Update parseEnvVar.ts

more requested changes
fix(k8s): dynamic secret bugs
2025-07-29 22:37:44 +00:00 · 2024-12-12 03:55:27 +04:00 · 2024-12-12 03:34:08 +04:00 · 2024-12-12 03:27:07 +04:00 · 2024-12-11 21:51:20 +04:00 · 2024-12-11 21:44:42 +04:00
32 changed files with 530 additions and 56 deletions
--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@@ -53,7 +53,7 @@ export default {
        extension: "ts"
      });
      const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(cfg.REDIS_URL, cfg.DB_CONNECTION_URI);
+      const queue = queueServiceFactory(cfg.REDIS_URL, { dbConnectionUrl: cfg.DB_CONNECTION_URI });
      const keyStore = keyStoreFactory(cfg.REDIS_URL);

      const hsmModule = initializeHsmModule();
--- a/backend/src/db/migrations/20241203165840_allow-disabling-approval-workflows.ts
+++ b/backend/src/db/migrations/20241203165840_allow-disabling-approval-workflows.ts
@@ -0,0 +1,59 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasAccessApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.AccessApprovalPolicy,
+    "deletedAt"
+  );
+  const hasSecretApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.SecretApprovalPolicy,
+    "deletedAt"
+  );
+
+  if (!hasAccessApprovalPolicyDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.timestamp("deletedAt");
+    });
+  }
+  if (!hasSecretApprovalPolicyDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.timestamp("deletedAt");
+    });
+  }
+
+  await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+    t.dropForeign(["privilegeId"]);
+
+    // Add the new foreign key constraint with ON DELETE SET NULL
+    t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("SET NULL");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasAccessApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.AccessApprovalPolicy,
+    "deletedAt"
+  );
+  const hasSecretApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.SecretApprovalPolicy,
+    "deletedAt"
+  );
+
+  if (hasAccessApprovalPolicyDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.dropColumn("deletedAt");
+    });
+  }
+  if (hasSecretApprovalPolicyDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.dropColumn("deletedAt");
+    });
+  }
+
+  await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+    t.dropForeign(["privilegeId"]);
+    t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("CASCADE");
+  });
+}
--- a/backend/src/db/schemas/access-approval-policies.ts
+++ b/backend/src/db/schemas/access-approval-policies.ts
@@ -15,7 +15,8 @@ export const AccessApprovalPoliciesSchema = z.object({
  envId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  enforcementLevel: z.string().default("hard")
+  enforcementLevel: z.string().default("hard"),
+  deletedAt: z.date().nullable().optional()
 });

 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;
--- a/backend/src/db/schemas/secret-approval-policies.ts
+++ b/backend/src/db/schemas/secret-approval-policies.ts
@@ -15,7 +15,8 @@ export const SecretApprovalPoliciesSchema = z.object({
  envId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  enforcementLevel: z.string().default("hard")
+  enforcementLevel: z.string().default("hard"),
+  deletedAt: z.date().nullable().optional()
 });

 export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;
--- a/backend/src/ee/routes/v1/access-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-request-router.ts
@@ -109,7 +109,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
              approvers: z.string().array(),
              secretPath: z.string().nullish(),
              envId: z.string(),
-              enforcementLevel: z.string()
+              enforcementLevel: z.string(),
+              deletedAt: z.date().nullish()
            }),
            reviewers: z
              .object({
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@@ -52,7 +52,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                })
                .array(),
              secretPath: z.string().optional().nullable(),
-              enforcementLevel: z.string()
+              enforcementLevel: z.string(),
+              deletedAt: z.date().nullish()
            }),
            committerUser: approvalRequestUser,
            commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
@@ -260,7 +261,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                approvals: z.number(),
                approvers: approvalRequestUser.array(),
                secretPath: z.string().optional().nullable(),
-                enforcementLevel: z.string()
+                enforcementLevel: z.string(),
+                deletedAt: z.date().nullish()
              }),
              environment: z.string(),
              statusChangedByUser: approvalRequestUser.optional(),
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
@@ -139,5 +139,10 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
    }
  };

-  return { ...accessApprovalPolicyOrm, find, findById };
+  const softDeleteById = async (policyId: string, tx?: Knex) => {
+    const softDeletedPolicy = await accessApprovalPolicyOrm.updateById(policyId, { deletedAt: new Date() }, tx);
+    return softDeletedPolicy;
+  };
+
+  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById };
 };
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@@ -8,7 +8,11 @@ import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";

+import { TAccessApprovalRequestDALFactory } from "../access-approval-request/access-approval-request-dal";
+import { TAccessApprovalRequestReviewerDALFactory } from "../access-approval-request/access-approval-request-reviewer-dal";
+import { ApprovalStatus } from "../access-approval-request/access-approval-request-types";
 import { TGroupDALFactory } from "../group/group-dal";
+import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
 import {
@@ -21,7 +25,7 @@ import {
  TUpdateAccessApprovalPolicy
 } from "./access-approval-policy-types";

-type TSecretApprovalPolicyServiceFactoryDep = {
+type TAccessApprovalPolicyServiceFactoryDep = {
  projectDAL: TProjectDALFactory;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
  accessApprovalPolicyDAL: TAccessApprovalPolicyDALFactory;
@@ -30,6 +34,9 @@ type TSecretApprovalPolicyServiceFactoryDep = {
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
  groupDAL: TGroupDALFactory;
  userDAL: Pick<TUserDALFactory, "find">;
+  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "update" | "find">;
+  additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
+  accessApprovalRequestReviewerDAL: Pick<TAccessApprovalRequestReviewerDALFactory, "update">;
 };

 export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
@@ -41,8 +48,11 @@ export const accessApprovalPolicyServiceFactory = ({
  permissionService,
  projectEnvDAL,
  projectDAL,
-  userDAL
-}: TSecretApprovalPolicyServiceFactoryDep) => {
+  userDAL,
+  accessApprovalRequestDAL,
+  additionalPrivilegeDAL,
+  accessApprovalRequestReviewerDAL
+}: TAccessApprovalPolicyServiceFactoryDep) => {
  const createAccessApprovalPolicy = async ({
    name,
    actor,
@@ -189,7 +199,7 @@ export const accessApprovalPolicyServiceFactory = ({
    );
    // ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

-    const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id });
+    const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
    return accessApprovalPolicies;
  };

@@ -326,7 +336,29 @@ export const accessApprovalPolicyServiceFactory = ({
      ProjectPermissionSub.SecretApproval
    );

-    await accessApprovalPolicyDAL.deleteById(policyId);
+    await accessApprovalPolicyDAL.transaction(async (tx) => {
+      await accessApprovalPolicyDAL.softDeleteById(policyId, tx);
+      const allAccessApprovalRequests = await accessApprovalRequestDAL.find({ policyId });
+
+      if (allAccessApprovalRequests.length) {
+        const accessApprovalRequestsIds = allAccessApprovalRequests.map((request) => request.id);
+
+        const privilegeIdsArray = allAccessApprovalRequests
+          .map((request) => request.privilegeId)
+          .filter((id): id is string => id != null);
+
+        if (privilegeIdsArray.length) {
+          await additionalPrivilegeDAL.delete({ $in: { id: privilegeIdsArray } }, tx);
+        }
+
+        await accessApprovalRequestReviewerDAL.update(
+          { $in: { id: accessApprovalRequestsIds }, status: ApprovalStatus.PENDING },
+          { status: ApprovalStatus.REJECTED },
+          tx
+        );
+      }
+    });
+
    return policy;
  };

@@ -356,7 +388,11 @@ export const accessApprovalPolicyServiceFactory = ({
    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
    if (!environment) throw new NotFoundError({ message: `Environment with slug '${envSlug}' not found` });

-    const policies = await accessApprovalPolicyDAL.find({ envId: environment.id, projectId: project.id });
+    const policies = await accessApprovalPolicyDAL.find({
+      envId: environment.id,
+      projectId: project.id,
+      deletedAt: null
+    });
    if (!policies) throw new NotFoundError({ message: `No policies found in environment with slug '${envSlug}'` });

    return { count: policies.length };
--- a/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
@@ -61,7 +61,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
          db.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
          db.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
          db.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
-          db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId")
+          db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId"),
+          db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
        )

        .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
@@ -118,7 +119,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
            approvals: doc.policyApprovals,
            secretPath: doc.policySecretPath,
            enforcementLevel: doc.policyEnforcementLevel,
-            envId: doc.policyEnvId
+            envId: doc.policyEnvId,
+            deletedAt: doc.policyDeletedAt
          },
          requestedByUser: {
            userId: doc.requestedByUserId,
@@ -141,7 +143,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
              }
            : null,

-          isApproved: !!doc.privilegeId
+          isApproved: !!doc.policyDeletedAt || !!doc.privilegeId
        }),
        childrenMapper: [
          {
@@ -252,7 +254,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        tx.ref("slug").withSchema(TableName.Environment).as("environment"),
        tx.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
        tx.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
-        tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals")
+        tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
+        tx.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
      );

  const findById = async (id: string, tx?: Knex) => {
@@ -271,7 +274,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
            name: el.policyName,
            approvals: el.policyApprovals,
            secretPath: el.policySecretPath,
-            enforcementLevel: el.policyEnforcementLevel
+            enforcementLevel: el.policyEnforcementLevel,
+            deletedAt: el.policyDeletedAt
          },
          requestedByUser: {
            userId: el.requestedByUserId,
@@ -363,6 +367,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        )

        .where(`${TableName.Environment}.projectId`, projectId)
+        .where(`${TableName.AccessApprovalPolicy}.deletedAt`, null)
        .select(selectAllTableCols(TableName.AccessApprovalRequest))
        .select(db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"))
        .select(db.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"));
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@@ -130,6 +130,9 @@ export const accessApprovalRequestServiceFactory = ({
        message: `No policy in environment with slug '${environment.slug}' and with secret path '${secretPath}' was found.`
      });
    }
+    if (policy.deletedAt) {
+      throw new BadRequestError({ message: "The policy linked to this request has been deleted" });
+    }

    const approverIds: string[] = [];
    const approverGroupIds: string[] = [];
@@ -309,6 +312,12 @@ export const accessApprovalRequestServiceFactory = ({
    }

    const { policy } = accessApprovalRequest;
+    if (policy.deletedAt) {
+      throw new BadRequestError({
+        message: "The policy associated with this access request has been deleted."
+      });
+    }
+
    const { membership, hasRole } = await permissionService.getProjectPermission(
      actor,
      actorId,
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -60,6 +60,7 @@ export enum EventType {
  DELETE_SECRETS = "delete-secrets",
  GET_WORKSPACE_KEY = "get-workspace-key",
  AUTHORIZE_INTEGRATION = "authorize-integration",
+  UPDATE_INTEGRATION_AUTH = "update-integration-auth",
  UNAUTHORIZE_INTEGRATION = "unauthorize-integration",
  CREATE_INTEGRATION = "create-integration",
  DELETE_INTEGRATION = "delete-integration",
@@ -357,6 +358,13 @@ interface AuthorizeIntegrationEvent {
  };
 }

+interface UpdateIntegrationAuthEvent {
+  type: EventType.UPDATE_INTEGRATION_AUTH;
+  metadata: {
+    integration: string;
+  };
+}
+
 interface UnauthorizeIntegrationEvent {
  type: EventType.UNAUTHORIZE_INTEGRATION;
  metadata: {
@@ -1680,6 +1688,7 @@ export type Event =
  | DeleteSecretBatchEvent
  | GetWorkspaceKeyEvent
  | AuthorizeIntegrationEvent
+  | UpdateIntegrationAuthEvent
  | UnauthorizeIntegrationEvent
  | CreateIntegrationEvent
  | DeleteIntegrationEvent
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts
@@ -177,5 +177,10 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
    }
  };

-  return { ...secretApprovalPolicyOrm, findById, find };
+  const softDeleteById = async (policyId: string, tx?: Knex) => {
+    const softDeletedPolicy = await secretApprovalPolicyOrm.updateById(policyId, { deletedAt: new Date() }, tx);
+    return softDeletedPolicy;
+  };
+
+  return { ...secretApprovalPolicyOrm, findById, find, softDeleteById };
 };
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@@ -11,6 +11,8 @@ import { TUserDALFactory } from "@app/services/user/user-dal";

 import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
 import { TLicenseServiceFactory } from "../license/license-service";
+import { TSecretApprovalRequestDALFactory } from "../secret-approval-request/secret-approval-request-dal";
+import { RequestState } from "../secret-approval-request/secret-approval-request-types";
 import { TSecretApprovalPolicyApproverDALFactory } from "./secret-approval-policy-approver-dal";
 import { TSecretApprovalPolicyDALFactory } from "./secret-approval-policy-dal";
 import {
@@ -34,6 +36,7 @@ type TSecretApprovalPolicyServiceFactoryDep = {
  userDAL: Pick<TUserDALFactory, "find">;
  secretApprovalPolicyApproverDAL: TSecretApprovalPolicyApproverDALFactory;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "update">;
 };

 export type TSecretApprovalPolicyServiceFactory = ReturnType<typeof secretApprovalPolicyServiceFactory>;
@@ -44,7 +47,8 @@ export const secretApprovalPolicyServiceFactory = ({
  secretApprovalPolicyApproverDAL,
  projectEnvDAL,
  userDAL,
-  licenseService
+  licenseService,
+  secretApprovalRequestDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
  const createSecretApprovalPolicy = async ({
    name,
@@ -301,8 +305,16 @@ export const secretApprovalPolicyServiceFactory = ({
      });
    }

-    await secretApprovalPolicyDAL.deleteById(secretPolicyId);
-    return sapPolicy;
+    const deletedPolicy = await secretApprovalPolicyDAL.transaction(async (tx) => {
+      await secretApprovalRequestDAL.update(
+        { policyId: secretPolicyId, status: RequestState.Open },
+        { status: RequestState.Closed },
+        tx
+      );
+      const updatedPolicy = await secretApprovalPolicyDAL.softDeleteById(secretPolicyId, tx);
+      return updatedPolicy;
+    });
+    return { ...deletedPolicy, projectId: sapPolicy.projectId, environment: sapPolicy.environment };
  };

  const getSecretApprovalPolicyByProjectId = async ({
@@ -321,7 +333,7 @@ export const secretApprovalPolicyServiceFactory = ({
    );
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

-    const sapPolicies = await secretApprovalPolicyDAL.find({ projectId });
+    const sapPolicies = await secretApprovalPolicyDAL.find({ projectId, deletedAt: null });
    return sapPolicies;
  };

@@ -334,7 +346,7 @@ export const secretApprovalPolicyServiceFactory = ({
      });
    }

-    const policies = await secretApprovalPolicyDAL.find({ envId: env.id });
+    const policies = await secretApprovalPolicyDAL.find({ envId: env.id, deletedAt: null });
    if (!policies.length) return;
    // this will filter policies either without scoped to secret path or the one that matches with secret path
    const policiesFilteredByPath = policies.filter(
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
@@ -111,7 +111,8 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        tx.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
        tx.ref("envId").withSchema(TableName.SecretApprovalPolicy).as("policyEnvId"),
        tx.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
-        tx.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals")
+        tx.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
+        tx.ref("deletedAt").withSchema(TableName.SecretApprovalPolicy).as("policyDeletedAt")
      );

  const findById = async (id: string, tx?: Knex) => {
@@ -147,7 +148,8 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
            approvals: el.policyApprovals,
            secretPath: el.policySecretPath,
            enforcementLevel: el.policyEnforcementLevel,
-            envId: el.policyEnvId
+            envId: el.policyEnvId,
+            deletedAt: el.policyDeletedAt
          }
        }),
        childrenMapper: [
@@ -222,6 +224,11 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
              `${TableName.SecretApprovalRequest}.policyId`,
              `${TableName.SecretApprovalPolicyApprover}.policyId`
            )
+            .join(
+              TableName.SecretApprovalPolicy,
+              `${TableName.SecretApprovalRequest}.policyId`,
+              `${TableName.SecretApprovalPolicy}.id`
+            )
            .where({ projectId })
            .andWhere(
              (bd) =>
@@ -229,6 +236,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
                  .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, userId)
                  .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, userId)
            )
+            .andWhere((bd) => void bd.where(`${TableName.SecretApprovalPolicy}.deletedAt`, null))
            .select("status", `${TableName.SecretApprovalRequest}.id`)
            .groupBy(`${TableName.SecretApprovalRequest}.id`, "status")
            .count("status")
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -232,10 +232,10 @@ export const secretApprovalRequestServiceFactory = ({
        type: KmsDataKey.SecretManager,
        projectId
      });
-      const encrypedSecrets = await secretApprovalRequestSecretDAL.findByRequestIdBridgeSecretV2(
+      const encryptedSecrets = await secretApprovalRequestSecretDAL.findByRequestIdBridgeSecretV2(
        secretApprovalRequest.id
      );
-      secrets = encrypedSecrets.map((el) => ({
+      secrets = encryptedSecrets.map((el) => ({
        ...el,
        secretKey: el.key,
        id: el.id,
@@ -274,8 +274,8 @@ export const secretApprovalRequestServiceFactory = ({
      }));
    } else {
      if (!botKey) throw new NotFoundError({ message: `Project bot key not found`, name: "BotKeyNotFound" }); // CLI depends on this error message. TODO(daniel): Make API check for name BotKeyNotFound instead of message
-      const encrypedSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
-      secrets = encrypedSecrets.map((el) => ({
+      const encryptedSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
+      secrets = encryptedSecrets.map((el) => ({
        ...el,
        ...decryptSecretWithBot(el, botKey),
        secret: el.secret
@@ -323,6 +323,12 @@ export const secretApprovalRequestServiceFactory = ({
    }

    const { policy } = secretApprovalRequest;
+    if (policy.deletedAt) {
+      throw new BadRequestError({
+        message: "The policy associated with this secret approval request has been deleted."
+      });
+    }
+
    const { hasRole } = await permissionService.getProjectPermission(
      ActorType.USER,
      actorId,
@@ -383,6 +389,12 @@ export const secretApprovalRequestServiceFactory = ({
    }

    const { policy } = secretApprovalRequest;
+    if (policy.deletedAt) {
+      throw new BadRequestError({
+        message: "The policy associated with this secret approval request has been deleted."
+      });
+    }
+
    const { hasRole } = await permissionService.getProjectPermission(
      ActorType.USER,
      actorId,
@@ -433,6 +445,12 @@ export const secretApprovalRequestServiceFactory = ({
    }

    const { policy, folderId, projectId } = secretApprovalRequest;
+    if (policy.deletedAt) {
+      throw new BadRequestError({
+        message: "The policy associated with this secret approval request has been deleted."
+      });
+    }
+
    const { hasRole } = await permissionService.getProjectPermission(
      ActorType.USER,
      actorId,
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -1032,6 +1032,9 @@ export const INTEGRATION_AUTH = {
  DELETE_BY_ID: {
    integrationAuthId: "The ID of integration authentication object to delete."
  },
+  UPDATE_BY_ID: {
+    integrationAuthId: "The ID of integration authentication object to update."
+  },
  CREATE_ACCESS_TOKEN: {
    workspaceId: "The ID of the project to create the integration auth for.",
    integration: "The slug of integration for the auth object.",
@@ -1088,11 +1091,13 @@ export const INTEGRATION = {
  },
  UPDATE: {
    integrationId: "The ID of the integration object.",
+    region: "AWS region to sync secrets to.",
    app: "The name of the external integration providers app entity that you want to sync secrets with. Used in Netlify, GitHub, Vercel integrations.",
    appId:
      "The ID of the external integration providers app entity that you want to sync secrets with. Used in Netlify, GitHub, Vercel integrations.",
    isActive: "Whether the integration should be active or disabled.",
    secretPath: "The path of the secrets to sync secrets from.",
+    path: "Path to save the synced secrets. Used by Gitlab, AWS Parameter Store, Vault.",
    owner: "External integration providers service entity owner. Used in Github.",
    targetEnvironment:
      "The target environment of the integration provider. Used in cloudflare pages, TeamCity, Gitlab integrations.",
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@@ -57,7 +57,11 @@ const run = async () => {

  const smtp = smtpServiceFactory(formatSmtpConfig());

-  const queue = queueServiceFactory(appCfg.REDIS_URL, appCfg.DB_CONNECTION_URI);
+  const queue = queueServiceFactory(appCfg.REDIS_URL, {
+    dbConnectionUrl: appCfg.DB_CONNECTION_URI,
+    dbRootCert: appCfg.DB_ROOT_CERT
+  });
+
  await queue.initialize();

  const keyStore = keyStoreFactory(appCfg.REDIS_URL);
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@@ -187,7 +187,10 @@ export type TQueueJobTypes = {
 };

 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;
-export const queueServiceFactory = (redisUrl: string, dbConnectionUrl: string) => {
+export const queueServiceFactory = (
+  redisUrl: string,
+  { dbConnectionUrl, dbRootCert }: { dbConnectionUrl: string; dbRootCert?: string }
+) => {
  const connection = new Redis(redisUrl, { maxRetriesPerRequest: null });
  const queueContainer = {} as Record<
    QueueName,
@@ -198,7 +201,13 @@ export const queueServiceFactory = (redisUrl: string, dbConnectionUrl: string) =
    connectionString: dbConnectionUrl,
    archiveCompletedAfterSeconds: 60,
    archiveFailedAfterSeconds: 1000, // we want to keep failed jobs for a longer time so that it can be retried
-    deleteAfterSeconds: 30
+    deleteAfterSeconds: 30,
+    ssl: dbRootCert
+      ? {
+          rejectUnauthorized: true,
+          ca: Buffer.from(dbRootCert, "base64").toString("ascii")
+        }
+      : false
  });

  const queueContainerPg = {} as Record<QueueJobs, boolean>;
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -414,7 +414,8 @@ export const registerRoutes = async (
    permissionService,
    secretApprovalPolicyDAL,
    licenseService,
-    userDAL
+    userDAL,
+    secretApprovalRequestDAL
  });
  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL, orgMembershipDAL });

@@ -994,7 +995,10 @@ export const registerRoutes = async (
    projectEnvDAL,
    projectMembershipDAL,
    projectDAL,
-    userDAL
+    userDAL,
+    accessApprovalRequestDAL,
+    additionalPrivilegeDAL: projectUserAdditionalPrivilegeDAL,
+    accessApprovalRequestReviewerDAL
  });

  const accessApprovalRequestService = accessApprovalRequestServiceFactory({
--- a/backend/src/server/routes/v1/integration-auth-router.ts
+++ b/backend/src/server/routes/v1/integration-auth-router.ts
@@ -6,6 +6,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { OctopusDeployScope } from "@app/services/integration-auth/integration-auth-types";
+import { Integrations } from "@app/services/integration-auth/integration-list";

 import { integrationAuthPubSchema } from "../sanitizedSchemas";

@@ -82,6 +83,67 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
    }
  });

+  server.route({
+    method: "PATCH",
+    url: "/:integrationAuthId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Update the integration authentication object required for syncing secrets.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        integrationAuthId: z.string().trim().describe(INTEGRATION_AUTH.UPDATE_BY_ID.integrationAuthId)
+      }),
+      body: z.object({
+        integration: z.nativeEnum(Integrations).optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.integration),
+        accessId: z.string().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.accessId),
+        accessToken: z.string().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.accessToken),
+        awsAssumeIamRoleArn: z
+          .string()
+          .url()
+          .trim()
+          .optional()
+          .describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.awsAssumeIamRoleArn),
+        url: z.string().url().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.url),
+        namespace: z.string().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.namespace),
+        refreshToken: z.string().trim().optional().describe(INTEGRATION_AUTH.CREATE_ACCESS_TOKEN.refreshToken)
+      }),
+      response: {
+        200: z.object({
+          integrationAuth: integrationAuthPubSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const integrationAuth = await server.services.integrationAuth.updateIntegrationAuth({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        integrationAuthId: req.query.integrationAuthId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: integrationAuth.projectId,
+        event: {
+          type: EventType.UPDATE_INTEGRATION_AUTH,
+          metadata: {
+            integration: integrationAuth.integration
+          }
+        }
+      });
+      return { integrationAuth };
+    }
+  });
+
  server.route({
    method: "DELETE",
    url: "/",
--- a/backend/src/server/routes/v1/integration-router.ts
+++ b/backend/src/server/routes/v1/integration-router.ts
@@ -141,7 +141,9 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
        targetEnvironment: z.string().trim().optional().describe(INTEGRATION.UPDATE.targetEnvironment),
        owner: z.string().trim().optional().describe(INTEGRATION.UPDATE.owner),
        environment: z.string().trim().optional().describe(INTEGRATION.UPDATE.environment),
-        metadata: IntegrationMetadataSchema.optional()
+        path: z.string().trim().optional().describe(INTEGRATION.UPDATE.path),
+        metadata: IntegrationMetadataSchema.optional(),
+        region: z.string().trim().optional().describe(INTEGRATION.UPDATE.region)
      }),
      response: {
        200: z.object({
--- a/backend/src/services/integration-auth/integration-auth-service.ts
+++ b/backend/src/services/integration-auth/integration-auth-service.ts
@@ -55,6 +55,7 @@ import {
  TOctopusDeployVariableSet,
  TSaveIntegrationAccessTokenDTO,
  TTeamCityBuildConfig,
+  TUpdateIntegrationAuthDTO,
  TVercelBranches
 } from "./integration-auth-types";
 import { getIntegrationOptions, Integrations, IntegrationUrls } from "./integration-list";
@@ -368,6 +369,148 @@ export const integrationAuthServiceFactory = ({
    return integrationAuthDAL.create(updateDoc);
  };

+  const updateIntegrationAuth = async ({
+    integrationAuthId,
+    refreshToken,
+    actorId,
+    integration: newIntegration,
+    url,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    accessId,
+    namespace,
+    accessToken,
+    awsAssumeIamRoleArn
+  }: TUpdateIntegrationAuthDTO) => {
+    const integrationAuth = await integrationAuthDAL.findById(integrationAuthId);
+    if (!integrationAuth) {
+      throw new NotFoundError({ message: `Integration auth with id ${integrationAuthId} not found.` });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      integrationAuth.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
+
+    const { projectId } = integrationAuth;
+    const integration = newIntegration || integrationAuth.integration;
+
+    const updateDoc: TIntegrationAuthsInsert = {
+      projectId,
+      integration,
+      namespace,
+      url,
+      algorithm: SecretEncryptionAlgo.AES_256_GCM,
+      keyEncoding: SecretKeyEncoding.UTF8,
+      ...(integration === Integrations.GCP_SECRET_MANAGER
+        ? {
+            metadata: {
+              authMethod: "serviceAccount"
+            }
+          }
+        : {})
+    };
+
+    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(projectId);
+    if (shouldUseSecretV2Bridge) {
+      const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
+        type: KmsDataKey.SecretManager,
+        projectId
+      });
+      if (refreshToken) {
+        const tokenDetails = await exchangeRefresh(
+          integration,
+          refreshToken,
+          url,
+          updateDoc.metadata as Record<string, string>
+        );
+        const refreshEncToken = secretManagerEncryptor({
+          plainText: Buffer.from(tokenDetails.refreshToken)
+        }).cipherTextBlob;
+        updateDoc.encryptedRefresh = refreshEncToken;
+
+        const accessEncToken = secretManagerEncryptor({
+          plainText: Buffer.from(tokenDetails.accessToken)
+        }).cipherTextBlob;
+        updateDoc.encryptedAccess = accessEncToken;
+        updateDoc.accessExpiresAt = tokenDetails.accessExpiresAt;
+      }
+
+      if (!refreshToken && (accessId || accessToken || awsAssumeIamRoleArn)) {
+        if (accessToken) {
+          const accessEncToken = secretManagerEncryptor({
+            plainText: Buffer.from(accessToken)
+          }).cipherTextBlob;
+          updateDoc.encryptedAccess = accessEncToken;
+          updateDoc.encryptedAwsAssumeIamRoleArn = null;
+        }
+        if (accessId) {
+          const accessEncToken = secretManagerEncryptor({
+            plainText: Buffer.from(accessId)
+          }).cipherTextBlob;
+          updateDoc.encryptedAccessId = accessEncToken;
+          updateDoc.encryptedAwsAssumeIamRoleArn = null;
+        }
+        if (awsAssumeIamRoleArn) {
+          const awsAssumeIamRoleArnEncrypted = secretManagerEncryptor({
+            plainText: Buffer.from(awsAssumeIamRoleArn)
+          }).cipherTextBlob;
+          updateDoc.encryptedAwsAssumeIamRoleArn = awsAssumeIamRoleArnEncrypted;
+          updateDoc.encryptedAccess = null;
+          updateDoc.encryptedAccessId = null;
+        }
+      }
+    } else {
+      if (!botKey) throw new NotFoundError({ message: `Project bot key for project with ID '${projectId}' not found` });
+      if (refreshToken) {
+        const tokenDetails = await exchangeRefresh(
+          integration,
+          refreshToken,
+          url,
+          updateDoc.metadata as Record<string, string>
+        );
+        const refreshEncToken = encryptSymmetric128BitHexKeyUTF8(tokenDetails.refreshToken, botKey);
+        updateDoc.refreshIV = refreshEncToken.iv;
+        updateDoc.refreshTag = refreshEncToken.tag;
+        updateDoc.refreshCiphertext = refreshEncToken.ciphertext;
+        const accessEncToken = encryptSymmetric128BitHexKeyUTF8(tokenDetails.accessToken, botKey);
+        updateDoc.accessIV = accessEncToken.iv;
+        updateDoc.accessTag = accessEncToken.tag;
+        updateDoc.accessCiphertext = accessEncToken.ciphertext;
+
+        updateDoc.accessExpiresAt = tokenDetails.accessExpiresAt;
+      }
+
+      if (!refreshToken && (accessId || accessToken || awsAssumeIamRoleArn)) {
+        if (accessToken) {
+          const accessEncToken = encryptSymmetric128BitHexKeyUTF8(accessToken, botKey);
+          updateDoc.accessIV = accessEncToken.iv;
+          updateDoc.accessTag = accessEncToken.tag;
+          updateDoc.accessCiphertext = accessEncToken.ciphertext;
+        }
+        if (accessId) {
+          const accessEncToken = encryptSymmetric128BitHexKeyUTF8(accessId, botKey);
+          updateDoc.accessIdIV = accessEncToken.iv;
+          updateDoc.accessIdTag = accessEncToken.tag;
+          updateDoc.accessIdCiphertext = accessEncToken.ciphertext;
+        }
+        if (awsAssumeIamRoleArn) {
+          const awsAssumeIamRoleArnEnc = encryptSymmetric128BitHexKeyUTF8(awsAssumeIamRoleArn, botKey);
+          updateDoc.awsAssumeIamRoleArnCipherText = awsAssumeIamRoleArnEnc.ciphertext;
+          updateDoc.awsAssumeIamRoleArnIV = awsAssumeIamRoleArnEnc.iv;
+          updateDoc.awsAssumeIamRoleArnTag = awsAssumeIamRoleArnEnc.tag;
+        }
+      }
+    }
+
+    return integrationAuthDAL.updateById(integrationAuthId, updateDoc);
+  };
+
  // helper function
  const getIntegrationAccessToken = async (
    integrationAuth: TIntegrationAuths,
@@ -1615,6 +1758,7 @@ export const integrationAuthServiceFactory = ({
    getIntegrationAuth,
    oauthExchange,
    saveIntegrationToken,
+    updateIntegrationAuth,
    deleteIntegrationAuthById,
    deleteIntegrationAuths,
    getIntegrationAuthTeams,
--- a/backend/src/services/integration-auth/integration-auth-types.ts
+++ b/backend/src/services/integration-auth/integration-auth-types.ts
@@ -22,6 +22,11 @@ export type TSaveIntegrationAccessTokenDTO = {
  awsAssumeIamRoleArn?: string;
 } & TProjectPermission;

+export type TUpdateIntegrationAuthDTO = Omit<TSaveIntegrationAccessTokenDTO, "projectId" | "integration"> & {
+  integrationAuthId: string;
+  integration?: string;
+};
+
 export type TDeleteIntegrationAuthsDTO = TProjectPermission & {
  integration: string;
  projectId: string;
--- a/backend/src/services/integration/integration-service.ts
+++ b/backend/src/services/integration/integration-service.ts
@@ -151,7 +151,9 @@ export const integrationServiceFactory = ({
    isActive,
    environment,
    secretPath,
-    metadata
+    region,
+    metadata,
+    path
  }: TUpdateIntegrationDTO) => {
    const integration = await integrationDAL.findById(id);
    if (!integration) throw new NotFoundError({ message: `Integration with ID '${id}' not found` });
@@ -192,7 +194,9 @@ export const integrationServiceFactory = ({
      appId,
      targetEnvironment,
      owner,
+      region,
      secretPath,
+      path,
      metadata: {
        ...(integration.metadata as object),
        ...metadata
--- a/backend/src/services/integration/integration-types.ts
+++ b/backend/src/services/integration/integration-types.ts
@@ -49,6 +49,8 @@ export type TUpdateIntegrationDTO = {
  appId?: string;
  isActive?: boolean;
  secretPath?: string;
+  region?: string;
+  path?: string;
  targetEnvironment?: string;
  owner?: string;
  environment?: string;
--- a/frontend/src/helpers/parseEnvVar.ts
+++ b/frontend/src/helpers/parseEnvVar.ts
@@ -1,14 +1,31 @@
 /** Extracts the key and value from a passed in env string based on the provided delimiters. */
 export const getKeyValue = (pastedContent: string, delimiters: string[]) => {
-  const foundDelimiter = delimiters.find((delimiter) => pastedContent.includes(delimiter));
+  if (!pastedContent) {
+    return { key: "", value: "" };
+  }

-  if (!foundDelimiter) {
+  let firstDelimiterIndex = -1;
+  let foundDelimiter = "";
+
+  delimiters.forEach((delimiter) => {
+    const index = pastedContent.indexOf(delimiter);
+    if (index !== -1 && (firstDelimiterIndex === -1 || index < firstDelimiterIndex)) {
+      firstDelimiterIndex = index;
+      foundDelimiter = delimiter;
+    }
+  });
+
+  const hasValueAfterDelimiter = pastedContent.length > firstDelimiterIndex + foundDelimiter.length;
+
+  if (firstDelimiterIndex === -1 || !hasValueAfterDelimiter) {
    return { key: pastedContent.trim(), value: "" };
  }

-  const [key, value] = pastedContent.split(foundDelimiter);
+  const key = pastedContent.substring(0, firstDelimiterIndex);
+  const value = pastedContent.substring(firstDelimiterIndex + foundDelimiter.length);
+
  return {
    key: key.trim(),
-    value: (value ?? "").trim()
+    value: value.trim()
  };
 };
--- a/frontend/src/hooks/api/accessApproval/types.ts
+++ b/frontend/src/hooks/api/accessApproval/types.ts
@@ -18,15 +18,15 @@ export type TAccessApprovalPolicy = {
  approvers?: Approver[];
 };

-export enum ApproverType{
+export enum ApproverType {
  User = "user",
  Group = "group"
 }

-export type Approver ={
+export type Approver = {
  id: string;
  type: ApproverType;
-}
+};

 export type TAccessApprovalRequest = {
  id: string;
@@ -70,6 +70,7 @@ export type TAccessApprovalRequest = {
    secretPath?: string | null;
    envId: string;
    enforcementLevel: EnforcementLevel;
+    deletedAt: Date | null;
  };

  reviewers: {
--- a/frontend/src/hooks/api/auditLogs/constants.tsx
+++ b/frontend/src/hooks/api/auditLogs/constants.tsx
@@ -8,6 +8,7 @@ export const eventToNameMap: { [K in EventType]: string } = {
  [EventType.DELETE_SECRET]: "Delete secret",
  [EventType.GET_WORKSPACE_KEY]: "Read project key",
  [EventType.AUTHORIZE_INTEGRATION]: "Authorize integration",
+  [EventType.UPDATE_INTEGRATION_AUTH]: "Update integration auth",
  [EventType.UNAUTHORIZE_INTEGRATION]: "Unauthorize integration",
  [EventType.CREATE_INTEGRATION]: "Create integration",
  [EventType.DELETE_INTEGRATION]: "Delete integration",
--- a/frontend/src/hooks/api/auditLogs/enums.tsx
+++ b/frontend/src/hooks/api/auditLogs/enums.tsx
@@ -23,6 +23,7 @@ export enum EventType {
  DELETE_SECRET = "delete-secret",
  GET_WORKSPACE_KEY = "get-workspace-key",
  AUTHORIZE_INTEGRATION = "authorize-integration",
+  UPDATE_INTEGRATION_AUTH = "update-integration-auth",
  UNAUTHORIZE_INTEGRATION = "unauthorize-integration",
  CREATE_INTEGRATION = "create-integration",
  DELETE_INTEGRATION = "delete-integration",
--- a/frontend/src/views/SecretApprovalPage/components/AccessApprovalRequest/AccessApprovalRequest.tsx
+++ b/frontend/src/views/SecretApprovalPage/components/AccessApprovalRequest/AccessApprovalRequest.tsx
@@ -130,12 +130,14 @@ export const AccessApprovalRequest = ({
    if (statusFilter === "open")
      return requests?.filter(
        (request) =>
+          !request.policy.deletedAt &&
          !request.isApproved &&
          !request.reviewers.some((reviewer) => reviewer.status === ApprovalStatus.REJECTED)
      );
    if (statusFilter === "close")
      return requests?.filter(
        (request) =>
+          request.policy.deletedAt ||
          request.isApproved ||
          request.reviewers.some((reviewer) => reviewer.status === ApprovalStatus.REJECTED)
      );
@@ -144,8 +146,6 @@ export const AccessApprovalRequest = ({
  }, [requests, statusFilter, requestedByFilter, envFilter]);

  const generateRequestDetails = (request: TAccessApprovalRequest) => {
-    console.log(request);
-
    const isReviewedByUser = request.reviewers.findIndex(({ member }) => member === user.id) !== -1;
    const isRejectedByAnyone = request.reviewers.some(
      ({ status }) => status === ApprovalStatus.REJECTED
--- a/frontend/src/views/SecretMainPage/components/CreateSecretForm/CreateSecretForm.tsx
+++ b/frontend/src/views/SecretMainPage/components/CreateSecretForm/CreateSecretForm.tsx
@@ -1,4 +1,4 @@
-import { ClipboardEvent } from "react";
+import { ClipboardEvent, useRef } from "react";
 import { Controller, useForm } from "react-hook-form";
 import { faTriangleExclamation } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
@@ -46,6 +46,7 @@ export const CreateSecretForm = ({
    control,
    reset,
    setValue,
+    watch,
    formState: { errors, isSubmitting }
  } = useForm<TFormSchema>({ resolver: zodResolver(typeSchema) });
  const { closePopUp } = usePopUpAction();
@@ -59,6 +60,11 @@ export const CreateSecretForm = ({
    canReadTags ? workspaceId : ""
  );

+  const secretKeyInputRef = useRef<HTMLInputElement>(null);
+  const { ref: setSecretKeyHookRef, ...secretKeyRegisterRest } = register("key");
+
+  const secretKey = watch("key");
+
  const slugSchema = z.string().trim().toLowerCase().min(1);
  const createNewTag = async (slug: string) => {
    // TODO: Replace with slugSchema generic
@@ -108,13 +114,23 @@ export const CreateSecretForm = ({
  };

  const handlePaste = (e: ClipboardEvent<HTMLInputElement>) => {
-    e.preventDefault();
    const delimitters = [":", "="];
    const pastedContent = e.clipboardData.getData("text");
    const { key, value } = getKeyValue(pastedContent, delimitters);

-    setValue("key", key);
-    setValue("value", value);
+    const isWholeKeyHighlighted =
+      secretKeyInputRef.current &&
+      secretKeyInputRef.current.selectionStart === 0 &&
+      secretKeyInputRef.current.selectionEnd === secretKeyInputRef.current.value.length;
+
+    if (!secretKey || isWholeKeyHighlighted) {
+      e.preventDefault();
+
+      setValue("key", key);
+      if (value) {
+        setValue("value", value);
+      }
+    }
  };

  return (
@@ -126,7 +142,12 @@ export const CreateSecretForm = ({
        errorText={errors?.key?.message}
      >
        <Input
-          {...register("key")}
+          {...secretKeyRegisterRest}
+          ref={(e) => {
+            setSecretKeyHookRef(e);
+            // @ts-expect-error this is for multiple ref single component
+            secretKeyInputRef.current = e;
+          }}
          placeholder="Type your secret name"
          onPaste={handlePaste}
          autoCapitalization={autoCapitalize}
--- a/frontend/src/views/SecretOverviewPage/components/CreateSecretForm/CreateSecretForm.tsx
+++ b/frontend/src/views/SecretOverviewPage/components/CreateSecretForm/CreateSecretForm.tsx
@@ -1,4 +1,4 @@
-import { ClipboardEvent } from "react";
+import { ClipboardEvent, useRef } from "react";
 import { Controller, useForm } from "react-hook-form";
 import { subject } from "@casl/ability";
 import { faTriangleExclamation } from "@fortawesome/free-solid-svg-icons";
@@ -46,6 +46,7 @@ export const CreateSecretForm = ({ secretPath = "/", onClose }: Props) => {
    control,
    reset,
    setValue,
+    watch,
    formState: { isSubmitting, errors }
  } = useForm<TFormSchema>({ resolver: zodResolver(typeSchema) });

@@ -61,6 +62,11 @@ export const CreateSecretForm = ({ secretPath = "/", onClose }: Props) => {
    canReadTags ? workspaceId : ""
  );

+  const secretKeyInputRef = useRef<HTMLInputElement>(null);
+  const { ref: setSecretKeyHookRef, ...secretKeyRegisterRest } = register("key");
+
+  const secretKey = watch("key");
+
  const handleFormSubmit = async ({ key, value, environments: selectedEnv, tags }: TFormSchema) => {
    const promises = selectedEnv.map(async (env) => {
      const environment = env.slug;
@@ -152,13 +158,23 @@ export const CreateSecretForm = ({ secretPath = "/", onClose }: Props) => {
  };

  const handlePaste = (e: ClipboardEvent<HTMLInputElement>) => {
-    e.preventDefault();
    const delimitters = [":", "="];
    const pastedContent = e.clipboardData.getData("text");
    const { key, value } = getKeyValue(pastedContent, delimitters);

-    setValue("key", key);
-    setValue("value", value);
+    const isWholeKeyHighlighted =
+      secretKeyInputRef.current &&
+      secretKeyInputRef.current.selectionStart === 0 &&
+      secretKeyInputRef.current.selectionEnd === secretKeyInputRef.current.value.length;
+
+    if (!secretKey || isWholeKeyHighlighted) {
+      e.preventDefault();
+
+      setValue("key", key);
+      if (value) {
+        setValue("value", value);
+      }
+    }
  };

  const createWsTag = useCreateWsTag();
@@ -189,7 +205,12 @@ export const CreateSecretForm = ({ secretPath = "/", onClose }: Props) => {
        errorText={errors?.key?.message}
      >
        <Input
-          {...register("key")}
+          {...secretKeyRegisterRest}
+          ref={(e) => {
+            setSecretKeyHookRef(e);
+            // @ts-expect-error this is for multiple ref single component
+            secretKeyInputRef.current = e;
+          }}
          placeholder="Type your secret name"
          onPaste={handlePaste}
          autoCapitalization={currentWorkspace?.autoCapitalization}
Author	SHA1	Message	Date
Daniel Hougaard	4568370552	Update parseEnvVar.ts	2024-12-12 03:55:27 +04:00
Daniel Hougaard	c000a6f707	more requested changes	2024-12-12 03:34:08 +04:00
Daniel Hougaard	1ace8eebf8	fix(k8s): dynamic secret bugs	2024-12-12 03:27:07 +04:00
Daniel Hougaard	3b3482b280	fix: improve ref handling	2024-12-11 21:51:20 +04:00
Daniel Hougaard	422fd27b9a	fix: requested changes	2024-12-11 21:44:42 +04:00
Daniel Hougaard	3a8219db03	fix: requested changes	2024-12-11 08:32:10 +04:00
Daniel Hougaard	d2b909b72b	fix(dashboard): pasting secrets into create secret modal	2024-12-10 04:01:17 +04:00
Maidul Islam	68988a3e78	Merge pull request #2853 from Infisical/misc/add-ssl-setting-pg-bpss misc: add ssl setting for pg boss	2024-12-09 18:11:09 -05:00
Maidul Islam	a92de1273e	Merge pull request #2855 from akhilmhdh/feat/integration-auth-update-endpoint feat: added endpoint to update integration auth	2024-12-09 14:42:10 -05:00
McPizza	97f85fa8d9	fix(Approval Workflows): Workflows keep approval history after deletion (#2834 ) * improvement: Approval Workflows can be deleted while maintaining history Co-authored-by: Daniel Hougaard <daniel@infisical.com>	2024-12-09 20:03:45 +01:00
=	a808b6d4a0	feat: added new audit log event in ui	2024-12-09 20:24:30 +05:30
=	826916399b	feat: changed integration option to nativeEnum in zod and added audit log event	2024-12-09 20:16:34 +05:30
=	40d69d4620	feat: added endpoint to update integration auth	2024-12-09 19:15:17 +05:30
Sheen Capadngan	3f6b1fe3bd	misc: add ssl setting for pg boss	2024-12-09 13:17:04 +08:00