+      t.string("searchBase").notNullable();
+      t.string("searchFilter").notNullable();
+
+      t.jsonb("allowedFields").nullable();
+
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityLdapAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityLdapAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityLdapAuth);
+}

backend/src/db/schemas/identity-ldap-auths.ts

@@ -0,0 +1,32 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityLdapAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  identityId: z.string().uuid(),
+  encryptedBindDN: zodBuffer,
+  encryptedBindPass: zodBuffer,
+  encryptedLdapCaCertificate: zodBuffer.nullable().optional(),
+  url: z.string(),
+  searchBase: z.string(),
+  searchFilter: z.string(),
+  allowedFields: z.unknown().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TIdentityLdapAuths = z.infer<typeof IdentityLdapAuthsSchema>;
+export type TIdentityLdapAuthsInsert = Omit<z.input<typeof IdentityLdapAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityLdapAuthsUpdate = Partial<Omit<z.input<typeof IdentityLdapAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/models.ts

@@ -80,6 +80,7 @@ export enum TableName {
   IdentityAwsAuth = "identity_aws_auths",
   IdentityOidcAuth = "identity_oidc_auths",
   IdentityJwtAuth = "identity_jwt_auths",
+  IdentityLdapAuth = "identity_ldap_auths",
   IdentityOrgMembership = "identity_org_memberships",
   IdentityProjectMembership = "identity_project_memberships",
   IdentityProjectMembershipRole = "identity_project_membership_role",
@@ -185,11 +186,16 @@ export enum OrgMembershipStatus {
 }
 
 export enum ProjectMembershipRole {
+  // general
   Admin = "admin",
   Member = "member",
   Custom = "custom",
   Viewer = "viewer",
-  NoAccess = "no-access"
+  NoAccess = "no-access",
+  // ssh
+  SshHostBootstrapper = "ssh-host-bootstrapper",
+  // kms
+  KmsCryptographicOperator = "cryptographic-operator"
 }
 
 export enum SecretEncryptionAlgo {
@@ -227,7 +233,8 @@ export enum IdentityAuthMethod {
   AWS_AUTH = "aws-auth",
   AZURE_AUTH = "azure-auth",
   OIDC_AUTH = "oidc-auth",
-  JWT_AUTH = "jwt-auth"
+  JWT_AUTH = "jwt-auth",
+  LDAP_AUTH = "ldap-auth"
 }
 
 export enum ProjectType {

backend/src/db/schemas/project-templates.ts

@@ -12,10 +12,11 @@ export const ProjectTemplatesSchema = z.object({
   name: z.string(),
   description: z.string().nullable().optional(),
   roles: z.unknown(),
-  environments: z.unknown(),
+  environments: z.unknown().nullable().optional(),
   orgId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  type: z.string().default("secret-manager")
 });
 
 export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;

backend/src/ee/routes/v1/project-template-router.ts

@@ -1,9 +1,8 @@
 import { z } from "zod";
 
-import { ProjectMembershipRole, ProjectTemplatesSchema } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectTemplatesSchema, ProjectType } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
-import { ProjectTemplateDefaultEnvironments } from "@app/ee/services/project-template/project-template-constants";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
 import { ApiDocsTags, ProjectTemplates } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -35,6 +34,7 @@ const SanitizedProjectTemplateSchema = ProjectTemplatesSchema.extend({
       position: z.number().min(1)
     })
     .array()
+    .nullable()
 });
 
 const ProjectTemplateRolesSchema = z
@@ -104,6 +104,9 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       hide: false,
       tags: [ApiDocsTags.ProjectTemplates],
       description: "List project templates for the current organization.",
+      querystring: z.object({
+        type: z.nativeEnum(ProjectType).optional().describe(ProjectTemplates.LIST.type)
+      }),
       response: {
         200: z.object({
           projectTemplates: SanitizedProjectTemplateSchema.array()
@@ -112,7 +115,8 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission);
+      const { type } = req.query;
+      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission, type);
 
       const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));
 
@@ -184,6 +188,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       tags: [ApiDocsTags.ProjectTemplates],
       description: "Create a project template.",
       body: z.object({
+        type: z.nativeEnum(ProjectType).describe(ProjectTemplates.CREATE.type),
         name: slugSchema({ field: "name" })
           .refine((val) => !isInfisicalProjectTemplate(val), {
             message: `The requested project template name is reserved.`
@@ -191,9 +196,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
           .describe(ProjectTemplates.CREATE.name),
         description: z.string().max(256).trim().optional().describe(ProjectTemplates.CREATE.description),
         roles: ProjectTemplateRolesSchema.default([]).describe(ProjectTemplates.CREATE.roles),
-        environments: ProjectTemplateEnvironmentsSchema.default(ProjectTemplateDefaultEnvironments).describe(
-          ProjectTemplates.CREATE.environments
-        )
+        environments: ProjectTemplateEnvironmentsSchema.describe(ProjectTemplates.CREATE.environments).optional()
       }),
       response: {
         200: z.object({

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -34,6 +34,7 @@ import { WorkflowIntegration } from "@app/services/workflow-integration/workflow
 
 import { KmipPermission } from "../kmip/kmip-enum";
 import { ApprovalStatus } from "../secret-approval-request/secret-approval-request-types";
+import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
 
 export type TListProjectAuditLogDTO = {
   filter: {
@@ -119,44 +120,60 @@ export enum EventType {
   CREATE_TOKEN_IDENTITY_TOKEN_AUTH = "create-token-identity-token-auth",
   UPDATE_TOKEN_IDENTITY_TOKEN_AUTH = "update-token-identity-token-auth",
   GET_TOKENS_IDENTITY_TOKEN_AUTH = "get-tokens-identity-token-auth",
+
   ADD_IDENTITY_TOKEN_AUTH = "add-identity-token-auth",
   UPDATE_IDENTITY_TOKEN_AUTH = "update-identity-token-auth",
   GET_IDENTITY_TOKEN_AUTH = "get-identity-token-auth",
   REVOKE_IDENTITY_TOKEN_AUTH = "revoke-identity-token-auth",
+
   LOGIN_IDENTITY_KUBERNETES_AUTH = "login-identity-kubernetes-auth",
   ADD_IDENTITY_KUBERNETES_AUTH = "add-identity-kubernetes-auth",
   UPDATE_IDENTITY_KUBENETES_AUTH = "update-identity-kubernetes-auth",
   GET_IDENTITY_KUBERNETES_AUTH = "get-identity-kubernetes-auth",
   REVOKE_IDENTITY_KUBERNETES_AUTH = "revoke-identity-kubernetes-auth",
+
   LOGIN_IDENTITY_OIDC_AUTH = "login-identity-oidc-auth",
   ADD_IDENTITY_OIDC_AUTH = "add-identity-oidc-auth",
   UPDATE_IDENTITY_OIDC_AUTH = "update-identity-oidc-auth",
   GET_IDENTITY_OIDC_AUTH = "get-identity-oidc-auth",
   REVOKE_IDENTITY_OIDC_AUTH = "revoke-identity-oidc-auth",
+
   LOGIN_IDENTITY_JWT_AUTH = "login-identity-jwt-auth",
   ADD_IDENTITY_JWT_AUTH = "add-identity-jwt-auth",
   UPDATE_IDENTITY_JWT_AUTH = "update-identity-jwt-auth",
   GET_IDENTITY_JWT_AUTH = "get-identity-jwt-auth",
   REVOKE_IDENTITY_JWT_AUTH = "revoke-identity-jwt-auth",
+
   CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
   REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
+
   GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
   GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET_BY_ID = "get-identity-universal-auth-client-secret-by-id",
+
   LOGIN_IDENTITY_GCP_AUTH = "login-identity-gcp-auth",
   ADD_IDENTITY_GCP_AUTH = "add-identity-gcp-auth",
   UPDATE_IDENTITY_GCP_AUTH = "update-identity-gcp-auth",
   REVOKE_IDENTITY_GCP_AUTH = "revoke-identity-gcp-auth",
   GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",
+
   LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
   ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
   UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
   REVOKE_IDENTITY_AWS_AUTH = "revoke-identity-aws-auth",
   GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
+
   LOGIN_IDENTITY_AZURE_AUTH = "login-identity-azure-auth",
   ADD_IDENTITY_AZURE_AUTH = "add-identity-azure-auth",
   UPDATE_IDENTITY_AZURE_AUTH = "update-identity-azure-auth",
   GET_IDENTITY_AZURE_AUTH = "get-identity-azure-auth",
   REVOKE_IDENTITY_AZURE_AUTH = "revoke-identity-azure-auth",
+
+  LOGIN_IDENTITY_LDAP_AUTH = "login-identity-ldap-auth",
+  ADD_IDENTITY_LDAP_AUTH = "add-identity-ldap-auth",
+  UPDATE_IDENTITY_LDAP_AUTH = "update-identity-ldap-auth",
+  GET_IDENTITY_LDAP_AUTH = "get-identity-ldap-auth",
+  REVOKE_IDENTITY_LDAP_AUTH = "revoke-identity-ldap-auth",
+
   CREATE_ENVIRONMENT = "create-environment",
   UPDATE_ENVIRONMENT = "update-environment",
   DELETE_ENVIRONMENT = "delete-environment",
@@ -1034,6 +1051,55 @@ interface GetIdentityAzureAuthEvent {
   };
 }
 
+interface LoginIdentityLdapAuthEvent {
+  type: EventType.LOGIN_IDENTITY_LDAP_AUTH;
+  metadata: {
+    identityId: string;
+    ldapUsername: string;
+    ldapEmail?: string;
+  };
+}
+
+interface AddIdentityLdapAuthEvent {
+  type: EventType.ADD_IDENTITY_LDAP_AUTH;
+  metadata: {
+    identityId: string;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+    allowedFields?: TAllowedFields[];
+    url: string;
+  };
+}
+
+interface UpdateIdentityLdapAuthEvent {
+  type: EventType.UPDATE_IDENTITY_LDAP_AUTH;
+  metadata: {
+    identityId: string;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+    allowedFields?: TAllowedFields[];
+    url?: string;
+  };
+}
+
+interface GetIdentityLdapAuthEvent {
+  type: EventType.GET_IDENTITY_LDAP_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface RevokeIdentityLdapAuthEvent {
+  type: EventType.REVOKE_IDENTITY_LDAP_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface LoginIdentityOidcAuthEvent {
   type: EventType.LOGIN_IDENTITY_OIDC_AUTH;
   metadata: {
@@ -2785,6 +2851,11 @@ export type Event =
   | UpdateIdentityJwtAuthEvent
   | GetIdentityJwtAuthEvent
   | DeleteIdentityJwtAuthEvent
+  | LoginIdentityLdapAuthEvent
+  | AddIdentityLdapAuthEvent
+  | UpdateIdentityLdapAuthEvent
+  | GetIdentityLdapAuthEvent
+  | RevokeIdentityLdapAuthEvent
   | CreateEnvironmentEvent
   | GetEnvironmentEvent
   | UpdateEnvironmentEvent

backend/src/ee/services/github-org-sync/github-org-sync-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import { Octokit } from "@octokit/core";
-import { paginateGraphQL } from "@octokit/plugin-paginate-graphql";
+import { paginateGraphql } from "@octokit/plugin-paginate-graphql";
 import { Octokit as OctokitRest } from "@octokit/rest";
 
 import { OrgMembershipRole } from "@app/db/schemas";
@@ -18,7 +18,7 @@ import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TGithubOrgSyncDALFactory } from "./github-org-sync-dal";
 import { TCreateGithubOrgSyncDTO, TDeleteGithubOrgSyncDTO, TUpdateGithubOrgSyncDTO } from "./github-org-sync-types";
 
-const OctokitWithPlugin = Octokit.plugin(paginateGraphQL);
+const OctokitWithPlugin = Octokit.plugin(paginateGraphql);
 
 type TGithubOrgSyncServiceFactoryDep = {
   githubOrgSyncDAL: TGithubOrgSyncDALFactory;

backend/src/ee/services/ldap-config/ldap-config-types.ts

@@ -14,6 +14,11 @@ export type TLDAPConfig = {
   caCert: string;
 };
 
+export type TTestLDAPConfigDTO = Omit<
+  TLDAPConfig,
+  "organization" | "id" | "groupSearchBase" | "groupSearchFilter" | "isActive" | "uniqueUserAttribute" | "searchBase"
+>;
+
 export type TCreateLdapCfgDTO = {
   orgId: string;
   isActive: boolean;

backend/src/ee/services/ldap-config/ldap-fns.ts

@@ -2,15 +2,14 @@ import ldapjs from "ldapjs";
 
 import { logger } from "@app/lib/logger";
 
-import { TLDAPConfig } from "./ldap-config-types";
+import { TLDAPConfig, TTestLDAPConfigDTO } from "./ldap-config-types";
 
 export const isValidLdapFilter = (filter: string) => {
   try {
     ldapjs.parseFilter(filter);
     return true;
   } catch (error) {
-    logger.error("Invalid LDAP filter");
-    logger.error(error);
+    logger.error(error, "Invalid LDAP filter");
     return false;
   }
 };
@@ -20,7 +19,7 @@ export const isValidLdapFilter = (filter: string) => {
  * @param ldapConfig - The LDAP configuration to test
  * @returns {Boolean} isConnected - Whether or not the connection was successful
  */
-export const testLDAPConfig = async (ldapConfig: TLDAPConfig): Promise<boolean> => {
+export const testLDAPConfig = async (ldapConfig: TTestLDAPConfigDTO): Promise<boolean> => {
   return new Promise((resolve) => {
     const ldapClient = ldapjs.createClient({
       url: ldapConfig.url,

backend/src/ee/services/permission/default-roles.ts

@@ -0,0 +1,448 @@
+import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability";
+
+import {
+  ProjectPermissionActions,
+  ProjectPermissionCertificateActions,
+  ProjectPermissionCmekActions,
+  ProjectPermissionDynamicSecretActions,
+  ProjectPermissionGroupActions,
+  ProjectPermissionIdentityActions,
+  ProjectPermissionKmipActions,
+  ProjectPermissionMemberActions,
+  ProjectPermissionSecretActions,
+  ProjectPermissionSecretRotationActions,
+  ProjectPermissionSecretSyncActions,
+  ProjectPermissionSet,
+  ProjectPermissionSshHostActions,
+  ProjectPermissionSub
+} from "@app/ee/services/permission/project-permission";
+
+const buildAdminPermissionRules = () => {
+  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+
+  // Admins get full access to everything
+  [
+    ProjectPermissionSub.SecretFolders,
+    ProjectPermissionSub.SecretImports,
+    ProjectPermissionSub.SecretApproval,
+    ProjectPermissionSub.Role,
+    ProjectPermissionSub.Integrations,
+    ProjectPermissionSub.Webhooks,
+    ProjectPermissionSub.ServiceTokens,
+    ProjectPermissionSub.Settings,
+    ProjectPermissionSub.Environments,
+    ProjectPermissionSub.Tags,
+    ProjectPermissionSub.AuditLogs,
+    ProjectPermissionSub.IpAllowList,
+    ProjectPermissionSub.CertificateAuthorities,
+    ProjectPermissionSub.CertificateTemplates,
+    ProjectPermissionSub.PkiAlerts,
+    ProjectPermissionSub.PkiCollections,
+    ProjectPermissionSub.SshCertificateAuthorities,
+    ProjectPermissionSub.SshCertificates,
+    ProjectPermissionSub.SshCertificateTemplates,
+    ProjectPermissionSub.SshHostGroups
+  ].forEach((el) => {
+    can(
+      [
+        ProjectPermissionActions.Read,
+        ProjectPermissionActions.Edit,
+        ProjectPermissionActions.Create,
+        ProjectPermissionActions.Delete
+      ],
+      el
+    );
+  });
+
+  can(
+    [
+      ProjectPermissionCertificateActions.Read,
+      ProjectPermissionCertificateActions.Edit,
+      ProjectPermissionCertificateActions.Create,
+      ProjectPermissionCertificateActions.Delete,
+      ProjectPermissionCertificateActions.ReadPrivateKey
+    ],
+    ProjectPermissionSub.Certificates
+  );
+
+  can(
+    [
+      ProjectPermissionSshHostActions.Edit,
+      ProjectPermissionSshHostActions.Read,
+      ProjectPermissionSshHostActions.Create,
+      ProjectPermissionSshHostActions.Delete,
+      ProjectPermissionSshHostActions.IssueHostCert
+    ],
+    ProjectPermissionSub.SshHosts
+  );
+
+  can(
+    [
+      ProjectPermissionMemberActions.Create,
+      ProjectPermissionMemberActions.Edit,
+      ProjectPermissionMemberActions.Delete,
+      ProjectPermissionMemberActions.Read,
+      ProjectPermissionMemberActions.GrantPrivileges,
+      ProjectPermissionMemberActions.AssumePrivileges
+    ],
+    ProjectPermissionSub.Member
+  );
+
+  can(
+    [
+      ProjectPermissionGroupActions.Create,
+      ProjectPermissionGroupActions.Edit,
+      ProjectPermissionGroupActions.Delete,
+      ProjectPermissionGroupActions.Read,
+      ProjectPermissionGroupActions.GrantPrivileges
+    ],
+    ProjectPermissionSub.Groups
+  );
+
+  can(
+    [
+      ProjectPermissionIdentityActions.Create,
+      ProjectPermissionIdentityActions.Edit,
+      ProjectPermissionIdentityActions.Delete,
+      ProjectPermissionIdentityActions.Read,
+      ProjectPermissionIdentityActions.GrantPrivileges,
+      ProjectPermissionIdentityActions.AssumePrivileges
+    ],
+    ProjectPermissionSub.Identity
+  );
+
+  can(
+    [
+      ProjectPermissionSecretActions.DescribeAndReadValue,
+      ProjectPermissionSecretActions.DescribeSecret,
+      ProjectPermissionSecretActions.ReadValue,
+      ProjectPermissionSecretActions.Create,
+      ProjectPermissionSecretActions.Edit,
+      ProjectPermissionSecretActions.Delete
+    ],
+    ProjectPermissionSub.Secrets
+  );
+
+  can(
+    [
+      ProjectPermissionDynamicSecretActions.ReadRootCredential,
+      ProjectPermissionDynamicSecretActions.EditRootCredential,
+      ProjectPermissionDynamicSecretActions.CreateRootCredential,
+      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
+      ProjectPermissionDynamicSecretActions.Lease
+    ],
+    ProjectPermissionSub.DynamicSecrets
+  );
+
+  can([ProjectPermissionActions.Edit, ProjectPermissionActions.Delete], ProjectPermissionSub.Project);
+  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
+  can([ProjectPermissionActions.Edit], ProjectPermissionSub.Kms);
+  can(
+    [
+      ProjectPermissionCmekActions.Create,
+      ProjectPermissionCmekActions.Edit,
+      ProjectPermissionCmekActions.Delete,
+      ProjectPermissionCmekActions.Read,
+      ProjectPermissionCmekActions.Encrypt,
+      ProjectPermissionCmekActions.Decrypt,
+      ProjectPermissionCmekActions.Sign,
+      ProjectPermissionCmekActions.Verify
+    ],
+    ProjectPermissionSub.Cmek
+  );
+  can(
+    [
+      ProjectPermissionSecretSyncActions.Create,
+      ProjectPermissionSecretSyncActions.Edit,
+      ProjectPermissionSecretSyncActions.Delete,
+      ProjectPermissionSecretSyncActions.Read,
+      ProjectPermissionSecretSyncActions.SyncSecrets,
+      ProjectPermissionSecretSyncActions.ImportSecrets,
+      ProjectPermissionSecretSyncActions.RemoveSecrets
+    ],
+    ProjectPermissionSub.SecretSyncs
+  );
+
+  can(
+    [
+      ProjectPermissionKmipActions.CreateClients,
+      ProjectPermissionKmipActions.UpdateClients,
+      ProjectPermissionKmipActions.DeleteClients,
+      ProjectPermissionKmipActions.ReadClients,
+      ProjectPermissionKmipActions.GenerateClientCertificates
+    ],
+    ProjectPermissionSub.Kmip
+  );
+
+  can(
+    [
+      ProjectPermissionSecretRotationActions.Create,
+      ProjectPermissionSecretRotationActions.Edit,
+      ProjectPermissionSecretRotationActions.Delete,
+      ProjectPermissionSecretRotationActions.Read,
+      ProjectPermissionSecretRotationActions.ReadGeneratedCredentials,
+      ProjectPermissionSecretRotationActions.RotateSecrets
+    ],
+    ProjectPermissionSub.SecretRotation
+  );
+
+  return rules;
+};
+
+const buildMemberPermissionRules = () => {
+  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+
+  can(
+    [
+      ProjectPermissionSecretActions.DescribeAndReadValue,
+      ProjectPermissionSecretActions.DescribeSecret,
+      ProjectPermissionSecretActions.ReadValue,
+      ProjectPermissionSecretActions.Edit,
+      ProjectPermissionSecretActions.Create,
+      ProjectPermissionSecretActions.Delete
+    ],
+    ProjectPermissionSub.Secrets
+  );
+  can(
+    [
+      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.SecretFolders
+  );
+  can(
+    [
+      ProjectPermissionDynamicSecretActions.ReadRootCredential,
+      ProjectPermissionDynamicSecretActions.EditRootCredential,
+      ProjectPermissionDynamicSecretActions.CreateRootCredential,
+      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
+      ProjectPermissionDynamicSecretActions.Lease
+    ],
+    ProjectPermissionSub.DynamicSecrets
+  );
+  can(
+    [
+      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.SecretImports
+  );
+
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretApproval);
+  can([ProjectPermissionSecretRotationActions.Read], ProjectPermissionSub.SecretRotation);
+
+  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
+
+  can([ProjectPermissionMemberActions.Read, ProjectPermissionMemberActions.Create], ProjectPermissionSub.Member);
+
+  can([ProjectPermissionGroupActions.Read], ProjectPermissionSub.Groups);
+
+  can(
+    [
+      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.Integrations
+  );
+
+  can(
+    [
+      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.Webhooks
+  );
+
+  can(
+    [
+      ProjectPermissionIdentityActions.Read,
+      ProjectPermissionIdentityActions.Edit,
+      ProjectPermissionIdentityActions.Create,
+      ProjectPermissionIdentityActions.Delete
+    ],
+    ProjectPermissionSub.Identity
+  );
+
+  can(
+    [
+      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.ServiceTokens
+  );
+
+  can(
+    [
+      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.Settings
+  );
+
+  can(
+    [
+      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.Environments
+  );
+
+  can(
+    [
+      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.Tags
+  );
+
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.Role);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.AuditLogs);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.IpAllowList);
+
+  // double check if all CRUD are needed for CA and Certificates
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateAuthorities);
+
+  can(
+    [
+      ProjectPermissionCertificateActions.Read,
+      ProjectPermissionCertificateActions.Edit,
+      ProjectPermissionCertificateActions.Create,
+      ProjectPermissionCertificateActions.Delete
+    ],
+    ProjectPermissionSub.Certificates
+  );
+
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateTemplates);
+
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiAlerts);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiCollections);
+
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificates);
+  can([ProjectPermissionActions.Create], ProjectPermissionSub.SshCertificates);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificateTemplates);
+
+  can([ProjectPermissionSshHostActions.Read], ProjectPermissionSub.SshHosts);
+
+  can(
+    [
+      ProjectPermissionCmekActions.Create,
+      ProjectPermissionCmekActions.Edit,
+      ProjectPermissionCmekActions.Delete,
+      ProjectPermissionCmekActions.Read,
+      ProjectPermissionCmekActions.Encrypt,
+      ProjectPermissionCmekActions.Decrypt,
+      ProjectPermissionCmekActions.Sign,
+      ProjectPermissionCmekActions.Verify
+    ],
+    ProjectPermissionSub.Cmek
+  );
+
+  can(
+    [
+      ProjectPermissionSecretSyncActions.Create,
+      ProjectPermissionSecretSyncActions.Edit,
+      ProjectPermissionSecretSyncActions.Delete,
+      ProjectPermissionSecretSyncActions.Read,
+      ProjectPermissionSecretSyncActions.SyncSecrets,
+      ProjectPermissionSecretSyncActions.ImportSecrets,
+      ProjectPermissionSecretSyncActions.RemoveSecrets
+    ],
+    ProjectPermissionSub.SecretSyncs
+  );
+
+  return rules;
+};
+
+const buildViewerPermissionRules = () => {
+  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+
+  can(ProjectPermissionSecretActions.DescribeAndReadValue, ProjectPermissionSub.Secrets);
+  can(ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSub.Secrets);
+  can(ProjectPermissionSecretActions.ReadValue, ProjectPermissionSub.Secrets);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
+  can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
+  can(ProjectPermissionSecretRotationActions.Read, ProjectPermissionSub.SecretRotation);
+  can(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
+  can(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Webhooks);
+  can(ProjectPermissionIdentityActions.Read, ProjectPermissionSub.Identity);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.ServiceTokens);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Tags);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
+  can(ProjectPermissionCertificateActions.Read, ProjectPermissionSub.Certificates);
+  can(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
+  can(ProjectPermissionSecretSyncActions.Read, ProjectPermissionSub.SecretSyncs);
+
+  return rules;
+};
+
+const buildNoAccessProjectPermission = () => {
+  const { rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+  return rules;
+};
+
+const buildSshHostBootstrapPermissionRules = () => {
+  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+
+  can(
+    [ProjectPermissionSshHostActions.Create, ProjectPermissionSshHostActions.IssueHostCert],
+    ProjectPermissionSub.SshHosts
+  );
+
+  return rules;
+};
+
+const buildCryptographicOperatorPermissionRules = () => {
+  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
+
+  can(
+    [
+      ProjectPermissionCmekActions.Encrypt,
+      ProjectPermissionCmekActions.Decrypt,
+      ProjectPermissionCmekActions.Sign,
+      ProjectPermissionCmekActions.Verify
+    ],
+    ProjectPermissionSub.Cmek
+  );
+
+  return rules;
+};
+
+// General
+export const projectAdminPermissions = buildAdminPermissionRules();
+export const projectMemberPermissions = buildMemberPermissionRules();
+export const projectViewerPermission = buildViewerPermissionRules();
+export const projectNoAccessPermissions = buildNoAccessProjectPermission();
+
+// SSH
+export const sshHostBootstrapPermissions = buildSshHostBootstrapPermissionRules();
+
+// KMS
+export const cryptographicOperatorPermissions = buildCryptographicOperatorPermissionRules();

backend/src/ee/services/permission/permission-service.ts

@@ -12,6 +12,14 @@ import {
   TIdentityProjectMemberships,
   TProjectMemberships
 } from "@app/db/schemas";
+import {
+  cryptographicOperatorPermissions,
+  projectAdminPermissions,
+  projectMemberPermissions,
+  projectNoAccessPermissions,
+  projectViewerPermission,
+  sshHostBootstrapPermissions
+} from "@app/ee/services/permission/default-roles";
 import { conditionsMatcher } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { objectify } from "@app/lib/fn";
@@ -32,14 +40,7 @@ import {
   TGetServiceTokenProjectPermissionArg,
   TGetUserProjectPermissionArg
 } from "./permission-service-types";
-import {
-  buildServiceTokenProjectPermission,
-  projectAdminPermissions,
-  projectMemberPermissions,
-  projectNoAccessPermissions,
-  ProjectPermissionSet,
-  projectViewerPermission
-} from "./project-permission";
+import { buildServiceTokenProjectPermission, ProjectPermissionSet } from "./project-permission";
 
 type TPermissionServiceFactoryDep = {
   orgRoleDAL: Pick<TOrgRoleDALFactory, "findOne">;
@@ -95,6 +96,10 @@ export const permissionServiceFactory = ({
             return projectViewerPermission;
           case ProjectMembershipRole.NoAccess:
             return projectNoAccessPermissions;
+          case ProjectMembershipRole.SshHostBootstrapper:
+            return sshHostBootstrapPermissions;
+          case ProjectMembershipRole.KmsCryptographicOperator:
+            return cryptographicOperatorPermissions;
           case ProjectMembershipRole.Custom: {
             return unpackRules<RawRuleOf<MongoAbility<ProjectPermissionSet>>>(
               permissions as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[]

backend/src/ee/services/permission/project-permission.ts

@@ -678,403 +678,6 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
 
 export type TProjectPermissionV2Schema = z.infer<typeof ProjectPermissionV2Schema>;
 
-const buildAdminPermissionRules = () => {
-  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
-
-  // Admins get full access to everything
-  [
-    ProjectPermissionSub.SecretFolders,
-    ProjectPermissionSub.SecretImports,
-    ProjectPermissionSub.SecretApproval,
-    ProjectPermissionSub.Role,
-    ProjectPermissionSub.Integrations,
-    ProjectPermissionSub.Webhooks,
-    ProjectPermissionSub.ServiceTokens,
-    ProjectPermissionSub.Settings,
-    ProjectPermissionSub.Environments,
-    ProjectPermissionSub.Tags,
-    ProjectPermissionSub.AuditLogs,
-    ProjectPermissionSub.IpAllowList,
-    ProjectPermissionSub.CertificateAuthorities,
-    ProjectPermissionSub.CertificateTemplates,
-    ProjectPermissionSub.PkiAlerts,
-    ProjectPermissionSub.PkiCollections,
-    ProjectPermissionSub.SshCertificateAuthorities,
-    ProjectPermissionSub.SshCertificates,
-    ProjectPermissionSub.SshCertificateTemplates,
-    ProjectPermissionSub.SshHostGroups
-  ].forEach((el) => {
-    can(
-      [
-        ProjectPermissionActions.Read,
-        ProjectPermissionActions.Edit,
-        ProjectPermissionActions.Create,
-        ProjectPermissionActions.Delete
-      ],
-      el
-    );
-  });
-
-  can(
-    [
-      ProjectPermissionCertificateActions.Read,
-      ProjectPermissionCertificateActions.Edit,
-      ProjectPermissionCertificateActions.Create,
-      ProjectPermissionCertificateActions.Delete,
-      ProjectPermissionCertificateActions.ReadPrivateKey
-    ],
-    ProjectPermissionSub.Certificates
-  );
-
-  can(
-    [
-      ProjectPermissionSshHostActions.Edit,
-      ProjectPermissionSshHostActions.Read,
-      ProjectPermissionSshHostActions.Create,
-      ProjectPermissionSshHostActions.Delete,
-      ProjectPermissionSshHostActions.IssueHostCert
-    ],
-    ProjectPermissionSub.SshHosts
-  );
-
-  can(
-    [
-      ProjectPermissionMemberActions.Create,
-      ProjectPermissionMemberActions.Edit,
-      ProjectPermissionMemberActions.Delete,
-      ProjectPermissionMemberActions.Read,
-      ProjectPermissionMemberActions.GrantPrivileges,
-      ProjectPermissionMemberActions.AssumePrivileges
-    ],
-    ProjectPermissionSub.Member
-  );
-
-  can(
-    [
-      ProjectPermissionGroupActions.Create,
-      ProjectPermissionGroupActions.Edit,
-      ProjectPermissionGroupActions.Delete,
-      ProjectPermissionGroupActions.Read,
-      ProjectPermissionGroupActions.GrantPrivileges
-    ],
-    ProjectPermissionSub.Groups
-  );
-
-  can(
-    [
-      ProjectPermissionIdentityActions.Create,
-      ProjectPermissionIdentityActions.Edit,
-      ProjectPermissionIdentityActions.Delete,
-      ProjectPermissionIdentityActions.Read,
-      ProjectPermissionIdentityActions.GrantPrivileges,
-      ProjectPermissionIdentityActions.AssumePrivileges
-    ],
-    ProjectPermissionSub.Identity
-  );
-
-  can(
-    [
-      ProjectPermissionSecretActions.DescribeAndReadValue,
-      ProjectPermissionSecretActions.DescribeSecret,
-      ProjectPermissionSecretActions.ReadValue,
-      ProjectPermissionSecretActions.Create,
-      ProjectPermissionSecretActions.Edit,
-      ProjectPermissionSecretActions.Delete
-    ],
-    ProjectPermissionSub.Secrets
-  );
-
-  can(
-    [
-      ProjectPermissionDynamicSecretActions.ReadRootCredential,
-      ProjectPermissionDynamicSecretActions.EditRootCredential,
-      ProjectPermissionDynamicSecretActions.CreateRootCredential,
-      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
-      ProjectPermissionDynamicSecretActions.Lease
-    ],
-    ProjectPermissionSub.DynamicSecrets
-  );
-
-  can([ProjectPermissionActions.Edit, ProjectPermissionActions.Delete], ProjectPermissionSub.Project);
-  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
-  can([ProjectPermissionActions.Edit], ProjectPermissionSub.Kms);
-  can(
-    [
-      ProjectPermissionCmekActions.Create,
-      ProjectPermissionCmekActions.Edit,
-      ProjectPermissionCmekActions.Delete,
-      ProjectPermissionCmekActions.Read,
-      ProjectPermissionCmekActions.Encrypt,
-      ProjectPermissionCmekActions.Decrypt,
-      ProjectPermissionCmekActions.Sign,
-      ProjectPermissionCmekActions.Verify
-    ],
-    ProjectPermissionSub.Cmek
-  );
-  can(
-    [
-      ProjectPermissionSecretSyncActions.Create,
-      ProjectPermissionSecretSyncActions.Edit,
-      ProjectPermissionSecretSyncActions.Delete,
-      ProjectPermissionSecretSyncActions.Read,
-      ProjectPermissionSecretSyncActions.SyncSecrets,
-      ProjectPermissionSecretSyncActions.ImportSecrets,
-      ProjectPermissionSecretSyncActions.RemoveSecrets
-    ],
-    ProjectPermissionSub.SecretSyncs
-  );
-
-  can(
-    [
-      ProjectPermissionKmipActions.CreateClients,
-      ProjectPermissionKmipActions.UpdateClients,
-      ProjectPermissionKmipActions.DeleteClients,
-      ProjectPermissionKmipActions.ReadClients,
-      ProjectPermissionKmipActions.GenerateClientCertificates
-    ],
-    ProjectPermissionSub.Kmip
-  );
-
-  can(
-    [
-      ProjectPermissionSecretRotationActions.Create,
-      ProjectPermissionSecretRotationActions.Edit,
-      ProjectPermissionSecretRotationActions.Delete,
-      ProjectPermissionSecretRotationActions.Read,
-      ProjectPermissionSecretRotationActions.ReadGeneratedCredentials,
-      ProjectPermissionSecretRotationActions.RotateSecrets
-    ],
-    ProjectPermissionSub.SecretRotation
-  );
-
-  return rules;
-};
-
-export const projectAdminPermissions = buildAdminPermissionRules();
-
-const buildMemberPermissionRules = () => {
-  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
-
-  can(
-    [
-      ProjectPermissionSecretActions.DescribeAndReadValue,
-      ProjectPermissionSecretActions.DescribeSecret,
-      ProjectPermissionSecretActions.ReadValue,
-      ProjectPermissionSecretActions.Edit,
-      ProjectPermissionSecretActions.Create,
-      ProjectPermissionSecretActions.Delete
-    ],
-    ProjectPermissionSub.Secrets
-  );
-  can(
-    [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
-    ],
-    ProjectPermissionSub.SecretFolders
-  );
-  can(
-    [
-      ProjectPermissionDynamicSecretActions.ReadRootCredential,
-      ProjectPermissionDynamicSecretActions.EditRootCredential,
-      ProjectPermissionDynamicSecretActions.CreateRootCredential,
-      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
-      ProjectPermissionDynamicSecretActions.Lease
-    ],
-    ProjectPermissionSub.DynamicSecrets
-  );
-  can(
-    [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
-    ],
-    ProjectPermissionSub.SecretImports
-  );
-
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretApproval);
-  can([ProjectPermissionSecretRotationActions.Read], ProjectPermissionSub.SecretRotation);
-
-  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
-
-  can([ProjectPermissionMemberActions.Read, ProjectPermissionMemberActions.Create], ProjectPermissionSub.Member);
-
-  can([ProjectPermissionGroupActions.Read], ProjectPermissionSub.Groups);
-
-  can(
-    [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
-    ],
-    ProjectPermissionSub.Integrations
-  );
-
-  can(
-    [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
-    ],
-    ProjectPermissionSub.Webhooks
-  );
-
-  can(
-    [
-      ProjectPermissionIdentityActions.Read,
-      ProjectPermissionIdentityActions.Edit,
-      ProjectPermissionIdentityActions.Create,
-      ProjectPermissionIdentityActions.Delete
-    ],
-    ProjectPermissionSub.Identity
-  );
-
-  can(
-    [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
-    ],
-    ProjectPermissionSub.ServiceTokens
-  );
-
-  can(
-    [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
-    ],
-    ProjectPermissionSub.Settings
-  );
-
-  can(
-    [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
-    ],
-    ProjectPermissionSub.Environments
-  );
-
-  can(
-    [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
-    ],
-    ProjectPermissionSub.Tags
-  );
-
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.Role);
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.AuditLogs);
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.IpAllowList);
-
-  // double check if all CRUD are needed for CA and Certificates
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateAuthorities);
-
-  can(
-    [
-      ProjectPermissionCertificateActions.Read,
-      ProjectPermissionCertificateActions.Edit,
-      ProjectPermissionCertificateActions.Create,
-      ProjectPermissionCertificateActions.Delete
-    ],
-    ProjectPermissionSub.Certificates
-  );
-
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateTemplates);
-
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiAlerts);
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiCollections);
-
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificates);
-  can([ProjectPermissionActions.Create], ProjectPermissionSub.SshCertificates);
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificateTemplates);
-
-  can([ProjectPermissionSshHostActions.Read], ProjectPermissionSub.SshHosts);
-
-  can(
-    [
-      ProjectPermissionCmekActions.Create,
-      ProjectPermissionCmekActions.Edit,
-      ProjectPermissionCmekActions.Delete,
-      ProjectPermissionCmekActions.Read,
-      ProjectPermissionCmekActions.Encrypt,
-      ProjectPermissionCmekActions.Decrypt,
-      ProjectPermissionCmekActions.Sign,
-      ProjectPermissionCmekActions.Verify
-    ],
-    ProjectPermissionSub.Cmek
-  );
-
-  can(
-    [
-      ProjectPermissionSecretSyncActions.Create,
-      ProjectPermissionSecretSyncActions.Edit,
-      ProjectPermissionSecretSyncActions.Delete,
-      ProjectPermissionSecretSyncActions.Read,
-      ProjectPermissionSecretSyncActions.SyncSecrets,
-      ProjectPermissionSecretSyncActions.ImportSecrets,
-      ProjectPermissionSecretSyncActions.RemoveSecrets
-    ],
-    ProjectPermissionSub.SecretSyncs
-  );
-
-  return rules;
-};
-
-export const projectMemberPermissions = buildMemberPermissionRules();
-
-const buildViewerPermissionRules = () => {
-  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
-
-  can(ProjectPermissionSecretActions.DescribeAndReadValue, ProjectPermissionSub.Secrets);
-  can(ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSub.Secrets);
-  can(ProjectPermissionSecretActions.ReadValue, ProjectPermissionSub.Secrets);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
-  can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
-  can(ProjectPermissionSecretRotationActions.Read, ProjectPermissionSub.SecretRotation);
-  can(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
-  can(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Webhooks);
-  can(ProjectPermissionIdentityActions.Read, ProjectPermissionSub.Identity);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.ServiceTokens);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Tags);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
-  can(ProjectPermissionCertificateActions.Read, ProjectPermissionSub.Certificates);
-  can(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
-  can(ProjectPermissionSecretSyncActions.Read, ProjectPermissionSub.SecretSyncs);
-
-  return rules;
-};
-
-export const projectViewerPermission = buildViewerPermissionRules();
-
-const buildNoAccessProjectPermission = () => {
-  const { rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
-  return rules;
-};
-
 export const buildServiceTokenProjectPermission = (
   scopes: Array<{ secretPath: string; environment: string }>,
   permission: string[]
@@ -1116,8 +719,6 @@ export const buildServiceTokenProjectPermission = (
   return build({ conditionsMatcher });
 };
 
-export const projectNoAccessPermissions = buildNoAccessProjectPermission();
-
 /* eslint-disable */
 
 /**

backend/src/ee/services/project-template/project-template-fns.ts

@@ -1,22 +1,27 @@
-import { ProjectTemplateDefaultEnvironments } from "@app/ee/services/project-template/project-template-constants";
+import { ProjectType } from "@app/db/schemas";
 import {
   InfisicalProjectTemplate,
   TUnpackedPermission
 } from "@app/ee/services/project-template/project-template-types";
 import { getPredefinedRoles } from "@app/services/project-role/project-role-fns";
 
-export const getDefaultProjectTemplate = (orgId: string) => ({
+import { ProjectTemplateDefaultEnvironments } from "./project-template-constants";
+
+export const getDefaultProjectTemplate = (orgId: string, type: ProjectType) => ({
   id: "b11b49a9-09a9-4443-916a-4246f9ff2c69", // random ID to appease zod
+  type,
   name: InfisicalProjectTemplate.Default,
   createdAt: new Date(),
   updatedAt: new Date(),
-  description: "Infisical's default project template",
-  environments: ProjectTemplateDefaultEnvironments,
-  roles: [...getPredefinedRoles("project-template")].map(({ name, slug, permissions }) => ({
-    name,
-    slug,
-    permissions: permissions as TUnpackedPermission[]
-  })),
+  description: `Infisical's ${type} default project template`,
+  environments: type === ProjectType.SecretManager ? ProjectTemplateDefaultEnvironments : null,
+  roles: [...getPredefinedRoles({ projectId: "project-template", projectType: type })].map(
+    ({ name, slug, permissions }) => ({
+      name,
+      slug,
+      permissions: permissions as TUnpackedPermission[]
+    })
+  ),
   orgId
 });
 

backend/src/ee/services/project-template/project-template-service.ts

@@ -1,10 +1,11 @@
 import { ForbiddenError } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 
-import { TProjectTemplates } from "@app/db/schemas";
+import { ProjectType, TProjectTemplates } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { ProjectTemplateDefaultEnvironments } from "@app/ee/services/project-template/project-template-constants";
 import { getDefaultProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
 import {
   TCreateProjectTemplateDTO,
@@ -32,11 +33,13 @@ const $unpackProjectTemplate = ({ roles, environments, ...rest }: TProjectTempla
   ...rest,
   environments: environments as TProjectTemplateEnvironment[],
   roles: [
-    ...getPredefinedRoles("project-template").map(({ name, slug, permissions }) => ({
-      name,
-      slug,
-      permissions: permissions as TUnpackedPermission[]
-    })),
+    ...getPredefinedRoles({ projectId: "project-template", projectType: rest.type as ProjectType }).map(
+      ({ name, slug, permissions }) => ({
+        name,
+        slug,
+        permissions: permissions as TUnpackedPermission[]
+      })
+    ),
     ...(roles as TProjectTemplateRole[]).map((role) => ({
       ...role,
       permissions: unpackPermissions(role.permissions)
@@ -49,7 +52,7 @@ export const projectTemplateServiceFactory = ({
   permissionService,
   projectTemplateDAL
 }: TProjectTemplatesServiceFactoryDep) => {
-  const listProjectTemplatesByOrg = async (actor: OrgServiceActor) => {
+  const listProjectTemplatesByOrg = async (actor: OrgServiceActor, type?: ProjectType) => {
     const plan = await licenseService.getPlan(actor.orgId);
 
     if (!plan.projectTemplates)
@@ -68,11 +71,14 @@ export const projectTemplateServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
 
     const projectTemplates = await projectTemplateDAL.find({
-      orgId: actor.orgId
+      orgId: actor.orgId,
+      ...(type ? { type } : {})
     });
 
     return [
-      getDefaultProjectTemplate(actor.orgId),
+      ...(type
+        ? [getDefaultProjectTemplate(actor.orgId, type)]
+        : Object.values(ProjectType).map((projectType) => getDefaultProjectTemplate(actor.orgId, projectType))),
       ...projectTemplates.map((template) => $unpackProjectTemplate(template))
     ];
   };
@@ -134,7 +140,7 @@ export const projectTemplateServiceFactory = ({
   };
 
   const createProjectTemplate = async (
-    { roles, environments, ...params }: TCreateProjectTemplateDTO,
+    { roles, environments, type, ...params }: TCreateProjectTemplateDTO,
     actor: OrgServiceActor
   ) => {
     const plan = await licenseService.getPlan(actor.orgId);
@@ -154,6 +160,17 @@ export const projectTemplateServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);
 
+    if (environments && type !== ProjectType.SecretManager) {
+      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
+    }
+
+    if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
+      throw new BadRequestError({
+        // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+        message: `Failed to create project template due to environment count exceeding your current limit of ${plan.environmentLimit}. Contact Infisical to increase limit.`
+      });
+    }
+
     const isConflictingName = Boolean(
       await projectTemplateDAL.findOne({
         name: params.name,
@@ -169,8 +186,10 @@ export const projectTemplateServiceFactory = ({
     const projectTemplate = await projectTemplateDAL.create({
       ...params,
       roles: JSON.stringify(roles.map((role) => ({ ...role, permissions: packRules(role.permissions) }))),
-      environments: JSON.stringify(environments),
-      orgId: actor.orgId
+      environments:
+        type === ProjectType.SecretManager ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
+      orgId: actor.orgId,
+      type
     });
 
     return $unpackProjectTemplate(projectTemplate);
@@ -202,6 +221,19 @@ export const projectTemplateServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
 
+    if (projectTemplate.type !== ProjectType.SecretManager && environments)
+      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
+
+    if (projectTemplate.type === ProjectType.SecretManager && environments === null)
+      throw new BadRequestError({ message: "Environments cannot be removed for SecretManager project templates" });
+
+    if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
+      throw new BadRequestError({
+        // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+        message: `Failed to update project template due to environment count exceeding your current limit of ${plan.environmentLimit}. Contact Infisical to increase limit.`
+      });
+    }
+
     if (params.name && projectTemplate.name !== params.name) {
       const isConflictingName = Boolean(
         await projectTemplateDAL.findOne({

backend/src/ee/services/project-template/project-template-types.ts

@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-import { TProjectEnvironments } from "@app/db/schemas";
+import { ProjectType, TProjectEnvironments } from "@app/db/schemas";
 import { TProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
 
@@ -15,8 +15,9 @@ export type TProjectTemplateRole = {
 export type TCreateProjectTemplateDTO = {
   name: string;
   description?: string;
+  type: ProjectType;
   roles: TProjectTemplateRole[];
-  environments: TProjectTemplateEnvironment[];
+  environments?: TProjectTemplateEnvironment[] | null;
 };
 
 export type TUpdateProjectTemplateDTO = Partial<TCreateProjectTemplateDTO>;

backend/src/keystore/keystore.ts

@@ -1,6 +1,8 @@
 import { Redis } from "ioredis";
 
 import { pgAdvisoryLockHashText } from "@app/lib/crypto/hashtext";
+import { applyJitter } from "@app/lib/dates";
+import { delay as delayMs } from "@app/lib/delay";
 import { Redlock, Settings } from "@app/lib/red-lock";
 
 export const PgSqlLock = {
@@ -48,6 +50,13 @@ export const KeyStoreTtls = {
   AccessTokenStatusUpdateInSeconds: 120
 };
 
+type TDeleteItems = {
+  pattern: string;
+  batchSize?: number;
+  delay?: number;
+  jitter?: number;
+};
+
 type TWaitTillReady = {
   key: string;
   waitingCb?: () => void;
@@ -75,6 +84,35 @@ export const keyStoreFactory = (redisUrl: string) => {
 
   const deleteItem = async (key: string) => redis.del(key);
 
+  const deleteItems = async ({ pattern, batchSize = 500, delay = 1500, jitter = 200 }: TDeleteItems) => {
+    let cursor = "0";
+    let totalDeleted = 0;
+
+    do {
+      // Await in loop is needed so that Redis is not overwhelmed
+      // eslint-disable-next-line no-await-in-loop
+      const [nextCursor, keys] = await redis.scan(cursor, "MATCH", pattern, "COUNT", 1000); // Count should be 1000 - 5000 for prod loads
+      cursor = nextCursor;
+
+      for (let i = 0; i < keys.length; i += batchSize) {
+        const batch = keys.slice(i, i + batchSize);
+        const pipeline = redis.pipeline();
+        for (const key of batch) {
+          pipeline.unlink(key);
+        }
+        // eslint-disable-next-line no-await-in-loop
+        await pipeline.exec();
+        totalDeleted += batch.length;
+        console.log("BATCH DONE");
+
+        // eslint-disable-next-line no-await-in-loop
+        await delayMs(Math.max(0, applyJitter(delay, jitter)));
+      }
+    } while (cursor !== "0");
+
+    return totalDeleted;
+  };
+
   const incrementBy = async (key: string, value: number) => redis.incrby(key, value);
 
   const setExpiry = async (key: string, expiryInSeconds: number) => redis.expire(key, expiryInSeconds);
@@ -94,7 +132,7 @@ export const keyStoreFactory = (redisUrl: string) => {
       // eslint-disable-next-line
       await new Promise((resolve) => {
         waitingCb?.();
-        setTimeout(resolve, Math.max(0, delay + Math.floor((Math.random() * 2 - 1) * jitter)));
+        setTimeout(resolve, Math.max(0, applyJitter(delay, jitter)));
       });
       attempts += 1;
       // eslint-disable-next-line
@@ -108,6 +146,7 @@ export const keyStoreFactory = (redisUrl: string) => {
     setExpiry,
     setItemWithExpiry,
     deleteItem,
+    deleteItems,
     incrementBy,
     acquireLock(resources: string[], duration: number, settings?: Partial<Settings>) {
       return redisLock.acquire(resources, duration, settings);

backend/src/keystore/memory.ts

@@ -1,3 +1,7 @@
+import RE2 from "re2";
+
+import { applyJitter } from "@app/lib/dates";
+import { delay as delayMs } from "@app/lib/delay";
 import { Lock } from "@app/lib/red-lock";
 
 import { TKeyStoreFactory } from "./keystore";
@@ -19,6 +23,27 @@ export const inMemoryKeyStore = (): TKeyStoreFactory => {
       delete store[key];
       return 1;
     },
+    deleteItems: async ({ pattern, batchSize = 500, delay = 1500, jitter = 200 }) => {
+      const regex = new RE2(`^${pattern.replace(/[-[\]/{}()+?.\\^$|]/g, "\\$&").replace(/\*/g, ".*")}$`);
+      let totalDeleted = 0;
+      const keys = Object.keys(store);
+
+      for (let i = 0; i < keys.length; i += batchSize) {
+        const batch = keys.slice(i, i + batchSize);
+
+        for (const key of batch) {
+          if (regex.test(key)) {
+            delete store[key];
+            totalDeleted += 1;
+          }
+        }
+
+        // eslint-disable-next-line no-await-in-loop
+        await delayMs(Math.max(0, applyJitter(delay, jitter)));
+      }
+
+      return totalDeleted;
+    },
     getItem: async (key) => {
       const value = store[key];
       if (typeof value === "string") {

backend/src/lib/api-docs/constants.ts

@@ -18,6 +18,7 @@ export enum ApiDocsTags {
   KubernetesAuth = "Kubernetes Auth",
   JwtAuth = "JWT Auth",
   OidcAuth = "OIDC Auth",
+  LdapAuth = "LDAP Auth",
   Groups = "Groups",
   Organizations = "Organizations",
   Projects = "Projects",
@@ -184,6 +185,49 @@ export const UNIVERSAL_AUTH = {
   }
 } as const;
 
+export const LDAP_AUTH = {
+  LOGIN: {
+    identityId: "The ID of the identity to login.",
+    username: "The username of the LDAP user to login.",
+    password: "The password of the LDAP user to login."
+  },
+  ATTACH: {
+    identityId: "The ID of the identity to attach the configuration onto.",
+    url: "The URL of the LDAP server.",
+    allowedFields:
+      "The comma-separated array of key/value pairs of required fields that the LDAP entry must have in order to authenticate.",
+    searchBase: "The base DN to search for the LDAP user.",
+    searchFilter: "The filter to use to search for the LDAP user.",
+    bindDN: "The DN of the user to bind to the LDAP server.",
+    bindPass: "The password of the user to bind to the LDAP server.",
+    ldapCaCertificate: "The PEM-encoded CA certificate for the LDAP server.",
+    accessTokenTTL: "The lifetime for an access token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
+    accessTokenNumUsesLimit: "The maximum number of times that an access token can be used.",
+    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update the configuration for.",
+    url: "The new URL of the LDAP server.",
+    allowedFields: "The comma-separated list of allowed fields to return from the LDAP user.",
+    searchBase: "The new base DN to search for the LDAP user.",
+    searchFilter: "The new filter to use to search for the LDAP user.",
+    bindDN: "The new DN of the user to bind to the LDAP server.",
+    bindPass: "The new password of the user to bind to the LDAP server.",
+    ldapCaCertificate: "The new PEM-encoded CA certificate for the LDAP server.",
+    accessTokenTTL: "The new lifetime for an access token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
+    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from."
+  },
+  RETRIEVE: {
+    identityId: "The ID of the identity to retrieve the configuration for."
+  },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke the configuration for."
+  }
+} as const;
+
 export const AWS_AUTH = {
   LOGIN: {
     identityId: "The ID of the identity to login.",
@@ -1822,8 +1866,12 @@ export const KMS = {
 };
 
 export const ProjectTemplates = {
+  LIST: {
+    type: "The type of project template to list."
+  },
   CREATE: {
     name: "The name of the project template to be created. Must be slug-friendly.",
+    type: "The type of project template to be created.",
     description: "An optional description of the project template.",
     roles: "The roles to be created when the template is applied to a project.",
     environments: "The environments to be created when the template is applied to a project."

backend/src/lib/delay/index.ts

@@ -0,0 +1,4 @@
+export const delay = (ms: number) =>
+  new Promise<void>((resolve) => {
+    setTimeout(resolve, ms);
+  });

backend/src/lib/logger/logger.ts

@@ -84,7 +84,9 @@ const redactedKeys = [
   "secrets",
   "key",
   "password",
-  "config"
+  "config",
+  "bindPass",
+  "bindDN"
 ];
 
 const UNKNOWN_REQUEST_ID = "UNKNOWN_REQUEST_ID";

backend/src/queue/queue-service.ts

@@ -25,6 +25,7 @@ import {
   TQueueSecretSyncSyncSecretsByIdDTO,
   TQueueSendSecretSyncActionFailedNotificationsDTO
 } from "@app/services/secret-sync/secret-sync-types";
+import { CacheType } from "@app/services/super-admin/super-admin-types";
 import { TWebhookPayloads } from "@app/services/webhook/webhook-types";
 
 export enum QueueName {
@@ -49,7 +50,8 @@ export enum QueueName {
   AccessTokenStatusUpdate = "access-token-status-update",
   ImportSecretsFromExternalSource = "import-secrets-from-external-source",
   AppConnectionSecretSync = "app-connection-secret-sync",
-  SecretRotationV2 = "secret-rotation-v2"
+  SecretRotationV2 = "secret-rotation-v2",
+  InvalidateCache = "invalidate-cache"
 }
 
 export enum QueueJobs {
@@ -81,7 +83,8 @@ export enum QueueJobs {
   SecretSyncSendActionFailedNotifications = "secret-sync-send-action-failed-notifications",
   SecretRotationV2QueueRotations = "secret-rotation-v2-queue-rotations",
   SecretRotationV2RotateSecrets = "secret-rotation-v2-rotate-secrets",
-  SecretRotationV2SendNotification = "secret-rotation-v2-send-notification"
+  SecretRotationV2SendNotification = "secret-rotation-v2-send-notification",
+  InvalidateCache = "invalidate-cache"
 }
 
 export type TQueueJobTypes = {
@@ -234,6 +237,14 @@ export type TQueueJobTypes = {
         name: QueueJobs.SecretRotationV2SendNotification;
         payload: TSecretRotationSendNotificationJobPayload;
       };
+  [QueueName.InvalidateCache]: {
+    name: QueueJobs.InvalidateCache;
+    payload: {
+      data: {
+        type: CacheType;
+      };
+    };
+  };
 };
 
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;

backend/src/server/config/rateLimiter.ts

@@ -100,3 +100,10 @@ export const publicSshCaLimit: RateLimitOptions = {
   max: 30, // conservative default
   keyGenerator: (req) => req.realIp
 };
+
+export const invalidateCacheLimit: RateLimitOptions = {
+  timeWindow: 60 * 1000,
+  hook: "preValidation",
+  max: 1,
+  keyGenerator: (req) => req.realIp
+};

backend/src/server/routes/index.ts

@@ -160,6 +160,8 @@ import { identityJwtAuthDALFactory } from "@app/services/identity-jwt-auth/ident
 import { identityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
 import { identityKubernetesAuthDALFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-dal";
 import { identityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
+import { identityLdapAuthDALFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-dal";
+import { identityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
 import { identityOidcAuthDALFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-dal";
 import { identityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
@@ -242,6 +244,7 @@ import { projectSlackConfigDALFactory } from "@app/services/slack/project-slack-
 import { slackIntegrationDALFactory } from "@app/services/slack/slack-integration-dal";
 import { slackServiceFactory } from "@app/services/slack/slack-service";
 import { TSmtpService } from "@app/services/smtp/smtp-service";
+import { invalidateCacheQueueFactory } from "@app/services/super-admin/invalidate-cache-queue";
 import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 import { getServerCfg, superAdminServiceFactory } from "@app/services/super-admin/super-admin-service";
 import { telemetryDALFactory } from "@app/services/telemetry/telemetry-dal";
@@ -353,6 +356,7 @@ export const registerRoutes = async (
   const identityOidcAuthDAL = identityOidcAuthDALFactory(db);
   const identityJwtAuthDAL = identityJwtAuthDALFactory(db);
   const identityAzureAuthDAL = identityAzureAuthDALFactory(db);
+  const identityLdapAuthDAL = identityLdapAuthDALFactory(db);
 
   const auditLogDAL = auditLogDALFactory(auditLogDb ?? db);
   const auditLogStreamDAL = auditLogStreamDALFactory(db);
@@ -611,6 +615,11 @@ export const registerRoutes = async (
     queueService
   });
 
+  const invalidateCacheQueue = invalidateCacheQueueFactory({
+    keyStore,
+    queueService
+  });
+
   const userService = userServiceFactory({
     userDAL,
     userAliasDAL,
@@ -722,7 +731,8 @@ export const registerRoutes = async (
     keyStore,
     licenseService,
     kmsService,
-    microsoftTeamsService
+    microsoftTeamsService,
+    invalidateCacheQueue
   });
 
   const orgAdminService = orgAdminServiceFactory({
@@ -1438,6 +1448,16 @@ export const registerRoutes = async (
     kmsService
   });
 
+  const identityLdapAuthService = identityLdapAuthServiceFactory({
+    identityLdapAuthDAL,
+    permissionService,
+    kmsService,
+    identityAccessTokenDAL,
+    identityOrgMembershipDAL,
+    licenseService,
+    identityDAL
+  });
+
   const gatewayService = gatewayServiceFactory({
     permissionService,
     gatewayDAL,
@@ -1698,6 +1718,7 @@ export const registerRoutes = async (
     identityAzureAuth: identityAzureAuthService,
     identityOidcAuth: identityOidcAuthService,
     identityJwtAuth: identityJwtAuthService,
+    identityLdapAuth: identityLdapAuthService,
     accessApprovalPolicy: accessApprovalPolicyService,
     accessApprovalRequest: accessApprovalRequestService,
     secretApprovalPolicy: secretApprovalPolicyService,

backend/src/server/routes/v1/admin-router.ts

@@ -4,13 +4,14 @@ import { z } from "zod";
 import { IdentitiesSchema, OrganizationsSchema, SuperAdminSchema, UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { invalidateCacheLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { RootKeyEncryptionStrategy } from "@app/services/kms/kms-types";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
-import { LoginMethod } from "@app/services/super-admin/super-admin-types";
+import { CacheType, LoginMethod } from "@app/services/super-admin/super-admin-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 export const registerAdminRouter = async (server: FastifyZodProvider) => {
@@ -548,4 +549,69 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       };
     }
   });
+
+  server.route({
+    method: "POST",
+    url: "/invalidate-cache",
+    config: {
+      rateLimit: invalidateCacheLimit
+    },
+    schema: {
+      body: z.object({
+        type: z.nativeEnum(CacheType)
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async (req) => {
+      await server.services.superAdmin.invalidateCache(req.body.type);
+
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.InvalidateCache,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          ...req.auditLogInfo
+        }
+      });
+
+      return {
+        message: "Cache invalidation job started"
+      };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/invalidating-cache-status",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          invalidating: z.boolean()
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async () => {
+      const invalidating = await server.services.superAdmin.checkIfInvalidatingCache();
+
+      return {
+        invalidating
+      };
+    }
+  });
 };

backend/src/server/routes/v1/identity-ldap-auth-router.ts

@@ -0,0 +1,497 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
+/* eslint-disable @typescript-eslint/no-unsafe-return */
+/* eslint-disable @typescript-eslint/no-unsafe-member-access */
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
+/* eslint-disable @typescript-eslint/no-unsafe-call */
+/* eslint-disable @typescript-eslint/no-unsafe-argument */
+// All the any rules are disabled because passport typesense with fastify is really poor
+
+import { Authenticator } from "@fastify/passport";
+import fastifySession from "@fastify/session";
+import { FastifyRequest } from "fastify";
+import { IncomingMessage } from "http";
+import LdapStrategy from "passport-ldapauth";
+import { z } from "zod";
+
+import { IdentityLdapAuthsSchema } from "@app/db/schemas/identity-ldap-auths";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { isValidLdapFilter } from "@app/ee/services/ldap-config/ldap-fns";
+import { ApiDocsTags, LDAP_AUTH } from "@app/lib/api-docs";
+import { getConfig } from "@app/lib/config/env";
+import { UnauthorizedError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { AllowedFieldsSchema } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
+
+export const registerIdentityLdapAuthRouter = async (server: FastifyZodProvider) => {
+  const appCfg = getConfig();
+  const passport = new Authenticator({ key: "ldap-identity-auth", userProperty: "passportMachineIdentity" });
+  await server.register(fastifySession, { secret: appCfg.COOKIE_SECRET_SIGN_KEY });
+  await server.register(passport.initialize());
+  await server.register(passport.secureSession());
+
+  const getLdapPassportOpts = (req: FastifyRequest, done: any) => {
+    const { identityId } = req.body as {
+      identityId: string;
+    };
+
+    process.nextTick(async () => {
+      try {
+        const { ldapConfig, opts } = await server.services.identityLdapAuth.getLdapConfig(identityId);
+        req.ldapConfig = {
+          ...ldapConfig,
+          isActive: true,
+          groupSearchBase: "",
+          uniqueUserAttribute: "",
+          groupSearchFilter: ""
+        };
+
+        done(null, opts);
+      } catch (err) {
+        logger.error(err, "Error in LDAP verification callback");
+        done(err);
+      }
+    });
+  };
+
+  passport.use(
+    new LdapStrategy(
+      getLdapPassportOpts as any,
+      // eslint-disable-next-line
+      async (req: IncomingMessage, user, cb) => {
+        try {
+          const requestBody = (req as unknown as FastifyRequest).body as {
+            username: string;
+            password: string;
+            identityId: string;
+          };
+
+          if (!requestBody.username || !requestBody.password) {
+            return cb(new UnauthorizedError({ message: "Invalid request. Missing username or password." }), false);
+          }
+
+          if (!requestBody.identityId) {
+            return cb(new UnauthorizedError({ message: "Invalid request. Missing identity ID." }), false);
+          }
+
+          const { ldapConfig } = req as unknown as FastifyRequest;
+
+          if (ldapConfig.allowedFields) {
+            for (const field of ldapConfig.allowedFields) {
+              if (!user[field.key]) {
+                return cb(
+                  new UnauthorizedError({ message: `Invalid request. Missing field ${field.key} on user.` }),
+                  false
+                );
+              }
+
+              const value = field.value.split(",");
+
+              if (!value.includes(user[field.key])) {
+                return cb(
+                  new UnauthorizedError({
+                    message: `Invalid request. User field '${field.key}' does not match required fields.`
+                  }),
+                  false
+                );
+              }
+            }
+          }
+
+          return cb(null, { identityId: requestBody.identityId, user });
+        } catch (error) {
+          logger.error(error, "Error in LDAP verification callback");
+          return cb(error, false);
+        }
+      }
+    )
+  );
+
+  server.route({
+    method: "POST",
+    url: "/ldap-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.LdapAuth],
+      description: "Login with LDAP Auth",
+      body: z.object({
+        identityId: z.string().trim().describe(LDAP_AUTH.LOGIN.identityId),
+        username: z.string().describe(LDAP_AUTH.LOGIN.username),
+        password: z.string().describe(LDAP_AUTH.LOGIN.password)
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string(),
+          expiresIn: z.coerce.number(),
+          accessTokenMaxTTL: z.coerce.number(),
+          tokenType: z.literal("Bearer")
+        })
+      }
+    },
+    preValidation: passport.authenticate("ldapauth", {
+      failWithError: true,
+      session: false
+    }) as any,
+
+    errorHandler: (error) => {
+      if (error.name === "AuthenticationError") {
+        throw new UnauthorizedError({ message: "Invalid credentials" });
+      }
+
+      throw error;
+    },
+
+    handler: async (req) => {
+      if (!req.passportMachineIdentity?.identityId) {
+        throw new UnauthorizedError({ message: "Invalid request. Missing identity ID or LDAP entry details." });
+      }
+
+      const { identityId, user } = req.passportMachineIdentity;
+
+      const { accessToken, identityLdapAuth, identityMembershipOrg } = await server.services.identityLdapAuth.login({
+        identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityMembershipOrg?.orgId,
+        event: {
+          type: EventType.LOGIN_IDENTITY_LDAP_AUTH,
+          metadata: {
+            identityId,
+            ldapEmail: user.mail,
+            ldapUsername: user.uid
+          }
+        }
+      });
+
+      return {
+        accessToken,
+        tokenType: "Bearer" as const,
+        expiresIn: identityLdapAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityLdapAuth.accessTokenMaxTTL
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/ldap-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.LdapAuth],
+      description: "Attach LDAP Auth configuration onto identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim().describe(LDAP_AUTH.ATTACH.identityId)
+      }),
+      body: z
+        .object({
+          url: z.string().trim().min(1).describe(LDAP_AUTH.ATTACH.url),
+          bindDN: z.string().trim().min(1).describe(LDAP_AUTH.ATTACH.bindDN),
+          bindPass: z.string().trim().min(1).describe(LDAP_AUTH.ATTACH.bindPass),
+          searchBase: z.string().trim().min(1).describe(LDAP_AUTH.ATTACH.searchBase),
+          searchFilter: z
+            .string()
+            .trim()
+            .min(1)
+            .default("(uid={{username}})")
+            .refine(isValidLdapFilter, "Invalid LDAP search filter")
+            .describe(LDAP_AUTH.ATTACH.searchFilter),
+          allowedFields: AllowedFieldsSchema.array().optional().describe(LDAP_AUTH.ATTACH.allowedFields),
+          ldapCaCertificate: z.string().trim().optional().describe(LDAP_AUTH.ATTACH.ldapCaCertificate),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .describe(LDAP_AUTH.ATTACH.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(LDAP_AUTH.ATTACH.accessTokenTTL),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(1)
+            .max(315360000)
+            .default(2592000)
+            .describe(LDAP_AUTH.ATTACH.accessTokenMaxTTL),
+          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(LDAP_AUTH.ATTACH.accessTokenNumUsesLimit)
+        })
+        .refine(
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
+      response: {
+        200: z.object({
+          identityLdapAuth: IdentityLdapAuthsSchema.omit({
+            encryptedBindDN: true,
+            encryptedBindPass: true,
+            encryptedLdapCaCertificate: true
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityLdapAuth = await server.services.identityLdapAuth.attachLdapAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.ADD_IDENTITY_LDAP_AUTH,
+          metadata: {
+            identityId: req.params.identityId,
+            url: identityLdapAuth.url,
+            accessTokenMaxTTL: identityLdapAuth.accessTokenMaxTTL,
+            accessTokenTTL: identityLdapAuth.accessTokenTTL,
+            accessTokenNumUsesLimit: identityLdapAuth.accessTokenNumUsesLimit,
+            allowedFields: req.body.allowedFields
+          }
+        }
+      });
+
+      return { identityLdapAuth };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/ldap-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.LdapAuth],
+      description: "Update LDAP Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim().describe(LDAP_AUTH.UPDATE.identityId)
+      }),
+      body: z
+        .object({
+          url: z.string().trim().min(1).optional().describe(LDAP_AUTH.UPDATE.url),
+          bindDN: z.string().trim().min(1).optional().describe(LDAP_AUTH.UPDATE.bindDN),
+          bindPass: z.string().trim().min(1).optional().describe(LDAP_AUTH.UPDATE.bindPass),
+          searchBase: z.string().trim().min(1).optional().describe(LDAP_AUTH.UPDATE.searchBase),
+          searchFilter: z
+            .string()
+            .trim()
+            .min(1)
+            .optional()
+            .refine((v) => v === undefined || isValidLdapFilter(v), "Invalid LDAP search filter")
+            .describe(LDAP_AUTH.UPDATE.searchFilter),
+          allowedFields: AllowedFieldsSchema.array().optional().describe(LDAP_AUTH.UPDATE.allowedFields),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .optional()
+            .describe(LDAP_AUTH.UPDATE.accessTokenTrustedIps),
+          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(LDAP_AUTH.UPDATE.accessTokenTTL),
+          accessTokenNumUsesLimit: z
+            .number()
+            .int()
+            .min(0)
+            .optional()
+            .describe(LDAP_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .max(315360000)
+            .min(0)
+            .optional()
+            .describe(LDAP_AUTH.UPDATE.accessTokenMaxTTL)
+        })
+        .refine(
+          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
+      response: {
+        200: z.object({
+          identityLdapAuth: IdentityLdapAuthsSchema.omit({
+            encryptedBindDN: true,
+            encryptedBindPass: true,
+            encryptedLdapCaCertificate: true
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityLdapAuth = await server.services.identityLdapAuth.updateLdapAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.UPDATE_IDENTITY_LDAP_AUTH,
+          metadata: {
+            identityId: req.params.identityId,
+            url: identityLdapAuth.url,
+            accessTokenMaxTTL: identityLdapAuth.accessTokenMaxTTL,
+            accessTokenTTL: identityLdapAuth.accessTokenTTL,
+            accessTokenNumUsesLimit: identityLdapAuth.accessTokenNumUsesLimit,
+            accessTokenTrustedIps: identityLdapAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            allowedFields: req.body.allowedFields
+          }
+        }
+      });
+
+      return { identityLdapAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/ldap-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.LdapAuth],
+      description: "Retrieve LDAP Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim().describe(LDAP_AUTH.RETRIEVE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityLdapAuth: IdentityLdapAuthsSchema.omit({
+            encryptedBindDN: true,
+            encryptedBindPass: true,
+            encryptedLdapCaCertificate: true
+          }).extend({
+            bindDN: z.string(),
+            bindPass: z.string(),
+            ldapCaCertificate: z.string().optional()
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityLdapAuth = await server.services.identityLdapAuth.getLdapAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_IDENTITY_LDAP_AUTH,
+          metadata: {
+            identityId: identityLdapAuth.identityId
+          }
+        }
+      });
+
+      return { identityLdapAuth };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/ldap-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.LdapAuth],
+      description: "Delete LDAP Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim().describe(LDAP_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityLdapAuth: IdentityLdapAuthsSchema.omit({
+            encryptedBindDN: true,
+            encryptedBindPass: true,
+            encryptedLdapCaCertificate: true
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityLdapAuth = await server.services.identityLdapAuth.revokeIdentityLdapAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_LDAP_AUTH,
+          metadata: {
+            identityId: identityLdapAuth.identityId
+          }
+        }
+      });
+
+      return { identityLdapAuth };
+    }
+  });
+};

backend/src/server/routes/v1/index.ts

@@ -19,6 +19,7 @@ import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
 import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
 import { registerIdentityJwtAuthRouter } from "./identity-jwt-auth-router";
 import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
+import { registerIdentityLdapAuthRouter } from "./identity-ldap-auth-router";
 import { registerIdentityOidcAuthRouter } from "./identity-oidc-auth-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityTokenAuthRouter } from "./identity-token-auth-router";
@@ -63,6 +64,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
       await authRouter.register(registerIdentityAzureAuthRouter);
       await authRouter.register(registerIdentityOidcAuthRouter);
       await authRouter.register(registerIdentityJwtAuthRouter);
+      await authRouter.register(registerIdentityLdapAuthRouter);
     },
     { prefix: "/auth" }
   );

backend/src/server/routes/v2/project-router.ts

@@ -170,7 +170,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           .optional()
           .default(InfisicalProjectTemplate.Default)
           .describe(PROJECTS.CREATE.template),
-        type: z.nativeEnum(ProjectType).default(ProjectType.SecretManager)
+        type: z.nativeEnum(ProjectType).default(ProjectType.SecretManager),
+        shouldCreateDefaultEnvs: z.boolean().optional().default(true)
       }),
       response: {
         200: z.object({
@@ -190,7 +191,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         slug: req.body.slug,
         kmsKeyId: req.body.kmsKeyId,
         template: req.body.template,
-        type: req.body.type
+        type: req.body.type,
+        createDefaultEnvs: req.body.shouldCreateDefaultEnvs
       });
 
       await server.services.telemetry.sendPostHogEvents({
@@ -272,7 +274,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       params: z.object({
-        slug: slugSchema({ min: 5, max: 36 }).describe("The slug of the project to get.")
+        slug: slugSchema({ max: 36 }).describe("The slug of the project to get.")
       }),
       response: {
         200: projectWithEnv

backend/src/services/identity-access-token/identity-access-token-dal.ts

@@ -30,6 +30,7 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
         .leftJoin(TableName.IdentityGcpAuth, `${TableName.Identity}.id`, `${TableName.IdentityGcpAuth}.identityId`)
         .leftJoin(TableName.IdentityAwsAuth, `${TableName.Identity}.id`, `${TableName.IdentityAwsAuth}.identityId`)
         .leftJoin(TableName.IdentityAzureAuth, `${TableName.Identity}.id`, `${TableName.IdentityAzureAuth}.identityId`)
+        .leftJoin(TableName.IdentityLdapAuth, `${TableName.Identity}.id`, `${TableName.IdentityLdapAuth}.identityId`)
         .leftJoin(
           TableName.IdentityKubernetesAuth,
           `${TableName.Identity}.id`,
@@ -48,6 +49,7 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityOidcAuth).as("accessTokenTrustedIpsOidc"),
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityTokenAuth).as("accessTokenTrustedIpsToken"),
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityJwtAuth).as("accessTokenTrustedIpsJwt"),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityLdapAuth).as("accessTokenTrustedIpsLdap"),
           db.ref("name").withSchema(TableName.Identity)
         )
         .first();
@@ -63,7 +65,8 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
         trustedIpsKubernetesAuth: doc.accessTokenTrustedIpsK8s,
         trustedIpsOidcAuth: doc.accessTokenTrustedIpsOidc,
         trustedIpsAccessTokenAuth: doc.accessTokenTrustedIpsToken,
-        trustedIpsAccessJwtAuth: doc.accessTokenTrustedIpsJwt
+        trustedIpsAccessJwtAuth: doc.accessTokenTrustedIpsJwt,
+        trustedIpsAccessLdapAuth: doc.accessTokenTrustedIpsLdap
       };
     } catch (error) {
       throw new DatabaseError({ error, name: "IdAccessTokenFindOne" });

backend/src/services/identity-access-token/identity-access-token-service.ts

@@ -186,7 +186,8 @@ export const identityAccessTokenServiceFactory = ({
       [IdentityAuthMethod.KUBERNETES_AUTH]: identityAccessToken.trustedIpsKubernetesAuth,
       [IdentityAuthMethod.OIDC_AUTH]: identityAccessToken.trustedIpsOidcAuth,
       [IdentityAuthMethod.TOKEN_AUTH]: identityAccessToken.trustedIpsAccessTokenAuth,
-      [IdentityAuthMethod.JWT_AUTH]: identityAccessToken.trustedIpsAccessJwtAuth
+      [IdentityAuthMethod.JWT_AUTH]: identityAccessToken.trustedIpsAccessJwtAuth,
+      [IdentityAuthMethod.LDAP_AUTH]: identityAccessToken.trustedIpsAccessLdapAuth
     };
 
     const trustedIps = trustedIpsMap[identityAccessToken.authMethod as IdentityAuthMethod];

backend/src/services/identity-ldap-auth/identity-ldap-auth-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityLdapAuthDALFactory = ReturnType<typeof identityLdapAuthDALFactory>;
+
+export const identityLdapAuthDALFactory = (db: TDbClient) => {
+  const ldapAuthOrm = ormify(db, TableName.IdentityLdapAuth);
+
+  return ldapAuthOrm;
+};

backend/src/services/identity-ldap-auth/identity-ldap-auth-service.ts

@@ -0,0 +1,543 @@
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
+import { ForbiddenError } from "@casl/ability";
+import jwt from "jsonwebtoken";
+
+import { IdentityAuthMethod } from "@app/db/schemas";
+import { testLDAPConfig } from "@app/ee/services/ldap-config/ldap-fns";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import {
+  constructPermissionErrorMessage,
+  validatePrivilegeChangeOperation
+} from "@app/ee/services/permission/permission-fns";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
+import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
+
+import { ActorType, AuthTokenType } from "../auth/auth-type";
+import { TIdentityDALFactory } from "../identity/identity-dal";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
+import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { TKmsServiceFactory } from "../kms/kms-service";
+import { KmsDataKey } from "../kms/kms-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
+import { TIdentityLdapAuthDALFactory } from "./identity-ldap-auth-dal";
+import {
+  AllowedFieldsSchema,
+  TAttachLdapAuthDTO,
+  TGetLdapAuthDTO,
+  TLoginLdapAuthDTO,
+  TRevokeLdapAuthDTO,
+  TUpdateLdapAuthDTO
+} from "./identity-ldap-auth-types";
+
+type TIdentityLdapAuthServiceFactoryDep = {
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
+  identityLdapAuthDAL: Pick<
+    TIdentityLdapAuthDALFactory,
+    "findOne" | "transaction" | "create" | "updateById" | "delete"
+  >;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  kmsService: TKmsServiceFactory;
+  identityDAL: TIdentityDALFactory;
+};
+
+export type TIdentityLdapAuthServiceFactory = ReturnType<typeof identityLdapAuthServiceFactory>;
+
+export const identityLdapAuthServiceFactory = ({
+  identityAccessTokenDAL,
+  identityDAL,
+  identityLdapAuthDAL,
+  identityOrgMembershipDAL,
+  licenseService,
+  permissionService,
+  kmsService
+}: TIdentityLdapAuthServiceFactoryDep) => {
+  const getLdapConfig = async (identityId: string) => {
+    const identity = await identityDAL.findOne({ id: identityId });
+    if (!identity) throw new NotFoundError({ message: `Identity with ID '${identityId}' not found` });
+
+    const identityOrgMembership = await identityOrgMembershipDAL.findOne({ identityId: identity.id });
+    if (!identityOrgMembership) throw new NotFoundError({ message: `Identity with ID '${identityId}' not found` });
+
+    const ldapAuth = await identityLdapAuthDAL.findOne({ identityId: identity.id });
+    if (!ldapAuth) throw new NotFoundError({ message: `LDAP auth with ID '${identityId}' not found` });
+
+    const parsedAllowedFields = ldapAuth.allowedFields
+      ? AllowedFieldsSchema.array().parse(ldapAuth.allowedFields)
+      : undefined;
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: identityOrgMembership.orgId
+    });
+
+    const bindDN = decryptor({ cipherTextBlob: ldapAuth.encryptedBindDN }).toString();
+    const bindPass = decryptor({ cipherTextBlob: ldapAuth.encryptedBindPass }).toString();
+    const ldapCaCertificate = ldapAuth.encryptedLdapCaCertificate
+      ? decryptor({ cipherTextBlob: ldapAuth.encryptedLdapCaCertificate }).toString()
+      : undefined;
+
+    const ldapConfig = {
+      id: ldapAuth.id,
+      organization: identityOrgMembership.orgId,
+      url: ldapAuth.url,
+      bindDN,
+      bindPass,
+      searchBase: ldapAuth.searchBase,
+      searchFilter: ldapAuth.searchFilter,
+      caCert: ldapCaCertificate || "",
+      allowedFields: parsedAllowedFields
+    };
+
+    const opts = {
+      server: {
+        url: ldapAuth.url,
+        bindDN,
+        bindCredentials: bindPass,
+        searchBase: ldapAuth.searchBase,
+        searchFilter: ldapAuth.searchFilter,
+        ...(ldapCaCertificate
+          ? {
+              tlsOptions: {
+                ca: [ldapCaCertificate]
+              }
+            }
+          : {})
+      },
+      passReqToCallback: true
+    };
+
+    return { opts, ldapConfig };
+  };
+
+  const login = async ({ identityId }: TLoginLdapAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+
+    if (!identityMembershipOrg) {
+      throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+    }
+
+    const identityLdapAuth = await identityLdapAuthDAL.findOne({ identityId });
+
+    if (!identityLdapAuth) {
+      throw new NotFoundError({ message: `Failed to find LDAP auth for identity with ID ${identityId}` });
+    }
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    if (!plan.ldap) {
+      throw new BadRequestError({
+        message:
+          "Failed to login to identity due to plan restriction. Upgrade plan to login to use LDAP authentication."
+      });
+    }
+
+    const identityAccessToken = await identityLdapAuthDAL.transaction(async (tx) => {
+      const newToken = await identityAccessTokenDAL.create(
+        {
+          identityId: identityLdapAuth.identityId,
+          isAccessTokenRevoked: false,
+          accessTokenTTL: identityLdapAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityLdapAuth.accessTokenMaxTTL,
+          accessTokenNumUses: 0,
+          accessTokenNumUsesLimit: identityLdapAuth.accessTokenNumUsesLimit,
+          authMethod: IdentityAuthMethod.LDAP_AUTH
+        },
+        tx
+      );
+      return newToken;
+    });
+
+    const appCfg = getConfig();
+    const accessToken = jwt.sign(
+      {
+        identityId: identityLdapAuth.identityId,
+        identityAccessTokenId: identityAccessToken.id,
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+      } as TIdentityAccessTokenJwtPayload,
+      appCfg.AUTH_SECRET,
+      // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+      Number(identityAccessToken.accessTokenTTL) === 0
+        ? undefined
+        : {
+            expiresIn: Number(identityAccessToken.accessTokenTTL)
+          }
+    );
+
+    return { accessToken, identityLdapAuth, identityAccessToken, identityMembershipOrg };
+  };
+
+  const attachLdapAuth = async ({
+    identityId,
+    url,
+    searchBase,
+    searchFilter,
+    bindDN,
+    bindPass,
+    ldapCaCertificate,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId,
+    isActorSuperAdmin,
+    allowedFields
+  }: TAttachLdapAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+
+    if (identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.LDAP_AUTH)) {
+      throw new BadRequestError({
+        message: "Failed to add LDAP Auth to already configured identity"
+      });
+    }
+
+    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+
+    if (!plan.ldap) {
+      throw new BadRequestError({
+        message: "Failed to add LDAP Auth to identity due to plan restriction. Upgrade plan to add LDAP Auth."
+      });
+    }
+
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    if (allowedFields) AllowedFieldsSchema.array().parse(allowedFields);
+
+    const identityLdapAuth = await identityLdapAuthDAL.transaction(async (tx) => {
+      const { encryptor } = await kmsService.createCipherPairWithDataKey({
+        type: KmsDataKey.Organization,
+        orgId: identityMembershipOrg.orgId
+      });
+
+      const { cipherTextBlob: encryptedBindPass } = encryptor({
+        plainText: Buffer.from(bindPass)
+      });
+
+      let encryptedLdapCaCertificate: Buffer | undefined;
+      if (ldapCaCertificate) {
+        const { cipherTextBlob: encryptedCertificate } = encryptor({
+          plainText: Buffer.from(ldapCaCertificate)
+        });
+
+        encryptedLdapCaCertificate = encryptedCertificate;
+      }
+
+      const { cipherTextBlob: encryptedBindDN } = encryptor({
+        plainText: Buffer.from(bindDN)
+      });
+
+      const isConnected = await testLDAPConfig({
+        bindDN,
+        bindPass,
+        caCert: ldapCaCertificate || "",
+        url
+      });
+
+      if (!isConnected) {
+        throw new BadRequestError({
+          message:
+            "Failed to connect to LDAP server. Please ensure that the LDAP server is running and your credentials are correct."
+        });
+      }
+
+      const doc = await identityLdapAuthDAL.create(
+        {
+          identityId: identityMembershipOrg.identityId,
+          encryptedBindDN,
+          encryptedBindPass,
+          searchBase,
+          searchFilter,
+          url,
+          encryptedLdapCaCertificate,
+          accessTokenMaxTTL,
+          accessTokenTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps),
+          allowedFields: allowedFields ? JSON.stringify(allowedFields) : undefined
+        },
+        tx
+      );
+      return doc;
+    });
+    return { ...identityLdapAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const updateLdapAuth = async ({
+    identityId,
+    url,
+    searchBase,
+    searchFilter,
+    bindDN,
+    bindPass,
+    ldapCaCertificate,
+    allowedFields,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TUpdateLdapAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.LDAP_AUTH)) {
+      throw new NotFoundError({
+        message: "The identity does not have LDAP Auth attached"
+      });
+    }
+
+    const identityLdapAuth = await identityLdapAuthDAL.findOne({ identityId });
+
+    if (
+      (accessTokenMaxTTL || identityLdapAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityLdapAuth.accessTokenTTL) > (accessTokenMaxTTL || identityLdapAuth.accessTokenMaxTTL)
+    ) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+
+    if (!plan.ldap) {
+      throw new BadRequestError({
+        message: "Failed to update LDAP Auth due to plan restriction. Upgrade plan to update LDAP Auth."
+      });
+    }
+
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    if (allowedFields) AllowedFieldsSchema.array().parse(allowedFields);
+
+    const { encryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: identityMembershipOrg.orgId
+    });
+
+    let encryptedBindPass: Buffer | undefined;
+    if (bindPass) {
+      const { cipherTextBlob: bindPassCiphertext } = encryptor({
+        plainText: Buffer.from(bindPass)
+      });
+
+      encryptedBindPass = bindPassCiphertext;
+    }
+
+    let encryptedLdapCaCertificate: Buffer | undefined;
+    if (ldapCaCertificate) {
+      const { cipherTextBlob: ldapCaCertificateCiphertext } = encryptor({
+        plainText: Buffer.from(ldapCaCertificate)
+      });
+
+      encryptedLdapCaCertificate = ldapCaCertificateCiphertext;
+    }
+
+    let encryptedBindDN: Buffer | undefined;
+    if (bindDN) {
+      const { cipherTextBlob: bindDNCiphertext } = encryptor({
+        plainText: Buffer.from(bindDN)
+      });
+
+      encryptedBindDN = bindDNCiphertext;
+    }
+
+    const { ldapConfig } = await getLdapConfig(identityId);
+
+    const isConnected = await testLDAPConfig({
+      bindDN: bindDN || ldapConfig.bindDN,
+      bindPass: bindPass || ldapConfig.bindPass,
+      caCert: ldapCaCertificate || ldapConfig.caCert,
+      url: url || ldapConfig.url
+    });
+
+    if (!isConnected) {
+      throw new BadRequestError({
+        message:
+          "Failed to connect to LDAP server. Please ensure that the LDAP server is running and your credentials are correct."
+      });
+    }
+
+    const updatedLdapAuth = await identityLdapAuthDAL.updateById(identityLdapAuth.id, {
+      url,
+      searchBase,
+      searchFilter,
+      encryptedBindDN,
+      encryptedBindPass,
+      encryptedLdapCaCertificate,
+      allowedFields: allowedFields ? JSON.stringify(allowedFields) : undefined,
+      accessTokenMaxTTL,
+      accessTokenTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
+        ? JSON.stringify(reformattedAccessTokenTrustedIps)
+        : undefined
+    });
+
+    return { ...updatedLdapAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const getLdapAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetLdapAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.LDAP_AUTH)) {
+      throw new BadRequestError({
+        message: "The identity does not have LDAP Auth attached"
+      });
+    }
+
+    const ldapIdentityAuth = await identityLdapAuthDAL.findOne({ identityId });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: identityMembershipOrg.orgId
+    });
+
+    const bindDN = decryptor({ cipherTextBlob: ldapIdentityAuth.encryptedBindDN }).toString();
+    const bindPass = decryptor({ cipherTextBlob: ldapIdentityAuth.encryptedBindPass }).toString();
+    const ldapCaCertificate = ldapIdentityAuth.encryptedLdapCaCertificate
+      ? decryptor({ cipherTextBlob: ldapIdentityAuth.encryptedLdapCaCertificate }).toString()
+      : undefined;
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    return { ...ldapIdentityAuth, orgId: identityMembershipOrg.orgId, bindDN, bindPass, ldapCaCertificate };
+  };
+
+  const revokeIdentityLdapAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeLdapAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.LDAP_AUTH)) {
+      throw new BadRequestError({
+        message: "The identity does not have LDAP Auth attached"
+      });
+    }
+    const { permission, membership } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      OrgPermissionIdentityActions.RevokeAuth,
+      OrgPermissionSubjects.Identity,
+      permission,
+      rolePermission
+    );
+
+    if (!permissionBoundary.isValid)
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to revoke LDAP auth of identity with more privileged role",
+          membership.shouldUseNewPrivilegeSystem,
+          OrgPermissionIdentityActions.RevokeAuth,
+          OrgPermissionSubjects.Identity
+        ),
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
+
+    const revokedIdentityLdapAuth = await identityLdapAuthDAL.transaction(async (tx) => {
+      const [deletedLdapAuth] = await identityLdapAuthDAL.delete({ identityId }, tx);
+      await identityAccessTokenDAL.delete({ identityId, authMethod: IdentityAuthMethod.LDAP_AUTH }, tx);
+
+      return { ...deletedLdapAuth, orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityLdapAuth;
+  };
+
+  return {
+    attachLdapAuth,
+    getLdapConfig,
+    updateLdapAuth,
+    login,
+    revokeIdentityLdapAuth,
+    getLdapAuth
+  };
+};

backend/src/services/identity-ldap-auth/identity-ldap-auth-types.ts

@@ -0,0 +1,56 @@
+import { z } from "zod";
+
+import { TProjectPermission } from "@app/lib/types";
+
+export const AllowedFieldsSchema = z.object({
+  key: z.string().trim(),
+  value: z
+    .string()
+    .trim()
+    .transform((val) => val.replace(/\s/g, ""))
+});
+
+export type TAllowedFields = z.infer<typeof AllowedFieldsSchema>;
+
+export type TAttachLdapAuthDTO = {
+  identityId: string;
+  url: string;
+  searchBase: string;
+  searchFilter: string;
+  bindDN: string;
+  bindPass: string;
+  ldapCaCertificate?: string;
+  allowedFields?: TAllowedFields[];
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateLdapAuthDTO = {
+  identityId: string;
+  url?: string;
+  searchBase?: string;
+  searchFilter?: string;
+  bindDN?: string;
+  bindPass?: string;
+  allowedFields?: TAllowedFields[];
+  ldapCaCertificate?: string;
+  accessTokenTTL?: number;
+  accessTokenMaxTTL?: number;
+  accessTokenNumUsesLimit?: number;
+  accessTokenTrustedIps?: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetLdapAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TLoginLdapAuthDTO = {
+  identityId: string;
+};
+
+export type TRevokeLdapAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/identity/identity-fns.ts

@@ -8,7 +8,8 @@ export const buildAuthMethods = ({
   oidcId,
   azureId,
   tokenId,
-  jwtId
+  jwtId,
+  ldapId
 }: {
   uaId?: string;
   gcpId?: string;
@@ -18,6 +19,7 @@ export const buildAuthMethods = ({
   azureId?: string;
   tokenId?: string;
   jwtId?: string;
+  ldapId?: string;
 }) => {
   return [
     ...[uaId ? IdentityAuthMethod.UNIVERSAL_AUTH : null],
@@ -27,6 +29,7 @@ export const buildAuthMethods = ({
     ...[oidcId ? IdentityAuthMethod.OIDC_AUTH : null],
     ...[azureId ? IdentityAuthMethod.AZURE_AUTH : null],
     ...[tokenId ? IdentityAuthMethod.TOKEN_AUTH : null],
-    ...[jwtId ? IdentityAuthMethod.JWT_AUTH : null]
+    ...[jwtId ? IdentityAuthMethod.JWT_AUTH : null],
+    ...[ldapId ? IdentityAuthMethod.LDAP_AUTH : null]
   ].filter((authMethod) => authMethod) as IdentityAuthMethod[];
 };

backend/src/services/identity/identity-org-dal.ts

@@ -14,6 +14,7 @@ import {
   TIdentityUniversalAuths,
   TOrgRoles
 } from "@app/db/schemas";
+import { TIdentityLdapAuths } from "@app/db/schemas/identity-ldap-auths";
 import { BadRequestError, DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
 import { buildKnexFilterForSearchResource } from "@app/lib/search-resource/db";
@@ -81,6 +82,11 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           `${TableName.IdentityOrgMembership}.identityId`,
           `${TableName.IdentityJwtAuth}.identityId`
         )
+        .leftJoin<TIdentityLdapAuths>(
+          TableName.IdentityLdapAuth,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.IdentityLdapAuth}.identityId`
+        )
 
         .select(
           selectAllTableCols(TableName.IdentityOrgMembership),
@@ -93,7 +99,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           db.ref("id").as("azureId").withSchema(TableName.IdentityAzureAuth),
           db.ref("id").as("tokenId").withSchema(TableName.IdentityTokenAuth),
           db.ref("id").as("jwtId").withSchema(TableName.IdentityJwtAuth),
-
+          db.ref("id").as("ldapId").withSchema(TableName.IdentityLdapAuth),
           db.ref("name").withSchema(TableName.Identity)
         );
 
@@ -200,6 +206,12 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           "paginatedIdentity.identityId",
           `${TableName.IdentityJwtAuth}.identityId`
         )
+        .leftJoin<TIdentityLdapAuths>(
+          TableName.IdentityLdapAuth,
+          "paginatedIdentity.identityId",
+          `${TableName.IdentityLdapAuth}.identityId`
+        )
+
         .select(
           db.ref("id").withSchema("paginatedIdentity"),
           db.ref("role").withSchema("paginatedIdentity"),
@@ -217,7 +229,8 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           db.ref("id").as("oidcId").withSchema(TableName.IdentityOidcAuth),
           db.ref("id").as("azureId").withSchema(TableName.IdentityAzureAuth),
           db.ref("id").as("tokenId").withSchema(TableName.IdentityTokenAuth),
-          db.ref("id").as("jwtId").withSchema(TableName.IdentityJwtAuth)
+          db.ref("id").as("jwtId").withSchema(TableName.IdentityJwtAuth),
+          db.ref("id").as("ldapId").withSchema(TableName.IdentityLdapAuth)
         )
         // cr stands for custom role
         .select(db.ref("id").as("crId").withSchema(TableName.OrgRoles))
@@ -259,6 +272,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           oidcId,
           azureId,
           tokenId,
+          ldapId,
           createdAt,
           updatedAt
         }) => ({
@@ -290,7 +304,8 @@ export const identityOrgDALFactory = (db: TDbClient) => {
               oidcId,
               azureId,
               tokenId,
-              jwtId
+              jwtId,
+              ldapId
             })
           }
         }),
@@ -406,6 +421,11 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           `${TableName.IdentityOrgMembership}.identityId`,
           `${TableName.IdentityJwtAuth}.identityId`
         )
+        .leftJoin(
+          TableName.IdentityLdapAuth,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.IdentityLdapAuth}.identityId`
+        )
         .select(
           db.ref("id").withSchema(TableName.IdentityOrgMembership),
           db.ref("total_count").withSchema("searchedIdentities"),
@@ -424,7 +444,8 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           db.ref("id").as("oidcId").withSchema(TableName.IdentityOidcAuth),
           db.ref("id").as("azureId").withSchema(TableName.IdentityAzureAuth),
           db.ref("id").as("tokenId").withSchema(TableName.IdentityTokenAuth),
-          db.ref("id").as("jwtId").withSchema(TableName.IdentityJwtAuth)
+          db.ref("id").as("jwtId").withSchema(TableName.IdentityJwtAuth),
+          db.ref("id").as("ldapId").withSchema(TableName.IdentityLdapAuth)
         )
         // cr stands for custom role
         .select(db.ref("id").as("crId").withSchema(TableName.OrgRoles))
@@ -467,6 +488,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           oidcId,
           azureId,
           tokenId,
+          ldapId,
           createdAt,
           updatedAt
         }) => ({
@@ -498,7 +520,8 @@ export const identityOrgDALFactory = (db: TDbClient) => {
               oidcId,
               azureId,
               tokenId,
-              jwtId
+              jwtId,
+              ldapId
             })
           }
         }),

backend/src/services/integration-auth/integration-delete-secret.ts

@@ -177,7 +177,6 @@ export const deleteGithubSecrets = async ({
     selected_repositories_url?: string | undefined;
   }
 
-  // @ts-expect-error just octokit ts compatiability issue
   const OctokitWithRetry = Octokit.plugin(retry);
   let octokit: Octokit;
   const appCfg = getConfig();

backend/src/services/project-role/project-role-fns.ts

@@ -1,15 +1,20 @@
-import { ProjectMembershipRole } from "@app/db/schemas";
+import { v4 as uuidv4 } from "uuid";
+
+import { ProjectMembershipRole, ProjectType } from "@app/db/schemas";
 import {
+  cryptographicOperatorPermissions,
   projectAdminPermissions,
   projectMemberPermissions,
   projectNoAccessPermissions,
-  projectViewerPermission
-} from "@app/ee/services/permission/project-permission";
+  projectViewerPermission,
+  sshHostBootstrapPermissions
+} from "@app/ee/services/permission/default-roles";
+import { TGetPredefinedRolesDTO } from "@app/services/project-role/project-role-types";
 
-export const getPredefinedRoles = (projectId: string, roleFilter?: ProjectMembershipRole) => {
+export const getPredefinedRoles = ({ projectId, projectType, roleFilter }: TGetPredefinedRolesDTO) => {
   return [
     {
-      id: "b11b49a9-09a9-4443-916a-4246f9ff2c69", // dummy userid
+      id: uuidv4(),
       projectId,
       name: "Admin",
       slug: ProjectMembershipRole.Admin,
@@ -19,7 +24,7 @@ export const getPredefinedRoles = (projectId: string, roleFilter?: ProjectMember
       updatedAt: new Date()
     },
     {
-      id: "b11b49a9-09a9-4443-916a-4246f9ff2c70", // dummy user for zod validation in response
+      id: uuidv4(),
       projectId,
       name: "Developer",
       slug: ProjectMembershipRole.Member,
@@ -29,7 +34,29 @@ export const getPredefinedRoles = (projectId: string, roleFilter?: ProjectMember
       updatedAt: new Date()
     },
     {
-      id: "b11b49a9-09a9-4443-916a-4246f9ff2c71", // dummy user for zod validation in response
+      id: uuidv4(),
+      projectId,
+      name: "SSH Host Bootstrapper",
+      slug: ProjectMembershipRole.SshHostBootstrapper,
+      permissions: sshHostBootstrapPermissions,
+      description: "Create and issue SSH Hosts in a project",
+      createdAt: new Date(),
+      updatedAt: new Date(),
+      type: ProjectType.SSH
+    },
+    {
+      id: uuidv4(),
+      projectId,
+      name: "Cryptographic Operator",
+      slug: ProjectMembershipRole.KmsCryptographicOperator,
+      permissions: cryptographicOperatorPermissions,
+      description: "Perform cryptographic operations, such as encryption and signing, in a project",
+      createdAt: new Date(),
+      updatedAt: new Date(),
+      type: ProjectType.KMS
+    },
+    {
+      id: uuidv4(),
       projectId,
       name: "Viewer",
       slug: ProjectMembershipRole.Viewer,
@@ -39,7 +66,7 @@ export const getPredefinedRoles = (projectId: string, roleFilter?: ProjectMember
       updatedAt: new Date()
     },
     {
-      id: "b11b49a9-09a9-4443-916a-4246f9ff2c72", // dummy user for zod validation in response
+      id: uuidv4(),
       projectId,
       name: "No Access",
       slug: ProjectMembershipRole.NoAccess,
@@ -48,5 +75,5 @@ export const getPredefinedRoles = (projectId: string, roleFilter?: ProjectMember
       createdAt: new Date(),
       updatedAt: new Date()
     }
-  ].filter(({ slug }) => !roleFilter || roleFilter.includes(slug));
+  ].filter(({ slug, type }) => (type ? type === projectType : true) && (!roleFilter || roleFilter === slug));
 };

backend/src/services/project-role/project-role-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import { requestContext } from "@fastify/request-context";
 
-import { ActionProjectType, ProjectMembershipRole, TableName } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole, ProjectType, TableName, TProjects } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
   ProjectPermissionActions,
@@ -34,7 +34,7 @@ type TProjectRoleServiceFactoryDep = {
   projectRoleDAL: TProjectRoleDALFactory;
   identityDAL: Pick<TIdentityDALFactory, "findById">;
   userDAL: Pick<TUserDALFactory, "findById">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug" | "findProjectById">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getUserProjectPermission">;
   identityProjectMembershipRoleDAL: TIdentityProjectMembershipRoleDALFactory;
   projectUserMembershipRoleDAL: TProjectUserMembershipRoleDALFactory;
@@ -98,30 +98,37 @@ export const projectRoleServiceFactory = ({
     roleSlug,
     filter
   }: TGetRoleDetailsDTO) => {
-    let projectId = "";
+    let project: TProjects;
     if (filter.type === ProjectRoleServiceIdentifierType.SLUG) {
-      const project = await projectDAL.findProjectBySlug(filter.projectSlug, actorOrgId);
-      if (!project) throw new NotFoundError({ message: "Project not found" });
-      projectId = project.id;
+      project = await projectDAL.findProjectBySlug(filter.projectSlug, actorOrgId);
     } else {
-      projectId = filter.projectId;
+      project = await projectDAL.findProjectById(filter.projectId);
     }
 
+    if (!project) throw new NotFoundError({ message: "Project not found" });
+
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
-      projectId,
+      projectId: project.id,
       actorAuthMethod,
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
     if (roleSlug !== "custom" && Object.values(ProjectMembershipRole).includes(roleSlug as ProjectMembershipRole)) {
-      const predefinedRole = getPredefinedRoles(projectId, roleSlug as ProjectMembershipRole)[0];
+      const [predefinedRole] = getPredefinedRoles({
+        projectId: project.id,
+        projectType: project.type as ProjectType,
+        roleFilter: roleSlug as ProjectMembershipRole
+      });
+
+      if (!predefinedRole) throw new NotFoundError({ message: `Default role with slug '${roleSlug}' not found` });
+
       return { ...predefinedRole, permissions: UnpackedPermissionSchema.array().parse(predefinedRole.permissions) };
     }
 
-    const customRole = await projectRoleDAL.findOne({ slug: roleSlug, projectId });
+    const customRole = await projectRoleDAL.findOne({ slug: roleSlug, projectId: project.id });
     if (!customRole) throw new NotFoundError({ message: `Project role with slug '${roleSlug}' not found` });
     return { ...customRole, permissions: unpackPermissions(customRole.permissions) };
   };
@@ -194,29 +201,32 @@ export const projectRoleServiceFactory = ({
   };
 
   const listRoles = async ({ actorOrgId, actorAuthMethod, actorId, actor, filter }: TListRolesDTO) => {
-    let projectId = "";
+    let project: TProjects;
     if (filter.type === ProjectRoleServiceIdentifierType.SLUG) {
-      const project = await projectDAL.findProjectBySlug(filter.projectSlug, actorOrgId);
-      if (!project) throw new BadRequestError({ message: "Project not found" });
-      projectId = project.id;
+      project = await projectDAL.findProjectBySlug(filter.projectSlug, actorOrgId);
     } else {
-      projectId = filter.projectId;
+      project = await projectDAL.findProjectById(filter.projectId);
     }
 
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
-      projectId,
+      projectId: project.id,
       actorAuthMethod,
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
     const customRoles = await projectRoleDAL.find(
-      { projectId },
+      { projectId: project.id },
       { sort: [[`${TableName.ProjectRoles}.slug` as "slug", "asc"]] }
     );
-    const roles = [...getPredefinedRoles(projectId), ...(customRoles || [])];
+    const roles = [
+      ...getPredefinedRoles({ projectId: project.id, projectType: project.type as ProjectType }),
+      ...(customRoles || [])
+    ];
 
     return roles;
   };

backend/src/services/project-role/project-role-types.ts

@@ -1,4 +1,4 @@
-import { TOrgRolesUpdate, TProjectRolesInsert } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectType, TOrgRolesUpdate, TProjectRolesInsert } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";
 
 export enum ProjectRoleServiceIdentifierType {
@@ -34,3 +34,9 @@ export type TListRolesDTO = {
     | { type: ProjectRoleServiceIdentifierType.SLUG; projectSlug: string }
     | { type: ProjectRoleServiceIdentifierType.ID; projectId: string };
 } & Omit<TProjectPermission, "projectId">;
+
+export type TGetPredefinedRolesDTO = {
+  projectId: string;
+  projectType: ProjectType;
+  roleFilter?: ProjectMembershipRole;
+};

backend/src/services/project/project-service.ts

@@ -329,14 +329,16 @@ export const projectServiceFactory = ({
       // set default environments and root folder for provided environments
       let envs: TProjectEnvironments[] = [];
       if (projectTemplate) {
-        envs = await projectEnvDAL.insertMany(
-          projectTemplate.environments.map((env) => ({ ...env, projectId: project.id })),
-          tx
-        );
-        await folderDAL.insertMany(
-          envs.map(({ id }) => ({ name: ROOT_FOLDER_NAME, envId: id, version: 1 })),
-          tx
-        );
+        if (projectTemplate.environments) {
+          envs = await projectEnvDAL.insertMany(
+            projectTemplate.environments.map((env) => ({ ...env, projectId: project.id })),
+            tx
+          );
+          await folderDAL.insertMany(
+            envs.map(({ id }) => ({ name: ROOT_FOLDER_NAME, envId: id, version: 1 })),
+            tx
+          );
+        }
         await projectRoleDAL.insertMany(
           projectTemplate.packedRoles.map((role) => ({
             ...role,
@@ -592,7 +594,10 @@ export const projectServiceFactory = ({
         workspaces.map(async (workspace) => {
           return {
             ...workspace,
-            roles: [...(workspaceMappedToRoles[workspace.id] || []), ...getPredefinedRoles(workspace.id)]
+            roles: [
+              ...(workspaceMappedToRoles[workspace.id] || []),
+              ...getPredefinedRoles({ projectId: workspace.id, projectType: workspace.type as ProjectType })
+            ]
           };
         })
       );

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-fns.ts

@@ -169,7 +169,7 @@ const getParameterStoreTagsRecord = async (
 
         throw new SecretSyncError({
           message:
-            "IAM role has inadequate permissions to manage resource tags. Ensure the following polices are present: ssm:ListTagsForResource, ssm:AddTagsToResource, and ssm:RemoveTagsFromResource",
+            "IAM role has inadequate permissions to manage resource tags. Ensure the following policies are present: ssm:ListTagsForResource, ssm:AddTagsToResource, and ssm:RemoveTagsFromResource",
           shouldRetry: false
         });
       }

backend/src/services/super-admin/invalidate-cache-queue.ts

@@ -0,0 +1,49 @@
+import { TKeyStoreFactory } from "@app/keystore/keystore";
+import { logger } from "@app/lib/logger";
+import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
+
+import { CacheType } from "./super-admin-types";
+
+export type TInvalidateCacheQueueFactoryDep = {
+  queueService: TQueueServiceFactory;
+
+  keyStore: Pick<TKeyStoreFactory, "deleteItems" | "setItemWithExpiry" | "deleteItem">;
+};
+
+export type TInvalidateCacheQueueFactory = ReturnType<typeof invalidateCacheQueueFactory>;
+
+export const invalidateCacheQueueFactory = ({ queueService, keyStore }: TInvalidateCacheQueueFactoryDep) => {
+  const startInvalidate = async (dto: {
+    data: {
+      type: CacheType;
+    };
+  }) => {
+    await queueService.queue(QueueName.InvalidateCache, QueueJobs.InvalidateCache, dto, {
+      removeOnComplete: true,
+      removeOnFail: true,
+      jobId: `invalidate-cache-${dto.data.type}`
+    });
+  };
+
+  queueService.start(QueueName.InvalidateCache, async (job) => {
+    try {
+      const {
+        data: { type }
+      } = job.data;
+
+      await keyStore.setItemWithExpiry("invalidating-cache", 1800, "true"); // 30 minutes max (in case the job somehow silently fails)
+
+      if (type === CacheType.ALL || type === CacheType.SECRETS)
+        await keyStore.deleteItems({ pattern: "secret-manager:*" });
+
+      await keyStore.deleteItem("invalidating-cache");
+    } catch (err) {
+      logger.error(err, "Failed to invalidate cache");
+      await keyStore.deleteItem("invalidating-cache");
+    }
+  });
+
+  return {
+    startInvalidate
+  };
+};

backend/src/services/super-admin/super-admin-service.ts

@@ -25,8 +25,10 @@ import { TOrgServiceFactory } from "../org/org-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { TUserAliasDALFactory } from "../user-alias/user-alias-dal";
 import { UserAliasType } from "../user-alias/user-alias-types";
+import { TInvalidateCacheQueueFactory } from "./invalidate-cache-queue";
 import { TSuperAdminDALFactory } from "./super-admin-dal";
 import {
+  CacheType,
   LoginMethod,
   TAdminBootstrapInstanceDTO,
   TAdminGetIdentitiesDTO,
@@ -46,9 +48,10 @@ type TSuperAdminServiceFactoryDep = {
   kmsService: Pick<TKmsServiceFactory, "encryptWithRootKey" | "decryptWithRootKey" | "updateEncryptionStrategy">;
   kmsRootConfigDAL: TKmsRootConfigDALFactory;
   orgService: Pick<TOrgServiceFactory, "createOrganization">;
-  keyStore: Pick<TKeyStoreFactory, "getItem" | "setItemWithExpiry" | "deleteItem">;
+  keyStore: Pick<TKeyStoreFactory, "getItem" | "setItemWithExpiry" | "deleteItem" | "deleteItems">;
   licenseService: Pick<TLicenseServiceFactory, "onPremFeatures">;
   microsoftTeamsService: Pick<TMicrosoftTeamsServiceFactory, "initializeTeamsBot">;
+  invalidateCacheQueue: TInvalidateCacheQueueFactory;
 };
 
 export type TSuperAdminServiceFactory = ReturnType<typeof superAdminServiceFactory>;
@@ -64,7 +67,7 @@ export let getServerCfg: () => Promise<
 
 const ADMIN_CONFIG_KEY = "infisical-admin-cfg";
 const ADMIN_CONFIG_KEY_EXP = 60; // 60s
-const ADMIN_CONFIG_DB_UUID = "00000000-0000-0000-0000-000000000000";
+export const ADMIN_CONFIG_DB_UUID = "00000000-0000-0000-0000-000000000000";
 
 export const superAdminServiceFactory = ({
   serverCfgDAL,
@@ -80,7 +83,8 @@ export const superAdminServiceFactory = ({
   identityAccessTokenDAL,
   identityTokenAuthDAL,
   identityOrgMembershipDAL,
-  microsoftTeamsService
+  microsoftTeamsService,
+  invalidateCacheQueue
 }: TSuperAdminServiceFactoryDep) => {
   const initServerCfg = async () => {
     // TODO(akhilmhdh): bad  pattern time less change this later to me itself
@@ -631,6 +635,16 @@ export const superAdminServiceFactory = ({
     await kmsService.updateEncryptionStrategy(strategy);
   };
 
+  const invalidateCache = async (type: CacheType) => {
+    await invalidateCacheQueue.startInvalidate({
+      data: { type }
+    });
+  };
+
+  const checkIfInvalidatingCache = async () => {
+    return (await keyStore.getItem("invalidating-cache")) !== null;
+  };
+
   return {
     initServerCfg,
     updateServerCfg,
@@ -644,6 +658,8 @@ export const superAdminServiceFactory = ({
     getConfiguredEncryptionStrategies,
     grantServerAdminAccessToUser,
     deleteIdentitySuperAdminAccess,
-    deleteUserSuperAdminAccess
+    deleteUserSuperAdminAccess,
+    invalidateCache,
+    checkIfInvalidatingCache
   };
 };

backend/src/services/super-admin/super-admin-types.ts

@@ -44,3 +44,8 @@ export enum LoginMethod {
   LDAP = "ldap",
   OIDC = "oidc"
 }
+
+export enum CacheType {
+  ALL = "all",
+  SECRETS = "secrets"
+}

backend/src/services/telemetry/telemetry-types.ts

@@ -21,7 +21,8 @@ export enum PostHogEventTypes {
   IssueSshHostUserCert = "Issue SSH Host User Certificate",
   IssueSshHostHostCert = "Issue SSH Host Host Certificate",
   SignCert = "Sign PKI Certificate",
-  IssueCert = "Issue PKI Certificate"
+  IssueCert = "Issue PKI Certificate",
+  InvalidateCache = "Invalidate Cache"
 }
 
 export type TSecretModifiedEvent = {
@@ -203,6 +204,13 @@ export type TIssueCertificateEvent = {
   };
 };
 
+export type TInvalidateCacheEvent = {
+  event: PostHogEventTypes.InvalidateCache;
+  properties: {
+    userAgent?: string;
+  };
+};
+
 export type TPostHogEvent = { distinctId: string } & (
   | TSecretModifiedEvent
   | TAdminInitEvent
@@ -221,4 +229,5 @@ export type TPostHogEvent = { distinctId: string } & (
   | TIssueSshHostHostCertEvent
   | TSignCertificateEvent
   | TIssueCertificateEvent
+  | TInvalidateCacheEvent
 );

docs/api-reference/endpoints/certificates/bundle.mdx

@@ -1,6 +1,6 @@
 ---
 title: "Get Certificate Bundle"
-openapi: "GET /api/v2/workspace/{slug}/bundle"
+openapi: "GET /api/v1/pki/certificates/{serialNumber}/bundle"
 ---
 
 <Note>

docs/api-reference/endpoints/certificates/private-key.mdx

@@ -1,4 +1,4 @@
 ---
 title: "Get Certificate Private Key"
-openapi: "GET /api/v2/workspace/{slug}/private-key"
+openapi: "GET /api/v1/pki/certificates/{serialNumber}/private-key"
 ---

docs/api-reference/endpoints/ldap-auth/attach.mdx

@@ -0,0 +1,4 @@
+---
+title: "Attach"
+openapi: "POST /api/v1/auth/ldap-auth/identities/{identityId}"
+---

docs/api-reference/endpoints/ldap-auth/login.mdx

@@ -0,0 +1,4 @@
+---
+title: "Login"
+openapi: "POST /api/v1/auth/ldap-auth/login"
+---

docs/api-reference/endpoints/ldap-auth/retrieve.mdx

@@ -0,0 +1,4 @@
+---
+title: "Retrieve"
+openapi: "GET /api/v1/auth/ldap-auth/identities/{identityId}"
+---

docs/api-reference/endpoints/ldap-auth/revoke.mdx

@@ -0,0 +1,4 @@
+---
+title: "Revoke"
+openapi: "DELETE /api/v1/auth/ldap-auth/identities/{identityId}"
+---

docs/api-reference/endpoints/ldap-auth/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/auth/ldap-auth/identities/{identityId}"
+---

docs/documentation/platform/access-controls/abac/managing-user-metadata.mdx

@@ -27,7 +27,7 @@ User identities can have metadata attributes assigned directly. These attributes
 </Tabs>
 
 #### Applying ABAC Policies with User Metadata
-Attribute-based access controls are currently only available for polices defined on Secrets Manager projects. 
+Attribute-based access controls are currently only available for policies defined on Secrets Manager projects.
 You can set ABAC permissions to dynamically set access to environments, folders, secrets, and secret tags.
 
 <img src="/images/platform/access-controls/example-abac-1.png" />

docs/documentation/platform/identities/aws-auth.mdx

@@ -62,7 +62,7 @@ access the Infisical API using the AWS Auth authentication method.
 
 <Steps>
     <Step title="Creating an identity">
-    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+    To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
 
     ![identities organization](/images/platform/identities/identities-org.png)
 

docs/documentation/platform/identities/azure-auth.mdx

@@ -62,7 +62,7 @@ access the Infisical API using the Azure Auth authentication method.
 
 <Steps>
     <Step title="Creating an identity">
-    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+    To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
 
     ![identities organization](/images/platform/identities/identities-org.png)
 

docs/documentation/platform/identities/gcp-auth.mdx

@@ -68,7 +68,7 @@ access the Infisical API using the GCP ID Token authentication method.
 
 <Steps>
     <Step title="Creating an identity">
-    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+    To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
 
     ![identities organization](/images/platform/identities/identities-org.png)
 
@@ -237,7 +237,7 @@ access the Infisical API using the GCP IAM authentication method.
 
 <Steps>
     <Step title="Creating an identity">
-    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+    To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
 
     ![identities organization](/images/platform/identities/identities-org.png)
 

docs/documentation/platform/identities/jwt-auth.mdx

@@ -57,7 +57,7 @@ In the following steps, we explore how to create and use identities to access th
 
 <Steps>
 <Step title="Creating an identity">
-    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+    To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
 
     ![identities organization](/images/platform/identities/identities-org.png)
 

docs/documentation/platform/identities/kubernetes-auth.mdx

@@ -163,7 +163,7 @@ In the following steps, we explore how to create and use identities for your app
 </Step>
 
   <Step title="Creating an identity">
-    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+    To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
 
     ![identities organization](/images/platform/identities/identities-org.png)
 

docs/documentation/platform/identities/ldap-auth/general.mdx

@@ -0,0 +1,87 @@
+---
+title: General
+description: "Learn how to authenticate with Infisical using LDAP."
+---
+
+**LDAP Auth** is an LDAP based authentication method that allows you to authenticate with Infisical using a machine identity configured with an [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol) directory.
+
+## Guide
+<Steps>
+  <Step title="Creating an identity">
+    To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
+
+    ![Create identity](/images/platform/identities/ldap/identities-org-create-identity.png)
+
+    When creating an identity, you specify an organization level role for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
+
+    ![Create identity modal](/images/platform/identities/ldap/identities-org-create-identity-modal.png)
+
+    Now input a few details for your new identity. Here's some guidance for each field:
+
+    - Name (required): A friendly name for the identity.
+    - Role (required): A role from the Organization Roles tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
+
+    Once you've created an identity, you'll be redirected to a page where you can manage the identity.
+  </Step>
+
+  <Step title="Configuring LDAP auth for your identity">
+    To configure LDAP auth for your identity, press the **Add Auth Method** button on the identity's page.
+
+    ![Add auth method](/images/platform/identities/ldap/identities-org-add-auth-method.png)
+    
+    Now select **LDAP Auth** from the list of available auth methods for the identity.
+
+    ![Select LDAP auth](/images/platform/identities/ldap/identities-org-add-auth-method-modal.png)
+    
+    
+    After selecting **LDAP Auth**, you'll see the form you need to fill out to configure LDAP auth for your identity. The following fields are available:
+
+    - `URL`: The LDAP server to connect to such as `ldap://ldap.your-org.com`, `ldaps://ldap.myorg.com:636` _(for connection over SSL/TLS)_, etc.
+    - `Bind DN`: The DN to bind to the LDAP server with.
+    - `Bind Pass`: The password to bind to the LDAP server with.
+    - `Search Base / DN`: Base DN under which to perform user search such as `ou=Users,dc=acme,dc=com`.
+    - `User Search Filter`: Template used to construct the LDAP user search filter such as `(uid={{username}})`; use literal `{{username}}` to have the given username used in the search. The default is `(uid={{username}})` which is compatible with several common directory schemas.
+    - `Required Attributes`: A key/value pair of attributes that must be present in the LDAP user entry for them to be authenticated. As an example, if you set key `uid` to value `user1,user2,user3`, then only users with `uid` of `user1`, `user2`, or `user3` will be able to login with this identity. Each value is a comma separated list of attributes.
+    - `CA Certificate`: The CA certificate to use when verifying the LDAP server certificate. This field is optional but recommended.
+    - `Access Token TTL` _(default is 2592000 equivalent to 30 days)_: The lifetime for an access token in seconds. This value will be referenced at renewal time.
+    - `Access Token Max TTL` _(default is 2592000 equivalent to 30 days)_: The maximum lifetime for an access token in seconds. This value will be referenced at renewal time.
+    - `Access Token Max Number of Uses` _(default is 0)_: The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses.
+    - `Access Token Trusted IPs`: The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the 0.0.0.0/0, allowing usage from any network address.
+
+    Once you've filled out the form, press **Add** to save your changes.
+
+    ![Configure LDAP auth](/images/platform/identities/ldap/identities-org-configure-ldap.png)
+
+    <Step title="Authenticating with the identity">
+      After configuring LDAP auth for your identity, you can authenticate with the identity and obtain an access token using your LDAP credentials.
+
+      ```bash
+        curl --request POST \
+          --url https://app.infisical.com/api/v1/auth/ldap-auth/login \
+          --header 'Content-Type: application/json' \
+          --data '{
+          "identityId": "<string>",
+          "username": "<string>",
+          "password": "<string>"
+        }'
+      ```
+
+      <Note>
+        For EU Cloud and Self-Hosted users, make sure to replace `https://app.infisical.com` with `https://eu.infisical.com` or your self-hosted instance's URL in the request URL.
+      </Note>
+
+      If successful, you'll receive an access token in the response body.
+
+      ```json
+      {
+        "accessToken": "your-access-token",
+        "expiresIn": 2592000,
+        "accessTokenMaxTTL": 2592000,
+        "tokenType": "Bearer"
+      }
+      ```
+
+      You can read more about the login API endpoint [here](/api-reference/endpoints/ldap-auth/login).
+    </Step>
+  </Step>
+</Steps>

docs/documentation/platform/identities/ldap-auth/jumpcloud.mdx

@@ -0,0 +1,97 @@
+---
+title: JumpCloud
+description: "Learn how to authenticate with Infisical using LDAP with JumpCloud."
+---
+
+**LDAP Auth** is an LDAP based authentication method that allows you to authenticate with Infisical using a machine identity configured with an [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol) directory.
+
+## Guide
+<Steps>
+
+  <Step title="Prepare LDAP in JumpCloud">
+    In JumpCloud, head to USER MANAGEMENT > Users and create a new user via the Manual user entry option.
+    This user will be used as a privileged service account to facilitate Infisical's ability to bind/search the LDAP directory.
+
+    Next after creating the user, under User Security Settings and Permissions > Permission Settings, check the box next to Enable as LDAP Bind DN.
+
+    ![User management](/images/platform/identities/ldap/jumpcloud-users-management.png)
+  </Step>
+
+  <Step title="Creating an identity">
+    To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
+
+    ![Create identity](/images/platform/identities/ldap/identities-org-create-identity.png)
+
+    When creating an identity, you specify an organization level role for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
+
+    ![Create identity modal](/images/platform/identities/ldap/identities-org-create-identity-modal.png)
+
+    Now input a few details for your new identity. Here's some guidance for each field:
+
+    - Name (required): A friendly name for the identity.
+    - Role (required): A role from the Organization Roles tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
+
+    Once you've created an identity, you'll be redirected to a page where you can manage the identity.
+  </Step>
+
+  <Step title="Configuring LDAP auth for your identity">
+    To configure LDAP auth for your identity, press the **Add Auth Method** button on the identity's page.
+
+    ![Add auth method](/images/platform/identities/ldap/identities-org-add-auth-method.png)
+    
+    Now select **LDAP Auth** from the list of available auth methods for the identity.
+
+    ![Select LDAP auth](/images/platform/identities/ldap/identities-org-add-auth-method-modal.png)
+    
+    
+    After selecting **LDAP Auth**, you'll see the form you need to fill out to configure LDAP auth for your identity. The following fields are available:
+
+    - `URL`: The LDAP server to connect to (`ldaps://ldap.jumpcloud.com:636`).
+    - `Bind DN`: The distinguished name of object to bind when performing the user search (`uid=<ldap-user-username>,ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
+    - `Bind Pass`: The password to use along with Bind DN when performing the user search. This is the password for the user created in the previous step.
+    - `Search Base / DN`: Base DN under which to perform user search (`ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
+    - `User Search Filter`: Template used to construct the LDAP user search filter (`(uid={{username}})`).
+    - `Required Attributes`: A key/value pair of attributes that must be present in the LDAP user entry for them to be authenticated. As an example, if you set key `uid` to value `user1,user2,user3`, then only users with `uid` of `user1`, `user2`, or `user3` will be able to login with this identity. Each value is a comma separated list of attributes.
+    - `CA Certificate`: The CA certificate to use when verifying the LDAP server certificate (instructions to obtain the certificate for JumpCloud [here](https://jumpcloud.com/support/connect-to-ldap-with-tls-ssl)).
+    - `Access Token TTL` _(default is 2592000 equivalent to 30 days)_: The lifetime for an access token in seconds. This value will be referenced at renewal time.
+    - `Access Token Max TTL` _(default is 2592000 equivalent to 30 days)_: The maximum lifetime for an access token in seconds. This value will be referenced at renewal time.
+    - `Access Token Max Number of Uses` _(default is 0)_: The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses.
+    - `Access Token Trusted IPs`: The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the 0.0.0.0/0, allowing usage from any network address.
+
+    Once you've filled out the form, press **Add** to save your changes.
+
+    ![Configure LDAP auth](/images/platform/identities/ldap/identities-org-configure-ldap.png)
+
+    <Step title="Authenticating with the identity">
+      After configuring LDAP auth for your identity, you can authenticate with the identity and obtain an access token using your LDAP credentials.
+
+      ```bash
+        curl --request POST \
+          --url https://app.infisical.com/api/v1/auth/ldap-auth/login \
+          --header 'Content-Type: application/json' \
+          --data '{
+          "identityId": "<string>",
+          "username": "<string>",
+          "password": "<string>"
+        }'
+      ```
+
+      <Note>
+        For EU Cloud and Self-Hosted users, make sure to replace `https://app.infisical.com` with `https://eu.infisical.com` or your self-hosted instance's URL in the request URL.
+      </Note>
+
+      If successful, you'll receive an access token in the response body.
+
+      ```json
+      {
+        "accessToken": "your-access-token",
+        "expiresIn": 2592000,
+        "accessTokenMaxTTL": 2592000,
+        "tokenType": "Bearer"
+      }
+      ```
+
+      You can read more about the login API endpoint [here](/api-reference/endpoints/ldap-auth/login).
+    </Step>
+  </Step>
+</Steps>

docs/documentation/platform/identities/oidc-auth/circleci.mdx

@@ -52,7 +52,7 @@ In the following steps, we explore how to create and use identities to access th
 
 <Steps>
     <Step title="Creating an identity">
-    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+    To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
 
     ![identities organization](/images/platform/identities/identities-org.png)
 

docs/documentation/platform/identities/oidc-auth/general.mdx

@@ -56,7 +56,7 @@ In the following steps, we explore how to create and use identities to access th
 
 <Steps>
     <Step title="Creating an identity">
-    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+    To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
 
     ![identities organization](/images/platform/identities/identities-org.png)
 

docs/documentation/platform/identities/oidc-auth/github.mdx

@@ -55,7 +55,7 @@ In the following steps, we explore how to create and use identities to access th
 
 <Steps>
     <Step title="Creating an identity">
-    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+    To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
 
     ![identities organization](/images/platform/identities/identities-org.png)
 

docs/documentation/platform/identities/oidc-auth/gitlab.mdx

@@ -55,7 +55,7 @@ In the following steps, we explore how to create and use identities to access th
 
 <Steps>
     <Step title="Creating an identity">
-        To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**. 
+        To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**. 
         
         ![identities organization](/images/platform/identities/identities-org.png)
         

docs/documentation/platform/identities/token-auth.mdx

@@ -38,7 +38,7 @@ using the Token Auth authentication method.
 
 <Steps>
   <Step title="Creating an identity">
-    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+    To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
 
     ![identities organization](/images/platform/identities/identities-org.png)
 

docs/documentation/platform/identities/universal-auth.mdx

@@ -42,7 +42,7 @@ using the Universal Auth authentication method.
 
 <Steps>
   <Step title="Creating an identity">
-    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+    To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
 
     ![identities organization](/images/platform/identities/identities-org.png)
 

docs/documentation/platform/project-templates.mdx

@@ -33,7 +33,7 @@ In the following steps, we'll explore how to set up a project template.
     <Tab title="Infisical UI">
         <Steps>
             <Step title="Creating a Project Template">
-                Navigate to the Project Templates tab on the Organization Settings page and tap on the **Add Template** button.
+                Navigate to the **Project Templates** tab on the Feature Settings page for the project type you want to create a template for and tap on the **Add Template** button.
                 ![project template add button](/images/platform/project-templates/project-template-add-button.png)
 
                 Specify your template details. Here's some guidance on each field:
@@ -67,6 +67,7 @@ In the following steps, we'll explore how to set up a project template.
         --header 'Content-Type: application/json' \
         --data '{
             "name": "my-project-template",
+            "type": "secret-manager",
             "description": "...",
             "environments": "[...]",
             "roles": "[...]",

docs/documentation/platform/ssh/overview.mdx

@@ -31,16 +31,9 @@ we will register a remote host with Infisical through a [machine identity](/docu
 
 <Steps>
   <Step title="Create an Infisical SSH project">
-    1.1. Start by creating a new Infisical SSH project in Infisical.
+    Start by creating a new Infisical SSH project in Infisical.
     
     ![ssh project create](/images/platform/ssh/v2/ssh-create-project.png)
-    
-    1.2. Create a custom role in the project under Access Control > Project Roles to grant the machine identity that we will create in step 2 the ability to **Create** and **Issue Host Certificates** on the **SSH Host** resource; this will enable the linked machine identity to bootstrap a remote host with Infisical
-    and establish the necessary configuration on it.
-    
-    ![ssh custom role bootstrap 1](/images/platform/ssh/v2/ssh-add-bootstrap-role-1.png)
-    
-    ![ssh custom role bootstrap 2](/images/platform/ssh/v2/ssh-add-bootstrap-role-2.png)
   </Step>
   <Step title="Create a machine identity for bootstrapping Infisical SSH">
     2.1. Follow the instructions [here](/documentation/platform/identities/universal-auth) to configure a [machine identity](/documentation/platform/identities/machine-identities) in Infisical with Universal Auth.
@@ -52,7 +45,14 @@ we will register a remote host with Infisical through a [machine identity](/docu
         You may use other authentication methods as suitable (e.g. [AWS Auth](/documentation/platform/identities/aws-auth), [Azure Auth](/documentation/platform/identities/azure-auth), [GCP Auth](/documentation/platform/identities/gcp-auth), etc.) as part of the machine identity configuration but, to keep this example simple, we will be using Universal Auth.
     </Note>
 
-    2.2. Add the machine identity to the Infisical SSH project you created in the previous step and assign it the custom role you created in step 1.2.
+    2.2. Add the machine identity to the Infisical SSH project you created in the previous step and assign it the **SSH Host Bootstrapper** role.
+
+      This role grants the ability to **Create** and **Issue Host Certificates** on the **SSH Host** resource; this will enable the linked machine identity to bootstrap a remote host with Infisical
+      and establish the necessary configuration on it.
+
+      <Tip>
+          If you plan to use a custom role to bootstrap SSH hosts, ensure the role has the **Create** and **Issue Host Certificates** on the **SSH Host** resource.
+      </Tip>
 
     ![ssh add identity to project](/images/platform/ssh/v2/ssh-add-identity-to-project.png)
 

docs/integrations/platforms/kubernetes/infisical-dynamic-secret-crd.mdx

@@ -165,7 +165,7 @@ spec:
 </Accordion>
 
   <Accordion title="managedSecretReference.creationPolicy">
-    Creation polices allow you to control whether or not owner references should be added to the managed Kubernetes secret that is generated by the Infisical operator. 
+    Creation policies allow you to control whether or not owner references should be added to the managed Kubernetes secret that is generated by the Infisical operator.
     This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically.
 
     #### Available options

docs/integrations/platforms/kubernetes/infisical-push-secret-crd.mdx

@@ -34,7 +34,7 @@ Before applying the InfisicalPushSecret CRD, you need to create a Kubernetes sec
   metadata:
     name: infisical-push-secret-demo
   spec:
-    resyncInterval: 1m
+    resyncInterval: 1m # Remove this field to disable automatic reconciliation of the InfisicalPushSecret CRD.
     hostAPI: https://app.infisical.com/api
 
     # Optional, defaults to no replacement.
@@ -124,7 +124,9 @@ After applying the InfisicalPushSecret CRD, you should notice that the secrets y
 
 <Accordion title="resyncInterval">
 
-  The `resyncInterval` is a string-formatted duration that defines the time between each resync.
+  The `resyncInterval` is a string-formatted duration that defines the time between each resync. The field is optional, and will default to no automatic resync if not defined.
+
+  If you don't want to automatically reconcile the InfisicalPushSecret CRD on an interval, you can remove the `resyncInterval` field entirely from your InfisicalPushSecret CRD.
 
   The format of the field is `[duration][unit]` where `duration` is a number and `unit` is a string representing the unit of time.
 
@@ -239,7 +241,21 @@ After applying the InfisicalPushSecret CRD, you should notice that the secrets y
         DATABASE_URL: postgres://127.0.0.1:5432
         ENCRYPTION_KEY: fabcc12-a22-facbaa4-11aa568aab
     ```
+  </Accordion>
+  <Accordion title="generators[]">
+    The `generators[]` field is used to define the generators you want to use for your InfisicalPushSecret CRD.
+    You can follow the guide for [using generators to push secrets](#using-generators-to-push-secrets) for more information.
 
+    Example:
+
+    ```yaml
+      push:
+        generators:
+          - destinationSecretName: password-generator-test
+            generatorRef:
+              kind: Password
+              name: password-generator
+    ```
   </Accordion>
 </Accordion>
 
@@ -459,6 +475,148 @@ Using Go templates, you can format, combine, and create new key-value pairs of s
   Please refer to the [templating functions documentation](/integrations/platforms/kubernetes/overview#available-helper-functions) for more information.
 </Accordion>
 
+## Using generators to push secrets
+
+Generators allow secrets to be dynamically generated during each reconciliation cycle and then pushed to Infisical. They are useful for use cases where a new secret value is needed on every sync, such as ephemeral credentials or one-time-use tokens.
+
+A generator is defined as a custom resource (`ClusterGenerator`) within the cluster, which specifies the logic for generating secret values. Generators are stateless, each invocation triggers the creation of a new set of values, with no tracking or persistence of previously generated data.
+
+Because of this behavior, you may want to disable automatic syncing for the `InfisicalPushSecret` resource to avoid continuous regeneration of secrets. This can be done by omitting the `resyncInterval` field from the InfisicalPushSecret CRD.
+
+### Example usage 
+```yaml
+  push:
+    secret:
+      secretName: push-secret-source-secret
+      secretNamespace: dev
+    generators:
+      - destinationSecretName: password-generator # Name of the secret that will be created in Infisical
+        generatorRef:
+          kind: Password # Kind of the resource, must match the generator kind.
+          name: custom-generator # Name of the generator resource
+```
+
+To use a generator, you must specify at least one generator in the `push.generators[]` field.
+
+
+<Accordion title="push.generators[]">
+  This field holds an array of the generators you want to use for your InfisicalPushSecret CRD.
+</Accordion>
+
+<Accordion title="push.generators[].destinationSecretName">
+  The name of the secret that will be created in Infisical.
+</Accordion>
+
+<Accordion title="push.generators[].generatorRef">
+  The reference to the generator resource.
+
+  Valid fields:
+  - `kind`: The kind of the generator resource, must match the generator kind.
+  - `name`: The name of the generator resource.
+</Accordion>
+
+<Accordion title="push.generators[].generatorRef.kind">
+  The kind of the generator resource, must match the generator kind.
+
+  Valid values:
+  - `Password`
+  - `UUID`
+</Accordion>
+
+<Accordion title="push.generators[].generatorRef.name">
+  The name of the generator resource.
+</Accordion>
+
+### Supported Generators
+Below are the currently supported generators for the InfisicalPushSecret CRD. Each generator is a `ClusterGenerator` custom resource that can be used to customize the generated secret.
+
+<Accordion title="Password Generator">
+  ### Password Generator
+
+  The Password generator is a custom resource that is installed on the cluster that defines the logic for generating a password.
+    - `kind`: The kind of the generator resource, must match the generator kind. For the Password generator, the kind is `Password`.
+    - `generator.passwordSpec`: The spec of the password generator.
+
+    <Accordion title="generator.kind">
+    The `generator.kind` field must match the kind of the generator resource. For the Password generator, the kind should always be set to  `Password`.
+    </Accordion>
+    <Accordion title="generator.passwordSpec">
+    - `length`: The length of the password.
+    - `digits`: The number of digits in the password.
+    - `symbols`: The number of symbols in the password.
+    - `symbolCharacters`: The characters to use for the symbols in the password.
+    - `noUpper`: Whether to include uppercase letters in the password.
+    - `allowRepeat`: Whether to allow repeating characters in the password.
+    </Accordion>
+
+  ```yaml password-cluster-generator.yaml
+  apiVersion: secrets.infisical.com/v1alpha1
+  kind: ClusterGenerator
+  metadata:
+    name: password-generator
+  spec:
+    kind: Password
+    generator:
+      passwordSpec:
+        length: 10
+        digits: 5
+        symbols: 5
+        symbolCharacters: "-_$@"
+        noUpper: false
+        allowRepeat: true
+  ```
+
+  Example InfisicalPushSecret CRD using the Password generator:
+  ```yaml infisical-push-secret-crd.yaml
+    push:
+      generators:
+        - destinationSecretName: password-generator-test
+          generatorRef:
+            kind: Password
+            name: password-generator
+  ```
+</Accordion>
+<Accordion title="UUID Generator">
+  ### UUID Generator
+
+  The UUID generator is a custom resource that is installed on the cluster that defines the logic for generating a UUID.
+  - `kind`: The kind of the generator resource, must match the generator kind. For the UUID generator, the kind is `UUID`.
+  - `generator.uuidSpec`: The spec of the UUID generator. For UUID's, this can be left empty.
+
+  <Accordion title="generator.kind">
+    The `generator.kind` field must match the kind of the generator resource. For the UUID generator, the kind should always be set to  `UUID`.
+  </Accordion>
+
+  <Accordion title="generator.uuidSpec">
+    The spec of the UUID generator. For UUID's, this can be left empty.
+  </Accordion>
+
+  ```yaml uuid-cluster-generator.yaml
+    apiVersion: secrets.infisical.com/v1alpha1
+    kind: ClusterGenerator
+    metadata:
+      name: uuid-generator
+    spec:
+      kind: UUID
+      generator:
+        uuidSpec:
+  ```
+
+  Example InfisicalPushSecret CRD using the UUID generator:
+
+  ```yaml infisical-push-secret-crd.yaml
+    push:
+      generators:
+        - destinationSecretName: uuid-generator-test
+          generatorRef:
+            kind: UUID
+            name: uuid-generator
+  ```
+</Accordion>
+
+
+
+
 ## Applying the InfisicalPushSecret CRD to your cluster
 
 Once you have configured the `InfisicalPushSecret` CRD with the required fields, you can apply it to your cluster.

docs/integrations/platforms/kubernetes/infisical-secret-crd.mdx

@@ -232,7 +232,7 @@ spec:
         </Step>
 
         <Step title="Creating an identity">
-          To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+          To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
 
           ![identities organization](/images/platform/identities/identities-org.png)
 
@@ -407,7 +407,7 @@ spec:
         </Step>
 
         <Step title="Creating an identity">
-          To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+          To create an identity, head to your Organization Settings > Access Control > Identities and press **Create identity**.
 
           ![identities organization](/images/platform/identities/identities-org.png)
 
@@ -832,7 +832,7 @@ The namespace of the managed Kubernetes secret to be created.
 Override the default Opaque type for managed secrets with this field. Useful for creating kubernetes.io/dockerconfigjson secrets.
 </Accordion>
 <Accordion title="managedKubeSecretReferences[].creationPolicy">
-Creation polices allow you to control whether or not owner references should be added to the managed Kubernetes secret that is generated by the Infisical operator. 
+Creation policies allow you to control whether or not owner references should be added to the managed Kubernetes secret that is generated by the Infisical operator.
 This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically.
 
 #### Available options
@@ -940,7 +940,7 @@ The Infisical operator will automatically create the Kubernetes config map in th
   The namespace of the managed Kubernetes config map that your Infisical data will be stored in. 
 </Accordion>
 <Accordion title="managedKubeConfigMapReferences[].creationPolicy">
-  Creation polices allow you to control whether or not owner references should be added to the managed Kubernetes config map that is generated by the Infisical operator. 
+  Creation policies allow you to control whether or not owner references should be added to the managed Kubernetes config map that is generated by the Infisical operator.
   This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically.
 
   #### Available options

docs/mint.json

@@ -247,68 +247,88 @@
     {
       "group": "Authentication Methods",
       "pages": [
-        "documentation/platform/auth-methods/email-password",
-        "documentation/platform/token",
-        "documentation/platform/identities/token-auth",
-        "documentation/platform/identities/universal-auth",
-        "documentation/platform/identities/kubernetes-auth",
-        "documentation/platform/identities/gcp-auth",
-        "documentation/platform/identities/azure-auth",
-        "documentation/platform/identities/aws-auth",
-        "documentation/platform/identities/jwt-auth",
         {
-          "group": "OIDC Auth",
+          "group": "User Authentication",
           "pages": [
-            "documentation/platform/identities/oidc-auth/general",
-            "documentation/platform/identities/oidc-auth/github",
-            "documentation/platform/identities/oidc-auth/circleci",
-            "documentation/platform/identities/oidc-auth/gitlab",
-            "documentation/platform/identities/oidc-auth/terraform-cloud"
-          ]
-        },
-        "documentation/platform/mfa",
-        {
-          "group": "SSO",
-          "pages": [
-            "documentation/platform/sso/overview",
-            "documentation/platform/sso/google",
-            "documentation/platform/sso/github",
-            "documentation/platform/sso/gitlab",
-            "documentation/platform/sso/okta",
-            "documentation/platform/sso/azure",
-            "documentation/platform/sso/jumpcloud",
-            "documentation/platform/sso/keycloak-saml",
-            "documentation/platform/sso/google-saml",
-            "documentation/platform/sso/auth0-saml",
+            "documentation/platform/auth-methods/email-password",
             {
-              "group": "Keycloak OIDC",
+              "group": "SSO",
               "pages": [
-                "documentation/platform/sso/keycloak-oidc/overview",
-                "documentation/platform/sso/keycloak-oidc/group-membership-mapping"
+                "documentation/platform/sso/overview",
+                "documentation/platform/sso/google",
+                "documentation/platform/sso/github",
+                "documentation/platform/sso/gitlab",
+                "documentation/platform/sso/okta",
+                "documentation/platform/sso/azure",
+                "documentation/platform/sso/jumpcloud",
+                "documentation/platform/sso/keycloak-saml",
+                "documentation/platform/sso/google-saml",
+                "documentation/platform/sso/auth0-saml",
+                {
+                  "group": "Keycloak OIDC",
+                  "pages": [
+                    "documentation/platform/sso/keycloak-oidc/overview",
+                    "documentation/platform/sso/keycloak-oidc/group-membership-mapping"
+                  ]
+                },
+                "documentation/platform/sso/auth0-oidc",
+                "documentation/platform/sso/general-oidc"
               ]
             },
-            "documentation/platform/sso/auth0-oidc",
-            "documentation/platform/sso/general-oidc"
+            {
+              "group": "LDAP",
+              "pages": [
+                "documentation/platform/ldap/overview",
+                "documentation/platform/ldap/jumpcloud",
+                "documentation/platform/ldap/general"
+              ]
+            },
+            {
+              "group": "SCIM",
+              "pages": [
+                "documentation/platform/scim/overview",
+                "documentation/platform/scim/okta",
+                "documentation/platform/scim/azure",
+                "documentation/platform/scim/jumpcloud",
+                "documentation/platform/scim/group-mappings"
+              ]
+            }
           ]
         },
+
         {
-          "group": "LDAP",
+          "group": "Machine Identities",
           "pages": [
-            "documentation/platform/ldap/overview",
-            "documentation/platform/ldap/jumpcloud",
-            "documentation/platform/ldap/general"
-          ]
-        },
-        {
-          "group": "SCIM",
-          "pages": [
-            "documentation/platform/scim/overview",
-            "documentation/platform/scim/okta",
-            "documentation/platform/scim/azure",
-            "documentation/platform/scim/jumpcloud",
-            "documentation/platform/scim/group-mappings"
+            "documentation/platform/identities/token-auth",
+            "documentation/platform/identities/universal-auth",
+            "documentation/platform/identities/kubernetes-auth",
+            "documentation/platform/identities/gcp-auth",
+            "documentation/platform/identities/azure-auth",
+            "documentation/platform/identities/aws-auth",
+            "documentation/platform/identities/jwt-auth",
+
+            {
+              "group": "OIDC Auth",
+              "pages": [
+                "documentation/platform/identities/oidc-auth/general",
+                "documentation/platform/identities/oidc-auth/github",
+                "documentation/platform/identities/oidc-auth/circleci",
+                "documentation/platform/identities/oidc-auth/gitlab",
+                "documentation/platform/identities/oidc-auth/terraform-cloud"
+              ]
+            },
+
+            {
+              "group": "LDAP Auth",
+              "pages": [
+                "documentation/platform/identities/ldap-auth/general",
+                "documentation/platform/identities/ldap-auth/jumpcloud"
+              ]
+            }
           ]
         },
+        "documentation/platform/token",        
+        "documentation/platform/mfa",
         "documentation/platform/github-org-sync"
       ]
     },
@@ -715,6 +735,16 @@
             "api-reference/endpoints/jwt-auth/revoke"
           ]
         },
+        {
+          "group": "LDAP Auth",
+          "pages": [
+            "api-reference/endpoints/ldap-auth/login",
+            "api-reference/endpoints/ldap-auth/attach",
+            "api-reference/endpoints/ldap-auth/retrieve",
+            "api-reference/endpoints/ldap-auth/update",
+            "api-reference/endpoints/ldap-auth/revoke"
+          ]
+        },
         {
           "group": "Groups",
           "pages": [

frontend/src/components/projects/NewProjectModal.tsx

@@ -72,7 +72,7 @@ const NewProjectForm = ({ onOpenChange, projectType }: NewProjectFormProps) => {
     OrgPermissionSubjects.ProjectTemplates
   );
 
-  const { data: projectTemplates = [] } = useListProjectTemplates({
+  const { data: projectTemplates = [] } = useListProjectTemplates(projectType, {
     enabled: Boolean(canReadProjectTemplates && subscription?.projectTemplates)
   });
 

frontend/src/components/projects/ProjectSettings/ProjectSettings.tsx

@@ -0,0 +1,30 @@
+import { useState } from "react";
+
+import { Tab, TabList, TabPanel, Tabs } from "@app/components/v2";
+
+import { ProjectTemplatesTab } from "./components";
+
+const tabs = [
+  { name: "Project Templates", key: "project-templates", component: ProjectTemplatesTab }
+];
+
+export const ProjectSettings = () => {
+  const [selectedTab, setSelectedTab] = useState(tabs[0].key);
+
+  return (
+    <Tabs value={selectedTab} onValueChange={setSelectedTab}>
+      <TabList>
+        {tabs.map((tab) => (
+          <Tab value={tab.key} key={tab.key}>
+            {tab.name}
+          </Tab>
+        ))}
+      </TabList>
+      {tabs.map(({ key, component: Component }) => (
+        <TabPanel value={key} key={`tab-panel-${key}`}>
+          <Component />
+        </TabPanel>
+      ))}
+    </Tabs>
+  );
+};