Merge pull request #3647 from Infisical/ENG-2814

feat(secret-sync): 1Password Secret Sync + App Connection

backend/src/@types/fastify.d.ts

@@ -68,6 +68,7 @@ import { TIdentityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
 import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
+import { TIdentityOciAuthServiceFactory } from "@app/services/identity-oci-auth/identity-oci-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
@@ -109,6 +110,7 @@ import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integ
 declare module "@fastify/request-context" {
   interface RequestContextData {
     reqId: string;
+    orgId?: string;
     identityAuthInfo?: {
       identityId: string;
       oidc?: {
@@ -209,6 +211,7 @@ declare module "fastify" {
       identityGcpAuth: TIdentityGcpAuthServiceFactory;
       identityAwsAuth: TIdentityAwsAuthServiceFactory;
       identityAzureAuth: TIdentityAzureAuthServiceFactory;
+      identityOciAuth: TIdentityOciAuthServiceFactory;
       identityOidcAuth: TIdentityOidcAuthServiceFactory;
       identityJwtAuth: TIdentityJwtAuthServiceFactory;
       identityLdapAuth: TIdentityLdapAuthServiceFactory;

backend/src/@types/knex.d.ts

@@ -119,6 +119,9 @@ import {
   TIdentityMetadata,
   TIdentityMetadataInsert,
   TIdentityMetadataUpdate,
+  TIdentityOciAuths,
+  TIdentityOciAuthsInsert,
+  TIdentityOciAuthsUpdate,
   TIdentityOidcAuths,
   TIdentityOidcAuthsInsert,
   TIdentityOidcAuthsUpdate,
@@ -738,6 +741,11 @@ declare module "knex/types/tables" {
       TIdentityAzureAuthsInsert,
       TIdentityAzureAuthsUpdate
     >;
+    [TableName.IdentityOciAuth]: KnexOriginal.CompositeTableType<
+      TIdentityOciAuths,
+      TIdentityOciAuthsInsert,
+      TIdentityOciAuthsUpdate
+    >;
     [TableName.IdentityOidcAuth]: KnexOriginal.CompositeTableType<
       TIdentityOidcAuths,
       TIdentityOidcAuthsInsert,

backend/src/db/migrations/20250430174352_email-case-change.ts

@@ -0,0 +1,47 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEmail = await knex.schema.hasColumn(TableName.Users, "email");
+  const hasUsername = await knex.schema.hasColumn(TableName.Users, "username");
+  if (hasEmail) {
+    await knex(TableName.Users)
+      .where({ isGhost: false })
+      .update({
+        // @ts-expect-error email assume string this is expected
+        email: knex.raw("lower(email)")
+      });
+  }
+  if (hasUsername) {
+    await knex.schema.raw(`
+      CREATE INDEX IF NOT EXISTS ${TableName.Users}_lower_username_idx 
+      ON ${TableName.Users} (LOWER(username))
+    `);
+
+    const duplicatesSubquery = knex(TableName.Users)
+      .select(knex.raw("lower(username) as lowercase_username"))
+      .groupBy("lowercase_username")
+      .having(knex.raw("count(*)"), ">", 1);
+
+    // Update usernames to lowercase where they won't create duplicates
+    await knex(TableName.Users)
+      .where({ isGhost: false })
+      .whereRaw("username <> lower(username)") // Only update if not already lowercase
+      // @ts-expect-error username assume string this is expected
+      .whereNotIn(knex.raw("lower(username)"), duplicatesSubquery)
+      .update({
+        // @ts-expect-error username assume string this is expected
+        username: knex.raw("lower(username)")
+      });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasUsername = await knex.schema.hasColumn(TableName.Users, "username");
+  if (hasUsername) {
+    await knex.schema.raw(`
+  DROP INDEX IF EXISTS ${TableName.Users}_lower_username_idx
+`);
+  }
+}

backend/src/db/migrations/20250508210717_identity-oci-auth.ts

@@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityOciAuth))) {
+    await knex.schema.createTable(TableName.IdentityOciAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
+
+      t.string("tenancyOcid").notNullable();
+      t.string("allowedUsernames").nullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityOciAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityOciAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityOciAuth);
+}

backend/src/db/migrations/20250512103022_identity-kubernetes-auth-gateway.ts

@@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasGatewayIdColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "gatewayId");
+
+  if (!hasGatewayIdColumn) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
+      table.uuid("gatewayId").nullable();
+      table.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("SET NULL");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasGatewayIdColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "gatewayId");
+
+  if (hasGatewayIdColumn) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
+      table.dropForeign("gatewayId");
+      table.dropColumn("gatewayId");
+    });
+  }
+}

backend/src/db/migrations/20250513081738_remove-gateway-project-link.ts

@@ -0,0 +1,110 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { selectAllTableCols } from "@app/lib/knex";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+// Note(daniel): We aren't dropping tables or columns in this migrations so we can easily rollback if needed.
+// In the future we need to drop the projectGatewayId on the dynamic secrets table, and drop the project_gateways table entirely.
+
+const BATCH_SIZE = 500;
+
+export async function up(knex: Knex): Promise<void> {
+  // eslint-disable-next-line no-param-reassign
+  knex.replicaNode = () => {
+    return knex;
+  };
+
+  if (!(await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId"))) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (table) => {
+      table.uuid("gatewayId").nullable();
+      table.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("SET NULL");
+
+      table.index("gatewayId");
+    });
+
+    const existingDynamicSecretsWithProjectGatewayId = await knex(TableName.DynamicSecret)
+      .select(selectAllTableCols(TableName.DynamicSecret))
+      .whereNotNull(`${TableName.DynamicSecret}.projectGatewayId`)
+      .join(TableName.ProjectGateway, `${TableName.ProjectGateway}.id`, `${TableName.DynamicSecret}.projectGatewayId`)
+      .whereNotNull(`${TableName.ProjectGateway}.gatewayId`)
+      .select(
+        knex.ref("projectId").withSchema(TableName.ProjectGateway).as("projectId"),
+        knex.ref("gatewayId").withSchema(TableName.ProjectGateway).as("projectGatewayGatewayId")
+      );
+
+    initLogger();
+    const envConfig = getMigrationEnvConfig();
+    const keyStore = inMemoryKeyStore();
+    const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+
+    const updatedDynamicSecrets = await Promise.all(
+      existingDynamicSecretsWithProjectGatewayId.map(async (existingDynamicSecret) => {
+        if (!existingDynamicSecret.projectGatewayGatewayId) {
+          const result = {
+            ...existingDynamicSecret,
+            gatewayId: null
+          };
+
+          const { projectId, projectGatewayGatewayId, ...rest } = result;
+          return rest;
+        }
+
+        const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+          type: KmsDataKey.SecretManager,
+          projectId: existingDynamicSecret.projectId
+        });
+        const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
+          type: KmsDataKey.SecretManager,
+          projectId: existingDynamicSecret.projectId
+        });
+
+        let decryptedStoredInput = JSON.parse(
+          secretManagerDecryptor({ cipherTextBlob: Buffer.from(existingDynamicSecret.encryptedInput) }).toString()
+        ) as object;
+
+        // We're not removing the existing projectGatewayId from the input so we can easily rollback without having to re-encrypt the input
+        decryptedStoredInput = {
+          ...decryptedStoredInput,
+          gatewayId: existingDynamicSecret.projectGatewayGatewayId
+        };
+
+        const encryptedInput = secretManagerEncryptor({
+          plainText: Buffer.from(JSON.stringify(decryptedStoredInput))
+        }).cipherTextBlob;
+
+        const result = {
+          ...existingDynamicSecret,
+          encryptedInput,
+          gatewayId: existingDynamicSecret.projectGatewayGatewayId
+        };
+
+        const { projectId, projectGatewayGatewayId, ...rest } = result;
+        return rest;
+      })
+    );
+
+    for (let i = 0; i < updatedDynamicSecrets.length; i += BATCH_SIZE) {
+      // eslint-disable-next-line no-await-in-loop
+      await knex(TableName.DynamicSecret)
+        .insert(updatedDynamicSecrets.slice(i, i + BATCH_SIZE))
+        .onConflict("id")
+        .merge();
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // no re-encryption needed as we keep the old projectGatewayId in the input
+  if (await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId")) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (table) => {
+      table.dropForeign("gatewayId");
+      table.dropColumn("gatewayId");
+    });
+  }
+}

backend/src/db/migrations/20250515164622_select-org-products.ts

@@ -0,0 +1,53 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const columns = await knex.table(TableName.Organization).columnInfo();
+
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (!columns.secretsProductEnabled) {
+      t.boolean("secretsProductEnabled").defaultTo(true);
+    }
+    if (!columns.pkiProductEnabled) {
+      t.boolean("pkiProductEnabled").defaultTo(true);
+    }
+    if (!columns.kmsProductEnabled) {
+      t.boolean("kmsProductEnabled").defaultTo(true);
+    }
+    if (!columns.sshProductEnabled) {
+      t.boolean("sshProductEnabled").defaultTo(true);
+    }
+    if (!columns.scannerProductEnabled) {
+      t.boolean("scannerProductEnabled").defaultTo(true);
+    }
+    if (!columns.shareSecretsProductEnabled) {
+      t.boolean("shareSecretsProductEnabled").defaultTo(true);
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const columns = await knex.table(TableName.Organization).columnInfo();
+
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (columns.secretsProductEnabled) {
+      t.dropColumn("secretsProductEnabled");
+    }
+    if (columns.pkiProductEnabled) {
+      t.dropColumn("pkiProductEnabled");
+    }
+    if (columns.kmsProductEnabled) {
+      t.dropColumn("kmsProductEnabled");
+    }
+    if (columns.sshProductEnabled) {
+      t.dropColumn("sshProductEnabled");
+    }
+    if (columns.scannerProductEnabled) {
+      t.dropColumn("scannerProductEnabled");
+    }
+    if (columns.shareSecretsProductEnabled) {
+      t.dropColumn("shareSecretsProductEnabled");
+    }
+  });
+}

backend/src/db/migrations/20250516021501_toggle-secret-sharing-on-project.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasSecretSharingColumn = await knex.schema.hasColumn(TableName.Project, "secretSharing");
+  if (!hasSecretSharingColumn) {
+    await knex.schema.table(TableName.Project, (table) => {
+      table.boolean("secretSharing").notNullable().defaultTo(true);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasSecretSharingColumn = await knex.schema.hasColumn(TableName.Project, "secretSharing");
+  if (hasSecretSharingColumn) {
+    await knex.schema.table(TableName.Project, (table) => {
+      table.dropColumn("secretSharing");
+    });
+  }
+}

backend/src/db/migrations/20250516192508_secret-sharing-limits-for-org.ts

@@ -0,0 +1,35 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasLifetimeColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretLifetime");
+  const hasViewLimitColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretViewLimit");
+
+  if (!hasLifetimeColumn || !hasViewLimitColumn) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      if (!hasLifetimeColumn) {
+        t.integer("maxSharedSecretLifetime").nullable().defaultTo(2592000); // 30 days in seconds
+      }
+      if (!hasViewLimitColumn) {
+        t.integer("maxSharedSecretViewLimit").nullable();
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasLifetimeColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretLifetime");
+  const hasViewLimitColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretViewLimit");
+
+  if (hasLifetimeColumn || hasViewLimitColumn) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      if (hasLifetimeColumn) {
+        t.dropColumn("maxSharedSecretLifetime");
+      }
+      if (hasViewLimitColumn) {
+        t.dropColumn("maxSharedSecretViewLimit");
+      }
+    });
+  }
+}

backend/src/db/migrations/20250517002223_secret-share-to-specific-emails.ts

@@ -0,0 +1,43 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+    const hasAuthorizedEmails = await knex.schema.hasColumn(TableName.SecretSharing, "authorizedEmails");
+
+    if (!hasEncryptedSalt || !hasAuthorizedEmails) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        // These two columns are only needed when secrets are shared with a specific list of emails
+
+        if (!hasEncryptedSalt) {
+          t.binary("encryptedSalt").nullable();
+        }
+
+        if (!hasAuthorizedEmails) {
+          t.json("authorizedEmails").nullable();
+        }
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+    const hasAuthorizedEmails = await knex.schema.hasColumn(TableName.SecretSharing, "authorizedEmails");
+
+    if (hasEncryptedSalt || hasAuthorizedEmails) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        if (hasEncryptedSalt) {
+          t.dropColumn("encryptedSalt");
+        }
+
+        if (hasAuthorizedEmails) {
+          t.dropColumn("authorizedEmails");
+        }
+      });
+    }
+  }
+}

backend/src/db/migrations/20250521061831_increase-name-sizes.ts

@@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.SecretSync, (t) => {
+    t.string("name", 64).notNullable().alter();
+  });
+  await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
+    t.string("name", 64).notNullable().alter();
+  });
+  await knex.schema.alterTable(TableName.AppConnection, (t) => {
+    t.string("name", 64).notNullable().alter();
+  });
+  await knex.schema.alterTable(TableName.SecretRotationV2, (t) => {
+    t.string("name", 64).notNullable().alter();
+  });
+}
+
+export async function down(): Promise<void> {
+  // No down migration or it will error
+}

backend/src/db/schemas/dynamic-secrets.ts

@@ -27,7 +27,8 @@ export const DynamicSecretsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   encryptedInput: zodBuffer,
-  projectGatewayId: z.string().uuid().nullable().optional()
+  projectGatewayId: z.string().uuid().nullable().optional(),
+  gatewayId: z.string().uuid().nullable().optional()
 });
 
 export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -29,7 +29,8 @@ export const IdentityKubernetesAuthsSchema = z.object({
   allowedNames: z.string(),
   allowedAudience: z.string(),
   encryptedKubernetesTokenReviewerJwt: zodBuffer.nullable().optional(),
-  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional()
+  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional(),
+  gatewayId: z.string().uuid().nullable().optional()
 });
 
 export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;

backend/src/db/schemas/identity-oci-auths.ts

@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityOciAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  type: z.string(),
+  tenancyOcid: z.string(),
+  allowedUsernames: z.string().nullable().optional()
+});
+
+export type TIdentityOciAuths = z.infer<typeof IdentityOciAuthsSchema>;
+export type TIdentityOciAuthsInsert = Omit<z.input<typeof IdentityOciAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityOciAuthsUpdate = Partial<Omit<z.input<typeof IdentityOciAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/index.ts

@@ -37,6 +37,7 @@ export * from "./identity-gcp-auths";
 export * from "./identity-jwt-auths";
 export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";
+export * from "./identity-oci-auths";
 export * from "./identity-oidc-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";

backend/src/db/schemas/models.ts

@@ -79,6 +79,7 @@ export enum TableName {
   IdentityAzureAuth = "identity_azure_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
   IdentityAwsAuth = "identity_aws_auths",
+  IdentityOciAuth = "identity_oci_auths",
   IdentityOidcAuth = "identity_oidc_auths",
   IdentityJwtAuth = "identity_jwt_auths",
   IdentityLdapAuth = "identity_ldap_auths",
@@ -233,6 +234,7 @@ export enum IdentityAuthMethod {
   GCP_AUTH = "gcp-auth",
   AWS_AUTH = "aws-auth",
   AZURE_AUTH = "azure-auth",
+  OCI_AUTH = "oci-auth",
   OIDC_AUTH = "oidc-auth",
   JWT_AUTH = "jwt-auth",
   LDAP_AUTH = "ldap-auth"

backend/src/db/schemas/organizations.ts

@@ -28,7 +28,15 @@ export const OrganizationsSchema = z.object({
   privilegeUpgradeInitiatedByUsername: z.string().nullable().optional(),
   privilegeUpgradeInitiatedAt: z.date().nullable().optional(),
   bypassOrgAuthEnabled: z.boolean().default(false),
-  userTokenExpiration: z.string().nullable().optional()
+  userTokenExpiration: z.string().nullable().optional(),
+  secretsProductEnabled: z.boolean().default(true).nullable().optional(),
+  pkiProductEnabled: z.boolean().default(true).nullable().optional(),
+  kmsProductEnabled: z.boolean().default(true).nullable().optional(),
+  sshProductEnabled: z.boolean().default(true).nullable().optional(),
+  scannerProductEnabled: z.boolean().default(true).nullable().optional(),
+  shareSecretsProductEnabled: z.boolean().default(true).nullable().optional(),
+  maxSharedSecretLifetime: z.number().default(2592000).nullable().optional(),
+  maxSharedSecretViewLimit: z.number().nullable().optional()
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/db/schemas/projects.ts

@@ -27,7 +27,8 @@ export const ProjectsSchema = z.object({
   description: z.string().nullable().optional(),
   type: z.string(),
   enforceCapitalization: z.boolean().default(false),
-  hasDeleteProtection: z.boolean().default(false).nullable().optional()
+  hasDeleteProtection: z.boolean().default(false).nullable().optional(),
+  secretSharing: z.boolean().default(true)
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/secret-sharing.ts

@@ -27,7 +27,9 @@ export const SecretSharingSchema = z.object({
   password: z.string().nullable().optional(),
   encryptedSecret: zodBuffer.nullable().optional(),
   identifier: z.string().nullable().optional(),
-  type: z.string().default("share")
+  type: z.string().default("share"),
+  encryptedSalt: zodBuffer.nullable().optional(),
+  authorizedEmails: z.unknown().nullable().optional()
 });
 
 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -154,7 +154,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
         requestId: z.string().trim()
       }),
       body: z.object({
-        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED])
+        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED]),
+        bypassReason: z.string().min(10).max(1000).optional()
       }),
       response: {
         200: z.object({
@@ -170,7 +171,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         requestId: req.params.requestId,
-        status: req.body.status
+        status: req.body.status,
+        bypassReason: req.body.bypassReason
       });
 
       return { review };

backend/src/ee/routes/v1/app-connection-routers/oci-connection-router.ts

@@ -1,16 +1,16 @@
 import z from "zod";
 
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
   CreateOCIConnectionSchema,
   SanitizedOCIConnectionSchema,
   UpdateOCIConnectionSchema
-} from "@app/services/app-connection/oci";
+} from "@app/ee/services/app-connections/oci";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { AuthMode } from "@app/services/auth/auth-type";
 
-import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+import { registerAppConnectionEndpoints } from "../../../../server/routes/v1/app-connection-routers/app-connection-endpoints";
 
 export const registerOCIConnectionRouter = async (server: FastifyZodProvider) => {
   registerAppConnectionEndpoints({

backend/src/ee/routes/v1/gateway-router.ts

@@ -121,14 +121,7 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
             identity: z.object({
               name: z.string(),
               id: z.string()
-            }),
-            projects: z
-              .object({
-                name: z.string(),
-                id: z.string(),
-                slug: z.string()
-              })
-              .array()
+            })
           }).array()
         })
       }
@@ -158,17 +151,15 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
             identity: z.object({
               name: z.string(),
               id: z.string()
-            }),
-            projectGatewayId: z.string()
+            })
           }).array()
         })
       }
     },
     onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
     handler: async (req) => {
-      const gateways = await server.services.gateway.getProjectGateways({
-        projectId: req.params.projectId,
-        projectPermission: req.permission
+      const gateways = await server.services.gateway.listGateways({
+        orgPermission: req.permission
       });
       return { gateways };
     }
@@ -216,8 +207,7 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
         id: z.string()
       }),
       body: z.object({
-        name: slugSchema({ field: "name" }).optional(),
-        projectIds: z.string().array().optional()
+        name: slugSchema({ field: "name" }).optional()
       }),
       response: {
         200: z.object({
@@ -230,8 +220,7 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
       const gateway = await server.services.gateway.updateGatewayById({
         orgPermission: req.permission,
         id: req.params.id,
-        name: req.body.name,
-        projectIds: req.body.projectIds
+        name: req.body.name
       });
       return { gateway };
     }

backend/src/ee/routes/v1/saml-router.ts

@@ -145,7 +145,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
 
           const { isUserCompleted, providerAuthToken } = await server.services.saml.samlLogin({
             externalId: profile.nameID,
-            email,
+            email: email.toLowerCase(),
             firstName,
             lastName: lastName as string,
             relayState: (req.body as { RelayState?: string }).RelayState,

backend/src/ee/routes/v1/secret-sync-routers/oci-vault-sync-router.ts

@@ -2,11 +2,10 @@ import {
   CreateOCIVaultSyncSchema,
   OCIVaultSyncSchema,
   UpdateOCIVaultSyncSchema
-} from "@app/services/secret-sync/oci-vault";
+} from "@app/ee/services/secret-sync/oci-vault";
+import { registerSyncSecretsEndpoints } from "@app/server/routes/v1/secret-sync-routers/secret-sync-endpoints";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 
-import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
-
 export const registerOCIVaultSyncRouter = async (server: FastifyZodProvider) =>
   registerSyncSecretsEndpoints({
     destination: SecretSync.OCIVault,

backend/src/ee/routes/v1/ssh-certificate-template-router.ts

@@ -97,7 +97,7 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
           allowCustomKeyIds: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowCustomKeyIds)
         })
         .refine((data) => ms(data.maxTTL) >= ms(data.ttl), {
-          message: "Max TLL must be greater than or equal to TTL",
+          message: "Max TTL must be greater than or equal to TTL",
           path: ["maxTTL"]
         }),
       response: {

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
@@ -98,7 +98,7 @@ export const accessApprovalPolicyServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
+      ProjectPermissionApprovalActions.Create,
       ProjectPermissionSub.SecretApproval
     );
     const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
@@ -256,7 +256,10 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Edit,
+      ProjectPermissionSub.SecretApproval
+    );
 
     const updatedPolicy = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.updateById(
@@ -341,7 +344,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
+      ProjectPermissionApprovalActions.Delete,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -432,7 +435,10 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionSub.SecretApproval
+    );
 
     return policy;
   };

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -6,6 +6,7 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { EnforcementLevel } from "@app/lib/types";
 import { triggerWorkflowIntegrationNotification } from "@app/lib/workflow-integrations/trigger-notification";
 import { TriggerFeature } from "@app/lib/workflow-integrations/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -22,6 +23,7 @@ import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-poli
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
+import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
 import { TAccessApprovalRequestDALFactory } from "./access-approval-request-dal";
@@ -323,26 +325,22 @@ export const accessApprovalRequestServiceFactory = ({
     status,
     actorId,
     actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    bypassReason
   }: TReviewAccessRequestDTO) => {
     const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
     if (!accessApprovalRequest) {
       throw new NotFoundError({ message: `Secret approval request with ID '${requestId}' not found` });
     }
 
-    const { policy } = accessApprovalRequest;
+    const { policy, environment } = accessApprovalRequest;
     if (policy.deletedAt) {
       throw new BadRequestError({
         message: "The policy associated with this access request has been deleted."
       });
     }
-    if (!policy.allowedSelfApprovals && actorId === accessApprovalRequest.requestedByUserId) {
-      throw new BadRequestError({
-        message: "Failed to review access approval request. Users are not authorized to review their own request."
-      });
-    }
 
-    const { membership, hasRole } = await permissionService.getProjectPermission({
+    const { membership, hasRole, permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: accessApprovalRequest.projectId,
@@ -355,6 +353,20 @@ export const accessApprovalRequestServiceFactory = ({
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }
 
+    const isSelfApproval = actorId === accessApprovalRequest.requestedByUserId;
+    const isSoftEnforcement = policy.enforcementLevel === EnforcementLevel.Soft;
+    const canBypassApproval = permission.can(
+      ProjectPermissionApprovalActions.AllowAccessBypass,
+      ProjectPermissionSub.SecretApproval
+    );
+    const cannotBypassUnderSoftEnforcement = !(isSoftEnforcement && canBypassApproval);
+
+    if (!policy.allowedSelfApprovals && isSelfApproval && cannotBypassUnderSoftEnforcement) {
+      throw new BadRequestError({
+        message: "Failed to review access approval request. Users are not authorized to review their own request."
+      });
+    }
+
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
       accessApprovalRequest.requestedByUserId !== actorId && // The request wasn't made by the current user
@@ -363,21 +375,49 @@ export const accessApprovalRequestServiceFactory = ({
       throw new ForbiddenRequestError({ message: "You are not authorized to approve this request" });
     }
 
+    const project = await projectDAL.findById(accessApprovalRequest.projectId);
+    if (!project) {
+      throw new NotFoundError({ message: "The project associated with this access request was not found." });
+    }
+
     const existingReviews = await accessApprovalRequestReviewerDAL.find({ requestId: accessApprovalRequest.id });
     if (existingReviews.some((review) => review.status === ApprovalStatus.REJECTED)) {
       throw new BadRequestError({ message: "The request has already been rejected by another reviewer" });
     }
 
     const reviewStatus = await accessApprovalRequestReviewerDAL.transaction(async (tx) => {
-      const review = await accessApprovalRequestReviewerDAL.findOne(
+      const isBreakGlassApprovalAttempt =
+        policy.enforcementLevel === EnforcementLevel.Soft &&
+        actorId === accessApprovalRequest.requestedByUserId &&
+        status === ApprovalStatus.APPROVED;
+
+      let reviewForThisActorProcessing: {
+        id: string;
+        requestId: string;
+        reviewerUserId: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+      };
+
+      const existingReviewByActorInTx = await accessApprovalRequestReviewerDAL.findOne(
         {
           requestId: accessApprovalRequest.id,
           reviewerUserId: actorId
         },
         tx
       );
-      if (!review) {
-        const newReview = await accessApprovalRequestReviewerDAL.create(
+
+      // Check if review exists for actor
+      if (existingReviewByActorInTx) {
+        // Check if breakglass re-approval
+        if (isBreakGlassApprovalAttempt && existingReviewByActorInTx.status === ApprovalStatus.APPROVED) {
+          reviewForThisActorProcessing = existingReviewByActorInTx;
+        } else {
+          throw new BadRequestError({ message: "You have already reviewed this request" });
+        }
+      } else {
+        reviewForThisActorProcessing = await accessApprovalRequestReviewerDAL.create(
           {
             status,
             requestId: accessApprovalRequest.id,
@@ -385,19 +425,26 @@ export const accessApprovalRequestServiceFactory = ({
           },
           tx
         );
+      }
 
-        const allReviews = [...existingReviews, newReview];
+      const otherReviews = existingReviews.filter((er) => er.reviewerUserId !== actorId);
+      const allUniqueReviews = [...otherReviews, reviewForThisActorProcessing];
 
-        const approvedReviews = allReviews.filter((r) => r.status === ApprovalStatus.APPROVED);
+      const approvedReviews = allUniqueReviews.filter((r) => r.status === ApprovalStatus.APPROVED);
+      const meetsStandardApprovalThreshold = approvedReviews.length >= policy.approvals;
 
-        // approvals is the required number of approvals. If the number of approved reviews is equal to the number of required approvals, then the request is approved.
-        if (approvedReviews.length === policy.approvals) {
+      if (
+        reviewForThisActorProcessing.status === ApprovalStatus.APPROVED &&
+        (meetsStandardApprovalThreshold || isBreakGlassApprovalAttempt)
+      ) {
+        const currentRequestState = await accessApprovalRequestDAL.findById(accessApprovalRequest.id, tx);
+        let privilegeIdToSet = currentRequestState?.privilegeId || null;
+
+        if (!privilegeIdToSet) {
           if (accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
             throw new BadRequestError({ message: "Temporary range is required for temporary access" });
           }
 
-          let privilegeId: string | null = null;
-
           if (!accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
             // Permanent access
             const privilege = await additionalPrivilegeDAL.create(
@@ -409,7 +456,7 @@ export const accessApprovalRequestServiceFactory = ({
               },
               tx
             );
-            privilegeId = privilege.id;
+            privilegeIdToSet = privilege.id;
           } else {
             // Temporary access
             const relativeTempAllocatedTimeInMs = ms(accessApprovalRequest.temporaryRange!);
@@ -421,23 +468,57 @@ export const accessApprovalRequestServiceFactory = ({
                 projectId: accessApprovalRequest.projectId,
                 slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
                 permissions: JSON.stringify(accessApprovalRequest.permissions),
-                isTemporary: true,
+                isTemporary: true, // Explicitly set to true for the privilege
                 temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative,
                 temporaryRange: accessApprovalRequest.temporaryRange!,
                 temporaryAccessStartTime: startTime,
-                temporaryAccessEndTime: new Date(new Date(startTime).getTime() + relativeTempAllocatedTimeInMs)
+                temporaryAccessEndTime: new Date(startTime.getTime() + relativeTempAllocatedTimeInMs)
               },
               tx
             );
-            privilegeId = privilege.id;
+            privilegeIdToSet = privilege.id;
           }
-
-          await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { privilegeId }, tx);
+          await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { privilegeId: privilegeIdToSet }, tx);
         }
-
-        return newReview;
       }
-      throw new BadRequestError({ message: "You have already reviewed this request" });
+
+      // Send notification if this was a breakglass approval
+      if (isBreakGlassApprovalAttempt) {
+        const cfg = getConfig();
+        const actingUser = await userDAL.findById(actorId, tx);
+
+        if (actingUser) {
+          const policyApproverUserIds = policy.approvers
+            .map((ap) => ap.userId)
+            .filter((id): id is string => typeof id === "string");
+
+          if (policyApproverUserIds.length > 0) {
+            const approverUsersForEmail = await userDAL.find({ $in: { id: policyApproverUserIds } }, { tx });
+            const recipientEmails = approverUsersForEmail
+              .map((appUser) => appUser.email)
+              .filter((email): email is string => !!email);
+
+            if (recipientEmails.length > 0) {
+              await smtpService.sendMail({
+                recipients: recipientEmails,
+                subjectLine: "Infisical Secret Access Policy Bypassed",
+                substitutions: {
+                  projectName: project.name,
+                  requesterFullName: `${actingUser.firstName} ${actingUser.lastName}`,
+                  requesterEmail: actingUser.email,
+                  bypassReason: bypassReason || "No reason provided",
+                  secretPath: policy.secretPath || "/",
+                  environment,
+                  approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`,
+                  requestType: "access"
+                },
+                template: SmtpTemplates.AccessSecretRequestBypassed
+              });
+            }
+          }
+        }
+      }
+      return reviewForThisActorProcessing;
     });
 
     return reviewStatus;

backend/src/ee/services/access-approval-request/access-approval-request-types.ts

@@ -17,6 +17,8 @@ export type TGetAccessRequestCountDTO = {
 export type TReviewAccessRequestDTO = {
   requestId: string;
   status: ApprovalStatus;
+  envName?: string;
+  bypassReason?: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TCreateAccessApprovalRequestDTO = {

backend/src/ee/services/app-connections/oci/oci-connection-service.ts

@@ -1,7 +1,9 @@
+import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { OrgServiceActor } from "@app/lib/types";
 
-import { AppConnection } from "../app-connection-enums";
+import { AppConnection } from "../../../../services/app-connection/app-connection-enums";
+import { TLicenseServiceFactory } from "../../license/license-service";
 import { listOCICompartments, listOCIVaultKeys, listOCIVaults } from "./oci-connection-fns";
 import { TOCIConnection } from "./oci-connection-types";
 
@@ -22,8 +24,23 @@ type TListOCIVaultKeysDTO = {
   vaultOcid: string;
 };
 
-export const ociConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+// Enterprise check
+export const checkPlan = async (licenseService: Pick<TLicenseServiceFactory, "getPlan">, orgId: string) => {
+  const plan = await licenseService.getPlan(orgId);
+  if (!plan.enterpriseAppConnections)
+    throw new BadRequestError({
+      message:
+        "Failed to use app connection due to plan restriction. Upgrade plan to access enterprise app connections."
+    });
+};
+
+export const ociConnectionService = (
+  getAppConnection: TGetAppConnectionFunc,
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">
+) => {
   const listCompartments = async (connectionId: string, actor: OrgServiceActor) => {
+    await checkPlan(licenseService, actor.orgId);
+
     const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
 
     try {
@@ -36,6 +53,8 @@ export const ociConnectionService = (getAppConnection: TGetAppConnectionFunc) =>
   };
 
   const listVaults = async ({ connectionId, compartmentOcid }: TListOCIVaultsDTO, actor: OrgServiceActor) => {
+    await checkPlan(licenseService, actor.orgId);
+
     const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
 
     try {
@@ -51,6 +70,8 @@ export const ociConnectionService = (getAppConnection: TGetAppConnectionFunc) =>
     { connectionId, compartmentOcid, vaultOcid }: TListOCIVaultKeysDTO,
     actor: OrgServiceActor
   ) => {
+    await checkPlan(licenseService, actor.orgId);
+
     const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
 
     try {

backend/src/ee/services/app-connections/oci/oci-connection-types.ts

@@ -2,7 +2,7 @@ import z from "zod";
 
 import { DiscriminativePick } from "@app/lib/types";
 
-import { AppConnection } from "../app-connection-enums";
+import { AppConnection } from "../../../../services/app-connection/app-connection-enums";
 import {
   CreateOCIConnectionSchema,
   OCIConnectionSchema,

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -1,3 +1,4 @@
+import { ProjectType } from "@app/db/schemas";
 import {
   TCreateProjectTemplateDTO,
   TUpdateProjectTemplateDTO
@@ -162,6 +163,12 @@ export enum EventType {
   REVOKE_IDENTITY_AWS_AUTH = "revoke-identity-aws-auth",
   GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
 
+  LOGIN_IDENTITY_OCI_AUTH = "login-identity-oci-auth",
+  ADD_IDENTITY_OCI_AUTH = "add-identity-oci-auth",
+  UPDATE_IDENTITY_OCI_AUTH = "update-identity-oci-auth",
+  REVOKE_IDENTITY_OCI_AUTH = "revoke-identity-oci-auth",
+  GET_IDENTITY_OCI_AUTH = "get-identity-oci-auth",
+
   LOGIN_IDENTITY_AZURE_AUTH = "login-identity-azure-auth",
   ADD_IDENTITY_AZURE_AUTH = "add-identity-azure-auth",
   UPDATE_IDENTITY_AZURE_AUTH = "update-identity-azure-auth",
@@ -309,7 +316,6 @@ export enum EventType {
   CREATE_PROJECT_TEMPLATE = "create-project-template",
   UPDATE_PROJECT_TEMPLATE = "update-project-template",
   DELETE_PROJECT_TEMPLATE = "delete-project-template",
-  APPLY_PROJECT_TEMPLATE = "apply-project-template",
   GET_APP_CONNECTIONS = "get-app-connections",
   GET_AVAILABLE_APP_CONNECTIONS_DETAILS = "get-available-app-connections-details",
   GET_APP_CONNECTION = "get-app-connection",
@@ -369,7 +375,13 @@ export enum EventType {
   MICROSOFT_TEAMS_WORKFLOW_INTEGRATION_LIST = "microsoft-teams-workflow-integration-list",
 
   PROJECT_ASSUME_PRIVILEGE_SESSION_START = "project-assume-privileges-session-start",
-  PROJECT_ASSUME_PRIVILEGE_SESSION_END = "project-assume-privileges-session-end"
+  PROJECT_ASSUME_PRIVILEGE_SESSION_END = "project-assume-privileges-session-end",
+
+  UPDATE_ORG = "update-org",
+
+  CREATE_PROJECT = "create-project",
+  UPDATE_PROJECT = "update-project",
+  DELETE_PROJECT = "delete-project"
 }
 
 export const filterableSecretEvents: EventType[] = [
@@ -1009,6 +1021,55 @@ interface GetIdentityAwsAuthEvent {
   };
 }
 
+interface LoginIdentityOciAuthEvent {
+  type: EventType.LOGIN_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+    identityOciAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityOciAuthEvent {
+  type: EventType.ADD_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+    tenancyOcid: string;
+    allowedUsernames: string | null;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface DeleteIdentityOciAuthEvent {
+  type: EventType.REVOKE_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface UpdateIdentityOciAuthEvent {
+  type: EventType.UPDATE_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+    tenancyOcid?: string;
+    allowedUsernames: string | null;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityOciAuthEvent {
+  type: EventType.GET_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface LoginIdentityAzureAuthEvent {
   type: EventType.LOGIN_IDENTITY_AZURE_AUTH;
   metadata: {
@@ -2396,14 +2457,6 @@ interface DeleteProjectTemplateEvent {
   };
 }
 
-interface ApplyProjectTemplateEvent {
-  type: EventType.APPLY_PROJECT_TEMPLATE;
-  metadata: {
-    template: string;
-    projectId: string;
-  };
-}
-
 interface GetAppConnectionsEvent {
   type: EventType.GET_APP_CONNECTIONS;
   metadata: {
@@ -2858,6 +2911,59 @@ interface MicrosoftTeamsWorkflowIntegrationUpdateEvent {
   };
 }
 
+interface OrgUpdateEvent {
+  type: EventType.UPDATE_ORG;
+  metadata: {
+    name?: string;
+    slug?: string;
+    authEnforced?: boolean;
+    scimEnabled?: boolean;
+    defaultMembershipRoleSlug?: string;
+    enforceMfa?: boolean;
+    selectedMfaMethod?: string;
+    allowSecretSharingOutsideOrganization?: boolean;
+    bypassOrgAuthEnabled?: boolean;
+    userTokenExpiration?: string;
+    secretsProductEnabled?: boolean;
+    pkiProductEnabled?: boolean;
+    kmsProductEnabled?: boolean;
+    sshProductEnabled?: boolean;
+    scannerProductEnabled?: boolean;
+    shareSecretsProductEnabled?: boolean;
+  };
+}
+
+interface ProjectCreateEvent {
+  type: EventType.CREATE_PROJECT;
+  metadata: {
+    name: string;
+    slug?: string;
+    type: ProjectType;
+  };
+}
+
+interface ProjectUpdateEvent {
+  type: EventType.UPDATE_PROJECT;
+  metadata: {
+    name?: string;
+    description?: string;
+    autoCapitalization?: boolean;
+    hasDeleteProtection?: boolean;
+    slug?: string;
+    secretSharing?: boolean;
+    pitVersionLimit?: number;
+    auditLogsRetentionDays?: number;
+  };
+}
+
+interface ProjectDeleteEvent {
+  type: EventType.DELETE_PROJECT;
+  metadata: {
+    id: string;
+    name: string;
+  };
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -2914,6 +3020,11 @@ export type Event =
   | UpdateIdentityAwsAuthEvent
   | GetIdentityAwsAuthEvent
   | DeleteIdentityAwsAuthEvent
+  | LoginIdentityOciAuthEvent
+  | AddIdentityOciAuthEvent
+  | UpdateIdentityOciAuthEvent
+  | GetIdentityOciAuthEvent
+  | DeleteIdentityOciAuthEvent
   | LoginIdentityAzureAuthEvent
   | AddIdentityAzureAuthEvent
   | DeleteIdentityAzureAuthEvent
@@ -3057,7 +3168,6 @@ export type Event =
   | CreateProjectTemplateEvent
   | UpdateProjectTemplateEvent
   | DeleteProjectTemplateEvent
-  | ApplyProjectTemplateEvent
   | GetAppConnectionsEvent
   | GetAvailableAppConnectionsDetailsEvent
   | GetAppConnectionEvent
@@ -3119,4 +3229,8 @@ export type Event =
   | MicrosoftTeamsWorkflowIntegrationGetTeamsEvent
   | MicrosoftTeamsWorkflowIntegrationGetEvent
   | MicrosoftTeamsWorkflowIntegrationListEvent
-  | MicrosoftTeamsWorkflowIntegrationUpdateEvent;
+  | MicrosoftTeamsWorkflowIntegrationUpdateEvent
+  | OrgUpdateEvent
+  | ProjectCreateEvent
+  | ProjectUpdateEvent
+  | ProjectDeleteEvent;

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -17,7 +17,8 @@ import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-fold
 
 import { TDynamicSecretLeaseDALFactory } from "../dynamic-secret-lease/dynamic-secret-lease-dal";
 import { TDynamicSecretLeaseQueueServiceFactory } from "../dynamic-secret-lease/dynamic-secret-lease-queue";
-import { TProjectGatewayDALFactory } from "../gateway/project-gateway-dal";
+import { TGatewayDALFactory } from "../gateway/gateway-dal";
+import { OrgPermissionGatewayActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TDynamicSecretDALFactory } from "./dynamic-secret-dal";
 import {
   DynamicSecretStatus,
@@ -44,9 +45,9 @@ type TDynamicSecretServiceFactoryDep = {
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findBySecretPathMultiEnv">;
   projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getOrgPermission">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
-  projectGatewayDAL: Pick<TProjectGatewayDALFactory, "findOne">;
+  gatewayDAL: Pick<TGatewayDALFactory, "findOne" | "find">;
   resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
@@ -62,7 +63,7 @@ export const dynamicSecretServiceFactory = ({
   dynamicSecretQueueService,
   projectDAL,
   kmsService,
-  projectGatewayDAL,
+  gatewayDAL,
   resourceMetadataDAL
 }: TDynamicSecretServiceFactoryDep) => {
   const create = async ({
@@ -117,15 +118,31 @@ export const dynamicSecretServiceFactory = ({
     const inputs = await selectedProvider.validateProviderInputs(provider.inputs);
 
     let selectedGatewayId: string | null = null;
-    if (inputs && typeof inputs === "object" && "projectGatewayId" in inputs && inputs.projectGatewayId) {
-      const projectGatewayId = inputs.projectGatewayId as string;
+    if (inputs && typeof inputs === "object" && "gatewayId" in inputs && inputs.gatewayId) {
+      const gatewayId = inputs.gatewayId as string;
 
-      const projectGateway = await projectGatewayDAL.findOne({ id: projectGatewayId, projectId });
-      if (!projectGateway)
+      const [gateway] = await gatewayDAL.find({ id: gatewayId, orgId: actorOrgId });
+
+      if (!gateway) {
         throw new NotFoundError({
-          message: `Project gateway with ${projectGatewayId} not found`
+          message: `Gateway with ID ${gatewayId} not found`
         });
-      selectedGatewayId = projectGateway.id;
+      }
+
+      const { permission: orgPermission } = await permissionService.getOrgPermission(
+        actor,
+        actorId,
+        gateway.orgId,
+        actorAuthMethod,
+        actorOrgId
+      );
+
+      ForbiddenError.from(orgPermission).throwUnlessCan(
+        OrgPermissionGatewayActions.AttachGateways,
+        OrgPermissionSubjects.Gateway
+      );
+
+      selectedGatewayId = gateway.id;
     }
 
     const isConnected = await selectedProvider.validateConnection(provider.inputs);
@@ -146,7 +163,7 @@ export const dynamicSecretServiceFactory = ({
           defaultTTL,
           folderId: folder.id,
           name,
-          projectGatewayId: selectedGatewayId
+          gatewayId: selectedGatewayId
         },
         tx
       );
@@ -255,20 +272,30 @@ export const dynamicSecretServiceFactory = ({
     const updatedInput = await selectedProvider.validateProviderInputs(newInput);
 
     let selectedGatewayId: string | null = null;
-    if (
-      updatedInput &&
-      typeof updatedInput === "object" &&
-      "projectGatewayId" in updatedInput &&
-      updatedInput?.projectGatewayId
-    ) {
-      const projectGatewayId = updatedInput.projectGatewayId as string;
+    if (updatedInput && typeof updatedInput === "object" && "gatewayId" in updatedInput && updatedInput?.gatewayId) {
+      const gatewayId = updatedInput.gatewayId as string;
 
-      const projectGateway = await projectGatewayDAL.findOne({ id: projectGatewayId, projectId });
-      if (!projectGateway)
+      const [gateway] = await gatewayDAL.find({ id: gatewayId, orgId: actorOrgId });
+      if (!gateway) {
         throw new NotFoundError({
-          message: `Project gateway with ${projectGatewayId} not found`
+          message: `Gateway with ID ${gatewayId} not found`
         });
-      selectedGatewayId = projectGateway.id;
+      }
+
+      const { permission: orgPermission } = await permissionService.getOrgPermission(
+        actor,
+        actorId,
+        gateway.orgId,
+        actorAuthMethod,
+        actorOrgId
+      );
+
+      ForbiddenError.from(orgPermission).throwUnlessCan(
+        OrgPermissionGatewayActions.AttachGateways,
+        OrgPermissionSubjects.Gateway
+      );
+
+      selectedGatewayId = gateway.id;
     }
 
     const isConnected = await selectedProvider.validateConnection(newInput);
@@ -284,7 +311,7 @@ export const dynamicSecretServiceFactory = ({
           defaultTTL,
           name: newName ?? name,
           status: null,
-          projectGatewayId: selectedGatewayId
+          gatewayId: selectedGatewayId
         },
         tx
       );

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -18,7 +18,7 @@ import { SqlDatabaseProvider } from "./sql-database";
 import { TotpProvider } from "./totp";
 
 type TBuildDynamicSecretProviderDTO = {
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTls">;
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
 };
 
 export const buildDynamicSecretProviders = ({

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -137,7 +137,7 @@ export const DynamicSecretSqlDBSchema = z.object({
   revocationStatement: z.string().trim(),
   renewStatement: z.string().trim().optional(),
   ca: z.string().optional(),
-  projectGatewayId: z.string().nullable().optional()
+  gatewayId: z.string().nullable().optional()
 });
 
 export const DynamicSecretCassandraSchema = z.object({

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -112,14 +112,14 @@ const generateUsername = (provider: SqlProviders) => {
 };
 
 type TSqlDatabaseProviderDTO = {
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTls">;
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
 };
 
 export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretSqlDBSchema.parseAsync(inputs);
 
-    const [hostIp] = await verifyHostInputValidity(providerInputs.host, Boolean(providerInputs.projectGatewayId));
+    const [hostIp] = await verifyHostInputValidity(providerInputs.host, Boolean(providerInputs.gatewayId));
     validateHandlebarTemplate("SQL creation", providerInputs.creationStatement, {
       allowedExpressions: (val) => ["username", "password", "expiration", "database"].includes(val)
     });
@@ -168,7 +168,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
     providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>,
     gatewayCallback: (host: string, port: number) => Promise<void>
   ) => {
-    const relayDetails = await gatewayService.fnGetGatewayClientTls(providerInputs.projectGatewayId as string);
+    const relayDetails = await gatewayService.fnGetGatewayClientTlsByGatewayId(providerInputs.gatewayId as string);
     const [relayHost, relayPort] = relayDetails.relayAddress.split(":");
     await withGatewayProxy(
       async (port) => {
@@ -202,7 +202,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
       await db.destroy();
     };
 
-    if (providerInputs.projectGatewayId) {
+    if (providerInputs.gatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
     } else {
       await gatewayCallback();
@@ -238,7 +238,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
         await db.destroy();
       }
     };
-    if (providerInputs.projectGatewayId) {
+    if (providerInputs.gatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
     } else {
       await gatewayCallback();
@@ -265,7 +265,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
         await db.destroy();
       }
     };
-    if (providerInputs.projectGatewayId) {
+    if (providerInputs.gatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
     } else {
       await gatewayCallback();
@@ -301,7 +301,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
         await db.destroy();
       }
     };
-    if (providerInputs.projectGatewayId) {
+    if (providerInputs.gatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
     } else {
       await gatewayCallback();

backend/src/ee/services/gateway/gateway-dal.ts

@@ -1,37 +1,34 @@
-import { Knex } from "knex";
-
 import { TDbClient } from "@app/db";
 import { GatewaysSchema, TableName, TGateways } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import {
-  buildFindFilter,
-  ormify,
-  selectAllTableCols,
-  sqlNestRelationships,
-  TFindFilter,
-  TFindOpt
-} from "@app/lib/knex";
+import { buildFindFilter, ormify, selectAllTableCols, TFindFilter, TFindOpt } from "@app/lib/knex";
 
 export type TGatewayDALFactory = ReturnType<typeof gatewayDALFactory>;
 
 export const gatewayDALFactory = (db: TDbClient) => {
   const orm = ormify(db, TableName.Gateway);
 
-  const find = async (filter: TFindFilter<TGateways>, { offset, limit, sort, tx }: TFindOpt<TGateways> = {}) => {
+  const find = async (
+    filter: TFindFilter<TGateways> & { orgId?: string },
+    { offset, limit, sort, tx }: TFindOpt<TGateways> = {}
+  ) => {
     try {
       const query = (tx || db)(TableName.Gateway)
         // eslint-disable-next-line @typescript-eslint/no-misused-promises
-        .where(buildFindFilter(filter))
+        .where(buildFindFilter(filter, TableName.Gateway, ["orgId"]))
         .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.Gateway}.identityId`)
-        .leftJoin(TableName.ProjectGateway, `${TableName.ProjectGateway}.gatewayId`, `${TableName.Gateway}.id`)
-        .leftJoin(TableName.Project, `${TableName.Project}.id`, `${TableName.ProjectGateway}.projectId`)
+        .join(
+          TableName.IdentityOrgMembership,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.Gateway}.identityId`
+        )
         .select(selectAllTableCols(TableName.Gateway))
-        .select(
-          db.ref("name").withSchema(TableName.Identity).as("identityName"),
-          db.ref("name").withSchema(TableName.Project).as("projectName"),
-          db.ref("slug").withSchema(TableName.Project).as("projectSlug"),
-          db.ref("id").withSchema(TableName.Project).as("projectId")
-        );
+        .select(db.ref("orgId").withSchema(TableName.IdentityOrgMembership).as("identityOrgId"))
+        .select(db.ref("name").withSchema(TableName.Identity).as("identityName"));
+
+      if (filter.orgId) {
+        void query.where(`${TableName.IdentityOrgMembership}.orgId`, filter.orgId);
+      }
       if (limit) void query.limit(limit);
       if (offset) void query.offset(offset);
       if (sort) {
@@ -39,48 +36,16 @@ export const gatewayDALFactory = (db: TDbClient) => {
       }
 
       const docs = await query;
-      return sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (data) => ({
-          ...GatewaysSchema.parse(data),
-          identity: { id: data.identityId, name: data.identityName }
-        }),
-        childrenMapper: [
-          {
-            key: "projectId",
-            label: "projects" as const,
-            mapper: ({ projectId, projectName, projectSlug }) => ({
-              id: projectId,
-              name: projectName,
-              slug: projectSlug
-            })
-          }
-        ]
-      });
+
+      return docs.map((el) => ({
+        ...GatewaysSchema.parse(el),
+        orgId: el.identityOrgId as string, // todo(daniel): figure out why typescript is not inferring this as a string
+        identity: { id: el.identityId, name: el.identityName }
+      }));
     } catch (error) {
       throw new DatabaseError({ error, name: `${TableName.Gateway}: Find` });
     }
   };
 
-  const findByProjectId = async (projectId: string, tx?: Knex) => {
-    try {
-      const query = (tx || db)(TableName.Gateway)
-        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.Gateway}.identityId`)
-        .join(TableName.ProjectGateway, `${TableName.ProjectGateway}.gatewayId`, `${TableName.Gateway}.id`)
-        .select(selectAllTableCols(TableName.Gateway))
-        .select(
-          db.ref("name").withSchema(TableName.Identity).as("identityName"),
-          db.ref("id").withSchema(TableName.ProjectGateway).as("projectGatewayId")
-        )
-        .where({ [`${TableName.ProjectGateway}.projectId` as "projectId"]: projectId });
-
-      const docs = await query;
-      return docs.map((el) => ({ ...el, identity: { id: el.identityId, name: el.identityName } }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: `${TableName.Gateway}: Find by project id` });
-    }
-  };
-
-  return { ...orm, find, findByProjectId };
+  return { ...orm, find };
 };

backend/src/ee/services/gateway/gateway-service.ts

@@ -4,7 +4,6 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import { z } from "zod";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { KeyStorePrefixes, PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -27,17 +26,14 @@ import { TGatewayDALFactory } from "./gateway-dal";
 import {
   TExchangeAllocatedRelayAddressDTO,
   TGetGatewayByIdDTO,
-  TGetProjectGatewayByIdDTO,
   THeartBeatDTO,
   TListGatewaysDTO,
   TUpdateGatewayByIdDTO
 } from "./gateway-types";
 import { TOrgGatewayConfigDALFactory } from "./org-gateway-config-dal";
-import { TProjectGatewayDALFactory } from "./project-gateway-dal";
 
 type TGatewayServiceFactoryDep = {
   gatewayDAL: TGatewayDALFactory;
-  projectGatewayDAL: TProjectGatewayDALFactory;
   orgGatewayConfigDAL: Pick<TOrgGatewayConfigDALFactory, "findOne" | "create" | "transaction" | "findById">;
   licenseService: Pick<TLicenseServiceFactory, "onPremFeatures" | "getPlan">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey" | "decryptWithRootKey">;
@@ -57,8 +53,7 @@ export const gatewayServiceFactory = ({
   kmsService,
   permissionService,
   orgGatewayConfigDAL,
-  keyStore,
-  projectGatewayDAL
+  keyStore
 }: TGatewayServiceFactoryDep) => {
   const $validateOrgAccessToGateway = async (orgId: string, actorId: string, actorAuthMethod: ActorAuthMethod) => {
     // if (!licenseService.onPremFeatures.gateway) {
@@ -526,7 +521,7 @@ export const gatewayServiceFactory = ({
     return gateway;
   };
 
-  const updateGatewayById = async ({ orgPermission, id, name, projectIds }: TUpdateGatewayByIdDTO) => {
+  const updateGatewayById = async ({ orgPermission, id, name }: TUpdateGatewayByIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(
       orgPermission.type,
       orgPermission.id,
@@ -543,15 +538,6 @@ export const gatewayServiceFactory = ({
 
     const [gateway] = await gatewayDAL.update({ id, orgGatewayRootCaId: orgGatewayConfig.id }, { name });
     if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${id} not found.` });
-    if (projectIds) {
-      await projectGatewayDAL.transaction(async (tx) => {
-        await projectGatewayDAL.delete({ gatewayId: gateway.id }, tx);
-        await projectGatewayDAL.insertMany(
-          projectIds.map((el) => ({ gatewayId: gateway.id, projectId: el })),
-          tx
-        );
-      });
-    }
 
     return gateway;
   };
@@ -576,27 +562,7 @@ export const gatewayServiceFactory = ({
     return gateway;
   };
 
-  const getProjectGateways = async ({ projectId, projectPermission }: TGetProjectGatewayByIdDTO) => {
-    await permissionService.getProjectPermission({
-      projectId,
-      actor: projectPermission.type,
-      actorId: projectPermission.id,
-      actorOrgId: projectPermission.orgId,
-      actorAuthMethod: projectPermission.authMethod,
-      actionProjectType: ActionProjectType.Any
-    });
-
-    const gateways = await gatewayDAL.findByProjectId(projectId);
-    return gateways;
-  };
-
-  // this has no permission check and used for dynamic secrets directly
-  // assumes permission check is already done
-  const fnGetGatewayClientTls = async (projectGatewayId: string) => {
-    const projectGateway = await projectGatewayDAL.findById(projectGatewayId);
-    if (!projectGateway) throw new NotFoundError({ message: `Project gateway with ID ${projectGatewayId} not found.` });
-
-    const { gatewayId } = projectGateway;
+  const fnGetGatewayClientTlsByGatewayId = async (gatewayId: string) => {
     const gateway = await gatewayDAL.findById(gatewayId);
     if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${gatewayId} not found.` });
 
@@ -645,8 +611,7 @@ export const gatewayServiceFactory = ({
     getGatewayById,
     updateGatewayById,
     deleteGatewayById,
-    getProjectGateways,
-    fnGetGatewayClientTls,
+    fnGetGatewayClientTlsByGatewayId,
     heartbeat
   };
 };

backend/src/ee/services/gateway/gateway-types.ts

@@ -20,7 +20,6 @@ export type TGetGatewayByIdDTO = {
 export type TUpdateGatewayByIdDTO = {
   id: string;
   name?: string;
-  projectIds?: string[];
   orgPermission: OrgServiceActor;
 };
 

backend/src/ee/services/gateway/project-gateway-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TProjectGatewayDALFactory = ReturnType<typeof projectGatewayDALFactory>;
-
-export const projectGatewayDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.ProjectGateway);
-  return orm;
-};

backend/src/ee/services/group/group-dal.ts

@@ -111,9 +111,9 @@ export const groupDALFactory = (db: TDbClient) => {
       }
 
       if (search) {
-        void query.andWhereRaw(`CONCAT_WS(' ', "firstName", "lastName", "username") ilike ?`, [`%${search}%`]);
+        void query.andWhereRaw(`CONCAT_WS(' ', "firstName", "lastName", lower("username")) ilike ?`, [`%${search}%`]);
       } else if (username) {
-        void query.andWhere(`${TableName.Users}.username`, "ilike", `%${username}%`);
+        void query.andWhereRaw(`lower("${TableName.Users}"."username") ilike ?`, `%${username}%`);
       }
 
       switch (filter) {

backend/src/ee/services/group/group-service.ts

@@ -30,7 +30,7 @@ import {
 import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal";
 
 type TGroupServiceFactoryDep = {
-  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
+  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findUserByUsername">;
   groupDAL: Pick<
     TGroupDALFactory,
     "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById" | "transaction"
@@ -380,7 +380,10 @@ export const groupServiceFactory = ({
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
-    const user = await userDAL.findOne({ username });
+    const usersWithUsername = await userDAL.findUserByUsername(username);
+    // akhilmhdh: case sensitive email resolution
+    const user =
+      usersWithUsername?.length > 1 ? usersWithUsername.find((el) => el.username === username) : usersWithUsername?.[0];
     if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });
 
     const users = await addUsersToGroupByUserIds({
@@ -461,7 +464,10 @@ export const groupServiceFactory = ({
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
-    const user = await userDAL.findOne({ username });
+    const usersWithUsername = await userDAL.findUserByUsername(username);
+    // akhilmhdh: case sensitive email resolution
+    const user =
+      usersWithUsername?.length > 1 ? usersWithUsername.find((el) => el.username === username) : usersWithUsername?.[0];
     if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });
 
     const users = await removeUsersFromGroupByUserIds({

backend/src/ee/services/hsm/hsm-fns.ts

@@ -24,9 +24,13 @@ export const initializeHsmModule = (envConfig: Pick<TEnvConfig, "isHsmConfigured
       isInitialized = true;
 
       logger.info("PKCS#11 module initialized");
-    } catch (err) {
-      logger.error(err, "Failed to initialize PKCS#11 module");
-      throw err;
+    } catch (error) {
+      if (error instanceof pkcs11js.Pkcs11Error && error.code === pkcs11js.CKR_CRYPTOKI_ALREADY_INITIALIZED) {
+        logger.info("Skipping HSM initialization because it's already initialized.");
+      } else {
+        logger.error(error, "Failed to initialize PKCS#11 module");
+        throw error;
+      }
     }
   };
 

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -380,7 +380,7 @@ export const ldapConfigServiceFactory = ({
         if (serverCfg.trustLdapEmails) {
           newUser = await userDAL.findOne(
             {
-              email,
+              email: email.toLowerCase(),
               isEmailVerified: true
             },
             tx
@@ -391,8 +391,8 @@ export const ldapConfigServiceFactory = ({
           const uniqueUsername = await normalizeUsername(username, userDAL);
           newUser = await userDAL.create(
             {
-              username: serverCfg.trustLdapEmails ? email : uniqueUsername,
-              email,
+              username: serverCfg.trustLdapEmails ? email.toLowerCase() : uniqueUsername,
+              email: email.toLowerCase(),
               isEmailVerified: serverCfg.trustLdapEmails,
               firstName,
               lastName,
@@ -429,7 +429,7 @@ export const ldapConfigServiceFactory = ({
           await orgMembershipDAL.create(
             {
               userId: newUser.id,
-              inviteEmail: email,
+              inviteEmail: email.toLowerCase(),
               orgId,
               role,
               roleId,

backend/src/ee/services/license/__mocks__/license-fns.ts

@@ -29,7 +29,9 @@ export const getDefaultOnPremFeatures = () => {
     secretApproval: true,
     secretRotation: true,
     caCrl: false,
-    sshHostGroups: false
+    sshHostGroups: false,
+    enterpriseSecretSyncs: false,
+    enterpriseAppConnections: false
   };
 };
 

backend/src/ee/services/license/license-dal.ts

@@ -19,7 +19,7 @@ export const licenseDALFactory = (db: TDbClient) => {
         .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
         .where(`${TableName.Users}.isGhost`, false)
         .count();
-      return Number(doc?.[0].count);
+      return Number(doc?.[0]?.count ?? 0);
     } catch (error) {
       throw new DatabaseError({ error, name: "Count of Org Members" });
     }

backend/src/ee/services/license/license-fns.ts

@@ -2,6 +2,7 @@ import axios, { AxiosError } from "axios";
 
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
+import { logger } from "@app/lib/logger";
 
 import { TFeatureSet } from "./license-types";
 
@@ -54,7 +55,9 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   projectTemplates: false,
   kmip: false,
   gateway: false,
-  sshHostGroups: false
+  sshHostGroups: false,
+  enterpriseSecretSyncs: false,
+  enterpriseAppConnections: false
 });
 
 export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {
@@ -98,9 +101,10 @@ export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string
     (response) => response,
     async (err) => {
       const originalRequest = (err as AxiosError).config;
-
+      const errStatusCode = Number((err as AxiosError)?.response?.status);
+      logger.error((err as AxiosError)?.response?.data, "License server call error");
       // eslint-disable-next-line
-      if ((err as AxiosError)?.response?.status === 401 && !(originalRequest as any)._retry) {
+      if ((errStatusCode === 401 || errStatusCode === 403) && !(originalRequest as any)._retry) {
         // eslint-disable-next-line
         (originalRequest as any)._retry = true; // injected
 

backend/src/ee/services/license/license-service.ts

@@ -92,6 +92,10 @@ export const licenseServiceFactory = ({
       const {
         data: { currentPlan }
       } = await licenseServerOnPremApi.request.get<{ currentPlan: TFeatureSet }>("/api/license/v1/plan");
+
+      const workspacesUsed = await projectDAL.countOfOrgProjects(null);
+      currentPlan.workspacesUsed = workspacesUsed;
+
       onPremFeatures = currentPlan;
       logger.info("Successfully synchronized license key features");
     } catch (error) {
@@ -185,6 +189,14 @@ export const licenseServiceFactory = ({
         } = await licenseServerCloudApi.request.get<{ currentPlan: TFeatureSet }>(
           `/api/license-server/v1/customers/${org.customerId}/cloud-plan`
         );
+        const workspacesUsed = await projectDAL.countOfOrgProjects(orgId);
+        currentPlan.workspacesUsed = workspacesUsed;
+
+        const membersUsed = await licenseDAL.countOfOrgMembers(orgId);
+        currentPlan.membersUsed = membersUsed;
+        const identityUsed = await licenseDAL.countOrgUsersAndIdentities(orgId);
+        currentPlan.identitiesUsed = identityUsed;
+
         await keyStore.setItemWithExpiry(
           FEATURE_CACHE_KEY(org.id),
           LICENSE_SERVER_CLOUD_PLAN_TTL,
@@ -348,8 +360,8 @@ export const licenseServiceFactory = ({
       } = await licenseServerCloudApi.request.post(
         `/api/license-server/v1/customers/${organization.customerId}/billing-details/payment-methods`,
         {
-          success_url: `${appCfg.SITE_URL}/dashboard`,
-          cancel_url: `${appCfg.SITE_URL}/dashboard`
+          success_url: `${appCfg.SITE_URL}/organization/billing`,
+          cancel_url: `${appCfg.SITE_URL}/organization/billing`
         }
       );
 
@@ -362,7 +374,7 @@ export const licenseServiceFactory = ({
     } = await licenseServerCloudApi.request.post(
       `/api/license-server/v1/customers/${organization.customerId}/billing-details/billing-portal`,
       {
-        return_url: `${appCfg.SITE_URL}/dashboard`
+        return_url: `${appCfg.SITE_URL}/organization/billing`
       }
     );
 
@@ -379,7 +391,7 @@ export const licenseServiceFactory = ({
         message: `Organization with ID '${orgId}' not found`
       });
     }
-    if (instanceType !== InstanceType.OnPrem && instanceType !== InstanceType.EnterpriseOnPremOffline) {
+    if (instanceType === InstanceType.Cloud) {
       const { data } = await licenseServerCloudApi.request.get(
         `/api/license-server/v1/customers/${organization.customerId}/cloud-plan/billing`
       );
@@ -407,11 +419,38 @@ export const licenseServiceFactory = ({
         message: `Organization with ID '${orgId}' not found`
       });
     }
-    if (instanceType !== InstanceType.OnPrem && instanceType !== InstanceType.EnterpriseOnPremOffline) {
-      const { data } = await licenseServerCloudApi.request.get(
-        `/api/license-server/v1/customers/${organization.customerId}/cloud-plan/table`
-      );
-      return data;
+
+    const orgMembersUsed = await orgDAL.countAllOrgMembers(orgId);
+    const identityUsed = await identityOrgMembershipDAL.countAllOrgIdentities({ orgId });
+    const projects = await projectDAL.find({ orgId });
+    const projectCount = projects.length;
+
+    if (instanceType === InstanceType.Cloud) {
+      const { data } = await licenseServerCloudApi.request.get<{
+        head: { name: string }[];
+        rows: { name: string; allowed: boolean }[];
+      }>(`/api/license-server/v1/customers/${organization.customerId}/cloud-plan/table`);
+
+      const formattedData = {
+        head: data.head,
+        rows: data.rows.map((el) => {
+          let used = "-";
+
+          if (el.name === BillingPlanRows.MemberLimit.name) {
+            used = orgMembersUsed.toString();
+          } else if (el.name === BillingPlanRows.WorkspaceLimit.name) {
+            used = projectCount.toString();
+          } else if (el.name === BillingPlanRows.IdentityLimit.name) {
+            used = (identityUsed + orgMembersUsed).toString();
+          }
+
+          return {
+            ...el,
+            used
+          };
+        })
+      };
+      return formattedData;
     }
 
     const mappedRows = await Promise.all(
@@ -420,14 +459,11 @@ export const licenseServiceFactory = ({
         let used = "-";
 
         if (field === BillingPlanRows.MemberLimit.field) {
-          const orgMemberships = await orgDAL.countAllOrgMembers(orgId);
-          used = orgMemberships.toString();
+          used = orgMembersUsed.toString();
         } else if (field === BillingPlanRows.WorkspaceLimit.field) {
-          const projects = await projectDAL.find({ orgId });
-          used = projects.length.toString();
+          used = projectCount.toString();
         } else if (field === BillingPlanRows.IdentityLimit.field) {
-          const identities = await identityOrgMembershipDAL.countAllOrgIdentities({ orgId });
-          used = identities.toString();
+          used = identityUsed.toString();
         }
 
         return {

backend/src/ee/services/license/license-types.ts

@@ -27,7 +27,7 @@ export type TFeatureSet = {
   slug: null;
   tier: -1;
   workspaceLimit: null;
-  workspacesUsed: 0;
+  workspacesUsed: number;
   dynamicSecret: false;
   memberLimit: null;
   membersUsed: number;
@@ -72,6 +72,8 @@ export type TFeatureSet = {
   kmip: false;
   gateway: false;
   sshHostGroups: false;
+  enterpriseSecretSyncs: false;
+  enterpriseAppConnections: false;
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -171,8 +171,8 @@ export const oidcConfigServiceFactory = ({
   };
 
   const oidcLogin = async ({
-    externalId,
     email,
+    externalId,
     firstName,
     lastName,
     orgId,
@@ -714,13 +714,15 @@ export const oidcConfigServiceFactory = ({
           }
         }
 
+        const groups = typeof claims.groups === "string" ? [claims.groups] : (claims.groups as string[] | undefined);
+
         oidcLogin({
-          email: claims.email,
+          email: claims.email.toLowerCase(),
           externalId: claims.sub,
           firstName: claims.given_name ?? "",
           lastName: claims.family_name ?? "",
           orgId: org.id,
-          groups: claims.groups as string[] | undefined,
+          groups,
           callbackPort,
           manageGroupMemberships: oidcCfg.manageGroupMemberships
         })

backend/src/ee/services/permission/default-roles.ts

@@ -2,6 +2,7 @@ import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability"
 
 import {
   ProjectPermissionActions,
+  ProjectPermissionApprovalActions,
   ProjectPermissionCertificateActions,
   ProjectPermissionCmekActions,
   ProjectPermissionDynamicSecretActions,
@@ -25,7 +26,6 @@ const buildAdminPermissionRules = () => {
   [
     ProjectPermissionSub.SecretFolders,
     ProjectPermissionSub.SecretImports,
-    ProjectPermissionSub.SecretApproval,
     ProjectPermissionSub.Role,
     ProjectPermissionSub.Integrations,
     ProjectPermissionSub.Webhooks,
@@ -55,6 +55,18 @@ const buildAdminPermissionRules = () => {
     );
   });
 
+  can(
+    [
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionApprovalActions.Edit,
+      ProjectPermissionApprovalActions.Create,
+      ProjectPermissionApprovalActions.Delete,
+      ProjectPermissionApprovalActions.AllowChangeBypass,
+      ProjectPermissionApprovalActions.AllowAccessBypass
+    ],
+    ProjectPermissionSub.SecretApproval
+  );
+
   can(
     [
       ProjectPermissionCertificateActions.Read,
@@ -126,7 +138,6 @@ const buildAdminPermissionRules = () => {
 
   can(
     [
-      ProjectPermissionSecretActions.DescribeAndReadValue,
       ProjectPermissionSecretActions.DescribeSecret,
       ProjectPermissionSecretActions.ReadValue,
       ProjectPermissionSecretActions.Create,
@@ -207,7 +218,6 @@ const buildMemberPermissionRules = () => {
 
   can(
     [
-      ProjectPermissionSecretActions.DescribeAndReadValue,
       ProjectPermissionSecretActions.DescribeSecret,
       ProjectPermissionSecretActions.ReadValue,
       ProjectPermissionSecretActions.Edit,
@@ -245,7 +255,7 @@ const buildMemberPermissionRules = () => {
     ProjectPermissionSub.SecretImports
   );
 
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretApproval);
+  can([ProjectPermissionApprovalActions.Read], ProjectPermissionSub.SecretApproval);
   can([ProjectPermissionSecretRotationActions.Read], ProjectPermissionSub.SecretRotation);
 
   can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
@@ -386,13 +396,14 @@ const buildMemberPermissionRules = () => {
 const buildViewerPermissionRules = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
 
-  can(ProjectPermissionSecretActions.DescribeAndReadValue, ProjectPermissionSub.Secrets);
-  can(ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSub.Secrets);
-  can(ProjectPermissionSecretActions.ReadValue, ProjectPermissionSub.Secrets);
+  can(
+    [ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSecretActions.ReadValue],
+    ProjectPermissionSub.Secrets
+  );
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
   can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+  can(ProjectPermissionApprovalActions.Read, ProjectPermissionSub.SecretApproval);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
   can(ProjectPermissionSecretRotationActions.Read, ProjectPermissionSub.SecretRotation);
   can(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);

backend/src/ee/services/permission/org-permission.ts

@@ -41,7 +41,8 @@ export enum OrgPermissionGatewayActions {
   CreateGateways = "create-gateways",
   ListGateways = "list-gateways",
   EditGateways = "edit-gateways",
-  DeleteGateways = "delete-gateways"
+  DeleteGateways = "delete-gateways",
+  AttachGateways = "attach-gateways"
 }
 
 export enum OrgPermissionIdentityActions {
@@ -337,6 +338,7 @@ const buildAdminPermission = () => {
   can(OrgPermissionGatewayActions.CreateGateways, OrgPermissionSubjects.Gateway);
   can(OrgPermissionGatewayActions.EditGateways, OrgPermissionSubjects.Gateway);
   can(OrgPermissionGatewayActions.DeleteGateways, OrgPermissionSubjects.Gateway);
+  can(OrgPermissionGatewayActions.AttachGateways, OrgPermissionSubjects.Gateway);
 
   can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
 
@@ -378,6 +380,7 @@ const buildMemberPermission = () => {
   can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
   can(OrgPermissionGatewayActions.ListGateways, OrgPermissionSubjects.Gateway);
   can(OrgPermissionGatewayActions.CreateGateways, OrgPermissionSubjects.Gateway);
+  can(OrgPermissionGatewayActions.AttachGateways, OrgPermissionSubjects.Gateway);
 
   return rules;
 };

backend/src/ee/services/permission/project-permission.ts

@@ -34,6 +34,15 @@ export enum ProjectPermissionSecretActions {
   Delete = "delete"
 }
 
+export enum ProjectPermissionApprovalActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  AllowChangeBypass = "allow-change-bypass",
+  AllowAccessBypass = "allow-access-bypass"
+}
+
 export enum ProjectPermissionCmekActions {
   Read = "read",
   Create = "create",
@@ -242,7 +251,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.IpAllowList]
   | [ProjectPermissionActions, ProjectPermissionSub.Settings]
   | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
-  | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
+  | [ProjectPermissionApprovalActions, ProjectPermissionSub.SecretApproval]
   | [
       ProjectPermissionSecretRotationActions,
       (
@@ -439,7 +448,7 @@ const PkiSubscriberConditionSchema = z
 const GeneralPermissionSchema = [
   z.object({
     subject: z.literal(ProjectPermissionSub.SecretApproval).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionApprovalActions).describe(
       "Describe what action an entity can take."
     )
   }),
@@ -605,7 +614,7 @@ const GeneralPermissionSchema = [
   })
 ];
 
-// Do not update this schema anymore, as it's kept purely for backwards compatability. Update V2 schema only.
+// Do not update this schema anymore, as it's kept purely for backwards compatibility. Update V2 schema only.
 export const ProjectPermissionV1Schema = z.discriminatedUnion("subject", [
   z.object({
     subject: z.literal(ProjectPermissionSub.Secrets).describe("The entity this permission pertains to."),

backend/src/ee/services/scim/scim-service.ts

@@ -342,7 +342,7 @@ export const scimServiceFactory = ({
           orgMembership = await orgMembershipDAL.create(
             {
               userId: userAlias.userId,
-              inviteEmail: email,
+              inviteEmail: email.toLowerCase(),
               orgId,
               role,
               roleId,
@@ -364,7 +364,7 @@ export const scimServiceFactory = ({
         if (trustScimEmails) {
           user = await userDAL.findOne(
             {
-              email,
+              email: email.toLowerCase(),
               isEmailVerified: true
             },
             tx
@@ -379,8 +379,8 @@ export const scimServiceFactory = ({
           );
           user = await userDAL.create(
             {
-              username: trustScimEmails ? email : uniqueUsername,
-              email,
+              username: trustScimEmails ? email.toLowerCase() : uniqueUsername,
+              email: email.toLowerCase(),
               isEmailVerified: trustScimEmails,
               firstName,
               lastName,
@@ -396,7 +396,7 @@ export const scimServiceFactory = ({
             userId: user.id,
             aliasType,
             externalId,
-            emails: email ? [email] : [],
+            emails: email ? [email.toLowerCase()] : [],
             orgId
           },
           tx
@@ -418,7 +418,7 @@ export const scimServiceFactory = ({
           orgMembership = await orgMembershipDAL.create(
             {
               userId: user.id,
-              inviteEmail: email,
+              inviteEmail: email.toLowerCase(),
               orgId,
               role,
               roleId,
@@ -529,7 +529,7 @@ export const scimServiceFactory = ({
         membership.userId,
         {
           firstName: scimUser.name.givenName,
-          email: scimUser.emails[0].value,
+          email: scimUser.emails[0].value.toLowerCase(),
           lastName: scimUser.name.familyName,
           isEmailVerified: hasEmailChanged ? trustScimEmails : undefined
         },
@@ -606,7 +606,7 @@ export const scimServiceFactory = ({
         membership.userId,
         {
           firstName,
-          email,
+          email: email?.toLowerCase(),
           lastName,
           isEmailVerified:
             org.orgAuthMethod === OrgAuthMethod.OIDC ? serverCfg.trustOidcEmails : serverCfg.trustSamlEmails

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -3,7 +3,7 @@ import picomatch from "picomatch";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { containsGlobPatterns } from "@app/lib/picomatch";
@@ -89,7 +89,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
+      ProjectPermissionApprovalActions.Create,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -204,7 +204,10 @@ export const secretApprovalPolicyServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Edit,
+      ProjectPermissionSub.SecretApproval
+    );
 
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan.secretApproval) {
@@ -301,7 +304,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
+      ProjectPermissionApprovalActions.Delete,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -340,7 +343,10 @@ export const secretApprovalPolicyServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.SecretManager
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionSub.SecretApproval
+    );
 
     const sapPolicies = await secretApprovalPolicyDAL.find({ projectId, deletedAt: null });
     return sapPolicies;
@@ -413,7 +419,10 @@ export const secretApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionApprovalActions.Read,
+      ProjectPermissionSub.SecretApproval
+    );
 
     return sapPolicy;
   };

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -62,7 +62,11 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { throwIfMissingSecretReadValueOrDescribePermission } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionSecretActions, ProjectPermissionSub } from "../permission/project-permission";
+import {
+  ProjectPermissionApprovalActions,
+  ProjectPermissionSecretActions,
+  ProjectPermissionSub
+} from "../permission/project-permission";
 import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
 import { TSecretSnapshotServiceFactory } from "../secret-snapshot/secret-snapshot-service";
 import { TSecretApprovalRequestDALFactory } from "./secret-approval-request-dal";
@@ -504,7 +508,7 @@ export const secretApprovalRequestServiceFactory = ({
       });
     }
 
-    const { hasRole } = await permissionService.getProjectPermission({
+    const { hasRole, permission } = await permissionService.getProjectPermission({
       actor: ActorType.USER,
       actorId,
       projectId,
@@ -531,7 +535,13 @@ export const secretApprovalRequestServiceFactory = ({
       ).length;
     const isSoftEnforcement = secretApprovalRequest.policy.enforcementLevel === EnforcementLevel.Soft;
 
-    if (!hasMinApproval && !isSoftEnforcement)
+    if (
+      !hasMinApproval &&
+      !(
+        isSoftEnforcement &&
+        permission.can(ProjectPermissionApprovalActions.AllowChangeBypass, ProjectPermissionSub.SecretApproval)
+      )
+    )
       throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
 
     const { botKey, shouldUseSecretV2Bridge, project } = await projectBotService.getBotKey(projectId);

backend/src/ee/services/secret-rotation-v2/ldap-password/ldap-password-rotation-fns.ts

@@ -1,4 +1,4 @@
-import ldap from "ldapjs";
+import ldap, { Client, SearchOptions } from "ldapjs";
 
 import {
   TRotationFactory,
@@ -8,26 +8,73 @@ import {
   TRotationFactoryRotateCredentials
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
 import { logger } from "@app/lib/logger";
+import { DistinguishedNameRegex } from "@app/lib/regex";
 import { encryptAppConnectionCredentials } from "@app/services/app-connection/app-connection-fns";
 import { getLdapConnectionClient, LdapProvider, TLdapConnection } from "@app/services/app-connection/ldap";
 
 import { generatePassword } from "../shared/utils";
 import {
+  LdapPasswordRotationMethod,
   TLdapPasswordRotationGeneratedCredentials,
+  TLdapPasswordRotationInput,
   TLdapPasswordRotationWithConnection
 } from "./ldap-password-rotation-types";
 
 const getEncodedPassword = (password: string) => Buffer.from(`"${password}"`, "utf16le");
 
+const getDN = async (dn: string, client: Client): Promise<string> => {
+  if (DistinguishedNameRegex.test(dn)) return dn;
+
+  const opts: SearchOptions = {
+    filter: `(userPrincipalName=${dn})`,
+    scope: "sub",
+    attributes: ["dn"]
+  };
+
+  const base = dn
+    .split("@")[1]
+    .split(".")
+    .map((dc) => `dc=${dc}`)
+    .join(",");
+
+  return new Promise((resolve, reject) => {
+    // Perform the search
+    client.search(base, opts, (err, res) => {
+      if (err) {
+        logger.error(err, "LDAP Failed to get DN");
+        reject(new Error(`Provider Resolve DN Error: ${err.message}`));
+      }
+
+      let userDn: string | null;
+
+      res.on("searchEntry", (entry) => {
+        userDn = entry.objectName;
+      });
+
+      res.on("error", (error) => {
+        logger.error(error, "LDAP Failed to get DN");
+        reject(new Error(`Provider Resolve DN Error: ${error.message}`));
+      });
+
+      res.on("end", () => {
+        if (userDn) {
+          resolve(userDn);
+        } else {
+          reject(new Error(`Unable to resolve DN for ${dn}.`));
+        }
+      });
+    });
+  });
+};
+
 export const ldapPasswordRotationFactory: TRotationFactory<
   TLdapPasswordRotationWithConnection,
-  TLdapPasswordRotationGeneratedCredentials
+  TLdapPasswordRotationGeneratedCredentials,
+  TLdapPasswordRotationInput["temporaryParameters"]
 > = (secretRotation, appConnectionDAL, kmsService) => {
-  const {
-    connection,
-    parameters: { dn, passwordRequirements },
-    secretsMapping
-  } = secretRotation;
+  const { connection, parameters, secretsMapping, activeIndex } = secretRotation;
+
+  const { dn, passwordRequirements } = parameters;
 
   const $verifyCredentials = async (credentials: Pick<TLdapConnection["credentials"], "dn" | "password">) => {
     try {
@@ -40,13 +87,21 @@ export const ldapPasswordRotationFactory: TRotationFactory<
     }
   };
 
-  const $rotatePassword = async () => {
+  const $rotatePassword = async (currentPassword?: string) => {
     const { credentials, orgId } = connection;
 
     if (!credentials.url.startsWith("ldaps")) throw new Error("Password Rotation requires an LDAPS connection");
 
-    const client = await getLdapConnectionClient(credentials);
-    const isPersonalRotation = credentials.dn === dn;
+    const client = await getLdapConnectionClient(
+      currentPassword
+        ? {
+            ...credentials,
+            password: currentPassword,
+            dn
+          }
+        : credentials
+    );
+    const isConnectionRotation = credentials.dn === dn;
 
     const password = generatePassword(passwordRequirements);
 
@@ -58,8 +113,8 @@ export const ldapPasswordRotationFactory: TRotationFactory<
           const encodedPassword = getEncodedPassword(password);
 
           // service account vs personal password rotation require different changes
-          if (isPersonalRotation) {
-            const currentEncodedPassword = getEncodedPassword(credentials.password);
+          if (isConnectionRotation || currentPassword) {
+            const currentEncodedPassword = getEncodedPassword(currentPassword || credentials.password);
 
             changes = [
               new ldap.Change({
@@ -93,8 +148,9 @@ export const ldapPasswordRotationFactory: TRotationFactory<
     }
 
     try {
+      const userDn = await getDN(dn, client);
       await new Promise((resolve, reject) => {
-        client.modify(dn, changes, (err) => {
+        client.modify(userDn, changes, (err) => {
           if (err) {
             logger.error(err, "LDAP Password Rotation Failed");
             reject(new Error(`Provider Modify Error: ${err.message}`));
@@ -110,7 +166,7 @@ export const ldapPasswordRotationFactory: TRotationFactory<
 
     await $verifyCredentials({ dn, password });
 
-    if (isPersonalRotation) {
+    if (isConnectionRotation) {
       const updatedCredentials: TLdapConnection["credentials"] = {
         ...credentials,
         password
@@ -128,29 +184,41 @@ export const ldapPasswordRotationFactory: TRotationFactory<
     return { dn, password };
   };
 
-  const issueCredentials: TRotationFactoryIssueCredentials<TLdapPasswordRotationGeneratedCredentials> = async (
-    callback
-  ) => {
-    const credentials = await $rotatePassword();
+  const issueCredentials: TRotationFactoryIssueCredentials<
+    TLdapPasswordRotationGeneratedCredentials,
+    TLdapPasswordRotationInput["temporaryParameters"]
+  > = async (callback, temporaryParameters) => {
+    const credentials = await $rotatePassword(
+      parameters.rotationMethod === LdapPasswordRotationMethod.TargetPrincipal
+        ? temporaryParameters?.password
+        : undefined
+    );
 
     return callback(credentials);
   };
 
   const revokeCredentials: TRotationFactoryRevokeCredentials<TLdapPasswordRotationGeneratedCredentials> = async (
-    _,
+    credentialsToRevoke,
     callback
   ) => {
+    const currentPassword = credentialsToRevoke[activeIndex].password;
+
     // we just rotate to a new password, essentially revoking old credentials
-    await $rotatePassword();
+    await $rotatePassword(
+      parameters.rotationMethod === LdapPasswordRotationMethod.TargetPrincipal ? currentPassword : undefined
+    );
 
     return callback();
   };
 
   const rotateCredentials: TRotationFactoryRotateCredentials<TLdapPasswordRotationGeneratedCredentials> = async (
     _,
-    callback
+    callback,
+    activeCredentials
   ) => {
-    const credentials = await $rotatePassword();
+    const credentials = await $rotatePassword(
+      parameters.rotationMethod === LdapPasswordRotationMethod.TargetPrincipal ? activeCredentials.password : undefined
+    );
 
     return callback(credentials);
   };

backend/src/ee/services/secret-rotation-v2/ldap-password/ldap-password-rotation-schemas.ts

@@ -1,6 +1,6 @@
-import RE2 from "re2";
 import { z } from "zod";
 
+import { LdapPasswordRotationMethod } from "@app/ee/services/secret-rotation-v2/ldap-password/ldap-password-rotation-types";
 import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
 import {
   BaseCreateSecretRotationSchema,
@@ -9,7 +9,7 @@ import {
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-schemas";
 import { PasswordRequirementsSchema } from "@app/ee/services/secret-rotation-v2/shared/general";
 import { SecretRotations } from "@app/lib/api-docs";
-import { DistinguishedNameRegex } from "@app/lib/regex";
+import { DistinguishedNameRegex, UserPrincipalNameRegex } from "@app/lib/regex";
 import { SecretNameSchema } from "@app/server/lib/schemas";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 
@@ -26,10 +26,16 @@ const LdapPasswordRotationParametersSchema = z.object({
   dn: z
     .string()
     .trim()
-    .regex(new RE2(DistinguishedNameRegex), "Invalid DN format, ie; CN=user,OU=users,DC=example,DC=com")
-    .min(1, "Distinguished Name (DN) Required")
+    .min(1, "DN/UPN required")
+    .refine((value) => DistinguishedNameRegex.test(value) || UserPrincipalNameRegex.test(value), {
+      message: "Invalid DN/UPN format"
+    })
     .describe(SecretRotations.PARAMETERS.LDAP_PASSWORD.dn),
-  passwordRequirements: PasswordRequirementsSchema.optional()
+  passwordRequirements: PasswordRequirementsSchema.optional(),
+  rotationMethod: z
+    .nativeEnum(LdapPasswordRotationMethod)
+    .optional()
+    .describe(SecretRotations.PARAMETERS.LDAP_PASSWORD.rotationMethod)
 });
 
 const LdapPasswordRotationSecretsMappingSchema = z.object({
@@ -50,10 +56,28 @@ export const LdapPasswordRotationSchema = BaseSecretRotationSchema(SecretRotatio
   secretsMapping: LdapPasswordRotationSecretsMappingSchema
 });
 
-export const CreateLdapPasswordRotationSchema = BaseCreateSecretRotationSchema(SecretRotation.LdapPassword).extend({
-  parameters: LdapPasswordRotationParametersSchema,
-  secretsMapping: LdapPasswordRotationSecretsMappingSchema
-});
+export const CreateLdapPasswordRotationSchema = BaseCreateSecretRotationSchema(SecretRotation.LdapPassword)
+  .extend({
+    parameters: LdapPasswordRotationParametersSchema,
+    secretsMapping: LdapPasswordRotationSecretsMappingSchema,
+    temporaryParameters: z
+      .object({
+        password: z.string().min(1, "Password required").describe(SecretRotations.PARAMETERS.LDAP_PASSWORD.password)
+      })
+      .optional()
+  })
+  .superRefine((val, ctx) => {
+    if (
+      val.parameters.rotationMethod === LdapPasswordRotationMethod.TargetPrincipal &&
+      !val.temporaryParameters?.password
+    ) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: "Password required",
+        path: ["temporaryParameters", "password"]
+      });
+    }
+  });
 
 export const UpdateLdapPasswordRotationSchema = BaseUpdateSecretRotationSchema(SecretRotation.LdapPassword).extend({
   parameters: LdapPasswordRotationParametersSchema.optional(),

backend/src/ee/services/secret-rotation-v2/ldap-password/ldap-password-rotation-types.ts

@@ -9,6 +9,11 @@ import {
   LdapPasswordRotationSchema
 } from "./ldap-password-rotation-schemas";
 
+export enum LdapPasswordRotationMethod {
+  ConnectionPrincipal = "connection-principal",
+  TargetPrincipal = "target-principal"
+}
+
 export type TLdapPasswordRotation = z.infer<typeof LdapPasswordRotationSchema>;
 
 export type TLdapPasswordRotationInput = z.infer<typeof CreateLdapPasswordRotationSchema>;

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts

@@ -1,12 +1,13 @@
 import { AxiosError } from "axios";
 
 import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 
 import { AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./auth0-client-secret";
 import { AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION } from "./aws-iam-user-secret";
 import { AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./azure-client-secret";
-import { LDAP_PASSWORD_ROTATION_LIST_OPTION } from "./ldap-password";
+import { LDAP_PASSWORD_ROTATION_LIST_OPTION, TLdapPasswordRotation } from "./ldap-password";
 import { MSSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mssql-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
@@ -15,7 +16,8 @@ import {
   TSecretRotationV2,
   TSecretRotationV2GeneratedCredentials,
   TSecretRotationV2ListItem,
-  TSecretRotationV2Raw
+  TSecretRotationV2Raw,
+  TUpdateSecretRotationV2DTO
 } from "./secret-rotation-v2-types";
 
 const SECRET_ROTATION_LIST_OPTIONS: Record<SecretRotation, TSecretRotationV2ListItem> = {
@@ -228,3 +230,30 @@ export const parseRotationErrorMessage = (err: unknown): string => {
     ? errorMessage
     : `${errorMessage.substring(0, MAX_MESSAGE_LENGTH - 3)}...`;
 };
+
+function haveUnequalProperties<T>(obj1: T, obj2: T, properties: (keyof T)[]): boolean {
+  return properties.some((prop) => obj1[prop] !== obj2[prop]);
+}
+
+export const throwOnImmutableParameterUpdate = (
+  updatePayload: TUpdateSecretRotationV2DTO,
+  secretRotation: TSecretRotationV2Raw
+) => {
+  if (!updatePayload.parameters) return;
+
+  switch (updatePayload.type) {
+    case SecretRotation.LdapPassword:
+      if (
+        haveUnequalProperties(
+          updatePayload.parameters as TLdapPasswordRotation["parameters"],
+          secretRotation.parameters as TLdapPasswordRotation["parameters"],
+          ["rotationMethod", "dn"]
+        )
+      ) {
+        throw new BadRequestError({ message: "Cannot update rotation method or DN" });
+      }
+      break;
+    default:
+    // do nothing
+  }
+};

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -25,7 +25,8 @@ import {
   getNextUtcRotationInterval,
   getSecretRotationRotateSecretJobOptions,
   listSecretRotationOptions,
-  parseRotationErrorMessage
+  parseRotationErrorMessage,
+  throwOnImmutableParameterUpdate
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-fns";
 import {
   SECRET_ROTATION_CONNECTION_MAP,
@@ -46,6 +47,7 @@ import {
   TSecretRotationV2,
   TSecretRotationV2GeneratedCredentials,
   TSecretRotationV2Raw,
+  TSecretRotationV2TemporaryParameters,
   TSecretRotationV2WithConnection,
   TUpdateSecretRotationV2DTO
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
@@ -112,7 +114,8 @@ const MAX_GENERATED_CREDENTIALS_LENGTH = 2;
 
 type TRotationFactoryImplementation = TRotationFactory<
   TSecretRotationV2WithConnection,
-  TSecretRotationV2GeneratedCredentials
+  TSecretRotationV2GeneratedCredentials,
+  TSecretRotationV2TemporaryParameters
 >;
 const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactoryImplementation> = {
   [SecretRotation.PostgresCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
@@ -400,6 +403,7 @@ export const secretRotationV2ServiceFactory = ({
       environment,
       rotateAtUtc = { hours: 0, minutes: 0 },
       secretsMapping,
+      temporaryParameters,
       ...payload
     }: TCreateSecretRotationV2DTO,
     actor: OrgServiceActor
@@ -546,7 +550,7 @@ export const secretRotationV2ServiceFactory = ({
 
           return createdRotation;
         });
-      });
+      }, temporaryParameters);
 
       await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
       await snapshotService.performSnapshot(folder.id);
@@ -585,10 +589,7 @@ export const secretRotationV2ServiceFactory = ({
     }
   };
 
-  const updateSecretRotation = async (
-    { type, rotationId, ...payload }: TUpdateSecretRotationV2DTO,
-    actor: OrgServiceActor
-  ) => {
+  const updateSecretRotation = async (dto: TUpdateSecretRotationV2DTO, actor: OrgServiceActor) => {
     const plan = await licenseService.getPlan(actor.orgId);
 
     if (!plan.secretRotation)
@@ -596,6 +597,8 @@ export const secretRotationV2ServiceFactory = ({
         message: "Failed to update secret rotation due to plan restriction. Upgrade plan to update secret rotations."
       });
 
+    const { type, rotationId, ...payload } = dto;
+
     const secretRotation = await secretRotationV2DAL.findById(rotationId);
 
     if (!secretRotation)
@@ -603,6 +606,8 @@ export const secretRotationV2ServiceFactory = ({
         message: `Could not find ${SECRET_ROTATION_NAME_MAP[type]} Rotation with ID ${rotationId}`
       });
 
+    throwOnImmutableParameterUpdate(dto, secretRotation);
+
     const { folder, environment, projectId, folderId, connection } = secretRotation;
     const secretsMapping = secretRotation.secretsMapping as TSecretRotationV2["secretsMapping"];
 
@@ -877,6 +882,7 @@ export const secretRotationV2ServiceFactory = ({
       const inactiveIndex = (activeIndex + 1) % MAX_GENERATED_CREDENTIALS_LENGTH;
 
       const inactiveCredentials = generatedCredentials[inactiveIndex];
+      const activeCredentials = generatedCredentials[activeIndex];
 
       const rotationFactory = SECRET_ROTATION_FACTORY_MAP[type as SecretRotation](
         {
@@ -887,73 +893,77 @@ export const secretRotationV2ServiceFactory = ({
         kmsService
       );
 
-      const updatedRotation = await rotationFactory.rotateCredentials(inactiveCredentials, async (newCredentials) => {
-        const updatedCredentials = [...generatedCredentials];
-        updatedCredentials[inactiveIndex] = newCredentials;
+      const updatedRotation = await rotationFactory.rotateCredentials(
+        inactiveCredentials,
+        async (newCredentials) => {
+          const updatedCredentials = [...generatedCredentials];
+          updatedCredentials[inactiveIndex] = newCredentials;
 
-        const encryptedUpdatedCredentials = await encryptSecretRotationCredentials({
-          projectId,
-          generatedCredentials: updatedCredentials as TSecretRotationV2GeneratedCredentials,
-          kmsService
-        });
-
-        return secretRotationV2DAL.transaction(async (tx) => {
-          const secretsPayload = rotationFactory.getSecretsPayload(newCredentials);
-
-          const { encryptor } = await kmsService.createCipherPairWithDataKey({
-            type: KmsDataKey.SecretManager,
-            projectId
+          const encryptedUpdatedCredentials = await encryptSecretRotationCredentials({
+            projectId,
+            generatedCredentials: updatedCredentials as TSecretRotationV2GeneratedCredentials,
+            kmsService
           });
 
-          // update mapped secrets with new credential values
-          await fnSecretBulkUpdate({
-            folderId,
-            orgId: connection.orgId,
-            tx,
-            inputSecrets: secretsPayload.map(({ key, value }) => ({
-              filter: {
-                key,
-                folderId,
-                type: SecretType.Shared
-              },
-              data: {
-                encryptedValue: encryptor({
-                  plainText: Buffer.from(value)
-                }).cipherTextBlob,
-                references: []
-              }
-            })),
-            secretDAL: secretV2BridgeDAL,
-            secretVersionDAL: secretVersionV2BridgeDAL,
-            secretVersionTagDAL: secretVersionTagV2BridgeDAL,
-            secretTagDAL,
-            resourceMetadataDAL
-          });
+          return secretRotationV2DAL.transaction(async (tx) => {
+            const secretsPayload = rotationFactory.getSecretsPayload(newCredentials);
 
-          const currentTime = new Date();
+            const { encryptor } = await kmsService.createCipherPairWithDataKey({
+              type: KmsDataKey.SecretManager,
+              projectId
+            });
 
-          return secretRotationV2DAL.updateById(
-            secretRotation.id,
-            {
-              encryptedGeneratedCredentials: encryptedUpdatedCredentials,
-              activeIndex: inactiveIndex,
-              isLastRotationManual: isManualRotation,
-              lastRotatedAt: currentTime,
-              lastRotationAttemptedAt: currentTime,
-              nextRotationAt: calculateNextRotationAt({
-                ...(secretRotation as TSecretRotationV2),
-                rotationStatus: SecretRotationStatus.Success,
+            // update mapped secrets with new credential values
+            await fnSecretBulkUpdate({
+              folderId,
+              orgId: connection.orgId,
+              tx,
+              inputSecrets: secretsPayload.map(({ key, value }) => ({
+                filter: {
+                  key,
+                  folderId,
+                  type: SecretType.Shared
+                },
+                data: {
+                  encryptedValue: encryptor({
+                    plainText: Buffer.from(value)
+                  }).cipherTextBlob,
+                  references: []
+                }
+              })),
+              secretDAL: secretV2BridgeDAL,
+              secretVersionDAL: secretVersionV2BridgeDAL,
+              secretVersionTagDAL: secretVersionTagV2BridgeDAL,
+              secretTagDAL,
+              resourceMetadataDAL
+            });
+
+            const currentTime = new Date();
+
+            return secretRotationV2DAL.updateById(
+              secretRotation.id,
+              {
+                encryptedGeneratedCredentials: encryptedUpdatedCredentials,
+                activeIndex: inactiveIndex,
+                isLastRotationManual: isManualRotation,
                 lastRotatedAt: currentTime,
-                isManualRotation
-              }),
-              rotationStatus: SecretRotationStatus.Success,
-              lastRotationJobId: jobId,
-              encryptedLastRotationMessage: null
-            },
-            tx
-          );
-        });
-      });
+                lastRotationAttemptedAt: currentTime,
+                nextRotationAt: calculateNextRotationAt({
+                  ...(secretRotation as TSecretRotationV2),
+                  rotationStatus: SecretRotationStatus.Success,
+                  lastRotatedAt: currentTime,
+                  isManualRotation
+                }),
+                rotationStatus: SecretRotationStatus.Success,
+                lastRotationJobId: jobId,
+                encryptedLastRotationMessage: null
+              },
+              tx
+            );
+          });
+        },
+        activeCredentials
+      );
 
       await auditLogService.createAuditLog({
         ...(auditLogInfo ?? {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts

@@ -87,6 +87,8 @@ export type TSecretRotationV2ListItem =
   | TLdapPasswordRotationListItem
   | TAwsIamUserSecretRotationListItem;
 
+export type TSecretRotationV2TemporaryParameters = TLdapPasswordRotationInput["temporaryParameters"] | undefined;
+
 export type TSecretRotationV2Raw = NonNullable<Awaited<ReturnType<TSecretRotationV2DALFactory["findById"]>>>;
 
 export type TListSecretRotationsV2ByProjectId = {
@@ -120,6 +122,7 @@ export type TCreateSecretRotationV2DTO = Pick<
   environment: string;
   isAutoRotationEnabled?: boolean;
   rotateAtUtc?: TRotateAtUtc;
+  temporaryParameters?: TSecretRotationV2TemporaryParameters;
 };
 
 export type TUpdateSecretRotationV2DTO = Partial<
@@ -186,8 +189,12 @@ export type TSecretRotationSendNotificationJobPayload = {
 // transactional behavior. By passing in the rotation mutation, if this mutation fails we can roll back the
 // third party credential changes (when supported), preventing credentials getting out of sync
 
-export type TRotationFactoryIssueCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
-  callback: (newCredentials: T[number]) => Promise<TSecretRotationV2Raw>
+export type TRotationFactoryIssueCredentials<
+  T extends TSecretRotationV2GeneratedCredentials,
+  P extends TSecretRotationV2TemporaryParameters = undefined
+> = (
+  callback: (newCredentials: T[number]) => Promise<TSecretRotationV2Raw>,
+  temporaryParameters?: P
 ) => Promise<TSecretRotationV2Raw>;
 
 export type TRotationFactoryRevokeCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
@@ -197,7 +204,8 @@ export type TRotationFactoryRevokeCredentials<T extends TSecretRotationV2Generat
 
 export type TRotationFactoryRotateCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
   credentialsToRevoke: T[number] | undefined,
-  callback: (newCredentials: T[number]) => Promise<TSecretRotationV2Raw>
+  callback: (newCredentials: T[number]) => Promise<TSecretRotationV2Raw>,
+  activeCredentials: T[number]
 ) => Promise<TSecretRotationV2Raw>;
 
 export type TRotationFactoryGetSecretsPayload<T extends TSecretRotationV2GeneratedCredentials> = (
@@ -206,13 +214,14 @@ export type TRotationFactoryGetSecretsPayload<T extends TSecretRotationV2Generat
 
 export type TRotationFactory<
   T extends TSecretRotationV2WithConnection,
-  C extends TSecretRotationV2GeneratedCredentials
+  C extends TSecretRotationV2GeneratedCredentials,
+  P extends TSecretRotationV2TemporaryParameters = undefined
 > = (
   secretRotation: T,
   appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">,
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
 ) => {
-  issueCredentials: TRotationFactoryIssueCredentials<C>;
+  issueCredentials: TRotationFactoryIssueCredentials<C, P>;
   revokeCredentials: TRotationFactoryRevokeCredentials<C>;
   rotateCredentials: TRotationFactoryRotateCredentials<C>;
   getSecretsPayload: TRotationFactoryGetSecretsPayload<C>;

backend/src/ee/services/secret-sync/oci-vault/oci-vault-sync-constants.ts

@@ -6,5 +6,6 @@ export const OCI_VAULT_SYNC_LIST_OPTION: TSecretSyncListItem = {
   name: "OCI Vault",
   destination: SecretSync.OCIVault,
   connection: AppConnection.OCI,
-  canImportSecrets: true
+  canImportSecrets: true,
+  enterprise: true
 };

backend/src/ee/services/secret-sync/oci-vault/oci-vault-sync-fns.ts

@@ -1,7 +1,6 @@
 import { secrets, vault } from "oci-sdk";
 
-import { delay } from "@app/lib/delay";
-import { getOCIProvider } from "@app/services/app-connection/oci";
+import { getOCIProvider } from "@app/ee/services/app-connections/oci";
 import {
   TCreateOCIVaultVariable,
   TDeleteOCIVaultVariable,
@@ -9,8 +8,10 @@ import {
   TOCIVaultSyncWithCredentials,
   TUnmarkOCIVaultVariableFromDeletion,
   TUpdateOCIVaultVariable
-} from "@app/services/secret-sync/oci-vault/oci-vault-sync-types";
+} from "@app/ee/services/secret-sync/oci-vault/oci-vault-sync-types";
+import { delay } from "@app/lib/delay";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 
 const listOCIVaultVariables = async ({ provider, compartmentId, vaultId, onlyActive }: TOCIVaultListVariables) => {
@@ -211,6 +212,9 @@ export const OCIVaultSyncFns = {
 
     // Update and delete secrets
     for await (const [key, variable] of Object.entries(variables)) {
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(key, secretSync.syncOptions.keySchema)) continue;
+
       // Only update / delete active secrets
       if (variable.lifecycleState === vault.models.SecretSummary.LifecycleState.Active) {
         if (key in secretMap && secretMap[key].value.length > 0) {

backend/src/ee/services/secret-sync/oci-vault/oci-vault-sync-schemas.ts

@@ -66,5 +66,6 @@ export const OCIVaultSyncListItemSchema = z.object({
   name: z.literal("OCI Vault"),
   connection: z.literal(AppConnection.OCI),
   destination: z.literal(SecretSync.OCIVault),
-  canImportSecrets: z.literal(true)
+  canImportSecrets: z.literal(true),
+  enterprise: z.boolean()
 });

backend/src/ee/services/secret-sync/oci-vault/oci-vault-sync-types.ts

@@ -1,7 +1,7 @@
 import { SimpleAuthenticationDetailsProvider } from "oci-sdk";
 import { z } from "zod";
 
-import { TOCIConnection } from "@app/services/app-connection/oci";
+import { TOCIConnection } from "@app/ee/services/app-connections/oci";
 
 import { CreateOCIVaultSyncSchema, OCIVaultSyncListItemSchema, OCIVaultSyncSchema } from "./oci-vault-sync-schemas";
 

backend/src/lib/api-docs/constants.ts

@@ -14,6 +14,7 @@ export enum ApiDocsTags {
   UniversalAuth = "Universal Auth",
   GcpAuth = "GCP Auth",
   AwsAuth = "AWS Auth",
+  OciAuth = "OCI Auth",
   AzureAuth = "Azure Auth",
   KubernetesAuth = "Kubernetes Auth",
   JwtAuth = "JWT Auth",
@@ -271,6 +272,40 @@ export const AWS_AUTH = {
   }
 } as const;
 
+export const OCI_AUTH = {
+  LOGIN: {
+    identityId: "The ID of the identity to login.",
+    userOcid: "The OCID of the user attempting login.",
+    headers: "The headers of the signed request."
+  },
+  ATTACH: {
+    identityId: "The ID of the identity to attach the configuration onto.",
+    tenancyOcid: "The OCID of your tenancy.",
+    allowedUsernames:
+      "The comma-separated list of trusted OCI account usernames that are allowed to authenticate with Infisical.",
+    accessTokenTTL: "The lifetime for an access token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
+    accessTokenNumUsesLimit: "The maximum number of times that an access token can be used.",
+    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update the auth method for.",
+    tenancyOcid: "The OCID of your tenancy.",
+    allowedUsernames:
+      "The comma-separated list of trusted OCI account usernames that are allowed to authenticate with Infisical.",
+    accessTokenTTL: "The new lifetime for an access token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
+    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from."
+  },
+  RETRIEVE: {
+    identityId: "The ID of the identity to retrieve the auth method for."
+  },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke the auth method for."
+  }
+} as const;
+
 export const AZURE_AUTH = {
   LOGIN: {
     identityId: "The ID of the identity to login."
@@ -358,6 +393,7 @@ export const KUBERNETES_AUTH = {
     allowedNames: "The comma-separated list of trusted service account names that can authenticate with Infisical.",
     allowedAudience:
       "The optional audience claim that the service account JWT token must have to authenticate with Infisical.",
+    gatewayId: "The ID of the gateway to use when performing kubernetes API requests.",
     accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
     accessTokenTTL: "The lifetime for an access token in seconds.",
     accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
@@ -374,6 +410,7 @@ export const KUBERNETES_AUTH = {
     allowedNames: "The new comma-separated list of trusted service account names that can authenticate with Infisical.",
     allowedAudience:
       "The new optional audience claim that the service account JWT token must have to authenticate with Infisical.",
+    gatewayId: "The ID of the gateway to use when performing kubernetes API requests.",
     accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
     accessTokenTTL: "The new lifetime for an acccess token in seconds.",
     accessTokenMaxTTL: "The new maximum lifetime for an acccess token in seconds.",
@@ -571,7 +608,8 @@ export const PROJECTS = {
     projectDescription: "An optional description label for the project.",
     autoCapitalization: "Disable or enable auto-capitalization for the project.",
     slug: "An optional slug for the project. (must be unique within the organization)",
-    hasDeleteProtection: "Enable or disable delete protection for the project."
+    hasDeleteProtection: "Enable or disable delete protection for the project.",
+    secretSharing: "Enable or disable secret sharing for the project."
   },
   GET_KEY: {
     workspaceId: "The ID of the project to get the key from."
@@ -2025,7 +2063,7 @@ export const AppConnections = {
     LDAP: {
       provider: "The type of LDAP provider. Determines provider-specific behaviors.",
       url: "The LDAP/LDAPS URL to connect to (e.g., 'ldap://domain-or-ip:389' or 'ldaps://domain-or-ip:636').",
-      dn: "The Distinguished Name (DN) of the principal to bind with (e.g., 'CN=John,CN=Users,DC=example,DC=com').",
+      dn: "The Distinguished Name (DN) or User Principal Name (UPN) of the principal to bind with (e.g., 'CN=John,CN=Users,DC=example,DC=com').",
       password: "The password to bind with for authentication.",
       sslRejectUnauthorized:
         "Whether or not to reject unauthorized SSL certificates (true/false) when using ldaps://. Set to false only in test environments.",
@@ -2046,6 +2084,10 @@ export const AppConnections = {
       region: "The region identifier in Oracle Cloud Infrastructure where the vault is located.",
       fingerprint: "The fingerprint of the public key uploaded to the user's API keys.",
       privateKey: "The private key content in PEM format used to sign API requests."
+    },
+    ONEPASS: {
+      instanceUrl: "The URL of the 1Password Connect Server instance to authenticate with.",
+      apiToken: "The API token used to access the 1Password Connect Server."
     }
   }
 };
@@ -2109,6 +2151,7 @@ export const SecretSyncs = {
     const destinationName = SECRET_SYNC_NAME_MAP[destination];
     return {
       initialSyncBehavior: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`,
+      keySchema: `Specify the format to use for structuring secret keys in the ${destinationName} destination.`,
       disableSecretDeletion: `Enable this flag to prevent removal of secrets from the ${destinationName} destination when syncing.`
     };
   },
@@ -2198,6 +2241,9 @@ export const SecretSyncs = {
       compartmentOcid: "The OCID (Oracle Cloud Identifier) of the compartment where the vault is located.",
       vaultOcid: "The OCID (Oracle Cloud Identifier) of the vault to sync secrets to.",
       keyOcid: "The OCID (Oracle Cloud Identifier) of the encryption key to use when creating secrets in the vault."
+    },
+    ONEPASS: {
+      vaultId: "The ID of the 1Password vault to sync secrets to."
     }
   }
 };
@@ -2269,7 +2315,10 @@ export const SecretRotations = {
       clientId: "The client ID of the Azure Application to rotate the client secret for."
     },
     LDAP_PASSWORD: {
-      dn: "The Distinguished Name (DN) of the principal to rotate the password for."
+      dn: "The Distinguished Name (DN) or User Principal Name (UPN) of the principal to rotate the password for.",
+      rotationMethod:
+        'Whether the rotation should be performed by the LDAP "connection-principal" or the "target-principal" (defaults to \'connection-principal\').',
+      password: 'The password of the provided principal if "parameters.rotationMethod" is set to "target-principal".'
     },
     GENERAL: {
       PASSWORD_REQUIREMENTS: {
@@ -2303,7 +2352,7 @@ export const SecretRotations = {
       clientSecret: "The name of the secret that the rotated client secret will be mapped to."
     },
     LDAP_PASSWORD: {
-      dn: "The name of the secret that the Distinguished Name (DN) of the principal will be mapped to.",
+      dn: "The name of the secret that the Distinguished Name (DN) or User Principal Name (UPN) of the principal will be mapped to.",
       password: "The name of the secret that the rotated password will be mapped to."
     },
     AWS_IAM_USER_SECRET: {

backend/src/lib/config/env.ts

@@ -69,6 +69,9 @@ const envSchema = z
     SMTP_PASSWORD: zpStr(z.string().optional()),
     SMTP_FROM_ADDRESS: zpStr(z.string().optional()),
     SMTP_FROM_NAME: zpStr(z.string().optional().default("Infisical")),
+    SMTP_CUSTOM_CA_CERT: zpStr(
+      z.string().optional().describe("Base64 encoded custom CA certificate PEM(s) for the SMTP server")
+    ),
     COOKIE_SECRET_SIGN_KEY: z
       .string()
       .min(32)
@@ -298,6 +301,17 @@ export const initEnvConfig = (logger?: CustomLogger) => {
 };
 
 export const formatSmtpConfig = () => {
+  const tlsOptions: {
+    rejectUnauthorized: boolean;
+    ca?: string | string[];
+  } = {
+    rejectUnauthorized: envCfg.SMTP_TLS_REJECT_UNAUTHORIZED
+  };
+
+  if (envCfg.SMTP_CUSTOM_CA_CERT) {
+    tlsOptions.ca = Buffer.from(envCfg.SMTP_CUSTOM_CA_CERT, "base64").toString("utf-8");
+  }
+
   return {
     host: envCfg.SMTP_HOST,
     port: envCfg.SMTP_PORT,
@@ -309,8 +323,6 @@ export const formatSmtpConfig = () => {
     from: `"${envCfg.SMTP_FROM_NAME}" <${envCfg.SMTP_FROM_ADDRESS}>`,
     ignoreTLS: envCfg.SMTP_IGNORE_TLS,
     requireTLS: envCfg.SMTP_REQUIRE_TLS,
-    tls: {
-      rejectUnauthorized: envCfg.SMTP_TLS_REJECT_UNAUTHORIZED
-    }
+    tls: tlsOptions
   };
 };

backend/src/lib/gateway/index.ts

@@ -174,6 +174,8 @@ const setupProxyServer = async ({
   return new Promise((resolve, reject) => {
     const server = net.createServer();
 
+    let streamClosed = false;
+
     // eslint-disable-next-line @typescript-eslint/no-misused-promises
     server.on("connection", async (clientConn) => {
       try {
@@ -202,9 +204,15 @@ const setupProxyServer = async ({
 
             // Handle client connection close
             clientConn.on("end", () => {
-              writer.close().catch((err) => {
-                logger.error(err);
-              });
+              if (!streamClosed) {
+                try {
+                  writer.close().catch((err) => {
+                    logger.debug(err, "Error closing writer (already closed)");
+                  });
+                } catch (error) {
+                  logger.debug(error, "Error in writer close");
+                }
+              }
             });
 
             clientConn.on("error", (clientConnErr) => {
@@ -249,14 +257,29 @@ const setupProxyServer = async ({
         setupCopy();
         // Handle connection closure
         clientConn.on("close", () => {
-          stream.destroy().catch((err) => {
-            proxyErrorMsg.push((err as Error)?.message);
-          });
+          if (!streamClosed) {
+            streamClosed = true;
+            stream.destroy().catch((err) => {
+              logger.debug(err, "Stream already destroyed during close event");
+            });
+          }
         });
 
         const cleanup = async () => {
-          clientConn?.destroy();
-          await stream.destroy();
+          try {
+            clientConn?.destroy();
+          } catch (err) {
+            logger.debug(err, "Error destroying client connection");
+          }
+
+          if (!streamClosed) {
+            streamClosed = true;
+            try {
+              await stream.destroy();
+            } catch (err) {
+              logger.debug(err, "Error destroying stream (might be already closed)");
+            }
+          }
         };
 
         clientConn.on("error", (clientConnErr) => {
@@ -301,8 +324,17 @@ const setupProxyServer = async ({
         server,
         port: address.port,
         cleanup: async () => {
-          server.close();
-          await quicClient?.destroy();
+          try {
+            server.close();
+          } catch (err) {
+            logger.debug(err, "Error closing server");
+          }
+
+          try {
+            await quicClient?.destroy();
+          } catch (err) {
+            logger.debug(err, "Error destroying QUIC client");
+          }
         },
         getProxyError: () => proxyErrorMsg.join(",")
       });
@@ -320,10 +352,10 @@ interface ProxyOptions {
   orgId: string;
 }
 
-export const withGatewayProxy = async (
-  callback: (port: number) => Promise<void>,
+export const withGatewayProxy = async <T>(
+  callback: (port: number) => Promise<T>,
   options: ProxyOptions
-): Promise<void> => {
+): Promise<T> => {
   const { relayHost, relayPort, targetHost, targetPort, tlsOptions, identityId, orgId } = options;
 
   // Setup the proxy server
@@ -339,7 +371,7 @@ export const withGatewayProxy = async (
 
   try {
     // Execute the callback with the allocated port
-    await callback(port);
+    return await callback(port);
   } catch (err) {
     const proxyErrorMessage = getProxyError();
     if (proxyErrorMessage) {

backend/src/lib/knex/index.ts

@@ -32,13 +32,13 @@ export const buildFindFilter =
   <R extends object = object>(
     { $in, $notNull, $search, $complex, ...filter }: TFindFilter<R>,
     tableName?: TableName,
-    excludeKeys?: Array<keyof R>
+    excludeKeys?: string[]
   ) =>
   (bd: Knex.QueryBuilder<R, R>) => {
     const processedFilter = tableName
       ? Object.fromEntries(
           Object.entries(filter)
-            .filter(([key]) => !excludeKeys || !excludeKeys.includes(key as keyof R))
+            .filter(([key]) => !excludeKeys || !excludeKeys.includes(key))
             .map(([key, value]) => [`${tableName}.${key}`, value])
         )
       : filter;

backend/src/lib/knex/scim.ts

@@ -1,6 +1,8 @@
 import { Knex } from "knex";
 import { Compare, Filter, parse } from "scim2-parse-filter";
 
+import { TableName } from "@app/db/schemas";
+
 const appendParentToGroupingOperator = (parentPath: string, filter: Filter) => {
   if (filter.op !== "[]" && filter.op !== "and" && filter.op !== "or" && filter.op !== "not") {
     return { ...filter, attrPath: `${parentPath}.${(filter as Compare).attrPath}` };
@@ -27,8 +29,12 @@ const processDynamicQuery = (
     const { scimFilterAst, query } = stack.pop()!;
     switch (scimFilterAst.op) {
       case "eq": {
+        let sanitizedValue = scimFilterAst.compValue;
         const attrPath = getAttributeField(scimFilterAst.attrPath);
-        if (attrPath) void query.where(attrPath, scimFilterAst.compValue);
+        if (attrPath === `${TableName.Users}.email` && typeof sanitizedValue === "string") {
+          sanitizedValue = sanitizedValue.toLowerCase();
+        }
+        if (attrPath) void query.where(attrPath, sanitizedValue);
         break;
       }
       case "pr": {
@@ -62,18 +68,30 @@ const processDynamicQuery = (
         break;
       }
       case "ew": {
+        let sanitizedValue = scimFilterAst.compValue;
         const attrPath = getAttributeField(scimFilterAst.attrPath);
-        if (attrPath) void query.whereILike(attrPath, `%${scimFilterAst.compValue}`);
+        if (attrPath === `${TableName.Users}.email` && typeof sanitizedValue === "string") {
+          sanitizedValue = sanitizedValue.toLowerCase();
+        }
+        if (attrPath) void query.whereILike(attrPath, `%${sanitizedValue}`);
         break;
       }
       case "co": {
+        let sanitizedValue = scimFilterAst.compValue;
         const attrPath = getAttributeField(scimFilterAst.attrPath);
-        if (attrPath) void query.whereILike(attrPath, `%${scimFilterAst.compValue}%`);
+        if (attrPath === `${TableName.Users}.email` && typeof sanitizedValue === "string") {
+          sanitizedValue = sanitizedValue.toLowerCase();
+        }
+        if (attrPath) void query.whereILike(attrPath, `%${sanitizedValue}%`);
         break;
       }
       case "ne": {
+        let sanitizedValue = scimFilterAst.compValue;
         const attrPath = getAttributeField(scimFilterAst.attrPath);
-        if (attrPath) void query.whereNot(attrPath, "=", scimFilterAst.compValue);
+        if (attrPath === `${TableName.Users}.email` && typeof sanitizedValue === "string") {
+          sanitizedValue = sanitizedValue.toLowerCase();
+        }
+        if (attrPath) void query.whereNot(attrPath, "=", sanitizedValue);
         break;
       }
       case "and": {

backend/src/lib/logger/logger.ts

@@ -95,11 +95,20 @@ const extractReqId = () => {
   try {
     return requestContext.get("reqId") || UNKNOWN_REQUEST_ID;
   } catch (err) {
+    // eslint-disable-next-line no-console
     console.log("failed to get request context", err);
     return UNKNOWN_REQUEST_ID;
   }
 };
 
+const extractOrgId = () => {
+  try {
+    return requestContext.get("orgId");
+  } catch {
+    return "";
+  }
+};
+
 export const initLogger = () => {
   const cfg = loggerConfig.parse(process.env);
   const targets: pino.TransportMultiOptions["targets"][number][] = [
@@ -135,22 +144,22 @@ export const initLogger = () => {
   const wrapLogger = (originalLogger: Logger): CustomLogger => {
     // eslint-disable-next-line no-param-reassign, @typescript-eslint/no-explicit-any
     originalLogger.info = (obj: unknown, msg?: string, ...args: any[]) => {
-      return originalLogger.child({ reqId: extractReqId() }).info(obj, msg, ...args);
+      return originalLogger.child({ reqId: extractReqId(), orgId: extractOrgId() }).info(obj, msg, ...args);
     };
 
     // eslint-disable-next-line no-param-reassign, @typescript-eslint/no-explicit-any
     originalLogger.error = (obj: unknown, msg?: string, ...args: any[]) => {
-      return originalLogger.child({ reqId: extractReqId() }).error(obj, msg, ...args);
+      return originalLogger.child({ reqId: extractReqId(), orgId: extractOrgId() }).error(obj, msg, ...args);
     };
 
     // eslint-disable-next-line no-param-reassign, @typescript-eslint/no-explicit-any
     originalLogger.warn = (obj: unknown, msg?: string, ...args: any[]) => {
-      return originalLogger.child({ reqId: extractReqId() }).warn(obj, msg, ...args);
+      return originalLogger.child({ reqId: extractReqId(), orgId: extractOrgId() }).warn(obj, msg, ...args);
     };
 
     // eslint-disable-next-line no-param-reassign, @typescript-eslint/no-explicit-any
     originalLogger.debug = (obj: unknown, msg?: string, ...args: any[]) => {
-      return originalLogger.child({ reqId: extractReqId() }).debug(obj, msg, ...args);
+      return originalLogger.child({ reqId: extractReqId(), orgId: extractOrgId() }).debug(obj, msg, ...args);
     };
 
     return originalLogger;

backend/src/lib/regex/index.ts

@@ -1,3 +1,11 @@
+import RE2 from "re2";
+
 export const DistinguishedNameRegex =
   // DN format, ie; CN=user,OU=users,DC=example,DC=com
-  /^(?:(?:[a-zA-Z0-9]+=[^,+="<>#;\\\\]+)(?:(?:\\+[a-zA-Z0-9]+=[^,+="<>#;\\\\]+)*)(?:,(?:[a-zA-Z0-9]+=[^,+="<>#;\\\\]+)(?:(?:\\+[a-zA-Z0-9]+=[^,+="<>#;\\\\]+)*))*)?$/;
+  new RE2(
+    /^(?:(?:[a-zA-Z0-9]+=[^,+="<>#;\\\\]+)(?:(?:\\+[a-zA-Z0-9]+=[^,+="<>#;\\\\]+)*)(?:,(?:[a-zA-Z0-9]+=[^,+="<>#;\\\\]+)(?:(?:\\+[a-zA-Z0-9]+=[^,+="<>#;\\\\]+)*))*)?$/
+  );
+
+export const UserPrincipalNameRegex = new RE2(/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9._-]+\.[a-zA-Z]{2,}$/);
+
+export const LdapUrlRegex = new RE2(/^ldaps?:\/\//);

backend/src/server/lib/schemas.ts

@@ -9,7 +9,7 @@ interface SlugSchemaInputs {
   field?: string;
 }
 
-export const slugSchema = ({ min = 1, max = 32, field = "Slug" }: SlugSchemaInputs = {}) => {
+export const slugSchema = ({ min = 1, max = 64, field = "Slug" }: SlugSchemaInputs = {}) => {
   return z
     .string()
     .trim()

backend/src/server/plugins/auth/inject-identity.ts

@@ -123,6 +123,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
     switch (authMode) {
       case AuthMode.JWT: {
         const { user, tokenVersionId, orgId } = await server.services.authToken.fnValidateJwtIdentity(token);
+        requestContext.set("orgId", orgId);
         req.auth = {
           authMode: AuthMode.JWT,
           user,
@@ -138,6 +139,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
       case AuthMode.IDENTITY_ACCESS_TOKEN: {
         const identity = await server.services.identityAccessToken.fnValidateIdentityAccessToken(token, req.realIp);
         const serverCfg = await getServerCfg();
+        requestContext.set("orgId", identity.orgId);
         req.auth = {
           authMode: AuthMode.IDENTITY_ACCESS_TOKEN,
           actor,
@@ -157,6 +159,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
       }
       case AuthMode.SERVICE_TOKEN: {
         const serviceToken = await server.services.serviceToken.fnValidateServiceToken(token);
+        requestContext.set("orgId", serviceToken.orgId);
         req.auth = {
           orgId: serviceToken.orgId,
           authMode: AuthMode.SERVICE_TOKEN as const,
@@ -181,6 +184,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
       }
       case AuthMode.SCIM_TOKEN: {
         const { orgId, scimTokenId } = await server.services.scim.fnValidateScimToken(token);
+        requestContext.set("orgId", orgId);
         req.auth = { authMode: AuthMode.SCIM_TOKEN, actor, scimTokenId, orgId, authMethod: null };
         break;
       }

backend/src/server/routes/index.ts

@@ -32,7 +32,6 @@ import { externalKmsServiceFactory } from "@app/ee/services/external-kms/externa
 import { gatewayDALFactory } from "@app/ee/services/gateway/gateway-dal";
 import { gatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { orgGatewayConfigDALFactory } from "@app/ee/services/gateway/org-gateway-config-dal";
-import { projectGatewayDALFactory } from "@app/ee/services/gateway/project-gateway-dal";
 import { githubOrgSyncDALFactory } from "@app/ee/services/github-org-sync/github-org-sync-dal";
 import { githubOrgSyncServiceFactory } from "@app/ee/services/github-org-sync/github-org-sync-service";
 import { groupDALFactory } from "@app/ee/services/group/group-dal";
@@ -162,6 +161,8 @@ import { identityKubernetesAuthDALFactory } from "@app/services/identity-kuberne
 import { identityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { identityLdapAuthDALFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-dal";
 import { identityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
+import { identityOciAuthDALFactory } from "@app/services/identity-oci-auth/identity-oci-auth-dal";
+import { identityOciAuthServiceFactory } from "@app/services/identity-oci-auth/identity-oci-auth-service";
 import { identityOidcAuthDALFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-dal";
 import { identityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
@@ -355,6 +356,7 @@ export const registerRoutes = async (
   const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
   const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
   const identityGcpAuthDAL = identityGcpAuthDALFactory(db);
+  const identityOciAuthDAL = identityOciAuthDALFactory(db);
   const identityOidcAuthDAL = identityOidcAuthDALFactory(db);
   const identityJwtAuthDAL = identityJwtAuthDALFactory(db);
   const identityAzureAuthDAL = identityAzureAuthDALFactory(db);
@@ -436,7 +438,6 @@ export const registerRoutes = async (
 
   const orgGatewayConfigDAL = orgGatewayConfigDALFactory(db);
   const gatewayDAL = gatewayDALFactory(db);
-  const projectGatewayDAL = projectGatewayDALFactory(db);
   const secretReminderRecipientsDAL = secretReminderRecipientsDALFactory(db);
   const githubOrgSyncDAL = githubOrgSyncDALFactory(db);
 
@@ -624,7 +625,6 @@ export const registerRoutes = async (
 
   const userService = userServiceFactory({
     userDAL,
-    userAliasDAL,
     orgMembershipDAL,
     tokenService,
     permissionService,
@@ -1014,7 +1014,8 @@ export const registerRoutes = async (
     secretVersionV2BridgeDAL,
     secretVersionTagV2BridgeDAL,
     resourceMetadataDAL,
-    appConnectionDAL
+    appConnectionDAL,
+    licenseService
   });
 
   const secretQueueService = secretQueueFactory({
@@ -1419,12 +1420,24 @@ export const registerRoutes = async (
     identityUaDAL,
     licenseService
   });
+
+  const gatewayService = gatewayServiceFactory({
+    permissionService,
+    gatewayDAL,
+    kmsService,
+    licenseService,
+    orgGatewayConfigDAL,
+    keyStore
+  });
+
   const identityKubernetesAuthService = identityKubernetesAuthServiceFactory({
     identityKubernetesAuthDAL,
     identityOrgMembershipDAL,
     identityAccessTokenDAL,
     permissionService,
     licenseService,
+    gatewayService,
+    gatewayDAL,
     kmsService
   });
   const identityGcpAuthService = identityGcpAuthServiceFactory({
@@ -1451,6 +1464,14 @@ export const registerRoutes = async (
     licenseService
   });
 
+  const identityOciAuthService = identityOciAuthServiceFactory({
+    identityAccessTokenDAL,
+    identityOciAuthDAL,
+    identityOrgMembershipDAL,
+    licenseService,
+    permissionService
+  });
+
   const identityOidcAuthService = identityOidcAuthServiceFactory({
     identityOidcAuthDAL,
     identityOrgMembershipDAL,
@@ -1479,16 +1500,6 @@ export const registerRoutes = async (
     identityDAL
   });
 
-  const gatewayService = gatewayServiceFactory({
-    permissionService,
-    gatewayDAL,
-    kmsService,
-    licenseService,
-    orgGatewayConfigDAL,
-    keyStore,
-    projectGatewayDAL
-  });
-
   const dynamicSecretProviders = buildDynamicSecretProviders({
     gatewayService
   });
@@ -1510,7 +1521,7 @@ export const registerRoutes = async (
     permissionService,
     licenseService,
     kmsService,
-    projectGatewayDAL,
+    gatewayDAL,
     resourceMetadataDAL
   });
 
@@ -1621,7 +1632,8 @@ export const registerRoutes = async (
   const appConnectionService = appConnectionServiceFactory({
     appConnectionDAL,
     permissionService,
-    kmsService
+    kmsService,
+    licenseService
   });
 
   const secretSyncService = secretSyncServiceFactory({
@@ -1632,7 +1644,8 @@ export const registerRoutes = async (
     folderDAL,
     secretSyncQueue,
     projectBotService,
-    keyStore
+    keyStore,
+    licenseService
   });
 
   const kmipService = kmipServiceFactory({
@@ -1737,6 +1750,7 @@ export const registerRoutes = async (
     identityGcpAuth: identityGcpAuthService,
     identityAwsAuth: identityAwsAuthService,
     identityAzureAuth: identityAzureAuthService,
+    identityOciAuth: identityOciAuthService,
     identityOidcAuth: identityOidcAuthService,
     identityJwtAuth: identityJwtAuthService,
     identityLdapAuth: identityLdapAuthService,

backend/src/server/routes/sanitizedSchemas.ts

@@ -261,7 +261,8 @@ export const SanitizedProjectSchema = ProjectsSchema.pick({
   pitVersionLimit: true,
   kmsCertificateKeyId: true,
   auditLogsRetentionDays: true,
-  hasDeleteProtection: true
+  hasDeleteProtection: true,
+  secretSharing: true
 });
 
 export const SanitizedTagSchema = SecretTagsSchema.pick({

backend/src/server/routes/v1/app-connection-routers/1password-connection-router.ts

@@ -0,0 +1,60 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import {
+  CreateOnePassConnectionSchema,
+  SanitizedOnePassConnectionSchema,
+  UpdateOnePassConnectionSchema
+} from "@app/services/app-connection/1password";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerOnePassConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.OnePass,
+    server,
+    sanitizedResponseSchema: SanitizedOnePassConnectionSchema,
+    createSchema: CreateOnePassConnectionSchema,
+    updateSchema: UpdateOnePassConnectionSchema
+  });
+
+  // The following endpoints are for internal Infisical App use only and not part of the public API
+  server.route({
+    method: "GET",
+    url: `/:connectionId/vaults`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string(),
+            type: z.string(),
+            items: z.number(),
+
+            attributeVersion: z.number(),
+            contentVersion: z.number(),
+
+            // Corresponds to ISO8601 date string
+            createdAt: z.string(),
+            updatedAt: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+      const vaults = await server.services.appConnection.onepass.listVaults(connectionId, req.permission);
+      return vaults;
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -1,9 +1,14 @@
 import { z } from "zod";
 
+import { OCIConnectionListItemSchema, SanitizedOCIConnectionSchema } from "@app/ee/services/app-connections/oci";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags } from "@app/lib/api-docs";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import {
+  OnePassConnectionListItemSchema,
+  SanitizedOnePassConnectionSchema
+} from "@app/services/app-connection/1password";
 import { Auth0ConnectionListItemSchema, SanitizedAuth0ConnectionSchema } from "@app/services/app-connection/auth0";
 import { AwsConnectionListItemSchema, SanitizedAwsConnectionSchema } from "@app/services/app-connection/aws";
 import {
@@ -38,7 +43,6 @@ import {
 } from "@app/services/app-connection/humanitec";
 import { LdapConnectionListItemSchema, SanitizedLdapConnectionSchema } from "@app/services/app-connection/ldap";
 import { MsSqlConnectionListItemSchema, SanitizedMsSqlConnectionSchema } from "@app/services/app-connection/mssql";
-import { OCIConnectionListItemSchema, SanitizedOCIConnectionSchema } from "@app/services/app-connection/oci";
 import {
   PostgresConnectionListItemSchema,
   SanitizedPostgresConnectionSchema
@@ -78,7 +82,8 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedWindmillConnectionSchema.options,
   ...SanitizedLdapConnectionSchema.options,
   ...SanitizedTeamCityConnectionSchema.options,
-  ...SanitizedOCIConnectionSchema.options
+  ...SanitizedOCIConnectionSchema.options,
+  ...SanitizedOnePassConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -100,7 +105,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   WindmillConnectionListItemSchema,
   LdapConnectionListItemSchema,
   TeamCityConnectionListItemSchema,
-  OCIConnectionListItemSchema
+  OCIConnectionListItemSchema,
+  OnePassConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -1,5 +1,7 @@
+import { registerOCIConnectionRouter } from "@app/ee/routes/v1/app-connection-routers/oci-connection-router";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 
+import { registerOnePassConnectionRouter } from "./1password-connection-router";
 import { registerAuth0ConnectionRouter } from "./auth0-connection-router";
 import { registerAwsConnectionRouter } from "./aws-connection-router";
 import { registerAzureAppConfigurationConnectionRouter } from "./azure-app-configuration-connection-router";
@@ -13,7 +15,6 @@ import { registerHCVaultConnectionRouter } from "./hc-vault-connection-router";
 import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";
 import { registerLdapConnectionRouter } from "./ldap-connection-router";
 import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
-import { registerOCIConnectionRouter } from "./oci-connection-router";
 import { registerPostgresConnectionRouter } from "./postgres-connection-router";
 import { registerTeamCityConnectionRouter } from "./teamcity-connection-router";
 import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
@@ -42,5 +43,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.HCVault]: registerHCVaultConnectionRouter,
     [AppConnection.LDAP]: registerLdapConnectionRouter,
     [AppConnection.TeamCity]: registerTeamCityConnectionRouter,
-    [AppConnection.OCI]: registerOCIConnectionRouter
+    [AppConnection.OCI]: registerOCIConnectionRouter,
+    [AppConnection.OnePass]: registerOnePassConnectionRouter
   };

backend/src/server/routes/v1/certificate-router.ts

@@ -131,8 +131,8 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
       response: {
         200: z.object({
           certificate: z.string().trim().describe(CERTIFICATES.GET_CERT.certificate),
-          certificateChain: z.string().trim().nullish().describe(CERTIFICATES.GET_CERT.certificateChain),
-          privateKey: z.string().trim().describe(CERTIFICATES.GET_CERT.privateKey),
+          certificateChain: z.string().trim().nullable().describe(CERTIFICATES.GET_CERT.certificateChain),
+          privateKey: z.string().trim().nullable().describe(CERTIFICATES.GET_CERT.privateKey),
           serialNumber: z.string().trim().describe(CERTIFICATES.GET_CERT.serialNumberRes)
         })
       }
@@ -518,7 +518,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
       response: {
         200: z.object({
           certificate: z.string().trim().describe(CERTIFICATES.GET_CERT.certificate),
-          certificateChain: z.string().trim().nullish().describe(CERTIFICATES.GET_CERT.certificateChain),
+          certificateChain: z.string().trim().nullable().describe(CERTIFICATES.GET_CERT.certificateChain),
           serialNumber: z.string().trim().describe(CERTIFICATES.GET_CERT.serialNumberRes)
         })
       }

backend/src/server/routes/v1/identity-kubernetes-auth-router.ts

@@ -3,6 +3,7 @@ import { z } from "zod";
 import { IdentityKubernetesAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags, KUBERNETES_AUTH } from "@app/lib/api-docs";
+import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -21,7 +22,8 @@ const IdentityKubernetesAuthResponseSchema = IdentityKubernetesAuthsSchema.pick(
   kubernetesHost: true,
   allowedNamespaces: true,
   allowedNames: true,
-  allowedAudience: true
+  allowedAudience: true,
+  gatewayId: true
 }).extend({
   caCert: z.string(),
   tokenReviewerJwt: z.string().optional().nullable()
@@ -100,12 +102,32 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
       }),
       body: z
         .object({
-          kubernetesHost: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.kubernetesHost),
+          kubernetesHost: z
+            .string()
+            .trim()
+            .min(1)
+            .describe(KUBERNETES_AUTH.ATTACH.kubernetesHost)
+            .refine(
+              (val) =>
+                characterValidator([
+                  CharacterType.Alphabets,
+                  CharacterType.Numbers,
+                  CharacterType.Colon,
+                  CharacterType.Period,
+                  CharacterType.ForwardSlash,
+                  CharacterType.Hyphen
+                ])(val),
+              {
+                message:
+                  "Kubernetes host must only contain alphabets, numbers, colons, periods, hyphen, and forward slashes."
+              }
+            ),
           caCert: z.string().trim().default("").describe(KUBERNETES_AUTH.ATTACH.caCert),
           tokenReviewerJwt: z.string().trim().optional().describe(KUBERNETES_AUTH.ATTACH.tokenReviewerJwt),
           allowedNamespaces: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNamespaces), // TODO: validation
           allowedNames: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNames),
           allowedAudience: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedAudience),
+          gatewayId: z.string().uuid().optional().nullable().describe(KUBERNETES_AUTH.ATTACH.gatewayId),
           accessTokenTrustedIps: z
             .object({
               ipAddress: z.string().trim()
@@ -199,12 +221,36 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
       }),
       body: z
         .object({
-          kubernetesHost: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.kubernetesHost),
+          kubernetesHost: z
+            .string()
+            .trim()
+            .min(1)
+            .optional()
+            .describe(KUBERNETES_AUTH.UPDATE.kubernetesHost)
+            .refine(
+              (val) => {
+                if (!val) return true;
+
+                return characterValidator([
+                  CharacterType.Alphabets,
+                  CharacterType.Numbers,
+                  CharacterType.Colon,
+                  CharacterType.Period,
+                  CharacterType.ForwardSlash,
+                  CharacterType.Hyphen
+                ])(val);
+              },
+              {
+                message:
+                  "Kubernetes host must only contain alphabets, numbers, colons, periods, hyphen, and forward slashes."
+              }
+            ),
           caCert: z.string().trim().optional().describe(KUBERNETES_AUTH.UPDATE.caCert),
           tokenReviewerJwt: z.string().trim().nullable().optional().describe(KUBERNETES_AUTH.UPDATE.tokenReviewerJwt),
           allowedNamespaces: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNamespaces), // TODO: validation
           allowedNames: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNames),
           allowedAudience: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedAudience),
+          gatewayId: z.string().uuid().optional().nullable().describe(KUBERNETES_AUTH.UPDATE.gatewayId),
           accessTokenTrustedIps: z
             .object({
               ipAddress: z.string().trim()

backend/src/server/routes/v1/identity-oci-auth-router.ts

@@ -0,0 +1,338 @@
+import { z } from "zod";
+
+import { IdentityOciAuthsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { ApiDocsTags, OCI_AUTH } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { validateTenancy, validateUsernames } from "@app/services/identity-oci-auth/identity-oci-auth-validators";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
+
+export const registerIdentityOciAuthRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/oci-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OciAuth],
+      description: "Login with OCI Auth",
+      body: z.object({
+        identityId: z.string().trim().describe(OCI_AUTH.LOGIN.identityId),
+        userOcid: z.string().trim().describe(OCI_AUTH.LOGIN.userOcid),
+        headers: z
+          .object({
+            authorization: z.string(),
+            host: z.string(),
+            "x-date": z.string()
+          })
+          .describe(OCI_AUTH.LOGIN.headers)
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string(),
+          expiresIn: z.coerce.number(),
+          accessTokenMaxTTL: z.coerce.number(),
+          tokenType: z.literal("Bearer")
+        })
+      }
+    },
+    handler: async (req) => {
+      const { identityOciAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityOciAuth.login(req.body);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityMembershipOrg?.orgId,
+        event: {
+          type: EventType.LOGIN_IDENTITY_OCI_AUTH,
+          metadata: {
+            identityId: identityOciAuth.identityId,
+            identityAccessTokenId: identityAccessToken.id,
+            identityOciAuthId: identityOciAuth.id
+          }
+        }
+      });
+
+      return {
+        accessToken,
+        tokenType: "Bearer" as const,
+        expiresIn: identityOciAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityOciAuth.accessTokenMaxTTL
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/oci-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OciAuth],
+      description: "Attach OCI Auth configuration onto identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim().describe(OCI_AUTH.ATTACH.identityId)
+      }),
+      body: z
+        .object({
+          tenancyOcid: validateTenancy.describe(OCI_AUTH.ATTACH.tenancyOcid),
+          allowedUsernames: validateUsernames.describe(OCI_AUTH.ATTACH.allowedUsernames),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .describe(OCI_AUTH.ATTACH.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(OCI_AUTH.ATTACH.accessTokenTTL),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(1)
+            .max(315360000)
+            .default(2592000)
+            .describe(OCI_AUTH.ATTACH.accessTokenMaxTTL),
+          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OCI_AUTH.ATTACH.accessTokenNumUsesLimit)
+        })
+        .refine(
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
+      response: {
+        200: z.object({
+          identityOciAuth: IdentityOciAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityOciAuth = await server.services.identityOciAuth.attachOciAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityOciAuth.orgId,
+        event: {
+          type: EventType.ADD_IDENTITY_OCI_AUTH,
+          metadata: {
+            identityId: identityOciAuth.identityId,
+            tenancyOcid: identityOciAuth.tenancyOcid,
+            allowedUsernames: identityOciAuth.allowedUsernames || null,
+            accessTokenTTL: identityOciAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityOciAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityOciAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityOciAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityOciAuth };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/oci-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OciAuth],
+      description: "Update OCI Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(OCI_AUTH.UPDATE.identityId)
+      }),
+      body: z
+        .object({
+          tenancyOcid: validateTenancy.describe(OCI_AUTH.UPDATE.tenancyOcid),
+          allowedUsernames: validateUsernames.describe(OCI_AUTH.UPDATE.allowedUsernames),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .optional()
+            .describe(OCI_AUTH.UPDATE.accessTokenTrustedIps),
+          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(OCI_AUTH.UPDATE.accessTokenTTL),
+          accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(OCI_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .max(315360000)
+            .min(0)
+            .optional()
+            .describe(OCI_AUTH.UPDATE.accessTokenMaxTTL)
+        })
+        .refine(
+          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
+      response: {
+        200: z.object({
+          identityOciAuth: IdentityOciAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityOciAuth = await server.services.identityOciAuth.updateOciAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId,
+        allowedUsernames: req.body.allowedUsernames || null
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityOciAuth.orgId,
+        event: {
+          type: EventType.UPDATE_IDENTITY_OCI_AUTH,
+          metadata: {
+            identityId: identityOciAuth.identityId,
+            tenancyOcid: identityOciAuth.tenancyOcid,
+            allowedUsernames: identityOciAuth.allowedUsernames || null,
+            accessTokenTTL: identityOciAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityOciAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityOciAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityOciAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityOciAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/oci-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OciAuth],
+      description: "Retrieve OCI Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(OCI_AUTH.RETRIEVE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityOciAuth: IdentityOciAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityOciAuth = await server.services.identityOciAuth.getOciAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityOciAuth.orgId,
+        event: {
+          type: EventType.GET_IDENTITY_OCI_AUTH,
+          metadata: {
+            identityId: identityOciAuth.identityId
+          }
+        }
+      });
+      return { identityOciAuth };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/oci-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OciAuth],
+      description: "Delete OCI Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(OCI_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityOciAuth: IdentityOciAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityOciAuth = await server.services.identityOciAuth.revokeIdentityOciAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityOciAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_OCI_AUTH,
+          metadata: {
+            identityId: identityOciAuth.identityId
+          }
+        }
+      });
+
+      return { identityOciAuth };
+    }
+  });
+};

backend/src/server/routes/v1/index.ts

@@ -20,6 +20,7 @@ import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
 import { registerIdentityJwtAuthRouter } from "./identity-jwt-auth-router";
 import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityLdapAuthRouter } from "./identity-ldap-auth-router";
+import { registerIdentityOciAuthRouter } from "./identity-oci-auth-router";
 import { registerIdentityOidcAuthRouter } from "./identity-oidc-auth-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityTokenAuthRouter } from "./identity-token-auth-router";
@@ -63,6 +64,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
       await authRouter.register(registerIdentityAccessTokenRouter);
       await authRouter.register(registerIdentityAwsAuthRouter);
       await authRouter.register(registerIdentityAzureAuthRouter);
+      await authRouter.register(registerIdentityOciAuthRouter);
       await authRouter.register(registerIdentityOidcAuthRouter);
       await authRouter.register(registerIdentityJwtAuthRouter);
       await authRouter.register(registerIdentityLdapAuthRouter);

backend/src/server/routes/v1/invite-org-router.ts

@@ -16,7 +16,12 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     schema: {
       body: z.object({
-        inviteeEmails: z.array(z.string().trim().email()),
+        inviteeEmails: z
+          .string()
+          .trim()
+          .email()
+          .array()
+          .refine((val) => val.every((el) => el === el.toLowerCase()), "Email must be lowercase"),
         organizationId: z.string().trim(),
         projects: z
           .object({
@@ -115,7 +120,11 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       body: z.object({
-        email: z.string().trim().email(),
+        email: z
+          .string()
+          .trim()
+          .email()
+          .refine((val) => val === val.toLowerCase(), "Email must be lowercase"),
         organizationId: z.string().trim(),
         code: z.string().trim()
       }),

backend/src/server/routes/v1/organization-router.ts

@@ -275,6 +275,23 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
             },
             { message: "Duration value must be at least 1" }
           )
+          .optional(),
+        secretsProductEnabled: z.boolean().optional(),
+        pkiProductEnabled: z.boolean().optional(),
+        kmsProductEnabled: z.boolean().optional(),
+        sshProductEnabled: z.boolean().optional(),
+        scannerProductEnabled: z.boolean().optional(),
+        shareSecretsProductEnabled: z.boolean().optional(),
+        maxSharedSecretLifetime: z
+          .number()
+          .min(300, "Max Shared Secret lifetime cannot be under 5 minutes")
+          .max(2592000, "Max Shared Secret lifetime cannot exceed 30 days")
+          .optional(),
+        maxSharedSecretViewLimit: z
+          .number()
+          .min(1, "Max Shared Secret view count cannot be lower than 1")
+          .max(1000, "Max Shared Secret view count cannot exceed 1000")
+          .nullable()
           .optional()
       }),
       response: {
@@ -295,8 +312,17 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         data: req.body
       });
 
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.UPDATE_ORG,
+          metadata: req.body
+        }
+      });
+
       return {
-        message: "Successfully changed organization name",
+        message: "Successfully updated organization",
         organization
       };
     }

backend/src/server/routes/v1/project-router.ts

@@ -263,6 +263,17 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         actor: req.permission.type,
         actorOrgId: req.permission.orgId
       });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: req.params.workspaceId,
+        event: {
+          type: EventType.DELETE_PROJECT,
+          metadata: workspace
+        }
+      });
+
       return { workspace };
     }
   });
@@ -297,6 +308,17 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         projectId: req.params.workspaceId,
         name: req.body.name
       });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: req.params.workspaceId,
+        event: {
+          type: EventType.UPDATE_PROJECT,
+          metadata: req.body
+        }
+      });
+
       return {
         message: "Successfully changed workspace name",
         workspace
@@ -346,7 +368,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
               "Project slug can only contain lowercase letters and numbers, with optional single hyphens (-) or underscores (_) between words. Cannot start or end with a hyphen or underscore."
           })
           .optional()
-          .describe(PROJECTS.UPDATE.slug)
+          .describe(PROJECTS.UPDATE.slug),
+        secretSharing: z.boolean().optional().describe(PROJECTS.UPDATE.secretSharing)
       }),
       response: {
         200: z.object({
@@ -366,13 +389,25 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           description: req.body.description,
           autoCapitalization: req.body.autoCapitalization,
           hasDeleteProtection: req.body.hasDeleteProtection,
-          slug: req.body.slug
+          slug: req.body.slug,
+          secretSharing: req.body.secretSharing
         },
         actorAuthMethod: req.permission.authMethod,
         actorId: req.permission.id,
         actor: req.permission.type,
         actorOrgId: req.permission.orgId
       });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: req.params.workspaceId,
+        event: {
+          type: EventType.UPDATE_PROJECT,
+          metadata: req.body
+        }
+      });
+
       return {
         workspace
       };
@@ -409,6 +444,17 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         projectId: req.params.workspaceId,
         autoCapitalization: req.body.autoCapitalization
       });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: req.params.workspaceId,
+        event: {
+          type: EventType.UPDATE_PROJECT,
+          metadata: req.body
+        }
+      });
+
       return {
         message: "Successfully changed workspace settings",
         workspace
@@ -446,6 +492,17 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         projectId: req.params.workspaceId,
         hasDeleteProtection: req.body.hasDeleteProtection
       });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: req.params.workspaceId,
+        event: {
+          type: EventType.UPDATE_PROJECT,
+          metadata: req.body
+        }
+      });
+
       return {
         message: "Successfully changed workspace settings",
         workspace
@@ -484,6 +541,16 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         workspaceSlug: req.params.workspaceSlug
       });
 
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: workspace.id,
+        event: {
+          type: EventType.UPDATE_PROJECT,
+          metadata: req.body
+        }
+      });
+
       return {
         message: "Successfully changed workspace version limit",
         workspace
@@ -511,7 +578,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const workspace = await server.services.project.updateAuditLogsRetention({
         actorId: req.permission.id,
@@ -522,6 +589,16 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         auditLogsRetentionDays: req.body.auditLogsRetentionDays
       });
 
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: workspace.id,
+        event: {
+          type: EventType.UPDATE_PROJECT,
+          metadata: req.body
+        }
+      });
+
       return {
         message: "Successfully updated project's audit logs retention period",
         workspace

backend/src/server/routes/v1/secret-sharing-router.ts

@@ -62,7 +62,9 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
       }),
       body: z.object({
         hashedHex: z.string().min(1).optional(),
-        password: z.string().optional()
+        password: z.string().optional(),
+        email: z.string().optional(),
+        hash: z.string().optional()
       }),
       response: {
         200: z.object({
@@ -88,7 +90,9 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         sharedSecretId: req.params.id,
         hashedHex: req.body.hashedHex,
         password: req.body.password,
-        orgId: req.permission?.orgId
+        orgId: req.permission?.orgId,
+        email: req.body.email,
+        hash: req.body.hash
       });
 
       if (sharedSecret.secret?.orgId) {
@@ -151,7 +155,8 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         secretValue: z.string(),
         expiresAt: z.string(),
         expiresAfterViews: z.number().min(1).optional(),
-        accessType: z.nativeEnum(SecretSharingAccessType).default(SecretSharingAccessType.Organization)
+        accessType: z.nativeEnum(SecretSharingAccessType).default(SecretSharingAccessType.Organization),
+        emails: z.string().email().array().max(100).optional()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-sync-routers/1password-sync-router.ts

@@ -0,0 +1,17 @@
+import {
+  CreateOnePassSyncSchema,
+  OnePassSyncSchema,
+  UpdateOnePassSyncSchema
+} from "@app/services/secret-sync/1password";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerOnePassSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.OnePass,
+    server,
+    responseSchema: OnePassSyncSchema,
+    createSchema: CreateOnePassSyncSchema,
+    updateSchema: UpdateOnePassSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -1,5 +1,7 @@
+import { registerOCIVaultSyncRouter } from "@app/ee/routes/v1/secret-sync-routers/oci-vault-sync-router";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 
+import { registerOnePassSyncRouter } from "./1password-sync-router";
 import { registerAwsParameterStoreSyncRouter } from "./aws-parameter-store-sync-router";
 import { registerAwsSecretsManagerSyncRouter } from "./aws-secrets-manager-sync-router";
 import { registerAzureAppConfigurationSyncRouter } from "./azure-app-configuration-sync-router";
@@ -10,7 +12,6 @@ import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
 import { registerHCVaultSyncRouter } from "./hc-vault-sync-router";
 import { registerHumanitecSyncRouter } from "./humanitec-sync-router";
-import { registerOCIVaultSyncRouter } from "./oci-vault-sync-router";
 import { registerTeamCitySyncRouter } from "./teamcity-sync-router";
 import { registerTerraformCloudSyncRouter } from "./terraform-cloud-sync-router";
 import { registerVercelSyncRouter } from "./vercel-sync-router";
@@ -33,5 +34,6 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.Windmill]: registerWindmillSyncRouter,
   [SecretSync.HCVault]: registerHCVaultSyncRouter,
   [SecretSync.TeamCity]: registerTeamCitySyncRouter,
-  [SecretSync.OCIVault]: registerOCIVaultSyncRouter
+  [SecretSync.OCIVault]: registerOCIVaultSyncRouter,
+  [SecretSync.OnePass]: registerOnePassSyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -1,10 +1,12 @@
 import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { OCIVaultSyncListItemSchema, OCIVaultSyncSchema } from "@app/ee/services/secret-sync/oci-vault";
 import { ApiDocsTags, SecretSyncs } from "@app/lib/api-docs";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { OnePassSyncListItemSchema, OnePassSyncSchema } from "@app/services/secret-sync/1password";
 import {
   AwsParameterStoreSyncListItemSchema,
   AwsParameterStoreSyncSchema
@@ -24,7 +26,6 @@ import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
 import { HCVaultSyncListItemSchema, HCVaultSyncSchema } from "@app/services/secret-sync/hc-vault";
 import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";
-import { OCIVaultSyncListItemSchema, OCIVaultSyncSchema } from "@app/services/secret-sync/oci-vault";
 import { TeamCitySyncListItemSchema, TeamCitySyncSchema } from "@app/services/secret-sync/teamcity";
 import { TerraformCloudSyncListItemSchema, TerraformCloudSyncSchema } from "@app/services/secret-sync/terraform-cloud";
 import { VercelSyncListItemSchema, VercelSyncSchema } from "@app/services/secret-sync/vercel";
@@ -45,7 +46,8 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   WindmillSyncSchema,
   HCVaultSyncSchema,
   TeamCitySyncSchema,
-  OCIVaultSyncSchema
+  OCIVaultSyncSchema,
+  OnePassSyncSchema
 ]);
 
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -63,7 +65,8 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   WindmillSyncListItemSchema,
   HCVaultSyncListItemSchema,
   TeamCitySyncListItemSchema,
-  OCIVaultSyncListItemSchema
+  OCIVaultSyncListItemSchema,
+  OnePassSyncListItemSchema
 ]);
 
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/user-router.ts

@@ -46,6 +46,54 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/duplicate-accounts",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          users: UsersSchema.extend({
+            isMyAccount: z.boolean(),
+            organizations: z.object({ name: z.string(), slug: z.string() }).array()
+          }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
+    handler: async (req) => {
+      if (req.auth.authMode === AuthMode.JWT && req.auth.user.email) {
+        const users = await server.services.user.getAllMyAccounts(req.auth.user.email, req.permission.id);
+        return { users };
+      }
+      return { users: [] };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/remove-duplicate-accounts",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
+    handler: async (req) => {
+      if (req.auth.authMode === AuthMode.JWT && req.auth.user.email) {
+        await server.services.user.removeMyDuplicateAccounts(req.auth.user.email, req.permission.id);
+      }
+      return { message: "Removed all duplicate accounts" };
+    }
+  });
+
   server.route({
     method: "GET",
     url: "/private-key",

backend/src/server/routes/v2/project-membership-router.ts

@@ -27,8 +27,19 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         projectId: z.string().describe(PROJECT_USERS.INVITE_MEMBER.projectId)
       }),
       body: z.object({
-        emails: z.string().email().array().default([]).describe(PROJECT_USERS.INVITE_MEMBER.emails),
-        usernames: z.string().array().default([]).describe(PROJECT_USERS.INVITE_MEMBER.usernames),
+        emails: z
+          .string()
+          .email()
+          .array()
+          .default([])
+          .describe(PROJECT_USERS.INVITE_MEMBER.emails)
+          .refine((val) => val.every((el) => el === el.toLowerCase()), "Email must be lowercase"),
+        usernames: z
+          .string()
+          .array()
+          .default([])
+          .describe(PROJECT_USERS.INVITE_MEMBER.usernames)
+          .refine((val) => val.every((el) => el === el.toLowerCase()), "Username must be lowercase"),
         roleSlugs: z.string().array().min(1).optional().describe(PROJECT_USERS.INVITE_MEMBER.roleSlugs)
       }),
       response: {
@@ -92,8 +103,19 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         projectId: z.string().describe(PROJECT_USERS.REMOVE_MEMBER.projectId)
       }),
       body: z.object({
-        emails: z.string().email().array().default([]).describe(PROJECT_USERS.REMOVE_MEMBER.emails),
-        usernames: z.string().array().default([]).describe(PROJECT_USERS.REMOVE_MEMBER.usernames)
+        emails: z
+          .string()
+          .email()
+          .array()
+          .default([])
+          .describe(PROJECT_USERS.REMOVE_MEMBER.emails)
+          .refine((val) => val.every((el) => el === el.toLowerCase()), "Email must be lowercase"),
+        usernames: z
+          .string()
+          .array()
+          .default([])
+          .describe(PROJECT_USERS.REMOVE_MEMBER.usernames)
+          .refine((val) => val.every((el) => el === el.toLowerCase()), "Username must be lowercase")
       }),
       response: {
         200: z.object({

backend/src/server/routes/v2/project-router.ts

@@ -206,19 +206,18 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         }
       });
 
-      if (req.body.template) {
-        await server.services.auditLog.createAuditLog({
-          ...req.auditLogInfo,
-          orgId: req.permission.orgId,
-          event: {
-            type: EventType.APPLY_PROJECT_TEMPLATE,
-            metadata: {
-              template: req.body.template,
-              projectId: project.id
-            }
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: project.id,
+        event: {
+          type: EventType.CREATE_PROJECT,
+          metadata: {
+            ...req.body,
+            name: req.body.projectName
           }
-        });
-      }
+        }
+      });
 
       return { project };
     }
@@ -262,6 +261,16 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         actor: req.permission.type
       });
 
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: project.id,
+        event: {
+          type: EventType.DELETE_PROJECT,
+          metadata: project
+        }
+      });
+
       return project;
     }
   });
@@ -341,6 +350,16 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         actorOrgId: req.permission.orgId
       });
 
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: project.id,
+        event: {
+          type: EventType.UPDATE_PROJECT,
+          metadata: req.body
+        }
+      });
+
       return project;
     }
   });

backend/src/services/app-connection/1password/1password-connection-enums.ts

@@ -0,0 +1,3 @@
+export enum OnePassConnectionMethod {
+  ApiToken = "api-token"
+}

backend/src/services/app-connection/1password/1password-connection-fns.ts

@@ -0,0 +1,66 @@
+import { AxiosError } from "axios";
+
+import { request } from "@app/lib/config/request";
+import { BadRequestError } from "@app/lib/errors";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { OnePassConnectionMethod } from "./1password-connection-enums";
+import { TOnePassConnection, TOnePassConnectionConfig, TOnePassVault } from "./1password-connection-types";
+
+export const getOnePassInstanceUrl = async (config: TOnePassConnectionConfig) => {
+  const instanceUrl = removeTrailingSlash(config.credentials.instanceUrl);
+
+  await blockLocalAndPrivateIpAddresses(instanceUrl);
+
+  return instanceUrl;
+};
+
+export const getOnePassConnectionListItem = () => {
+  return {
+    name: "1Password" as const,
+    app: AppConnection.OnePass as const,
+    methods: Object.values(OnePassConnectionMethod) as [OnePassConnectionMethod.ApiToken]
+  };
+};
+
+export const validateOnePassConnectionCredentials = async (config: TOnePassConnectionConfig) => {
+  const instanceUrl = await getOnePassInstanceUrl(config);
+
+  const { apiToken } = config.credentials;
+
+  try {
+    await request.get(`${instanceUrl}/v1/vaults`, {
+      headers: {
+        Authorization: `Bearer ${apiToken}`,
+        Accept: "application/json"
+      }
+    });
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to validate connection: verify credentials"
+    });
+  }
+
+  return config.credentials;
+};
+
+export const listOnePassVaults = async (appConnection: TOnePassConnection) => {
+  const instanceUrl = await getOnePassInstanceUrl(appConnection);
+  const { apiToken } = appConnection.credentials;
+
+  const resp = await request.get<TOnePassVault[]>(`${instanceUrl}/v1/vaults`, {
+    headers: {
+      Authorization: `Bearer ${apiToken}`,
+      Accept: "application/json"
+    }
+  });
+
+  return resp.data;
+};