Merge branch 'main' into docs/update-net-sdk

backend/src/@types/fastify.d.ts

@@ -83,7 +83,6 @@ import { TOrgAdminServiceFactory } from "@app/services/org-admin/org-admin-servi
 import { TPkiAlertServiceFactory } from "@app/services/pki-alert/pki-alert-service";
 import { TPkiCollectionServiceFactory } from "@app/services/pki-collection/pki-collection-service";
 import { TPkiSubscriberServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-service";
-import { TPkiTemplatesServiceFactory } from "@app/services/pki-templates/pki-templates-service";
 import { TProjectServiceFactory } from "@app/services/project/project-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
@@ -272,7 +271,6 @@ declare module "fastify" {
       assumePrivileges: TAssumePrivilegeServiceFactory;
       githubOrgSync: TGithubOrgSyncServiceFactory;
       internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
-      pkiTemplate: TPkiTemplatesServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -6,9 +6,6 @@ import {
   TAccessApprovalPoliciesApprovers,
   TAccessApprovalPoliciesApproversInsert,
   TAccessApprovalPoliciesApproversUpdate,
-  TAccessApprovalPoliciesBypassers,
-  TAccessApprovalPoliciesBypassersInsert,
-  TAccessApprovalPoliciesBypassersUpdate,
   TAccessApprovalPoliciesInsert,
   TAccessApprovalPoliciesUpdate,
   TAccessApprovalRequests,
@@ -279,9 +276,6 @@ import {
   TSecretApprovalPoliciesApprovers,
   TSecretApprovalPoliciesApproversInsert,
   TSecretApprovalPoliciesApproversUpdate,
-  TSecretApprovalPoliciesBypassers,
-  TSecretApprovalPoliciesBypassersInsert,
-  TSecretApprovalPoliciesBypassersUpdate,
   TSecretApprovalPoliciesInsert,
   TSecretApprovalPoliciesUpdate,
   TSecretApprovalRequests,
@@ -826,12 +820,6 @@ declare module "knex/types/tables" {
       TAccessApprovalPoliciesApproversUpdate
     >;
 
-    [TableName.AccessApprovalPolicyBypasser]: KnexOriginal.CompositeTableType<
-      TAccessApprovalPoliciesBypassers,
-      TAccessApprovalPoliciesBypassersInsert,
-      TAccessApprovalPoliciesBypassersUpdate
-    >;
-
     [TableName.AccessApprovalRequest]: KnexOriginal.CompositeTableType<
       TAccessApprovalRequests,
       TAccessApprovalRequestsInsert,
@@ -855,11 +843,6 @@ declare module "knex/types/tables" {
       TSecretApprovalPoliciesApproversInsert,
       TSecretApprovalPoliciesApproversUpdate
     >;
-    [TableName.SecretApprovalPolicyBypasser]: KnexOriginal.CompositeTableType<
-      TSecretApprovalPoliciesBypassers,
-      TSecretApprovalPoliciesBypassersInsert,
-      TSecretApprovalPoliciesBypassersUpdate
-    >;
     [TableName.SecretApprovalRequest]: KnexOriginal.CompositeTableType<
       TSecretApprovalRequests,
       TSecretApprovalRequestsInsert,

backend/src/db/migrations/20250527030702_policy-bypassers.ts

@@ -1,48 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyBypasser))) {
-    await knex.schema.createTable(TableName.AccessApprovalPolicyBypasser, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("bypasserGroupId").nullable();
-      t.foreign("bypasserGroupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
-
-      t.uuid("bypasserUserId").nullable();
-      t.foreign("bypasserUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicyBypasser);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SecretApprovalPolicyBypasser))) {
-    await knex.schema.createTable(TableName.SecretApprovalPolicyBypasser, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("bypasserGroupId").nullable();
-      t.foreign("bypasserGroupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
-
-      t.uuid("bypasserUserId").nullable();
-      t.foreign("bypasserUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.SecretApprovalPolicy).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-    await createOnUpdateTrigger(knex, TableName.SecretApprovalPolicyBypasser);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretApprovalPolicyBypasser);
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicyBypasser);
-
-  await dropOnUpdateTrigger(knex, TableName.SecretApprovalPolicyBypasser);
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicyBypasser);
-}

backend/src/db/migrations/20250527140639_dynamic-secret-username-template.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "usernameTemplate");
-  if (!hasColumn) {
-    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
-      t.string("usernameTemplate").nullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "usernameTemplate");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
-      t.dropColumn("usernameTemplate");
-    });
-  }
-}

backend/src/db/migrations/20250528145356_add-template-slug.ts

@@ -1,24 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasNameCol = await knex.schema.hasColumn(TableName.CertificateTemplate, "name");
-  if (hasNameCol) {
-    const templates = await knex(TableName.CertificateTemplate).select("id", "name");
-    await Promise.all(
-      templates.map((el) => {
-        const slugifiedName = el.name
-          ? slugify(`${el.name.slice(0, 16)}-${alphaNumericNanoId(8)}`)
-          : slugify(alphaNumericNanoId(12));
-
-        return knex(TableName.CertificateTemplate).where({ id: el.id }).update({ name: slugifiedName });
-      })
-    );
-  }
-}
-
-export async function down(): Promise<void> {}

backend/src/db/migrations/20250530152721_add-access-approval-request-deleted-at.ts

@@ -1,63 +0,0 @@
-import { Knex } from "knex";
-
-import { ApprovalStatus } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasPrivilegeDeletedAtColumn = await knex.schema.hasColumn(
-    TableName.AccessApprovalRequest,
-    "privilegeDeletedAt"
-  );
-  const hasStatusColumn = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "status");
-
-  if (!hasPrivilegeDeletedAtColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.timestamp("privilegeDeletedAt").nullable();
-    });
-  }
-
-  if (!hasStatusColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.string("status").defaultTo(ApprovalStatus.PENDING).notNullable();
-    });
-
-    // Update existing rows based on business logic
-    // If privilegeId is not null, set status to "approved"
-    await knex(TableName.AccessApprovalRequest).whereNotNull("privilegeId").update({ status: ApprovalStatus.APPROVED });
-
-    // If privilegeId is null and there's a rejected reviewer, set to "rejected"
-    const rejectedRequestIds = await knex(TableName.AccessApprovalRequestReviewer)
-      .select("requestId")
-      .where("status", "rejected")
-      .distinct()
-      .pluck("requestId");
-
-    if (rejectedRequestIds.length > 0) {
-      await knex(TableName.AccessApprovalRequest)
-        .whereNull("privilegeId")
-        .whereIn("id", rejectedRequestIds)
-        .update({ status: ApprovalStatus.REJECTED });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasPrivilegeDeletedAtColumn = await knex.schema.hasColumn(
-    TableName.AccessApprovalRequest,
-    "privilegeDeletedAt"
-  );
-  const hasStatusColumn = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "status");
-
-  if (hasPrivilegeDeletedAtColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.dropColumn("privilegeDeletedAt");
-    });
-  }
-
-  if (hasStatusColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.dropColumn("status");
-    });
-  }
-}

backend/src/db/schemas/access-approval-policies-bypassers.ts

@@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalPoliciesBypassersSchema = z.object({
-  id: z.string().uuid(),
-  bypasserGroupId: z.string().uuid().nullable().optional(),
-  bypasserUserId: z.string().uuid().nullable().optional(),
-  policyId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalPoliciesBypassers = z.infer<typeof AccessApprovalPoliciesBypassersSchema>;
-export type TAccessApprovalPoliciesBypassersInsert = Omit<
-  z.input<typeof AccessApprovalPoliciesBypassersSchema>,
-  TImmutableDBKeys
->;
-export type TAccessApprovalPoliciesBypassersUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalPoliciesBypassersSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/access-approval-requests.ts

@@ -18,9 +18,7 @@ export const AccessApprovalRequestsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   requestedByUserId: z.string().uuid(),
-  note: z.string().nullable().optional(),
-  privilegeDeletedAt: z.date().nullable().optional(),
-  status: z.string().default("pending")
+  note: z.string().nullable().optional()
 });
 
 export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;

backend/src/db/schemas/dynamic-secrets.ts

@@ -28,8 +28,7 @@ export const DynamicSecretsSchema = z.object({
   updatedAt: z.date(),
   encryptedInput: zodBuffer,
   projectGatewayId: z.string().uuid().nullable().optional(),
-  gatewayId: z.string().uuid().nullable().optional(),
-  usernameTemplate: z.string().nullable().optional()
+  gatewayId: z.string().uuid().nullable().optional()
 });
 
 export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;

backend/src/db/schemas/index.ts

@@ -1,6 +1,5 @@
 export * from "./access-approval-policies";
 export * from "./access-approval-policies-approvers";
-export * from "./access-approval-policies-bypassers";
 export * from "./access-approval-requests";
 export * from "./access-approval-requests-reviewers";
 export * from "./api-keys";
@@ -93,7 +92,6 @@ export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";
 export * from "./secret-approval-policies-approvers";
-export * from "./secret-approval-policies-bypassers";
 export * from "./secret-approval-request-secret-tags";
 export * from "./secret-approval-request-secret-tags-v2";
 export * from "./secret-approval-requests";

backend/src/db/schemas/models.ts

@@ -95,12 +95,10 @@ export enum TableName {
   ScimToken = "scim_tokens",
   AccessApprovalPolicy = "access_approval_policies",
   AccessApprovalPolicyApprover = "access_approval_policies_approvers",
-  AccessApprovalPolicyBypasser = "access_approval_policies_bypassers",
   AccessApprovalRequest = "access_approval_requests",
   AccessApprovalRequestReviewer = "access_approval_requests_reviewers",
   SecretApprovalPolicy = "secret_approval_policies",
   SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
-  SecretApprovalPolicyBypasser = "secret_approval_policies_bypassers",
   SecretApprovalRequest = "secret_approval_requests",
   SecretApprovalRequestReviewer = "secret_approval_requests_reviewers",
   SecretApprovalRequestSecret = "secret_approval_requests_secrets",

backend/src/db/schemas/secret-approval-policies-bypassers.ts

@@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretApprovalPoliciesBypassersSchema = z.object({
-  id: z.string().uuid(),
-  bypasserGroupId: z.string().uuid().nullable().optional(),
-  bypasserUserId: z.string().uuid().nullable().optional(),
-  policyId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TSecretApprovalPoliciesBypassers = z.infer<typeof SecretApprovalPoliciesBypassersSchema>;
-export type TSecretApprovalPoliciesBypassersInsert = Omit<
-  z.input<typeof SecretApprovalPoliciesBypassersSchema>,
-  TImmutableDBKeys
->;
-export type TSecretApprovalPoliciesBypassersUpdate = Partial<
-  Omit<z.input<typeof SecretApprovalPoliciesBypassersSchema>, TImmutableDBKeys>
->;

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -1,7 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";
 
-import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -24,19 +24,10 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
           ])
           .array()
-          .max(100, "Cannot have more than 100 approvers")
           .min(1, { message: "At least one approver should be provided" }),
-        bypassers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
-          ])
-          .array()
-          .max(100, "Cannot have more than 100 bypassers")
-          .optional(),
         approvals: z.number().min(1).default(1),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true)
@@ -81,8 +72,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
                 .object({ type: z.nativeEnum(ApproverType), id: z.string().nullable().optional() })
                 .array()
                 .nullable()
-                .optional(),
-              bypassers: z.object({ type: z.nativeEnum(BypasserType), id: z.string().nullable().optional() }).array()
+                .optional()
             })
             .array()
             .nullable()
@@ -153,19 +143,10 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
           ])
           .array()
-          .min(1, { message: "At least one approver should be provided" })
-          .max(100, "Cannot have more than 100 approvers"),
-        bypassers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
-          ])
-          .array()
-          .max(100, "Cannot have more than 100 bypassers")
-          .optional(),
+          .min(1, { message: "At least one approver should be provided" }),
         approvals: z.number().min(1).optional(),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true)
@@ -239,15 +220,6 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
               })
               .array()
               .nullable()
-              .optional(),
-            bypassers: z
-              .object({
-                type: z.nativeEnum(BypasserType),
-                id: z.string().nullable().optional(),
-                name: z.string().nullable().optional()
-              })
-              .array()
-              .nullable()
               .optional()
           })
         })

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -113,7 +113,6 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
               name: z.string(),
               approvals: z.number(),
               approvers: z.string().array(),
-              bypassers: z.string().array(),
               secretPath: z.string().nullish(),
               envId: z.string(),
               enforcementLevel: z.string(),

backend/src/ee/routes/v1/dynamic-secret-router.ts

@@ -6,8 +6,6 @@ import { ApiDocsTags, DYNAMIC_SECRETS } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { ms } from "@app/lib/ms";
-import { isValidHandleBarTemplate } from "@app/lib/template/validate-handlebars";
-import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -15,28 +13,6 @@ import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchema
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
-const validateUsernameTemplateCharacters = characterValidator([
-  CharacterType.AlphaNumeric,
-  CharacterType.Underscore,
-  CharacterType.Hyphen,
-  CharacterType.OpenBrace,
-  CharacterType.CloseBrace,
-  CharacterType.CloseBracket,
-  CharacterType.OpenBracket,
-  CharacterType.Fullstop
-]);
-
-const userTemplateSchema = z
-  .string()
-  .trim()
-  .max(255)
-  .refine((el) => validateUsernameTemplateCharacters(el))
-  .refine((el) =>
-    isValidHandleBarTemplate(el, {
-      allowedExpressions: (val) => ["randomUsername", "unixTimestamp"].includes(val)
-    })
-  );
-
 export const registerDynamicSecretRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
@@ -76,8 +52,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
         path: z.string().describe(DYNAMIC_SECRETS.CREATE.path).trim().default("/").transform(removeTrailingSlash),
         environmentSlug: z.string().describe(DYNAMIC_SECRETS.CREATE.environmentSlug).min(1),
         name: slugSchema({ min: 1, max: 64, field: "Name" }).describe(DYNAMIC_SECRETS.CREATE.name),
-        metadata: ResourceMetadataSchema.optional(),
-        usernameTemplate: userTemplateSchema.optional()
+        metadata: ResourceMetadataSchema.optional()
       }),
       response: {
         200: z.object({
@@ -98,6 +73,39 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
     }
   });
 
+  server.route({
+    method: "POST",
+    url: "/entra-id/users",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      body: z.object({
+        tenantId: z.string().min(1).describe("The tenant ID of the Azure Entra ID"),
+        applicationId: z.string().min(1).describe("The application ID of the Azure Entra ID App Registration"),
+        clientSecret: z.string().min(1).describe("The client secret of the Azure Entra ID App Registration")
+      }),
+      response: {
+        200: z
+          .object({
+            name: z.string().min(1).describe("The name of the user"),
+            id: z.string().min(1).describe("The ID of the user"),
+            email: z.string().min(1).describe("The email of the user")
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const data = await server.services.dynamicSecret.fetchAzureEntraIdUsers({
+        tenantId: req.body.tenantId,
+        applicationId: req.body.applicationId,
+        clientSecret: req.body.clientSecret
+      });
+      return data;
+    }
+  });
+
   server.route({
     method: "PATCH",
     url: "/:name",
@@ -142,8 +150,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
             })
             .nullable(),
           newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional(),
-          metadata: ResourceMetadataSchema.optional(),
-          usernameTemplate: userTemplateSchema.nullable().optional()
+          metadata: ResourceMetadataSchema.optional()
         })
       }),
       response: {
@@ -321,37 +328,4 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
       return { leases };
     }
   });
-
-  server.route({
-    method: "POST",
-    url: "/entra-id/users",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      body: z.object({
-        tenantId: z.string().min(1).describe("The tenant ID of the Azure Entra ID"),
-        applicationId: z.string().min(1).describe("The application ID of the Azure Entra ID App Registration"),
-        clientSecret: z.string().min(1).describe("The client secret of the Azure Entra ID App Registration")
-      }),
-      response: {
-        200: z
-          .object({
-            name: z.string().min(1).describe("The name of the user"),
-            id: z.string().min(1).describe("The ID of the user"),
-            email: z.string().min(1).describe("The email of the user")
-          })
-          .array()
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const data = await server.services.dynamicSecret.fetchAzureEntraIdUsers({
-        tenantId: req.body.tenantId,
-        applicationId: req.body.applicationId,
-        clientSecret: req.body.clientSecret
-      });
-      return data;
-    }
-  });
 };

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -1,7 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";
 
-import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
+import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -30,19 +30,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
           ])
           .array()
-          .min(1, { message: "At least one approver should be provided" })
-          .max(100, "Cannot have more than 100 approvers"),
-        bypassers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
-          ])
-          .array()
-          .max(100, "Cannot have more than 100 bypassers")
-          .optional(),
+          .min(1, { message: "At least one approver should be provided" }),
         approvals: z.number().min(1).default(1),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true)
@@ -84,19 +75,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
           ])
           .array()
-          .min(1, { message: "At least one approver should be provided" })
-          .max(100, "Cannot have more than 100 approvers"),
-        bypassers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
-          ])
-          .array()
-          .max(100, "Cannot have more than 100 bypassers")
-          .optional(),
+          .min(1, { message: "At least one approver should be provided" }),
         approvals: z.number().min(1).default(1),
         secretPath: z
           .string()
@@ -175,12 +157,6 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
                   id: z.string().nullable().optional(),
                   type: z.nativeEnum(ApproverType)
                 })
-                .array(),
-              bypassers: z
-                .object({
-                  id: z.string().nullable().optional(),
-                  type: z.nativeEnum(BypasserType)
-                })
                 .array()
             })
             .array()
@@ -217,14 +193,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
               .object({
                 id: z.string().nullable().optional(),
                 type: z.nativeEnum(ApproverType),
-                username: z.string().nullable().optional()
-              })
-              .array(),
-            bypassers: z
-              .object({
-                id: z.string().nullable().optional(),
-                type: z.nativeEnum(BypasserType),
-                username: z.string().nullable().optional()
+                name: z.string().nullable().optional()
               })
               .array()
           })

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -47,11 +47,6 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                   userId: z.string().nullable().optional()
                 })
                 .array(),
-              bypassers: z
-                .object({
-                  userId: z.string().nullable().optional()
-                })
-                .array(),
               secretPath: z.string().optional().nullable(),
               enforcementLevel: z.string(),
               deletedAt: z.date().nullish(),
@@ -271,7 +266,6 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 name: z.string(),
                 approvals: z.number(),
                 approvers: approvalRequestUser.array(),
-                bypassers: approvalRequestUser.array(),
                 secretPath: z.string().optional().nullable(),
                 enforcementLevel: z.string(),
                 deletedAt: z.date().nullish(),

backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts

@@ -5,7 +5,6 @@ import { registerAwsIamUserSecretRotationRouter } from "./aws-iam-user-secret-ro
 import { registerAzureClientSecretRotationRouter } from "./azure-client-secret-rotation-router";
 import { registerLdapPasswordRotationRouter } from "./ldap-password-rotation-router";
 import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
-import { registerMySqlCredentialsRotationRouter } from "./mysql-credentials-rotation-router";
 import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";
 
 export * from "./secret-rotation-v2-router";
@@ -16,7 +15,6 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
 > = {
   [SecretRotation.PostgresCredentials]: registerPostgresCredentialsRotationRouter,
   [SecretRotation.MsSqlCredentials]: registerMsSqlCredentialsRotationRouter,
-  [SecretRotation.MySqlCredentials]: registerMySqlCredentialsRotationRouter,
   [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter,
   [SecretRotation.AzureClientSecret]: registerAzureClientSecretRotationRouter,
   [SecretRotation.AwsIamUserSecret]: registerAwsIamUserSecretRotationRouter,

backend/src/ee/routes/v2/secret-rotation-v2-routers/mysql-credentials-rotation-router.ts

@@ -1,19 +0,0 @@
-import {
-  CreateMySqlCredentialsRotationSchema,
-  MySqlCredentialsRotationSchema,
-  UpdateMySqlCredentialsRotationSchema
-} from "@app/ee/services/secret-rotation-v2/mysql-credentials";
-import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
-import { SqlCredentialsRotationGeneratedCredentialsSchema } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials";
-
-import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
-
-export const registerMySqlCredentialsRotationRouter = async (server: FastifyZodProvider) =>
-  registerSecretRotationEndpoints({
-    type: SecretRotation.MySqlCredentials,
-    server,
-    responseSchema: MySqlCredentialsRotationSchema,
-    createSchema: CreateMySqlCredentialsRotationSchema,
-    updateSchema: UpdateMySqlCredentialsRotationSchema,
-    generatedCredentialsSchema: SqlCredentialsRotationGeneratedCredentialsSchema
-  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts

@@ -6,7 +6,6 @@ import { AwsIamUserSecretRotationListItemSchema } from "@app/ee/services/secret-
 import { AzureClientSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/azure-client-secret";
 import { LdapPasswordRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
-import { MySqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
 import { PostgresCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
 import { ApiDocsTags, SecretRotations } from "@app/lib/api-docs";
@@ -17,7 +16,6 @@ import { AuthMode } from "@app/services/auth/auth-type";
 const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
   PostgresCredentialsRotationListItemSchema,
   MsSqlCredentialsRotationListItemSchema,
-  MySqlCredentialsRotationListItemSchema,
   Auth0ClientSecretRotationListItemSchema,
   AzureClientSecretRotationListItemSchema,
   AwsIamUserSecretRotationListItemSchema,

backend/src/ee/services/access-approval-policy/access-approval-policy-approver-dal.ts

@@ -8,10 +8,3 @@ export const accessApprovalPolicyApproverDALFactory = (db: TDbClient) => {
   const accessApprovalPolicyApproverOrm = ormify(db, TableName.AccessApprovalPolicyApprover);
   return { ...accessApprovalPolicyApproverOrm };
 };
-
-export type TAccessApprovalPolicyBypasserDALFactory = ReturnType<typeof accessApprovalPolicyBypasserDALFactory>;
-
-export const accessApprovalPolicyBypasserDALFactory = (db: TDbClient) => {
-  const accessApprovalPolicyBypasserOrm = ormify(db, TableName.AccessApprovalPolicyBypasser);
-  return { ...accessApprovalPolicyBypasserOrm };
-};

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -1,11 +1,11 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { AccessApprovalPoliciesSchema, TableName, TAccessApprovalPolicies, TUsers } from "@app/db/schemas";
+import { AccessApprovalPoliciesSchema, TableName, TAccessApprovalPolicies } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
 
-import { ApproverType, BypasserType } from "./access-approval-policy-types";
+import { ApproverType } from "./access-approval-policy-types";
 
 export type TAccessApprovalPolicyDALFactory = ReturnType<typeof accessApprovalPolicyDALFactory>;
 
@@ -34,22 +34,9 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
         `${TableName.AccessApprovalPolicyApprover}.policyId`
       )
       .leftJoin(TableName.Users, `${TableName.AccessApprovalPolicyApprover}.approverUserId`, `${TableName.Users}.id`)
-      .leftJoin(
-        TableName.AccessApprovalPolicyBypasser,
-        `${TableName.AccessApprovalPolicy}.id`,
-        `${TableName.AccessApprovalPolicyBypasser}.policyId`
-      )
-      .leftJoin<TUsers>(
-        db(TableName.Users).as("bypasserUsers"),
-        `${TableName.AccessApprovalPolicyBypasser}.bypasserUserId`,
-        `bypasserUsers.id`
-      )
       .select(tx.ref("username").withSchema(TableName.Users).as("approverUsername"))
-      .select(tx.ref("username").withSchema("bypasserUsers").as("bypasserUsername"))
       .select(tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
       .select(tx.ref("approverGroupId").withSchema(TableName.AccessApprovalPolicyApprover))
-      .select(tx.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser))
-      .select(tx.ref("bypasserGroupId").withSchema(TableName.AccessApprovalPolicyBypasser))
       .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
       .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
       .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
@@ -142,23 +129,6 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
               id,
               type: ApproverType.Group
             })
-          },
-          {
-            key: "bypasserUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserUserId: id, bypasserUsername }) => ({
-              id,
-              type: BypasserType.User,
-              name: bypasserUsername
-            })
-          },
-          {
-            key: "bypasserGroupId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserGroupId: id }) => ({
-              id,
-              type: BypasserType.Group
-            })
           }
         ]
       });
@@ -174,28 +144,5 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
     return softDeletedPolicy;
   };
 
-  const findLastValidPolicy = async ({ envId, secretPath }: { envId: string; secretPath: string }, tx?: Knex) => {
-    try {
-      const result = await (tx || db.replicaNode())(TableName.AccessApprovalPolicy)
-        .where(
-          // eslint-disable-next-line @typescript-eslint/no-misused-promises
-          buildFindFilter(
-            {
-              envId,
-              secretPath
-            },
-            TableName.AccessApprovalPolicy
-          )
-        )
-        .orderBy("deletedAt", "desc")
-        .orderByRaw(`"deletedAt" IS NULL`)
-        .first();
-
-      return result;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindLastValidPolicy" });
-    }
-  };
-
-  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById, findLastValidPolicy };
+  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById };
 };

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -2,9 +2,8 @@ import { ForbiddenError } from "@casl/ability";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
-import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
@@ -15,14 +14,10 @@ import { TAccessApprovalRequestReviewerDALFactory } from "../access-approval-req
 import { ApprovalStatus } from "../access-approval-request/access-approval-request-types";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
-import {
-  TAccessApprovalPolicyApproverDALFactory,
-  TAccessApprovalPolicyBypasserDALFactory
-} from "./access-approval-policy-approver-dal";
+import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
 import {
   ApproverType,
-  BypasserType,
   TCreateAccessApprovalPolicy,
   TDeleteAccessApprovalPolicy,
   TGetAccessApprovalPolicyByIdDTO,
@@ -37,14 +32,12 @@ type TAccessApprovalPolicyServiceFactoryDep = {
   accessApprovalPolicyDAL: TAccessApprovalPolicyDALFactory;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findOne">;
   accessApprovalPolicyApproverDAL: TAccessApprovalPolicyApproverDALFactory;
-  accessApprovalPolicyBypasserDAL: TAccessApprovalPolicyBypasserDALFactory;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
   groupDAL: TGroupDALFactory;
   userDAL: Pick<TUserDALFactory, "find">;
   accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "update" | "find">;
   additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
   accessApprovalRequestReviewerDAL: Pick<TAccessApprovalRequestReviewerDALFactory, "update">;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find">;
 };
 
 export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
@@ -52,7 +45,6 @@ export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprov
 export const accessApprovalPolicyServiceFactory = ({
   accessApprovalPolicyDAL,
   accessApprovalPolicyApproverDAL,
-  accessApprovalPolicyBypasserDAL,
   groupDAL,
   permissionService,
   projectEnvDAL,
@@ -60,8 +52,7 @@ export const accessApprovalPolicyServiceFactory = ({
   userDAL,
   accessApprovalRequestDAL,
   additionalPrivilegeDAL,
-  accessApprovalRequestReviewerDAL,
-  orgMembershipDAL
+  accessApprovalRequestReviewerDAL
 }: TAccessApprovalPolicyServiceFactoryDep) => {
   const createAccessApprovalPolicy = async ({
     name,
@@ -72,7 +63,6 @@ export const accessApprovalPolicyServiceFactory = ({
     actorAuthMethod,
     approvals,
     approvers,
-    bypassers,
     projectSlug,
     environment,
     enforcementLevel,
@@ -92,7 +82,7 @@ export const accessApprovalPolicyServiceFactory = ({
       .filter(Boolean) as string[];
 
     const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
       .filter(Boolean) as string[];
 
     if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
@@ -108,7 +98,7 @@ export const accessApprovalPolicyServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
+      ProjectPermissionApprovalActions.Create,
       ProjectPermissionSub.SecretApproval
     );
     const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
@@ -157,44 +147,6 @@ export const accessApprovalPolicyServiceFactory = ({
       .map((user) => user.id);
     verifyAllApprovers.push(...verifyGroupApprovers);
 
-    let groupBypassers: string[] = [];
-    let bypasserUserIds: string[] = [];
-
-    if (bypassers && bypassers.length) {
-      groupBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.Group)
-        .map((bypasser) => bypasser.id) as string[];
-
-      const userBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.User)
-        .map((bypasser) => bypasser.id)
-        .filter(Boolean) as string[];
-
-      const userBypasserNames = bypassers
-        .map((bypasser) => (bypasser.type === BypasserType.User ? bypasser.username : undefined))
-        .filter(Boolean) as string[];
-
-      bypasserUserIds = userBypassers;
-      if (userBypasserNames.length) {
-        const bypasserUsers = await userDAL.find({
-          $in: {
-            username: userBypasserNames
-          }
-        });
-
-        const bypasserNamesFromDb = bypasserUsers.map((user) => user.username);
-        const invalidUsernames = userBypasserNames.filter((username) => !bypasserNamesFromDb.includes(username));
-
-        if (invalidUsernames.length) {
-          throw new BadRequestError({
-            message: `Invalid bypasser user: ${invalidUsernames.join(", ")}`
-          });
-        }
-
-        bypasserUserIds = bypasserUserIds.concat(bypasserUsers.map((user) => user.id));
-      }
-    }
-
     const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.create(
         {
@@ -207,7 +159,6 @@ export const accessApprovalPolicyServiceFactory = ({
         },
         tx
       );
-
       if (approverUserIds.length) {
         await accessApprovalPolicyApproverDAL.insertMany(
           approverUserIds.map((userId) => ({
@@ -228,29 +179,8 @@ export const accessApprovalPolicyServiceFactory = ({
         );
       }
 
-      if (bypasserUserIds.length) {
-        await accessApprovalPolicyBypasserDAL.insertMany(
-          bypasserUserIds.map((userId) => ({
-            bypasserUserId: userId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
-      if (groupBypassers.length) {
-        await accessApprovalPolicyBypasserDAL.insertMany(
-          groupBypassers.map((groupId) => ({
-            bypasserGroupId: groupId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
       return doc;
     });
-
     return { ...accessApproval, environment: env, projectId: project.id };
   };
 
@@ -281,7 +211,6 @@ export const accessApprovalPolicyServiceFactory = ({
   const updateAccessApprovalPolicy = async ({
     policyId,
     approvers,
-    bypassers,
     secretPath,
     name,
     actorId,
@@ -302,15 +231,15 @@ export const accessApprovalPolicyServiceFactory = ({
       .filter(Boolean) as string[];
 
     const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
       .filter(Boolean) as string[];
 
     const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    const currentApprovals = approvals || accessApprovalPolicy.approvals;
+    const currentAppovals = approvals || accessApprovalPolicy.approvals;
     if (
       groupApprovers?.length === 0 &&
       userApprovers &&
-      currentApprovals > userApprovers.length + userApproverNames.length
+      currentAppovals > userApprovers.length + userApproverNames.length
     ) {
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
     }
@@ -327,79 +256,10 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
-
-    let groupBypassers: string[] = [];
-    let bypasserUserIds: string[] = [];
-
-    if (bypassers && bypassers.length) {
-      groupBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.Group)
-        .map((bypasser) => bypasser.id) as string[];
-
-      groupBypassers = [...new Set(groupBypassers)];
-
-      const userBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.User)
-        .map((bypasser) => bypasser.id)
-        .filter(Boolean) as string[];
-
-      const userBypasserNames = bypassers
-        .map((bypasser) => (bypasser.type === BypasserType.User ? bypasser.username : undefined))
-        .filter(Boolean) as string[];
-
-      bypasserUserIds = userBypassers;
-      if (userBypasserNames.length) {
-        const bypasserUsers = await userDAL.find({
-          $in: {
-            username: userBypasserNames
-          }
-        });
-
-        const bypasserNamesFromDb = bypasserUsers.map((user) => user.username);
-        const invalidUsernames = userBypasserNames.filter((username) => !bypasserNamesFromDb.includes(username));
-
-        if (invalidUsernames.length) {
-          throw new BadRequestError({
-            message: `Invalid bypasser user: ${invalidUsernames.join(", ")}`
-          });
-        }
-
-        bypasserUserIds = [...new Set(bypasserUserIds.concat(bypasserUsers.map((user) => user.id)))];
-      }
-
-      // Validate user bypassers
-      if (bypasserUserIds.length > 0) {
-        const orgMemberships = await orgMembershipDAL.find({
-          $in: { userId: bypasserUserIds },
-          orgId: actorOrgId
-        });
-
-        if (orgMemberships.length !== bypasserUserIds.length) {
-          const foundUserIdsInOrg = new Set(orgMemberships.map((mem) => mem.userId));
-          const missingUserIds = bypasserUserIds.filter((id) => !foundUserIdsInOrg.has(id));
-          throw new BadRequestError({
-            message: `One or more specified bypasser users are not part of the organization or do not exist. Invalid or non-member user IDs: ${missingUserIds.join(", ")}`
-          });
-        }
-      }
-
-      // Validate group bypassers
-      if (groupBypassers.length > 0) {
-        const orgGroups = await groupDAL.find({
-          $in: { id: groupBypassers },
-          orgId: actorOrgId
-        });
-
-        if (orgGroups.length !== groupBypassers.length) {
-          const foundGroupIdsInOrg = new Set(orgGroups.map((group) => group.id));
-          const missingGroupIds = groupBypassers.filter((id) => !foundGroupIdsInOrg.has(id));
-          throw new BadRequestError({
-            message: `One or more specified bypasser groups are not part of the organization or do not exist. Invalid or non-member group IDs: ${missingGroupIds.join(", ")}`
-          });
-        }
-      }
-    }
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Edit,
+      ProjectPermissionSub.SecretApproval
+    );
 
     const updatedPolicy = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.updateById(
@@ -456,28 +316,6 @@ export const accessApprovalPolicyServiceFactory = ({
         );
       }
 
-      await accessApprovalPolicyBypasserDAL.delete({ policyId: doc.id }, tx);
-
-      if (bypasserUserIds.length) {
-        await accessApprovalPolicyBypasserDAL.insertMany(
-          bypasserUserIds.map((userId) => ({
-            bypasserUserId: userId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
-      if (groupBypassers.length) {
-        await accessApprovalPolicyBypasserDAL.insertMany(
-          groupBypassers.map((groupId) => ({
-            bypasserGroupId: groupId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
       return doc;
     });
     return {
@@ -506,7 +344,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
+      ProjectPermissionApprovalActions.Delete,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -597,7 +435,10 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionSub.SecretApproval
+    );
 
     return policy;
   };

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -18,20 +18,11 @@ export enum ApproverType {
   User = "user"
 }
 
-export enum BypasserType {
-  Group = "group",
-  User = "user"
-}
-
 export type TCreateAccessApprovalPolicy = {
   approvals: number;
   secretPath: string;
   environment: string;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
-  bypassers?: (
-    | { type: BypasserType.Group; id: string }
-    | { type: BypasserType.User; id?: string; username?: string }
-  )[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
   projectSlug: string;
   name: string;
   enforcementLevel: EnforcementLevel;
@@ -41,11 +32,7 @@ export type TCreateAccessApprovalPolicy = {
 export type TUpdateAccessApprovalPolicy = {
   policyId: string;
   approvals?: number;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
-  bypassers?: (
-    | { type: BypasserType.Group; id: string }
-    | { type: BypasserType.User; id?: string; username?: string }
-  )[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
   secretPath?: string;
   name?: string;
   enforcementLevel?: EnforcementLevel;

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -1,13 +1,7 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import {
-  AccessApprovalRequestsSchema,
-  TableName,
-  TAccessApprovalRequests,
-  TUserGroupMembership,
-  TUsers
-} from "@app/db/schemas";
+import { AccessApprovalRequestsSchema, TableName, TAccessApprovalRequests, TUsers } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
 
@@ -34,12 +28,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.AccessApprovalRequest}.policyId`,
           `${TableName.AccessApprovalPolicy}.id`
         )
+
         .leftJoin(
           TableName.AccessApprovalRequestReviewer,
           `${TableName.AccessApprovalRequest}.id`,
           `${TableName.AccessApprovalRequestReviewer}.requestId`
         )
-
         .leftJoin(
           TableName.AccessApprovalPolicyApprover,
           `${TableName.AccessApprovalPolicy}.id`,
@@ -52,17 +46,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         )
         .leftJoin(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
 
-        .leftJoin(
-          TableName.AccessApprovalPolicyBypasser,
-          `${TableName.AccessApprovalPolicy}.id`,
-          `${TableName.AccessApprovalPolicyBypasser}.policyId`
-        )
-        .leftJoin<TUserGroupMembership>(
-          db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
-          `${TableName.AccessApprovalPolicyBypasser}.bypasserGroupId`,
-          `bypasserUserGroupMembership.groupId`
-        )
-
         .join<TUsers>(
           db(TableName.Users).as("requestedByUser"),
           `${TableName.AccessApprovalRequest}.requestedByUserId`,
@@ -86,9 +69,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
         .select(db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"))
 
-        .select(db.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser))
-        .select(db.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"))
-
         .select(
           db.ref("projectId").withSchema(TableName.Environment),
           db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
@@ -165,7 +145,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
               }
             : null,
 
-          isApproved: !!doc.policyDeletedAt || !!doc.privilegeId || doc.status !== ApprovalStatus.PENDING
+          isApproved: !!doc.policyDeletedAt || !!doc.privilegeId
         }),
         childrenMapper: [
           {
@@ -178,12 +158,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             key: "approverGroupUserId",
             label: "approvers" as const,
             mapper: ({ approverGroupUserId }) => approverGroupUserId
-          },
-          { key: "bypasserUserId", label: "bypassers" as const, mapper: ({ bypasserUserId }) => bypasserUserId },
-          {
-            key: "bypasserGroupUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserGroupUserId }) => bypasserGroupUserId
           }
         ]
       });
@@ -192,7 +166,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
 
       return formattedDocs.map((doc) => ({
         ...doc,
-        policy: { ...doc.policy, approvers: doc.approvers, bypassers: doc.bypassers }
+        policy: { ...doc.policy, approvers: doc.approvers }
       }));
     } catch (error) {
       throw new DatabaseError({ error, name: "FindRequestsWithPrivilege" });
@@ -219,6 +193,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.AccessApprovalPolicy}.id`,
         `${TableName.AccessApprovalPolicyApprover}.policyId`
       )
+
       .leftJoin<TUsers>(
         db(TableName.Users).as("accessApprovalPolicyApproverUser"),
         `${TableName.AccessApprovalPolicyApprover}.approverUserId`,
@@ -229,33 +204,13 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.AccessApprovalPolicyApprover}.approverGroupId`,
         `${TableName.UserGroupMembership}.groupId`
       )
+
       .leftJoin<TUsers>(
         db(TableName.Users).as("accessApprovalPolicyGroupApproverUser"),
         `${TableName.UserGroupMembership}.userId`,
         "accessApprovalPolicyGroupApproverUser.id"
       )
 
-      .leftJoin(
-        TableName.AccessApprovalPolicyBypasser,
-        `${TableName.AccessApprovalPolicy}.id`,
-        `${TableName.AccessApprovalPolicyBypasser}.policyId`
-      )
-      .leftJoin<TUsers>(
-        db(TableName.Users).as("accessApprovalPolicyBypasserUser"),
-        `${TableName.AccessApprovalPolicyBypasser}.bypasserUserId`,
-        "accessApprovalPolicyBypasserUser.id"
-      )
-      .leftJoin<TUserGroupMembership>(
-        db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
-        `${TableName.AccessApprovalPolicyBypasser}.bypasserGroupId`,
-        `bypasserUserGroupMembership.groupId`
-      )
-      .leftJoin<TUsers>(
-        db(TableName.Users).as("accessApprovalPolicyGroupBypasserUser"),
-        `bypasserUserGroupMembership.userId`,
-        "accessApprovalPolicyGroupBypasserUser.id"
-      )
-
       .leftJoin(
         TableName.AccessApprovalRequestReviewer,
         `${TableName.AccessApprovalRequest}.id`,
@@ -286,18 +241,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("firstName").withSchema("requestedByUser").as("requestedByUserFirstName"),
         tx.ref("lastName").withSchema("requestedByUser").as("requestedByUserLastName"),
 
-        // Bypassers
-        tx.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser),
-        tx.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
-        tx.ref("email").withSchema("accessApprovalPolicyBypasserUser").as("bypasserEmail"),
-        tx.ref("email").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupEmail"),
-        tx.ref("username").withSchema("accessApprovalPolicyBypasserUser").as("bypasserUsername"),
-        tx.ref("username").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupUsername"),
-        tx.ref("firstName").withSchema("accessApprovalPolicyBypasserUser").as("bypasserFirstName"),
-        tx.ref("firstName").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupFirstName"),
-        tx.ref("lastName").withSchema("accessApprovalPolicyBypasserUser").as("bypasserLastName"),
-        tx.ref("lastName").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupLastName"),
-
         tx.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer),
 
         tx.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"),
@@ -322,7 +265,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
     try {
       const sql = findQuery({ [`${TableName.AccessApprovalRequest}.id` as "id"]: id }, tx || db.replicaNode());
       const docs = await sql;
-      const formattedDoc = sqlNestRelationships({
+      const formatedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
         parentMapper: (el) => ({
@@ -392,51 +335,13 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
               lastName,
               username
             })
-          },
-          {
-            key: "bypasserUserId",
-            label: "bypassers" as const,
-            mapper: ({
-              bypasserUserId,
-              bypasserEmail: email,
-              bypasserUsername: username,
-              bypasserLastName: lastName,
-              bypasserFirstName: firstName
-            }) => ({
-              userId: bypasserUserId,
-              email,
-              firstName,
-              lastName,
-              username
-            })
-          },
-          {
-            key: "bypasserGroupUserId",
-            label: "bypassers" as const,
-            mapper: ({
-              userId,
-              bypasserGroupEmail: email,
-              bypasserGroupUsername: username,
-              bypasserGroupLastName: lastName,
-              bypasserFirstName: firstName
-            }) => ({
-              userId,
-              email,
-              firstName,
-              lastName,
-              username
-            })
           }
         ]
       });
-      if (!formattedDoc?.[0]) return;
+      if (!formatedDoc?.[0]) return;
       return {
-        ...formattedDoc[0],
-        policy: {
-          ...formattedDoc[0].policy,
-          approvers: formattedDoc[0].approvers,
-          bypassers: formattedDoc[0].bypassers
-        }
+        ...formatedDoc[0],
+        policy: { ...formatedDoc[0].policy, approvers: formatedDoc[0].approvers }
       };
     } catch (error) {
       throw new DatabaseError({ error, name: "FindByIdAccessApprovalRequest" });
@@ -487,20 +392,14 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         ]
       });
 
-      // an approval is pending if there is no reviewer rejections, no privilege ID is set and the status is pending
+      // an approval is pending if there is no reviewer rejections and no privilege ID is set
       const pendingApprovals = formattedRequests.filter(
-        (req) =>
-          !req.privilegeId &&
-          !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED) &&
-          req.status === ApprovalStatus.PENDING
+        (req) => !req.privilegeId && !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
       );
 
-      // an approval is finalized if there are any rejections, a privilege ID is set or the number of approvals is equal to the number of approvals required
+      // an approval is finalized if there are any rejections or a privilege ID is set
       const finalizedApprovals = formattedRequests.filter(
-        (req) =>
-          req.privilegeId ||
-          req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED) ||
-          req.status !== ApprovalStatus.PENDING
+        (req) => req.privilegeId || req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
       );
 
       return { pendingCount: pendingApprovals.length, finalizedCount: finalizedApprovals.length };

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -23,6 +23,7 @@ import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-poli
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
+import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
 import { TAccessApprovalRequestDALFactory } from "./access-approval-request-dal";
@@ -56,7 +57,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
     | "findOne"
     | "getCount"
   >;
-  accessApprovalPolicyDAL: Pick<TAccessApprovalPolicyDALFactory, "findOne" | "find" | "findLastValidPolicy">;
+  accessApprovalPolicyDAL: Pick<TAccessApprovalPolicyDALFactory, "findOne" | "find">;
   accessApprovalRequestReviewerDAL: Pick<
     TAccessApprovalRequestReviewerDALFactory,
     "create" | "find" | "findOne" | "transaction"
@@ -131,7 +132,7 @@ export const accessApprovalRequestServiceFactory = ({
 
     if (!environment) throw new NotFoundError({ message: `Environment with slug '${envSlug}' not found` });
 
-    const policy = await accessApprovalPolicyDAL.findLastValidPolicy({
+    const policy = await accessApprovalPolicyDAL.findOne({
       envId: environment.id,
       secretPath
     });
@@ -203,7 +204,7 @@ export const accessApprovalRequestServiceFactory = ({
 
           const isRejected = reviewers.some((reviewer) => reviewer.status === ApprovalStatus.REJECTED);
 
-          if (!isRejected && duplicateRequest.status === ApprovalStatus.PENDING) {
+          if (!isRejected) {
             throw new BadRequestError({ message: "You already have a pending access request with the same criteria" });
           }
         }
@@ -339,7 +340,7 @@ export const accessApprovalRequestServiceFactory = ({
       });
     }
 
-    const { membership, hasRole } = await permissionService.getProjectPermission({
+    const { membership, hasRole, permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: accessApprovalRequest.projectId,
@@ -354,13 +355,13 @@ export const accessApprovalRequestServiceFactory = ({
 
     const isSelfApproval = actorId === accessApprovalRequest.requestedByUserId;
     const isSoftEnforcement = policy.enforcementLevel === EnforcementLevel.Soft;
-    const canBypass = !policy.bypassers.length || policy.bypassers.some((bypasser) => bypasser.userId === actorId);
-    const cannotBypassUnderSoftEnforcement = !(isSoftEnforcement && canBypass);
+    const canBypassApproval = permission.can(
+      ProjectPermissionApprovalActions.AllowAccessBypass,
+      ProjectPermissionSub.SecretApproval
+    );
+    const cannotBypassUnderSoftEnforcement = !(isSoftEnforcement && canBypassApproval);
 
-    const isApprover = policy.approvers.find((approver) => approver.userId === actorId);
-
-    // If user is (not an approver OR cant self approve) AND can't bypass policy
-    if ((!isApprover || (!policy.allowedSelfApprovals && isSelfApproval)) && cannotBypassUnderSoftEnforcement) {
+    if (!policy.allowedSelfApprovals && isSelfApproval && cannotBypassUnderSoftEnforcement) {
       throw new BadRequestError({
         message: "Failed to review access approval request. Users are not authorized to review their own request."
       });
@@ -369,7 +370,7 @@ export const accessApprovalRequestServiceFactory = ({
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
       accessApprovalRequest.requestedByUserId !== actorId && // The request wasn't made by the current user
-      !isApprover // The request isn't performed by an assigned approver
+      !policy.approvers.find((approver) => approver.userId === actorId) // The request isn't performed by an assigned approver
     ) {
       throw new ForbiddenRequestError({ message: "You are not authorized to approve this request" });
     }
@@ -477,11 +478,7 @@ export const accessApprovalRequestServiceFactory = ({
             );
             privilegeIdToSet = privilege.id;
           }
-          await accessApprovalRequestDAL.updateById(
-            accessApprovalRequest.id,
-            { privilegeId: privilegeIdToSet, status: ApprovalStatus.APPROVED },
-            tx
-          );
+          await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { privilegeId: privilegeIdToSet }, tx);
         }
       }
 

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -132,11 +132,7 @@ export const dynamicSecretLeaseServiceFactory = ({
 
     let result;
     try {
-      result = await selectedProvider.create({
-        inputs: decryptedStoredInput,
-        expireAt: expireAt.getTime(),
-        usernameTemplate: dynamicSecretCfg.usernameTemplate
-      });
+      result = await selectedProvider.create(decryptedStoredInput, expireAt.getTime());
     } catch (error: unknown) {
       if (error && typeof error === "object" && error !== null && "sqlMessage" in error) {
         throw new BadRequestError({ message: error.sqlMessage as string });

backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts

@@ -11,8 +11,6 @@ export const verifyHostInputValidity = async (host: string, isGateway = false) =
 
   if (appCfg.isDevelopmentMode) return [host];
 
-  if (isGateway) return [host];
-
   const reservedHosts = [appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI)].concat(
     (appCfg.DB_READ_REPLICAS || []).map((el) => getDbConnectionHost(el.DB_CONNECTION_URI)),
     getDbConnectionHost(appCfg.REDIS_URL),
@@ -60,7 +58,7 @@ export const verifyHostInputValidity = async (host: string, isGateway = false) =
     }
   }
 
-  if (!(appCfg.DYNAMIC_SECRET_ALLOW_INTERNAL_IP || appCfg.ALLOW_INTERNAL_IP_CONNECTIONS)) {
+  if (!isGateway && !(appCfg.DYNAMIC_SECRET_ALLOW_INTERNAL_IP || appCfg.ALLOW_INTERNAL_IP_CONNECTIONS)) {
     const isInternalIp = inputHostIps.some((el) => isPrivateIp(el));
     if (isInternalIp) throw new BadRequestError({ message: "Invalid db host" });
   }

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -78,8 +78,7 @@ export const dynamicSecretServiceFactory = ({
     actorOrgId,
     defaultTTL,
     actorAuthMethod,
-    metadata,
-    usernameTemplate
+    metadata
   }: TCreateDynamicSecretDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -164,8 +163,7 @@ export const dynamicSecretServiceFactory = ({
           defaultTTL,
           folderId: folder.id,
           name,
-          gatewayId: selectedGatewayId,
-          usernameTemplate
+          gatewayId: selectedGatewayId
         },
         tx
       );
@@ -201,8 +199,7 @@ export const dynamicSecretServiceFactory = ({
     newName,
     actorOrgId,
     actorAuthMethod,
-    metadata,
-    usernameTemplate
+    metadata
   }: TUpdateDynamicSecretDTO) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -314,8 +311,7 @@ export const dynamicSecretServiceFactory = ({
           defaultTTL,
           name: newName ?? name,
           status: null,
-          gatewayId: selectedGatewayId,
-          usernameTemplate
+          gatewayId: selectedGatewayId
         },
         tx
       );

backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts

@@ -22,7 +22,6 @@ export type TCreateDynamicSecretDTO = {
   name: string;
   projectSlug: string;
   metadata?: ResourceMetadataDTO;
-  usernameTemplate?: string | null;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateDynamicSecretDTO = {
@@ -35,7 +34,6 @@ export type TUpdateDynamicSecretDTO = {
   inputs?: TProvider["inputs"];
   projectSlug: string;
   metadata?: ResourceMetadataDTO;
-  usernameTemplate?: string | null;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteDynamicSecretDTO = {

backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts

@@ -132,15 +132,9 @@ const generatePassword = () => {
   return customAlphabet(charset, 64)();
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
+const generateUsername = () => {
   const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-";
-  const randomUsername = `inf-${customAlphabet(charset, 32)()}`;
-  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
-    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
-  });
+  return `inf-${customAlphabet(charset, 32)()}`; // Username must start with an ascii letter, so we prepend the username with "inf-"
 };
 
 export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
@@ -174,14 +168,13 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
     return true;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
     if (!(await validateConnection(providerInputs))) {
       throw new BadRequestError({ message: "Failed to establish connection" });
     }
 
-    const leaseUsername = generateUsername(usernameTemplate);
+    const leaseUsername = generateUsername();
     const leasePassword = generatePassword();
     const leaseExpiration = new Date(expireAt).toISOString();
 

backend/src/ee/services/dynamic-secret/providers/aws-iam.ts

@@ -16,7 +16,6 @@ import {
   PutUserPolicyCommand,
   RemoveUserFromGroupCommand
 } from "@aws-sdk/client-iam";
-import handlebars from "handlebars";
 import { z } from "zod";
 
 import { BadRequestError } from "@app/lib/errors";
@@ -24,14 +23,8 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
 
-const generateUsername = (usernameTemplate?: string | null) => {
-  const randomUsername = alphaNumericNanoId(32);
-  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
-    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
-  });
+const generateUsername = () => {
+  return alphaNumericNanoId(32);
 };
 
 export const AwsIamProvider = (): TDynamicProviderFns => {
@@ -60,13 +53,11 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
     return isConnected;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
-
+  const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
     const client = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername();
     const { policyArns, userGroups, policyDocument, awsPath, permissionBoundaryPolicyArn } = providerInputs;
     const createUserRes = await client.send(
       new CreateUserCommand({

backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts

@@ -55,7 +55,7 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {
     return data.success;
   };
 
-  const create = async ({ inputs }: { inputs: unknown }) => {
+  const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
     const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
     if (!data.success) {
@@ -88,7 +88,7 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     // Creates a new password
-    await create({ inputs });
+    await create(inputs);
     return { entityId };
   };
 

backend/src/ee/services/dynamic-secret/providers/cassandra.ts

@@ -14,14 +14,8 @@ const generatePassword = (size = 48) => {
   return customAlphabet(charset, 48)(size);
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
-  const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
-  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
-    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
-  });
+const generateUsername = () => {
+  return alphaNumericNanoId(32);
 };
 
 export const CassandraProvider = (): TDynamicProviderFns => {
@@ -75,12 +69,11 @@ export const CassandraProvider = (): TDynamicProviderFns => {
     return isConnected;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
     const client = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername();
     const password = generatePassword();
     const { keyspace } = providerInputs;
     const expiration = new Date(expireAt).toISOString();

backend/src/ee/services/dynamic-secret/providers/elastic-search.ts

@@ -1,5 +1,4 @@
 import { Client as ElasticSearchClient } from "@elastic/elasticsearch";
-import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
@@ -13,14 +12,8 @@ const generatePassword = () => {
   return customAlphabet(charset, 64)();
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
-  const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
-  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
-    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
-  });
+const generateUsername = () => {
+  return alphaNumericNanoId(32);
 };
 
 export const ElasticSearchProvider = (): TDynamicProviderFns => {
@@ -71,12 +64,11 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
     return infoResponse;
   };
 
-  const create = async (data: { inputs: unknown; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
     const connection = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername();
     const password = generatePassword();
 
     await connection.security.putUser({

backend/src/ee/services/dynamic-secret/providers/kubernetes.ts

@@ -116,7 +116,7 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
     }
   };
 
-  const create = async ({ inputs, expireAt }: { inputs: unknown; expireAt: number }) => {
+  const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
 
     const tokenRequestCallback = async (host: string, port: number) => {

backend/src/ee/services/dynamic-secret/providers/ldap.ts

@@ -22,14 +22,8 @@ const encodePassword = (password?: string) => {
   return base64Password;
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
-  const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
-  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
-    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
-  });
+const generateUsername = () => {
+  return alphaNumericNanoId(20);
 };
 
 const generateLDIF = ({
@@ -196,8 +190,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
     return dnArray;
   };
 
-  const create = async (data: { inputs: unknown; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
     const client = await $getClient(providerInputs);
 
@@ -224,7 +217,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
         });
       }
     } else {
-      const username = generateUsername(usernameTemplate);
+      const username = generateUsername();
       const password = generatePassword();
       const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.creationLdif });
 

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -360,11 +360,7 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
 ]);
 
 export type TDynamicProviderFns = {
-  create: (arg: {
-    inputs: unknown;
-    expireAt: number;
-    usernameTemplate?: string | null;
-  }) => Promise<{ entityId: string; data: unknown }>;
+  create: (inputs: unknown, expireAt: number) => Promise<{ entityId: string; data: unknown }>;
   validateConnection: (inputs: unknown) => Promise<boolean>;
   validateProviderInputs: (inputs: object) => Promise<unknown>;
   revoke: (inputs: unknown, entityId: string) => Promise<{ entityId: string }>;

backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts

@@ -1,5 +1,4 @@
 import axios, { AxiosError } from "axios";
-import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
@@ -13,14 +12,8 @@ const generatePassword = (size = 48) => {
   return customAlphabet(charset, 48)(size);
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
-  const randomUsername = alphaNumericNanoId(32);
-  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
-    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
-  });
+const generateUsername = () => {
+  return alphaNumericNanoId(32);
 };
 
 export const MongoAtlasProvider = (): TDynamicProviderFns => {
@@ -64,12 +57,11 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
     return isConnected;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
     const client = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername();
     const password = generatePassword();
     const expiration = new Date(expireAt).toISOString();
     await client({

backend/src/ee/services/dynamic-secret/providers/mongo-db.ts

@@ -1,4 +1,3 @@
-import handlebars from "handlebars";
 import { MongoClient } from "mongodb";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
@@ -13,14 +12,8 @@ const generatePassword = (size = 48) => {
   return customAlphabet(charset, 48)(size);
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
-  const randomUsername = alphaNumericNanoId(32);
-  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
-    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
-  });
+const generateUsername = () => {
+  return alphaNumericNanoId(32);
 };
 
 export const MongoDBProvider = (): TDynamicProviderFns => {
@@ -60,12 +53,11 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
     return isConnected;
   };
 
-  const create = async (data: { inputs: unknown; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
     const client = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername();
     const password = generatePassword();
 
     const db = client.db(providerInputs.database);

backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts

@@ -1,5 +1,4 @@
 import axios, { Axios } from "axios";
-import handlebars from "handlebars";
 import https from "https";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
@@ -15,14 +14,8 @@ const generatePassword = () => {
   return customAlphabet(charset, 64)();
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
-  const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
-  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
-    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
-  });
+const generateUsername = () => {
+  return alphaNumericNanoId(32);
 };
 
 type TCreateRabbitMQUser = {
@@ -117,12 +110,11 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
     return infoResponse;
   };
 
-  const create = async (data: { inputs: unknown; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
     const connection = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername();
     const password = generatePassword();
 
     await createRabbitMqUser({

backend/src/ee/services/dynamic-secret/providers/redis.ts

@@ -15,14 +15,8 @@ const generatePassword = () => {
   return customAlphabet(charset, 64)();
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
-  const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
-  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
-    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
-  });
+const generateUsername = () => {
+  return alphaNumericNanoId(32);
 };
 
 const executeTransactions = async (connection: Redis, commands: string[]): Promise<(string | null)[] | null> => {
@@ -121,12 +115,11 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
     return pingResponse;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
     const connection = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername();
     const password = generatePassword();
     const expiration = new Date(expireAt).toISOString();
 

backend/src/ee/services/dynamic-secret/providers/sap-ase.ts

@@ -15,14 +15,8 @@ const generatePassword = (size = 48) => {
   return customAlphabet(charset, 48)(size);
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
-  const randomUsername = `inf_${alphaNumericNanoId(25)}`; // Username must start with an ascii letter, so we prepend the username with "inf-"
-  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
-    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
-  });
+const generateUsername = () => {
+  return alphaNumericNanoId(25);
 };
 
 enum SapCommands {
@@ -87,12 +81,11 @@ export const SapAseProvider = (): TDynamicProviderFns => {
     return true;
   };
 
-  const create = async (data: { inputs: unknown; usernameTemplate?: string | null }) => {
-    const { inputs, usernameTemplate } = data;
+  const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
 
-    const username = generateUsername(usernameTemplate);
-    const password = generatePassword();
+    const username = `inf_${generateUsername()}`;
+    const password = `${generatePassword()}`;
 
     const client = await $getClient(providerInputs);
     const masterClient = await $getClient(providerInputs, true);

backend/src/ee/services/dynamic-secret/providers/sap-hana.ts

@@ -21,14 +21,8 @@ const generatePassword = (size = 48) => {
   return customAlphabet(charset, 48)(size);
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
-  const randomUsername = alphaNumericNanoId(32); // Username must start with an ascii letter, so we prepend the username with "inf-"
-  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
-    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
-  });
+const generateUsername = () => {
+  return alphaNumericNanoId(32);
 };
 
 export const SapHanaProvider = (): TDynamicProviderFns => {
@@ -97,11 +91,10 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
     return testResult;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername();
     const password = generatePassword();
     const expiration = new Date(expireAt).toISOString();
 

backend/src/ee/services/dynamic-secret/providers/snowflake.ts

@@ -17,14 +17,8 @@ const generatePassword = (size = 48) => {
   return customAlphabet(charset, 48)(size);
 };
 
-const generateUsername = (usernameTemplate?: string | null) => {
-  const randomUsername = `infisical_${alphaNumericNanoId(32)}`; // Username must start with an ascii letter, so we prepend the username with "inf-"
-  if (!usernameTemplate) return randomUsername;
-
-  return handlebars.compile(usernameTemplate)({
-    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
-  });
+const generateUsername = () => {
+  return `infisical_${alphaNumericNanoId(32)}`; // username must start with alpha character, hence prefix
 };
 
 const getDaysToExpiry = (expiryDate: Date) => {
@@ -88,13 +82,12 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
     return isValidConnection;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
+  const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
 
     const client = await $getClient(providerInputs);
 
-    const username = generateUsername(usernameTemplate);
+    const username = generateUsername();
     const password = generatePassword();
 
     try {

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -104,21 +104,11 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
   }
 };
 
-const generateUsername = (provider: SqlProviders, usernameTemplate?: string | null) => {
-  let randomUsername = "";
-
+const generateUsername = (provider: SqlProviders) => {
   // For oracle, the client assumes everything is upper case when not using quotes around the password
-  if (provider === SqlProviders.Oracle) {
-    randomUsername = alphaNumericNanoId(32).toUpperCase();
-  } else {
-    randomUsername = alphaNumericNanoId(32);
-  }
-  if (!usernameTemplate) return randomUsername;
+  if (provider === SqlProviders.Oracle) return alphaNumericNanoId(32).toUpperCase();
 
-  return handlebars.compile(usernameTemplate)({
-    randomUsername,
-    unixTimestamp: Math.floor(Date.now() / 100)
-  });
+  return alphaNumericNanoId(32);
 };
 
 type TSqlDatabaseProviderDTO = {
@@ -220,12 +210,9 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
     return isConnected;
   };
 
-  const create = async (data: { inputs: unknown; expireAt: number; usernameTemplate?: string | null }) => {
-    const { inputs, expireAt, usernameTemplate } = data;
-
+  const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const username = generateUsername(providerInputs.client, usernameTemplate);
-
+    const username = generateUsername(providerInputs.client);
     const password = generatePassword(providerInputs.client, providerInputs.passwordRequirements);
     const gatewayCallback = async (host = providerInputs.host, port = providerInputs.port) => {
       const db = await $getClient({ ...providerInputs, port, host });

backend/src/ee/services/license/license-service.ts

@@ -17,7 +17,7 @@ import { TIdentityOrgDALFactory } from "@app/services/identity/identity-org-dal"
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
-import { OrgPermissionBillingActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { BillingPlanRows, BillingPlanTableHead } from "./licence-enums";
 import { TLicenseDALFactory } from "./license-dal";
@@ -288,7 +288,7 @@ export const licenseServiceFactory = ({
     billingCycle
   }: TOrgPlansTableDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
     const { data } = await licenseServerCloudApi.request.get(
       `/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
     );
@@ -310,10 +310,8 @@ export const licenseServiceFactory = ({
     success_url
   }: TStartOrgTrialDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionBillingActions.ManageBilling,
-      OrgPermissionSubjects.Billing
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -340,10 +338,8 @@ export const licenseServiceFactory = ({
     actorOrgId
   }: TCreateOrgPortalSession) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionBillingActions.ManageBilling,
-      OrgPermissionSubjects.Billing
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -389,7 +385,7 @@ export const licenseServiceFactory = ({
 
   const getOrgBillingInfo = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -417,7 +413,7 @@ export const licenseServiceFactory = ({
   // returns org current plan feature table
   const getOrgPlanTable = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -488,7 +484,7 @@ export const licenseServiceFactory = ({
 
   const getOrgBillingDetails = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -513,10 +509,7 @@ export const licenseServiceFactory = ({
     email
   }: TUpdateOrgBillingDetailsDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionBillingActions.ManageBilling,
-      OrgPermissionSubjects.Billing
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -536,7 +529,7 @@ export const licenseServiceFactory = ({
 
   const getOrgPmtMethods = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgPmtMethodsDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -563,10 +556,7 @@ export const licenseServiceFactory = ({
     cancel_url
   }: TAddOrgPmtMethodDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionBillingActions.ManageBilling,
-      OrgPermissionSubjects.Billing
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -595,10 +585,7 @@ export const licenseServiceFactory = ({
     pmtMethodId
   }: TDelOrgPmtMethodDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionBillingActions.ManageBilling,
-      OrgPermissionSubjects.Billing
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -615,7 +602,7 @@ export const licenseServiceFactory = ({
 
   const getOrgTaxIds = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgTaxIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -633,10 +620,7 @@ export const licenseServiceFactory = ({
 
   const addOrgTaxId = async ({ actorId, actor, actorAuthMethod, actorOrgId, orgId, type, value }: TAddOrgTaxIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionBillingActions.ManageBilling,
-      OrgPermissionSubjects.Billing
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -657,10 +641,7 @@ export const licenseServiceFactory = ({
 
   const delOrgTaxId = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId, taxId }: TDelOrgTaxIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(
-      OrgPermissionBillingActions.ManageBilling,
-      OrgPermissionSubjects.Billing
-    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -677,7 +658,7 @@ export const licenseServiceFactory = ({
 
   const getOrgTaxInvoices = async ({ actorId, actor, actorOrgId, actorAuthMethod, orgId }: TOrgInvoiceDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -694,7 +675,7 @@ export const licenseServiceFactory = ({
 
   const getOrgLicenses = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgLicensesDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -44,6 +44,7 @@ import {
   TOidcLoginDTO,
   TUpdateOidcCfgDTO
 } from "./oidc-config-types";
+import { logger } from "@app/lib/logger";
 
 type TOidcConfigServiceFactoryDep = {
   userDAL: Pick<
@@ -699,6 +700,7 @@ export const oidcConfigServiceFactory = ({
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       (_req: any, tokenSet: TokenSet, cb: any) => {
         const claims = tokenSet.claims();
+        logger.info(`User OIDC claims received for [orgId=${org.id}] [claims=${JSON.stringify(claims)}]`);
         if (!claims.email || !claims.given_name) {
           throw new BadRequestError({
             message: "Invalid request. Missing email or first name"

backend/src/ee/services/permission/default-roles.ts

@@ -2,6 +2,7 @@ import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability"
 
 import {
   ProjectPermissionActions,
+  ProjectPermissionApprovalActions,
   ProjectPermissionCertificateActions,
   ProjectPermissionCmekActions,
   ProjectPermissionDynamicSecretActions,
@@ -10,7 +11,6 @@ import {
   ProjectPermissionKmipActions,
   ProjectPermissionMemberActions,
   ProjectPermissionPkiSubscriberActions,
-  ProjectPermissionPkiTemplateActions,
   ProjectPermissionSecretActions,
   ProjectPermissionSecretRotationActions,
   ProjectPermissionSecretSyncActions,
@@ -36,6 +36,7 @@ const buildAdminPermissionRules = () => {
     ProjectPermissionSub.AuditLogs,
     ProjectPermissionSub.IpAllowList,
     ProjectPermissionSub.CertificateAuthorities,
+    ProjectPermissionSub.CertificateTemplates,
     ProjectPermissionSub.PkiAlerts,
     ProjectPermissionSub.PkiCollections,
     ProjectPermissionSub.SshCertificateAuthorities,
@@ -56,22 +57,12 @@ const buildAdminPermissionRules = () => {
 
   can(
     [
-      ProjectPermissionPkiTemplateActions.Read,
-      ProjectPermissionPkiTemplateActions.Edit,
-      ProjectPermissionPkiTemplateActions.Create,
-      ProjectPermissionPkiTemplateActions.Delete,
-      ProjectPermissionPkiTemplateActions.IssueCert,
-      ProjectPermissionPkiTemplateActions.ListCerts
-    ],
-    ProjectPermissionSub.CertificateTemplates
-  );
-
-  can(
-    [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionApprovalActions.Edit,
+      ProjectPermissionApprovalActions.Create,
+      ProjectPermissionApprovalActions.Delete,
+      ProjectPermissionApprovalActions.AllowChangeBypass,
+      ProjectPermissionApprovalActions.AllowAccessBypass
     ],
     ProjectPermissionSub.SecretApproval
   );
@@ -264,7 +255,7 @@ const buildMemberPermissionRules = () => {
     ProjectPermissionSub.SecretImports
   );
 
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretApproval);
+  can([ProjectPermissionApprovalActions.Read], ProjectPermissionSub.SecretApproval);
   can([ProjectPermissionSecretRotationActions.Read], ProjectPermissionSub.SecretRotation);
 
   can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
@@ -360,7 +351,7 @@ const buildMemberPermissionRules = () => {
     ProjectPermissionSub.Certificates
   );
 
-  can([ProjectPermissionPkiTemplateActions.Read], ProjectPermissionSub.CertificateTemplates);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateTemplates);
 
   can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiAlerts);
   can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiCollections);
@@ -412,7 +403,7 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
   can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+  can(ProjectPermissionApprovalActions.Read, ProjectPermissionSub.SecretApproval);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
   can(ProjectPermissionSecretRotationActions.Read, ProjectPermissionSub.SecretRotation);
   can(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
@@ -429,7 +420,6 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
   can(ProjectPermissionCertificateActions.Read, ProjectPermissionSub.Certificates);
-  can(ProjectPermissionPkiTemplateActions.Read, ProjectPermissionSub.CertificateTemplates);
   can(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);

backend/src/ee/services/permission/org-permission.ts

@@ -67,11 +67,6 @@ export enum OrgPermissionGroupActions {
   RemoveMembers = "remove-members"
 }
 
-export enum OrgPermissionBillingActions {
-  Read = "read",
-  ManageBilling = "manage-billing"
-}
-
 export enum OrgPermissionSubjects {
   Workspace = "workspace",
   Role = "role",
@@ -112,7 +107,7 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.Ldap]
   | [OrgPermissionGroupActions, OrgPermissionSubjects.Groups]
   | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
-  | [OrgPermissionBillingActions, OrgPermissionSubjects.Billing]
+  | [OrgPermissionActions, OrgPermissionSubjects.Billing]
   | [OrgPermissionIdentityActions, OrgPermissionSubjects.Identity]
   | [OrgPermissionActions, OrgPermissionSubjects.Kms]
   | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
@@ -303,8 +298,10 @@ const buildAdminPermission = () => {
   can(OrgPermissionGroupActions.AddMembers, OrgPermissionSubjects.Groups);
   can(OrgPermissionGroupActions.RemoveMembers, OrgPermissionSubjects.Groups);
 
-  can(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
-  can(OrgPermissionBillingActions.ManageBilling, OrgPermissionSubjects.Billing);
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Billing);
 
   can(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
   can(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
@@ -365,7 +362,7 @@ const buildMemberPermission = () => {
   can(OrgPermissionGroupActions.Read, OrgPermissionSubjects.Groups);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Role);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Settings);
-  can(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.IncidentAccount);
 
   can(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);

backend/src/ee/services/permission/project-permission.ts

@@ -34,6 +34,15 @@ export enum ProjectPermissionSecretActions {
   Delete = "delete"
 }
 
+export enum ProjectPermissionApprovalActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  AllowChangeBypass = "allow-change-bypass",
+  AllowAccessBypass = "allow-access-bypass"
+}
+
 export enum ProjectPermissionCmekActions {
   Read = "read",
   Create = "create",
@@ -87,15 +96,6 @@ export enum ProjectPermissionSshHostActions {
   IssueHostCert = "issue-host-cert"
 }
 
-export enum ProjectPermissionPkiTemplateActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  IssueCert = "issue-cert",
-  ListCerts = "list-certs"
-}
-
 export enum ProjectPermissionPkiSubscriberActions {
   Read = "read",
   Create = "create",
@@ -209,11 +209,6 @@ export type SshHostSubjectFields = {
   hostname: string;
 };
 
-export type PkiTemplateSubjectFields = {
-  name: string;
-  // (dangtony98): consider adding [commonName] as a subject field in the future
-};
-
 export type PkiSubscriberSubjectFields = {
   name: string;
   // (dangtony98): consider adding [commonName] as a subject field in the future
@@ -256,7 +251,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.IpAllowList]
   | [ProjectPermissionActions, ProjectPermissionSub.Settings]
   | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
-  | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
+  | [ProjectPermissionApprovalActions, ProjectPermissionSub.SecretApproval]
   | [
       ProjectPermissionSecretRotationActions,
       (
@@ -270,13 +265,7 @@ export type ProjectPermissionSet =
     ]
   | [ProjectPermissionActions, ProjectPermissionSub.CertificateAuthorities]
   | [ProjectPermissionCertificateActions, ProjectPermissionSub.Certificates]
-  | [
-      ProjectPermissionPkiTemplateActions,
-      (
-        | ProjectPermissionSub.CertificateTemplates
-        | (ForcedSubject<ProjectPermissionSub.CertificateTemplates> & PkiTemplateSubjectFields)
-      )
-    ]
+  | [ProjectPermissionActions, ProjectPermissionSub.CertificateTemplates]
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateAuthorities]
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificates]
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateTemplates]
@@ -456,25 +445,10 @@ const PkiSubscriberConditionSchema = z
   })
   .partial();
 
-const PkiTemplateConditionSchema = z
-  .object({
-    name: z.union([
-      z.string(),
-      z
-        .object({
-          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
-        })
-        .partial()
-    ])
-  })
-  .partial();
-
 const GeneralPermissionSchema = [
   z.object({
     subject: z.literal(ProjectPermissionSub.SecretApproval).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionApprovalActions).describe(
       "Describe what action an entity can take."
     )
   }),
@@ -562,6 +536,12 @@ const GeneralPermissionSchema = [
       "Describe what action an entity can take."
     )
   }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.CertificateTemplates).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+      "Describe what action an entity can take."
+    )
+  }),
   z.object({
     subject: z
       .literal(ProjectPermissionSub.SshCertificateAuthorities)
@@ -739,16 +719,6 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
       "When specified, only matching conditions will be allowed to access given resource."
     ).optional()
   }),
-  z.object({
-    subject: z.literal(ProjectPermissionSub.CertificateTemplates).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionPkiTemplateActions).describe(
-      "Describe what action an entity can take."
-    ),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    conditions: PkiTemplateConditionSchema.describe(
-      "When specified, only matching conditions will be allowed to access given resource."
-    ).optional()
-  }),
   z.object({
     subject: z.literal(ProjectPermissionSub.SecretRotation).describe("The entity this permission pertains to."),
     inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
@@ -759,7 +729,6 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
       "When specified, only matching conditions will be allowed to access given resource."
     ).optional()
   }),
-
   ...GeneralPermissionSchema
 ]);
 

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -9,7 +9,6 @@ import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/per
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 
-import { TAccessApprovalRequestDALFactory } from "../access-approval-request/access-approval-request-dal";
 import { constructPermissionErrorMessage, validatePrivilegeChangeOperation } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import {
@@ -17,7 +16,6 @@ import {
   ProjectPermissionSet,
   ProjectPermissionSub
 } from "../permission/project-permission";
-import { ApprovalStatus } from "../secret-approval-request/secret-approval-request-types";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "./project-user-additional-privilege-dal";
 import {
   ProjectUserAdditionalPrivilegeTemporaryMode,
@@ -32,7 +30,6 @@ type TProjectUserAdditionalPrivilegeServiceFactoryDep = {
   projectUserAdditionalPrivilegeDAL: TProjectUserAdditionalPrivilegeDALFactory;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById" | "findOne">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "update">;
 };
 
 export type TProjectUserAdditionalPrivilegeServiceFactory = ReturnType<
@@ -47,8 +44,7 @@ const unpackPermissions = (permissions: unknown) =>
 export const projectUserAdditionalPrivilegeServiceFactory = ({
   projectUserAdditionalPrivilegeDAL,
   projectMembershipDAL,
-  permissionService,
-  accessApprovalRequestDAL
+  permissionService
 }: TProjectUserAdditionalPrivilegeServiceFactoryDep) => {
   const create = async ({
     slug,
@@ -283,15 +279,6 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
 
-    await accessApprovalRequestDAL.update(
-      {
-        privilegeId: userPrivilege.id
-      },
-      {
-        privilegeDeletedAt: new Date(),
-        status: ApprovalStatus.REJECTED
-      }
-    );
     const deletedPrivilege = await projectUserAdditionalPrivilegeDAL.deleteById(userPrivilege.id);
     return {
       ...deletedPrivilege,

backend/src/ee/services/secret-approval-policy/secret-approval-policy-approver-dal.ts

@@ -8,10 +8,3 @@ export const secretApprovalPolicyApproverDALFactory = (db: TDbClient) => {
   const sapApproverOrm = ormify(db, TableName.SecretApprovalPolicyApprover);
   return sapApproverOrm;
 };
-
-export type TSecretApprovalPolicyBypasserDALFactory = ReturnType<typeof secretApprovalPolicyBypasserDALFactory>;
-
-export const secretApprovalPolicyBypasserDALFactory = (db: TDbClient) => {
-  const sapBypasserOrm = ormify(db, TableName.SecretApprovalPolicyBypasser);
-  return sapBypasserOrm;
-};

backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts

@@ -1,17 +1,11 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import {
-  SecretApprovalPoliciesSchema,
-  TableName,
-  TSecretApprovalPolicies,
-  TUserGroupMembership,
-  TUsers
-} from "@app/db/schemas";
+import { SecretApprovalPoliciesSchema, TableName, TSecretApprovalPolicies, TUsers } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
 
-import { ApproverType, BypasserType } from "../access-approval-policy/access-approval-policy-types";
+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
 
 export type TSecretApprovalPolicyDALFactory = ReturnType<typeof secretApprovalPolicyDALFactory>;
 
@@ -49,22 +43,6 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
         `${TableName.SecretApprovalPolicyApprover}.approverUserId`,
         "secretApprovalPolicyApproverUser.id"
       )
-      // Bypasser
-      .leftJoin(
-        TableName.SecretApprovalPolicyBypasser,
-        `${TableName.SecretApprovalPolicy}.id`,
-        `${TableName.SecretApprovalPolicyBypasser}.policyId`
-      )
-      .leftJoin<TUserGroupMembership>(
-        db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
-        `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
-        `bypasserUserGroupMembership.groupId`
-      )
-      .leftJoin<TUsers>(
-        db(TableName.Users).as("secretApprovalPolicyBypasserUser"),
-        `${TableName.SecretApprovalPolicyBypasser}.bypasserUserId`,
-        "secretApprovalPolicyBypasserUser.id"
-      )
       .leftJoin<TUsers>(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
       .select(
         tx.ref("id").withSchema("secretApprovalPolicyApproverUser").as("approverUserId"),
@@ -80,20 +58,6 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
         tx.ref("firstName").withSchema(TableName.Users).as("approverGroupFirstName"),
         tx.ref("lastName").withSchema(TableName.Users).as("approverGroupLastName")
       )
-      .select(
-        tx.ref("id").withSchema("secretApprovalPolicyBypasserUser").as("bypasserUserId"),
-        tx.ref("email").withSchema("secretApprovalPolicyBypasserUser").as("bypasserEmail"),
-        tx.ref("firstName").withSchema("secretApprovalPolicyBypasserUser").as("bypasserFirstName"),
-        tx.ref("username").withSchema("secretApprovalPolicyBypasserUser").as("bypasserUsername"),
-        tx.ref("lastName").withSchema("secretApprovalPolicyBypasserUser").as("bypasserLastName")
-      )
-      .select(
-        tx.ref("bypasserGroupId").withSchema(TableName.SecretApprovalPolicyBypasser),
-        tx.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
-        tx.ref("email").withSchema(TableName.Users).as("bypasserGroupEmail"),
-        tx.ref("firstName").withSchema(TableName.Users).as("bypasserGroupFirstName"),
-        tx.ref("lastName").withSchema(TableName.Users).as("bypasserGroupLastName")
-      )
       .select(
         tx.ref("name").withSchema(TableName.Environment).as("envName"),
         tx.ref("slug").withSchema(TableName.Environment).as("envSlug"),
@@ -179,7 +143,7 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
             label: "approvers" as const,
             mapper: ({ approverUserId: id, approverUsername }) => ({
               type: ApproverType.User,
-              username: approverUsername,
+              name: approverUsername,
               id
             })
           },
@@ -191,23 +155,6 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
               id
             })
           },
-          {
-            key: "bypasserUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserUserId: id, bypasserUsername }) => ({
-              type: BypasserType.User,
-              username: bypasserUsername,
-              id
-            })
-          },
-          {
-            key: "bypasserGroupId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserGroupId: id }) => ({
-              type: BypasserType.Group,
-              id
-            })
-          },
           {
             key: "approverUserId",
             label: "userApprovers" as const,

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -3,21 +3,18 @@ import picomatch from "picomatch";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { containsGlobPatterns } from "@app/lib/picomatch";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 
-import { ApproverType, BypasserType } from "../access-approval-policy/access-approval-policy-types";
+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TSecretApprovalRequestDALFactory } from "../secret-approval-request/secret-approval-request-dal";
 import { RequestState } from "../secret-approval-request/secret-approval-request-types";
-import {
-  TSecretApprovalPolicyApproverDALFactory,
-  TSecretApprovalPolicyBypasserDALFactory
-} from "./secret-approval-policy-approver-dal";
+import { TSecretApprovalPolicyApproverDALFactory } from "./secret-approval-policy-approver-dal";
 import { TSecretApprovalPolicyDALFactory } from "./secret-approval-policy-dal";
 import {
   TCreateSapDTO,
@@ -39,7 +36,6 @@ type TSecretApprovalPolicyServiceFactoryDep = {
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
   userDAL: Pick<TUserDALFactory, "find">;
   secretApprovalPolicyApproverDAL: TSecretApprovalPolicyApproverDALFactory;
-  secretApprovalPolicyBypasserDAL: TSecretApprovalPolicyBypasserDALFactory;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "update">;
 };
@@ -50,7 +46,6 @@ export const secretApprovalPolicyServiceFactory = ({
   secretApprovalPolicyDAL,
   permissionService,
   secretApprovalPolicyApproverDAL,
-  secretApprovalPolicyBypasserDAL,
   projectEnvDAL,
   userDAL,
   licenseService,
@@ -64,7 +59,6 @@ export const secretApprovalPolicyServiceFactory = ({
     actorAuthMethod,
     approvals,
     approvers,
-    bypassers,
     projectId,
     secretPath,
     environment,
@@ -80,7 +74,7 @@ export const secretApprovalPolicyServiceFactory = ({
       .filter(Boolean) as string[];
 
     const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
       .filter(Boolean) as string[];
 
     if (!groupApprovers.length && approvals > approvers.length)
@@ -95,7 +89,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
+      ProjectPermissionApprovalActions.Create,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -113,44 +107,6 @@ export const secretApprovalPolicyServiceFactory = ({
         message: `Environment with slug '${environment}' not found in project with ID ${projectId}`
       });
 
-    let groupBypassers: string[] = [];
-    let bypasserUserIds: string[] = [];
-
-    if (bypassers && bypassers.length) {
-      groupBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.Group)
-        .map((bypasser) => bypasser.id) as string[];
-
-      const userBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.User)
-        .map((bypasser) => bypasser.id)
-        .filter(Boolean) as string[];
-
-      const userBypasserNames = bypassers
-        .map((bypasser) => (bypasser.type === BypasserType.User ? bypasser.username : undefined))
-        .filter(Boolean) as string[];
-
-      bypasserUserIds = userBypassers;
-      if (userBypasserNames.length) {
-        const bypasserUsers = await userDAL.find({
-          $in: {
-            username: userBypasserNames
-          }
-        });
-
-        const bypasserNamesFromDb = bypasserUsers.map((user) => user.username);
-        const invalidUsernames = userBypasserNames.filter((username) => !bypasserNamesFromDb.includes(username));
-
-        if (invalidUsernames.length) {
-          throw new BadRequestError({
-            message: `Invalid bypasser user: ${invalidUsernames.join(", ")}`
-          });
-        }
-
-        bypasserUserIds = bypasserUserIds.concat(bypasserUsers.map((user) => user.id));
-      }
-    }
-
     const secretApproval = await secretApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await secretApprovalPolicyDAL.create(
         {
@@ -202,27 +158,6 @@ export const secretApprovalPolicyServiceFactory = ({
         })),
         tx
       );
-
-      if (bypasserUserIds.length) {
-        await secretApprovalPolicyBypasserDAL.insertMany(
-          bypasserUserIds.map((userId) => ({
-            bypasserUserId: userId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
-      if (groupBypassers.length) {
-        await secretApprovalPolicyBypasserDAL.insertMany(
-          groupBypassers.map((groupId) => ({
-            bypasserGroupId: groupId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
       return doc;
     });
 
@@ -231,7 +166,6 @@ export const secretApprovalPolicyServiceFactory = ({
 
   const updateSecretApprovalPolicy = async ({
     approvers,
-    bypassers,
     secretPath,
     name,
     actorId,
@@ -252,7 +186,7 @@ export const secretApprovalPolicyServiceFactory = ({
       .filter(Boolean) as string[];
 
     const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
+      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
       .filter(Boolean) as string[];
 
     const secretApprovalPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
@@ -270,7 +204,10 @@ export const secretApprovalPolicyServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Edit,
+      ProjectPermissionSub.SecretApproval
+    );
 
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan.secretApproval) {
@@ -280,44 +217,6 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
-    let groupBypassers: string[] = [];
-    let bypasserUserIds: string[] = [];
-
-    if (bypassers && bypassers.length) {
-      groupBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.Group)
-        .map((bypasser) => bypasser.id) as string[];
-
-      const userBypassers = bypassers
-        .filter((bypasser) => bypasser.type === BypasserType.User)
-        .map((bypasser) => bypasser.id)
-        .filter(Boolean) as string[];
-
-      const userBypasserNames = bypassers
-        .map((bypasser) => (bypasser.type === BypasserType.User ? bypasser.username : undefined))
-        .filter(Boolean) as string[];
-
-      bypasserUserIds = userBypassers;
-      if (userBypasserNames.length) {
-        const bypasserUsers = await userDAL.find({
-          $in: {
-            username: userBypasserNames
-          }
-        });
-
-        const bypasserNamesFromDb = bypasserUsers.map((user) => user.username);
-        const invalidUsernames = userBypasserNames.filter((username) => !bypasserNamesFromDb.includes(username));
-
-        if (invalidUsernames.length) {
-          throw new BadRequestError({
-            message: `Invalid bypasser user: ${invalidUsernames.join(", ")}`
-          });
-        }
-
-        bypasserUserIds = bypasserUserIds.concat(bypasserUsers.map((user) => user.id));
-      }
-    }
-
     const updatedSap = await secretApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await secretApprovalPolicyDAL.updateById(
         secretApprovalPolicy.id,
@@ -376,28 +275,6 @@ export const secretApprovalPolicyServiceFactory = ({
         );
       }
 
-      await secretApprovalPolicyBypasserDAL.delete({ policyId: doc.id }, tx);
-
-      if (bypasserUserIds.length) {
-        await secretApprovalPolicyBypasserDAL.insertMany(
-          bypasserUserIds.map((userId) => ({
-            bypasserUserId: userId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
-      if (groupBypassers.length) {
-        await secretApprovalPolicyBypasserDAL.insertMany(
-          groupBypassers.map((groupId) => ({
-            bypasserGroupId: groupId,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
       return doc;
     });
     return {
@@ -427,7 +304,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
+      ProjectPermissionApprovalActions.Delete,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -466,7 +343,10 @@ export const secretApprovalPolicyServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionSub.SecretApproval
+    );
 
     const sapPolicies = await secretApprovalPolicyDAL.find({ projectId, deletedAt: null });
     return sapPolicies;
@@ -539,7 +419,10 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionSub.SecretApproval
+    );
 
     return sapPolicy;
   };

backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@@ -1,16 +1,12 @@
 import { EnforcementLevel, TProjectPermission } from "@app/lib/types";
 
-import { ApproverType, BypasserType } from "../access-approval-policy/access-approval-policy-types";
+import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
 
 export type TCreateSapDTO = {
   approvals: number;
   secretPath?: string | null;
   environment: string;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
-  bypassers?: (
-    | { type: BypasserType.Group; id: string }
-    | { type: BypasserType.User; id?: string; username?: string }
-  )[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
   projectId: string;
   name: string;
   enforcementLevel: EnforcementLevel;
@@ -21,11 +17,7 @@ export type TUpdateSapDTO = {
   secretPolicyId: string;
   approvals?: number;
   secretPath?: string | null;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
-  bypassers?: (
-    | { type: BypasserType.Group; id: string }
-    | { type: BypasserType.User; id?: string; username?: string }
-  )[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
   name?: string;
   enforcementLevel?: EnforcementLevel;
   allowedSelfApprovals?: boolean;

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -6,7 +6,6 @@ import {
   TableName,
   TSecretApprovalRequests,
   TSecretApprovalRequestsSecrets,
-  TUserGroupMembership,
   TUsers
 } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
@@ -59,36 +58,16 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.SecretApprovalPolicyApprover}.approverUserId`,
         "secretApprovalPolicyApproverUser.id"
       )
-      .leftJoin<TUserGroupMembership>(
-        db(TableName.UserGroupMembership).as("approverUserGroupMembership"),
+      .leftJoin(
+        TableName.UserGroupMembership,
         `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
-        `approverUserGroupMembership.groupId`
+        `${TableName.UserGroupMembership}.groupId`
       )
       .leftJoin<TUsers>(
         db(TableName.Users).as("secretApprovalPolicyGroupApproverUser"),
-        `approverUserGroupMembership.userId`,
+        `${TableName.UserGroupMembership}.userId`,
         `secretApprovalPolicyGroupApproverUser.id`
       )
-      .leftJoin(
-        TableName.SecretApprovalPolicyBypasser,
-        `${TableName.SecretApprovalPolicy}.id`,
-        `${TableName.SecretApprovalPolicyBypasser}.policyId`
-      )
-      .leftJoin<TUsers>(
-        db(TableName.Users).as("secretApprovalPolicyBypasserUser"),
-        `${TableName.SecretApprovalPolicyBypasser}.bypasserUserId`,
-        "secretApprovalPolicyBypasserUser.id"
-      )
-      .leftJoin<TUserGroupMembership>(
-        db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
-        `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
-        `bypasserUserGroupMembership.groupId`
-      )
-      .leftJoin<TUsers>(
-        db(TableName.Users).as("secretApprovalPolicyGroupBypasserUser"),
-        `bypasserUserGroupMembership.userId`,
-        `secretApprovalPolicyGroupBypasserUser.id`
-      )
       .leftJoin(
         TableName.SecretApprovalRequestReviewer,
         `${TableName.SecretApprovalRequest}.id`,
@@ -102,7 +81,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
       .select(selectAllTableCols(TableName.SecretApprovalRequest))
       .select(
         tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
-        tx.ref("userId").withSchema("approverUserGroupMembership").as("approverGroupUserId"),
+        tx.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
         tx.ref("email").withSchema("secretApprovalPolicyApproverUser").as("approverEmail"),
         tx.ref("email").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupEmail"),
         tx.ref("username").withSchema("secretApprovalPolicyApproverUser").as("approverUsername"),
@@ -111,20 +90,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("firstName").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupFirstName"),
         tx.ref("lastName").withSchema("secretApprovalPolicyApproverUser").as("approverLastName"),
         tx.ref("lastName").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupLastName"),
-
-        // Bypasser fields
-        tx.ref("bypasserUserId").withSchema(TableName.SecretApprovalPolicyBypasser),
-        tx.ref("bypasserGroupId").withSchema(TableName.SecretApprovalPolicyBypasser),
-        tx.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
-        tx.ref("email").withSchema("secretApprovalPolicyBypasserUser").as("bypasserEmail"),
-        tx.ref("email").withSchema("secretApprovalPolicyGroupBypasserUser").as("bypasserGroupEmail"),
-        tx.ref("username").withSchema("secretApprovalPolicyBypasserUser").as("bypasserUsername"),
-        tx.ref("username").withSchema("secretApprovalPolicyGroupBypasserUser").as("bypasserGroupUsername"),
-        tx.ref("firstName").withSchema("secretApprovalPolicyBypasserUser").as("bypasserFirstName"),
-        tx.ref("firstName").withSchema("secretApprovalPolicyGroupBypasserUser").as("bypasserGroupFirstName"),
-        tx.ref("lastName").withSchema("secretApprovalPolicyBypasserUser").as("bypasserLastName"),
-        tx.ref("lastName").withSchema("secretApprovalPolicyGroupBypasserUser").as("bypasserGroupLastName"),
-
         tx.ref("email").withSchema("statusChangedByUser").as("statusChangedByUserEmail"),
         tx.ref("username").withSchema("statusChangedByUser").as("statusChangedByUserUsername"),
         tx.ref("firstName").withSchema("statusChangedByUser").as("statusChangedByUserFirstName"),
@@ -156,7 +121,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
     try {
       const sql = findQuery({ [`${TableName.SecretApprovalRequest}.id` as "id"]: id }, tx || db.replicaNode());
       const docs = await sql;
-      const formattedDoc = sqlNestRelationships({
+      const formatedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
         parentMapper: (el) => ({
@@ -238,51 +203,13 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
               lastName,
               username
             })
-          },
-          {
-            key: "bypasserUserId",
-            label: "bypassers" as const,
-            mapper: ({
-              bypasserUserId: userId,
-              bypasserEmail: email,
-              bypasserUsername: username,
-              bypasserLastName: lastName,
-              bypasserFirstName: firstName
-            }) => ({
-              userId,
-              email,
-              firstName,
-              lastName,
-              username
-            })
-          },
-          {
-            key: "bypasserGroupUserId",
-            label: "bypassers" as const,
-            mapper: ({
-              bypasserGroupUserId: userId,
-              bypasserGroupEmail: email,
-              bypasserGroupUsername: username,
-              bypasserGroupLastName: lastName,
-              bypasserGroupFirstName: firstName
-            }) => ({
-              userId,
-              email,
-              firstName,
-              lastName,
-              username
-            })
           }
         ]
       });
-      if (!formattedDoc?.[0]) return;
+      if (!formatedDoc?.[0]) return;
       return {
-        ...formattedDoc[0],
-        policy: {
-          ...formattedDoc[0].policy,
-          approvers: formattedDoc[0].approvers,
-          bypassers: formattedDoc[0].bypassers
-        }
+        ...formatedDoc[0],
+        policy: { ...formatedDoc[0].policy, approvers: formatedDoc[0].approvers }
       };
     } catch (error) {
       throw new DatabaseError({ error, name: "FindByIdSAR" });
@@ -364,16 +291,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
           `${TableName.UserGroupMembership}.groupId`
         )
-        .leftJoin(
-          TableName.SecretApprovalPolicyBypasser,
-          `${TableName.SecretApprovalPolicy}.id`,
-          `${TableName.SecretApprovalPolicyBypasser}.policyId`
-        )
-        .leftJoin<TUserGroupMembership>(
-          db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
-          `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
-          `bypasserUserGroupMembership.groupId`
-        )
         .join<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
@@ -425,11 +342,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
           db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
           db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
-
-          // Bypasser fields
-          db.ref("bypasserUserId").withSchema(TableName.SecretApprovalPolicyBypasser),
-          db.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
-
           db.ref("email").withSchema("committerUser").as("committerUserEmail"),
           db.ref("username").withSchema("committerUser").as("committerUserUsername"),
           db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
@@ -443,7 +355,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         .from<Awaited<typeof query>[number]>("w")
         .where("w.rank", ">=", offset)
         .andWhere("w.rank", "<", offset + limit);
-      const formattedDoc = sqlNestRelationships({
+      const formatedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
         parentMapper: (el) => ({
@@ -491,22 +403,12 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             key: "approverGroupUserId",
             label: "approvers" as const,
             mapper: ({ approverGroupUserId }) => ({ userId: approverGroupUserId })
-          },
-          {
-            key: "bypasserUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserUserId }) => ({ userId: bypasserUserId })
-          },
-          {
-            key: "bypasserGroupUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserGroupUserId }) => ({ userId: bypasserGroupUserId })
           }
         ]
       });
-      return formattedDoc.map((el) => ({
+      return formatedDoc.map((el) => ({
         ...el,
-        policy: { ...el.policy, approvers: el.approvers, bypassers: el.bypassers }
+        policy: { ...el.policy, approvers: el.approvers }
       }));
     } catch (error) {
       throw new DatabaseError({ error, name: "FindSAR" });
@@ -538,16 +440,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
           `${TableName.UserGroupMembership}.groupId`
         )
-        .leftJoin(
-          TableName.SecretApprovalPolicyBypasser,
-          `${TableName.SecretApprovalPolicy}.id`,
-          `${TableName.SecretApprovalPolicyBypasser}.policyId`
-        )
-        .leftJoin<TUserGroupMembership>(
-          db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
-          `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
-          `bypasserUserGroupMembership.groupId`
-        )
         .join<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
@@ -599,11 +491,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
           db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
           db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"),
-
-          // Bypasser
-          db.ref("bypasserUserId").withSchema(TableName.SecretApprovalPolicyBypasser),
-          db.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
-
           db.ref("email").withSchema("committerUser").as("committerUserEmail"),
           db.ref("username").withSchema("committerUser").as("committerUserUsername"),
           db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
@@ -617,7 +504,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         .from<Awaited<typeof query>[number]>("w")
         .where("w.rank", ">=", offset)
         .andWhere("w.rank", "<", offset + limit);
-      const formattedDoc = sqlNestRelationships({
+      const formatedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
         parentMapper: (el) => ({
@@ -667,24 +554,12 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             mapper: ({ approverGroupUserId }) => ({
               userId: approverGroupUserId
             })
-          },
-          {
-            key: "bypasserUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserUserId }) => ({ userId: bypasserUserId })
-          },
-          {
-            key: "bypasserGroupUserId",
-            label: "bypassers" as const,
-            mapper: ({ bypasserGroupUserId }) => ({
-              userId: bypasserGroupUserId
-            })
           }
         ]
       });
-      return formattedDoc.map((el) => ({
+      return formatedDoc.map((el) => ({
         ...el,
-        policy: { ...el.policy, approvers: el.approvers, bypassers: el.bypassers }
+        policy: { ...el.policy, approvers: el.approvers }
       }));
     } catch (error) {
       throw new DatabaseError({ error, name: "FindSAR" });

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -62,7 +62,11 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { throwIfMissingSecretReadValueOrDescribePermission } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionSecretActions, ProjectPermissionSub } from "../permission/project-permission";
+import {
+  ProjectPermissionApprovalActions,
+  ProjectPermissionSecretActions,
+  ProjectPermissionSub
+} from "../permission/project-permission";
 import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
 import { TSecretSnapshotServiceFactory } from "../secret-snapshot/secret-snapshot-service";
 import { TSecretApprovalRequestDALFactory } from "./secret-approval-request-dal";
@@ -497,14 +501,14 @@ export const secretApprovalRequestServiceFactory = ({
       });
     }
 
-    const { policy, folderId, projectId, bypassers } = secretApprovalRequest;
+    const { policy, folderId, projectId } = secretApprovalRequest;
     if (policy.deletedAt) {
       throw new BadRequestError({
         message: "The policy associated with this secret approval request has been deleted."
       });
     }
 
-    const { hasRole } = await permissionService.getProjectPermission({
+    const { hasRole, permission } = await permissionService.getProjectPermission({
       actor: ActorType.USER,
       actorId,
       projectId,
@@ -530,9 +534,14 @@ export const secretApprovalRequestServiceFactory = ({
         approverId ? reviewers[approverId] === ApprovalStatus.APPROVED : false
       ).length;
     const isSoftEnforcement = secretApprovalRequest.policy.enforcementLevel === EnforcementLevel.Soft;
-    const canBypass = !bypassers.length || bypassers.some((bypasser) => bypasser.userId === actorId);
 
-    if (!hasMinApproval && !(isSoftEnforcement && canBypass))
+    if (
+      !hasMinApproval &&
+      !(
+        isSoftEnforcement &&
+        permission.can(ProjectPermissionApprovalActions.AllowChangeBypass, ProjectPermissionSub.SecretApproval)
+      )
+    )
       throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
 
     const { botKey, shouldUseSecretV2Bridge, project } = await projectBotService.getBotKey(projectId);

backend/src/ee/services/secret-rotation-v2/mysql-credentials/index.ts

@@ -1,3 +0,0 @@
-export * from "./mysql-credentials-rotation-constants";
-export * from "./mysql-credentials-rotation-schemas";
-export * from "./mysql-credentials-rotation-types";

backend/src/ee/services/secret-rotation-v2/mysql-credentials/mysql-credentials-rotation-constants.ts

@@ -1,23 +0,0 @@
-import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
-import { TSecretRotationV2ListItem } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-export const MYSQL_CREDENTIALS_ROTATION_LIST_OPTION: TSecretRotationV2ListItem = {
-  name: "MySQL Credentials",
-  type: SecretRotation.MySqlCredentials,
-  connection: AppConnection.MySql,
-  template: {
-    createUserStatement: `-- create user
-CREATE USER 'infisical_user'@'%' IDENTIFIED BY 'temporary_password';
-
--- grant all privileges
-GRANT ALL PRIVILEGES ON my_database.* TO 'infisical_user'@'%';
-
--- apply the privilege changes
-FLUSH PRIVILEGES;`,
-    secretsMapping: {
-      username: "MYSQL_USERNAME",
-      password: "MYSQL_PASSWORD"
-    }
-  }
-};

backend/src/ee/services/secret-rotation-v2/mysql-credentials/mysql-credentials-rotation-schemas.ts

@@ -1,41 +0,0 @@
-import { z } from "zod";
-
-import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
-import {
-  BaseCreateSecretRotationSchema,
-  BaseSecretRotationSchema,
-  BaseUpdateSecretRotationSchema
-} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-schemas";
-import {
-  SqlCredentialsRotationParametersSchema,
-  SqlCredentialsRotationSecretsMappingSchema,
-  SqlCredentialsRotationTemplateSchema
-} from "@app/ee/services/secret-rotation-v2/shared/sql-credentials";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-export const MySqlCredentialsRotationSchema = BaseSecretRotationSchema(SecretRotation.MySqlCredentials).extend({
-  type: z.literal(SecretRotation.MySqlCredentials),
-  parameters: SqlCredentialsRotationParametersSchema,
-  secretsMapping: SqlCredentialsRotationSecretsMappingSchema
-});
-
-export const CreateMySqlCredentialsRotationSchema = BaseCreateSecretRotationSchema(
-  SecretRotation.MySqlCredentials
-).extend({
-  parameters: SqlCredentialsRotationParametersSchema,
-  secretsMapping: SqlCredentialsRotationSecretsMappingSchema
-});
-
-export const UpdateMySqlCredentialsRotationSchema = BaseUpdateSecretRotationSchema(
-  SecretRotation.MySqlCredentials
-).extend({
-  parameters: SqlCredentialsRotationParametersSchema.optional(),
-  secretsMapping: SqlCredentialsRotationSecretsMappingSchema.optional()
-});
-
-export const MySqlCredentialsRotationListItemSchema = z.object({
-  name: z.literal("MySQL Credentials"),
-  connection: z.literal(AppConnection.MySql),
-  type: z.literal(SecretRotation.MySqlCredentials),
-  template: SqlCredentialsRotationTemplateSchema
-});

backend/src/ee/services/secret-rotation-v2/mysql-credentials/mysql-credentials-rotation-types.ts

@@ -1,19 +0,0 @@
-import { z } from "zod";
-
-import { TMySqlConnection } from "@app/services/app-connection/mysql";
-
-import {
-  CreateMySqlCredentialsRotationSchema,
-  MySqlCredentialsRotationListItemSchema,
-  MySqlCredentialsRotationSchema
-} from "./mysql-credentials-rotation-schemas";
-
-export type TMySqlCredentialsRotation = z.infer<typeof MySqlCredentialsRotationSchema>;
-
-export type TMySqlCredentialsRotationInput = z.infer<typeof CreateMySqlCredentialsRotationSchema>;
-
-export type TMySqlCredentialsRotationListItem = z.infer<typeof MySqlCredentialsRotationListItemSchema>;
-
-export type TMySqlCredentialsRotationWithConnection = TMySqlCredentialsRotation & {
-  connection: TMySqlConnection;
-};

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-enums.ts

@@ -1,7 +1,6 @@
 export enum SecretRotation {
   PostgresCredentials = "postgres-credentials",
   MsSqlCredentials = "mssql-credentials",
-  MySqlCredentials = "mysql-credentials",
   Auth0ClientSecret = "auth0-client-secret",
   AzureClientSecret = "azure-client-secret",
   AwsIamUserSecret = "aws-iam-user-secret",

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts

@@ -9,7 +9,6 @@ import { AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION } from "./aws-iam-user-secret"
 import { AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./azure-client-secret";
 import { LDAP_PASSWORD_ROTATION_LIST_OPTION, TLdapPasswordRotation } from "./ldap-password";
 import { MSSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mssql-credentials";
-import { MYSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mysql-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
 import { TSecretRotationV2ServiceFactoryDep } from "./secret-rotation-v2-service";
@@ -24,7 +23,6 @@ import {
 const SECRET_ROTATION_LIST_OPTIONS: Record<SecretRotation, TSecretRotationV2ListItem> = {
   [SecretRotation.PostgresCredentials]: POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION,
   [SecretRotation.MsSqlCredentials]: MSSQL_CREDENTIALS_ROTATION_LIST_OPTION,
-  [SecretRotation.MySqlCredentials]: MYSQL_CREDENTIALS_ROTATION_LIST_OPTION,
   [SecretRotation.Auth0ClientSecret]: AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION,
   [SecretRotation.AzureClientSecret]: AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION,
   [SecretRotation.AwsIamUserSecret]: AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION,

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-maps.ts

@@ -4,7 +4,6 @@ import { AppConnection } from "@app/services/app-connection/app-connection-enums
 export const SECRET_ROTATION_NAME_MAP: Record<SecretRotation, string> = {
   [SecretRotation.PostgresCredentials]: "PostgreSQL Credentials",
   [SecretRotation.MsSqlCredentials]: "Microsoft SQL Server Credentials",
-  [SecretRotation.MySqlCredentials]: "MySQL Credentials",
   [SecretRotation.Auth0ClientSecret]: "Auth0 Client Secret",
   [SecretRotation.AzureClientSecret]: "Azure Client Secret",
   [SecretRotation.AwsIamUserSecret]: "AWS IAM User Secret",
@@ -14,7 +13,6 @@ export const SECRET_ROTATION_NAME_MAP: Record<SecretRotation, string> = {
 export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnection> = {
   [SecretRotation.PostgresCredentials]: AppConnection.Postgres,
   [SecretRotation.MsSqlCredentials]: AppConnection.MsSql,
-  [SecretRotation.MySqlCredentials]: AppConnection.MySql,
   [SecretRotation.Auth0ClientSecret]: AppConnection.Auth0,
   [SecretRotation.AzureClientSecret]: AppConnection.AzureClientSecrets,
   [SecretRotation.AwsIamUserSecret]: AppConnection.AWS,

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -120,7 +120,6 @@ type TRotationFactoryImplementation = TRotationFactory<
 const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactoryImplementation> = {
   [SecretRotation.PostgresCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.MsSqlCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
-  [SecretRotation.MySqlCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.Auth0ClientSecret]: auth0ClientSecretRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.AzureClientSecret]: azureClientSecretRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.AwsIamUserSecret]: awsIamUserSecretRotationFactory as TRotationFactoryImplementation,

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts

@@ -39,12 +39,6 @@ import {
   TMsSqlCredentialsRotationListItem,
   TMsSqlCredentialsRotationWithConnection
 } from "./mssql-credentials";
-import {
-  TMySqlCredentialsRotation,
-  TMySqlCredentialsRotationInput,
-  TMySqlCredentialsRotationListItem,
-  TMySqlCredentialsRotationWithConnection
-} from "./mysql-credentials";
 import {
   TPostgresCredentialsRotation,
   TPostgresCredentialsRotationInput,
@@ -57,7 +51,6 @@ import { SecretRotation } from "./secret-rotation-v2-enums";
 export type TSecretRotationV2 =
   | TPostgresCredentialsRotation
   | TMsSqlCredentialsRotation
-  | TMySqlCredentialsRotation
   | TAuth0ClientSecretRotation
   | TAzureClientSecretRotation
   | TLdapPasswordRotation
@@ -66,7 +59,6 @@ export type TSecretRotationV2 =
 export type TSecretRotationV2WithConnection =
   | TPostgresCredentialsRotationWithConnection
   | TMsSqlCredentialsRotationWithConnection
-  | TMySqlCredentialsRotationWithConnection
   | TAuth0ClientSecretRotationWithConnection
   | TAzureClientSecretRotationWithConnection
   | TLdapPasswordRotationWithConnection
@@ -82,7 +74,6 @@ export type TSecretRotationV2GeneratedCredentials =
 export type TSecretRotationV2Input =
   | TPostgresCredentialsRotationInput
   | TMsSqlCredentialsRotationInput
-  | TMySqlCredentialsRotationInput
   | TAuth0ClientSecretRotationInput
   | TAzureClientSecretRotationInput
   | TLdapPasswordRotationInput
@@ -91,7 +82,6 @@ export type TSecretRotationV2Input =
 export type TSecretRotationV2ListItem =
   | TPostgresCredentialsRotationListItem
   | TMsSqlCredentialsRotationListItem
-  | TMySqlCredentialsRotationListItem
   | TAuth0ClientSecretRotationListItem
   | TAzureClientSecretRotationListItem
   | TLdapPasswordRotationListItem

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema.ts

@@ -4,7 +4,6 @@ import { Auth0ClientSecretRotationSchema } from "@app/ee/services/secret-rotatio
 import { AzureClientSecretRotationSchema } from "@app/ee/services/secret-rotation-v2/azure-client-secret";
 import { LdapPasswordRotationSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
-import { MySqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
 import { PostgresCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 
 import { AwsIamUserSecretRotationSchema } from "./aws-iam-user-secret";
@@ -12,7 +11,6 @@ import { AwsIamUserSecretRotationSchema } from "./aws-iam-user-secret";
 export const SecretRotationV2Schema = z.discriminatedUnion("type", [
   PostgresCredentialsRotationSchema,
   MsSqlCredentialsRotationSchema,
-  MySqlCredentialsRotationSchema,
   Auth0ClientSecretRotationSchema,
   AzureClientSecretRotationSchema,
   LdapPasswordRotationSchema,

backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-types.ts

@@ -1,15 +1,13 @@
 import { z } from "zod";
 
 import { TMsSqlCredentialsRotationWithConnection } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
-import { TMySqlCredentialsRotationWithConnection } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
 import { TPostgresCredentialsRotationWithConnection } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 
 import { SqlCredentialsRotationGeneratedCredentialsSchema } from "./sql-credentials-rotation-schemas";
 
 export type TSqlCredentialsRotationWithConnection =
   | TPostgresCredentialsRotationWithConnection
-  | TMsSqlCredentialsRotationWithConnection
-  | TMySqlCredentialsRotationWithConnection;
+  | TMsSqlCredentialsRotationWithConnection;
 
 export type TSqlCredentialsRotationGeneratedCredentials = z.infer<
   typeof SqlCredentialsRotationGeneratedCredentialsSchema

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts

@@ -171,13 +171,6 @@ export const getDbSetQuery = (db: TDbProviderClients, variables: { username: str
     };
   }
 
-  if (db === TDbProviderClients.MySql) {
-    return {
-      query: `ALTER USER ??@'%' IDENTIFIED BY '${variables.password}'`,
-      variables: [variables.username]
-    };
-  }
-
   // add more based on client
   return {
     query: `ALTER USER ?? IDENTIFIED BY '${variables.password}'`,

backend/src/lib/gateway/index.ts

@@ -44,7 +44,7 @@ const createQuicConnection = async (
         if (!certs || certs.length === 0) return quic.native.CryptoError.CertificateRequired;
         const serverCertificate = new crypto.X509Certificate(Buffer.from(certs[0]));
         const caCertificate = new crypto.X509Certificate(tlsOptions.ca);
-        const isValidServerCertificate = serverCertificate.verify(caCertificate.publicKey);
+        const isValidServerCertificate = serverCertificate.checkIssued(caCertificate);
         if (!isValidServerCertificate) return quic.native.CryptoError.BadCertificate;
 
         const subjectDetails = parseSubjectDetails(serverCertificate.subject);

backend/src/lib/template/validate-handlebars.ts

@@ -19,15 +19,3 @@ export const validateHandlebarTemplate = (templateName: string, template: string
     throw new BadRequestError({ message: `Template sanitization failed: ${templateName}` });
   });
 };
-
-export const isValidHandleBarTemplate = (template: string, dto: SanitizationArg) => {
-  const parsedAst = handlebars.parse(template);
-  return parsedAst.body.every((el) => {
-    if (el.type === "ContentStatement") return true;
-    if (el.type === "MustacheStatement" && "path" in el) {
-      const { path } = el as { type: "MustacheStatement"; path: { type: "PathExpression"; original: string } };
-      if (path.type === "PathExpression" && dto?.allowedExpressions?.(path.original)) return true;
-    }
-    return false;
-  });
-};

backend/src/server/routes/index.ts

@@ -6,10 +6,7 @@ import { z } from "zod";
 import { registerCertificateEstRouter } from "@app/ee/routes/est/certificate-est-router";
 import { registerV1EERoutes } from "@app/ee/routes/v1";
 import { registerV2EERoutes } from "@app/ee/routes/v2";
-import {
-  accessApprovalPolicyApproverDALFactory,
-  accessApprovalPolicyBypasserDALFactory
-} from "@app/ee/services/access-approval-policy/access-approval-policy-approver-dal";
+import { accessApprovalPolicyApproverDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-approver-dal";
 import { accessApprovalPolicyDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-dal";
 import { accessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
 import { accessApprovalRequestDALFactory } from "@app/ee/services/access-approval-request/access-approval-request-dal";
@@ -70,10 +67,7 @@ import { samlConfigDALFactory } from "@app/ee/services/saml-config/saml-config-d
 import { samlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
 import { scimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { scimServiceFactory } from "@app/ee/services/scim/scim-service";
-import {
-  secretApprovalPolicyApproverDALFactory,
-  secretApprovalPolicyBypasserDALFactory
-} from "@app/ee/services/secret-approval-policy/secret-approval-policy-approver-dal";
+import { secretApprovalPolicyApproverDALFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-approver-dal";
 import { secretApprovalPolicyDALFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-dal";
 import { secretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
 import { secretApprovalRequestDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-dal";
@@ -211,8 +205,6 @@ import { pkiCollectionServiceFactory } from "@app/services/pki-collection/pki-co
 import { pkiSubscriberDALFactory } from "@app/services/pki-subscriber/pki-subscriber-dal";
 import { pkiSubscriberQueueServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-queue";
 import { pkiSubscriberServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-service";
-import { pkiTemplatesDALFactory } from "@app/services/pki-templates/pki-templates-dal";
-import { pkiTemplatesServiceFactory } from "@app/services/pki-templates/pki-templates-service";
 import { projectDALFactory } from "@app/services/project/project-dal";
 import { projectQueueFactory } from "@app/services/project/project-queue";
 import { projectServiceFactory } from "@app/services/project/project-service";
@@ -393,11 +385,9 @@ export const registerRoutes = async (
   const accessApprovalPolicyDAL = accessApprovalPolicyDALFactory(db);
   const accessApprovalRequestDAL = accessApprovalRequestDALFactory(db);
   const accessApprovalPolicyApproverDAL = accessApprovalPolicyApproverDALFactory(db);
-  const accessApprovalPolicyBypasserDAL = accessApprovalPolicyBypasserDALFactory(db);
   const accessApprovalRequestReviewerDAL = accessApprovalRequestReviewerDALFactory(db);
 
   const sapApproverDAL = secretApprovalPolicyApproverDALFactory(db);
-  const sapBypasserDAL = secretApprovalPolicyBypasserDALFactory(db);
   const secretApprovalPolicyDAL = secretApprovalPolicyDALFactory(db);
   const secretApprovalRequestDAL = secretApprovalRequestDALFactory(db);
   const secretApprovalRequestReviewerDAL = secretApprovalRequestReviewerDALFactory(db);
@@ -529,7 +519,6 @@ export const registerRoutes = async (
   const secretApprovalPolicyService = secretApprovalPolicyServiceFactory({
     projectEnvDAL,
     secretApprovalPolicyApproverDAL: sapApproverDAL,
-    secretApprovalPolicyBypasserDAL: sapBypasserDAL,
     permissionService,
     secretApprovalPolicyDAL,
     licenseService,
@@ -741,14 +730,12 @@ export const registerRoutes = async (
     userAliasDAL,
     identityTokenAuthDAL,
     identityAccessTokenDAL,
-    orgMembershipDAL,
     identityOrgMembershipDAL,
     authService: loginService,
     serverCfgDAL: superAdminDAL,
     kmsRootConfigDAL,
     orgService,
     keyStore,
-    orgDAL,
     licenseService,
     kmsService,
     microsoftTeamsService,
@@ -807,8 +794,7 @@ export const registerRoutes = async (
   const projectUserAdditionalPrivilegeService = projectUserAdditionalPrivilegeServiceFactory({
     permissionService,
     projectMembershipDAL,
-    projectUserAdditionalPrivilegeDAL,
-    accessApprovalRequestDAL
+    projectUserAdditionalPrivilegeDAL
   });
   const projectKeyService = projectKeyServiceFactory({
     permissionService,
@@ -852,7 +838,6 @@ export const registerRoutes = async (
   const pkiCollectionDAL = pkiCollectionDALFactory(db);
   const pkiCollectionItemDAL = pkiCollectionItemDALFactory(db);
   const pkiSubscriberDAL = pkiSubscriberDALFactory(db);
-  const pkiTemplatesDAL = pkiTemplatesDALFactory(db);
 
   const certificateService = certificateServiceFactory({
     certificateDAL,
@@ -1233,7 +1218,6 @@ export const registerRoutes = async (
   const accessApprovalPolicyService = accessApprovalPolicyServiceFactory({
     accessApprovalPolicyDAL,
     accessApprovalPolicyApproverDAL,
-    accessApprovalPolicyBypasserDAL,
     groupDAL,
     permissionService,
     projectEnvDAL,
@@ -1242,8 +1226,7 @@ export const registerRoutes = async (
     userDAL,
     accessApprovalRequestDAL,
     additionalPrivilegeDAL: projectUserAdditionalPrivilegeDAL,
-    accessApprovalRequestReviewerDAL,
-    orgMembershipDAL
+    accessApprovalRequestReviewerDAL
   });
 
   const accessApprovalRequestService = accessApprovalRequestServiceFactory({
@@ -1760,21 +1743,6 @@ export const registerRoutes = async (
     internalCaFns
   });
 
-  const pkiTemplateService = pkiTemplatesServiceFactory({
-    pkiTemplatesDAL,
-    certificateAuthorityDAL,
-    certificateAuthorityCertDAL,
-    certificateAuthoritySecretDAL,
-    certificateAuthorityCrlDAL,
-    certificateDAL,
-    certificateBodyDAL,
-    certificateSecretDAL,
-    projectDAL,
-    kmsService,
-    permissionService,
-    internalCaFns
-  });
-
   await secretRotationV2QueueServiceFactory({
     secretRotationV2Service,
     secretRotationV2DAL,
@@ -1868,7 +1836,6 @@ export const registerRoutes = async (
     pkiAlert: pkiAlertService,
     pkiCollection: pkiCollectionService,
     pkiSubscriber: pkiSubscriberService,
-    pkiTemplate: pkiTemplateService,
     secretScanning: secretScanningService,
     license: licenseService,
     trustedIp: trustedIpService,

backend/src/server/routes/sanitizedSchemas.ts

@@ -235,9 +235,11 @@ export const SanitizedDynamicSecretSchema = DynamicSecretsSchema.omit({
   inputIV: true,
   inputTag: true,
   algorithm: true
-}).extend({
-  metadata: ResourceMetadataSchema.optional()
-});
+}).merge(
+  z.object({
+    metadata: ResourceMetadataSchema.optional()
+  })
+);
 
 export const SanitizedAuditLogStreamSchema = z.object({
   id: z.string(),

backend/src/server/routes/v1/admin-router.ts

@@ -1,13 +1,7 @@
 import DOMPurify from "isomorphic-dompurify";
 import { z } from "zod";
 
-import {
-  IdentitiesSchema,
-  OrganizationsSchema,
-  OrgMembershipsSchema,
-  SuperAdminSchema,
-  UsersSchema
-} from "@app/db/schemas";
+import { IdentitiesSchema, OrganizationsSchema, SuperAdminSchema, UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { invalidateCacheLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -167,129 +161,6 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     }
   });
 
-  server.route({
-    method: "GET",
-    url: "/organization-management/organizations",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      querystring: z.object({
-        searchTerm: z.string().default(""),
-        offset: z.coerce.number().default(0),
-        limit: z.coerce.number().max(100).default(20)
-      }),
-      response: {
-        200: z.object({
-          organizations: OrganizationsSchema.extend({
-            members: z
-              .object({
-                user: z.object({
-                  id: z.string(),
-                  email: z.string().nullish(),
-                  username: z.string(),
-                  firstName: z.string().nullish(),
-                  lastName: z.string().nullish()
-                }),
-                membershipId: z.string(),
-                role: z.string(),
-                roleId: z.string().nullish()
-              })
-              .array(),
-            projects: z
-              .object({
-                name: z.string(),
-                id: z.string(),
-                slug: z.string(),
-                createdAt: z.date()
-              })
-              .array()
-          }).array()
-        })
-      }
-    },
-    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
-        verifySuperAdmin(req, res, done);
-      });
-    },
-    handler: async (req) => {
-      const organizations = await server.services.superAdmin.getOrganizations({
-        ...req.query
-      });
-
-      return {
-        organizations
-      };
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/organization-management/organizations/:organizationId/memberships/:membershipId",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      params: z.object({
-        organizationId: z.string(),
-        membershipId: z.string()
-      }),
-      response: {
-        200: z.object({
-          organizationMembership: OrgMembershipsSchema
-        })
-      }
-    },
-    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
-        verifySuperAdmin(req, res, done);
-      });
-    },
-    handler: async (req) => {
-      const organizationMembership = await server.services.superAdmin.deleteOrganizationMembership(
-        req.params.organizationId,
-        req.params.membershipId,
-        req.permission.id,
-        req.permission.type
-      );
-
-      return {
-        organizationMembership
-      };
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/organization-management/organizations/:organizationId",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      params: z.object({
-        organizationId: z.string()
-      }),
-      response: {
-        200: z.object({
-          organization: OrganizationsSchema
-        })
-      }
-    },
-    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
-        verifySuperAdmin(req, res, done);
-      });
-    },
-    handler: async (req) => {
-      const organization = await server.services.superAdmin.deleteOrganization(req.params.organizationId);
-
-      return {
-        organization
-      };
-    }
-  });
-
   server.route({
     method: "GET",
     url: "/identity-management/identities",

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -43,7 +43,6 @@ import {
 } from "@app/services/app-connection/humanitec";
 import { LdapConnectionListItemSchema, SanitizedLdapConnectionSchema } from "@app/services/app-connection/ldap";
 import { MsSqlConnectionListItemSchema, SanitizedMsSqlConnectionSchema } from "@app/services/app-connection/mssql";
-import { MySqlConnectionListItemSchema, SanitizedMySqlConnectionSchema } from "@app/services/app-connection/mysql";
 import {
   PostgresConnectionListItemSchema,
   SanitizedPostgresConnectionSchema
@@ -76,7 +75,6 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedVercelConnectionSchema.options,
   ...SanitizedPostgresConnectionSchema.options,
   ...SanitizedMsSqlConnectionSchema.options,
-  ...SanitizedMySqlConnectionSchema.options,
   ...SanitizedCamundaConnectionSchema.options,
   ...SanitizedAuth0ConnectionSchema.options,
   ...SanitizedHCVaultConnectionSchema.options,
@@ -100,7 +98,6 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   VercelConnectionListItemSchema,
   PostgresConnectionListItemSchema,
   MsSqlConnectionListItemSchema,
-  MySqlConnectionListItemSchema,
   CamundaConnectionListItemSchema,
   Auth0ConnectionListItemSchema,
   HCVaultConnectionListItemSchema,

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -15,7 +15,6 @@ import { registerHCVaultConnectionRouter } from "./hc-vault-connection-router";
 import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";
 import { registerLdapConnectionRouter } from "./ldap-connection-router";
 import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
-import { registerMySqlConnectionRouter } from "./mysql-connection-router";
 import { registerPostgresConnectionRouter } from "./postgres-connection-router";
 import { registerTeamCityConnectionRouter } from "./teamcity-connection-router";
 import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
@@ -38,7 +37,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.Vercel]: registerVercelConnectionRouter,
     [AppConnection.Postgres]: registerPostgresConnectionRouter,
     [AppConnection.MsSql]: registerMsSqlConnectionRouter,
-    [AppConnection.MySql]: registerMySqlConnectionRouter,
     [AppConnection.Camunda]: registerCamundaConnectionRouter,
     [AppConnection.Windmill]: registerWindmillConnectionRouter,
     [AppConnection.Auth0]: registerAuth0ConnectionRouter,

backend/src/server/routes/v1/app-connection-routers/mysql-connection-router.ts

@@ -1,18 +0,0 @@
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import {
-  CreateMySqlConnectionSchema,
-  SanitizedMySqlConnectionSchema,
-  UpdateMySqlConnectionSchema
-} from "@app/services/app-connection/mysql";
-
-import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
-
-export const registerMySqlConnectionRouter = async (server: FastifyZodProvider) => {
-  registerAppConnectionEndpoints({
-    app: AppConnection.MySql,
-    server,
-    sanitizedResponseSchema: SanitizedMySqlConnectionSchema,
-    createSchema: CreateMySqlConnectionSchema,
-    updateSchema: UpdateMySqlConnectionSchema
-  });
-};

backend/src/server/routes/v1/certificate-template-router.ts

@@ -5,7 +5,6 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags, CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertExtendedKeyUsage, CertKeyUsage } from "@app/services/certificate/certificate-types";
@@ -73,7 +72,7 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
       body: z.object({
         caId: z.string().describe(CERTIFICATE_TEMPLATES.CREATE.caId),
         pkiCollectionId: z.string().optional().describe(CERTIFICATE_TEMPLATES.CREATE.pkiCollectionId),
-        name: slugSchema().describe(CERTIFICATE_TEMPLATES.CREATE.name),
+        name: z.string().min(1).describe(CERTIFICATE_TEMPLATES.CREATE.name),
         commonName: validateTemplateRegexField.describe(CERTIFICATE_TEMPLATES.CREATE.commonName),
         subjectAlternativeName: validateTemplateRegexField.describe(
           CERTIFICATE_TEMPLATES.CREATE.subjectAlternativeName
@@ -142,7 +141,7 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
       body: z.object({
         caId: z.string().optional().describe(CERTIFICATE_TEMPLATES.UPDATE.caId),
         pkiCollectionId: z.string().optional().describe(CERTIFICATE_TEMPLATES.UPDATE.pkiCollectionId),
-        name: slugSchema().optional().describe(CERTIFICATE_TEMPLATES.UPDATE.name),
+        name: z.string().min(1).optional().describe(CERTIFICATE_TEMPLATES.UPDATE.name),
         commonName: validateTemplateRegexField.optional().describe(CERTIFICATE_TEMPLATES.UPDATE.commonName),
         subjectAlternativeName: validateTemplateRegexField
           .optional()

backend/src/server/routes/v2/index.ts

@@ -5,7 +5,6 @@ import { registerIdentityProjectRouter } from "./identity-project-router";
 import { registerMfaRouter } from "./mfa-router";
 import { registerOrgRouter } from "./organization-router";
 import { registerPasswordRouter } from "./password-router";
-import { registerPkiTemplatesRouter } from "./pki-templates-router";
 import { registerProjectMembershipRouter } from "./project-membership-router";
 import { registerProjectRouter } from "./project-router";
 import { registerServiceTokenRouter } from "./service-token-router";
@@ -16,15 +15,7 @@ export const registerV2Routes = async (server: FastifyZodProvider) => {
   await server.register(registerUserRouter, { prefix: "/users" });
   await server.register(registerServiceTokenRouter, { prefix: "/service-token" });
   await server.register(registerPasswordRouter, { prefix: "/password" });
-
-  await server.register(
-    async (pkiRouter) => {
-      await pkiRouter.register(registerCaRouter, { prefix: "/ca" });
-      await pkiRouter.register(registerPkiTemplatesRouter, { prefix: "/certificate-templates" });
-    },
-    { prefix: "/pki" }
-  );
-
+  await server.register(registerCaRouter, { prefix: "/pki/ca" });
   await server.register(
     async (orgRouter) => {
       await orgRouter.register(registerOrgRouter);

backend/src/server/routes/v2/pki-templates-router.ts

@@ -1,309 +0,0 @@
-import { z } from "zod";
-
-import { CertificateTemplatesSchema } from "@app/db/schemas";
-import { ApiDocsTags } from "@app/lib/api-docs";
-import { ms } from "@app/lib/ms";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { slugSchema } from "@app/server/lib/schemas";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { CertExtendedKeyUsage, CertKeyUsage } from "@app/services/certificate/certificate-types";
-import {
-  validateAltNamesField,
-  validateCaDateField
-} from "@app/services/certificate-authority/certificate-authority-validators";
-import { validateTemplateRegexField } from "@app/services/certificate-template/certificate-template-validators";
-
-export const registerPkiTemplatesRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.PkiCertificateTemplates],
-      body: z.object({
-        name: slugSchema(),
-        caName: slugSchema({ field: "caName" }),
-        projectId: z.string(),
-        commonName: validateTemplateRegexField,
-        subjectAlternativeName: validateTemplateRegexField,
-        ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number"),
-        keyUsages: z
-          .nativeEnum(CertKeyUsage)
-          .array()
-          .optional()
-          .default([CertKeyUsage.DIGITAL_SIGNATURE, CertKeyUsage.KEY_ENCIPHERMENT]),
-        extendedKeyUsages: z.nativeEnum(CertExtendedKeyUsage).array().optional().default([])
-      }),
-      response: {
-        200: z.object({
-          certificateTemplate: CertificateTemplatesSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const certificateTemplate = await server.services.pkiTemplate.createTemplate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body
-      });
-
-      return { certificateTemplate };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/:templateName",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.PkiCertificateTemplates],
-      params: z.object({
-        templateName: slugSchema()
-      }),
-      body: z.object({
-        name: slugSchema().optional(),
-        caName: slugSchema(),
-        projectId: z.string(),
-        commonName: validateTemplateRegexField.optional(),
-        subjectAlternativeName: validateTemplateRegexField.optional(),
-        ttl: z
-          .string()
-          .refine((val) => ms(val) > 0, "TTL must be a positive number")
-          .optional(),
-        keyUsages: z
-          .nativeEnum(CertKeyUsage)
-          .array()
-          .optional()
-          .default([CertKeyUsage.DIGITAL_SIGNATURE, CertKeyUsage.KEY_ENCIPHERMENT]),
-        extendedKeyUsages: z.nativeEnum(CertExtendedKeyUsage).array().optional().default([])
-      }),
-      response: {
-        200: z.object({
-          certificateTemplate: CertificateTemplatesSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const certificateTemplate = await server.services.pkiTemplate.updateTemplate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        templateName: req.params.templateName,
-        ...req.body
-      });
-
-      return { certificateTemplate };
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/:templateName",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.PkiCertificateTemplates],
-      params: z.object({
-        templateName: z.string().min(1)
-      }),
-      body: z.object({
-        projectId: z.string()
-      }),
-      response: {
-        200: z.object({
-          certificateTemplate: CertificateTemplatesSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const certificateTemplate = await server.services.pkiTemplate.deleteTemplate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        templateName: req.params.templateName,
-        projectId: req.body.projectId
-      });
-
-      return { certificateTemplate };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:templateName",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.PkiCertificateTemplates],
-      params: z.object({
-        templateName: slugSchema()
-      }),
-      querystring: z.object({
-        projectId: z.string()
-      }),
-      response: {
-        200: z.object({
-          certificateTemplate: CertificateTemplatesSchema.extend({
-            ca: z.object({ id: z.string(), name: z.string() })
-          })
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const certificateTemplate = await server.services.pkiTemplate.getTemplateByName({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        templateName: req.params.templateName,
-        projectId: req.query.projectId
-      });
-
-      return { certificateTemplate };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.PkiCertificateTemplates],
-      querystring: z.object({
-        projectId: z.string(),
-        limit: z.coerce.number().default(100),
-        offset: z.coerce.number().default(0)
-      }),
-      response: {
-        200: z.object({
-          certificateTemplates: CertificateTemplatesSchema.extend({
-            ca: z.object({ id: z.string(), name: z.string() })
-          }).array(),
-          totalCount: z.number()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { certificateTemplates, totalCount } = await server.services.pkiTemplate.listTemplate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.query
-      });
-
-      return { certificateTemplates, totalCount };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/:templateName/issue-certificate",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.PkiCertificateTemplates],
-      params: z.object({
-        templateName: slugSchema()
-      }),
-      body: z.object({
-        projectId: z.string(),
-        commonName: validateTemplateRegexField,
-        ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number"),
-        keyUsages: z.nativeEnum(CertKeyUsage).array().optional(),
-        extendedKeyUsages: z.nativeEnum(CertExtendedKeyUsage).array().optional(),
-        notBefore: validateCaDateField.optional(),
-        notAfter: validateCaDateField.optional(),
-        altNames: validateAltNamesField
-      }),
-      response: {
-        200: z.object({
-          certificate: z.string().trim(),
-          issuingCaCertificate: z.string().trim(),
-          certificateChain: z.string().trim(),
-          privateKey: z.string().trim(),
-          serialNumber: z.string().trim()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const data = await server.services.pkiTemplate.issueCertificate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        templateName: req.params.templateName,
-        ...req.body
-      });
-
-      return data;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/:templateName/sign-certificate",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      hide: false,
-      tags: [ApiDocsTags.PkiCertificateTemplates],
-      params: z.object({
-        templateName: slugSchema()
-      }),
-      body: z.object({
-        projectId: z.string(),
-        ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number"),
-        csr: z.string().trim().min(1).max(4096)
-      }),
-      response: {
-        200: z.object({
-          certificate: z.string().trim(),
-          issuingCaCertificate: z.string().trim(),
-          certificateChain: z.string().trim(),
-          serialNumber: z.string().trim()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const data = await server.services.pkiTemplate.signCertificate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        templateName: req.params.templateName,
-        ...req.body
-      });
-
-      return data;
-    }
-  });
-};

backend/src/services/app-connection/app-connection-enums.ts

@@ -11,7 +11,6 @@ export enum AppConnection {
   Vercel = "vercel",
   Postgres = "postgres",
   MsSql = "mssql",
-  MySql = "mysql",
   Camunda = "camunda",
   Windmill = "windmill",
   Auth0 = "auth0",

backend/src/services/app-connection/app-connection-fns.ts

@@ -64,8 +64,6 @@ import {
 } from "./humanitec";
 import { getLdapConnectionListItem, LdapConnectionMethod, validateLdapConnectionCredentials } from "./ldap";
 import { getMsSqlConnectionListItem, MsSqlConnectionMethod } from "./mssql";
-import { MySqlConnectionMethod } from "./mysql/mysql-connection-enums";
-import { getMySqlConnectionListItem } from "./mysql/mysql-connection-fns";
 import { getPostgresConnectionListItem, PostgresConnectionMethod } from "./postgres";
 import {
   getTeamCityConnectionListItem,
@@ -98,7 +96,6 @@ export const listAppConnectionOptions = () => {
     getVercelConnectionListItem(),
     getPostgresConnectionListItem(),
     getMsSqlConnectionListItem(),
-    getMySqlConnectionListItem(),
     getCamundaConnectionListItem(),
     getAzureClientSecretsConnectionListItem(),
     getWindmillConnectionListItem(),
@@ -169,7 +166,6 @@ export const validateAppConnectionCredentials = async (
     [AppConnection.Humanitec]: validateHumanitecConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Postgres]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.MsSql]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.MySql]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Camunda]: validateCamundaConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Vercel]: validateVercelConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.TerraformCloud]: validateTerraformCloudConnectionCredentials as TAppConnectionCredentialsValidator,
@@ -212,7 +208,6 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
       return "API Token";
     case PostgresConnectionMethod.UsernameAndPassword:
     case MsSqlConnectionMethod.UsernameAndPassword:
-    case MySqlConnectionMethod.UsernameAndPassword:
       return "Username & Password";
     case WindmillConnectionMethod.AccessToken:
     case HCVaultConnectionMethod.AccessToken:
@@ -264,7 +259,6 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.Humanitec]: platformManagedCredentialsNotSupported,
   [AppConnection.Postgres]: transferSqlConnectionCredentialsToPlatform as TAppConnectionTransitionCredentialsToPlatform,
   [AppConnection.MsSql]: transferSqlConnectionCredentialsToPlatform as TAppConnectionTransitionCredentialsToPlatform,
-  [AppConnection.MySql]: transferSqlConnectionCredentialsToPlatform as TAppConnectionTransitionCredentialsToPlatform,
   [AppConnection.TerraformCloud]: platformManagedCredentialsNotSupported,
   [AppConnection.Camunda]: platformManagedCredentialsNotSupported,
   [AppConnection.Vercel]: platformManagedCredentialsNotSupported,

backend/src/services/app-connection/app-connection-maps.ts

@@ -13,7 +13,6 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.Vercel]: "Vercel",
   [AppConnection.Postgres]: "PostgreSQL",
   [AppConnection.MsSql]: "Microsoft SQL Server",
-  [AppConnection.MySql]: "MySQL",
   [AppConnection.Camunda]: "Camunda",
   [AppConnection.Windmill]: "Windmill",
   [AppConnection.Auth0]: "Auth0",
@@ -44,6 +43,5 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
   [AppConnection.LDAP]: AppConnectionPlanType.Regular,
   [AppConnection.TeamCity]: AppConnectionPlanType.Regular,
   [AppConnection.OCI]: AppConnectionPlanType.Enterprise,
-  [AppConnection.OnePass]: AppConnectionPlanType.Regular,
-  [AppConnection.MySql]: AppConnectionPlanType.Regular
+  [AppConnection.OnePass]: AppConnectionPlanType.Regular
 };

backend/src/services/app-connection/app-connection-service.ts

@@ -55,7 +55,6 @@ import { ValidateHumanitecConnectionCredentialsSchema } from "./humanitec";
 import { humanitecConnectionService } from "./humanitec/humanitec-connection-service";
 import { ValidateLdapConnectionCredentialsSchema } from "./ldap";
 import { ValidateMsSqlConnectionCredentialsSchema } from "./mssql";
-import { ValidateMySqlConnectionCredentialsSchema } from "./mysql";
 import { ValidatePostgresConnectionCredentialsSchema } from "./postgres";
 import { ValidateTeamCityConnectionCredentialsSchema } from "./teamcity";
 import { teamcityConnectionService } from "./teamcity/teamcity-connection-service";
@@ -87,7 +86,6 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.Vercel]: ValidateVercelConnectionCredentialsSchema,
   [AppConnection.Postgres]: ValidatePostgresConnectionCredentialsSchema,
   [AppConnection.MsSql]: ValidateMsSqlConnectionCredentialsSchema,
-  [AppConnection.MySql]: ValidateMySqlConnectionCredentialsSchema,
   [AppConnection.Camunda]: ValidateCamundaConnectionCredentialsSchema,
   [AppConnection.AzureClientSecrets]: ValidateAzureClientSecretsConnectionCredentialsSchema,
   [AppConnection.Windmill]: ValidateWindmillConnectionCredentialsSchema,

backend/src/services/app-connection/app-connection-types.ts

@@ -88,7 +88,6 @@ import {
   TValidateLdapConnectionCredentialsSchema
 } from "./ldap";
 import { TMsSqlConnection, TMsSqlConnectionInput, TValidateMsSqlConnectionCredentialsSchema } from "./mssql";
-import { TMySqlConnection, TMySqlConnectionInput, TValidateMySqlConnectionCredentialsSchema } from "./mysql";
 import {
   TPostgresConnection,
   TPostgresConnectionInput,
@@ -131,7 +130,6 @@ export type TAppConnection = { id: string } & (
   | TVercelConnection
   | TPostgresConnection
   | TMsSqlConnection
-  | TMySqlConnection
   | TCamundaConnection
   | TAzureClientSecretsConnection
   | TWindmillConnection
@@ -145,7 +143,7 @@ export type TAppConnection = { id: string } & (
 
 export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
 
-export type TSqlConnection = TPostgresConnection | TMsSqlConnection | TMySqlConnection;
+export type TSqlConnection = TPostgresConnection | TMsSqlConnection;
 
 export type TAppConnectionInput = { id: string } & (
   | TAwsConnectionInput
@@ -159,7 +157,6 @@ export type TAppConnectionInput = { id: string } & (
   | TVercelConnectionInput
   | TPostgresConnectionInput
   | TMsSqlConnectionInput
-  | TMySqlConnectionInput
   | TCamundaConnectionInput
   | TAzureClientSecretsConnectionInput
   | TWindmillConnectionInput
@@ -171,7 +168,7 @@ export type TAppConnectionInput = { id: string } & (
   | TOnePassConnectionInput
 );
 
-export type TSqlConnectionInput = TPostgresConnectionInput | TMsSqlConnectionInput | TMySqlConnectionInput;
+export type TSqlConnectionInput = TPostgresConnectionInput | TMsSqlConnectionInput;
 
 export type TCreateAppConnectionDTO = Pick<
   TAppConnectionInput,
@@ -214,7 +211,6 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateHumanitecConnectionCredentialsSchema
   | TValidatePostgresConnectionCredentialsSchema
   | TValidateMsSqlConnectionCredentialsSchema
-  | TValidateMySqlConnectionCredentialsSchema
   | TValidateCamundaConnectionCredentialsSchema
   | TValidateVercelConnectionCredentialsSchema
   | TValidateTerraformCloudConnectionCredentialsSchema

backend/src/services/app-connection/mysql/index.ts

@@ -1,4 +0,0 @@
-export * from "./mysql-connection-enums";
-export * from "./mysql-connection-fns";
-export * from "./mysql-connection-schemas";
-export * from "./mysql-connection-types";

backend/src/services/app-connection/mysql/mysql-connection-enums.ts

@@ -1,3 +0,0 @@
-export enum MySqlConnectionMethod {
-  UsernameAndPassword = "username-and-password"
-}

backend/src/services/app-connection/mysql/mysql-connection-fns.ts

@@ -1,12 +0,0 @@
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-import { MySqlConnectionMethod } from "./mysql-connection-enums";
-
-export const getMySqlConnectionListItem = () => {
-  return {
-    name: "MySQL" as const,
-    app: AppConnection.MySql as const,
-    methods: Object.values(MySqlConnectionMethod) as [MySqlConnectionMethod.UsernameAndPassword],
-    supportsPlatformManagement: true as const
-  };
-};

backend/src/services/app-connection/mysql/mysql-connection-schemas.ts

@@ -1,66 +0,0 @@
-import z from "zod";
-
-import { AppConnections } from "@app/lib/api-docs";
-import {
-  BaseAppConnectionSchema,
-  GenericCreateAppConnectionFieldsSchema,
-  GenericUpdateAppConnectionFieldsSchema
-} from "@app/services/app-connection/app-connection-schemas";
-
-import { AppConnection } from "../app-connection-enums";
-import { BaseSqlUsernameAndPasswordConnectionSchema } from "../shared/sql";
-import { MySqlConnectionMethod } from "./mysql-connection-enums";
-
-export const MySqlConnectionAccessTokenCredentialsSchema = BaseSqlUsernameAndPasswordConnectionSchema;
-
-const BaseMySqlConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.MySql) });
-
-export const MySqlConnectionSchema = BaseMySqlConnectionSchema.extend({
-  method: z.literal(MySqlConnectionMethod.UsernameAndPassword),
-  credentials: MySqlConnectionAccessTokenCredentialsSchema
-});
-
-export const SanitizedMySqlConnectionSchema = z.discriminatedUnion("method", [
-  BaseMySqlConnectionSchema.extend({
-    method: z.literal(MySqlConnectionMethod.UsernameAndPassword),
-    credentials: MySqlConnectionAccessTokenCredentialsSchema.pick({
-      host: true,
-      database: true,
-      port: true,
-      username: true,
-      sslEnabled: true,
-      sslRejectUnauthorized: true,
-      sslCertificate: true
-    })
-  })
-]);
-
-export const ValidateMySqlConnectionCredentialsSchema = z.discriminatedUnion("method", [
-  z.object({
-    method: z
-      .literal(MySqlConnectionMethod.UsernameAndPassword)
-      .describe(AppConnections.CREATE(AppConnection.MySql).method),
-    credentials: MySqlConnectionAccessTokenCredentialsSchema.describe(
-      AppConnections.CREATE(AppConnection.MySql).credentials
-    )
-  })
-]);
-
-export const CreateMySqlConnectionSchema = ValidateMySqlConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.MySql, { supportsPlatformManagedCredentials: true })
-);
-
-export const UpdateMySqlConnectionSchema = z
-  .object({
-    credentials: MySqlConnectionAccessTokenCredentialsSchema.optional().describe(
-      AppConnections.UPDATE(AppConnection.MySql).credentials
-    )
-  })
-  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.MySql, { supportsPlatformManagedCredentials: true }));
-
-export const MySqlConnectionListItemSchema = z.object({
-  name: z.literal("MySQL"),
-  app: z.literal(AppConnection.MySql),
-  methods: z.nativeEnum(MySqlConnectionMethod).array(),
-  supportsPlatformManagement: z.literal(true)
-});

backend/src/services/app-connection/mysql/mysql-connection-types.ts

@@ -1,16 +0,0 @@
-import z from "zod";
-
-import { AppConnection } from "../app-connection-enums";
-import {
-  CreateMySqlConnectionSchema,
-  MySqlConnectionSchema,
-  ValidateMySqlConnectionCredentialsSchema
-} from "./mysql-connection-schemas";
-
-export type TMySqlConnection = z.infer<typeof MySqlConnectionSchema>;
-
-export type TMySqlConnectionInput = z.infer<typeof CreateMySqlConnectionSchema> & {
-  app: AppConnection.MySql;
-};
-
-export type TValidateMySqlConnectionCredentialsSchema = typeof ValidateMySqlConnectionCredentialsSchema;

backend/src/services/app-connection/shared/sql/sql-connection-fns.ts

@@ -15,8 +15,7 @@ const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
 
 const SQL_CONNECTION_CLIENT_MAP = {
   [AppConnection.Postgres]: "pg",
-  [AppConnection.MsSql]: "mssql",
-  [AppConnection.MySql]: "mysql2"
+  [AppConnection.MsSql]: "mssql"
 };
 
 const getConnectionConfig = ({
@@ -46,17 +45,6 @@ const getConnectionConfig = ({
           : { encrypt: false }
       };
     }
-    case AppConnection.MySql: {
-      return {
-        ssl: sslEnabled
-          ? {
-              rejectUnauthorized: sslRejectUnauthorized,
-              ca: sslCertificate,
-              servername: host
-            }
-          : false
-      };
-    }
     default:
       throw new Error(`Unhandled SQL Connection Config: ${app as AppConnection}`);
   }
@@ -113,8 +101,7 @@ export const SQL_CONNECTION_ALTER_LOGIN_STATEMENT: Record<
   (credentials: TSqlCredentialsRotationGeneratedCredentials[number]) => [string, Knex.RawBinding]
 > = {
   [AppConnection.Postgres]: ({ username, password }) => [`ALTER USER ?? WITH PASSWORD '${password}';`, [username]],
-  [AppConnection.MsSql]: ({ username, password }) => [`ALTER LOGIN ?? WITH PASSWORD = '${password}';`, [username]],
-  [AppConnection.MySql]: ({ username, password }) => [`ALTER USER ??@'%' IDENTIFIED BY '${password}';`, [username]]
+  [AppConnection.MsSql]: ({ username, password }) => [`ALTER LOGIN ?? WITH PASSWORD = '${password}';`, [username]]
 };
 
 export const transferSqlConnectionCredentialsToPlatform = async (

backend/src/services/certificate-authority/certificate-authority-service.ts

@@ -311,6 +311,7 @@ export const certificateAuthorityServiceFactory = ({
       }
 
       const updatedCa = await internalCertificateAuthorityService.updateCaById({
+        ...configuration,
         isInternal: true,
         enableDirectIssuance,
         caId: certificateAuthority.id,

backend/src/services/certificate-authority/internal/internal-certificate-authority-fns.ts

@@ -1,10 +1,8 @@
-/* eslint-disable no-bitwise */
 import * as x509 from "@peculiar/x509";
 import { KeyObject } from "crypto";
-import RE2 from "re2";
 import { z } from "zod";
 
-import { TCertificateTemplates, TPkiSubscribers } from "@app/db/schemas";
+import { TPkiSubscribers } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
@@ -33,7 +31,6 @@ import {
   keyAlgorithmToAlgCfg
 } from "../certificate-authority-fns";
 import { TCertificateAuthoritySecretDALFactory } from "../certificate-authority-secret-dal";
-import { TIssueCertWithTemplateDTO } from "./internal-certificate-authority-types";
 
 type TInternalCertificateAuthorityFnsDeps = {
   certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findByIdWithAssociatedCa" | "findById">;
@@ -260,274 +257,7 @@ export const InternalCertificateAuthorityFns = ({
     };
   };
 
-  const issueCertificateWithTemplate = async (
-    ca: Awaited<ReturnType<TCertificateAuthorityDALFactory["findByIdWithAssociatedCa"]>>,
-    certificateTemplate: TCertificateTemplates,
-    { altNames, commonName, ttl, extendedKeyUsages, keyUsages, notAfter, notBefore }: TIssueCertWithTemplateDTO
-  ) => {
-    if (ca.status !== CaStatus.ACTIVE) throw new BadRequestError({ message: "CA is not active" });
-    if (!ca.internalCa?.activeCaCertId)
-      throw new BadRequestError({ message: "CA does not have a certificate installed" });
-
-    const caCert = await certificateAuthorityCertDAL.findById(ca.internalCa.activeCaCertId);
-
-    const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
-      projectId: ca.projectId,
-      projectDAL,
-      kmsService
-    });
-
-    const kmsDecryptor = await kmsService.decryptWithKmsKey({
-      kmsId: certificateManagerKmsId
-    });
-
-    const decryptedCaCert = await kmsDecryptor({
-      cipherTextBlob: caCert.encryptedCertificate
-    });
-
-    const caCertObj = new x509.X509Certificate(decryptedCaCert);
-    const notBeforeDate = notBefore ? new Date(notBefore) : new Date();
-
-    let notAfterDate = new Date(new Date().setFullYear(new Date().getFullYear() + 1));
-    if (notAfter) {
-      notAfterDate = new Date(notAfter);
-    } else if (ttl) {
-      notAfterDate = new Date(new Date().getTime() + ms(ttl));
-    }
-
-    const caCertNotBeforeDate = new Date(caCertObj.notBefore);
-    const caCertNotAfterDate = new Date(caCertObj.notAfter);
-
-    // check not before constraint
-    if (notBeforeDate < caCertNotBeforeDate) {
-      throw new BadRequestError({ message: "notBefore date is before CA certificate's notBefore date" });
-    }
-
-    // check not after constraint
-    if (notAfterDate > caCertNotAfterDate) {
-      throw new BadRequestError({ message: "notAfter date is after CA certificate's notAfter date" });
-    }
-
-    const commonNameRegex = new RE2(certificateTemplate.commonName);
-    if (!commonNameRegex.test(commonName)) {
-      throw new BadRequestError({
-        message: "Invalid common name based on template policy"
-      });
-    }
-
-    if (notAfterDate.getTime() - notBeforeDate.getTime() > ms(certificateTemplate.ttl)) {
-      throw new BadRequestError({
-        message: "Invalid validity date based on template policy"
-      });
-    }
-
-    const subjectAlternativeNameRegex = new RE2(certificateTemplate.subjectAlternativeName);
-    altNames.split(",").forEach((altName) => {
-      if (!subjectAlternativeNameRegex.test(altName)) {
-        throw new BadRequestError({
-          message: "Invalid subject alternative name based on template policy"
-        });
-      }
-    });
-
-    const alg = keyAlgorithmToAlgCfg(ca.internalCa.keyAlgorithm as CertKeyAlgorithm);
-    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-
-    const csrObj = await x509.Pkcs10CertificateRequestGenerator.create({
-      name: `CN=${commonName}`,
-      keys: leafKeys,
-      signingAlgorithm: alg,
-      extensions: [
-        // eslint-disable-next-line no-bitwise
-        new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment)
-      ],
-      attributes: [new x509.ChallengePasswordAttribute("password")]
-    });
-
-    const { caPrivateKey, caSecret } = await getCaCredentials({
-      caId: ca.id,
-      certificateAuthorityDAL,
-      certificateAuthoritySecretDAL,
-      projectDAL,
-      kmsService
-    });
-
-    const caCrl = await certificateAuthorityCrlDAL.findOne({ caSecretId: caSecret.id });
-    const appCfg = getConfig();
-
-    const distributionPointUrl = `${appCfg.SITE_URL}/api/v1/pki/crl/${caCrl.id}/der`;
-    const caIssuerUrl = `${appCfg.SITE_URL}/api/v1/pki/ca/${ca.id}/certificates/${caCert.id}/der`;
-
-    const extensions: x509.Extension[] = [
-      new x509.BasicConstraintsExtension(false),
-      new x509.CRLDistributionPointsExtension([distributionPointUrl]),
-      await x509.AuthorityKeyIdentifierExtension.create(caCertObj, false),
-      await x509.SubjectKeyIdentifierExtension.create(csrObj.publicKey),
-      new x509.AuthorityInfoAccessExtension({
-        caIssuers: new x509.GeneralName("url", caIssuerUrl)
-      }),
-      new x509.CertificatePolicyExtension(["2.5.29.32.0"]) // anyPolicy
-    ];
-
-    let selectedKeyUsages: CertKeyUsage[] = keyUsages ?? [];
-    if (keyUsages === undefined && !certificateTemplate) {
-      selectedKeyUsages = [CertKeyUsage.DIGITAL_SIGNATURE, CertKeyUsage.KEY_ENCIPHERMENT];
-    }
-
-    if (keyUsages === undefined && certificateTemplate) {
-      selectedKeyUsages = (certificateTemplate.keyUsages ?? []) as CertKeyUsage[];
-    }
-
-    if (keyUsages?.length && certificateTemplate) {
-      const validKeyUsages = certificateTemplate.keyUsages || [];
-      if (keyUsages.some((keyUsage) => !validKeyUsages.includes(keyUsage))) {
-        throw new BadRequestError({
-          message: "Invalid key usage value based on template policy"
-        });
-      }
-      selectedKeyUsages = keyUsages;
-    }
-
-    const keyUsagesBitValue = selectedKeyUsages.reduce((accum, keyUsage) => accum | x509.KeyUsageFlags[keyUsage], 0);
-    if (keyUsagesBitValue) {
-      extensions.push(new x509.KeyUsagesExtension(keyUsagesBitValue, true));
-    }
-
-    // handle extended key usages
-    let selectedExtendedKeyUsages: CertExtendedKeyUsage[] = extendedKeyUsages ?? [];
-    if (extendedKeyUsages === undefined && certificateTemplate) {
-      selectedExtendedKeyUsages = (certificateTemplate.extendedKeyUsages ?? []) as CertExtendedKeyUsage[];
-    }
-
-    if (extendedKeyUsages?.length && certificateTemplate) {
-      const validExtendedKeyUsages = certificateTemplate.extendedKeyUsages || [];
-      if (extendedKeyUsages.some((eku) => !validExtendedKeyUsages.includes(eku))) {
-        throw new BadRequestError({
-          message: "Invalid extended key usage value based on template policy"
-        });
-      }
-      selectedExtendedKeyUsages = extendedKeyUsages;
-    }
-
-    if (selectedExtendedKeyUsages.length) {
-      extensions.push(
-        new x509.ExtendedKeyUsageExtension(
-          selectedExtendedKeyUsages.map((eku) => x509.ExtendedKeyUsage[eku]),
-          true
-        )
-      );
-    }
-
-    let altNamesArray: { type: "email" | "dns"; value: string }[] = [];
-
-    if (altNames) {
-      altNamesArray = altNames.split(",").map((altName) => {
-        if (z.string().email().safeParse(altName).success) {
-          return { type: "email", value: altName };
-        }
-
-        if (isFQDN(altName, { allow_wildcard: true })) {
-          return { type: "dns", value: altName };
-        }
-
-        throw new BadRequestError({ message: `Invalid SAN entry: ${altName}` });
-      });
-
-      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
-      extensions.push(altNamesExtension);
-    }
-
-    const serialNumber = createSerialNumber();
-    const leafCert = await x509.X509CertificateGenerator.create({
-      serialNumber,
-      subject: csrObj.subject,
-      issuer: caCertObj.subject,
-      notBefore: notBeforeDate,
-      notAfter: notAfterDate,
-      signingKey: caPrivateKey,
-      publicKey: csrObj.publicKey,
-      signingAlgorithm: alg,
-      extensions
-    });
-
-    const skLeafObj = KeyObject.from(leafKeys.privateKey);
-    const skLeaf = skLeafObj.export({ format: "pem", type: "pkcs8" }) as string;
-
-    const kmsEncryptor = await kmsService.encryptWithKmsKey({
-      kmsId: certificateManagerKmsId
-    });
-    const { cipherTextBlob: encryptedCertificate } = await kmsEncryptor({
-      plainText: Buffer.from(new Uint8Array(leafCert.rawData))
-    });
-    const { cipherTextBlob: encryptedPrivateKey } = await kmsEncryptor({
-      plainText: Buffer.from(skLeaf)
-    });
-
-    const { caCert: issuingCaCertificate, caCertChain } = await getCaCertChain({
-      caCertId: caCert.id,
-      certificateAuthorityDAL,
-      certificateAuthorityCertDAL,
-      projectDAL,
-      kmsService
-    });
-
-    const certificateChainPem = `${issuingCaCertificate}\n${caCertChain}`.trim();
-
-    const { cipherTextBlob: encryptedCertificateChain } = await kmsEncryptor({
-      plainText: Buffer.from(certificateChainPem)
-    });
-
-    await certificateDAL.transaction(async (tx) => {
-      const cert = await certificateDAL.create(
-        {
-          caId: ca.id,
-          caCertId: caCert.id,
-          status: CertStatus.ACTIVE,
-          friendlyName: commonName,
-          commonName,
-          altNames,
-          serialNumber,
-          notBefore: notBeforeDate,
-          notAfter: notAfterDate,
-          keyUsages: selectedKeyUsages,
-          extendedKeyUsages: selectedExtendedKeyUsages,
-          projectId: ca.projectId,
-          certificateTemplateId: certificateTemplate.id
-        },
-        tx
-      );
-
-      await certificateBodyDAL.create(
-        {
-          certId: cert.id,
-          encryptedCertificate,
-          encryptedCertificateChain
-        },
-        tx
-      );
-
-      await certificateSecretDAL.create(
-        {
-          certId: cert.id,
-          encryptedPrivateKey
-        },
-        tx
-      );
-    });
-
-    return {
-      certificate: leafCert.toString("pem"),
-      certificateChain: certificateChainPem,
-      issuingCaCertificate,
-      privateKey: skLeaf,
-      serialNumber,
-      ca,
-      template: certificateTemplate
-    };
-  };
-
   return {
-    issueCertificate,
-    issueCertificateWithTemplate
+    issueCertificate
   };
 };

backend/src/services/certificate-authority/internal/internal-certificate-authority-schemas.ts

@@ -55,4 +55,8 @@ export const CreateInternalCertificateAuthoritySchema = GenericCreateCertificate
   configuration: InternalCertificateAuthorityConfigurationSchema
 });
 
-export const UpdateInternalCertificateAuthoritySchema = GenericUpdateCertificateAuthorityFieldsSchema(CaType.INTERNAL);
+export const UpdateInternalCertificateAuthoritySchema = GenericUpdateCertificateAuthorityFieldsSchema(
+  CaType.INTERNAL
+).extend({
+  configuration: InternalCertificateAuthorityConfigurationSchema.optional()
+});

backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts

@@ -1,5 +1,5 @@
 /* eslint-disable no-bitwise */
-import { ForbiddenError, subject } from "@casl/ability";
+import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import slugify from "@sindresorhus/slugify";
 import crypto, { KeyObject } from "crypto";
@@ -16,7 +16,6 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import {
   ProjectPermissionActions,
   ProjectPermissionCertificateActions,
-  ProjectPermissionPkiTemplateActions,
   ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
 import { extractX509CertFromChain } from "@app/lib/certificates/extract-certificate";
@@ -1953,15 +1952,15 @@ export const internalCertificateAuthorityServiceFactory = ({
       actionProjectType: ActionProjectType.CertificateManager
     });
 
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      ProjectPermissionSub.CertificateTemplates
+    );
+
     const certificateTemplates = await certificateTemplateDAL.find({ caId });
 
     return {
-      certificateTemplates: certificateTemplates.filter((el) =>
-        permission.can(
-          ProjectPermissionPkiTemplateActions.Read,
-          subject(ProjectPermissionSub.CertificateTemplates, { name: el.name })
-        )
-      ),
+      certificateTemplates,
       ca: expandInternalCa(ca)
     };
   };

backend/src/services/certificate-authority/internal/internal-certificate-authority-types.ts

@@ -221,13 +221,3 @@ export type TOrderCertificateForSubscriberDTO = {
   subscriberId: string;
   caType: CaType;
 };
-
-export type TIssueCertWithTemplateDTO = {
-  commonName: string;
-  altNames: string;
-  ttl: string;
-  notBefore?: string;
-  notAfter?: string;
-  keyUsages?: CertKeyUsage[];
-  extendedKeyUsages?: CertExtendedKeyUsage[];
-};

backend/src/services/certificate-template/certificate-template-schema.ts

@@ -18,20 +18,3 @@ export const sanitizedCertificateTemplate = CertificateTemplatesSchema.pick({
     caName: z.string()
   })
 );
-
-export const sanitizedCertificateTemplateV2 = CertificateTemplatesSchema.pick({
-  id: true,
-  caId: true,
-  name: true,
-  commonName: true,
-  subjectAlternativeName: true,
-  pkiCollectionId: true,
-  ttl: true,
-  keyUsages: true,
-  extendedKeyUsages: true
-}).merge(
-  z.object({
-    projectId: z.string(),
-    caName: z.string()
-  })
-);

backend/src/services/certificate-template/certificate-template-service.ts

@@ -1,14 +1,11 @@
-import { ForbiddenError, subject } from "@casl/ability";
+import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import bcrypt from "bcrypt";
 
 import { ActionProjectType, TCertificateTemplateEstConfigsUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import {
-  ProjectPermissionPkiTemplateActions,
-  ProjectPermissionSub
-} from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { extractX509CertFromChain } from "@app/lib/certificates/extract-certificate";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -81,8 +78,8 @@ export const certificateTemplateServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Create,
-      subject(ProjectPermissionSub.CertificateTemplates, { name })
+      ProjectPermissionActions.Create,
+      ProjectPermissionSub.CertificateTemplates
     );
 
     return certificateTemplateDAL.transaction(async (tx) => {
@@ -143,8 +140,8 @@ export const certificateTemplateServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Edit,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: certTemplate.name })
+      ProjectPermissionActions.Edit,
+      ProjectPermissionSub.CertificateTemplates
     );
 
     if (caId) {
@@ -156,13 +153,6 @@ export const certificateTemplateServiceFactory = ({
       }
     }
 
-    if (name) {
-      ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionPkiTemplateActions.Create,
-        subject(ProjectPermissionSub.CertificateTemplates, { name })
-      );
-    }
-
     return certificateTemplateDAL.transaction(async (tx) => {
       await certificateTemplateDAL.updateById(
         certTemplate.id,
@@ -208,8 +198,8 @@ export const certificateTemplateServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Delete,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: certTemplate.name })
+      ProjectPermissionActions.Delete,
+      ProjectPermissionSub.CertificateTemplates
     );
 
     await certificateTemplateDAL.deleteById(certTemplate.id);
@@ -235,8 +225,8 @@ export const certificateTemplateServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Read,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: certTemplate.name })
+      ProjectPermissionActions.Read,
+      ProjectPermissionSub.CertificateTemplates
     );
 
     return certTemplate;
@@ -277,8 +267,8 @@ export const certificateTemplateServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Edit,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: certTemplate.name })
+      ProjectPermissionActions.Edit,
+      ProjectPermissionSub.CertificateTemplates
     );
 
     const appCfg = getConfig();
@@ -360,8 +350,8 @@ export const certificateTemplateServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionPkiTemplateActions.Edit,
-      subject(ProjectPermissionSub.CertificateTemplates, { name: certTemplate.name })
+      ProjectPermissionActions.Edit,
+      ProjectPermissionSub.CertificateTemplates
     );
 
     const originalCaEstConfig = await certificateTemplateEstConfigDAL.findOne({
@@ -440,8 +430,8 @@ export const certificateTemplateServiceFactory = ({
       });
 
       ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionPkiTemplateActions.Edit,
-        subject(ProjectPermissionSub.CertificateTemplates, { name: certTemplate.name })
+        ProjectPermissionActions.Edit,
+        ProjectPermissionSub.CertificateTemplates
       );
     }
 

backend/src/services/org-admin/org-admin-service.ts

@@ -196,20 +196,17 @@ export const orgAdminServiceFactory = ({
       .filter(
         (member) => member.roles.some((role) => role.role === ProjectMembershipRole.Admin) && member.userId !== actorId
       )
-      .map((el) => el.user.email!)
-      .filter(Boolean);
+      .map((el) => el.user.email!);
 
-    if (filteredProjectMembers.length) {
-      await smtpService.sendMail({
-        template: SmtpTemplates.OrgAdminProjectDirectAccess,
-        recipients: filteredProjectMembers,
-        subjectLine: "Organization Admin Project Direct Access Issued",
-        substitutions: {
-          projectName: project.name,
-          email: projectMembers.find((el) => el.userId === actorId)?.user?.username
-        }
-      });
-    }
+    await smtpService.sendMail({
+      template: SmtpTemplates.OrgAdminProjectDirectAccess,
+      recipients: filteredProjectMembers,
+      subjectLine: "Organization Admin Project Direct Access Issued",
+      substitutions: {
+        projectName: project.name,
+        email: projectMembers.find((el) => el.userId === actorId)?.user?.username
+      }
+    });
     return { isExistingMember: false, membership: updatedMembership };
   };