remove org read check on projects fetch

misc: moved aws creds to constructor

backend/package.json

@@ -106,6 +106,7 @@
   },
   "dependencies": {
     "@aws-sdk/client-iam": "^3.525.0",
+    "@aws-sdk/client-kms": "^3.609.0",
     "@aws-sdk/client-secrets-manager": "^3.504.0",
     "@aws-sdk/client-sts": "^3.600.0",
     "@casl/ability": "^6.5.0",

backend/src/@types/fastify.d.ts

@@ -9,6 +9,7 @@ import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream
 import { TCertificateAuthorityCrlServiceFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-service";
 import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
+import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
@@ -163,6 +164,7 @@ declare module "fastify" {
       secretSharing: TSecretSharingServiceFactory;
       rateLimit: TRateLimitServiceFactory;
       userEngagement: TUserEngagementServiceFactory;
+      externalKms: TExternalKmsServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -59,6 +59,9 @@ import {
   TDynamicSecrets,
   TDynamicSecretsInsert,
   TDynamicSecretsUpdate,
+  TExternalKms,
+  TExternalKmsInsert,
+  TExternalKmsUpdate,
   TGitAppInstallSessions,
   TGitAppInstallSessionsInsert,
   TGitAppInstallSessionsUpdate,
@@ -125,6 +128,9 @@ import {
   TIntegrations,
   TIntegrationsInsert,
   TIntegrationsUpdate,
+  TInternalKms,
+  TInternalKmsInsert,
+  TInternalKmsUpdate,
   TKmsKeys,
   TKmsKeysInsert,
   TKmsKeysUpdate,
@@ -656,6 +662,8 @@ declare module "knex/types/tables" {
       TKmsRootConfigInsert,
       TKmsRootConfigUpdate
     >;
+    [TableName.InternalKms]: KnexOriginal.CompositeTableType<TInternalKms, TInternalKmsInsert, TInternalKmsUpdate>;
+    [TableName.ExternalKms]: KnexOriginal.CompositeTableType<TExternalKms, TExternalKmsInsert, TExternalKmsUpdate>;
     [TableName.KmsKey]: KnexOriginal.CompositeTableType<TKmsKeys, TKmsKeysInsert, TKmsKeysUpdate>;
     [TableName.KmsKeyVersion]: KnexOriginal.CompositeTableType<
       TKmsKeyVersions,

backend/src/db/migrations/20240708100026_external-kms.ts

@@ -0,0 +1,256 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { TableName } from "../schemas";
+
+const createInternalKmsTableAndBackfillData = async (knex: Knex) => {
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
+
+  // building the internal kms table by filling from old kms table
+  if (doesOldKmsKeyTableExist && !doesInternalKmsTableExist) {
+    await knex.schema.createTable(TableName.InternalKms, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.binary("encryptedKey").notNullable();
+      tb.string("encryptionAlgorithm").notNullable();
+      tb.integer("version").defaultTo(1).notNullable();
+      tb.uuid("kmsKeyId").unique().notNullable();
+      tb.foreign("kmsKeyId").references("id").inTable(TableName.KmsKey).onDelete("CASCADE");
+    });
+
+    // copy the old kms and backfill
+    const oldKmsKey = await knex(TableName.KmsKey).select("version", "encryptedKey", "encryptionAlgorithm", "id");
+    if (oldKmsKey.length) {
+      await knex(TableName.InternalKms).insert(
+        oldKmsKey.map((el) => ({
+          encryptionAlgorithm: el.encryptionAlgorithm,
+          encryptedKey: el.encryptedKey,
+          kmsKeyId: el.id,
+          version: el.version
+        }))
+      );
+    }
+  }
+};
+
+const renameKmsKeyVersionTableAsInternalKmsKeyVersion = async (knex: Knex) => {
+  const doesOldKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.KmsKeyVersion);
+  const doesNewKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.InternalKmsKeyVersion);
+
+  if (doesOldKmsKeyVersionTableExist && !doesNewKmsKeyVersionTableExist) {
+    // because we haven't started using versioning for kms thus no data exist
+    await knex.schema.renameTable(TableName.KmsKeyVersion, TableName.InternalKmsKeyVersion);
+    const hasKmsKeyIdColumn = await knex.schema.hasColumn(TableName.InternalKmsKeyVersion, "kmsKeyId");
+    const hasInternalKmsIdColumn = await knex.schema.hasColumn(TableName.InternalKmsKeyVersion, "internalKmsId");
+
+    await knex.schema.alterTable(TableName.InternalKmsKeyVersion, (tb) => {
+      if (hasKmsKeyIdColumn) tb.dropColumn("kmsKeyId");
+      if (!hasInternalKmsIdColumn) {
+        tb.uuid("internalKmsId").notNullable();
+        tb.foreign("internalKmsId").references("id").inTable(TableName.InternalKms).onDelete("CASCADE");
+      }
+    });
+  }
+};
+
+const createExternalKmsKeyTable = async (knex: Knex) => {
+  const doesExternalKmsServiceExist = await knex.schema.hasTable(TableName.ExternalKms);
+  if (!doesExternalKmsServiceExist) {
+    await knex.schema.createTable(TableName.ExternalKms, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.string("provider").notNullable();
+      tb.binary("encryptedProviderInputs").notNullable();
+      tb.string("status");
+      tb.string("statusDetails");
+      tb.uuid("kmsKeyId").unique().notNullable();
+      tb.foreign("kmsKeyId").references("id").inTable(TableName.KmsKey).onDelete("CASCADE");
+    });
+  }
+};
+
+const removeNonRequiredFieldsFromKmsKeyTableAndBackfillRequiredData = async (knex: Knex) => {
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+
+  // building the internal kms table by filling from old kms table
+  if (doesOldKmsKeyTableExist) {
+    const hasSlugColumn = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+    const hasEncryptedKeyColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptedKey");
+    const hasEncryptionAlgorithmColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptionAlgorithm");
+    const hasVersionColumn = await knex.schema.hasColumn(TableName.KmsKey, "version");
+    const hasTimestamps = await knex.schema.hasColumn(TableName.KmsKey, "createdAt");
+    const hasProjectId = await knex.schema.hasColumn(TableName.KmsKey, "projectId");
+    const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
+
+    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
+      if (!hasSlugColumn) tb.string("slug", 32);
+      if (hasEncryptedKeyColumn) tb.dropColumn("encryptedKey");
+      if (hasEncryptionAlgorithmColumn) tb.dropColumn("encryptionAlgorithm");
+      if (hasVersionColumn) tb.dropColumn("version");
+      if (!hasTimestamps) tb.timestamps(true, true, true);
+    });
+
+    // backfill all org id in kms key because its gonna be changed to non nullable
+    if (hasProjectId && hasOrgId) {
+      await knex(TableName.KmsKey)
+        .whereNull("orgId")
+        .update({
+          // eslint-disable-next-line
+          // @ts-ignore because generate schema happens after this
+          orgId: knex(TableName.Project)
+            .select("orgId")
+            .where("id", knex.raw("??", [`${TableName.KmsKey}.projectId`]))
+        });
+    }
+
+    // backfill slugs in kms
+    const missingSlugs = await knex(TableName.KmsKey).whereNull("slug").select("id");
+    if (missingSlugs.length) {
+      await knex(TableName.KmsKey)
+        // eslint-disable-next-line
+        // @ts-ignore because generate schema happens after this
+        .insert(missingSlugs.map(({ id }) => ({ id, slug: slugify(alphaNumericNanoId(8).toLowerCase()) })))
+        .onConflict("id")
+        .merge();
+    }
+
+    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
+      if (hasOrgId) tb.uuid("orgId").notNullable().alter();
+      tb.string("slug", 32).notNullable().alter();
+      if (hasProjectId) tb.dropColumn("projectId");
+      if (hasOrgId) tb.unique(["orgId", "slug"]);
+    });
+  }
+};
+
+/*
+ * The goal for this migration is split the existing kms key into three table
+ * the kms-key table would be a container table that contains
+ * the internal kms key table and external kms table
+ */
+export async function up(knex: Knex): Promise<void> {
+  await createInternalKmsTableAndBackfillData(knex);
+  await renameKmsKeyVersionTableAsInternalKmsKeyVersion(knex);
+  await removeNonRequiredFieldsFromKmsKeyTableAndBackfillRequiredData(knex);
+  await createExternalKmsKeyTable(knex);
+
+  const doesOrgKmsKeyExist = await knex.schema.hasColumn(TableName.Organization, "kmsDefaultKeyId");
+  if (!doesOrgKmsKeyExist) {
+    await knex.schema.alterTable(TableName.Organization, (tb) => {
+      tb.uuid("kmsDefaultKeyId").nullable();
+      tb.foreign("kmsDefaultKeyId").references("id").inTable(TableName.KmsKey);
+    });
+  }
+
+  const doesProjectKmsSecretManagerKeyExist = await knex.schema.hasColumn(TableName.Project, "kmsSecretManagerKeyId");
+  if (!doesProjectKmsSecretManagerKeyExist) {
+    await knex.schema.alterTable(TableName.Project, (tb) => {
+      tb.uuid("kmsSecretManagerKeyId").nullable();
+      tb.foreign("kmsSecretManagerKeyId").references("id").inTable(TableName.KmsKey);
+    });
+  }
+}
+
+const renameInternalKmsKeyVersionBackToKmsKeyVersion = async (knex: Knex) => {
+  const doesInternalKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.InternalKmsKeyVersion);
+  const doesKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.KmsKeyVersion);
+  if (doesInternalKmsKeyVersionTableExist && !doesKmsKeyVersionTableExist) {
+    // because we haven't started using versioning for kms thus no data exist
+    await knex.schema.renameTable(TableName.InternalKmsKeyVersion, TableName.KmsKeyVersion);
+    const hasInternalKmsIdColumn = await knex.schema.hasColumn(TableName.KmsKeyVersion, "internalKmsId");
+    const hasKmsKeyIdColumn = await knex.schema.hasColumn(TableName.KmsKeyVersion, "kmsKeyId");
+
+    await knex.schema.alterTable(TableName.KmsKeyVersion, (tb) => {
+      if (hasInternalKmsIdColumn) tb.dropColumn("internalKmsId");
+      if (!hasKmsKeyIdColumn) {
+        tb.uuid("kmsKeyId").notNullable();
+        tb.foreign("kmsKeyId").references("id").inTable(TableName.KmsKey).onDelete("CASCADE");
+      }
+    });
+  }
+};
+
+const bringBackKmsKeyFields = async (knex: Knex) => {
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
+  if (doesOldKmsKeyTableExist && doesInternalKmsTableExist) {
+    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+    const hasEncryptedKeyColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptedKey");
+    const hasEncryptionAlgorithmColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptionAlgorithm");
+    const hasVersionColumn = await knex.schema.hasColumn(TableName.KmsKey, "version");
+    const hasNullableOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
+    const hasProjectIdColumn = await knex.schema.hasColumn(TableName.KmsKey, "projectId");
+
+    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
+      if (!hasEncryptedKeyColumn) tb.binary("encryptedKey");
+      if (!hasEncryptionAlgorithmColumn) tb.string("encryptionAlgorithm");
+      if (!hasVersionColumn) tb.integer("version").defaultTo(1);
+      if (hasNullableOrgId) tb.uuid("orgId").nullable().alter();
+      if (!hasProjectIdColumn) {
+        tb.string("projectId");
+        tb.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      }
+      if (hasSlug) tb.dropColumn("slug");
+    });
+  }
+};
+
+const backfillKmsKeyFromInternalKmsTable = async (knex: Knex) => {
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
+  if (doesInternalKmsTableExist && doesOldKmsKeyTableExist) {
+    // backfill kms key with internal kms data
+    await knex(TableName.KmsKey).update({
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      encryptedKey: knex(TableName.InternalKms)
+        .select("encryptedKey")
+        .where("kmsKeyId", knex.raw("??", [`${TableName.KmsKey}.id`])),
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      encryptionAlgorithm: knex(TableName.InternalKms)
+        .select("encryptionAlgorithm")
+        .where("kmsKeyId", knex.raw("??", [`${TableName.KmsKey}.id`])),
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      projectId: knex(TableName.Project)
+        .select("id")
+        .where("kmsCertificateKeyId", knex.raw("??", [`${TableName.KmsKey}.id`]))
+    });
+  }
+};
+
+export async function down(knex: Knex): Promise<void> {
+  const doesOrgKmsKeyExist = await knex.schema.hasColumn(TableName.Organization, "kmsDefaultKeyId");
+  if (doesOrgKmsKeyExist) {
+    await knex.schema.alterTable(TableName.Organization, (tb) => {
+      tb.dropColumn("kmsDefaultKeyId");
+    });
+  }
+
+  const doesProjectKmsSecretManagerKeyExist = await knex.schema.hasColumn(TableName.Project, "kmsSecretManagerKeyId");
+  if (doesProjectKmsSecretManagerKeyExist) {
+    await knex.schema.alterTable(TableName.Project, (tb) => {
+      tb.dropColumn("kmsSecretManagerKeyId");
+    });
+  }
+
+  await renameInternalKmsKeyVersionBackToKmsKeyVersion(knex);
+  await bringBackKmsKeyFields(knex);
+  await backfillKmsKeyFromInternalKmsTable(knex);
+
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+  if (doesOldKmsKeyTableExist) {
+    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
+      tb.binary("encryptedKey").notNullable().alter();
+      tb.string("encryptionAlgorithm").notNullable().alter();
+    });
+  }
+
+  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
+  if (doesInternalKmsTableExist) await knex.schema.dropTable(TableName.InternalKms);
+
+  const doesExternalKmsServiceExist = await knex.schema.hasTable(TableName.ExternalKms);
+  if (doesExternalKmsServiceExist) await knex.schema.dropTable(TableName.ExternalKms);
+}

backend/src/db/migrations/20240715113110_org-membership-active-status.ts

@@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.OrgMembership)) {
-    const doesUserIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "userId");
-    const doesOrgIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "orgId");
-    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
-      t.boolean("isActive").notNullable().defaultTo(true);
-      if (doesUserIdExist && doesOrgIdExist) t.index(["userId", "orgId"]);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.OrgMembership)) {
-    const doesUserIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "userId");
-    const doesOrgIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "orgId");
-    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
-      t.dropColumn("isActive");
-      if (doesUserIdExist && doesOrgIdExist) t.dropIndex(["userId", "orgId"]);
-    });
-  }
-}

backend/src/db/schemas/external-kms.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ExternalKmsSchema = z.object({
+  id: z.string().uuid(),
+  provider: z.string(),
+  encryptedProviderInputs: zodBuffer,
+  status: z.string().nullable().optional(),
+  statusDetails: z.string().nullable().optional(),
+  kmsKeyId: z.string().uuid()
+});
+
+export type TExternalKms = z.infer<typeof ExternalKmsSchema>;
+export type TExternalKmsInsert = Omit<z.input<typeof ExternalKmsSchema>, TImmutableDBKeys>;
+export type TExternalKmsUpdate = Partial<Omit<z.input<typeof ExternalKmsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/index.ts

@@ -17,6 +17,7 @@ export * from "./certificate-secrets";
 export * from "./certificates";
 export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
+export * from "./external-kms";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
 export * from "./group-project-membership-roles";
@@ -39,6 +40,7 @@ export * from "./identity-universal-auths";
 export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
+export * from "./internal-kms";
 export * from "./kms-key-versions";
 export * from "./kms-keys";
 export * from "./kms-root-config";

backend/src/db/schemas/internal-kms-key-version.ts

@@ -0,0 +1,21 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const InternalKmsKeyVersionSchema = z.object({
+  id: z.string().uuid(),
+  encryptedKey: zodBuffer,
+  version: z.number(),
+  internalKmsId: z.string().uuid()
+});
+
+export type TInternalKmsKeyVersion = z.infer<typeof InternalKmsKeyVersionSchema>;
+export type TInternalKmsKeyVersionInsert = Omit<z.input<typeof InternalKmsKeyVersionSchema>, TImmutableDBKeys>;
+export type TInternalKmsKeyVersionUpdate = Partial<Omit<z.input<typeof InternalKmsKeyVersionSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/internal-kms.ts

@@ -0,0 +1,22 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const InternalKmsSchema = z.object({
+  id: z.string().uuid(),
+  encryptedKey: zodBuffer,
+  encryptionAlgorithm: z.string(),
+  version: z.number().default(1),
+  kmsKeyId: z.string().uuid()
+});
+
+export type TInternalKms = z.infer<typeof InternalKmsSchema>;
+export type TInternalKmsInsert = Omit<z.input<typeof InternalKmsSchema>, TImmutableDBKeys>;
+export type TInternalKmsUpdate = Partial<Omit<z.input<typeof InternalKmsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/kms-keys.ts

@@ -5,20 +5,17 @@
 
 import { z } from "zod";
 
-import { zodBuffer } from "@app/lib/zod";
-
 import { TImmutableDBKeys } from "./models";
 
 export const KmsKeysSchema = z.object({
   id: z.string().uuid(),
-  encryptedKey: zodBuffer,
-  encryptionAlgorithm: z.string(),
-  version: z.number().default(1),
   description: z.string().nullable().optional(),
   isDisabled: z.boolean().default(false).nullable().optional(),
   isReserved: z.boolean().default(true).nullable().optional(),
-  projectId: z.string().nullable().optional(),
-  orgId: z.string().uuid().nullable().optional()
+  orgId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  slug: z.string()
 });
 
 export type TKmsKeys = z.infer<typeof KmsKeysSchema>;

backend/src/db/schemas/models.ts

@@ -96,6 +96,10 @@ export enum TableName {
   // KMS Service
   KmsServerRootConfig = "kms_root_config",
   KmsKey = "kms_keys",
+  ExternalKms = "external_kms",
+  InternalKms = "internal_kms",
+  InternalKmsKeyVersion = "internal_kms_key_version",
+  // @depreciated
   KmsKeyVersion = "kms_key_versions"
 }
 

backend/src/db/schemas/org-memberships.ts

@@ -17,8 +17,7 @@ export const OrgMembershipsSchema = z.object({
   userId: z.string().uuid().nullable().optional(),
   orgId: z.string().uuid(),
   roleId: z.string().uuid().nullable().optional(),
-  projectFavorites: z.string().array().nullable().optional(),
-  isActive: z.boolean()
+  projectFavorites: z.string().array().nullable().optional()
 });
 
 export type TOrgMemberships = z.infer<typeof OrgMembershipsSchema>;

backend/src/db/schemas/organizations.ts

@@ -15,7 +15,8 @@ export const OrganizationsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   authEnforced: z.boolean().default(false).nullable().optional(),
-  scimEnabled: z.boolean().default(false).nullable().optional()
+  scimEnabled: z.boolean().default(false).nullable().optional(),
+  kmsDefaultKeyId: z.string().uuid().nullable().optional()
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/db/schemas/projects.ts

@@ -19,7 +19,8 @@ export const ProjectsSchema = z.object({
   upgradeStatus: z.string().nullable().optional(),
   pitVersionLimit: z.number().default(10),
   kmsCertificateKeyId: z.string().uuid().nullable().optional(),
-  auditLogsRetentionDays: z.number().nullable().optional()
+  auditLogsRetentionDays: z.number().nullable().optional(),
+  kmsSecretManagerKeyId: z.string().uuid().nullable().optional()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/seeds/2-org.ts

@@ -29,8 +29,7 @@ export async function seed(knex: Knex): Promise<void> {
       role: OrgMembershipRole.Admin,
       orgId: org.id,
       status: OrgMembershipStatus.Accepted,
-      userId: user.id,
-      isActive: true
+      userId: user.id
     }
   ]);
 }

backend/src/ee/routes/v1/external-kms-router.ts

@@ -0,0 +1,190 @@
+import { z } from "zod";
+
+import { ExternalKmsSchema, KmsKeysSchema } from "@app/db/schemas";
+import {
+  ExternalKmsAwsSchema,
+  ExternalKmsInputSchema,
+  ExternalKmsInputUpdateSchema
+} from "@app/ee/services/external-kms/providers/model";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+const sanitizedExternalSchema = KmsKeysSchema.extend({
+  external: ExternalKmsSchema.pick({
+    id: true,
+    status: true,
+    statusDetails: true,
+    provider: true
+  })
+});
+
+const sanitizedExternalSchemaForGetById = KmsKeysSchema.extend({
+  external: ExternalKmsSchema.pick({
+    id: true,
+    status: true,
+    statusDetails: true,
+    provider: true
+  }).extend({
+    providerInput: ExternalKmsAwsSchema
+  })
+});
+
+export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        slug: z.string().min(1).trim().optional(),
+        description: z.string().min(1).trim().optional(),
+        provider: ExternalKmsInputSchema
+      }),
+      response: {
+        200: z.object({
+          externalKms: sanitizedExternalSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const externalKms = await server.services.externalKms.create({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        slug: req.body.slug,
+        provider: req.body.provider,
+        description: req.body.description
+      });
+      return { externalKms };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string().trim().min(1)
+      }),
+      body: z.object({
+        slug: z.string().min(1).trim().optional(),
+        description: z.string().min(1).trim().optional(),
+        provider: ExternalKmsInputUpdateSchema
+      }),
+      response: {
+        200: z.object({
+          externalKms: sanitizedExternalSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const externalKms = await server.services.externalKms.updateById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        slug: req.body.slug,
+        provider: req.body.provider,
+        description: req.body.description,
+        id: req.params.id
+      });
+      return { externalKms };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string().trim().min(1)
+      }),
+      response: {
+        200: z.object({
+          externalKms: sanitizedExternalSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const externalKms = await server.services.externalKms.deleteById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.id
+      });
+      return { externalKms };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:id",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string().trim().min(1)
+      }),
+      response: {
+        200: z.object({
+          externalKms: sanitizedExternalSchemaForGetById
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const externalKms = await server.services.externalKms.findById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.id
+      });
+      return { externalKms };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/slug/:slug",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        slug: z.string().trim().min(1)
+      }),
+      response: {
+        200: z.object({
+          externalKms: sanitizedExternalSchemaForGetById
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const externalKms = await server.services.externalKms.findBySlug({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        slug: req.params.slug
+      });
+      return { externalKms };
+    }
+  });
+};

backend/src/ee/routes/v1/scim-router.ts

@@ -186,13 +186,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
             })
           ),
           displayName: z.string().trim(),
-          active: z.boolean(),
-          groups: z.array(
-            z.object({
-              value: z.string().trim(),
-              display: z.string().trim()
-            })
-          )
+          active: z.boolean()
         })
       }
     },
@@ -578,13 +572,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
             })
           ),
           displayName: z.string().trim(),
-          active: z.boolean(),
-          groups: z.array(
-            z.object({
-              value: z.string().trim(),
-              display: z.string().trim()
-            })
-          )
+          active: z.boolean()
         })
       }
     },

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -17,7 +17,7 @@ type TCertificateAuthorityCrlServiceFactoryDep = {
   certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
   certificateAuthorityCrlDAL: Pick<TCertificateAuthorityCrlDALFactory, "findOne">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
-  kmsService: Pick<TKmsServiceFactory, "decrypt" | "generateKmsKey">;
+  kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
@@ -68,11 +68,11 @@ export const certificateAuthorityCrlServiceFactory = ({
       kmsService
     });
 
-    const decryptedCrl = await kmsService.decrypt({
-      kmsId: keyId,
-      cipherTextBlob: caCrl.encryptedCrl
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
+      kmsId: keyId
     });
 
+    const decryptedCrl = kmsDecryptor({ cipherTextBlob: caCrl.encryptedCrl });
     const crl = new x509.X509Crl(decryptedCrl);
 
     const base64crl = crl.toString("base64");

backend/src/ee/services/external-kms/external-kms-dal.ts

@@ -0,0 +1,47 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { TableName, TKmsKeys } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+
+export type TExternalKmsDALFactory = ReturnType<typeof externalKmsDALFactory>;
+
+export const externalKmsDALFactory = (db: TDbClient) => {
+  const externalKmsOrm = ormify(db, TableName.ExternalKms);
+
+  const find = async (filter: Partial<TKmsKeys>, tx?: Knex) => {
+    try {
+      const result = await (tx || db.replicaNode())(TableName.ExternalKms)
+        .join(TableName.KmsKey, `${TableName.KmsKey}.id`, `${TableName.ExternalKms}.kmsKeyId`)
+        .where(filter)
+        .select(selectAllTableCols(TableName.KmsKey))
+        .select(
+          db.ref("id").withSchema(TableName.ExternalKms).as("externalKmsId"),
+          db.ref("provider").withSchema(TableName.ExternalKms).as("externalKmsProvider"),
+          db.ref("encryptedProviderInputs").withSchema(TableName.ExternalKms).as("externalKmsEncryptedProviderInput"),
+          db.ref("status").withSchema(TableName.ExternalKms).as("externalKmsStatus"),
+          db.ref("statusDetails").withSchema(TableName.ExternalKms).as("externalKmsStatusDetails")
+        );
+
+      return result.map((el) => ({
+        id: el.id,
+        description: el.description,
+        isDisabled: el.isDisabled,
+        isReserved: el.isReserved,
+        orgId: el.orgId,
+        slug: el.slug,
+        externalKms: {
+          id: el.externalKmsId,
+          provider: el.externalKmsProvider,
+          status: el.externalKmsStatus,
+          statusDetails: el.externalKmsStatusDetails
+        }
+      }));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find" });
+    }
+  };
+
+  return { ...externalKmsOrm, find };
+};

backend/src/ee/services/external-kms/external-kms-service.ts

@@ -0,0 +1,309 @@
+import { ForbiddenError } from "@casl/ability";
+import slugify from "@sindresorhus/slugify";
+
+import { BadRequestError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TExternalKmsDALFactory } from "./external-kms-dal";
+import {
+  TCreateExternalKmsDTO,
+  TDeleteExternalKmsDTO,
+  TGetExternalKmsByIdDTO,
+  TGetExternalKmsBySlugDTO,
+  TListExternalKmsDTO,
+  TUpdateExternalKmsDTO
+} from "./external-kms-types";
+import { AwsKmsProviderFactory } from "./providers/aws-kms";
+import { ExternalKmsAwsSchema, KmsProviders } from "./providers/model";
+
+type TExternalKmsServiceFactoryDep = {
+  externalKmsDAL: TExternalKmsDALFactory;
+  kmsService: Pick<TKmsServiceFactory, "getOrgKmsKeyId" | "encryptWithKmsKey" | "decryptWithKmsKey">;
+  kmsDAL: Pick<TKmsKeyDALFactory, "create" | "updateById" | "findById" | "deleteById" | "findOne">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+};
+
+export type TExternalKmsServiceFactory = ReturnType<typeof externalKmsServiceFactory>;
+
+export const externalKmsServiceFactory = ({
+  externalKmsDAL,
+  permissionService,
+  kmsService,
+  kmsDAL
+}: TExternalKmsServiceFactoryDep) => {
+  const create = async ({
+    provider,
+    description,
+    actor,
+    slug,
+    actorId,
+    actorOrgId,
+    actorAuthMethod
+  }: TCreateExternalKmsDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
+    const kmsSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(32));
+
+    let sanitizedProviderInput = "";
+    switch (provider.type) {
+      case KmsProviders.Aws:
+        {
+          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs });
+          await externalKms.validateConnection();
+          // if missing kms key this generate a new kms key id and returns new provider input
+          const newProviderInput = await externalKms.generateInputKmsKey();
+          sanitizedProviderInput = JSON.stringify(newProviderInput);
+        }
+        break;
+      default:
+        throw new BadRequestError({ message: "external kms provided is invalid" });
+    }
+
+    const orgKmsKeyId = await kmsService.getOrgKmsKeyId(actorOrgId);
+    const kmsEncryptor = await kmsService.encryptWithKmsKey({
+      kmsId: orgKmsKeyId
+    });
+    const { cipherTextBlob: encryptedProviderInputs } = kmsEncryptor({
+      plainText: Buffer.from(sanitizedProviderInput, "utf8")
+    });
+
+    const externalKms = await externalKmsDAL.transaction(async (tx) => {
+      const kms = await kmsDAL.create(
+        {
+          isReserved: false,
+          description,
+          slug: kmsSlug,
+          orgId: actorOrgId
+        },
+        tx
+      );
+      const externalKmsCfg = await externalKmsDAL.create(
+        {
+          provider: provider.type,
+          encryptedProviderInputs,
+          kmsKeyId: kms.id
+        },
+        tx
+      );
+      return { ...kms, external: externalKmsCfg };
+    });
+
+    return externalKms;
+  };
+
+  const updateById = async ({
+    provider,
+    description,
+    actor,
+    id: kmsId,
+    slug,
+    actorId,
+    actorOrgId,
+    actorAuthMethod
+  }: TUpdateExternalKmsDTO) => {
+    const kmsDoc = await kmsDAL.findById(kmsId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      kmsDoc.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
+    const kmsSlug = slug ? slugify(slug) : undefined;
+
+    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
+    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+
+    const orgDefaultKmsId = await kmsService.getOrgKmsKeyId(kmsDoc.orgId);
+    let sanitizedProviderInput = "";
+    if (provider) {
+      const kmsDecryptor = await kmsService.decryptWithKmsKey({
+        kmsId: orgDefaultKmsId
+      });
+      const decryptedProviderInputBlob = kmsDecryptor({
+        cipherTextBlob: externalKmsDoc.encryptedProviderInputs
+      });
+
+      switch (provider.type) {
+        case KmsProviders.Aws:
+          {
+            const decryptedProviderInput = await ExternalKmsAwsSchema.parseAsync(
+              JSON.parse(decryptedProviderInputBlob.toString("utf8"))
+            );
+            const updatedProviderInput = { ...decryptedProviderInput, ...provider.inputs };
+            const externalKms = await AwsKmsProviderFactory({ inputs: updatedProviderInput });
+            await externalKms.validateConnection();
+            sanitizedProviderInput = JSON.stringify(updatedProviderInput);
+          }
+          break;
+        default:
+          throw new BadRequestError({ message: "external kms provided is invalid" });
+      }
+    }
+
+    let encryptedProviderInputs: Buffer | undefined;
+    if (sanitizedProviderInput) {
+      const kmsEncryptor = await kmsService.encryptWithKmsKey({
+        kmsId: orgDefaultKmsId
+      });
+      const { cipherTextBlob } = kmsEncryptor({
+        plainText: Buffer.from(sanitizedProviderInput, "utf8")
+      });
+      encryptedProviderInputs = cipherTextBlob;
+    }
+
+    const externalKms = await externalKmsDAL.transaction(async (tx) => {
+      const kms = await kmsDAL.updateById(
+        kmsDoc.id,
+        {
+          description,
+          slug: kmsSlug
+        },
+        tx
+      );
+      if (encryptedProviderInputs) {
+        const externalKmsCfg = await externalKmsDAL.updateById(
+          externalKmsDoc.id,
+          {
+            encryptedProviderInputs
+          },
+          tx
+        );
+        return { ...kms, external: externalKmsCfg };
+      }
+      return { ...kms, external: externalKmsDoc };
+    });
+
+    return externalKms;
+  };
+
+  const deleteById = async ({ actor, id: kmsId, actorId, actorOrgId, actorAuthMethod }: TDeleteExternalKmsDTO) => {
+    const kmsDoc = await kmsDAL.findById(kmsId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      kmsDoc.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
+
+    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
+    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+
+    const externalKms = await externalKmsDAL.transaction(async (tx) => {
+      const kms = await kmsDAL.deleteById(kmsDoc.id, tx);
+      return { ...kms, external: externalKmsDoc };
+    });
+
+    return externalKms;
+  };
+
+  const list = async ({ actor, actorId, actorOrgId, actorAuthMethod }: TListExternalKmsDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
+
+    const externalKmsDocs = await externalKmsDAL.find({ orgId: actorOrgId });
+
+    return externalKmsDocs;
+  };
+
+  const findById = async ({ actor, actorId, actorOrgId, actorAuthMethod, id: kmsId }: TGetExternalKmsByIdDTO) => {
+    const kmsDoc = await kmsDAL.findById(kmsId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      kmsDoc.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
+
+    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
+    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+
+    const orgDefaultKmsId = await kmsService.getOrgKmsKeyId(kmsDoc.orgId);
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
+      kmsId: orgDefaultKmsId
+    });
+    const decryptedProviderInputBlob = kmsDecryptor({
+      cipherTextBlob: externalKmsDoc.encryptedProviderInputs
+    });
+    switch (externalKmsDoc.provider) {
+      case KmsProviders.Aws: {
+        const decryptedProviderInput = await ExternalKmsAwsSchema.parseAsync(
+          JSON.parse(decryptedProviderInputBlob.toString("utf8"))
+        );
+        return { ...kmsDoc, external: { ...externalKmsDoc, providerInput: decryptedProviderInput } };
+      }
+      default:
+        throw new BadRequestError({ message: "external kms provided is invalid" });
+    }
+  };
+
+  const findBySlug = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    slug: kmsSlug
+  }: TGetExternalKmsBySlugDTO) => {
+    const kmsDoc = await kmsDAL.findOne({ slug: kmsSlug, orgId: actorOrgId });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      kmsDoc.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
+
+    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
+    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+
+    const orgDefaultKmsId = await kmsService.getOrgKmsKeyId(kmsDoc.orgId);
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
+      kmsId: orgDefaultKmsId
+    });
+    const decryptedProviderInputBlob = kmsDecryptor({
+      cipherTextBlob: externalKmsDoc.encryptedProviderInputs
+    });
+
+    switch (externalKmsDoc.provider) {
+      case KmsProviders.Aws: {
+        const decryptedProviderInput = await ExternalKmsAwsSchema.parseAsync(
+          JSON.parse(decryptedProviderInputBlob.toString("utf8"))
+        );
+        return { ...kmsDoc, external: { ...externalKmsDoc, providerInput: decryptedProviderInput } };
+      }
+      default:
+        throw new BadRequestError({ message: "external kms provided is invalid" });
+    }
+  };
+
+  return {
+    create,
+    updateById,
+    deleteById,
+    list,
+    findById,
+    findBySlug
+  };
+};

backend/src/ee/services/external-kms/external-kms-types.ts

@@ -0,0 +1,30 @@
+import { TOrgPermission } from "@app/lib/types";
+
+import { TExternalKmsInputSchema, TExternalKmsInputUpdateSchema } from "./providers/model";
+
+export type TCreateExternalKmsDTO = {
+  slug?: string;
+  description?: string;
+  provider: TExternalKmsInputSchema;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TUpdateExternalKmsDTO = {
+  id: string;
+  slug?: string;
+  description?: string;
+  provider?: TExternalKmsInputUpdateSchema;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TDeleteExternalKmsDTO = {
+  id: string;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TListExternalKmsDTO = Omit<TOrgPermission, "orgId">;
+
+export type TGetExternalKmsByIdDTO = {
+  id: string;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TGetExternalKmsBySlugDTO = {
+  slug: string;
+} & Omit<TOrgPermission, "orgId">;

backend/src/ee/services/external-kms/providers/aws-kms.ts

@@ -0,0 +1,102 @@
+import { CreateKeyCommand, DecryptCommand, DescribeKeyCommand, EncryptCommand, KMSClient } from "@aws-sdk/client-kms";
+import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
+import { randomUUID } from "crypto";
+
+import { ExternalKmsAwsSchema, KmsAwsCredentialType, TExternalKmsAwsSchema, TExternalKmsProviderFns } from "./model";
+
+const getAwsKmsClient = async (providerInputs: TExternalKmsAwsSchema) => {
+  if (providerInputs.credential.type === KmsAwsCredentialType.AssumeRole) {
+    const awsCredential = providerInputs.credential.data;
+    const stsClient = new STSClient({
+      region: providerInputs.awsRegion
+    });
+    const command = new AssumeRoleCommand({
+      RoleArn: awsCredential.assumeRoleArn,
+      RoleSessionName: `infisical-kms-${randomUUID()}`,
+      DurationSeconds: 900, // 15mins
+      ExternalId: awsCredential.externalId
+    });
+    const response = await stsClient.send(command);
+    if (!response.Credentials?.AccessKeyId || !response.Credentials?.SecretAccessKey)
+      throw new Error("Failed to assume role");
+
+    const kmsClient = new KMSClient({
+      region: providerInputs.awsRegion,
+      credentials: {
+        accessKeyId: response.Credentials.AccessKeyId,
+        secretAccessKey: response.Credentials.SecretAccessKey,
+        sessionToken: response.Credentials.SessionToken,
+        expiration: response.Credentials.Expiration
+      }
+    });
+    return kmsClient;
+  }
+  const awsCredential = providerInputs.credential.data;
+  const kmsClient = new KMSClient({
+    region: providerInputs.awsRegion,
+    credentials: {
+      accessKeyId: awsCredential.accessKey,
+      secretAccessKey: awsCredential.secretKey
+    }
+  });
+  return kmsClient;
+};
+
+type AwsKmsProviderArgs = {
+  inputs: unknown;
+};
+type TAwsKmsProviderFactoryReturn = TExternalKmsProviderFns & {
+  generateInputKmsKey: () => Promise<TExternalKmsAwsSchema>;
+};
+
+export const AwsKmsProviderFactory = async ({ inputs }: AwsKmsProviderArgs): Promise<TAwsKmsProviderFactoryReturn> => {
+  const providerInputs = await ExternalKmsAwsSchema.parseAsync(inputs);
+  const awsClient = await getAwsKmsClient(providerInputs);
+
+  const generateInputKmsKey = async () => {
+    if (providerInputs.kmsKeyId) return providerInputs;
+
+    const command = new CreateKeyCommand({ Tags: [{ TagKey: "author", TagValue: "infisical" }] });
+    const kmsKey = await awsClient.send(command);
+    if (!kmsKey.KeyMetadata?.KeyId) throw new Error("Failed to generate kms key");
+
+    return { ...providerInputs, kmsKeyId: kmsKey.KeyMetadata?.KeyId };
+  };
+
+  const validateConnection = async () => {
+    const command = new DescribeKeyCommand({
+      KeyId: providerInputs.kmsKeyId
+    });
+    const isConnected = await awsClient.send(command).then(() => true);
+    return isConnected;
+  };
+
+  const encrypt = async (data: Buffer) => {
+    const command = new EncryptCommand({
+      KeyId: providerInputs.kmsKeyId,
+      Plaintext: data
+    });
+    const encryptionCommand = await awsClient.send(command);
+    if (!encryptionCommand.CiphertextBlob) throw new Error("encryption failed");
+
+    return { encryptedBlob: Buffer.from(encryptionCommand.CiphertextBlob) };
+  };
+
+  const decrypt = async (encryptedBlob: Buffer) => {
+    const command = new DecryptCommand({
+      KeyId: providerInputs.kmsKeyId,
+      CiphertextBlob: encryptedBlob
+    });
+    const decryptionCommand = await awsClient.send(command);
+    if (!decryptionCommand.Plaintext) throw new Error("decryption failed");
+
+    return { data: Buffer.from(decryptionCommand.Plaintext) };
+  };
+
+  return {
+    generateInputKmsKey,
+    validateConnection,
+    encrypt,
+    decrypt
+  };
+};

backend/src/ee/services/external-kms/providers/model.ts

@@ -0,0 +1,61 @@
+import { z } from "zod";
+
+export enum KmsProviders {
+  Aws = "aws"
+}
+
+export enum KmsAwsCredentialType {
+  AssumeRole = "assume-role",
+  AccessKey = "access-key"
+}
+
+export const ExternalKmsAwsSchema = z.object({
+  credential: z
+    .discriminatedUnion("type", [
+      z.object({
+        type: z.literal(KmsAwsCredentialType.AccessKey),
+        data: z.object({
+          accessKey: z.string().trim().min(1).describe("AWS user account access key"),
+          secretKey: z.string().trim().min(1).describe("AWS user account secret key")
+        })
+      }),
+      z.object({
+        type: z.literal(KmsAwsCredentialType.AssumeRole),
+        data: z.object({
+          assumeRoleArn: z.string().trim().min(1).describe("AWS user role to be assumed by infisical"),
+          externalId: z
+            .string()
+            .trim()
+            .min(1)
+            .optional()
+            .describe("AWS assume role external id for furthur security in authentication")
+        })
+      })
+    ])
+    .describe("AWS credential information to connect"),
+  awsRegion: z.string().min(1).trim().describe("AWS region to connect"),
+  kmsKeyId: z
+    .string()
+    .trim()
+    .optional()
+    .describe("A pre existing AWS KMS key id to be used for encryption. If not provided a kms key will be generated.")
+});
+export type TExternalKmsAwsSchema = z.infer<typeof ExternalKmsAwsSchema>;
+
+// The root schema of the JSON
+export const ExternalKmsInputSchema = z.discriminatedUnion("type", [
+  z.object({ type: z.literal(KmsProviders.Aws), inputs: ExternalKmsAwsSchema })
+]);
+export type TExternalKmsInputSchema = z.infer<typeof ExternalKmsInputSchema>;
+
+export const ExternalKmsInputUpdateSchema = z.discriminatedUnion("type", [
+  z.object({ type: z.literal(KmsProviders.Aws), inputs: ExternalKmsAwsSchema.partial() })
+]);
+export type TExternalKmsInputUpdateSchema = z.infer<typeof ExternalKmsInputUpdateSchema>;
+
+// generic function shared by all provider
+export type TExternalKmsProviderFns = {
+  validateConnection: () => Promise<boolean>;
+  encrypt: (data: Buffer) => Promise<{ encryptedBlob: Buffer }>;
+  decrypt: (encryptedBlob: Buffer) => Promise<{ data: Buffer }>;
+};

backend/src/ee/services/group/user-group-membership-dal.ts

@@ -162,26 +162,11 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findUserGroupMembershipsInOrg = async (userId: string, orgId: string) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.UserGroupMembership)
-        .join(TableName.Groups, `${TableName.UserGroupMembership}.groupId`, `${TableName.Groups}.id`)
-        .where(`${TableName.UserGroupMembership}.userId`, userId)
-        .where(`${TableName.Groups}.orgId`, orgId);
-
-      return docs;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "findTest" });
-    }
-  };
-
   return {
     ...userGroupMembershipOrm,
     filterProjectsByUserMembership,
     findUserGroupMembershipsInProject,
     findGroupMembersNotInProject,
-    deletePendingUserGroupMembershipsByUserIds,
-    findUserGroupMembershipsInOrg
+    deletePendingUserGroupMembershipsByUserIds
   };
 };

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -449,8 +449,7 @@ export const ldapConfigServiceFactory = ({
               userId: userAlias.userId,
               orgId,
               role: OrgMembershipRole.Member,
-              status: OrgMembershipStatus.Accepted,
-              isActive: true
+              status: OrgMembershipStatus.Accepted
             },
             tx
           );
@@ -535,8 +534,7 @@ export const ldapConfigServiceFactory = ({
               inviteEmail: email,
               orgId,
               role: OrgMembershipRole.Member,
-              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-              isActive: true
+              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
             },
             tx
           );

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -193,8 +193,7 @@ export const oidcConfigServiceFactory = ({
               inviteEmail: email,
               orgId,
               role: OrgMembershipRole.Member,
-              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-              isActive: true
+              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
             },
             tx
           );
@@ -267,8 +266,7 @@ export const oidcConfigServiceFactory = ({
               inviteEmail: email,
               orgId,
               role: OrgMembershipRole.Member,
-              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-              isActive: true
+              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
             },
             tx
           );

backend/src/ee/services/permission/permission-service.ts

@@ -109,6 +109,9 @@ export const permissionServiceFactory = ({
     authMethod: ActorAuthMethod,
     userOrgId?: string
   ) => {
+    // when token is scoped, ensure the passed org id is same as user org id
+    if (userOrgId && userOrgId !== orgId)
+      throw new BadRequestError({ message: "Invalid user token. Scoped to different organization." });
     const membership = await permissionDAL.getOrgPermission(userId, orgId);
     if (!membership) throw new UnauthorizedError({ name: "User not in org" });
     if (membership.role === OrgMembershipRole.Custom && !membership.permissions) {

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -370,8 +370,7 @@ export const samlConfigServiceFactory = ({
               inviteEmail: email,
               orgId,
               role: OrgMembershipRole.Member,
-              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-              isActive: true
+              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
             },
             tx
           );
@@ -458,8 +457,7 @@ export const samlConfigServiceFactory = ({
               inviteEmail: email,
               orgId,
               role: OrgMembershipRole.Member,
-              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-              isActive: true
+              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
             },
             tx
           );

backend/src/ee/services/scim/scim-fns.ts

@@ -32,19 +32,12 @@ export const parseScimFilter = (filterToParse: string | undefined) => {
   return { [attributeName]: parsedValue.replace(/"/g, "") };
 };
 
-export function extractScimValueFromPath(path: string): string | null {
-  const regex = /members\[value eq "([^"]+)"\]/;
-  const match = path.match(regex);
-  return match ? match[1] : null;
-}
-
 export const buildScimUser = ({
   orgMembershipId,
   username,
   email,
   firstName,
   lastName,
-  groups = [],
   active
 }: {
   orgMembershipId: string;
@@ -52,10 +45,6 @@ export const buildScimUser = ({
   email?: string | null;
   firstName: string;
   lastName: string;
-  groups?: {
-    value: string;
-    display: string;
-  }[];
   active: boolean;
 }): TScimUser => {
   const scimUser = {
@@ -78,7 +67,7 @@ export const buildScimUser = ({
         ]
       : [],
     active,
-    groups,
+    groups: [],
     meta: {
       resourceType: "User",
       location: null

backend/src/ee/services/scim/scim-service.ts

@@ -30,14 +30,7 @@ import { UserAliasType } from "@app/services/user-alias/user-alias-types";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import {
-  buildScimGroup,
-  buildScimGroupList,
-  buildScimUser,
-  buildScimUserList,
-  extractScimValueFromPath,
-  parseScimFilter
-} from "./scim-fns";
+import { buildScimGroup, buildScimGroupList, buildScimUser, buildScimUserList, parseScimFilter } from "./scim-fns";
 import {
   TCreateScimGroupDTO,
   TCreateScimTokenDTO,
@@ -68,7 +61,7 @@ type TScimServiceFactoryDep = {
     TOrgDALFactory,
     "createMembership" | "findById" | "findMembership" | "deleteMembershipById" | "transaction" | "updateMembershipById"
   >;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find" | "findOne" | "create" | "updateById" | "findById">;
+  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find" | "findOne" | "create" | "updateById">;
   projectDAL: Pick<TProjectDALFactory, "find" | "findProjectGhostUser">;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete" | "findProjectMembershipsByUserId">;
   groupDAL: Pick<
@@ -78,12 +71,7 @@ type TScimServiceFactoryDep = {
   groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
   userGroupMembershipDAL: Pick<
     TUserGroupMembershipDALFactory,
-    | "find"
-    | "transaction"
-    | "insertMany"
-    | "filterProjectsByUserMembership"
-    | "delete"
-    | "findUserGroupMembershipsInOrg"
+    "find" | "transaction" | "insertMany" | "filterProjectsByUserMembership" | "delete"
   >;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
   projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
@@ -209,14 +197,14 @@ export const scimServiceFactory = ({
       findOpts
     );
 
-    const scimUsers = users.map(({ id, externalId, username, firstName, lastName, email, isActive }) =>
+    const scimUsers = users.map(({ id, externalId, username, firstName, lastName, email }) =>
       buildScimUser({
         orgMembershipId: id ?? "",
         username: externalId ?? username,
         firstName: firstName ?? "",
         lastName: lastName ?? "",
         email,
-        active: isActive
+        active: true
       })
     );
 
@@ -252,19 +240,13 @@ export const scimServiceFactory = ({
         status: 403
       });
 
-    const groupMembershipsInOrg = await userGroupMembershipDAL.findUserGroupMembershipsInOrg(membership.userId, orgId);
-
     return buildScimUser({
       orgMembershipId: membership.id,
       username: membership.externalId ?? membership.username,
       email: membership.email ?? "",
       firstName: membership.firstName as string,
       lastName: membership.lastName as string,
-      active: membership.isActive,
-      groups: groupMembershipsInOrg.map((group) => ({
-        value: group.groupId,
-        display: group.name
-      }))
+      active: true
     });
   };
 
@@ -314,8 +296,7 @@ export const scimServiceFactory = ({
               inviteEmail: email,
               orgId,
               role: OrgMembershipRole.Member,
-              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-              isActive: true
+              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
             },
             tx
           );
@@ -383,8 +364,7 @@ export const scimServiceFactory = ({
               inviteEmail: email,
               orgId,
               role: OrgMembershipRole.Member,
-              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-              isActive: true
+              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
             },
             tx
           );
@@ -421,7 +401,7 @@ export const scimServiceFactory = ({
       firstName: createdUser.firstName as string,
       lastName: createdUser.lastName as string,
       email: createdUser.email ?? "",
-      active: createdOrgMembership.isActive
+      active: true
     });
   };
 
@@ -465,8 +445,14 @@ export const scimServiceFactory = ({
     });
 
     if (!active) {
-      await orgMembershipDAL.updateById(membership.id, {
-        isActive: false
+      await deleteOrgMembershipFn({
+        orgMembershipId: membership.id,
+        orgId: membership.orgId,
+        orgDAL,
+        projectMembershipDAL,
+        projectKeyDAL,
+        userAliasDAL,
+        licenseService
       });
     }
 
@@ -505,11 +491,17 @@ export const scimServiceFactory = ({
         status: 403
       });
 
-    await orgMembershipDAL.updateById(membership.id, {
-      isActive: active
-    });
-
-    const groupMembershipsInOrg = await userGroupMembershipDAL.findUserGroupMembershipsInOrg(membership.userId, orgId);
+    if (!active) {
+      await deleteOrgMembershipFn({
+        orgMembershipId: membership.id,
+        orgId: membership.orgId,
+        orgDAL,
+        projectMembershipDAL,
+        projectKeyDAL,
+        userAliasDAL,
+        licenseService
+      });
+    }
 
     return buildScimUser({
       orgMembershipId: membership.id,
@@ -517,11 +509,7 @@ export const scimServiceFactory = ({
       email: membership.email,
       firstName: membership.firstName as string,
       lastName: membership.lastName as string,
-      active,
-      groups: groupMembershipsInOrg.map((group) => ({
-        value: group.groupId,
-        display: group.name
-      }))
+      active
     });
   };
 
@@ -893,18 +881,7 @@ export const scimServiceFactory = ({
           break;
         }
         case "remove": {
-          const orgMembershipId = extractScimValueFromPath(operation.path);
-          if (!orgMembershipId) throw new ScimRequestError({ detail: "Invalid path value", status: 400 });
-          const orgMembership = await orgMembershipDAL.findById(orgMembershipId);
-          if (!orgMembership) throw new ScimRequestError({ detail: "Org Membership Not Found", status: 400 });
-          await removeUsersFromGroupByUserIds({
-            group,
-            userIds: [orgMembership.userId as string],
-            userDAL,
-            userGroupMembershipDAL,
-            groupProjectDAL,
-            projectKeyDAL
-          });
+          // TODO
           break;
         }
         default: {

backend/src/ee/services/scim/scim-types.ts

@@ -158,10 +158,7 @@ export type TScimUser = {
     type: string;
   }[];
   active: boolean;
-  groups: {
-    value: string;
-    display: string;
-  }[];
+  groups: string[];
   meta: {
     resourceType: string;
     location: null;

backend/src/server/routes/index.ts

@@ -22,6 +22,8 @@ import { buildDynamicSecretProviders } from "@app/ee/services/dynamic-secret/pro
 import { dynamicSecretLeaseDALFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal";
 import { dynamicSecretLeaseQueueServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue";
 import { dynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
+import { externalKmsDALFactory } from "@app/ee/services/external-kms/external-kms-dal";
+import { externalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { groupDALFactory } from "@app/ee/services/group/group-dal";
 import { groupServiceFactory } from "@app/ee/services/group/group-service";
 import { userGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
@@ -116,7 +118,8 @@ import { integrationDALFactory } from "@app/services/integration/integration-dal
 import { integrationServiceFactory } from "@app/services/integration/integration-service";
 import { integrationAuthDALFactory } from "@app/services/integration-auth/integration-auth-dal";
 import { integrationAuthServiceFactory } from "@app/services/integration-auth/integration-auth-service";
-import { kmsDALFactory } from "@app/services/kms/kms-dal";
+import { internalKmsDALFactory } from "@app/services/kms/internal-kms-dal";
+import { kmskeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { kmsRootConfigDALFactory } from "@app/services/kms/kms-root-config-dal";
 import { kmsServiceFactory } from "@app/services/kms/kms-service";
 import { incidentContactDALFactory } from "@app/services/org/incident-contacts-dal";
@@ -288,7 +291,9 @@ export const registerRoutes = async (
   const dynamicSecretDAL = dynamicSecretDALFactory(db);
   const dynamicSecretLeaseDAL = dynamicSecretLeaseDALFactory(db);
 
-  const kmsDAL = kmsDALFactory(db);
+  const kmsDAL = kmskeyDALFactory(db);
+  const internalKmsDAL = internalKmsDALFactory(db);
+  const externalKmsDAL = externalKmsDALFactory(db);
   const kmsRootConfigDAL = kmsRootConfigDALFactory(db);
 
   const permissionService = permissionServiceFactory({
@@ -302,7 +307,16 @@ export const registerRoutes = async (
   const kmsService = kmsServiceFactory({
     kmsRootConfigDAL,
     keyStore,
-    kmsDAL
+    kmsDAL,
+    internalKmsDAL,
+    orgDAL,
+    projectDAL
+  });
+  const externalKmsService = externalKmsServiceFactory({
+    kmsDAL,
+    kmsService,
+    permissionService,
+    externalKmsDAL
   });
 
   const trustedIpService = trustedIpServiceFactory({
@@ -331,7 +345,7 @@ export const registerRoutes = async (
     permissionService,
     secretApprovalPolicyDAL
   });
-  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL, orgMembershipDAL });
+  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });
 
   const samlService = samlConfigServiceFactory({
     permissionService,
@@ -645,7 +659,8 @@ export const registerRoutes = async (
   const webhookService = webhookServiceFactory({
     permissionService,
     webhookDAL,
-    projectEnvDAL
+    projectEnvDAL,
+    projectDAL
   });
 
   const secretTagService = secretTagServiceFactory({ secretTagDAL, permissionService });
@@ -1030,7 +1045,8 @@ export const registerRoutes = async (
     projectUserAdditionalPrivilege: projectUserAdditionalPrivilegeService,
     identityProjectAdditionalPrivilege: identityProjectAdditionalPrivilegeService,
     secretSharing: secretSharingService,
-    userEngagement: userEngagementService
+    userEngagement: userEngagementService,
+    externalKms: externalKmsService
   });
 
   const cronJobs: CronJob[] = [];

backend/src/services/auth-token/auth-token-service.ts

@@ -4,8 +4,7 @@ import bcrypt from "bcrypt";
 
 import { TAuthTokens, TAuthTokenSessions } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
-import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
+import { UnauthorizedError } from "@app/lib/errors";
 
 import { AuthModeJwtTokenPayload } from "../auth/auth-type";
 import { TUserDALFactory } from "../user/user-dal";
@@ -15,7 +14,6 @@ import { TCreateTokenForUserDTO, TIssueAuthTokenDTO, TokenType, TValidateTokenFo
 type TAuthTokenServiceFactoryDep = {
   tokenDAL: TTokenDALFactory;
   userDAL: Pick<TUserDALFactory, "findById" | "transaction">;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "findOne">;
 };
 
 export type TAuthTokenServiceFactory = ReturnType<typeof tokenServiceFactory>;
@@ -69,7 +67,7 @@ export const getTokenConfig = (tokenType: TokenType) => {
   }
 };
 
-export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAuthTokenServiceFactoryDep) => {
+export const tokenServiceFactory = ({ tokenDAL, userDAL }: TAuthTokenServiceFactoryDep) => {
   const createTokenForUser = async ({ type, userId, orgId }: TCreateTokenForUserDTO) => {
     const { token, ...tkCfg } = getTokenConfig(type);
     const appCfg = getConfig();
@@ -156,16 +154,6 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAu
     const user = await userDAL.findById(session.userId);
     if (!user || !user.isAccepted) throw new UnauthorizedError({ name: "Token user not found" });
 
-    if (token.organizationId) {
-      const orgMembership = await orgMembershipDAL.findOne({
-        userId: user.id,
-        orgId: token.organizationId
-      });
-
-      if (!orgMembership) throw new ForbiddenRequestError({ message: "User not member of organization" });
-      if (!orgMembership.isActive) throw new ForbiddenRequestError({ message: "User not active in organization" });
-    }
-
     return { user, tokenVersionId: token.tokenVersionId, orgId: token.organizationId };
   };
 

backend/src/services/certificate-authority/certificate-authority-fns.ts

@@ -75,8 +75,10 @@ export const getCaCredentials = async ({
     kmsService
   });
 
-  const decryptedPrivateKey = await kmsService.decrypt({
-    kmsId: keyId,
+  const kmsDecryptor = await kmsService.decryptWithKmsKey({
+    kmsId: keyId
+  });
+  const decryptedPrivateKey = kmsDecryptor({
     cipherTextBlob: caSecret.encryptedPrivateKey
   });
 
@@ -123,15 +125,17 @@ export const getCaCertChain = async ({
     kmsService
   });
 
-  const decryptedCaCert = await kmsService.decrypt({
-    kmsId: keyId,
+  const kmsDecryptor = await kmsService.decryptWithKmsKey({
+    kmsId: keyId
+  });
+
+  const decryptedCaCert = kmsDecryptor({
     cipherTextBlob: caCert.encryptedCertificate
   });
 
   const caCertObj = new x509.X509Certificate(decryptedCaCert);
 
-  const decryptedChain = await kmsService.decrypt({
-    kmsId: keyId,
+  const decryptedChain = kmsDecryptor({
     cipherTextBlob: caCert.encryptedCertificateChain
   });
 
@@ -168,8 +172,11 @@ export const rebuildCaCrl = async ({
     kmsService
   });
 
-  const privateKey = await kmsService.decrypt({
-    kmsId: keyId,
+  const kmsDecryptor = await kmsService.decryptWithKmsKey({
+    kmsId: keyId
+  });
+
+  const privateKey = kmsDecryptor({
     cipherTextBlob: caSecret.encryptedPrivateKey
   });
 
@@ -200,8 +207,10 @@ export const rebuildCaCrl = async ({
     signingKey: sk
   });
 
-  const { cipherTextBlob: encryptedCrl } = await kmsService.encrypt({
-    kmsId: keyId,
+  const kmsEncryptor = await kmsService.encryptWithKmsKey({
+    kmsId: keyId
+  });
+  const { cipherTextBlob: encryptedCrl } = kmsEncryptor({
     plainText: Buffer.from(new Uint8Array(crl.rawData))
   });
 

backend/src/services/certificate-authority/certificate-authority-queue.ts

@@ -25,7 +25,7 @@ type TCertificateAuthorityQueueFactoryDep = {
   certificateAuthoritySecretDAL: TCertificateAuthoritySecretDALFactory;
   certificateDAL: TCertificateDALFactory;
   projectDAL: Pick<TProjectDALFactory, "findProjectBySlug" | "findOne" | "updateById" | "findById" | "transaction">;
-  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encrypt" | "decrypt">;
+  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encryptWithKmsKey" | "decryptWithKmsKey">;
   queueService: TQueueServiceFactory;
 };
 export type TCertificateAuthorityQueueFactory = ReturnType<typeof certificateAuthorityQueueFactory>;
@@ -88,8 +88,10 @@ export const certificateAuthorityQueueFactory = ({
       kmsService
     });
 
-    const privateKey = await kmsService.decrypt({
-      kmsId: keyId,
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
+      kmsId: keyId
+    });
+    const privateKey = kmsDecryptor({
       cipherTextBlob: caSecret.encryptedPrivateKey
     });
 
@@ -120,8 +122,10 @@ export const certificateAuthorityQueueFactory = ({
       signingKey: sk
     });
 
-    const { cipherTextBlob: encryptedCrl } = await kmsService.encrypt({
-      kmsId: keyId,
+    const kmsEncryptor = await kmsService.encryptWithKmsKey({
+      kmsId: keyId
+    });
+    const { cipherTextBlob: encryptedCrl } = kmsEncryptor({
       plainText: Buffer.from(new Uint8Array(crl.rawData))
     });
 

backend/src/services/certificate-authority/certificate-authority-service.ts

@@ -53,7 +53,7 @@ type TCertificateAuthorityServiceFactoryDep = {
   certificateDAL: Pick<TCertificateDALFactory, "transaction" | "create" | "find">;
   certificateBodyDAL: Pick<TCertificateBodyDALFactory, "create">;
   projectDAL: Pick<TProjectDALFactory, "findProjectBySlug" | "findOne" | "updateById" | "findById" | "transaction">;
-  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encrypt" | "decrypt">;
+  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encryptWithKmsKey" | "decryptWithKmsKey">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
 };
 
@@ -154,11 +154,14 @@ export const certificateAuthorityServiceFactory = ({
         tx
       );
 
-      const keyId = await getProjectKmsCertificateKeyId({
+      const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
         projectId: project.id,
         projectDAL,
         kmsService
       });
+      const kmsEncryptor = await kmsService.encryptWithKmsKey({
+        kmsId: certificateManagerKmsId
+      });
 
       if (type === CaType.ROOT) {
         // note: create self-signed cert only applicable for root CA
@@ -178,13 +181,11 @@ export const certificateAuthorityServiceFactory = ({
           ]
         });
 
-        const { cipherTextBlob: encryptedCertificate } = await kmsService.encrypt({
-          kmsId: keyId,
+        const { cipherTextBlob: encryptedCertificate } = kmsEncryptor({
           plainText: Buffer.from(new Uint8Array(cert.rawData))
         });
 
-        const { cipherTextBlob: encryptedCertificateChain } = await kmsService.encrypt({
-          kmsId: keyId,
+        const { cipherTextBlob: encryptedCertificateChain } = kmsEncryptor({
           plainText: Buffer.alloc(0)
         });
 
@@ -208,8 +209,7 @@ export const certificateAuthorityServiceFactory = ({
         signingKey: keys.privateKey
       });
 
-      const { cipherTextBlob: encryptedCrl } = await kmsService.encrypt({
-        kmsId: keyId,
+      const { cipherTextBlob: encryptedCrl } = kmsEncryptor({
         plainText: Buffer.from(new Uint8Array(crl.rawData))
       });
 
@@ -224,8 +224,7 @@ export const certificateAuthorityServiceFactory = ({
       // https://nodejs.org/api/crypto.html#static-method-keyobjectfromkey
       const skObj = KeyObject.from(keys.privateKey);
 
-      const { cipherTextBlob: encryptedPrivateKey } = await kmsService.encrypt({
-        kmsId: keyId,
+      const { cipherTextBlob: encryptedPrivateKey } = kmsEncryptor({
         plainText: skObj.export({
           type: "pkcs8",
           format: "der"
@@ -449,15 +448,17 @@ export const certificateAuthorityServiceFactory = ({
 
     const alg = keyAlgorithmToAlgCfg(ca.keyAlgorithm as CertKeyAlgorithm);
 
-    const keyId = await getProjectKmsCertificateKeyId({
+    const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
       projectId: ca.projectId,
       projectDAL,
       kmsService
     });
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
+      kmsId: certificateManagerKmsId
+    });
 
     const caCert = await certificateAuthorityCertDAL.findOne({ caId: ca.id });
-    const decryptedCaCert = await kmsService.decrypt({
-      kmsId: keyId,
+    const decryptedCaCert = kmsDecryptor({
       cipherTextBlob: caCert.encryptedCertificate
     });
 
@@ -605,19 +606,20 @@ export const certificateAuthorityServiceFactory = ({
       dn: parentCertSubject
     });
 
-    const keyId = await getProjectKmsCertificateKeyId({
+    const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
       projectId: ca.projectId,
       projectDAL,
       kmsService
     });
+    const kmsEncryptor = await kmsService.encryptWithKmsKey({
+      kmsId: certificateManagerKmsId
+    });
 
-    const { cipherTextBlob: encryptedCertificate } = await kmsService.encrypt({
-      kmsId: keyId,
+    const { cipherTextBlob: encryptedCertificate } = kmsEncryptor({
       plainText: Buffer.from(new Uint8Array(certObj.rawData))
     });
 
-    const { cipherTextBlob: encryptedCertificateChain } = await kmsService.encrypt({
-      kmsId: keyId,
+    const { cipherTextBlob: encryptedCertificateChain } = kmsEncryptor({
       plainText: Buffer.from(certificateChain)
     });
 
@@ -682,14 +684,16 @@ export const certificateAuthorityServiceFactory = ({
     const caCert = await certificateAuthorityCertDAL.findOne({ caId: ca.id });
     if (!caCert) throw new BadRequestError({ message: "CA does not have a certificate installed" });
 
-    const keyId = await getProjectKmsCertificateKeyId({
+    const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
       projectId: ca.projectId,
       projectDAL,
       kmsService
     });
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
+      kmsId: certificateManagerKmsId
+    });
 
-    const decryptedCaCert = await kmsService.decrypt({
-      kmsId: keyId,
+    const decryptedCaCert = kmsDecryptor({
       cipherTextBlob: caCert.encryptedCertificate
     });
 
@@ -796,8 +800,10 @@ export const certificateAuthorityServiceFactory = ({
     const skLeafObj = KeyObject.from(leafKeys.privateKey);
     const skLeaf = skLeafObj.export({ format: "pem", type: "pkcs8" }) as string;
 
-    const { cipherTextBlob: encryptedCertificate } = await kmsService.encrypt({
-      kmsId: keyId,
+    const kmsEncryptor = await kmsService.encryptWithKmsKey({
+      kmsId: certificateManagerKmsId
+    });
+    const { cipherTextBlob: encryptedCertificate } = kmsEncryptor({
       plainText: Buffer.from(new Uint8Array(leafCert.rawData))
     });
 

backend/src/services/certificate-authority/certificate-authority-types.ts

@@ -95,7 +95,7 @@ export type TGetCaCredentialsDTO = {
   certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
   certificateAuthoritySecretDAL: Pick<TCertificateAuthoritySecretDALFactory, "findOne">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
-  kmsService: Pick<TKmsServiceFactory, "decrypt" | "generateKmsKey">;
+  kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
 };
 
 export type TGetCaCertChainDTO = {
@@ -103,7 +103,7 @@ export type TGetCaCertChainDTO = {
   certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
   certificateAuthorityCertDAL: Pick<TCertificateAuthorityCertDALFactory, "findOne">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
-  kmsService: Pick<TKmsServiceFactory, "decrypt" | "generateKmsKey">;
+  kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
 };
 
 export type TRebuildCaCrlDTO = {
@@ -113,7 +113,7 @@ export type TRebuildCaCrlDTO = {
   certificateAuthoritySecretDAL: Pick<TCertificateAuthoritySecretDALFactory, "findOne">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
   certificateDAL: Pick<TCertificateDALFactory, "find">;
-  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "decrypt" | "encrypt">;
+  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "decryptWithKmsKey" | "encryptWithKmsKey">;
 };
 
 export type TRotateCaCrlTriggerDTO = {

backend/src/services/certificate/certificate-service.ts

@@ -25,7 +25,7 @@ type TCertificateServiceFactoryDep = {
   certificateAuthorityCrlDAL: Pick<TCertificateAuthorityCrlDALFactory, "update">;
   certificateAuthoritySecretDAL: Pick<TCertificateAuthoritySecretDALFactory, "findOne">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "findById" | "transaction">;
-  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encrypt" | "decrypt">;
+  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encryptWithKmsKey" | "decryptWithKmsKey">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
 };
 
@@ -164,14 +164,16 @@ export const certificateServiceFactory = ({
 
     const certBody = await certificateBodyDAL.findOne({ certId: cert.id });
 
-    const keyId = await getProjectKmsCertificateKeyId({
+    const certificateManagerKeyId = await getProjectKmsCertificateKeyId({
       projectId: ca.projectId,
       projectDAL,
       kmsService
     });
 
-    const decryptedCert = await kmsService.decrypt({
-      kmsId: keyId,
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
+      kmsId: certificateManagerKeyId
+    });
+    const decryptedCert = kmsDecryptor({
       cipherTextBlob: certBody.encryptedCertificate
     });
 

backend/src/services/integration-auth/integration-auth-service.ts

@@ -574,14 +574,14 @@ export const integrationAuthServiceFactory = ({
     const botKey = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessId, accessToken } = await getIntegrationAccessToken(integrationAuth, botKey);
 
-    AWS.config.update({
+    const kms = new AWS.KMS({
       region,
       credentials: {
         accessKeyId: String(accessId),
         secretAccessKey: accessToken
       }
     });
-    const kms = new AWS.KMS();
+
     const aliases = await kms.listAliases({}).promise();
 
     const keyAliases = aliases.Aliases!.filter((alias) => {

backend/src/services/kms/internal-kms-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TInternalKmsDALFactory = ReturnType<typeof internalKmsDALFactory>;
+
+export const internalKmsDALFactory = (db: TDbClient) => {
+  const internalKmsOrm = ormify(db, TableName.InternalKms);
+  return internalKmsOrm;
+};

backend/src/services/kms/kms-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TKmsDALFactory = ReturnType<typeof kmsDALFactory>;
-
-export const kmsDALFactory = (db: TDbClient) => {
-  const kmsOrm = ormify(db, TableName.KmsKey);
-  return kmsOrm;
-};

backend/src/services/kms/kms-key-dal.ts

@@ -0,0 +1,64 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { KmsKeysSchema, TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+
+export type TKmsKeyDALFactory = ReturnType<typeof kmskeyDALFactory>;
+
+export const kmskeyDALFactory = (db: TDbClient) => {
+  const kmsOrm = ormify(db, TableName.KmsKey);
+
+  const findByIdWithAssociatedKms = async (id: string, tx?: Knex) => {
+    try {
+      const result = await (tx || db.replicaNode())(TableName.KmsKey)
+        .where({ [`${TableName.KmsKey}.id` as "id"]: id })
+        .leftJoin(TableName.InternalKms, `${TableName.KmsKey}.id`, `${TableName.InternalKms}.kmsKeyId`)
+        .leftJoin(TableName.ExternalKms, `${TableName.KmsKey}.id`, `${TableName.ExternalKms}.kmsKeyId`)
+        .first()
+        .select(selectAllTableCols(TableName.KmsKey))
+        .select(
+          db.ref("id").withSchema(TableName.InternalKms).as("internalKmsId"),
+          db.ref("encryptedKey").withSchema(TableName.InternalKms).as("internalKmsEncryptedKey"),
+          db.ref("encryptionAlgorithm").withSchema(TableName.InternalKms).as("internalKmsEncryptionAlgorithm"),
+          db.ref("version").withSchema(TableName.InternalKms).as("internalKmsVersion"),
+          db.ref("id").withSchema(TableName.InternalKms).as("internalKmsId")
+        )
+        .select(
+          db.ref("id").withSchema(TableName.ExternalKms).as("externalKmsId"),
+          db.ref("provider").withSchema(TableName.ExternalKms).as("externalKmsProvider"),
+          db.ref("encryptedProviderInputs").withSchema(TableName.ExternalKms).as("externalKmsEncryptedProviderInput"),
+          db.ref("status").withSchema(TableName.ExternalKms).as("externalKmsStatus"),
+          db.ref("statusDetails").withSchema(TableName.ExternalKms).as("externalKmsStatusDetails")
+        );
+
+      const data = {
+        ...KmsKeysSchema.parse(result),
+        isExternal: Boolean(result?.externalKmsId),
+        externalKms: result?.externalKmsId
+          ? {
+              id: result.externalKmsId,
+              provider: result.externalKmsProvider,
+              encryptedProviderInput: result.externalKmsEncryptedProviderInput,
+              status: result.externalKmsStatus,
+              statusDetails: result.externalKmsStatusDetails
+            }
+          : undefined,
+        internalKms: result?.internalKmsId
+          ? {
+              id: result.internalKmsId,
+              encryptedKey: result.internalKmsEncryptedKey,
+              encryptionAlgorithm: result.internalKmsEncryptionAlgorithm,
+              version: result.internalKmsVersion
+            }
+          : undefined
+      };
+      return data;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find by id" });
+    }
+  };
+
+  return { ...kmsOrm, findByIdWithAssociatedKms };
+};

backend/src/services/kms/kms-service.ts

@@ -1,18 +1,34 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { randomSecureBytes } from "@app/lib/crypto";
 import { symmetricCipherService, SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
 
-import { TKmsDALFactory } from "./kms-dal";
+import { TOrgDALFactory } from "../org/org-dal";
+import { TProjectDALFactory } from "../project/project-dal";
+import { TInternalKmsDALFactory } from "./internal-kms-dal";
+import { TKmsKeyDALFactory } from "./kms-key-dal";
 import { TKmsRootConfigDALFactory } from "./kms-root-config-dal";
-import { TDecryptWithKmsDTO, TEncryptWithKmsDTO, TGenerateKMSDTO } from "./kms-types";
+import {
+  TDecryptWithKeyDTO,
+  TDecryptWithKmsDTO,
+  TEncryptionWithKeyDTO,
+  TEncryptWithKmsDTO,
+  TGenerateKMSDTO
+} from "./kms-types";
 
 type TKmsServiceFactoryDep = {
-  kmsDAL: TKmsDALFactory;
+  kmsDAL: TKmsKeyDALFactory;
+  projectDAL: Pick<TProjectDALFactory, "findById" | "updateById" | "transaction">;
+  orgDAL: Pick<TOrgDALFactory, "findById" | "updateById" | "transaction">;
   kmsRootConfigDAL: Pick<TKmsRootConfigDALFactory, "findById" | "create">;
   keyStore: Pick<TKeyStoreFactory, "acquireLock" | "waitTillReady" | "setItemWithExpiry">;
+  internalKmsDAL: Pick<TInternalKmsDALFactory, "create">;
 };
 
 export type TKmsServiceFactory = ReturnType<typeof kmsServiceFactory>;
@@ -25,54 +41,158 @@ const KMS_ROOT_CREATION_WAIT_TIME = 10;
 // akhilmhdh: Don't edit this value. This is measured for blob concatination in kms
 const KMS_VERSION = "v01";
 const KMS_VERSION_BLOB_LENGTH = 3;
-export const kmsServiceFactory = ({ kmsDAL, kmsRootConfigDAL, keyStore }: TKmsServiceFactoryDep) => {
+export const kmsServiceFactory = ({
+  kmsDAL,
+  kmsRootConfigDAL,
+  keyStore,
+  internalKmsDAL,
+  orgDAL,
+  projectDAL
+}: TKmsServiceFactoryDep) => {
   let ROOT_ENCRYPTION_KEY = Buffer.alloc(0);
 
   // this is used symmetric encryption
-  const generateKmsKey = async ({ scopeId, scopeType, isReserved = true, tx }: TGenerateKMSDTO) => {
+  const generateKmsKey = async ({ orgId, isReserved = true, tx, slug }: TGenerateKMSDTO) => {
     const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
     const kmsKeyMaterial = randomSecureBytes(32);
     const encryptedKeyMaterial = cipher.encrypt(kmsKeyMaterial, ROOT_ENCRYPTION_KEY);
+    const sanitizedSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(32));
+    const dbQuery = async (db: Knex) => {
+      const kmsDoc = await kmsDAL.create({
+        slug: sanitizedSlug,
+        orgId,
+        isReserved
+      });
 
-    const { encryptedKey, ...doc } = await kmsDAL.create(
-      {
-        version: 1,
-        encryptedKey: encryptedKeyMaterial,
-        encryptionAlgorithm: SymmetricEncryption.AES_GCM_256,
-        isReserved,
-        orgId: scopeType === "org" ? scopeId : undefined,
-        projectId: scopeType === "project" ? scopeId : undefined
-      },
-      tx
-    );
+      const { encryptedKey, ...doc } = await internalKmsDAL.create(
+        {
+          version: 1,
+          encryptedKey: encryptedKeyMaterial,
+          encryptionAlgorithm: SymmetricEncryption.AES_GCM_256,
+          kmsKeyId: kmsDoc.id
+        },
+        db
+      );
+      return doc;
+    };
+    if (tx) return dbQuery(tx);
+    const doc = await kmsDAL.transaction(async (tx2) => dbQuery(tx2));
     return doc;
   };
 
-  const encrypt = async ({ kmsId, plainText }: TEncryptWithKmsDTO) => {
-    const kmsDoc = await kmsDAL.findById(kmsId);
+  const encryptWithKmsKey = async ({ kmsId }: Omit<TEncryptWithKmsDTO, "plainText">) => {
+    const kmsDoc = await kmsDAL.findByIdWithAssociatedKms(kmsId);
     if (!kmsDoc) throw new BadRequestError({ message: "KMS ID not found" });
     // akhilmhdh: as more encryption are added do a check here on kmsDoc.encryptionAlgorithm
     const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+    return ({ plainText }: Pick<TEncryptWithKmsDTO, "plainText">) => {
+      const kmsKey = cipher.decrypt(kmsDoc.internalKms?.encryptedKey as Buffer, ROOT_ENCRYPTION_KEY);
+      const encryptedPlainTextBlob = cipher.encrypt(plainText, kmsKey);
 
-    const kmsKey = cipher.decrypt(kmsDoc.encryptedKey, ROOT_ENCRYPTION_KEY);
-    const encryptedPlainTextBlob = cipher.encrypt(plainText, kmsKey);
-
-    // Buffer#1 encrypted text + Buffer#2 version number
-    const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
-    const cipherTextBlob = Buffer.concat([encryptedPlainTextBlob, versionBlob]);
-    return { cipherTextBlob };
+      // Buffer#1 encrypted text + Buffer#2 version number
+      const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
+      const cipherTextBlob = Buffer.concat([encryptedPlainTextBlob, versionBlob]);
+      return { cipherTextBlob };
+    };
   };
 
-  const decrypt = async ({ cipherTextBlob: versionedCipherTextBlob, kmsId }: TDecryptWithKmsDTO) => {
-    const kmsDoc = await kmsDAL.findById(kmsId);
-    if (!kmsDoc) throw new BadRequestError({ message: "KMS ID not found" });
+  const encryptWithInputKey = async ({ key }: Omit<TEncryptionWithKeyDTO, "plainText">) => {
     // akhilmhdh: as more encryption are added do a check here on kmsDoc.encryptionAlgorithm
     const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-    const kmsKey = cipher.decrypt(kmsDoc.encryptedKey, ROOT_ENCRYPTION_KEY);
+    return ({ plainText }: Pick<TEncryptWithKmsDTO, "plainText">) => {
+      const encryptedPlainTextBlob = cipher.encrypt(plainText, key);
+      // Buffer#1 encrypted text + Buffer#2 version number
+      const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
+      const cipherTextBlob = Buffer.concat([encryptedPlainTextBlob, versionBlob]);
+      return { cipherTextBlob };
+    };
+  };
 
-    const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
-    const decryptedBlob = cipher.decrypt(cipherTextBlob, kmsKey);
-    return decryptedBlob;
+  const decryptWithKmsKey = async ({ kmsId }: Omit<TDecryptWithKmsDTO, "cipherTextBlob">) => {
+    const kmsDoc = await kmsDAL.findByIdWithAssociatedKms(kmsId);
+    if (!kmsDoc) throw new BadRequestError({ message: "KMS ID not found" });
+    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+    const kmsKey = cipher.decrypt(kmsDoc.internalKms?.encryptedKey as Buffer, ROOT_ENCRYPTION_KEY);
+
+    return ({ cipherTextBlob: versionedCipherTextBlob }: Pick<TDecryptWithKmsDTO, "cipherTextBlob">) => {
+      const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
+      const decryptedBlob = cipher.decrypt(cipherTextBlob, kmsKey);
+      return decryptedBlob;
+    };
+  };
+
+  const decryptWithInputKey = async ({ key }: Omit<TDecryptWithKeyDTO, "cipherTextBlob">) => {
+    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+
+    return ({ cipherTextBlob: versionedCipherTextBlob }: Pick<TDecryptWithKeyDTO, "cipherTextBlob">) => {
+      const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
+      const decryptedBlob = cipher.decrypt(cipherTextBlob, key);
+      return decryptedBlob;
+    };
+  };
+
+  const getOrgKmsKeyId = async (orgId: string) => {
+    const keyId = await orgDAL.transaction(async (tx) => {
+      const org = await orgDAL.findById(orgId, tx);
+      if (!org) {
+        throw new BadRequestError({ message: "Org not found" });
+      }
+
+      if (!org.kmsDefaultKeyId) {
+        // create default kms key for certificate service
+        const key = await generateKmsKey({
+          isReserved: true,
+          orgId: org.id,
+          tx
+        });
+
+        await orgDAL.updateById(
+          org.id,
+          {
+            kmsDefaultKeyId: key.id
+          },
+          tx
+        );
+
+        return key.id;
+      }
+
+      return org.kmsDefaultKeyId;
+    });
+
+    return keyId;
+  };
+
+  const getProjectSecretManagerKmsKeyId = async (projectId: string) => {
+    const keyId = await projectDAL.transaction(async (tx) => {
+      const project = await projectDAL.findById(projectId, tx);
+      if (!project) {
+        throw new BadRequestError({ message: "Project not found" });
+      }
+
+      if (!project.kmsSecretManagerKeyId) {
+        // create default kms key for certificate service
+        const key = await generateKmsKey({
+          isReserved: true,
+          orgId: project.orgId,
+          tx
+        });
+
+        await projectDAL.updateById(
+          projectId,
+          {
+            kmsSecretManagerKeyId: key.id
+          },
+          tx
+        );
+
+        return key.id;
+      }
+
+      return project.kmsSecretManagerKeyId;
+    });
+
+    return keyId;
   };
 
   const startService = async () => {
@@ -123,7 +243,11 @@ export const kmsServiceFactory = ({ kmsDAL, kmsRootConfigDAL, keyStore }: TKmsSe
   return {
     startService,
     generateKmsKey,
-    encrypt,
-    decrypt
+    encryptWithKmsKey,
+    encryptWithInputKey,
+    decryptWithKmsKey,
+    decryptWithInputKey,
+    getOrgKmsKeyId,
+    getProjectSecretManagerKmsKeyId
   };
 };

backend/src/services/kms/kms-types.ts

@@ -1,9 +1,9 @@
 import { Knex } from "knex";
 
 export type TGenerateKMSDTO = {
-  scopeType: "project" | "org";
-  scopeId: string;
+  orgId: string;
   isReserved?: boolean;
+  slug?: string;
   tx?: Knex;
 };
 
@@ -12,7 +12,17 @@ export type TEncryptWithKmsDTO = {
   plainText: Buffer;
 };
 
+export type TEncryptionWithKeyDTO = {
+  key: Buffer;
+  plainText: Buffer;
+};
+
 export type TDecryptWithKmsDTO = {
   kmsId: string;
   cipherTextBlob: Buffer;
 };
+
+export type TDecryptWithKeyDTO = {
+  key: Buffer;
+  cipherTextBlob: Buffer;
+};

backend/src/services/org/org-dal.ts

@@ -74,7 +74,6 @@ export const orgDALFactory = (db: TDbClient) => {
           db.ref("role").withSchema(TableName.OrgMembership),
           db.ref("roleId").withSchema(TableName.OrgMembership),
           db.ref("status").withSchema(TableName.OrgMembership),
-          db.ref("isActive").withSchema(TableName.OrgMembership),
           db.ref("email").withSchema(TableName.Users),
           db.ref("username").withSchema(TableName.Users),
           db.ref("firstName").withSchema(TableName.Users),
@@ -208,9 +207,9 @@ export const orgDALFactory = (db: TDbClient) => {
     }
   };
 
-  const updateById = async (orgId: string, data: Partial<TOrganizations>) => {
+  const updateById = async (orgId: string, data: Partial<TOrganizations>, tx?: Knex) => {
     try {
-      const [org] = await db(TableName.Organization)
+      const [org] = await (tx || db)(TableName.Organization)
         .where({ id: orgId })
         .update({ ...data })
         .returning("*");

backend/src/services/org/org-service.ts

@@ -144,10 +144,7 @@ export const orgServiceFactory = ({
     return members;
   };
 
-  const findAllWorkspaces = async ({ actor, actorId, actorOrgId, actorAuthMethod, orgId }: TFindAllWorkspacesDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Workspace);
-
+  const findAllWorkspaces = async ({ actor, actorId, orgId }: TFindAllWorkspacesDTO) => {
     const organizationWorkspaceIds = new Set((await projectDAL.find({ orgId })).map((workspace) => workspace.id));
 
     let workspaces: (TProjects & { organization: string } & {
@@ -207,8 +204,7 @@ export const orgServiceFactory = ({
       orgId,
       userId: user.id,
       role: OrgMembershipRole.Admin,
-      status: OrgMembershipStatus.Accepted,
-      isActive: true
+      status: OrgMembershipStatus.Accepted
     };
 
     await orgDAL.createMembership(createMembershipData, tx);
@@ -312,8 +308,7 @@ export const orgServiceFactory = ({
           userId,
           orgId: org.id,
           role: OrgMembershipRole.Admin,
-          status: OrgMembershipStatus.Accepted,
-          isActive: true
+          status: OrgMembershipStatus.Accepted
         },
         tx
       );
@@ -462,8 +457,7 @@ export const orgServiceFactory = ({
               inviteEmail: inviteeEmail,
               orgId,
               role: OrgMembershipRole.Member,
-              status: OrgMembershipStatus.Invited,
-              isActive: true
+              status: OrgMembershipStatus.Invited
             },
             tx
           );
@@ -494,8 +488,7 @@ export const orgServiceFactory = ({
           orgId,
           userId: user.id,
           role: OrgMembershipRole.Member,
-          status: OrgMembershipStatus.Invited,
-          isActive: true
+          status: OrgMembershipStatus.Invited
         },
         tx
       );

backend/src/services/project/project-fns.ts

@@ -71,9 +71,8 @@ export const getProjectKmsCertificateKeyId = async ({
     if (!project.kmsCertificateKeyId) {
       // create default kms key for certificate service
       const key = await kmsService.generateKmsKey({
-        scopeId: projectId,
-        scopeType: "project",
         isReserved: true,
+        orgId: project.orgId,
         tx
       });
 

backend/src/services/secret/secret-queue.ts

@@ -642,7 +642,7 @@ export const secretQueueFactory = ({
   });
 
   queueService.start(QueueName.SecretWebhook, async (job) => {
-    await fnTriggerWebhook({ ...job.data, projectEnvDAL, webhookDAL });
+    await fnTriggerWebhook({ ...job.data, projectEnvDAL, webhookDAL, projectDAL });
   });
 
   return {

backend/src/services/webhook/webhook-fns.ts

@@ -9,6 +9,7 @@ import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 
+import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TWebhookDALFactory } from "./webhook-dal";
 import { WebhookType } from "./webhook-types";
@@ -66,11 +67,16 @@ export const triggerWebhookRequest = async (webhook: TWebhooks, data: Record<str
 
 export const getWebhookPayload = (
   eventName: string,
-  workspaceId: string,
-  environment: string,
-  secretPath?: string,
-  type?: string | null
+  details: {
+    workspaceName: string;
+    workspaceId: string;
+    environment: string;
+    secretPath?: string;
+    type?: string | null;
+  }
 ) => {
+  const { workspaceName, workspaceId, environment, secretPath, type } = details;
+
   switch (type) {
     case WebhookType.SLACK:
       return {
@@ -80,8 +86,8 @@ export const getWebhookPayload = (
             color: "#E7F256",
             fields: [
               {
-                title: "Workspace ID",
-                value: workspaceId,
+                title: "Project",
+                value: workspaceName,
                 short: false
               },
               {
@@ -117,7 +123,9 @@ export type TFnTriggerWebhookDTO = {
   environment: string;
   webhookDAL: Pick<TWebhookDALFactory, "findAllWebhooks" | "transaction" | "update" | "bulkUpdate">;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
+  projectDAL: Pick<TProjectDALFactory, "findById">;
 };
+
 // this is reusable function
 // used in secret queue to trigger webhook and update status when secrets changes
 export const fnTriggerWebhook = async ({
@@ -125,7 +133,8 @@ export const fnTriggerWebhook = async ({
   secretPath,
   projectId,
   webhookDAL,
-  projectEnvDAL
+  projectEnvDAL,
+  projectDAL
 }: TFnTriggerWebhookDTO) => {
   const webhooks = await webhookDAL.findAllWebhooks(projectId, environment);
   const toBeTriggeredHooks = webhooks.filter(
@@ -134,9 +143,19 @@ export const fnTriggerWebhook = async ({
   );
   if (!toBeTriggeredHooks.length) return;
   logger.info("Secret webhook job started", { environment, secretPath, projectId });
+  const project = await projectDAL.findById(projectId);
   const webhooksTriggered = await Promise.allSettled(
     toBeTriggeredHooks.map((hook) =>
-      triggerWebhookRequest(hook, getWebhookPayload("secrets.modified", projectId, environment, secretPath, hook.type))
+      triggerWebhookRequest(
+        hook,
+        getWebhookPayload("secrets.modified", {
+          workspaceName: project.name,
+          workspaceId: projectId,
+          environment,
+          secretPath,
+          type: hook.type
+        })
+      )
     )
   );
 

backend/src/services/webhook/webhook-service.ts

@@ -6,6 +6,7 @@ import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services
 import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
 
+import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TWebhookDALFactory } from "./webhook-dal";
 import { decryptWebhookDetails, getWebhookPayload, triggerWebhookRequest } from "./webhook-fns";
@@ -20,12 +21,18 @@ import {
 type TWebhookServiceFactoryDep = {
   webhookDAL: TWebhookDALFactory;
   projectEnvDAL: TProjectEnvDALFactory;
+  projectDAL: Pick<TProjectDALFactory, "findById">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
 };
 
 export type TWebhookServiceFactory = ReturnType<typeof webhookServiceFactory>;
 
-export const webhookServiceFactory = ({ webhookDAL, projectEnvDAL, permissionService }: TWebhookServiceFactoryDep) => {
+export const webhookServiceFactory = ({
+  webhookDAL,
+  projectEnvDAL,
+  permissionService,
+  projectDAL
+}: TWebhookServiceFactoryDep) => {
   const createWebhook = async ({
     actor,
     actorId,
@@ -124,13 +131,21 @@ export const webhookServiceFactory = ({ webhookDAL, projectEnvDAL, permissionSer
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Webhooks);
 
+    const project = await projectDAL.findById(webhook.projectId);
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Webhooks);
     let webhookError: string | undefined;
     try {
       await triggerWebhookRequest(
         webhook,
-        getWebhookPayload("test", webhook.projectId, webhook.environment.slug, webhook.secretPath, webhook.type)
+        getWebhookPayload("test", {
+          workspaceName: project.name,
+          workspaceId: webhook.projectId,
+          environment: webhook.environment.slug,
+          secretPath: webhook.secretPath,
+          type: webhook.type
+        })
       );
     } catch (err) {
       webhookError = (err as Error).message;

frontend/src/hooks/api/users/types.ts

@@ -60,7 +60,6 @@ export type OrgUser = {
   status: "invited" | "accepted" | "verified" | "completed";
   deniedPermissions: any[];
   roleId: string;
-  isActive: boolean;
 };
 
 export type TProjectMembership = {

frontend/src/views/Org/MembersPage/components/OrgMembersTab/components/OrgMembersSection/OrgMembersTable.tsx

@@ -171,14 +171,14 @@ export const OrgMembersTable = ({ handlePopUpOpen, setCompleteInviteLink }: Prop
             {isLoading && <TableSkeleton columns={5} innerKey="org-members" />}
             {!isLoading &&
               filterdUser?.map(
-                ({ user: u, inviteEmail, role, roleId, id: orgMembershipId, status, isActive }) => {
+                ({ user: u, inviteEmail, role, roleId, id: orgMembershipId, status }) => {
                   const name = u && u.firstName ? `${u.firstName} ${u.lastName}` : "-";
                   const email = u?.email || inviteEmail;
                   const username = u?.username ?? inviteEmail ?? "-";
                   return (
                     <Tr key={`org-membership-${orgMembershipId}`} className="w-full">
-                      <Td className={isActive ? "" : "text-mineshaft-400"}>{name}</Td>
-                      <Td className={isActive ? "" : "text-mineshaft-400"}>{username}</Td>
+                      <Td>{name}</Td>
+                      <Td>{username}</Td>
                       <Td>
                         <OrgPermissionCan
                           I={OrgPermissionActions.Edit}
@@ -186,18 +186,7 @@ export const OrgMembersTable = ({ handlePopUpOpen, setCompleteInviteLink }: Prop
                         >
                           {(isAllowed) => (
                             <>
-                              {!isActive && (
-                                <Button
-                                  isDisabled
-                                  className="w-40"
-                                  colorSchema="primary"
-                                  variant="outline_bg"
-                                  onClick={() => {}}
-                                >
-                                  Suspended
-                                </Button>
-                              )}
-                              {isActive && status === "accepted" && (
+                              {status === "accepted" && (
                                 <Select
                                   value={role === "custom" ? findRoleFromId(roleId)?.slug : role}
                                   isDisabled={userId === u?.id || !isAllowed}
@@ -218,8 +207,7 @@ export const OrgMembersTable = ({ handlePopUpOpen, setCompleteInviteLink }: Prop
                                     ))}
                                 </Select>
                               )}
-                              {isActive &&
-                                (status === "invited" || status === "verified") &&
+                              {(status === "invited" || status === "verified") &&
                                 email &&
                                 serverDetails?.emailConfigured && (
                                   <Button