Update GCP auth method description

Feature: add support for secret folder rename in the overview page

.github/workflows/build-staging-and-deploy-aws.yml

@@ -74,21 +74,21 @@ jobs:
         uses: pr-mpt/actions-commit-hash@v2
       - name: Download task definition
         run: |
-          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
       - name: Render Amazon ECS task definition
         id: render-web-container
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition: task-definition.json
-          container-name: infisical-prod-platform
+          container-name: infisical-core-platform
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
         uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
+          service: infisical-core-platform
+          cluster: infisical-core-platform
           wait-for-service-stability: true
 
   production-postgres-deployment:
@@ -135,6 +135,6 @@ jobs:
         uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
+          service: infisical-core-platform
+          cluster: infisical-core-platform
           wait-for-service-stability: true

backend/package-lock.json

@@ -39,6 +39,8 @@
         "dotenv": "^16.4.1",
         "fastify": "^4.26.0",
         "fastify-plugin": "^4.5.1",
+        "google-auth-library": "^9.9.0",
+        "googleapis": "^137.1.0",
         "handlebars": "^4.7.8",
         "ioredis": "^5.3.2",
         "jmespath": "^0.16.0",
@@ -49,7 +51,7 @@
         "libsodium-wrappers": "^0.7.13",
         "lodash.isequal": "^4.5.0",
         "ms": "^2.1.3",
-        "mysql2": "^3.9.4",
+        "mysql2": "^3.9.7",
         "nanoid": "^5.0.4",
         "nodemailer": "^6.9.9",
         "ora": "^7.0.1",
@@ -6183,6 +6185,14 @@
       "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz",
       "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ=="
     },
+    "node_modules/bignumber.js": {
+      "version": "9.1.2",
+      "resolved": "https://registry.npmjs.org/bignumber.js/-/bignumber.js-9.1.2.tgz",
+      "integrity": "sha512-2/mKyZH9K85bzOEfhXDBFZTGd1CTs+5IHpeFQo9luiBG7hghdC851Pj2WAhb6E3R6b9tZj/XKhbg4fum+Kepug==",
+      "engines": {
+        "node": "*"
+      }
+    },
     "node_modules/binary-extensions": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.2.0.tgz",
@@ -7759,6 +7769,11 @@
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
       "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
     },
+    "node_modules/extend": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz",
+      "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g=="
+    },
     "node_modules/extsprintf": {
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.4.1.tgz",
@@ -8286,6 +8301,88 @@
         "node": ">=8"
       }
     },
+    "node_modules/gaxios": {
+      "version": "6.5.0",
+      "resolved": "https://registry.npmjs.org/gaxios/-/gaxios-6.5.0.tgz",
+      "integrity": "sha512-R9QGdv8j4/dlNoQbX3hSaK/S0rkMijqjVvW3YM06CoBdbU/VdKd159j4hePpng0KuE6Lh6JJ7UdmVGJZFcAG1w==",
+      "dependencies": {
+        "extend": "^3.0.2",
+        "https-proxy-agent": "^7.0.1",
+        "is-stream": "^2.0.0",
+        "node-fetch": "^2.6.9",
+        "uuid": "^9.0.1"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/gaxios/node_modules/agent-base": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-7.1.1.tgz",
+      "integrity": "sha512-H0TSyFNDMomMNJQBn8wFV5YC/2eJ+VXECwOadZJT554xP6cODZHPX3H9QMQECxvrgiSOP1pHjy1sMWQVYJOUOA==",
+      "dependencies": {
+        "debug": "^4.3.4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/gaxios/node_modules/debug": {
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "dependencies": {
+        "ms": "2.1.2"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/gaxios/node_modules/https-proxy-agent": {
+      "version": "7.0.4",
+      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-7.0.4.tgz",
+      "integrity": "sha512-wlwpilI7YdjSkWaQ/7omYBMTliDcmCN8OLihO6I9B86g06lMyAoqgoDpV0XqoaPOKj+0DIdAvnsWfyAAhmimcg==",
+      "dependencies": {
+        "agent-base": "^7.0.2",
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/gaxios/node_modules/is-stream": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.1.tgz",
+      "integrity": "sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==",
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/gaxios/node_modules/ms": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    },
+    "node_modules/gcp-metadata": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/gcp-metadata/-/gcp-metadata-6.1.0.tgz",
+      "integrity": "sha512-Jh/AIwwgaxan+7ZUUmRLCjtchyDiqh4KjBJ5tW3plBZb5iL/BPcso8A5DlzeD9qlw0duCamnNdpFjxwaT0KyKg==",
+      "dependencies": {
+        "gaxios": "^6.0.0",
+        "json-bigint": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
     "node_modules/generate-function": {
       "version": "2.3.1",
       "resolved": "https://registry.npmjs.org/generate-function/-/generate-function-2.3.1.tgz",
@@ -8482,6 +8579,69 @@
       "integrity": "sha512-uHJgbwAMwNFf5mLst7IWLNg14x1CkeqglJb/K3doi4dw6q2IvAAmM/Y81kevy83wP+Sst+nutFTYOGg3d1lsxg==",
       "dev": true
     },
+    "node_modules/google-auth-library": {
+      "version": "9.9.0",
+      "resolved": "https://registry.npmjs.org/google-auth-library/-/google-auth-library-9.9.0.tgz",
+      "integrity": "sha512-9l+zO07h1tDJdIHN74SpnWIlNR+OuOemXlWJlLP9pXy6vFtizgpEzMuwJa4lqY9UAdiAv5DVd5ql0Am916I+aA==",
+      "dependencies": {
+        "base64-js": "^1.3.0",
+        "ecdsa-sig-formatter": "^1.0.11",
+        "gaxios": "^6.1.1",
+        "gcp-metadata": "^6.1.0",
+        "gtoken": "^7.0.0",
+        "jws": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/google-auth-library/node_modules/jwa": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/jwa/-/jwa-2.0.0.tgz",
+      "integrity": "sha512-jrZ2Qx916EA+fq9cEAeCROWPTfCwi1IVHqT2tapuqLEVVDKFDENFw1oL+MwrTvH6msKxsd1YTDVw6uKEcsrLEA==",
+      "dependencies": {
+        "buffer-equal-constant-time": "1.0.1",
+        "ecdsa-sig-formatter": "1.0.11",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/google-auth-library/node_modules/jws": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.0.tgz",
+      "integrity": "sha512-KDncfTmOZoOMTFG4mBlG0qUIOlc03fmzH+ru6RgYVZhPkyiy/92Owlt/8UEN+a4TXR1FQetfIpJE8ApdvdVxTg==",
+      "dependencies": {
+        "jwa": "^2.0.0",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/googleapis": {
+      "version": "137.1.0",
+      "resolved": "https://registry.npmjs.org/googleapis/-/googleapis-137.1.0.tgz",
+      "integrity": "sha512-2L7SzN0FLHyQtFmyIxrcXhgust77067pkkduqkbIpDuj9JzVnByxsRrcRfUMFQam3rQkWW2B0f1i40IwKDWIVQ==",
+      "dependencies": {
+        "google-auth-library": "^9.0.0",
+        "googleapis-common": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/googleapis-common": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/googleapis-common/-/googleapis-common-7.2.0.tgz",
+      "integrity": "sha512-/fhDZEJZvOV3X5jmD+fKxMqma5q2Q9nZNSF3kn1F18tpxmA86BcTxAGBQdM0N89Z3bEaIs+HVznSmFJEAmMTjA==",
+      "dependencies": {
+        "extend": "^3.0.2",
+        "gaxios": "^6.0.3",
+        "google-auth-library": "^9.7.0",
+        "qs": "^6.7.0",
+        "url-template": "^2.0.8",
+        "uuid": "^9.0.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
     "node_modules/gopd": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.0.1.tgz",
@@ -8504,6 +8664,37 @@
       "integrity": "sha512-EtKwoO6kxCL9WO5xipiHTZlSzBm7WLT627TqC/uVRd0HKmq8NXyebnNYxDoBi7wt8eTWrUrKXCOVaFq9x1kgag==",
       "dev": true
     },
+    "node_modules/gtoken": {
+      "version": "7.1.0",
+      "resolved": "https://registry.npmjs.org/gtoken/-/gtoken-7.1.0.tgz",
+      "integrity": "sha512-pCcEwRi+TKpMlxAQObHDQ56KawURgyAf6jtIY046fJ5tIv3zDe/LEIubckAO8fj6JnAxLdmWkUfNyulQ2iKdEw==",
+      "dependencies": {
+        "gaxios": "^6.0.0",
+        "jws": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/gtoken/node_modules/jwa": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/jwa/-/jwa-2.0.0.tgz",
+      "integrity": "sha512-jrZ2Qx916EA+fq9cEAeCROWPTfCwi1IVHqT2tapuqLEVVDKFDENFw1oL+MwrTvH6msKxsd1YTDVw6uKEcsrLEA==",
+      "dependencies": {
+        "buffer-equal-constant-time": "1.0.1",
+        "ecdsa-sig-formatter": "1.0.11",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/gtoken/node_modules/jws": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.0.tgz",
+      "integrity": "sha512-KDncfTmOZoOMTFG4mBlG0qUIOlc03fmzH+ru6RgYVZhPkyiy/92Owlt/8UEN+a4TXR1FQetfIpJE8ApdvdVxTg==",
+      "dependencies": {
+        "jwa": "^2.0.0",
+        "safe-buffer": "^5.0.1"
+      }
+    },
     "node_modules/handlebars": {
       "version": "4.7.8",
       "resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz",
@@ -9277,6 +9468,14 @@
       "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-1.1.0.tgz",
       "integrity": "sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A=="
     },
+    "node_modules/json-bigint": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/json-bigint/-/json-bigint-1.0.0.tgz",
+      "integrity": "sha512-SiPv/8VpZuWbvLSMtTDU8hEfrZWg/mH/nV/b4o0CYbSxu1UIQPLdwKOCIyLQX+VIPO5vrLX3i8qtqFyhdPSUSQ==",
+      "dependencies": {
+        "bignumber.js": "^9.0.0"
+      }
+    },
     "node_modules/json-buffer": {
       "version": "3.0.1",
       "resolved": "https://registry.npmjs.org/json-buffer/-/json-buffer-3.0.1.tgz",
@@ -10102,9 +10301,9 @@
       }
     },
     "node_modules/mysql2": {
-      "version": "3.9.4",
-      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.4.tgz",
-      "integrity": "sha512-OEESQuwxMza803knC1YSt7NMuc1BrK9j7gZhCSs2WAyxr1vfiI7QLaLOKTh5c9SWGz98qVyQUbK8/WckevNQhg==",
+      "version": "3.9.7",
+      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.7.tgz",
+      "integrity": "sha512-KnJT8vYRcNAZv73uf9zpXqNbvBG7DJrs+1nACsjZP1HMJ1TgXEy8wnNilXAn/5i57JizXKtrUtwDB7HxT9DDpw==",
       "dependencies": {
         "denque": "^2.1.0",
         "generate-function": "^2.3.1",
@@ -13703,6 +13902,11 @@
         "querystring": "0.2.0"
       }
     },
+    "node_modules/url-template": {
+      "version": "2.0.8",
+      "resolved": "https://registry.npmjs.org/url-template/-/url-template-2.0.8.tgz",
+      "integrity": "sha512-XdVKMF4SJ0nP/O7XIPB0JwAEuT9lDIYnNsK8yGVe43y0AWoKeJNdv3ZNWh7ksJ6KqQFjOO6ox/VEitLnaVNufw=="
+    },
     "node_modules/url/node_modules/punycode": {
       "version": "1.3.2",
       "resolved": "https://registry.npmjs.org/punycode/-/punycode-1.3.2.tgz",

backend/package.json

@@ -100,6 +100,8 @@
     "dotenv": "^16.4.1",
     "fastify": "^4.26.0",
     "fastify-plugin": "^4.5.1",
+    "google-auth-library": "^9.9.0",
+    "googleapis": "^137.1.0",
     "handlebars": "^4.7.8",
     "ioredis": "^5.3.2",
     "jmespath": "^0.16.0",

backend/src/@types/fastify.d.ts

@@ -33,6 +33,7 @@ import { TGroupProjectServiceFactory } from "@app/services/group-project/group-p
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
+import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
@@ -116,6 +117,7 @@ declare module "fastify" {
       identityAccessToken: TIdentityAccessTokenServiceFactory;
       identityProject: TIdentityProjectServiceFactory;
       identityUa: TIdentityUaServiceFactory;
+      identityGcpAuth: TIdentityGcpAuthServiceFactory;
       identityAwsAuth: TIdentityAwsAuthServiceFactory;
       accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
       accessApprovalRequest: TAccessApprovalRequestServiceFactory;

backend/src/@types/knex.d.ts

@@ -62,6 +62,9 @@ import {
   TIdentityAwsAuths,
   TIdentityAwsAuthsInsert,
   TIdentityAwsAuthsUpdate,
+  TIdentityGcpAuths,
+  TIdentityGcpAuthsInsert,
+  TIdentityGcpAuthsUpdate,
   TIdentityOrgMemberships,
   TIdentityOrgMembershipsInsert,
   TIdentityOrgMembershipsUpdate,
@@ -329,6 +332,11 @@ declare module "knex/types/tables" {
       TIdentityUniversalAuthsInsert,
       TIdentityUniversalAuthsUpdate
     >;
+    [TableName.IdentityGcpAuth]: Knex.CompositeTableType<
+      TIdentityGcpAuths,
+      TIdentityGcpAuthsInsert,
+      TIdentityGcpAuthsUpdate
+    >;
     [TableName.IdentityAwsAuth]: Knex.CompositeTableType<
       TIdentityAwsAuths,
       TIdentityAwsAuthsInsert,

backend/src/db/migrations/20240509235819_identity-gcp-auth.ts

@@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityGcpAuth))) {
+    await knex.schema.createTable(TableName.IdentityGcpAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
+      t.string("allowedServiceAccounts").notNullable();
+      t.string("allowedProjects").notNullable();
+      t.string("allowedZones").notNullable(); // GCE only (fully qualified zone names)
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityGcpAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
+}

backend/src/db/schemas/identity-gcp-auths.ts

@@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityGcpAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  type: z.string(),
+  allowedServiceAccounts: z.string(),
+  allowedProjects: z.string(),
+  allowedZones: z.string()
+});
+
+export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;
+export type TIdentityGcpAuthsInsert = Omit<z.input<typeof IdentityGcpAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityGcpAuthsUpdate = Partial<Omit<z.input<typeof IdentityGcpAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/index.ts

@@ -18,6 +18,7 @@ export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";
 export * from "./identity-aws-auths";
+export * from "./identity-gcp-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";

backend/src/db/schemas/models.ts

@@ -44,6 +44,7 @@ export enum TableName {
   Identity = "identities",
   IdentityAccessToken = "identity_access_tokens",
   IdentityUniversalAuth = "identity_universal_auths",
+  IdentityGcpAuth = "identity_gcp_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
   IdentityAwsAuth = "identity_aws_auths",
   IdentityOrgMembership = "identity_org_memberships",
@@ -144,5 +145,6 @@ export enum ProjectUpgradeStatus {
 
 export enum IdentityAuthMethod {
   Univeral = "universal-auth",
+  GCP_AUTH = "gcp-auth",
   AWS_AUTH = "aws-auth"
 }

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -66,6 +66,10 @@ export enum EventType {
   CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
   REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
   GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
+  LOGIN_IDENTITY_GCP_AUTH = "login-identity-gcp-auth",
+  ADD_IDENTITY_GCP_AUTH = "add-identity-gcp-auth",
+  UPDATE_IDENTITY_GCP_AUTH = "update-identity-gcp-auth",
+  GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",
   LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
   ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
   UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
@@ -410,6 +414,52 @@ interface RevokeIdentityUniversalAuthClientSecretEvent {
   };
 }
 
+interface LoginIdentityGcpAuthEvent {
+  type: EventType.LOGIN_IDENTITY_GCP_AUTH;
+  metadata: {
+    identityId: string;
+    identityGcpAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityGcpAuthEvent {
+  type: EventType.ADD_IDENTITY_GCP_AUTH;
+  metadata: {
+    identityId: string;
+    type: string;
+    allowedServiceAccounts: string;
+    allowedProjects: string;
+    allowedZones: string;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface UpdateIdentityGcpAuthEvent {
+  type: EventType.UPDATE_IDENTITY_GCP_AUTH;
+  metadata: {
+    identityId: string;
+    type?: string;
+    allowedServiceAccounts?: string;
+    allowedProjects?: string;
+    allowedZones?: string;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityGcpAuthEvent {
+  type: EventType.GET_IDENTITY_GCP_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface LoginIdentityAwsAuthEvent {
   type: EventType.LOGIN_IDENTITY_AWS_AUTH;
   metadata: {
@@ -708,6 +758,10 @@ export type Event =
   | CreateIdentityUniversalAuthClientSecretEvent
   | GetIdentityUniversalAuthClientSecretsEvent
   | RevokeIdentityUniversalAuthClientSecretEvent
+  | LoginIdentityGcpAuthEvent
+  | AddIdentityGcpAuthEvent
+  | UpdateIdentityGcpAuthEvent
+  | GetIdentityGcpAuthEvent
   | LoginIdentityAwsAuthEvent
   | AddIdentityAwsAuthEvent
   | UpdateIdentityAwsAuthEvent

backend/src/lib/api-docs/constants.ts

@@ -252,6 +252,7 @@ export const FOLDERS = {
     name: "The new name of the folder.",
     path: "The path of the folder to update.",
     directory: "The new directory of the folder to update. (Deprecated in favor of path)",
+    projectSlug: "The slug of the project where the folder is located.",
     workspaceId: "The ID of the project where the folder is located."
   },
   DELETE: {
@@ -288,7 +289,8 @@ export const RAW_SECRETS = {
     recursive:
       "Whether or not to fetch all secrets from the specified base path, and all of its subdirectories. Note, the max depth is 20 deep.",
     workspaceId: "The ID of the project to list secrets from.",
-    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
+    workspaceSlug:
+      "The slug of the project to list secrets from. This parameter is only applicable by machine identities.",
     environment: "The slug of the environment to list secrets from.",
     secretPath: "The secret path to list secrets from.",
     includeImports: "Weather to include imported secrets or not."
@@ -307,6 +309,7 @@ export const RAW_SECRETS = {
   GET: {
     secretName: "The name of the secret to get.",
     workspaceId: "The ID of the project to get the secret from.",
+    workspaceSlug: "The slug of the project to get the secret from.",
     environment: "The slug of the environment to get the secret from.",
     secretPath: "The path of the secret to get.",
     version: "The version of the secret to get.",
@@ -625,7 +628,8 @@ export const INTEGRATION = {
       shouldAutoRedeploy: "Used by Render to trigger auto deploy.",
       secretGCPLabel: "The label for GCP secrets.",
       secretAWSTag: "The tags for AWS secrets.",
-      kmsKeyId: "The ID of the encryption key from AWS KMS."
+      kmsKeyId: "The ID of the encryption key from AWS KMS.",
+      shouldDisableDelete: "The flag to disable deletion of secrets in AWS Parameter Store."
     }
   },
   UPDATE: {

backend/src/server/routes/index.ts

@@ -80,6 +80,8 @@ import { identityAccessTokenDALFactory } from "@app/services/identity-access-tok
 import { identityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { identityAwsAuthDALFactory } from "@app/services/identity-aws-auth/identity-aws-auth-dal";
 import { identityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
+import { identityGcpAuthDALFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-dal";
+import { identityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { identityProjectMembershipRoleDALFactory } from "@app/services/identity-project/identity-project-membership-role-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@@ -205,6 +207,8 @@ export const registerRoutes = async (
   const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
   const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
 
+  const identityGcpAuthDAL = identityGcpAuthDALFactory(db);
+
   const auditLogDAL = auditLogDALFactory(db);
   const auditLogStreamDAL = auditLogStreamDALFactory(db);
   const trustedIpDAL = trustedIpDALFactory(db);
@@ -538,8 +542,10 @@ export const registerRoutes = async (
     folderDAL,
     folderVersionDAL,
     projectEnvDAL,
-    snapshotService
+    snapshotService,
+    projectDAL
   });
+
   const integrationAuthService = integrationAuthServiceFactory({
     integrationAuthDAL,
     integrationDAL,
@@ -702,6 +708,15 @@ export const registerRoutes = async (
     identityUaDAL,
     licenseService
   });
+  const identityGcpAuthService = identityGcpAuthServiceFactory({
+    identityGcpAuthDAL,
+    identityOrgMembershipDAL,
+    identityAccessTokenDAL,
+    identityDAL,
+    permissionService,
+    licenseService
+  });
+
   const identityAwsAuthService = identityAwsAuthServiceFactory({
     identityAccessTokenDAL,
     identityAwsAuthDAL,
@@ -779,6 +794,7 @@ export const registerRoutes = async (
     identityAccessToken: identityAccessTokenService,
     identityProject: identityProjectService,
     identityUa: identityUaService,
+    identityGcpAuth: identityGcpAuthService,
     identityAwsAuth: identityAwsAuthService,
     secretApprovalPolicy: sapService,
     accessApprovalPolicy: accessApprovalPolicyService,

backend/src/server/routes/v1/identity-gcp-auth-router.ts

@@ -0,0 +1,268 @@
+import { z } from "zod";
+
+import { IdentityGcpAuthsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { validateGcpAuthField } from "@app/services/identity-gcp-auth/identity-gcp-auth-validators";
+
+export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/gcp-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Login with GCP Auth",
+      body: z.object({
+        identityId: z.string(),
+        jwt: z.string()
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string(),
+          expiresIn: z.coerce.number(),
+          accessTokenMaxTTL: z.coerce.number(),
+          tokenType: z.literal("Bearer")
+        })
+      }
+    },
+    handler: async (req) => {
+      const { identityGcpAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityGcpAuth.login(req.body);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityMembershipOrg?.orgId,
+        event: {
+          type: EventType.LOGIN_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId,
+            identityAccessTokenId: identityAccessToken.id,
+            identityGcpAuthId: identityGcpAuth.id
+          }
+        }
+      });
+
+      return {
+        accessToken,
+        tokenType: "Bearer" as const,
+        expiresIn: identityGcpAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/gcp-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Attach GCP Auth configuration onto identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim()
+      }),
+      body: z.object({
+        type: z.enum(["iam", "gce"]),
+        allowedServiceAccounts: validateGcpAuthField,
+        allowedProjects: validateGcpAuthField,
+        allowedZones: validateGcpAuthField,
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(1)
+          .refine((value) => value !== 0, {
+            message: "accessTokenTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .default(2592000),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+      }),
+      response: {
+        200: z.object({
+          identityGcpAuth: IdentityGcpAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityGcpAuth = await server.services.identityGcpAuth.attachGcpAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityGcpAuth.orgId,
+        event: {
+          type: EventType.ADD_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId,
+            type: identityGcpAuth.type,
+            allowedServiceAccounts: identityGcpAuth.allowedServiceAccounts,
+            allowedProjects: identityGcpAuth.allowedProjects,
+            allowedZones: identityGcpAuth.allowedZones,
+            accessTokenTTL: identityGcpAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityGcpAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityGcpAuth };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/gcp-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Update GCP Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim()
+      }),
+      body: z.object({
+        type: z.enum(["iam", "gce"]).optional(),
+        allowedServiceAccounts: validateGcpAuthField,
+        allowedProjects: validateGcpAuthField,
+        allowedZones: validateGcpAuthField,
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .optional(),
+        accessTokenTTL: z.number().int().min(0).optional(),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .optional()
+      }),
+      response: {
+        200: z.object({
+          identityGcpAuth: IdentityGcpAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityGcpAuth = await server.services.identityGcpAuth.updateGcpAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityGcpAuth.orgId,
+        event: {
+          type: EventType.UPDATE_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId,
+            type: identityGcpAuth.type,
+            allowedServiceAccounts: identityGcpAuth.allowedServiceAccounts,
+            allowedProjects: identityGcpAuth.allowedProjects,
+            allowedZones: identityGcpAuth.allowedZones,
+            accessTokenTTL: identityGcpAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityGcpAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityGcpAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/gcp-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Retrieve GCP Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string()
+      }),
+      response: {
+        200: z.object({
+          identityGcpAuth: IdentityGcpAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityGcpAuth = await server.services.identityGcpAuth.getGcpAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityGcpAuth.orgId,
+        event: {
+          type: EventType.GET_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId
+          }
+        }
+      });
+
+      return { identityGcpAuth };
+    }
+  });
+};

backend/src/server/routes/v1/index.ts

@@ -3,6 +3,7 @@ import { registerAuthRoutes } from "./auth-router";
 import { registerProjectBotRouter } from "./bot-router";
 import { registerIdentityAccessTokenRouter } from "./identity-access-token-router";
 import { registerIdentityAwsAuthRouter } from "./identity-aws-iam-auth-router";
+import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityUaRouter } from "./identity-ua";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
@@ -28,6 +29,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
     async (authRouter) => {
       await authRouter.register(registerAuthRoutes);
       await authRouter.register(registerIdentityUaRouter);
+      await authRouter.register(registerIdentityGcpAuthRouter);
       await authRouter.register(registerIdentityAccessTokenRouter);
       await authRouter.register(registerIdentityAwsAuthRouter);
     },

backend/src/server/routes/v1/integration-router.ts

@@ -66,7 +66,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
               )
               .optional()
               .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
-            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId)
+            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
+            shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete)
           })
           .default({})
       }),

backend/src/server/routes/v1/secret-folder-router.ts

@@ -127,6 +127,70 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
     }
   });
 
+  server.route({
+    url: "/batch",
+    method: "PATCH",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      description: "Update folders by batch",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        projectSlug: z.string().trim().describe(FOLDERS.UPDATE.projectSlug),
+        folders: z
+          .object({
+            id: z.string().describe(FOLDERS.UPDATE.folderId),
+            environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
+            name: z.string().trim().describe(FOLDERS.UPDATE.name),
+            path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path)
+          })
+          .array()
+          .min(1)
+      }),
+      response: {
+        200: z.object({
+          folders: SecretFoldersSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { newFolders, oldFolders, projectId } = await server.services.folder.updateManyFolders({
+        ...req.body,
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await Promise.all(
+        req.body.folders.map(async (folder, index) => {
+          await server.services.auditLog.createAuditLog({
+            ...req.auditLogInfo,
+            projectId,
+            event: {
+              type: EventType.UPDATE_FOLDER,
+              metadata: {
+                environment: oldFolders[index].envId,
+                folderId: oldFolders[index].id,
+                folderPath: folder.path,
+                newFolderName: newFolders[index].name,
+                oldFolderName: oldFolders[index].name
+              }
+            }
+          });
+        })
+      );
+
+      return { folders: newFolders };
+    }
+  });
+
   // TODO(daniel): Expose this route in api reference and write docs for it.
   server.route({
     method: "DELETE",

backend/src/server/routes/v3/secret-router.ts

@@ -293,6 +293,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       }),
       querystring: z.object({
         workspaceId: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceId),
+        workspaceSlug: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceSlug),
         environment: z.string().trim().optional().describe(RAW_SECRETS.GET.environment),
         secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
         version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
@@ -311,6 +312,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const { workspaceSlug } = req.query;
       let { secretPath, environment, workspaceId } = req.query;
       if (req.auth.actor === ActorType.SERVICE) {
         const scope = ServiceTokenScopes.parse(req.auth.serviceToken.scopes);
@@ -322,7 +324,9 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       }
 
-      if (!workspaceId || !environment) throw new BadRequestError({ message: "Missing workspace id or environment" });
+      if (!environment) throw new BadRequestError({ message: "Missing environment" });
+      if (!workspaceId && !workspaceSlug)
+        throw new BadRequestError({ message: "You must provide workspaceSlug or workspaceId" });
 
       const secret = await server.services.secret.getSecretByNameRaw({
         actorId: req.permission.id,
@@ -331,6 +335,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         actorOrgId: req.permission.orgId,
         environment,
         projectId: workspaceId,
+        projectSlug: workspaceSlug,
         path: secretPath,
         secretName: req.params.secretName,
         type: req.query.type,
@@ -339,7 +344,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       });
 
       await server.services.auditLog.createAuditLog({
-        projectId: req.query.workspaceId,
+        projectId: secret.workspace,
         ...req.auditLogInfo,
         event: {
           type: EventType.GET_SECRET,
@@ -358,7 +363,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
-          workspaceId,
+          workspaceId: secret.workspace,
           environment,
           secretPath: req.query.secretPath,
           channel: getUserAgentType(req.headers["user-agent"]),

backend/src/services/identity-gcp-auth/identity-gcp-auth-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityGcpAuthDALFactory = ReturnType<typeof identityGcpAuthDALFactory>;
+
+export const identityGcpAuthDALFactory = (db: TDbClient) => {
+  const gcpAuthOrm = ormify(db, TableName.IdentityGcpAuth);
+  return gcpAuthOrm;
+};

backend/src/services/identity-gcp-auth/identity-gcp-auth-fns.ts

@@ -0,0 +1,70 @@
+import axios from "axios";
+import { OAuth2Client } from "google-auth-library";
+import jwt from "jsonwebtoken";
+
+import { UnauthorizedError } from "@app/lib/errors";
+
+import { TDecodedGcpIamAuthJwt, TGcpIdTokenPayload } from "./identity-gcp-auth-types";
+
+/**
+ * Validates that the identity token [jwt] sent in from a client GCE instance as part of GCP ID Token authentication
+ * is valid.
+ * @param {string} identityId - The ID of the identity in Infisical that is being authenticated against (used as audience).
+ * @param {string} jwt - The identity token to validate.
+ * @param {string} credentials - The credentials in the GCP Auth configuration for Infisical.
+ */
+export const validateIdTokenIdentity = async ({
+  identityId,
+  jwt: identityToken
+}: {
+  identityId: string;
+  jwt: string;
+}) => {
+  const oAuth2Client = new OAuth2Client();
+  const response = await oAuth2Client.getFederatedSignonCerts();
+  const ticket = await oAuth2Client.verifySignedJwtWithCertsAsync(
+    identityToken,
+    response.certs,
+    identityId, // audience
+    ["https://accounts.google.com"]
+  );
+  const payload = ticket.getPayload() as TGcpIdTokenPayload;
+  if (!payload || !payload.email) throw new UnauthorizedError();
+
+  return { email: payload.email, computeEngineDetails: payload.google?.compute_engine };
+};
+
+/**
+ * Validates that the signed JWT token for a GCP service account is valid as part of GCP IAM authentication.
+ * @param {string} identityId - The ID of the identity in Infisical that is being authenticated against (used as audience).
+ * @param {string} jwt - The signed JWT token to validate.
+ * @param {string} credentials - The credentials in the GCP Auth configuration for Infisical.
+ * @returns
+ */
+export const validateIamIdentity = async ({
+  identityId,
+  jwt: serviceAccountJwt
+}: {
+  identityId: string;
+  jwt: string;
+}) => {
+  const decodedJwt = jwt.decode(serviceAccountJwt, { complete: true }) as TDecodedGcpIamAuthJwt;
+  const { sub, aud } = decodedJwt.payload;
+
+  const {
+    data
+  }: {
+    data: {
+      [key: string]: string;
+    };
+  } = await axios.get(`https://www.googleapis.com/service_accounts/v1/metadata/x509/${sub}`);
+
+  const publicKey = data[decodedJwt.header.kid];
+
+  jwt.verify(serviceAccountJwt, publicKey, {
+    algorithms: ["RS256"]
+  });
+
+  if (aud !== identityId) throw new UnauthorizedError();
+  return { email: sub };
+};

backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts

@@ -0,0 +1,324 @@
+import { ForbiddenError } from "@casl/ability";
+import jwt from "jsonwebtoken";
+
+import { IdentityAuthMethod } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
+
+import { AuthTokenType } from "../auth/auth-type";
+import { TIdentityDALFactory } from "../identity/identity-dal";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
+import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { TIdentityGcpAuthDALFactory } from "./identity-gcp-auth-dal";
+import { validateIamIdentity, validateIdTokenIdentity } from "./identity-gcp-auth-fns";
+import {
+  TAttachGcpAuthDTO,
+  TGcpIdentityDetails,
+  TGetGcpAuthDTO,
+  TLoginGcpAuthDTO,
+  TUpdateGcpAuthDTO
+} from "./identity-gcp-auth-types";
+
+type TIdentityGcpAuthServiceFactoryDep = {
+  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityDAL: Pick<TIdentityDALFactory, "updateById">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+};
+
+export type TIdentityGcpAuthServiceFactory = ReturnType<typeof identityGcpAuthServiceFactory>;
+
+export const identityGcpAuthServiceFactory = ({
+  identityGcpAuthDAL,
+  identityOrgMembershipDAL,
+  identityAccessTokenDAL,
+  identityDAL,
+  permissionService,
+  licenseService
+}: TIdentityGcpAuthServiceFactoryDep) => {
+  const login = async ({ identityId, jwt: gcpJwt }: TLoginGcpAuthDTO) => {
+    const identityGcpAuth = await identityGcpAuthDAL.findOne({ identityId });
+    if (!identityGcpAuth) throw new UnauthorizedError();
+
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityGcpAuth.identityId });
+    if (!identityMembershipOrg) throw new UnauthorizedError();
+
+    let gcpIdentityDetails: TGcpIdentityDetails;
+    switch (identityGcpAuth.type) {
+      case "gce": {
+        gcpIdentityDetails = await validateIdTokenIdentity({
+          identityId,
+          jwt: gcpJwt
+        });
+        break;
+      }
+      case "iam": {
+        gcpIdentityDetails = await validateIamIdentity({
+          identityId,
+          jwt: gcpJwt
+        });
+        break;
+      }
+      default: {
+        throw new BadRequestError({ message: "Invalid GCP Auth type" });
+      }
+    }
+
+    if (identityGcpAuth.allowedServiceAccounts) {
+      // validate if the service account is in the list of allowed service accounts
+
+      const isServiceAccountAllowed = identityGcpAuth.allowedServiceAccounts
+        .split(",")
+        .map((serviceAccount) => serviceAccount.trim())
+        .some((serviceAccount) => serviceAccount === gcpIdentityDetails.email);
+
+      if (!isServiceAccountAllowed) throw new UnauthorizedError();
+    }
+
+    if (identityGcpAuth.type === "gce" && identityGcpAuth.allowedProjects && gcpIdentityDetails.computeEngineDetails) {
+      // validate if the project that the service account belongs to is in the list of allowed projects
+
+      const isProjectAllowed = identityGcpAuth.allowedProjects
+        .split(",")
+        .map((project) => project.trim())
+        .some((project) => project === gcpIdentityDetails.computeEngineDetails?.project_id);
+
+      if (!isProjectAllowed) throw new UnauthorizedError();
+    }
+
+    if (identityGcpAuth.type === "gce" && identityGcpAuth.allowedZones && gcpIdentityDetails.computeEngineDetails) {
+      const isZoneAllowed = identityGcpAuth.allowedZones
+        .split(",")
+        .map((zone) => zone.trim())
+        .some((zone) => zone === gcpIdentityDetails.computeEngineDetails?.zone);
+
+      if (!isZoneAllowed) throw new UnauthorizedError();
+    }
+
+    const identityAccessToken = await identityGcpAuthDAL.transaction(async (tx) => {
+      const newToken = await identityAccessTokenDAL.create(
+        {
+          identityId: identityGcpAuth.identityId,
+          isAccessTokenRevoked: false,
+          accessTokenTTL: identityGcpAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
+          accessTokenNumUses: 0,
+          accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
+        },
+        tx
+      );
+      return newToken;
+    });
+
+    const appCfg = getConfig();
+    const accessToken = jwt.sign(
+      {
+        identityId: identityGcpAuth.identityId,
+        identityAccessTokenId: identityAccessToken.id,
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+      } as TIdentityAccessTokenJwtPayload,
+      appCfg.AUTH_SECRET,
+      {
+        expiresIn:
+          Number(identityAccessToken.accessTokenMaxTTL) === 0
+            ? undefined
+            : Number(identityAccessToken.accessTokenMaxTTL)
+      }
+    );
+
+    return { accessToken, identityGcpAuth, identityAccessToken, identityMembershipOrg };
+  };
+
+  const attachGcpAuth = async ({
+    identityId,
+    type,
+    allowedServiceAccounts,
+    allowedProjects,
+    allowedZones,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TAttachGcpAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity.authMethod)
+      throw new BadRequestError({
+        message: "Failed to add GCP Auth to already configured identity"
+      });
+
+    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const identityGcpAuth = await identityGcpAuthDAL.transaction(async (tx) => {
+      const doc = await identityGcpAuthDAL.create(
+        {
+          identityId: identityMembershipOrg.identityId,
+          type,
+          allowedServiceAccounts,
+          allowedProjects,
+          allowedZones,
+          accessTokenMaxTTL,
+          accessTokenTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
+        },
+        tx
+      );
+      await identityDAL.updateById(
+        identityMembershipOrg.identityId,
+        {
+          authMethod: IdentityAuthMethod.GCP_AUTH
+        },
+        tx
+      );
+      return doc;
+    });
+    return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const updateGcpAuth = async ({
+    identityId,
+    type,
+    allowedServiceAccounts,
+    allowedProjects,
+    allowedZones,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TUpdateGcpAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
+      throw new BadRequestError({
+        message: "Failed to update GCP Auth"
+      });
+
+    const identityGcpAuth = await identityGcpAuthDAL.findOne({ identityId });
+
+    if (
+      (accessTokenMaxTTL || identityGcpAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityGcpAuth.accessTokenMaxTTL) > (accessTokenMaxTTL || identityGcpAuth.accessTokenMaxTTL)
+    ) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const updatedGcpAuth = await identityGcpAuthDAL.updateById(identityGcpAuth.id, {
+      type,
+      allowedServiceAccounts,
+      allowedProjects,
+      allowedZones,
+      accessTokenMaxTTL,
+      accessTokenTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
+        ? JSON.stringify(reformattedAccessTokenTrustedIps)
+        : undefined
+    });
+
+    return {
+      ...updatedGcpAuth,
+      orgId: identityMembershipOrg.orgId
+    };
+  };
+
+  const getGcpAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetGcpAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have GCP Auth attached"
+      });
+
+    const identityGcpAuth = await identityGcpAuthDAL.findOne({ identityId });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+
+    return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  return {
+    login,
+    attachGcpAuth,
+    updateGcpAuth,
+    getGcpAuth
+  };
+};

backend/src/services/identity-gcp-auth/identity-gcp-auth-types.ts

@@ -0,0 +1,78 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export type TLoginGcpAuthDTO = {
+  identityId: string;
+  jwt: string;
+};
+
+export type TAttachGcpAuthDTO = {
+  identityId: string;
+  type: "iam" | "gce";
+  allowedServiceAccounts: string;
+  allowedProjects: string;
+  allowedZones: string;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateGcpAuthDTO = {
+  identityId: string;
+  type?: "iam" | "gce";
+  allowedServiceAccounts?: string;
+  allowedProjects?: string;
+  allowedZones?: string;
+  accessTokenTTL?: number;
+  accessTokenMaxTTL?: number;
+  accessTokenNumUsesLimit?: number;
+  accessTokenTrustedIps?: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetGcpAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+type TComputeEngineDetails = {
+  instance_creation_timestamp: number;
+  instance_id: string;
+  instance_name: string;
+  project_id: string;
+  project_number: number;
+  zone: string;
+};
+
+export type TGcpIdentityDetails = {
+  email: string;
+  computeEngineDetails?: TComputeEngineDetails;
+};
+
+export type TGcpIdTokenPayload = {
+  aud: string;
+  azp: string;
+  email: string;
+  email_verified: boolean;
+  exp: number;
+  google?: {
+    compute_engine: TComputeEngineDetails;
+  };
+  iat: number;
+  iss: string;
+  sub: string;
+};
+
+export type TDecodedGcpIamAuthJwt = {
+  header: {
+    alg: string;
+    kid: string;
+    typ: string;
+  };
+  payload: {
+    sub: string;
+    aud: string;
+  };
+  signature: string;
+  metadata: {
+    [key: string]: string;
+  };
+};

backend/src/services/identity-gcp-auth/identity-gcp-auth-validators.ts

@@ -0,0 +1,14 @@
+import { z } from "zod";
+
+export const validateGcpAuthField = z
+  .string()
+  .trim()
+  .default("")
+  .transform((data) => {
+    if (data === "") return "";
+    // Trim each ID and join with ', ' to ensure formatting
+    return data
+      .split(",")
+      .map((id) => id.trim())
+      .join(", ");
+  });

backend/src/services/identity-ua/identity-ua-service.ts

@@ -52,7 +52,7 @@ export const identityUaServiceFactory = ({
 }: TIdentityUaServiceFactoryDep) => {
   const login = async (clientId: string, clientSecret: string, ip: string) => {
     const identityUa = await identityUaDAL.findOne({ clientId });
-    if (!identityUa) throw new UnauthorizedError();
+    if (!identityUa) throw new UnauthorizedError({ message: "Invalid credentials" });
 
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityUa.identityId });
 
@@ -68,7 +68,7 @@ export const identityUaServiceFactory = ({
     const validClientSecretInfo = clientSecrtInfo.find(({ clientSecretHash }) =>
       bcrypt.compareSync(clientSecret, clientSecretHash)
     );
-    if (!validClientSecretInfo) throw new UnauthorizedError();
+    if (!validClientSecretInfo) throw new UnauthorizedError({ message: "Invalid credentials" });
 
     const { clientSecretTTL, clientSecretNumUses, clientSecretNumUsesLimit } = validClientSecretInfo;
     if (Number(clientSecretTTL) > 0) {

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -517,20 +517,22 @@ const syncSecretsAWSParameterStore = async ({
     })
   );
 
-  // Identify secrets to delete
-  await Promise.all(
-    Object.keys(awsParameterStoreSecretsObj).map(async (key) => {
-      if (!(key in secrets)) {
-        // case:
-        // -> delete secret
-        await ssm
-          .deleteParameter({
-            Name: awsParameterStoreSecretsObj[key].Name as string
-          })
-          .promise();
-      }
-    })
-  );
+  if (!metadata.shouldDisableDelete) {
+    // Identify secrets to delete
+    await Promise.all(
+      Object.keys(awsParameterStoreSecretsObj).map(async (key) => {
+        if (!(key in secrets)) {
+          // case:
+          // -> delete secret
+          await ssm
+            .deleteParameter({
+              Name: awsParameterStoreSecretsObj[key].Name as string
+            })
+            .promise();
+        }
+      })
+    );
+  }
 };
 
 /**

backend/src/services/integration/integration-types.ts

@@ -27,6 +27,7 @@ export type TCreateIntegrationDTO = {
       value: string;
     }[];
     kmsKeyId?: string;
+    shouldDisableDelete?: boolean;
   };
 } & Omit<TProjectPermission, "projectId">;
 

backend/src/services/org/org-service.ts

@@ -546,6 +546,10 @@ export const orgServiceFactory = ({
       code
     });
 
+    await userDAL.updateById(user.id, {
+      isEmailVerified: true
+    });
+
     if (user.isAccepted) {
       // this means user has already completed signup process
       // isAccepted is set true when keys are exchanged

backend/src/services/secret-folder/secret-folder-service.ts

@@ -8,9 +8,16 @@ import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { BadRequestError } from "@app/lib/errors";
 
+import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TSecretFolderDALFactory } from "./secret-folder-dal";
-import { TCreateFolderDTO, TDeleteFolderDTO, TGetFolderDTO, TUpdateFolderDTO } from "./secret-folder-types";
+import {
+  TCreateFolderDTO,
+  TDeleteFolderDTO,
+  TGetFolderDTO,
+  TUpdateFolderDTO,
+  TUpdateManyFoldersDTO
+} from "./secret-folder-types";
 import { TSecretFolderVersionDALFactory } from "./secret-folder-version-dal";
 
 type TSecretFolderServiceFactoryDep = {
@@ -19,6 +26,7 @@ type TSecretFolderServiceFactoryDep = {
   folderDAL: TSecretFolderDALFactory;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
   folderVersionDAL: TSecretFolderVersionDALFactory;
+  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
 };
 
 export type TSecretFolderServiceFactory = ReturnType<typeof secretFolderServiceFactory>;
@@ -28,7 +36,8 @@ export const secretFolderServiceFactory = ({
   snapshotService,
   permissionService,
   projectEnvDAL,
-  folderVersionDAL
+  folderVersionDAL,
+  projectDAL
 }: TSecretFolderServiceFactoryDep) => {
   const createFolder = async ({
     projectId,
@@ -116,6 +125,105 @@ export const secretFolderServiceFactory = ({
     return folder;
   };
 
+  const updateManyFolders = async ({
+    actor,
+    actorId,
+    projectSlug,
+    actorAuthMethod,
+    actorOrgId,
+    folders
+  }: TUpdateManyFoldersDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) {
+      throw new BadRequestError({ message: "Project not found" });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    folders.forEach(({ environment, path: secretPath }) => {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Edit,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      );
+    });
+
+    const result = await folderDAL.transaction(async (tx) =>
+      Promise.all(
+        folders.map(async (newFolder) => {
+          const { environment, path: secretPath, id, name } = newFolder;
+
+          const parentFolder = await folderDAL.findBySecretPath(project.id, environment, secretPath);
+          if (!parentFolder) {
+            throw new BadRequestError({ message: "Secret path not found", name: "Batch update folder" });
+          }
+
+          const env = await projectEnvDAL.findOne({ projectId: project.id, slug: environment });
+          if (!env) {
+            throw new BadRequestError({ message: "Environment not found", name: "Batch update folder" });
+          }
+          const folder = await folderDAL
+            .findOne({ envId: env.id, id, parentId: parentFolder.id })
+            // now folder api accepts id based change
+            // this is for cli backward compatiability and when cli removes this, we will remove this logic
+            .catch(() => folderDAL.findOne({ envId: env.id, name: id, parentId: parentFolder.id }));
+
+          if (!folder) {
+            throw new BadRequestError({ message: "Folder not found" });
+          }
+          if (name !== folder.name) {
+            // ensure that new folder name is unique
+            const folderToCheck = await folderDAL.findOne({
+              name,
+              envId: env.id,
+              parentId: parentFolder.id
+            });
+
+            if (folderToCheck) {
+              throw new BadRequestError({
+                message: "Folder with specified name already exists",
+                name: "Batch update folder"
+              });
+            }
+          }
+
+          const [doc] = await folderDAL.update(
+            { envId: env.id, id: folder.id, parentId: parentFolder.id },
+            { name },
+            tx
+          );
+          await folderVersionDAL.create(
+            {
+              name: doc.name,
+              envId: doc.envId,
+              version: doc.version,
+              folderId: doc.id
+            },
+            tx
+          );
+          if (!doc) {
+            throw new BadRequestError({ message: "Folder not found", name: "Batch update folder" });
+          }
+
+          return { oldFolder: folder, newFolder: doc };
+        })
+      )
+    );
+
+    await Promise.all(result.map(async (res) => snapshotService.performSnapshot(res.newFolder.parentId as string)));
+
+    return {
+      projectId: project.id,
+      newFolders: result.map((res) => res.newFolder),
+      oldFolders: result.map((res) => res.oldFolder)
+    };
+  };
+
   const updateFolder = async ({
     projectId,
     actor,
@@ -151,6 +259,21 @@ export const secretFolderServiceFactory = ({
       .catch(() => folderDAL.findOne({ envId: env.id, name: id, parentId: parentFolder.id }));
 
     if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (name !== folder.name) {
+      // ensure that new folder name is unique
+      const folderToCheck = await folderDAL.findOne({
+        name,
+        envId: env.id,
+        parentId: parentFolder.id
+      });
+
+      if (folderToCheck) {
+        throw new BadRequestError({
+          message: "Folder with specified name already exists",
+          name: "Update folder"
+        });
+      }
+    }
 
     const newFolder = await folderDAL.transaction(async (tx) => {
       const [doc] = await folderDAL.update({ envId: env.id, id: folder.id, parentId: parentFolder.id }, { name }, tx);
@@ -239,6 +362,7 @@ export const secretFolderServiceFactory = ({
   return {
     createFolder,
     updateFolder,
+    updateManyFolders,
     deleteFolder,
     getFolders
   };

backend/src/services/secret-folder/secret-folder-types.ts

@@ -13,6 +13,16 @@ export type TUpdateFolderDTO = {
   name: string;
 } & TProjectPermission;
 
+export type TUpdateManyFoldersDTO = {
+  projectSlug: string;
+  folders: {
+    environment: string;
+    path: string;
+    id: string;
+    name: string;
+  }[];
+} & Omit<TProjectPermission, "projectId">;
+
 export type TDeleteFolderDTO = {
   environment: string;
   path: string;

backend/src/services/secret/secret-service.ts

@@ -972,7 +972,8 @@ export const secretServiceFactory = ({
     path,
     actor,
     environment,
-    projectId,
+    projectId: workspaceId,
+    projectSlug,
     actorId,
     actorOrgId,
     actorAuthMethod,
@@ -980,6 +981,8 @@ export const secretServiceFactory = ({
     includeImports,
     version
   }: TGetASecretRawDTO) => {
+    const projectId = workspaceId || (await projectDAL.findProjectBySlug(projectSlug as string, actorOrgId)).id;
+
     const botKey = await projectBotService.getBotKey(projectId);
     if (!botKey) throw new BadRequestError({ message: "Project bot not found", name: "bot_not_found_error" });
 

backend/src/services/secret/secret-types.ts

@@ -152,7 +152,9 @@ export type TGetASecretRawDTO = {
   type: "shared" | "personal";
   includeImports?: boolean;
   version?: number;
-} & TProjectPermission;
+  projectSlug?: string;
+  projectId?: string;
+} & Omit<TProjectPermission, "projectId">;
 
 export type TCreateSecretRawDTO = TProjectPermission & {
   secretPath: string;

docs/documentation/platform/identities/aws-auth.mdx

@@ -27,7 +27,7 @@ sequenceDiagram
   Note over Infis: Step 4: Identity Property Validation
   Infis->>Client: Return short-lived access token
 
-  Note over Client,Infis: Step 4: Access Infisical API with Token
+  Note over Client,Infis: Step 5: Access Infisical API with Token
   Client->>Infis: Make authenticated requests using the short-lived access token
 ```
 
@@ -36,9 +36,13 @@ sequenceDiagram
 At a high-level, Infisical authenticates an IAM principal by verifying its identity and checking that it meets specific requirements (e.g. it is an allowed IAM principal ARN) at the `/api/v1/auth/aws-auth/login` endpoint. If successful,
 then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
 
-In AWS Auth, an IAM principal signs a `GetCallerIdentity` query using the [AWS Signature v4 algorithm](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html); this is done using the credentials from the AWS environment where the IAM principal is running.
-The query data including the request method, request body, and request headers are sent to Infisical afterwhich Infisical forwards the signed query to AWS STS API via the [sts:GetCallerIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html) method to verify and obtain the identity of the IAM principal.
-Once obtained, the identity information is verified against specified requirements such as if the associated IAM principal ARN is allowed to authenticate with Infisical. If all is well, Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+To be more specific:
+
+1. The client IAM principal signs a `GetCallerIdentity` query using the [AWS Signature v4 algorithm](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html); this is done using the credentials from the AWS environment where the IAM principal is running.
+2. The client sends the signed query data to Infisical including the request method, request body, and request headers.
+3. Infisical reconstructs the query and sends it to AWS STS API via the [sts:GetCallerIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html) method for verification and obtains the identity associated with the IAM principal.
+4. Infisical checks the identity's properties against set criteria such **Allowed Principal ARNs**.
+5. If all is well, Infisical returns a short-lived access token that the IAM principal can use to make authenticated requests to the Infisical API.
 
 <Note>
 We recommend using one of Infisical's clients like SDKs or the Infisical Agent
@@ -51,7 +55,7 @@ as part of the AWS Auth workflow.
 
 </Note>
 
-## Workflow
+## Guide
 
 In the following steps, we explore how to create and use identities for your workloads and applications on AWS to
 access the Infisical API using the AWS Auth authentication method.

docs/documentation/platform/identities/gcp-auth.mdx

@@ -0,0 +1,351 @@
+---
+title: GCP Auth
+description: "Learn how to authenticate with Infisical for services on Google Cloud Platform"
+---
+
+**GCP Auth** is a GCP-native authentication method for GCP resources to access Infisical. It consists of two sub-methods/approaches:
+
+- GCP ID Token Auth: For GCP services including [Compute Engine](https://cloud.google.com/compute/docs/instances/verifying-instance-identity#request_signature), [App Engine standard environment](https://cloud.google.com/appengine/docs/standard/python3/runtime#metadata_server), [App Engine flexible environment](https://cloud.google.com/appengine/docs/flexible/python/runtime#metadata_server), [Cloud Functions](https://cloud.google.com/functions/docs/securing/function-identity#using_the_metadata_server_to_acquire_tokens), [Cloud Run](https://cloud.google.com/run/docs/container-contract#metadata-server), [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#instance_metadata), and [Cloud Build](https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#instance_metadata) to authenticate with Infisical.
+- GCP IAM Auth: For Google Cloud Platform (GCP) service accounts to authenticate with Infisical.
+
+<Tabs>
+  <Tab title="Google ID Token Auth">
+
+    ## Diagram
+
+    The following sequence digram illustrates the GCP ID Token Auth workflow for authenticating GCP resources with Infisical.
+
+```mermaid
+sequenceDiagram
+  participant GCE as GCP Service
+  participant Infis as Infisical
+  participant Google as OAuth2 API
+
+  Note over GCE,Google: Step 1: Instance Identity Token Retrieval
+  GCE->>Google: Request instance identity metadata token
+  Google-->>GCE: Return JWT token with RS256 signature
+
+  Note over GCE,Infis: Step 2: Identity Token Login Operation
+  GCE->>Infis: Send JWT token to /api/v1/auth/gcp-auth/login
+  Infis->>Google: Request OAuth2 certificates
+  Google-->>Infis: Return certificates
+
+  Note over Infis: Step 3: Identity Token Verification
+  Note over Infis: Step 4: Identity Property Validation
+  Infis->>GCE: Return short-lived access token
+
+  Note over GCE,Infis: Step 4: Access Infisical API with Token
+  GCE->>Infis: Make authenticated requests using the short-lived access token
+```
+
+    ## Concept
+
+At a high-level, Infisical authenticates a GCP resource by verifying its identity and checking that it meets specific requirements (e.g. it is an allowed GCE instance) at the `/api/v1/auth/gcp-auth/login` endpoint. If successful,
+then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+To be more specific:
+
+1. The client running on a GCP service obtains an [ID token](https://cloud.google.com/docs/authentication/get-id-token) constituting the identity for a GCP resource such as a GCE instance or Cloud Function; this is a unique JWT token that includes details about the instance as well as Google's [RS256 signature](https://datatracker.ietf.org/doc/html/rfc7518#section-3.3).
+2. The client sends the ID token to Infisical.
+3. Infisical verifies the token against Google's [public OAuth2 certificates](https://www.googleapis.com/oauth2/v3/certs).
+4. Infisical checks if the entity behind the ID token is allowed to authenticate with Infisical based on set criteria such as **Allowed Service Account Emails**.
+5. If all is well, Infisical returns a short-lived access token that the client can use to make authenticated requests to the Infisical API.
+
+<Note>
+We recommend using one of Infisical's clients like SDKs or the Infisical Agent
+to authenticate with Infisical using GCP ID Token Auth as they handle the
+authentication process including generating the instance ID token for you.
+
+Also, note that Infisical needs network-level access to send requests to the Google Cloud API
+as part of the GCP Auth workflow.
+
+</Note>
+
+## Guide
+
+In the following steps, we explore how to create and use identities for your workloads and applications on GCP to
+access the Infisical API using the GCP ID Token authentication method.
+
+<Steps>
+    <Step title="Creating an identity">
+    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+
+    ![identities organization](/images/platform/identities/identities-org.png)
+
+    When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
+
+    ![identities organization create](/images/platform/identities/identities-org-create.png)
+
+    Now input a few details for your new identity. Here's some guidance for each field:
+
+    - Name (required): A friendly name for the identity.
+    - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
+
+    Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **GCP Auth** and set the **Type** to **GCP ID Token Auth**.
+
+    ![identities create gcp auth method](/images/platform/identities/identities-org-create-gcp-gce-auth-method.png)
+
+    Here's some more guidance on each field:
+
+    - Allowed Service Account Emails: A comma-separated list of trusted service account emails corresponding to the GCE resource(s) allowed to authenticate with Infisical; this could be something like `test@project.iam.gserviceaccount.com`, `12345-compute@developer.gserviceaccount.com`, etc.
+    - Allowed Projects: A comma-separated list of trusted GCP projects that the GCE instance must belong to authenticate with Infisical. Note that this validation property will only work for GCE instances.
+    - Allowed Zones: A comma-separated list of trusted zones that the GCE instances must belong to authenticate with Infisical; this should be the fully-qualified zone name in the format `<region>-<zone>`like `us-central1-a`, `us-west1-b`, etc. Note that this validation property will only work for GCE instances.
+    - Access Token TTL (default is `2592000` equivalent to 30 days): The lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+    - Access Token Max TTL (default is `2592000`  equivalent to 30 days): The maximum lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+    - Access Token Max Number of Uses (default is `0`): The maximum number of times that an access token can be used; a value of `0` implies infinite number of uses.
+    - Access Token Trusted IPs: The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the `0.0.0.0/0`, allowing usage from any network address.
+
+    </Step>
+    <Step title="Adding an identity to a project">
+    To enable the identity to access project-level resources such as secrets within a specific project, you should add it to that project.
+
+    To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
+
+    Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
+
+    ![identities project](/images/platform/identities/identities-project.png)
+
+    ![identities project create](/images/platform/identities/identities-project-create.png)
+    </Step>
+    <Step title="Accessing the Infisical API with the identity">
+        To access the Infisical API as the identity, you need to generate an [ID token](https://cloud.google.com/docs/authentication/get-id-token) constituting the identity of the present GCE instance and make a request to the `/api/v1/auth/gcp-auth/login` endpoint containing the token in exchange for an access token.
+
+        We provide a few code examples below of how you can authenticate with Infisical to access the [Infisical API](/api-reference/overview/introduction).
+
+        <AccordionGroup>
+            <Accordion
+                title="Sample code for generating the ID token"
+            >
+                Start by making a request from the GCE instance to obtain the ID token.
+                For more examples of how to obtain the token in Java, Go, Node.js, etc. refer to the [official documentation](https://cloud.google.com/docs/authentication/get-id-token#curl).
+
+                #### Sample request
+                <CodeGroup>
+                ```bash curl
+                curl -H "Metadata-Flavor: Google" \
+                'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=<identityId>'
+                ```
+                </CodeGroup>
+
+                <Note>
+                    Note that you should replace `<identityId>` with the ID of the identity you created in step 1.
+                </Note>
+
+                Next use send the obtained JWT token along to authenticate with Infisical and obtain an access token.
+
+                #### Sample request
+
+                ```bash Request
+                curl --location --request POST 'https://app.infisical.com/api/v1/auth/gcp-auth/login' \
+                    --header 'Content-Type: application/x-www-form-urlencoded' \
+                    --data-urlencode 'identityId=...' \
+                    --data-urlencode 'jwt=...'
+                ```
+
+                #### Sample response
+
+                ```bash Response
+                {
+                    "accessToken": "...",
+                    "expiresIn": 7200,
+                    "accessTokenMaxTTL": 43244
+                    "tokenType": "Bearer"
+                }
+                ```
+
+                Next, you can use the access token to access the [Infisical API](/api-reference/overview/introduction)
+            </Accordion>
+        </AccordionGroup>
+
+        <Tip>
+            We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using GCP IAM Auth as they handle the authentication process including generating the signed JWT token.
+        </Tip>
+        <Note>
+        Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+        the default TTL is `7200` seconds which can be adjusted.
+        If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
+        a new access token should be obtained by performing another login operation.
+        </Note>
+    </Step>
+
+</Steps>
+
+  </Tab>
+<Tab title="GCP IAM Auth">
+  
+    ## Diagram
+
+    The following sequence digram illustrates the GCP IAM Auth workflow for authenticating GCP IAM service accounts with Infisical.
+
+```mermaid
+sequenceDiagram
+  participant GCE as Client
+  participant Infis as Infisical
+  participant Google as Cloud IAM
+
+  Note over GCE,Google: Step 1: Signed JWT Token Generation
+  GCE->>Google: Request to generate signed JWT token
+  Google-->>GCE: Return signed JWT token
+
+  Note over GCE,Infis: Step 2: JWT Token Login Operation
+  GCE->>Infis: Send signed JWT token to /api/v1/auth/gcp-auth/login
+  Infis->>Google: Request public key
+  Google-->>Infis: Return public key
+
+  Note over Infis: Step 3: JWT Token Verification
+  Note over Infis: Step 4: JWT Property Validation
+  Infis->>GCE: Return short-lived access token
+
+  Note over GCE,Infis: Step 5: Access Infisical API with Token
+  GCE->>Infis: Make authenticated requests using the short-lived access token
+```
+
+## Concept
+
+At a high-level, Infisical authenticates an IAM service account by verifying its identity and checking that it meets specific requirements (e.g. it is an allowed service account) at the `/api/v1/auth/gcp-auth/login` endpoint. If successful,
+then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+To be more specific:
+
+1. The client generates a signed JWT token using the `projects.serviceAccounts.signJwt` [API method](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt); this is done using the service account credentials associated with the client.
+2. The client sends the signed JWT token to Infisical.
+3. Infisical verifies the signed JWT token.
+4. Infisical checks if the service account behind the JWT token is allowed to authenticate with Infisical based **Allowed Service Account Emails**.
+5. If all is well, Infisical returns a short-lived access token that the client can use to make authenticated requests to the Infisical API.
+
+<Note>
+We recommend using one of Infisical's clients like SDKs or the Infisical Agent
+to authenticate with Infisical using GCP IAM Auth as they handle the
+authentication process including generating the signed JWT token.
+
+Also, note that Infisical needs network-level access to send requests to the Google Cloud API
+as part of the GCP Auth workflow.
+
+</Note>
+
+## Guide
+
+In the following steps, we explore how to create and use identities for your workloads and applications on GCP to
+access the Infisical API using the GCP IAM authentication method.
+
+<Steps>
+    <Step title="Creating an identity">
+    To create an identity, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
+
+    ![identities organization](/images/platform/identities/identities-org.png)
+
+    When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
+
+    ![identities organization create](/images/platform/identities/identities-org-create.png)
+
+    Now input a few details for your new identity. Here's some guidance for each field:
+
+    - Name (required): A friendly name for the identity.
+    - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
+
+    Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **GCP IAM Auth** and set the **Type** to **GCP IAM Auth**.
+
+    ![identities create gcp auth method](/images/platform/identities/identities-org-create-gcp-iam-auth-method.png)
+
+    Here's some more guidance on each field:
+
+    - Allowed Service Account Emails: A comma-separated list of trusted IAM service account emails that are allowed to authenticate with Infisical; this could be something like `test@project.iam.gserviceaccount.com`, `12345-compute@developer.gserviceaccount.com`, etc.
+    - Access Token TTL (default is `2592000` equivalent to 30 days): The lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+    - Access Token Max TTL (default is `2592000`  equivalent to 30 days): The maximum lifetime for an acccess token in seconds. This value will be referenced at renewal time.
+    - Access Token Max Number of Uses (default is `0`): The maximum number of times that an access token can be used; a value of `0` implies infinite number of uses.
+    - Access Token Trusted IPs: The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the `0.0.0.0/0`, allowing usage from any network address.
+
+    </Step>
+    <Step title="Adding an identity to a project">
+    To enable the identity to access project-level resources such as secrets within a specific project, you should add it to that project.
+
+    To do this, head over to the project you want to add the identity to and go to Project Settings > Access Control > Machine Identities and press **Add identity**.
+
+    Next, select the identity you want to add to the project and the project level role you want to allow it to assume. The project role assigned will determine what project level resources this identity can have access to.
+
+    ![identities project](/images/platform/identities/identities-project.png)
+
+    ![identities project create](/images/platform/identities/identities-project-create.png)
+    </Step>
+    <Step title="Accessing the Infisical API with the identity">
+        To access the Infisical API as the identity, you need to generate a signed JWT token using the `projects.serviceAccounts.signJwt` [API method](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt) and make a request to the `/api/v1/auth/gcp-auth/login` endpoint containing the signed JWT token in exchange for an access token.
+
+        <Info>
+            Make sure that the service account has the `iam.serviceAccounts.signJwt` permission or the `roles/iam.serviceAccountTokenCreator` role.
+        </Info>
+
+        We provide a few code examples below of how you can authenticate with Infisical to access the [Infisical API](/api-reference/overview/introduction).
+
+        <AccordionGroup>
+            <Accordion
+                title="Sample code for generating a signed JWT token"
+            >
+                The following code provides a generic example of how you can generate a signed JWT token against the `projects.serviceAccounts.signJwt` API method.
+
+                The shown example uses Node.js and the official [google-auth-library](https://github.com/googleapis/google-auth-library-nodejs#readme) package but you can use any language you wish.
+
+
+                ```javascript
+                const { GoogleAuth } = require("google-auth-library");
+
+                const auth = new GoogleAuth({
+                    scopes: "https://www.googleapis.com/auth/cloud-platform",
+                });
+
+                const credentials = await auth.getCredentials();
+
+                const identityId = "<your-infisical-identity-id>";
+
+                const jwtPayload = {
+                    sub: credentials.client_email,
+                    aud: identityId,
+                };
+
+                const { data } = await client.request({
+                    url: `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${credentials.client_email}:signJwt`,
+                    method: "POST",
+                    data: { payload: JSON.stringify(jwtPayload) },
+                });
+
+                const jwt = data.signedJwt // send this jwt to Infisical in the next step
+                ```
+
+                #### Sample request
+
+                ```bash Request
+                curl --location --request POST 'https://app.infisical.com/api/v1/auth/gcp-auth/login' \
+                    --header 'Content-Type: application/x-www-form-urlencoded' \
+                    --data-urlencode 'identityId=...' \
+                    --data-urlencode 'jwt=...'
+                ```
+
+                #### Sample response
+
+                ```bash Response
+                {
+                    "accessToken": "...",
+                    "expiresIn": 7200,
+                    "accessTokenMaxTTL": 43244
+                    "tokenType": "Bearer"
+                }
+                ```
+
+                Next, you can use the access token to access the [Infisical API](/api-reference/overview/introduction)
+            </Accordion>
+        </AccordionGroup>
+
+        <Tip>
+            We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using GCP IAM Auth as they handle the authentication process including generating the signed JWT token.
+        </Tip>
+        <Note>
+        Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+        the default TTL is `7200` seconds which can be adjusted.
+        If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
+        a new access token should be obtained by performing another login operation.
+        </Note>
+    </Step>
+
+</Steps>
+  </Tab>
+  
+</Tabs>

docs/documentation/platform/identities/machine-identities.mdx

@@ -7,7 +7,7 @@ description: "Learn how to use Machine Identities to programmatically interact w
 
 An Infisical machine identity is an entity that represents a workload or application that require access to various resources in Infisical. This is conceptually similar to an IAM user in AWS or service account in Google Cloud Platform (GCP).
 
-Each identity must authenticate using a supported authentication method like [Universal Auth](/documentation/platform/identities/universal-auth) or [AWS Auth](/documentation/platform/identities/aws-auth) to get back a short-lived access token to be used in subsequent requests.
+Each identity must authenticate with the Infisical API using a supported authentication method like [Universal Auth](/documentation/platform/identities/universal-auth), [AWS Auth](/documentation/platform/identities/aws-auth), or [GCP Auth](/documentation/platform/identities/gcp-auth) to get back a short-lived access token to be used in subsequent requests.
 
 ![organization identities](/images/platform/organization/organization-machine-identities.png)
 
@@ -21,7 +21,7 @@ Key Features:
 A typical workflow for using identities consists of four steps:
 
 1. Creating the identity with a name and [role](/documentation/platform/role-based-access-controls) in Organization Access Control > Machine Identities.
-   This step also involves configuring an authentication method for it such as [Universal Auth](/documentation/platform/identities/universal-auth) or [AWS Auth](/documentation/platform/identities/aws-auth).
+   This step also involves configuring an authentication method for it.
 2. Adding the identity to the project(s) you want it to have access to.
 3. Authenticating the identity with the Infisical API based on the configured authentication method on it and receiving a short-lived access token back.
 4. Authenticating subsequent requests with the Infisical API using the short-lived access token.
@@ -39,6 +39,9 @@ To interact with various resources in Infisical, Machine Identities are able to
 
 - [Universal Auth](/documentation/platform/identities/universal-auth): A platform-agnostic authentication method that can be configured on an identity suitable to authenticate from any platform/environment.
 - [AWS Auth](/documentation/platform/identities/aws-auth): An AWS-native authentication method for IAM principals like EC2 instances or Lambda functions to authenticate with Infisical.
+- [GCP Auth](/documentation/platform/identities/gcp-auth): A GCP-native authentication method for GCP resources (e.g. Compute Engine, App Engine, Cloud Run, Google Kubernetes Engine, IAM service accounts, etc.) to authenticate with Infisical.
+
+IAM service accounts and GCE instances to authenticate with Infisical.
 
 ## FAQ
 

docs/documentation/platform/identities/universal-auth.mdx

@@ -5,14 +5,37 @@ description: "Learn how to authenticate to Infisical from any platform or enviro
 
 **Universal Auth** is a platform-agnostic authentication method that can be configured for a [machine identity](/documentation/platform/identities/machine-identities) suitable to authenticate from any platform/environment.
 
+## Diagram
+
+The following sequence digram illustrates the Universal Auth workflow for authenticating clients with Infisical.
+
+```mermaid
+sequenceDiagram
+  participant Client as Client
+  participant Infis as Infisical
+
+  Note over Client,Infis: Step 1: Login Operation
+  Client->>Infis: Send Client ID and Client Secret
+
+  Note over Infis: Step 2: Client ID and Client Secret validation
+  Infis->>Client: Return short-lived access token
+
+  Note over Client,Infis: Step 3: Access Infisical API with Token
+  Client->>Infis: Make authenticated requests using the short-lived access token
+```
+
 ## Concept
 
-In this method, Infisical authenticates an identity by verifying the credentials issued for it at the `/api/v1/auth/universal-auth/login` endpoint. If successful,
+In this method, Infisical authenticates a client by verifying the credentials issued for it at the `/api/v1/auth/universal-auth/login` endpoint. If successful,
 then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
 
-In Universal Auth, an identity is given a **Client ID** and one or more **Client Secret(s)**. Together, a **Client ID** and **Client Secret** can be exchanged for a short-lived access token to authenticate with the Infisical API.
+To be more specific:
 
-## Workflow
+1. The client submits a **Client ID** and **Client Secret** to Infisical.
+2. Infisical verifies the credential pair.
+3. If all is well, Infisical returns a short-lived access token that the client can use to make authenticated requests to the Infisical API.
+
+## Guide
 
 In the following steps, we explore how to create and use identities for your workloads and applications to access the Infisical API
 using the Universal Auth authentication method.
@@ -129,7 +152,7 @@ using the Universal Auth authentication method.
   - The client secret/access token is being used from an untrusted IP.
 </Accordion>
 <Accordion title="What is access token renewal and TTL/Max TTL?">
-  A identity access token can have a time-to-live (TTL) or incremental lifetime afterwhich it expires.
+  A identity access token can have a time-to-live (TTL) or incremental lifetime after which it expires.
   
   In certain cases, you may want to extend the lifespan of an access token; to do so, you must set a max TTL parameter.
 

docs/integrations/cicd/githubactions.mdx

@@ -3,9 +3,15 @@ title: "GitHub Actions"
 description: "How to sync secrets from Infisical to GitHub Actions"
 ---
 
+<Note>
+  Alternatively, you can use Infisical's official Github Action
+  [here](https://github.com/Infisical/secrets-action).
+</Note>
+
 Infisical lets you sync secrets to GitHub at the organization-level, repository-level, and repository environment-level.
 
 Prerequisites:
+
 - Set up and add envars to [Infisical Cloud](https://app.infisical.com)
 - Ensure that you have admin privileges to the repository you want to sync secrets to.
 

docs/mint.json

@@ -153,6 +153,7 @@
         "documentation/platform/auth-methods/email-password",
         "documentation/platform/token",
         "documentation/platform/identities/universal-auth",
+        "documentation/platform/identities/gcp-auth",
         "documentation/platform/identities/aws-auth",
         "documentation/platform/mfa",
         {

frontend/src/hooks/api/identities/constants.tsx

@@ -2,5 +2,6 @@ import { IdentityAuthMethod } from "./enums";
 
 export const identityAuthToNameMap: { [I in IdentityAuthMethod]: string } = {
   [IdentityAuthMethod.UNIVERSAL_AUTH]: "Universal Auth",
+  [IdentityAuthMethod.GCP_AUTH]: "GCP Auth",
   [IdentityAuthMethod.AWS_AUTH]: "AWS Auth"
 };

frontend/src/hooks/api/identities/enums.tsx

@@ -1,4 +1,5 @@
 export enum IdentityAuthMethod {
   UNIVERSAL_AUTH = "universal-auth",
+  GCP_AUTH = "gcp-auth",
   AWS_AUTH = "aws-auth"
 }

frontend/src/hooks/api/identities/index.tsx

@@ -2,6 +2,7 @@ export { identityAuthToNameMap } from "./constants";
 export { IdentityAuthMethod } from "./enums";
 export {
   useAddIdentityAwsAuth,
+  useAddIdentityGcpAuth,
   useAddIdentityUniversalAuth,
   useCreateIdentity,
   useCreateIdentityUniversalAuthClientSecret,
@@ -9,10 +10,11 @@ export {
   useRevokeIdentityUniversalAuthClientSecret,
   useUpdateIdentity,
   useUpdateIdentityAwsAuth,
-  useUpdateIdentityUniversalAuth
-} from "./mutations";
+  useUpdateIdentityGcpAuth,
+  useUpdateIdentityUniversalAuth} from "./mutations";
 export {
   useGetIdentityAwsAuth,
+  useGetIdentityGcpAuth,
   useGetIdentityUniversalAuth,
   useGetIdentityUniversalAuthClientSecrets
 } from "./queries";

frontend/src/hooks/api/identities/mutations.tsx

@@ -6,6 +6,7 @@ import { organizationKeys } from "../organization/queries";
 import { identitiesKeys } from "./queries";
 import {
   AddIdentityAwsAuthDTO,
+  AddIdentityGcpAuthDTO,
   AddIdentityUniversalAuthDTO,
   ClientSecretData,
   CreateIdentityDTO,
@@ -15,9 +16,11 @@ import {
   DeleteIdentityUniversalAuthClientSecretDTO,
   Identity,
   IdentityAwsAuth,
+  IdentityGcpAuth,
   IdentityUniversalAuth,
   UpdateIdentityAwsAuthDTO,
   UpdateIdentityDTO,
+  UpdateIdentityGcpAuthDTO,
   UpdateIdentityUniversalAuthDTO
 } from "./types";
 
@@ -173,6 +176,82 @@ export const useRevokeIdentityUniversalAuthClientSecret = () => {
   });
 };
 
+export const useAddIdentityGcpAuth = () => {
+  const queryClient = useQueryClient();
+  return useMutation<IdentityGcpAuth, {}, AddIdentityGcpAuthDTO>({
+    mutationFn: async ({
+      identityId,
+      type,
+      allowedServiceAccounts,
+      allowedProjects,
+      allowedZones,
+      accessTokenTTL,
+      accessTokenMaxTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps
+    }) => {
+      const {
+        data: { identityGcpAuth }
+      } = await apiRequest.post<{ identityGcpAuth: IdentityGcpAuth }>(
+        `/api/v1/auth/gcp-auth/identities/${identityId}`,
+        {
+          type,
+          allowedServiceAccounts,
+          allowedProjects,
+          allowedZones,
+          accessTokenTTL,
+          accessTokenMaxTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps
+        }
+      );
+
+      return identityGcpAuth;
+    },
+    onSuccess: (_, { organizationId }) => {
+      queryClient.invalidateQueries(organizationKeys.getOrgIdentityMemberships(organizationId));
+    }
+  });
+};
+
+export const useUpdateIdentityGcpAuth = () => {
+  const queryClient = useQueryClient();
+  return useMutation<IdentityGcpAuth, {}, UpdateIdentityGcpAuthDTO>({
+    mutationFn: async ({
+      identityId,
+      type,
+      allowedServiceAccounts,
+      allowedProjects,
+      allowedZones,
+      accessTokenTTL,
+      accessTokenMaxTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps
+    }) => {
+      const {
+        data: { identityGcpAuth }
+      } = await apiRequest.patch<{ identityGcpAuth: IdentityGcpAuth }>(
+        `/api/v1/auth/gcp-auth/identities/${identityId}`,
+        {
+          type,
+          allowedServiceAccounts,
+          allowedProjects,
+          allowedZones,
+          accessTokenTTL,
+          accessTokenMaxTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps
+        }
+      );
+
+      return identityGcpAuth;
+    },
+    onSuccess: (_, { organizationId }) => {
+      queryClient.invalidateQueries(organizationKeys.getOrgIdentityMemberships(organizationId));
+    }
+  });
+};
+
 export const useAddIdentityAwsAuth = () => {
   const queryClient = useQueryClient();
   return useMutation<IdentityAwsAuth, {}, AddIdentityAwsAuthDTO>({
@@ -236,6 +315,7 @@ export const useUpdateIdentityAwsAuth = () => {
           accessTokenTrustedIps
         }
       );
+
       return identityAwsAuth;
     },
     onSuccess: (_, { organizationId }) => {

frontend/src/hooks/api/identities/queries.tsx

@@ -2,13 +2,14 @@ import { useQuery } from "@tanstack/react-query";
 
 import { apiRequest } from "@app/config/request";
 
-import { ClientSecretData, IdentityAwsAuth, IdentityUniversalAuth } from "./types";
+import { ClientSecretData, IdentityAwsAuth, IdentityGcpAuth, IdentityUniversalAuth } from "./types";
 
 export const identitiesKeys = {
   getIdentityUniversalAuth: (identityId: string) =>
     [{ identityId }, "identity-universal-auth"] as const,
   getIdentityUniversalAuthClientSecrets: (identityId: string) =>
     [{ identityId }, "identity-universal-auth-client-secrets"] as const,
+  getIdentityGcpAuth: (identityId: string) => [{ identityId }, "identity-gcp-auth"] as const,
   getIdentityAwsAuth: (identityId: string) => [{ identityId }, "identity-aws-auth"] as const
 };
 
@@ -42,6 +43,21 @@ export const useGetIdentityUniversalAuthClientSecrets = (identityId: string) =>
   });
 };
 
+export const useGetIdentityGcpAuth = (identityId: string) => {
+  return useQuery({
+    enabled: Boolean(identityId),
+    queryKey: identitiesKeys.getIdentityGcpAuth(identityId),
+    queryFn: async () => {
+      const {
+        data: { identityGcpAuth }
+      } = await apiRequest.get<{ identityGcpAuth: IdentityGcpAuth }>(
+        `/api/v1/auth/gcp-auth/identities/${identityId}`
+      );
+      return identityGcpAuth;
+    }
+  });
+};
+
 export const useGetIdentityAwsAuth = (identityId: string) => {
   return useQuery({
     enabled: Boolean(identityId),

frontend/src/hooks/api/identities/types.ts

@@ -113,6 +113,48 @@ export type UpdateIdentityUniversalAuthDTO = {
   }[];
 };
 
+export type IdentityGcpAuth = {
+  identityId: string;
+  type: "iam" | "gce";
+  allowedServiceAccounts: string;
+  allowedProjects: string;
+  allowedZones: string;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: IdentityTrustedIp[];
+};
+
+export type AddIdentityGcpAuthDTO = {
+  organizationId: string;
+  identityId: string;
+  type: "iam" | "gce";
+  allowedServiceAccounts: string;
+  allowedProjects: string;
+  allowedZones: string;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: {
+    ipAddress: string;
+  }[];
+};
+
+export type UpdateIdentityGcpAuthDTO = {
+  organizationId: string;
+  identityId: string;
+  type?: "iam" | "gce";
+  allowedServiceAccounts?: string;
+  allowedProjects?: string;
+  allowedZones?: string;
+  accessTokenTTL?: number;
+  accessTokenMaxTTL?: number;
+  accessTokenNumUsesLimit?: number;
+  accessTokenTrustedIps?: {
+    ipAddress: string;
+  }[];
+};
+
 export type IdentityAwsAuth = {
   identityId: string;
   type: "iam";

frontend/src/hooks/api/integrations/queries.tsx

@@ -68,6 +68,7 @@ export const useCreateIntegration = () => {
           value: string;
         }[];
         kmsKeyId?: string;
+        shouldDisableDelete?: boolean;
       };
     }) => {
       const {

frontend/src/hooks/api/secretFolders/queries.tsx

@@ -16,6 +16,7 @@ import {
   TGetFoldersByEnvDTO,
   TGetProjectFoldersDTO,
   TSecretFolder,
+  TUpdateFolderBatchDTO,
   TUpdateFolderDTO
 } from "./types";
 
@@ -190,3 +191,43 @@ export const useDeleteFolder = () => {
     }
   });
 };
+
+export const useUpdateFolderBatch = () => {
+  const queryClient = useQueryClient();
+
+  return useMutation<{}, {}, TUpdateFolderBatchDTO>({
+    mutationFn: async ({ projectSlug, folders }) => {
+      const { data } = await apiRequest.patch("/api/v1/folders/batch", {
+        projectSlug,
+        folders
+      });
+
+      return data;
+    },
+    onSuccess: (_, { projectId, folders }) => {
+      folders.forEach((folder) => {
+        queryClient.invalidateQueries(
+          folderQueryKeys.getSecretFolders({
+            projectId,
+            environment: folder.environment,
+            path: folder.path
+          })
+        );
+        queryClient.invalidateQueries(
+          secretSnapshotKeys.list({
+            workspaceId: projectId,
+            environment: folder.environment,
+            directory: folder.path
+          })
+        );
+        queryClient.invalidateQueries(
+          secretSnapshotKeys.count({
+            workspaceId: projectId,
+            environment: folder.environment,
+            directory: folder.path
+          })
+        );
+      });
+    }
+  });
+};

frontend/src/hooks/api/secretFolders/types.ts

@@ -36,3 +36,14 @@ export type TDeleteFolderDTO = {
   folderId: string;
   path?: string;
 };
+
+export type TUpdateFolderBatchDTO = {
+  projectId: string;
+  projectSlug: string;
+  folders: {
+    name: string;
+    environment: string;
+    id: string;
+    path?: string;
+  }[];
+};

frontend/src/pages/integrations/aws-parameter-store/create.tsx

@@ -89,6 +89,7 @@ export default function AWSParameterStoreCreateIntegrationPage() {
 
   const [isLoading, setIsLoading] = useState(false);
   const [shouldTag, setShouldTag] = useState(false);
+  const [shouldDisableDelete, setShouldDisableDelete] = useState(false);
   const [tagKey, setTagKey] = useState("");
   const [tagValue, setTagValue] = useState("");
   const [kmsKeyId, setKmsKeyId] = useState("");
@@ -144,7 +145,8 @@ export default function AWSParameterStoreCreateIntegrationPage() {
                 ]
               }
             : {}),
-          ...(kmsKeyId && { kmsKeyId })
+          ...(kmsKeyId && { kmsKeyId }),
+          ...(shouldDisableDelete && { shouldDisableDelete })
         }
       });
 
@@ -273,6 +275,15 @@ export default function AWSParameterStoreCreateIntegrationPage() {
               exit={{ opacity: 0, translateX: 30 }}
             >
               <div className="mt-2 ml-1">
+                <Switch
+                  id="delete-aws"
+                  onCheckedChange={() => setShouldDisableDelete(!shouldDisableDelete)}
+                  isChecked={shouldDisableDelete}
+                >
+                  Disable deleting secrets in AWS Parameter Store
+                </Switch>
+              </div>
+              <div className="mt-4 ml-1">
                 <Switch
                   id="tag-aws"
                   onCheckedChange={() => setShouldTag(!shouldTag)}

frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentityAuthMethodModal.tsx

@@ -15,6 +15,7 @@ import { IdentityAuthMethod } from "@app/hooks/api/identities";
 import { UsePopUpState } from "@app/hooks/usePopUp";
 
 import { IdentityAwsAuthForm } from "./IdentityAwsAuthForm";
+import { IdentityGcpAuthForm } from "./IdentityGcpAuthForm";
 import { IdentityUniversalAuthForm } from "./IdentityUniversalAuthForm";
 
 type Props = {
@@ -28,6 +29,7 @@ type Props = {
 
 const identityAuthMethods = [
   { label: "Universal Auth", value: IdentityAuthMethod.UNIVERSAL_AUTH },
+  { label: "GCP Auth", value: IdentityAuthMethod.GCP_AUTH },
   { label: "AWS Auth", value: IdentityAuthMethod.AWS_AUTH }
 ];
 
@@ -75,6 +77,15 @@ export const IdentityAuthMethodModal = ({ popUp, handlePopUpOpen, handlePopUpTog
           />
         );
       }
+      case IdentityAuthMethod.GCP_AUTH: {
+        return (
+          <IdentityGcpAuthForm
+            handlePopUpOpen={handlePopUpOpen}
+            handlePopUpToggle={handlePopUpToggle}
+            identityAuthMethodData={identityAuthMethodData}
+          />
+        );
+      }
       case IdentityAuthMethod.UNIVERSAL_AUTH: {
         return (
           <IdentityUniversalAuthForm

frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentityGcpAuthForm.tsx

@@ -0,0 +1,384 @@
+import { useEffect } from "react";
+import { Controller, useFieldArray, useForm } from "react-hook-form";
+import { faPlus, faXmark } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import { createNotification } from "@app/components/notifications";
+import { Button, FormControl, IconButton, Input, Select, SelectItem } from "@app/components/v2";
+import { useOrganization, useSubscription } from "@app/context";
+import {
+  useAddIdentityGcpAuth,
+  useGetIdentityGcpAuth,
+  useUpdateIdentityGcpAuth
+} from "@app/hooks/api";
+import { IdentityAuthMethod } from "@app/hooks/api/identities";
+import { IdentityTrustedIp } from "@app/hooks/api/identities/types";
+import { UsePopUpState } from "@app/hooks/usePopUp";
+
+const schema = z
+  .object({
+    type: z.enum(["iam", "gce"]),
+    allowedServiceAccounts: z.string(),
+    allowedProjects: z.string(),
+    allowedZones: z.string(),
+    accessTokenTTL: z.string(),
+    accessTokenMaxTTL: z.string(),
+    accessTokenNumUsesLimit: z.string(),
+    accessTokenTrustedIps: z
+      .array(
+        z.object({
+          ipAddress: z.string().max(50)
+        })
+      )
+      .min(1)
+  })
+  .required();
+
+export type FormData = z.infer<typeof schema>;
+
+type Props = {
+  handlePopUpOpen: (popUpName: keyof UsePopUpState<["upgradePlan"]>) => void;
+  handlePopUpToggle: (
+    popUpName: keyof UsePopUpState<["identityAuthMethod"]>,
+    state?: boolean
+  ) => void;
+  identityAuthMethodData: {
+    identityId: string;
+    name: string;
+    authMethod?: IdentityAuthMethod;
+  };
+};
+
+export const IdentityGcpAuthForm = ({
+  handlePopUpOpen,
+  handlePopUpToggle,
+  identityAuthMethodData
+}: Props) => {
+  const { currentOrg } = useOrganization();
+  const orgId = currentOrg?.id || "";
+  const { subscription } = useSubscription();
+
+  const { mutateAsync: addMutateAsync } = useAddIdentityGcpAuth();
+  const { mutateAsync: updateMutateAsync } = useUpdateIdentityGcpAuth();
+
+  const { data } = useGetIdentityGcpAuth(identityAuthMethodData?.identityId ?? "");
+
+  const {
+    control,
+    handleSubmit,
+    reset,
+    formState: { isSubmitting },
+    watch
+  } = useForm<FormData>({
+    resolver: zodResolver(schema),
+    defaultValues: {
+      type: "gce",
+      allowedServiceAccounts: "",
+      allowedProjects: "",
+      allowedZones: "",
+      accessTokenTTL: "2592000",
+      accessTokenMaxTTL: "2592000",
+      accessTokenNumUsesLimit: "0",
+      accessTokenTrustedIps: [{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]
+    }
+  });
+
+  const watchedType = watch("type");
+
+  const {
+    fields: accessTokenTrustedIpsFields,
+    append: appendAccessTokenTrustedIp,
+    remove: removeAccessTokenTrustedIp
+  } = useFieldArray({ control, name: "accessTokenTrustedIps" });
+
+  useEffect(() => {
+    if (data) {
+      reset({
+        type: data.type,
+        allowedServiceAccounts: data.allowedServiceAccounts,
+        allowedProjects: data.allowedProjects,
+        allowedZones: data.allowedZones,
+        accessTokenTTL: String(data.accessTokenTTL),
+        accessTokenMaxTTL: String(data.accessTokenMaxTTL),
+        accessTokenNumUsesLimit: String(data.accessTokenNumUsesLimit),
+        accessTokenTrustedIps: data.accessTokenTrustedIps.map(
+          ({ ipAddress, prefix }: IdentityTrustedIp) => {
+            return {
+              ipAddress: `${ipAddress}${prefix !== undefined ? `/${prefix}` : ""}`
+            };
+          }
+        )
+      });
+    } else {
+      reset({
+        type: "iam",
+        allowedServiceAccounts: "",
+        allowedProjects: "",
+        allowedZones: "",
+        accessTokenTTL: "2592000",
+        accessTokenMaxTTL: "2592000",
+        accessTokenNumUsesLimit: "0",
+        accessTokenTrustedIps: [{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]
+      });
+    }
+  }, [data]);
+
+  const onFormSubmit = async ({
+    type,
+    allowedServiceAccounts,
+    allowedProjects,
+    allowedZones,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps
+  }: FormData) => {
+    try {
+      if (!identityAuthMethodData) return;
+
+      if (data) {
+        await updateMutateAsync({
+          identityId: identityAuthMethodData.identityId,
+          organizationId: orgId,
+          type,
+          allowedServiceAccounts,
+          allowedProjects,
+          allowedZones,
+          accessTokenTTL: Number(accessTokenTTL),
+          accessTokenMaxTTL: Number(accessTokenMaxTTL),
+          accessTokenNumUsesLimit: Number(accessTokenNumUsesLimit),
+          accessTokenTrustedIps
+        });
+      } else {
+        await addMutateAsync({
+          identityId: identityAuthMethodData.identityId,
+          organizationId: orgId,
+          type,
+          allowedServiceAccounts: allowedServiceAccounts || "",
+          allowedProjects: allowedProjects || "",
+          allowedZones: allowedZones || "",
+          accessTokenTTL: Number(accessTokenTTL),
+          accessTokenMaxTTL: Number(accessTokenMaxTTL),
+          accessTokenNumUsesLimit: Number(accessTokenNumUsesLimit),
+          accessTokenTrustedIps
+        });
+      }
+
+      handlePopUpToggle("identityAuthMethod", false);
+
+      createNotification({
+        text: `Successfully ${
+          identityAuthMethodData?.authMethod ? "updated" : "configured"
+        } auth method`,
+        type: "success"
+      });
+
+      reset();
+    } catch (err) {
+      createNotification({
+        text: `Failed to ${identityAuthMethodData?.authMethod ? "update" : "configure"} identity`,
+        type: "error"
+      });
+    }
+  };
+
+  return (
+    <form onSubmit={handleSubmit(onFormSubmit)}>
+      <Controller
+        control={control}
+        name="type"
+        render={({ field: { onChange, ...field }, fieldState: { error } }) => (
+          <FormControl label="Type" isError={Boolean(error)} errorText={error?.message}>
+            <Select
+              defaultValue={field.value}
+              {...field}
+              onValueChange={(e) => onChange(e)}
+              className="w-full"
+            >
+              <SelectItem value="gce" key="gcp-type-gce">
+                GCP ID Token Auth (Recommended)
+              </SelectItem>
+              <SelectItem value="iam" key="gcpiam">
+                GCP IAM Auth
+              </SelectItem>
+            </Select>
+          </FormControl>
+        )}
+      />
+      <Controller
+        control={control}
+        defaultValue="2592000"
+        name="allowedServiceAccounts"
+        render={({ field, fieldState: { error } }) => (
+          <FormControl
+            label="Allowed Service Account Emails"
+            isError={Boolean(error)}
+            errorText={error?.message}
+          >
+            <Input
+              {...field}
+              placeholder="test@project.iam.gserviceaccount.com, 12345-compute@developer.gserviceaccount.com"
+              type="text"
+            />
+          </FormControl>
+        )}
+      />
+      {watchedType === "gce" && (
+        <Controller
+          control={control}
+          name="allowedProjects"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Allowed Projects"
+              isError={Boolean(error)}
+              errorText={error?.message}
+            >
+              <Input {...field} placeholder="my-gcp-project, ..." />
+            </FormControl>
+          )}
+        />
+      )}
+      {watchedType === "gce" && (
+        <Controller
+          control={control}
+          name="allowedZones"
+          render={({ field, fieldState: { error } }) => (
+            <FormControl label="Allowed Zones" isError={Boolean(error)} errorText={error?.message}>
+              <Input {...field} placeholder="us-west2-a, us-central1-a, ..." />
+            </FormControl>
+          )}
+        />
+      )}
+      <Controller
+        control={control}
+        defaultValue="2592000"
+        name="accessTokenTTL"
+        render={({ field, fieldState: { error } }) => (
+          <FormControl
+            label="Access Token TTL (seconds)"
+            isError={Boolean(error)}
+            errorText={error?.message}
+          >
+            <Input {...field} placeholder="2592000" type="number" min="1" step="1" />
+          </FormControl>
+        )}
+      />
+      <Controller
+        control={control}
+        defaultValue="2592000"
+        name="accessTokenMaxTTL"
+        render={({ field, fieldState: { error } }) => (
+          <FormControl
+            label="Access Token Max TTL (seconds)"
+            isError={Boolean(error)}
+            errorText={error?.message}
+          >
+            <Input {...field} placeholder="2592000" type="number" min="1" step="1" />
+          </FormControl>
+        )}
+      />
+      <Controller
+        control={control}
+        defaultValue="0"
+        name="accessTokenNumUsesLimit"
+        render={({ field, fieldState: { error } }) => (
+          <FormControl
+            label="Access Token Max Number of Uses"
+            isError={Boolean(error)}
+            errorText={error?.message}
+          >
+            <Input {...field} placeholder="0" type="number" min="0" step="1" />
+          </FormControl>
+        )}
+      />
+      {accessTokenTrustedIpsFields.map(({ id }, index) => (
+        <div className="mb-3 flex items-end space-x-2" key={id}>
+          <Controller
+            control={control}
+            name={`accessTokenTrustedIps.${index}.ipAddress`}
+            defaultValue="0.0.0.0/0"
+            render={({ field, fieldState: { error } }) => {
+              return (
+                <FormControl
+                  className="mb-0 flex-grow"
+                  label={index === 0 ? "Access Token Trusted IPs" : undefined}
+                  isError={Boolean(error)}
+                  errorText={error?.message}
+                >
+                  <Input
+                    value={field.value}
+                    onChange={(e) => {
+                      if (subscription?.ipAllowlisting) {
+                        field.onChange(e);
+                        return;
+                      }
+
+                      handlePopUpOpen("upgradePlan");
+                    }}
+                    placeholder="123.456.789.0"
+                  />
+                </FormControl>
+              );
+            }}
+          />
+          <IconButton
+            onClick={() => {
+              if (subscription?.ipAllowlisting) {
+                removeAccessTokenTrustedIp(index);
+                return;
+              }
+
+              handlePopUpOpen("upgradePlan");
+            }}
+            size="lg"
+            colorSchema="danger"
+            variant="plain"
+            ariaLabel="update"
+            className="p-3"
+          >
+            <FontAwesomeIcon icon={faXmark} />
+          </IconButton>
+        </div>
+      ))}
+      <div className="my-4 ml-1">
+        <Button
+          variant="outline_bg"
+          onClick={() => {
+            if (subscription?.ipAllowlisting) {
+              appendAccessTokenTrustedIp({
+                ipAddress: "0.0.0.0/0"
+              });
+              return;
+            }
+
+            handlePopUpOpen("upgradePlan");
+          }}
+          leftIcon={<FontAwesomeIcon icon={faPlus} />}
+          size="xs"
+        >
+          Add IP Address
+        </Button>
+      </div>
+      <div className="flex items-center">
+        <Button
+          className="mr-4"
+          size="sm"
+          type="submit"
+          isLoading={isSubmitting}
+          isDisabled={isSubmitting}
+        >
+          {identityAuthMethodData?.authMethod ? "Update" : "Configure"}
+        </Button>
+        <Button
+          colorSchema="secondary"
+          variant="plain"
+          onClick={() => handlePopUpToggle("identityAuthMethod", false)}
+        >
+          {identityAuthMethodData?.authMethod ? "Cancel" : "Skip"}
+        </Button>
+      </div>
+    </form>
+  );
+};

frontend/src/views/SecretOverviewPage/SecretOverviewPage.tsx

@@ -47,6 +47,7 @@ import {
   ProjectPermissionActions,
   ProjectPermissionSub,
   useOrganization,
+  useProjectPermission,
   useWorkspace
 } from "@app/context";
 import { usePopUp } from "@app/hooks";
@@ -61,6 +62,9 @@ import {
   useGetUserWsKey,
   useUpdateSecretV3
 } from "@app/hooks/api";
+import { useUpdateFolderBatch } from "@app/hooks/api/secretFolders/queries";
+import { TUpdateFolderBatchDTO } from "@app/hooks/api/secretFolders/types";
+import { TSecretFolder } from "@app/hooks/api/types";
 import { ProjectVersion } from "@app/hooks/api/workspace/types";
 
 import { FolderForm } from "../SecretMainPage/components/ActionBar/FolderForm";
@@ -87,6 +91,7 @@ export const SecretOverviewPage = () => {
   const parentTableRef = useRef<HTMLTableElement>(null);
   const [expandableTableWidth, setExpandableTableWidth] = useState(0);
   const [sortDir, setSortDir] = useState<"asc" | "desc">("asc");
+  const { permission } = useProjectPermission();
 
   useEffect(() => {
     if (parentTableRef.current) {
@@ -201,11 +206,13 @@ export const SecretOverviewPage = () => {
   const { mutateAsync: updateSecretV3 } = useUpdateSecretV3();
   const { mutateAsync: deleteSecretV3 } = useDeleteSecretV3();
   const { mutateAsync: createFolder } = useCreateFolder();
+  const { mutateAsync: updateFolderBatch } = useUpdateFolderBatch();
 
   const { handlePopUpOpen, handlePopUpToggle, handlePopUpClose, popUp } = usePopUp([
     "addSecretsInAllEnvs",
     "addFolder",
-    "misc"
+    "misc",
+    "updateFolder"
   ] as const);
 
   const handleFolderCreate = async (folderName: string) => {
@@ -236,6 +243,59 @@ export const SecretOverviewPage = () => {
     }
   };
 
+  const handleFolderUpdate = async (newFolderName: string) => {
+    const { name: oldFolderName } = popUp.updateFolder.data as TSecretFolder;
+
+    const updatedFolders: TUpdateFolderBatchDTO["folders"] = [];
+    userAvailableEnvs.forEach((env) => {
+      if (
+        permission.can(
+          ProjectPermissionActions.Edit,
+          subject(ProjectPermissionSub.Secrets, { environment: env.slug, secretPath })
+        )
+      ) {
+        const folder = getFolderByNameAndEnv(oldFolderName, env.slug);
+        if (folder) {
+          updatedFolders.push({
+            environment: env.slug,
+            name: newFolderName,
+            id: folder.id,
+            path: secretPath
+          });
+        }
+      }
+    });
+
+    if (updatedFolders.length === 0) {
+      createNotification({
+        type: "info",
+        text: "You don't have access to rename selected folder"
+      });
+
+      handlePopUpClose("updateFolder");
+      return;
+    }
+
+    try {
+      await updateFolderBatch({
+        projectSlug,
+        folders: updatedFolders,
+        projectId: workspaceId
+      });
+      createNotification({
+        type: "success",
+        text: "Successfully renamed folder across environments"
+      });
+    } catch (err) {
+      createNotification({
+        type: "error",
+        text: "Failed to rename folder across environments"
+      });
+    } finally {
+      handlePopUpClose("updateFolder");
+    }
+  };
+
   const handleSecretCreate = async (env: string, key: string, value: string) => {
     try {
       // create folder if not existing
@@ -726,6 +786,9 @@ export const SecretOverviewPage = () => {
                       environments={visibleEnvs}
                       key={`overview-${folderName}-${index + 1}`}
                       onClick={handleFolderClick}
+                      onToggleFolderEdit={(name: string) =>
+                        handlePopUpOpen("updateFolder", { name })
+                      }
                     />
                   ))}
                 {!isTableLoading &&
@@ -800,6 +863,18 @@ export const SecretOverviewPage = () => {
           <FolderForm onCreateFolder={handleFolderCreate} />
         </ModalContent>
       </Modal>
+      <Modal
+        isOpen={popUp.updateFolder.isOpen}
+        onOpenChange={(isOpen) => handlePopUpToggle("updateFolder", isOpen)}
+      >
+        <ModalContent title="Edit Folder Name">
+          <FolderForm
+            isEdit
+            defaultFolderName={(popUp.updateFolder?.data as Pick<TSecretFolder, "name">)?.name}
+            onUpdateFolder={handleFolderUpdate}
+          />
+        </ModalContent>
+      </Modal>
     </>
   );
 };

frontend/src/views/SecretOverviewPage/components/SecretOverviewFolderRow/SecretOverviewFolderRow.tsx

@@ -1,8 +1,8 @@
-import { faCheck, faFolder, faXmark } from "@fortawesome/free-solid-svg-icons";
+import { faCheck, faFolder, faPencil, faXmark } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { twMerge } from "tailwind-merge";
 
-import { Checkbox, Td, Tr } from "@app/components/v2";
+import { Checkbox, IconButton, Td, Tr } from "@app/components/v2";
 
 type Props = {
   folderName: string;
@@ -11,6 +11,7 @@ type Props = {
   onClick: (path: string) => void;
   isSelected: boolean;
   onToggleFolderSelect: (folderName: string) => void;
+  onToggleFolderEdit: (name: string) => void;
 };
 
 export const SecretOverviewFolderRow = ({
@@ -19,6 +20,7 @@ export const SecretOverviewFolderRow = ({
   isFolderPresentInEnv,
   isSelected,
   onToggleFolderSelect,
+  onToggleFolderEdit,
   onClick
 }: Props) => {
   return (
@@ -43,6 +45,18 @@ export const SecretOverviewFolderRow = ({
             />
           </div>
           <div>{folderName}</div>
+          <IconButton
+            ariaLabel="edit-folder"
+            variant="plain"
+            size="sm"
+            className="p-0 opacity-0 group-hover:opacity-100"
+            onClick={(e) => {
+              onToggleFolderEdit(folderName);
+              e.stopPropagation();
+            }}
+          >
+            <FontAwesomeIcon icon={faPencil} size="sm" />
+          </IconButton>
         </div>
       </Td>
       {environments.map(({ slug }, i) => {

pg-migrator/.gitignore

@@ -1 +0,0 @@
-db

pg-migrator/package.json

@@ -1,33 +0,0 @@
-{
-  "name": "pg-migrator",
-  "version": "1.0.0",
-  "description": "",
-  "main": "index.js",
-  "scripts": {
-    "migration": "tsx src/index.ts",
-    "rollback": "tsx src/rollback.ts",
-    "migrate:audit-log": "tsx src/audit-log-migrator.ts"
-  },
-  "author": "",
-  "license": "ISC",
-  "devDependencies": {
-    "@types/node": "^20.11.0",
-    "@types/prompt-sync": "^4.2.3",
-    "@types/uuid": "^9.0.7",
-    "tsx": "^4.7.0",
-    "typescript": "^5.3.3"
-  },
-  "dependencies": {
-    "@casl/ability": "^6.5.0",
-    "@sindresorhus/slugify": "^2.2.1",
-    "dotenv": "^16.3.1",
-    "knex": "^3.1.0",
-    "level": "^8.0.0",
-    "mongoose": "^8.0.4",
-    "nanoid": "^5.0.4",
-    "pg": "^8.11.3",
-    "prompt-sync": "^4.2.0",
-    "uuid": "^9.0.1",
-    "zod": "^3.22.4"
-  }
-}

pg-migrator/src/@types/knex.d.ts

@@ -1,451 +0,0 @@
-import { Knex } from "knex";
-
-import {
-  TableName,
-  TApiKeys,
-  TApiKeysInsert,
-  TApiKeysUpdate,
-  TAuditLogs,
-  TAuditLogsInsert,
-  TAuditLogsUpdate,
-  TAuthTokens,
-  TAuthTokenSessions,
-  TAuthTokenSessionsInsert,
-  TAuthTokenSessionsUpdate,
-  TAuthTokensInsert,
-  TAuthTokensUpdate,
-  TBackupPrivateKey,
-  TBackupPrivateKeyInsert,
-  TBackupPrivateKeyUpdate,
-  TGitAppInstallSessions,
-  TGitAppInstallSessionsInsert,
-  TGitAppInstallSessionsUpdate,
-  TGitAppOrg,
-  TGitAppOrgInsert,
-  TGitAppOrgUpdate,
-  TIdentities,
-  TIdentitiesInsert,
-  TIdentitiesUpdate,
-  TIdentityAccessTokens,
-  TIdentityAccessTokensInsert,
-  TIdentityAccessTokensUpdate,
-  TIdentityOrgMemberships,
-  TIdentityOrgMembershipsInsert,
-  TIdentityOrgMembershipsUpdate,
-  TIdentityProjectMemberships,
-  TIdentityProjectMembershipsInsert,
-  TIdentityProjectMembershipsUpdate,
-  TIdentityUaClientSecrets,
-  TIdentityUaClientSecretsInsert,
-  TIdentityUaClientSecretsUpdate,
-  TIdentityUniversalAuths,
-  TIdentityUniversalAuthsInsert,
-  TIdentityUniversalAuthsUpdate,
-  TIncidentContacts,
-  TIncidentContactsInsert,
-  TIncidentContactsUpdate,
-  TIntegrationAuths,
-  TIntegrationAuthsInsert,
-  TIntegrationAuthsUpdate,
-  TIntegrations,
-  TIntegrationsInsert,
-  TIntegrationsUpdate,
-  TOrganizations,
-  TOrganizationsInsert,
-  TOrganizationsUpdate,
-  TOrgBots,
-  TOrgBotsInsert,
-  TOrgBotsUpdate,
-  TOrgMemberships,
-  TOrgMembershipsInsert,
-  TOrgMembershipsUpdate,
-  TOrgRoles,
-  TOrgRolesInsert,
-  TOrgRolesUpdate,
-  TProjectBots,
-  TProjectBotsInsert,
-  TProjectBotsUpdate,
-  TProjectEnvironments,
-  TProjectEnvironmentsInsert,
-  TProjectEnvironmentsUpdate,
-  TProjectKeys,
-  TProjectKeysInsert,
-  TProjectKeysUpdate,
-  TProjectMemberships,
-  TProjectMembershipsInsert,
-  TProjectMembershipsUpdate,
-  TProjectRoles,
-  TProjectRolesInsert,
-  TProjectRolesUpdate,
-  TProjects,
-  TProjectsInsert,
-  TProjectsUpdate,
-  TSamlConfigs,
-  TSamlConfigsInsert,
-  TSamlConfigsUpdate,
-  TSecretApprovalPolicies,
-  TSecretApprovalPoliciesApprovers,
-  TSecretApprovalPoliciesApproversInsert,
-  TSecretApprovalPoliciesApproversUpdate,
-  TSecretApprovalPoliciesInsert,
-  TSecretApprovalPoliciesUpdate,
-  TSecretApprovalRequests,
-  TSecretApprovalRequestSecretTags,
-  TSecretApprovalRequestSecretTagsInsert,
-  TSecretApprovalRequestSecretTagsUpdate,
-  TSecretApprovalRequestsInsert,
-  TSecretApprovalRequestsReviewers,
-  TSecretApprovalRequestsReviewersInsert,
-  TSecretApprovalRequestsReviewersUpdate,
-  TSecretApprovalRequestsSecrets,
-  TSecretApprovalRequestsSecretsInsert,
-  TSecretApprovalRequestsSecretsUpdate,
-  TSecretApprovalRequestsUpdate,
-  TSecretBlindIndexes,
-  TSecretBlindIndexesInsert,
-  TSecretBlindIndexesUpdate,
-  TSecretFolders,
-  TSecretFoldersInsert,
-  TSecretFoldersUpdate,
-  TSecretFolderVersions,
-  TSecretFolderVersionsInsert,
-  TSecretFolderVersionsUpdate,
-  TSecretImports,
-  TSecretImportsInsert,
-  TSecretImportsUpdate,
-  TSecretRotationOutputs,
-  TSecretRotationOutputsInsert,
-  TSecretRotationOutputsUpdate,
-  TSecretRotations,
-  TSecretRotationsInsert,
-  TSecretRotationsUpdate,
-  TSecrets,
-  TSecretScanningGitRisks,
-  TSecretScanningGitRisksInsert,
-  TSecretScanningGitRisksUpdate,
-  TSecretsInsert,
-  TSecretSnapshotFolders,
-  TSecretSnapshotFoldersInsert,
-  TSecretSnapshotFoldersUpdate,
-  TSecretSnapshots,
-  TSecretSnapshotSecrets,
-  TSecretSnapshotSecretsInsert,
-  TSecretSnapshotSecretsUpdate,
-  TSecretSnapshotsInsert,
-  TSecretSnapshotsUpdate,
-  TSecretsUpdate,
-  TSecretTagJunction,
-  TSecretTagJunctionInsert,
-  TSecretTagJunctionUpdate,
-  TSecretTags,
-  TSecretTagsInsert,
-  TSecretTagsUpdate,
-  TSecretVersions,
-  TSecretVersionsInsert,
-  TSecretVersionsUpdate,
-  TSecretVersionTagJunction,
-  TSecretVersionTagJunctionInsert,
-  TSecretVersionTagJunctionUpdate,
-  TServiceTokens,
-  TServiceTokensInsert,
-  TServiceTokensUpdate,
-  TSuperAdmin,
-  TSuperAdminInsert,
-  TSuperAdminUpdate,
-  TTrustedIps,
-  TTrustedIpsInsert,
-  TTrustedIpsUpdate,
-  TUserActions,
-  TUserActionsInsert,
-  TUserActionsUpdate,
-  TUserEncryptionKeys,
-  TUserEncryptionKeysInsert,
-  TUserEncryptionKeysUpdate,
-  TUsers,
-  TUsersInsert,
-  TUsersUpdate,
-  TWebhooks,
-  TWebhooksInsert,
-  TWebhooksUpdate,
-} from "../schemas";
-
-declare module "knex/types/tables" {
-  interface Tables {
-    [TableName.Users]: Knex.CompositeTableType<
-      TUsers,
-      TUsersInsert,
-      TUsersUpdate
-    >;
-    [TableName.UserEncryptionKey]: Knex.CompositeTableType<
-      TUserEncryptionKeys,
-      TUserEncryptionKeysInsert,
-      TUserEncryptionKeysUpdate
-    >;
-    [TableName.AuthTokens]: Knex.CompositeTableType<
-      TAuthTokens,
-      TAuthTokensInsert,
-      TAuthTokensUpdate
-    >;
-    [TableName.AuthTokenSession]: Knex.CompositeTableType<
-      TAuthTokenSessions,
-      TAuthTokenSessionsInsert,
-      TAuthTokenSessionsUpdate
-    >;
-    [TableName.BackupPrivateKey]: Knex.CompositeTableType<
-      TBackupPrivateKey,
-      TBackupPrivateKeyInsert,
-      TBackupPrivateKeyUpdate
-    >;
-    [TableName.Organization]: Knex.CompositeTableType<
-      TOrganizations,
-      TOrganizationsInsert,
-      TOrganizationsUpdate
-    >;
-    [TableName.OrgMembership]: Knex.CompositeTableType<
-      TOrgMemberships,
-      TOrgMembershipsInsert,
-      TOrgMembershipsUpdate
-    >;
-    [TableName.OrgRoles]: Knex.CompositeTableType<
-      TOrgRoles,
-      TOrgRolesInsert,
-      TOrgRolesUpdate
-    >;
-    [TableName.IncidentContact]: Knex.CompositeTableType<
-      TIncidentContacts,
-      TIncidentContactsInsert,
-      TIncidentContactsUpdate
-    >;
-    [TableName.UserAction]: Knex.CompositeTableType<
-      TUserActions,
-      TUserActionsInsert,
-      TUserActionsUpdate
-    >;
-    [TableName.SuperAdmin]: Knex.CompositeTableType<
-      TSuperAdmin,
-      TSuperAdminInsert,
-      TSuperAdminUpdate
-    >;
-    [TableName.ApiKey]: Knex.CompositeTableType<
-      TApiKeys,
-      TApiKeysInsert,
-      TApiKeysUpdate
-    >;
-    [TableName.Project]: Knex.CompositeTableType<
-      TProjects,
-      TProjectsInsert,
-      TProjectsUpdate
-    >;
-    [TableName.ProjectMembership]: Knex.CompositeTableType<
-      TProjectMemberships,
-      TProjectMembershipsInsert,
-      TProjectMembershipsUpdate
-    >;
-    [TableName.Environment]: Knex.CompositeTableType<
-      TProjectEnvironments,
-      TProjectEnvironmentsInsert,
-      TProjectEnvironmentsUpdate
-    >;
-    [TableName.ProjectBot]: Knex.CompositeTableType<
-      TProjectBots,
-      TProjectBotsInsert,
-      TProjectBotsUpdate
-    >;
-    [TableName.ProjectRoles]: Knex.CompositeTableType<
-      TProjectRoles,
-      TProjectRolesInsert,
-      TProjectRolesUpdate
-    >;
-    [TableName.ProjectKeys]: Knex.CompositeTableType<
-      TProjectKeys,
-      TProjectKeysInsert,
-      TProjectKeysUpdate
-    >;
-    [TableName.Secret]: Knex.CompositeTableType<
-      TSecrets,
-      TSecretsInsert,
-      TSecretsUpdate
-    >;
-    [TableName.SecretBlindIndex]: Knex.CompositeTableType<
-      TSecretBlindIndexes,
-      TSecretBlindIndexesInsert,
-      TSecretBlindIndexesUpdate
-    >;
-    [TableName.SecretVersion]: Knex.CompositeTableType<
-      TSecretVersions,
-      TSecretVersionsInsert,
-      TSecretVersionsUpdate
-    >;
-    [TableName.SecretFolder]: Knex.CompositeTableType<
-      TSecretFolders,
-      TSecretFoldersInsert,
-      TSecretFoldersUpdate
-    >;
-    [TableName.SecretFolderVersion]: Knex.CompositeTableType<
-      TSecretFolderVersions,
-      TSecretFolderVersionsInsert,
-      TSecretFolderVersionsUpdate
-    >;
-    [TableName.SecretTag]: Knex.CompositeTableType<
-      TSecretTags,
-      TSecretTagsInsert,
-      TSecretTagsUpdate
-    >;
-    [TableName.SecretImport]: Knex.CompositeTableType<
-      TSecretImports,
-      TSecretImportsInsert,
-      TSecretImportsUpdate
-    >;
-    [TableName.Integration]: Knex.CompositeTableType<
-      TIntegrations,
-      TIntegrationsInsert,
-      TIntegrationsUpdate
-    >;
-    [TableName.Webhook]: Knex.CompositeTableType<
-      TWebhooks,
-      TWebhooksInsert,
-      TWebhooksUpdate
-    >;
-    [TableName.ServiceToken]: Knex.CompositeTableType<
-      TServiceTokens,
-      TServiceTokensInsert,
-      TServiceTokensUpdate
-    >;
-    [TableName.IntegrationAuth]: Knex.CompositeTableType<
-      TIntegrationAuths,
-      TIntegrationAuthsInsert,
-      TIntegrationAuthsUpdate
-    >;
-    [TableName.Identity]: Knex.CompositeTableType<
-      TIdentities,
-      TIdentitiesInsert,
-      TIdentitiesUpdate
-    >;
-    [TableName.IdentityUniversalAuth]: Knex.CompositeTableType<
-      TIdentityUniversalAuths,
-      TIdentityUniversalAuthsInsert,
-      TIdentityUniversalAuthsUpdate
-    >;
-    [TableName.IdentityUaClientSecret]: Knex.CompositeTableType<
-      TIdentityUaClientSecrets,
-      TIdentityUaClientSecretsInsert,
-      TIdentityUaClientSecretsUpdate
-    >;
-    [TableName.IdentityAccessToken]: Knex.CompositeTableType<
-      TIdentityAccessTokens,
-      TIdentityAccessTokensInsert,
-      TIdentityAccessTokensUpdate
-    >;
-    [TableName.IdentityOrgMembership]: Knex.CompositeTableType<
-      TIdentityOrgMemberships,
-      TIdentityOrgMembershipsInsert,
-      TIdentityOrgMembershipsUpdate
-    >;
-    [TableName.IdentityProjectMembership]: Knex.CompositeTableType<
-      TIdentityProjectMemberships,
-      TIdentityProjectMembershipsInsert,
-      TIdentityProjectMembershipsUpdate
-    >;
-    [TableName.SecretApprovalPolicy]: Knex.CompositeTableType<
-      TSecretApprovalPolicies,
-      TSecretApprovalPoliciesInsert,
-      TSecretApprovalPoliciesUpdate
-    >;
-    [TableName.SecretApprovalPolicyApprover]: Knex.CompositeTableType<
-      TSecretApprovalPoliciesApprovers,
-      TSecretApprovalPoliciesApproversInsert,
-      TSecretApprovalPoliciesApproversUpdate
-    >;
-    [TableName.SecretApprovalRequest]: Knex.CompositeTableType<
-      TSecretApprovalRequests,
-      TSecretApprovalRequestsInsert,
-      TSecretApprovalRequestsUpdate
-    >;
-    [TableName.SecretApprovalRequestReviewer]: Knex.CompositeTableType<
-      TSecretApprovalRequestsReviewers,
-      TSecretApprovalRequestsReviewersInsert,
-      TSecretApprovalRequestsReviewersUpdate
-    >;
-    [TableName.SecretApprovalRequestSecret]: Knex.CompositeTableType<
-      TSecretApprovalRequestsSecrets,
-      TSecretApprovalRequestsSecretsInsert,
-      TSecretApprovalRequestsSecretsUpdate
-    >;
-    [TableName.SecretApprovalRequestSecretTag]: Knex.CompositeTableType<
-      TSecretApprovalRequestSecretTags,
-      TSecretApprovalRequestSecretTagsInsert,
-      TSecretApprovalRequestSecretTagsUpdate
-    >;
-    [TableName.SecretRotation]: Knex.CompositeTableType<
-      TSecretRotations,
-      TSecretRotationsInsert,
-      TSecretRotationsUpdate
-    >;
-    [TableName.SecretRotationOutput]: Knex.CompositeTableType<
-      TSecretRotationOutputs,
-      TSecretRotationOutputsInsert,
-      TSecretRotationOutputsUpdate
-    >;
-    [TableName.Snapshot]: Knex.CompositeTableType<
-      TSecretSnapshots,
-      TSecretSnapshotsInsert,
-      TSecretSnapshotsUpdate
-    >;
-    [TableName.SnapshotSecret]: Knex.CompositeTableType<
-      TSecretSnapshotSecrets,
-      TSecretSnapshotSecretsInsert,
-      TSecretSnapshotSecretsUpdate
-    >;
-    [TableName.SnapshotFolder]: Knex.CompositeTableType<
-      TSecretSnapshotFolders,
-      TSecretSnapshotFoldersInsert,
-      TSecretSnapshotFoldersUpdate
-    >;
-    [TableName.SamlConfig]: Knex.CompositeTableType<
-      TSamlConfigs,
-      TSamlConfigsInsert,
-      TSamlConfigsUpdate
-    >;
-    [TableName.OrgBot]: Knex.CompositeTableType<
-      TOrgBots,
-      TOrgBotsInsert,
-      TOrgBotsUpdate
-    >;
-    [TableName.AuditLog]: Knex.CompositeTableType<
-      TAuditLogs,
-      TAuditLogsInsert,
-      TAuditLogsUpdate
-    >;
-    [TableName.GitAppInstallSession]: Knex.CompositeTableType<
-      TGitAppInstallSessions,
-      TGitAppInstallSessionsInsert,
-      TGitAppInstallSessionsUpdate
-    >;
-    [TableName.GitAppOrg]: Knex.CompositeTableType<
-      TGitAppOrg,
-      TGitAppOrgInsert,
-      TGitAppOrgUpdate
-    >;
-    [TableName.SecretScanningGitRisk]: Knex.CompositeTableType<
-      TSecretScanningGitRisks,
-      TSecretScanningGitRisksInsert,
-      TSecretScanningGitRisksUpdate
-    >;
-    [TableName.TrustedIps]: Knex.CompositeTableType<
-      TTrustedIps,
-      TTrustedIpsInsert,
-      TTrustedIpsUpdate
-    >;
-    // Junction tables
-    [TableName.JnSecretTag]: Knex.CompositeTableType<
-      TSecretTagJunction,
-      TSecretTagJunctionInsert,
-      TSecretTagJunctionUpdate
-    >;
-    [TableName.SecretVersionTag]: Knex.CompositeTableType<
-      TSecretVersionTagJunction,
-      TSecretVersionTagJunctionInsert,
-      TSecretVersionTagJunctionUpdate
-    >;
-  }
-}

pg-migrator/src/folder.ts

@@ -1,36 +0,0 @@
-import { TFolderSchema } from "./models";
-
-export const folderBfsTraversal = async (
-  root: TFolderSchema,
-  callback: (
-    data: TFolderSchema & { parentId: string | null },
-  ) => void | Promise<void>,
-) => {
-  const queue = [root];
-  while (queue.length) {
-    const folder = queue.pop() as TFolderSchema & { parentId: null };
-    callback(folder);
-    queue.push(
-      ...folder.children.map((el) => ({
-        ...el,
-        parentId: folder.id,
-      })),
-    );
-  }
-};
-
-export const flattenFolders = (folders: TFolderSchema) => {
-  const flattened: {
-    id: string;
-    parentId: string | null;
-    name: string;
-    version: number;
-  }[] = [];
-  
-  if(!folders) return []
-
-  folderBfsTraversal(folders, ({ name, version, parentId, id }) => {
-    flattened.push({ name, version, parentId, id });
-  });
-  return flattened;
-};

pg-migrator/src/migrations/20231128072457_user.ts

@@ -1,37 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import {
-  createOnUpdateTrigger,
-  createUpdateAtTriggerFunction,
-  dropOnUpdateTrigger,
-  dropUpdatedAtTriggerFunction
-} from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.Users);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.Users, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("email").notNullable();
-      t.specificType("authMethods", "text[]");
-      t.boolean("superAdmin").defaultTo(false);
-      t.string("firstName");
-      t.string("lastName");
-      t.boolean("isAccepted").defaultTo(false);
-      t.boolean("isMfaEnabled").defaultTo(false);
-      t.specificType("mfaMethods", "text[]");
-      t.jsonb("devices");
-      t.timestamps(true, true, true);
-    });
-  }
-  // this is a one time function
-  await createUpdateAtTriggerFunction(knex);
-  await createOnUpdateTrigger(knex, TableName.Users);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.Users);
-  await dropOnUpdateTrigger(knex, TableName.Users);
-  await dropUpdatedAtTriggerFunction(knex);
-}

pg-migrator/src/migrations/20231128092347_user-encryption-key.ts

@@ -1,31 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.UserEncryptionKey);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.UserEncryptionKey, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.text("clientPublicKey");
-      t.text("serverPrivateKey");
-      t.integer("encryptionVersion").defaultTo(2);
-      t.text("protectedKey");
-      t.text("protectedKeyIV");
-      t.text("protectedKeyTag");
-      t.text("publicKey").notNullable();
-      t.text("encryptedPrivateKey").notNullable();
-      t.text("iv").notNullable();
-      t.text("tag").notNullable();
-      t.text("salt").notNullable();
-      t.text("verifier").notNullable();
-      // one to one relationship
-      t.uuid("userId").notNullable().unique();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.UserEncryptionKey);
-}

pg-migrator/src/migrations/20231129072939_auth-token.ts

@@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.AuthTokens);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.AuthTokens, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("type").notNullable();
-      t.string("phoneNumber");
-      t.string("tokenHash").notNullable();
-      t.integer("triesLeft");
-      t.datetime("expiresAt").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("userId");
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AuthTokens);
-}

pg-migrator/src/migrations/20231130072734_auth-token-session.ts

@@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.AuthTokenSession);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.AuthTokenSession, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("ip").notNullable();
-      t.string("userAgent");
-      t.integer("refreshVersion").notNullable().defaultTo(1);
-      t.integer("accessVersion").notNullable().defaultTo(1);
-      t.datetime("lastUsed").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.AuthTokenSession);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AuthTokenSession);
-  await dropOnUpdateTrigger(knex, TableName.AuthTokenSession);
-}

pg-migrator/src/migrations/20231201151432_backup-key.ts

@@ -1,26 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesTableExist = await knex.schema.hasTable(TableName.BackupPrivateKey);
-  if (!doesTableExist) {
-    await knex.schema.createTable(TableName.BackupPrivateKey, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.text("encryptedPrivateKey").notNullable();
-      t.text("iv").notNullable();
-      t.text("tag").notNullable();
-      t.string("algorithm").notNullable();
-      t.string("keyEncoding").notNullable();
-      t.text("salt").notNullable();
-      t.text("verifier").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("userId").notNullable().unique();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.BackupPrivateKey);
-}

pg-migrator/src/migrations/20231204092737_organization.ts

@@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.Organization);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.Organization, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("customerId");
-      t.string("slug").notNullable();
-      // does not need update trigger we will do it manually
-      t.unique("slug");
-      t.timestamps(true, true, true);
-    });
-    await knex.schema.alterTable(TableName.AuthTokens, (t) => {
-      t.uuid("orgId");
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.Organization);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.AuthTokens, "orgId")) {
-    await knex.schema.alterTable(TableName.AuthTokens, (t) => {
-      t.dropColumn("orgId");
-    });
-  }
-  await knex.schema.dropTableIfExists(TableName.Organization);
-  await dropOnUpdateTrigger(knex, TableName.Organization);
-}

pg-migrator/src/migrations/20231204092747_org-membership.ts

@@ -1,48 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { OrgMembershipStatus } from "../schemas/models";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isOrgRolePresent = await knex.schema.hasTable(TableName.OrgRoles);
-  if (!isOrgRolePresent) {
-    await knex.schema.createTable(TableName.OrgRoles, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("description");
-      t.string("slug").notNullable();
-      t.jsonb("permissions").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-    });
-  }
-
-  const isOrgTablePresent = await knex.schema.hasTable(TableName.OrgMembership);
-  if (!isOrgTablePresent) {
-    await knex.schema.createTable(TableName.OrgMembership, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("role").notNullable();
-      t.string("status").notNullable().defaultTo(OrgMembershipStatus.Invited);
-      t.string("inviteEmail");
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("userId");
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.uuid("roleId");
-      t.foreign("roleId").references("id").inTable(TableName.OrgRoles);
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.OrgMembership);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.OrgMembership);
-  await knex.schema.dropTableIfExists(TableName.OrgRoles);
-  await dropOnUpdateTrigger(knex, TableName.OrgMembership);
-}

pg-migrator/src/migrations/20231205151331_incident-contact.ts

@@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.IncidentContact);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.IncidentContact, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("email").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.IncidentContact);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IncidentContact);
-  await dropOnUpdateTrigger(knex, TableName.IncidentContact);
-}

pg-migrator/src/migrations/20231207055643_user-action.ts

@@ -1,20 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.UserAction);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.UserAction, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("action").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.UserAction);
-}

pg-migrator/src/migrations/20231207055701_super-admin.ts

@@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.SuperAdmin);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.SuperAdmin, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.boolean("initialized").defaultTo(false);
-      t.boolean("allowSignUp").defaultTo(true);
-      t.timestamps(true, true, true);
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.SuperAdmin);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SuperAdmin);
-  await dropOnUpdateTrigger(knex, TableName.SuperAdmin);
-}

pg-migrator/src/migrations/20231207105059_api-key.ts

@@ -1,26 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.ApiKey);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.ApiKey, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.datetime("lastUsed");
-      t.datetime("expiresAt");
-      t.string("secretHash").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.ApiKey);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ApiKey);
-  await dropOnUpdateTrigger(knex, TableName.ApiKey);
-}

pg-migrator/src/migrations/20231212110939_project.ts

@@ -1,62 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.Project))) {
-    await knex.schema.createTable(TableName.Project, (t) => {
-      t.string("id", 36).primary().defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("slug").notNullable();
-      t.boolean("autoCapitalization").defaultTo(true);
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-      t.unique(["orgId", "slug"]);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.Project);
-  // environments
-  if (!(await knex.schema.hasTable(TableName.Environment))) {
-    await knex.schema.createTable(TableName.Environment, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("slug").notNullable();
-      t.integer("position").notNullable();
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      // this will ensure ever env has its position
-      t.unique(["projectId", "position"], {
-        indexName: "env_pos_composite_uniqe",
-        deferrable: "deferred"
-      });
-      t.timestamps(true, true, true);
-    });
-  }
-  // project key
-  if (!(await knex.schema.hasTable(TableName.ProjectKeys))) {
-    await knex.schema.createTable(TableName.ProjectKeys, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.text("encryptedKey").notNullable();
-      t.text("nonce").notNullable();
-      t.uuid("receiverId").notNullable();
-      t.foreign("receiverId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.uuid("senderId");
-      // if sender is deleted just don't do anything to this record
-      t.foreign("senderId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.ProjectKeys);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.Environment);
-  await knex.schema.dropTableIfExists(TableName.ProjectKeys);
-  await knex.schema.dropTableIfExists(TableName.Project);
-  await dropOnUpdateTrigger(knex, TableName.ProjectKeys);
-  await dropOnUpdateTrigger(knex, TableName.Project);
-}

pg-migrator/src/migrations/20231212110946_project-membership.ts

@@ -1,43 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.ProjectRoles))) {
-    await knex.schema.createTable(TableName.ProjectRoles, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("description");
-      t.string("slug").notNullable();
-      t.jsonb("permissions").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.ProjectMembership))) {
-    await knex.schema.createTable(TableName.ProjectMembership, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("role").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      // until role is changed/removed the role should not deleted
-      t.uuid("roleId");
-      t.foreign("roleId").references("id").inTable(TableName.ProjectRoles);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.ProjectMembership);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ProjectMembership);
-  await knex.schema.dropTableIfExists(TableName.ProjectRoles);
-  await dropOnUpdateTrigger(knex, TableName.ProjectMembership);
-}

pg-migrator/src/migrations/20231218092441_secret-folder.ts

@@ -1,42 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretFolder))) {
-    await knex.schema.createTable(TableName.SecretFolder, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.integer("version").defaultTo(1);
-      t.timestamps(true, true, true);
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.uuid("parentId");
-      t.foreign("parentId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretFolder);
-
-  if (!(await knex.schema.hasTable(TableName.SecretFolderVersion))) {
-    await knex.schema.createTable(TableName.SecretFolderVersion, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.integer("version").defaultTo(1);
-      t.timestamps(true, true, true);
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.uuid("folderId").notNullable();
-      // t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("SET NULL");
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.SecretFolderVersion);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretFolderVersion);
-  await knex.schema.dropTableIfExists(TableName.SecretFolder);
-  await dropOnUpdateTrigger(knex, TableName.SecretFolder);
-  await dropOnUpdateTrigger(knex, TableName.SecretFolderVersion);
-}

pg-migrator/src/migrations/20231218092508_secret-import.ts

@@ -1,30 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretImport))) {
-    await knex.schema.createTable(TableName.SecretImport, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("version").defaultTo(1);
-      t.string("importPath").notNullable();
-      t.uuid("importEnv").notNullable();
-      t.foreign("importEnv").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.integer("position").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("folderId").notNullable();
-      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
-      t.unique(["folderId", "position"], {
-        indexName: "import_pos_composite_uniqe",
-        deferrable: "deferred"
-      });
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretImport);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretImport);
-  await dropOnUpdateTrigger(knex, TableName.SecretImport);
-}

pg-migrator/src/migrations/20231218092517_secret-tag.ts

@@ -1,26 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretTag))) {
-    await knex.schema.createTable(TableName.SecretTag, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("slug").notNullable();
-      t.string("color");
-      t.timestamps(true, true, true);
-      t.uuid("createdBy");
-      t.foreign("createdBy").references("id").inTable(TableName.Users).onDelete("SET NULL");
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretTag);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretTag);
-  await dropOnUpdateTrigger(knex, TableName.SecretTag);
-}

pg-migrator/src/migrations/20231218103423_secret.ts

@@ -1,93 +0,0 @@
-import { Knex } from "knex";
-
-import {
-  SecretEncryptionAlgo,
-  SecretKeyEncoding,
-  SecretType,
-  TableName,
-} from "../schemas";
-import {
-  createJunctionTable,
-  createOnUpdateTrigger,
-  dropOnUpdateTrigger,
-} from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretBlindIndex))) {
-    await knex.schema.createTable(TableName.SecretBlindIndex, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.text("encryptedSaltCipherText").notNullable();
-      t.text("saltIV").notNullable();
-      t.text("saltTag").notNullable();
-      t.string("algorithm")
-        .notNullable()
-        .defaultTo(SecretEncryptionAlgo.AES_256_GCM);
-      t.string("keyEncoding").notNullable().defaultTo(SecretKeyEncoding.UTF8);
-      t.string("projectId").notNullable().unique();
-      t.foreign("projectId")
-        .references("id")
-        .inTable(TableName.Project)
-        .onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretBlindIndex);
-
-  if (!(await knex.schema.hasTable(TableName.Secret))) {
-    await knex.schema.createTable(TableName.Secret, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("version").defaultTo(1).notNullable();
-      t.string("type").notNullable().defaultTo(SecretType.Shared);
-      // t.text("secretKeyHash").notNullable();
-      // t.text("secretValueHash");
-      // t.text("secretCommentHash");
-      // this is required but for backward compatiability we are making it nullable
-      t.text("secretBlindIndex");
-      t.text("secretKeyCiphertext").notNullable();
-      t.text("secretKeyIV").notNullable();
-      t.text("secretKeyTag").notNullable();
-      t.text("secretValueCiphertext").notNullable();
-      t.text("secretValueIV").notNullable(); // symmetric encryption
-      t.text("secretValueTag").notNullable();
-      t.text("secretCommentCiphertext");
-      t.text("secretCommentIV");
-      t.text("secretCommentTag");
-      t.string("secretReminderNote");
-      t.integer("secretReminderRepeatDays");
-      t.boolean("skipMultilineEncoding").defaultTo(false);
-      t.string("algorithm")
-        .notNullable()
-        .defaultTo(SecretEncryptionAlgo.AES_256_GCM);
-      t.string("keyEncoding").notNullable().defaultTo(SecretKeyEncoding.UTF8);
-      t.jsonb("metadata");
-      t.uuid("userId");
-      t.foreign("userId")
-        .references("id")
-        .inTable(TableName.Users)
-        .onDelete("CASCADE");
-      t.uuid("folderId").notNullable();
-      t.foreign("folderId")
-        .references("id")
-        .inTable(TableName.SecretFolder)
-        .onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.Secret);
-  // many to many relation between tags
-  await createJunctionTable(
-    knex,
-    TableName.JnSecretTag,
-    TableName.Secret,
-    TableName.SecretTag,
-  );
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretBlindIndex);
-  await dropOnUpdateTrigger(knex, TableName.SecretBlindIndex);
-
-  await knex.schema.dropTableIfExists(TableName.JnSecretTag);
-  await knex.schema.dropTableIfExists(TableName.Secret);
-  await dropOnUpdateTrigger(knex, TableName.Secret);
-}

pg-migrator/src/migrations/20231220052508_secret-version.ts

@@ -1,53 +0,0 @@
-import { Knex } from "knex";
-
-import { SecretEncryptionAlgo, SecretKeyEncoding, SecretType, TableName } from "../schemas";
-import { createJunctionTable, createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretVersion))) {
-    await knex.schema.createTable(TableName.SecretVersion, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("version").defaultTo(1).notNullable();
-      t.string("type").notNullable().defaultTo(SecretType.Shared);
-      t.text("secretBlindIndex");
-      t.text("secretKeyCiphertext").notNullable();
-      t.text("secretKeyIV").notNullable();
-      t.text("secretKeyTag").notNullable();
-      t.text("secretValueCiphertext").notNullable();
-      t.text("secretValueIV").notNullable(); // symmetric encryption
-      t.text("secretValueTag").notNullable();
-      t.text("secretCommentCiphertext");
-      t.text("secretCommentIV");
-      t.text("secretCommentTag");
-      t.string("secretReminderNote");
-      t.integer("secretReminderRepeatDays");
-      t.boolean("skipMultilineEncoding").defaultTo(false);
-      t.string("algorithm").notNullable().defaultTo(SecretEncryptionAlgo.AES_256_GCM);
-      t.string("keyEncoding").notNullable().defaultTo(SecretKeyEncoding.UTF8);
-      t.jsonb("metadata");
-      // to avoid orphan rows
-      t.uuid("envId");
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.uuid("secretId").notNullable();
-      t.uuid("folderId").notNullable();
-      // t.foreign("secretId").references("id").inTable(TableName.Secret).onDelete("SET NULL");
-      t.uuid("userId");
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretVersion);
-  // many to many relation between tags
-  await createJunctionTable(
-    knex,
-    TableName.SecretVersionTag,
-    TableName.SecretVersion,
-    TableName.SecretTag
-  );
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretVersionTag);
-  await knex.schema.dropTableIfExists(TableName.SecretVersion);
-  await dropOnUpdateTrigger(knex, TableName.SecretVersion);
-}

pg-migrator/src/migrations/20231222092113_project-bot.ts

@@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.ProjectBot))) {
-    await knex.schema.createTable(TableName.ProjectBot, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.boolean("isActive").defaultTo(false).notNullable();
-      t.text("encryptedPrivateKey").notNullable();
-      t.text("publicKey").notNullable();
-      t.text("iv").notNullable();
-      t.text("tag").notNullable();
-      t.string("algorithm").notNullable();
-      t.string("keyEncoding").notNullable();
-      t.text("encryptedProjectKey");
-      t.text("encryptedProjectKeyNonce");
-      // one to one relationship
-      t.string("projectId").notNullable().unique();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.uuid("senderId");
-      t.foreign("senderId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.ProjectBot);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ProjectBot);
-  await dropOnUpdateTrigger(knex, TableName.ProjectBot);
-}

pg-migrator/src/migrations/20231222172455_integration.ts

@@ -1,71 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IntegrationAuth))) {
-    await knex.schema.createTable(TableName.IntegrationAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("integration").notNullable();
-      t.string("teamId"); // vercel-specific
-      t.string("url"); // for self hosted
-      t.string("namespace"); // hashicorp specific
-      t.string("accountId"); // netlify
-      t.text("refreshCiphertext");
-      t.string("refreshIV");
-      t.string("refreshTag");
-      t.string("accessIdCiphertext");
-      t.string("accessIdIV");
-      t.string("accessIdTag");
-      t.text("accessCiphertext");
-      t.string("accessIV");
-      t.string("accessTag");
-      t.datetime("accessExpiresAt");
-      t.jsonb("metadata");
-      t.string("algorithm").notNullable();
-      t.string("keyEncoding").notNullable();
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.IntegrationAuth);
-
-  if (!(await knex.schema.hasTable(TableName.Integration))) {
-    await knex.schema.createTable(TableName.Integration, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.boolean("isActive").notNullable();
-      t.string("url"); // self hosted
-      t.string("app"); // name of app in provider
-      t.string("appId");
-      t.string("targetEnvironment");
-      t.string("targetEnvironmentId");
-      t.string("targetService"); // railway - qovery specific
-      t.string("targetServiceId");
-      t.string("owner"); // github specific
-      t.string("path"); // aws parameter store / vercel preview branch
-      t.string("region"); // aws
-      t.string("scope"); // qovery specific scope
-      t.string("integration").notNullable();
-      t.jsonb("metadata");
-      t.uuid("integrationAuthId").notNullable();
-      t.foreign("integrationAuthId")
-        .references("id")
-        .inTable(TableName.IntegrationAuth)
-        .onDelete("CASCADE");
-      t.uuid("envId").notNullable();
-      t.string("secretPath").defaultTo("/").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.Integration);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.Integration);
-  await knex.schema.dropTableIfExists(TableName.IntegrationAuth);
-  await dropOnUpdateTrigger(knex, TableName.IntegrationAuth);
-  await dropOnUpdateTrigger(knex, TableName.Integration);
-}

pg-migrator/src/migrations/20231225072545_service-token.ts

@@ -1,32 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.ServiceToken))) {
-    await knex.schema.createTable(TableName.ServiceToken, (t) => {
-      t.string("id", 36).primary().defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.jsonb("scopes").notNullable();
-      t.specificType("permissions", "text[]").notNullable();
-      t.datetime("lastUsed");
-      t.datetime("expiresAt");
-      t.text("secretHash").notNullable();
-      t.text("encryptedKey");
-      t.text("iv");
-      t.text("tag");
-      t.timestamps(true, true, true);
-      // user is old one
-      t.string("createdBy").notNullable();
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.ServiceToken);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ServiceToken);
-  await dropOnUpdateTrigger(knex, TableName.ServiceToken);
-}

pg-migrator/src/migrations/20231225072552_webhook.ts

@@ -1,32 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.Webhook))) {
-    await knex.schema.createTable(TableName.Webhook, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("secretPath").notNullable().defaultTo("/");
-      t.string("url").notNullable();
-      t.string("lastStatus");
-      t.text("lastRunErrorMessage");
-      t.boolean("isDisabled").defaultTo(false).notNullable();
-      // webhook signature
-      t.text("encryptedSecretKey");
-      t.text("iv");
-      t.text("tag");
-      t.string("algorithm");
-      t.string("keyEncoding");
-      t.timestamps(true, true, true);
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.Webhook);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.Webhook);
-  await dropOnUpdateTrigger(knex, TableName.Webhook);
-}

pg-migrator/src/migrations/20231228074856_identity.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.Identity))) {
-    await knex.schema.createTable(TableName.Identity, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("authMethod");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.Identity);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.Identity);
-  await dropOnUpdateTrigger(knex, TableName.Identity);
-}

pg-migrator/src/migrations/20231228074908_identity-universal-auth.ts

@@ -1,49 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityUniversalAuth))) {
-    await knex.schema.createTable(TableName.IdentityUniversalAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("clientId").notNullable();
-      t.bigint("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigint("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigint("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("clientSecretTrustedIps").notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-    });
-  }
-  if (!(await knex.schema.hasTable(TableName.IdentityUaClientSecret))) {
-    await knex.schema.createTable(TableName.IdentityUaClientSecret, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("description").notNullable();
-      t.string("clientSecretPrefix").notNullable();
-      t.string("clientSecretHash").notNullable();
-      t.datetime("clientSecretLastUsedAt");
-      t.bigint("clientSecretNumUses").defaultTo(0).notNullable();
-      t.bigint("clientSecretNumUsesLimit").defaultTo(0).notNullable();
-      t.bigint("clientSecretTTL").defaultTo(0).notNullable();
-      t.boolean("isClientSecretRevoked").defaultTo(false).notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityUAId").notNullable();
-      t.foreign("identityUAId")
-        .references("id")
-        .inTable(TableName.IdentityUniversalAuth)
-        .onDelete("CASCADE");
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.IdentityUniversalAuth);
-  await createOnUpdateTrigger(knex, TableName.IdentityUaClientSecret);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityUaClientSecret);
-  await knex.schema.dropTableIfExists(TableName.IdentityUniversalAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityUaClientSecret);
-  await dropOnUpdateTrigger(knex, TableName.IdentityUniversalAuth);
-}

pg-migrator/src/migrations/20231228075011_identity-access-token.ts

@@ -1,37 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityAccessToken))) {
-    await knex.schema.createTable(TableName.IdentityAccessToken, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("accessTokenTTL").defaultTo(2592000).notNullable(); // 30 days second
-      t.integer("accessTokenMaxTTL").defaultTo(2592000).notNullable();
-      t.integer("accessTokenNumUses").defaultTo(0).notNullable();
-      t.integer("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.datetime("accessTokenLastUsedAt");
-      t.datetime("accessTokenLastRenewedAt");
-      t.boolean("isAccessTokenRevoked").defaultTo(false).notNullable();
-      t.uuid("identityUAClientSecretId");
-      t.foreign("identityUAClientSecretId")
-        .references("id")
-        .inTable(TableName.IdentityUaClientSecret)
-        .onDelete("CASCADE");
-      t.uuid("identityId").notNullable();
-      t.foreign("identityId")
-        .references("id")
-        .inTable(TableName.Identity)
-        .onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityAccessToken);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityAccessToken);
-  await dropOnUpdateTrigger(knex, TableName.IdentityAccessToken);
-}

pg-migrator/src/migrations/20231228075023_identity-membership.ts

@@ -1,44 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityOrgMembership))) {
-    await knex.schema.createTable(TableName.IdentityOrgMembership, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("role").notNullable();
-      t.uuid("roleId");
-      t.foreign("roleId").references("id").inTable(TableName.OrgRoles);
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.IdentityOrgMembership);
-
-  if (!(await knex.schema.hasTable(TableName.IdentityProjectMembership))) {
-    await knex.schema.createTable(TableName.IdentityProjectMembership, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("role").notNullable();
-      t.uuid("roleId");
-      t.foreign("roleId").references("id").inTable(TableName.ProjectRoles);
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.uuid("identityId").notNullable();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.IdentityProjectMembership);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityOrgMembership);
-  await knex.schema.dropTableIfExists(TableName.IdentityProjectMembership);
-
-  await dropOnUpdateTrigger(knex, TableName.IdentityProjectMembership);
-  await dropOnUpdateTrigger(knex, TableName.IdentityOrgMembership);
-}

pg-migrator/src/migrations/20240101054849_secret-approval-policy.ts

@@ -1,45 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretApprovalPolicy))) {
-    await knex.schema.createTable(TableName.SecretApprovalPolicy, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("secretPath");
-      t.integer("approvals").defaultTo(1).notNullable();
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretApprovalPolicy);
-
-  if (!(await knex.schema.hasTable(TableName.SecretApprovalPolicyApprover))) {
-    await knex.schema.createTable(TableName.SecretApprovalPolicyApprover, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("approverId").notNullable();
-      t.foreign("approverId")
-        .references("id")
-        .inTable(TableName.ProjectMembership)
-        .onDelete("CASCADE");
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId")
-        .references("id")
-        .inTable(TableName.SecretApprovalPolicy)
-        .onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.SecretApprovalPolicyApprover);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretApprovalPolicyApprover);
-  await knex.schema.dropTableIfExists(TableName.SecretApprovalPolicy);
-  await dropOnUpdateTrigger(knex, TableName.SecretApprovalPolicyApprover);
-  await dropOnUpdateTrigger(knex, TableName.SecretApprovalPolicy);
-}

pg-migrator/src/migrations/20240101104907_secret-approval-request.ts

@@ -1,118 +0,0 @@
-import { Knex } from "knex";
-
-import { SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretApprovalRequest))) {
-    await knex.schema.createTable(TableName.SecretApprovalRequest, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("policyId").notNullable();
-      t.boolean("hasMerged").defaultTo(false).notNullable();
-      t.string("status").defaultTo("open").notNullable();
-      t.jsonb("conflicts");
-      t.foreign("policyId")
-        .references("id")
-        .inTable(TableName.SecretApprovalPolicy)
-        .onDelete("CASCADE");
-      t.string("slug").notNullable();
-      t.uuid("folderId").notNullable();
-      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
-      t.uuid("statusChangeBy");
-      t.foreign("statusChangeBy")
-        .references("id")
-        .inTable(TableName.ProjectMembership)
-        .onDelete("SET NULL");
-      t.uuid("committerId").notNullable();
-      t.foreign("committerId")
-        .references("id")
-        .inTable(TableName.ProjectMembership)
-        .onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretApprovalRequest);
-
-  if (!(await knex.schema.hasTable(TableName.SecretApprovalRequestReviewer))) {
-    await knex.schema.createTable(TableName.SecretApprovalRequestReviewer, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("member").notNullable();
-      t.foreign("member").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-      t.string("status").notNullable();
-      t.uuid("requestId").notNullable();
-      t.foreign("requestId")
-        .references("id")
-        .inTable(TableName.SecretApprovalRequest)
-        .onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretApprovalRequestReviewer);
-
-  if (!(await knex.schema.hasTable(TableName.SecretApprovalRequestSecret))) {
-    await knex.schema.createTable(TableName.SecretApprovalRequestSecret, (t) => {
-      // everything related  to secret
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("version").defaultTo(1);
-      t.text("secretBlindIndex");
-      t.text("secretKeyCiphertext").notNullable();
-      t.text("secretKeyIV").notNullable();
-      t.text("secretKeyTag").notNullable();
-      t.text("secretValueCiphertext").notNullable();
-      t.text("secretValueIV").notNullable(); // symmetric encryption
-      t.text("secretValueTag").notNullable();
-      t.text("secretCommentCiphertext");
-      t.text("secretCommentIV");
-      t.text("secretCommentTag");
-      t.string("secretReminderNote");
-      t.integer("secretReminderRepeatDays");
-      t.boolean("skipMultilineEncoding").defaultTo(false);
-      t.string("algorithm").notNullable().defaultTo(SecretEncryptionAlgo.AES_256_GCM);
-      t.string("keyEncoding").notNullable().defaultTo(SecretKeyEncoding.UTF8);
-      t.jsonb("metadata");
-      t.timestamps(true, true, true);
-      // commit details
-      t.uuid("requestId").notNullable();
-      t.foreign("requestId")
-        .references("id")
-        .inTable(TableName.SecretApprovalRequest)
-        .onDelete("CASCADE");
-      t.string("op").notNullable();
-      t.uuid("secretId");
-      t.foreign("secretId").references("id").inTable(TableName.Secret).onDelete("SET NULL");
-      t.uuid("secretVersion");
-      t.foreign("secretVersion")
-        .references("id")
-        .inTable(TableName.SecretVersion)
-        .onDelete("SET NULL");
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretApprovalRequestSecret);
-
-  if (!(await knex.schema.hasTable(TableName.SecretApprovalRequestSecretTag))) {
-    await knex.schema.createTable(TableName.SecretApprovalRequestSecretTag, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("secretId").notNullable();
-      t.foreign("secretId")
-        .references("id")
-        .inTable(TableName.SecretApprovalRequestSecret)
-        .onDelete("CASCADE");
-      t.uuid("tagId").notNullable();
-      t.foreign("tagId").references("id").inTable(TableName.SecretTag).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretApprovalRequestSecretTag);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretApprovalRequestSecretTag);
-  await knex.schema.dropTableIfExists(TableName.SecretApprovalRequestSecret);
-  await knex.schema.dropTableIfExists(TableName.SecretApprovalRequestReviewer);
-  await knex.schema.dropTableIfExists(TableName.SecretApprovalRequest);
-
-  await dropOnUpdateTrigger(knex, TableName.SecretApprovalRequestSecretTag);
-  await dropOnUpdateTrigger(knex, TableName.SecretApprovalRequestSecret);
-  await dropOnUpdateTrigger(knex, TableName.SecretApprovalRequestReviewer);
-  await dropOnUpdateTrigger(knex, TableName.SecretApprovalRequest);
-}

pg-migrator/src/migrations/20240102152111_secret-rotation.ts

@@ -1,47 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretRotation))) {
-    await knex.schema.createTable(TableName.SecretRotation, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("provider").notNullable();
-      t.string("secretPath").notNullable();
-      t.integer("interval").notNullable();
-      t.datetime("lastRotatedAt");
-      t.string("status");
-      t.text("statusMessage");
-      t.text("encryptedData");
-      t.text("encryptedDataIV");
-      t.text("encryptedDataTag");
-      t.string("algorithm");
-      t.string("keyEncoding");
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretRotation);
-
-  if (!(await knex.schema.hasTable(TableName.SecretRotationOutput))) {
-    await knex.schema.createTable(TableName.SecretRotationOutput, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("key").notNullable();
-      t.uuid("secretId").notNullable();
-      t.foreign("secretId").references("id").inTable(TableName.Secret).onDelete("CASCADE");
-      t.uuid("rotationId").notNullable();
-      t.foreign("rotationId")
-        .references("id")
-        .inTable(TableName.SecretRotation)
-        .onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretRotationOutput);
-  await knex.schema.dropTableIfExists(TableName.SecretRotation);
-  await dropOnUpdateTrigger(knex, TableName.SecretRotation);
-}

pg-migrator/src/migrations/20240104140641_secret-snapshot.ts

@@ -1,61 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.Snapshot))) {
-    await knex.schema.createTable(TableName.Snapshot, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      // this is not a relation kept like that
-      // this ensure snapshot are not lost when folder gets deleted and rolled back
-      t.uuid("folderId").notNullable();
-      t.uuid("parentFolderId");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.Snapshot);
-
-  if (!(await knex.schema.hasTable(TableName.SnapshotSecret))) {
-    await knex.schema.createTable(TableName.SnapshotSecret, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      // not a relation kept like that to keep it when rolled back
-      t.uuid("secretVersionId").notNullable();
-      t.foreign("secretVersionId")
-        .references("id")
-        .inTable(TableName.SecretVersion)
-        .onDelete("CASCADE");
-      t.uuid("snapshotId").notNullable();
-      t.foreign("snapshotId").references("id").inTable(TableName.Snapshot).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SnapshotFolder))) {
-    await knex.schema.createTable(TableName.SnapshotFolder, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      // not a relation kept like that to keep it when rolled back
-      t.uuid("folderVersionId").notNullable();
-      t.foreign("folderVersionId")
-        .references("id")
-        .inTable(TableName.SecretFolderVersion)
-        .onDelete("CASCADE");
-      t.uuid("snapshotId").notNullable();
-      t.foreign("snapshotId").references("id").inTable(TableName.Snapshot).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SnapshotSecret);
-  await knex.schema.dropTableIfExists(TableName.SnapshotFolder);
-  await knex.schema.dropTableIfExists(TableName.Snapshot);
-  await dropOnUpdateTrigger(knex, TableName.Snapshot);
-}

pg-migrator/src/migrations/20240107153439_saml-config.ts

@@ -1,33 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SamlConfig))) {
-    await knex.schema.createTable(TableName.SamlConfig, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("authProvider").notNullable();
-      t.boolean("isActive").notNullable();
-      t.string("encryptedEntryPoint");
-      t.string("entryPointIV");
-      t.string("entryPointTag");
-      t.string("encryptedIssuer");
-      t.string("issuerTag");
-      t.string("issuerIV");
-      t.text("encryptedCert");
-      t.string("certIV");
-      t.string("certTag");
-      t.timestamps(true, true, true);
-      t.uuid("orgId").notNullable().unique();
-      t.foreign("orgId").references("id").inTable(TableName.Organization);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.SamlConfig);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SamlConfig);
-  await dropOnUpdateTrigger(knex, TableName.SamlConfig);
-}

pg-migrator/src/migrations/20240107163155_org-bot.ts

@@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.OrgBot))) {
-    await knex.schema.createTable(TableName.OrgBot, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.text("publicKey").notNullable();
-      t.text("encryptedSymmetricKey").notNullable();
-      t.text("symmetricKeyIV").notNullable();
-      t.text("symmetricKeyTag").notNullable();
-      t.string("symmetricKeyAlgorithm").notNullable();
-      t.string("symmetricKeyKeyEncoding").notNullable();
-      t.text("encryptedPrivateKey").notNullable();
-      t.text("privateKeyIV").notNullable();
-      t.text("privateKeyTag").notNullable();
-      t.string("privateKeyAlgorithm").notNullable();
-      t.string("privateKeyKeyEncoding").notNullable();
-      // one to one relationship
-      t.uuid("orgId").notNullable().unique();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.OrgBot);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.OrgBot);
-  await dropOnUpdateTrigger(knex, TableName.OrgBot);
-}

pg-migrator/src/migrations/20240108134148_audit-log.ts

@@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AuditLog))) {
-    await knex.schema.createTable(TableName.AuditLog, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("actor").notNullable();
-      t.jsonb("actorMetadata").notNullable();
-      t.string("ipAddress");
-      t.string("eventType").notNullable();
-      t.jsonb("eventMetadata");
-      t.string("userAgent");
-      t.string("userAgentType");
-      t.datetime("expiresAt");
-      t.timestamps(true, true, true);
-      // no trigger needed as this collection is append only
-      t.uuid("orgId");
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.string("projectId");
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AuditLog);
-}

pg-migrator/src/migrations/20240111051011_secret-scanning.ts

@@ -1,79 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.GitAppInstallSession))) {
-    await knex.schema.createTable(TableName.GitAppInstallSession, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("sessionId").notNullable().unique();
-      t.uuid("userId");
-      // one to one relationship
-      t.uuid("orgId").notNullable().unique();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  createOnUpdateTrigger(knex, TableName.GitAppInstallSession);
-
-  if (!(await knex.schema.hasTable(TableName.GitAppOrg))) {
-    await knex.schema.createTable(TableName.GitAppOrg, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("installationId").notNullable().unique();
-      t.uuid("userId").notNullable();
-      // one to one relationship
-      t.uuid("orgId").notNullable().unique();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  createOnUpdateTrigger(knex, TableName.GitAppOrg);
-
-  if (!(await knex.schema.hasTable(TableName.SecretScanningGitRisk))) {
-    await knex.schema.createTable(TableName.SecretScanningGitRisk, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("description");
-      t.string("startLine");
-      t.string("endLine");
-      t.string("startColumn");
-      t.string("endColumn");
-      t.string("file");
-      t.string("symlinkFile");
-      t.string("commit");
-      t.string("entropy");
-      t.string("author");
-      t.string("email");
-      t.string("date");
-      t.text("message");
-      t.specificType("tags", "text[]");
-      t.string("ruleID");
-      t.string("fingerprint").unique();
-      t.string("fingerPrintWithoutCommitId");
-      t.boolean("isFalsePositive").defaultTo(false);
-      t.boolean("isResolved").defaultTo(false);
-      t.string("riskOwner");
-      t.string("installationId").notNullable();
-      t.string("repositoryId");
-      t.string("repositoryLink");
-      t.string("repositoryFullName");
-      t.string("pusherName");
-      t.string("pusherEmail");
-      t.string("status");
-      // one to one relationship
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  createOnUpdateTrigger(knex, TableName.SecretScanningGitRisk);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretScanningGitRisk);
-  await knex.schema.dropTableIfExists(TableName.GitAppOrg);
-  await knex.schema.dropTableIfExists(TableName.GitAppInstallSession);
-  await dropOnUpdateTrigger(knex, TableName.SecretScanningGitRisk);
-  await dropOnUpdateTrigger(knex, TableName.GitAppOrg);
-  await dropOnUpdateTrigger(knex, TableName.GitAppInstallSession);
-}

pg-migrator/src/migrations/20240113103743_trusted-ip.ts

@@ -1,26 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.TrustedIps))) {
-    await knex.schema.createTable(TableName.TrustedIps, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("ipAddress").notNullable();
-      t.string("type").notNullable();
-      t.integer("prefix");
-      t.boolean("isActive").defaultTo(true);
-      t.string("comment");
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project);
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.TrustedIps);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.TrustedIps);
-  await dropOnUpdateTrigger(knex, TableName.TrustedIps);
-}

pg-migrator/src/models/apiKeyData.ts

@@ -1,39 +0,0 @@
-import { Schema, Types, model } from "mongoose";
-
-export interface IAPIKeyData {
-  _id: Types.ObjectId;
-  name: string;
-  user: Types.ObjectId;
-  lastUsed: Date;
-  expiresAt: Date;
-  secretHash: string;
-}
-
-const apiKeyDataSchema = new Schema<IAPIKeyData>(
-  {
-    name: {
-      type: String,
-      required: true,
-    },
-    user: {
-      type: Schema.Types.ObjectId,
-      ref: "User",
-      required: true,
-    },
-    lastUsed: {
-      type: Date,
-    },
-    expiresAt: {
-      type: Date,
-    },
-    secretHash: {
-      type: String,
-      required: true,
-    },
-  },
-  {
-    timestamps: true,
-  },
-);
-
-export const APIKeyData = model<IAPIKeyData>("APIKeyData", apiKeyDataSchema);

pg-migrator/src/models/apiKeyDataV2.ts

@@ -1,38 +0,0 @@
-import { Document, Schema, Types, model } from "mongoose";
-
-export interface IAPIKeyDataV2 extends Document {
-    _id: Types.ObjectId;
-    name: string;
-    user: Types.ObjectId;
-    lastUsed?: Date
-    usageCount: number;
-    expiresAt?: Date;
-}
-
-const apiKeyDataV2Schema  = new Schema(
-    {
-        name: {
-            type: String,
-            required: true
-        },
-        user: {
-            type: Schema.Types.ObjectId,
-            ref: "User",
-            required: true
-        },
-        lastUsed: {
-            type: Date,
-            required: false
-        },
-        usageCount: {
-            type: Number,
-            default: 0,
-            required: true
-        }
-    },
-    {
-        timestamps: true
-    }
-);
-
-export const APIKeyDataV2 = model<IAPIKeyDataV2>("APIKeyDataV2", apiKeyDataV2Schema);

pg-migrator/src/models/auditLog/auditLog.ts

@@ -1,70 +0,0 @@
-import { Schema, Types, model } from "mongoose";
-import { ActorType, EventType, UserAgentType } from "./enums";
-import { Actor, Event } from "./types";
-
-export interface IAuditLog {
-  actor: Actor;
-  organization: Types.ObjectId;
-  workspace: Types.ObjectId;
-  ipAddress: string;
-  event: Event;
-  userAgent: string;
-  userAgentType: UserAgentType;
-  expiresAt?: Date;
-}
-
-const auditLogSchema = new Schema<IAuditLog>(
-  {
-    actor: {
-      type: {
-        type: String,
-        enum: ActorType,
-        required: true,
-      },
-      metadata: {
-        type: Schema.Types.Mixed,
-      },
-    },
-    organization: {
-      type: Schema.Types.ObjectId,
-      required: false,
-    },
-    workspace: {
-      type: Schema.Types.ObjectId,
-      required: false,
-      index: true,
-    },
-    ipAddress: {
-      type: String,
-      required: true,
-    },
-    event: {
-      type: {
-        type: String,
-        enum: EventType,
-        required: true,
-      },
-      metadata: {
-        type: Schema.Types.Mixed,
-      },
-    },
-    userAgent: {
-      type: String,
-      required: true,
-    },
-    userAgentType: {
-      type: String,
-      enum: UserAgentType,
-      required: true,
-    },
-    expiresAt: {
-      type: Date,
-      expires: 0,
-    },
-  },
-  {
-    timestamps: true,
-  },
-);
-
-export const AuditLog = model<IAuditLog>("AuditLog", auditLogSchema);

pg-migrator/src/models/auditLog/enums.ts

@@ -1,69 +0,0 @@
-export enum ActorType { // would extend to AWS, Azure, ...
-    USER = "user", // userIdentity
-    SERVICE = "service",
-    IDENTITY = "identity"
-}
-
-export enum UserAgentType {
-  WEB = "web",
-  CLI = "cli",
-  K8_OPERATOR = "k8-operator",
-  TERRAFORM = "terraform",
-  OTHER = "other",
-  PYTHON_SDK = "InfisicalPythonSDK",
-  NODE_SDK = "InfisicalNodeSDK"
-}
-
-export enum EventType {
-  GET_SECRETS = "get-secrets",
-  GET_SECRET = "get-secret",
-  REVEAL_SECRET = "reveal-secret",
-  CREATE_SECRET = "create-secret",
-  CREATE_SECRETS = "create-secrets",
-  UPDATE_SECRET = "update-secret",
-  UPDATE_SECRETS = "update-secrets",
-  DELETE_SECRET = "delete-secret",
-  DELETE_SECRETS = "delete-secrets",
-  GET_WORKSPACE_KEY = "get-workspace-key",
-  AUTHORIZE_INTEGRATION = "authorize-integration",
-  UNAUTHORIZE_INTEGRATION = "unauthorize-integration",
-  CREATE_INTEGRATION = "create-integration",
-  DELETE_INTEGRATION = "delete-integration",
-  ADD_TRUSTED_IP = "add-trusted-ip",
-  UPDATE_TRUSTED_IP = "update-trusted-ip",
-  DELETE_TRUSTED_IP = "delete-trusted-ip",
-  CREATE_SERVICE_TOKEN = "create-service-token", // v2
-  DELETE_SERVICE_TOKEN = "delete-service-token", // v2
-  CREATE_IDENTITY = "create-identity",
-  UPDATE_IDENTITY = "update-identity",
-  DELETE_IDENTITY = "delete-identity",
-  LOGIN_IDENTITY_UNIVERSAL_AUTH = "login-identity-universal-auth",
-  ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
-  UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
-  GET_IDENTITY_UNIVERSAL_AUTH = "get-identity-universal-auth",
-  CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
-  REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET =  "revoke-identity-universal-auth-client-secret",
-  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
-  CREATE_ENVIRONMENT = "create-environment",
-  UPDATE_ENVIRONMENT = "update-environment",
-  DELETE_ENVIRONMENT = "delete-environment",
-  ADD_WORKSPACE_MEMBER = "add-workspace-member",
-  ADD_BATCH_WORKSPACE_MEMBER = "add-workspace-members",
-  REMOVE_WORKSPACE_MEMBER = "remove-workspace-member",
-  CREATE_FOLDER = "create-folder",
-  UPDATE_FOLDER = "update-folder",
-  DELETE_FOLDER = "delete-folder",
-  CREATE_WEBHOOK = "create-webhook",
-  UPDATE_WEBHOOK_STATUS = "update-webhook-status",
-  DELETE_WEBHOOK = "delete-webhook",
-  GET_SECRET_IMPORTS = "get-secret-imports",
-  CREATE_SECRET_IMPORT = "create-secret-import",
-  UPDATE_SECRET_IMPORT = "update-secret-import",
-  DELETE_SECRET_IMPORT = "delete-secret-import",
-  UPDATE_USER_WORKSPACE_ROLE = "update-user-workspace-role",
-  UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS = "update-user-workspace-denied-permissions",
-  SECRET_APPROVAL_MERGED = "secret-approval-merged",
-  SECRET_APPROVAL_REQUEST = "secret-approval-request",
-  SECRET_APPROVAL_CLOSED = "secret-approval-closed",
-  SECRET_APPROVAL_REOPENED = "secret-approval-reopened"
-}

pg-migrator/src/models/auditLog/index.ts

@@ -1,3 +0,0 @@
-export * from "./auditLog";
-export * from "./enums";
-export * from "./types";