Merge branch 'feat/add-support-for-custom-ca' of https://github.com/Infisical/infisical into feat/add-support-for-custom-ca

.github/workflows/build-staging-and-deploy-aws.yml

@@ -102,7 +102,7 @@ jobs:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
           service: infisical-core-gamma-stage
           cluster: infisical-gamma-stage
-          wait-for-service-stability: false
+          wait-for-service-stability: true
 
   production-postgres-deployment:
     name: Deploy to production

backend/e2e-test/routes/v3/secret-reference.spec.ts

@@ -56,10 +56,7 @@ describe("Secret expansion", () => {
       }
     ];
 
-    for (const secret of secrets) {
-      // eslint-disable-next-line no-await-in-loop
-      await createSecretV2(secret);
-    }
+    await Promise.all(secrets.map((el) => createSecretV2(el)));
 
     const expandedSecret = await getSecretByNameV2({
       environmentSlug: seedData1.environment.slug,
@@ -126,10 +123,7 @@ describe("Secret expansion", () => {
       }
     ];
 
-    for (const secret of secrets) {
-      // eslint-disable-next-line no-await-in-loop
-      await createSecretV2(secret);
-    }
+    await Promise.all(secrets.map((el) => createSecretV2(el)));
 
     const expandedSecret = await getSecretByNameV2({
       environmentSlug: seedData1.environment.slug,
@@ -196,11 +190,7 @@ describe("Secret expansion", () => {
       }
     ];
 
-    for (const secret of secrets) {
-      // eslint-disable-next-line no-await-in-loop
-      await createSecretV2(secret);
-    }
-
+    await Promise.all(secrets.map((el) => createSecretV2(el)));
     const secretImportFromProdToDev = await createSecretImport({
       environmentSlug: seedData1.environment.slug,
       workspaceId: projectId,
@@ -285,11 +275,7 @@ describe("Secret expansion", () => {
         }
       ];
 
-      for (const secret of secrets) {
-        // eslint-disable-next-line no-await-in-loop
-        await createSecretV2(secret);
-      }
-
+      await Promise.all(secrets.map((el) => createSecretV2(el)));
       const secretImportFromProdToDev = await createSecretImport({
         environmentSlug: seedData1.environment.slug,
         workspaceId: projectId,

backend/src/@types/fastify.d.ts

@@ -13,7 +13,6 @@ import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secr
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
-import { TIdentityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
@@ -178,7 +177,6 @@ declare module "fastify" {
       dynamicSecretLease: TDynamicSecretLeaseServiceFactory;
       projectUserAdditionalPrivilege: TProjectUserAdditionalPrivilegeServiceFactory;
       identityProjectAdditionalPrivilege: TIdentityProjectAdditionalPrivilegeServiceFactory;
-      identityProjectAdditionalPrivilegeV2: TIdentityProjectAdditionalPrivilegeV2ServiceFactory;
       secretSharing: TSecretSharingServiceFactory;
       rateLimit: TRateLimitServiceFactory;
       userEngagement: TUserEngagementServiceFactory;

backend/src/db/migrations/20240925100349_managed-secret-sharing.ts

@@ -4,40 +4,27 @@ import { TableName } from "../schemas";
 
 export async function up(knex: Knex): Promise<void> {
   if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const hasEncryptedSecret = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSecret");
-    const hasIdentifier = await knex.schema.hasColumn(TableName.SecretSharing, "identifier");
-
     await knex.schema.alterTable(TableName.SecretSharing, (t) => {
       t.string("iv").nullable().alter();
       t.string("tag").nullable().alter();
       t.string("encryptedValue").nullable().alter();
 
-      if (!hasEncryptedSecret) {
-        t.binary("encryptedSecret").nullable();
-      }
+      t.binary("encryptedSecret").nullable();
       t.string("hashedHex").nullable().alter();
 
-      if (!hasIdentifier) {
-        t.string("identifier", 64).nullable();
-        t.unique("identifier");
-        t.index("identifier");
-      }
+      t.string("identifier", 64).nullable();
+      t.unique("identifier");
+      t.index("identifier");
     });
   }
 }
 
 export async function down(knex: Knex): Promise<void> {
-  const hasEncryptedSecret = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSecret");
-  const hasIdentifier = await knex.schema.hasColumn(TableName.SecretSharing, "identifier");
   if (await knex.schema.hasTable(TableName.SecretSharing)) {
     await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-      if (hasEncryptedSecret) {
-        t.dropColumn("encryptedSecret");
-      }
+      t.dropColumn("encryptedSecret");
 
-      if (hasIdentifier) {
-        t.dropColumn("identifier");
-      }
+      t.dropColumn("identifier");
     });
   }
 }

backend/src/db/migrations/20241003220151_kms-key-cmek-alterations.ts

@@ -7,18 +7,15 @@ export async function up(knex: Knex): Promise<void> {
   if (await knex.schema.hasTable(TableName.KmsKey)) {
     const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
     const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
-    const hasProjectId = await knex.schema.hasColumn(TableName.KmsKey, "projectId");
 
     // drop constraint if exists (won't exist if rolled back, see below)
     await dropConstraintIfExists(TableName.KmsKey, "kms_keys_orgid_slug_unique", knex);
 
     // projectId for CMEK functionality
     await knex.schema.alterTable(TableName.KmsKey, (table) => {
-      if (!hasProjectId) {
-        table.string("projectId").nullable().references("id").inTable(TableName.Project).onDelete("CASCADE");
-      }
+      table.string("projectId").nullable().references("id").inTable(TableName.Project).onDelete("CASCADE");
 
-      if (hasOrgId && hasSlug) {
+      if (hasOrgId) {
         table.unique(["orgId", "projectId", "slug"]);
       }
 
@@ -33,7 +30,6 @@ export async function down(knex: Knex): Promise<void> {
   if (await knex.schema.hasTable(TableName.KmsKey)) {
     const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
     const hasName = await knex.schema.hasColumn(TableName.KmsKey, "name");
-    const hasProjectId = await knex.schema.hasColumn(TableName.KmsKey, "projectId");
 
     // remove projectId for CMEK functionality
     await knex.schema.alterTable(TableName.KmsKey, (table) => {
@@ -44,9 +40,7 @@ export async function down(knex: Knex): Promise<void> {
       if (hasOrgId) {
         table.dropUnique(["orgId", "projectId", "slug"]);
       }
-      if (hasProjectId) {
-        table.dropColumn("projectId");
-      }
+      table.dropColumn("projectId");
     });
   }
 }

backend/src/db/migrations/20241008172622_project-permission-split.ts

@@ -1,101 +0,0 @@
-/* eslint-disable no-await-in-loop */
-import { packRules, unpackRules } from "@casl/ability/extra";
-import { Knex } from "knex";
-
-import {
-  backfillPermissionV1SchemaToV2Schema,
-  ProjectPermissionSub
-} from "@app/ee/services/permission/project-permission";
-
-import { TableName } from "../schemas";
-
-const CHUNK_SIZE = 1000;
-export async function up(knex: Knex): Promise<void> {
-  const hasVersion = await knex.schema.hasColumn(TableName.ProjectRoles, "version");
-  if (!hasVersion) {
-    await knex.schema.alterTable(TableName.ProjectRoles, (t) => {
-      t.integer("version").defaultTo(1).notNullable();
-    });
-
-    const docs = await knex(TableName.ProjectRoles).select("*");
-    const updatedDocs = docs
-      .filter((i) => {
-        const permissionString = JSON.stringify(i.permissions || []);
-        return (
-          !permissionString.includes(ProjectPermissionSub.SecretImports) &&
-          !permissionString.includes(ProjectPermissionSub.DynamicSecrets)
-        );
-      })
-      .map((el) => ({
-        ...el,
-        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore-error this is valid ts
-        permissions: JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(unpackRules(el.permissions), true)))
-      }));
-    if (updatedDocs.length) {
-      for (let i = 0; i < updatedDocs.length; i += CHUNK_SIZE) {
-        const chunk = updatedDocs.slice(i, i + CHUNK_SIZE);
-        await knex(TableName.ProjectRoles).insert(chunk).onConflict("id").merge();
-      }
-    }
-
-    // secret permission is split into multiple ones like secrets, folders, imports and dynamic-secrets
-    // so we just find all the privileges with respective mapping and map it as needed
-    const identityPrivileges = await knex(TableName.IdentityProjectAdditionalPrivilege).select("*");
-    const updatedIdentityPrivilegesDocs = identityPrivileges
-      .filter((i) => {
-        const permissionString = JSON.stringify(i.permissions || []);
-        return (
-          !permissionString.includes(ProjectPermissionSub.SecretImports) &&
-          !permissionString.includes(ProjectPermissionSub.DynamicSecrets) &&
-          !permissionString.includes(ProjectPermissionSub.SecretFolders)
-        );
-      })
-      .map((el) => ({
-        ...el,
-        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore-error this is valid ts
-        permissions: JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(unpackRules(el.permissions))))
-      }));
-    if (updatedIdentityPrivilegesDocs.length) {
-      for (let i = 0; i < updatedIdentityPrivilegesDocs.length; i += CHUNK_SIZE) {
-        const chunk = updatedIdentityPrivilegesDocs.slice(i, i + CHUNK_SIZE);
-        await knex(TableName.IdentityProjectAdditionalPrivilege).insert(chunk).onConflict("id").merge();
-      }
-    }
-
-    const userPrivileges = await knex(TableName.ProjectUserAdditionalPrivilege).select("*");
-    const updatedUserPrivilegeDocs = userPrivileges
-      .filter((i) => {
-        const permissionString = JSON.stringify(i.permissions || []);
-        return (
-          !permissionString.includes(ProjectPermissionSub.SecretImports) &&
-          !permissionString.includes(ProjectPermissionSub.DynamicSecrets) &&
-          !permissionString.includes(ProjectPermissionSub.SecretFolders)
-        );
-      })
-      .map((el) => ({
-        ...el,
-        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore-error this is valid ts
-        permissions: JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(unpackRules(el.permissions))))
-      }));
-    if (docs.length) {
-      for (let i = 0; i < updatedUserPrivilegeDocs.length; i += CHUNK_SIZE) {
-        const chunk = updatedUserPrivilegeDocs.slice(i, i + CHUNK_SIZE);
-        await knex(TableName.ProjectUserAdditionalPrivilege).insert(chunk).onConflict("id").merge();
-      }
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasVersion = await knex.schema.hasColumn(TableName.ProjectRoles, "version");
-  if (hasVersion) {
-    await knex.schema.alterTable(TableName.ProjectRoles, (t) => {
-      t.dropColumn("version");
-    });
-
-    // permission change can be ignored
-  }
-}

backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts

@@ -1,9 +1,9 @@
+import { packRules } from "@casl/ability/extra";
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 import { z } from "zod";
 
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
-import { backfillPermissionV1SchemaToV2Schema } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -79,9 +79,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
         ...req.body,
         slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
         isTemporary: false,
-        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore-error this is valid ts
-        permissions: backfillPermissionV1SchemaToV2Schema(permission)
+        permissions: JSON.stringify(packRules(permission))
       });
       return { privilege };
     }
@@ -161,9 +159,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
         ...req.body,
         slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
         isTemporary: true,
-        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore-error this is valid ts
-        permissions: backfillPermissionV1SchemaToV2Schema(permission)
+        permissions: JSON.stringify(packRules(permission))
       });
       return { privilege };
     }
@@ -248,13 +244,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
         projectSlug: req.body.projectSlug,
         data: {
           ...updatedInfo,
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore-error this is valid ts
-          permissions: permission
-            ? // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore-error this is valid ts
-              backfillPermissionV1SchemaToV2Schema(permission)
-            : undefined
+          permissions: permission ? JSON.stringify(packRules(permission)) : undefined
         }
       });
       return { privilege };

backend/src/ee/routes/v1/index.ts

@@ -81,9 +81,9 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerSecretVersionRouter, { prefix: "/secret" });
   await server.register(registerGroupRouter, { prefix: "/groups" });
   await server.register(registerAuditLogStreamRouter, { prefix: "/audit-log-streams" });
-  await server.register(registerUserAdditionalPrivilegeRouter, { prefix: "/user-project-additional-privilege" });
   await server.register(
     async (privilegeRouter) => {
+      await privilegeRouter.register(registerUserAdditionalPrivilegeRouter, { prefix: "/users" });
       await privilegeRouter.register(registerIdentityProjectAdditionalPrivilegeRouter, { prefix: "/identity" });
     },
     { prefix: "/additional-privilege" }

backend/src/ee/routes/v1/project-role-router.ts

@@ -3,16 +3,12 @@ import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 
 import { ProjectMembershipRole, ProjectMembershipsSchema, ProjectRolesSchema } from "@app/db/schemas";
-import {
-  backfillPermissionV1SchemaToV2Schema,
-  ProjectPermissionV1Schema
-} from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionSchema } from "@app/ee/services/permission/project-permission";
 import { PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedRoleSchemaV1 } from "@app/server/routes/sanitizedSchemas";
+import { SanitizedRoleSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { ProjectRoleServiceIdentifierType } from "@app/services/project-role/project-role-types";
 
 export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -47,11 +43,11 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
           .describe(PROJECT_ROLE.CREATE.slug),
         name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
         description: z.string().trim().optional().describe(PROJECT_ROLE.CREATE.description),
-        permissions: ProjectPermissionV1Schema.array().describe(PROJECT_ROLE.CREATE.permissions)
+        permissions: ProjectPermissionSchema.array().describe(PROJECT_ROLE.CREATE.permissions)
       }),
       response: {
         200: z.object({
-          role: SanitizedRoleSchemaV1
+          role: SanitizedRoleSchema
         })
       }
     },
@@ -62,16 +58,12 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actorOrgId: req.permission.orgId,
         actor: req.permission.type,
-        filter: {
-          type: ProjectRoleServiceIdentifierType.SLUG,
-          projectSlug: req.params.projectSlug
-        },
+        projectSlug: req.params.projectSlug,
         data: {
           ...req.body,
-          permissions: JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(req.body.permissions, true)))
+          permissions: JSON.stringify(packRules(req.body.permissions))
         }
       });
-
       return { role };
     }
   });
@@ -111,11 +103,11 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
           }),
         name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
         description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
-        permissions: ProjectPermissionV1Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
+        permissions: ProjectPermissionSchema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
       }),
       response: {
         200: z.object({
-          role: SanitizedRoleSchemaV1
+          role: SanitizedRoleSchema
         })
       }
     },
@@ -126,12 +118,11 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actorOrgId: req.permission.orgId,
         actor: req.permission.type,
+        projectSlug: req.params.projectSlug,
         roleId: req.params.roleId,
         data: {
           ...req.body,
-          permissions: req.body.permissions
-            ? JSON.stringify(packRules(backfillPermissionV1SchemaToV2Schema(req.body.permissions, true)))
-            : undefined
+          permissions: req.body.permissions ? JSON.stringify(packRules(req.body.permissions)) : undefined
         }
       });
       return { role };
@@ -157,7 +148,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          role: SanitizedRoleSchemaV1
+          role: SanitizedRoleSchema
         })
       }
     },
@@ -168,6 +159,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actorOrgId: req.permission.orgId,
         actor: req.permission.type,
+        projectSlug: req.params.projectSlug,
         roleId: req.params.roleId
       });
       return { role };
@@ -203,10 +195,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actorOrgId: req.permission.orgId,
         actor: req.permission.type,
-        filter: {
-          type: ProjectRoleServiceIdentifierType.SLUG,
-          projectSlug: req.params.projectSlug
-        }
+        projectSlug: req.params.projectSlug
       });
       return { roles };
     }
@@ -225,7 +214,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          role: SanitizedRoleSchemaV1
+          role: SanitizedRoleSchema
         })
       }
     },
@@ -236,13 +225,9 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actorOrgId: req.permission.orgId,
         actor: req.permission.type,
-        filter: {
-          type: ProjectRoleServiceIdentifierType.SLUG,
-          projectSlug: req.params.projectSlug
-        },
+        projectSlug: req.params.projectSlug,
         roleSlug: req.params.slug
       });
-
       return { role };
     }
   });

backend/src/ee/routes/v1/user-additional-privilege-router.ts

@@ -2,18 +2,17 @@ import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 import { z } from "zod";
 
-import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
+import { ProjectUserAdditionalPrivilegeSchema } from "@app/db/schemas";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-types";
 import { PROJECT_USER_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedUserProjectAdditionalPrivilegeSchema } from "@app/server/routes/santizedSchemas/user-additional-privilege";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
   server.route({
-    url: "/",
+    url: "/permanent",
     method: "POST",
     config: {
       rateLimit: writeLimit
@@ -32,30 +31,11 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
           })
           .optional()
           .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions),
-        type: z.discriminatedUnion("isTemporary", [
-          z.object({
-            isTemporary: z.literal(false)
-          }),
-          z.object({
-            isTemporary: z.literal(true),
-            temporaryMode: z
-              .nativeEnum(ProjectUserAdditionalPrivilegeTemporaryMode)
-              .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryMode),
-            temporaryRange: z
-              .string()
-              .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
-              .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryRange),
-            temporaryAccessStartTime: z
-              .string()
-              .datetime()
-              .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryAccessStartTime)
-          })
-        ])
+        permissions: z.any().array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions)
       }),
       response: {
         200: z.object({
-          privilege: SanitizedUserProjectAdditionalPrivilegeSchema
+          privilege: ProjectUserAdditionalPrivilegeSchema
         })
       }
     },
@@ -66,10 +46,65 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
-        projectMembershipId: req.body.projectMembershipId,
-        ...req.body.type,
-        slug: req.body.slug || slugify(alphaNumericNanoId(8)),
-        permissions: req.body.permissions
+        ...req.body,
+        slug: req.body.slug ? slugify(req.body.slug) : slugify(alphaNumericNanoId(12)),
+        isTemporary: false,
+        permissions: JSON.stringify(req.body.permissions)
+      });
+      return { privilege };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/temporary",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        projectMembershipId: z.string().min(1).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.projectMembershipId),
+        slug: z
+          .string()
+          .min(1)
+          .max(60)
+          .trim()
+          .refine((v) => v.toLowerCase() === v, "Slug must be lowercase")
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .optional()
+          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.slug),
+        permissions: z.any().array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions),
+        temporaryMode: z
+          .nativeEnum(ProjectUserAdditionalPrivilegeTemporaryMode)
+          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryMode),
+        temporaryRange: z
+          .string()
+          .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
+          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryRange),
+        temporaryAccessStartTime: z
+          .string()
+          .datetime()
+          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.temporaryAccessStartTime)
+      }),
+      response: {
+        200: z.object({
+          privilege: ProjectUserAdditionalPrivilegeSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const privilege = await server.services.projectUserAdditionalPrivilege.create({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        slug: req.body.slug ? slugify(req.body.slug) : `privilege-${slugify(alphaNumericNanoId(12))}`,
+        isTemporary: true,
+        permissions: JSON.stringify(req.body.permissions)
       });
       return { privilege };
     }
@@ -96,31 +131,24 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
               message: "Slug must be a valid slug"
             })
             .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.slug),
-          permissions: ProjectPermissionV2Schema.array()
-            .optional()
-            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
-          type: z.discriminatedUnion("isTemporary", [
-            z.object({ isTemporary: z.literal(false).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary) }),
-            z.object({
-              isTemporary: z.literal(true).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary),
-              temporaryMode: z
-                .nativeEnum(ProjectUserAdditionalPrivilegeTemporaryMode)
-                .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryMode),
-              temporaryRange: z
-                .string()
-                .refine((val) => typeof val === "undefined" || ms(val) > 0, "Temporary range must be a positive number")
-                .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryRange),
-              temporaryAccessStartTime: z
-                .string()
-                .datetime()
-                .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryAccessStartTime)
-            })
-          ])
+          permissions: z.any().array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
+          isTemporary: z.boolean().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary),
+          temporaryMode: z
+            .nativeEnum(ProjectUserAdditionalPrivilegeTemporaryMode)
+            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryMode),
+          temporaryRange: z
+            .string()
+            .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
+            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryRange),
+          temporaryAccessStartTime: z
+            .string()
+            .datetime()
+            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.temporaryAccessStartTime)
         })
         .partial(),
       response: {
         200: z.object({
-          privilege: SanitizedUserProjectAdditionalPrivilegeSchema
+          privilege: ProjectUserAdditionalPrivilegeSchema
         })
       }
     },
@@ -132,12 +160,7 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         ...req.body,
-        ...req.body.type,
-        permissions: req.body.permissions
-          ? // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore-error this is valid ts
-            req.body.permissions
-          : undefined,
+        permissions: req.body.permissions ? JSON.stringify(req.body.permissions) : undefined,
         privilegeId: req.params.privilegeId
       });
       return { privilege };
@@ -156,7 +179,7 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
       }),
       response: {
         200: z.object({
-          privilege: SanitizedUserProjectAdditionalPrivilegeSchema
+          privilege: ProjectUserAdditionalPrivilegeSchema
         })
       }
     },
@@ -185,7 +208,7 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
       }),
       response: {
         200: z.object({
-          privileges: SanitizedUserProjectAdditionalPrivilegeSchema.omit({ permissions: true }).array()
+          privileges: ProjectUserAdditionalPrivilegeSchema.array()
         })
       }
     },
@@ -210,11 +233,11 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
     },
     schema: {
       params: z.object({
-        privilegeId: z.string().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.GET_BY_PRIVILEGE_ID.privilegeId)
+        privilegeId: z.string().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.GET_BY_PRIVILEGEID.privilegeId)
       }),
       response: {
         200: z.object({
-          privilege: SanitizedUserProjectAdditionalPrivilegeSchema
+          privilege: ProjectUserAdditionalPrivilegeSchema
         })
       }
     },

backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts

@@ -1,305 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import ms from "ms";
-import { z } from "zod";
-
-import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-types";
-import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
-import { IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedIdentityPrivilegeSchema } from "@app/server/routes/santizedSchemas/identitiy-additional-privilege";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Add an additional privilege for identity.",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      body: z.object({
-        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.identityId),
-        projectId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.projectId),
-        slug: z
-          .string()
-          .min(1)
-          .max(60)
-          .trim()
-          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid slug"
-          })
-          .optional()
-          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.slug),
-        permissions: ProjectPermissionV2Schema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.permission),
-        type: z.discriminatedUnion("isTemporary", [
-          z.object({
-            isTemporary: z.literal(false)
-          }),
-          z.object({
-            isTemporary: z.literal(true),
-            temporaryMode: z
-              .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
-              .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.temporaryMode),
-            temporaryRange: z
-              .string()
-              .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
-              .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.temporaryRange),
-            temporaryAccessStartTime: z
-              .string()
-              .datetime()
-              .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.temporaryAccessStartTime)
-          })
-        ])
-      }),
-      response: {
-        200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const privilege = await server.services.identityProjectAdditionalPrivilegeV2.create({
-        actorAuthMethod: req.permission.authMethod,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actor: req.permission.type,
-        projectId: req.body.projectId,
-        identityId: req.body.identityId,
-        ...req.body.type,
-        slug: req.body.slug || slugify(alphaNumericNanoId(8)),
-        permissions: req.body.permissions
-      });
-      return { privilege };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/:id",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Update a specific identity privilege.",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        id: z.string().trim().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.id)
-      }),
-      body: z.object({
-        slug: z
-          .string()
-          .min(1)
-          .max(60)
-          .trim()
-          .refine((val) => val.toLowerCase() === val, "Must be lowercase")
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid slug"
-          })
-          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.slug),
-        permissions: ProjectPermissionV2Schema.array()
-          .optional()
-          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.privilegePermission),
-        type: z.discriminatedUnion("isTemporary", [
-          z.object({ isTemporary: z.literal(false).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.isTemporary) }),
-          z.object({
-            isTemporary: z.literal(true).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.isTemporary),
-            temporaryMode: z
-              .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
-              .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.temporaryMode),
-            temporaryRange: z
-              .string()
-              .refine((val) => typeof val === "undefined" || ms(val) > 0, "Temporary range must be a positive number")
-              .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.temporaryRange),
-            temporaryAccessStartTime: z
-              .string()
-              .datetime()
-              .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.temporaryAccessStartTime)
-          })
-        ])
-      }),
-      response: {
-        200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const privilege = await server.services.identityProjectAdditionalPrivilegeV2.updateById({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        id: req.params.id,
-        data: {
-          ...req.body,
-          ...req.body.type,
-          permissions: req.body.permissions || undefined
-        }
-      });
-      return { privilege };
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/:id",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Delete the specified identity privilege.",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        id: z.string().trim().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.DELETE.id)
-      }),
-      response: {
-        200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const privilege = await server.services.identityProjectAdditionalPrivilegeV2.deleteById({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        id: req.params.id
-      });
-      return { privilege };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:id",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Retrieve details of a specific privilege by id.",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        id: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.GET_BY_ID.id)
-      }),
-      response: {
-        200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const privilege = await server.services.identityProjectAdditionalPrivilegeV2.getPrivilegeDetailsById({
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        id: req.params.id
-      });
-      return { privilege };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/slug/:privilegeSlug",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Retrieve details of a specific privilege by slug.",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        privilegeSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.GET_BY_SLUG.slug)
-      }),
-      querystring: z.object({
-        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.GET_BY_SLUG.identityId),
-        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.GET_BY_SLUG.projectSlug)
-      }),
-      response: {
-        200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const privilege = await server.services.identityProjectAdditionalPrivilegeV2.getPrivilegeDetailsBySlug({
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        slug: req.params.privilegeSlug,
-        ...req.query
-      });
-      return { privilege };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "List privileges for the specified identity by project.",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      querystring: z.object({
-        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.LIST.identityId),
-        projectId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.LIST.projectId)
-      }),
-      response: {
-        200: z.object({
-          privileges: SanitizedIdentityPrivilegeSchema.omit({ permissions: true }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const privileges = await server.services.identityProjectAdditionalPrivilegeV2.listIdentityProjectPrivileges({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.query
-      });
-      return {
-        privileges
-      };
-    }
-  });
-};

backend/src/ee/routes/v2/index.ts

@@ -1,16 +0,0 @@
-import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
-import { registerProjectRoleRouter } from "./project-role-router";
-
-export const registerV2EERoutes = async (server: FastifyZodProvider) => {
-  // org role starts with organization
-  await server.register(
-    async (projectRouter) => {
-      await projectRouter.register(registerProjectRoleRouter);
-    },
-    { prefix: "/workspace" }
-  );
-
-  await server.register(registerIdentityProjectAdditionalPrivilegeRouter, {
-    prefix: "/identity-project-additional-privilege"
-  });
-};

backend/src/ee/routes/v2/project-role-router.ts

@@ -1,242 +0,0 @@
-import { packRules } from "@casl/ability/extra";
-import slugify from "@sindresorhus/slugify";
-import { z } from "zod";
-
-import { ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
-import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
-import { PROJECT_ROLE } from "@app/lib/api-docs";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedRoleSchema } from "@app/server/routes/sanitizedSchemas";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { ProjectRoleServiceIdentifierType } from "@app/services/project-role/project-role-types";
-
-export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/:projectId/roles",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Create a project role",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        projectId: z.string().trim().describe(PROJECT_ROLE.CREATE.projectId)
-      }),
-      body: z.object({
-        slug: z
-          .string()
-          .toLowerCase()
-          .trim()
-          .min(1)
-          .refine(
-            (val) => !Object.values(ProjectMembershipRole).includes(val as ProjectMembershipRole),
-            "Please choose a different slug, the slug you have entered is reserved"
-          )
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid"
-          })
-          .describe(PROJECT_ROLE.CREATE.slug),
-        name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
-        description: z.string().trim().optional().describe(PROJECT_ROLE.CREATE.description),
-        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.CREATE.permissions)
-      }),
-      response: {
-        200: z.object({
-          role: SanitizedRoleSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const role = await server.services.projectRole.createRole({
-        actorAuthMethod: req.permission.authMethod,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actor: req.permission.type,
-        filter: {
-          type: ProjectRoleServiceIdentifierType.ID,
-          projectId: req.params.projectId
-        },
-        data: {
-          ...req.body,
-          permissions: JSON.stringify(packRules(req.body.permissions))
-        }
-      });
-      return { role };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/:projectId/roles/:roleId",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Update a project role",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        projectId: z.string().trim().describe(PROJECT_ROLE.UPDATE.projectId),
-        roleId: z.string().trim().describe(PROJECT_ROLE.UPDATE.roleId)
-      }),
-      body: z.object({
-        slug: z
-          .string()
-          .toLowerCase()
-          .trim()
-          .optional()
-          .describe(PROJECT_ROLE.UPDATE.slug)
-          .refine(
-            (val) =>
-              typeof val === "undefined" ||
-              !Object.values(ProjectMembershipRole).includes(val as ProjectMembershipRole),
-            "Please choose a different slug, the slug you have entered is reserved"
-          )
-          .refine((val) => typeof val === "undefined" || slugify(val) === val, {
-            message: "Slug must be a valid"
-          }),
-        name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
-        description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
-        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
-      }),
-      response: {
-        200: z.object({
-          role: SanitizedRoleSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const role = await server.services.projectRole.updateRole({
-        actorAuthMethod: req.permission.authMethod,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actor: req.permission.type,
-        roleId: req.params.roleId,
-        data: {
-          ...req.body,
-          permissions: req.body.permissions ? JSON.stringify(packRules(req.body.permissions)) : undefined
-        }
-      });
-      return { role };
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/:projectId/roles/:roleId",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Delete a project role",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        projectId: z.string().trim().describe(PROJECT_ROLE.DELETE.projectId),
-        roleId: z.string().trim().describe(PROJECT_ROLE.DELETE.roleId)
-      }),
-      response: {
-        200: z.object({
-          role: SanitizedRoleSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const role = await server.services.projectRole.deleteRole({
-        actorAuthMethod: req.permission.authMethod,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actor: req.permission.type,
-        roleId: req.params.roleId
-      });
-      return { role };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:projectId/roles",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "List project role",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        projectId: z.string().trim().describe(PROJECT_ROLE.LIST.projectId)
-      }),
-      response: {
-        200: z.object({
-          roles: ProjectRolesSchema.omit({ permissions: true }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const roles = await server.services.projectRole.listRoles({
-        actorAuthMethod: req.permission.authMethod,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actor: req.permission.type,
-        filter: {
-          type: ProjectRoleServiceIdentifierType.ID,
-          projectId: req.params.projectId
-        }
-      });
-      return { roles };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:projectId/roles/slug/:roleSlug",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        projectId: z.string().trim().describe(PROJECT_ROLE.GET_ROLE_BY_SLUG.projectId),
-        roleSlug: z.string().trim().describe(PROJECT_ROLE.GET_ROLE_BY_SLUG.roleSlug)
-      }),
-      response: {
-        200: z.object({
-          role: SanitizedRoleSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const role = await server.services.projectRole.getRoleBySlug({
-        actorAuthMethod: req.permission.authMethod,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actor: req.permission.type,
-        filter: {
-          type: ProjectRoleServiceIdentifierType.ID,
-          projectId: req.params.projectId
-        },
-        roleSlug: req.params.roleSlug
-      });
-      return { role };
-    }
-  });
-};

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -14,7 +14,7 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
 
   const accessApprovalPolicyFindQuery = async (
     tx: Knex,
-    filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>,
+    filter: TFindFilter<TAccessApprovalPolicies>,
     customFilter?: {
       policyId?: string;
     }

backend/src/ee/services/access-approval-policy/access-approval-policy-fns.ts

@@ -0,0 +1,36 @@
+import { ForbiddenError, subject } from "@casl/ability";
+
+import { ActorType } from "@app/services/auth/auth-type";
+
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
+import { TIsApproversValid } from "./access-approval-policy-types";
+
+export const isApproversValid = async ({
+  userIds,
+  projectId,
+  orgId,
+  envSlug,
+  actorAuthMethod,
+  secretPath,
+  permissionService
+}: TIsApproversValid) => {
+  try {
+    for await (const userId of userIds) {
+      const { permission: approverPermission } = await permissionService.getProjectPermission(
+        ActorType.USER,
+        userId,
+        projectId,
+        actorAuthMethod,
+        orgId
+      );
+
+      ForbiddenError.from(approverPermission).throwUnlessCan(
+        ProjectPermissionActions.Create,
+        subject(ProjectPermissionSub.Secrets, { environment: envSlug, secretPath })
+      );
+    }
+  } catch {
+    return false;
+  }
+  return true;
+};

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -11,6 +11,7 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
+import { isApproversValid } from "./access-approval-policy-fns";
 import {
   ApproverType,
   TCreateAccessApprovalPolicy,
@@ -133,6 +134,22 @@ export const accessApprovalPolicyServiceFactory = ({
       .map((user) => user.id);
     verifyAllApprovers.push(...verifyGroupApprovers);
 
+    const approversValid = await isApproversValid({
+      projectId: project.id,
+      orgId: actorOrgId,
+      envSlug: environment,
+      secretPath,
+      actorAuthMethod,
+      permissionService,
+      userIds: verifyAllApprovers
+    });
+
+    if (!approversValid) {
+      throw new BadRequestError({
+        message: "One or more approvers doesn't have access to be specified secret path"
+      });
+    }
+
     const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.create(
         {
@@ -276,6 +293,22 @@ export const accessApprovalPolicyServiceFactory = ({
           userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
         }
 
+        const approversValid = await isApproversValid({
+          projectId: accessApprovalPolicy.projectId,
+          orgId: actorOrgId,
+          envSlug: accessApprovalPolicy.environment.slug,
+          secretPath: doc.secretPath!,
+          actorAuthMethod,
+          permissionService,
+          userIds: userApproverIds
+        });
+
+        if (!approversValid) {
+          throw new BadRequestError({
+            message: "One or more approvers doesn't have access to be specified secret path"
+          });
+        }
+
         await accessApprovalPolicyApproverDAL.insertMany(
           userApproverIds.map((userId) => ({
             approverUserId: userId,
@@ -286,6 +319,45 @@ export const accessApprovalPolicyServiceFactory = ({
       }
 
       if (groupApprovers) {
+        const usersPromises: Promise<
+          {
+            id: string;
+            email: string | null | undefined;
+            username: string;
+            firstName: string | null | undefined;
+            lastName: string | null | undefined;
+            isPartOfGroup: boolean;
+          }[]
+        >[] = [];
+
+        for (const groupId of groupApprovers) {
+          usersPromises.push(
+            groupDAL
+              .findAllGroupPossibleMembers({ orgId: actorOrgId, groupId, offset: 0 })
+              .then((group) => group.members)
+          );
+        }
+        const verifyGroupApprovers = (await Promise.all(usersPromises))
+          .flat()
+          .filter((user) => user.isPartOfGroup)
+          .map((user) => user.id);
+
+        const approversValid = await isApproversValid({
+          projectId: accessApprovalPolicy.projectId,
+          orgId: actorOrgId,
+          envSlug: accessApprovalPolicy.environment.slug,
+          secretPath: doc.secretPath!,
+          actorAuthMethod,
+          permissionService,
+          userIds: verifyGroupApprovers
+        });
+
+        if (!approversValid) {
+          throw new BadRequestError({
+            message: "One or more approvers doesn't have access to be specified secret path"
+          });
+        }
+
         await accessApprovalPolicyApproverDAL.insertMany(
           groupApprovers.map((groupId) => ({
             approverGroupId: groupId,

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -17,6 +17,7 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 
 import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-policy/access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
+import { isApproversValid } from "../access-approval-policy/access-approval-policy-fns";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
@@ -77,6 +78,7 @@ export const accessApprovalRequestServiceFactory = ({
   permissionService,
   accessApprovalRequestDAL,
   accessApprovalRequestReviewerDAL,
+  projectMembershipDAL,
   accessApprovalPolicyDAL,
   accessApprovalPolicyApproverDAL,
   additionalPrivilegeDAL,
@@ -329,6 +331,22 @@ export const accessApprovalRequestServiceFactory = ({
       throw new ForbiddenRequestError({ message: "You are not authorized to approve this request" });
     }
 
+    const reviewerProjectMembership = await projectMembershipDAL.findById(membership.id);
+
+    const approversValid = await isApproversValid({
+      projectId: accessApprovalRequest.projectId,
+      orgId: actorOrgId,
+      envSlug: accessApprovalRequest.environment,
+      secretPath: accessApprovalRequest.policy.secretPath!,
+      actorAuthMethod,
+      permissionService,
+      userIds: [reviewerProjectMembership.userId]
+    });
+
+    if (!approversValid) {
+      throw new ForbiddenRequestError({ message: "You don't have access to approve this request" });
+    }
+
     const existingReviews = await accessApprovalRequestReviewerDAL.find({ requestId: accessApprovalRequest.id });
     if (existingReviews.some((review) => review.status === ApprovalStatus.REJECTED)) {
       throw new BadRequestError({ message: "The request has already been rejected by another reviewer" });

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -4,10 +4,7 @@ import ms from "ms";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import {
-  ProjectPermissionDynamicSecretActions,
-  ProjectPermissionSub
-} from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { getConfig } from "@app/lib/config/env";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -75,8 +72,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
     );
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -154,8 +151,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionActions.Edit,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
     );
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -233,8 +230,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionActions.Delete,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -302,8 +299,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -344,8 +341,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.Lease,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -3,10 +3,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import {
-  ProjectPermissionDynamicSecretActions,
-  ProjectPermissionSub
-} from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { OrderByDirection } from "@app/lib/types";
@@ -80,8 +77,8 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.CreateRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionActions.Create,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
     );
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -151,8 +148,8 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.EditRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionActions.Edit,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
     );
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -234,8 +231,8 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionActions.Edit,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -294,12 +291,8 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.ReadRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.EditRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionActions.Edit,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -347,8 +340,8 @@ export const dynamicSecretServiceFactory = ({
       // verify user has access to each env in request
       environmentSlugs.forEach((environmentSlug) =>
         ForbiddenError.from(permission).throwUnlessCan(
-          ProjectPermissionDynamicSecretActions.ReadRootCredential,
-          subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+          ProjectPermissionActions.Read,
+          subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
         )
       );
     }
@@ -387,8 +380,8 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.ReadRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -435,8 +428,8 @@ export const dynamicSecretServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionDynamicSecretActions.ReadRootCredential,
-      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -478,8 +471,8 @@ export const dynamicSecretServiceFactory = ({
       // verify user has access to each env in request
       environmentSlugs.forEach((environmentSlug) =>
         ForbiddenError.from(permission).throwUnlessCan(
-          ProjectPermissionDynamicSecretActions.ReadRootCredential,
-          subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
+          ProjectPermissionActions.Read,
+          subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
         )
       );
     }

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-dal.ts

@@ -1,12 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TIdentityProjectAdditionalPrivilegeV2DALFactory = ReturnType<
-  typeof identityProjectAdditionalPrivilegeV2DALFactory
->;
-
-export const identityProjectAdditionalPrivilegeV2DALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.IdentityProjectAdditionalPrivilege);
-  return orm;
-};

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -1,343 +0,0 @@
-import { ForbiddenError } from "@casl/ability";
-import { packRules } from "@casl/ability/extra";
-import ms from "ms";
-
-import { TableName } from "@app/db/schemas";
-import { isAtLeastAsPrivileged } from "@app/lib/casl";
-import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
-import { unpackPermissions } from "@app/server/routes/santizedSchemas/permission";
-import { ActorType } from "@app/services/auth/auth-type";
-import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
-import { TProjectDALFactory } from "@app/services/project/project-dal";
-
-import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
-import { TIdentityProjectAdditionalPrivilegeV2DALFactory } from "./identity-project-additional-privilege-v2-dal";
-import {
-  IdentityProjectAdditionalPrivilegeTemporaryMode,
-  TCreateIdentityPrivilegeDTO,
-  TDeleteIdentityPrivilegeByIdDTO,
-  TGetIdentityPrivilegeDetailsByIdDTO,
-  TGetIdentityPrivilegeDetailsBySlugDTO,
-  TListIdentityPrivilegesDTO,
-  TUpdateIdentityPrivilegeByIdDTO
-} from "./identity-project-additional-privilege-v2-types";
-
-type TIdentityProjectAdditionalPrivilegeV2ServiceFactoryDep = {
-  identityProjectAdditionalPrivilegeDAL: TIdentityProjectAdditionalPrivilegeV2DALFactory;
-  identityProjectDAL: Pick<TIdentityProjectDALFactory, "findOne" | "findById">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-};
-
-export type TIdentityProjectAdditionalPrivilegeV2ServiceFactory = ReturnType<
-  typeof identityProjectAdditionalPrivilegeV2ServiceFactory
->;
-
-export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
-  identityProjectAdditionalPrivilegeDAL,
-  identityProjectDAL,
-  projectDAL,
-  permissionService
-}: TIdentityProjectAdditionalPrivilegeV2ServiceFactoryDep) => {
-  const create = async ({
-    slug,
-    actor,
-    actorId,
-    projectId,
-    actorOrgId,
-    identityId,
-    permissions: customPermission,
-    actorAuthMethod,
-    ...dto
-  }: TCreateIdentityPrivilegeDTO) => {
-    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
-    if (!identityProjectMembership)
-      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      identityProjectMembership.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
-      ActorType.IDENTITY,
-      identityId,
-      identityProjectMembership.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    // we need to validate that the privilege given is not higher than the assigning users permission
-    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
-    targetIdentityPermission.update(targetIdentityPermission.rules.concat(customPermission));
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
-
-    const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
-      slug,
-      projectMembershipId: identityProjectMembership.id
-    });
-    if (existingSlug) throw new BadRequestError({ message: "Additional privilege with provided slug already exists" });
-
-    const packedPermission = JSON.stringify(packRules(customPermission));
-    if (!dto.isTemporary) {
-      const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.create({
-        projectMembershipId: identityProjectMembership.id,
-        slug,
-        permissions: packedPermission
-      });
-
-      return {
-        ...additionalPrivilege,
-        permissions: unpackPermissions(additionalPrivilege.permissions)
-      };
-    }
-
-    const relativeTempAllocatedTimeInMs = ms(dto.temporaryRange);
-    const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.create({
-      projectMembershipId: identityProjectMembership.id,
-      slug,
-      permissions: packedPermission,
-      isTemporary: true,
-      temporaryMode: IdentityProjectAdditionalPrivilegeTemporaryMode.Relative,
-      temporaryRange: dto.temporaryRange,
-      temporaryAccessStartTime: new Date(dto.temporaryAccessStartTime),
-      temporaryAccessEndTime: new Date(new Date(dto.temporaryAccessStartTime).getTime() + relativeTempAllocatedTimeInMs)
-    });
-    return {
-      ...additionalPrivilege,
-      permissions: unpackPermissions(additionalPrivilege.permissions)
-    };
-  };
-
-  const updateById = async ({
-    id,
-    data,
-    actorOrgId,
-    actor,
-    actorId,
-    actorAuthMethod
-  }: TUpdateIdentityPrivilegeByIdDTO) => {
-    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findById(id);
-    if (!identityPrivilege) throw new NotFoundError({ message: `Identity privilege with ${id} not found` });
-
-    const identityProjectMembership = await identityProjectDAL.findOne({ id: identityPrivilege.projectMembershipId });
-    if (!identityProjectMembership)
-      throw new NotFoundError({
-        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
-      });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      identityProjectMembership.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
-      ActorType.IDENTITY,
-      identityProjectMembership.identityId,
-      identityProjectMembership.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    // we need to validate that the privilege given is not higher than the assigning users permission
-    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
-    targetIdentityPermission.update(targetIdentityPermission.rules.concat(data.permissions || []));
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
-
-    if (data?.slug) {
-      const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
-        slug: data.slug,
-        projectMembershipId: identityProjectMembership.id
-      });
-      if (existingSlug && existingSlug.id !== identityPrivilege.id)
-        throw new BadRequestError({ message: "Additional privilege with provided slug already exists" });
-    }
-
-    const isTemporary = typeof data?.isTemporary !== "undefined" ? data.isTemporary : identityPrivilege.isTemporary;
-    const packedPermission = data.permissions ? JSON.stringify(packRules(data.permissions)) : undefined;
-    if (isTemporary) {
-      const temporaryAccessStartTime = data?.temporaryAccessStartTime || identityPrivilege?.temporaryAccessStartTime;
-      const temporaryRange = data?.temporaryRange || identityPrivilege?.temporaryRange;
-      const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.updateById(identityPrivilege.id, {
-        slug: data.slug,
-        permissions: packedPermission,
-        isTemporary: data.isTemporary,
-        temporaryRange: data.temporaryRange,
-        temporaryMode: data.temporaryMode,
-        temporaryAccessStartTime: new Date(temporaryAccessStartTime || ""),
-        temporaryAccessEndTime: new Date(new Date(temporaryAccessStartTime || "").getTime() + ms(temporaryRange || ""))
-      });
-      return {
-        ...additionalPrivilege,
-        permissions: unpackPermissions(additionalPrivilege.permissions)
-      };
-    }
-
-    const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.updateById(identityPrivilege.id, {
-      slug: data.slug,
-      permissions: packedPermission,
-      isTemporary: false,
-      temporaryAccessStartTime: null,
-      temporaryAccessEndTime: null,
-      temporaryRange: null,
-      temporaryMode: null
-    });
-    return {
-      ...additionalPrivilege,
-      permissions: unpackPermissions(additionalPrivilege.permissions)
-    };
-  };
-
-  const deleteById = async ({ actorId, id, actor, actorOrgId, actorAuthMethod }: TDeleteIdentityPrivilegeByIdDTO) => {
-    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findById(id);
-    if (!identityPrivilege) throw new NotFoundError({ message: `Identity privilege with ${id} not found` });
-
-    const identityProjectMembership = await identityProjectDAL.findOne({ id: identityPrivilege.projectMembershipId });
-    if (!identityProjectMembership)
-      throw new NotFoundError({
-        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
-      });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      identityProjectMembership.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Identity);
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
-      ActorType.IDENTITY,
-      identityProjectMembership.identityId,
-      identityProjectMembership.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
-
-    const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
-    return {
-      ...deletedPrivilege,
-      permissions: unpackPermissions(deletedPrivilege.permissions)
-    };
-  };
-
-  const getPrivilegeDetailsById = async ({
-    id,
-    actorOrgId,
-    actor,
-    actorId,
-    actorAuthMethod
-  }: TGetIdentityPrivilegeDetailsByIdDTO) => {
-    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findById(id);
-    if (!identityPrivilege) throw new NotFoundError({ message: `Identity privilege with ${id} not found` });
-
-    const identityProjectMembership = await identityProjectDAL.findOne({ id: identityPrivilege.projectMembershipId });
-    if (!identityProjectMembership)
-      throw new NotFoundError({
-        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
-      });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      identityProjectMembership.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
-
-    return {
-      ...identityPrivilege,
-      permissions: unpackPermissions(identityPrivilege.permissions)
-    };
-  };
-
-  const getPrivilegeDetailsBySlug = async ({
-    identityId,
-    slug,
-    projectSlug,
-    actorOrgId,
-    actor,
-    actorId,
-    actorAuthMethod
-  }: TGetIdentityPrivilegeDetailsBySlugDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new NotFoundError({ message: `Project with slug ${slug} not found` });
-    const projectId = project.id;
-
-    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
-    if (!identityProjectMembership)
-      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      identityProjectMembership.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
-
-    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findOne({
-      slug,
-      projectMembershipId: identityProjectMembership.id
-    });
-    if (!identityPrivilege) throw new NotFoundError({ message: "Identity additional privilege not found" });
-
-    return {
-      ...identityPrivilege,
-      permissions: unpackPermissions(identityPrivilege.permissions)
-    };
-  };
-
-  const listIdentityProjectPrivileges = async ({
-    identityId,
-    actorOrgId,
-    actor,
-    actorId,
-    actorAuthMethod,
-    projectId
-  }: TListIdentityPrivilegesDTO) => {
-    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
-    if (!identityProjectMembership)
-      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      identityProjectMembership.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
-
-    const identityPrivileges = await identityProjectAdditionalPrivilegeDAL.find(
-      {
-        projectMembershipId: identityProjectMembership.id
-      },
-      { sort: [[`${TableName.IdentityProjectAdditionalPrivilege}.slug` as "slug", "asc"]] }
-    );
-    return identityPrivileges;
-  };
-
-  return {
-    getPrivilegeDetailsById,
-    getPrivilegeDetailsBySlug,
-    listIdentityProjectPrivileges,
-    create,
-    updateById,
-    deleteById
-  };
-};

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-types.ts

@@ -1,55 +0,0 @@
-import { TProjectPermission } from "@app/lib/types";
-
-import { TProjectPermissionV2Schema } from "../permission/project-permission";
-
-export enum IdentityProjectAdditionalPrivilegeTemporaryMode {
-  Relative = "relative"
-}
-
-export type TCreateIdentityPrivilegeDTO = {
-  permissions: TProjectPermissionV2Schema[];
-  identityId: string;
-  projectId: string;
-  slug: string;
-} & (
-  | {
-      isTemporary: false;
-    }
-  | {
-      isTemporary: true;
-      temporaryMode: IdentityProjectAdditionalPrivilegeTemporaryMode.Relative;
-      temporaryRange: string;
-      temporaryAccessStartTime: string;
-    }
-) &
-  Omit<TProjectPermission, "projectId">;
-
-export type TUpdateIdentityPrivilegeByIdDTO = { id: string } & Omit<TProjectPermission, "projectId"> & {
-    data: Partial<{
-      permissions: TProjectPermissionV2Schema[];
-      slug: string;
-      isTemporary: boolean;
-      temporaryMode: IdentityProjectAdditionalPrivilegeTemporaryMode.Relative;
-      temporaryRange: string;
-      temporaryAccessStartTime: string;
-    }>;
-  };
-
-export type TDeleteIdentityPrivilegeByIdDTO = Omit<TProjectPermission, "projectId"> & {
-  id: string;
-};
-
-export type TGetIdentityPrivilegeDetailsByIdDTO = Omit<TProjectPermission, "projectId"> & {
-  id: string;
-};
-
-export type TListIdentityPrivilegesDTO = Omit<TProjectPermission, "projectId"> & {
-  identityId: string;
-  projectId: string;
-};
-
-export type TGetIdentityPrivilegeDetailsBySlugDTO = Omit<TProjectPermission, "projectId"> & {
-  slug: string;
-  identityId: string;
-  projectSlug: string;
-};

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -1,10 +1,10 @@
 import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
-import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
+import { PackRule, unpackRules } from "@casl/ability/extra";
 import ms from "ms";
+import { z } from "zod";
 
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
-import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -32,6 +32,16 @@ export type TIdentityProjectAdditionalPrivilegeServiceFactory = ReturnType<
   typeof identityProjectAdditionalPrivilegeServiceFactory
 >;
 
+// TODO(akhilmhdh): move this to more centralized
+export const UnpackedPermissionSchema = z.object({
+  subject: z
+    .union([z.string().min(1), z.string().array()])
+    .transform((el) => (typeof el !== "string" ? el[0] : el))
+    .optional(),
+  action: z.union([z.string().min(1), z.string().array()]).transform((el) => (typeof el === "string" ? [el] : el)),
+  conditions: z.unknown().optional()
+});
+
 const unpackPermissions = (permissions: unknown) =>
   UnpackedPermissionSchema.array().parse(
     unpackRules((permissions || []) as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[])
@@ -70,18 +80,14 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
       ActorType.IDENTITY,
       identityId,
       identityProjectMembership.projectId,
       actorAuthMethod,
       actorOrgId
     );
-
-    // we need to validate that the privilege given is not higher than the assigning users permission
-    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
-    targetIdentityPermission.update(targetIdentityPermission.rules.concat(customPermission));
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
 
@@ -91,12 +97,11 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     });
     if (existingSlug) throw new BadRequestError({ message: "Additional privilege of provided slug exist" });
 
-    const packedPermission = JSON.stringify(packRules(customPermission));
     if (!dto.isTemporary) {
       const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.create({
         projectMembershipId: identityProjectMembership.id,
         slug,
-        permissions: packedPermission
+        permissions: customPermission
       });
       return {
         ...additionalPrivilege,
@@ -108,7 +113,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.create({
       projectMembershipId: identityProjectMembership.id,
       slug,
-      permissions: packedPermission,
+      permissions: customPermission,
       isTemporary: true,
       temporaryMode: IdentityProjectAdditionalPrivilegeTemporaryMode.Relative,
       temporaryRange: dto.temporaryRange,
@@ -147,19 +152,14 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
-
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
       ActorType.IDENTITY,
       identityProjectMembership.identityId,
       identityProjectMembership.projectId,
       actorAuthMethod,
       actorOrgId
     );
-
-    // we need to validate that the privilege given is not higher than the assigning users permission
-    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
-    targetIdentityPermission.update(targetIdentityPermission.rules.concat(data.permissions || []));
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
 
@@ -182,29 +182,23 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     }
 
     const isTemporary = typeof data?.isTemporary !== "undefined" ? data.isTemporary : identityPrivilege.isTemporary;
-
-    const packedPermission = data.permissions ? JSON.stringify(packRules(data.permissions)) : undefined;
     if (isTemporary) {
       const temporaryAccessStartTime = data?.temporaryAccessStartTime || identityPrivilege?.temporaryAccessStartTime;
       const temporaryRange = data?.temporaryRange || identityPrivilege?.temporaryRange;
       const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.updateById(identityPrivilege.id, {
-        slug: data.slug,
-        permissions: packedPermission,
-        isTemporary: data.isTemporary,
-        temporaryRange: data.temporaryRange,
-        temporaryMode: data.temporaryMode,
+        ...data,
         temporaryAccessStartTime: new Date(temporaryAccessStartTime || ""),
         temporaryAccessEndTime: new Date(new Date(temporaryAccessStartTime || "").getTime() + ms(temporaryRange || ""))
       });
       return {
         ...additionalPrivilege,
+
         permissions: unpackPermissions(additionalPrivilege.permissions)
       };
     }
 
     const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.updateById(identityPrivilege.id, {
-      slug: data.slug,
-      permissions: packedPermission,
+      ...data,
       isTemporary: false,
       temporaryAccessStartTime: null,
       temporaryAccessEndTime: null,
@@ -213,6 +207,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     });
     return {
       ...additionalPrivilege,
+
       permissions: unpackPermissions(additionalPrivilege.permissions)
     };
   };
@@ -294,7 +289,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
 
     const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findOne({
       slug,
@@ -340,6 +335,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     });
     return identityPrivileges.map((el) => ({
       ...el,
+
       permissions: unpackPermissions(el.permissions)
     }));
   };

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types.ts

@@ -1,13 +1,11 @@
 import { TProjectPermission } from "@app/lib/types";
 
-import { TProjectPermissionV2Schema } from "../permission/project-permission";
-
 export enum IdentityProjectAdditionalPrivilegeTemporaryMode {
   Relative = "relative"
 }
 
 export type TCreateIdentityPrivilegeDTO = {
-  permissions: TProjectPermissionV2Schema[];
+  permissions: unknown;
   identityId: string;
   projectSlug: string;
   slug: string;
@@ -29,7 +27,7 @@ export type TUpdateIdentityPrivilegeDTO = { slug: string; identityId: string; pr
   "projectId"
 > & {
     data: Partial<{
-      permissions: TProjectPermissionV2Schema[];
+      permissions: unknown;
       slug: string;
       isTemporary: boolean;
       temporaryMode: IdentityProjectAdditionalPrivilegeTemporaryMode.Relative;

backend/src/ee/services/permission/permission-service.ts

@@ -67,7 +67,7 @@ export const permissionServiceFactory = ({
             throw new NotFoundError({ name: "OrgRoleInvalid", message: `Organization role '${role}' not found` });
         }
       })
-      .reduce((prev, curr) => prev.concat(curr), []);
+      .reduce((curr, prev) => prev.concat(curr), []);
 
     return createMongoAbility<OrgPermissionSet>(rules, {
       conditionsMatcher
@@ -98,7 +98,7 @@ export const permissionServiceFactory = ({
             });
         }
       })
-      .reduce((prev, curr) => prev.concat(curr), []);
+      .reduce((curr, prev) => prev.concat(curr), []);
 
     return rules;
   };

backend/src/ee/services/permission/permission-types.ts

@@ -11,8 +11,8 @@ export enum PermissionConditionOperators {
 }
 
 export const PermissionConditionSchema = {
-  [PermissionConditionOperators.$IN]: z.string().trim().min(1).array(),
-  [PermissionConditionOperators.$ALL]: z.string().trim().min(1).array(),
+  [PermissionConditionOperators.$IN]: z.string().min(1).array(),
+  [PermissionConditionOperators.$ALL]: z.string().min(1).array(),
   [PermissionConditionOperators.$REGEX]: z
     .string()
     .min(1)

backend/src/ee/services/permission/project-permission.ts

@@ -1,8 +1,9 @@
 import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
 import { z } from "zod";
 
+import { TableName } from "@app/db/schemas";
 import { conditionsMatcher } from "@app/lib/casl";
-import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
+import { BadRequestError } from "@app/lib/errors";
 
 import { PermissionConditionOperators, PermissionConditionSchema } from "./permission-types";
 
@@ -22,14 +23,6 @@ export enum ProjectPermissionCmekActions {
   Decrypt = "decrypt"
 }
 
-export enum ProjectPermissionDynamicSecretActions {
-  ReadRootCredential = "read-root-credential",
-  CreateRootCredential = "create-root-credential",
-  EditRootCredential = "edit-root-credential",
-  DeleteRootCredential = "delete-root-credential",
-  Lease = "lease"
-}
-
 export enum ProjectPermissionSub {
   Role = "role",
   Member = "member",
@@ -45,8 +38,6 @@ export enum ProjectPermissionSub {
   Project = "workspace",
   Secrets = "secrets",
   SecretFolders = "secret-folders",
-  SecretImports = "secret-imports",
-  DynamicSecrets = "dynamic-secrets",
   SecretRollback = "secret-rollback",
   SecretApproval = "secret-approval",
   SecretRotation = "secret-rotation",
@@ -63,8 +54,19 @@ export enum ProjectPermissionSub {
 export type SecretSubjectFields = {
   environment: string;
   secretPath: string;
-  secretName?: string;
-  secretTags?: string[];
+  // secretName: string;
+  // secretTags: string[];
+};
+
+export const CaslSecretsV2SubjectKnexMapper = (field: string) => {
+  switch (field) {
+    case "secretName":
+      return `${TableName.SecretV2}.key`;
+    case "secretTags":
+      return `${TableName.SecretTag}.slug`;
+    default:
+      break;
+  }
 };
 
 export type SecretFolderSubjectFields = {
@@ -72,16 +74,6 @@ export type SecretFolderSubjectFields = {
   secretPath: string;
 };
 
-export type DynamicSecretSubjectFields = {
-  environment: string;
-  secretPath: string;
-};
-
-export type SecretImportSubjectFields = {
-  environment: string;
-  secretPath: string;
-};
-
 export type ProjectPermissionSet =
   | [
       ProjectPermissionActions,
@@ -94,20 +86,6 @@ export type ProjectPermissionSet =
         | (ForcedSubject<ProjectPermissionSub.SecretFolders> & SecretFolderSubjectFields)
       )
     ]
-  | [
-      ProjectPermissionDynamicSecretActions,
-      (
-        | ProjectPermissionSub.DynamicSecrets
-        | (ForcedSubject<ProjectPermissionSub.DynamicSecrets> & DynamicSecretSubjectFields)
-      )
-    ]
-  | [
-      ProjectPermissionActions,
-      (
-        | ProjectPermissionSub.SecretImports
-        | (ForcedSubject<ProjectPermissionSub.SecretImports> & SecretImportSubjectFields)
-      )
-    ]
   | [ProjectPermissionActions, ProjectPermissionSub.Role]
   | [ProjectPermissionActions, ProjectPermissionSub.Tags]
   | [ProjectPermissionActions, ProjectPermissionSub.Member]
@@ -142,9 +120,7 @@ const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTI
 const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
   z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));
 
-// akhilmhdh: don't modify this for v2
-// if you want to update create a new schema
-const SecretConditionV1Schema = z
+const SecretConditionSchema = z
   .object({
     environment: z.union([
       z.string(),
@@ -170,50 +146,16 @@ const SecretConditionV1Schema = z
   })
   .partial();
 
-const SecretConditionV2Schema = z
-  .object({
-    environment: z.union([
-      z.string(),
-      z
-        .object({
-          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
-          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
-        })
-        .partial()
-    ]),
-    secretPath: z.union([
-      z.string(),
-      z
-        .object({
-          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
-          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
-        })
-        .partial()
-    ]),
-    secretName: z.union([
-      z.string(),
-      z
-        .object({
-          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
-          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
-        })
-        .partial()
-    ]),
-    secretTags: z
-      .object({
-        [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
-      })
-      .partial()
-  })
-  .partial();
-
-const GeneralPermissionSchema = [
+export const ProjectPermissionSchema = z.discriminatedUnion("subject", [
+  z.object({
+    subject: z.literal(ProjectPermissionSub.Secrets).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+      "Describe what action an entity can take."
+    ),
+    conditions: SecretConditionSchema.describe(
+      "When specified, only matching conditions will be allowed to access given resource."
+    ).optional()
+  }),
   z.object({
     subject: z.literal(ProjectPermissionSub.SecretApproval).describe("The entity this permission pertains to."),
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
@@ -317,7 +259,7 @@ const GeneralPermissionSchema = [
     )
   }),
   z.object({
-    subject: z.literal(ProjectPermissionSub.CertificateTemplates).describe("The entity this permission pertains to."),
+    subject: z.literal(ProjectPermissionSub.CertificateTemplates).describe("The entity this permission pertains to. "),
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
       "Describe what action an entity can take."
     )
@@ -346,90 +288,26 @@ const GeneralPermissionSchema = [
       "Describe what action an entity can take."
     )
   }),
-  z.object({
-    subject: z.literal(ProjectPermissionSub.Cmek).describe("The entity this permission pertains to."),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionCmekActions).describe(
-      "Describe what action an entity can take."
-    )
-  })
-];
-
-export const ProjectPermissionV1Schema = z.discriminatedUnion("subject", [
-  z.object({
-    subject: z.literal(ProjectPermissionSub.Secrets).describe("The entity this permission pertains to."),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-      "Describe what action an entity can take."
-    ),
-    conditions: SecretConditionV1Schema.describe(
-      "When specified, only matching conditions will be allowed to access given resource."
-    ).optional()
-  }),
   z.object({
     subject: z.literal(ProjectPermissionSub.SecretFolders).describe("The entity this permission pertains to."),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
     action: CASL_ACTION_SCHEMA_ENUM([ProjectPermissionActions.Read]).describe(
       "Describe what action an entity can take."
     )
   }),
-  ...GeneralPermissionSchema
+  z.object({
+    subject: z.literal(ProjectPermissionSub.Cmek).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionCmekActions).describe(
+      "Describe what action an entity can take."
+    )
+  })
 ]);
 
-export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
-  z.object({
-    subject: z.literal(ProjectPermissionSub.Secrets).describe("The entity this permission pertains to."),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-      "Describe what action an entity can take."
-    ),
-    conditions: SecretConditionV2Schema.describe(
-      "When specified, only matching conditions will be allowed to access given resource."
-    ).optional()
-  }),
-  z.object({
-    subject: z.literal(ProjectPermissionSub.SecretFolders).describe("The entity this permission pertains to."),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-      "Describe what action an entity can take."
-    ),
-    conditions: SecretConditionV1Schema.describe(
-      "When specified, only matching conditions will be allowed to access given resource."
-    ).optional()
-  }),
-  z.object({
-    subject: z.literal(ProjectPermissionSub.SecretImports).describe("The entity this permission pertains to."),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-      "Describe what action an entity can take."
-    ),
-    conditions: SecretConditionV1Schema.describe(
-      "When specified, only matching conditions will be allowed to access given resource."
-    ).optional()
-  }),
-  z.object({
-    subject: z.literal(ProjectPermissionSub.DynamicSecrets).describe("The entity this permission pertains to."),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionDynamicSecretActions).describe(
-      "Describe what action an entity can take."
-    ),
-    conditions: SecretConditionV1Schema.describe(
-      "When specified, only matching conditions will be allowed to access given resource."
-    ).optional()
-  }),
-  ...GeneralPermissionSchema
-]);
-
-export type TProjectPermissionV2Schema = z.infer<typeof ProjectPermissionV2Schema>;
-
 const buildAdminPermissionRules = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
 
   // Admins get full access to everything
   [
     ProjectPermissionSub.Secrets,
-    ProjectPermissionSub.SecretFolders,
-    ProjectPermissionSub.SecretImports,
     ProjectPermissionSub.SecretApproval,
     ProjectPermissionSub.SecretRotation,
     ProjectPermissionSub.Member,
@@ -461,17 +339,6 @@ const buildAdminPermissionRules = () => {
     );
   });
 
-  can(
-    [
-      ProjectPermissionDynamicSecretActions.ReadRootCredential,
-      ProjectPermissionDynamicSecretActions.EditRootCredential,
-      ProjectPermissionDynamicSecretActions.CreateRootCredential,
-      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
-      ProjectPermissionDynamicSecretActions.Lease
-    ],
-    ProjectPermissionSub.DynamicSecrets
-  );
-
   can([ProjectPermissionActions.Edit, ProjectPermissionActions.Delete], ProjectPermissionSub.Project);
   can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
   can([ProjectPermissionActions.Edit], ProjectPermissionSub.Kms);
@@ -503,34 +370,6 @@ const buildMemberPermissionRules = () => {
     ],
     ProjectPermissionSub.Secrets
   );
-  can(
-    [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
-    ],
-    ProjectPermissionSub.SecretFolders
-  );
-  can(
-    [
-      ProjectPermissionDynamicSecretActions.ReadRootCredential,
-      ProjectPermissionDynamicSecretActions.EditRootCredential,
-      ProjectPermissionDynamicSecretActions.CreateRootCredential,
-      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
-      ProjectPermissionDynamicSecretActions.Lease
-    ],
-    ProjectPermissionSub.DynamicSecrets
-  );
-  can(
-    [
-      ProjectPermissionActions.Read,
-      ProjectPermissionActions.Edit,
-      ProjectPermissionActions.Create,
-      ProjectPermissionActions.Delete
-    ],
-    ProjectPermissionSub.SecretImports
-  );
 
   can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretApproval);
   can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretRotation);
@@ -654,9 +493,6 @@ const buildViewerPermissionRules = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
 
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
-  can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
@@ -759,63 +595,17 @@ export const isAtLeastAsPrivilegedWorkspace = (
 };
 /* eslint-enable */
 
-export const backfillPermissionV1SchemaToV2Schema = (
-  data: z.infer<typeof ProjectPermissionV1Schema>[],
-  dontRemoveReadFolderPermission?: boolean
-) => {
-  let formattedData = UnpackedPermissionSchema.array().parse(data);
-  const secretSubjects = formattedData.filter((el) => el.subject === ProjectPermissionSub.Secrets);
-
-  // this means the folder permission as readonly is set
-  const hasReadOnlyFolder = formattedData.filter((el) => el.subject === ProjectPermissionSub.SecretFolders);
-  const secretImportPolicies = secretSubjects.map(({ subject, ...el }) => ({
-    ...el,
-    subject: ProjectPermissionSub.SecretImports as const
-  }));
-
-  const secretFolderPolicies = secretSubjects
-    .map(({ subject, ...el }) => ({
-      ...el,
-      // read permission is not needed anymore
-      action: el.action.filter((caslAction) => caslAction !== ProjectPermissionActions.Read),
-      subject: ProjectPermissionSub.SecretFolders
-    }))
-    .filter((el) => el.action?.length > 0);
-
-  const dynamicSecretPolicies = secretSubjects.map(({ subject, ...el }) => {
-    const action = el.action.map((e) => {
-      switch (e) {
-        case ProjectPermissionActions.Edit:
-          return ProjectPermissionDynamicSecretActions.EditRootCredential;
-        case ProjectPermissionActions.Create:
-          return ProjectPermissionDynamicSecretActions.CreateRootCredential;
-        case ProjectPermissionActions.Delete:
-          return ProjectPermissionDynamicSecretActions.DeleteRootCredential;
-        case ProjectPermissionActions.Read:
-          return ProjectPermissionDynamicSecretActions.ReadRootCredential;
-        default:
-          return ProjectPermissionDynamicSecretActions.ReadRootCredential;
-      }
-    });
-
-    return {
-      ...el,
-      action: el.action.includes(ProjectPermissionActions.Edit)
-        ? [...action, ProjectPermissionDynamicSecretActions.Lease]
-        : action,
-      subject: ProjectPermissionSub.DynamicSecrets
-    };
-  });
-
-  if (!dontRemoveReadFolderPermission) {
-    formattedData = formattedData.filter((i) => i.subject !== ProjectPermissionSub.SecretFolders);
+export const SecretV2SubjectFieldMapper = (arg: string) => {
+  switch (arg) {
+    case "environment":
+      return null;
+    case "secretPath":
+      return null;
+    case "secretName":
+      return `${TableName.SecretV2}.key`;
+    case "secretTags":
+      return `${TableName.SecretTag}.slug`;
+    default:
+      throw new BadRequestError({ message: `Invalid dynamic knex operator field: ${arg}` });
   }
-
-  return formattedData.concat(
-    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-    // @ts-ignore-error this is valid ts
-    secretImportPolicies,
-    dynamicSecretPolicies,
-    hasReadOnlyFolder.length ? [] : secretFolderPolicies
-  );
 };

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -1,16 +1,11 @@
-import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
-import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
+import { ForbiddenError } from "@casl/ability";
 import ms from "ms";
 
-import { TableName } from "@app/db/schemas";
-import { isAtLeastAsPrivileged } from "@app/lib/casl";
-import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
-import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
-import { ActorType } from "@app/services/auth/auth-type";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSet, ProjectPermissionSub } from "../permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "./project-user-additional-privilege-dal";
 import {
   ProjectUserAdditionalPrivilegeTemporaryMode,
@@ -31,11 +26,6 @@ export type TProjectUserAdditionalPrivilegeServiceFactory = ReturnType<
   typeof projectUserAdditionalPrivilegeServiceFactory
 >;
 
-const unpackPermissions = (permissions: unknown) =>
-  UnpackedPermissionSchema.array().parse(
-    unpackRules((permissions || []) as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[])
-  );
-
 export const projectUserAdditionalPrivilegeServiceFactory = ({
   projectUserAdditionalPrivilegeDAL,
   projectMembershipDAL,
@@ -53,7 +43,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
   }: TCreateUserPrivilegeDTO) => {
     const projectMembership = await projectMembershipDAL.findById(projectMembershipId);
     if (!projectMembership)
-      throw new NotFoundError({ message: `Project membership with ID ${projectMembershipId} found` });
+      throw new NotFoundError({ message: `Project membership with ID '${projectMembershipId}' not found` });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -63,41 +53,22 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
-    const { permission: targetUserPermission } = await permissionService.getProjectPermission(
-      ActorType.USER,
-      projectMembership.userId,
-      projectMembership.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    // we need to validate that the privilege given is not higher than the assigning users permission
-    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
-    targetUserPermission.update(targetUserPermission.rules.concat(customPermission));
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetUserPermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
 
     const existingSlug = await projectUserAdditionalPrivilegeDAL.findOne({
       slug,
       projectId: projectMembership.projectId,
       userId: projectMembership.userId
     });
-    if (existingSlug)
-      throw new BadRequestError({ message: `Additional privilege with provided slug ${slug} already exists` });
+    if (existingSlug) throw new BadRequestError({ message: "Additional privilege of provided slug exist" });
 
-    const packedPermission = JSON.stringify(packRules(customPermission));
     if (!dto.isTemporary) {
       const additionalPrivilege = await projectUserAdditionalPrivilegeDAL.create({
         userId: projectMembership.userId,
         projectId: projectMembership.projectId,
         slug,
-        permissions: packedPermission
+        permissions: customPermission
       });
-      return {
-        ...additionalPrivilege,
-        permissions: unpackPermissions(additionalPrivilege.permissions)
-      };
+      return additionalPrivilege;
     }
 
     const relativeTempAllocatedTimeInMs = ms(dto.temporaryRange);
@@ -105,17 +76,14 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       projectId: projectMembership.projectId,
       userId: projectMembership.userId,
       slug,
-      permissions: packedPermission,
+      permissions: customPermission,
       isTemporary: true,
       temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative,
       temporaryRange: dto.temporaryRange,
       temporaryAccessStartTime: new Date(dto.temporaryAccessStartTime),
       temporaryAccessEndTime: new Date(new Date(dto.temporaryAccessStartTime).getTime() + relativeTempAllocatedTimeInMs)
     });
-    return {
-      ...additionalPrivilege,
-      permissions: unpackPermissions(additionalPrivilege.permissions)
-    };
+    return additionalPrivilege;
   };
 
   const updateById = async ({
@@ -128,7 +96,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
   }: TUpdateUserPrivilegeDTO) => {
     const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
     if (!userPrivilege)
-      throw new NotFoundError({ message: `User additional privilege with ID ${privilegeId} not found` });
+      throw new NotFoundError({ message: `User additional privilege with ID '${privilegeId}' not found` });
 
     const projectMembership = await projectMembershipDAL.findOne({
       userId: userPrivilege.userId,
@@ -148,20 +116,6 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
-    const { permission: targetUserPermission } = await permissionService.getProjectPermission(
-      ActorType.USER,
-      projectMembership.userId,
-      projectMembership.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    // we need to validate that the privilege given is not higher than the assigning users permission
-    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
-    targetUserPermission.update(targetUserPermission.rules.concat(dto.permissions || []));
-    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetUserPermission);
-    if (!hasRequiredPriviledges)
-      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
 
     if (dto?.slug) {
       const existingSlug = await projectUserAdditionalPrivilegeDAL.findOne({
@@ -170,50 +124,36 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
         projectId: projectMembership.projectId
       });
       if (existingSlug && existingSlug.id !== userPrivilege.id)
-        throw new BadRequestError({ message: `Additional privilege with provided slug ${dto.slug} already exists` });
+        throw new BadRequestError({ message: "Additional privilege of provided slug exist" });
     }
 
     const isTemporary = typeof dto?.isTemporary !== "undefined" ? dto.isTemporary : userPrivilege.isTemporary;
-
-    const packedPermission = dto.permissions && JSON.stringify(packRules(dto.permissions));
     if (isTemporary) {
       const temporaryAccessStartTime = dto?.temporaryAccessStartTime || userPrivilege?.temporaryAccessStartTime;
       const temporaryRange = dto?.temporaryRange || userPrivilege?.temporaryRange;
       const additionalPrivilege = await projectUserAdditionalPrivilegeDAL.updateById(userPrivilege.id, {
-        slug: dto.slug,
-        permissions: packedPermission,
-        isTemporary: dto.isTemporary,
-        temporaryRange: dto.temporaryRange,
-        temporaryMode: dto.temporaryMode,
+        ...dto,
         temporaryAccessStartTime: new Date(temporaryAccessStartTime || ""),
         temporaryAccessEndTime: new Date(new Date(temporaryAccessStartTime || "").getTime() + ms(temporaryRange || ""))
       });
-
-      return {
-        ...additionalPrivilege,
-        permissions: unpackPermissions(additionalPrivilege.permissions)
-      };
+      return additionalPrivilege;
     }
 
     const additionalPrivilege = await projectUserAdditionalPrivilegeDAL.updateById(userPrivilege.id, {
-      slug: dto.slug,
-      permissions: packedPermission,
+      ...dto,
       isTemporary: false,
       temporaryAccessStartTime: null,
       temporaryAccessEndTime: null,
       temporaryRange: null,
       temporaryMode: null
     });
-    return {
-      ...additionalPrivilege,
-      permissions: unpackPermissions(additionalPrivilege.permissions)
-    };
+    return additionalPrivilege;
   };
 
   const deleteById = async ({ actorId, actor, actorOrgId, actorAuthMethod, privilegeId }: TDeleteUserPrivilegeDTO) => {
     const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
     if (!userPrivilege)
-      throw new NotFoundError({ message: `User additional privilege with ID ${privilegeId} not found` });
+      throw new NotFoundError({ message: `User additional privilege with ID '${privilegeId}' not found` });
 
     const projectMembership = await projectMembershipDAL.findOne({
       userId: userPrivilege.userId,
@@ -234,10 +174,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
 
     const deletedPrivilege = await projectUserAdditionalPrivilegeDAL.deleteById(userPrivilege.id);
-    return {
-      ...deletedPrivilege,
-      permissions: unpackPermissions(deletedPrivilege.permissions)
-    };
+    return deletedPrivilege;
   };
 
   const getPrivilegeDetailsById = async ({
@@ -249,7 +186,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
   }: TGetUserPrivilegeDetailsDTO) => {
     const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
     if (!userPrivilege)
-      throw new NotFoundError({ message: `User additional privilege with ID  ${privilegeId} not found` });
+      throw new NotFoundError({ message: `User additional privilege with ID '${privilegeId}' not found` });
 
     const projectMembership = await projectMembershipDAL.findOne({
       userId: userPrivilege.userId,
@@ -269,10 +206,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
 
-    return {
-      ...userPrivilege,
-      permissions: unpackPermissions(userPrivilege.permissions)
-    };
+    return userPrivilege;
   };
 
   const listPrivileges = async ({
@@ -284,7 +218,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
   }: TListUserPrivilegesDTO) => {
     const projectMembership = await projectMembershipDAL.findById(projectMembershipId);
     if (!projectMembership)
-      throw new NotFoundError({ message: `Project membership with ID ${projectMembershipId} not found` });
+      throw new NotFoundError({ message: `Project membership with ID '${projectMembershipId}' not found` });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -295,13 +229,10 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
 
-    const userPrivileges = await projectUserAdditionalPrivilegeDAL.find(
-      {
-        userId: projectMembership.userId,
-        projectId: projectMembership.projectId
-      },
-      { sort: [[`${TableName.ProjectUserAdditionalPrivilege}.slug` as "slug", "asc"]] }
-    );
+    const userPrivileges = await projectUserAdditionalPrivilegeDAL.find({
+      userId: projectMembership.userId,
+      projectId: projectMembership.projectId
+    });
     return userPrivileges;
   };
 

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-types.ts

@@ -1,20 +1,18 @@
 import { TProjectPermission } from "@app/lib/types";
 
-import { TProjectPermissionV2Schema } from "../permission/project-permission";
-
 export enum ProjectUserAdditionalPrivilegeTemporaryMode {
   Relative = "relative"
 }
 
 export type TCreateUserPrivilegeDTO = (
   | {
-      permissions: TProjectPermissionV2Schema[];
+      permissions: unknown;
       projectMembershipId: string;
       slug: string;
       isTemporary: false;
     }
   | {
-      permissions: TProjectPermissionV2Schema[];
+      permissions: unknown;
       projectMembershipId: string;
       slug: string;
       isTemporary: true;
@@ -27,7 +25,7 @@ export type TCreateUserPrivilegeDTO = (
 
 export type TUpdateUserPrivilegeDTO = { privilegeId: string } & Omit<TProjectPermission, "projectId"> &
   Partial<{
-    permissions: TProjectPermissionV2Schema[];
+    permissions: unknown;
     slug: string;
     isTemporary: boolean;
     temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative;

backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts

@@ -14,7 +14,7 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
 
   const secretApprovalPolicyFindQuery = (
     tx: Knex,
-    filter: TFindFilter<TSecretApprovalPolicies & { projectId: string }>,
+    filter: TFindFilter<TSecretApprovalPolicies>,
     customFilter?: {
       sapId?: string;
     }

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -1,4 +1,4 @@
-import { ForbiddenError } from "@casl/ability";
+import { ForbiddenError, subject } from "@casl/ability";
 import picomatch from "picomatch";
 
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@@ -356,8 +356,17 @@ export const secretApprovalPolicyServiceFactory = ({
     environment,
     secretPath
   }: TGetBoardSapDTO) => {
-    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
-
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { secretPath, environment })
+    );
     return getSecretApprovalPolicy(projectId, environment, secretPath);
   };
 

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -43,7 +43,7 @@ import {
   fnSecretBulkDelete as fnSecretV2BridgeBulkDelete,
   fnSecretBulkInsert as fnSecretV2BridgeBulkInsert,
   fnSecretBulkUpdate as fnSecretV2BridgeBulkUpdate,
-  getAllSecretReferences as getAllSecretReferencesV2Bridge
+  getAllNestedSecretReferences as getAllNestedSecretReferencesV2Bridge
 } from "@app/services/secret-v2-bridge/secret-v2-bridge-fns";
 import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
 import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";
@@ -531,11 +531,11 @@ export const secretApprovalRequestServiceFactory = ({
                 skipMultilineEncoding: el.skipMultilineEncoding,
                 key: el.key,
                 references: el.encryptedValue
-                  ? getAllSecretReferencesV2Bridge(
+                  ? getAllNestedSecretReferencesV2Bridge(
                       secretManagerDecryptor({
                         cipherTextBlob: el.encryptedValue
                       }).toString()
-                    ).nestedReferences
+                    )
                   : [],
                 type: SecretType.Shared
               })),
@@ -555,11 +555,11 @@ export const secretApprovalRequestServiceFactory = ({
                     ? {
                         encryptedValue: el.encryptedValue as Buffer,
                         references: el.encryptedValue
-                          ? getAllSecretReferencesV2Bridge(
+                          ? getAllNestedSecretReferencesV2Bridge(
                               secretManagerDecryptor({
                                 cipherTextBlob: el.encryptedValue
                               }).toString()
-                            ).nestedReferences
+                            )
                           : []
                       }
                     : {};
@@ -1143,6 +1143,10 @@ export const secretApprovalRequestServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+    );
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder)
@@ -1305,24 +1309,7 @@ export const secretApprovalRequestServiceFactory = ({
 
     const tagIds = unique(Object.values(commitTagIds).flat());
     const tags = tagIds.length ? await secretTagDAL.findManyTagsById(projectId, tagIds) : [];
-    if (tagIds.length !== tags.length) throw new NotFoundError({ message: "Tag not found" });
-    const tagsGroupById = groupBy(tags, (i) => i.id);
-
-    commits.forEach((commit) => {
-      let action = ProjectPermissionActions.Create;
-      if (commit.op === SecretOperations.Update) action = ProjectPermissionActions.Edit;
-      if (commit.op === SecretOperations.Delete) action = ProjectPermissionActions.Delete;
-
-      ForbiddenError.from(permission).throwUnlessCan(
-        action,
-        subject(ProjectPermissionSub.Secrets, {
-          environment,
-          secretPath,
-          secretName: commit.key,
-          secretTags: commitTagIds?.[commit.key]?.map((secretTagId) => tagsGroupById[secretTagId][0].slug)
-        })
-      );
-    });
+    if (tagIds.length !== tags.length) throw new NotFoundError({ message: "One or more tags not found" });
 
     const secretApprovalRequest = await secretApprovalRequestDAL.transaction(async (tx) => {
       const doc = await secretApprovalRequestDAL.create(

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -28,7 +28,8 @@ import { TSecretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret
 import {
   fnSecretBulkInsert as fnSecretV2BridgeBulkInsert,
   fnSecretBulkUpdate as fnSecretV2BridgeBulkUpdate,
-  getAllSecretReferences
+  getAllNestedSecretReferences,
+  getAllNestedSecretReferences as getAllNestedSecretReferencesV2Bridge
 } from "@app/services/secret-v2-bridge/secret-v2-bridge-fns";
 import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
 import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";
@@ -252,12 +253,11 @@ export const secretReplicationServiceFactory = ({
       const sourceLocalSecrets = await secretV2BridgeDAL.find({ folderId: folder.id, type: SecretType.Shared });
       const sourceSecretImports = await secretImportDAL.find({ folderId: folder.id });
       const sourceImportedSecrets = await fnSecretsV2FromImports({
-        secretImports: sourceSecretImports,
+        allowedImports: sourceSecretImports,
         secretDAL: secretV2BridgeDAL,
         folderDAL,
         secretImportDAL,
-        decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : ""),
-        hasSecretAccess: () => true
+        decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : "")
       });
       // secrets that gets replicated across imports
       const sourceDecryptedLocalSecrets = sourceLocalSecrets.map((el) => ({
@@ -419,7 +419,7 @@ export const secretReplicationServiceFactory = ({
                         encryptedValue: doc.encryptedValue,
                         encryptedComment: doc.encryptedComment,
                         skipMultilineEncoding: doc.skipMultilineEncoding,
-                        references: doc.secretValue ? getAllSecretReferences(doc.secretValue).nestedReferences : []
+                        references: doc.secretValue ? getAllNestedSecretReferencesV2Bridge(doc.secretValue) : []
                       };
                     })
                   });
@@ -445,7 +445,7 @@ export const secretReplicationServiceFactory = ({
                           encryptedValue: doc.encryptedValue as Buffer,
                           encryptedComment: doc.encryptedComment,
                           skipMultilineEncoding: doc.skipMultilineEncoding,
-                          references: doc.secretValue ? getAllSecretReferences(doc.secretValue).nestedReferences : []
+                          references: doc.secretValue ? getAllNestedSecretReferencesV2Bridge(doc.secretValue) : []
                         }
                       };
                     })
@@ -694,7 +694,7 @@ export const secretReplicationServiceFactory = ({
                       secretCommentTag: doc.secretCommentTag,
                       secretCommentCiphertext: doc.secretCommentCiphertext,
                       skipMultilineEncoding: doc.skipMultilineEncoding,
-                      references: getAllSecretReferences(doc.secretValue).nestedReferences
+                      references: getAllNestedSecretReferences(doc.secretValue)
                     };
                   })
                 });
@@ -730,7 +730,7 @@ export const secretReplicationServiceFactory = ({
                         secretCommentTag: doc.secretCommentTag,
                         secretCommentCiphertext: doc.secretCommentCiphertext,
                         skipMultilineEncoding: doc.skipMultilineEncoding,
-                        references: getAllSecretReferences(doc.secretValue).nestedReferences
+                        references: getAllNestedSecretReferences(doc.secretValue)
                       }
                     };
                   })

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";
 
-import { ProjectVersion, TableName } from "@app/db/schemas";
+import { ProjectVersion } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
@@ -103,14 +103,13 @@ export const secretRotationServiceFactory = ({
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Secrets, { environment, secretPath })
     );
-
     const project = await projectDAL.findById(projectId);
     const shouldUseBridge = project.version === ProjectVersion.V3;
 
     if (shouldUseBridge) {
       const selectedSecrets = await secretV2BridgeDAL.find({
         folderId: folder.id,
-        $in: { [`${TableName.SecretV2}.id` as "id"]: Object.values(outputs) }
+        $in: { id: Object.values(outputs) }
       });
       if (selectedSecrets.length !== Object.values(outputs).length)
         throw new NotFoundError({ message: `Secrets not found in folder with ID '${folder.id}'` });

backend/src/lib/api-docs/constants.ts

@@ -5,31 +5,31 @@ export const GROUPS = {
     role: "The role of the group to create."
   },
   UPDATE: {
-    id: "The ID of the group to update.",
+    id: "The id of the group to update",
     name: "The new name of the group to update to.",
     slug: "The new slug of the group to update to.",
     role: "The new role of the group to update to."
   },
   DELETE: {
-    id: "The ID of the group to delete.",
-    slug: "The slug of the group to delete."
+    id: "The id of the group to delete",
+    slug: "The slug of the group to delete"
   },
   LIST_USERS: {
-    id: "The ID of the group to list users for.",
+    id: "The id of the group to list users for",
     offset: "The offset to start from. If you enter 10, it will start from the 10th user.",
     limit: "The number of users to return.",
     username: "The username to search for.",
     search: "The text string that user email or name will be filtered by."
   },
   ADD_USER: {
-    id: "The ID of the group to add the user to.",
+    id: "The id of the group to add the user to.",
     username: "The username of the user to add to the group."
   },
   GET_BY_ID: {
-    id: "The ID of the group to fetch."
+    id: "The id of the group to fetch"
   },
   DELETE_USER: {
-    id: "The ID of the group to remove the user from.",
+    id: "The id of the group to remove the user from.",
     username: "The username of the user to remove from the group."
   }
 } as const;
@@ -119,7 +119,7 @@ export const AWS_AUTH = {
     identityId: "The ID of the identity to login.",
     iamHttpRequestMethod: "The HTTP request method used in the signed request.",
     iamRequestUrl:
-      "The base64-encoded HTTP URL used in the signed request. Most likely, the base64-encoding of https://sts.amazonaws.com/.",
+      "The base64-encoded HTTP URL used in the signed request. Most likely, the base64-encoding of https://sts.amazonaws.com/",
     iamRequestBody:
       "The base64-encoded body of the signed request. Most likely, the base64-encoding of Action=GetCallerIdentity&Version=2011-06-15.",
     iamRequestHeaders: "The base64-encoded headers of the sts:GetCallerIdentity signed request."
@@ -130,8 +130,8 @@ export const AWS_AUTH = {
       "The comma-separated list of trusted IAM principal ARNs that are allowed to authenticate with Infisical.",
     allowedAccountIds:
       "The comma-separated list of trusted AWS account IDs that are allowed to authenticate with Infisical.",
-    accessTokenTTL: "The lifetime for an access token in seconds.",
-    accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
+    accessTokenTTL: "The lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an acccess token in seconds.",
     stsEndpoint: "The endpoint URL for the AWS STS API.",
     accessTokenNumUsesLimit: "The maximum number of times that an access token can be used.",
     accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from."
@@ -142,8 +142,8 @@ export const AWS_AUTH = {
       "The new comma-separated list of trusted IAM principal ARNs that are allowed to authenticate with Infisical.",
     allowedAccountIds:
       "The new comma-separated list of trusted AWS account IDs that are allowed to authenticate with Infisical.",
-    accessTokenTTL: "The new lifetime for an access token in seconds.",
-    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
+    accessTokenTTL: "The new lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an acccess token in seconds.",
     stsEndpoint: "The new endpoint URL for the AWS STS API.",
     accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
     accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from."
@@ -167,8 +167,8 @@ export const AZURE_AUTH = {
     allowedServicePrincipalIds:
       "The comma-separated list of Azure AD service principal IDs that are allowed to authenticate with Infisical.",
     accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
-    accessTokenTTL: "The lifetime for an access token in seconds.",
-    accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
+    accessTokenTTL: "The lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an acccess token in seconds.",
     accessTokenNumUsesLimit: "The maximum number of times that an access token can be used."
   },
   UPDATE: {
@@ -178,8 +178,8 @@ export const AZURE_AUTH = {
     allowedServicePrincipalIds:
       "The new comma-separated list of Azure AD service principal IDs that are allowed to authenticate with Infisical.",
     accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
-    accessTokenTTL: "The new lifetime for an access token in seconds.",
-    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
+    accessTokenTTL: "The new lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an acccess token in seconds.",
     accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
   },
   RETRIEVE: {
@@ -203,8 +203,8 @@ export const GCP_AUTH = {
     allowedZones:
       "The comma-separated list of trusted zones that the GCE instances must belong to authenticate with Infisical.",
     accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
-    accessTokenTTL: "The lifetime for an access token in seconds.",
-    accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
+    accessTokenTTL: "The lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an acccess token in seconds.",
     accessTokenNumUsesLimit: "The maximum number of times that an access token can be used."
   },
   UPDATE: {
@@ -216,8 +216,8 @@ export const GCP_AUTH = {
     allowedZones:
       "The new comma-separated list of trusted zones that the GCE instances must belong to authenticate with Infisical.",
     accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
-    accessTokenTTL: "The new lifetime for an access token in seconds.",
-    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
+    accessTokenTTL: "The new lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an acccess token in seconds.",
     accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
   },
   RETRIEVE: {
@@ -244,8 +244,8 @@ export const KUBERNETES_AUTH = {
     allowedAudience:
       "The optional audience claim that the service account JWT token must have to authenticate with Infisical.",
     accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
-    accessTokenTTL: "The lifetime for an access token in seconds.",
-    accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
+    accessTokenTTL: "The lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an acccess token in seconds.",
     accessTokenNumUsesLimit: "The maximum number of times that an access token can be used."
   },
   UPDATE: {
@@ -276,15 +276,15 @@ export const TOKEN_AUTH = {
   ATTACH: {
     identityId: "The ID of the identity to attach the configuration onto.",
     accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
-    accessTokenTTL: "The lifetime for an access token in seconds.",
-    accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
+    accessTokenTTL: "The lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an acccess token in seconds.",
     accessTokenNumUsesLimit: "The maximum number of times that an access token can be used."
   },
   UPDATE: {
     identityId: "The ID of the identity to update the auth method for.",
     accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
-    accessTokenTTL: "The new lifetime for an access token in seconds.",
-    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
+    accessTokenTTL: "The new lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an acccess token in seconds.",
     accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
   },
   RETRIEVE: {
@@ -296,18 +296,18 @@ export const TOKEN_AUTH = {
   GET_TOKENS: {
     identityId: "The ID of the identity to list token metadata for.",
     offset: "The offset to start from. If you enter 10, it will start from the 10th token.",
-    limit: "The number of tokens to return."
+    limit: "The number of tokens to return"
   },
   CREATE_TOKEN: {
     identityId: "The ID of the identity to create the token for.",
-    name: "The name of the token to create."
+    name: "The name of the token to create"
   },
   UPDATE_TOKEN: {
-    tokenId: "The ID of the token to update metadata for.",
-    name: "The name of the token to update to."
+    tokenId: "The ID of the token to update metadata for",
+    name: "The name of the token to update to"
   },
   REVOKE_TOKEN: {
-    tokenId: "The ID of the token to revoke."
+    tokenId: "The ID of the token to revoke"
   }
 } as const;
 
@@ -324,8 +324,8 @@ export const OIDC_AUTH = {
     boundClaims: "The attributes that should be present in the JWT for it to be valid.",
     boundSubject: "The expected principal that is the subject of the JWT.",
     accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
-    accessTokenTTL: "The lifetime for an access token in seconds.",
-    accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
+    accessTokenTTL: "The lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an acccess token in seconds.",
     accessTokenNumUsesLimit: "The maximum number of times that an access token can be used."
   },
   UPDATE: {
@@ -337,8 +337,8 @@ export const OIDC_AUTH = {
     boundClaims: "The new attributes that should be present in the JWT for it to be valid.",
     boundSubject: "The new expected principal that is the subject of the JWT.",
     accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
-    accessTokenTTL: "The new lifetime for an access token in seconds.",
-    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
+    accessTokenTTL: "The new lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an acccess token in seconds.",
     accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
   },
   RETRIEVE: {
@@ -475,7 +475,6 @@ export const PROJECT_USERS = {
   },
   GET_USER_MEMBERSHIP: {
     workspaceId: "The ID of the project to get memberships from.",
-    membershipId: "The ID of the user's project membership.",
     username: "The username to get project membership of. Email is the default username."
   },
   UPDATE_USER_MEMBERSHIP: {
@@ -507,8 +506,8 @@ export const PROJECT_IDENTITIES = {
       isTemporary:
         "Whether the assigned role is temporary. If isTemporary is set true, must provide temporaryMode, temporaryRange and temporaryAccessStartTime.",
       temporaryMode: "Type of temporary expiry.",
-      temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s, 2m ,3h, etc.",
-      temporaryAccessStartTime: "Time to which the temporary access starts."
+      temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s,2m,3h",
+      temporaryAccessStartTime: "Time to which the temporary access starts"
     }
   },
   DELETE_IDENTITY_MEMBERSHIP: {
@@ -525,8 +524,8 @@ export const PROJECT_IDENTITIES = {
       isTemporary:
         "Whether the assigned role is temporary. If isTemporary is set true, must provide temporaryMode, temporaryRange and temporaryAccessStartTime.",
       temporaryMode: "Type of temporary expiry.",
-      temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s, 2m, 3h, etc.",
-      temporaryAccessStartTime: "Time to which the temporary access starts."
+      temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s,2m,3h",
+      temporaryAccessStartTime: "Time to which the temporary access starts"
     }
   }
 };
@@ -563,7 +562,7 @@ export const FOLDERS = {
     directory: "The directory to list folders from. (Deprecated in favor of path)"
   },
   GET_BY_ID: {
-    folderId: "The ID of the folder to get details."
+    folderId: "The id of the folder to get details."
   },
   CREATE: {
     workspaceId: "The ID of the project to create the folder in.",
@@ -596,22 +595,22 @@ export const SECRETS = {
     secretPath: "The path of the secret to attach tags to.",
     type: "The type of the secret to attach tags to. (shared/personal)",
     environment: "The slug of the environment where the secret is located",
-    projectSlug: "The slug of the project where the secret is located.",
+    projectSlug: "The slug of the project where the secret is located",
     tagSlugs: "An array of existing tag slugs to attach to the secret."
   },
   DETACH_TAGS: {
     secretName: "The name of the secret to detach tags from.",
     secretPath: "The path of the secret to detach tags from.",
     type: "The type of the secret to attach tags to. (shared/personal)",
-    environment: "The slug of the environment where the secret is located.",
-    projectSlug: "The slug of the project where the secret is located.",
+    environment: "The slug of the environment where the secret is located",
+    projectSlug: "The slug of the project where the secret is located",
     tagSlugs: "An array of existing tag slugs to detach from the secret."
   }
 } as const;
 
 export const RAW_SECRETS = {
   LIST: {
-    expand: "Whether or not to expand secret references.",
+    expand: "Whether or not to expand secret references",
     recursive:
       "Whether or not to fetch all secrets from the specified base path, and all of its subdirectories. Note, the max depth is 20 deep.",
     workspaceId: "The ID of the project to list secrets from.",
@@ -620,7 +619,7 @@ export const RAW_SECRETS = {
     environment: "The slug of the environment to list secrets from.",
     secretPath: "The secret path to list secrets from.",
     includeImports: "Weather to include imported secrets or not.",
-    tagSlugs: "The comma separated tag slugs to filter secrets."
+    tagSlugs: "The comma separated tag slugs to filter secrets"
   },
   CREATE: {
     secretName: "The name of the secret to create.",
@@ -633,11 +632,11 @@ export const RAW_SECRETS = {
     type: "The type of the secret to create.",
     workspaceId: "The ID of the project to create the secret in.",
     tagIds: "The ID of the tags to be attached to the created secret.",
-    secretReminderRepeatDays: "Interval for secret rotation notifications, measured in days.",
-    secretReminderNote: "Note to be attached in notification email."
+    secretReminderRepeatDays: "Interval for secret rotation notifications, measured in days",
+    secretReminderNote: "Note to be attached in notification email"
   },
   GET: {
-    expand: "Whether or not to expand secret references.",
+    expand: "Whether or not to expand secret references",
     secretName: "The name of the secret to get.",
     workspaceId: "The ID of the project to get the secret from.",
     workspaceSlug: "The slug of the project to get the secret from.",
@@ -651,16 +650,16 @@ export const RAW_SECRETS = {
     secretName: "The name of the secret to update.",
     secretComment: "Update comment to the secret.",
     environment: "The slug of the environment where the secret is located.",
-    secretPath: "The path of the secret to update.",
+    secretPath: "The path of the secret to update",
     secretValue: "The new value of the secret.",
     skipMultilineEncoding: "Skip multiline encoding for the secret value.",
     type: "The type of the secret to update.",
     projectSlug: "The slug of the project to update the secret in.",
     workspaceId: "The ID of the project to update the secret in.",
     tagIds: "The ID of the tags to be attached to the updated secret.",
-    secretReminderRepeatDays: "Interval for secret rotation notifications, measured in days.",
-    secretReminderNote: "Note to be attached in notification email.",
-    newSecretName: "The new name for the secret."
+    secretReminderRepeatDays: "Interval for secret rotation notifications, measured in days",
+    secretReminderNote: "Note to be attached in notification email",
+    newSecretName: "The new name for the secret"
   },
   DELETE: {
     secretName: "The name of the secret to delete.",
@@ -669,12 +668,6 @@ export const RAW_SECRETS = {
     type: "The type of the secret to delete.",
     projectSlug: "The slug of the project to delete the secret in.",
     workspaceId: "The ID of the project where the secret is located."
-  },
-  GET_REFERENCE_TREE: {
-    secretName: "The name of the secret to get the reference tree for.",
-    workspaceId: "The ID of the project where the secret is located.",
-    environment: "The slug of the environment where the the secret is located.",
-    secretPath: "The folder path where the secret is located."
   }
 } as const;
 
@@ -797,7 +790,7 @@ export const DYNAMIC_SECRETS = {
     environmentSlug: "The slug of the environment to update the dynamic secret in.",
     path: "The path to update the dynamic secret in.",
     name: "The name of the dynamic secret.",
-    inputs: "The new partial values for the configured provider of the dynamic secret",
+    inputs: "The new partial values for the configurated provider of the dynamic secret",
     defaultTTL: "The default TTL that will be applied for all the leases.",
     maxTTL: "The maximum limit a TTL can be leases or renewed.",
     newName: "The new name for the dynamic secret."
@@ -808,7 +801,7 @@ export const DYNAMIC_SECRETS = {
     path: "The path to delete the dynamic secret in.",
     name: "The name of the dynamic secret.",
     isForced:
-      "A boolean flag to delete the the dynamic secret from Infisical without trying to remove it from external provider. Used when the dynamic secret got modified externally."
+      "A boolean flag to delete the the dynamic secret from infisical without trying to remove it from external provider. Used when the dynamic secret got modified externally."
   }
 } as const;
 
@@ -824,7 +817,7 @@ export const DYNAMIC_SECRET_LEASES = {
     environmentSlug: "The slug of the environment of the dynamic secret in.",
     path: "The path of the dynamic secret in.",
     dynamicSecretName: "The name of the dynamic secret.",
-    ttl: "The lease lifetime TTL. If not provided the default TTL of dynamic secret will be used."
+    ttl: "The lease lifetime ttl. If not provided the default TTL of dynamic secret will be used."
   },
   RENEW: {
     projectSlug: "The slug of the project of the dynamic secret in.",
@@ -839,7 +832,7 @@ export const DYNAMIC_SECRET_LEASES = {
     path: "The path of the dynamic secret in.",
     leaseId: "The ID of the dynamic secret lease.",
     isForced:
-      "A boolean flag to delete the the dynamic secret from Infisical without trying to remove it from external provider. Used when the dynamic secret got modified externally."
+      "A boolean flag to delete the the dynamic secret from infisical without trying to remove it from external provider. Used when the dynamic secret got modified externally."
   }
 } as const;
 export const SECRET_TAGS = {
@@ -848,11 +841,11 @@ export const SECRET_TAGS = {
   },
   GET_TAG_BY_ID: {
     projectId: "The ID of the project to get tags from.",
-    tagId: "The ID of the tag to get details."
+    tagId: "The ID of the tag to get details"
   },
   GET_TAG_BY_SLUG: {
     projectId: "The ID of the project to get tags from.",
-    tagSlug: "The slug of the tag to get details."
+    tagSlug: "The slug of the tag to get details"
   },
   CREATE: {
     projectId: "The ID of the project to create the tag in.",
@@ -862,7 +855,7 @@ export const SECRET_TAGS = {
   },
   UPDATE: {
     projectId: "The ID of the project to update the tag in.",
-    tagId: "The ID of the tag to get details.",
+    tagId: "The ID of the tag to get details",
     name: "The name of the tag to update.",
     slug: "The slug of the tag to update.",
     color: "The color of the tag to update."
@@ -896,8 +889,8 @@ The permission object for the privilege.
     privilegePermission: "The permission object for the privilege.",
     isPackPermission: "Whether the server should pack(compact) the permission object.",
     isTemporary: "Whether the privilege is temporary.",
-    temporaryMode: "Type of temporary access given. Types: relative.",
-    temporaryRange: "TTL for the temporary time. Eg: 1m, 1h, 1d.",
+    temporaryMode: "Type of temporary access given. Types: relative",
+    temporaryRange: "TTL for the temporay time. Eg: 1m, 1h, 1d",
     temporaryAccessStartTime: "ISO time for which temporary access should begin."
   },
   UPDATE: {
@@ -922,8 +915,8 @@ The permission object for the privilege.
 `,
     privilegePermission: "The permission object for the privilege.",
     isTemporary: "Whether the privilege is temporary.",
-    temporaryMode: "Type of temporary access given. Types: relative.",
-    temporaryRange: "TTL for the temporary time. Eg: 1m, 1h, 1d.",
+    temporaryMode: "Type of temporary access given. Types: relative",
+    temporaryRange: "TTL for the temporay time. Eg: 1m, 1h, 1d",
     temporaryAccessStartTime: "ISO time for which temporary access should begin."
   },
   DELETE: {
@@ -939,102 +932,62 @@ The permission object for the privilege.
   LIST: {
     projectSlug: "The slug of the project of the identity in.",
     identityId: "The ID of the identity to list.",
-    unpacked: "Whether the system should send the permissions as unpacked."
+    unpacked: "Whether the system should send the permissions as unpacked"
   }
 };
 
 export const PROJECT_USER_ADDITIONAL_PRIVILEGE = {
   CREATE: {
-    projectMembershipId: "Project membership ID of user.",
+    projectMembershipId: "Project membership id of user",
     slug: "The slug of the privilege to create.",
     permissions:
-      "The permission object for the privilege. Refer https://casl.js.org/v6/en/guide/define-rules#the-shape-of-raw-rule to understand the shape.",
-    isPackPermission: "Whether the server should pack (compact) the permission object.",
+      "The permission object for the privilege. Refer https://casl.js.org/v6/en/guide/define-rules#the-shape-of-raw-rule to understand the shape",
+    isPackPermission: "Whether the server should pack(compact) the permission object.",
     isTemporary: "Whether the privilege is temporary.",
-    temporaryMode: "Type of temporary access given. Types: relative.",
-    temporaryRange: "TTL for the temporary time. Eg: 1m, 1h, 1d.",
+    temporaryMode: "Type of temporary access given. Types: relative",
+    temporaryRange: "TTL for the temporay time. Eg: 1m, 1h, 1d",
     temporaryAccessStartTime: "ISO time for which temporary access should begin."
   },
   UPDATE: {
-    privilegeId: "The ID of privilege object.",
+    privilegeId: "The id of privilege object",
     slug: "The slug of the privilege to create.",
     newSlug: "The new slug of the privilege to create.",
     permissions:
-      "The permission object for the privilege. Refer https://casl.js.org/v6/en/guide/define-rules#the-shape-of-raw-rule to understand the shape.",
-    isPackPermission: "Whether the server should pack (compact) the permission object.",
+      "The permission object for the privilege. Refer https://casl.js.org/v6/en/guide/define-rules#the-shape-of-raw-rule to understand the shape",
+    isPackPermission: "Whether the server should pack(compact) the permission object.",
     isTemporary: "Whether the privilege is temporary.",
-    temporaryMode: "Type of temporary access given. Types: relative.",
-    temporaryRange: "TTL for the temporary time. Eg: 1m, 1h, 1d.",
+    temporaryMode: "Type of temporary access given. Types: relative",
+    temporaryRange: "TTL for the temporay time. Eg: 1m, 1h, 1d",
     temporaryAccessStartTime: "ISO time for which temporary access should begin."
   },
   DELETE: {
-    privilegeId: "The ID of privilege object."
+    privilegeId: "The id of privilege object"
   },
-  GET_BY_PRIVILEGE_ID: {
-    privilegeId: "The ID of privilege object."
+  GET_BY_PRIVILEGEID: {
+    privilegeId: "The id of privilege object"
   },
   LIST: {
-    projectMembershipId: "Project membership ID of user."
-  }
-};
-
-export const IDENTITY_ADDITIONAL_PRIVILEGE_V2 = {
-  CREATE: {
-    identityId: "The ID of the identity to create the privilege for.",
-    projectId: "The ID of the project of the identity in.",
-    slug: "The slug of the privilege to create.",
-    permission: "The permission for the privilege.",
-    isTemporary: "Whether the privilege is temporary or permanent.",
-    temporaryMode: "Type of temporary access given. Types: relative.",
-    temporaryRange: "The TTL for the temporary access given. Eg: 1m, 1h, 1d.",
-    temporaryAccessStartTime: "The start time in ISO format when the temporary access should begin."
-  },
-  UPDATE: {
-    id: "The ID of the identity privilege.",
-    identityId: "The ID of the identity to update.",
-    slug: "The slug of the privilege to update.",
-    privilegePermission: "The permission for the privilege.",
-    isTemporary: "Whether the privilege is temporary.",
-    temporaryMode: "Type of temporary access given. Types: relative.",
-    temporaryRange: "The TTL for the temporary access given. Eg: 1m, 1h, 1d.",
-    temporaryAccessStartTime: "The start time in ISO format when the temporary access should begin."
-  },
-  DELETE: {
-    id: "The ID of the identity privilege.",
-    identityId: "The ID of the identity to delete.",
-    slug: "The slug of the privilege to delete."
-  },
-  GET_BY_SLUG: {
-    projectSlug: "The slug of the project of the identity in.",
-    identityId: "The ID of the identity to list.",
-    slug: "The slug of the privilege."
-  },
-  GET_BY_ID: {
-    id: "The ID of the identity privilege."
-  },
-  LIST: {
-    projectId: "The ID of the project that the identity is in.",
-    identityId: "The ID of the identity to list."
+    projectMembershipId: "Project membership id of user"
   }
 };
 
 export const INTEGRATION_AUTH = {
   GET: {
-    integrationAuthId: "The ID of integration authentication object."
+    integrationAuthId: "The id of integration authentication object."
   },
   DELETE: {
     integration: "The slug of the integration to be unauthorized.",
     projectId: "The ID of the project to delete the integration auth from."
   },
   DELETE_BY_ID: {
-    integrationAuthId: "The ID of integration authentication object to delete."
+    integrationAuthId: "The id of integration authentication object to delete."
   },
   CREATE_ACCESS_TOKEN: {
     workspaceId: "The ID of the project to create the integration auth for.",
     integration: "The slug of integration for the auth object.",
-    accessId: "The unique authorized access ID of the external integration provider.",
+    accessId: "The unique authorized access id of the external integration provider.",
     accessToken: "The unique authorized access token of the external integration provider.",
-    awsAssumeIamRoleArn: "The AWS IAM Role to be assumed by Infisical.",
+    awsAssumeIamRoleArn: "The AWS IAM Role to be assumed by Infisical",
     url: "",
     namespace: "",
     refreshToken: "The refresh token for integration authorization."
@@ -1053,16 +1006,16 @@ export const INTEGRATION = {
     targetEnvironment:
       "The target environment of the integration provider. Used in cloudflare pages, TeamCity, Gitlab integrations.",
     targetEnvironmentId:
-      "The target environment ID of the integration provider. Used in cloudflare pages, teamcity, gitlab integrations.",
+      "The target environment id of the integration provider. Used in cloudflare pages, teamcity, gitlab integrations.",
     targetService:
-      "The service based grouping identifier of the external provider. Used in Terraform cloud, Checkly, Railway and NorthFlank.",
+      "The service based grouping identifier of the external provider. Used in Terraform cloud, Checkly, Railway and NorthFlank",
     targetServiceId:
-      "The service based grouping identifier ID of the external provider. Used in Terraform cloud, Checkly, Railway and NorthFlank.",
+      "The service based grouping identifier ID of the external provider. Used in Terraform cloud, Checkly, Railway and NorthFlank",
     owner: "External integration providers service entity owner. Used in Github.",
-    url: "The self-hosted URL of the platform to integrate with.",
-    path: "Path to save the synced secrets. Used by Gitlab, AWS Parameter Store, Vault.",
+    url: "The self-hosted URL of the platform to integrate with",
+    path: "Path to save the synced secrets. Used by Gitlab, AWS Parameter Store, Vault",
     region: "AWS region to sync secrets to.",
-    scope: "Scope of the provider. Used by Github, Qovery.",
+    scope: "Scope of the provider. Used by Github, Qovery",
     metadata: {
       secretPrefix: "The prefix for the saved secret. Used by GCP.",
       secretSuffix: "The suffix for the saved secret. Used by GCP.",
@@ -1074,12 +1027,12 @@ export const INTEGRATION = {
       githubVisibility:
         "Define where the secrets from the Github Integration should be visible. Option 'selected' lets you directly define which repositories to sync secrets to.",
       githubVisibilityRepoIds:
-        "The repository IDs to sync secrets to when using the Github Integration. Only applicable when using Organization scope, and visibility is set to 'selected'.",
+        "The repository IDs to sync secrets to when using the Github Integration. Only applicable when using Organization scope, and visibility is set to 'selected'",
       kmsKeyId: "The ID of the encryption key from AWS KMS.",
       shouldDisableDelete: "The flag to disable deletion of secrets in AWS Parameter Store.",
       shouldMaskSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Masked'.",
       shouldProtectSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Protected'.",
-      shouldEnableDelete: "The flag to enable deletion of secrets."
+      shouldEnableDelete: "The flag to enable deletion of secrets"
     }
   },
   UPDATE: {
@@ -1098,7 +1051,7 @@ export const INTEGRATION = {
     integrationId: "The ID of the integration object."
   },
   SYNC: {
-    integrationId: "The ID of the integration object to manually sync."
+    integrationId: "The ID of the integration object to manually sync"
   }
 };
 
@@ -1106,7 +1059,7 @@ export const AUDIT_LOG_STREAMS = {
   CREATE: {
     url: "The HTTP URL to push logs to.",
     headers: {
-      desc: "The HTTP headers attached for the external provider requests.",
+      desc: "The HTTP headers attached for the external prrovider requests.",
       key: "The HTTP header key name.",
       value: "The HTTP header value."
     }
@@ -1115,7 +1068,7 @@ export const AUDIT_LOG_STREAMS = {
     id: "The ID of the audit log stream to update.",
     url: "The HTTP URL to push logs to.",
     headers: {
-      desc: "The HTTP headers attached for the external provider requests.",
+      desc: "The HTTP headers attached for the external prrovider requests.",
       key: "The HTTP header key name.",
       value: "The HTTP header value."
     }
@@ -1131,16 +1084,16 @@ export const AUDIT_LOG_STREAMS = {
 export const CERTIFICATE_AUTHORITIES = {
   CREATE: {
     projectSlug: "Slug of the project to create the CA in.",
-    type: "The type of CA to create.",
-    friendlyName: "A friendly name for the CA.",
-    organization: "The organization (O) for the CA.",
-    ou: "The organization unit (OU) for the CA.",
-    country: "The country name (C) for the CA.",
-    province: "The state of province name for the CA.",
-    locality: "The locality name for the CA.",
-    commonName: "The common name (CN) for the CA.",
-    notBefore: "The date and time when the CA becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format.",
-    notAfter: "The date and time when the CA expires in YYYY-MM-DDTHH:mm:ss.sssZ format.",
+    type: "The type of CA to create",
+    friendlyName: "A friendly name for the CA",
+    organization: "The organization (O) for the CA",
+    ou: "The organization unit (OU) for the CA",
+    country: "The country name (C) for the CA",
+    province: "The state of province name for the CA",
+    locality: "The locality name for the CA",
+    commonName: "The common name (CN) for the CA",
+    notBefore: "The date and time when the CA becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format",
+    notAfter: "The date and time when the CA expires in YYYY-MM-DDTHH:mm:ss.sssZ format",
     maxPathLength:
       "The maximum number of intermediate CAs that may follow this CA in the certificate / CA chain. A maxPathLength of -1 implies no path limit on the chain.",
     keyAlgorithm:
@@ -1149,240 +1102,238 @@ export const CERTIFICATE_AUTHORITIES = {
       "Whether or not certificates for this CA can only be issued through certificate templates."
   },
   GET: {
-    caId: "The ID of the CA to get."
+    caId: "The ID of the CA to get"
   },
   UPDATE: {
-    caId: "The ID of the CA to update.",
-    status: "The status of the CA to update to. This can be one of active or disabled.",
+    caId: "The ID of the CA to update",
+    status: "The status of the CA to update to. This can be one of active or disabled",
     requireTemplateForIssuance:
       "Whether or not certificates for this CA can only be issued through certificate templates."
   },
   DELETE: {
-    caId: "The ID of the CA to delete."
+    caId: "The ID of the CA to delete"
   },
   GET_CSR: {
-    caId: "The ID of the CA to generate CSR from.",
-    csr: "The generated CSR from the CA."
+    caId: "The ID of the CA to generate CSR from",
+    csr: "The generated CSR from the CA"
   },
   RENEW_CA_CERT: {
-    caId: "The ID of the CA to renew the CA certificate for.",
+    caId: "The ID of the CA to renew the CA certificate for",
     type: "The type of behavior to use for the renewal operation. Currently Infisical is only able to renew a CA certificate with the same key pair.",
-    notAfter: "The expiry date and time for the renewed CA certificate in YYYY-MM-DDTHH:mm:ss.sssZ format.",
-    certificate: "The renewed CA certificate body.",
-    certificateChain: "The certificate chain of the CA.",
-    serialNumber: "The serial number of the renewed CA certificate."
+    notAfter: "The expiry date and time for the renewed CA certificate in YYYY-MM-DDTHH:mm:ss.sssZ format",
+    certificate: "The renewed CA certificate body",
+    certificateChain: "The certificate chain of the CA",
+    serialNumber: "The serial number of the renewed CA certificate"
   },
   GET_CERT: {
-    caId: "The ID of the CA to get the certificate body and certificate chain from.",
-    certificate: "The certificate body of the CA.",
-    certificateChain: "The certificate chain of the CA.",
-    serialNumber: "The serial number of the CA certificate."
+    caId: "The ID of the CA to get the certificate body and certificate chain from",
+    certificate: "The certificate body of the CA",
+    certificateChain: "The certificate chain of the CA",
+    serialNumber: "The serial number of the CA certificate"
   },
   GET_CERT_BY_ID: {
-    caId: "The ID of the CA to get the CA certificate from.",
-    caCertId: "The ID of the CA certificate to get."
+    caId: "The ID of the CA to get the CA certificate from",
+    caCertId: "The ID of the CA certificate to get"
   },
   GET_CA_CERTS: {
-    caId: "The ID of the CA to get the CA certificates for.",
-    certificate: "The certificate body of the CA certificate.",
-    certificateChain: "The certificate chain of the CA certificate.",
-    serialNumber: "The serial number of the CA certificate.",
+    caId: "The ID of the CA to get the CA certificates for",
+    certificate: "The certificate body of the CA certificate",
+    certificateChain: "The certificate chain of the CA certificate",
+    serialNumber: "The serial number of the CA certificate",
     version: "The version of the CA certificate. The version is incremented for each CA renewal operation."
   },
   SIGN_INTERMEDIATE: {
-    caId: "The ID of the CA to sign the intermediate certificate with.",
-    csr: "The pem-encoded CSR to sign with the CA.",
-    notBefore: "The date and time when the intermediate CA becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format.",
-    notAfter: "The date and time when the intermediate CA expires in YYYY-MM-DDTHH:mm:ss.sssZ format.",
+    caId: "The ID of the CA to sign the intermediate certificate with",
+    csr: "The pem-encoded CSR to sign with the CA",
+    notBefore: "The date and time when the intermediate CA becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format",
+    notAfter: "The date and time when the intermediate CA expires in YYYY-MM-DDTHH:mm:ss.sssZ format",
     maxPathLength:
       "The maximum number of intermediate CAs that may follow this CA in the certificate / CA chain. A maxPathLength of -1 implies no path limit on the chain.",
-    certificate: "The signed intermediate certificate.",
-    certificateChain: "The certificate chain of the intermediate certificate.",
-    issuingCaCertificate: "The certificate of the issuing CA.",
-    serialNumber: "The serial number of the intermediate certificate."
+    certificate: "The signed intermediate certificate",
+    certificateChain: "The certificate chain of the intermediate certificate",
+    issuingCaCertificate: "The certificate of the issuing CA",
+    serialNumber: "The serial number of the intermediate certificate"
   },
   IMPORT_CERT: {
-    caId: "The ID of the CA to import the certificate for.",
-    certificate: "The certificate body to import.",
-    certificateChain: "The certificate chain to import."
+    caId: "The ID of the CA to import the certificate for",
+    certificate: "The certificate body to import",
+    certificateChain: "The certificate chain to import"
   },
   ISSUE_CERT: {
-    caId: "The ID of the CA to issue the certificate from.",
-    certificateTemplateId: "The ID of the certificate template to issue the certificate from.",
-    pkiCollectionId: "The ID of the PKI collection to add the certificate to.",
-    friendlyName: "A friendly name for the certificate.",
-    commonName: "The common name (CN) for the certificate.",
+    caId: "The ID of the CA to issue the certificate from",
+    certificateTemplateId: "The ID of the certificate template to issue the certificate from",
+    pkiCollectionId: "The ID of the PKI collection to add the certificate to",
+    friendlyName: "A friendly name for the certificate",
+    commonName: "The common name (CN) for the certificate",
     altNames:
       "A comma-delimited list of Subject Alternative Names (SANs) for the certificate; these can be host names or email addresses.",
     ttl: "The time to live for the certificate such as 1m, 1h, 1d, 1y, ...",
-    notBefore: "The date and time when the certificate becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format.",
-    notAfter: "The date and time when the certificate expires in YYYY-MM-DDTHH:mm:ss.sssZ format.",
-    certificate: "The issued certificate.",
-    issuingCaCertificate: "The certificate of the issuing CA.",
-    certificateChain: "The certificate chain of the issued certificate.",
-    privateKey: "The private key of the issued certificate.",
-    serialNumber: "The serial number of the issued certificate.",
-    keyUsages: "The key usage extension of the certificate.",
-    extendedKeyUsages: "The extended key usage extension of the certificate."
+    notBefore: "The date and time when the certificate becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format",
+    notAfter: "The date and time when the certificate expires in YYYY-MM-DDTHH:mm:ss.sssZ format",
+    certificate: "The issued certificate",
+    issuingCaCertificate: "The certificate of the issuing CA",
+    certificateChain: "The certificate chain of the issued certificate",
+    privateKey: "The private key of the issued certificate",
+    serialNumber: "The serial number of the issued certificate",
+    keyUsages: "The key usage extension of the certificate",
+    extendedKeyUsages: "The extended key usage extension of the certificate"
   },
   SIGN_CERT: {
-    caId: "The ID of the CA to issue the certificate from.",
-    pkiCollectionId: "The ID of the PKI collection to add the certificate to.",
-    keyUsages: "The key usage extension of the certificate.",
-    extendedKeyUsages: "The extended key usage extension of the certificate.",
-    csr: "The pem-encoded CSR to sign with the CA to be used for certificate issuance.",
-    friendlyName: "A friendly name for the certificate.",
-    commonName: "The common name (CN) for the certificate.",
+    caId: "The ID of the CA to issue the certificate from",
+    pkiCollectionId: "The ID of the PKI collection to add the certificate to",
+    keyUsages: "The key usage extension of the certificate",
+    extendedKeyUsages: "The extended key usage extension of the certificate",
+    csr: "The pem-encoded CSR to sign with the CA to be used for certificate issuance",
+    friendlyName: "A friendly name for the certificate",
+    commonName: "The common name (CN) for the certificate",
     altNames:
       "A comma-delimited list of Subject Alternative Names (SANs) for the certificate; these can be host names or email addresses.",
     ttl: "The time to live for the certificate such as 1m, 1h, 1d, 1y, ...",
-    notBefore: "The date and time when the certificate becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format.",
-    notAfter: "The date and time when the certificate expires in YYYY-MM-DDTHH:mm:ss.sssZ format.",
-    certificate: "The issued certificate.",
-    issuingCaCertificate: "The certificate of the issuing CA.",
-    certificateChain: "The certificate chain of the issued certificate.",
-    serialNumber: "The serial number of the issued certificate."
+    notBefore: "The date and time when the certificate becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format",
+    notAfter: "The date and time when the certificate expires in YYYY-MM-DDTHH:mm:ss.sssZ format",
+    certificate: "The issued certificate",
+    issuingCaCertificate: "The certificate of the issuing CA",
+    certificateChain: "The certificate chain of the issued certificate",
+    serialNumber: "The serial number of the issued certificate"
   },
   GET_CRLS: {
-    caId: "The ID of the CA to get the certificate revocation lists (CRLs) for.",
-    id: "The ID of certificate revocation list (CRL).",
-    crl: "The certificate revocation list (CRL)."
+    caId: "The ID of the CA to get the certificate revocation lists (CRLs) for",
+    id: "The ID of certificate revocation list (CRL)",
+    crl: "The certificate revocation list (CRL)"
   }
 };
 
 export const CERTIFICATES = {
   GET: {
-    serialNumber: "The serial number of the certificate to get."
+    serialNumber: "The serial number of the certificate to get"
   },
   REVOKE: {
     serialNumber:
       "The serial number of the certificate to revoke. The revoked certificate will be added to the certificate revocation list (CRL) of the CA.",
     revocationReason: "The reason for revoking the certificate.",
-    revokedAt: "The date and time when the certificate was revoked.",
+    revokedAt: "The date and time when the certificate was revoked",
     serialNumberRes: "The serial number of the revoked certificate."
   },
   DELETE: {
-    serialNumber: "The serial number of the certificate to delete."
+    serialNumber: "The serial number of the certificate to delete"
   },
   GET_CERT: {
-    serialNumber: "The serial number of the certificate to get the certificate body and certificate chain for.",
-    certificate: "The certificate body of the certificate.",
-    certificateChain: "The certificate chain of the certificate.",
-    serialNumberRes: "The serial number of the certificate."
+    serialNumber: "The serial number of the certificate to get the certificate body and certificate chain for",
+    certificate: "The certificate body of the certificate",
+    certificateChain: "The certificate chain of the certificate",
+    serialNumberRes: "The serial number of the certificate"
   }
 };
 
 export const CERTIFICATE_TEMPLATES = {
   CREATE: {
-    caId: "The ID of the certificate authority to associate the template with.",
-    pkiCollectionId: "The ID of the PKI collection to bind to the template.",
-    name: "The name of the template.",
-    commonName: "The regular expression string to use for validating common names.",
-    subjectAlternativeName: "The regular expression string to use for validating subject alternative names.",
-    ttl: "The max TTL for the template.",
-    keyUsages: "The key usage constraint or default value for when template is used during certificate issuance.",
+    caId: "The ID of the certificate authority to associate the template with",
+    pkiCollectionId: "The ID of the PKI collection to bind to the template",
+    name: "The name of the template",
+    commonName: "The regular expression string to use for validating common names",
+    subjectAlternativeName: "The regular expression string to use for validating subject alternative names",
+    ttl: "The max TTL for the template",
+    keyUsages: "The key usage constraint or default value for when template is used during certificate issuance",
     extendedKeyUsages:
-      "The extended key usage constraint or default value for when template is used during certificate issuance."
+      "The extended key usage constraint or default value for when template is used during certificate issuance"
   },
   GET: {
-    certificateTemplateId: "The ID of the certificate template to get."
+    certificateTemplateId: "The ID of the certificate template to get"
   },
   UPDATE: {
-    certificateTemplateId: "The ID of the certificate template to update.",
-    caId: "The ID of the certificate authority to update the association with the template.",
-    pkiCollectionId: "The ID of the PKI collection to update the binding to the template.",
-    name: "The updated name of the template.",
-    commonName: "The updated regular expression string for validating common names.",
-    subjectAlternativeName: "The updated regular expression string for validating subject alternative names.",
-    ttl: "The updated max TTL for the template.",
+    certificateTemplateId: "The ID of the certificate template to update",
+    caId: "The ID of the certificate authority to update the association with the template",
+    pkiCollectionId: "The ID of the PKI collection to update the binding to the template",
+    name: "The updated name of the template",
+    commonName: "The updated regular expression string for validating common names",
+    subjectAlternativeName: "The updated regular expression string for validating subject alternative names",
+    ttl: "The updated max TTL for the template",
     keyUsages:
-      "The updated key usage constraint or default value for when template is used during certificate issuance.",
+      "The updated key usage constraint or default value for when template is used during certificate issuance",
     extendedKeyUsages:
-      "The updated extended key usage constraint or default value for when template is used during certificate issuance."
+      "The updated extended key usage constraint or default value for when template is used during certificate issuance"
   },
   DELETE: {
-    certificateTemplateId: "The ID of the certificate template to delete."
+    certificateTemplateId: "The ID of the certificate template to delete"
   }
 };
 
 export const CA_CRLS = {
   GET: {
-    crlId: "The ID of the certificate revocation list (CRL) to get.",
-    crl: "The certificate revocation list (CRL)."
+    crlId: "The ID of the certificate revocation list (CRL) to get",
+    crl: "The certificate revocation list (CRL)"
   }
 };
 
 export const ALERTS = {
   CREATE: {
-    projectId: "The ID of the project to create the alert in.",
-    pkiCollectionId: "The ID of the PKI collection to bind to the alert.",
-    name: "The name of the alert.",
-    alertBeforeDays: "The number of days before the certificate expires to trigger the alert.",
-    emails: "The email addresses to send the alert email to."
+    projectId: "The ID of the project to create the alert in",
+    pkiCollectionId: "The ID of the PKI collection to bind to the alert",
+    name: "The name of the alert",
+    alertBeforeDays: "The number of days before the certificate expires to trigger the alert",
+    emails: "The email addresses to send the alert email to"
   },
   GET: {
-    alertId: "The ID of the alert to get."
+    alertId: "The ID of the alert to get"
   },
   UPDATE: {
-    alertId: "The ID of the alert to update.",
-    name: "The name of the alert to update to.",
-    alertBeforeDays: "The number of days before the certificate expires to trigger the alert to update to.",
-    pkiCollectionId: "The ID of the PKI collection to bind to the alert to update to.",
-    emails: "The email addresses to send the alert email to update to."
+    alertId: "The ID of the alert to update",
+    name: "The name of the alert to update to",
+    alertBeforeDays: "The number of days before the certificate expires to trigger the alert to update to",
+    pkiCollectionId: "The ID of the PKI collection to bind to the alert to update to",
+    emails: "The email addresses to send the alert email to update to"
   },
   DELETE: {
-    alertId: "The ID of the alert to delete."
+    alertId: "The ID of the alert to delete"
   }
 };
 
 export const PKI_COLLECTIONS = {
   CREATE: {
-    projectId: "The ID of the project to create the PKI collection in.",
-    name: "The name of the PKI collection.",
-    description: "A description for the PKI collection."
+    projectId: "The ID of the project to create the PKI collection in",
+    name: "The name of the PKI collection",
+    description: "A description for the PKI collection"
   },
   GET: {
-    collectionId: "The ID of the PKI collection to get."
+    collectionId: "The ID of the PKI collection to get"
   },
   UPDATE: {
-    collectionId: "The ID of the PKI collection to update.",
-    name: "The name of the PKI collection to update to.",
-    description: "The description for the PKI collection to update to."
+    collectionId: "The ID of the PKI collection to update",
+    name: "The name of the PKI collection to update to",
+    description: "The description for the PKI collection to update to"
   },
   DELETE: {
-    collectionId: "The ID of the PKI collection to delete."
+    collectionId: "The ID of the PKI collection to delete"
   },
   LIST_ITEMS: {
-    collectionId: "The ID of the PKI collection to list items from.",
-    type: "The type of the PKI collection item to list.",
-    offset: "The offset to start from.",
-    limit: "The number of items to return."
+    collectionId: "The ID of the PKI collection to list items from",
+    type: "The type of the PKI collection item to list",
+    offset: "The offset to start from",
+    limit: "The number of items to return"
   },
   ADD_ITEM: {
-    collectionId: "The ID of the PKI collection to add the item to.",
-    type: "The type of the PKI collection item to add.",
-    itemId: "The resource ID of the PKI collection item to add."
+    collectionId: "The ID of the PKI collection to add the item to",
+    type: "The type of the PKI collection item to add",
+    itemId: "The resource ID of the PKI collection item to add"
   },
   DELETE_ITEM: {
-    collectionId: "The ID of the PKI collection to delete the item from.",
-    collectionItemId: "The ID of the PKI collection item to delete.",
-    type: "The type of the deleted PKI collection item.",
-    itemId: "The resource ID of the deleted PKI collection item."
+    collectionId: "The ID of the PKI collection to delete the item from",
+    collectionItemId: "The ID of the PKI collection item to delete",
+    type: "The type of the deleted PKI collection item",
+    itemId: "The resource ID of the deleted PKI collection item"
   }
 };
 
 export const PROJECT_ROLE = {
   CREATE: {
     projectSlug: "Slug of the project to create the role for.",
-    projectId: "Id of the project to create the role for.",
     slug: "The slug of the role.",
     name: "The name of the role.",
     description: "The description for the role.",
     permissions: "The permissions assigned to the role."
   },
   UPDATE: {
-    projectSlug: "The slug of the project to update the role for.",
-    projectId: "The ID of the project to update the role for.",
+    projectSlug: "Slug of the project to update the role for.",
     roleId: "The ID of the role to update",
     slug: "The slug of the role.",
     name: "The name of the role.",
@@ -1390,18 +1341,15 @@ export const PROJECT_ROLE = {
     permissions: "The permissions assigned to the role."
   },
   DELETE: {
-    projectSlug: "The slug of the project to delete this role for.",
-    projectId: "The ID of the project to delete the role for.",
+    projectSlug: "Slug of the project to delete this role for.",
     roleId: "The ID of the role to update"
   },
   GET_ROLE_BY_SLUG: {
     projectSlug: "The slug of the project.",
-    projectId: "The ID of the project.",
-    roleSlug: "The slug of the role to get details."
+    roleSlug: "The slug of the role to get details"
   },
   LIST: {
-    projectSlug: "The slug of the project to list the roles of.",
-    projectId: "The ID of the project."
+    projectSlug: "The slug of the project to list the roles of."
   }
 };
 

backend/src/lib/casl/knex.ts

@@ -0,0 +1,111 @@
+import { AnyAbility, ExtractSubjectType } from "@casl/ability";
+import { AbilityQuery, rulesToQuery } from "@casl/ability/extra";
+import { Tables } from "knex/types/tables";
+
+import { BadRequestError, UnauthorizedError } from "../errors";
+import { TKnexDynamicOperator } from "../knex/dynamic";
+
+type TBuildKnexQueryFromCaslDTO<K extends AnyAbility> = {
+  ability: K;
+  subject: ExtractSubjectType<Parameters<K["rulesFor"]>[1]>;
+  action: Parameters<K["rulesFor"]>[0];
+};
+
+export const buildKnexQueryFromCaslOperators = <K extends AnyAbility>({
+  ability,
+  subject,
+  action
+}: TBuildKnexQueryFromCaslDTO<K>) => {
+  const query = rulesToQuery(ability, action, subject, (rule) => {
+    if (!rule.ast) throw new Error("Ast not defined");
+    return rule.ast;
+  });
+
+  if (query === null) throw new UnauthorizedError({ message: `You don't have permission to do ${action} ${subject}` });
+  return query;
+};
+
+type TFieldMapper<T extends keyof Tables> = {
+  [K in T]: `${K}.${Exclude<keyof Tables[K]["base"], symbol>}`;
+}[T];
+
+type TFormatCaslFieldsWithTableNames<T extends keyof Tables> = {
+  // handle if any missing operator else throw error let the app break because this is executing again the db
+  missingOperatorCallback?: (operator: string) => void;
+  fieldMapping: (arg: string) => TFieldMapper<T> | null;
+  dynamicQuery: TKnexDynamicOperator;
+};
+
+export const formatCaslOperatorFieldsWithTableNames = <T extends keyof Tables>({
+  missingOperatorCallback = (arg) => {
+    throw new BadRequestError({ message: `Unknown permission operator: ${arg}` });
+  },
+  dynamicQuery: dynamicQueryAst,
+  fieldMapping
+}: TFormatCaslFieldsWithTableNames<T>) => {
+  const stack: [TKnexDynamicOperator, TKnexDynamicOperator | null][] = [[dynamicQueryAst, null]];
+
+  while (stack.length) {
+    const [filterAst, parentAst] = stack.pop()!;
+
+    if (filterAst.operator === "and" || filterAst.operator === "or" || filterAst.operator === "not") {
+      filterAst.value.forEach((el) => {
+        stack.push([el, filterAst]);
+      });
+
+      // eslint-disable-next-line no-continue
+      continue;
+    }
+
+    if (
+      filterAst.operator === "eq" ||
+      filterAst.operator === "ne" ||
+      filterAst.operator === "in" ||
+      filterAst.operator === "endsWith" ||
+      filterAst.operator === "startsWith"
+    ) {
+      const attrPath = fieldMapping(filterAst.field);
+      if (attrPath) {
+        filterAst.field = attrPath;
+      } else if (parentAst && Array.isArray(parentAst.value)) {
+        parentAst.value = parentAst.value.filter((childAst) => childAst !== filterAst) as string[];
+      } else throw new Error("Unknown casl field");
+      // eslint-disable-next-line no-continue
+      continue;
+    }
+
+    if (parentAst && Array.isArray(parentAst.value)) {
+      parentAst.value = parentAst.value.filter((childAst) => childAst !== filterAst) as string[];
+    } else {
+      missingOperatorCallback?.(filterAst.operator);
+    }
+  }
+  return dynamicQueryAst;
+};
+
+export const convertCaslOperatorToKnexOperator = <T extends keyof Tables>(
+  caslKnexOperators: AbilityQuery,
+  fieldMapping: (arg: string) => TFieldMapper<T> | null
+) => {
+  const value = [];
+  if (caslKnexOperators.$and) {
+    value.push({
+      operator: "not" as const,
+      value: caslKnexOperators.$and as TKnexDynamicOperator[]
+    });
+  }
+  if (caslKnexOperators.$or) {
+    value.push({
+      operator: "or" as const,
+      value: caslKnexOperators.$or as TKnexDynamicOperator[]
+    });
+  }
+
+  return formatCaslOperatorFieldsWithTableNames({
+    dynamicQuery: {
+      operator: "and",
+      value
+    },
+    fieldMapping
+  });
+};

backend/src/lib/fn/array.ts

@@ -81,25 +81,3 @@ export const chunkArray = <T>(array: T[], chunkSize: number): T[][] => {
   }
   return chunks;
 };
-
-/*
- * Returns all items from the first list that
- * do not exist in the second list.
- */
-export const diff = <T>(
-  root: readonly T[],
-  other: readonly T[],
-  identity: (item: T) => string | number | symbol = (t: T) => t as unknown as string | number | symbol
-): T[] => {
-  if (!root?.length && !other?.length) return [];
-  if (root?.length === undefined) return [...other];
-  if (!other?.length) return [...root];
-  const bKeys = other.reduce(
-    (acc, item) => {
-      acc[identity(item)] = true;
-      return acc;
-    },
-    {} as Record<string | number | symbol, boolean>
-  );
-  return root.filter((a) => !bKeys[identity(a)]);
-};

backend/src/lib/knex/dynamic.ts

@@ -2,31 +2,32 @@ import { Knex } from "knex";
 
 import { UnauthorizedError } from "../errors";
 
-type TKnexDynamicPrimitiveOperator<T extends object> = {
+type TKnexDynamicPrimitiveOperator = {
   operator: "eq" | "ne" | "startsWith" | "endsWith";
   value: string;
-  field: Extract<keyof T, string>;
+  field: string;
 };
 
-type TKnexDynamicInOperator<T extends object> = {
+type TKnexDynamicInOperator = {
   operator: "in";
   value: string[] | number[];
-  field: Extract<keyof T, string>;
+  field: string;
 };
 
-type TKnexNonGroupOperator<T extends object> = TKnexDynamicInOperator<T> | TKnexDynamicPrimitiveOperator<T>;
+type TKnexNonGroupOperator = TKnexDynamicInOperator | TKnexDynamicPrimitiveOperator;
 
-type TKnexGroupOperator<T extends object> = {
+type TKnexGroupOperator = {
   operator: "and" | "or" | "not";
-  value: (TKnexNonGroupOperator<T> | TKnexGroupOperator<T>)[];
+  value: (TKnexNonGroupOperator | TKnexGroupOperator)[];
 };
 
-export type TKnexDynamicOperator<T extends object> = TKnexGroupOperator<T> | TKnexNonGroupOperator<T>;
+// akhilmhdh: This is still in pending state and not yet ready. If you want to use it ping me.
+// used when you need to write a complex query with the orm
+// use it when you need complex or and and condition - most of the time not needed
+// majorly used with casl permission to filter data based on permission
+export type TKnexDynamicOperator = TKnexGroupOperator | TKnexNonGroupOperator;
 
-export const buildDynamicKnexQuery = <T extends object>(
-  rootQueryBuild: Knex.QueryBuilder,
-  dynamicQuery: TKnexDynamicOperator<T>
-) => {
+export const buildDynamicKnexQuery = (dynamicQuery: TKnexDynamicOperator, rootQueryBuild: Knex.QueryBuilder) => {
   const stack = [{ filterAst: dynamicQuery, queryBuilder: rootQueryBuild }];
 
   while (stack.length) {
@@ -49,25 +50,34 @@ export const buildDynamicKnexQuery = <T extends object>(
         break;
       }
       case "and": {
-        filterAst.value.forEach((el) => {
-          void queryBuilder.andWhere((subQueryBuilder) => {
-            buildDynamicKnexQuery(subQueryBuilder, el);
+        void queryBuilder.andWhere((subQueryBuilder) => {
+          filterAst.value.forEach((el) => {
+            stack.push({
+              queryBuilder: subQueryBuilder,
+              filterAst: el
+            });
           });
         });
         break;
       }
       case "or": {
-        filterAst.value.forEach((el) => {
-          void queryBuilder.orWhere((subQueryBuilder) => {
-            buildDynamicKnexQuery(subQueryBuilder, el);
+        void queryBuilder.orWhere((subQueryBuilder) => {
+          filterAst.value.forEach((el) => {
+            stack.push({
+              queryBuilder: subQueryBuilder,
+              filterAst: el
+            });
           });
         });
         break;
       }
       case "not": {
-        filterAst.value.forEach((el) => {
-          void queryBuilder.whereNot((subQueryBuilder) => {
-            buildDynamicKnexQuery(subQueryBuilder, el);
+        void queryBuilder.whereNot((subQueryBuilder) => {
+          filterAst.value.forEach((el) => {
+            stack.push({
+              queryBuilder: subQueryBuilder,
+              filterAst: el
+            });
           });
         });
         break;

backend/src/lib/knex/index.ts

@@ -3,7 +3,6 @@ import { Knex } from "knex";
 import { Tables } from "knex/types/tables";
 
 import { DatabaseError } from "../errors";
-import { buildDynamicKnexQuery, TKnexDynamicOperator } from "./dynamic";
 
 export * from "./connection";
 export * from "./join";
@@ -21,10 +20,9 @@ export const withTransaction = <K extends object>(db: Knex, dal: K) => ({
 export type TFindFilter<R extends object = object> = Partial<R> & {
   $in?: Partial<{ [k in keyof R]: R[k][] }>;
   $search?: Partial<{ [k in keyof R]: R[k] }>;
-  $complex?: TKnexDynamicOperator<R>;
 };
 export const buildFindFilter =
-  <R extends object = object>({ $in, $search, $complex, ...filter }: TFindFilter<R>) =>
+  <R extends object = object>({ $in, $search, ...filter }: TFindFilter<R>) =>
   (bd: Knex.QueryBuilder<R, R>) => {
     void bd.where(filter);
     if ($in) {
@@ -41,9 +39,6 @@ export const buildFindFilter =
         }
       });
     }
-    if ($complex) {
-      return buildDynamicKnexQuery(bd, $complex);
-    }
     return bd;
   };
 

backend/src/server/plugins/error-handler.ts

@@ -63,7 +63,7 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
       void res.status(HttpStatusCodes.Forbidden).send({
         statusCode: HttpStatusCodes.Forbidden,
         error: "PermissionDenied",
-        message: `You are not allowed to ${error.action} on ${error.subjectType} - ${JSON.stringify(error.subject)}`
+        message: `You are not allowed to ${error.action} on ${error.subjectType}`
       });
     } else if (error instanceof ForbiddenRequestError) {
       void res.status(HttpStatusCodes.Forbidden).send({

backend/src/server/routes/index.ts

@@ -5,7 +5,6 @@ import { z } from "zod";
 
 import { registerCertificateEstRouter } from "@app/ee/routes/est/certificate-est-router";
 import { registerV1EERoutes } from "@app/ee/routes/v1";
-import { registerV2EERoutes } from "@app/ee/routes/v2";
 import { accessApprovalPolicyApproverDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-approver-dal";
 import { accessApprovalPolicyDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-dal";
 import { accessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
@@ -33,7 +32,6 @@ import { groupServiceFactory } from "@app/ee/services/group/group-service";
 import { userGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal";
 import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
-import { identityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
 import { ldapConfigDALFactory } from "@app/ee/services/ldap-config/ldap-config-dal";
 import { ldapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { ldapGroupMapDALFactory } from "@app/ee/services/ldap-config/ldap-group-map-dal";
@@ -1077,14 +1075,6 @@ export const registerRoutes = async (
     permissionService,
     identityProjectDAL
   });
-
-  const identityProjectAdditionalPrivilegeV2Service = identityProjectAdditionalPrivilegeV2ServiceFactory({
-    projectDAL,
-    identityProjectAdditionalPrivilegeDAL,
-    permissionService,
-    identityProjectDAL
-  });
-
   const identityTokenAuthService = identityTokenAuthServiceFactory({
     identityTokenAuthDAL,
     identityDAL,
@@ -1334,7 +1324,6 @@ export const registerRoutes = async (
     telemetry: telemetryService,
     projectUserAdditionalPrivilege: projectUserAdditionalPrivilegeService,
     identityProjectAdditionalPrivilege: identityProjectAdditionalPrivilegeService,
-    identityProjectAdditionalPrivilegeV2: identityProjectAdditionalPrivilegeV2Service,
     secretSharing: secretSharingService,
     userEngagement: userEngagementService,
     externalKms: externalKmsService,
@@ -1433,13 +1422,7 @@ export const registerRoutes = async (
     },
     { prefix: "/api/v1" }
   );
-  await server.register(
-    async (v2Server) => {
-      await v2Server.register(registerV2EERoutes);
-      await v2Server.register(registerV2Routes);
-    },
-    { prefix: "/api/v2" }
-  );
+  await server.register(registerV2Routes, { prefix: "/api/v2" });
   await server.register(registerV3Routes, { prefix: "/api/v3" });
 
   server.addHook("onClose", async () => {

backend/src/server/routes/sanitizedSchemas.ts

@@ -9,10 +9,9 @@ import {
   SecretApprovalPoliciesSchema,
   UsersSchema
 } from "@app/db/schemas";
+import { UnpackedPermissionSchema } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 
-import { UnpackedPermissionSchema } from "./santizedSchemas/permission";
-
 // sometimes the return data must be santizied to avoid leaking important values
 // always prefer pick over omit in zod
 export const integrationAuthPubSchema = IntegrationAuthsSchema.pick({
@@ -150,44 +149,13 @@ export const ProjectSpecificPrivilegePermissionSchema = z.object({
 });
 
 export const SanitizedIdentityPrivilegeSchema = IdentityProjectAdditionalPrivilegeSchema.extend({
-  permissions: UnpackedPermissionSchema.array().transform((permissions) =>
-    permissions.filter(
-      (caslRule) =>
-        ![
-          ProjectPermissionSub.DynamicSecrets,
-          ProjectPermissionSub.SecretImports,
-          ProjectPermissionSub.SecretFolders
-        ].includes((caslRule?.subject as ProjectPermissionSub) || "")
-    )
-  )
+  permissions: UnpackedPermissionSchema.array()
 });
 
 export const SanitizedRoleSchema = ProjectRolesSchema.extend({
   permissions: UnpackedPermissionSchema.array()
 });
 
-export const SanitizedRoleSchemaV1 = ProjectRolesSchema.extend({
-  permissions: UnpackedPermissionSchema.array().transform((caslPermission) =>
-    // first map and remove other actions of folder permission
-    caslPermission
-      .map((caslRule) =>
-        caslRule.subject === ProjectPermissionSub.SecretFolders
-          ? {
-              ...caslRule,
-              action: caslRule.action.filter((caslAction) => caslAction === ProjectPermissionActions.Read)
-            }
-          : caslRule
-      )
-      // now filter out dynamic secret, secret import permission
-      .filter(
-        (caslRule) =>
-          ![ProjectPermissionSub.DynamicSecrets, ProjectPermissionSub.SecretImports].includes(
-            (caslRule?.subject as ProjectPermissionSub) || ""
-          ) && caslRule.action.length > 0
-      )
-  )
-});
-
 export const SanitizedDynamicSecretSchema = DynamicSecretsSchema.omit({
   inputIV: true,
   inputTag: true,

backend/src/server/routes/santizedSchemas/identitiy-additional-privilege.ts

@@ -1,7 +0,0 @@
-import { IdentityProjectAdditionalPrivilegeSchema } from "@app/db/schemas";
-
-import { UnpackedPermissionSchema } from "./permission";
-
-export const SanitizedIdentityPrivilegeSchema = IdentityProjectAdditionalPrivilegeSchema.extend({
-  permissions: UnpackedPermissionSchema.array()
-});

backend/src/server/routes/santizedSchemas/permission.ts

@@ -1,16 +0,0 @@
-import { MongoAbility, RawRuleOf } from "@casl/ability";
-import { PackRule, unpackRules } from "@casl/ability/extra";
-import { z } from "zod";
-
-export const UnpackedPermissionSchema = z.object({
-  subject: z
-    .union([z.string().min(1), z.string().array()])
-    .transform((el) => (typeof el !== "string" ? el[0] : el))
-    .optional(),
-  action: z.union([z.string().min(1), z.string().array()]).transform((el) => (typeof el === "string" ? [el] : el)),
-  conditions: z.unknown().optional(),
-  inverted: z.boolean().optional()
-});
-
-export const unpackPermissions = (permissions: unknown) =>
-  UnpackedPermissionSchema.array().parse(unpackRules((permissions || []) as PackRule<RawRuleOf<MongoAbility>>[]));

backend/src/server/routes/santizedSchemas/user-additional-privilege.ts

@@ -1,7 +0,0 @@
-import { ProjectUserAdditionalPrivilegeSchema } from "@app/db/schemas";
-
-import { UnpackedPermissionSchema } from "./permission";
-
-export const SanitizedUserProjectAdditionalPrivilegeSchema = ProjectUserAdditionalPrivilegeSchema.extend({
-  permissions: UnpackedPermissionSchema.array()
-});

backend/src/server/routes/v1/dashboard-router.ts

@@ -3,10 +3,7 @@ import { z } from "zod";
 
 import { SecretFoldersSchema, SecretImportsSchema, SecretTagsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
-import {
-  ProjectPermissionDynamicSecretActions,
-  ProjectPermissionSub
-} from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { DASHBOARD } from "@app/lib/api-docs";
 import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
@@ -195,15 +192,15 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
         req.permission.orgId
       );
 
-      const allowedDynamicSecretEnvironments = // filter envs user has access to
+      const permissiveEnvs = // filter envs user has access to
         environments.filter((environment) =>
           permission.can(
-            ProjectPermissionDynamicSecretActions.Lease,
-            subject(ProjectPermissionSub.DynamicSecrets, { environment, secretPath })
+            ProjectPermissionActions.Read,
+            subject(ProjectPermissionSub.Secrets, { environment, secretPath })
           )
         );
 
-      if (includeDynamicSecrets && allowedDynamicSecretEnvironments.length) {
+      if (includeDynamicSecrets && permissiveEnvs.length) {
         // this is the unique count, ie duplicate secrets across envs only count as 1
         totalDynamicSecretCount = await server.services.dynamicSecret.getCountMultiEnv({
           actor: req.permission.type,
@@ -212,7 +209,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           actorOrgId: req.permission.orgId,
           projectId,
           search,
-          environmentSlugs: allowedDynamicSecretEnvironments,
+          environmentSlugs: permissiveEnvs,
           path: secretPath,
           isInternal: true
         });
@@ -227,7 +224,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
             search,
             orderBy,
             orderDirection,
-            environmentSlugs: allowedDynamicSecretEnvironments,
+            environmentSlugs: permissiveEnvs,
             path: secretPath,
             limit: remainingLimit,
             offset: adjustedOffset,
@@ -244,13 +241,13 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
         }
       }
 
-      if (includeSecrets) {
+      if (includeSecrets && permissiveEnvs.length) {
         // this is the unique count, ie duplicate secrets across envs only count as 1
         totalSecretCount = await server.services.secret.getSecretsCountMultiEnv({
           actorId: req.permission.id,
           actor: req.permission.type,
           actorOrgId: req.permission.orgId,
-          environments,
+          environments: permissiveEnvs,
           actorAuthMethod: req.permission.authMethod,
           projectId,
           path: secretPath,
@@ -263,7 +260,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
             actorId: req.permission.id,
             actor: req.permission.type,
             actorOrgId: req.permission.orgId,
-            environments,
+            environments: permissiveEnvs,
             actorAuthMethod: req.permission.authMethod,
             projectId,
             path: secretPath,
@@ -275,7 +272,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
             isInternal: true
           });
 
-          for await (const environment of environments) {
+          for await (const environment of permissiveEnvs) {
             const secretCountFromEnv = secrets.filter((secret) => secret.environment === environment).length;
 
             if (secretCountFromEnv) {

backend/src/server/routes/v1/project-membership-router.ts

@@ -39,8 +39,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
               email: true,
               firstName: true,
               lastName: true,
-              id: true,
-              username: true
+              id: true
             }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
             roles: z.array(
               z.object({
@@ -57,7 +56,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
               })
             )
           })
-            .omit({ updatedAt: true })
+            .omit({ createdAt: true, updatedAt: true })
             .array()
         })
       }
@@ -75,65 +74,6 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
     }
   });
 
-  server.route({
-    method: "GET",
-    url: "/:workspaceId/memberships/:membershipId",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Return project user membership",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        workspaceId: z.string().min(1).trim().describe(PROJECT_USERS.GET_USER_MEMBERSHIP.workspaceId),
-        membershipId: z.string().min(1).trim().describe(PROJECT_USERS.GET_USER_MEMBERSHIP.membershipId)
-      }),
-      response: {
-        200: z.object({
-          membership: ProjectMembershipsSchema.extend({
-            user: UsersSchema.pick({
-              email: true,
-              firstName: true,
-              lastName: true,
-              id: true,
-              username: true
-            }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
-            roles: z.array(
-              z.object({
-                id: z.string(),
-                role: z.string(),
-                customRoleId: z.string().optional().nullable(),
-                customRoleName: z.string().optional().nullable(),
-                customRoleSlug: z.string().optional().nullable(),
-                isTemporary: z.boolean(),
-                temporaryMode: z.string().optional().nullable(),
-                temporaryRange: z.string().nullable().optional(),
-                temporaryAccessStartTime: z.date().nullable().optional(),
-                temporaryAccessEndTime: z.date().nullable().optional()
-              })
-            )
-          }).omit({ updatedAt: true })
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const membership = await server.services.projectMembership.getProjectMembershipById({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        projectId: req.params.workspaceId,
-        id: req.params.membershipId
-      });
-      return { membership };
-    }
-  });
-
   server.route({
     method: "POST",
     url: "/:workspaceId/memberships/details",

backend/src/server/routes/v3/secret-router.ts

@@ -23,18 +23,6 @@ import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 import { secretRawSchema } from "../sanitizedSchemas";
 
-const SecretReferenceNode = z.object({
-  key: z.string(),
-  value: z.string().optional(),
-  environment: z.string(),
-  secretPath: z.string()
-});
-type TSecretReferenceNode = z.infer<typeof SecretReferenceNode> & { children: TSecretReferenceNode[] };
-
-const SecretReferenceNodeTree: z.ZodType<TSecretReferenceNode> = SecretReferenceNode.extend({
-  children: z.lazy(() => SecretReferenceNodeTree.array())
-});
-
 export const registerSecretRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
@@ -2114,58 +2102,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
     }
   });
 
-  server.route({
-    method: "GET",
-    url: "/raw/:secretName/secret-reference-tree",
-    config: {
-      rateLimit: secretsLimit
-    },
-    schema: {
-      description: "Get secret reference tree",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.GET_REFERENCE_TREE.secretName)
-      }),
-      querystring: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.GET_REFERENCE_TREE.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.GET_REFERENCE_TREE.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.GET_REFERENCE_TREE.secretPath)
-      }),
-      response: {
-        200: z.object({
-          tree: SecretReferenceNodeTree,
-          value: z.string().optional()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { secretName } = req.params;
-      const { secretPath, environment, workspaceId } = req.query;
-      const { tree, value } = await server.services.secret.getSecretReferenceTree({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        projectId: workspaceId,
-        secretName,
-        secretPath,
-        environment
-      });
-
-      return { tree, value };
-    }
-  });
-
   server.route({
     method: "POST",
     url: "/backfill-secret-references",

backend/src/services/external-migration/external-migration-fns.ts

@@ -19,7 +19,7 @@ import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
-import { fnSecretBulkInsert, getAllSecretReferences } from "../secret-v2-bridge/secret-v2-bridge-fns";
+import { fnSecretBulkInsert, getAllNestedSecretReferences } from "../secret-v2-bridge/secret-v2-bridge-fns";
 import type { TSecretV2BridgeServiceFactory } from "../secret-v2-bridge/secret-v2-bridge-service";
 import { TSecretVersionV2DALFactory } from "../secret-v2-bridge/secret-version-dal";
 import { TSecretVersionV2TagDALFactory } from "../secret-v2-bridge/secret-version-tag-dal";
@@ -242,7 +242,7 @@ export const importDataIntoInfisicalFn = async ({
           }
           await fnSecretBulkInsert({
             inputSecrets: secretBatch.map((el) => {
-              const references = getAllSecretReferences(el.secretValue).nestedReferences;
+              const references = getAllNestedSecretReferences(el.secretValue);
 
               return {
                 version: 1,

backend/src/services/group-project/group-project-dal.ts

@@ -158,7 +158,6 @@ export const groupProjectDALFactory = (db: TDbClient) => {
       )
       .select(
         db.ref("id").withSchema(TableName.UserGroupMembership),
-        db.ref("createdAt").withSchema(TableName.UserGroupMembership),
         db.ref("isGhost").withSchema(TableName.Users),
         db.ref("username").withSchema(TableName.Users),
         db.ref("email").withSchema(TableName.Users),
@@ -182,18 +181,7 @@ export const groupProjectDALFactory = (db: TDbClient) => {
 
     const members = sqlNestRelationships({
       data: docs,
-      parentMapper: ({
-        email,
-        firstName,
-        username,
-        lastName,
-        publicKey,
-        isGhost,
-        id,
-        userId,
-        projectName,
-        createdAt
-      }) => ({
+      parentMapper: ({ email, firstName, username, lastName, publicKey, isGhost, id, userId, projectName }) => ({
         isGroupMember: true,
         id,
         userId,
@@ -202,8 +190,7 @@ export const groupProjectDALFactory = (db: TDbClient) => {
           id: projectId,
           name: projectName
         },
-        user: { email, username, firstName, lastName, id: userId, publicKey, isGhost },
-        createdAt
+        user: { email, username, firstName, lastName, id: userId, publicKey, isGhost }
       }),
       key: "id",
       childrenMapper: [

backend/src/services/integration-auth/integration-delete-secret.ts

@@ -67,8 +67,7 @@ const getIntegrationSecretsV2 = async (
     folderDAL,
     secretDAL: secretV2BridgeDAL,
     secretImportDAL,
-    secretImports,
-    hasSecretAccess: () => true
+    allowedImports: secretImports
   });
 
   for (let i = importedSecrets.length - 1; i >= 0; i -= 1) {

backend/src/services/integration/integration-service.ts

@@ -90,10 +90,7 @@ export const integrationServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, {
-        environment: sourceEnvironment,
-        secretPath
-      })
+      subject(ProjectPermissionSub.Secrets, { environment: sourceEnvironment, secretPath })
     );
 
     const folder = await folderDAL.findBySecretPath(integrationAuth.projectId, sourceEnvironment, secretPath);
@@ -170,10 +167,7 @@ export const integrationServiceFactory = ({
     if (environment || secretPath) {
       ForbiddenError.from(permission).throwUnlessCan(
         ProjectPermissionActions.Read,
-        subject(ProjectPermissionSub.Secrets, {
-          environment: newEnvironment,
-          secretPath: newSecretPath
-        })
+        subject(ProjectPermissionSub.Secrets, { environment: newEnvironment, secretPath: newSecretPath })
       );
     }
 

backend/src/services/project-membership/project-membership-dal.ts

@@ -11,10 +11,7 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
   const projectMemberOrm = ormify(db, TableName.ProjectMembership);
 
   // special query
-  const findAllProjectMembers = async (
-    projectId: string,
-    filter: { usernames?: string[]; username?: string; id?: string } = {}
-  ) => {
+  const findAllProjectMembers = async (projectId: string, filter: { usernames?: string[]; username?: string } = {}) => {
     try {
       const docs = await db
         .replicaNode()(TableName.ProjectMembership)
@@ -28,9 +25,6 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
           if (filter.username) {
             void qb.where("username", filter.username);
           }
-          if (filter.id) {
-            void qb.where(`${TableName.ProjectMembership}.id`, filter.id);
-          }
         })
         .join<TUserEncryptionKeys>(
           TableName.UserEncryptionKey,
@@ -49,7 +43,6 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
         )
         .select(
           db.ref("id").withSchema(TableName.ProjectMembership),
-          db.ref("createdAt").withSchema(TableName.ProjectMembership),
           db.ref("isGhost").withSchema(TableName.Users),
           db.ref("username").withSchema(TableName.Users),
           db.ref("email").withSchema(TableName.Users),
@@ -73,18 +66,7 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
 
       const members = sqlNestRelationships({
         data: docs,
-        parentMapper: ({
-          email,
-          firstName,
-          username,
-          lastName,
-          publicKey,
-          isGhost,
-          id,
-          userId,
-          projectName,
-          createdAt
-        }) => ({
+        parentMapper: ({ email, firstName, username, lastName, publicKey, isGhost, id, userId, projectName }) => ({
           id,
           userId,
           projectId,
@@ -92,8 +74,7 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
           project: {
             id: projectId,
             name: projectName
-          },
-          createdAt
+          }
         }),
         key: "id",
         childrenMapper: [

backend/src/services/project-membership/project-membership-service.ts

@@ -7,7 +7,6 @@ import { TLicenseServiceFactory } from "@app/ee/services/license/license-service
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-dal";
-import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -28,7 +27,6 @@ import {
   TAddUsersToWorkspaceDTO,
   TDeleteProjectMembershipOldDTO,
   TDeleteProjectMembershipsDTO,
-  TGetProjectMembershipByIdDTO,
   TGetProjectMembershipByUsernameDTO,
   TGetProjectMembershipDTO,
   TLeaveProjectDTO,
@@ -37,7 +35,7 @@ import {
 import { TProjectUserMembershipRoleDALFactory } from "./project-user-membership-role-dal";
 
 type TProjectMembershipServiceFactoryDep = {
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getProjectPermissionByRole">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   smtpService: TSmtpService;
   projectBotDAL: TProjectBotDALFactory;
   projectMembershipDAL: TProjectMembershipDALFactory;
@@ -135,28 +133,6 @@ export const projectMembershipServiceFactory = ({
     return membership;
   };
 
-  const getProjectMembershipById = async ({
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    projectId,
-    id
-  }: TGetProjectMembershipByIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
-
-    const [membership] = await projectMembershipDAL.findAllProjectMembers(projectId, { id });
-    if (!membership) throw new NotFoundError({ message: `Project membership not found for user ${id}` });
-    return membership;
-  };
-
   const addUsersToProject = async ({
     projectId,
     actorId,
@@ -263,21 +239,6 @@ export const projectMembershipServiceFactory = ({
       throw new ForbiddenRequestError({ message: "Forbidden member update" });
     }
 
-    for await (const { role: requestedRoleChange } of roles) {
-      const { permission: rolePermission } = await permissionService.getProjectPermissionByRole(
-        requestedRoleChange,
-        projectId
-      );
-
-      const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
-
-      if (!hasRequiredPriviledges) {
-        throw new ForbiddenRequestError({
-          message: `Failed to change to a more privileged role ${requestedRoleChange}`
-        });
-      }
-    }
-
     // validate custom roles input
     const customInputRoles = roles.filter(
       ({ role }) => !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole)
@@ -526,7 +487,6 @@ export const projectMembershipServiceFactory = ({
     deleteProjectMemberships,
     deleteProjectMembership, // TODO: Remove this
     addUsersToProject,
-    leaveProject,
-    getProjectMembershipById
+    leaveProject
   };
 };

backend/src/services/project-membership/project-membership-types.ts

@@ -14,10 +14,6 @@ export type TGetProjectMembershipByUsernameDTO = {
   username: string;
 } & TProjectPermission;
 
-export type TGetProjectMembershipByIdDTO = {
-  id: string;
-} & TProjectPermission;
-
 export type TUpdateProjectMembershipDTO = {
   membershipId: string;
   roles: (

backend/src/services/project-role/project-role-service.ts

@@ -1,7 +1,8 @@
 import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 
-import { ProjectMembershipRole, TableName } from "@app/db/schemas";
+import { ProjectMembershipRole } from "@app/db/schemas";
+import { UnpackedPermissionSchema } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
   ProjectPermissionActions,
@@ -9,7 +10,6 @@ import {
   ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
 
 import { ActorAuthMethod } from "../auth/auth-type";
 import { TIdentityProjectMembershipRoleDALFactory } from "../identity-project/identity-project-membership-role-dal";
@@ -17,14 +17,7 @@ import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
 import { TProjectRoleDALFactory } from "./project-role-dal";
 import { getPredefinedRoles } from "./project-role-fns";
-import {
-  ProjectRoleServiceIdentifierType,
-  TCreateRoleDTO,
-  TDeleteRoleDTO,
-  TGetRoleDetailsDTO,
-  TListRolesDTO,
-  TUpdateRoleDTO
-} from "./project-role-types";
+import { TCreateRoleDTO, TDeleteRoleDTO, TGetRoleBySlugDTO, TListRolesDTO, TUpdateRoleDTO } from "./project-role-types";
 
 type TProjectRoleServiceFactoryDep = {
   projectRoleDAL: TProjectRoleDALFactory;
@@ -48,15 +41,10 @@ export const projectRoleServiceFactory = ({
   projectUserMembershipRoleDAL,
   projectDAL
 }: TProjectRoleServiceFactoryDep) => {
-  const createRole = async ({ data, actor, actorId, actorAuthMethod, actorOrgId, filter }: TCreateRoleDTO) => {
-    let projectId = "";
-    if (filter.type === ProjectRoleServiceIdentifierType.SLUG) {
-      const project = await projectDAL.findProjectBySlug(filter.projectSlug, actorOrgId);
-      if (!project) throw new NotFoundError({ message: "Project not found" });
-      projectId = project.id;
-    } else {
-      projectId = filter.projectId;
-    }
+  const createRole = async ({ projectSlug, data, actor, actorId, actorAuthMethod, actorOrgId }: TCreateRoleDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
+    const projectId = project.id;
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -81,19 +69,14 @@ export const projectRoleServiceFactory = ({
   const getRoleBySlug = async ({
     actor,
     actorId,
+    projectSlug,
     actorAuthMethod,
     actorOrgId,
-    roleSlug,
-    filter
-  }: TGetRoleDetailsDTO) => {
-    let projectId = "";
-    if (filter.type === ProjectRoleServiceIdentifierType.SLUG) {
-      const project = await projectDAL.findProjectBySlug(filter.projectSlug, actorOrgId);
-      if (!project) throw new NotFoundError({ message: "Project not found" });
-      projectId = project.id;
-    } else {
-      projectId = filter.projectId;
-    }
+    roleSlug
+  }: TGetRoleBySlugDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
+    const projectId = project.id;
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -113,41 +96,58 @@ export const projectRoleServiceFactory = ({
     return { ...customRole, permissions: unpackPermissions(customRole.permissions) };
   };
 
-  const updateRole = async ({ roleId, actorOrgId, actorAuthMethod, actorId, actor, data }: TUpdateRoleDTO) => {
-    const projectRole = await projectRoleDAL.findById(roleId);
-    if (!projectRole) throw new NotFoundError({ message: "Project role not found", name: "Delete role" });
+  const updateRole = async ({
+    roleId,
+    projectSlug,
+    actorOrgId,
+    actorAuthMethod,
+    actorId,
+    actor,
+    data
+  }: TUpdateRoleDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
+    const projectId = project.id;
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectRole.projectId,
+      projectId,
       actorAuthMethod,
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Role);
 
     if (data?.slug) {
-      const existingRole = await projectRoleDAL.findOne({ slug: data.slug, projectId: projectRole.projectId });
+      const existingRole = await projectRoleDAL.findOne({ slug: data.slug, projectId });
       if (existingRole && existingRole.id !== roleId)
         throw new BadRequestError({ name: "Update Role", message: "Project role with the same slug already exists" });
     }
 
-    const updatedRole = await projectRoleDAL.updateById(projectRole.id, {
-      ...data,
-      permissions: data.permissions ? data.permissions : undefined
-    });
-    if (!updatedRole) throw new NotFoundError({ message: "Project role not found", name: "Update role" });
-
+    const [updatedRole] = await projectRoleDAL.update(
+      { id: roleId, projectId },
+      {
+        ...data,
+        permissions: data.permissions ? data.permissions : undefined
+      }
+    );
+    if (!updatedRole) {
+      throw new NotFoundError({
+        message: `Project role with ID '${roleId}' in project with ID '${projectId}' not found`
+      });
+    }
     return { ...updatedRole, permissions: unpackPermissions(updatedRole.permissions) };
   };
 
-  const deleteRole = async ({ actor, actorId, actorAuthMethod, actorOrgId, roleId }: TDeleteRoleDTO) => {
-    const projectRole = await projectRoleDAL.findById(roleId);
-    if (!projectRole) throw new NotFoundError({ message: "Project role not found", name: "Delete role" });
+  const deleteRole = async ({ actor, actorId, actorAuthMethod, actorOrgId, projectSlug, roleId }: TDeleteRoleDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
+    const projectId = project.id;
+
     const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectRole.projectId,
+      projectId,
       actorAuthMethod,
       actorOrgId
     );
@@ -169,21 +169,21 @@ export const projectRoleServiceFactory = ({
       });
     }
 
-    const deletedRole = await projectRoleDAL.deleteById(roleId);
-    if (!deletedRole) throw new NotFoundError({ message: "Project role not found", name: "Delete role" });
+    const [deletedRole] = await projectRoleDAL.delete({ id: roleId, projectId });
+    if (!deletedRole) {
+      throw new NotFoundError({
+        message: `Project role with ID '${roleId}' in project with ID '${projectId}' not found`,
+        name: "DeleteRole"
+      });
+    }
 
     return { ...deletedRole, permissions: unpackPermissions(deletedRole.permissions) };
   };
 
-  const listRoles = async ({ actorOrgId, actorAuthMethod, actorId, actor, filter }: TListRolesDTO) => {
-    let projectId = "";
-    if (filter.type === ProjectRoleServiceIdentifierType.SLUG) {
-      const project = await projectDAL.findProjectBySlug(filter.projectSlug, actorOrgId);
-      if (!project) throw new BadRequestError({ message: "Project not found" });
-      projectId = project.id;
-    } else {
-      projectId = filter.projectId;
-    }
+  const listRoles = async ({ projectSlug, actorOrgId, actorAuthMethod, actorId, actor }: TListRolesDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) throw new BadRequestError({ message: "Project not found" });
+    const projectId = project.id;
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -193,10 +193,7 @@ export const projectRoleServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
-    const customRoles = await projectRoleDAL.find(
-      { projectId },
-      { sort: [[`${TableName.ProjectRoles}.slug` as "slug", "asc"]] }
-    );
+    const customRoles = await projectRoleDAL.find({ projectId });
     const roles = [...getPredefinedRoles(projectId), ...(customRoles || [])];
 
     return roles;

backend/src/services/project-role/project-role-types.ts

@@ -1,36 +1,27 @@
 import { TOrgRolesUpdate, TProjectRolesInsert } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";
 
-export enum ProjectRoleServiceIdentifierType {
-  ID = "id",
-  SLUG = "slug"
-}
-
 export type TCreateRoleDTO = {
   data: Omit<TProjectRolesInsert, "projectId">;
-  filter:
-    | { type: ProjectRoleServiceIdentifierType.SLUG; projectSlug: string }
-    | { type: ProjectRoleServiceIdentifierType.ID; projectId: string };
+  projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;
 
-export type TGetRoleDetailsDTO = {
+export type TGetRoleBySlugDTO = {
   roleSlug: string;
-  filter:
-    | { type: ProjectRoleServiceIdentifierType.SLUG; projectSlug: string }
-    | { type: ProjectRoleServiceIdentifierType.ID; projectId: string };
+  projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateRoleDTO = {
   roleId: string;
   data: Omit<TOrgRolesUpdate, "orgId">;
+  projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteRoleDTO = {
   roleId: string;
+  projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TListRolesDTO = {
-  filter:
-    | { type: ProjectRoleServiceIdentifierType.SLUG; projectSlug: string }
-    | { type: ProjectRoleServiceIdentifierType.ID; projectId: string };
+  projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;

backend/src/services/secret-folder/secret-folder-fns.ts

@@ -0,0 +1,6 @@
+import { RawRule } from "@casl/ability";
+
+import { ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+
+export const shouldCheckFolderPermission = (rules: RawRule[]) =>
+  rules.some((rule) => (rule.subject as ProjectPermissionSub[]).includes(ProjectPermissionSub.SecretFolders));

backend/src/services/secret-folder/secret-folder-service.ts

@@ -12,6 +12,7 @@ import { OrderByDirection } from "@app/lib/types";
 import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TSecretFolderDALFactory } from "./secret-folder-dal";
+import { shouldCheckFolderPermission } from "./secret-folder-fns";
 import {
   TCreateFolderDTO,
   TDeleteFolderDTO,
@@ -59,10 +60,20 @@ export const secretFolderServiceFactory = ({
       actorOrgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
-      subject(ProjectPermissionSub.SecretFolders, { environment, secretPath })
-    );
+    // we do this because we've split Secret and SecretFolder resources
+    // previously, if one can create/update/read/delete secrets then they can do the same for folders
+    // for backwards compatibility, we handle authorization only when SecretFolders subject is used
+    if (shouldCheckFolderPermission(permission.rules)) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Create,
+        subject(ProjectPermissionSub.SecretFolders, { environment, secretPath })
+      );
+    } else {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Create,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      );
+    }
 
     const env = await projectEnvDAL.findOne({ projectId, slug: environment });
     if (!env) {
@@ -158,10 +169,20 @@ export const secretFolderServiceFactory = ({
     );
 
     folders.forEach(({ environment, path: secretPath }) => {
-      ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionActions.Edit,
-        subject(ProjectPermissionSub.SecretFolders, { environment, secretPath })
-      );
+      // we do this because we've split Secret and SecretFolder resources
+      // previously, if one can create/update/read/delete secrets then they can do the same for folders
+      // for backwards compatibility, we handle authorization only when SecretFolders subject is used
+      if (shouldCheckFolderPermission(permission.rules)) {
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionActions.Edit,
+          subject(ProjectPermissionSub.SecretFolders, { environment, secretPath })
+        );
+      } else {
+        ForbiddenError.from(permission).throwUnlessCan(
+          ProjectPermissionActions.Edit,
+          subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+        );
+      }
     });
 
     const result = await folderDAL.transaction(async (tx) =>
@@ -266,10 +287,20 @@ export const secretFolderServiceFactory = ({
       actorOrgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.SecretFolders, { environment, secretPath })
-    );
+    // we do this because we've split Secret and SecretFolder resources
+    // previously, if one can create/update/read/delete secrets then they can do the same for folders
+    // for backwards compatibility, we handle authorization differently only when SecretFolders subject is used
+    if (shouldCheckFolderPermission(permission.rules)) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Edit,
+        subject(ProjectPermissionSub.SecretFolders, { environment, secretPath })
+      );
+    } else {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Edit,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      );
+    }
 
     const parentFolder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!parentFolder)
@@ -346,10 +377,20 @@ export const secretFolderServiceFactory = ({
       actorOrgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
-      subject(ProjectPermissionSub.SecretFolders, { environment, secretPath })
-    );
+    // we do this because we've split Secret and SecretFolder resources
+    // previously, if one can create/update/read/delete secrets then they can do the same for folders
+    // for backwards compatibility, we handle authorization differently only when SecretFolders subject is used
+    if (shouldCheckFolderPermission(permission.rules)) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Delete,
+        subject(ProjectPermissionSub.SecretFolders, { environment, secretPath })
+      );
+    } else {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Delete,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      );
+    }
 
     const env = await projectEnvDAL.findOne({ projectId, slug: environment });
     if (!env) throw new NotFoundError({ message: `Environment with slug '${environment}' not found` });

backend/src/services/secret-import/secret-import-fns.ts

@@ -27,7 +27,6 @@ type TSecretImportSecretsV2 = {
     slug: string;
     name: string;
   };
-  id: string;
   folderId: string | undefined;
   importFolderId: string;
   secrets: (TSecretsV2 & {
@@ -140,22 +139,24 @@ export const fnSecretsFromImports = async ({
   return secrets;
 };
 
-/* eslint-disable no-await-in-loop, no-continue */
 export const fnSecretsV2FromImports = async ({
-  secretImports: rootSecretImports,
+  allowedImports: possibleCyclicImports,
   folderDAL,
   secretDAL,
   secretImportDAL,
+  depth = 0,
+  cyclicDetector = new Set(),
   decryptor,
-  expandSecretReferences,
-  hasSecretAccess
+  expandSecretReferences
 }: {
-  secretImports: (Omit<TSecretImports, "importEnv"> & {
+  allowedImports: (Omit<TSecretImports, "importEnv"> & {
     importEnv: { id: string; slug: string; name: string };
   })[];
   folderDAL: Pick<TSecretFolderDALFactory, "findByManySecretPath">;
   secretDAL: Pick<TSecretV2BridgeDALFactory, "find">;
   secretImportDAL: Pick<TSecretImportDALFactory, "findByFolderIds">;
+  depth?: number;
+  cyclicDetector?: Set<string>;
   decryptor: (value?: Buffer | null) => string;
   expandSecretReferences?: (inputSecret: {
     value?: string;
@@ -163,107 +164,92 @@ export const fnSecretsV2FromImports = async ({
     secretPath: string;
     environment: string;
   }) => Promise<string | undefined>;
-  hasSecretAccess: (environment: string, secretPath: string, secretName: string, secretTagSlugs: string[]) => boolean;
 }) => {
-  const cyclicDetector = new Set();
-  const stack: { secretImports: typeof rootSecretImports; depth: number; parentImportedSecrets: TSecretsV2[] }[] = [
-    { secretImports: rootSecretImports, depth: 0, parentImportedSecrets: [] }
-  ];
+  // avoid going more than a depth
+  if (depth >= LEVEL_BREAK) return [];
 
-  const processedImports: TSecretImportSecretsV2[] = [];
+  const allowedImports = possibleCyclicImports.filter(
+    ({ importPath, importEnv }) => !cyclicDetector.has(getImportUniqKey(importEnv.slug, importPath))
+  );
 
-  while (stack.length) {
-    const { secretImports, depth, parentImportedSecrets } = stack.pop()!;
-
-    if (depth > LEVEL_BREAK) continue;
-    const sanitizedImports = secretImports.filter(
-      ({ importPath, importEnv }) => !cyclicDetector.has(getImportUniqKey(importEnv.slug, importPath))
-    );
-
-    if (!sanitizedImports.length) continue;
-
-    const importedFolders = await folderDAL.findByManySecretPath(
-      sanitizedImports.map(({ importEnv, importPath }) => ({
+  const importedFolders = (
+    await folderDAL.findByManySecretPath(
+      allowedImports.map(({ importEnv, importPath }) => ({
         envId: importEnv.id,
         secretPath: importPath
       }))
-    );
-    if (!importedFolders.length) continue;
+    )
+  ).filter(Boolean); // remove undefined ones
+  if (!importedFolders.length) {
+    return [];
+  }
 
-    const importedFolderIds = importedFolders.map((el) => el?.id) as string[];
-    const importedFolderGroupBySourceImport = groupBy(importedFolders, (i) => `${i?.envId}-${i?.path}`);
+  const importedFolderIds = importedFolders.map((el) => el?.id) as string[];
+  const importedFolderGroupBySourceImport = groupBy(importedFolders, (i) => `${i?.envId}-${i?.path}`);
+  const importedSecrets = await secretDAL.find(
+    {
+      $in: { folderId: importedFolderIds },
+      type: SecretType.Shared
+    },
+    {
+      sort: [["id", "asc"]]
+    }
+  );
 
-    const importedSecrets = await secretDAL.find(
-      {
-        $in: { folderId: importedFolderIds },
-        type: SecretType.Shared
-      },
-      {
-        sort: [["id", "asc"]]
-      }
-    );
-    const importedSecretsGroupByFolderId = groupBy(importedSecrets, (i) => i.folderId);
+  const importedSecretsGroupByFolderId = groupBy(importedSecrets, (i) => i.folderId);
 
-    sanitizedImports.forEach(({ importPath, importEnv }) => {
-      cyclicDetector.add(getImportUniqKey(importEnv.slug, importPath));
-    });
-    // now we need to check recursively deeper imports made inside other imports
-    // we go level wise meaning we take all imports of a tree level and then go deeper ones level by level
-    const deeperImports = await secretImportDAL.findByFolderIds(importedFolderIds);
-    const deeperImportsGroupByFolderId = groupBy(deeperImports, (i) => i.folderId);
-
-    const isFirstIteration = !processedImports.length;
-    sanitizedImports.forEach(({ importPath, importEnv, id, folderId }, i) => {
-      const sourceImportFolder = importedFolderGroupBySourceImport[`${importEnv.id}-${importPath}`]?.[0];
-      const secretsWithDuplicate = (importedSecretsGroupByFolderId?.[importedFolders?.[i]?.id as string] || [])
-        .filter((item) =>
-          hasSecretAccess(
-            importEnv.slug,
-            importPath,
-            item.key,
-            item.tags.map((el) => el.slug)
-          )
-        )
-        .map((item) => ({
-          ...item,
-          secretKey: item.key,
-          secretValue: decryptor(item.encryptedValue),
-          secretComment: decryptor(item.encryptedComment),
-          environment: importEnv.slug,
-          workspace: "", // This field should not be used, it's only here to keep the older Python SDK versions backwards compatible with the new Postgres backend.
-          _id: item.id // The old Python SDK depends on the _id field being returned. We return this to keep the older Python SDK versions backwards compatible with the new Postgres backend.
-        }));
-
-      if (deeperImportsGroupByFolderId?.[sourceImportFolder?.id || ""]) {
-        stack.push({
-          secretImports: deeperImportsGroupByFolderId[sourceImportFolder?.id || ""],
-          depth: depth + 1,
-          parentImportedSecrets: secretsWithDuplicate
-        });
-      }
-
-      if (isFirstIteration) {
-        processedImports.push({
-          secretPath: importPath,
-          environment: importEnv.slug,
-          environmentInfo: importEnv,
-          folderId: importedFolders?.[i]?.id,
-          id,
-          importFolderId: folderId,
-          secrets: secretsWithDuplicate
-        });
-      } else {
-        parentImportedSecrets.push(...secretsWithDuplicate);
-      }
+  allowedImports.forEach(({ importPath, importEnv }) => {
+    cyclicDetector.add(getImportUniqKey(importEnv.slug, importPath));
+  });
+  // now we need to check recursively deeper imports made inside other imports
+  // we go level wise meaning we take all imports of a tree level and then go deeper ones level by level
+  const deeperImports = await secretImportDAL.findByFolderIds(importedFolderIds);
+  let secretsFromDeeperImports: TSecretImportSecretsV2[] = [];
+  if (deeperImports.length) {
+    secretsFromDeeperImports = await fnSecretsV2FromImports({
+      allowedImports: deeperImports.filter(({ isReplication }) => !isReplication),
+      secretImportDAL,
+      folderDAL,
+      secretDAL,
+      depth: depth + 1,
+      cyclicDetector,
+      decryptor,
+      expandSecretReferences
     });
   }
-  /* eslint-enable */
+  const secretsFromdeeperImportGroupedByFolderId = groupBy(secretsFromDeeperImports, (i) => i.importFolderId);
+
+  const processedImports = allowedImports.map(({ importPath, importEnv, id, folderId }, i) => {
+    const sourceImportFolder = importedFolderGroupBySourceImport[`${importEnv.id}-${importPath}`]?.[0];
+    const folderDeeperImportSecrets =
+      secretsFromdeeperImportGroupedByFolderId?.[sourceImportFolder?.id || ""]?.[0]?.secrets || [];
+    const secretsWithDuplicate = (importedSecretsGroupByFolderId?.[importedFolders?.[i]?.id as string] || [])
+      .map((item) => ({
+        ...item,
+        secretKey: item.key,
+        secretValue: decryptor(item.encryptedValue),
+        secretComment: decryptor(item.encryptedComment),
+        environment: importEnv.slug,
+        workspace: "", // This field should not be used, it's only here to keep the older Python SDK versions backwards compatible with the new Postgres backend.
+        _id: item.id // The old Python SDK depends on the _id field being returned. We return this to keep the older Python SDK versions backwards compatible with the new Postgres backend.
+      }))
+      .concat(folderDeeperImportSecrets);
+
+    return {
+      secretPath: importPath,
+      environment: importEnv.slug,
+      environmentInfo: importEnv,
+      folderId: importedFolders?.[i]?.id,
+      id,
+      importFolderId: folderId,
+      secrets: unique(secretsWithDuplicate, (el) => el.secretKey)
+    };
+  });
+
   if (expandSecretReferences) {
     await Promise.allSettled(
-      processedImports.map((processedImport) => {
-        // eslint-disable-next-line
-        processedImport.secrets = unique(processedImport.secrets, (i) => i.key);
-        return Promise.allSettled(
+      processedImports.map((processedImport) =>
+        Promise.allSettled(
           processedImport.secrets.map(async (decryptedSecret, index) => {
             const expandedSecretValue = await expandSecretReferences({
               value: decryptedSecret.secretValue,
@@ -274,8 +260,8 @@ export const fnSecretsV2FromImports = async ({
             // eslint-disable-next-line no-param-reassign
             processedImport.secrets[index].secretValue = expandedSecretValue || "";
           })
-        );
-      })
+        )
+      )
     );
   }
 

backend/src/services/secret-import/secret-import-service.ts

@@ -84,12 +84,12 @@ export const secretImportServiceFactory = ({
     // check if user has permission to import into destination  path
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
-      subject(ProjectPermissionSub.SecretImports, { environment, secretPath })
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
     );
 
     // check if user has permission to import from target path
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Create,
       subject(ProjectPermissionSub.Secrets, {
         environment: data.environment,
         secretPath: data.path
@@ -198,7 +198,7 @@ export const secretImportServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.SecretImports, { environment, secretPath })
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
@@ -292,7 +292,7 @@ export const secretImportServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
-      subject(ProjectPermissionSub.SecretImports, { environment, secretPath })
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
@@ -364,8 +364,8 @@ export const secretImportServiceFactory = ({
 
     // check if user has permission to import into destination  path
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.SecretImports, { environment, secretPath })
+      ProjectPermissionActions.Create,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
     );
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -393,7 +393,7 @@ export const secretImportServiceFactory = ({
 
     // check if user has permission to import from target path
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Create,
       subject(ProjectPermissionSub.Secrets, {
         environment: secretImportDoc.importEnv.slug,
         secretPath: secretImportDoc.importPath
@@ -441,7 +441,7 @@ export const secretImportServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.SecretImports, { environment, secretPath })
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
@@ -476,7 +476,7 @@ export const secretImportServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.SecretImports, { environment, secretPath })
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
@@ -526,7 +526,7 @@ export const secretImportServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.SecretImports, {
+      subject(ProjectPermissionSub.Secrets, {
         environment: folder.environment.envSlug,
         secretPath: folderWithPath.path
       })
@@ -573,19 +573,20 @@ export const secretImportServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.SecretImports, { environment, secretPath })
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
     );
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder) return [];
     // this will already order by position
     // so anything based on this order will also be in right position
     const secretImports = await secretImportDAL.find({ folderId: folder.id, isReplication: false });
-    const allowedImports = secretImports.filter((el) =>
+
+    const allowedImports = secretImports.filter(({ importEnv, importPath }) =>
       permission.can(
         ProjectPermissionActions.Read,
         subject(ProjectPermissionSub.Secrets, {
-          environment: el.importEnv.slug,
-          secretPath: el.importPath
+          environment: importEnv.slug,
+          secretPath: importPath
         })
       )
     );
@@ -610,7 +611,7 @@ export const secretImportServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.SecretImports, { environment, secretPath })
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
     );
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder) return [];
@@ -618,6 +619,16 @@ export const secretImportServiceFactory = ({
     // so anything based on this order will also be in right position
     const secretImports = await secretImportDAL.find({ folderId: folder.id, isReplication: false });
 
+    const allowedImports = secretImports.filter(({ importEnv, importPath }) =>
+      permission.can(
+        ProjectPermissionActions.Read,
+        subject(ProjectPermissionSub.Secrets, {
+          environment: importEnv.slug,
+          secretPath: importPath
+        })
+      )
+    );
+
     const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
     if (shouldUseSecretV2Bridge) {
       const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -625,21 +636,11 @@ export const secretImportServiceFactory = ({
         projectId
       });
       const importedSecrets = await fnSecretsV2FromImports({
-        secretImports,
+        allowedImports,
         folderDAL,
         secretDAL: secretV2BridgeDAL,
         secretImportDAL,
-        decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : ""),
-        hasSecretAccess: (expandEnvironment, expandSecretPath, expandSecretKey, expandSecretTags) =>
-          permission.can(
-            ProjectPermissionActions.Read,
-            subject(ProjectPermissionSub.Secrets, {
-              environment: expandEnvironment,
-              secretPath: expandSecretPath,
-              secretName: expandSecretKey,
-              secretTags: expandSecretTags
-            })
-          )
+        decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : "")
       });
       return importedSecrets;
     }
@@ -650,21 +651,7 @@ export const secretImportServiceFactory = ({
         name: "bot_not_found_error"
       });
 
-    const allowedImports = secretImports.filter((el) =>
-      permission.can(
-        ProjectPermissionActions.Read,
-        subject(ProjectPermissionSub.Secrets, {
-          environment: el.importEnv.slug,
-          secretPath: el.importPath
-        })
-      )
-    );
-    const importedSecrets = await fnSecretsFromImports({
-      allowedImports,
-      folderDAL,
-      secretDAL,
-      secretImportDAL
-    });
+    const importedSecrets = await fnSecretsFromImports({ allowedImports, folderDAL, secretDAL, secretImportDAL });
     return importedSecrets.map((el) => ({
       ...el,
       secrets: el.secrets.map((encryptedSecret) =>

backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts

@@ -4,14 +4,7 @@ import { validate as uuidValidate } from "uuid";
 import { TDbClient } from "@app/db";
 import { SecretsV2Schema, SecretType, TableName, TSecretsV2, TSecretsV2Update } from "@app/db/schemas";
 import { BadRequestError, DatabaseError, NotFoundError } from "@app/lib/errors";
-import {
-  buildFindFilter,
-  ormify,
-  selectAllTableCols,
-  sqlNestRelationships,
-  TFindFilter,
-  TFindOpt
-} from "@app/lib/knex";
+import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
@@ -20,97 +13,6 @@ export type TSecretV2BridgeDALFactory = ReturnType<typeof secretV2BridgeDALFacto
 export const secretV2BridgeDALFactory = (db: TDbClient) => {
   const secretOrm = ormify(db, TableName.SecretV2);
 
-  const findOne = async (filter: Partial<TSecretsV2>, tx?: Knex) => {
-    try {
-      const docs = await (tx || db)(TableName.SecretV2)
-        .where(filter)
-        .leftJoin(
-          TableName.SecretV2JnTag,
-          `${TableName.SecretV2}.id`,
-          `${TableName.SecretV2JnTag}.${TableName.SecretV2}Id`
-        )
-        .leftJoin(
-          TableName.SecretTag,
-          `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
-          `${TableName.SecretTag}.id`
-        )
-        .select(selectAllTableCols(TableName.SecretV2))
-        .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
-        .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
-        .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"));
-
-      const data = sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (el) => ({ _id: el.id, ...SecretsV2Schema.parse(el) }),
-        childrenMapper: [
-          {
-            key: "tagId",
-            label: "tags" as const,
-            mapper: ({ tagId: id, tagColor: color, tagSlug: slug }) => ({
-              id,
-              color,
-              slug,
-              name: slug
-            })
-          }
-        ]
-      });
-      return data?.[0];
-    } catch (error) {
-      throw new DatabaseError({ error, name: `${TableName.SecretV2}: FindOne` });
-    }
-  };
-
-  const find = async (filter: TFindFilter<TSecretsV2>, { offset, limit, sort, tx }: TFindOpt<TSecretsV2> = {}) => {
-    try {
-      const query = (tx || db)(TableName.SecretV2)
-        // eslint-disable-next-line @typescript-eslint/no-misused-promises
-        .where(buildFindFilter(filter))
-        .leftJoin(
-          TableName.SecretV2JnTag,
-          `${TableName.SecretV2}.id`,
-          `${TableName.SecretV2JnTag}.${TableName.SecretV2}Id`
-        )
-        .leftJoin(
-          TableName.SecretTag,
-          `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
-          `${TableName.SecretTag}.id`
-        )
-        .select(selectAllTableCols(TableName.SecretV2))
-        .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
-        .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
-        .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"));
-      if (limit) void query.limit(limit);
-      if (offset) void query.offset(offset);
-      if (sort) {
-        void query.orderBy(sort.map(([column, order, nulls]) => ({ column: column as string, order, nulls })));
-      }
-
-      const docs = await query;
-      const data = sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (el) => ({ _id: el.id, ...SecretsV2Schema.parse(el) }),
-        childrenMapper: [
-          {
-            key: "tagId",
-            label: "tags" as const,
-            mapper: ({ tagId: id, tagColor: color, tagSlug: slug }) => ({
-              id,
-              color,
-              slug,
-              name: slug
-            })
-          }
-        ]
-      });
-      return data;
-    } catch (error) {
-      throw new DatabaseError({ error, name: `${TableName.SecretV2}: Find` });
-    }
-  };
-
   const update = async (filter: Partial<TSecretsV2>, data: Omit<TSecretsV2Update, "version">, tx?: Knex) => {
     try {
       const sec = await (tx || db)(TableName.SecretV2)
@@ -582,8 +484,6 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
     upsertSecretReferences,
     findReferencedSecretReferences,
     findAllProjectSecretValues,
-    countByFolderIds,
-    findOne,
-    find
+    countByFolderIds
   };
 };

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -11,8 +11,6 @@ import { TSecretV2BridgeDALFactory } from "./secret-v2-bridge-dal";
 import { TFnSecretBulkDelete, TFnSecretBulkInsert, TFnSecretBulkUpdate } from "./secret-v2-bridge-types";
 
 const INTERPOLATION_SYNTAX_REG = /\${([^}]+)}/g;
-// akhilmhdh: JS regex with global save state in .test
-const INTERPOLATION_SYNTAX_REG_NON_GLOBAL = /\${([^}]+)}/;
 
 export const shouldUseSecretV2Bridge = (version: number) => version === 3;
 
@@ -32,10 +30,9 @@ export const shouldUseSecretV2Bridge = (version: number) => version === 3;
  * //   { environment: 'prod', secretPath: '/anotherFolder' }
  * // ]
  */
-export const getAllSecretReferences = (maybeSecretReference: string) => {
+export const getAllNestedSecretReferences = (maybeSecretReference: string) => {
   const references = Array.from(maybeSecretReference.matchAll(INTERPOLATION_SYNTAX_REG), (m) => m[1]);
-
-  const nestedReferences = references
+  return references
     .filter((el) => el.includes("."))
     .map((el) => {
       const [environment, ...secretPathList] = el.split(".");
@@ -45,8 +42,6 @@ export const getAllSecretReferences = (maybeSecretReference: string) => {
         secretKey: secretPathList[secretPathList.length - 1]
       };
     });
-  const localReferences = references.filter((el) => !el.includes("."));
-  return { nestedReferences, localReferences };
 };
 
 // these functions are special functions shared by a couple of resources
@@ -330,6 +325,7 @@ type TRecursivelyFetchSecretsFromFoldersArg = {
   projectId: string;
   environment: string;
   currentPath: string;
+  hasAccess: (environment: string, secretPath: string) => boolean;
 };
 
 export const recursivelyGetSecretPaths = async ({
@@ -337,7 +333,8 @@ export const recursivelyGetSecretPaths = async ({
   projectEnvDAL,
   projectId,
   environment,
-  currentPath
+  currentPath,
+  hasAccess
 }: TRecursivelyFetchSecretsFromFoldersArg) => {
   const env = await projectEnvDAL.findOne({
     projectId,
@@ -365,11 +362,12 @@ export const recursivelyGetSecretPaths = async ({
     folderId: p.folderId
   }));
 
-  const pathsInCurrentDirectory = paths.filter((folder) =>
-    folder.path.startsWith(currentPath === "/" ? "" : currentPath)
+  // Filter out paths that the user does not have permission to access, and paths that are not in the current path
+  const allowedPaths = paths.filter(
+    (folder) => hasAccess(environment, folder.path) && folder.path.startsWith(currentPath === "/" ? "" : currentPath)
   );
 
-  return pathsInCurrentDirectory;
+  return allowedPaths;
 };
 // used to convert multi line ones to quotes ones with \n
 const formatMultiValueEnv = (val?: string) => {
@@ -378,19 +376,12 @@ const formatMultiValueEnv = (val?: string) => {
   return `"${val.replace(/\n/g, "\\n")}"`;
 };
 
-type TSecretReferenceTraceNode = {
-  key: string;
-  value?: string;
-  environment: string;
-  secretPath: string;
-  children: TSecretReferenceTraceNode[];
-};
 type TInterpolateSecretArg = {
   projectId: string;
   decryptSecretValue: (encryptedValue?: Buffer | null) => string | undefined;
   secretDAL: Pick<TSecretV2BridgeDALFactory, "findByFolderId">;
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
-  canExpandValue: (environment: string, secretPath: string, secretName: string, secretTagSlugs: string[]) => boolean;
+  canExpandValue: (environment: string, secretPath: string) => boolean;
 };
 
 const MAX_SECRET_REFERENCE_DEPTH = 10;
@@ -401,46 +392,39 @@ export const expandSecretReferencesFactory = ({
   folderDAL,
   canExpandValue
 }: TInterpolateSecretArg) => {
-  const secretCache: Record<string, Record<string, { value: string; tags: string[] }>> = {};
+  const secretCache: Record<string, Record<string, string>> = {};
   const getCacheUniqueKey = (environment: string, secretPath: string) => `${environment}-${secretPath}`;
 
   const fetchSecret = async (environment: string, secretPath: string, secretKey: string) => {
     const cacheKey = getCacheUniqueKey(environment, secretPath);
 
     if (secretCache?.[cacheKey]) {
-      return secretCache[cacheKey][secretKey] || { value: "", tags: [] };
+      return secretCache[cacheKey][secretKey] || "";
     }
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
-    if (!folder) return { value: "", tags: [] };
+    if (!folder) return "";
     const secrets = await secretDAL.findByFolderId(folder.id);
 
-    const decryptedSecret = secrets.reduce<Record<string, { value: string; tags: string[] }>>((prev, secret) => {
+    const decryptedSecret = secrets.reduce<Record<string, string>>((prev, secret) => {
       // eslint-disable-next-line no-param-reassign
-      prev[secret.key] = { value: decryptSecret(secret.encryptedValue) || "", tags: secret.tags?.map((el) => el.slug) };
+      prev[secret.key] = decryptSecret(secret.encryptedValue) || "";
       return prev;
     }, {});
 
     secretCache[cacheKey] = decryptedSecret;
 
-    return secretCache[cacheKey][secretKey] || { value: "", tags: [] };
+    return secretCache[cacheKey][secretKey] || "";
   };
 
-  const recursivelyExpandSecret = async (dto: {
-    value?: string;
-    secretPath: string;
-    environment: string;
-    shouldStackTrace?: boolean;
-  }) => {
-    const stackTrace = { ...dto, key: "root", children: [] } as TSecretReferenceTraceNode;
+  const recursivelyExpandSecret = async (dto: { value?: string; secretPath: string; environment: string }) => {
+    if (!dto.value) return "";
 
-    if (!dto.value) return { expandedValue: "", stackTrace };
-    const stack = [{ ...dto, depth: 0, trace: stackTrace }];
+    const stack = [{ ...dto, depth: 0 }];
     let expandedValue = dto.value;
 
     while (stack.length) {
-      const { value, secretPath, environment, depth, trace } = stack.pop()!;
-
+      const { value, secretPath, environment, depth } = stack.pop()!;
       // eslint-disable-next-line no-continue
       if (depth > MAX_SECRET_REFERENCE_DEPTH) continue;
       const refs = value?.match(INTERPOLATION_SYNTAX_REG);
@@ -453,78 +437,61 @@ export const expandSecretReferencesFactory = ({
           // eslint-disable-next-line no-continue
           if (!entities.length) continue;
 
-          let referencedSecretPath = "";
-          let referencedSecretKey = "";
-          let referencedSecretEnvironmentSlug = "";
-          let referencedSecretValue = "";
-
           if (entities.length === 1) {
             const [secretKey] = entities;
 
-            // eslint-disable-next-line no-continue,no-await-in-loop
-            const referredValue = await fetchSecret(environment, secretPath, secretKey);
-            if (!canExpandValue(environment, secretPath, secretKey, referredValue.tags))
+            if (!canExpandValue(environment, secretPath))
               throw new ForbiddenRequestError({
                 message: `You are attempting to reference secret named ${secretKey} from environment ${environment} in path ${secretPath} which you do not have access to.`
               });
 
+            // eslint-disable-next-line no-continue,no-await-in-loop
+            const referedValue = await fetchSecret(environment, secretPath, secretKey);
             const cacheKey = getCacheUniqueKey(environment, secretPath);
-            secretCache[cacheKey][secretKey] = referredValue;
-
-            referencedSecretValue = referredValue.value;
-            referencedSecretKey = secretKey;
-            referencedSecretPath = secretPath;
-            referencedSecretEnvironmentSlug = environment;
+            secretCache[cacheKey][secretKey] = referedValue;
+            if (INTERPOLATION_SYNTAX_REG.test(referedValue)) {
+              stack.push({
+                value: referedValue,
+                secretPath,
+                environment,
+                depth: depth + 1
+              });
+            }
+            if (referedValue) {
+              expandedValue = expandedValue.replaceAll(interpolationSyntax, referedValue);
+            }
           } else {
             const secretReferenceEnvironment = entities[0];
             const secretReferencePath = path.join("/", ...entities.slice(1, entities.length - 1));
             const secretReferenceKey = entities[entities.length - 1];
 
-            // eslint-disable-next-line no-await-in-loop
-            const referedValue = await fetchSecret(secretReferenceEnvironment, secretReferencePath, secretReferenceKey);
-            if (!canExpandValue(secretReferenceEnvironment, secretReferencePath, secretReferenceKey, referedValue.tags))
+            if (!canExpandValue(secretReferenceEnvironment, secretReferencePath))
               throw new ForbiddenRequestError({
                 message: `You are attempting to reference secret named ${secretReferenceKey} from environment ${secretReferenceEnvironment} in path ${secretReferencePath} which you do not have access to.`
               });
 
+            // eslint-disable-next-line no-await-in-loop
+            const referedValue = await fetchSecret(secretReferenceEnvironment, secretReferencePath, secretReferenceKey);
             const cacheKey = getCacheUniqueKey(secretReferenceEnvironment, secretReferencePath);
             secretCache[cacheKey][secretReferenceKey] = referedValue;
-
-            referencedSecretValue = referedValue.value;
-            referencedSecretKey = secretReferenceKey;
-            referencedSecretPath = secretReferencePath;
-            referencedSecretEnvironmentSlug = secretReferenceEnvironment;
-          }
-
-          const node = {
-            value: referencedSecretValue,
-            secretPath: referencedSecretPath,
-            environment: referencedSecretEnvironmentSlug,
-            depth: depth + 1,
-            trace
-          };
-
-          const shouldExpandMore = INTERPOLATION_SYNTAX_REG_NON_GLOBAL.test(referencedSecretValue);
-          if (dto.shouldStackTrace) {
-            const stackTraceNode = { ...node, children: [], key: referencedSecretKey, trace: null };
-            trace?.children.push(stackTraceNode);
-            // if stack trace this would be child node
-            if (shouldExpandMore) {
-              stack.push({ ...node, trace: stackTraceNode });
+            if (INTERPOLATION_SYNTAX_REG.test(referedValue)) {
+              stack.push({
+                value: referedValue,
+                secretPath: secretReferencePath,
+                environment: secretReferenceEnvironment,
+                depth: depth + 1
+              });
             }
-          } else if (shouldExpandMore) {
-            // if no stack trace is needed we just keep going with root node
-            stack.push(node);
-          }
 
-          if (referencedSecretValue) {
-            expandedValue = expandedValue.replaceAll(interpolationSyntax, referencedSecretValue);
+            if (referedValue) {
+              expandedValue = expandedValue.replaceAll(interpolationSyntax, referedValue);
+            }
           }
         }
       }
     }
 
-    return { expandedValue, stackTrace };
+    return expandedValue;
   };
 
   const expandSecret = async (inputSecret: {
@@ -538,21 +505,10 @@ export const expandSecretReferencesFactory = ({
     const shouldExpand = Boolean(inputSecret.value?.match(INTERPOLATION_SYNTAX_REG));
     if (!shouldExpand) return inputSecret.value;
 
-    const { expandedValue } = await recursivelyExpandSecret(inputSecret);
-
-    return inputSecret.skipMultilineEncoding ? formatMultiValueEnv(expandedValue) : expandedValue;
+    const expandedSecretValue = await recursivelyExpandSecret(inputSecret);
+    return inputSecret.skipMultilineEncoding ? formatMultiValueEnv(expandedSecretValue) : expandedSecretValue;
   };
-
-  const getExpandedSecretStackTrace = async (inputSecret: {
-    value?: string;
-    secretPath: string;
-    environment: string;
-  }) => {
-    const { stackTrace, expandedValue } = await recursivelyExpandSecret({ ...inputSecret, shouldStackTrace: true });
-    return { stackTrace, expandedValue };
-  };
-
-  return { expandSecretReferences: expandSecret, getExpandedSecretStackTrace };
+  return expandSecret;
 };
 
 export const reshapeBridgeSecret = (

backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts

@@ -15,12 +15,6 @@ type TPartialSecret = Pick<TSecretsV2, "id" | "reminderRepeatDays" | "reminderNo
 
 type TPartialInputSecret = Pick<TSecretsV2, "type" | "reminderNote" | "reminderRepeatDays" | "id">;
 
-export type TSecretReferenceDTO = {
-  environment: string;
-  secretPath: string;
-  secretKey: string;
-};
-
 export type TGetSecretsDTO = {
   expandSecretReferences?: boolean;
   path: string;
@@ -278,10 +272,3 @@ export type TAttachSecretTagsDTO = {
   secretPath: string;
   type: SecretType;
 } & Omit<TProjectPermission, "projectId">;
-
-export type TGetSecretReferencesTreeDTO = {
-  projectId: string;
-  secretName: string;
-  environment: string;
-  secretPath: string;
-} & Omit<TProjectPermission, "projectId">;

backend/src/services/secret/secret-fns.ts

@@ -25,7 +25,7 @@ import { logger } from "@app/lib/logger";
 import {
   fnSecretBulkInsert as fnSecretV2BridgeBulkInsert,
   fnSecretBulkUpdate as fnSecretV2BridgeBulkUpdate,
-  getAllSecretReferences
+  getAllNestedSecretReferences as getAllNestedSecretReferencesV2Bridge
 } from "@app/services/secret-v2-bridge/secret-v2-bridge-fns";
 
 import { ActorAuthMethod, ActorType } from "../auth/auth-type";
@@ -793,7 +793,7 @@ export const createManySecretsRawFnFactory = ({
             : null,
           skipMultilineEncoding: secret.skipMultilineEncoding,
           tags: secret.tags,
-          references: getAllSecretReferences(secret.secretValue).nestedReferences
+          references: getAllNestedSecretReferencesV2Bridge(secret.secretValue)
         };
       });
 
@@ -973,7 +973,7 @@ export const updateManySecretsRawFnFactory = ({
             : null,
           skipMultilineEncoding: secret.skipMultilineEncoding,
           tags: secret.tags,
-          references: getAllSecretReferences(secret.secretValue).nestedReferences
+          references: getAllNestedSecretReferencesV2Bridge(secret.secretValue)
         };
       });
 

backend/src/services/secret/secret-queue.ts

@@ -50,7 +50,7 @@ import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
 import { fnSecretsV2FromImports } from "../secret-import/secret-import-fns";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
-import { expandSecretReferencesFactory, getAllSecretReferences } from "../secret-v2-bridge/secret-v2-bridge-fns";
+import { expandSecretReferencesFactory, getAllNestedSecretReferences } from "../secret-v2-bridge/secret-v2-bridge-fns";
 import { TSecretVersionV2DALFactory } from "../secret-v2-bridge/secret-version-dal";
 import { TSecretVersionV2TagDALFactory } from "../secret-v2-bridge/secret-version-tag-dal";
 import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
@@ -299,7 +299,7 @@ export const secretQueueFactory = ({
       );
       return content;
     }
-    const { expandSecretReferences } = expandSecretReferencesFactory({
+    const expandSecretReferences = expandSecretReferencesFactory({
       decryptSecretValue: dto.decryptor,
       secretDAL: secretV2BridgeDAL,
       folderDAL,
@@ -342,8 +342,7 @@ export const secretQueueFactory = ({
       secretDAL: secretV2BridgeDAL,
       expandSecretReferences,
       secretImportDAL,
-      secretImports,
-      hasSecretAccess: () => true
+      allowedImports: secretImports
     });
 
     for (let i = importedSecrets.length - 1; i >= 0; i -= 1) {
@@ -1148,7 +1147,7 @@ export const secretQueueFactory = ({
                   : "";
               const encryptedValue = secretManagerEncryptor({ plainText: Buffer.from(value) }).cipherTextBlob;
               // create references
-              const references = getAllSecretReferences(value).nestedReferences;
+              const references = getAllNestedSecretReferences(value);
               secretReferences.push({ secretId: el.id, references });
 
               const encryptedComment = comment

backend/src/services/secret/secret-service.ts

@@ -38,7 +38,6 @@ import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
 import { fnSecretsFromImports } from "../secret-import/secret-import-fns";
 import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
 import { TSecretV2BridgeServiceFactory } from "../secret-v2-bridge/secret-v2-bridge-service";
-import { TGetSecretReferencesTreeDTO } from "../secret-v2-bridge/secret-v2-bridge-types";
 import { TSecretDALFactory } from "./secret-dal";
 import {
   decryptSecretRaw,
@@ -1100,18 +1099,6 @@ export const secretServiceFactory = ({
     return secrets;
   };
 
-  const getSecretReferenceTree = async (dto: TGetSecretReferencesTreeDTO) => {
-    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(dto.projectId);
-
-    if (!shouldUseSecretV2Bridge)
-      throw new BadRequestError({
-        message: "Project version does not support secret reference tree",
-        name: "SecretReferenceTreeNotSupported"
-      });
-
-    return secretV2BridgeService.getSecretReferenceTree(dto);
-  };
-
   const getSecretsRaw = async ({
     projectId,
     path,
@@ -2449,26 +2436,17 @@ export const secretServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
-      subject(ProjectPermissionSub.Secrets, {
-        environment: sourceEnvironment,
-        secretPath: sourceSecretPath
-      })
+      subject(ProjectPermissionSub.Secrets, { environment: sourceEnvironment, secretPath: sourceSecretPath })
     );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
-      subject(ProjectPermissionSub.Secrets, {
-        environment: destinationEnvironment,
-        secretPath: destinationSecretPath
-      })
+      subject(ProjectPermissionSub.Secrets, { environment: destinationEnvironment, secretPath: destinationSecretPath })
     );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, {
-        environment: destinationEnvironment,
-        secretPath: destinationSecretPath
-      })
+      subject(ProjectPermissionSub.Secrets, { environment: destinationEnvironment, secretPath: destinationSecretPath })
     );
 
     const { botKey } = await projectBotService.getBotKey(project.id);
@@ -2870,7 +2848,6 @@ export const secretServiceFactory = ({
     startSecretV2Migration,
     getSecretsCount,
     getSecretsCountMultiEnv,
-    getSecretsRawMultiEnv,
-    getSecretReferenceTree
+    getSecretsRawMultiEnv
   };
 };

docker-compose.prod.yml

@@ -37,7 +37,6 @@ services:
     image: redis
     container_name: infisical-dev-redis
     env_file: .env
-    restart: always
     environment:
       - ALLOW_EMPTY_PASSWORD=yes
     ports:

docs/integrations/cicd/githubactions.mdx

@@ -79,7 +79,7 @@ Infisical lets you sync secrets to GitHub at the organization-level, repository-
         Disable webhook by unchecking the Active checkbox.
         ![integrations github app webhook](../../images/integrations/github/app/self-hosted-github-app-webhook.png)
 
-        Set the repository permissions as follows: Metadata: Read-only, Secrets: Read and write, Environments: Read and write, Actions: Read.
+        Set the repository permissions as follows: Metadata: Read-only, Secrets: Read and write, Environments: Read and write.
         ![integrations github app repository](../../images/integrations/github/app/self-hosted-github-app-repository.png)
 
         Similarly, set the organization permissions as follows: Secrets: Read and write.

docs/integrations/platforms/kubernetes.mdx

@@ -10,7 +10,9 @@ It uses an `InfisicalSecret` resource to specify authentication and storage meth
 The operator continuously updates secrets and can also reload dependent deployments automatically.
 
 <Note>
-  If you are already using the External Secrets operator, you can view the integration documentation for it [here](https://external-secrets.io/latest/provider/infisical/).
+  If you are already using the External Secrets operator, you can view the
+  integration documentation for it
+  [here](https://external-secrets.io/latest/provider/infisical/).
 </Note>
 
 ## Install Operator
@@ -31,7 +33,7 @@ The operator can be install via [Helm](https://helm.sh) or [kubectl](https://git
     To select a specific version, view the  application versions [here](https://hub.docker.com/r/infisical/kubernetes-operator/tags) and chart versions [here](https://cloudsmith.io/~infisical/repos/helm-charts/packages/detail/helm/secrets-operator/#versions)
 
     ```bash
-    helm install --generate-name infisical-helm-charts/secrets-operator 
+    helm install --generate-name infisical-helm-charts/secrets-operator
     ```
 
     ```bash
@@ -61,109 +63,106 @@ Once you apply the manifest, the operator will be installed in `infisical-operat
 Once you have installed the operator to your cluster, you'll need to create a `InfisicalSecret` custom resource definition (CRD).
 
 ```yaml example-infisical-secret-crd.yaml
-
 apiVersion: secrets.infisical.com/v1alpha1
 kind: InfisicalSecret
 metadata:
-    name: infisicalsecret-sample
-    labels:
-        label-to-be-passed-to-managed-secret: sample-value
-    annotations:
-        example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
+  name: infisicalsecret-sample
+  labels:
+    label-to-be-passed-to-managed-secret: sample-value
+  annotations:
+    example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
 spec:
-    hostAPI: https://app.infisical.com/api
-    resyncInterval: 10
-    authentication:
-        # Make sure to only have 1 authentication method defined, serviceToken/universalAuth.
-        # If you have multiple authentication methods defined, it may cause issues.
+  hostAPI: https://app.infisical.com/api
+  resyncInterval: 10
+  authentication:
+    # Make sure to only have 1 authentication method defined, serviceToken/universalAuth.
+    # If you have multiple authentication methods defined, it may cause issues.
 
-        # (Deprecated) Service Token Auth
-        serviceToken:
-            serviceTokenSecretReference:
-                secretName: service-token
-                secretNamespace: default
-            secretsScope:
-                envSlug: <env-slug>
-                secretsPath: <secrets-path>
-                recursive: true
-
-        # Universal Auth
-        universalAuth:
-            secretsScope:
-                projectSlug: new-ob-em
-                envSlug: dev # "dev", "staging", "prod", etc..
-                secretsPath: "/" # Root is "/"
-                recursive: true # Wether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
-            credentialsRef:
-                secretName: universal-auth-credentials
-                secretNamespace: default
-
-        # Native Kubernetes Auth
-        kubernetesAuth:
-            identityId: <machine-identity-id>
-            serviceAccountRef:
-              name: <service-account-name>
-              namespace: <service-account-namespace>
-
-            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
-            secretsScope:
-                projectSlug: your-project-slug
-                envSlug: prod
-                secretsPath: "/path"
-                recursive: true
-
-        # AWS IAM Auth
-        awsIamAuth:
-            identityId: <your-machine-identity-id>
-
-            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
-            secretsScope:
-                projectSlug: your-project-slug
-                envSlug: prod
-                secretsPath: "/path"
-                recursive: true
-
-        # Azure Auth
-        azureAuth:
-            identityId: <your-machine-identity-id>
-            resource: https://management.azure.com/&client_id=CLIENT_ID # (Optional) This is the Azure resource that you want to access. For example, "https://management.azure.com/". If no value is provided, it will default to "https://management.azure.com/"
-
-            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
-            secretsScope:
-                projectSlug: your-project-slug
-                envSlug: prod
-                secretsPath: "/path"
-                recursive: true
-
-        # GCP ID Token Auth
-        gcpIdTokenAuth:
-            identityId: <your-machine-identity-id>
-
-            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
-            secretsScope:
-                projectSlug: your-project-slug
-                envSlug: prod
-                secretsPath: "/path"
-                recursive: true
-
-        # GCP IAM Auth
-        gcpIamAuth:
-            identityId: <your-machine-identity-id>
-
-            # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
-            secretsScope:
-                projectSlug: your-project-slug
-                envSlug: prod
-                secretsPath: "/path"
-                recursive: true
-
-    managedSecretReference:
-        secretName: managed-secret
+    # (Deprecated) Service Token Auth
+    serviceToken:
+      serviceTokenSecretReference:
+        secretName: service-token
         secretNamespace: default
-        creationPolicy: "Orphan" ## Owner | Orphan
-        # secretType: kubernetes.io/dockerconfigjson
+      secretsScope:
+        envSlug: <env-slug>
+        secretsPath: <secrets-path>
+        recursive: true
 
+    # Universal Auth
+    universalAuth:
+      secretsScope:
+        projectSlug: new-ob-em
+        envSlug: dev # "dev", "staging", "prod", etc..
+        secretsPath: "/" # Root is "/"
+        recursive: true # Wether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
+      credentialsRef:
+        secretName: universal-auth-credentials
+        secretNamespace: default
 
+    # Native Kubernetes Auth
+    kubernetesAuth:
+      identityId: <machine-identity-id>
+      serviceAccountRef:
+        name: <service-account-name>
+        namespace: <service-account-namespace>
+
+      # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+      secretsScope:
+        projectSlug: your-project-slug
+        envSlug: prod
+        secretsPath: "/path"
+        recursive: true
+
+    # AWS IAM Auth
+    awsIamAuth:
+      identityId: <your-machine-identity-id>
+
+      # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+      secretsScope:
+        projectSlug: your-project-slug
+        envSlug: prod
+        secretsPath: "/path"
+        recursive: true
+
+    # Azure Auth
+    azureAuth:
+      identityId: <your-machine-identity-id>
+      resource: https://management.azure.com/&client_id=CLIENT_ID # (Optional) This is the Azure resource that you want to access. For example, "https://management.azure.com/". If no value is provided, it will default to "https://management.azure.com/"
+
+      # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+      secretsScope:
+        projectSlug: your-project-slug
+        envSlug: prod
+        secretsPath: "/path"
+        recursive: true
+
+    # GCP ID Token Auth
+    gcpIdTokenAuth:
+      identityId: <your-machine-identity-id>
+
+      # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+      secretsScope:
+        projectSlug: your-project-slug
+        envSlug: prod
+        secretsPath: "/path"
+        recursive: true
+
+    # GCP IAM Auth
+    gcpIamAuth:
+      identityId: <your-machine-identity-id>
+
+      # secretsScope is identical to the secrets scope in the universalAuth field in this sample.
+      secretsScope:
+        projectSlug: your-project-slug
+        envSlug: prod
+        secretsPath: "/path"
+        recursive: true
+
+  managedSecretReference:
+    secretName: managed-secret
+    secretNamespace: default
+    creationPolicy: "Orphan" ## Owner | Orphan
+    # secretType: kubernetes.io/dockerconfigjson
 ```
 
 ### InfisicalSecret CRD properties
@@ -193,6 +192,31 @@ When `hostAPI` is not defined the operator fetches secrets from Infisical Cloud.
   available on paid plans. Default re-sync interval is every 1 minute.
 </Accordion>
 
+<Accordion title="tls">
+  This block defines the TLS settings to use for connecting to the Infisical
+  instance.
+</Accordion>
+
+<Accordion title="tls.caRef">
+  This block defines the reference to the CA certificate to use for connecting
+  to the Infisical instance with SSL/TLS.
+</Accordion>
+
+<Accordion title="tls.caRef.secretName">
+  The name of the Kubernetes secret containing the CA certificate to use for
+  connecting to the Infisical instance with SSL/TLS.
+</Accordion>
+
+<Accordion title="tls.caRef.secretNamespace">
+  The namespace of the Kubernetes secret containing the CA certificate to use
+  for connecting to the Infisical instance with SSL/TLS.
+</Accordion>
+
+<Accordion title="tls.caRef.key">
+  The name of the key in the Kubernetes secret which contains the value of the
+  CA certificate to use for connecting to the Infisical instance with SSL/TLS.
+</Accordion>
+
 <Accordion title="authentication">
   This block defines the method that will be used to authenticate with Infisical
   so that secrets can be fetched
@@ -222,8 +246,6 @@ When `hostAPI` is not defined the operator fetches secrets from Infisical Cloud.
 
   </Steps>
 
-
-
 <Info>
   Make sure to also populate the `secretsScope` field with the project slug
   _`projectSlug`_, environment slug _`envSlug`_, and secrets path
@@ -365,15 +387,15 @@ spec:
 
     </Step>
     <Step title="Add your identity ID & service account to your InfisicalSecret resource">
-      Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource. 
-      In the `authentication.kubernetesAuth.identityId` field, add the identity ID of the machine identity you created. 
+      Once you have created your machine identity and added it to your project(s), you will need to add the identity ID to your InfisicalSecret resource.
+      In the `authentication.kubernetesAuth.identityId` field, add the identity ID of the machine identity you created.
       See the example below for more details.
     </Step>
     <Step title="Add your Kubernetes service account token to the InfisicalSecret resource">
-      Add the service account details from the previous steps under `authentication.kubernetesAuth.serviceAccountRef`. 
-      Here you will need to enter the name and namespace of the service account. 
+      Add the service account details from the previous steps under `authentication.kubernetesAuth.serviceAccountRef`.
+      Here you will need to enter the name and namespace of the service account.
       The example below shows a complete InfisicalSecret resource with all required fields defined.
-    </Step> 
+    </Step>
 
   </Steps>
 
@@ -539,8 +561,6 @@ spec:
 
 </Accordion>
 
-
-
 <Accordion title="authentication.gcpIamAuth">
   The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used both within and outside GCP environments.
 
@@ -877,6 +897,42 @@ spec:
 
 </Accordion>
 
+### Connecting to instances with private/self-signed certificate
+
+To connect to Infisical instances behind a private/self-signed certificate, you can configure the TLS settings in the `InfisicalSecret` CRD
+to point to a CA certificate stored in a Kubernetes secret resource.
+
+```yaml
+---
+spec:
+  hostAPI: https://app.infisical.com/api
+  resyncInterval: 10
+  tls:
+    caRef:
+      secretName: custom-ca-certificate
+      secretNamespace: default
+      key: ca.crt
+  authentication:
+---
+```
+
+The definition file of the Kubernetes secret for the CA certificate can be structured like the following:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: custom-ca-certificate
+type: Opaque
+stringData:
+  ca.crt: |
+    -----BEGIN CERTIFICATE-----
+    MIIEZzCCA0+gAwIBAgIUDk9+HZcMHppiNy0TvoBg8/aMEqIwDQYJKoZIhvcNAQEL
+    ...
+    BQAwDTELMAkGA1UEChMCUEgwHhcNMjQxMDI1MTU0MjAzWhcNMjUxMDI1MjE0MjAz
+    -----END CERTIFICATE-----
+```
+
 ## Auto redeployment
 
 Deployments using managed secrets don't reload automatically on updates, so they may use outdated secrets unless manually redeployed.
@@ -889,6 +945,7 @@ To enable auto redeployment you simply have to add the following annotation to t
 ```yaml
 secrets.infisical.com/auto-reload: "true"
 ```
+
 <Accordion title="Deployment example with auto redeploy enabled">
 ```yaml
 apiVersion: apps/v1

frontend/package-lock.json

@@ -26,7 +26,6 @@
         "@radix-ui/react-accordion": "^1.1.2",
         "@radix-ui/react-alert-dialog": "^1.0.5",
         "@radix-ui/react-checkbox": "^1.0.4",
-        "@radix-ui/react-collapsible": "^1.0.3",
         "@radix-ui/react-dialog": "^1.0.5",
         "@radix-ui/react-dropdown-menu": "^2.0.6",
         "@radix-ui/react-hover-card": "^1.0.7",
@@ -4932,7 +4931,6 @@
       "version": "1.0.3",
       "resolved": "https://registry.npmjs.org/@radix-ui/react-collapsible/-/react-collapsible-1.0.3.tgz",
       "integrity": "sha512-UBmVDkmR6IvDsloHVN+3rtx4Mi5TFvylYXpluuv0f37dtaz3H99bp8No0LGXRigVpl3UAT4l9j6bIchh42S/Gg==",
-      "license": "MIT",
       "dependencies": {
         "@babel/runtime": "^7.13.10",
         "@radix-ui/primitive": "1.0.1",

frontend/package.json

@@ -39,7 +39,6 @@
     "@radix-ui/react-accordion": "^1.1.2",
     "@radix-ui/react-alert-dialog": "^1.0.5",
     "@radix-ui/react-checkbox": "^1.0.4",
-    "@radix-ui/react-collapsible": "^1.0.3",
     "@radix-ui/react-dialog": "^1.0.5",
     "@radix-ui/react-dropdown-menu": "^2.0.6",
     "@radix-ui/react-hover-card": "^1.0.7",

frontend/src/components/permissions/GlobPermissionInfo.tsx

@@ -1,33 +0,0 @@
-import { useState } from "react";
-import picomatch from "picomatch";
-
-import { FormControl } from "../v2/FormControl";
-import { Input } from "../v2/Input";
-
-export const GlobPermissionInfo = () => {
-  const [pattern, setPattern] = useState("");
-  const [text, setText] = useState("");
-
-  return (
-    <div>
-      <div className="mt-2">A glob pattern uses wildcards to match resources or paths.</div>
-      <div>
-        <FormControl label="Glob pattern" helperText="Examples: /{a,b}, DB_**">
-          <Input value={pattern} onChange={(e) => setPattern(e.target.value)} />
-        </FormControl>
-      </div>
-      <div>
-        <FormControl
-          label="Test string"
-          helperText="Type a value to test glob match"
-          isError={
-            pattern && text ? !picomatch.isMatch(text, pattern, { strictSlashes: false }) : false
-          }
-          errorText="Invalid"
-        >
-          <Input value={text} onChange={(e) => setText(e.target.value)} />
-        </FormControl>
-      </div>
-    </div>
-  );
-};

frontend/src/components/permissions/ProjectPermissionCan.tsx

@@ -1,25 +1,23 @@
 import { FunctionComponent, ReactNode } from "react";
-import { AbilityTuple, MongoAbility } from "@casl/ability";
-import { Can } from "@casl/react";
+import { BoundCanProps, Can } from "@casl/react";
 
-import { ProjectPermissionSet, useProjectPermission } from "@app/context/ProjectPermissionContext";
+import { TProjectPermission, useProjectPermission } from "@app/context/ProjectPermissionContext";
 
-import { Tooltip } from "../v2/Tooltip";
+import { Tooltip } from "../v2";
 
-type Props<T extends AbilityTuple> = {
+type Props = {
   label?: ReactNode;
   // this prop is used when there exist already a tooltip as helper text for users
   // so when permission is allowed same tooltip will be reused  to show helpertext
   renderTooltip?: boolean;
   allowedLabel?: string;
-  children: ReactNode | ((isAllowed: boolean, ability: T) => ReactNode);
-  passThrough?: boolean;
-  I: T[0];
-  a: T[1];
-  ability?: MongoAbility<T>;
-};
+  // BUG(akhilmhdh): As a workaround for now i put any but this should be TProjectPermission
+  // For some reason when i put TProjectPermission in a wrapper component it just wont work causes a weird  ts error
+  // tried a lot combinations
+  // REF: https://github.com/stalniy/casl/blob/ac081a34f56366a7eaaed05d21689d27041ef005/packages/casl-react/src/factory.ts#L15
+} & BoundCanProps<any>;
 
-export const ProjectPermissionCan: FunctionComponent<Props<ProjectPermissionSet>> = ({
+export const ProjectPermissionCan: FunctionComponent<Props> = ({
   label = "Access restricted",
   children,
   passThrough = true,
@@ -33,7 +31,9 @@ export const ProjectPermissionCan: FunctionComponent<Props<ProjectPermissionSet>
       {(isAllowed, ability) => {
         // akhilmhdh: This is set as type due to error in casl react type.
         const finalChild =
-          typeof children === "function" ? children(isAllowed, ability as any) : children;
+          typeof children === "function"
+            ? children(isAllowed, ability as TProjectPermission)
+            : children;
 
         if (!isAllowed && passThrough) {
           return <Tooltip content={label}>{finalChild}</Tooltip>;

frontend/src/components/permissions/index.tsx

@@ -1,4 +1,3 @@
-export { GlobPermissionInfo } from "./GlobPermissionInfo";
 export { OrgPermissionCan } from "./OrgPermissionCan";
 export { PermissionDeniedBanner } from "./PermissionDeniedBanner";
 export { ProjectPermissionCan } from "./ProjectPermissionCan";

frontend/src/components/v2/Alert/Alert.tsx

@@ -9,7 +9,7 @@ import { type VariantProps, cva } from "cva";
 import { twMerge } from "tailwind-merge";
 
 const alertVariants = cva(
-  "w-full bg-mineshaft-800 rounded-lg border border-bunker-400 px-4 py-3 text-sm flex items-center gap-x-4",
+  "w-full bg-mineshaft-800 rounded-lg border px-4 py-3 text-sm flex items-center gap-x-4",
   {
     variants: {
       variant: {
@@ -66,7 +66,7 @@ const Alert = forwardRef<
       </div>
       <div className="flex flex-col gap-y-1">
         {hideTitle ? null : (
-          <h5 className="font-medium leading-6 tracking-tight" {...props}>
+          <h5 className="font-medium leading-none tracking-tight" {...props}>
             {defaultTitle}
           </h5>
         )}

frontend/src/components/v2/Select/Select.tsx

@@ -12,7 +12,6 @@ type Props = {
   placeholder?: string;
   className?: string;
   dropdownContainerClassName?: string;
-  containerClassName?: string;
   isLoading?: boolean;
   position?: "item-aligned" | "popper";
   isDisabled?: boolean;
@@ -32,13 +31,12 @@ export const Select = forwardRef<HTMLButtonElement, SelectProps>(
       isDisabled,
       dropdownContainerClassName,
       position,
-      containerClassName,
       ...props
     },
     ref
   ): JSX.Element => {
     return (
-      <div className={twMerge("flex items-center space-x-2", containerClassName)}>
+      <div className="flex items-center space-x-2">
         <SelectPrimitive.Root
           {...props}
           onValueChange={(value) => {

frontend/src/context/ProjectPermissionContext/index.tsx

@@ -3,6 +3,5 @@ export type { ProjectPermissionSet, TProjectPermission } from "./types";
 export {
   ProjectPermissionActions,
   ProjectPermissionCmekActions,
-  ProjectPermissionDynamicSecretActions,
   ProjectPermissionSub
 } from "./types";

frontend/src/context/ProjectPermissionContext/types.ts

@@ -7,14 +7,6 @@ export enum ProjectPermissionActions {
   Delete = "delete"
 }
 
-export enum ProjectPermissionDynamicSecretActions {
-  ReadRootCredential = "read-root-credential",
-  CreateRootCredential = "create-root-credential",
-  EditRootCredential = "edit-root-credential",
-  DeleteRootCredential = "delete-root-credential",
-  Lease = "lease"
-}
-
 export enum ProjectPermissionCmekActions {
   Read = "read",
   Create = "create",
@@ -29,7 +21,7 @@ export enum PermissionConditionOperators {
   $ALL = "$all",
   $REGEX = "$regex",
   $EQ = "$eq",
-  $NEQ = "$ne",
+  $NEQ = "$neq",
   $GLOB = "$glob"
 }
 
@@ -45,7 +37,7 @@ export type TPermissionConditionOperators = {
 export type TPermissionCondition = Record<
   string,
   | string
-  | { $in: string[]; $all: string[]; $regex: string; $eq: string; $ne: string; $glob: string }
+  | { $in: string[]; $all: string[]; $regex: string; $eq: string; $neq: string; $glob: string }
 >;
 
 export enum ProjectPermissionSub {
@@ -60,11 +52,9 @@ export enum ProjectPermissionSub {
   Tags = "tags",
   AuditLogs = "audit-logs",
   IpAllowList = "ip-allowlist",
-  Project = "workspace",
+  Workspace = "workspace",
   Secrets = "secrets",
   SecretFolders = "secret-folders",
-  SecretImports = "secret-imports",
-  DynamicSecrets = "dynamic-secrets",
   SecretRollback = "secret-rollback",
   SecretApproval = "secret-approval",
   SecretRotation = "secret-rotation",
@@ -78,24 +68,7 @@ export enum ProjectPermissionSub {
   Cmek = "cmek"
 }
 
-export type SecretSubjectFields = {
-  environment: string;
-  secretPath: string;
-  secretName: string;
-  secretTags: string[];
-};
-
-export type SecretFolderSubjectFields = {
-  environment: string;
-  secretPath: string;
-};
-
-export type DynamicSecretSubjectFields = {
-  environment: string;
-  secretPath: string;
-};
-
-export type SecretImportSubjectFields = {
+type SubjectFields = {
   environment: string;
   secretPath: string;
 };
@@ -103,30 +76,13 @@ export type SecretImportSubjectFields = {
 export type ProjectPermissionSet =
   | [
       ProjectPermissionActions,
-      (
-        | ProjectPermissionSub.Secrets
-        | (ForcedSubject<ProjectPermissionSub.Secrets> & SecretSubjectFields)
-      )
+      ProjectPermissionSub.Secrets | (ForcedSubject<ProjectPermissionSub.Secrets> & SubjectFields)
     ]
   | [
       ProjectPermissionActions,
       (
         | ProjectPermissionSub.SecretFolders
-        | (ForcedSubject<ProjectPermissionSub.SecretFolders> & SecretFolderSubjectFields)
-      )
-    ]
-  | [
-      ProjectPermissionDynamicSecretActions,
-      (
-        | ProjectPermissionSub.DynamicSecrets
-        | (ForcedSubject<ProjectPermissionSub.DynamicSecrets> & DynamicSecretSubjectFields)
-      )
-    ]
-  | [
-      ProjectPermissionActions,
-      (
-        | ProjectPermissionSub.SecretImports
-        | (ForcedSubject<ProjectPermissionSub.SecretImports> & SecretImportSubjectFields)
+        | (ForcedSubject<ProjectPermissionSub.SecretFolders> & SubjectFields)
       )
     ]
   | [ProjectPermissionActions, ProjectPermissionSub.Role]
@@ -139,19 +95,19 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.Environments]
   | [ProjectPermissionActions, ProjectPermissionSub.IpAllowList]
   | [ProjectPermissionActions, ProjectPermissionSub.Settings]
+  | [ProjectPermissionActions, ProjectPermissionSub.Identity]
   | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
   | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
   | [ProjectPermissionActions, ProjectPermissionSub.SecretRotation]
-  | [ProjectPermissionActions, ProjectPermissionSub.Identity]
   | [ProjectPermissionActions, ProjectPermissionSub.CertificateAuthorities]
   | [ProjectPermissionActions, ProjectPermissionSub.Certificates]
   | [ProjectPermissionActions, ProjectPermissionSub.CertificateTemplates]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
-  | [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]
-  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Project]
+  | [ProjectPermissionActions.Delete, ProjectPermissionSub.Workspace]
+  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Workspace]
   | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
   | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback]
-  | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
-  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms];
+  | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek];
+
 export type TProjectPermission = MongoAbility<ProjectPermissionSet>;

frontend/src/context/index.tsx

@@ -11,7 +11,6 @@ export type { TProjectPermission } from "./ProjectPermissionContext";
 export {
   ProjectPermissionActions,
   ProjectPermissionCmekActions,
-  ProjectPermissionDynamicSecretActions,
   ProjectPermissionProvider,
   ProjectPermissionSub,
   useProjectPermission

frontend/src/helpers/roles.ts

@@ -4,17 +4,5 @@ enum OrgMembershipRole {
   NoAccess = "no-access"
 }
 
-enum ProjectMemberRole {
-  Admin = "admin",
-  Member = "member",
-  Viewer = "viewer",
-  NoAccess = "no-access"
-}
-
 export const isCustomOrgRole = (slug: string) =>
   !Object.values(OrgMembershipRole).includes(slug as OrgMembershipRole);
-
-export const formatProjectRoleName = (name: string) => {
-  if (name === ProjectMemberRole.Member) return "developer";
-  return name;
-};

frontend/src/hoc/withProjectPermission/withProjectPermission.tsx

@@ -1,29 +1,31 @@
 import { ComponentType } from "react";
-import { AbilityTuple } from "@casl/ability";
+import { Abilities, AbilityTuple, Generics, SubjectType } from "@casl/ability";
 import { faLock } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { twMerge } from "tailwind-merge";
 
-import { useProjectPermission } from "@app/context";
-import { ProjectPermissionSet } from "@app/context/ProjectPermissionContext";
+import { TProjectPermission, useProjectPermission } from "@app/context";
 
-type Props<T extends AbilityTuple> = {
-  className?: string;
-  containerClassName?: string;
-  action: T[0];
-  subject: T[1];
-};
+type Props<T extends Abilities> = (T extends AbilityTuple
+  ? {
+      action: T[0];
+      subject: Extract<T[1], SubjectType>;
+    }
+  : {
+      action: string;
+      subject: string;
+    }) & { className?: string; containerClassName?: string };
 
-export const withProjectPermission = <T extends {}>(
-  Component: ComponentType<Omit<Props<ProjectPermissionSet>, "action" | "subject"> & T>,
-  { action, subject, className, containerClassName }: Props<ProjectPermissionSet>
+export const withProjectPermission = <T extends {}, J extends TProjectPermission>(
+  Component: ComponentType<T>,
+  { action, subject, className, containerClassName }: Props<Generics<J>["abilities"]>
 ) => {
-  const HOC = (hocProps: Omit<Props<ProjectPermissionSet>, "action" | "subject"> & T) => {
+  const HOC = (hocProps: T) => {
     const { permission } = useProjectPermission();
 
     // akhilmhdh: Set as any due to casl/react ts type bug
     // REASON: casl due to its type checking can't seem to union even if union intersection is applied
-    if (permission.cannot(action as any, subject as any)) {
+    if (permission.cannot(action as any, subject)) {
       return (
         <div
           className={twMerge(

frontend/src/hooks/api/dashboard/queries.tsx

@@ -15,7 +15,6 @@ import {
 } from "@app/hooks/api/dashboard/types";
 import { OrderByDirection } from "@app/hooks/api/generic/types";
 import { mergePersonalSecrets } from "@app/hooks/api/secrets/queries";
-import { unique } from "@app/lib/fn/array";
 
 export const dashboardKeys = {
   all: () => ["dashboard"] as const,
@@ -155,20 +154,10 @@ export const useGetProjectSecretsOverview = (
     },
     select: useCallback((data: Awaited<ReturnType<typeof fetchProjectSecretsOverview>>) => {
       const { secrets, ...select } = data;
-      const uniqueSecrets = secrets ? unique(secrets, (i) => i.secretKey) : [];
-
-      const uniqueFolders = select.folders ? unique(select.folders, (i) => i.name) : [];
-
-      const uniqueDynamicSecrets = select.dynamicSecrets
-        ? unique(select.dynamicSecrets, (i) => i.name)
-        : [];
 
       return {
         ...select,
-        secrets: secrets ? mergePersonalSecrets(secrets) : undefined,
-        totalUniqueSecretsInPage: uniqueSecrets.length,
-        totalUniqueDynamicSecretsInPage: uniqueDynamicSecrets.length,
-        totalUniqueFoldersInPage: uniqueFolders.length
+        secrets: secrets ? mergePersonalSecrets(secrets) : undefined
       };
     }, []),
     keepPreviousData: true

frontend/src/hooks/api/dashboard/types.ts

@@ -12,9 +12,6 @@ export type DashboardProjectSecretsOverviewResponse = {
   totalFolderCount?: number;
   totalDynamicSecretCount?: number;
   totalCount: number;
-  totalUniqueSecretsInPage: number;
-  totalUniqueDynamicSecretsInPage: number;
-  totalUniqueFoldersInPage: number;
 };
 
 export type DashboardProjectSecretsDetailsResponse = {

frontend/src/hooks/api/identities/types.ts

@@ -1,5 +1,5 @@
 import { TOrgRole } from "../roles/types";
-import { ProjectUserMembershipTemporaryMode, Workspace } from "../workspace/types";
+import { Workspace } from "../workspace/types";
 import { IdentityAuthMethod } from "./enums";
 
 export type IdentityTrustedIp = {
@@ -66,7 +66,7 @@ export type IdentityMembership = {
       | {
           isTemporary: true;
           temporaryRange: string;
-          temporaryMode: ProjectUserMembershipTemporaryMode;
+          temporaryMode: string;
           temporaryAccessEndTime: string;
           temporaryAccessStartTime: string;
         }

frontend/src/hooks/api/identityProjectAdditionalPrivilege/mutation.tsx

@@ -15,11 +15,16 @@ export const useCreateIdentityProjectAdditionalPrivilege = () => {
 
   return useMutation<TIdentityProjectPrivilege, {}, TCreateIdentityProjectPrivilegeDTO>({
     mutationFn: async (dto) => {
-      const { data } = await apiRequest.post("/api/v2/identity-project-additional-privilege", dto);
+      const { data } = await apiRequest.post(
+        "/api/v1/additional-privilege/identity/permanent",
+        dto
+      );
       return data.privilege;
     },
-    onSuccess: (_, { projectId, identityId }) => {
-      queryClient.invalidateQueries(identitiyProjectPrivilegeKeys.list({ projectId, identityId }));
+    onSuccess: (_, { projectSlug, identityId }) => {
+      queryClient.invalidateQueries(
+        identitiyProjectPrivilegeKeys.list({ projectSlug, identityId })
+      );
     }
   });
 };
@@ -28,22 +33,19 @@ export const useUpdateIdentityProjectAdditionalPrivilege = () => {
   const queryClient = useQueryClient();
 
   return useMutation<TIdentityProjectPrivilege, {}, TUpdateIdentityProjectPrivlegeDTO>({
-    mutationFn: async ({ projectId, privilegeId, identityId, permissions, slug, type }) => {
-      const { data: res } = await apiRequest.patch(
-        `/api/v2/identity-project-additional-privilege/${privilegeId}`,
-        {
-          privilegeId,
-          projectId,
-          identityId,
-          permissions,
-          slug,
-          type
-        }
-      );
+    mutationFn: async ({ privilegeSlug, projectSlug, identityId, privilegeDetails }) => {
+      const { data: res } = await apiRequest.patch("/api/v1/additional-privilege/identity", {
+        privilegeSlug,
+        projectSlug,
+        identityId,
+        privilegeDetails
+      });
       return res.privilege;
     },
-    onSuccess: (_, { projectId, identityId }) => {
-      queryClient.invalidateQueries(identitiyProjectPrivilegeKeys.list({ projectId, identityId }));
+    onSuccess: (_, { projectSlug, identityId }) => {
+      queryClient.invalidateQueries(
+        identitiyProjectPrivilegeKeys.list({ projectSlug, identityId })
+      );
     }
   });
 };
@@ -52,21 +54,20 @@ export const useDeleteIdentityProjectAdditionalPrivilege = () => {
   const queryClient = useQueryClient();
 
   return useMutation<TIdentityProjectPrivilege, {}, TDeleteIdentityProjectPrivilegeDTO>({
-    mutationFn: async ({ identityId, projectId, privilegeId }) => {
-      const { data } = await apiRequest.delete(
-        `/api/v2/identity-project-additional-privilege/${privilegeId}`,
-        {
-          data: {
-            identityId,
-            privilegeId,
-            projectId
-          }
+    mutationFn: async ({ identityId, projectSlug, privilegeSlug }) => {
+      const { data } = await apiRequest.delete("/api/v1/additional-privilege/identity", {
+        data: {
+          identityId,
+          projectSlug,
+          privilegeSlug
         }
-      );
+      });
       return data.privilege;
     },
-    onSuccess: (_, { projectId, identityId }) => {
-      queryClient.invalidateQueries(identitiyProjectPrivilegeKeys.list({ projectId, identityId }));
+    onSuccess: (_, { projectSlug, identityId }) => {
+      queryClient.invalidateQueries(
+        identitiyProjectPrivilegeKeys.list({ projectSlug, identityId })
+      );
     }
   });
 };

frontend/src/hooks/api/identityProjectAdditionalPrivilege/queries.tsx

@@ -9,36 +9,36 @@ import {
 } from "./types";
 
 export const identitiyProjectPrivilegeKeys = {
-  details: ({ identityId, privilegeId, projectId }: TGetIdentityProjectPrivilegeDetails) =>
+  details: ({ identityId, privilegeSlug, projectSlug }: TGetIdentityProjectPrivilegeDetails) =>
     [
       "identity-user-privilege",
       {
         identityId,
-        projectId,
-        privilegeId
+        projectSlug,
+        privilegeSlug
       }
     ] as const,
-  list: ({ projectId, identityId }: TListIdentityProjectPrivileges) =>
-    ["identity-user-privileges", { identityId, projectId }] as const
+  list: ({ projectSlug, identityId }: TListIdentityProjectPrivileges) =>
+    ["identity-user-privileges", { identityId, projectSlug }] as const
 };
 
 export const useGetIdentityProjectPrivilegeDetails = ({
-  projectId,
+  projectSlug,
   identityId,
-  privilegeId
+  privilegeSlug
 }: TGetIdentityProjectPrivilegeDetails) => {
   return useQuery({
-    enabled: Boolean(projectId && identityId && privilegeId),
-    queryKey: identitiyProjectPrivilegeKeys.details({ projectId, privilegeId, identityId }),
+    enabled: Boolean(projectSlug && identityId && privilegeSlug),
+    queryKey: identitiyProjectPrivilegeKeys.details({ projectSlug, privilegeSlug, identityId }),
     queryFn: async () => {
       const {
         data: { privilege }
       } = await apiRequest.get<{
         privilege: TIdentityProjectPrivilege;
-      }>(`/api/v2/identity-project-additional-privilege/${privilegeId}`, {
+      }>(`/api/v1/additional-privilege/identity/${privilegeSlug}`, {
         params: {
           identityId,
-          projectId
+          projectSlug
         }
       });
       return privilege;
@@ -47,19 +47,19 @@ export const useGetIdentityProjectPrivilegeDetails = ({
 };
 
 export const useListIdentityProjectPrivileges = ({
-  projectId,
+  projectSlug,
   identityId
 }: TListIdentityProjectPrivileges) => {
   return useQuery({
-    enabled: Boolean(projectId && identityId),
-    queryKey: identitiyProjectPrivilegeKeys.list({ projectId, identityId }),
+    enabled: Boolean(projectSlug && identityId),
+    queryKey: identitiyProjectPrivilegeKeys.list({ projectSlug, identityId }),
     queryFn: async () => {
       const {
         data: { privileges }
       } = await apiRequest.get<{
         privileges: Array<TIdentityProjectPrivilege>;
-      }>("/api/v2/identity-project-additional-privilege", {
-        params: { identityId, projectId }
+      }>("/api/v1/additional-privilege/identity", {
+        params: { identityId, projectSlug }
       });
       return privileges;
     }

frontend/src/hooks/api/identityProjectAdditionalPrivilege/types.tsx

@@ -28,42 +28,48 @@ export type TIdentityProjectPrivilege = {
     }
 );
 
+export type TProjectSpecificPrivilegePermission = {
+  conditions: {
+    environment: string;
+    secretPath?: { $glob: string };
+  };
+  actions: string[];
+  subject: string;
+};
+
 export type TCreateIdentityProjectPrivilegeDTO = {
   identityId: string;
-  projectId: string;
+  projectSlug: string;
   slug?: string;
-  type:
-    | {
-        isTemporary: true;
-        temporaryMode?: IdentityProjectAdditionalPrivilegeTemporaryMode;
-        temporaryRange?: string;
-        temporaryAccessStartTime?: string;
-      }
-    | {
-        isTemporary: false;
-      };
-  permissions: TProjectPermission[];
+  isTemporary?: boolean;
+  temporaryMode?: IdentityProjectAdditionalPrivilegeTemporaryMode;
+  temporaryRange?: string;
+  temporaryAccessStartTime?: string;
+  privilegePermission: TProjectSpecificPrivilegePermission;
 };
 
 export type TUpdateIdentityProjectPrivlegeDTO = {
-  projectId: string;
+  projectSlug: string;
   identityId: string;
-  privilegeId: string;
-} & Partial<Omit<TCreateIdentityProjectPrivilegeDTO, "projectMembershipId" | "projectId">>;
+  privilegeSlug: string;
+  privilegeDetails: Partial<
+    Omit<TCreateIdentityProjectPrivilegeDTO, "projectMembershipId" | "projectId">
+  >;
+};
 
 export type TDeleteIdentityProjectPrivilegeDTO = {
-  projectId: string;
+  projectSlug: string;
   identityId: string;
-  privilegeId: string;
+  privilegeSlug: string;
 };
 
 export type TListIdentityUserPrivileges = {
-  projectId: string;
+  projectSlug: string;
   identityId: string;
 };
 
 export type TGetIdentityProejctPrivilegeDetails = {
-  projectId: string;
+  projectSlug: string;
   identityId: string;
-  privilegeId: string;
+  privilegeSlug: string;
 };

frontend/src/hooks/api/projectUserAdditionalPrivilege/mutation.tsx

@@ -1,3 +1,4 @@
+import { packRules } from "@casl/ability/extra";
 import { useMutation, useQueryClient } from "@tanstack/react-query";
 
 import { apiRequest } from "@app/config/request";
@@ -15,7 +16,10 @@ export const useCreateProjectUserAdditionalPrivilege = () => {
 
   return useMutation<{ privilege: TProjectUserPrivilege }, {}, TCreateProjectUserPrivilegeDTO>({
     mutationFn: async (dto) => {
-      const { data } = await apiRequest.post("/api/v1/user-project-additional-privilege", dto);
+      const { data } = await apiRequest.post("/api/v1/additional-privilege/users/permanent", {
+        ...dto,
+        permissions: packRules(dto.permissions)
+      });
       return data.privilege;
     },
     onSuccess: (_, { projectMembershipId }) => {
@@ -30,8 +34,8 @@ export const useUpdateProjectUserAdditionalPrivilege = () => {
   return useMutation<{ privilege: TProjectUserPrivilege }, {}, TUpdateProjectUserPrivlegeDTO>({
     mutationFn: async (dto) => {
       const { data } = await apiRequest.patch(
-        `/api/v1/user-project-additional-privilege/${dto.privilegeId}`,
-        dto
+        `/api/v1/additional-privilege/users/${dto.privilegeId}`,
+        { ...dto, permissions: dto.permissions ? packRules(dto.permissions) : undefined }
       );
       return data.privilege;
     },
@@ -47,7 +51,7 @@ export const useDeleteProjectUserAdditionalPrivilege = () => {
   return useMutation<{ privilege: TProjectUserPrivilege }, {}, TDeleteProjectUserPrivilegeDTO>({
     mutationFn: async (dto) => {
       const { data } = await apiRequest.delete(
-        `/api/v1/user-project-additional-privilege/${dto.privilegeId}`
+        `/api/v1/additional-privilege/users/${dto.privilegeId}`
       );
       return data.privilege;
     },

frontend/src/hooks/api/projectUserAdditionalPrivilege/queries.tsx

@@ -1,3 +1,4 @@
+import { PackRule, unpackRules } from "@casl/ability/extra";
 import { useQuery } from "@tanstack/react-query";
 
 import { apiRequest } from "@app/config/request";
@@ -15,9 +16,12 @@ const fetchProjectUserPrivilegeDetails = async (privilegeId: string) => {
   const {
     data: { privilege }
   } = await apiRequest.get<{
-    privilege: Omit<TProjectUserPrivilege, "permissions"> & { permissions: TProjectPermission[] };
-  }>(`/api/v1/user-project-additional-privilege/${privilegeId}`);
-  return privilege;
+    privilege: Omit<TProjectUserPrivilege, "permissions"> & { permissions: unknown };
+  }>(`/api/v1/additional-privilege/users/${privilegeId}`);
+  return {
+    ...privilege,
+    permissions: unpackRules(privilege.permissions as PackRule<TProjectPermission>[])
+  };
 };
 
 export const useGetProjectUserPrivilegeDetails = (privilegeId: string) => {
@@ -37,10 +41,10 @@ export const useListProjectUserPrivileges = (projectMembershipId: string) => {
         data: { privileges }
       } = await apiRequest.get<{
         privileges: Array<Omit<TProjectUserPrivilege, "permissions"> & { permissions: unknown }>;
-      }>("/api/v1/user-project-additional-privilege", { params: { projectMembershipId } });
+      }>("/api/v1/additional-privilege/users", { params: { projectMembershipId } });
       return privileges.map((el) => ({
         ...el,
-        permissions: el.permissions as TProjectPermission[]
+        permissions: unpackRules(el.permissions as PackRule<TProjectPermission>[])
       }));
     }
   });

frontend/src/hooks/api/projectUserAdditionalPrivilege/types.tsx

@@ -12,35 +12,29 @@ export type TProjectUserPrivilege = {
   updatedAt: Date;
   permissions?: TProjectPermission[];
 } & (
-  | {
+    | {
       isTemporary: true;
       temporaryMode: string;
       temporaryRange: string;
       temporaryAccessStartTime: string;
       temporaryAccessEndTime?: string;
     }
-  | {
+    | {
       isTemporary: false;
       temporaryMode?: null;
       temporaryRange?: null;
       temporaryAccessStartTime?: null;
       temporaryAccessEndTime?: null;
     }
-);
+  );
 
 export type TCreateProjectUserPrivilegeDTO = {
   projectMembershipId: string;
   slug?: string;
-  type:
-    | {
-        isTemporary: true;
-        temporaryMode?: ProjectUserAdditionalPrivilegeTemporaryMode;
-        temporaryRange?: string;
-        temporaryAccessStartTime?: string;
-      }
-    | {
-        isTemporary: false;
-      };
+  isTemporary?: boolean;
+  temporaryMode?: ProjectUserAdditionalPrivilegeTemporaryMode;
+  temporaryRange?: string;
+  temporaryAccessStartTime?: string;
   permissions: TProjectPermission[];
 };
 

frontend/src/hooks/api/roles/mutation.tsx

@@ -19,14 +19,14 @@ export const useCreateProjectRole = () => {
   const queryClient = useQueryClient();
 
   return useMutation<TProjectRole, {}, TCreateProjectRoleDTO>({
-    mutationFn: async ({ projectId, ...dto }: TCreateProjectRoleDTO) => {
+    mutationFn: async ({ projectSlug, ...dto }: TCreateProjectRoleDTO) => {
       const {
         data: { role }
-      } = await apiRequest.post(`/api/v2/workspace/${projectId}/roles`, dto);
+      } = await apiRequest.post(`/api/v1/workspace/${projectSlug}/roles`, dto);
       return role;
     },
-    onSuccess: (_, { projectId }) => {
-      queryClient.invalidateQueries(roleQueryKeys.getProjectRoles(projectId));
+    onSuccess: (_, { projectSlug }) => {
+      queryClient.invalidateQueries(roleQueryKeys.getProjectRoles(projectSlug));
     }
   });
 };
@@ -35,17 +35,14 @@ export const useUpdateProjectRole = () => {
   const queryClient = useQueryClient();
 
   return useMutation<TProjectRole, {}, TUpdateProjectRoleDTO>({
-    mutationFn: async ({ id, projectId, ...dto }: TUpdateProjectRoleDTO) => {
+    mutationFn: async ({ id, projectSlug, ...dto }: TUpdateProjectRoleDTO) => {
       const {
         data: { role }
-      } = await apiRequest.patch(`/api/v2/workspace/${projectId}/roles/${id}`, dto);
+      } = await apiRequest.patch(`/api/v1/workspace/${projectSlug}/roles/${id}`, dto);
       return role;
     },
-    onSuccess: (_, { projectId, slug }) => {
-      queryClient.invalidateQueries(roleQueryKeys.getProjectRoles(projectId));
-      if (slug) {
-        queryClient.invalidateQueries(roleQueryKeys.getProjectRoleBySlug(projectId, slug));
-      }
+    onSuccess: (_, { projectSlug }) => {
+      queryClient.invalidateQueries(roleQueryKeys.getProjectRoles(projectSlug));
     }
   });
 };
@@ -53,14 +50,14 @@ export const useUpdateProjectRole = () => {
 export const useDeleteProjectRole = () => {
   const queryClient = useQueryClient();
   return useMutation<TProjectRole, {}, TDeleteProjectRoleDTO>({
-    mutationFn: async ({ projectId, id }: TDeleteProjectRoleDTO) => {
+    mutationFn: async ({ projectSlug, id }: TDeleteProjectRoleDTO) => {
       const {
         data: { role }
-      } = await apiRequest.delete(`/api/v2/workspace/${projectId}/roles/${id}`);
+      } = await apiRequest.delete(`/api/v1/workspace/${projectSlug}/roles/${id}`);
       return role;
     },
-    onSuccess: (_, { projectId }) => {
-      queryClient.invalidateQueries(roleQueryKeys.getProjectRoles(projectId));
+    onSuccess: (_, { projectSlug }) => {
+      queryClient.invalidateQueries(roleQueryKeys.getProjectRoles(projectSlug));
     }
   });
 };

frontend/src/hooks/api/roles/queries.tsx

@@ -7,8 +7,6 @@ import picomatch from "picomatch";
 import { apiRequest } from "@app/config/request";
 import { OrgPermissionSet } from "@app/context/OrgPermissionContext/types";
 import { ProjectPermissionSet } from "@app/context/ProjectPermissionContext/types";
-import { groupBy } from "@app/lib/fn/array";
-import { omit } from "@app/lib/fn/object";
 
 import { OrgUser, TProjectMembership } from "../users/types";
 import {
@@ -38,9 +36,9 @@ const glob: JsInterpreter<FieldCondition<string>> = (node, object, context) => {
 const conditionsMatcher = buildMongoQueryMatcher({ $glob }, { glob });
 
 export const roleQueryKeys = {
-  getProjectRoles: (projectId: string) => ["roles", { projectId }] as const,
-  getProjectRoleBySlug: (projectId: string, roleSlug: string) =>
-    ["roles", { projectId, roleSlug }] as const,
+  getProjectRoles: (projectSlug: string) => ["roles", { projectSlug }] as const,
+  getProjectRoleBySlug: (projectSlug: string, roleSlug: string) =>
+    ["roles", { projectSlug, roleSlug }] as const,
   getOrgRoles: (orgId: string) => ["org-roles", { orgId }] as const,
   getOrgRole: (orgId: string, roleId: string) => [{ orgId, roleId }, "org-role"] as const,
   getUserOrgPermissions: ({ orgId }: TGetUserOrgPermissionsDTO) =>
@@ -51,28 +49,28 @@ export const roleQueryKeys = {
 
 export const getProjectRoles = async (projectId: string) => {
   const { data } = await apiRequest.get<{ roles: Array<Omit<TProjectRole, "permissions">> }>(
-    `/api/v2/workspace/${projectId}/roles`
+    `/api/v1/workspace/${projectId}/roles`
   );
   return data.roles;
 };
 
-export const useGetProjectRoles = (projectId: string) =>
+export const useGetProjectRoles = (projectSlug: string) =>
   useQuery({
-    queryKey: roleQueryKeys.getProjectRoles(projectId),
-    queryFn: () => getProjectRoles(projectId),
-    enabled: Boolean(projectId)
+    queryKey: roleQueryKeys.getProjectRoles(projectSlug),
+    queryFn: () => getProjectRoles(projectSlug),
+    enabled: Boolean(projectSlug)
   });
 
-export const useGetProjectRoleBySlug = (projectId: string, roleSlug: string) =>
+export const useGetProjectRoleBySlug = (projectSlug: string, roleSlug: string) =>
   useQuery({
-    queryKey: roleQueryKeys.getProjectRoleBySlug(projectId, roleSlug),
+    queryKey: roleQueryKeys.getProjectRoleBySlug(projectSlug, roleSlug),
     queryFn: async () => {
       const { data } = await apiRequest.get<{ role: TProjectRole }>(
-        `/api/v2/workspace/${projectId}/roles/slug/${roleSlug}`
+        `/api/v1/workspace/${projectSlug}/roles/slug/${roleSlug}`
       );
       return data.role;
     },
-    enabled: Boolean(projectId && roleSlug)
+    enabled: Boolean(projectSlug && roleSlug)
   });
 
 const getOrgRoles = async (orgId: string) => {
@@ -148,32 +146,8 @@ export const useGetUserProjectPermissions = ({ workspaceId }: TGetUserProjectPer
     enabled: Boolean(workspaceId),
     select: (data) => {
       const rule = unpackRules<RawRuleOf<MongoAbility<ProjectPermissionSet>>>(data.permissions);
-      const negatedRules = groupBy(
-        rule.filter((i) => i.inverted && i.conditions),
-        (i) => `${i.subject}-${JSON.stringify(i.conditions)}`
-      );
-      const ability = createMongoAbility<ProjectPermissionSet>(rule, {
-        // this allows in frontend to skip some rules using *
-        conditionsMatcher: (rules) => {
-          return (entity) => {
-            // skip validation if its negated rules
-            const isNegatedRule =
-              // eslint-disable-next-line no-underscore-dangle
-              negatedRules?.[`${entity.__caslSubjectType__}-${JSON.stringify(rules)}`];
-            if (isNegatedRule) {
-              const baseMatcher = conditionsMatcher(rules);
-              return baseMatcher(entity);
-            }
+      const ability = createMongoAbility<ProjectPermissionSet>(rule, { conditionsMatcher });
 
-            const rulesStrippedOfWildcard = omit(
-              rules,
-              Object.keys(entity).filter((el) => entity[el]?.includes("*"))
-            );
-            const baseMatcher = conditionsMatcher(rulesStrippedOfWildcard);
-            return baseMatcher(entity);
-          };
-        }
-      });
       const membership = {
         ...data.membership,
         roles: data.membership.roles.map(({ role }) => role)

frontend/src/hooks/api/roles/types.ts

@@ -40,7 +40,6 @@ export type TPermission = {
 
 export type TProjectPermission = {
   conditions?: Record<string, any>;
-  inverted?: boolean;
   action: string | string[];
   subject: string | string[];
 };
@@ -72,7 +71,7 @@ export type TDeleteOrgRoleDTO = {
 };
 
 export type TCreateProjectRoleDTO = {
-  projectId: string;
+  projectSlug: string;
   name: string;
   description?: string;
   slug: string;
@@ -80,11 +79,11 @@ export type TCreateProjectRoleDTO = {
 };
 
 export type TUpdateProjectRoleDTO = {
-  projectId: string;
+  projectSlug: string;
   id: string;
 } & Partial<Omit<TCreateProjectRoleDTO, "orgId">>;
 
 export type TDeleteProjectRoleDTO = {
-  projectId: string;
+  projectSlug: string;
   id: string;
 };

frontend/src/hooks/api/secrets/index.ts

@@ -8,8 +8,4 @@ export {
   useUpdateSecretBatch,
   useUpdateSecretV3
 } from "./mutations";
-export {
-  useGetProjectSecrets,
-  useGetProjectSecretsAllEnv,
-  useGetSecretReferenceTree,
-  useGetSecretVersion} from "./queries";
+export { useGetProjectSecrets, useGetProjectSecretsAllEnv, useGetSecretVersion } from "./queries";

frontend/src/hooks/api/secrets/queries.tsx

@@ -17,17 +17,14 @@ import {
   SecretVersions,
   TGetProjectSecretsAllEnvDTO,
   TGetProjectSecretsDTO,
-  TGetProjectSecretsKey,
-  TGetSecretReferenceTreeDTO,
-  TSecretReferenceTraceNode
+  TGetProjectSecretsKey
 } from "./types";
 
 export const secretKeys = {
   // this is also used in secretSnapshot part
   getProjectSecret: ({ workspaceId, environment, secretPath }: TGetProjectSecretsKey) =>
     [{ workspaceId, environment, secretPath }, "secrets"] as const,
-  getSecretVersion: (secretId: string) => [{ secretId }, "secret-versions"] as const,
-  getSecretReferenceTree: (dto: TGetSecretReferenceTreeDTO) => ["secret-reference-tree", dto]
+  getSecretVersion: (secretId: string) => [{ secretId }, "secret-versions"] as const
 };
 
 export const fetchProjectSecrets = async ({
@@ -230,33 +227,3 @@ export const useGetSecretVersion = (dto: GetSecretVersionsDTO) =>
       return data.sort((a, b) => b.createdAt.localeCompare(a.createdAt));
     }, [])
   });
-
-const fetchSecretReferenceTree = async ({
-  secretPath,
-  projectId,
-  secretKey,
-  environmentSlug
-}: TGetSecretReferenceTreeDTO) => {
-  const { data } = await apiRequest.get<{ tree: TSecretReferenceTraceNode; value: string }>(
-    `/api/v3/secrets/raw/${secretKey}/secret-reference-tree`,
-    {
-      params: {
-        secretPath,
-        workspaceId: projectId,
-        environment: environmentSlug
-      }
-    }
-  );
-  return data;
-};
-
-export const useGetSecretReferenceTree = (dto: TGetSecretReferenceTreeDTO) =>
-  useQuery({
-    enabled:
-      Boolean(dto.environmentSlug) &&
-      Boolean(dto.secretPath) &&
-      Boolean(dto.projectId) &&
-      Boolean(dto.secretKey),
-    queryKey: secretKeys.getSecretReferenceTree(dto),
-    queryFn: () => fetchSecretReferenceTree(dto)
-  });

frontend/src/hooks/api/secrets/types.ts

@@ -210,18 +210,3 @@ export type TMoveSecretsDTO = {
   secretIds: string[];
   shouldOverwrite: boolean;
 };
-
-export type TGetSecretReferenceTreeDTO = {
-  secretKey: string;
-  secretPath: string;
-  environmentSlug: string;
-  projectId: string;
-};
-
-export type TSecretReferenceTraceNode = {
-  key: string;
-  value?: string;
-  environment: string;
-  secretPath: string;
-  children: TSecretReferenceTraceNode[];
-};

frontend/src/hooks/api/users/types.ts

@@ -1,5 +1,4 @@
 import { UserWsKeyPair } from "../keys/types";
-import { ProjectUserMembershipTemporaryMode } from "../workspace/types";
 
 export enum AuthMethod {
   EMAIL = "email",
@@ -86,7 +85,6 @@ export type TWorkspaceUser = {
     id: string;
     publicKey: string;
   };
-  createdAt: string;
   projectId: string;
   isGroupMember: boolean;
   project: {
@@ -116,7 +114,7 @@ export type TWorkspaceUser = {
         customRoleSlug: string;
         isTemporary: true;
         temporaryRange: string;
-        temporaryMode: ProjectUserMembershipTemporaryMode;
+        temporaryMode: string;
         temporaryAccessEndTime: string;
         temporaryAccessStartTime: string;
       }