misc: hide not found text when flag plain is enabled

feat(cli): persistant `file` vault passphrase

.github/workflows/build-binaries.yml

@@ -14,7 +14,6 @@ defaults:
 
 jobs:
     build-and-deploy:
-        runs-on: ubuntu-20.04
         strategy:
             matrix:
                 arch: [x64, arm64]
@@ -24,6 +23,7 @@ jobs:
                       target: node20-linux
                     - os: win
                       target: node20-win
+        runs-on: ${{ (matrix.arch == 'arm64' && matrix.os == 'linux') && 'ubuntu24-arm64' || 'ubuntu-latest' }}
 
         steps:
             - name: Checkout code
@@ -49,9 +49,9 @@ jobs:
             - name: Package into node binary
               run: |
                   if [ "${{ matrix.os }}" != "linux" ]; then
-                    pkg --no-bytecode --public-packages "*" --public --compress Brotli --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }} .
+                    pkg --no-bytecode --public-packages "*" --public --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }} .
                   else
-                    pkg --no-bytecode --public-packages "*" --public --compress Brotli --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core .
+                    pkg --no-bytecode --public-packages "*" --public --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core .
                   fi
 
             # Set up .deb package structure (Debian/Ubuntu only)
@@ -84,7 +84,12 @@ jobs:
                   mv infisical-core.deb ./binary/infisical-core-${{matrix.arch}}.deb
 
             - uses: actions/setup-python@v4
-            - run: pip install --upgrade cloudsmith-cli
+              with:
+                  python-version: "3.x" # Specify the Python version you need
+            - name: Install Python dependencies
+              run: |
+                  python -m pip install --upgrade pip
+                  pip install --upgrade cloudsmith-cli
 
             # Publish .deb file to Cloudsmith (Debian/Ubuntu only)
             - name: Publish to Cloudsmith (Debian/Ubuntu)

.github/workflows/check-api-for-breaking-changes.yml

@@ -22,14 +22,14 @@ jobs:
       # uncomment this when testing locally using nektos/act
       - uses: KengoTODA/actions-setup-docker-compose@v1
         if: ${{ env.ACT }}
-        name: Install `docker-compose` for local simulations
+        name: Install `docker compose` for local simulations
         with:
           version: "2.14.2"
       - name: 📦Build the latest image
         run: docker build --tag infisical-api .
         working-directory: backend
       - name: Start postgres and redis
-        run: touch .env && docker-compose -f docker-compose.dev.yml up -d db redis
+        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
       - name: Start the server
         run: |
             echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
@@ -72,6 +72,6 @@ jobs:
         run: oasdiff breaking https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json --fail-on ERR
       - name: cleanup
         run: |
-          docker-compose -f "docker-compose.dev.yml" down
+          docker compose -f "docker-compose.dev.yml" down
           docker stop infisical-api
           docker remove infisical-api

.github/workflows/run-backend-tests.yml

@@ -20,7 +20,7 @@ jobs:
         uses: actions/checkout@v3
       - uses: KengoTODA/actions-setup-docker-compose@v1
         if: ${{ env.ACT }}
-        name: Install `docker-compose` for local simulations
+        name: Install `docker compose` for local simulations
         with:
           version: "2.14.2"
       - name: 🔧 Setup Node 20
@@ -33,7 +33,7 @@ jobs:
         run: npm install
         working-directory: backend
       - name: Start postgres and redis
-        run: touch .env && docker-compose -f docker-compose.dev.yml up -d db redis
+        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
       - name: Start integration test
         run: npm run test:e2e
         working-directory: backend
@@ -44,4 +44,4 @@ jobs:
           ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
       - name: cleanup
         run: |
-          docker-compose -f "docker-compose.dev.yml" down
+          docker compose -f "docker-compose.dev.yml" down

backend/package.json

@@ -41,7 +41,7 @@
     "lint:fix": "eslint --fix --ext js,ts ./src",
     "lint": "eslint 'src/**/*.ts'",
     "test:e2e": "vitest run -c vitest.e2e.config.ts --bail=1",
-    "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=<value>",
+    "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
     "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
     "generate:component": "tsx ./scripts/create-backend-file.ts",
     "generate:schema": "tsx ./scripts/generate-schema-types.ts",

backend/src/@types/fastify.d.ts

@@ -50,6 +50,7 @@ import { TIntegrationServiceFactory } from "@app/services/integration/integratio
 import { TIntegrationAuthServiceFactory } from "@app/services/integration-auth/integration-auth-service";
 import { TOrgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { TOrgServiceFactory } from "@app/services/org/org-service";
+import { TOrgAdminServiceFactory } from "@app/services/org-admin/org-admin-service";
 import { TProjectServiceFactory } from "@app/services/project/project-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
@@ -165,6 +166,7 @@ declare module "fastify" {
       rateLimit: TRateLimitServiceFactory;
       userEngagement: TUserEngagementServiceFactory;
       externalKms: TExternalKmsServiceFactory;
+      orgAdmin: TOrgAdminServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/db/migrations/20240717184929_add-enforcement-level-secrets-policies.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { EnforcementLevel } from "@app/lib/types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "enforcementLevel");
+  if (!hasColumn) {
+    await knex.schema.table(TableName.SecretApprovalPolicy, (table) => {
+      table.string("enforcementLevel", 10).notNullable().defaultTo(EnforcementLevel.Hard);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "enforcementLevel");
+  if (hasColumn) {
+    await knex.schema.table(TableName.SecretApprovalPolicy, (table) => {
+      table.dropColumn("enforcementLevel");
+    });
+  }
+}

backend/src/db/migrations/20240717194958_add-enforcement-level-access-policies.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { EnforcementLevel } from "@app/lib/types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "enforcementLevel");
+  if (!hasColumn) {
+    await knex.schema.table(TableName.AccessApprovalPolicy, (table) => {
+      table.string("enforcementLevel", 10).notNullable().defaultTo(EnforcementLevel.Hard);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "enforcementLevel");
+  if (hasColumn) {
+    await knex.schema.table(TableName.AccessApprovalPolicy, (table) => {
+      table.dropColumn("enforcementLevel");
+    });
+  }
+}

backend/src/db/migrations/20240718170955_add-access-secret-sharing.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { SecretSharingAccessType } from "@app/lib/types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretSharing, "accessType");
+  if (!hasColumn) {
+    await knex.schema.table(TableName.SecretSharing, (table) => {
+      table.string("accessType").notNullable().defaultTo(SecretSharingAccessType.Anyone);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretSharing, "accessType");
+  if (hasColumn) {
+    await knex.schema.table(TableName.SecretSharing, (table) => {
+      table.dropColumn("accessType");
+    });
+  }
+}

backend/src/db/migrations/20240719182539_add-bypass-reason-secret-approval-requets.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "bypassReason");
+  if (!hasColumn) {
+    await knex.schema.table(TableName.SecretApprovalRequest, (table) => {
+      table.string("bypassReason").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "bypassReason");
+  if (hasColumn) {
+    await knex.schema.table(TableName.SecretApprovalRequest, (table) => {
+      table.dropColumn("bypassReason");
+    });
+  }
+}

backend/src/db/migrations/20240728010334_secret-sharing-name.ts

@@ -0,0 +1,39 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const doesNameExist = await knex.schema.hasColumn(TableName.SecretSharing, "name");
+    if (!doesNameExist) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.string("name").nullable();
+      });
+    }
+
+    const doesLastViewedAtExist = await knex.schema.hasColumn(TableName.SecretSharing, "lastViewedAt");
+    if (!doesLastViewedAtExist) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.timestamp("lastViewedAt").nullable();
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const doesNameExist = await knex.schema.hasColumn(TableName.SecretSharing, "name");
+    if (doesNameExist) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.dropColumn("name");
+      });
+    }
+
+    const doesLastViewedAtExist = await knex.schema.hasColumn(TableName.SecretSharing, "lastViewedAt");
+    if (doesLastViewedAtExist) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.dropColumn("lastViewedAt");
+      });
+    }
+  }
+}

backend/src/db/migrations/20240730181850_secret-v2.ts

@@ -1,3 +1,4 @@
+/* eslint-disable @typescript-eslint/ban-ts-comment */
 import { Knex } from "knex";
 
 import { SecretType, TableName } from "../schemas";
@@ -22,6 +23,7 @@ export async function up(knex: Knex): Promise<void> {
       t.uuid("folderId").notNullable();
       t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
       t.timestamps(true, true, true);
+      t.index(["folderId", "userId"]);
     });
   }
   await createOnUpdateTrigger(knex, TableName.SecretV2);
@@ -105,12 +107,12 @@ export async function up(knex: Knex): Promise<void> {
   if (!(await knex.schema.hasTable(TableName.SnapshotSecretV2))) {
     await knex.schema.createTable(TableName.SnapshotSecretV2, (t) => {
       t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("envId").notNullable();
+      t.uuid("envId").index().notNullable();
       t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
       // not a relation kept like that to keep it when rolled back
-      t.uuid("secretVersionId").notNullable();
+      t.uuid("secretVersionId").index().notNullable();
       t.foreign("secretVersionId").references("id").inTable(TableName.SecretVersionV2).onDelete("CASCADE");
-      t.uuid("snapshotId").notNullable();
+      t.uuid("snapshotId").index().notNullable();
       t.foreign("snapshotId").references("id").inTable(TableName.Snapshot).onDelete("CASCADE");
       t.timestamps(true, true, true);
     });

backend/src/db/migrations/utils/kms.ts

@@ -0,0 +1,105 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { randomSecureBytes } from "@app/lib/crypto";
+import { symmetricCipherService, SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+const getInstanceRootKey = async (knex: Knex) => {
+  const encryptionKey = process.env.ENCRYPTION_KEY || process.env.ROOT_ENCRYPTION_KEY;
+  // if root key its base64 encoded
+  const isBase64 = !process.env.ENCRYPTION_KEY;
+  if (!encryptionKey) throw new Error("ENCRYPTION_KEY variable needed for migration");
+  const encryptionKeyBuffer = Buffer.from(encryptionKey, isBase64 ? "base64" : "utf8");
+
+  const KMS_ROOT_CONFIG_UUID = "00000000-0000-0000-0000-000000000000";
+  const kmsRootConfig = await knex(TableName.KmsServerRootConfig).where({ id: KMS_ROOT_CONFIG_UUID }).first();
+  const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+  if (kmsRootConfig) {
+    const decryptedRootKey = cipher.decrypt(kmsRootConfig.encryptedRootKey, encryptionKeyBuffer);
+    // set the flag so that other instancen nodes can start
+    return decryptedRootKey;
+  }
+
+  const newRootKey = randomSecureBytes(32);
+  const encryptedRootKey = cipher.encrypt(newRootKey, encryptionKeyBuffer);
+  await knex(TableName.KmsServerRootConfig).insert({
+    encryptedRootKey,
+    // eslint-disable-next-line
+    // @ts-ignore id is kept as fixed for idempotence and to avoid race condition
+    id: KMS_ROOT_CONFIG_UUID
+  });
+  return encryptedRootKey;
+};
+
+export const getSecretManagerDataKey = async (knex: Knex, projectId: string) => {
+  const KMS_VERSION = "v01";
+  const KMS_VERSION_BLOB_LENGTH = 3;
+  const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+  const project = await knex(TableName.Project).where({ id: projectId }).first();
+  if (!project) throw new Error("Missing project id");
+
+  const ROOT_ENCRYPTION_KEY = await getInstanceRootKey(knex);
+
+  let secretManagerKmsKey;
+  const projectSecretManagerKmsId = project?.kmsSecretManagerKeyId;
+  if (projectSecretManagerKmsId) {
+    const kmsDoc = await knex(TableName.KmsKey)
+      .leftJoin(TableName.InternalKms, `${TableName.KmsKey}.id`, `${TableName.InternalKms}.kmsKeyId`)
+      .where({ [`${TableName.KmsKey}.id` as "id"]: projectSecretManagerKmsId })
+      .first();
+    if (!kmsDoc) throw new Error("missing kms");
+    secretManagerKmsKey = cipher.decrypt(kmsDoc.encryptedKey, ROOT_ENCRYPTION_KEY);
+  } else {
+    const [kmsDoc] = await knex(TableName.KmsKey)
+      .insert({
+        slug: slugify(alphaNumericNanoId(8).toLowerCase()),
+        orgId: project.orgId,
+        isReserved: false
+      })
+      .returning("*");
+
+    secretManagerKmsKey = randomSecureBytes(32);
+    const encryptedKeyMaterial = cipher.encrypt(secretManagerKmsKey, ROOT_ENCRYPTION_KEY);
+    await knex(TableName.InternalKms).insert({
+      version: 1,
+      encryptedKey: encryptedKeyMaterial,
+      encryptionAlgorithm: SymmetricEncryption.AES_GCM_256,
+      kmsKeyId: kmsDoc.id
+    });
+  }
+
+  const encryptedSecretManagerDataKey = project?.kmsSecretManagerEncryptedDataKey;
+  let dataKey: Buffer;
+  if (!encryptedSecretManagerDataKey) {
+    dataKey = randomSecureBytes();
+    // the below versioning we do it automatically in kms service
+    const unversionedDataKey = cipher.encrypt(dataKey, secretManagerKmsKey);
+    const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
+    await knex(TableName.Project)
+      .where({ id: projectId })
+      .update({
+        kmsSecretManagerEncryptedDataKey: Buffer.concat([unversionedDataKey, versionBlob])
+      });
+  } else {
+    const cipherTextBlob = encryptedSecretManagerDataKey.subarray(0, -KMS_VERSION_BLOB_LENGTH);
+    dataKey = cipher.decrypt(cipherTextBlob, secretManagerKmsKey);
+  }
+
+  return {
+    encryptor: ({ plainText }: { plainText: Buffer }) => {
+      const encryptedPlainTextBlob = cipher.encrypt(plainText, dataKey);
+
+      // Buffer#1 encrypted text + Buffer#2 version number
+      const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
+      const cipherTextBlob = Buffer.concat([encryptedPlainTextBlob, versionBlob]);
+      return { cipherTextBlob };
+    },
+    decryptor: ({ cipherTextBlob: versionedCipherTextBlob }: { cipherTextBlob: Buffer }) => {
+      const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
+      const decryptedBlob = cipher.decrypt(cipherTextBlob, dataKey);
+      return decryptedBlob;
+    }
+  };
+};

backend/src/db/schemas/access-approval-policies.ts

@@ -14,7 +14,8 @@ export const AccessApprovalPoliciesSchema = z.object({
   secretPath: z.string().nullable().optional(),
   envId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  enforcementLevel: z.string().default("hard")
 });
 
 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;

backend/src/db/schemas/integration-auths.ts

@@ -35,7 +35,6 @@ export const IntegrationAuthsSchema = z.object({
   awsAssumeIamRoleArnCipherText: z.string().nullable().optional(),
   awsAssumeIamRoleArnIV: z.string().nullable().optional(),
   awsAssumeIamRoleArnTag: z.string().nullable().optional(),
-  encryptedAwsIamAssumRole: zodBuffer.nullable().optional(),
   encryptedAccess: zodBuffer.nullable().optional(),
   encryptedAccessId: zodBuffer.nullable().optional(),
   encryptedRefresh: zodBuffer.nullable().optional(),

backend/src/db/schemas/secret-approval-policies.ts

@@ -14,7 +14,8 @@ export const SecretApprovalPoliciesSchema = z.object({
   approvals: z.number().default(1),
   envId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  enforcementLevel: z.string().default("hard")
 });
 
 export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;

backend/src/db/schemas/secret-approval-requests.ts

@@ -19,7 +19,8 @@ export const SecretApprovalRequestsSchema = z.object({
   updatedAt: z.date(),
   isReplicated: z.boolean().nullable().optional(),
   committerUserId: z.string().uuid(),
-  statusChangedByUserId: z.string().uuid().nullable().optional()
+  statusChangedByUserId: z.string().uuid().nullable().optional(),
+  bypassReason: z.string().nullable().optional()
 });
 
 export type TSecretApprovalRequests = z.infer<typeof SecretApprovalRequestsSchema>;

backend/src/db/schemas/secret-sharing.ts

@@ -18,7 +18,10 @@ export const SecretSharingSchema = z.object({
   orgId: z.string().uuid().nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  expiresAfterViews: z.number().nullable().optional()
+  expiresAfterViews: z.number().nullable().optional(),
+  accessType: z.string().default("anyone"),
+  name: z.string().nullable().optional(),
+  lastViewedAt: z.date().nullable().optional()
 });
 
 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -1,6 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";
 
+import { EnforcementLevel } from "@app/lib/types";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -17,7 +18,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
           secretPath: z.string().trim().default("/"),
           environment: z.string(),
           approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1)
+          approvals: z.number().min(1).default(1),
+          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
         })
         .refine((data) => data.approvals <= data.approvers.length, {
           path: ["approvals"],
@@ -38,7 +40,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         actorOrgId: req.permission.orgId,
         ...req.body,
         projectSlug: req.body.projectSlug,
-        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
+        enforcementLevel: req.body.enforcementLevel
       });
       return { approval };
     }
@@ -115,7 +118,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
             .optional()
             .transform((val) => (val === "" ? "/" : val)),
           approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1)
+          approvals: z.number().min(1).default(1),
+          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
         })
         .refine((data) => data.approvals <= data.approvers.length, {
           path: ["approvals"],

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -99,7 +99,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
               approvals: z.number(),
               approvers: z.string().array(),
               secretPath: z.string().nullish(),
-              envId: z.string()
+              envId: z.string(),
+              enforcementLevel: z.string()
             }),
             reviewers: z
               .object({

backend/src/ee/routes/v1/org-role-router.ts

@@ -52,6 +52,36 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/:organizationId/roles/:roleId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        organizationId: z.string().trim(),
+        roleId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          role: OrgRolesSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const role = await server.services.orgRole.getRole(
+        req.permission.id,
+        req.params.organizationId,
+        req.params.roleId,
+        req.permission.authMethod,
+        req.permission.orgId
+      );
+      return { role };
+    }
+  });
+
   server.route({
     method: "PATCH",
     url: "/:organizationId/roles/:roleId",
@@ -69,7 +99,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
           .trim()
           .optional()
           .refine(
-            (val) => typeof val === "undefined" || Object.keys(OrgMembershipRole).includes(val),
+            (val) => typeof val !== "undefined" && !Object.keys(OrgMembershipRole).includes(val),
             "Please choose a different slug, the slug you have entered is reserved."
           )
           .refine((val) => typeof val === "undefined" || slugify(val) === val, {
@@ -77,7 +107,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
           }),
         name: z.string().trim().optional(),
         description: z.string().trim().optional(),
-        permissions: z.any().array()
+        permissions: z.any().array().optional()
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/project-role-router.ts

@@ -101,7 +101,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
             message: "Slug must be a valid"
           }),
         name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
-        permissions: ProjectPermissionSchema.array().describe(PROJECT_ROLE.UPDATE.permissions)
+        permissions: ProjectPermissionSchema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
       }),
       response: {
         200: z.object({
@@ -120,7 +120,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         roleId: req.params.roleId,
         data: {
           ...req.body,
-          permissions: JSON.stringify(packRules(req.body.permissions))
+          permissions: req.body.permissions ? JSON.stringify(packRules(req.body.permissions)) : undefined
         }
       });
       return { role };

backend/src/ee/routes/v1/project-router.ts

@@ -349,4 +349,35 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       return backup;
     }
   });
+
+  server.route({
+    method: "POST",
+    url: "/:workspaceId/migrate-v3",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        workspaceId: z.string().trim()
+      }),
+
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const migration = await server.services.secret.startSecretV2Migration({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        projectId: req.params.workspaceId
+      });
+
+      return migration;
+    }
+  });
 };

backend/src/ee/routes/v1/scim-router.ts

@@ -350,7 +350,12 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
               schemas: z.array(z.string()),
               id: z.string().trim(),
               displayName: z.string().trim(),
-              members: z.array(z.any()).length(0),
+              members: z.array(
+                z.object({
+                  value: z.string(),
+                  display: z.string()
+                })
+              ),
               meta: z.object({
                 resourceType: z.string().trim()
               })
@@ -423,7 +428,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
         displayName: z.string().trim(),
         members: z.array(
           z.object({
-            value: z.string(), // infisical orgMembershipId
+            value: z.string(),
             display: z.string()
           })
         )

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -2,6 +2,7 @@ import { nanoid } from "nanoid";
 import { z } from "zod";
 
 import { removeTrailingSlash } from "@app/lib/fn";
+import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
@@ -24,11 +25,13 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
             .string()
             .optional()
             .nullable()
+            .default("/")
             .transform((val) => (val ? removeTrailingSlash(val) : val)),
-          approverUserIds: z.string().array().min(1),
-          approvals: z.number().min(1).default(1)
+          approvers: z.string().array().min(1),
+          approvals: z.number().min(1).default(1),
+          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
         })
-        .refine((data) => data.approvals <= data.approverUserIds.length, {
+        .refine((data) => data.approvals <= data.approvers.length, {
           path: ["approvals"],
           message: "The number of approvals should be lower than the number of approvers."
         }),
@@ -47,7 +50,8 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         actorOrgId: req.permission.orgId,
         projectId: req.body.workspaceId,
         ...req.body,
-        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
+        enforcementLevel: req.body.enforcementLevel
       });
       return { approval };
     }
@@ -66,15 +70,17 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
       body: z
         .object({
           name: z.string().optional(),
-          approverUserIds: z.string().array().min(1),
+          approvers: z.string().array().min(1),
           approvals: z.number().min(1).default(1),
           secretPath: z
             .string()
             .optional()
             .nullable()
             .transform((val) => (val ? removeTrailingSlash(val) : val))
+            .transform((val) => (val === "" ? "/" : val)),
+          enforcementLevel: z.nativeEnum(EnforcementLevel).optional()
         })
-        .refine((data) => data.approvals <= data.approverUserIds.length, {
+        .refine((data) => data.approvals <= data.approvers.length, {
           path: ["approvals"],
           message: "The number of approvals should be lower than the number of approvers."
         }),

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -47,7 +47,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               name: z.string(),
               approvals: z.number(),
               approvers: z.string().array(),
-              secretPath: z.string().optional().nullable()
+              secretPath: z.string().optional().nullable(),
+              enforcementLevel: z.string()
             }),
             committerUser: approvalRequestUser,
             commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
@@ -114,6 +115,9 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
       params: z.object({
         id: z.string()
       }),
+      body: z.object({
+        bypassReason: z.string().optional()
+      }),
       response: {
         200: z.object({
           approval: SecretApprovalRequestsSchema
@@ -127,7 +131,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
         actor: req.permission.type,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        approvalId: req.params.id
+        approvalId: req.params.id,
+        bypassReason: req.body.bypassReason
       });
       return { approval };
     }
@@ -246,7 +251,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 name: z.string(),
                 approvals: z.number(),
                 approvers: approvalRequestUser.array(),
-                secretPath: z.string().optional().nullable()
+                secretPath: z.string().optional().nullable(),
+                enforcementLevel: z.string()
               }),
               environment: z.string(),
               statusChangedByUser: approvalRequestUser.optional(),

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -47,7 +47,8 @@ export const accessApprovalPolicyServiceFactory = ({
     approvals,
     approvers,
     projectSlug,
-    environment
+    environment,
+    enforcementLevel
   }: TCreateAccessApprovalPolicy) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new BadRequestError({ message: "Project not found" });
@@ -94,7 +95,8 @@ export const accessApprovalPolicyServiceFactory = ({
           envId: env.id,
           approvals,
           secretPath,
-          name
+          name,
+          enforcementLevel
         },
         tx
       );
@@ -143,7 +145,8 @@ export const accessApprovalPolicyServiceFactory = ({
     actor,
     actorOrgId,
     actorAuthMethod,
-    approvals
+    approvals,
+    enforcementLevel
   }: TUpdateAccessApprovalPolicy) => {
     const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
     if (!accessApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
@@ -163,7 +166,8 @@ export const accessApprovalPolicyServiceFactory = ({
         {
           approvals,
           secretPath,
-          name
+          name,
+          enforcementLevel
         },
         tx
       );

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -1,4 +1,4 @@
-import { TProjectPermission } from "@app/lib/types";
+import { EnforcementLevel, TProjectPermission } from "@app/lib/types";
 import { ActorAuthMethod } from "@app/services/auth/auth-type";
 
 import { TPermissionServiceFactory } from "../permission/permission-service";
@@ -20,6 +20,7 @@ export type TCreateAccessApprovalPolicy = {
   approvers: string[];
   projectSlug: string;
   name: string;
+  enforcementLevel: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateAccessApprovalPolicy = {
@@ -28,6 +29,7 @@ export type TUpdateAccessApprovalPolicy = {
   approvers?: string[];
   secretPath?: string;
   name?: string;
+  enforcementLevel?: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteAccessApprovalPolicy = {

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -48,6 +48,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("name").withSchema(TableName.AccessApprovalPolicy).as("policyName"),
           db.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
           db.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
+          db.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
           db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId")
         )
 
@@ -98,6 +99,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             name: doc.policyName,
             approvals: doc.policyApprovals,
             secretPath: doc.policySecretPath,
+            enforcementLevel: doc.policyEnforcementLevel,
             envId: doc.policyEnvId
           },
           privilege: doc.privilegeId
@@ -165,6 +167,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("projectId").withSchema(TableName.Environment),
         tx.ref("slug").withSchema(TableName.Environment).as("environment"),
         tx.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
+        tx.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
         tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
         tx.ref("approverId").withSchema(TableName.AccessApprovalPolicyApprover)
       );
@@ -184,7 +187,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             id: el.policyId,
             name: el.policyName,
             approvals: el.policyApprovals,
-            secretPath: el.policySecretPath
+            secretPath: el.policySecretPath,
+            enforcementLevel: el.policyEnforcementLevel
           }
         }),
         childrenMapper: [

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -106,6 +106,7 @@ export enum EventType {
   CREATE_ENVIRONMENT = "create-environment",
   UPDATE_ENVIRONMENT = "update-environment",
   DELETE_ENVIRONMENT = "delete-environment",
+  GET_ENVIRONMENT = "get-environment",
   ADD_WORKSPACE_MEMBER = "add-workspace-member",
   ADD_BATCH_WORKSPACE_MEMBER = "add-workspace-members",
   REMOVE_WORKSPACE_MEMBER = "remove-workspace-member",
@@ -135,6 +136,7 @@ export enum EventType {
   IMPORT_CA_CERT = "import-certificate-authority-cert",
   GET_CA_CRL = "get-certificate-authority-crl",
   ISSUE_CERT = "issue-cert",
+  SIGN_CERT = "sign-cert",
   GET_CERT = "get-cert",
   DELETE_CERT = "delete-cert",
   REVOKE_CERT = "revoke-cert",
@@ -145,7 +147,8 @@ export enum EventType {
   GET_KMS = "get-kms",
   UPDATE_PROJECT_KMS = "update-project-kms",
   GET_PROJECT_KMS_BACKUP = "get-project-kms-backup",
-  LOAD_PROJECT_KMS_BACKUP = "load-project-kms-backup"
+  LOAD_PROJECT_KMS_BACKUP = "load-project-kms-backup",
+  ORG_ADMIN_ACCESS_PROJECT = "org-admin-accessed-project"
 }
 
 interface UserActorMetadata {
@@ -838,6 +841,13 @@ interface CreateEnvironmentEvent {
   };
 }
 
+interface GetEnvironmentEvent {
+  type: EventType.GET_ENVIRONMENT;
+  metadata: {
+    id: string;
+  };
+}
+
 interface UpdateEnvironmentEvent {
   type: EventType.UPDATE_ENVIRONMENT;
   metadata: {
@@ -1135,6 +1145,15 @@ interface IssueCert {
   };
 }
 
+interface SignCert {
+  type: EventType.SIGN_CERT;
+  metadata: {
+    caId: string;
+    dn: string;
+    serialNumber: string;
+  };
+}
+
 interface GetCert {
   type: EventType.GET_CERT;
   metadata: {
@@ -1227,6 +1246,16 @@ interface LoadProjectKmsBackupEvent {
   metadata: Record<string, string>; // no metadata yet
 }
 
+interface OrgAdminAccessProjectEvent {
+  type: EventType.ORG_ADMIN_ACCESS_PROJECT;
+  metadata: {
+    userId: string;
+    username: string;
+    email: string;
+    projectId: string;
+  }; // no metadata yet
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -1293,6 +1322,7 @@ export type Event =
   | UpdateIdentityOidcAuthEvent
   | GetIdentityOidcAuthEvent
   | CreateEnvironmentEvent
+  | GetEnvironmentEvent
   | UpdateEnvironmentEvent
   | DeleteEnvironmentEvent
   | AddWorkspaceMemberEvent
@@ -1324,6 +1354,7 @@ export type Event =
   | ImportCaCert
   | GetCaCrl
   | IssueCert
+  | SignCert
   | GetCert
   | DeleteCert
   | RevokeCert
@@ -1334,4 +1365,5 @@ export type Event =
   | GetKmsEvent
   | UpdateProjectKmsEvent
   | GetProjectKmsBackupEvent
-  | LoadProjectKmsBackupEvent;
+  | LoadProjectKmsBackupEvent
+  | OrgAdminAccessProjectEvent;

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal.ts

@@ -12,10 +12,7 @@ export const dynamicSecretLeaseDALFactory = (db: TDbClient) => {
 
   const countLeasesForDynamicSecret = async (dynamicSecretId: string, tx?: Knex) => {
     try {
-      const doc = await (tx || db.replicaNode())(TableName.DynamicSecretLease)
-        .count("*")
-        .where({ dynamicSecretId })
-        .first();
+      const doc = await (tx || db)(TableName.DynamicSecretLease).count("*").where({ dynamicSecretId }).first();
       return parseInt(doc || "0", 10);
     } catch (error) {
       throw new DatabaseError({ error, name: "DynamicSecretCountLeases" });
@@ -24,7 +21,7 @@ export const dynamicSecretLeaseDALFactory = (db: TDbClient) => {
 
   const findById = async (id: string, tx?: Knex) => {
     try {
-      const doc = await (tx || db.replicaNode())(TableName.DynamicSecretLease)
+      const doc = await (tx || db)(TableName.DynamicSecretLease)
         .where({ [`${TableName.DynamicSecretLease}.id` as "id"]: id })
         .first()
         .join(

backend/src/ee/services/group/group-fns.ts

@@ -336,31 +336,36 @@ export const removeUsersFromGroupByUserIds = async ({
         )
       );
 
-      // TODO: this part can be optimized
-      for await (const userId of userIds) {
-        const t = await userGroupMembershipDAL.filterProjectsByUserMembership(userId, group.id, projectIds, tx);
-        const projectsToDeleteKeyFor = projectIds.filter((p) => !t.has(p));
+      const promises: Array<Promise<void>> = [];
+      for (const userId of userIds) {
+        promises.push(
+          (async () => {
+            const t = await userGroupMembershipDAL.filterProjectsByUserMembership(userId, group.id, projectIds, tx);
+            const projectsToDeleteKeyFor = projectIds.filter((p) => !t.has(p));
 
-        if (projectsToDeleteKeyFor.length) {
-          await projectKeyDAL.delete(
-            {
-              receiverId: userId,
-              $in: {
-                projectId: projectsToDeleteKeyFor
-              }
-            },
-            tx
-          );
-        }
+            if (projectsToDeleteKeyFor.length) {
+              await projectKeyDAL.delete(
+                {
+                  receiverId: userId,
+                  $in: {
+                    projectId: projectsToDeleteKeyFor
+                  }
+                },
+                tx
+              );
+            }
 
-        await userGroupMembershipDAL.delete(
-          {
-            groupId: group.id,
-            userId
-          },
-          tx
+            await userGroupMembershipDAL.delete(
+              {
+                groupId: group.id,
+                userId
+              },
+              tx
+            );
+          })()
         );
       }
+      await Promise.all(promises);
     }
 
     if (membersToRemoveFromGroupPending.length) {

backend/src/ee/services/group/user-group-membership-dal.ts

@@ -162,17 +162,50 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findUserGroupMembershipsInOrg = async (userId: string, orgId: string) => {
+  const findGroupMembershipsByUserIdInOrg = async (userId: string, orgId: string) => {
     try {
       const docs = await db
         .replicaNode()(TableName.UserGroupMembership)
         .join(TableName.Groups, `${TableName.UserGroupMembership}.groupId`, `${TableName.Groups}.id`)
+        .join(TableName.OrgMembership, `${TableName.UserGroupMembership}.userId`, `${TableName.OrgMembership}.userId`)
+        .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
         .where(`${TableName.UserGroupMembership}.userId`, userId)
-        .where(`${TableName.Groups}.orgId`, orgId);
+        .where(`${TableName.Groups}.orgId`, orgId)
+        .select(
+          db.ref("id").withSchema(TableName.UserGroupMembership),
+          db.ref("groupId").withSchema(TableName.UserGroupMembership),
+          db.ref("name").withSchema(TableName.Groups).as("groupName"),
+          db.ref("id").withSchema(TableName.OrgMembership).as("orgMembershipId"),
+          db.ref("firstName").withSchema(TableName.Users).as("firstName"),
+          db.ref("lastName").withSchema(TableName.Users).as("lastName")
+        );
 
       return docs;
     } catch (error) {
-      throw new DatabaseError({ error, name: "findTest" });
+      throw new DatabaseError({ error, name: "Find group memberships by user id in org" });
+    }
+  };
+
+  const findGroupMembershipsByGroupIdInOrg = async (groupId: string, orgId: string) => {
+    try {
+      const docs = await db
+        .replicaNode()(TableName.UserGroupMembership)
+        .join(TableName.Groups, `${TableName.UserGroupMembership}.groupId`, `${TableName.Groups}.id`)
+        .join(TableName.OrgMembership, `${TableName.UserGroupMembership}.userId`, `${TableName.OrgMembership}.userId`)
+        .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
+        .where(`${TableName.Groups}.id`, groupId)
+        .where(`${TableName.Groups}.orgId`, orgId)
+        .select(
+          db.ref("id").withSchema(TableName.UserGroupMembership),
+          db.ref("groupId").withSchema(TableName.UserGroupMembership),
+          db.ref("name").withSchema(TableName.Groups).as("groupName"),
+          db.ref("id").withSchema(TableName.OrgMembership).as("orgMembershipId"),
+          db.ref("firstName").withSchema(TableName.Users).as("firstName"),
+          db.ref("lastName").withSchema(TableName.Users).as("lastName")
+        );
+      return docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find group memberships by group id in org" });
     }
   };
 
@@ -182,6 +215,7 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
     findUserGroupMembershipsInProject,
     findGroupMembersNotInProject,
     deletePendingUserGroupMembershipsByUserIds,
-    findUserGroupMembershipsInOrg
+    findGroupMembershipsByUserIdInOrg,
+    findGroupMembershipsByGroupIdInOrg
   };
 };

backend/src/ee/services/permission/org-permission.ts

@@ -9,6 +9,10 @@ export enum OrgPermissionActions {
   Delete = "delete"
 }
 
+export enum OrgPermissionAdminConsoleAction {
+  AccessAllProjects = "access-all-projects"
+}
+
 export enum OrgPermissionSubjects {
   Workspace = "workspace",
   Role = "role",
@@ -22,7 +26,8 @@ export enum OrgPermissionSubjects {
   Billing = "billing",
   SecretScanning = "secret-scanning",
   Identity = "identity",
-  Kms = "kms"
+  Kms = "kms",
+  AdminConsole = "organization-admin-console"
 }
 
 export type OrgPermissionSet =
@@ -39,7 +44,8 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
   | [OrgPermissionActions, OrgPermissionSubjects.Billing]
   | [OrgPermissionActions, OrgPermissionSubjects.Identity]
-  | [OrgPermissionActions, OrgPermissionSubjects.Kms];
+  | [OrgPermissionActions, OrgPermissionSubjects.Kms]
+  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];
 
 const buildAdminPermission = () => {
   const { can, build } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
@@ -107,6 +113,8 @@ const buildAdminPermission = () => {
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.Kms);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.Kms);
 
+  can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
+
   return build({ conditionsMatcher });
 };
 

backend/src/ee/services/permission/project-permission.ts

@@ -23,6 +23,7 @@ export enum ProjectPermissionSub {
   IpAllowList = "ip-allowlist",
   Project = "workspace",
   Secrets = "secrets",
+  SecretFolders = "secret-folders",
   SecretRollback = "secret-rollback",
   SecretApproval = "secret-approval",
   SecretRotation = "secret-rotation",
@@ -42,6 +43,10 @@ export type ProjectPermissionSet =
       ProjectPermissionActions,
       ProjectPermissionSub.Secrets | (ForcedSubject<ProjectPermissionSub.Secrets> & SubjectFields)
     ]
+  | [
+      ProjectPermissionActions,
+      ProjectPermissionSub.SecretFolders | (ForcedSubject<ProjectPermissionSub.SecretFolders> & SubjectFields)
+    ]
   | [ProjectPermissionActions, ProjectPermissionSub.Role]
   | [ProjectPermissionActions, ProjectPermissionSub.Tags]
   | [ProjectPermissionActions, ProjectPermissionSub.Member]

backend/src/ee/services/scim/scim-service.ts

@@ -9,6 +9,7 @@ import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-grou
 import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TOrgPermission } from "@app/lib/types";
 import { AuthTokenType } from "@app/services/auth/auth-type";
@@ -51,6 +52,7 @@ import {
   TListScimUsers,
   TListScimUsersDTO,
   TReplaceScimUserDTO,
+  TScimGroup,
   TScimTokenJwtPayload,
   TUpdateScimGroupNamePatchDTO,
   TUpdateScimGroupNamePutDTO,
@@ -83,7 +85,8 @@ type TScimServiceFactoryDep = {
     | "insertMany"
     | "filterProjectsByUserMembership"
     | "delete"
-    | "findUserGroupMembershipsInOrg"
+    | "findGroupMembershipsByUserIdInOrg"
+    | "findGroupMembershipsByGroupIdInOrg"
   >;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
   projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
@@ -252,7 +255,10 @@ export const scimServiceFactory = ({
         status: 403
       });
 
-    const groupMembershipsInOrg = await userGroupMembershipDAL.findUserGroupMembershipsInOrg(membership.userId, orgId);
+    const groupMembershipsInOrg = await userGroupMembershipDAL.findGroupMembershipsByUserIdInOrg(
+      membership.userId,
+      orgId
+    );
 
     return buildScimUser({
       orgMembershipId: membership.id,
@@ -263,7 +269,7 @@ export const scimServiceFactory = ({
       active: membership.isActive,
       groups: groupMembershipsInOrg.map((group) => ({
         value: group.groupId,
-        display: group.name
+        display: group.groupName
       }))
     });
   };
@@ -509,7 +515,10 @@ export const scimServiceFactory = ({
       isActive: active
     });
 
-    const groupMembershipsInOrg = await userGroupMembershipDAL.findUserGroupMembershipsInOrg(membership.userId, orgId);
+    const groupMembershipsInOrg = await userGroupMembershipDAL.findGroupMembershipsByUserIdInOrg(
+      membership.userId,
+      orgId
+    );
 
     return buildScimUser({
       orgMembershipId: membership.id,
@@ -520,7 +529,7 @@ export const scimServiceFactory = ({
       active,
       groups: groupMembershipsInOrg.map((group) => ({
         value: group.groupId,
-        display: group.name
+        display: group.groupName
       }))
     });
   };
@@ -589,13 +598,20 @@ export const scimServiceFactory = ({
       }
     );
 
-    const scimGroups = groups.map((group) =>
-      buildScimGroup({
+    const scimGroups: TScimGroup[] = [];
+
+    for await (const group of groups) {
+      const members = await userGroupMembershipDAL.findGroupMembershipsByGroupIdInOrg(group.id, orgId);
+      const scimGroup = buildScimGroup({
         groupId: group.id,
         name: group.name,
-        members: [] // does this need to be populated?
-      })
-    );
+        members: members.map((member) => ({
+          value: member.orgMembershipId,
+          display: `${member.firstName ?? ""} ${member.lastName ?? ""}`
+        }))
+      });
+      scimGroups.push(scimGroup);
+    }
 
     return buildScimGroupList({
       scimGroups,
@@ -872,23 +888,27 @@ export const scimServiceFactory = ({
           break;
         }
         case "add": {
-          const orgMemberships = await orgMembershipDAL.find({
-            $in: {
-              id: operation.value.map((member) => member.value)
-            }
-          });
+          try {
+            const orgMemberships = await orgMembershipDAL.find({
+              $in: {
+                id: operation.value.map((member) => member.value)
+              }
+            });
 
-          await addUsersToGroupByUserIds({
-            group,
-            userIds: orgMemberships.map((membership) => membership.userId as string),
-            userDAL,
-            userGroupMembershipDAL,
-            orgDAL,
-            groupProjectDAL,
-            projectKeyDAL,
-            projectDAL,
-            projectBotDAL
-          });
+            await addUsersToGroupByUserIds({
+              group,
+              userIds: orgMemberships.map((membership) => membership.userId as string),
+              userDAL,
+              userGroupMembershipDAL,
+              orgDAL,
+              groupProjectDAL,
+              projectKeyDAL,
+              projectDAL,
+              projectBotDAL
+            });
+          } catch {
+            logger.info("Repeat SCIM user-group add operation");
+          }
 
           break;
         }
@@ -916,10 +936,15 @@ export const scimServiceFactory = ({
       }
     }
 
+    const members = await userGroupMembershipDAL.findGroupMembershipsByGroupIdInOrg(group.id, orgId);
+
     return buildScimGroup({
       groupId: group.id,
       name: group.name,
-      members: []
+      members: members.map((member) => ({
+        value: member.orgMembershipId,
+        display: `${member.firstName ?? ""} ${member.lastName ?? ""}`
+      }))
     });
   };
 

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -45,12 +45,13 @@ export const secretApprovalPolicyServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     approvals,
-    approverUserIds,
+    approvers,
     projectId,
     secretPath,
-    environment
+    environment,
+    enforcementLevel
   }: TCreateSapDTO) => {
-    if (approvals > approverUserIds.length)
+    if (approvals > approvers.length)
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
 
     const { permission } = await permissionService.getProjectPermission(
@@ -73,12 +74,13 @@ export const secretApprovalPolicyServiceFactory = ({
           envId: env.id,
           approvals,
           secretPath,
-          name
+          name,
+          enforcementLevel
         },
         tx
       );
       await secretApprovalPolicyApproverDAL.insertMany(
-        approverUserIds.map((approverUserId) => ({
+        approvers.map((approverUserId) => ({
           approverUserId,
           policyId: doc.id
         })),
@@ -90,7 +92,7 @@ export const secretApprovalPolicyServiceFactory = ({
   };
 
   const updateSecretApprovalPolicy = async ({
-    approverUserIds,
+    approvers,
     secretPath,
     name,
     actorId,
@@ -98,7 +100,8 @@ export const secretApprovalPolicyServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     approvals,
-    secretPolicyId
+    secretPolicyId,
+    enforcementLevel
   }: TUpdateSapDTO) => {
     const secretApprovalPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
     if (!secretApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
@@ -118,14 +121,15 @@ export const secretApprovalPolicyServiceFactory = ({
         {
           approvals,
           secretPath,
-          name
+          name,
+          enforcementLevel
         },
         tx
       );
-      if (approverUserIds) {
+      if (approvers) {
         await secretApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
         await secretApprovalPolicyApproverDAL.insertMany(
-          approverUserIds.map((approverUserId) => ({
+          approvers.map((approverUserId) => ({
             approverUserId,
             policyId: doc.id
           })),

backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@@ -1,20 +1,22 @@
-import { TProjectPermission } from "@app/lib/types";
+import { EnforcementLevel, TProjectPermission } from "@app/lib/types";
 
 export type TCreateSapDTO = {
   approvals: number;
   secretPath?: string | null;
   environment: string;
-  approverUserIds: string[];
+  approvers: string[];
   projectId: string;
   name: string;
+  enforcementLevel: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateSapDTO = {
   secretPolicyId: string;
   approvals?: number;
   secretPath?: string | null;
-  approverUserIds: string[];
+  approvers: string[];
   name?: string;
+  enforcementLevel?: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteSapDTO = {

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -94,6 +94,8 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("projectId").withSchema(TableName.Environment),
         tx.ref("slug").withSchema(TableName.Environment).as("environment"),
         tx.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
+        tx.ref("envId").withSchema(TableName.SecretApprovalPolicy).as("policyEnvId"),
+        tx.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
         tx.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals")
       );
 
@@ -128,7 +130,9 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             id: el.policyId,
             name: el.policyName,
             approvals: el.policyApprovals,
-            secretPath: el.policySecretPath
+            secretPath: el.policySecretPath,
+            enforcementLevel: el.policyEnforcementLevel,
+            envId: el.policyEnvId
           }
         }),
         childrenMapper: [
@@ -282,6 +286,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             `DENSE_RANK() OVER (partition by ${TableName.Environment}."projectId" ORDER BY ${TableName.SecretApprovalRequest}."id" DESC) as rank`
           ),
           db.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
+          db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
           db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
           db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
           db.ref("email").withSchema("committerUser").as("committerUserEmail"),
@@ -308,7 +313,8 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             id: el.policyId,
             name: el.policyName,
             approvals: el.policyApprovals,
-            secretPath: el.policySecretPath
+            secretPath: el.policySecretPath,
+            enforcementLevel: el.policyEnforcementLevel
           },
           committerUser: {
             userId: el.committerUserId,
@@ -416,6 +422,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           ),
           db.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
           db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
+          db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
           db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
           db.ref("email").withSchema("committerUser").as("committerUserEmail"),
           db.ref("username").withSchema("committerUser").as("committerUserUsername"),
@@ -441,7 +448,8 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             id: el.policyId,
             name: el.policyName,
             approvals: el.policyApprovals,
-            secretPath: el.policySecretPath
+            secretPath: el.policySecretPath,
+            enforcementLevel: el.policyEnforcementLevel
           },
           committerUser: {
             userId: el.committerUserId,
@@ -483,11 +491,26 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
     }
   };
 
+  const deleteByProjectId = async (projectId: string, tx?: Knex) => {
+    try {
+      const query = await (tx || db)(TableName.SecretApprovalRequest)
+        .join(TableName.SecretFolder, `${TableName.SecretApprovalRequest}.folderId`, `${TableName.SecretFolder}.id`)
+        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+        .where({ projectId })
+        .delete();
+
+      return query;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "DeleteByProjectId" });
+    }
+  };
+
   return {
     ...secretApprovalRequestOrm,
     findById,
     findProjectRequestCount,
     findByProjectId,
-    findByProjectIdBridgeSecretV2
+    findByProjectIdBridgeSecretV2,
+    deleteByProjectId
   };
 };

backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts

@@ -354,12 +354,66 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
       throw new DatabaseError({ error, name: "FindByRequestId" });
     }
   };
+  // special query for migration to v2 secret
+  const findByProjectId = async (projectId: string, tx?: Knex) => {
+    try {
+      const docs = await (tx || db)(TableName.SecretApprovalRequestSecret)
+        .join(
+          TableName.SecretApprovalRequest,
+          `${TableName.SecretApprovalRequest}.id`,
+          `${TableName.SecretApprovalRequestSecret}.requestId`
+        )
+        .join(TableName.SecretFolder, `${TableName.SecretApprovalRequest}.folderId`, `${TableName.SecretFolder}.id`)
+        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+        .leftJoin(
+          TableName.SecretApprovalRequestSecretTag,
+          `${TableName.SecretApprovalRequestSecret}.id`,
+          `${TableName.SecretApprovalRequestSecretTag}.secretId`
+        )
+        .where({ projectId })
+        .select(selectAllTableCols(TableName.SecretApprovalRequestSecret))
+        .select(
+          db.ref("id").withSchema(TableName.SecretApprovalRequestSecretTag).as("secretApprovalTagId"),
+          db.ref("secretId").withSchema(TableName.SecretApprovalRequestSecretTag).as("secretApprovalTagSecretId"),
+          db.ref("tagId").withSchema(TableName.SecretApprovalRequestSecretTag).as("secretApprovalTagSecretTagId"),
+          db.ref("createdAt").withSchema(TableName.SecretApprovalRequestSecretTag).as("secretApprovalTagCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.SecretApprovalRequestSecretTag).as("secretApprovalTagUpdatedAt")
+        );
+      const formatedDoc = sqlNestRelationships({
+        data: docs,
+        key: "id",
+        parentMapper: (data) => SecretApprovalRequestsSecretsSchema.parse(data),
+        childrenMapper: [
+          {
+            key: "secretApprovalTagId",
+            label: "tags" as const,
+            mapper: ({
+              secretApprovalTagSecretId,
+              secretApprovalTagId,
+              secretApprovalTagUpdatedAt,
+              secretApprovalTagCreatedAt
+            }) => ({
+              secretApprovalTagSecretId,
+              secretApprovalTagId,
+              secretApprovalTagUpdatedAt,
+              secretApprovalTagCreatedAt
+            })
+          }
+        ]
+      });
+      return formatedDoc;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindByRequestId" });
+    }
+  };
+
   return {
     ...secretApprovalRequestSecretOrm,
     insertV2Bridge: secretApprovalRequestSecretV2Orm.insertMany,
     findByRequestId,
     findByRequestIdBridgeSecretV2,
     bulkUpdateNoVersionIncrement,
+    findByProjectId,
     insertApprovalSecretTags: secretApprovalRequestSecretTagOrm.insertMany,
     insertApprovalSecretV2Tags: secretApprovalRequestSecretV2TagOrm.insertMany
   };

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -8,16 +8,19 @@ import {
   TSecretApprovalRequestsSecretsInsert,
   TSecretApprovalRequestsSecretsV2Insert
 } from "@app/db/schemas";
+import { getConfig } from "@app/lib/config/env";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
 import { setKnexStringValue } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { EnforcementLevel } from "@app/lib/types";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
+import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import {
   decryptSecretWithBot,
@@ -44,6 +47,8 @@ import {
 } from "@app/services/secret-v2-bridge/secret-v2-bridge-fns";
 import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
 import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";
+import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
+import { TUserDALFactory } from "@app/services/user/user-dal";
 
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
@@ -80,7 +85,10 @@ type TSecretApprovalRequestServiceFactoryDep = {
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
-  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus" | "findById">;
+  smtpService: Pick<TSmtpService, "sendMail">;
+  userDAL: Pick<TUserDALFactory, "find" | "findOne">;
+  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
+  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus" | "findById" | "findProjectById">;
   secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "removeSecretReminder">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey" | "encryptWithInputKey" | "decryptWithInputKey">;
   secretV2BridgeDAL: Pick<
@@ -108,6 +116,9 @@ export const secretApprovalRequestServiceFactory = ({
   secretVersionDAL,
   secretQueueService,
   projectBotService,
+  smtpService,
+  userDAL,
+  projectEnvDAL,
   kmsService,
   secretV2BridgeDAL,
   secretVersionV2BridgeDAL,
@@ -370,7 +381,8 @@ export const secretApprovalRequestServiceFactory = ({
     actor,
     actorId,
     actorOrgId,
-    actorAuthMethod
+    actorAuthMethod,
+    bypassReason
   }: TMergeSecretApprovalRequestDTO) => {
     const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
     if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
@@ -401,8 +413,11 @@ export const secretApprovalRequestServiceFactory = ({
       secretApprovalRequest.policy.approvers.filter(
         ({ userId: approverId }) => reviewers[approverId.toString()] === ApprovalStatus.APPROVED
       ).length;
+    const isSoftEnforcement = secretApprovalRequest.policy.enforcementLevel === EnforcementLevel.Soft;
+
+    if (!hasMinApproval && !isSoftEnforcement)
+      throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
 
-    if (!hasMinApproval) throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
     const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
     let mergeStatus;
     if (shouldUseSecretV2Bridge) {
@@ -745,6 +760,35 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       actor
     });
+
+    if (isSoftEnforcement) {
+      const cfg = getConfig();
+      const project = await projectDAL.findProjectById(projectId);
+      const env = await projectEnvDAL.findOne({ id: policy.envId });
+      const requestedByUser = await userDAL.findOne({ id: actorId });
+      const approverUsers = await userDAL.find({
+        $in: {
+          id: policy.approvers.map((approver: { userId: string }) => approver.userId)
+        }
+      });
+
+      await smtpService.sendMail({
+        recipients: approverUsers.filter((approver) => approver.email).map((approver) => approver.email!),
+        subjectLine: "Infisical Secret Change Policy Bypassed",
+
+        substitutions: {
+          projectName: project.name,
+          requesterFullName: `${requestedByUser.firstName} ${requestedByUser.lastName}`,
+          requesterEmail: requestedByUser.email,
+          bypassReason,
+          secretPath: policy.secretPath,
+          environment: env.name,
+          approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval`
+        },
+        template: SmtpTemplates.AccessSecretRequestBypassed
+      });
+    }
+
     return mergeStatus;
   };
 
@@ -1230,7 +1274,7 @@ export const secretApprovalRequestServiceFactory = ({
 
       const commitsGroupByKey = groupBy(approvalCommits, (i) => i.key);
       if (tagIds.length) {
-        await secretApprovalRequestSecretDAL.insertApprovalSecretTags(
+        await secretApprovalRequestSecretDAL.insertApprovalSecretV2Tags(
           Object.keys(commitTagIds).flatMap((blindIndex) =>
             commitTagIds[blindIndex]
               ? commitTagIds[blindIndex].map((tagId) => ({

backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts

@@ -67,6 +67,7 @@ export type TGenerateSecretApprovalRequestV2BridgeDTO = {
 
 export type TMergeSecretApprovalRequestDTO = {
   approvalId: string;
+  bypassReason?: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TStatusChangeDTO = {

backend/src/ee/services/secret-rotation/secret-rotation-dal.ts

@@ -144,6 +144,8 @@ export const secretRotationDALFactory = (db: TDbClient) => {
   const findRotationOutputsV2ByRotationId = async (rotationId: string) =>
     secretRotationOutputV2Orm.find({ rotationId });
 
+  // special query
+
   return {
     ...secretRotationOrm,
     find,

backend/src/ee/services/secret-snapshot/snapshot-dal.ts

@@ -1,5 +1,6 @@
 /* eslint-disable no-await-in-loop */
 import { Knex } from "knex";
+import { z } from "zod";
 
 import { TDbClient } from "@app/db";
 import {
@@ -719,6 +720,97 @@ export const snapshotDALFactory = (db: TDbClient) => {
     }
   };
 
+  // special query for migration for secret v2
+  const findNSecretV1SnapshotByFolderId = async (folderId: string, n = 15, tx?: Knex) => {
+    try {
+      const query = (tx || db.replicaNode())(TableName.Snapshot)
+        .leftJoin(TableName.SnapshotSecret, `${TableName.Snapshot}.id`, `${TableName.SnapshotSecret}.snapshotId`)
+        .leftJoin(
+          TableName.SecretVersion,
+          `${TableName.SnapshotSecret}.secretVersionId`,
+          `${TableName.SecretVersion}.id`
+        )
+        .leftJoin(
+          TableName.SecretVersionTag,
+          `${TableName.SecretVersionTag}.${TableName.SecretVersion}Id`,
+          `${TableName.SecretVersion}.id`
+        )
+        .select(selectAllTableCols(TableName.SecretVersion))
+        .select(
+          db.ref("id").withSchema(TableName.Snapshot).as("snapshotId"),
+          db.ref("createdAt").withSchema(TableName.Snapshot).as("snapshotCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.Snapshot).as("snapshotUpdatedAt"),
+          db.ref("envId").withSchema(TableName.SnapshotSecret).as("snapshotEnvId"),
+          db.ref("id").withSchema(TableName.SecretVersionTag).as("secretVersionTagId"),
+          db.ref("secret_versionsId").withSchema(TableName.SecretVersionTag).as("secretVersionTagSecretId"),
+          db.ref("secret_tagsId").withSchema(TableName.SecretVersionTag).as("secretVersionTagSecretTagId"),
+          db.raw(
+            `DENSE_RANK() OVER (partition by ${TableName.Snapshot}."id" ORDER BY ${TableName.SecretVersion}."createdAt") as rank`
+          )
+        )
+        .orderBy(`${TableName.Snapshot}.createdAt`, "desc")
+        .where(`${TableName.Snapshot}.folderId`, folderId);
+      const data = await (tx || db)
+        .with("w", query)
+        .select("*")
+        .from<Awaited<typeof query>[number]>("w")
+        .andWhere("w.rank", "<", n);
+
+      return sqlNestRelationships({
+        data,
+        key: "snapshotId",
+        parentMapper: ({ snapshotId: id, snapshotCreatedAt: createdAt, snapshotUpdatedAt: updatedAt }) => ({
+          id,
+          folderId,
+          createdAt,
+          updatedAt
+        }),
+        childrenMapper: [
+          {
+            key: "id",
+            label: "secretVersions" as const,
+            mapper: (el) => SecretVersionsSchema.extend({ snapshotEnvId: z.string() }).parse(el),
+            childrenMapper: [
+              {
+                key: "secretVersionTagId",
+                label: "tags" as const,
+                mapper: ({ secretVersionTagId, secretVersionTagSecretId, secretVersionTagSecretTagId }) => ({
+                  id: secretVersionTagId,
+                  secretVersionId: secretVersionTagSecretId,
+                  secretTagId: secretVersionTagSecretTagId
+                })
+              }
+            ]
+          }
+        ]
+      });
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindSecretSnapshotDataById" });
+    }
+  };
+
+  const deleteSnapshotsAboveLimit = async (folderId: string, n = 15, tx?: Knex) => {
+    try {
+      const query = await (tx || db)
+        .with("to_delete", (qb) => {
+          void qb
+            .select("id")
+            .from(TableName.Snapshot)
+            .where("folderId", folderId)
+            .orderBy("createdAt", "desc")
+            .offset(n);
+        })
+        .from(TableName.Snapshot)
+        .whereIn("id", (qb) => {
+          void qb.select("id").from("to_delete");
+        })
+        .delete();
+      return query;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "DeleteSnapshotsAboveLimit" });
+    }
+  };
+
   return {
     ...secretSnapshotOrm,
     findById,
@@ -728,6 +820,8 @@ export const snapshotDALFactory = (db: TDbClient) => {
     countOfSnapshotsByFolderId,
     findSecretSnapshotDataById,
     findSecretSnapshotV2DataById,
-    pruneExcessSnapshots
+    pruneExcessSnapshots,
+    findNSecretV1SnapshotByFolderId,
+    deleteSnapshotsAboveLimit
   };
 };

backend/src/lib/api-docs/constants.ts

@@ -348,10 +348,15 @@ export const ORGANIZATIONS = {
   LIST_USER_MEMBERSHIPS: {
     organizationId: "The ID of the organization to get memberships from."
   },
+  GET_USER_MEMBERSHIP: {
+    organizationId: "The ID of the organization to get the membership for.",
+    membershipId: "The ID of the membership to get."
+  },
   UPDATE_USER_MEMBERSHIP: {
     organizationId: "The ID of the organization to update the membership for.",
     membershipId: "The ID of the membership to update.",
-    role: "The new role of the membership."
+    role: "The new role of the membership.",
+    isActive: "The active status of the membership"
   },
   DELETE_USER_MEMBERSHIP: {
     organizationId: "The ID of the organization to delete the membership from.",
@@ -420,6 +425,21 @@ export const PROJECTS = {
   },
   LIST_INTEGRATION_AUTHORIZATION: {
     workspaceId: "The ID of the project to list integration auths for."
+  },
+  LIST_CAS: {
+    slug: "The slug of the project to list CAs for.",
+    status: "The status of the CA to filter by.",
+    friendlyName: "The friendly name of the CA to filter by.",
+    commonName: "The common name of the CA to filter by.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th CA.",
+    limit: "The number of CAs to return."
+  },
+  LIST_CERTIFICATES: {
+    slug: "The slug of the project to list certificates for.",
+    friendlyName: "The friendly name of the certificate to filter by.",
+    commonName: "The common name of the certificate to filter by.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th certificate.",
+    limit: "The number of certificates to return."
   }
 } as const;
 
@@ -505,6 +525,10 @@ export const ENVIRONMENTS = {
   DELETE: {
     workspaceId: "The ID of the project to delete the environment from.",
     id: "The ID of the environment to delete."
+  },
+  GET: {
+    workspaceId: "The ID of the project the environment belongs to.",
+    id: "The ID of the environment to fetch."
   }
 } as const;
 
@@ -1032,7 +1056,7 @@ export const CERTIFICATE_AUTHORITIES = {
   },
   SIGN_INTERMEDIATE: {
     caId: "The ID of the CA to sign the intermediate certificate with",
-    csr: "The CSR to sign with the CA",
+    csr: "The pem-encoded CSR to sign with the CA",
     notBefore: "The date and time when the intermediate CA becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format",
     notAfter: "The date and time when the intermediate CA expires in YYYY-MM-DDTHH:mm:ss.sssZ format",
     maxPathLength:
@@ -1062,6 +1086,21 @@ export const CERTIFICATE_AUTHORITIES = {
     privateKey: "The private key of the issued certificate",
     serialNumber: "The serial number of the issued certificate"
   },
+  SIGN_CERT: {
+    caId: "The ID of the CA to issue the certificate from",
+    csr: "The pem-encoded CSR to sign with the CA to be used for certificate issuance",
+    friendlyName: "A friendly name for the certificate",
+    commonName: "The common name (CN) for the certificate",
+    altNames:
+      "A comma-delimited list of Subject Alternative Names (SANs) for the certificate; these can be host names or email addresses.",
+    ttl: "The time to live for the certificate such as 1m, 1h, 1d, 1y, ...",
+    notBefore: "The date and time when the certificate becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format",
+    notAfter: "The date and time when the certificate expires in YYYY-MM-DDTHH:mm:ss.sssZ format",
+    certificate: "The issued certificate",
+    issuingCaCertificate: "The certificate of the issuing CA",
+    certificateChain: "The certificate chain of the issued certificate",
+    serialNumber: "The serial number of the issued certificate"
+  },
   GET_CRL: {
     caId: "The ID of the CA to get the certificate revocation list (CRL) for",
     crl: "The certificate revocation list (CRL) of the CA"

backend/src/lib/crypto/encryption.ts

@@ -226,8 +226,9 @@ export const infisicalSymmetricDecrypt = <T = string>({
   keyEncoding: SecretKeyEncoding;
 }) => {
   const appCfg = getConfig();
-  const rootEncryptionKey = appCfg.ROOT_ENCRYPTION_KEY;
-  const encryptionKey = appCfg.ENCRYPTION_KEY;
+  // the or gate is used used in migration
+  const rootEncryptionKey = appCfg?.ROOT_ENCRYPTION_KEY || process.env.ROOT_ENCRYPTION_KEY;
+  const encryptionKey = appCfg?.ENCRYPTION_KEY || process.env.ENCRYPTION_KEY;
   if (rootEncryptionKey && keyEncoding === SecretKeyEncoding.BASE64) {
     const data = decryptSymmetric({ key: rootEncryptionKey, iv, tag, ciphertext });
     return data as T;

backend/src/lib/fn/array.ts

@@ -17,6 +17,23 @@ export const groupBy = <T, Key extends string | number | symbol>(
     {} as Record<Key, T[]>
   );
 
+/**
+ * Sorts an array of items into groups. The return value is a map where the keys are
+ * the group ids the given getGroupId function produced and the value will be the last found one for the group key
+ */
+export const groupByUnique = <T, Key extends string | number | symbol>(
+  array: readonly T[],
+  getGroupId: (item: T) => Key
+): Record<Key, T> =>
+  array.reduce(
+    (acc, item) => {
+      const groupId = getGroupId(item);
+      acc[groupId] = item;
+      return acc;
+    },
+    {} as Record<Key, T>
+  );
+
 /**
  * Given a list of items returns a new list with only
  * unique items. Accepts an optional identity function

backend/src/lib/knex/index.ts

@@ -19,23 +19,43 @@ export const withTransaction = <K extends object>(db: Knex, dal: K) => ({
 
 export type TFindFilter<R extends object = object> = Partial<R> & {
   $in?: Partial<{ [k in keyof R]: R[k][] }>;
+  $search?: Partial<{ [k in keyof R]: R[k] }>;
 };
 export const buildFindFilter =
-  <R extends object = object>({ $in, ...filter }: TFindFilter<R>) =>
+  <R extends object = object>({ $in, $search, ...filter }: TFindFilter<R>) =>
   (bd: Knex.QueryBuilder<R, R>) => {
     void bd.where(filter);
     if ($in) {
       Object.entries($in).forEach(([key, val]) => {
-        void bd.whereIn(key as never, val as never);
+        if (val) {
+          void bd.whereIn(key as never, val as never);
+        }
+      });
+    }
+    if ($search) {
+      Object.entries($search).forEach(([key, val]) => {
+        if (val) {
+          void bd.whereILike(key as never, val as never);
+        }
       });
     }
     return bd;
   };
 
-export type TFindOpt<R extends object = object> = {
+export type TFindReturn<TQuery extends Knex.QueryBuilder, TCount extends boolean = false> = Array<
+  Awaited<TQuery>[0] &
+    (TCount extends true
+      ? {
+          count: string;
+        }
+      : unknown)
+>;
+
+export type TFindOpt<R extends object = object, TCount extends boolean = boolean> = {
   limit?: number;
   offset?: number;
   sort?: Array<[keyof R, "asc" | "desc"] | [keyof R, "asc" | "desc", "first" | "last"]>;
+  count?: TCount;
   tx?: Knex;
 };
 
@@ -66,18 +86,22 @@ export const ormify = <DbOps extends object, Tname extends keyof Tables>(db: Kne
       throw new DatabaseError({ error, name: "Find one" });
     }
   },
-  find: async (
+  find: async <TCount extends boolean = false>(
     filter: TFindFilter<Tables[Tname]["base"]>,
-    { offset, limit, sort, tx }: TFindOpt<Tables[Tname]["base"]> = {}
+    { offset, limit, sort, count, tx }: TFindOpt<Tables[Tname]["base"], TCount> = {}
   ) => {
     try {
       const query = (tx || db.replicaNode())(tableName).where(buildFindFilter(filter));
+      if (count) {
+        void query.select(db.raw("COUNT(*) OVER() AS count"));
+        void query.select("*");
+      }
       if (limit) void query.limit(limit);
       if (offset) void query.offset(offset);
       if (sort) {
         void query.orderBy(sort.map(([column, order, nulls]) => ({ column: column as string, order, nulls })));
       }
-      const res = await query;
+      const res = (await query) as TFindReturn<typeof query, TCount>;
       return res;
     } catch (error) {
       throw new DatabaseError({ error, name: "Find one" });
@@ -104,6 +128,19 @@ export const ormify = <DbOps extends object, Tname extends keyof Tables>(db: Kne
       throw new DatabaseError({ error, name: "Create" });
     }
   },
+  upsert: async (data: readonly Tables[Tname]["insert"][], onConflictField: keyof Tables[Tname]["base"], tx?: Knex) => {
+    try {
+      if (!data.length) return [];
+      const res = await (tx || db)(tableName)
+        .insert(data as never)
+        .onConflict(onConflictField as never)
+        .merge()
+        .returning("*");
+      return res;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Create" });
+    }
+  },
   updateById: async (
     id: string,
     {

backend/src/lib/types/index.ts

@@ -42,3 +42,13 @@ export type RequiredKeys<T> = {
 }[keyof T];
 
 export type PickRequired<T> = Pick<T, RequiredKeys<T>>;
+
+export enum EnforcementLevel {
+  Hard = "hard",
+  Soft = "soft"
+}
+
+export enum SecretSharingAccessType {
+  Anyone = "anyone",
+  Organization = "organization"
+}

backend/src/queue/queue-service.ts

@@ -25,7 +25,8 @@ export enum QueueName {
   DynamicSecretRevocation = "dynamic-secret-revocation",
   CaCrlRotation = "ca-crl-rotation",
   SecretReplication = "secret-replication",
-  SecretSync = "secret-sync" // parent queue to push integration sync, webhook, and secret replication
+  SecretSync = "secret-sync", // parent queue to push integration sync, webhook, and secret replication
+  ProjectV3Migration = "project-v3-migration"
 }
 
 export enum QueueJobs {
@@ -44,7 +45,8 @@ export enum QueueJobs {
   DynamicSecretPruning = "dynamic-secret-pruning",
   CaCrlRotation = "ca-crl-rotation-job",
   SecretReplication = "secret-replication",
-  SecretSync = "secret-sync" // parent queue to push integration sync, webhook, and secret replication
+  SecretSync = "secret-sync", // parent queue to push integration sync, webhook, and secret replication
+  ProjectV3Migration = "project-v3-migration"
 }
 
 export type TQueueJobTypes = {
@@ -136,6 +138,10 @@ export type TQueueJobTypes = {
     name: QueueJobs.SecretSync;
     payload: TSyncSecretsDTO;
   };
+  [QueueName.ProjectV3Migration]: {
+    name: QueueJobs.ProjectV3Migration;
+    payload: { projectId: string };
+  };
 };
 
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;
@@ -210,6 +216,7 @@ export const queueServiceFactory = (redisUrl: string) => {
     const job = await q.getJob(jobId);
     if (!job) return true;
     if (!job.repeatJobKey) return true;
+    await job.remove();
     return q.removeRepeatableByKey(job.repeatJobKey);
   };
 

backend/src/server/routes/index.ts

@@ -129,6 +129,7 @@ import { orgDALFactory } from "@app/services/org/org-dal";
 import { orgRoleDALFactory } from "@app/services/org/org-role-dal";
 import { orgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { orgServiceFactory } from "@app/services/org/org-service";
+import { orgAdminServiceFactory } from "@app/services/org-admin/org-admin-service";
 import { orgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { projectDALFactory } from "@app/services/project/project-dal";
 import { projectQueueFactory } from "@app/services/project/project-queue";
@@ -468,6 +469,7 @@ export const registerRoutes = async (
     tokenService,
     projectDAL,
     projectMembershipDAL,
+    orgMembershipDAL,
     projectKeyDAL,
     smtpService,
     userDAL,
@@ -497,6 +499,16 @@ export const registerRoutes = async (
     keyStore,
     licenseService
   });
+  const orgAdminService = orgAdminServiceFactory({
+    projectDAL,
+    permissionService,
+    projectUserMembershipRoleDAL,
+    userDAL,
+    projectBotDAL,
+    projectKeyDAL,
+    projectMembershipDAL
+  });
+
   const rateLimitService = rateLimitServiceFactory({
     rateLimitDAL,
     licenseService
@@ -634,7 +646,8 @@ export const registerRoutes = async (
     projectUserMembershipRoleDAL,
     identityProjectMembershipRoleDAL,
     keyStore,
-    kmsService
+    kmsService,
+    projectBotDAL
   });
 
   const projectEnvService = projectEnvServiceFactory({
@@ -718,7 +731,12 @@ export const registerRoutes = async (
     kmsService,
     secretVersionV2BridgeDAL,
     secretV2BridgeDAL,
-    secretVersionTagV2BridgeDAL
+    secretVersionTagV2BridgeDAL,
+    secretRotationDAL,
+    integrationAuthDAL,
+    snapshotDAL,
+    snapshotSecretV2BridgeDAL,
+    secretApprovalRequestDAL
   });
   const secretImportService = secretImportServiceFactory({
     licenseService,
@@ -774,7 +792,10 @@ export const registerRoutes = async (
     kmsService,
     secretV2BridgeDAL,
     secretVersionV2BridgeDAL,
-    secretVersionTagV2BridgeDAL
+    secretVersionTagV2BridgeDAL,
+    smtpService,
+    projectEnvDAL,
+    userDAL
   });
 
   const secretService = secretServiceFactory({
@@ -800,7 +821,8 @@ export const registerRoutes = async (
 
   const secretSharingService = secretSharingServiceFactory({
     permissionService,
-    secretSharingDAL
+    secretSharingDAL,
+    orgDAL
   });
 
   const accessApprovalPolicyService = accessApprovalPolicyServiceFactory({
@@ -1006,7 +1028,8 @@ export const registerRoutes = async (
     secretFolderVersionDAL: folderVersionDAL,
     snapshotDAL,
     identityAccessTokenDAL,
-    secretSharingDAL
+    secretSharingDAL,
+    secretVersionV2DAL: secretVersionV2BridgeDAL
   });
 
   const oidcService = oidcConfigServiceFactory({
@@ -1101,7 +1124,8 @@ export const registerRoutes = async (
     identityProjectAdditionalPrivilege: identityProjectAdditionalPrivilegeService,
     secretSharing: secretSharingService,
     userEngagement: userEngagementService,
-    externalKms: externalKmsService
+    externalKms: externalKmsService,
+    orgAdmin: orgAdminService
   });
 
   const cronJobs: CronJob[] = [];

backend/src/server/routes/sanitizedSchemas.ts

@@ -5,6 +5,7 @@ import {
   IdentityProjectAdditionalPrivilegeSchema,
   IntegrationAuthsSchema,
   ProjectRolesSchema,
+  ProjectsSchema,
   SecretApprovalPoliciesSchema,
   UsersSchema
 } from "@app/db/schemas";
@@ -141,3 +142,18 @@ export const SanitizedAuditLogStreamSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date()
 });
+
+export const SanitizedProjectSchema = ProjectsSchema.pick({
+  id: true,
+  name: true,
+  slug: true,
+  autoCapitalization: true,
+  orgId: true,
+  createdAt: true,
+  updatedAt: true,
+  version: true,
+  upgradeStatus: true,
+  pitVersionLimit: true,
+  kmsCertificateKeyId: true,
+  auditLogsRetentionDays: true
+});

backend/src/server/routes/v1/certificate-authority-router.ts

@@ -337,7 +337,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.SIGN_INTERMEDIATE.caId)
       }),
       body: z.object({
-        csr: z.string().trim().describe(CERTIFICATE_AUTHORITIES.SIGN_INTERMEDIATE.csr),
+        csr: z.string().trim().min(1).describe(CERTIFICATE_AUTHORITIES.SIGN_INTERMEDIATE.csr),
         notBefore: validateCaDateField.optional().describe(CERTIFICATE_AUTHORITIES.SIGN_INTERMEDIATE.notBefore),
         notAfter: validateCaDateField.describe(CERTIFICATE_AUTHORITIES.SIGN_INTERMEDIATE.notAfter),
         maxPathLength: z.number().min(-1).default(-1).describe(CERTIFICATE_AUTHORITIES.SIGN_INTERMEDIATE.maxPathLength)
@@ -453,7 +453,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }),
       body: z
         .object({
-          friendlyName: z.string().optional().describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.friendlyName),
+          friendlyName: z.string().trim().optional().describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.friendlyName),
           commonName: z.string().trim().min(1).describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.commonName),
           altNames: validateAltNamesField.describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.altNames),
           ttl: z
@@ -516,4 +516,81 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       };
     }
   });
+
+  server.route({
+    method: "POST",
+    url: "/:caId/sign-certificate",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Sign certificate from CA",
+      params: z.object({
+        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.caId)
+      }),
+      body: z
+        .object({
+          csr: z.string().trim().min(1).describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.csr),
+          friendlyName: z.string().trim().optional().describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.friendlyName),
+          commonName: z.string().trim().min(1).optional().describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.commonName),
+          altNames: validateAltNamesField.describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.altNames),
+          ttl: z
+            .string()
+            .refine((val) => ms(val) > 0, "TTL must be a positive number")
+            .describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.ttl),
+          notBefore: validateCaDateField.optional().describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.notBefore),
+          notAfter: validateCaDateField.optional().describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.notAfter)
+        })
+        .refine(
+          (data) => {
+            const { ttl, notAfter } = data;
+            return (ttl !== undefined && notAfter === undefined) || (ttl === undefined && notAfter !== undefined);
+          },
+          {
+            message: "Either ttl or notAfter must be present, but not both",
+            path: ["ttl", "notAfter"]
+          }
+        ),
+      response: {
+        200: z.object({
+          certificate: z.string().trim().describe(CERTIFICATE_AUTHORITIES.SIGN_CERT.certificate),
+          issuingCaCertificate: z.string().trim().describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.issuingCaCertificate),
+          certificateChain: z.string().trim().describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.certificateChain),
+          serialNumber: z.string().trim().describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.serialNumber)
+        })
+      }
+    },
+    handler: async (req) => {
+      const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca } =
+        await server.services.certificateAuthority.signCertFromCa({
+          caId: req.params.caId,
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          ...req.body
+        });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: ca.projectId,
+        event: {
+          type: EventType.SIGN_CERT,
+          metadata: {
+            caId: ca.id,
+            dn: ca.dn,
+            serialNumber
+          }
+        }
+      });
+
+      return {
+        certificate,
+        certificateChain,
+        issuingCaCertificate,
+        serialNumber
+      };
+    }
+  });
 };

backend/src/server/routes/v1/identity-router.ts

@@ -1,12 +1,6 @@
 import { z } from "zod";
 
-import {
-  IdentitiesSchema,
-  IdentityOrgMembershipsSchema,
-  OrgMembershipRole,
-  OrgRolesSchema,
-  ProjectsSchema
-} from "@app/db/schemas";
+import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgMembershipRole, OrgRolesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { IDENTITIES } from "@app/lib/api-docs";
 import { creationLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -15,6 +9,8 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
+import { SanitizedProjectSchema } from "../sanitizedSchemas";
+
 export const registerIdentityRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
@@ -307,7 +303,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
                 })
               ),
               identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true }),
-              project: ProjectsSchema.pick({ name: true, id: true })
+              project: SanitizedProjectSchema.pick({ name: true, id: true })
             })
           )
         })

backend/src/server/routes/v1/index.ts

@@ -15,6 +15,7 @@ import { registerIdentityUaRouter } from "./identity-universal-auth-router";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
 import { registerIntegrationRouter } from "./integration-router";
 import { registerInviteOrgRouter } from "./invite-org-router";
+import { registerOrgAdminRouter } from "./org-admin-router";
 import { registerOrgRouter } from "./organization-router";
 import { registerPasswordRouter } from "./password-router";
 import { registerProjectEnvRouter } from "./project-env-router";
@@ -50,6 +51,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
   await server.register(registerPasswordRouter, { prefix: "/password" });
   await server.register(registerOrgRouter, { prefix: "/organization" });
   await server.register(registerAdminRouter, { prefix: "/admin" });
+  await server.register(registerOrgAdminRouter, { prefix: "/organization-admin" });
   await server.register(registerUserRouter, { prefix: "/user" });
   await server.register(registerInviteOrgRouter, { prefix: "/invite-org" });
   await server.register(registerUserActionRouter, { prefix: "/user-action" });

backend/src/server/routes/v1/org-admin-router.ts

@@ -0,0 +1,90 @@
+import { z } from "zod";
+
+import { ProjectMembershipsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { SanitizedProjectSchema } from "../sanitizedSchemas";
+
+export const registerOrgAdminRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/projects",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      querystring: z.object({
+        search: z.string().optional(),
+        offset: z.coerce.number().default(0),
+        limit: z.coerce.number().max(100).default(50)
+      }),
+      response: {
+        200: z.object({
+          projects: SanitizedProjectSchema.array(),
+          count: z.coerce.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { projects, count } = await server.services.orgAdmin.listOrgProjects({
+        limit: req.query.limit,
+        offset: req.query.offset,
+        search: req.query.search,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorId: req.permission.id,
+        actor: req.permission.type
+      });
+      return { projects, count };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/projects/:projectId/grant-admin-access",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        projectId: z.string()
+      }),
+      response: {
+        200: z.object({
+          membership: ProjectMembershipsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { membership } = await server.services.orgAdmin.grantProjectAdminAccess({
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        projectId: req.params.projectId
+      });
+      if (req.auth.authMode === AuthMode.JWT) {
+        await server.services.auditLog.createAuditLog({
+          ...req.auditLogInfo,
+          projectId: req.params.projectId,
+          event: {
+            type: EventType.ORG_ADMIN_ACCESS_PROJECT,
+            metadata: {
+              projectId: req.params.projectId,
+              username: req.auth.user.username,
+              email: req.auth.user.email || "",
+              userId: req.auth.userId
+            }
+          }
+        });
+      }
+
+      return { membership };
+    }
+  });
+};

backend/src/server/routes/v1/project-env-router.ts

@@ -9,6 +9,55 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/:workspaceId/environments/:envId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Get Environment",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        workspaceId: z.string().trim().describe(ENVIRONMENTS.GET.workspaceId),
+        envId: z.string().trim().describe(ENVIRONMENTS.GET.id)
+      }),
+      response: {
+        200: z.object({
+          environment: ProjectEnvironmentsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const environment = await server.services.projectEnv.getEnvironmentById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        projectId: req.params.workspaceId,
+        id: req.params.envId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: environment.projectId,
+        event: {
+          type: EventType.GET_ENVIRONMENT,
+          metadata: {
+            id: environment.id
+          }
+        }
+      });
+
+      return { environment };
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/:workspaceId/environments",

backend/src/server/routes/v1/project-router.ts

@@ -1,22 +1,16 @@
 import { z } from "zod";
 
-import {
-  IntegrationsSchema,
-  ProjectMembershipsSchema,
-  ProjectsSchema,
-  UserEncryptionKeysSchema,
-  UsersSchema
-} from "@app/db/schemas";
+import { IntegrationsSchema, ProjectMembershipsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
 import { PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectFilterType } from "@app/services/project/project-types";
 
-import { integrationAuthPubSchema } from "../sanitizedSchemas";
+import { integrationAuthPubSchema, SanitizedProjectSchema } from "../sanitizedSchemas";
 import { sanitizedServiceTokenSchema } from "../v2/service-token-router";
 
-const projectWithEnv = ProjectsSchema.merge(
+const projectWithEnv = SanitizedProjectSchema.merge(
   z.object({
     _id: z.string(),
     environments: z.object({ name: z.string(), slug: z.string(), id: z.string() }).array()
@@ -78,6 +72,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
               lastName: true,
               id: true
             }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+            project: SanitizedProjectSchema.pick({ name: true, id: true }),
             roles: z.array(
               z.object({
                 id: z.string(),
@@ -187,7 +182,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          workspace: ProjectsSchema.optional()
+          workspace: SanitizedProjectSchema.optional()
         })
       }
     },
@@ -223,7 +218,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       response: {
         200: z.object({
           message: z.string(),
-          workspace: ProjectsSchema
+          workspace: SanitizedProjectSchema
         })
       }
     },
@@ -271,7 +266,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          workspace: ProjectsSchema
+          workspace: SanitizedProjectSchema
         })
       }
     },
@@ -313,7 +308,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       response: {
         200: z.object({
           message: z.string(),
-          workspace: ProjectsSchema
+          workspace: SanitizedProjectSchema
         })
       }
     },
@@ -350,7 +345,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       response: {
         200: z.object({
           message: z.string(),
-          workspace: ProjectsSchema
+          workspace: SanitizedProjectSchema
         })
       }
     },
@@ -388,7 +383,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       response: {
         200: z.object({
           message: z.string(),
-          workspace: ProjectsSchema
+          workspace: SanitizedProjectSchema
         })
       }
     },

backend/src/server/routes/v1/secret-sharing-router.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 import { SecretSharingSchema } from "@app/db/schemas";
+import { SecretSharingAccessType } from "@app/lib/types";
 import {
   publicEndpointLimit,
   publicSecretShareCreationLimit,
@@ -18,21 +19,31 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
       rateLimit: readLimit
     },
     schema: {
+      querystring: z.object({
+        offset: z.coerce.number().min(0).max(100).default(0),
+        limit: z.coerce.number().min(1).max(100).default(25)
+      }),
       response: {
-        200: z.array(SecretSharingSchema)
+        200: z.object({
+          secrets: z.array(SecretSharingSchema),
+          totalCount: z.number()
+        })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
-      const sharedSecrets = await req.server.services.secretSharing.getSharedSecrets({
+      const { secrets, totalCount } = await req.server.services.secretSharing.getSharedSecrets({
         actor: req.permission.type,
         actorId: req.permission.id,
-        orgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
+        actorOrgId: req.permission.orgId,
+        ...req.query
       });
 
-      return sharedSecrets;
+      return {
+        secrets,
+        totalCount
+      };
     }
   });
 
@@ -47,7 +58,7 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         id: z.string().uuid()
       }),
       querystring: z.object({
-        hashedHex: z.string()
+        hashedHex: z.string().min(1)
       }),
       response: {
         200: SecretSharingSchema.pick({
@@ -55,22 +66,28 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
           iv: true,
           tag: true,
           expiresAt: true,
-          expiresAfterViews: true
+          expiresAfterViews: true,
+          accessType: true
+        }).extend({
+          orgName: z.string().optional()
         })
       }
     },
     handler: async (req) => {
-      const sharedSecret = await req.server.services.secretSharing.getActiveSharedSecretByIdAndHashedHex(
-        req.params.id,
-        req.query.hashedHex
-      );
+      const sharedSecret = await req.server.services.secretSharing.getActiveSharedSecretById({
+        sharedSecretId: req.params.id,
+        hashedHex: req.query.hashedHex,
+        orgId: req.permission?.orgId
+      });
       if (!sharedSecret) return undefined;
       return {
         encryptedValue: sharedSecret.encryptedValue,
         iv: sharedSecret.iv,
         tag: sharedSecret.tag,
         expiresAt: sharedSecret.expiresAt,
-        expiresAfterViews: sharedSecret.expiresAfterViews
+        expiresAfterViews: sharedSecret.expiresAfterViews,
+        accessType: sharedSecret.accessType,
+        orgName: sharedSecret.orgName
       };
     }
   });
@@ -84,11 +101,11 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
     schema: {
       body: z.object({
         encryptedValue: z.string(),
+        hashedHex: z.string(),
         iv: z.string(),
         tag: z.string(),
-        hashedHex: z.string(),
         expiresAt: z.string(),
-        expiresAfterViews: z.number()
+        expiresAfterViews: z.number().min(1).optional()
       }),
       response: {
         200: z.object({
@@ -97,14 +114,9 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
       }
     },
     handler: async (req) => {
-      const { encryptedValue, iv, tag, hashedHex, expiresAt, expiresAfterViews } = req.body;
       const sharedSecret = await req.server.services.secretSharing.createPublicSharedSecret({
-        encryptedValue,
-        iv,
-        tag,
-        hashedHex,
-        expiresAt: new Date(expiresAt),
-        expiresAfterViews
+        ...req.body,
+        accessType: SecretSharingAccessType.Anyone
       });
       return { id: sharedSecret.id };
     }
@@ -118,12 +130,14 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
     },
     schema: {
       body: z.object({
+        name: z.string().max(50).optional(),
         encryptedValue: z.string(),
+        hashedHex: z.string(),
         iv: z.string(),
         tag: z.string(),
-        hashedHex: z.string(),
         expiresAt: z.string(),
-        expiresAfterViews: z.number()
+        expiresAfterViews: z.number().min(1).optional(),
+        accessType: z.nativeEnum(SecretSharingAccessType).default(SecretSharingAccessType.Organization)
       }),
       response: {
         200: z.object({
@@ -133,19 +147,13 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
-      const { encryptedValue, iv, tag, hashedHex, expiresAt, expiresAfterViews } = req.body;
       const sharedSecret = await req.server.services.secretSharing.createSharedSecret({
         actor: req.permission.type,
         actorId: req.permission.id,
         orgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        encryptedValue,
-        iv,
-        tag,
-        hashedHex,
-        expiresAt: new Date(expiresAt),
-        expiresAfterViews
+        ...req.body
       });
       return { id: sharedSecret.id };
     }

backend/src/server/routes/v1/webhook-router.ts

@@ -8,25 +8,24 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { WebhookType } from "@app/services/webhook/webhook-types";
 
-export const sanitizedWebhookSchema = WebhooksSchema.omit({
-  encryptedSecretKey: true,
-  iv: true,
-  tag: true,
-  algorithm: true,
-  keyEncoding: true,
-  urlCipherText: true,
-  urlIV: true,
-  urlTag: true
-}).merge(
-  z.object({
-    projectId: z.string(),
-    environment: z.object({
-      id: z.string(),
-      name: z.string(),
-      slug: z.string()
-    })
+export const sanitizedWebhookSchema = WebhooksSchema.pick({
+  id: true,
+  secretPath: true,
+  lastStatus: true,
+  lastRunErrorMessage: true,
+  isDisabled: true,
+  createdAt: true,
+  updatedAt: true,
+  envId: true,
+  type: true
+}).extend({
+  projectId: z.string(),
+  environment: z.object({
+    id: z.string(),
+    name: z.string(),
+    slug: z.string()
   })
-);
+});
 
 export const registerWebhookRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -228,7 +227,7 @@ export const registerWebhookRouter = async (server: FastifyZodProvider) => {
       response: {
         200: z.object({
           message: z.string(),
-          webhooks: sanitizedWebhookSchema.array()
+          webhooks: sanitizedWebhookSchema.extend({ url: z.string() }).array()
         })
       }
     },

backend/src/server/routes/v2/identity-project-router.ts

@@ -5,7 +5,6 @@ import {
   IdentitiesSchema,
   IdentityProjectMembershipsSchema,
   ProjectMembershipRole,
-  ProjectsSchema,
   ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
 import { PROJECT_IDENTITIES } from "@app/lib/api-docs";
@@ -15,6 +14,8 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
 
+import { SanitizedProjectSchema } from "../sanitizedSchemas";
+
 export const registerIdentityProjectRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
@@ -236,7 +237,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
                 })
               ),
               identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true }),
-              project: ProjectsSchema.pick({ name: true, id: true })
+              project: SanitizedProjectSchema.pick({ name: true, id: true })
             })
             .array()
         })
@@ -294,7 +295,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
               })
             ),
             identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true }),
-            project: ProjectsSchema.pick({ name: true, id: true })
+            project: SanitizedProjectSchema.pick({ name: true, id: true })
           })
         })
       }

backend/src/server/routes/v2/organization-router.ts

@@ -1,6 +1,13 @@
 import { z } from "zod";
 
-import { OrganizationsSchema, OrgMembershipsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
+import {
+  OrganizationsSchema,
+  OrgMembershipsSchema,
+  ProjectMembershipsSchema,
+  ProjectsSchema,
+  UserEncryptionKeysSchema,
+  UsersSchema
+} from "@app/db/schemas";
 import { ORGANIZATIONS } from "@app/lib/api-docs";
 import { creationLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -30,6 +37,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
               user: UsersSchema.pick({
                 username: true,
                 email: true,
+                isEmailVerified: true,
                 firstName: true,
                 lastName: true,
                 id: true
@@ -103,6 +111,54 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/:organizationId/memberships/:membershipId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Get organization user membership",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        organizationId: z.string().trim().describe(ORGANIZATIONS.GET_USER_MEMBERSHIP.organizationId),
+        membershipId: z.string().trim().describe(ORGANIZATIONS.GET_USER_MEMBERSHIP.membershipId)
+      }),
+      response: {
+        200: z.object({
+          membership: OrgMembershipsSchema.merge(
+            z.object({
+              user: UsersSchema.pick({
+                username: true,
+                email: true,
+                isEmailVerified: true,
+                firstName: true,
+                lastName: true,
+                id: true
+              }).merge(z.object({ publicKey: z.string().nullable() }))
+            })
+          ).omit({ createdAt: true, updatedAt: true })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const membership = await server.services.org.getOrgMembership({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        orgId: req.params.organizationId,
+        membershipId: req.params.membershipId
+      });
+      return { membership };
+    }
+  });
+
   server.route({
     method: "PATCH",
     url: "/:organizationId/memberships/:membershipId",
@@ -121,7 +177,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         membershipId: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.membershipId)
       }),
       body: z.object({
-        role: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.role)
+        role: z.string().trim().optional().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.role),
+        isActive: z.boolean().optional().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.isActive)
       }),
       response: {
         200: z.object({
@@ -129,17 +186,17 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       if (req.auth.actor !== ActorType.USER) return;
 
       const membership = await server.services.org.updateOrgMembership({
         userId: req.permission.id,
-        role: req.body.role,
         actorAuthMethod: req.permission.authMethod,
         orgId: req.params.organizationId,
         membershipId: req.params.membershipId,
-        actorOrgId: req.permission.orgId
+        actorOrgId: req.permission.orgId,
+        ...req.body
       });
       return { membership };
     }
@@ -183,6 +240,69 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    // TODO: re-think endpoint structure in future so users only need to pass in membershipId bc organizationId is redundant
+    method: "GET",
+    url: "/:organizationId/memberships/:membershipId/project-memberships",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Get project memberships given organization membership",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        organizationId: z.string().trim().describe(ORGANIZATIONS.DELETE_USER_MEMBERSHIP.organizationId),
+        membershipId: z.string().trim().describe(ORGANIZATIONS.DELETE_USER_MEMBERSHIP.membershipId)
+      }),
+      response: {
+        200: z.object({
+          memberships: ProjectMembershipsSchema.extend({
+            user: UsersSchema.pick({
+              email: true,
+              username: true,
+              firstName: true,
+              lastName: true,
+              id: true
+            }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+            project: ProjectsSchema.pick({ name: true, id: true }),
+            roles: z.array(
+              z.object({
+                id: z.string(),
+                role: z.string(),
+                customRoleId: z.string().optional().nullable(),
+                customRoleName: z.string().optional().nullable(),
+                customRoleSlug: z.string().optional().nullable(),
+                isTemporary: z.boolean(),
+                temporaryMode: z.string().optional().nullable(),
+                temporaryRange: z.string().nullable().optional(),
+                temporaryAccessStartTime: z.date().nullable().optional(),
+                temporaryAccessEndTime: z.date().nullable().optional()
+              })
+            )
+          })
+            .omit({ createdAt: true, updatedAt: true })
+            .array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const memberships = await server.services.org.listProjectMembershipsByOrgMembershipId({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        orgId: req.params.organizationId,
+        orgMembershipId: req.params.membershipId
+      });
+      return { memberships };
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/",

backend/src/server/routes/v2/project-router.ts

@@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 
-import { CertificateAuthoritiesSchema, CertificatesSchema, ProjectKeysSchema, ProjectsSchema } from "@app/db/schemas";
+import { CertificateAuthoritiesSchema, CertificatesSchema, ProjectKeysSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { PROJECTS } from "@app/lib/api-docs";
 import { creationLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -12,12 +12,12 @@ import { CaStatus } from "@app/services/certificate-authority/certificate-author
 import { ProjectFilterType } from "@app/services/project/project-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
-const projectWithEnv = ProjectsSchema.merge(
-  z.object({
-    _id: z.string(),
-    environments: z.object({ name: z.string(), slug: z.string(), id: z.string() }).array()
-  })
-);
+import { SanitizedProjectSchema } from "../sanitizedSchemas";
+
+const projectWithEnv = SanitizedProjectSchema.extend({
+  _id: z.string(),
+  environments: z.object({ name: z.string(), slug: z.string(), id: z.string() }).array()
+});
 
 const slugSchema = z
   .string()
@@ -214,7 +214,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         slug: slugSchema.describe("The slug of the project to delete.")
       }),
       response: {
-        200: ProjectsSchema
+        200: SanitizedProjectSchema
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -285,7 +285,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         autoCapitalization: z.boolean().optional().describe("The new auto-capitalization setting.")
       }),
       response: {
-        200: ProjectsSchema
+        200: SanitizedProjectSchema
       }
     },
 
@@ -319,10 +319,14 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       params: z.object({
-        slug: slugSchema.describe("The slug of the project to list CAs.")
+        slug: slugSchema.describe(PROJECTS.LIST_CAS.slug)
       }),
       querystring: z.object({
-        status: z.enum([CaStatus.ACTIVE, CaStatus.PENDING_CERTIFICATE]).optional()
+        status: z.enum([CaStatus.ACTIVE, CaStatus.PENDING_CERTIFICATE]).optional().describe(PROJECTS.LIST_CAS.status),
+        friendlyName: z.string().optional().describe(PROJECTS.LIST_CAS.friendlyName),
+        commonName: z.string().optional().describe(PROJECTS.LIST_CAS.commonName),
+        offset: z.coerce.number().min(0).max(100).default(0).describe(PROJECTS.LIST_CAS.offset),
+        limit: z.coerce.number().min(1).max(100).default(25).describe(PROJECTS.LIST_CAS.limit)
       }),
       response: {
         200: z.object({
@@ -338,11 +342,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           orgId: req.permission.orgId,
           type: ProjectFilterType.SLUG
         },
-        status: req.query.status,
         actorId: req.permission.id,
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
-        actor: req.permission.type
+        actor: req.permission.type,
+        ...req.query
       });
       return { cas };
     }
@@ -356,11 +360,13 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       params: z.object({
-        slug: slugSchema.describe("The slug of the project to list certificates.")
+        slug: slugSchema.describe(PROJECTS.LIST_CERTIFICATES.slug)
       }),
       querystring: z.object({
-        offset: z.coerce.number().min(0).max(100).default(0),
-        limit: z.coerce.number().min(1).max(100).default(25)
+        friendlyName: z.string().optional().describe(PROJECTS.LIST_CERTIFICATES.friendlyName),
+        commonName: z.string().optional().describe(PROJECTS.LIST_CERTIFICATES.commonName),
+        offset: z.coerce.number().min(0).max(100).default(0).describe(PROJECTS.LIST_CERTIFICATES.offset),
+        limit: z.coerce.number().min(1).max(100).default(25).describe(PROJECTS.LIST_CERTIFICATES.limit)
       }),
       response: {
         200: z.object({

backend/src/services/certificate-authority/certificate-authority-fns.ts

@@ -18,6 +18,40 @@ export const createDistinguishedName = (parts: TDNParts) => {
   return dnParts.join(", ");
 };
 
+export const parseDistinguishedName = (dn: string): TDNParts => {
+  const parts: TDNParts = {};
+  const dnParts = dn.split(/,\s*/);
+
+  for (const part of dnParts) {
+    const [key, value] = part.split("=");
+    switch (key.toUpperCase()) {
+      case "C":
+        parts.country = value;
+        break;
+      case "O":
+        parts.organization = value;
+        break;
+      case "OU":
+        parts.ou = value;
+        break;
+      case "ST":
+        parts.province = value;
+        break;
+      case "CN":
+        parts.commonName = value;
+        break;
+      case "L":
+        parts.locality = value;
+        break;
+      default:
+        // Ignore unrecognized keys
+        break;
+    }
+  }
+
+  return parts;
+};
+
 export const keyAlgorithmToAlgCfg = (keyAlgorithm: CertKeyAlgorithm) => {
   switch (keyAlgorithm) {
     case CertKeyAlgorithm.RSA_4096:

backend/src/services/certificate-authority/certificate-authority-service.ts

@@ -22,7 +22,8 @@ import {
   createDistinguishedName,
   getCaCertChain,
   getCaCredentials,
-  keyAlgorithmToAlgCfg
+  keyAlgorithmToAlgCfg,
+  parseDistinguishedName
 } from "./certificate-authority-fns";
 import { TCertificateAuthorityQueueFactory } from "./certificate-authority-queue";
 import { TCertificateAuthoritySecretDALFactory } from "./certificate-authority-secret-dal";
@@ -36,6 +37,7 @@ import {
   TGetCaDTO,
   TImportCertToCaDTO,
   TIssueCertFromCaDTO,
+  TSignCertFromCaDTO,
   TSignIntermediateDTO,
   TUpdateCaDTO
 } from "./certificate-authority-types";
@@ -651,7 +653,8 @@ export const certificateAuthorityServiceFactory = ({
   };
 
   /**
-   * Return new leaf certificate issued by CA with id [caId]
+   * Return new leaf certificate issued by CA with id [caId] and private key.
+   * Note: private key and CSR are generated within Infisical.
    */
   const issueCertFromCa = async ({
     caId,
@@ -851,6 +854,204 @@ export const certificateAuthorityServiceFactory = ({
     };
   };
 
+  /**
+   * Return new leaf certificate issued by CA with id [caId].
+   * Note: CSR is generated externally and submitted to Infisical.
+   */
+  const signCertFromCa = async ({
+    caId,
+    csr,
+    friendlyName,
+    commonName,
+    altNames,
+    ttl,
+    notBefore,
+    notAfter,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TSignCertFromCaDTO) => {
+    const ca = await certificateAuthorityDAL.findById(caId);
+    if (!ca) throw new BadRequestError({ message: "CA not found" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      ca.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Certificates);
+
+    if (ca.status === CaStatus.DISABLED) throw new BadRequestError({ message: "CA is disabled" });
+
+    const caCert = await certificateAuthorityCertDAL.findOne({ caId: ca.id });
+    if (!caCert) throw new BadRequestError({ message: "CA does not have a certificate installed" });
+
+    const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
+      projectId: ca.projectId,
+      projectDAL,
+      kmsService
+    });
+
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
+      kmsId: certificateManagerKmsId
+    });
+
+    const decryptedCaCert = await kmsDecryptor({
+      cipherTextBlob: caCert.encryptedCertificate
+    });
+
+    const caCertObj = new x509.X509Certificate(decryptedCaCert);
+
+    const notBeforeDate = notBefore ? new Date(notBefore) : new Date();
+
+    let notAfterDate = new Date(new Date().setFullYear(new Date().getFullYear() + 1));
+    if (notAfter) {
+      notAfterDate = new Date(notAfter);
+    } else if (ttl) {
+      notAfterDate = new Date(new Date().getTime() + ms(ttl));
+    }
+
+    const caCertNotBeforeDate = new Date(caCertObj.notBefore);
+    const caCertNotAfterDate = new Date(caCertObj.notAfter);
+
+    // check not before constraint
+    if (notBeforeDate < caCertNotBeforeDate) {
+      throw new BadRequestError({ message: "notBefore date is before CA certificate's notBefore date" });
+    }
+
+    if (notBeforeDate > notAfterDate) throw new BadRequestError({ message: "notBefore date is after notAfter date" });
+
+    // check not after constraint
+    if (notAfterDate > caCertNotAfterDate) {
+      throw new BadRequestError({ message: "notAfter date is after CA certificate's notAfter date" });
+    }
+
+    const alg = keyAlgorithmToAlgCfg(ca.keyAlgorithm as CertKeyAlgorithm);
+
+    const csrObj = new x509.Pkcs10CertificateRequest(csr);
+
+    const dn = parseDistinguishedName(csrObj.subject);
+    const cn = commonName || dn.commonName;
+
+    if (!cn)
+      throw new BadRequestError({
+        message: "A common name (CN) is required in the CSR or as a parameter to this endpoint"
+      });
+
+    const { caPrivateKey } = await getCaCredentials({
+      caId: ca.id,
+      certificateAuthorityDAL,
+      certificateAuthoritySecretDAL,
+      projectDAL,
+      kmsService
+    });
+
+    const extensions: x509.Extension[] = [
+      new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment, true),
+      new x509.BasicConstraintsExtension(false),
+      await x509.AuthorityKeyIdentifierExtension.create(caCertObj, false),
+      await x509.SubjectKeyIdentifierExtension.create(csrObj.publicKey)
+    ];
+
+    if (altNames) {
+      const altNamesArray: {
+        type: "email" | "dns";
+        value: string;
+      }[] = altNames
+        .split(",")
+        .map((name) => name.trim())
+        .map((altName) => {
+          // check if the altName is a valid email
+          if (z.string().email().safeParse(altName).success) {
+            return {
+              type: "email",
+              value: altName
+            };
+          }
+
+          // check if the altName is a valid hostname
+          if (hostnameRegex.test(altName)) {
+            return {
+              type: "dns",
+              value: altName
+            };
+          }
+
+          // If altName is neither a valid email nor a valid hostname, throw an error or handle it accordingly
+          throw new Error(`Invalid altName: ${altName}`);
+        });
+
+      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
+      extensions.push(altNamesExtension);
+    }
+
+    const serialNumber = crypto.randomBytes(32).toString("hex");
+    const leafCert = await x509.X509CertificateGenerator.create({
+      serialNumber,
+      subject: csrObj.subject,
+      issuer: caCertObj.subject,
+      notBefore: notBeforeDate,
+      notAfter: notAfterDate,
+      signingKey: caPrivateKey,
+      publicKey: csrObj.publicKey,
+      signingAlgorithm: alg,
+      extensions
+    });
+
+    const kmsEncryptor = await kmsService.encryptWithKmsKey({
+      kmsId: certificateManagerKmsId
+    });
+    const { cipherTextBlob: encryptedCertificate } = await kmsEncryptor({
+      plainText: Buffer.from(new Uint8Array(leafCert.rawData))
+    });
+
+    await certificateDAL.transaction(async (tx) => {
+      const cert = await certificateDAL.create(
+        {
+          caId: ca.id,
+          status: CertStatus.ACTIVE,
+          friendlyName: friendlyName || csrObj.subject,
+          commonName: cn,
+          altNames,
+          serialNumber,
+          notBefore: notBeforeDate,
+          notAfter: notAfterDate
+        },
+        tx
+      );
+
+      await certificateBodyDAL.create(
+        {
+          certId: cert.id,
+          encryptedCertificate
+        },
+        tx
+      );
+
+      return cert;
+    });
+
+    const { caCert: issuingCaCertificate, caCertChain } = await getCaCertChain({
+      caId: ca.id,
+      certificateAuthorityDAL,
+      certificateAuthorityCertDAL,
+      projectDAL,
+      kmsService
+    });
+
+    return {
+      certificate: leafCert.toString("pem"),
+      certificateChain: `${issuingCaCertificate}\n${caCertChain}`.trim(),
+      issuingCaCertificate,
+      serialNumber,
+      ca
+    };
+  };
+
   return {
     createCa,
     getCaById,
@@ -860,6 +1061,7 @@ export const certificateAuthorityServiceFactory = ({
     getCaCert,
     signIntermediate,
     importCertToCa,
-    issueCertFromCa
+    issueCertFromCa,
+    signCertFromCa
   };
 };

backend/src/services/certificate-authority/certificate-authority-types.ts

@@ -81,6 +81,17 @@ export type TIssueCertFromCaDTO = {
   notAfter?: string;
 } & Omit<TProjectPermission, "projectId">;
 
+export type TSignCertFromCaDTO = {
+  caId: string;
+  csr: string;
+  friendlyName?: string;
+  commonName?: string;
+  altNames: string;
+  ttl: string;
+  notBefore?: string;
+  notAfter?: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TDNParts = {
   commonName?: string;
   organization?: string;

backend/src/services/certificate/certificate-dal.ts

@@ -8,19 +8,35 @@ export type TCertificateDALFactory = ReturnType<typeof certificateDALFactory>;
 export const certificateDALFactory = (db: TDbClient) => {
   const certificateOrm = ormify(db, TableName.Certificate);
 
-  const countCertificatesInProject = async (projectId: string) => {
+  const countCertificatesInProject = async ({
+    projectId,
+    friendlyName,
+    commonName
+  }: {
+    projectId: string;
+    friendlyName?: string;
+    commonName?: string;
+  }) => {
     try {
       interface CountResult {
         count: string;
       }
 
-      const count = await db
+      let query = db
         .replicaNode()(TableName.Certificate)
         .join(TableName.CertificateAuthority, `${TableName.Certificate}.caId`, `${TableName.CertificateAuthority}.id`)
         .join(TableName.Project, `${TableName.CertificateAuthority}.projectId`, `${TableName.Project}.id`)
-        .where(`${TableName.Project}.id`, projectId)
-        .count("*")
-        .first();
+        .where(`${TableName.Project}.id`, projectId);
+
+      if (friendlyName) {
+        query = query.andWhere(`${TableName.Certificate}.friendlyName`, friendlyName);
+      }
+
+      if (commonName) {
+        query = query.andWhere(`${TableName.Certificate}.commonName`, commonName);
+      }
+
+      const count = await query.count("*").first();
 
       return parseInt((count as unknown as CountResult).count || "0", 10);
     } catch (error) {

backend/src/services/integration-auth/integration-auth-service.ts

@@ -269,7 +269,7 @@ export const integrationAuthServiceFactory = ({
           const awsAssumeIamRoleArnEncrypted = secretManagerEncryptor({
             plainText: Buffer.from(awsAssumeIamRoleArn)
           }).cipherTextBlob;
-          updateDoc.encryptedAwsIamAssumRole = awsAssumeIamRoleArnEncrypted;
+          updateDoc.encryptedAwsAssumeIamRoleArn = awsAssumeIamRoleArnEncrypted;
         }
       }
     } else {

backend/src/services/kms/kms-service.ts

@@ -102,6 +102,13 @@ export const kmsServiceFactory = ({
     return doc;
   };
 
+  const deleteInternalKms = async (kmsId: string, orgId: string, tx?: Knex) => {
+    const kms = await kmsDAL.findByIdWithAssociatedKms(kmsId, tx);
+    if (kms.isExternal) return;
+    if (kms.orgId !== orgId) throw new BadRequestError({ message: "KMS doesn't belong to organization" });
+    return kmsDAL.deleteById(kmsId, tx);
+  };
+
   /*
    * Simple encryption service function to do all the encryption tasks in infisical
    * This can be even later exposed directly as api for encryption as function
@@ -568,6 +575,7 @@ export const kmsServiceFactory = ({
 
   // by keeping the decrypted data key in inner scope
   // none of the entities outside can interact directly or expose the data key
+  // NOTICE: If changing here update migrations/utils/kms
   const createCipherPairWithDataKey = async (encryptionContext: TEncryptWithKmsDataKeyDTO) => {
     const dataKey = await $getDataKey(encryptionContext);
     const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
@@ -746,6 +754,7 @@ export const kmsServiceFactory = ({
     return { id, slug, orgId, isExternal };
   };
 
+  // akhilmhdh: a copy of this is made in migrations/utils/kms
   const startService = async () => {
     const appCfg = getConfig();
     // This will switch to a seal process and HMS flow in future
@@ -794,6 +803,7 @@ export const kmsServiceFactory = ({
   return {
     startService,
     generateKmsKey,
+    deleteInternalKms,
     encryptWithKmsKey,
     decryptWithKmsKey,
     encryptWithInputKey,

backend/src/services/org-admin/org-admin-dal.ts

@@ -0,0 +1,5 @@
+export type TOrgAdminDALFactory = ReturnType<typeof orgAdminDALFactory>;
+
+export const orgAdminDALFactory = () => {
+  return {};
+};

backend/src/services/org-admin/org-admin-service.ts

@@ -0,0 +1,191 @@
+import { ForbiddenError } from "@casl/ability";
+
+import { ProjectMembershipRole, ProjectVersion, SecretKeyEncoding } from "@app/db/schemas";
+import { OrgPermissionAdminConsoleAction, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { BadRequestError } from "@app/lib/errors";
+
+import { TProjectDALFactory } from "../project/project-dal";
+import { assignWorkspaceKeysToMembers } from "../project/project-fns";
+import { TProjectBotDALFactory } from "../project-bot/project-bot-dal";
+import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
+import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
+import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
+import { TUserDALFactory } from "../user/user-dal";
+import { TAccessProjectDTO, TListOrgProjectsDTO } from "./org-admin-types";
+
+type TOrgAdminServiceFactoryDep = {
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  projectDAL: Pick<TProjectDALFactory, "find" | "findById" | "findProjectGhostUser">;
+  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findOne" | "create" | "transaction" | "delete">;
+  projectKeyDAL: Pick<TProjectKeyDALFactory, "findLatestProjectKey" | "create">;
+  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
+  userDAL: Pick<TUserDALFactory, "findUserEncKeyByUserId">;
+  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "create" | "delete">;
+};
+
+export type TOrgAdminServiceFactory = ReturnType<typeof orgAdminServiceFactory>;
+
+export const orgAdminServiceFactory = ({
+  permissionService,
+  projectDAL,
+  projectMembershipDAL,
+  projectKeyDAL,
+  projectBotDAL,
+  userDAL,
+  projectUserMembershipRoleDAL
+}: TOrgAdminServiceFactoryDep) => {
+  const listOrgProjects = async ({
+    actor,
+    limit,
+    actorId,
+    offset,
+    search,
+    actorOrgId,
+    actorAuthMethod
+  }: TListOrgProjectsDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAdminConsoleAction.AccessAllProjects,
+      OrgPermissionSubjects.AdminConsole
+    );
+    const projects = await projectDAL.find(
+      {
+        orgId: actorOrgId,
+        $search: {
+          name: search ? `%${search}%` : undefined
+        }
+      },
+      { offset, limit, sort: [["name", "asc"]], count: true }
+    );
+
+    const count = projects?.[0]?.count ? parseInt(projects?.[0]?.count, 10) : 0;
+    return { projects, count };
+  };
+
+  const grantProjectAdminAccess = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId
+  }: TAccessProjectDTO) => {
+    const { permission, membership } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionAdminConsoleAction.AccessAllProjects,
+      OrgPermissionSubjects.AdminConsole
+    );
+
+    const project = await projectDAL.findById(projectId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+
+    if (project.version === ProjectVersion.V1) {
+      throw new BadRequestError({ message: "Please upgrade your project on your dashboard" });
+    }
+
+    // check already there exist a membership if there return it
+    const projectMembership = await projectMembershipDAL.findOne({
+      projectId,
+      userId: actorId
+    });
+    if (projectMembership) {
+      // reset and make the user admin
+      await projectMembershipDAL.transaction(async (tx) => {
+        await projectUserMembershipRoleDAL.delete({ projectMembershipId: projectMembership.id }, tx);
+        await projectUserMembershipRoleDAL.create(
+          {
+            projectMembershipId: projectMembership.id,
+            role: ProjectMembershipRole.Admin
+          },
+          tx
+        );
+      });
+      return { isExistingMember: true, membership: projectMembership };
+    }
+
+    // missing membership thus add admin back as admin to project
+    const ghostUser = await projectDAL.findProjectGhostUser(projectId);
+    if (!ghostUser) {
+      throw new BadRequestError({
+        message: "Failed to find sudo user"
+      });
+    }
+
+    const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId);
+    if (!ghostUserLatestKey) {
+      throw new BadRequestError({
+        message: "Failed to find sudo user latest key"
+      });
+    }
+
+    const bot = await projectBotDAL.findOne({ projectId });
+    if (!bot) {
+      throw new BadRequestError({
+        message: "Failed to find bot"
+      });
+    }
+
+    const botPrivateKey = infisicalSymmetricDecrypt({
+      keyEncoding: bot.keyEncoding as SecretKeyEncoding,
+      iv: bot.iv,
+      tag: bot.tag,
+      ciphertext: bot.encryptedPrivateKey
+    });
+
+    const userEncryptionKey = await userDAL.findUserEncKeyByUserId(actorId);
+    if (!userEncryptionKey) throw new BadRequestError({ message: "user encryption key not found" });
+    const [newWsMember] = assignWorkspaceKeysToMembers({
+      decryptKey: ghostUserLatestKey,
+      userPrivateKey: botPrivateKey,
+      members: [
+        {
+          orgMembershipId: membership.id,
+          projectMembershipRole: ProjectMembershipRole.Admin,
+          userPublicKey: userEncryptionKey.publicKey
+        }
+      ]
+    });
+
+    const updatedMembership = await projectMembershipDAL.transaction(async (tx) => {
+      const newProjectMembership = await projectMembershipDAL.create(
+        {
+          projectId,
+          userId: actorId
+        },
+        tx
+      );
+      await projectUserMembershipRoleDAL.create(
+        { projectMembershipId: newProjectMembership.id, role: ProjectMembershipRole.Admin },
+        tx
+      );
+
+      await projectKeyDAL.create(
+        {
+          encryptedKey: newWsMember.workspaceEncryptedKey,
+          nonce: newWsMember.workspaceEncryptedNonce,
+          senderId: ghostUser.id,
+          receiverId: actorId,
+          projectId
+        },
+        tx
+      );
+      return newProjectMembership;
+    });
+    return { isExistingMember: false, membership: updatedMembership };
+  };
+
+  return { listOrgProjects, grantProjectAdminAccess };
+};

backend/src/services/org-admin/org-admin-types.ts

@@ -0,0 +1,11 @@
+import { TOrgPermission } from "@app/lib/types";
+
+export type TListOrgProjectsDTO = {
+  limit?: number;
+  offset?: number;
+  search?: string;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TAccessProjectDTO = {
+  projectId: string;
+} & Omit<TOrgPermission, "orgId">;

backend/src/services/org-membership/org-membership-dal.ts

@@ -1,5 +1,6 @@
 import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
+import { TableName, TUserEncryptionKeys } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
 import { ormify } from "@app/lib/knex";
 
 export type TOrgMembershipDALFactory = ReturnType<typeof orgMembershipDALFactory>;
@@ -7,7 +8,51 @@ export type TOrgMembershipDALFactory = ReturnType<typeof orgMembershipDALFactory
 export const orgMembershipDALFactory = (db: TDbClient) => {
   const orgMembershipOrm = ormify(db, TableName.OrgMembership);
 
+  const findOrgMembershipById = async (membershipId: string) => {
+    try {
+      const member = await db
+        .replicaNode()(TableName.OrgMembership)
+        .where(`${TableName.OrgMembership}.id`, membershipId)
+        .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
+        .leftJoin<TUserEncryptionKeys>(
+          TableName.UserEncryptionKey,
+          `${TableName.UserEncryptionKey}.userId`,
+          `${TableName.Users}.id`
+        )
+        .select(
+          db.ref("id").withSchema(TableName.OrgMembership),
+          db.ref("inviteEmail").withSchema(TableName.OrgMembership),
+          db.ref("orgId").withSchema(TableName.OrgMembership),
+          db.ref("role").withSchema(TableName.OrgMembership),
+          db.ref("roleId").withSchema(TableName.OrgMembership),
+          db.ref("status").withSchema(TableName.OrgMembership),
+          db.ref("isActive").withSchema(TableName.OrgMembership),
+          db.ref("email").withSchema(TableName.Users),
+          db.ref("username").withSchema(TableName.Users),
+          db.ref("firstName").withSchema(TableName.Users),
+          db.ref("lastName").withSchema(TableName.Users),
+          db.ref("isEmailVerified").withSchema(TableName.Users),
+          db.ref("id").withSchema(TableName.Users).as("userId"),
+          db.ref("publicKey").withSchema(TableName.UserEncryptionKey)
+        )
+        .where({ isGhost: false }) // MAKE SURE USER IS NOT A GHOST USER
+        .first();
+
+      if (!member) return undefined;
+
+      const { email, isEmailVerified, username, firstName, lastName, userId, publicKey, ...data } = member;
+
+      return {
+        ...data,
+        user: { email, isEmailVerified, username, firstName, lastName, id: userId, publicKey }
+      };
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find org membership by id" });
+    }
+  };
+
   return {
-    ...orgMembershipOrm
+    ...orgMembershipOrm,
+    findOrgMembershipById
   };
 };

backend/src/services/org/org-dal.ts

@@ -76,6 +76,7 @@ export const orgDALFactory = (db: TDbClient) => {
           db.ref("status").withSchema(TableName.OrgMembership),
           db.ref("isActive").withSchema(TableName.OrgMembership),
           db.ref("email").withSchema(TableName.Users),
+          db.ref("isEmailVerified").withSchema(TableName.Users),
           db.ref("username").withSchema(TableName.Users),
           db.ref("firstName").withSchema(TableName.Users),
           db.ref("lastName").withSchema(TableName.Users),
@@ -84,9 +85,9 @@ export const orgDALFactory = (db: TDbClient) => {
         )
         .where({ isGhost: false }); // MAKE SURE USER IS NOT A GHOST USER
 
-      return members.map(({ email, username, firstName, lastName, userId, publicKey, ...data }) => ({
+      return members.map(({ email, isEmailVerified, username, firstName, lastName, userId, publicKey, ...data }) => ({
         ...data,
-        user: { email, username, firstName, lastName, id: userId, publicKey }
+        user: { email, isEmailVerified, username, firstName, lastName, id: userId, publicKey }
       }));
     } catch (error) {
       throw new DatabaseError({ error, name: "Find all org members" });

backend/src/services/org/org-role-service.ts

@@ -42,6 +42,61 @@ export const orgRoleServiceFactory = ({ orgRoleDAL, permissionService }: TOrgRol
     return role;
   };
 
+  const getRole = async (
+    userId: string,
+    orgId: string,
+    roleId: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
+    const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Role);
+
+    switch (roleId) {
+      case "b11b49a9-09a9-4443-916a-4246f9ff2c69": {
+        return {
+          id: roleId,
+          orgId,
+          name: "Admin",
+          slug: "admin",
+          description: "Complete administration access over the organization",
+          permissions: packRules(orgAdminPermissions.rules),
+          createdAt: new Date(),
+          updatedAt: new Date()
+        };
+      }
+      case "b11b49a9-09a9-4443-916a-4246f9ff2c70": {
+        return {
+          id: roleId,
+          orgId,
+          name: "Member",
+          slug: "member",
+          description: "Non-administrative role in an organization",
+          permissions: packRules(orgMemberPermissions.rules),
+          createdAt: new Date(),
+          updatedAt: new Date()
+        };
+      }
+      case "b10d49a9-09a9-4443-916a-4246f9ff2c72": {
+        return {
+          id: "b10d49a9-09a9-4443-916a-4246f9ff2c72", // dummy user for zod validation in response
+          orgId,
+          name: "No Access",
+          slug: "no-access",
+          description: "No access to any resources in the organization",
+          permissions: packRules(orgNoAccessPermissions.rules),
+          createdAt: new Date(),
+          updatedAt: new Date()
+        };
+      }
+      default: {
+        const role = await orgRoleDAL.findOne({ id: roleId, orgId });
+        if (!role) throw new BadRequestError({ message: "Role not found", name: "Get role" });
+        return role;
+      }
+    }
+  };
+
   const updateRole = async (
     userId: string,
     orgId: string,
@@ -144,5 +199,5 @@ export const orgRoleServiceFactory = ({ orgRoleDAL, permissionService }: TOrgRol
     return { permissions: packRules(permission.rules), membership };
   };
 
-  return { createRole, updateRole, deleteRole, listRoles, getUserPermission };
+  return { createRole, getRole, updateRole, deleteRole, listRoles, getUserPermission };
 };

backend/src/services/org/org-service.ts

@@ -15,9 +15,10 @@ import { getConfig } from "@app/lib/config/env";
 import { generateAsymmetricKeyPair } from "@app/lib/crypto";
 import { generateSymmetricKey, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { generateUserSrpKeys } from "@app/lib/crypto/srp";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { isDisposableEmail } from "@app/lib/validator";
+import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
 
 import { ActorAuthMethod, ActorType, AuthMethod, AuthTokenType } from "../auth/auth-type";
@@ -38,7 +39,9 @@ import {
   TFindAllWorkspacesDTO,
   TFindOrgMembersByEmailDTO,
   TGetOrgGroupsDTO,
+  TGetOrgMembershipDTO,
   TInviteUserToOrgDTO,
+  TListProjectMembershipsByOrgMembershipIdDTO,
   TUpdateOrgDTO,
   TUpdateOrgMembershipDTO,
   TVerifyUserToOrgDTO
@@ -54,6 +57,7 @@ type TOrgServiceFactoryDep = {
   projectDAL: TProjectDALFactory;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findProjectMembershipsByUserId" | "delete">;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete">;
+  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "findOrgMembershipById" | "findOne">;
   incidentContactDAL: TIncidentContactsDALFactory;
   samlConfigDAL: Pick<TSamlConfigDALFactory, "findOne" | "findEnforceableSamlCfg">;
   smtpService: TSmtpService;
@@ -79,6 +83,7 @@ export const orgServiceFactory = ({
   projectDAL,
   projectMembershipDAL,
   projectKeyDAL,
+  orgMembershipDAL,
   tokenService,
   orgBotDAL,
   licenseService,
@@ -364,6 +369,7 @@ export const orgServiceFactory = ({
    * */
   const updateOrgMembership = async ({
     role,
+    isActive,
     orgId,
     userId,
     membershipId,
@@ -373,8 +379,16 @@ export const orgServiceFactory = ({
     const { permission } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Member);
 
+    const foundMembership = await orgMembershipDAL.findOne({
+      id: membershipId,
+      orgId
+    });
+    if (!foundMembership) throw new NotFoundError({ message: "Failed to find organization membership" });
+    if (foundMembership.userId === userId)
+      throw new BadRequestError({ message: "Cannot update own organization membership" });
+
     const isCustomRole = !Object.values(OrgMembershipRole).includes(role as OrgMembershipRole);
-    if (isCustomRole) {
+    if (role && isCustomRole) {
       const customRole = await orgRoleDAL.findOne({ slug: role, orgId });
       if (!customRole) throw new BadRequestError({ name: "Update membership", message: "Role not found" });
 
@@ -394,7 +408,7 @@ export const orgServiceFactory = ({
       return membership;
     }
 
-    const [membership] = await orgDAL.updateMembership({ id: membershipId, orgId }, { role, roleId: null });
+    const [membership] = await orgDAL.updateMembership({ id: membershipId, orgId }, { role, roleId: null, isActive });
     return membership;
   };
   /*
@@ -585,6 +599,24 @@ export const orgServiceFactory = ({
     return { token, user };
   };
 
+  const getOrgMembership = async ({
+    membershipId,
+    orgId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TGetOrgMembershipDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Member);
+
+    const membership = await orgMembershipDAL.findOrgMembershipById(membershipId);
+    if (!membership) throw new NotFoundError({ message: "Failed to find organization membership" });
+    if (membership.orgId !== orgId) throw new NotFoundError({ message: "Failed to find organization membership" });
+
+    return membership;
+  };
+
   const deleteOrgMembership = async ({
     orgId,
     userId,
@@ -608,6 +640,26 @@ export const orgServiceFactory = ({
     return deletedMembership;
   };
 
+  const listProjectMembershipsByOrgMembershipId = async ({
+    orgMembershipId,
+    orgId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TListProjectMembershipsByOrgMembershipIdDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Member);
+
+    const membership = await orgMembershipDAL.findOrgMembershipById(orgMembershipId);
+    if (!membership) throw new NotFoundError({ message: "Failed to find organization membership" });
+    if (membership.orgId !== orgId) throw new NotFoundError({ message: "Failed to find organization membership" });
+
+    const projectMemberships = await projectMembershipDAL.findProjectMembershipsByUserId(orgId, membership.user.id);
+
+    return projectMemberships;
+  };
+
   /*
    * CRUD operations of incident contacts
    * */
@@ -668,6 +720,7 @@ export const orgServiceFactory = ({
     findOrgMembersByUsername,
     createOrganization,
     deleteOrganizationById,
+    getOrgMembership,
     deleteOrgMembership,
     findAllWorkspaces,
     addGhostUser,
@@ -676,6 +729,7 @@ export const orgServiceFactory = ({
     findIncidentContacts,
     createIncidentContact,
     deleteIncidentContact,
-    getOrgGroups
+    getOrgGroups,
+    listProjectMembershipsByOrgMembershipId
   };
 };

backend/src/services/org/org-types.ts

@@ -6,11 +6,16 @@ export type TUpdateOrgMembershipDTO = {
   userId: string;
   orgId: string;
   membershipId: string;
-  role: string;
+  role?: string;
+  isActive?: boolean;
   actorOrgId: string | undefined;
   actorAuthMethod: ActorAuthMethod;
 };
 
+export type TGetOrgMembershipDTO = {
+  membershipId: string;
+} & TOrgPermission;
+
 export type TDeleteOrgMembershipDTO = {
   userId: string;
   orgId: string;
@@ -55,3 +60,7 @@ export type TUpdateOrgDTO = {
 } & TOrgPermission;
 
 export type TGetOrgGroupsDTO = TOrgPermission;
+
+export type TListProjectMembershipsByOrgMembershipIdDTO = {
+  orgMembershipId: string;
+} & TOrgPermission;

backend/src/services/project-bot/project-bot-dal.ts

@@ -1,7 +1,7 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { TableName, TProjectBots } from "@app/db/schemas";
+import { TableName, TProjectBots, TUserEncryptionKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
 
@@ -41,5 +41,43 @@ export const projectBotDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...projectBotOrm, findOne, findProjectByBotId };
+  const findProjectUserWorkspaceKey = async (projectId: string) => {
+    try {
+      const doc = await db
+        .replicaNode()(TableName.ProjectMembership)
+        .where(`${TableName.ProjectMembership}.projectId` as "projectId", projectId)
+        .where(`${TableName.Users}.isGhost` as "isGhost", false)
+        .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
+        .join(TableName.ProjectKeys, `${TableName.ProjectMembership}.userId`, `${TableName.ProjectKeys}.receiverId`)
+        .join<TUserEncryptionKeys>(
+          TableName.UserEncryptionKey,
+          `${TableName.UserEncryptionKey}.userId`,
+          `${TableName.Users}.id`
+        )
+        .join<TUserEncryptionKeys>(
+          db(TableName.UserEncryptionKey).as("senderUserEncryption"),
+          `${TableName.ProjectKeys}.senderId`,
+          `senderUserEncryption.userId`
+        )
+        .whereNotNull(`${TableName.UserEncryptionKey}.serverEncryptedPrivateKey`)
+        .whereNotNull(`${TableName.UserEncryptionKey}.serverEncryptedPrivateKeyIV`)
+        .whereNotNull(`${TableName.UserEncryptionKey}.serverEncryptedPrivateKeyTag`)
+        .select(
+          db.ref("serverEncryptedPrivateKey").withSchema(TableName.UserEncryptionKey),
+          db.ref("serverEncryptedPrivateKeyTag").withSchema(TableName.UserEncryptionKey),
+          db.ref("serverEncryptedPrivateKeyIV").withSchema(TableName.UserEncryptionKey),
+          db.ref("serverEncryptedPrivateKeyEncoding").withSchema(TableName.UserEncryptionKey),
+          db.ref("encryptedKey").withSchema(TableName.ProjectKeys).as("projectEncryptedKey"),
+          db.ref("nonce").withSchema(TableName.ProjectKeys).as("projectKeyNonce"),
+          db.ref("publicKey").withSchema("senderUserEncryption").as("senderPublicKey"),
+          db.ref("id").withSchema(TableName.Users).as("userId")
+        )
+        .first();
+      return doc;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find all project members" });
+    }
+  };
+
+  return { ...projectBotOrm, findOne, findProjectByBotId, findProjectUserWorkspaceKey };
 };

backend/src/services/project-bot/project-bot-fns.ts

@@ -1,5 +1,11 @@
 import { SecretKeyEncoding } from "@app/db/schemas";
-import { decryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import {
+  decryptAsymmetric,
+  encryptAsymmetric,
+  generateAsymmetricKeyPair,
+  infisicalSymmetricDecrypt,
+  infisicalSymmetricEncypt
+} from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 
@@ -27,14 +33,68 @@ export const getBotKeyFnFactory = (
     }
 
     const bot = await projectBotDAL.findOne({ projectId: project.id });
+    if (!bot || !bot.isActive || !bot.encryptedProjectKey || !bot.encryptedProjectKeyNonce) {
+      // trying to set bot automatically
+      const projectV1Keys = await projectBotDAL.findProjectUserWorkspaceKey(projectId);
+      if (!projectV1Keys) throw new BadRequestError({ message: "Bot not found. Please ask admin user to login" });
 
-    if (!bot) throw new BadRequestError({ message: "Failed to find bot key" });
-    if (!bot.isActive) throw new BadRequestError({ message: "Bot is not active" });
-    if (!bot.encryptedProjectKeyNonce || !bot.encryptedProjectKey)
-      throw new BadRequestError({ message: "Encryption key missing" });
+      let userPrivateKey = "";
+      if (
+        projectV1Keys?.serverEncryptedPrivateKey &&
+        projectV1Keys.serverEncryptedPrivateKeyIV &&
+        projectV1Keys.serverEncryptedPrivateKeyTag &&
+        projectV1Keys.serverEncryptedPrivateKeyEncoding
+      ) {
+        userPrivateKey = infisicalSymmetricDecrypt({
+          iv: projectV1Keys.serverEncryptedPrivateKeyIV,
+          tag: projectV1Keys.serverEncryptedPrivateKeyTag,
+          ciphertext: projectV1Keys.serverEncryptedPrivateKey,
+          keyEncoding: projectV1Keys.serverEncryptedPrivateKeyEncoding as SecretKeyEncoding
+        });
+      }
+      const workspaceKey = decryptAsymmetric({
+        ciphertext: projectV1Keys.projectEncryptedKey,
+        nonce: projectV1Keys.projectKeyNonce,
+        publicKey: projectV1Keys.senderPublicKey,
+        privateKey: userPrivateKey
+      });
+      const botKey = generateAsymmetricKeyPair();
+      const { iv, tag, ciphertext, encoding, algorithm } = infisicalSymmetricEncypt(botKey.privateKey);
+      const encryptedWorkspaceKey = encryptAsymmetric(workspaceKey, botKey.publicKey, userPrivateKey);
+
+      if (!bot) {
+        await projectBotDAL.create({
+          name: "Infisical Bot (Ghost)",
+          projectId,
+          isActive: true,
+          tag,
+          iv,
+          encryptedPrivateKey: ciphertext,
+          publicKey: botKey.publicKey,
+          algorithm,
+          keyEncoding: encoding,
+          encryptedProjectKey: encryptedWorkspaceKey.ciphertext,
+          encryptedProjectKeyNonce: encryptedWorkspaceKey.nonce,
+          senderId: projectV1Keys.userId
+        });
+      } else {
+        await projectBotDAL.updateById(bot.id, {
+          isActive: true,
+          tag,
+          iv,
+          encryptedPrivateKey: ciphertext,
+          publicKey: botKey.publicKey,
+          algorithm,
+          keyEncoding: encoding,
+          encryptedProjectKey: encryptedWorkspaceKey.ciphertext,
+          encryptedProjectKeyNonce: encryptedWorkspaceKey.nonce,
+          senderId: projectV1Keys.userId
+        });
+      }
+      return { botKey: workspaceKey, project, shouldUseSecretV2Bridge: false };
+    }
 
     const botPrivateKey = getBotPrivateKey({ bot });
-
     const botKey = decryptAsymmetric({
       ciphertext: bot.encryptedProjectKey,
       privateKey: botPrivateKey,

backend/src/services/project-bot/project-bot-service.ts

@@ -60,7 +60,7 @@ export const projectBotServiceFactory = ({
 
       const project = await projectDAL.findById(projectId, tx);
 
-      if (project.version === ProjectVersion.V2) {
+      if (project.version === ProjectVersion.V2 || project.version === ProjectVersion.V3) {
         throw new BadRequestError({ message: "Failed to create bot, project is upgraded." });
       }
 

backend/src/services/project-env/project-env-dal.ts

@@ -24,10 +24,15 @@ export const projectEnvDALFactory = (db: TDbClient) => {
   // we are using postion based sorting as its a small list
   // this will return the last value of the position in a folder with secret imports
   const findLastEnvPosition = async (projectId: string, tx?: Knex) => {
+    // acquire update lock on project environments.
+    // this ensures that concurrent invocations will wait and execute sequentially
+    await (tx || db)(TableName.Environment).where({ projectId }).forUpdate();
+
     const lastPos = await (tx || db)(TableName.Environment)
       .where({ projectId })
       .max("position", { as: "position" })
       .first();
+
     return lastPos?.position || 0;
   };
 

backend/src/services/project-env/project-env-service.ts

@@ -3,12 +3,12 @@ import { ForbiddenError } from "@casl/ability";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 
 import { TProjectDALFactory } from "../project/project-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TProjectEnvDALFactory } from "./project-env-dal";
-import { TCreateEnvDTO, TDeleteEnvDTO, TUpdateEnvDTO } from "./project-env-types";
+import { TCreateEnvDTO, TDeleteEnvDTO, TGetEnvDTO, TUpdateEnvDTO } from "./project-env-types";
 
 type TProjectEnvServiceFactoryDep = {
   projectEnvDAL: TProjectEnvDALFactory;
@@ -139,9 +139,35 @@ export const projectEnvServiceFactory = ({
     return env;
   };
 
+  const getEnvironmentById = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod, id }: TGetEnvDTO) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);
+
+    const [env] = await projectEnvDAL.find({
+      id,
+      projectId
+    });
+
+    if (!env) {
+      throw new NotFoundError({
+        message: "Environment does not exist"
+      });
+    }
+
+    return env;
+  };
+
   return {
     createEnvironment,
     updateEnvironment,
-    deleteEnvironment
+    deleteEnvironment,
+    getEnvironmentById
   };
 };

backend/src/services/project-env/project-env-types.ts

@@ -20,3 +20,7 @@ export type TReorderEnvDTO = {
   id: string;
   pos: number;
 } & TProjectPermission;
+
+export type TGetEnvDTO = {
+  id: string;
+} & TProjectPermission;

backend/src/services/project-membership/project-membership-dal.ts

@@ -16,6 +16,7 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
       const docs = await db
         .replicaNode()(TableName.ProjectMembership)
         .where({ [`${TableName.ProjectMembership}.projectId` as "projectId"]: projectId })
+        .join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
         .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
         .where((qb) => {
           if (filter.usernames) {
@@ -58,17 +59,22 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
           db.ref("isTemporary").withSchema(TableName.ProjectUserMembershipRole),
           db.ref("temporaryRange").withSchema(TableName.ProjectUserMembershipRole),
           db.ref("temporaryAccessStartTime").withSchema(TableName.ProjectUserMembershipRole),
-          db.ref("temporaryAccessEndTime").withSchema(TableName.ProjectUserMembershipRole)
+          db.ref("temporaryAccessEndTime").withSchema(TableName.ProjectUserMembershipRole),
+          db.ref("name").as("projectName").withSchema(TableName.Project)
         )
         .where({ isGhost: false });
 
       const members = sqlNestRelationships({
         data: docs,
-        parentMapper: ({ email, firstName, username, lastName, publicKey, isGhost, id, userId }) => ({
+        parentMapper: ({ email, firstName, username, lastName, publicKey, isGhost, id, userId, projectName }) => ({
           id,
           userId,
           projectId,
-          user: { email, username, firstName, lastName, id: userId, publicKey, isGhost }
+          user: { email, username, firstName, lastName, id: userId, publicKey, isGhost },
+          project: {
+            id: projectId,
+            name: projectName
+          }
         }),
         key: "id",
         childrenMapper: [
@@ -151,14 +157,95 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
 
   const findProjectMembershipsByUserId = async (orgId: string, userId: string) => {
     try {
-      const memberships = await db
+      const docs = await db
         .replicaNode()(TableName.ProjectMembership)
-        .where({ userId })
         .join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
-        .where({ [`${TableName.Project}.orgId` as "orgId"]: orgId })
-        .select(selectAllTableCols(TableName.ProjectMembership));
+        .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
+        .where(`${TableName.Users}.id`, userId)
+        .where(`${TableName.Project}.orgId`, orgId)
+        .join<TUserEncryptionKeys>(
+          TableName.UserEncryptionKey,
+          `${TableName.UserEncryptionKey}.userId`,
+          `${TableName.Users}.id`
+        )
+        .join(
+          TableName.ProjectUserMembershipRole,
+          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
+          `${TableName.ProjectMembership}.id`
+        )
+        .leftJoin(
+          TableName.ProjectRoles,
+          `${TableName.ProjectUserMembershipRole}.customRoleId`,
+          `${TableName.ProjectRoles}.id`
+        )
+        .select(
+          db.ref("id").withSchema(TableName.ProjectMembership),
+          db.ref("isGhost").withSchema(TableName.Users),
+          db.ref("username").withSchema(TableName.Users),
+          db.ref("email").withSchema(TableName.Users),
+          db.ref("publicKey").withSchema(TableName.UserEncryptionKey),
+          db.ref("firstName").withSchema(TableName.Users),
+          db.ref("lastName").withSchema(TableName.Users),
+          db.ref("id").withSchema(TableName.Users).as("userId"),
+          db.ref("role").withSchema(TableName.ProjectUserMembershipRole),
+          db.ref("id").withSchema(TableName.ProjectUserMembershipRole).as("membershipRoleId"),
+          db.ref("customRoleId").withSchema(TableName.ProjectUserMembershipRole),
+          db.ref("name").withSchema(TableName.ProjectRoles).as("customRoleName"),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
+          db.ref("temporaryMode").withSchema(TableName.ProjectUserMembershipRole),
+          db.ref("isTemporary").withSchema(TableName.ProjectUserMembershipRole),
+          db.ref("temporaryRange").withSchema(TableName.ProjectUserMembershipRole),
+          db.ref("temporaryAccessStartTime").withSchema(TableName.ProjectUserMembershipRole),
+          db.ref("temporaryAccessEndTime").withSchema(TableName.ProjectUserMembershipRole),
+          db.ref("name").as("projectName").withSchema(TableName.Project),
+          db.ref("id").as("projectId").withSchema(TableName.Project)
+        )
+        .where({ isGhost: false });
 
-      return memberships;
+      const members = sqlNestRelationships({
+        data: docs,
+        parentMapper: ({ email, firstName, username, lastName, publicKey, isGhost, id, projectId, projectName }) => ({
+          id,
+          userId,
+          projectId,
+          user: { email, username, firstName, lastName, id: userId, publicKey, isGhost },
+          project: {
+            id: projectId,
+            name: projectName
+          }
+        }),
+        key: "id",
+        childrenMapper: [
+          {
+            label: "roles" as const,
+            key: "membershipRoleId",
+            mapper: ({
+              role,
+              customRoleId,
+              customRoleName,
+              customRoleSlug,
+              membershipRoleId,
+              temporaryRange,
+              temporaryMode,
+              temporaryAccessEndTime,
+              temporaryAccessStartTime,
+              isTemporary
+            }) => ({
+              id: membershipRoleId,
+              role,
+              customRoleId,
+              customRoleName,
+              customRoleSlug,
+              temporaryRange,
+              temporaryMode,
+              temporaryAccessEndTime,
+              temporaryAccessStartTime,
+              isTemporary
+            })
+          }
+        ]
+      });
+      return members;
     } catch (error) {
       throw new DatabaseError({ error, name: "Find project memberships by user id" });
     }

backend/src/services/project-membership/project-membership-service.ts

@@ -256,7 +256,6 @@ export const projectMembershipServiceFactory = ({
     }
 
     const bot = await projectBotDAL.findOne({ projectId });
-
     if (!bot) {
       throw new BadRequestError({
         message: "Failed to find bot"
@@ -540,7 +539,7 @@ export const projectMembershipServiceFactory = ({
     const project = await projectDAL.findById(projectId);
     if (!project) throw new BadRequestError({ message: "Project not found" });
 
-    if (project.version !== ProjectVersion.V2) {
+    if (project.version === ProjectVersion.V1) {
       throw new BadRequestError({
         message: "Please ask your project administrator to upgrade the project before leaving."
       });

backend/src/services/project-role/project-role-service.ts

@@ -162,12 +162,19 @@ export const projectRoleServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Role);
+
     if (data?.slug) {
       const existingRole = await projectRoleDAL.findOne({ slug: data.slug, projectId });
       if (existingRole && existingRole.id !== roleId)
         throw new BadRequestError({ name: "Update Role", message: "Duplicate role" });
     }
-    const [updatedRole] = await projectRoleDAL.update({ id: roleId, projectId }, data);
+    const [updatedRole] = await projectRoleDAL.update(
+      { id: roleId, projectId },
+      {
+        ...data,
+        permissions: data.permissions ? data.permissions : undefined
+      }
+    );
     if (!updatedRole) throw new BadRequestError({ message: "Role not found", name: "Update role" });
     return { ...updatedRole, permissions: unpackPermissions(updatedRole.permissions) };
   };

backend/src/services/project/project-service.ts

@@ -22,6 +22,7 @@ import { TIdentityProjectMembershipRoleDALFactory } from "../identity-project/id
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { TOrgDALFactory } from "../org/org-dal";
 import { TOrgServiceFactory } from "../org/org-service";
+import { TProjectBotDALFactory } from "../project-bot/project-bot-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
@@ -74,6 +75,7 @@ type TProjectServiceFactoryDep = {
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   orgDAL: Pick<TOrgDALFactory, "findOne">;
   keyStore: Pick<TKeyStoreFactory, "deleteItem">;
+  projectBotDAL: Pick<TProjectBotDALFactory, "create">;
   kmsService: Pick<
     TKmsServiceFactory,
     | "updateProjectSecretManagerKmsKey"
@@ -81,6 +83,7 @@ type TProjectServiceFactoryDep = {
     | "loadProjectKeyBackup"
     | "getKmsById"
     | "getProjectSecretManagerKmsKeyId"
+    | "deleteInternalKms"
   >;
 };
 
@@ -105,7 +108,8 @@ export const projectServiceFactory = ({
   certificateAuthorityDAL,
   certificateDAL,
   keyStore,
-  kmsService
+  kmsService,
+  projectBotDAL
 }: TProjectServiceFactoryDep) => {
   /*
    * Create workspace. Make user the admin
@@ -205,7 +209,26 @@ export const projectServiceFactory = ({
         tx
       );
 
-      // const { iv, tag, ciphertext, encoding, algorithm } = infisicalSymmetricEncypt(ghostUser.keys.plainPrivateKey);
+      const { iv, tag, ciphertext, encoding, algorithm } = infisicalSymmetricEncypt(ghostUser.keys.plainPrivateKey);
+
+      // 5. Create & a bot for the project
+      await projectBotDAL.create(
+        {
+          name: "Infisical Bot (Ghost)",
+          projectId: project.id,
+          tag,
+          iv,
+          encryptedProjectKey,
+          encryptedProjectKeyNonce: encryptedProjectKeyIv,
+          encryptedPrivateKey: ciphertext,
+          isActive: true,
+          publicKey: ghostUser.keys.publicKey,
+          senderId: ghostUser.user.id,
+          algorithm,
+          keyEncoding: encoding
+        },
+        tx
+      );
 
       // Find the ghost users latest key
       const latestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.user.id, project.id, tx);
@@ -337,7 +360,12 @@ export const projectServiceFactory = ({
     const deletedProject = await projectDAL.transaction(async (tx) => {
       const delProject = await projectDAL.deleteById(project.id, tx);
       const projectGhostUser = await projectMembershipDAL.findProjectGhostUser(project.id, tx).catch(() => null);
-
+      if (delProject.kmsCertificateKeyId) {
+        await kmsService.deleteInternalKms(delProject.kmsCertificateKeyId, delProject.orgId, tx);
+      }
+      if (delProject.kmsSecretManagerKeyId) {
+        await kmsService.deleteInternalKms(delProject.kmsSecretManagerKeyId, delProject.orgId, tx);
+      }
       // Delete the org membership for the ghost user if it's found.
       if (projectGhostUser) {
         await userDAL.deleteById(projectGhostUser.id, tx);
@@ -559,6 +587,10 @@ export const projectServiceFactory = ({
    */
   const listProjectCas = async ({
     status,
+    friendlyName,
+    commonName,
+    limit = 25,
+    offset = 0,
     actorId,
     actorOrgId,
     actorAuthMethod,
@@ -580,10 +612,15 @@ export const projectServiceFactory = ({
       ProjectPermissionSub.CertificateAuthorities
     );
 
-    const cas = await certificateAuthorityDAL.find({
-      projectId: project.id,
-      ...(status && { status })
-    });
+    const cas = await certificateAuthorityDAL.find(
+      {
+        projectId: project.id,
+        ...(status && { status }),
+        ...(friendlyName && { friendlyName }),
+        ...(commonName && { commonName })
+      },
+      { offset, limit, sort: [["updatedAt", "desc"]] }
+    );
 
     return cas;
   };
@@ -592,8 +629,10 @@ export const projectServiceFactory = ({
    * Return list of certificates for project
    */
   const listProjectCertificates = async ({
-    offset,
-    limit,
+    limit = 25,
+    offset = 0,
+    friendlyName,
+    commonName,
     actorId,
     actorOrgId,
     actorAuthMethod,
@@ -618,12 +657,18 @@ export const projectServiceFactory = ({
       {
         $in: {
           caId: cas.map((ca) => ca.id)
-        }
+        },
+        ...(friendlyName && { friendlyName }),
+        ...(commonName && { commonName })
       },
       { offset, limit, sort: [["updatedAt", "desc"]] }
     );
 
-    const count = await certificateDAL.countCertificatesInProject(project.id);
+    const count = await certificateDAL.countCertificatesInProject({
+      projectId: project.id,
+      friendlyName,
+      commonName
+    });
 
     return {
       certificates,

backend/src/services/project/project-types.ts

@@ -91,6 +91,10 @@ export type AddUserToWsDTO = {
 
 export type TListProjectCasDTO = {
   status?: CaStatus;
+  friendlyName?: string;
+  offset?: number;
+  limit?: number;
+  commonName?: string;
   filter: Filter;
 } & Omit<TProjectPermission, "projectId">;
 
@@ -98,6 +102,8 @@ export type TListProjectCertsDTO = {
   filter: Filter;
   offset: number;
   limit: number;
+  friendlyName?: string;
+  commonName?: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateProjectKmsDTO = {

backend/src/services/resource-cleanup/resource-cleanup-queue.ts

@@ -7,11 +7,13 @@ import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identit
 import { TSecretVersionDALFactory } from "../secret/secret-version-dal";
 import { TSecretFolderVersionDALFactory } from "../secret-folder/secret-folder-version-dal";
 import { TSecretSharingDALFactory } from "../secret-sharing/secret-sharing-dal";
+import { TSecretVersionV2DALFactory } from "../secret-v2-bridge/secret-version-dal";
 
 type TDailyResourceCleanUpQueueServiceFactoryDep = {
   auditLogDAL: Pick<TAuditLogDALFactory, "pruneAuditLog">;
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "removeExpiredTokens">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "pruneExcessVersions">;
+  secretVersionV2DAL: Pick<TSecretVersionV2DALFactory, "pruneExcessVersions">;
   secretFolderVersionDAL: Pick<TSecretFolderVersionDALFactory, "pruneExcessVersions">;
   snapshotDAL: Pick<TSnapshotDALFactory, "pruneExcessSnapshots">;
   secretSharingDAL: Pick<TSecretSharingDALFactory, "pruneExpiredSharedSecrets">;
@@ -27,7 +29,8 @@ export const dailyResourceCleanUpQueueServiceFactory = ({
   secretVersionDAL,
   secretFolderVersionDAL,
   identityAccessTokenDAL,
-  secretSharingDAL
+  secretSharingDAL,
+  secretVersionV2DAL
 }: TDailyResourceCleanUpQueueServiceFactoryDep) => {
   queueService.start(QueueName.DailyResourceCleanUp, async () => {
     logger.info(`${QueueName.DailyResourceCleanUp}: queue task started`);
@@ -36,6 +39,7 @@ export const dailyResourceCleanUpQueueServiceFactory = ({
     await secretSharingDAL.pruneExpiredSharedSecrets();
     await snapshotDAL.pruneExcessSnapshots();
     await secretVersionDAL.pruneExcessVersions();
+    await secretVersionV2DAL.pruneExcessVersions();
     await secretFolderVersionDAL.pruneExcessVersions();
     logger.info(`${QueueName.DailyResourceCleanUp}: queue task completed`);
   });

backend/src/services/secret-folder/secret-folder-dal.ts

@@ -331,6 +331,27 @@ export const secretFolderDALFactory = (db: TDbClient) => {
     }
   };
 
+  // special query for project migration
+  const findByProjectId = async (projectId: string, tx?: Knex) => {
+    try {
+      const folders = await (tx || db.replicaNode())(TableName.SecretFolder)
+        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+        .join(TableName.Project, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
+        .select(selectAllTableCols(TableName.SecretFolder))
+        .where({ projectId })
+        .select(
+          db.ref("id").withSchema(TableName.Environment).as("envId"),
+          db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
+          db.ref("name").withSchema(TableName.Environment).as("envName"),
+          db.ref("projectId").withSchema(TableName.Environment),
+          db.ref("version").withSchema(TableName.Project).as("projectVersion")
+        );
+      return folders;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find by id" });
+    }
+  };
+
   return {
     ...secretFolderOrm,
     update,
@@ -338,6 +359,7 @@ export const secretFolderDALFactory = (db: TDbClient) => {
     findById,
     findByManySecretPath,
     findSecretPathByFolderIds,
-    findClosestFolder
+    findClosestFolder,
+    findByProjectId
   };
 };

backend/src/services/secret-folder/secret-folder-fns.ts

@@ -0,0 +1,6 @@
+import { RawRule } from "@casl/ability";
+
+import { ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+
+export const shouldCheckFolderPermission = (rules: RawRule[]) =>
+  rules.some((rule) => (rule.subject as ProjectPermissionSub[]).includes(ProjectPermissionSub.SecretFolders));

backend/src/services/secret-folder/secret-folder-service.ts

@@ -11,6 +11,7 @@ import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TSecretFolderDALFactory } from "./secret-folder-dal";
+import { shouldCheckFolderPermission } from "./secret-folder-fns";
 import {
   TCreateFolderDTO,
   TDeleteFolderDTO,
@@ -57,10 +58,21 @@ export const secretFolderServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
-    );
+
+    // we do this because we've split Secret and SecretFolder resources
+    // previously, if one can create/update/read/delete secrets then they can do the same for folders
+    // for backwards compatibility, we handle authorization only when SecretFolders subject is used
+    if (shouldCheckFolderPermission(permission.rules)) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Create,
+        subject(ProjectPermissionSub.SecretFolders, { environment, secretPath })
+      );
+    } else {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Create,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      );
+    }
 
     const env = await projectEnvDAL.findOne({ projectId, slug: environment });
     if (!env) throw new BadRequestError({ message: "Environment not found", name: "Create folder" });
@@ -148,10 +160,20 @@ export const secretFolderServiceFactory = ({
     );
 
     folders.forEach(({ environment, path: secretPath }) => {
-      ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionActions.Edit,
-        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
-      );
+      // we do this because we've split Secret and SecretFolder resources
+      // previously, if one can create/update/read/delete secrets then they can do the same for folders
+      // for backwards compatibility, we handle authorization only when SecretFolders subject is used
+      if (shouldCheckFolderPermission(permission.rules)) {
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionActions.Edit,
+          subject(ProjectPermissionSub.SecretFolders, { environment, secretPath })
+        );
+      } else {
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionActions.Edit,
+          subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+        );
+      }
     });
 
     const result = await folderDAL.transaction(async (tx) =>
@@ -243,10 +265,21 @@ export const secretFolderServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
-    );
+
+    // we do this because we've split Secret and SecretFolder resources
+    // previously, if one can create/update/read/delete secrets then they can do the same for folders
+    // for backwards compatibility, we handle authorization differently only when SecretFolders subject is used
+    if (shouldCheckFolderPermission(permission.rules)) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Edit,
+        subject(ProjectPermissionSub.SecretFolders, { environment, secretPath })
+      );
+    } else {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Edit,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      );
+    }
 
     const parentFolder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!parentFolder) throw new BadRequestError({ message: "Secret path not found" });
@@ -316,10 +349,21 @@ export const secretFolderServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
-    );
+
+    // we do this because we've split Secret and SecretFolder resources
+    // previously, if one can create/update/read/delete secrets then they can do the same for folders
+    // for backwards compatibility, we handle authorization differently only when SecretFolders subject is used
+    if (shouldCheckFolderPermission(permission.rules)) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Delete,
+        subject(ProjectPermissionSub.SecretFolders, { environment, secretPath })
+      );
+    } else {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Delete,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      );
+    }
 
     const env = await projectEnvDAL.findOne({ projectId, slug: environment });
     if (!env) throw new BadRequestError({ message: "Environment not found", name: "Create folder" });

backend/src/services/secret-import/secret-import-fns.ts

@@ -1,5 +1,5 @@
 import { SecretType, TSecretImports, TSecrets, TSecretsV2 } from "@app/db/schemas";
-import { groupBy } from "@app/lib/fn";
+import { groupBy, unique } from "@app/lib/fn";
 
 import { TSecretDALFactory } from "../secret/secret-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
@@ -113,7 +113,7 @@ export const fnSecretsFromImports = async ({
   const secretsFromdeeperImportGroupedByFolderId = groupBy(secretsFromDeeperImports, (i) => i.importFolderId);
 
   const secrets = allowedImports.map(({ importPath, importEnv, id, folderId }, i) => {
-    const sourceImportFolder = importedFolderGroupBySourceImport[`${importEnv.id}-${importPath}`][0];
+    const sourceImportFolder = importedFolderGroupBySourceImport?.[`${importEnv.id}-${importPath}`]?.[0];
     const folderDeeperImportSecrets =
       secretsFromdeeperImportGroupedByFolderId?.[sourceImportFolder?.id || ""]?.[0]?.secrets || [];
 
@@ -146,7 +146,8 @@ export const fnSecretsV2FromImports = async ({
   secretImportDAL,
   depth = 0,
   cyclicDetector = new Set(),
-  decryptor
+  decryptor,
+  expandSecretReferences
 }: {
   allowedImports: (Omit<TSecretImports, "importEnv"> & {
     importEnv: { id: string; slug: string; name: string };
@@ -157,6 +158,9 @@ export const fnSecretsV2FromImports = async ({
   depth?: number;
   cyclicDetector?: Set<string>;
   decryptor: (value?: Buffer | null) => string | undefined;
+  expandSecretReferences?: (
+    secrets: Record<string, { value?: string; comment?: string; skipMultilineEncoding?: boolean | null }>
+  ) => Promise<Record<string, { value?: string; comment?: string; skipMultilineEncoding?: boolean | null }>>;
 }) => {
   // avoid going more than a depth
   if (depth >= LEVEL_BREAK) return [];
@@ -206,16 +210,27 @@ export const fnSecretsV2FromImports = async ({
       secretDAL,
       depth: depth + 1,
       cyclicDetector,
-      decryptor
+      decryptor,
+      expandSecretReferences
     });
   }
   const secretsFromdeeperImportGroupedByFolderId = groupBy(secretsFromDeeperImports, (i) => i.importFolderId);
 
-  const secrets = allowedImports.map(({ importPath, importEnv, id, folderId }, i) => {
+  const processedImports = allowedImports.map(({ importPath, importEnv, id, folderId }, i) => {
     const sourceImportFolder = importedFolderGroupBySourceImport[`${importEnv.id}-${importPath}`][0];
     const folderDeeperImportSecrets =
       secretsFromdeeperImportGroupedByFolderId?.[sourceImportFolder?.id || ""]?.[0]?.secrets || [];
-
+    const secretsWithDuplicate = (importedSecretsGroupByFolderId?.[importedFolders?.[i]?.id as string] || [])
+      .map((item) => ({
+        ...item,
+        secretKey: item.key,
+        secretValue: decryptor(item.encryptedValue),
+        secretComment: decryptor(item.encryptedComment),
+        environment: importEnv.slug,
+        workspace: "", // This field should not be used, it's only here to keep the older Python SDK versions backwards compatible with the new Postgres backend.
+        _id: item.id // The old Python SDK depends on the _id field being returned. We return this to keep the older Python SDK versions backwards compatible with the new Postgres backend.
+      }))
+      .concat(folderDeeperImportSecrets);
     return {
       secretPath: importPath,
       environment: importEnv.slug,
@@ -223,19 +238,33 @@ export const fnSecretsV2FromImports = async ({
       folderId: importedFolders?.[i]?.id,
       id,
       importFolderId: folderId,
-      secrets: (importedSecretsGroupByFolderId?.[importedFolders?.[i]?.id as string] || [])
-        .map((item) => ({
-          ...item,
-          secretKey: item.key,
-          secretValue: decryptor(item.encryptedValue),
-          secretComment: decryptor(item.encryptedComment),
-          environment: importEnv.slug,
-          workspace: "", // This field should not be used, it's only here to keep the older Python SDK versions backwards compatible with the new Postgres backend.
-          _id: item.id // The old Python SDK depends on the _id field being returned. We return this to keep the older Python SDK versions backwards compatible with the new Postgres backend.
-        }))
-        .concat(folderDeeperImportSecrets)
+      secrets: unique(secretsWithDuplicate, (el) => el.secretKey)
     };
   });
 
-  return secrets;
+  if (expandSecretReferences) {
+    await Promise.all(
+      processedImports.map(async (processedImport) => {
+        const secretsGroupByKey = processedImport.secrets.reduce(
+          (acc, item) => {
+            acc[item.secretKey] = {
+              value: item.secretValue,
+              comment: item.secretComment,
+              skipMultilineEncoding: item.skipMultilineEncoding
+            };
+            return acc;
+          },
+          {} as Record<string, { value?: string; comment?: string; skipMultilineEncoding?: boolean | null }>
+        );
+        // eslint-disable-next-line
+        await expandSecretReferences(secretsGroupByKey);
+        processedImport.secrets.forEach((decryptedSecret) => {
+          // eslint-disable-next-line no-param-reassign
+          decryptedSecret.secretValue = secretsGroupByKey[decryptedSecret.secretKey].value;
+        });
+      })
+    );
+  }
+
+  return processedImports;
 };

backend/src/services/secret-sharing/secret-sharing-dal.ts

@@ -10,6 +10,25 @@ export type TSecretSharingDALFactory = ReturnType<typeof secretSharingDALFactory
 export const secretSharingDALFactory = (db: TDbClient) => {
   const sharedSecretOrm = ormify(db, TableName.SecretSharing);
 
+  const countAllUserOrgSharedSecrets = async ({ orgId, userId }: { orgId: string; userId: string }) => {
+    try {
+      interface CountResult {
+        count: string;
+      }
+
+      const count = await db
+        .replicaNode()(TableName.SecretSharing)
+        .where(`${TableName.SecretSharing}.orgId`, orgId)
+        .where(`${TableName.SecretSharing}.userId`, userId)
+        .count("*")
+        .first();
+
+      return parseInt((count as unknown as CountResult).count || "0", 10);
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Count all user-org shared secrets" });
+    }
+  };
+
   const pruneExpiredSharedSecrets = async (tx?: Knex) => {
     try {
       const today = new Date();
@@ -19,8 +38,7 @@ export const secretSharingDALFactory = (db: TDbClient) => {
         .update({
           encryptedValue: "",
           tag: "",
-          iv: "",
-          hashedHex: ""
+          iv: ""
         });
       return docs;
     } catch (error) {
@@ -50,8 +68,7 @@ export const secretSharingDALFactory = (db: TDbClient) => {
       await sharedSecretOrm.updateById(id, {
         encryptedValue: "",
         iv: "",
-        tag: "",
-        hashedHex: ""
+        tag: ""
       });
     } catch (error) {
       throw new DatabaseError({
@@ -63,6 +80,7 @@ export const secretSharingDALFactory = (db: TDbClient) => {
 
   return {
     ...sharedSecretOrm,
+    countAllUserOrgSharedSecrets,
     pruneExpiredSharedSecrets,
     softDeleteById,
     findActiveSharedSecrets

backend/src/services/secret-sharing/secret-sharing-service.ts

@@ -1,39 +1,45 @@
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
+import { SecretSharingAccessType } from "@app/lib/types";
 
+import { TOrgDALFactory } from "../org/org-dal";
 import { TSecretSharingDALFactory } from "./secret-sharing-dal";
 import {
   TCreatePublicSharedSecretDTO,
   TCreateSharedSecretDTO,
   TDeleteSharedSecretDTO,
-  TSharedSecretPermission
+  TGetActiveSharedSecretByIdDTO,
+  TGetSharedSecretsDTO
 } from "./secret-sharing-types";
 
 type TSecretSharingServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   secretSharingDAL: TSecretSharingDALFactory;
+  orgDAL: TOrgDALFactory;
 };
 
 export type TSecretSharingServiceFactory = ReturnType<typeof secretSharingServiceFactory>;
 
 export const secretSharingServiceFactory = ({
   permissionService,
-  secretSharingDAL
+  secretSharingDAL,
+  orgDAL
 }: TSecretSharingServiceFactoryDep) => {
-  const createSharedSecret = async (createSharedSecretInput: TCreateSharedSecretDTO) => {
-    const {
-      actor,
-      actorId,
-      orgId,
-      actorAuthMethod,
-      actorOrgId,
-      encryptedValue,
-      iv,
-      tag,
-      hashedHex,
-      expiresAt,
-      expiresAfterViews
-    } = createSharedSecretInput;
+  const createSharedSecret = async ({
+    actor,
+    actorId,
+    orgId,
+    actorAuthMethod,
+    actorOrgId,
+    encryptedValue,
+    hashedHex,
+    iv,
+    tag,
+    name,
+    accessType,
+    expiresAt,
+    expiresAfterViews
+  }: TCreateSharedSecretDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
     if (!permission) throw new UnauthorizedError({ name: "User not in org" });
 
@@ -55,20 +61,30 @@ export const secretSharingServiceFactory = ({
     }
 
     const newSharedSecret = await secretSharingDAL.create({
+      name,
       encryptedValue,
+      hashedHex,
       iv,
       tag,
-      hashedHex,
-      expiresAt,
+      expiresAt: new Date(expiresAt),
       expiresAfterViews,
       userId: actorId,
-      orgId
+      orgId,
+      accessType
     });
+
     return { id: newSharedSecret.id };
   };
 
-  const createPublicSharedSecret = async (createSharedSecretInput: TCreatePublicSharedSecretDTO) => {
-    const { encryptedValue, iv, tag, hashedHex, expiresAt, expiresAfterViews } = createSharedSecretInput;
+  const createPublicSharedSecret = async ({
+    encryptedValue,
+    hashedHex,
+    iv,
+    tag,
+    expiresAt,
+    expiresAfterViews,
+    accessType
+  }: TCreatePublicSharedSecretDTO) => {
     if (new Date(expiresAt) < new Date()) {
       throw new BadRequestError({ message: "Expiration date cannot be in the past" });
     }
@@ -88,37 +104,103 @@ export const secretSharingServiceFactory = ({
 
     const newSharedSecret = await secretSharingDAL.create({
       encryptedValue,
+      hashedHex,
       iv,
       tag,
-      hashedHex,
-      expiresAt,
-      expiresAfterViews
+      expiresAt: new Date(expiresAt),
+      expiresAfterViews,
+      accessType
     });
     return { id: newSharedSecret.id };
   };
 
-  const getSharedSecrets = async (getSharedSecretsInput: TSharedSecretPermission) => {
-    const { actor, actorId, orgId, actorAuthMethod, actorOrgId } = getSharedSecretsInput;
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+  const getSharedSecrets = async ({
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId,
+    offset,
+    limit
+  }: TGetSharedSecretsDTO) => {
+    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
     if (!permission) throw new UnauthorizedError({ name: "User not in org" });
-    const userSharedSecrets = await secretSharingDAL.findActiveSharedSecrets({ userId: actorId, orgId });
-    return userSharedSecrets;
+
+    const secrets = await secretSharingDAL.find(
+      {
+        userId: actorId,
+        orgId: actorOrgId
+      },
+      { offset, limit, sort: [["createdAt", "desc"]] }
+    );
+
+    const count = await secretSharingDAL.countAllUserOrgSharedSecrets({
+      orgId: actorOrgId,
+      userId: actorId
+    });
+
+    return {
+      secrets,
+      totalCount: count
+    };
   };
 
-  const getActiveSharedSecretByIdAndHashedHex = async (sharedSecretId: string, hashedHex: string) => {
-    const sharedSecret = await secretSharingDAL.findOne({ id: sharedSecretId, hashedHex });
-    if (!sharedSecret) return;
-    if (sharedSecret.expiresAt && sharedSecret.expiresAt < new Date()) {
-      return;
+  const getActiveSharedSecretById = async ({ sharedSecretId, hashedHex, orgId }: TGetActiveSharedSecretByIdDTO) => {
+    const sharedSecret = await secretSharingDAL.findOne({
+      id: sharedSecretId,
+      hashedHex
+    });
+    if (!sharedSecret)
+      throw new NotFoundError({
+        message: "Shared secret not found"
+      });
+
+    const { accessType, expiresAt, expiresAfterViews } = sharedSecret;
+
+    const orgName = sharedSecret.orgId ? (await orgDAL.findOrgById(sharedSecret.orgId))?.name : "";
+
+    if (accessType === SecretSharingAccessType.Organization && orgId !== sharedSecret.orgId)
+      throw new UnauthorizedError();
+
+    if (expiresAt !== null && expiresAt < new Date()) {
+      // check lifetime expiry
+      await secretSharingDAL.softDeleteById(sharedSecretId);
+      throw new ForbiddenRequestError({
+        message: "Access denied: Secret has expired by lifetime"
+      });
     }
-    if (sharedSecret.expiresAfterViews != null && sharedSecret.expiresAfterViews >= 0) {
-      if (sharedSecret.expiresAfterViews === 0) {
-        await secretSharingDAL.softDeleteById(sharedSecretId);
-        return;
-      }
+
+    if (expiresAfterViews !== null && expiresAfterViews === 0) {
+      // check view count expiry
+      await secretSharingDAL.softDeleteById(sharedSecretId);
+      throw new ForbiddenRequestError({
+        message: "Access denied: Secret has expired by view count"
+      });
+    }
+
+    if (expiresAfterViews) {
+      // decrement view count if view count expiry set
       await secretSharingDAL.updateById(sharedSecretId, { $decr: { expiresAfterViews: 1 } });
     }
-    return sharedSecret;
+
+    await secretSharingDAL.updateById(sharedSecretId, {
+      lastViewedAt: new Date()
+    });
+
+    return {
+      ...sharedSecret,
+      orgName:
+        sharedSecret.accessType === SecretSharingAccessType.Organization && orgId === sharedSecret.orgId
+          ? orgName
+          : undefined
+    };
   };
 
   const deleteSharedSecretById = async (deleteSharedSecretInput: TDeleteSharedSecretDTO) => {
@@ -134,6 +216,6 @@ export const secretSharingServiceFactory = ({
     createPublicSharedSecret,
     getSharedSecrets,
     deleteSharedSecretById,
-    getActiveSharedSecretByIdAndHashedHex
+    getActiveSharedSecretById
   };
 };

backend/src/services/secret-sharing/secret-sharing-types.ts

@@ -1,20 +1,36 @@
+import { SecretSharingAccessType, TGenericPermission } from "@app/lib/types";
+
 import { ActorAuthMethod, ActorType } from "../auth/auth-type";
 
+export type TGetSharedSecretsDTO = {
+  offset: number;
+  limit: number;
+} & TGenericPermission;
+
 export type TSharedSecretPermission = {
   actor: ActorType;
   actorId: string;
   actorAuthMethod: ActorAuthMethod;
   actorOrgId: string;
   orgId: string;
+  accessType?: SecretSharingAccessType;
+  name?: string;
 };
 
 export type TCreatePublicSharedSecretDTO = {
   encryptedValue: string;
+  hashedHex: string;
   iv: string;
   tag: string;
+  expiresAt: string;
+  expiresAfterViews?: number;
+  accessType: SecretSharingAccessType;
+};
+
+export type TGetActiveSharedSecretByIdDTO = {
+  sharedSecretId: string;
   hashedHex: string;
-  expiresAt: Date;
-  expiresAfterViews: number;
+  orgId?: string;
 };
 
 export type TCreateSharedSecretDTO = TSharedSecretPermission & TCreatePublicSharedSecretDTO;

backend/src/services/secret-tag/secret-tag-dal.ts

@@ -3,7 +3,7 @@ import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify } from "@app/lib/knex";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
 
 export type TSecretTagDALFactory = ReturnType<typeof secretTagDALFactory>;
 
@@ -35,12 +35,25 @@ export const secretTagDALFactory = (db: TDbClient) => {
     }
   };
 
+  // special query for migration
+  const findSecretTagsByProjectId = async (projectId: string, tx?: Knex) => {
+    try {
+      const tags = await (tx || db.replicaNode())(TableName.JnSecretTag)
+        .join(TableName.SecretTag, `${TableName.JnSecretTag}.secret_tagsId`, `${TableName.SecretTag}.id`)
+        .where({ projectId })
+        .select(selectAllTableCols(TableName.JnSecretTag));
+      return tags;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find all by ids" });
+    }
+  };
   return {
     ...secretTagOrm,
     saveTagsToSecret: secretJnTagOrm.insertMany,
     deleteTagsToSecret: secretJnTagOrm.delete,
     saveTagsToSecretV2: secretV2JnTagOrm.insertMany,
     deleteTagsToSecretV2: secretV2JnTagOrm.delete,
+    findSecretTagsByProjectId,
     deleteTagsManySecret,
     findManyTagsById
   };

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -363,49 +363,60 @@ export const recursivelyGetSecretPaths = async ({
 
   return allowedPaths;
 };
+// used to convert multi line ones to quotes ones with \n
+const formatMultiValueEnv = (val?: string) => {
+  if (!val) return "";
+  if (!val.match("\n")) return val;
+  return `"${val.replace(/\n/g, "\\n")}"`;
+};
 
 type TInterpolateSecretArg = {
   projectId: string;
-  decryptSecret: (encryptedValue?: Buffer | null) => string | undefined;
+  decryptSecretValue: (encryptedValue?: Buffer | null) => string | undefined;
   secretDAL: Pick<TSecretV2BridgeDALFactory, "findByFolderId">;
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
 };
 
-export const interpolateSecrets = ({ projectId, decryptSecret, secretDAL, folderDAL }: TInterpolateSecretArg) => {
-  const fetchSecretsCrossEnv = () => {
-    const fetchCache: Record<string, Record<string, string>> = {};
+export const expandSecretReferencesFactory = ({
+  projectId,
+  decryptSecretValue: decryptSecret,
+  secretDAL,
+  folderDAL
+}: TInterpolateSecretArg) => {
+  const fetchSecretFactory = () => {
+    const secretCache: Record<string, Record<string, string>> = {};
 
     return async (secRefEnv: string, secRefPath: string[], secRefKey: string) => {
-      const secRefPathUrl = path.join("/", ...secRefPath);
-      const uniqKey = `${secRefEnv}-${secRefPathUrl}`;
+      const referredSecretPathURL = path.join("/", ...secRefPath);
+      const uniqueKey = `${secRefEnv}-${referredSecretPathURL}`;
 
-      if (fetchCache?.[uniqKey]) {
-        return fetchCache[uniqKey][secRefKey];
+      if (secretCache?.[uniqueKey]) {
+        return secretCache[uniqueKey][secRefKey];
       }
 
-      const folder = await folderDAL.findBySecretPath(projectId, secRefEnv, secRefPathUrl);
+      const folder = await folderDAL.findBySecretPath(projectId, secRefEnv, referredSecretPathURL);
       if (!folder) return "";
       const secrets = await secretDAL.findByFolderId(folder.id);
 
-      const decryptedSec = secrets.reduce<Record<string, string>>((prev, secret) => {
+      const decryptedSecret = secrets.reduce<Record<string, string>>((prev, secret) => {
         // eslint-disable-next-line
         prev[secret.key] = decryptSecret(secret.encryptedValue) || "";
         return prev;
       }, {});
 
-      fetchCache[uniqKey] = decryptedSec;
+      secretCache[uniqueKey] = decryptedSecret;
 
-      return fetchCache[uniqKey][secRefKey];
+      return secretCache[uniqueKey][secRefKey];
     };
   };
 
   const recursivelyExpandSecret = async (
-    expandedSec: Record<string, string>,
-    interpolatedSec: Record<string, string>,
-    fetchCrossEnv: (env: string, secPath: string[], secKey: string) => Promise<string>,
+    expandedSec: Record<string, string | undefined>,
+    interpolatedSec: Record<string, string | undefined>,
+    fetchSecret: (env: string, secPath: string[], secKey: string) => Promise<string>,
     recursionChainBreaker: Record<string, boolean>,
     key: string
-  ) => {
+  ): Promise<string | undefined> => {
     if (expandedSec?.[key] !== undefined) {
       return expandedSec[key];
     }
@@ -433,7 +444,7 @@ export const interpolateSecrets = ({ projectId, decryptSecret, secretDAL, folder
           const val = await recursivelyExpandSecret(
             expandedSec,
             interpolatedSec,
-            fetchCrossEnv,
+            fetchSecret,
             recursionChainBreaker,
             interpolationKey
           );
@@ -450,7 +461,7 @@ export const interpolateSecrets = ({ projectId, decryptSecret, secretDAL, folder
           const secRefKey = entities[entities.length - 1];
 
           // eslint-disable-next-line
-          const val = await fetchCrossEnv(secRefEnv, secRefPath, secRefKey);
+          const val = await fetchSecret(secRefEnv, secRefPath, secRefKey);
           if (val) {
             interpolatedValue = interpolatedValue.replaceAll(interpolationSyntax, val);
           }
@@ -463,36 +474,28 @@ export const interpolateSecrets = ({ projectId, decryptSecret, secretDAL, folder
     return interpolatedValue;
   };
 
-  // used to convert multi line ones to quotes ones with \n
-  const formatMultiValueEnv = (val?: string) => {
-    if (!val) return "";
-    if (!val.match("\n")) return val;
-    return `"${val.replace(/\n/g, "\\n")}"`;
-  };
-
+  const fetchSecret = fetchSecretFactory();
   const expandSecrets = async (
-    secrets: Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean | null }>
+    inputSecrets: Record<string, { value?: string; comment?: string; skipMultilineEncoding?: boolean | null }>
   ) => {
-    const expandedSec: Record<string, string> = {};
-    const interpolatedSec: Record<string, string> = {};
+    const expandedSecrets: Record<string, string | undefined> = {};
+    const toBeExpandedSecrets: Record<string, string | undefined> = {};
 
-    const crossSecEnvFetch = fetchSecretsCrossEnv();
-
-    Object.keys(secrets).forEach((key) => {
-      if (secrets[key].value.match(INTERPOLATION_SYNTAX_REG)) {
-        interpolatedSec[key] = secrets[key].value;
+    Object.keys(inputSecrets).forEach((key) => {
+      if (inputSecrets[key].value?.match(INTERPOLATION_SYNTAX_REG)) {
+        toBeExpandedSecrets[key] = inputSecrets[key].value;
       } else {
-        expandedSec[key] = secrets[key].value;
+        expandedSecrets[key] = inputSecrets[key].value;
       }
     });
 
-    for (const key of Object.keys(secrets)) {
-      if (expandedSec?.[key]) {
+    for (const key of Object.keys(inputSecrets)) {
+      if (expandedSecrets?.[key]) {
         // should not do multi line encoding if user has set it to skip
         // eslint-disable-next-line
-        secrets[key].value = secrets[key].skipMultilineEncoding
-          ? formatMultiValueEnv(expandedSec[key])
-          : expandedSec[key];
+        inputSecrets[key].value = inputSecrets[key].skipMultilineEncoding
+          ? formatMultiValueEnv(expandedSecrets[key])
+          : expandedSecrets[key];
         // eslint-disable-next-line
         continue;
       }
@@ -502,18 +505,20 @@ export const interpolateSecrets = ({ projectId, decryptSecret, secretDAL, folder
       const recursionChainBreaker: Record<string, boolean> = {};
       // eslint-disable-next-line
       const expandedVal = await recursivelyExpandSecret(
-        expandedSec,
-        interpolatedSec,
-        crossSecEnvFetch,
+        expandedSecrets,
+        toBeExpandedSecrets,
+        fetchSecret,
         recursionChainBreaker,
         key
       );
 
       // eslint-disable-next-line
-      secrets[key].value = secrets[key].skipMultilineEncoding ? formatMultiValueEnv(expandedVal) : expandedVal;
+      inputSecrets[key].value = inputSecrets[key].skipMultilineEncoding
+        ? formatMultiValueEnv(expandedVal)
+        : expandedVal;
     }
 
-    return secrets;
+    return inputSecrets;
   };
   return expandSecrets;
 };

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@@ -24,11 +24,11 @@ import { fnSecretsV2FromImports } from "../secret-import/secret-import-fns";
 import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
 import { TSecretV2BridgeDALFactory } from "./secret-v2-bridge-dal";
 import {
+  expandSecretReferencesFactory,
   fnSecretBulkDelete,
   fnSecretBulkInsert,
   fnSecretBulkUpdate,
   getAllNestedSecretReferences,
-  interpolateSecrets,
   recursivelyGetSecretPaths,
   reshapeBridgeSecret
 } from "./secret-v2-bridge-fns";
@@ -428,7 +428,8 @@ export const secretV2BridgeServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     includeImports,
-    recursive // TODO(akhilmhdh-sev2): add logic for expandSecretReferences
+    recursive,
+    expandSecretReferences: shouldExpandSecretReferences
   }: TGetSecretsDTO) => {
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -484,57 +485,81 @@ export const secretV2BridgeServiceFactory = ({
       projectId
     });
 
-    if (includeImports) {
-      const secretImports = await secretImportDAL.findByFolderIds(paths.map((p) => p.folderId));
-      const allowedImports = secretImports.filter(({ importEnv, importPath, isReplication }) =>
-        !isReplication &&
-        // if its service token allow full access over imported one
-        actor === ActorType.SERVICE
-          ? true
-          : permission.can(
-              ProjectPermissionActions.Read,
-              subject(ProjectPermissionSub.Secrets, {
-                environment: importEnv.slug,
-                secretPath: importPath
-              })
-            )
-      );
-      const importedSecrets = await fnSecretsV2FromImports({
-        allowedImports,
-        secretDAL,
-        folderDAL,
-        secretImportDAL,
-        decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : undefined)
-      });
+    const decryptedSecrets = secrets.map((secret) =>
+      reshapeBridgeSecret(projectId, environment, groupedPaths[secret.folderId][0].path, {
+        ...secret,
+        value: secret.encryptedValue
+          ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedValue }).toString()
+          : "",
+        comment: secret.encryptedComment
+          ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedComment }).toString()
+          : ""
+      })
+    );
+    const expandSecretReferences = expandSecretReferencesFactory({
+      projectId,
+      folderDAL,
+      secretDAL,
+      decryptSecretValue: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : undefined)
+    });
 
+    if (shouldExpandSecretReferences) {
+      const secretsGroupByPath = groupBy(decryptedSecrets, (i) => i.secretPath);
+      for (const secretPathKey in secretsGroupByPath) {
+        if (Object.hasOwn(secretsGroupByPath, secretPathKey)) {
+          const secretsGroupByKey = secretsGroupByPath[secretPathKey].reduce(
+            (acc, item) => {
+              acc[item.secretKey] = {
+                value: item.secretValue,
+                comment: item.secretComment,
+                skipMultilineEncoding: item.skipMultilineEncoding
+              };
+              return acc;
+            },
+            {} as Record<string, { value?: string; comment?: string; skipMultilineEncoding?: boolean | null }>
+          );
+          // eslint-disable-next-line
+          await expandSecretReferences(secretsGroupByKey);
+          secretsGroupByPath[secretPathKey].forEach((decryptedSecret) => {
+            // eslint-disable-next-line no-param-reassign
+            decryptedSecret.secretValue = secretsGroupByKey[decryptedSecret.secretKey].value;
+          });
+        }
+      }
+    }
+
+    if (!includeImports) {
       return {
-        secrets: secrets.map((secret) =>
-          reshapeBridgeSecret(projectId, environment, groupedPaths[secret.folderId][0].path, {
-            ...secret,
-            value: secret.encryptedValue
-              ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedValue }).toString()
-              : undefined,
-            comment: secret.encryptedComment
-              ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedComment }).toString()
-              : undefined
-          })
-        ),
-        imports: importedSecrets
+        secrets: decryptedSecrets
       };
     }
 
+    const secretImports = await secretImportDAL.findByFolderIds(paths.map((p) => p.folderId));
+    const allowedImports = secretImports.filter(({ importEnv, importPath, isReplication }) =>
+      !isReplication &&
+      // if its service token allow full access over imported one
+      actor === ActorType.SERVICE
+        ? true
+        : permission.can(
+            ProjectPermissionActions.Read,
+            subject(ProjectPermissionSub.Secrets, {
+              environment: importEnv.slug,
+              secretPath: importPath
+            })
+          )
+    );
+    const importedSecrets = await fnSecretsV2FromImports({
+      allowedImports,
+      secretDAL,
+      folderDAL,
+      secretImportDAL,
+      expandSecretReferences,
+      decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : undefined)
+    });
+
     return {
-      secrets: secrets.map((secret) =>
-        reshapeBridgeSecret(projectId, environment, groupedPaths[secret.folderId][0].path, {
-          ...secret,
-          value: secret.encryptedValue
-            ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedValue }).toString()
-            : undefined,
-          comment: secret.encryptedComment
-            ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedComment }).toString()
-            : undefined
-        })
-      )
+      secrets: decryptedSecrets,
+      imports: importedSecrets
     };
   };
 
@@ -550,7 +575,7 @@ export const secretV2BridgeServiceFactory = ({
     secretName,
     version,
     includeImports,
-    expandSecretReferences
+    expandSecretReferences: shouldExpandSecretReferences
   }: TGetASecretDTO) => {
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -600,11 +625,11 @@ export const secretV2BridgeServiceFactory = ({
           })
           .then((el) => SecretsV2Schema.parse({ ...el, id: el.secretId })));
 
-    const interpolateInlineSecretReference = interpolateSecrets({
+    const expandSecretReferences = expandSecretReferencesFactory({
       projectId,
-      decryptSecret: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : undefined),
+      folderDAL,
       secretDAL,
-      folderDAL
+      decryptSecretValue: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : undefined)
     });
 
     // now if secret is not found
@@ -629,33 +654,20 @@ export const secretV2BridgeServiceFactory = ({
         secretDAL,
         folderDAL,
         secretImportDAL,
-        decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : undefined)
+        decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : undefined),
+        expandSecretReferences: shouldExpandSecretReferences ? expandSecretReferences : undefined
       });
 
       for (let i = importedSecrets.length - 1; i >= 0; i -= 1) {
         for (let j = 0; j < importedSecrets[i].secrets.length; j += 1) {
-          if (secretName === importedSecrets[i].secrets[j].key) {
-            const importedSecret = importedSecrets[i].secrets[j];
-            let secretValue = importedSecret.encryptedValue
-              ? secretManagerDecryptor({ cipherTextBlob: importedSecret.encryptedValue }).toString()
-              : undefined;
-
-            if (expandSecretReferences && secretValue) {
-              const secretReferenceExpandedString = {
-                [importedSecret.key]: { value: secretValue }
-              };
-              // eslint-disable-next-line
-              await interpolateInlineSecretReference(secretReferenceExpandedString);
-              secretValue = secretReferenceExpandedString[importedSecret.key].value;
-            }
-
-            return reshapeBridgeSecret(projectId, importedSecrets[i].environment, importedSecrets[i].secretPath, {
-              ...importedSecret,
-              value: secretValue,
-              comment: importedSecret.encryptedComment
-                ? secretManagerDecryptor({ cipherTextBlob: importedSecret.encryptedComment }).toString()
-                : undefined
-            });
+          const importedSecret = importedSecrets[i].secrets[j];
+          if (secretName === importedSecret.key) {
+            return reshapeBridgeSecret(
+              projectId,
+              importedSecrets[i].environment,
+              importedSecrets[i].secretPath,
+              importedSecret
+            );
           }
         }
       }
@@ -665,13 +677,13 @@ export const secretV2BridgeServiceFactory = ({
     let secretValue = secret.encryptedValue
       ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedValue }).toString()
       : undefined;
-    if (expandSecretReferences && secretValue) {
-      const secretReferenceExpandedString = {
+    if (shouldExpandSecretReferences && secretValue) {
+      const secretReferenceExpandedRecord = {
         [secret.key]: { value: secretValue }
       };
       // eslint-disable-next-line
-      await interpolateInlineSecretReference(secretReferenceExpandedString);
-      secretValue = secretReferenceExpandedString[secret.key].value;
+      await expandSecretReferences(secretReferenceExpandedRecord);
+      secretValue = secretReferenceExpandedRecord[secret.key].value;
     }
 
     return reshapeBridgeSecret(projectId, environment, path, {