add slack notification message on success

.env.example

@@ -26,8 +26,7 @@ SITE_URL=http://localhost:8080
 # Mail/SMTP 
 SMTP_HOST=
 SMTP_PORT=
-SMTP_FROM_ADDRESS=
-SMTP_FROM_NAME=
+SMTP_NAME=
 SMTP_USERNAME=
 SMTP_PASSWORD=
 
@@ -105,7 +104,4 @@ INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET=
 INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
 INF_APP_CONNECTION_GITHUB_APP_SLUG=
-INF_APP_CONNECTION_GITHUB_APP_ID=
-
-#gcp app
-INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
+INF_APP_CONNECTION_GITHUB_APP_ID=

.github/actions/notify-slack/action.yaml

@@ -0,0 +1,42 @@
+name: notify-slack
+description: notify slack
+inputs:
+  channel:
+    description: channel to send message
+    required: true
+  token:
+    description: token with chat:write and chat:write.public permissions
+    required: true
+  message:
+    description: message formatted in Markdown
+    required: true
+runs:
+  using: composite
+  steps:
+    # see https://api.slack.com/tutorials/tracks/posting-messages-with-curl#let-us-hello-then__making-your-messages-more-fantastic
+    - name: notify-slack
+      shell: bash
+      run: |
+        curl https://slack.com/api/chat.postMessage \
+        -X POST --fail --silent --show-error \
+        -H "Authorization: Bearer ${SLACK_TOKEN}" \
+        -H "Content-type: application/json; charset=utf-8" \
+        --data @<(yq -pjson -ojson '.channel = env(SLACK_CHANNEL) | .blocks[0].text.text = env(MESSAGE)' <<'EOF'
+        {
+          "channel": "<replace me>",
+          "blocks": [
+            {
+              "type": "section",
+              "text": {
+                "type": "mrkdwn",
+                "text": "<replace me>"
+              }
+            }
+          ]
+        }
+        EOF
+        ) >/dev/null
+      env:
+        SLACK_CHANNEL: ${{ inputs.channel }}
+        SLACK_TOKEN: ${{ inputs.token }}
+        MESSAGE: ${{ inputs.message }}

.github/workflows/check-fe-ts-and-lint.yml

@@ -18,18 +18,18 @@ jobs:
     steps:
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
-      - name: 🔧 Setup Node 20
+      - name: 🔧 Setup Node 16
         uses: actions/setup-node@v3
         with:
-          node-version: "20"
+          node-version: "16"
           cache: "npm"
           cache-dependency-path: frontend/package-lock.json
       - name: 📦 Install dependencies
         run: npm install
         working-directory: frontend
       - name: 🏗️ Run Type check
-        run: npm run type:check
+        run: npm run type:check 
         working-directory: frontend
       - name: 🏗️ Run Link check
-        run: npm run lint:fix
+        run: npm run lint:fix 
         working-directory: frontend

.github/workflows/deployment-pipeline.yml

@@ -5,10 +5,6 @@ permissions:
   id-token: write
   contents: read
 
-concurrency: 
-  group: "infisical-core-deployment"
-  cancel-in-progress: true  
-
 jobs:
   infisical-tests:
     name: Integration tests
@@ -101,12 +97,18 @@ jobs:
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
           service: infisical-core-gamma-stage
           cluster: infisical-gamma-stage
           wait-for-service-stability: true
+      # only notify of success because continue-on-error is so tricky, see https://www.kenmuse.com/blog/how-to-handle-step-and-job-errors-in-github-actions/
+      - uses: ./.github/actions/notify-slack
+        with:
+          token: ${{ secrets.SLACK_TOKEN }}
+          channel: ${{ secrets.SLACK_CHANNEL }}
+          message: deployed infisical/staging_infisical:${{ steps.commit.outputs.short }} to ${{ vars.ENVIRONMENT }}
 
   production-us:
     name: US production deploy 
@@ -117,6 +119,10 @@ jobs:
     steps:
       - uses: twingate/github-action@v1
         with:
+        # The Twingate Service Key used to connect Twingate to the proper service
+        # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
+        #
+        # Required
           service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
       - name: Checkout code
         uses: actions/checkout@v2
@@ -153,37 +159,18 @@ jobs:
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
           service: infisical-core-platform
           cluster: infisical-core-platform
           wait-for-service-stability: true
-      - name: Post slack message 
-        uses: slackapi/slack-github-action@v2.0.0
+      # only notify of success because continue-on-error is so tricky, see https://www.kenmuse.com/blog/how-to-handle-step-and-job-errors-in-github-actions/
+      - uses: ./.github/actions/notify-slack
         with:
-          webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
-          webhook-type: incoming-webhook
-          payload: |
-            text: "*Deployment Status Update*: ${{ job.status }}"
-            blocks:
-              - type: "section"
-                text:
-                  type: "mrkdwn"
-                  text: "*Deployment Status Update*: ${{ job.status }}"
-              - type: "section"
-                fields:
-                  - type: "mrkdwn"
-                    text: "*Application:*\nInfisical Core"
-                  - type: "mrkdwn"
-                    text: "*Instance Type:*\nShared Infisical Cloud"
-              - type: "section"
-                fields:
-                  - type: "mrkdwn"
-                    text: "*Region:*\nUS"
-                  - type: "mrkdwn"
-                    text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
-
+          token: ${{ secrets.SLACK_TOKEN }}
+          channel: ${{ secrets.SLACK_CHANNEL }}
+          message: deployed infisical/staging_infisical:${{ steps.commit.outputs.short }} to ${{ vars.ENVIRONMENT }}
 
   production-eu:
       name: EU production deploy
@@ -229,34 +216,15 @@ jobs:
             image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
             environment-variables: "LOG_LEVEL=info"
         - name: Deploy to Amazon ECS service
-          uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+          uses: aws-actions/amazon-ecs-deploy-task-definition@v1
           with:
             task-definition: ${{ steps.render-web-container.outputs.task-definition }}
             service: infisical-core-platform
             cluster: infisical-core-platform
             wait-for-service-stability: true
-        - name: Post slack message 
-          uses: slackapi/slack-github-action@v2.0.0
-          with:
-            webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
-            webhook-type: incoming-webhook
-            payload: |
-              text: "*Deployment Status Update*: ${{ job.status }}"
-              blocks:
-                - type: "section"
-                  text:
-                    type: "mrkdwn"
-                    text: "*Deployment Status Update*: ${{ job.status }}"
-                - type: "section"
-                  fields:
-                    - type: "mrkdwn"
-                      text: "*Application:*\nInfisical Core"
-                    - type: "mrkdwn"
-                      text: "*Instance Type:*\nShared Infisical Cloud"
-                - type: "section"
-                  fields:
-                    - type: "mrkdwn"
-                      text: "*Region:*\nEU"
-                    - type: "mrkdwn"
-                      text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
-
+      # only notify of success because continue-on-error is so tricky, see https://www.kenmuse.com/blog/how-to-handle-step-and-job-errors-in-github-actions/
+      - uses: ./.github/actions/notify-slack
+        with:
+          token: ${{ secrets.SLACK_TOKEN }}
+          channel: ${{ secrets.SLACK_CHANNEL }}
+          message: deployed infisical/staging_infisical:${{ steps.commit.outputs.short }} to ${{ vars.ENVIRONMENT }}

.infisicalignore

@@ -7,4 +7,3 @@ docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
 docs/mint.json:generic-api-key:651
 backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134
-docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:104

Dockerfile.fips.standalone-infisical

@@ -8,7 +8,7 @@ FROM node:20-slim AS base
 FROM base AS frontend-dependencies
 WORKDIR /app
 
-COPY frontend/package.json frontend/package-lock.json  ./
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
 
 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@@ -23,16 +23,17 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .
 
 ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV VITE_POSTHOG_HOST $POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV VITE_INTERCOM_ID $INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 
 # Build
 RUN npm run build
@@ -43,10 +44,20 @@ WORKDIR /app
 
 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
 
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
+RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown non-root-user:nodejs ./public/data
+
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
 
 USER non-root-user
 
+ENV NEXT_TELEMETRY_DISABLED 1
+
 ##
 ## BACKEND
 ##
@@ -126,7 +137,7 @@ RUN apt-get update && apt-get install -y \
     freetds-dev \
     freetds-bin \
     tdsodbc \
-    openssh-client \
+    openssh \
     && rm -rf /var/lib/apt/lists/*
 
 # Configure ODBC in production
@@ -149,11 +160,14 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates
 
 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+    BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV INTERCOM_ID=$INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+    BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
 WORKDIR / 
 
@@ -178,4 +192,4 @@ EXPOSE 443
 
 USER non-root-user
 
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]

Dockerfile.standalone-infisical

@@ -12,7 +12,7 @@ RUN apk add --no-cache libc6-compat
 
 WORKDIR /app
 
-COPY frontend/package.json frontend/package-lock.json  ./
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
 
 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@@ -27,16 +27,17 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .
 
 ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV VITE_POSTHOG_HOST $POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV VITE_INTERCOM_ID $INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 
 # Build
 RUN npm run build
@@ -48,10 +49,20 @@ WORKDIR /app
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 non-root-user
 
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
+RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown non-root-user:nodejs ./public/data
+
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
 
 USER non-root-user
 
+ENV NEXT_TELEMETRY_DISABLED 1
+
 ##
 ## BACKEND
 ##
@@ -148,11 +159,14 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates
 
 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV INTERCOM_ID=$INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+  BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
 
 COPY --from=backend-runner /app /backend
@@ -175,4 +189,4 @@ EXPOSE 443
 
 USER non-root-user
 
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]

README.md

@@ -56,7 +56,7 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical Kubernetes Operator](https://infisical.com/docs/documentation/getting-started/kubernetes)**: Deliver secrets to your Kubernetes workloads and automatically reload deployments.
 - **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)**: Inject secrets into applications without modifying any code logic.
 
-### Infisical (Internal) PKI:
+### Internal PKI:
 
 - **[Private Certificate Authority](https://infisical.com/docs/documentation/platform/pki/private-ca)**: Create CA hierarchies, configure [certificate templates](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) for policy enforcement, and start issuing X.509 certificates.
 - **[Certificate Management](https://infisical.com/docs/documentation/platform/pki/certificates)**: Manage the certificate lifecycle from [issuance](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) to [revocation](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-revoking-certificates) with support for CRL.
@@ -64,17 +64,12 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical PKI Issuer for Kubernetes](https://infisical.com/docs/documentation/platform/pki/pki-issuer)**: Deliver TLS certificates to your Kubernetes workloads with automatic renewal.
 - **[Enrollment over Secure Transport](https://infisical.com/docs/documentation/platform/pki/est)**: Enroll and manage certificates via EST protocol.
 
-### Infisical Key Management System (KMS):
+### Key Management (KMS):
 
 - **[Cryptographic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
 - **[Encrypt and Decrypt Data](https://infisical.com/docs/documentation/platform/kms#guide-to-encrypting-data)**: Use symmetric keys to encrypt and decrypt data.
 
-### Infisical SSH
-
-- **[Signed SSH Certificates](https://infisical.com/docs/documentation/platform/ssh)**: Issue ephemeral SSH credentials for secure, short-lived, and centralized access to infrastructure.
-
 ### General Platform:
-
 - **Authentication Methods**: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method ([Kubernetes Auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth), [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth), [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth), [OIDC Auth](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general), [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth)).
 - **[Access Controls](https://infisical.com/docs/documentation/platform/access-controls/overview)**: Define advanced authorization controls for users and machine identities with [RBAC](https://infisical.com/docs/documentation/platform/access-controls/role-based-access-controls), [additional privileges](https://infisical.com/docs/documentation/platform/access-controls/additional-privileges), [temporary access](https://infisical.com/docs/documentation/platform/access-controls/temporary-access), [access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests), [approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows), and more.
 - **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)**: Track every action taken on the platform.

backend/package-lock.json

@@ -26,7 +26,6 @@
         "@fastify/rate-limit": "^9.0.0",
         "@fastify/request-context": "^5.1.0",
         "@fastify/session": "^10.7.0",
-        "@fastify/static": "^7.0.4",
         "@fastify/swagger": "^8.14.0",
         "@fastify/swagger-ui": "^2.1.0",
         "@google-cloud/kms": "^4.5.0",
@@ -5407,7 +5406,6 @@
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/@fastify/accept-negotiator/-/accept-negotiator-1.1.0.tgz",
       "integrity": "sha512-OIHZrb2ImZ7XG85HXOONLcJWGosv7sIvM2ifAPQVhg9Lv7qdmMBNVaai4QTdyuaqbKM5eO6sLSQOYI7wEQeCJQ==",
-      "license": "MIT",
       "engines": {
         "node": ">=14"
       }
@@ -5547,7 +5545,6 @@
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/@fastify/send/-/send-2.1.0.tgz",
       "integrity": "sha512-yNYiY6sDkexoJR0D8IDy3aRP3+L4wdqCpvx5WP+VtEU58sn7USmKynBzDQex5X42Zzvw2gNzzYgP90UfWShLFA==",
-      "license": "MIT",
       "dependencies": {
         "@lukeed/ms": "^2.0.1",
         "escape-html": "~1.0.3",
@@ -5566,85 +5563,16 @@
       }
     },
     "node_modules/@fastify/static": {
-      "version": "7.0.4",
-      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-7.0.4.tgz",
-      "integrity": "sha512-p2uKtaf8BMOZWLs6wu+Ihg7bWNBdjNgCwDza4MJtTqg+5ovKmcbgbR9Xs5/smZ1YISfzKOCNYmZV8LaCj+eJ1Q==",
-      "license": "MIT",
+      "version": "6.12.0",
+      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-6.12.0.tgz",
+      "integrity": "sha512-KK1B84E6QD/FcQWxDI2aiUCwHxMJBI1KeCUzm1BwYpPY1b742+jeKruGHP2uOluuM6OkBPI8CIANrXcCRtC2oQ==",
       "dependencies": {
         "@fastify/accept-negotiator": "^1.0.0",
         "@fastify/send": "^2.0.0",
         "content-disposition": "^0.5.3",
         "fastify-plugin": "^4.0.0",
-        "fastq": "^1.17.0",
-        "glob": "^10.3.4"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/brace-expansion": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
-      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^1.0.0"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/glob": {
-      "version": "10.4.5",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
-      "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
-      "license": "ISC",
-      "dependencies": {
-        "foreground-child": "^3.1.0",
-        "jackspeak": "^3.1.2",
-        "minimatch": "^9.0.4",
-        "minipass": "^7.1.2",
-        "package-json-from-dist": "^1.0.0",
-        "path-scurry": "^1.11.1"
-      },
-      "bin": {
-        "glob": "dist/esm/bin.mjs"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/jackspeak": {
-      "version": "3.4.3",
-      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz",
-      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
-      "license": "BlueOak-1.0.0",
-      "dependencies": {
-        "@isaacs/cliui": "^8.0.2"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      },
-      "optionalDependencies": {
-        "@pkgjs/parseargs": "^0.11.0"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/minimatch": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
-      "license": "ISC",
-      "dependencies": {
-        "brace-expansion": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
+        "glob": "^8.0.1",
+        "p-limit": "^3.1.0"
       }
     },
     "node_modules/@fastify/swagger": {
@@ -5671,20 +5599,6 @@
         "yaml": "^2.2.2"
       }
     },
-    "node_modules/@fastify/swagger-ui/node_modules/@fastify/static": {
-      "version": "6.12.0",
-      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-6.12.0.tgz",
-      "integrity": "sha512-KK1B84E6QD/FcQWxDI2aiUCwHxMJBI1KeCUzm1BwYpPY1b742+jeKruGHP2uOluuM6OkBPI8CIANrXcCRtC2oQ==",
-      "license": "MIT",
-      "dependencies": {
-        "@fastify/accept-negotiator": "^1.0.0",
-        "@fastify/send": "^2.0.0",
-        "content-disposition": "^0.5.3",
-        "fastify-plugin": "^4.0.0",
-        "glob": "^8.0.1",
-        "p-limit": "^3.1.0"
-      }
-    },
     "node_modules/@google-cloud/kms": {
       "version": "4.5.0",
       "resolved": "https://registry.npmjs.org/@google-cloud/kms/-/kms-4.5.0.tgz",
@@ -6148,10 +6062,9 @@
       "integrity": "sha512-O89xFDLW2gBoZWNXuXpBSM32/KealKCTb3JGtJdtUQc7RjAk8XzrRgyz02cPAwGKwKPxy0ivuC7UP9bmN87egQ=="
     },
     "node_modules/@lukeed/ms": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.2.tgz",
-      "integrity": "sha512-9I2Zn6+NJLfaGoz9jN3lpwDgAYvfGeNYdbAIjJOqzs4Tpc+VU3Jqq4IofSUBKajiDS8k9fZIg18/z13mpk1bsA==",
-      "license": "MIT",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.1.tgz",
+      "integrity": "sha512-Xs/4RZltsAL7pkvaNStUQt7netTkyxrS0K+RILcVr3TRMS/ToOg4I6uNfhB9SlGsnWBym4U+EaXq0f0cEMNkHA==",
       "engines": {
         "node": ">=8"
       }
@@ -13966,9 +13879,9 @@
       }
     },
     "node_modules/express": {
-      "version": "4.21.2",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz",
-      "integrity": "sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==",
+      "version": "4.21.1",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz",
+      "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==",
       "license": "MIT",
       "dependencies": {
         "accepts": "~1.3.8",
@@ -13990,7 +13903,7 @@
         "methods": "~1.1.2",
         "on-finished": "2.4.1",
         "parseurl": "~1.3.3",
-        "path-to-regexp": "0.1.12",
+        "path-to-regexp": "0.1.10",
         "proxy-addr": "~2.0.7",
         "qs": "6.13.0",
         "range-parser": "~1.2.1",
@@ -14005,10 +13918,6 @@
       },
       "engines": {
         "node": ">= 0.10.0"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
       }
     },
     "node_modules/express-session": {
@@ -17479,16 +17388,15 @@
       }
     },
     "node_modules/nanoid": {
-      "version": "3.3.8",
-      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.8.tgz",
-      "integrity": "sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==",
+      "version": "3.3.7",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz",
+      "integrity": "sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g==",
       "funding": [
         {
           "type": "github",
           "url": "https://github.com/sponsors/ai"
         }
       ],
-      "license": "MIT",
       "bin": {
         "nanoid": "bin/nanoid.cjs"
       },
@@ -18475,9 +18383,9 @@
       "license": "ISC"
     },
     "node_modules/path-to-regexp": {
-      "version": "0.1.12",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz",
-      "integrity": "sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==",
+      "version": "0.1.10",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz",
+      "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==",
       "license": "MIT"
     },
     "node_modules/path-type": {

backend/package.json

@@ -134,7 +134,6 @@
     "@fastify/rate-limit": "^9.0.0",
     "@fastify/request-context": "^5.1.0",
     "@fastify/session": "^10.7.0",
-    "@fastify/static": "^7.0.4",
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
     "@google-cloud/kms": "^4.5.0",

backend/src/@types/fastify.d.ts

@@ -80,7 +80,6 @@ import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-
 import { TSecretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { TSecretReplicationServiceFactory } from "@app/services/secret-replication/secret-replication-service";
 import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
-import { TSecretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
 import { TSlackServiceFactory } from "@app/services/slack/slack-service";
@@ -211,7 +210,6 @@ declare module "fastify" {
       projectTemplate: TProjectTemplateServiceFactory;
       totp: TTotpServiceFactory;
       appConnection: TAppConnectionServiceFactory;
-      secretSync: TSecretSyncServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -218,9 +218,6 @@ import {
   TRateLimit,
   TRateLimitInsert,
   TRateLimitUpdate,
-  TResourceMetadata,
-  TResourceMetadataInsert,
-  TResourceMetadataUpdate,
   TSamlConfigs,
   TSamlConfigsInsert,
   TSamlConfigsUpdate,
@@ -372,7 +369,6 @@ import {
   TExternalGroupOrgRoleMappingsInsert,
   TExternalGroupOrgRoleMappingsUpdate
 } from "@app/db/schemas/external-group-org-role-mappings";
-import { TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate } from "@app/db/schemas/secret-syncs";
 import {
   TSecretV2TagJunction,
   TSecretV2TagJunctionInsert,
@@ -891,16 +887,10 @@ declare module "knex/types/tables" {
       TProjectSplitBackfillIdsInsert,
       TProjectSplitBackfillIdsUpdate
     >;
-    [TableName.ResourceMetadata]: KnexOriginal.CompositeTableType<
-      TResourceMetadata,
-      TResourceMetadataInsert,
-      TResourceMetadataUpdate
-    >;
     [TableName.AppConnection]: KnexOriginal.CompositeTableType<
       TAppConnections,
       TAppConnectionsInsert,
       TAppConnectionsUpdate
     >;
-    [TableName.SecretSync]: KnexOriginal.CompositeTableType<TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate>;
   }
 }

backend/src/db/migrations/20241218165837_resource-metadata.ts

@@ -1,40 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.ResourceMetadata))) {
-    await knex.schema.createTable(TableName.ResourceMetadata, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.string("key").notNullable();
-      tb.string("value", 1020).notNullable();
-      tb.uuid("orgId").notNullable();
-      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      tb.uuid("userId");
-      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      tb.uuid("identityId");
-      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      tb.uuid("secretId");
-      tb.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
-      tb.timestamps(true, true, true);
-    });
-  }
-
-  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
-  if (!hasSecretMetadataField) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
-      t.jsonb("secretMetadata");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ResourceMetadata);
-
-  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
-  if (hasSecretMetadataField) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
-      t.dropColumn("secretMetadata");
-    });
-  }
-}

backend/src/db/migrations/20250115222458_groups-unique-name.ts

@@ -1,49 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  // find any duplicate group names within organizations
-  const duplicates = await knex(TableName.Groups)
-    .select("orgId", "name")
-    .count("* as count")
-    .groupBy("orgId", "name")
-    .having(knex.raw("count(*) > 1"));
-
-  // for each set of duplicates, update all but one with a numbered suffix
-  for await (const duplicate of duplicates) {
-    const groups = await knex(TableName.Groups)
-      .select("id", "name")
-      .where({
-        orgId: duplicate.orgId,
-        name: duplicate.name
-      })
-      .orderBy("createdAt", "asc"); // keep original name for oldest group
-
-    // skip the first (oldest) group, rename others with numbered suffix
-    for (let i = 1; i < groups.length; i += 1) {
-      // eslint-disable-next-line no-await-in-loop
-      await knex(TableName.Groups)
-        .where("id", groups[i].id)
-        .update({
-          name: `${groups[i].name} (${i})`,
-
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore TS doesn't know about Knex's timestamp types
-          updatedAt: new Date()
-        });
-    }
-  }
-
-  // add the unique constraint
-  await knex.schema.alterTable(TableName.Groups, (t) => {
-    t.unique(["orgId", "name"]);
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  // Remove the unique constraint
-  await knex.schema.alterTable(TableName.Groups, (t) => {
-    t.dropUnique(["orgId", "name"]);
-  });
-}

backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts

@@ -1,33 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
-  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
-
-  await knex.schema.alterTable(TableName.Project, (t) => {
-    if (!hasEnforceCapitalizationCol) {
-      t.boolean("enforceCapitalization").defaultTo(false).notNullable();
-    }
-
-    if (hasAutoCapitalizationCol) {
-      t.boolean("autoCapitalization").defaultTo(false).alter();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
-  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
-
-  await knex.schema.alterTable(TableName.Project, (t) => {
-    if (hasEnforceCapitalizationCol) {
-      t.dropColumn("enforceCapitalization");
-    }
-
-    if (hasAutoCapitalizationCol) {
-      t.boolean("autoCapitalization").defaultTo(true).alter();
-    }
-  });
-}

backend/src/db/migrations/20250122055102_secret-sync.ts

@@ -1,50 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretSync))) {
-    await knex.schema.createTable(TableName.SecretSync, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name", 32).notNullable();
-      t.string("description");
-      t.string("destination").notNullable();
-      t.boolean("isAutoSyncEnabled").notNullable().defaultTo(true);
-      t.integer("version").defaultTo(1).notNullable();
-      t.jsonb("destinationConfig").notNullable();
-      t.jsonb("syncOptions").notNullable();
-      // we're including projectId in addition to folder ID because we allow folderId to be null (if the folder
-      // is deleted), to preserve sync configuration
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.uuid("folderId");
-      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("SET NULL");
-      t.uuid("connectionId").notNullable();
-      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
-      t.timestamps(true, true, true);
-      // sync secrets to destination
-      t.string("syncStatus");
-      t.string("lastSyncJobId");
-      t.string("lastSyncMessage");
-      t.datetime("lastSyncedAt");
-      // import secrets from destination
-      t.string("importStatus");
-      t.string("lastImportJobId");
-      t.string("lastImportMessage");
-      t.datetime("lastImportedAt");
-      // remove secrets from destination
-      t.string("removeStatus");
-      t.string("lastRemoveJobId");
-      t.string("lastRemoveMessage");
-      t.datetime("lastRemovedAt");
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretSync);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretSync);
-  await dropOnUpdateTrigger(knex, TableName.SecretSync);
-}

backend/src/db/schemas/index.ts

@@ -71,7 +71,6 @@ export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./rate-limit";
-export * from "./resource-metadata";
 export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";

backend/src/db/schemas/models.ts

@@ -80,7 +80,6 @@ export enum TableName {
   IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
   // used by both identity and users
   IdentityMetadata = "identity_metadata",
-  ResourceMetadata = "resource_metadata",
   ScimToken = "scim_tokens",
   AccessApprovalPolicy = "access_approval_policies",
   AccessApprovalPolicyApprover = "access_approval_policies_approvers",
@@ -131,8 +130,7 @@ export enum TableName {
   WorkflowIntegrations = "workflow_integrations",
   SlackIntegrations = "slack_integrations",
   ProjectSlackConfigs = "project_slack_configs",
-  AppConnection = "app_connections",
-  SecretSync = "secret_syncs"
+  AppConnection = "app_connections"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
@@ -216,12 +214,3 @@ export enum ProjectType {
   KMS = "kms",
   SSH = "ssh"
 }
-
-export enum ActionProjectType {
-  SecretManager = ProjectType.SecretManager,
-  CertificateManager = ProjectType.CertificateManager,
-  KMS = ProjectType.KMS,
-  SSH = ProjectType.SSH,
-  // project operations that happen on all types
-  Any = "any"
-}

backend/src/db/schemas/projects.ts

@@ -13,7 +13,7 @@ export const ProjectsSchema = z.object({
   id: z.string(),
   name: z.string(),
   slug: z.string(),
-  autoCapitalization: z.boolean().default(false).nullable().optional(),
+  autoCapitalization: z.boolean().default(true).nullable().optional(),
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
@@ -25,8 +25,7 @@ export const ProjectsSchema = z.object({
   kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
   kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
   description: z.string().nullable().optional(),
-  type: z.string(),
-  enforceCapitalization: z.boolean().default(false)
+  type: z.string()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/resource-metadata.ts

@@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ResourceMetadataSchema = z.object({
-  id: z.string().uuid(),
-  key: z.string(),
-  value: z.string(),
-  orgId: z.string().uuid(),
-  userId: z.string().uuid().nullable().optional(),
-  identityId: z.string().uuid().nullable().optional(),
-  secretId: z.string().uuid().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TResourceMetadata = z.infer<typeof ResourceMetadataSchema>;
-export type TResourceMetadataInsert = Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>;
-export type TResourceMetadataUpdate = Partial<Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/secret-approval-requests-secrets-v2.ts

@@ -24,8 +24,7 @@ export const SecretApprovalRequestsSecretsV2Schema = z.object({
   requestId: z.string().uuid(),
   op: z.string(),
   secretId: z.string().uuid().nullable().optional(),
-  secretVersion: z.string().uuid().nullable().optional(),
-  secretMetadata: z.unknown().nullable().optional()
+  secretVersion: z.string().uuid().nullable().optional()
 });
 
 export type TSecretApprovalRequestsSecretsV2 = z.infer<typeof SecretApprovalRequestsSecretsV2Schema>;

backend/src/db/schemas/secret-syncs.ts

@@ -1,40 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretSyncsSchema = z.object({
-  id: z.string().uuid(),
-  name: z.string(),
-  description: z.string().nullable().optional(),
-  destination: z.string(),
-  isAutoSyncEnabled: z.boolean().default(true),
-  version: z.number().default(1),
-  destinationConfig: z.unknown(),
-  syncOptions: z.unknown(),
-  projectId: z.string(),
-  folderId: z.string().uuid().nullable().optional(),
-  connectionId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  syncStatus: z.string().nullable().optional(),
-  lastSyncJobId: z.string().nullable().optional(),
-  lastSyncMessage: z.string().nullable().optional(),
-  lastSyncedAt: z.date().nullable().optional(),
-  importStatus: z.string().nullable().optional(),
-  lastImportJobId: z.string().nullable().optional(),
-  lastImportMessage: z.string().nullable().optional(),
-  lastImportedAt: z.date().nullable().optional(),
-  removeStatus: z.string().nullable().optional(),
-  lastRemoveJobId: z.string().nullable().optional(),
-  lastRemoveMessage: z.string().nullable().optional(),
-  lastRemovedAt: z.date().nullable().optional()
-});
-
-export type TSecretSyncs = z.infer<typeof SecretSyncsSchema>;
-export type TSecretSyncsInsert = Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>;
-export type TSecretSyncsUpdate = Partial<Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>>;

backend/src/ee/routes/v1/index.ts

@@ -22,7 +22,6 @@ import { registerSecretApprovalPolicyRouter } from "./secret-approval-policy-rou
 import { registerSecretApprovalRequestRouter } from "./secret-approval-request-router";
 import { registerSecretRotationProviderRouter } from "./secret-rotation-provider-router";
 import { registerSecretRotationRouter } from "./secret-rotation-router";
-import { registerSecretRouter } from "./secret-router";
 import { registerSecretScanningRouter } from "./secret-scanning-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
 import { registerSnapshotRouter } from "./snapshot-router";
@@ -93,7 +92,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerLdapRouter, { prefix: "/ldap" });
   await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
   await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
-  await server.register(registerSecretRouter, { prefix: "/secrets" });
   await server.register(registerSecretVersionRouter, { prefix: "/secret" });
   await server.register(registerGroupRouter, { prefix: "/groups" });
   await server.register(registerAuditLogStreamRouter, { prefix: "/audit-log-streams" });

backend/src/ee/routes/v1/org-role-router.ts

@@ -24,7 +24,6 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
         ),
         name: z.string().trim(),
         description: z.string().trim().nullish(),
-        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array()
         permissions: z.any().array()
       }),
       response: {
@@ -97,7 +96,6 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
           .optional(),
         name: z.string().trim().optional(),
         description: z.string().trim().nullish(),
-        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array().optional()
         permissions: z.any().array().optional()
       }),
       response: {

backend/src/ee/routes/v1/saml-router.ts

@@ -84,10 +84,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
                 samlConfig.audience = `spn:${ssoConfig.issuer}`;
               }
             }
-            if (
-              ssoConfig.authProvider === SamlProviders.GOOGLE_SAML ||
-              ssoConfig.authProvider === SamlProviders.AUTH0_SAML
-            ) {
+            if (ssoConfig.authProvider === SamlProviders.GOOGLE_SAML) {
               samlConfig.wantAssertionsSigned = false;
             }
 
@@ -126,10 +123,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
               `email: ${email} firstName: ${profile.firstName as string}`
             );
 
-            throw new BadRequestError({
-              message:
-                "Missing email or first name. Please double check your SAML attribute mapping for the selected provider."
-            });
+            throw new Error("Invalid saml request. Missing email or first name");
           }
 
           const userMetadata = Object.keys(profile.attributes || {})

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -12,7 +12,6 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 const approvalRequestUser = z.object({ userId: z.string().nullable().optional() }).merge(
   UsersSchema.pick({
@@ -275,7 +274,6 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 .extend({
                   op: z.string(),
                   tags: tagSchema,
-                  secretMetadata: ResourceMetadataSchema.nullish(),
                   secret: z
                     .object({
                       id: z.string(),
@@ -293,8 +291,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                       secretKey: z.string(),
                       secretValue: z.string().optional(),
                       secretComment: z.string().optional(),
-                      tags: tagSchema,
-                      secretMetadata: ResourceMetadataSchema.nullish()
+                      tags: tagSchema
                     })
                     .optional()
                 })

backend/src/ee/routes/v1/secret-router.ts

@@ -1,71 +0,0 @@
-import z from "zod";
-
-import { ProjectPermissionActions } from "@app/ee/services/permission/project-permission";
-import { RAW_SECRETS } from "@app/lib/api-docs";
-import { removeTrailingSlash } from "@app/lib/fn";
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-const AccessListEntrySchema = z
-  .object({
-    allowedActions: z.nativeEnum(ProjectPermissionActions).array(),
-    id: z.string(),
-    membershipId: z.string(),
-    name: z.string()
-  })
-  .array();
-
-export const registerSecretRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "GET",
-    url: "/:secretName/access-list",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Get list of users, machine identities, and groups with access to a secret",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.secretName)
-      }),
-      querystring: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.GET_ACCESS_LIST.secretPath)
-      }),
-      response: {
-        200: z.object({
-          groups: AccessListEntrySchema,
-          identities: AccessListEntrySchema,
-          users: AccessListEntrySchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { secretName } = req.params;
-      const { secretPath, environment, workspaceId: projectId } = req.query;
-
-      return server.services.secret.getSecretAccessList({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        secretPath,
-        environment,
-        projectId,
-        secretName
-      });
-    }
-  });
-};

backend/src/ee/routes/v1/secret-scanning-router.ts

@@ -1,13 +1,9 @@
 import { z } from "zod";
 
 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
-import {
-  SecretScanningResolvedStatus,
-  SecretScanningRiskStatus
-} from "@app/ee/services/secret-scanning/secret-scanning-types";
+import { SecretScanningRiskStatus } from "@app/ee/services/secret-scanning/secret-scanning-types";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
-import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -101,45 +97,6 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
     }
   });
 
-  server.route({
-    url: "/organization/:organizationId/risks/export",
-    method: "GET",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({ organizationId: z.string().trim() }),
-      querystring: z.object({
-        repositoryNames: z
-          .string()
-          .optional()
-          .nullable()
-          .transform((val) => (val ? val.split(",") : undefined)),
-        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
-      }),
-      response: {
-        200: z.object({
-          risks: SecretScanningGitRisksSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const risks = await server.services.secretScanning.getAllRisksByOrg({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId,
-        filter: {
-          repositoryNames: req.query.repositoryNames,
-          resolvedStatus: req.query.resolvedStatus
-        }
-      });
-      return { risks };
-    }
-  });
-
   server.route({
     url: "/organization/:organizationId/risks",
     method: "GET",
@@ -148,46 +105,20 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
     },
     schema: {
       params: z.object({ organizationId: z.string().trim() }),
-
-      querystring: z.object({
-        offset: z.coerce.number().min(0).default(0),
-        limit: z.coerce.number().min(1).max(20000).default(100),
-        orderBy: z.enum(["createdAt", "name"]).default("createdAt"),
-        orderDirection: z.nativeEnum(OrderByDirection).default(OrderByDirection.DESC),
-        repositoryNames: z
-          .string()
-          .optional()
-          .nullable()
-          .transform((val) => (val ? val.split(",") : undefined)),
-        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
-      }),
-
       response: {
-        200: z.object({
-          risks: SecretScanningGitRisksSchema.array(),
-          totalCount: z.number(),
-          repos: z.array(z.string())
-        })
+        200: z.object({ risks: SecretScanningGitRisksSchema.array() })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
-      const { risks, totalCount, repos } = await server.services.secretScanning.getRisksByOrg({
+      const { risks } = await server.services.secretScanning.getRisksByOrg({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId,
-        filter: {
-          limit: req.query.limit,
-          offset: req.query.offset,
-          orderBy: req.query.orderBy,
-          orderDirection: req.query.orderDirection,
-          repositoryNames: req.query.repositoryNames,
-          resolvedStatus: req.query.resolvedStatus
-        }
+        orgId: req.params.organizationId
       });
-      return { risks, totalCount, repos };
+      return { risks };
     }
   });
 

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
+import { ProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -87,14 +87,14 @@ export const accessApprovalPolicyServiceFactory = ({
     if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -193,14 +193,7 @@ export const accessApprovalPolicyServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     // Anyone in the project should be able to get the policies.
-    await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId: project.id,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+    await permissionService.getProjectPermission(actor, actorId, project.id, actorAuthMethod, actorOrgId);
 
     const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
     return accessApprovalPolicies;
@@ -244,14 +237,14 @@ export const accessApprovalPolicyServiceFactory = ({
     if (!accessApprovalPolicy) {
       throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
     }
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: accessApprovalPolicy.projectId,
+      accessApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
 
@@ -328,14 +321,14 @@ export const accessApprovalPolicyServiceFactory = ({
     const policy = await accessApprovalPolicyDAL.findById(policyId);
     if (!policy) throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: policy.projectId,
+      policy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       ProjectPermissionSub.SecretApproval
@@ -379,14 +372,13 @@ export const accessApprovalPolicyServiceFactory = ({
 
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }
@@ -419,14 +411,13 @@ export const accessApprovalPolicyServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: policy.projectId,
+      policy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 
-import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
+import { ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -100,14 +100,13 @@ export const accessApprovalRequestServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     // Anyone can create an access approval request.
-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }
@@ -214,7 +213,7 @@ export const accessApprovalRequestServiceFactory = ({
       );
 
       const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/secret-manager/${project.id}/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/project/${project.id}/approval`;
 
       await triggerSlackNotification({
         projectId: project.id,
@@ -274,14 +273,13 @@ export const accessApprovalRequestServiceFactory = ({
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }
@@ -320,14 +318,13 @@ export const accessApprovalRequestServiceFactory = ({
       });
     }
 
-    const { membership, hasRole } = await permissionService.getProjectPermission({
+    const { membership, hasRole } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: accessApprovalRequest.projectId,
+      accessApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -425,14 +422,13 @@ export const accessApprovalRequestServiceFactory = ({
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }

backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts

@@ -93,7 +93,7 @@ export const auditLogStreamServiceFactory = ({
         }
       )
       .catch((err) => {
-        throw new BadRequestError({ message: `Failed to connect with upstream source: ${(err as Error)?.message}` });
+        throw new Error(`Failed to connect with the source ${(err as Error)?.message}`);
       });
     const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
     const logStream = await auditLogStreamDAL.create({

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -39,13 +39,11 @@ export const auditLogDALFactory = (db: TDbClient) => {
       offset = 0,
       actorId,
       actorType,
-      secretPath,
       eventType,
       eventMetadata
     }: Omit<TFindQuery, "actor" | "eventType"> & {
       actorId?: string;
       actorType?: ActorType;
-      secretPath?: string;
       eventType?: EventType[];
       eventMetadata?: Record<string, string>;
     },
@@ -90,10 +88,6 @@ export const auditLogDALFactory = (db: TDbClient) => {
         });
       }
 
-      if (projectId && secretPath) {
-        void sqlQuery.whereRaw(`"eventMetadata" @> jsonb_build_object('secretPath', ?::text)`, [secretPath]);
-      }
-
       // Filter by actor type
       if (actorType) {
         void sqlQuery.where("actor", actorType);
@@ -106,10 +100,10 @@ export const auditLogDALFactory = (db: TDbClient) => {
 
       // Filter by date range
       if (startDate) {
-        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate]);
+        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, ">=", startDate);
       }
       if (endDate) {
-        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" <= ?::timestamptz`, [endDate]);
+        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, "<=", endDate);
       }
 
       // we timeout long running queries to prevent DB resource issues (2 minutes)

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 
@@ -27,14 +26,13 @@ export const auditLogServiceFactory = ({
   const listAuditLogs = async ({ actorAuthMethod, actorId, actorOrgId, actor, filter }: TListProjectAuditLogDTO) => {
     // Filter logs for specific project
     if (filter.projectId) {
-      const { permission } = await permissionService.getProjectPermission({
+      const { permission } = await permissionService.getProjectPermission(
         actor,
         actorId,
-        projectId: filter.projectId,
+        filter.projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.Any
-      });
+        actorOrgId
+      );
       ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
     } else {
       // Organization-wide logs
@@ -46,6 +44,10 @@ export const auditLogServiceFactory = ({
         actorOrgId
       );
 
+      /**
+       * NOTE (dangtony98): Update this to organization-level audit log permission check once audit logs are moved
+       * to the organization level ✅
+       */
       ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
     }
 
@@ -60,7 +62,6 @@ export const auditLogServiceFactory = ({
       actorId: filter.auditLogActorId,
       actorType: filter.actorType,
       eventMetadata: filter.eventMetadata,
-      secretPath: filter.secretPath,
       ...(filter.projectId ? { projectId: filter.projectId } : { orgId: actorOrgId })
     });
 
@@ -78,8 +79,7 @@ export const auditLogServiceFactory = ({
     }
     // add all cases in which project id or org id cannot be added
     if (data.event.type !== EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH) {
-      if (!data.projectId && !data.orgId)
-        throw new BadRequestError({ message: "Must specify either project id or org id" });
+      if (!data.projectId && !data.orgId) throw new BadRequestError({ message: "Must either project id or org id" });
     }
 
     return auditLogQueue.pushToLog(data);

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -13,13 +13,6 @@ import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
-import { SecretSync, SecretSyncImportBehavior } from "@app/services/secret-sync/secret-sync-enums";
-import {
-  TCreateSecretSyncDTO,
-  TDeleteSecretSyncDTO,
-  TSecretSyncRaw,
-  TUpdateSecretSyncDTO
-} from "@app/services/secret-sync/secret-sync-types";
 
 export type TListProjectAuditLogDTO = {
   filter: {
@@ -32,14 +25,13 @@ export type TListProjectAuditLogDTO = {
     projectId?: string;
     auditLogActorId?: string;
     actorType?: ActorType;
-    secretPath?: string;
     eventMetadata?: Record<string, string>;
   };
 } & Omit<TProjectPermission, "projectId">;
 
 export type TCreateAuditLogDTO = {
   event: Event;
-  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor | UnknownUserActor;
+  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor;
   orgId?: string;
   projectId?: string;
 } & BaseAuthData;
@@ -234,22 +226,10 @@ export enum EventType {
   DELETE_PROJECT_TEMPLATE = "delete-project-template",
   APPLY_PROJECT_TEMPLATE = "apply-project-template",
   GET_APP_CONNECTIONS = "get-app-connections",
-  GET_AVAILABLE_APP_CONNECTIONS_DETAILS = "get-available-app-connections-details",
   GET_APP_CONNECTION = "get-app-connection",
   CREATE_APP_CONNECTION = "create-app-connection",
   UPDATE_APP_CONNECTION = "update-app-connection",
-  DELETE_APP_CONNECTION = "delete-app-connection",
-  CREATE_SHARED_SECRET = "create-shared-secret",
-  DELETE_SHARED_SECRET = "delete-shared-secret",
-  READ_SHARED_SECRET = "read-shared-secret",
-  GET_SECRET_SYNCS = "get-secret-syncs",
-  GET_SECRET_SYNC = "get-secret-sync",
-  CREATE_SECRET_SYNC = "create-secret-sync",
-  UPDATE_SECRET_SYNC = "update-secret-sync",
-  DELETE_SECRET_SYNC = "delete-secret-sync",
-  SECRET_SYNC_SYNC_SECRETS = "secret-sync-sync-secrets",
-  SECRET_SYNC_IMPORT_SECRETS = "secret-sync-import-secrets",
-  SECRET_SYNC_REMOVE_SECRETS = "secret-sync-remove-secrets"
+  DELETE_APP_CONNECTION = "delete-app-connection"
 }
 
 interface UserActorMetadata {
@@ -272,8 +252,6 @@ interface ScimClientActorMetadata {}
 
 interface PlatformActorMetadata {}
 
-interface UnknownUserActorMetadata {}
-
 export interface UserActor {
   type: ActorType.USER;
   metadata: UserActorMetadata;
@@ -289,11 +267,6 @@ export interface PlatformActor {
   metadata: PlatformActorMetadata;
 }
 
-export interface UnknownUserActor {
-  type: ActorType.UNKNOWN_USER;
-  metadata: UnknownUserActorMetadata;
-}
-
 export interface IdentityActor {
   type: ActorType.IDENTITY;
   metadata: IdentityActorMetadata;
@@ -1910,15 +1883,6 @@ interface GetAppConnectionsEvent {
   };
 }
 
-interface GetAvailableAppConnectionsDetailsEvent {
-  type: EventType.GET_AVAILABLE_APP_CONNECTIONS_DETAILS;
-  metadata: {
-    app?: AppConnection;
-    count: number;
-    connectionIds: string[];
-  };
-}
-
 interface GetAppConnectionEvent {
   type: EventType.GET_APP_CONNECTION;
   metadata: {
@@ -1943,107 +1907,6 @@ interface DeleteAppConnectionEvent {
   };
 }
 
-interface CreateSharedSecretEvent {
-  type: EventType.CREATE_SHARED_SECRET;
-  metadata: {
-    id: string;
-    accessType: string;
-    name?: string;
-    expiresAfterViews?: number;
-    usingPassword: boolean;
-    expiresAt: string;
-  };
-}
-
-interface DeleteSharedSecretEvent {
-  type: EventType.DELETE_SHARED_SECRET;
-  metadata: {
-    id: string;
-    name?: string;
-  };
-}
-
-interface ReadSharedSecretEvent {
-  type: EventType.READ_SHARED_SECRET;
-  metadata: {
-    id: string;
-    name?: string;
-    accessType: string;
-  };
-}
-
-interface GetSecretSyncsEvent {
-  type: EventType.GET_SECRET_SYNCS;
-  metadata: {
-    destination?: SecretSync;
-    count: number;
-    syncIds: string[];
-  };
-}
-
-interface GetSecretSyncEvent {
-  type: EventType.GET_SECRET_SYNC;
-  metadata: {
-    destination: SecretSync;
-    syncId: string;
-  };
-}
-
-interface CreateSecretSyncEvent {
-  type: EventType.CREATE_SECRET_SYNC;
-  metadata: Omit<TCreateSecretSyncDTO, "projectId"> & { syncId: string };
-}
-
-interface UpdateSecretSyncEvent {
-  type: EventType.UPDATE_SECRET_SYNC;
-  metadata: TUpdateSecretSyncDTO;
-}
-
-interface DeleteSecretSyncEvent {
-  type: EventType.DELETE_SECRET_SYNC;
-  metadata: TDeleteSecretSyncDTO;
-}
-
-interface SecretSyncSyncSecretsEvent {
-  type: EventType.SECRET_SYNC_SYNC_SECRETS;
-  metadata: Pick<
-    TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "syncStatus" | "connectionId" | "folderId"
-  > & {
-    syncId: string;
-    syncMessage: string | null;
-    jobId: string;
-    jobRanAt: Date;
-  };
-}
-
-interface SecretSyncImportSecretsEvent {
-  type: EventType.SECRET_SYNC_IMPORT_SECRETS;
-  metadata: Pick<
-    TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "importStatus" | "connectionId" | "folderId"
-  > & {
-    syncId: string;
-    importMessage: string | null;
-    jobId: string;
-    jobRanAt: Date;
-    importBehavior: SecretSyncImportBehavior;
-  };
-}
-
-interface SecretSyncRemoveSecretsEvent {
-  type: EventType.SECRET_SYNC_REMOVE_SECRETS;
-  metadata: Pick<
-    TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "removeStatus" | "connectionId" | "folderId"
-  > & {
-    syncId: string;
-    removeMessage: string | null;
-    jobId: string;
-    jobRanAt: Date;
-  };
-}
-
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -2217,19 +2080,7 @@ export type Event =
   | DeleteProjectTemplateEvent
   | ApplyProjectTemplateEvent
   | GetAppConnectionsEvent
-  | GetAvailableAppConnectionsDetailsEvent
   | GetAppConnectionEvent
   | CreateAppConnectionEvent
   | UpdateAppConnectionEvent
-  | DeleteAppConnectionEvent
-  | CreateSharedSecretEvent
-  | DeleteSharedSecretEvent
-  | ReadSharedSecretEvent
-  | GetSecretSyncsEvent
-  | GetSecretSyncEvent
-  | CreateSecretSyncEvent
-  | UpdateSecretSyncEvent
-  | DeleteSecretSyncEvent
-  | SecretSyncSyncSecretsEvent
-  | SecretSyncImportSecretsEvent
-  | SecretSyncRemoveSecretsEvent;
+  | DeleteAppConnectionEvent;

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -67,14 +66,13 @@ export const certificateAuthorityCrlServiceFactory = ({
     const ca = await certificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import ms from "ms";
 
-import { ActionProjectType, SecretKeyEncoding } from "@app/db/schemas";
+import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
@@ -67,14 +67,14 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -147,14 +147,14 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -227,14 +227,14 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -297,14 +297,13 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -340,14 +339,13 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { ActionProjectType, SecretKeyEncoding } from "@app/db/schemas";
+import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
@@ -73,14 +73,14 @@ export const dynamicSecretServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.CreateRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -145,14 +145,14 @@ export const dynamicSecretServiceFactory = ({
 
     const projectId = project.id;
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.EditRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -229,14 +229,14 @@ export const dynamicSecretServiceFactory = ({
 
     const projectId = project.id;
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.DeleteRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -290,14 +290,13 @@ export const dynamicSecretServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -341,14 +340,13 @@ export const dynamicSecretServiceFactory = ({
     isInternal
   }: TListDynamicSecretsMultiEnvDTO) => {
     if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission({
+      const { permission } = await permissionService.getProjectPermission(
         actor,
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
-      });
+        actorOrgId
+      );
 
       // verify user has access to each env in request
       environmentSlugs.forEach((environmentSlug) =>
@@ -385,14 +383,13 @@ export const dynamicSecretServiceFactory = ({
     search,
     projectId
   }: TGetDynamicSecretsCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -434,14 +431,13 @@ export const dynamicSecretServiceFactory = ({
       projectId = project.id;
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -466,14 +462,13 @@ export const dynamicSecretServiceFactory = ({
     { folderMappings, filters, projectId }: TListDynamicSecretsByFolderMappingsDTO,
     actor: OrgServiceActor
   ) => {
-    const { permission } = await permissionService.getProjectPermission({
-      actor: actor.type,
-      actorId: actor.id,
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
       projectId,
-      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actor.authMethod,
+      actor.orgId
+    );
 
     const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
       permission.can(
@@ -512,14 +507,13 @@ export const dynamicSecretServiceFactory = ({
     ...params
   }: TListDynamicSecretsMultiEnvDTO) => {
     if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission({
+      const { permission } = await permissionService.getProjectPermission(
         actor,
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
-      });
+        actorOrgId
+      );
 
       // verify user has access to each env in request
       environmentSlugs.forEach((environmentSlug) =>

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -34,8 +34,6 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
     const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
-    const isMsSQLClient = providerInputs.client === SqlProviders.MsSQL;
-
     const db = knex({
       client: providerInputs.client,
       connection: {
@@ -45,16 +43,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
         user: providerInputs.username,
         password: providerInputs.password,
         ssl,
-        pool: { min: 0, max: 1 },
-        // @ts-expect-error this is because of knexjs type signature issue. This is directly passed to driver
-        // https://github.com/knex/knex/blob/b6507a7129d2b9fafebf5f831494431e64c6a8a0/lib/dialects/mssql/index.js#L66
-        // https://github.com/tediousjs/tedious/blob/ebb023ed90969a7ec0e4b036533ad52739d921f7/test/config.ci.ts#L19
-        options: isMsSQLClient
-          ? {
-              trustServerCertificate: !providerInputs.ca,
-              cryptoCredentialsDetails: providerInputs.ca ? { ca: providerInputs.ca } : {}
-            }
-          : undefined
+        pool: { min: 0, max: 1 }
       },
       acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT
     });

backend/src/ee/services/external-kms/external-kms-service.ts

@@ -1,9 +1,7 @@
-import { KMSServiceException } from "@aws-sdk/client-kms";
-import { STSServiceException } from "@aws-sdk/client-sts";
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 
-import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -73,16 +71,7 @@ export const externalKmsServiceFactory = ({
     switch (provider.type) {
       case KmsProviders.Aws:
         {
-          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs }).catch((error) => {
-            if (error instanceof STSServiceException || error instanceof KMSServiceException) {
-              throw new InternalServerError({
-                message: error.message ? `AWS error: ${error.message}` : ""
-              });
-            }
-
-            throw error;
-          });
-
+          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs });
           // if missing kms key this generate a new kms key id and returns new provider input
           const newProviderInput = await externalKms.generateInputKmsKey();
           sanitizedProviderInput = JSON.stringify(newProviderInput);

backend/src/ee/services/group/group-service.ts

@@ -32,7 +32,7 @@ type TGroupServiceFactoryDep = {
   userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
   groupDAL: Pick<
     TGroupDALFactory,
-    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById" | "transaction"
+    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById"
   >;
   groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
   orgDAL: Pick<TOrgDALFactory, "findMembership" | "countAllOrgMembers">;
@@ -88,26 +88,12 @@ export const groupServiceFactory = ({
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
 
-    const group = await groupDAL.transaction(async (tx) => {
-      const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
-      if (existingGroup) {
-        throw new BadRequestError({
-          message: `Failed to create group with name '${name}'. Group with the same name already exists`
-        });
-      }
-
-      const newGroup = await groupDAL.create(
-        {
-          name,
-          slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
-          orgId: actorOrgId,
-          role: isCustomRole ? OrgMembershipRole.Custom : role,
-          roleId: customRole?.id
-        },
-        tx
-      );
-
-      return newGroup;
+    const group = await groupDAL.create({
+      name,
+      slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
+      orgId: actorOrgId,
+      role: isCustomRole ? OrgMembershipRole.Custom : role,
+      roleId: customRole?.id
     });
 
     return group;
@@ -159,36 +145,21 @@ export const groupServiceFactory = ({
       if (isCustomRole) customRole = customOrgRole;
     }
 
-    const updatedGroup = await groupDAL.transaction(async (tx) => {
-      if (name) {
-        const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
-
-        if (existingGroup && existingGroup.id !== id) {
-          throw new BadRequestError({
-            message: `Failed to update group with name '${name}'. Group with the same name already exists`
-          });
-        }
+    const [updatedGroup] = await groupDAL.update(
+      {
+        id: group.id
+      },
+      {
+        name,
+        slug: slug ? slugify(slug) : undefined,
+        ...(role
+          ? {
+              role: customRole ? OrgMembershipRole.Custom : role,
+              roleId: customRole?.id ?? null
+            }
+          : {})
       }
-
-      const [updated] = await groupDAL.update(
-        {
-          id: group.id
-        },
-        {
-          name,
-          slug: slug ? slugify(slug) : undefined,
-          ...(role
-            ? {
-                role: customRole ? OrgMembershipRole.Custom : role,
-                roleId: customRole?.id ?? null
-              }
-            : {})
-        },
-        tx
-      );
-
-      return updated;
-    });
+    );
 
     return updatedGroup;
   };

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 import ms from "ms";
 
-import { ActionProjectType, TableName } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { unpackPermissions } from "@app/server/routes/santizedSchemas/permission";
@@ -55,26 +55,24 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -137,26 +135,24 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
         message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
     );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -219,26 +215,24 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
         message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
     );
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
@@ -266,14 +260,13 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
         message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
@@ -301,14 +294,13 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
@@ -337,14 +329,13 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -2,7 +2,6 @@ import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability"
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import ms from "ms";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
@@ -63,27 +62,25 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -146,28 +143,26 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -247,27 +242,25 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to edit more privileged identity" });
@@ -306,14 +299,13 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId })
@@ -349,14 +341,13 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -476,14 +476,14 @@ export const ldapConfigServiceFactory = ({
       });
     } else {
       const plan = await licenseService.getPlan(orgId);
-      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+      if (plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
         // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
         throw new BadRequestError({
           message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
         });
       }
 
-      if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+      if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
         // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
         throw new BadRequestError({
           message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."

backend/src/ee/services/license/license-fns.ts

@@ -24,7 +24,6 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   rbac: false,
   customRateLimits: false,
   customAlerts: false,
-  secretAccessInsights: false,
   auditLogs: false,
   auditLogsRetentionDays: 0,
   auditLogStreams: false,
@@ -50,7 +49,8 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   },
   pkiEst: false,
   enforceMfa: false,
-  projectTemplates: false
+  projectTemplates: false,
+  appConnections: false
 });
 
 export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {

backend/src/ee/services/license/license-service.ts

@@ -246,7 +246,8 @@ export const licenseServiceFactory = ({
   };
 
   const getOrgPlan = async ({ orgId, actor, actorId, actorOrgId, actorAuthMethod, projectId }: TOrgPlanDTO) => {
-    await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
     const plan = await getPlan(orgId, projectId);
     return plan;
   };

backend/src/ee/services/license/license-types.ts

@@ -48,7 +48,6 @@ export type TFeatureSet = {
   samlSSO: false;
   hsm: false;
   oidcSSO: false;
-  secretAccessInsights: false;
   scim: false;
   ldap: false;
   groups: false;
@@ -68,6 +67,7 @@ export type TFeatureSet = {
   pkiEst: boolean;
   enforceMfa: boolean;
   projectTemplates: false;
+  appConnections: false; // TODO: remove once live
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/permission/org-permission.ts

@@ -1,12 +1,4 @@
-import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
-import { z } from "zod";
-
-import {
-  CASL_ACTION_SCHEMA_ENUM,
-  CASL_ACTION_SCHEMA_NATIVE_ENUM
-} from "@app/ee/services/permission/permission-schemas";
-import { PermissionConditionSchema } from "@app/ee/services/permission/permission-types";
-import { PermissionConditionOperators } from "@app/lib/casl";
+import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability";
 
 export enum OrgPermissionActions {
   Read = "read",
@@ -15,14 +7,6 @@ export enum OrgPermissionActions {
   Delete = "delete"
 }
 
-export enum OrgPermissionAppConnectionActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  Connect = "connect"
-}
-
 export enum OrgPermissionAdminConsoleAction {
   AccessAllProjects = "access-all-projects"
 }
@@ -47,10 +31,6 @@ export enum OrgPermissionSubjects {
   AppConnections = "app-connections"
 }
 
-export type AppConnectionSubjectFields = {
-  connectionId: string;
-};
-
 export type OrgPermissionSet =
   | [OrgPermissionActions.Create, OrgPermissionSubjects.Workspace]
   | [OrgPermissionActions, OrgPermissionSubjects.Role]
@@ -67,109 +47,9 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.Kms]
   | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
   | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
-  | [
-      OrgPermissionAppConnectionActions,
-      (
-        | OrgPermissionSubjects.AppConnections
-        | (ForcedSubject<OrgPermissionSubjects.AppConnections> & AppConnectionSubjectFields)
-      )
-    ]
+  | [OrgPermissionActions, OrgPermissionSubjects.AppConnections]
   | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];
 
-const AppConnectionConditionSchema = z
-  .object({
-    connectionId: z.union([
-      z.string(),
-      z
-        .object({
-          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
-        })
-        .partial()
-    ])
-  })
-  .partial();
-
-export const OrgPermissionSchema = z.discriminatedUnion("subject", [
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Workspace).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_ENUM([OrgPermissionActions.Create]).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Role).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Member).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Settings).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.IncidentAccount).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Sso).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Scim).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Ldap).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Groups).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.SecretScanning).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Billing).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Identity).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Kms).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.AuditLogs).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.ProjectTemplates).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.AppConnections).describe("The entity this permission pertains to."),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAppConnectionActions).describe(
-      "Describe what action an entity can take."
-    ),
-    conditions: AppConnectionConditionSchema.describe(
-      "When specified, only matching conditions will be allowed to access given resource."
-    ).optional()
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.AdminConsole).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAdminConsoleAction).describe(
-      "Describe what action an entity can take."
-    )
-  })
-]);
-
 const buildAdminPermission = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
   // ws permissions
@@ -245,11 +125,10 @@ const buildAdminPermission = () => {
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.ProjectTemplates);
 
-  can(OrgPermissionAppConnectionActions.Read, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionAppConnectionActions.Create, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionAppConnectionActions.Edit, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionAppConnectionActions.Delete, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.AppConnections);
 
   can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
 
@@ -281,7 +160,7 @@ const buildMemberPermission = () => {
 
   can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
 
-  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.AppConnections);
 
   return rules;
 };

backend/src/ee/services/permission/permission-dal.ts

@@ -125,404 +125,6 @@ export const permissionDALFactory = (db: TDbClient) => {
     }
   };
 
-  const getProjectGroupPermissions = async (projectId: string) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.GroupProjectMembership)
-        .join(TableName.Groups, `${TableName.Groups}.id`, `${TableName.GroupProjectMembership}.groupId`)
-        .join(
-          TableName.GroupProjectMembershipRole,
-          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
-          `${TableName.GroupProjectMembership}.id`
-        )
-        .leftJoin<TProjectRoles>(
-          { groupCustomRoles: TableName.ProjectRoles },
-          `${TableName.GroupProjectMembershipRole}.customRoleId`,
-          `groupCustomRoles.id`
-        )
-        .where(`${TableName.GroupProjectMembership}.projectId`, "=", projectId)
-        .select(
-          db.ref("id").withSchema(TableName.GroupProjectMembership).as("membershipId"),
-          db.ref("id").withSchema(TableName.Groups).as("groupId"),
-          db.ref("name").withSchema(TableName.Groups).as("groupName"),
-          db.ref("slug").withSchema("groupCustomRoles").as("groupProjectMembershipRoleCustomRoleSlug"),
-          db.ref("permissions").withSchema("groupCustomRoles").as("groupProjectMembershipRolePermission"),
-          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRoleId"),
-          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRole"),
-          db
-            .ref("customRoleId")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleCustomRoleId"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleIsTemporary"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryMode"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryAccessEndTime")
-        );
-
-      const groupPermissions = sqlNestRelationships({
-        data: docs,
-        key: "groupId",
-        parentMapper: ({ groupId, groupName, membershipId }) => ({
-          groupId,
-          username: groupName,
-          id: membershipId
-        }),
-        childrenMapper: [
-          {
-            key: "groupProjectMembershipRoleId",
-            label: "groupRoles" as const,
-            mapper: ({
-              groupProjectMembershipRoleId,
-              groupProjectMembershipRole,
-              groupProjectMembershipRolePermission,
-              groupProjectMembershipRoleCustomRoleSlug,
-              groupProjectMembershipRoleIsTemporary,
-              groupProjectMembershipRoleTemporaryMode,
-              groupProjectMembershipRoleTemporaryAccessEndTime,
-              groupProjectMembershipRoleTemporaryAccessStartTime,
-              groupProjectMembershipRoleTemporaryRange
-            }) => ({
-              id: groupProjectMembershipRoleId,
-              role: groupProjectMembershipRole,
-              customRoleSlug: groupProjectMembershipRoleCustomRoleSlug,
-              permissions: groupProjectMembershipRolePermission,
-              temporaryRange: groupProjectMembershipRoleTemporaryRange,
-              temporaryMode: groupProjectMembershipRoleTemporaryMode,
-              temporaryAccessStartTime: groupProjectMembershipRoleTemporaryAccessStartTime,
-              temporaryAccessEndTime: groupProjectMembershipRoleTemporaryAccessEndTime,
-              isTemporary: groupProjectMembershipRoleIsTemporary
-            })
-          }
-        ]
-      });
-
-      return groupPermissions
-        .map((groupPermission) => {
-          if (!groupPermission) return undefined;
-
-          const activeGroupRoles =
-            groupPermission?.groupRoles?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          return {
-            ...groupPermission,
-            roles: activeGroupRoles
-          };
-        })
-        .filter((item): item is NonNullable<typeof item> => Boolean(item));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "GetProjectGroupPermissions" });
-    }
-  };
-
-  const getProjectUserPermissions = async (projectId: string) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.Users)
-        .where("isGhost", "=", false)
-        .leftJoin(TableName.GroupProjectMembership, (queryBuilder) => {
-          void queryBuilder.on(`${TableName.GroupProjectMembership}.projectId`, db.raw("?", [projectId]));
-        })
-        .leftJoin(
-          TableName.GroupProjectMembershipRole,
-          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
-          `${TableName.GroupProjectMembership}.id`
-        )
-        .leftJoin<TProjectRoles>(
-          { groupCustomRoles: TableName.ProjectRoles },
-          `${TableName.GroupProjectMembershipRole}.customRoleId`,
-          `groupCustomRoles.id`
-        )
-        .join(TableName.ProjectMembership, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.ProjectMembership}.projectId`, db.raw("?", [projectId]))
-            .andOn(`${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`);
-        })
-        .leftJoin(
-          TableName.ProjectUserMembershipRole,
-          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
-          `${TableName.ProjectMembership}.id`
-        )
-        .leftJoin(
-          TableName.ProjectRoles,
-          `${TableName.ProjectUserMembershipRole}.customRoleId`,
-          `${TableName.ProjectRoles}.id`
-        )
-        .leftJoin(TableName.ProjectUserAdditionalPrivilege, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.ProjectUserAdditionalPrivilege}.projectId`, db.raw("?", [projectId]))
-            .andOn(`${TableName.ProjectUserAdditionalPrivilege}.userId`, `${TableName.Users}.id`);
-        })
-        .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
-        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
-        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.Users}.id`, `${TableName.IdentityMetadata}.userId`)
-            .andOn(`${TableName.Organization}.id`, `${TableName.IdentityMetadata}.orgId`);
-        })
-        .select(
-          db.ref("id").withSchema(TableName.Users).as("userId"),
-          db.ref("username").withSchema(TableName.Users).as("username"),
-          // groups specific
-          db.ref("id").withSchema(TableName.GroupProjectMembership).as("groupMembershipId"),
-          db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipUpdatedAt"),
-          db.ref("slug").withSchema("groupCustomRoles").as("userGroupProjectMembershipRoleCustomRoleSlug"),
-          db.ref("permissions").withSchema("groupCustomRoles").as("userGroupProjectMembershipRolePermission"),
-          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRoleId"),
-          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRole"),
-          db
-            .ref("customRoleId")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleCustomRoleId"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleIsTemporary"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryMode"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryAccessEndTime"),
-          // user specific
-          db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
-          db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("userProjectMembershipRoleCustomRoleSlug"),
-          db.ref("permissions").withSchema(TableName.ProjectRoles).as("userProjectCustomRolePermission"),
-          db.ref("id").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRoleId"),
-          db.ref("role").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRole"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryMode"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleIsTemporary"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryAccessEndTime"),
-          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesId"),
-          db
-            .ref("permissions")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesPermissions"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryMode"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesIsTemporary"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryRange"),
-          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesUserId"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryAccessEndTime"),
-          // general
-          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
-          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("orgId").withSchema(TableName.Project),
-          db.ref("type").withSchema(TableName.Project).as("projectType"),
-          db.ref("id").withSchema(TableName.Project).as("projectId")
-        );
-
-      const userPermissions = sqlNestRelationships({
-        data: docs,
-        key: "userId",
-        parentMapper: ({
-          orgId,
-          username,
-          orgAuthEnforced,
-          membershipId,
-          groupMembershipId,
-          membershipCreatedAt,
-          groupMembershipCreatedAt,
-          groupMembershipUpdatedAt,
-          membershipUpdatedAt,
-          projectType,
-          userId
-        }) => ({
-          orgId,
-          orgAuthEnforced,
-          userId,
-          projectId,
-          username,
-          projectType,
-          id: membershipId || groupMembershipId,
-          createdAt: membershipCreatedAt || groupMembershipCreatedAt,
-          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
-        }),
-        childrenMapper: [
-          {
-            key: "userGroupProjectMembershipRoleId",
-            label: "userGroupRoles" as const,
-            mapper: ({
-              userGroupProjectMembershipRoleId,
-              userGroupProjectMembershipRole,
-              userGroupProjectMembershipRolePermission,
-              userGroupProjectMembershipRoleCustomRoleSlug,
-              userGroupProjectMembershipRoleIsTemporary,
-              userGroupProjectMembershipRoleTemporaryMode,
-              userGroupProjectMembershipRoleTemporaryAccessEndTime,
-              userGroupProjectMembershipRoleTemporaryAccessStartTime,
-              userGroupProjectMembershipRoleTemporaryRange
-            }) => ({
-              id: userGroupProjectMembershipRoleId,
-              role: userGroupProjectMembershipRole,
-              customRoleSlug: userGroupProjectMembershipRoleCustomRoleSlug,
-              permissions: userGroupProjectMembershipRolePermission,
-              temporaryRange: userGroupProjectMembershipRoleTemporaryRange,
-              temporaryMode: userGroupProjectMembershipRoleTemporaryMode,
-              temporaryAccessStartTime: userGroupProjectMembershipRoleTemporaryAccessStartTime,
-              temporaryAccessEndTime: userGroupProjectMembershipRoleTemporaryAccessEndTime,
-              isTemporary: userGroupProjectMembershipRoleIsTemporary
-            })
-          },
-          {
-            key: "userProjectMembershipRoleId",
-            label: "projectMembershipRoles" as const,
-            mapper: ({
-              userProjectMembershipRoleId,
-              userProjectMembershipRole,
-              userProjectCustomRolePermission,
-              userProjectMembershipRoleIsTemporary,
-              userProjectMembershipRoleTemporaryMode,
-              userProjectMembershipRoleTemporaryRange,
-              userProjectMembershipRoleTemporaryAccessEndTime,
-              userProjectMembershipRoleTemporaryAccessStartTime,
-              userProjectMembershipRoleCustomRoleSlug
-            }) => ({
-              id: userProjectMembershipRoleId,
-              role: userProjectMembershipRole,
-              customRoleSlug: userProjectMembershipRoleCustomRoleSlug,
-              permissions: userProjectCustomRolePermission,
-              temporaryRange: userProjectMembershipRoleTemporaryRange,
-              temporaryMode: userProjectMembershipRoleTemporaryMode,
-              temporaryAccessStartTime: userProjectMembershipRoleTemporaryAccessStartTime,
-              temporaryAccessEndTime: userProjectMembershipRoleTemporaryAccessEndTime,
-              isTemporary: userProjectMembershipRoleIsTemporary
-            })
-          },
-          {
-            key: "userAdditionalPrivilegesId",
-            label: "additionalPrivileges" as const,
-            mapper: ({
-              userAdditionalPrivilegesId,
-              userAdditionalPrivilegesPermissions,
-              userAdditionalPrivilegesIsTemporary,
-              userAdditionalPrivilegesTemporaryMode,
-              userAdditionalPrivilegesTemporaryRange,
-              userAdditionalPrivilegesTemporaryAccessEndTime,
-              userAdditionalPrivilegesTemporaryAccessStartTime
-            }) => ({
-              id: userAdditionalPrivilegesId,
-              permissions: userAdditionalPrivilegesPermissions,
-              temporaryRange: userAdditionalPrivilegesTemporaryRange,
-              temporaryMode: userAdditionalPrivilegesTemporaryMode,
-              temporaryAccessStartTime: userAdditionalPrivilegesTemporaryAccessStartTime,
-              temporaryAccessEndTime: userAdditionalPrivilegesTemporaryAccessEndTime,
-              isTemporary: userAdditionalPrivilegesIsTemporary
-            })
-          },
-          {
-            key: "metadataId",
-            label: "metadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
-          }
-        ]
-      });
-
-      return userPermissions
-        .map((userPermission) => {
-          if (!userPermission) return undefined;
-          if (!userPermission?.userGroupRoles?.[0] && !userPermission?.projectMembershipRoles?.[0]) return undefined;
-
-          // when introducting cron mode change it here
-          const activeRoles =
-            userPermission?.projectMembershipRoles?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          const activeGroupRoles =
-            userPermission?.userGroupRoles?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          const activeAdditionalPrivileges =
-            userPermission?.additionalPrivileges?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          return {
-            ...userPermission,
-            roles: [...activeRoles, ...activeGroupRoles],
-            additionalPrivileges: activeAdditionalPrivileges
-          };
-        })
-        .filter((item): item is NonNullable<typeof item> => Boolean(item));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "GetProjectUserPermissions" });
-    }
-  };
-
   const getProjectPermission = async (userId: string, projectId: string) => {
     try {
       const subQueryUserGroups = db(TableName.UserGroupMembership).where("userId", userId).select("groupId");
@@ -812,163 +414,6 @@ export const permissionDALFactory = (db: TDbClient) => {
     }
   };
 
-  const getProjectIdentityPermissions = async (projectId: string) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.IdentityProjectMembership)
-        .join(
-          TableName.IdentityProjectMembershipRole,
-          `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
-          `${TableName.IdentityProjectMembership}.id`
-        )
-        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityProjectMembership}.identityId`)
-        .leftJoin(
-          TableName.ProjectRoles,
-          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
-          `${TableName.ProjectRoles}.id`
-        )
-        .leftJoin(
-          TableName.IdentityProjectAdditionalPrivilege,
-          `${TableName.IdentityProjectAdditionalPrivilege}.projectMembershipId`,
-          `${TableName.IdentityProjectMembership}.id`
-        )
-        .join(
-          // Join the Project table to later select orgId
-          TableName.Project,
-          `${TableName.IdentityProjectMembership}.projectId`,
-          `${TableName.Project}.id`
-        )
-        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.Identity}.id`, `${TableName.IdentityMetadata}.identityId`)
-            .andOn(`${TableName.Project}.orgId`, `${TableName.IdentityMetadata}.orgId`);
-        })
-        .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
-        .select(
-          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
-          db.ref("id").withSchema(TableName.Identity).as("identityId"),
-          db.ref("name").withSchema(TableName.Identity).as("identityName"),
-          db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
-          db.ref("type").withSchema(TableName.Project).as("projectType"),
-          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
-          db.ref("permissions").withSchema(TableName.ProjectRoles),
-          db.ref("id").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApId"),
-          db.ref("permissions").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApPermissions"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryMode"),
-          db.ref("isTemporary").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApIsTemporary"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryAccessEndTime"),
-          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue")
-        );
-
-      const permissions = sqlNestRelationships({
-        data: docs,
-        key: "identityId",
-        parentMapper: ({
-          membershipId,
-          membershipCreatedAt,
-          membershipUpdatedAt,
-          orgId,
-          identityName,
-          projectType,
-          identityId
-        }) => ({
-          id: membershipId,
-          identityId,
-          username: identityName,
-          projectId,
-          createdAt: membershipCreatedAt,
-          updatedAt: membershipUpdatedAt,
-          orgId,
-          projectType,
-          // just a prefilled value
-          orgAuthEnforced: false
-        }),
-        childrenMapper: [
-          {
-            key: "id",
-            label: "roles" as const,
-            mapper: (data) =>
-              IdentityProjectMembershipRoleSchema.extend({
-                permissions: z.unknown(),
-                customRoleSlug: z.string().optional().nullable()
-              }).parse(data)
-          },
-          {
-            key: "identityApId",
-            label: "additionalPrivileges" as const,
-            mapper: ({
-              identityApId,
-              identityApPermissions,
-              identityApIsTemporary,
-              identityApTemporaryMode,
-              identityApTemporaryRange,
-              identityApTemporaryAccessEndTime,
-              identityApTemporaryAccessStartTime
-            }) => ({
-              id: identityApId,
-              permissions: identityApPermissions,
-              temporaryRange: identityApTemporaryRange,
-              temporaryMode: identityApTemporaryMode,
-              temporaryAccessEndTime: identityApTemporaryAccessEndTime,
-              temporaryAccessStartTime: identityApTemporaryAccessStartTime,
-              isTemporary: identityApIsTemporary
-            })
-          },
-          {
-            key: "metadataId",
-            label: "metadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
-          }
-        ]
-      });
-
-      return permissions
-        .map((permission) => {
-          if (!permission) {
-            return undefined;
-          }
-
-          // when introducting cron mode change it here
-          const activeRoles = permission?.roles.filter(
-            ({ isTemporary, temporaryAccessEndTime }) =>
-              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-          );
-          const activeAdditionalPrivileges = permission?.additionalPrivileges?.filter(
-            ({ isTemporary, temporaryAccessEndTime }) =>
-              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-          );
-
-          return { ...permission, roles: activeRoles, additionalPrivileges: activeAdditionalPrivileges };
-        })
-        .filter((item): item is NonNullable<typeof item> => Boolean(item));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "GetProjectIdentityPermissions" });
-    }
-  };
-
   const getProjectIdentityPermission = async (identityId: string, projectId: string) => {
     try {
       const docs = await db
@@ -1123,9 +568,6 @@ export const permissionDALFactory = (db: TDbClient) => {
     getOrgPermission,
     getOrgIdentityPermission,
     getProjectPermission,
-    getProjectIdentityPermission,
-    getProjectUserPermissions,
-    getProjectIdentityPermissions,
-    getProjectGroupPermissions
+    getProjectIdentityPermission
   };
 };

backend/src/ee/services/permission/permission-schemas.ts

@@ -1,9 +0,0 @@
-import { z } from "zod";
-
-export const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
-  z
-    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
-    .transform((el) => (typeof el === "string" ? [el] : el));
-
-export const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
-  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));

backend/src/ee/services/permission/permission-service-types.ts

@@ -1,6 +1,3 @@
-import { ActionProjectType } from "@app/db/schemas";
-import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
-
 export type TBuildProjectPermissionDTO = {
   permissions?: unknown;
   role: string;
@@ -10,34 +7,3 @@ export type TBuildOrgPermissionDTO = {
   permissions?: unknown;
   role: string;
 }[];
-
-export type TGetUserProjectPermissionArg = {
-  userId: string;
-  projectId: string;
-  authMethod: ActorAuthMethod;
-  actionProjectType: ActionProjectType;
-  userOrgId?: string;
-};
-
-export type TGetIdentityProjectPermissionArg = {
-  identityId: string;
-  projectId: string;
-  identityOrgId?: string;
-  actionProjectType: ActionProjectType;
-};
-
-export type TGetServiceTokenProjectPermissionArg = {
-  serviceTokenId: string;
-  projectId: string;
-  actorOrgId?: string;
-  actionProjectType: ActionProjectType;
-};
-
-export type TGetProjectPermissionArg = {
-  actor: ActorType;
-  actorId: string;
-  projectId: string;
-  actorAuthMethod: ActorAuthMethod;
-  actorOrgId?: string;
-  actionProjectType: ActionProjectType;
-};

backend/src/ee/services/permission/permission-service.ts

@@ -4,9 +4,9 @@ import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";
 
 import {
-  ActionProjectType,
   OrgMembershipRole,
   ProjectMembershipRole,
+  ProjectType,
   ServiceTokenScopes,
   TIdentityProjectMemberships,
   TProjectMemberships
@@ -23,14 +23,7 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
 import { escapeHandlebarsMissingMetadata, validateOrgSSO } from "./permission-fns";
-import {
-  TBuildOrgPermissionDTO,
-  TBuildProjectPermissionDTO,
-  TGetIdentityProjectPermissionArg,
-  TGetProjectPermissionArg,
-  TGetServiceTokenProjectPermissionArg,
-  TGetUserProjectPermissionArg
-} from "./permission-service-types";
+import { TBuildOrgPermissionDTO, TBuildProjectPermissionDTO } from "./permission-service-types";
 import {
   buildServiceTokenProjectPermission,
   projectAdminPermissions,
@@ -200,13 +193,12 @@ export const permissionServiceFactory = ({
   };
 
   // user permission for a project in an organization
-  const getUserProjectPermission = async ({
-    userId,
-    projectId,
-    authMethod,
-    userOrgId,
-    actionProjectType
-  }: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
+  const getUserProjectPermission = async (
+    userId: string,
+    projectId: string,
+    authMethod: ActorAuthMethod,
+    userOrgId?: string
+  ): Promise<TProjectPermissionRT<ActorType.USER>> => {
     const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
     if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
 
@@ -227,12 +219,6 @@ export const permissionServiceFactory = ({
 
     validateOrgSSO(authMethod, userProjectPermission.orgAuthEnforced);
 
-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
-      throw new BadRequestError({
-        message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
     // join two permissions and pass to build the final permission set
     const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
     const additionalPrivileges =
@@ -270,6 +256,13 @@ export const permissionServiceFactory = ({
     return {
       permission,
       membership: userProjectPermission,
+      ForbidOnInvalidProjectType: (productType: ProjectType) => {
+        if (productType !== userProjectPermission.projectType) {
+          throw new BadRequestError({
+            message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${productType} are not allowed.`
+          });
+        }
+      },
       hasRole: (role: string) =>
         userProjectPermission.roles.findIndex(
           ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
@@ -277,12 +270,11 @@ export const permissionServiceFactory = ({
     };
   };
 
-  const getIdentityProjectPermission = async ({
-    identityId,
-    projectId,
-    identityOrgId,
-    actionProjectType
-  }: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
+  const getIdentityProjectPermission = async (
+    identityId: string,
+    projectId: string,
+    identityOrgId: string | undefined
+  ): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
     const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
     if (!identityProjectPermission)
       throw new ForbiddenRequestError({
@@ -301,12 +293,6 @@ export const permissionServiceFactory = ({
       throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
     }
 
-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== identityProjectPermission.projectType) {
-      throw new BadRequestError({
-        message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
     const rolePermissions =
       identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
     const additionalPrivileges =
@@ -345,6 +331,13 @@ export const permissionServiceFactory = ({
     return {
       permission,
       membership: identityProjectPermission,
+      ForbidOnInvalidProjectType: (productType: ProjectType) => {
+        if (productType !== identityProjectPermission.projectType) {
+          throw new BadRequestError({
+            message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${productType} are not allowed.`
+          });
+        }
+      },
       hasRole: (role: string) =>
         identityProjectPermission.roles.findIndex(
           ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
@@ -352,12 +345,11 @@ export const permissionServiceFactory = ({
     };
   };
 
-  const getServiceTokenProjectPermission = async ({
-    serviceTokenId,
-    projectId,
-    actorOrgId,
-    actionProjectType
-  }: TGetServiceTokenProjectPermissionArg) => {
+  const getServiceTokenProjectPermission = async (
+    serviceTokenId: string,
+    projectId: string,
+    actorOrgId: string | undefined
+  ) => {
     const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
     if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });
 
@@ -381,16 +373,17 @@ export const permissionServiceFactory = ({
       });
     }
 
-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== serviceTokenProject.type) {
-      throw new BadRequestError({
-        message: `The project is of type ${serviceTokenProject.type}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
     const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
     return {
       permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
-      membership: undefined
+      membership: undefined,
+      ForbidOnInvalidProjectType: (productType: ProjectType) => {
+        if (productType !== serviceTokenProject.type) {
+          throw new BadRequestError({
+            message: `The project is of type ${serviceTokenProject.type}. Operations of type ${productType} are not allowed.`
+          });
+        }
+      }
     };
   };
 
@@ -399,6 +392,7 @@ export const permissionServiceFactory = ({
         permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
         membership: undefined;
         hasRole: (arg: string) => boolean;
+        ForbidOnInvalidProjectType: (type: ProjectType) => void;
       } // service token doesn't have both membership and roles
     : {
         permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
@@ -408,156 +402,23 @@ export const permissionServiceFactory = ({
           roles: Array<{ role: string }>;
         };
         hasRole: (role: string) => boolean;
+        ForbidOnInvalidProjectType: (type: ProjectType) => void;
       };
 
-  const getProjectPermissions = async (projectId: string) => {
-    // fetch user permissions
-    const rawUserProjectPermissions = await permissionDAL.getProjectUserPermissions(projectId);
-    const userPermissions = rawUserProjectPermissions.map((userProjectPermission) => {
-      const rolePermissions =
-        userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
-      const additionalPrivileges =
-        userProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
-          role: ProjectMembershipRole.Custom,
-          permissions
-        })) || [];
-
-      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
-      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
-        objectify(
-          userProjectPermission.metadata,
-          (i) => i.key,
-          (i) => i.value
-        )
-      );
-      const interpolateRules = templatedRules(
-        {
-          identity: {
-            id: userProjectPermission.userId,
-            username: userProjectPermission.username,
-            metadata: metadataKeyValuePair
-          }
-        },
-        { data: false }
-      );
-      const permission = createMongoAbility<ProjectPermissionSet>(
-        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
-        {
-          conditionsMatcher
-        }
-      );
-
-      return {
-        permission,
-        id: userProjectPermission.userId,
-        name: userProjectPermission.username,
-        membershipId: userProjectPermission.id
-      };
-    });
-
-    // fetch identity permissions
-    const rawIdentityProjectPermissions = await permissionDAL.getProjectIdentityPermissions(projectId);
-    const identityPermissions = rawIdentityProjectPermissions.map((identityProjectPermission) => {
-      const rolePermissions =
-        identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
-      const additionalPrivileges =
-        identityProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
-          role: ProjectMembershipRole.Custom,
-          permissions
-        })) || [];
-
-      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
-      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
-        objectify(
-          identityProjectPermission.metadata,
-          (i) => i.key,
-          (i) => i.value
-        )
-      );
-
-      const interpolateRules = templatedRules(
-        {
-          identity: {
-            id: identityProjectPermission.identityId,
-            username: identityProjectPermission.username,
-            metadata: metadataKeyValuePair
-          }
-        },
-        { data: false }
-      );
-      const permission = createMongoAbility<ProjectPermissionSet>(
-        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
-        {
-          conditionsMatcher
-        }
-      );
-
-      return {
-        permission,
-        id: identityProjectPermission.identityId,
-        name: identityProjectPermission.username,
-        membershipId: identityProjectPermission.id
-      };
-    });
-
-    // fetch group permissions
-    const rawGroupProjectPermissions = await permissionDAL.getProjectGroupPermissions(projectId);
-    const groupPermissions = rawGroupProjectPermissions.map((groupProjectPermission) => {
-      const rolePermissions =
-        groupProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
-      const rules = buildProjectPermissionRules(rolePermissions);
-      const permission = createMongoAbility<ProjectPermissionSet>(rules, {
-        conditionsMatcher
-      });
-
-      return {
-        permission,
-        id: groupProjectPermission.groupId,
-        name: groupProjectPermission.username,
-        membershipId: groupProjectPermission.id
-      };
-    });
-
-    return {
-      userPermissions,
-      identityPermissions,
-      groupPermissions
-    };
-  };
-
-  const getProjectPermission = async <T extends ActorType>({
-    actor,
-    actorId,
-    projectId,
-    actorAuthMethod,
-    actorOrgId,
-    actionProjectType
-  }: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
-    switch (actor) {
+  const getProjectPermission = async <T extends ActorType>(
+    type: T,
+    id: string,
+    projectId: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ): Promise<TProjectPermissionRT<T>> => {
+    switch (type) {
       case ActorType.USER:
-        return getUserProjectPermission({
-          userId: actorId,
-          projectId,
-          authMethod: actorAuthMethod,
-          userOrgId: actorOrgId,
-          actionProjectType
-        }) as Promise<TProjectPermissionRT<T>>;
+        return getUserProjectPermission(id, projectId, actorAuthMethod, actorOrgId) as Promise<TProjectPermissionRT<T>>;
       case ActorType.SERVICE:
-        return getServiceTokenProjectPermission({
-          serviceTokenId: actorId,
-          projectId,
-          actorOrgId,
-          actionProjectType
-        }) as Promise<TProjectPermissionRT<T>>;
+        return getServiceTokenProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
       case ActorType.IDENTITY:
-        return getIdentityProjectPermission({
-          identityId: actorId,
-          projectId,
-          identityOrgId: actorOrgId,
-          actionProjectType
-        }) as Promise<TProjectPermissionRT<T>>;
+        return getIdentityProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
       default:
         throw new BadRequestError({
           message: "Invalid actor provided",
@@ -594,7 +455,6 @@ export const permissionServiceFactory = ({
     getOrgPermission,
     getUserProjectPermission,
     getProjectPermission,
-    getProjectPermissions,
     getOrgPermissionByRole,
     getProjectPermissionByRole,
     buildOrgPermission,

backend/src/ee/services/permission/project-permission.ts

@@ -1,10 +1,6 @@
 import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
 import { z } from "zod";
 
-import {
-  CASL_ACTION_SCHEMA_ENUM,
-  CASL_ACTION_SCHEMA_NATIVE_ENUM
-} from "@app/ee/services/permission/permission-schemas";
 import { conditionsMatcher, PermissionConditionOperators } from "@app/lib/casl";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
 
@@ -34,16 +30,6 @@ export enum ProjectPermissionDynamicSecretActions {
   Lease = "lease"
 }
 
-export enum ProjectPermissionSecretSyncActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  SyncSecrets = "sync-secrets",
-  ImportSecrets = "import-secrets",
-  RemoveSecrets = "remove-secrets"
-}
-
 export enum ProjectPermissionSub {
   Role = "role",
   Member = "member",
@@ -74,8 +60,7 @@ export enum ProjectPermissionSub {
   PkiAlerts = "pki-alerts",
   PkiCollections = "pki-collections",
   Kms = "kms",
-  Cmek = "cmek",
-  SecretSyncs = "secret-syncs"
+  Cmek = "cmek"
 }
 
 export type SecretSubjectFields = {
@@ -155,7 +140,6 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateTemplates]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
-  | [ProjectPermissionSecretSyncActions, ProjectPermissionSub.SecretSyncs]
   | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
   | [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Project]
@@ -163,6 +147,14 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms];
 
+const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
+  z
+    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
+    .transform((el) => (typeof el === "string" ? [el] : el));
+
+const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
+  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));
+
 // akhilmhdh: don't modify this for v2
 // if you want to update create a new schema
 const SecretConditionV1Schema = z
@@ -400,15 +392,10 @@ const GeneralPermissionSchema = [
   }),
   z.object({
     subject: z.literal(ProjectPermissionSub.Cmek).describe("The entity this permission pertains to."),
+    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionCmekActions).describe(
       "Describe what action an entity can take."
     )
-  }),
-  z.object({
-    subject: z.literal(ProjectPermissionSub.SecretSyncs).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretSyncActions).describe(
-      "Describe what action an entity can take."
-    )
   })
 ];
 
@@ -562,18 +549,6 @@ const buildAdminPermissionRules = () => {
     ],
     ProjectPermissionSub.Cmek
   );
-  can(
-    [
-      ProjectPermissionSecretSyncActions.Create,
-      ProjectPermissionSecretSyncActions.Edit,
-      ProjectPermissionSecretSyncActions.Delete,
-      ProjectPermissionSecretSyncActions.Read,
-      ProjectPermissionSecretSyncActions.SyncSecrets,
-      ProjectPermissionSecretSyncActions.ImportSecrets,
-      ProjectPermissionSecretSyncActions.RemoveSecrets
-    ],
-    ProjectPermissionSub.SecretSyncs
-  );
   return rules;
 };
 
@@ -738,19 +713,6 @@ const buildMemberPermissionRules = () => {
     ProjectPermissionSub.Cmek
   );
 
-  can(
-    [
-      ProjectPermissionSecretSyncActions.Create,
-      ProjectPermissionSecretSyncActions.Edit,
-      ProjectPermissionSecretSyncActions.Delete,
-      ProjectPermissionSecretSyncActions.Read,
-      ProjectPermissionSecretSyncActions.SyncSecrets,
-      ProjectPermissionSecretSyncActions.ImportSecrets,
-      ProjectPermissionSecretSyncActions.RemoveSecrets
-    ],
-    ProjectPermissionSub.SecretSyncs
-  );
-
   return rules;
 };
 
@@ -784,7 +746,6 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateAuthorities);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
-  can(ProjectPermissionSecretSyncActions.Read, ProjectPermissionSub.SecretSyncs);
 
   return rules;
 };

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import ms from "ms";
 
-import { ActionProjectType, TableName } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
@@ -55,23 +55,21 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     if (!projectMembership)
       throw new NotFoundError({ message: `Project membership with ID ${projectMembershipId} found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: projectMembership.projectId,
+      projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
-    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.USER,
-      actorId: projectMembership.userId,
-      projectId: projectMembership.projectId,
+    const { permission: targetUserPermission } = await permissionService.getProjectPermission(
+      ActorType.USER,
+      projectMembership.userId,
+      projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -142,23 +140,21 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
         message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: projectMembership.projectId,
+      projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
-    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.USER,
-      actorId: projectMembership.userId,
-      projectId: projectMembership.projectId,
+    const { permission: targetUserPermission } = await permissionService.getProjectPermission(
+      ActorType.USER,
+      projectMembership.userId,
+      projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -228,14 +224,13 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
         message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: projectMembership.projectId,
+      projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
 
     const deletedPrivilege = await projectUserAdditionalPrivilegeDAL.deleteById(userPrivilege.id);
@@ -265,14 +260,13 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
         message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: projectMembership.projectId,
+      projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
 
     return {
@@ -292,14 +286,13 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     if (!projectMembership)
       throw new NotFoundError({ message: `Project membership with ID ${projectMembershipId} not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: projectMembership.projectId,
+      projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
 
     const userPrivileges = await projectUserAdditionalPrivilegeDAL.find(

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -421,14 +421,14 @@ export const samlConfigServiceFactory = ({
       });
     } else {
       const plan = await licenseService.getPlan(orgId);
-      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+      if (plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
         // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
         throw new BadRequestError({
           message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
         });
       }
 
-      if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+      if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
         // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
         throw new BadRequestError({
           message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."

backend/src/ee/services/saml-config/saml-config-types.ts

@@ -6,8 +6,7 @@ export enum SamlProviders {
   AZURE_SAML = "azure-saml",
   JUMPCLOUD_SAML = "jumpcloud-saml",
   GOOGLE_SAML = "google-saml",
-  KEYCLOAK_SAML = "keycloak-saml",
-  AUTH0_SAML = "auth0-saml"
+  KEYCLOAK_SAML = "keycloak-saml"
 }
 
 export type TCreateSamlCfgDTO = {

backend/src/ee/services/scim/scim-service.ts

@@ -531,7 +531,7 @@ export const scimServiceFactory = ({
           firstName: scimUser.name.givenName,
           email: scimUser.emails[0].value,
           lastName: scimUser.name.familyName,
-          isEmailVerified: hasEmailChanged ? trustScimEmails : undefined
+          isEmailVerified: hasEmailChanged ? trustScimEmails : true
         },
         tx
       );
@@ -790,21 +790,6 @@ export const scimServiceFactory = ({
       });
 
     const newGroup = await groupDAL.transaction(async (tx) => {
-      const conflictingGroup = await groupDAL.findOne(
-        {
-          name: displayName,
-          orgId
-        },
-        tx
-      );
-
-      if (conflictingGroup) {
-        throw new ScimRequestError({
-          detail: `Group with name '${displayName}' already exists in the organization`,
-          status: 409
-        });
-      }
-
       const group = await groupDAL.create(
         {
           name: displayName,

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import picomatch from "picomatch";
 
-import { ActionProjectType } from "@app/db/schemas";
+import { ProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -79,14 +79,14 @@ export const secretApprovalPolicyServiceFactory = ({
     if (!groupApprovers.length && approvals > approvers.length)
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SecretApproval
@@ -193,14 +193,14 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: secretApprovalPolicy.projectId,
+      secretApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -288,14 +288,14 @@ export const secretApprovalPolicyServiceFactory = ({
     if (!sapPolicy)
       throw new NotFoundError({ message: `Secret approval policy with ID '${secretPolicyId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: sapPolicy.projectId,
+      sapPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       ProjectPermissionSub.SecretApproval
@@ -328,14 +328,13 @@ export const secretApprovalPolicyServiceFactory = ({
     actorAuthMethod,
     projectId
   }: TListSapDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
     const sapPolicies = await secretApprovalPolicyDAL.find({ projectId, deletedAt: null });
@@ -373,14 +372,7 @@ export const secretApprovalPolicyServiceFactory = ({
     environment,
     secretPath
   }: TGetBoardSapDTO) => {
-    await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
 
     return getSecretApprovalPolicy(projectId, environment, secretPath);
   };
@@ -400,14 +392,13 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: sapPolicy.projectId,
+      sapPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 

backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts

@@ -36,7 +36,7 @@ export const sendApprovalEmailsFn = async ({
         firstName: reviewerUser.firstName,
         projectName: project.name,
         organizationName: project.organization.name,
-        approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval?requestId=${secretApprovalRequest.id}`
+        approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval?requestId=${secretApprovalRequest.id}`
       },
       template: SmtpTemplates.SecretApprovalRequestNeedsReview
     });

backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts

@@ -256,7 +256,6 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
           `${TableName.SecretVersionV2Tag}.${TableName.SecretTag}Id`,
           db.ref("id").withSchema("secVerTag")
         )
-        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
         .select(selectAllTableCols(TableName.SecretApprovalRequestSecretV2))
         .select({
           secVerTagId: "secVerTag.id",
@@ -280,11 +279,6 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
           db.ref("key").withSchema(TableName.SecretVersionV2).as("secVerKey"),
           db.ref("encryptedValue").withSchema(TableName.SecretVersionV2).as("secVerValue"),
           db.ref("encryptedComment").withSchema(TableName.SecretVersionV2).as("secVerComment")
-        )
-        .select(
-          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
         );
       const formatedDoc = sqlNestRelationships({
         data: doc,
@@ -344,19 +338,9 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
                 })
               }
             ]
-          },
-          {
-            key: "metadataId",
-            label: "oldSecretMetadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
           }
         ]
       });
-
       return formatedDoc?.map(({ secret, secretVersion, ...el }) => ({
         ...el,
         secret: secret?.[0],

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -1,8 +1,8 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
 import {
-  ActionProjectType,
   ProjectMembershipRole,
+  ProjectType,
   SecretEncryptionAlgo,
   SecretKeyEncoding,
   SecretType,
@@ -22,8 +22,6 @@ import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
-import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
-import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import {
   decryptSecretWithBot,
@@ -93,7 +91,6 @@ type TSecretApprovalRequestServiceFactoryDep = {
   secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "findOne">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
   smtpService: Pick<TSmtpService, "sendMail">;
   userDAL: Pick<TUserDALFactory, "find" | "findOne" | "findById">;
@@ -141,20 +138,18 @@ export const secretApprovalRequestServiceFactory = ({
   secretVersionV2BridgeDAL,
   secretVersionTagV2BridgeDAL,
   licenseService,
-  projectSlackConfigDAL,
-  resourceMetadataDAL
+  projectSlackConfigDAL
 }: TSecretApprovalRequestServiceFactoryDep) => {
   const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
 
-    await permissionService.getProjectPermission({
-      actor,
+    await permissionService.getProjectPermission(
+      actor as ActorType.USER,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId);
     return count;
@@ -174,14 +169,7 @@ export const secretApprovalRequestServiceFactory = ({
   }: TListApprovalsDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
 
-    await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
 
     const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
     if (shouldUseSecretV2Bridge) {
@@ -224,14 +212,13 @@ export const secretApprovalRequestServiceFactory = ({
     const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
 
     const { policy } = secretApprovalRequest;
-    const { hasRole } = await permissionService.getProjectPermission({
+    const { hasRole } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
       secretApprovalRequest.committerUserId !== actorId &&
@@ -254,7 +241,6 @@ export const secretApprovalRequestServiceFactory = ({
         secretKey: el.key,
         id: el.id,
         version: el.version,
-        secretMetadata: el.secretMetadata as ResourceMetadataDTO,
         secretValue: el.encryptedValue ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString() : "",
         secretComment: el.encryptedComment
           ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString()
@@ -283,8 +269,7 @@ export const secretApprovalRequestServiceFactory = ({
               secretComment: el.secretVersion.encryptedComment
                 ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedComment }).toString()
                 : "",
-              tags: el.secretVersion.tags,
-              secretMetadata: el.oldSecretMetadata as ResourceMetadataDTO
+              tags: el.secretVersion.tags
             }
           : undefined
       }));
@@ -345,14 +330,13 @@ export const secretApprovalRequestServiceFactory = ({
       });
     }
 
-    const { hasRole } = await permissionService.getProjectPermission({
-      actor: ActorType.USER,
+    const { hasRole } = await permissionService.getProjectPermission(
+      ActorType.USER,
       actorId,
-      projectId: secretApprovalRequest.projectId,
+      secretApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
       secretApprovalRequest.committerUserId !== actorId &&
@@ -412,14 +396,13 @@ export const secretApprovalRequestServiceFactory = ({
       });
     }
 
-    const { hasRole } = await permissionService.getProjectPermission({
-      actor: ActorType.USER,
+    const { hasRole } = await permissionService.getProjectPermission(
+      ActorType.USER,
       actorId,
-      projectId: secretApprovalRequest.projectId,
+      secretApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
       secretApprovalRequest.committerUserId !== actorId &&
@@ -469,14 +452,13 @@ export const secretApprovalRequestServiceFactory = ({
       });
     }
 
-    const { hasRole } = await permissionService.getProjectPermission({
-      actor: ActorType.USER,
+    const { hasRole } = await permissionService.getProjectPermission(
+      ActorType.USER,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -561,7 +543,6 @@ export const secretApprovalRequestServiceFactory = ({
           ? await fnSecretV2BridgeBulkInsert({
               tx,
               folderId,
-              orgId: actorOrgId,
               inputSecrets: secretCreationCommits.map((el) => ({
                 tagIds: el?.tags.map(({ id }) => id),
                 version: 1,
@@ -569,7 +550,6 @@ export const secretApprovalRequestServiceFactory = ({
                 encryptedValue: el.encryptedValue,
                 skipMultilineEncoding: el.skipMultilineEncoding,
                 key: el.key,
-                secretMetadata: el.secretMetadata as ResourceMetadataDTO,
                 references: el.encryptedValue
                   ? getAllSecretReferencesV2Bridge(
                       secretManagerDecryptor({
@@ -579,7 +559,6 @@ export const secretApprovalRequestServiceFactory = ({
                   : [],
                 type: SecretType.Shared
               })),
-              resourceMetadataDAL,
               secretDAL: secretV2BridgeDAL,
               secretVersionDAL: secretVersionV2BridgeDAL,
               secretTagDAL,
@@ -589,7 +568,6 @@ export const secretApprovalRequestServiceFactory = ({
         const updatedSecrets = secretUpdationCommits.length
           ? await fnSecretV2BridgeBulkUpdate({
               folderId,
-              orgId: actorOrgId,
               tx,
               inputSecrets: secretUpdationCommits.map((el) => {
                 const encryptedValue =
@@ -614,7 +592,6 @@ export const secretApprovalRequestServiceFactory = ({
                     skipMultilineEncoding: el.skipMultilineEncoding,
                     key: el.key,
                     tags: el?.tags.map(({ id }) => id),
-                    secretMetadata: el.secretMetadata as ResourceMetadataDTO,
                     ...encryptedValue
                   }
                 };
@@ -622,8 +599,7 @@ export const secretApprovalRequestServiceFactory = ({
               secretDAL: secretV2BridgeDAL,
               secretVersionDAL: secretVersionV2BridgeDAL,
               secretTagDAL,
-              secretVersionTagDAL: secretVersionTagV2BridgeDAL,
-              resourceMetadataDAL
+              secretVersionTagDAL: secretVersionTagV2BridgeDAL
             })
           : [];
         const deletedSecret = secretDeletionCommits.length
@@ -848,7 +824,6 @@ export const secretApprovalRequestServiceFactory = ({
     }
     await secretQueueService.syncSecrets({
       projectId,
-      orgId: actorOrgId,
       secretPath: folder.path,
       environmentSlug: folder.environmentSlug,
       actorId,
@@ -877,7 +852,7 @@ export const secretApprovalRequestServiceFactory = ({
           bypassReason,
           secretPath: policy.secretPath,
           environment: env.name,
-          approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`
+          approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval`
         },
         template: SmtpTemplates.AccessSecretRequestBypassed
       });
@@ -901,14 +876,14 @@ export const secretApprovalRequestServiceFactory = ({
   }: TGenerateSecretApprovalRequestDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Secrets, { environment, secretPath })
@@ -1182,14 +1157,14 @@ export const secretApprovalRequestServiceFactory = ({
     if (actor === ActorType.SERVICE || actor === ActorType.Machine)
       throw new BadRequestError({ message: "Cannot use service token or machine token over protected branches" });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder)
       throw new NotFoundError({
@@ -1233,7 +1208,6 @@ export const secretApprovalRequestServiceFactory = ({
           ),
           skipMultilineEncoding: createdSecret.skipMultilineEncoding,
           key: createdSecret.secretKey,
-          secretMetadata: createdSecret.secretMetadata,
           type: SecretType.Shared
         }))
       );
@@ -1267,10 +1241,9 @@ export const secretApprovalRequestServiceFactory = ({
             type: SecretType.Shared
           }))
         );
-
-        if (secrets.length !== secretsWithNewName.length)
+        if (secrets.length)
           throw new NotFoundError({
-            message: `Secret does not exist: ${secrets.map((el) => el.key).join(",")}`
+            message: `Secret does not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
           });
       }
 
@@ -1290,14 +1263,12 @@ export const secretApprovalRequestServiceFactory = ({
             reminderNote,
             secretComment,
             metadata,
-            skipMultilineEncoding,
-            secretMetadata
+            skipMultilineEncoding
           }) => {
             const secretId = updatingSecretsGroupByKey[secretKey][0].id;
             if (tagIds?.length) commitTagIds[secretKey] = tagIds;
             return {
               ...latestSecretVersions[secretId],
-              secretMetadata,
               key: newSecretName || secretKey,
               encryptedComment: setKnexStringValue(
                 secretComment,
@@ -1399,8 +1370,7 @@ export const secretApprovalRequestServiceFactory = ({
             reminderRepeatDays,
             encryptedValue,
             secretId,
-            secretVersion,
-            secretMetadata
+            secretVersion
           }) => ({
             version,
             requestId: doc.id,
@@ -1413,8 +1383,7 @@ export const secretApprovalRequestServiceFactory = ({
             reminderRepeatDays,
             reminderNote,
             encryptedComment,
-            key,
-            secretMetadata: JSON.stringify(secretMetadata)
+            key
           })
         ),
         tx

backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts

@@ -1,6 +1,5 @@
 import { TImmutableDBKeys, TSecretApprovalPolicies, TSecretApprovalRequestsSecrets } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";
-import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretOperations } from "@app/services/secret/secret-types";
 
 export enum RequestState {
@@ -35,7 +34,6 @@ export type TApprovalCreateSecretV2Bridge = {
   reminderRepeatDays?: number | null;
   skipMultilineEncoding?: boolean;
   metadata?: Record<string, string>;
-  secretMetadata?: ResourceMetadataDTO;
   tagIds?: string[];
 };
 

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -13,8 +13,6 @@ import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
-import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
-import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import { fnSecretBulkInsert, fnSecretBulkUpdate } from "@app/services/secret/secret-fns";
 import { TSecretQueueFactory, uniqueSecretQueueKey } from "@app/services/secret/secret-queue";
@@ -58,7 +56,6 @@ type TSecretReplicationServiceFactoryDep = {
   >;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "find" | "insertMany">;
   secretVersionV2TagBridgeDAL: Pick<TSecretVersionV2TagDALFactory, "find" | "insertMany">;
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
   secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "replicateSecrets">;
   queueService: Pick<TQueueServiceFactory, "start" | "listen" | "queue" | "stopJobById">;
   secretApprovalPolicyService: Pick<TSecretApprovalPolicyServiceFactory, "getSecretApprovalPolicy">;
@@ -124,8 +121,7 @@ export const secretReplicationServiceFactory = ({
   secretVersionV2TagBridgeDAL,
   secretVersionV2BridgeDAL,
   secretV2BridgeDAL,
-  kmsService,
-  resourceMetadataDAL
+  kmsService
 }: TSecretReplicationServiceFactoryDep) => {
   const $getReplicatedSecrets = (
     botKey: string,
@@ -155,10 +151,8 @@ export const secretReplicationServiceFactory = ({
   };
 
   const $getReplicatedSecretsV2 = (
-    localSecrets: (TSecretsV2 & { secretKey: string; secretValue?: string; secretMetadata?: ResourceMetadataDTO })[],
-    importedSecrets: {
-      secrets: (TSecretsV2 & { secretKey: string; secretValue?: string; secretMetadata?: ResourceMetadataDTO })[];
-    }[]
+    localSecrets: (TSecretsV2 & { secretKey: string; secretValue?: string })[],
+    importedSecrets: { secrets: (TSecretsV2 & { secretKey: string; secretValue?: string })[] }[]
   ) => {
     const deDupe = new Set<string>();
     const secrets = [...localSecrets];
@@ -184,7 +178,6 @@ export const secretReplicationServiceFactory = ({
       secretPath,
       environmentSlug,
       projectId,
-      orgId,
       actorId,
       actor,
       pickOnlyImportIds,
@@ -229,7 +222,6 @@ export const secretReplicationServiceFactory = ({
           .map(({ folderId }) =>
             secretQueueService.replicateSecrets({
               projectId,
-              orgId,
               secretPath: foldersGroupedById[folderId][0]?.path as string,
               environmentSlug: foldersGroupedById[folderId][0]?.environmentSlug as string,
               actorId,
@@ -275,7 +267,6 @@ export const secretReplicationServiceFactory = ({
           ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
           : undefined
       }));
-
       const sourceSecrets = $getReplicatedSecretsV2(sourceDecryptedLocalSecrets, sourceImportedSecrets);
       const sourceSecretsGroupByKey = groupBy(sourceSecrets, (i) => i.key);
 
@@ -342,29 +333,13 @@ export const secretReplicationServiceFactory = ({
               .map((el) => ({ ...el, operation: SecretOperations.Create })); // rewrite update ops to create
 
             const locallyUpdatedSecrets = sourceSecrets
-              .filter(({ key, secretKey, secretValue, secretMetadata }) => {
-                const sourceSecretMetadataJson = JSON.stringify(
-                  (secretMetadata ?? []).map((entry) => ({
-                    key: entry.key,
-                    value: entry.value
-                  }))
-                );
-
-                const destinationSecretMetadataJson = JSON.stringify(
-                  (destinationLocalSecretsGroupedByKey[key]?.[0]?.secretMetadata ?? []).map((entry) => ({
-                    key: entry.key,
-                    value: entry.value
-                  }))
-                );
-
-                return (
+              .filter(
+                ({ key, secretKey, secretValue }) =>
                   destinationLocalSecretsGroupedByKey[key]?.[0] &&
                   // if key or value changed
                   (destinationLocalSecretsGroupedByKey[key]?.[0]?.secretKey !== secretKey ||
-                    destinationLocalSecretsGroupedByKey[key]?.[0]?.secretValue !== secretValue ||
-                    sourceSecretMetadataJson !== destinationSecretMetadataJson)
-                );
-              })
+                    destinationLocalSecretsGroupedByKey[key]?.[0]?.secretValue !== secretValue)
+              )
               .map((el) => ({ ...el, operation: SecretOperations.Update })); // rewrite update ops to create
 
             const locallyDeletedSecrets = destinationLocalSecrets
@@ -412,7 +387,6 @@ export const secretReplicationServiceFactory = ({
                       op: operation,
                       requestId: approvalRequestDoc.id,
                       metadata: doc.metadata,
-                      secretMetadata: JSON.stringify(doc.secretMetadata),
                       key: doc.key,
                       encryptedValue: doc.encryptedValue,
                       encryptedComment: doc.encryptedComment,
@@ -432,12 +406,10 @@ export const secretReplicationServiceFactory = ({
                 if (locallyCreatedSecrets.length) {
                   await fnSecretV2BridgeBulkInsert({
                     folderId: destinationReplicationFolderId,
-                    orgId,
                     secretVersionDAL: secretVersionV2BridgeDAL,
                     secretDAL: secretV2BridgeDAL,
                     tx,
                     secretTagDAL,
-                    resourceMetadataDAL,
                     secretVersionTagDAL: secretVersionV2TagBridgeDAL,
                     inputSecrets: locallyCreatedSecrets.map((doc) => {
                       return {
@@ -447,7 +419,6 @@ export const secretReplicationServiceFactory = ({
                         encryptedValue: doc.encryptedValue,
                         encryptedComment: doc.encryptedComment,
                         skipMultilineEncoding: doc.skipMultilineEncoding,
-                        secretMetadata: doc.secretMetadata,
                         references: doc.secretValue ? getAllSecretReferences(doc.secretValue).nestedReferences : []
                       };
                     })
@@ -455,12 +426,10 @@ export const secretReplicationServiceFactory = ({
                 }
                 if (locallyUpdatedSecrets.length) {
                   await fnSecretV2BridgeBulkUpdate({
-                    orgId,
                     folderId: destinationReplicationFolderId,
                     secretVersionDAL: secretVersionV2BridgeDAL,
                     secretDAL: secretV2BridgeDAL,
                     tx,
-                    resourceMetadataDAL,
                     secretTagDAL,
                     secretVersionTagDAL: secretVersionV2TagBridgeDAL,
                     inputSecrets: locallyUpdatedSecrets.map((doc) => {
@@ -476,7 +445,6 @@ export const secretReplicationServiceFactory = ({
                           encryptedValue: doc.encryptedValue as Buffer,
                           encryptedComment: doc.encryptedComment,
                           skipMultilineEncoding: doc.skipMultilineEncoding,
-                          secretMetadata: doc.secretMetadata,
                           references: doc.secretValue ? getAllSecretReferences(doc.secretValue).nestedReferences : []
                         }
                       };
@@ -498,7 +466,6 @@ export const secretReplicationServiceFactory = ({
 
               await secretQueueService.syncSecrets({
                 projectId,
-                orgId,
                 secretPath: destinationFolder.path,
                 environmentSlug: destinationFolder.environmentSlug,
                 actorId,
@@ -784,7 +751,6 @@ export const secretReplicationServiceFactory = ({
 
             await secretQueueService.syncSecrets({
               projectId,
-              orgId,
               secretPath: destinationFolder.path,
               environmentSlug: destinationFolder.environmentSlug,
               actorId,

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -180,8 +180,6 @@ export const secretRotationQueueFactory = ({
           provider.template.client === TDbProviderClients.MsSqlServer
             ? ({
                 encrypt: appCfg.ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT,
-                // when ca is provided use that
-                trustServerCertificate: !ca,
                 cryptoCredentialsDetails: ca ? { ca } : {}
               } as Record<string, unknown>)
             : undefined;

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";
 
-import { ActionProjectType, ProjectVersion, TableName } from "@app/db/schemas";
+import { ProjectType, ProjectVersion, TableName } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
@@ -53,14 +53,14 @@ export const secretRotationServiceFactory = ({
     actorAuthMethod,
     projectId
   }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
 
     return {
@@ -82,14 +82,14 @@ export const secretRotationServiceFactory = ({
     secretPath,
     environment
   }: TCreateSecretRotationDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SecretRotation
@@ -191,14 +191,13 @@ export const secretRotationServiceFactory = ({
   };
 
   const getByProjectId = async ({ actorId, projectId, actor, actorOrgId, actorAuthMethod }: TListByProjectIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
     const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
     if (shouldUseSecretV2Bridge) {
@@ -237,14 +236,14 @@ export const secretRotationServiceFactory = ({
         message: "Failed to add secret rotation due to plan restriction. Upgrade plan to add secret rotation."
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      doc.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretRotation);
     await secretRotationQueue.removeFromQueue(doc.id, doc.interval);
     await secretRotationQueue.addToQueue(doc.id, doc.interval);
@@ -255,14 +254,14 @@ export const secretRotationServiceFactory = ({
     const doc = await secretRotationDAL.findById(rotationId);
     if (!doc) throw new NotFoundError({ message: `Rotation with ID '${rotationId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: doc.projectId,
+      doc.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       ProjectPermissionSub.SecretRotation

backend/src/ee/services/secret-scanning/secret-scanning-dal.ts

@@ -1,12 +1,9 @@
-import knex, { Knex } from "knex";
+import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
 import { TableName, TSecretScanningGitRisksInsert } from "@app/db/schemas";
-import { DatabaseError, GatewayTimeoutError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
-import { OrderByDirection } from "@app/lib/types";
-
-import { SecretScanningResolvedStatus, TGetOrgRisksDTO } from "./secret-scanning-types";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify } from "@app/lib/knex";
 
 export type TSecretScanningDALFactory = ReturnType<typeof secretScanningDALFactory>;
 
@@ -22,70 +19,5 @@ export const secretScanningDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findByOrgId = async (orgId: string, filter: TGetOrgRisksDTO["filter"], tx?: Knex) => {
-    try {
-      // Find statements
-      const sqlQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
-        // eslint-disable-next-line func-names
-        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId);
-
-      if (filter.repositoryNames) {
-        void sqlQuery.whereIn(`${TableName.SecretScanningGitRisk}.repositoryFullName`, filter.repositoryNames);
-      }
-
-      if (filter.resolvedStatus) {
-        if (filter.resolvedStatus !== SecretScanningResolvedStatus.All) {
-          const isResolved = filter.resolvedStatus === SecretScanningResolvedStatus.Resolved;
-
-          void sqlQuery.where(`${TableName.SecretScanningGitRisk}.isResolved`, isResolved);
-        }
-      }
-
-      // Select statements
-      void sqlQuery
-        .select(selectAllTableCols(TableName.SecretScanningGitRisk))
-        .limit(filter.limit)
-        .offset(filter.offset);
-
-      if (filter.orderBy) {
-        const orderDirection = filter.orderDirection || OrderByDirection.ASC;
-
-        void sqlQuery.orderBy(filter.orderBy, orderDirection);
-      }
-
-      const countQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
-        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId)
-        .count();
-
-      const uniqueReposQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
-        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId)
-        .distinct("repositoryFullName")
-        .select("repositoryFullName");
-
-      // we timeout long running queries to prevent DB resource issues (2 minutes)
-      const docs = await sqlQuery.timeout(1000 * 120);
-      const uniqueRepos = await uniqueReposQuery.timeout(1000 * 120);
-      const totalCount = await countQuery;
-
-      return {
-        risks: docs,
-        totalCount: Number(totalCount?.[0].count),
-        repos: uniqueRepos
-          .filter(Boolean)
-          .map((r) => r.repositoryFullName!)
-          .sort((a, b) => a.localeCompare(b))
-      };
-    } catch (error) {
-      if (error instanceof knex.KnexTimeoutError) {
-        throw new GatewayTimeoutError({
-          error,
-          message: "Failed to fetch secret leaks due to timeout. Add more search filters."
-        });
-      }
-
-      throw new DatabaseError({ error });
-    }
-  };
-
-  return { ...gitRiskOrm, upsert, findByOrgId };
+  return { ...gitRiskOrm, upsert };
 };

backend/src/ee/services/secret-scanning/secret-scanning-service.ts

@@ -15,7 +15,6 @@ import { TSecretScanningDALFactory } from "./secret-scanning-dal";
 import { TSecretScanningQueueFactory } from "./secret-scanning-queue";
 import {
   SecretScanningRiskStatus,
-  TGetAllOrgRisksDTO,
   TGetOrgInstallStatusDTO,
   TGetOrgRisksDTO,
   TInstallAppSessionDTO,
@@ -119,21 +118,11 @@ export const secretScanningServiceFactory = ({
     return Boolean(appInstallation);
   };
 
-  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId, filter }: TGetOrgRisksDTO) => {
+  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetOrgRisksDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
-
-    const results = await secretScanningDAL.findByOrgId(orgId, filter);
-
-    return results;
-  };
-
-  const getAllRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetAllOrgRisksDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
-
     const risks = await secretScanningDAL.find({ orgId }, { sort: [["createdAt", "desc"]] });
-    return risks;
+    return { risks };
   };
 
   const updateRiskStatus = async ({
@@ -200,7 +189,6 @@ export const secretScanningServiceFactory = ({
     linkInstallationToOrg,
     getOrgInstallationStatus,
     getRisksByOrg,
-    getAllRisksByOrg,
     updateRiskStatus,
     handleRepoPushEvent,
     handleRepoDeleteEvent

backend/src/ee/services/secret-scanning/secret-scanning-types.ts

@@ -1,4 +1,4 @@
-import { OrderByDirection, TOrgPermission } from "@app/lib/types";
+import { TOrgPermission } from "@app/lib/types";
 
 export enum SecretScanningRiskStatus {
   FalsePositive = "RESOLVED_FALSE_POSITIVE",
@@ -7,12 +7,6 @@ export enum SecretScanningRiskStatus {
   Unresolved = "UNRESOLVED"
 }
 
-export enum SecretScanningResolvedStatus {
-  All = "all",
-  Resolved = "resolved",
-  Unresolved = "unresolved"
-}
-
 export type TInstallAppSessionDTO = TOrgPermission;
 
 export type TLinkInstallSessionDTO = {
@@ -22,22 +16,7 @@ export type TLinkInstallSessionDTO = {
 
 export type TGetOrgInstallStatusDTO = TOrgPermission;
 
-type RiskFilter = {
-  offset: number;
-  limit: number;
-  orderBy?: "createdAt" | "name";
-  orderDirection?: OrderByDirection;
-  repositoryNames?: string[];
-  resolvedStatus?: SecretScanningResolvedStatus;
-};
-
-export type TGetOrgRisksDTO = {
-  filter: RiskFilter;
-} & TOrgPermission;
-
-export type TGetAllOrgRisksDTO = {
-  filter: Omit<RiskFilter, "offset" | "limit" | "orderBy" | "orderDirection">;
-} & TOrgPermission;
+export type TGetOrgRisksDTO = TOrgPermission;
 
 export type TUpdateRiskStatusDTO = {
   riskId: string;

backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { ActionProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
+import { ProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -83,14 +83,13 @@ export const secretSnapshotServiceFactory = ({
     actorAuthMethod,
     path
   }: TProjectSnapshotCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
 
     // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
@@ -120,14 +119,13 @@ export const secretSnapshotServiceFactory = ({
     limit = 20,
     offset = 0
   }: TProjectSnapshotListDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
 
     // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
@@ -149,14 +147,13 @@ export const secretSnapshotServiceFactory = ({
   const getSnapshotData = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TGetSnapshotDataDTO) => {
     const snapshot = await snapshotDAL.findById(id);
     if (!snapshot) throw new NotFoundError({ message: `Snapshot with ID '${id}' not found` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: snapshot.projectId,
+      snapshot.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
     const shouldUseBridge = snapshot.projectVersion === 3;
@@ -325,14 +322,14 @@ export const secretSnapshotServiceFactory = ({
     if (!snapshot) throw new NotFoundError({ message: `Snapshot with ID '${snapshotId}' not found` });
     const shouldUseBridge = snapshot.projectVersion === 3;
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: snapshot.projectId,
+      snapshot.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SecretRollback

backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import ms from "ms";
 
-import { ActionProjectType } from "@app/db/schemas";
+import { ProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -54,15 +54,15 @@ export const sshCertificateTemplateServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SshCertificateTemplates
@@ -127,15 +127,15 @@ export const sshCertificateTemplateServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: certTemplate.projectId,
+      certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       ProjectPermissionSub.SshCertificateTemplates
@@ -196,15 +196,15 @@ export const sshCertificateTemplateServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: certificateTemplate.projectId,
+      certificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       ProjectPermissionSub.SshCertificateTemplates
@@ -223,15 +223,15 @@ export const sshCertificateTemplateServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: certTemplate.projectId,
+      certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       ProjectPermissionSub.SshCertificateTemplates

backend/src/ee/services/ssh/ssh-certificate-authority-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
+import { ProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
@@ -65,15 +65,15 @@ export const sshCertificateAuthorityServiceFactory = ({
     actor,
     actorOrgId
   }: TCreateSshCaDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SshCertificateAuthorities
@@ -118,15 +118,15 @@ export const sshCertificateAuthorityServiceFactory = ({
     const ca = await sshCertificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       ProjectPermissionSub.SshCertificateAuthorities
@@ -187,15 +187,15 @@ export const sshCertificateAuthorityServiceFactory = ({
     const ca = await sshCertificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       ProjectPermissionSub.SshCertificateAuthorities
@@ -226,15 +226,15 @@ export const sshCertificateAuthorityServiceFactory = ({
     const ca = await sshCertificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       ProjectPermissionSub.SshCertificateAuthorities
@@ -268,15 +268,15 @@ export const sshCertificateAuthorityServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: sshCertificateTemplate.projectId,
+      sshCertificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SshCertificates
@@ -390,15 +390,15 @@ export const sshCertificateAuthorityServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: sshCertificateTemplate.projectId,
+      sshCertificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SshCertificates
@@ -488,15 +488,15 @@ export const sshCertificateAuthorityServiceFactory = ({
     const ca = await sshCertificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       ProjectPermissionSub.SshCertificateTemplates

backend/src/ee/services/trusted-ip/trusted-ip-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TProjectPermission } from "@app/lib/types";
@@ -28,14 +27,13 @@ export const trustedIpServiceFactory = ({
   projectDAL
 }: TTrustedIpServiceFactoryDep) => {
   const listIpsByProjectId = async ({ projectId, actor, actorId, actorAuthMethod, actorOrgId }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
     const trustedIps = await trustedIpDAL.find({
       projectId
@@ -53,14 +51,13 @@ export const trustedIpServiceFactory = ({
     comment,
     isActive
   }: TCreateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 
     const project = await projectDAL.findById(projectId);
@@ -99,14 +96,13 @@ export const trustedIpServiceFactory = ({
     comment,
     trustedIpId
   }: TUpdateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 
     const project = await projectDAL.findById(projectId);
@@ -145,14 +141,13 @@ export const trustedIpServiceFactory = ({
     actorAuthMethod,
     trustedIpId
   }: TDeleteIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 
     const project = await projectDAL.findById(projectId);

backend/src/keystore/keystore.ts

@@ -23,8 +23,6 @@ export const KeyStorePrefixes = {
     `sync-integration-mutex-${projectId}-${environmentSlug}-${secretPath}` as const,
   SyncSecretIntegrationLastRunTimestamp: (projectId: string, environmentSlug: string, secretPath: string) =>
     `sync-integration-last-run-${projectId}-${environmentSlug}-${secretPath}` as const,
-  SecretSyncLock: (syncId: string) => `secret-sync-mutex-${syncId}` as const,
-  SecretSyncLastRunTimestamp: (syncId: string) => `secret-sync-last-run-${syncId}` as const,
   IdentityAccessTokenStatusUpdate: (identityAccessTokenId: string) =>
     `identity-access-token-status:${identityAccessTokenId}`,
   ServiceTokenStatusUpdate: (serviceTokenId: string) => `service-token-status:${serviceTokenId}`
@@ -32,7 +30,6 @@ export const KeyStorePrefixes = {
 
 export const KeyStoreTtls = {
   SetSyncSecretIntegrationLastRunTimestampInSeconds: 60,
-  SetSecretSyncLastRunTimestampInSeconds: 60,
   AccessTokenStatusUpdateInSeconds: 120
 };
 

backend/src/lib/api-docs/constants.ts

@@ -1,7 +1,5 @@
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-import { SECRET_SYNC_CONNECTION_MAP, SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 
 export const GROUPS = {
   CREATE: {
@@ -476,7 +474,7 @@ export const PROJECTS = {
   },
   ADD_GROUP_TO_PROJECT: {
     projectId: "The ID of the project to add the group to.",
-    groupIdOrName: "The ID or name of the group to add to the project.",
+    groupId: "The ID of the group to add to the project.",
     role: "The role for the group to assume in the project."
   },
   UPDATE_GROUP_IN_PROJECT: {
@@ -743,12 +741,6 @@ export const RAW_SECRETS = {
     workspaceId: "The ID of the project where the secret is located.",
     environment: "The slug of the environment where the the secret is located.",
     secretPath: "The folder path where the secret is located."
-  },
-  GET_ACCESS_LIST: {
-    secretName: "The name of the secret to get the access list for.",
-    workspaceId: "The ID of the project where the secret is located.",
-    environment: "The slug of the environment where the the secret is located.",
-    secretPath: "The folder path where the secret is located."
   }
 } as const;
 
@@ -828,8 +820,6 @@ export const AUDIT_LOGS = {
     projectId:
       "Optionally filter logs by project ID. If not provided, logs from the entire organization will be returned.",
     eventType: "The type of the event to export.",
-    secretPath:
-      "The path of the secret to query audit logs for. Note that the projectId parameter must also be provided.",
     userAgentType: "Choose which consuming application to export audit logs for.",
     eventMetadata:
       "Filter by event metadata key-value pairs. Formatted as `key1=value1,key2=value2`, with comma-separation.",
@@ -1160,8 +1150,7 @@ export const INTEGRATION = {
       shouldMaskSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Masked'.",
       shouldProtectSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Protected'.",
       shouldEnableDelete: "The flag to enable deletion of secrets.",
-      octopusDeployScopeValues: "Specifies the scope values to set on synced secrets to Octopus Deploy.",
-      metadataSyncMode: "The mode for syncing metadata to external system"
+      octopusDeployScopeValues: "Specifies the scope values to set on synced secrets to Octopus Deploy."
     }
   },
   UPDATE: {
@@ -1647,83 +1636,6 @@ export const AppConnections = {
     };
   },
   DELETE: (app: AppConnection) => ({
-    connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} Connection to be deleted.`
+    connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} connection to be deleted.`
   })
 };
-
-export const SecretSyncs = {
-  LIST: (destination?: SecretSync) => ({
-    projectId: `The ID of the project to list ${destination ? SECRET_SYNC_NAME_MAP[destination] : "Secret"} Syncs from.`
-  }),
-  GET_BY_ID: (destination: SecretSync) => ({
-    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to retrieve.`
-  }),
-  GET_BY_NAME: (destination: SecretSync) => ({
-    syncName: `The name of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to retrieve.`,
-    projectId: `The ID of the project the ${SECRET_SYNC_NAME_MAP[destination]} Sync is associated with.`
-  }),
-  CREATE: (destination: SecretSync) => {
-    const destinationName = SECRET_SYNC_NAME_MAP[destination];
-    return {
-      name: `The name of the ${destinationName} Sync to create. Must be slug-friendly.`,
-      description: `An optional description for the ${destinationName} Sync.`,
-      projectId: "The ID of the project to create the sync in.",
-      environment: `The slug of the project environment to sync secrets from.`,
-      secretPath: `The folder path to sync secrets from.`,
-      connectionId: `The ID of the ${
-        APP_CONNECTION_NAME_MAP[SECRET_SYNC_CONNECTION_MAP[destination]]
-      } Connection to use for syncing.`,
-      isAutoSyncEnabled: `Whether secrets should be automatically synced when changes occur at the source location or not.`,
-      syncOptions: "Optional parameters to modify how secrets are synced."
-    };
-  },
-  UPDATE: (destination: SecretSync) => {
-    const destinationName = SECRET_SYNC_NAME_MAP[destination];
-    return {
-      syncId: `The ID of the ${destinationName} Sync to be updated.`,
-      connectionId: `The updated ID of the ${
-        APP_CONNECTION_NAME_MAP[SECRET_SYNC_CONNECTION_MAP[destination]]
-      } Connection to use for syncing.`,
-      name: `The updated name of the ${destinationName} Sync. Must be slug-friendly.`,
-      environment: `The updated slug of the project environment to sync secrets from.`,
-      secretPath: `The updated folder path to sync secrets from.`,
-      description: `The updated description of the ${destinationName} Sync.`,
-      isAutoSyncEnabled: `Whether secrets should be automatically synced when changes occur at the source location or not.`,
-      syncOptions: "Optional parameters to modify how secrets are synced."
-    };
-  },
-  DELETE: (destination: SecretSync) => ({
-    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to be deleted.`,
-    removeSecrets: `Whether previously synced secrets should be removed prior to deletion.`
-  }),
-  SYNC_SECRETS: (destination: SecretSync) => ({
-    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger a sync for.`
-  }),
-  IMPORT_SECRETS: (destination: SecretSync) => ({
-    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger importing secrets for.`,
-    importBehavior: `Specify whether Infisical should prioritize secret values from Infisical or ${SECRET_SYNC_NAME_MAP[destination]}.`
-  }),
-  REMOVE_SECRETS: (destination: SecretSync) => ({
-    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger removing secrets for.`
-  }),
-  SYNC_OPTIONS: (destination: SecretSync) => {
-    const destinationName = SECRET_SYNC_NAME_MAP[destination];
-    return {
-      INITIAL_SYNC_BEHAVIOR: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`,
-      PREPEND_PREFIX: `Optionally prepend a prefix to your secrets' keys when syncing to ${destinationName}.`,
-      APPEND_SUFFIX: `Optionally append a suffix to your secrets' keys when syncing to ${destinationName}.`
-    };
-  },
-  DESTINATION_CONFIG: {
-    AWS_PARAMETER_STORE: {
-      REGION: "The AWS region to sync secrets to.",
-      PATH: "The Parameter Store path to sync secrets to."
-    },
-    GITHUB: {
-      ORG: "The name of the GitHub organization.",
-      OWNER: "The name of the GitHub account owner of the repository.",
-      REPO: "The name of the GitHub repository.",
-      ENV: "The name of the GitHub environment."
-    }
-  }
-};

backend/src/lib/config/env.ts

@@ -157,8 +157,6 @@ const envSchema = z
     INFISICAL_CLOUD: zodStrBool.default("false"),
     MAINTENANCE_MODE: zodStrBool.default("false"),
     CAPTCHA_SECRET: zpStr(z.string().optional()),
-    CAPTCHA_SITE_KEY: zpStr(z.string().optional()),
-    INTERCOM_ID: zpStr(z.string().optional()),
 
     // TELEMETRY
     OTEL_TELEMETRY_COLLECTION_ENABLED: zodStrBool.default("false"),
@@ -199,32 +197,7 @@ const envSchema = z
     INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET: zpStr(z.string().optional()),
     INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY: zpStr(z.string().optional()),
     INF_APP_CONNECTION_GITHUB_APP_SLUG: zpStr(z.string().optional()),
-    INF_APP_CONNECTION_GITHUB_APP_ID: zpStr(z.string().optional()),
-
-    // gcp app
-    INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL: zpStr(z.string().optional()),
-
-    /* CORS ----------------------------------------------------------------------------- */
-
-    CORS_ALLOWED_ORIGINS: zpStr(
-      z
-        .string()
-        .optional()
-        .transform((val) => {
-          if (!val) return undefined;
-          return JSON.parse(val) as string[];
-        })
-    ),
-
-    CORS_ALLOWED_HEADERS: zpStr(
-      z
-        .string()
-        .optional()
-        .transform((val) => {
-          if (!val) return undefined;
-          return JSON.parse(val) as string[];
-        })
-    )
+    INF_APP_CONNECTION_GITHUB_APP_ID: zpStr(z.string().optional())
   })
   // To ensure that basic encryption is always possible.
   .refine(

backend/src/lib/crypto/encryption.ts

@@ -116,7 +116,7 @@ export const decryptAsymmetric = ({ ciphertext, nonce, publicKey, privateKey }:
 
 export const generateSymmetricKey = (size = 32) => crypto.randomBytes(size).toString("base64");
 
-export const generateHash = (value: string | Buffer) => crypto.createHash("sha256").update(value).digest("hex");
+export const generateHash = (value: string) => crypto.createHash("sha256").update(value).digest("hex");
 
 export const generateAsymmetricKeyPair = () => {
   const pair = nacl.box.keyPair();

backend/src/lib/validator/index.ts

@@ -1,4 +1,3 @@
 export { isDisposableEmail } from "./validate-email";
 export { isValidFolderName, isValidSecretPath } from "./validate-folder-name";
 export { blockLocalAndPrivateIpAddresses } from "./validate-url";
-export { isUuidV4 } from "./validate-uuid";

backend/src/lib/validator/validate-uuid.ts

@@ -1,3 +0,0 @@
-import { z } from "zod";
-
-export const isUuidV4 = (uuid: string) => z.string().uuid().safeParse(uuid).success;

backend/src/queue/queue-service.ts

@@ -15,12 +15,6 @@ import {
   TIntegrationSyncPayload,
   TSyncSecretsDTO
 } from "@app/services/secret/secret-types";
-import {
-  TQueueSecretSyncImportSecretsByIdDTO,
-  TQueueSecretSyncRemoveSecretsByIdDTO,
-  TQueueSecretSyncSyncSecretsByIdDTO,
-  TQueueSendSecretSyncActionFailedNotificationsDTO
-} from "@app/services/secret-sync/secret-sync-types";
 
 export enum QueueName {
   SecretRotation = "secret-rotation",
@@ -42,8 +36,7 @@ export enum QueueName {
   SecretSync = "secret-sync", // parent queue to push integration sync, webhook, and secret replication
   ProjectV3Migration = "project-v3-migration",
   AccessTokenStatusUpdate = "access-token-status-update",
-  ImportSecretsFromExternalSource = "import-secrets-from-external-source",
-  AppConnectionSecretSync = "app-connection-secret-sync"
+  ImportSecretsFromExternalSource = "import-secrets-from-external-source"
 }
 
 export enum QueueJobs {
@@ -68,11 +61,7 @@ export enum QueueJobs {
   ProjectV3Migration = "project-v3-migration",
   IdentityAccessTokenStatusUpdate = "identity-access-token-status-update",
   ServiceTokenStatusUpdate = "service-token-status-update",
-  ImportSecretsFromExternalSource = "import-secrets-from-external-source",
-  SecretSyncSyncSecrets = "secret-sync-sync-secrets",
-  SecretSyncImportSecrets = "secret-sync-import-secrets",
-  SecretSyncRemoveSecrets = "secret-sync-remove-secrets",
-  SecretSyncSendActionFailedNotifications = "secret-sync-send-action-failed-notifications"
+  ImportSecretsFromExternalSource = "import-secrets-from-external-source"
 }
 
 export type TQueueJobTypes = {
@@ -195,23 +184,6 @@ export type TQueueJobTypes = {
       };
     };
   };
-  [QueueName.AppConnectionSecretSync]:
-    | {
-        name: QueueJobs.SecretSyncSyncSecrets;
-        payload: TQueueSecretSyncSyncSecretsByIdDTO;
-      }
-    | {
-        name: QueueJobs.SecretSyncImportSecrets;
-        payload: TQueueSecretSyncImportSecretsByIdDTO;
-      }
-    | {
-        name: QueueJobs.SecretSyncRemoveSecrets;
-        payload: TQueueSecretSyncRemoveSecretsByIdDTO;
-      }
-    | {
-        name: QueueJobs.SecretSyncSendActionFailedNotifications;
-        payload: TQueueSendSecretSyncActionFailedNotificationsDTO;
-      };
 };
 
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;

backend/src/server/app.ts

@@ -27,10 +27,10 @@ import { globalRateLimiterCfg } from "./config/rateLimiter";
 import { addErrorsToResponseSchemas } from "./plugins/add-errors-to-response-schemas";
 import { apiMetrics } from "./plugins/api-metrics";
 import { fastifyErrHandler } from "./plugins/error-handler";
+import { registerExternalNextjs } from "./plugins/external-nextjs";
 import { serializerCompiler, validatorCompiler, ZodTypeProvider } from "./plugins/fastify-zod";
 import { fastifyIp } from "./plugins/ip";
 import { maintenanceMode } from "./plugins/maintenanceMode";
-import { registerServeUI } from "./plugins/serve-ui";
 import { fastifySwagger } from "./plugins/swagger";
 import { registerRoutes } from "./routes";
 
@@ -87,16 +87,7 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
 
     await server.register<FastifyCorsOptions>(cors, {
       credentials: true,
-      ...(appCfg.CORS_ALLOWED_ORIGINS?.length
-        ? {
-            origin: [...appCfg.CORS_ALLOWED_ORIGINS, ...(appCfg.SITE_URL ? [appCfg.SITE_URL] : [])]
-          }
-        : {
-            origin: appCfg.SITE_URL || true
-          }),
-      ...(appCfg.CORS_ALLOWED_HEADERS?.length && {
-        allowedHeaders: appCfg.CORS_ALLOWED_HEADERS
-      })
+      origin: appCfg.SITE_URL || true
     });
 
     await server.register(addErrorsToResponseSchemas);
@@ -129,10 +120,13 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
 
     await server.register(registerRoutes, { smtp, queue, db, auditLogDb, keyStore, hsmModule });
 
-    await server.register(registerServeUI, {
-      standaloneMode: appCfg.STANDALONE_MODE || IS_PACKAGED,
-      dir: path.join(__dirname, IS_PACKAGED ? "../../../" : "../../")
-    });
+    if (appCfg.isProductionMode) {
+      await server.register(registerExternalNextjs, {
+        standaloneMode: appCfg.STANDALONE_MODE || IS_PACKAGED,
+        dir: path.join(__dirname, IS_PACKAGED ? "../../../" : "../../"),
+        port: appCfg.PORT
+      });
+    }
 
     await server.ready();
     server.swagger();

backend/src/server/plugins/audit-log.ts

@@ -32,21 +32,13 @@ export const getUserAgentType = (userAgent: string | undefined) => {
 export const injectAuditLogInfo = fp(async (server: FastifyZodProvider) => {
   server.decorateRequest("auditLogInfo", null);
   server.addHook("onRequest", async (req) => {
+    if (!req.auth) return;
     const userAgent = req.headers["user-agent"] ?? "";
     const payload = {
       ipAddress: req.realIp,
       userAgent,
       userAgentType: getUserAgentType(userAgent)
     } as typeof req.auditLogInfo;
-
-    if (!req.auth) {
-      payload.actor = {
-        type: ActorType.UNKNOWN_USER,
-        metadata: {}
-      };
-      req.auditLogInfo = payload;
-      return;
-    }
     if (req.auth.actor === ActorType.USER) {
       payload.actor = {
         type: ActorType.USER,

backend/src/server/plugins/external-nextjs.ts

@@ -0,0 +1,76 @@
+// this plugins allows to run infisical in standalone mode
+// standalone mode = infisical backend and nextjs frontend in one server
+// this way users don't need to deploy two things
+import path from "node:path";
+
+import { IS_PACKAGED } from "@app/lib/config/env";
+
+// to enabled this u need to set standalone mode to true
+export const registerExternalNextjs = async (
+  server: FastifyZodProvider,
+  {
+    standaloneMode,
+    dir,
+    port
+  }: {
+    standaloneMode?: boolean;
+    dir: string;
+    port: number;
+  }
+) => {
+  if (standaloneMode) {
+    const frontendName = IS_PACKAGED ? "frontend" : "frontend-build";
+    const nextJsBuildPath = path.join(dir, frontendName);
+
+    const { default: conf } = (await import(
+      path.join(dir, `${frontendName}/.next/required-server-files.json`),
+      // @ts-expect-error type
+      {
+        assert: { type: "json" }
+      }
+    )) as { default: { config: string } };
+
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    let NextServer: any;
+
+    if (!IS_PACKAGED) {
+      /* eslint-disable */
+      const { default: nextServer } = (
+        await import(path.join(dir, `${frontendName}/node_modules/next/dist/server/next-server.js`))
+      ).default;
+
+      NextServer = nextServer;
+    } else {
+      /* eslint-disable */
+      const nextServer = await import(path.join(dir, `${frontendName}/node_modules/next/dist/server/next-server.js`));
+
+      NextServer = nextServer.default;
+    }
+
+    const nextApp = new NextServer({
+      dev: false,
+      dir: nextJsBuildPath,
+      port,
+      conf: conf.config,
+      hostname: "local",
+      customServer: false
+    });
+
+    server.route({
+      method: ["GET", "PUT", "PATCH", "POST", "DELETE"],
+      url: "/*",
+      schema: {
+        hide: true
+      },
+      handler: (req, res) =>
+        nextApp
+          .getRequestHandler()(req.raw, res.raw)
+          .then(() => {
+            res.hijack();
+          })
+    });
+    server.addHook("onClose", () => nextApp.close());
+    await nextApp.prepare();
+    /* eslint-enable */
+  }
+};

backend/src/server/plugins/secret-scanner.ts

@@ -1,4 +1,3 @@
-import type { EmitterWebhookEventName } from "@octokit/webhooks/dist-types/types";
 import { PushEvent } from "@octokit/webhooks-types";
 import { Probot } from "probot";
 import SmeeClient from "smee-client";
@@ -55,14 +54,14 @@ export const registerSecretScannerGhApp = async (server: FastifyZodProvider) =>
         rateLimit: writeLimit
       },
       handler: async (req, res) => {
-        const eventName = req.headers["x-github-event"] as EmitterWebhookEventName;
+        const eventName = req.headers["x-github-event"];
         const signatureSHA256 = req.headers["x-hub-signature-256"] as string;
         const id = req.headers["x-github-delivery"] as string;
-
         await probot.webhooks.verifyAndReceive({
           id,
+          // @ts-expect-error type
           name: eventName,
-          payload: JSON.stringify(req.body),
+          payload: req.body as string,
           signature: signatureSHA256
         });
         void res.send("ok");

backend/src/server/plugins/serve-ui.ts

@@ -1,64 +0,0 @@
-import path from "node:path";
-
-import staticServe from "@fastify/static";
-
-import { getConfig, IS_PACKAGED } from "@app/lib/config/env";
-
-// to enabled this u need to set standalone mode to true
-export const registerServeUI = async (
-  server: FastifyZodProvider,
-  {
-    standaloneMode,
-    dir
-  }: {
-    standaloneMode?: boolean;
-    dir: string;
-  }
-) => {
-  // use this only for frontend runtime static non-sensitive configuration in standalone mode
-  // that app needs before loading like posthog dsn key
-  // for most of the other usecase use server config
-  server.route({
-    method: "GET",
-    url: "/runtime-ui-env.js",
-    schema: {
-      hide: true
-    },
-    handler: (_req, res) => {
-      const appCfg = getConfig();
-      void res.type("application/javascript");
-      const config = {
-        CAPTCHA_SITE_KEY: appCfg.CAPTCHA_SITE_KEY,
-        POSTHOG_API_KEY: appCfg.POSTHOG_PROJECT_API_KEY,
-        INTERCOM_ID: appCfg.INTERCOM_ID,
-        TELEMETRY_CAPTURING_ENABLED: appCfg.TELEMETRY_ENABLED
-      };
-      const js = `window.__INFISICAL_RUNTIME_ENV__ = Object.freeze(${JSON.stringify(config)});`;
-      void res.send(js);
-    }
-  });
-
-  if (standaloneMode) {
-    const frontendName = IS_PACKAGED ? "frontend" : "frontend-build";
-    const frontendPath = path.join(dir, frontendName);
-    await server.register(staticServe, {
-      root: frontendPath,
-      wildcard: false
-    });
-
-    server.route({
-      method: "GET",
-      url: "/*",
-      schema: {
-        hide: true
-      },
-      handler: (request, reply) => {
-        if (request.url.startsWith("/api")) {
-          reply.callNotFound();
-          return;
-        }
-        void reply.sendFile("index.html");
-      }
-    });
-  }
-};

backend/src/server/routes/index.ts

@@ -181,7 +181,6 @@ import { projectUserMembershipRoleDALFactory } from "@app/services/project-membe
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
 import { dailyResourceCleanUpQueueServiceFactory } from "@app/services/resource-cleanup/resource-cleanup-queue";
-import { resourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
 import { secretQueueFactory } from "@app/services/secret/secret-queue";
 import { secretServiceFactory } from "@app/services/secret/secret-service";
@@ -196,9 +195,6 @@ import { secretImportDALFactory } from "@app/services/secret-import/secret-impor
 import { secretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { secretSharingDALFactory } from "@app/services/secret-sharing/secret-sharing-dal";
 import { secretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
-import { secretSyncDALFactory } from "@app/services/secret-sync/secret-sync-dal";
-import { secretSyncQueueFactory } from "@app/services/secret-sync/secret-sync-queue";
-import { secretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { secretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
 import { secretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { secretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
@@ -321,7 +317,6 @@ export const registerRoutes = async (
   const trustedIpDAL = trustedIpDALFactory(db);
   const telemetryDAL = telemetryDALFactory(db);
   const appConnectionDAL = appConnectionDALFactory(db);
-  const secretSyncDAL = secretSyncDALFactory(db, folderDAL);
 
   // ee db layer ops
   const permissionDAL = permissionDALFactory(db);
@@ -379,7 +374,6 @@ export const registerRoutes = async (
   const externalGroupOrgRoleMappingDAL = externalGroupOrgRoleMappingDALFactory(db);
 
   const projectTemplateDAL = projectTemplateDALFactory(db);
-  const resourceMetadataDAL = resourceMetadataDALFactory(db);
 
   const permissionService = permissionServiceFactory({
     permissionDAL,
@@ -612,7 +606,6 @@ export const registerRoutes = async (
   });
   const superAdminService = superAdminServiceFactory({
     userDAL,
-    userAliasDAL,
     authService: loginService,
     serverCfgDAL: superAdminDAL,
     kmsRootConfigDAL,
@@ -828,29 +821,6 @@ export const registerRoutes = async (
     kmsService
   });
 
-  const secretSyncQueue = secretSyncQueueFactory({
-    queueService,
-    secretSyncDAL,
-    folderDAL,
-    secretImportDAL,
-    secretV2BridgeDAL,
-    kmsService,
-    keyStore,
-    auditLogService,
-    smtpService,
-    projectDAL,
-    projectMembershipDAL,
-    projectBotDAL,
-    secretDAL,
-    secretBlindIndexDAL,
-    secretVersionDAL,
-    secretTagDAL,
-    secretVersionTagDAL,
-    secretVersionV2BridgeDAL,
-    secretVersionTagV2BridgeDAL,
-    resourceMetadataDAL
-  });
-
   const secretQueueService = secretQueueFactory({
     keyStore,
     queueService,
@@ -884,9 +854,7 @@ export const registerRoutes = async (
     secretApprovalRequestDAL,
     projectKeyDAL,
     projectUserMembershipRoleDAL,
-    orgService,
-    resourceMetadataDAL,
-    secretSyncQueue
+    orgService
   });
 
   const projectService = projectServiceFactory({
@@ -923,8 +891,7 @@ export const registerRoutes = async (
     certificateTemplateDAL,
     projectSlackConfigDAL,
     slackIntegrationDAL,
-    projectTemplateService,
-    groupProjectDAL
+    projectTemplateService
   });
 
   const projectEnvService = projectEnvServiceFactory({
@@ -1013,8 +980,7 @@ export const registerRoutes = async (
     secretApprovalPolicyService,
     secretApprovalRequestSecretDAL,
     kmsService,
-    snapshotService,
-    resourceMetadataDAL
+    snapshotService
   });
 
   const secretApprovalRequestService = secretApprovalRequestServiceFactory({
@@ -1041,8 +1007,7 @@ export const registerRoutes = async (
     projectEnvDAL,
     userDAL,
     licenseService,
-    projectSlackConfigDAL,
-    resourceMetadataDAL
+    projectSlackConfigDAL
   });
 
   const secretService = secretServiceFactory({
@@ -1063,8 +1028,7 @@ export const registerRoutes = async (
     secretApprovalRequestDAL,
     secretApprovalRequestSecretDAL,
     secretV2BridgeService,
-    secretApprovalRequestService,
-    licenseService
+    secretApprovalRequestService
   });
 
   const secretSharingService = secretSharingServiceFactory({
@@ -1122,10 +1086,8 @@ export const registerRoutes = async (
     kmsService,
     secretV2BridgeDAL,
     secretVersionV2TagBridgeDAL: secretVersionTagV2BridgeDAL,
-    secretVersionV2BridgeDAL,
-    resourceMetadataDAL
+    secretVersionV2BridgeDAL
   });
-
   const secretRotationQueue = secretRotationQueueFactory({
     telemetryService,
     secretRotationDAL,
@@ -1377,8 +1339,7 @@ export const registerRoutes = async (
     folderDAL,
     secretDAL: secretV2BridgeDAL,
     queueService,
-    secretV2BridgeService,
-    resourceMetadataDAL
+    secretV2BridgeService
   });
 
   const migrationService = externalMigrationServiceFactory({
@@ -1397,17 +1358,8 @@ export const registerRoutes = async (
   const appConnectionService = appConnectionServiceFactory({
     appConnectionDAL,
     permissionService,
-    kmsService
-  });
-
-  const secretSyncService = secretSyncServiceFactory({
-    secretSyncDAL,
-    permissionService,
-    appConnectionService,
-    folderDAL,
-    secretSyncQueue,
-    projectBotService,
-    keyStore
+    kmsService,
+    licenseService
   });
 
   await superAdminService.initServerCfg();
@@ -1507,8 +1459,7 @@ export const registerRoutes = async (
     externalGroupOrgRoleMapping: externalGroupOrgRoleMappingService,
     projectTemplate: projectTemplateService,
     totp: totpService,
-    appConnection: appConnectionService,
-    secretSync: secretSyncService
+    appConnection: appConnectionService
   });
 
   const cronJobs: CronJob[] = [];

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -4,21 +4,18 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AwsConnectionListItemSchema, SanitizedAwsConnectionSchema } from "@app/services/app-connection/aws";
-import { GcpConnectionListItemSchema, SanitizedGcpConnectionSchema } from "@app/services/app-connection/gcp";
 import { GitHubConnectionListItemSchema, SanitizedGitHubConnectionSchema } from "@app/services/app-connection/github";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 // can't use discriminated due to multiple schemas for certain apps
 const SanitizedAppConnectionSchema = z.union([
   ...SanitizedAwsConnectionSchema.options,
-  ...SanitizedGitHubConnectionSchema.options,
-  ...SanitizedGcpConnectionSchema.options
+  ...SanitizedGitHubConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   AwsConnectionListItemSchema,
-  GitHubConnectionListItemSchema,
-  GcpConnectionListItemSchema
+  GitHubConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/apps/app-connection-endpoints.ts

@@ -15,7 +15,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
   app,
   createSchema,
   updateSchema,
-  sanitizedResponseSchema
+  responseSchema
 }: {
   app: AppConnection;
   server: FastifyZodProvider;
@@ -26,7 +26,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     description?: string | null;
   }>;
   updateSchema: z.ZodType<{ name?: string; credentials?: I["credentials"]; description?: string | null }>;
-  sanitizedResponseSchema: z.ZodTypeAny;
+  responseSchema: z.ZodTypeAny;
 }) => {
   const appName = APP_CONNECTION_NAME_MAP[app];
 
@@ -39,7 +39,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     schema: {
       description: `List the ${appName} Connections for the current organization.`,
       response: {
-        200: z.object({ appConnections: sanitizedResponseSchema.array() })
+        200: z.object({ appConnections: responseSchema.array() })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -63,44 +63,6 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     }
   });
 
-  server.route({
-    method: "GET",
-    url: "/available",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: `List the ${appName} Connections the current user has permission to establish connections with.`,
-      response: {
-        200: z.object({
-          appConnections: z.object({ app: z.literal(app), name: z.string(), id: z.string().uuid() }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const appConnections = await server.services.appConnection.listAvailableAppConnectionsForUser(
-        app,
-        req.permission
-      );
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.GET_AVAILABLE_APP_CONNECTIONS_DETAILS,
-          metadata: {
-            app,
-            count: appConnections.length,
-            connectionIds: appConnections.map((connection) => connection.id)
-          }
-        }
-      });
-
-      return { appConnections };
-    }
-  });
-
   server.route({
     method: "GET",
     url: "/:connectionId",
@@ -113,7 +75,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
         connectionId: z.string().uuid().describe(AppConnections.GET_BY_ID(app).connectionId)
       }),
       response: {
-        200: z.object({ appConnection: sanitizedResponseSchema })
+        200: z.object({ appConnection: responseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -143,7 +105,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
 
   server.route({
     method: "GET",
-    url: `/connection-name/:connectionName`,
+    url: `/name/:connectionName`,
     config: {
       rateLimit: readLimit
     },
@@ -152,12 +114,11 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
       params: z.object({
         connectionName: z
           .string()
-          .trim()
-          .min(1, "Connection name required")
+          .min(0, "Connection name required")
           .describe(AppConnections.GET_BY_NAME(app).connectionName)
       }),
       response: {
-        200: z.object({ appConnection: sanitizedResponseSchema })
+        200: z.object({ appConnection: responseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -197,7 +158,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
       } ${appName} Connection for the current organization.`,
       body: createSchema,
       response: {
-        200: z.object({ appConnection: sanitizedResponseSchema })
+        200: z.object({ appConnection: responseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -207,7 +168,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
       const appConnection = (await server.services.appConnection.createAppConnection(
         { name, method, app, credentials, description },
         req.permission
-      )) as T;
+      )) as TAppConnection;
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
@@ -240,7 +201,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
       }),
       body: updateSchema,
       response: {
-        200: z.object({ appConnection: sanitizedResponseSchema })
+        200: z.object({ appConnection: responseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
@@ -283,7 +244,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
         connectionId: z.string().uuid().describe(AppConnections.DELETE(app).connectionId)
       }),
       response: {
-        200: z.object({ appConnection: sanitizedResponseSchema })
+        200: z.object({ appConnection: responseSchema })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),

backend/src/server/routes/v1/app-connection-routers/apps/aws-connection-router.ts

@@ -11,7 +11,7 @@ export const registerAwsConnectionRouter = async (server: FastifyZodProvider) =>
   registerAppConnectionEndpoints({
     app: AppConnection.AWS,
     server,
-    sanitizedResponseSchema: SanitizedAwsConnectionSchema,
+    responseSchema: SanitizedAwsConnectionSchema,
     createSchema: CreateAwsConnectionSchema,
     updateSchema: UpdateAwsConnectionSchema
   });

backend/src/server/routes/v1/app-connection-routers/apps/github-connection-router.ts

@@ -0,0 +1,17 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateGitHubConnectionSchema,
+  SanitizedGitHubConnectionSchema,
+  UpdateGitHubConnectionSchema
+} from "@app/services/app-connection/github";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerGitHubConnectionRouter = async (server: FastifyZodProvider) =>
+  registerAppConnectionEndpoints({
+    app: AppConnection.GitHub,
+    server,
+    responseSchema: SanitizedGitHubConnectionSchema,
+    createSchema: CreateGitHubConnectionSchema,
+    updateSchema: UpdateGitHubConnectionSchema
+  });

backend/src/server/routes/v1/app-connection-routers/apps/index.ts

@@ -0,0 +1,8 @@
+import { registerAwsConnectionRouter } from "@app/server/routes/v1/app-connection-routers/apps/aws-connection-router";
+import { registerGitHubConnectionRouter } from "@app/server/routes/v1/app-connection-routers/apps/github-connection-router";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const APP_CONNECTION_REGISTER_MAP: Record<AppConnection, (server: FastifyZodProvider) => Promise<void>> = {
+  [AppConnection.AWS]: registerAwsConnectionRouter,
+  [AppConnection.GitHub]: registerGitHubConnectionRouter
+};

backend/src/server/routes/v1/app-connection-routers/gcp-connection-router.ts

@@ -1,48 +0,0 @@
-import z from "zod";
-
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import {
-  CreateGcpConnectionSchema,
-  SanitizedGcpConnectionSchema,
-  UpdateGcpConnectionSchema
-} from "@app/services/app-connection/gcp";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
-
-export const registerGcpConnectionRouter = async (server: FastifyZodProvider) => {
-  registerAppConnectionEndpoints({
-    app: AppConnection.GCP,
-    server,
-    sanitizedResponseSchema: SanitizedGcpConnectionSchema,
-    createSchema: CreateGcpConnectionSchema,
-    updateSchema: UpdateGcpConnectionSchema
-  });
-
-  // The below endpoints are not exposed and for Infisical App use
-  server.route({
-    method: "GET",
-    url: `/:connectionId/secret-manager-projects`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      response: {
-        200: z.object({ id: z.string(), name: z.string() }).array()
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-
-      const projects = await server.services.appConnection.gcp.listSecretManagerProjects(connectionId, req.permission);
-
-      return projects;
-    }
-  });
-};

backend/src/server/routes/v1/app-connection-routers/github-connection-router.ts

@@ -1,117 +0,0 @@
-import { z } from "zod";
-
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import {
-  CreateGitHubConnectionSchema,
-  SanitizedGitHubConnectionSchema,
-  UpdateGitHubConnectionSchema
-} from "@app/services/app-connection/github";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
-
-export const registerGitHubConnectionRouter = async (server: FastifyZodProvider) => {
-  registerAppConnectionEndpoints({
-    app: AppConnection.GitHub,
-    server,
-    sanitizedResponseSchema: SanitizedGitHubConnectionSchema,
-    createSchema: CreateGitHubConnectionSchema,
-    updateSchema: UpdateGitHubConnectionSchema
-  });
-
-  // The below endpoints are not exposed and for Infisical App use
-
-  server.route({
-    method: "GET",
-    url: `/:connectionId/repositories`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      response: {
-        200: z.object({
-          repositories: z
-            .object({ id: z.number(), name: z.string(), owner: z.object({ login: z.string(), id: z.number() }) })
-            .array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-
-      const repositories = await server.services.appConnection.github.listRepositories(connectionId, req.permission);
-
-      return { repositories };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: `/:connectionId/organizations`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      response: {
-        200: z.object({
-          organizations: z.object({ id: z.number(), login: z.string() }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-
-      const organizations = await server.services.appConnection.github.listOrganizations(connectionId, req.permission);
-
-      return { organizations };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: `/:connectionId/environments`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      querystring: z.object({
-        repo: z.string().min(1, "Repository name is required"),
-        owner: z.string().min(1, "Repository owner name is required")
-      }),
-      response: {
-        200: z.object({
-          environments: z.object({ id: z.number(), name: z.string() }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-      const { repo, owner } = req.query;
-
-      const environments = await server.services.appConnection.github.listEnvironments(
-        {
-          connectionId,
-          repo,
-          owner
-        },
-        req.permission
-      );
-
-      return { environments };
-    }
-  });
-};

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -1,14 +1,2 @@
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-import { registerAwsConnectionRouter } from "./aws-connection-router";
-import { registerGcpConnectionRouter } from "./gcp-connection-router";
-import { registerGitHubConnectionRouter } from "./github-connection-router";
-
 export * from "./app-connection-router";
-
-export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server: FastifyZodProvider) => Promise<void>> =
-  {
-    [AppConnection.AWS]: registerAwsConnectionRouter,
-    [AppConnection.GitHub]: registerGitHubConnectionRouter,
-    [AppConnection.GCP]: registerGcpConnectionRouter
-  };
+export * from "./apps";

backend/src/server/routes/v1/auth-router.ts

@@ -63,8 +63,7 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
     schema: {
       response: {
         200: z.object({
-          token: z.string(),
-          organizationId: z.string().optional()
+          token: z.string()
         })
       }
     },
@@ -116,7 +115,7 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
         { expiresIn: appCfg.JWT_AUTH_LIFETIME }
       );
 
-      return { token, organizationId: decodedToken.organizationId };
+      return { token };
     }
   });
 };

backend/src/server/routes/v1/dashboard-router.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { z } from "zod";
 
-import { ActionProjectType, SecretFoldersSchema, SecretImportsSchema, SecretTagsSchema } from "@app/db/schemas";
+import { SecretFoldersSchema, SecretImportsSchema, SecretTagsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import {
   ProjectPermissionDynamicSecretActions,
@@ -17,7 +17,6 @@ import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
@@ -117,7 +116,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
-              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -220,14 +218,13 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           totalCount: totalFolderCount ?? 0
         };
 
-      const { permission } = await server.services.permission.getProjectPermission({
-        actor: req.permission.type,
-        actorId: req.permission.id,
+      const { permission } = await server.services.permission.getProjectPermission(
+        req.permission.type,
+        req.permission.id,
         projectId,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        actionProjectType: ActionProjectType.SecretManager
-      });
+        req.permission.authMethod,
+        req.permission.orgId
+      );
 
       const allowedDynamicSecretEnvironments = // filter envs user has access to
         environments.filter((environment) =>
@@ -411,7 +408,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
-              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -697,7 +693,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
-              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -869,7 +864,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
-              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -79,44 +79,44 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
       params: z.object({
         identityId: z.string().trim().describe(AWS_AUTH.ATTACH.identityId)
       }),
-      body: z
-        .object({
-          stsEndpoint: z
-            .string()
-            .trim()
-            .min(1)
-            .default("https://sts.amazonaws.com/")
-            .describe(AWS_AUTH.ATTACH.stsEndpoint),
-          allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.ATTACH.allowedPrincipalArns),
-          allowedAccountIds: validateAccountIds.describe(AWS_AUTH.ATTACH.allowedAccountIds),
-          accessTokenTrustedIps: z
-            .object({
-              ipAddress: z.string().trim()
-            })
-            .array()
-            .min(1)
-            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-            .describe(AWS_AUTH.ATTACH.accessTokenTrustedIps),
-          accessTokenTTL: z
-            .number()
-            .int()
-            .min(0)
-            .max(315360000)
-            .default(2592000)
-            .describe(AWS_AUTH.ATTACH.accessTokenTTL),
-          accessTokenMaxTTL: z
-            .number()
-            .int()
-            .min(1)
-            .max(315360000)
-            .default(2592000)
-            .describe(AWS_AUTH.ATTACH.accessTokenMaxTTL),
-          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(AWS_AUTH.ATTACH.accessTokenNumUsesLimit)
-        })
-        .refine(
-          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
-          "Access Token TTL cannot be greater than Access Token Max TTL."
-        ),
+      body: z.object({
+        stsEndpoint: z
+          .string()
+          .trim()
+          .min(1)
+          .default("https://sts.amazonaws.com/")
+          .describe(AWS_AUTH.ATTACH.stsEndpoint),
+        allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.ATTACH.allowedPrincipalArns),
+        allowedAccountIds: validateAccountIds.describe(AWS_AUTH.ATTACH.allowedAccountIds),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(AWS_AUTH.ATTACH.accessTokenTrustedIps),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(1)
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenTTL must have a non zero number"
+          })
+          .default(2592000)
+          .describe(AWS_AUTH.ATTACH.accessTokenTTL),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .default(2592000)
+          .describe(AWS_AUTH.ATTACH.accessTokenMaxTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(AWS_AUTH.ATTACH.accessTokenNumUsesLimit)
+      }),
       response: {
         200: z.object({
           identityAwsAuth: IdentityAwsAuthsSchema
@@ -172,33 +172,30 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
       params: z.object({
         identityId: z.string().describe(AWS_AUTH.UPDATE.identityId)
       }),
-      body: z
-        .object({
-          stsEndpoint: z.string().trim().min(1).optional().describe(AWS_AUTH.UPDATE.stsEndpoint),
-          allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.UPDATE.allowedPrincipalArns),
-          allowedAccountIds: validateAccountIds.describe(AWS_AUTH.UPDATE.allowedAccountIds),
-          accessTokenTrustedIps: z
-            .object({
-              ipAddress: z.string().trim()
-            })
-            .array()
-            .min(1)
-            .optional()
-            .describe(AWS_AUTH.UPDATE.accessTokenTrustedIps),
-          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AWS_AUTH.UPDATE.accessTokenTTL),
-          accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(AWS_AUTH.UPDATE.accessTokenNumUsesLimit),
-          accessTokenMaxTTL: z
-            .number()
-            .int()
-            .max(315360000)
-            .min(0)
-            .optional()
-            .describe(AWS_AUTH.UPDATE.accessTokenMaxTTL)
-        })
-        .refine(
-          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
-          "Access Token TTL cannot be greater than Access Token Max TTL."
-        ),
+      body: z.object({
+        stsEndpoint: z.string().trim().min(1).optional().describe(AWS_AUTH.UPDATE.stsEndpoint),
+        allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.UPDATE.allowedPrincipalArns),
+        allowedAccountIds: validateAccountIds.describe(AWS_AUTH.UPDATE.allowedAccountIds),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .optional()
+          .describe(AWS_AUTH.UPDATE.accessTokenTrustedIps),
+        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AWS_AUTH.UPDATE.accessTokenTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(AWS_AUTH.UPDATE.accessTokenNumUsesLimit),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .optional()
+          .describe(AWS_AUTH.UPDATE.accessTokenMaxTTL)
+      }),
       response: {
         200: z.object({
           identityAwsAuth: IdentityAwsAuthsSchema

backend/src/server/routes/v1/identity-azure-auth-router.ts

@@ -76,44 +76,39 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
       params: z.object({
         identityId: z.string().trim().describe(AZURE_AUTH.LOGIN.identityId)
       }),
-      body: z
-        .object({
-          tenantId: z.string().trim().describe(AZURE_AUTH.ATTACH.tenantId),
-          resource: z.string().trim().describe(AZURE_AUTH.ATTACH.resource),
-          allowedServicePrincipalIds: validateAzureAuthField.describe(AZURE_AUTH.ATTACH.allowedServicePrincipalIds),
-          accessTokenTrustedIps: z
-            .object({
-              ipAddress: z.string().trim()
-            })
-            .array()
-            .min(1)
-            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-            .describe(AZURE_AUTH.ATTACH.accessTokenTrustedIps),
-          accessTokenTTL: z
-            .number()
-            .int()
-            .min(0)
-            .max(315360000)
-            .default(2592000)
-            .describe(AZURE_AUTH.ATTACH.accessTokenTTL),
-          accessTokenMaxTTL: z
-            .number()
-            .int()
-            .min(0)
-            .max(315360000)
-            .default(2592000)
-            .describe(AZURE_AUTH.ATTACH.accessTokenMaxTTL),
-          accessTokenNumUsesLimit: z
-            .number()
-            .int()
-            .min(0)
-            .default(0)
-            .describe(AZURE_AUTH.ATTACH.accessTokenNumUsesLimit)
-        })
-        .refine(
-          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
-          "Access Token TTL cannot be greater than Access Token Max TTL."
-        ),
+      body: z.object({
+        tenantId: z.string().trim().describe(AZURE_AUTH.ATTACH.tenantId),
+        resource: z.string().trim().describe(AZURE_AUTH.ATTACH.resource),
+        allowedServicePrincipalIds: validateAzureAuthField.describe(AZURE_AUTH.ATTACH.allowedServicePrincipalIds),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(AZURE_AUTH.ATTACH.accessTokenTrustedIps),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(1)
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenTTL must have a non zero number"
+          })
+          .default(2592000)
+          .describe(AZURE_AUTH.ATTACH.accessTokenTTL),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .default(2592000)
+          .describe(AZURE_AUTH.ATTACH.accessTokenMaxTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(AZURE_AUTH.ATTACH.accessTokenNumUsesLimit)
+      }),
       response: {
         200: z.object({
           identityAzureAuth: IdentityAzureAuthsSchema
@@ -168,40 +163,32 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
       params: z.object({
         identityId: z.string().trim().describe(AZURE_AUTH.UPDATE.identityId)
       }),
-      body: z
-        .object({
-          tenantId: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.tenantId),
-          resource: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.resource),
-          allowedServicePrincipalIds: validateAzureAuthField
-            .optional()
-            .describe(AZURE_AUTH.UPDATE.allowedServicePrincipalIds),
-          accessTokenTrustedIps: z
-            .object({
-              ipAddress: z.string().trim()
-            })
-            .array()
-            .min(1)
-            .optional()
-            .describe(AZURE_AUTH.UPDATE.accessTokenTrustedIps),
-          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AZURE_AUTH.UPDATE.accessTokenTTL),
-          accessTokenNumUsesLimit: z
-            .number()
-            .int()
-            .min(0)
-            .optional()
-            .describe(AZURE_AUTH.UPDATE.accessTokenNumUsesLimit),
-          accessTokenMaxTTL: z
-            .number()
-            .int()
-            .max(315360000)
-            .min(0)
-            .optional()
-            .describe(AZURE_AUTH.UPDATE.accessTokenMaxTTL)
-        })
-        .refine(
-          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
-          "Access Token TTL cannot be greater than Access Token Max TTL."
-        ),
+      body: z.object({
+        tenantId: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.tenantId),
+        resource: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.resource),
+        allowedServicePrincipalIds: validateAzureAuthField
+          .optional()
+          .describe(AZURE_AUTH.UPDATE.allowedServicePrincipalIds),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .optional()
+          .describe(AZURE_AUTH.UPDATE.accessTokenTrustedIps),
+        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AZURE_AUTH.UPDATE.accessTokenTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(AZURE_AUTH.UPDATE.accessTokenNumUsesLimit),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .optional()
+          .describe(AZURE_AUTH.UPDATE.accessTokenMaxTTL)
+      }),
       response: {
         200: z.object({
           identityAzureAuth: IdentityAzureAuthsSchema

backend/src/server/routes/v1/identity-gcp-auth-router.ts

@@ -74,40 +74,40 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
       params: z.object({
         identityId: z.string().trim().describe(GCP_AUTH.ATTACH.identityId)
       }),
-      body: z
-        .object({
-          type: z.enum(["iam", "gce"]),
-          allowedServiceAccounts: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedServiceAccounts),
-          allowedProjects: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedProjects),
-          allowedZones: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedZones),
-          accessTokenTrustedIps: z
-            .object({
-              ipAddress: z.string().trim()
-            })
-            .array()
-            .min(1)
-            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-            .describe(GCP_AUTH.ATTACH.accessTokenTrustedIps),
-          accessTokenTTL: z
-            .number()
-            .int()
-            .min(0)
-            .max(315360000)
-            .default(2592000)
-            .describe(GCP_AUTH.ATTACH.accessTokenTTL),
-          accessTokenMaxTTL: z
-            .number()
-            .int()
-            .min(0)
-            .max(315360000)
-            .default(2592000)
-            .describe(GCP_AUTH.ATTACH.accessTokenMaxTTL),
-          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(GCP_AUTH.ATTACH.accessTokenNumUsesLimit)
-        })
-        .refine(
-          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
-          "Access Token TTL cannot be greater than Access Token Max TTL."
-        ),
+      body: z.object({
+        type: z.enum(["iam", "gce"]),
+        allowedServiceAccounts: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedServiceAccounts),
+        allowedProjects: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedProjects),
+        allowedZones: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedZones),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(GCP_AUTH.ATTACH.accessTokenTrustedIps),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(1)
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenTTL must have a non zero number"
+          })
+          .default(2592000)
+          .describe(GCP_AUTH.ATTACH.accessTokenTTL),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .default(2592000)
+          .describe(GCP_AUTH.ATTACH.accessTokenMaxTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(GCP_AUTH.ATTACH.accessTokenNumUsesLimit)
+      }),
       response: {
         200: z.object({
           identityGcpAuth: IdentityGcpAuthsSchema
@@ -164,34 +164,31 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
       params: z.object({
         identityId: z.string().trim().describe(GCP_AUTH.UPDATE.identityId)
       }),
-      body: z
-        .object({
-          type: z.enum(["iam", "gce"]).optional(),
-          allowedServiceAccounts: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedServiceAccounts),
-          allowedProjects: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedProjects),
-          allowedZones: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedZones),
-          accessTokenTrustedIps: z
-            .object({
-              ipAddress: z.string().trim()
-            })
-            .array()
-            .min(1)
-            .optional()
-            .describe(GCP_AUTH.UPDATE.accessTokenTrustedIps),
-          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(GCP_AUTH.UPDATE.accessTokenTTL),
-          accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(GCP_AUTH.UPDATE.accessTokenNumUsesLimit),
-          accessTokenMaxTTL: z
-            .number()
-            .int()
-            .min(0)
-            .max(315360000)
-            .optional()
-            .describe(GCP_AUTH.UPDATE.accessTokenMaxTTL)
-        })
-        .refine(
-          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
-          "Access Token TTL cannot be greater than Access Token Max TTL."
-        ),
+      body: z.object({
+        type: z.enum(["iam", "gce"]).optional(),
+        allowedServiceAccounts: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedServiceAccounts),
+        allowedProjects: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedProjects),
+        allowedZones: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedZones),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .optional()
+          .describe(GCP_AUTH.UPDATE.accessTokenTrustedIps),
+        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(GCP_AUTH.UPDATE.accessTokenTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(GCP_AUTH.UPDATE.accessTokenNumUsesLimit),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .optional()
+          .describe(GCP_AUTH.UPDATE.accessTokenMaxTTL)
+      }),
       response: {
         200: z.object({
           identityGcpAuth: IdentityGcpAuthsSchema

backend/src/server/routes/v1/identity-jwt-auth-router.ts

@@ -34,12 +34,23 @@ const CreateBaseSchema = z.object({
     .min(1)
     .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
     .describe(JWT_AUTH.ATTACH.accessTokenTrustedIps),
-  accessTokenTTL: z.number().int().min(0).max(315360000).default(2592000).describe(JWT_AUTH.ATTACH.accessTokenTTL),
+  accessTokenTTL: z
+    .number()
+    .int()
+    .min(1)
+    .max(315360000)
+    .refine((value) => value !== 0, {
+      message: "accessTokenTTL must have a non zero number"
+    })
+    .default(2592000)
+    .describe(JWT_AUTH.ATTACH.accessTokenTTL),
   accessTokenMaxTTL: z
     .number()
     .int()
-    .min(0)
     .max(315360000)
+    .refine((value) => value !== 0, {
+      message: "accessTokenMaxTTL must have a non zero number"
+    })
     .default(2592000)
     .describe(JWT_AUTH.ATTACH.accessTokenMaxTTL),
   accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(JWT_AUTH.ATTACH.accessTokenNumUsesLimit)
@@ -59,12 +70,23 @@ const UpdateBaseSchema = z
       .min(1)
       .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
       .describe(JWT_AUTH.UPDATE.accessTokenTrustedIps),
-    accessTokenTTL: z.number().int().min(0).max(315360000).default(2592000).describe(JWT_AUTH.UPDATE.accessTokenTTL),
+    accessTokenTTL: z
+      .number()
+      .int()
+      .min(1)
+      .max(315360000)
+      .refine((value) => value !== 0, {
+        message: "accessTokenTTL must have a non zero number"
+      })
+      .default(2592000)
+      .describe(JWT_AUTH.UPDATE.accessTokenTTL),
     accessTokenMaxTTL: z
       .number()
       .int()
-      .min(0)
       .max(315360000)
+      .refine((value) => value !== 0, {
+        message: "accessTokenMaxTTL must have a non zero number"
+      })
       .default(2592000)
       .describe(JWT_AUTH.UPDATE.accessTokenMaxTTL),
     accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(JWT_AUTH.UPDATE.accessTokenNumUsesLimit)

backend/src/server/routes/v1/identity-kubernetes-auth-router.ts

@@ -87,47 +87,47 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
       params: z.object({
         identityId: z.string().trim().describe(KUBERNETES_AUTH.ATTACH.identityId)
       }),
-      body: z
-        .object({
-          kubernetesHost: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.kubernetesHost),
-          caCert: z.string().trim().default("").describe(KUBERNETES_AUTH.ATTACH.caCert),
-          tokenReviewerJwt: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.tokenReviewerJwt),
-          allowedNamespaces: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNamespaces), // TODO: validation
-          allowedNames: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNames),
-          allowedAudience: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedAudience),
-          accessTokenTrustedIps: z
-            .object({
-              ipAddress: z.string().trim()
-            })
-            .array()
-            .min(1)
-            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-            .describe(KUBERNETES_AUTH.ATTACH.accessTokenTrustedIps),
-          accessTokenTTL: z
-            .number()
-            .int()
-            .min(0)
-            .max(315360000)
-            .default(2592000)
-            .describe(KUBERNETES_AUTH.ATTACH.accessTokenTTL),
-          accessTokenMaxTTL: z
-            .number()
-            .int()
-            .min(0)
-            .max(315360000)
-            .default(2592000)
-            .describe(KUBERNETES_AUTH.ATTACH.accessTokenMaxTTL),
-          accessTokenNumUsesLimit: z
-            .number()
-            .int()
-            .min(0)
-            .default(0)
-            .describe(KUBERNETES_AUTH.ATTACH.accessTokenNumUsesLimit)
-        })
-        .refine(
-          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
-          "Access Token TTL cannot be greater than Access Token Max TTL."
-        ),
+      body: z.object({
+        kubernetesHost: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.kubernetesHost),
+        caCert: z.string().trim().default("").describe(KUBERNETES_AUTH.ATTACH.caCert),
+        tokenReviewerJwt: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.tokenReviewerJwt),
+        allowedNamespaces: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNamespaces), // TODO: validation
+        allowedNames: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNames),
+        allowedAudience: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedAudience),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(KUBERNETES_AUTH.ATTACH.accessTokenTrustedIps),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(1)
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenTTL must have a non zero number"
+          })
+          .default(2592000)
+          .describe(KUBERNETES_AUTH.ATTACH.accessTokenTTL),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .default(2592000)
+          .describe(KUBERNETES_AUTH.ATTACH.accessTokenMaxTTL),
+        accessTokenNumUsesLimit: z
+          .number()
+          .int()
+          .min(0)
+          .default(0)
+          .describe(KUBERNETES_AUTH.ATTACH.accessTokenNumUsesLimit)
+      }),
       response: {
         200: z.object({
           identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
@@ -183,47 +183,44 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
       params: z.object({
         identityId: z.string().describe(KUBERNETES_AUTH.UPDATE.identityId)
       }),
-      body: z
-        .object({
-          kubernetesHost: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.kubernetesHost),
-          caCert: z.string().trim().optional().describe(KUBERNETES_AUTH.UPDATE.caCert),
-          tokenReviewerJwt: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.tokenReviewerJwt),
-          allowedNamespaces: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNamespaces), // TODO: validation
-          allowedNames: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNames),
-          allowedAudience: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedAudience),
-          accessTokenTrustedIps: z
-            .object({
-              ipAddress: z.string().trim()
-            })
-            .array()
-            .min(1)
-            .optional()
-            .describe(KUBERNETES_AUTH.UPDATE.accessTokenTrustedIps),
-          accessTokenTTL: z
-            .number()
-            .int()
-            .min(0)
-            .max(315360000)
-            .optional()
-            .describe(KUBERNETES_AUTH.UPDATE.accessTokenTTL),
-          accessTokenNumUsesLimit: z
-            .number()
-            .int()
-            .min(0)
-            .optional()
-            .describe(KUBERNETES_AUTH.UPDATE.accessTokenNumUsesLimit),
-          accessTokenMaxTTL: z
-            .number()
-            .int()
-            .min(0)
-            .max(315360000)
-            .optional()
-            .describe(KUBERNETES_AUTH.UPDATE.accessTokenMaxTTL)
-        })
-        .refine(
-          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
-          "Access Token TTL cannot be greater than Access Token Max TTL."
-        ),
+      body: z.object({
+        kubernetesHost: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.kubernetesHost),
+        caCert: z.string().trim().optional().describe(KUBERNETES_AUTH.UPDATE.caCert),
+        tokenReviewerJwt: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.tokenReviewerJwt),
+        allowedNamespaces: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNamespaces), // TODO: validation
+        allowedNames: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNames),
+        allowedAudience: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedAudience),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .optional()
+          .describe(KUBERNETES_AUTH.UPDATE.accessTokenTrustedIps),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(0)
+          .max(315360000)
+          .optional()
+          .describe(KUBERNETES_AUTH.UPDATE.accessTokenTTL),
+        accessTokenNumUsesLimit: z
+          .number()
+          .int()
+          .min(0)
+          .optional()
+          .describe(KUBERNETES_AUTH.UPDATE.accessTokenNumUsesLimit),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .optional()
+          .describe(KUBERNETES_AUTH.UPDATE.accessTokenMaxTTL)
+      }),
       response: {
         200: z.object({
           identityKubernetesAuth: IdentityKubernetesAuthResponseSchema

backend/src/server/routes/v1/identity-oidc-auth-router.ts

@@ -87,42 +87,42 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
       params: z.object({
         identityId: z.string().trim().describe(OIDC_AUTH.ATTACH.identityId)
       }),
-      body: z
-        .object({
-          oidcDiscoveryUrl: z.string().url().min(1).describe(OIDC_AUTH.ATTACH.oidcDiscoveryUrl),
-          caCert: z.string().trim().default("").describe(OIDC_AUTH.ATTACH.caCert),
-          boundIssuer: z.string().min(1).describe(OIDC_AUTH.ATTACH.boundIssuer),
-          boundAudiences: validateOidcAuthAudiencesField.describe(OIDC_AUTH.ATTACH.boundAudiences),
-          boundClaims: validateOidcBoundClaimsField.describe(OIDC_AUTH.ATTACH.boundClaims),
-          boundSubject: z.string().optional().default("").describe(OIDC_AUTH.ATTACH.boundSubject),
-          accessTokenTrustedIps: z
-            .object({
-              ipAddress: z.string().trim()
-            })
-            .array()
-            .min(1)
-            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-            .describe(OIDC_AUTH.ATTACH.accessTokenTrustedIps),
-          accessTokenTTL: z
-            .number()
-            .int()
-            .min(0)
-            .max(315360000)
-            .default(2592000)
-            .describe(OIDC_AUTH.ATTACH.accessTokenTTL),
-          accessTokenMaxTTL: z
-            .number()
-            .int()
-            .min(0)
-            .max(315360000)
-            .default(2592000)
-            .describe(OIDC_AUTH.ATTACH.accessTokenMaxTTL),
-          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OIDC_AUTH.ATTACH.accessTokenNumUsesLimit)
-        })
-        .refine(
-          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
-          "Access Token TTL cannot be greater than Access Token Max TTL."
-        ),
+      body: z.object({
+        oidcDiscoveryUrl: z.string().url().min(1).describe(OIDC_AUTH.ATTACH.oidcDiscoveryUrl),
+        caCert: z.string().trim().default("").describe(OIDC_AUTH.ATTACH.caCert),
+        boundIssuer: z.string().min(1).describe(OIDC_AUTH.ATTACH.boundIssuer),
+        boundAudiences: validateOidcAuthAudiencesField.describe(OIDC_AUTH.ATTACH.boundAudiences),
+        boundClaims: validateOidcBoundClaimsField.describe(OIDC_AUTH.ATTACH.boundClaims),
+        boundSubject: z.string().optional().default("").describe(OIDC_AUTH.ATTACH.boundSubject),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(OIDC_AUTH.ATTACH.accessTokenTrustedIps),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(1)
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenTTL must have a non zero number"
+          })
+          .default(2592000)
+          .describe(OIDC_AUTH.ATTACH.accessTokenTTL),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .default(2592000)
+          .describe(OIDC_AUTH.ATTACH.accessTokenMaxTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OIDC_AUTH.ATTACH.accessTokenNumUsesLimit)
+      }),
       response: {
         200: z.object({
           identityOidcAuth: IdentityOidcAuthResponseSchema
@@ -202,24 +202,26 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
           accessTokenTTL: z
             .number()
             .int()
-            .min(0)
+            .min(1)
             .max(315360000)
+            .refine((value) => value !== 0, {
+              message: "accessTokenTTL must have a non zero number"
+            })
             .default(2592000)
             .describe(OIDC_AUTH.UPDATE.accessTokenTTL),
           accessTokenMaxTTL: z
             .number()
             .int()
-            .min(0)
             .max(315360000)
+            .refine((value) => value !== 0, {
+              message: "accessTokenMaxTTL must have a non zero number"
+            })
             .default(2592000)
             .describe(OIDC_AUTH.UPDATE.accessTokenMaxTTL),
+
           accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OIDC_AUTH.UPDATE.accessTokenNumUsesLimit)
         })
-        .partial()
-        .refine(
-          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
-          "Access Token TTL cannot be greater than Access Token Max TTL."
-        ),
+        .partial(),
       response: {
         200: z.object({
           identityOidcAuth: IdentityOidcAuthResponseSchema