add slack notification message on success

.env.example

@@ -26,8 +26,7 @@ SITE_URL=http://localhost:8080
 # Mail/SMTP 
 SMTP_HOST=
 SMTP_PORT=
-SMTP_FROM_ADDRESS=
-SMTP_FROM_NAME=
+SMTP_NAME=
 SMTP_USERNAME=
 SMTP_PASSWORD=
 
@@ -92,24 +91,17 @@ ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=true
 
 # App Connections
 
-# aws assume-role connection
+# aws assume-role
 INF_APP_CONNECTION_AWS_ACCESS_KEY_ID=
 INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY=
 
-# github oauth connection
+# github oauth
 INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET=
 
-#github app connection
+#github app
 INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET=
 INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
 INF_APP_CONNECTION_GITHUB_APP_SLUG=
-INF_APP_CONNECTION_GITHUB_APP_ID=
-
-#gcp app connection
-INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
-
-# azure app connection
-INF_APP_CONNECTION_AZURE_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_CLIENT_SECRET=
+INF_APP_CONNECTION_GITHUB_APP_ID=

.github/actions/notify-slack/action.yaml

@@ -0,0 +1,42 @@
+name: notify-slack
+description: notify slack
+inputs:
+  channel:
+    description: channel to send message
+    required: true
+  token:
+    description: token with chat:write and chat:write.public permissions
+    required: true
+  message:
+    description: message formatted in Markdown
+    required: true
+runs:
+  using: composite
+  steps:
+    # see https://api.slack.com/tutorials/tracks/posting-messages-with-curl#let-us-hello-then__making-your-messages-more-fantastic
+    - name: notify-slack
+      shell: bash
+      run: |
+        curl https://slack.com/api/chat.postMessage \
+        -X POST --fail --silent --show-error \
+        -H "Authorization: Bearer ${SLACK_TOKEN}" \
+        -H "Content-type: application/json; charset=utf-8" \
+        --data @<(yq -pjson -ojson '.channel = env(SLACK_CHANNEL) | .blocks[0].text.text = env(MESSAGE)' <<'EOF'
+        {
+          "channel": "<replace me>",
+          "blocks": [
+            {
+              "type": "section",
+              "text": {
+                "type": "mrkdwn",
+                "text": "<replace me>"
+              }
+            }
+          ]
+        }
+        EOF
+        ) >/dev/null
+      env:
+        SLACK_CHANNEL: ${{ inputs.channel }}
+        SLACK_TOKEN: ${{ inputs.token }}
+        MESSAGE: ${{ inputs.message }}

.github/workflows/check-fe-ts-and-lint.yml

@@ -18,18 +18,18 @@ jobs:
     steps:
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
-      - name: 🔧 Setup Node 20
+      - name: 🔧 Setup Node 16
         uses: actions/setup-node@v3
         with:
-          node-version: "20"
+          node-version: "16"
           cache: "npm"
           cache-dependency-path: frontend/package-lock.json
       - name: 📦 Install dependencies
         run: npm install
         working-directory: frontend
       - name: 🏗️ Run Type check
-        run: npm run type:check
+        run: npm run type:check 
         working-directory: frontend
       - name: 🏗️ Run Link check
-        run: npm run lint:fix
+        run: npm run lint:fix 
         working-directory: frontend

.github/workflows/deployment-pipeline.yml

@@ -0,0 +1,230 @@
+name: Deployment pipeline
+on: [workflow_dispatch]
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  infisical-tests:
+    name: Integration tests
+    # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
+    uses: ./.github/workflows/run-backend-tests.yml
+    
+  infisical-image:
+    name: Build
+    runs-on: ubuntu-latest
+    needs: [infisical-tests]
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 🏗️ Build backend and push to docker hub
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          file: Dockerfile.standalone-infisical
+          tags: |
+            infisical/staging_infisical:${{ steps.commit.outputs.short }}
+            infisical/staging_infisical:latest
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            INFISICAL_PLATFORM_VERSION=${{ steps.commit.outputs.short }}
+    
+  gamma-deployment:
+    name: Deploy to gamma
+    runs-on: ubuntu-latest
+    needs: [infisical-image]
+    environment:
+      name: Gamma
+    steps:
+      - uses: twingate/github-action@v1
+        with:
+          # The Twingate Service Key used to connect Twingate to the proper service
+          # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
+          #
+          # Required
+          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v2
+        with:
+          node-version: "20"
+      - name: Change directory to backend and install dependencies
+        env:
+          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+        run: |
+          cd backend
+          npm install
+          npm run migration:latest
+      - name: Configure AWS Credentials 
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::905418227878:role/deploy-new-ecs-img
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: Download task definition
+        run: |
+          aws ecs describe-task-definition --task-definition infisical-core-gamma-stage --query taskDefinition > task-definition.json
+      - name: Render Amazon ECS task definition
+        id: render-web-container
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        with:
+          task-definition: task-definition.json
+          container-name: infisical-core
+          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
+          environment-variables: "LOG_LEVEL=info"
+      - name: Deploy to Amazon ECS service
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        with:
+          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
+          service: infisical-core-gamma-stage
+          cluster: infisical-gamma-stage
+          wait-for-service-stability: true
+      # only notify of success because continue-on-error is so tricky, see https://www.kenmuse.com/blog/how-to-handle-step-and-job-errors-in-github-actions/
+      - uses: ./.github/actions/notify-slack
+        with:
+          token: ${{ secrets.SLACK_TOKEN }}
+          channel: ${{ secrets.SLACK_CHANNEL }}
+          message: deployed infisical/staging_infisical:${{ steps.commit.outputs.short }} to ${{ vars.ENVIRONMENT }}
+
+  production-us:
+    name: US production deploy 
+    runs-on: ubuntu-latest
+    needs: [gamma-deployment]
+    environment:
+      name: Production
+    steps:
+      - uses: twingate/github-action@v1
+        with:
+        # The Twingate Service Key used to connect Twingate to the proper service
+        # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
+        #
+        # Required
+          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v2
+        with:
+          node-version: "20"
+      - name: Change directory to backend and install dependencies
+        env:
+          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+          AUDIT_LOGS_DB_CONNECTION_URI: ${{ secrets.AUDIT_LOGS_DB_CONNECTION_URI }}
+        run: |
+          cd backend
+          npm install
+          npm run migration:latest
+      - name: Configure AWS Credentials 
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::381492033652:role/gha-make-prod-deployment
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: Download task definition
+        run: |
+          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
+      - name: Render Amazon ECS task definition
+        id: render-web-container
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        with:
+          task-definition: task-definition.json
+          container-name: infisical-core-platform
+          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
+          environment-variables: "LOG_LEVEL=info"
+      - name: Deploy to Amazon ECS service
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        with:
+          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
+          service: infisical-core-platform
+          cluster: infisical-core-platform
+          wait-for-service-stability: true
+      # only notify of success because continue-on-error is so tricky, see https://www.kenmuse.com/blog/how-to-handle-step-and-job-errors-in-github-actions/
+      - uses: ./.github/actions/notify-slack
+        with:
+          token: ${{ secrets.SLACK_TOKEN }}
+          channel: ${{ secrets.SLACK_CHANNEL }}
+          message: deployed infisical/staging_infisical:${{ steps.commit.outputs.short }} to ${{ vars.ENVIRONMENT }}
+
+  production-eu:
+      name: EU production deploy
+      runs-on: ubuntu-latest
+      needs: [production-us]
+      environment:
+        name: production-eu
+      steps:
+        - uses: twingate/github-action@v1
+          with:
+            service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
+        - name: Configure AWS Credentials 
+          uses: aws-actions/configure-aws-credentials@v4
+          with:
+            audience: sts.amazonaws.com
+            aws-region: eu-central-1
+            role-to-assume: arn:aws:iam::345594589636:role/gha-make-prod-deployment
+        - name: Checkout code
+          uses: actions/checkout@v2
+        - name: Setup Node.js environment
+          uses: actions/setup-node@v2
+          with:
+            node-version: "20"
+        - name: Change directory to backend and install dependencies
+          env:
+            DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+          run: |
+            cd backend
+            npm install
+            npm run migration:latest
+        - name: Save commit hashes for tag
+          id: commit
+          uses: pr-mpt/actions-commit-hash@v2
+        - name: Download task definition
+          run: |
+            aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
+        - name: Render Amazon ECS task definition
+          id: render-web-container
+          uses: aws-actions/amazon-ecs-render-task-definition@v1
+          with:
+            task-definition: task-definition.json
+            container-name: infisical-core-platform
+            image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
+            environment-variables: "LOG_LEVEL=info"
+        - name: Deploy to Amazon ECS service
+          uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+          with:
+            task-definition: ${{ steps.render-web-container.outputs.task-definition }}
+            service: infisical-core-platform
+            cluster: infisical-core-platform
+            wait-for-service-stability: true
+      # only notify of success because continue-on-error is so tricky, see https://www.kenmuse.com/blog/how-to-handle-step-and-job-errors-in-github-actions/
+      - uses: ./.github/actions/notify-slack
+        with:
+          token: ${{ secrets.SLACK_TOKEN }}
+          channel: ${{ secrets.SLACK_CHANNEL }}
+          message: deployed infisical/staging_infisical:${{ steps.commit.outputs.short }} to ${{ vars.ENVIRONMENT }}

.github/workflows/helm_chart_release.yml

@@ -1,4 +1,4 @@
-name: Release Infisical Core Helm chart
+name: Release Helm Charts
 
 on: [workflow_dispatch]
 
@@ -17,6 +17,6 @@ jobs:
       - name: Install Cloudsmith CLI
         run: pip install --upgrade cloudsmith-cli
       - name: Build and push helm package to Cloudsmith
-        run: cd helm-charts && sh upload-infisical-core-helm-cloudsmith.sh
+        run: cd helm-charts && sh upload-to-cloudsmith.sh
         env:
           CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/release_docker_k8_operator.yaml

@@ -1,4 +1,4 @@
-name: Release image + Helm chart K8s Operator
+name: Release Docker image for K8 operator
 on:
   push:
     tags:
@@ -35,18 +35,3 @@ jobs:
           tags: |
             infisical/kubernetes-operator:latest
             infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}
-
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.10.0
-      - name: Install python
-        uses: actions/setup-python@v4
-      - name: Install Cloudsmith CLI
-        run: pip install --upgrade cloudsmith-cli
-      - name: Build and push helm package to Cloudsmith
-        run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
-        env:
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.infisicalignore

@@ -7,4 +7,3 @@ docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
 docs/mint.json:generic-api-key:651
 backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134
-docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:104

Dockerfile.fips.standalone-infisical

@@ -8,7 +8,7 @@ FROM node:20-slim AS base
 FROM base AS frontend-dependencies
 WORKDIR /app
 
-COPY frontend/package.json frontend/package-lock.json  ./
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
 
 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@@ -23,16 +23,17 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .
 
 ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV VITE_POSTHOG_HOST $POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV VITE_INTERCOM_ID $INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 
 # Build
 RUN npm run build
@@ -43,10 +44,20 @@ WORKDIR /app
 
 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
 
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
+RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown non-root-user:nodejs ./public/data
+
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
 
 USER non-root-user
 
+ENV NEXT_TELEMETRY_DISABLED 1
+
 ##
 ## BACKEND
 ##
@@ -126,7 +137,7 @@ RUN apt-get update && apt-get install -y \
     freetds-dev \
     freetds-bin \
     tdsodbc \
-    openssh-client \
+    openssh \
     && rm -rf /var/lib/apt/lists/*
 
 # Configure ODBC in production
@@ -149,11 +160,14 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates
 
 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+    BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV INTERCOM_ID=$INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+    BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
 WORKDIR / 
 
@@ -178,4 +192,4 @@ EXPOSE 443
 
 USER non-root-user
 
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]

Dockerfile.standalone-infisical

@@ -12,7 +12,7 @@ RUN apk add --no-cache libc6-compat
 
 WORKDIR /app
 
-COPY frontend/package.json frontend/package-lock.json  ./
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
 
 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@@ -27,16 +27,17 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .
 
 ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV VITE_POSTHOG_HOST $POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV VITE_INTERCOM_ID $INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 
 # Build
 RUN npm run build
@@ -48,10 +49,20 @@ WORKDIR /app
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 non-root-user
 
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
+RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown non-root-user:nodejs ./public/data
+
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
 
 USER non-root-user
 
+ENV NEXT_TELEMETRY_DISABLED 1
+
 ##
 ## BACKEND
 ##
@@ -148,11 +159,14 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates
 
 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV INTERCOM_ID=$INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+  BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
 
 COPY --from=backend-runner /app /backend
@@ -175,4 +189,4 @@ EXPOSE 443
 
 USER non-root-user
 
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]

Makefile

@@ -30,6 +30,3 @@ reviewable-api:
 	npm run type:check
 
 reviewable: reviewable-ui reviewable-api
-
-up-dev-sso:
-	docker compose -f docker-compose.dev.yml --profile sso up --build

README.md

@@ -56,7 +56,7 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical Kubernetes Operator](https://infisical.com/docs/documentation/getting-started/kubernetes)**: Deliver secrets to your Kubernetes workloads and automatically reload deployments.
 - **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)**: Inject secrets into applications without modifying any code logic.
 
-### Infisical (Internal) PKI:
+### Internal PKI:
 
 - **[Private Certificate Authority](https://infisical.com/docs/documentation/platform/pki/private-ca)**: Create CA hierarchies, configure [certificate templates](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) for policy enforcement, and start issuing X.509 certificates.
 - **[Certificate Management](https://infisical.com/docs/documentation/platform/pki/certificates)**: Manage the certificate lifecycle from [issuance](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) to [revocation](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-revoking-certificates) with support for CRL.
@@ -64,17 +64,12 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical PKI Issuer for Kubernetes](https://infisical.com/docs/documentation/platform/pki/pki-issuer)**: Deliver TLS certificates to your Kubernetes workloads with automatic renewal.
 - **[Enrollment over Secure Transport](https://infisical.com/docs/documentation/platform/pki/est)**: Enroll and manage certificates via EST protocol.
 
-### Infisical Key Management System (KMS):
+### Key Management (KMS):
 
 - **[Cryptographic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
 - **[Encrypt and Decrypt Data](https://infisical.com/docs/documentation/platform/kms#guide-to-encrypting-data)**: Use symmetric keys to encrypt and decrypt data.
 
-### Infisical SSH
-
-- **[Signed SSH Certificates](https://infisical.com/docs/documentation/platform/ssh)**: Issue ephemeral SSH credentials for secure, short-lived, and centralized access to infrastructure.
-
 ### General Platform:
-
 - **Authentication Methods**: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method ([Kubernetes Auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth), [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth), [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth), [OIDC Auth](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general), [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth)).
 - **[Access Controls](https://infisical.com/docs/documentation/platform/access-controls/overview)**: Define advanced authorization controls for users and machine identities with [RBAC](https://infisical.com/docs/documentation/platform/access-controls/role-based-access-controls), [additional privileges](https://infisical.com/docs/documentation/platform/access-controls/additional-privileges), [temporary access](https://infisical.com/docs/documentation/platform/access-controls/temporary-access), [access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests), [approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows), and more.
 - **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)**: Track every action taken on the platform.
@@ -125,7 +120,7 @@ Install pre commit hook to scan each commit before you push to your repository
 infisical scan install --pre-commit-hook
 ```
 
-Learn about Infisical's code scanning feature [here](https://infisical.com/docs/cli/scanning-overview)
+Lean about Infisical's code scanning feature [here](https://infisical.com/docs/cli/scanning-overview)
 
 ## Open-source vs. paid
 

backend/e2e-test/routes/v3/secrets-v2.spec.ts

@@ -535,107 +535,6 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
       );
     });
 
-    test.each(secretTestCases)("Bulk upsert secrets in path $path", async ({ secret, path }) => {
-      const updateSharedSecRes = await testServer.inject({
-        method: "PATCH",
-        url: `/api/v3/secrets/batch/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: {
-          workspaceId: seedData1.projectV3.id,
-          environment: seedData1.environment.slug,
-          secretPath: path,
-          mode: "upsert",
-          secrets: Array.from(Array(5)).map((_e, i) => ({
-            secretKey: `BULK-${secret.key}-${i + 1}`,
-            secretValue: "update-value",
-            secretComment: secret.comment
-          }))
-        }
-      });
-      expect(updateSharedSecRes.statusCode).toBe(200);
-      const updateSharedSecPayload = JSON.parse(updateSharedSecRes.payload);
-      expect(updateSharedSecPayload).toHaveProperty("secrets");
-
-      // bulk ones should exist
-      const secrets = await getSecrets(seedData1.environment.slug, path);
-      expect(secrets).toEqual(
-        expect.arrayContaining(
-          Array.from(Array(5)).map((_e, i) =>
-            expect.objectContaining({
-              secretKey: `BULK-${secret.key}-${i + 1}`,
-              secretValue: "update-value",
-              type: SecretType.Shared
-            })
-          )
-        )
-      );
-      await Promise.all(
-        Array.from(Array(5)).map((_e, i) => deleteSecret({ path, key: `BULK-${secret.key}-${i + 1}` }))
-      );
-    });
-
-    test("Bulk upsert secrets in path multiple paths", async () => {
-      const firstBatchSecrets = Array.from(Array(5)).map((_e, i) => ({
-        secretKey: `BULK-KEY-${secretTestCases[0].secret.key}-${i + 1}`,
-        secretValue: "update-value",
-        secretComment: "comment",
-        secretPath: secretTestCases[0].path
-      }));
-      const secondBatchSecrets = Array.from(Array(5)).map((_e, i) => ({
-        secretKey: `BULK-KEY-${secretTestCases[1].secret.key}-${i + 1}`,
-        secretValue: "update-value",
-        secretComment: "comment",
-        secretPath: secretTestCases[1].path
-      }));
-      const testSecrets = [...firstBatchSecrets, ...secondBatchSecrets];
-
-      const updateSharedSecRes = await testServer.inject({
-        method: "PATCH",
-        url: `/api/v3/secrets/batch/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: {
-          workspaceId: seedData1.projectV3.id,
-          environment: seedData1.environment.slug,
-          mode: "upsert",
-          secrets: testSecrets
-        }
-      });
-      expect(updateSharedSecRes.statusCode).toBe(200);
-      const updateSharedSecPayload = JSON.parse(updateSharedSecRes.payload);
-      expect(updateSharedSecPayload).toHaveProperty("secrets");
-
-      // bulk ones should exist
-      const firstBatchSecretsOnInfisical = await getSecrets(seedData1.environment.slug, secretTestCases[0].path);
-      expect(firstBatchSecretsOnInfisical).toEqual(
-        expect.arrayContaining(
-          firstBatchSecrets.map((el) =>
-            expect.objectContaining({
-              secretKey: el.secretKey,
-              secretValue: "update-value",
-              type: SecretType.Shared
-            })
-          )
-        )
-      );
-      const secondBatchSecretsOnInfisical = await getSecrets(seedData1.environment.slug, secretTestCases[1].path);
-      expect(secondBatchSecretsOnInfisical).toEqual(
-        expect.arrayContaining(
-          secondBatchSecrets.map((el) =>
-            expect.objectContaining({
-              secretKey: el.secretKey,
-              secretValue: "update-value",
-              type: SecretType.Shared
-            })
-          )
-        )
-      );
-      await Promise.all(testSecrets.map((el) => deleteSecret({ path: el.secretPath, key: el.secretKey })));
-    });
-
     test.each(secretTestCases)("Bulk delete secrets in path $path", async ({ secret, path }) => {
       await Promise.all(
         Array.from(Array(5)).map((_e, i) => createSecret({ ...secret, key: `BULK-${secret.key}-${i + 1}`, path }))

backend/e2e-test/vitest-environment-knex.ts

@@ -23,14 +23,14 @@ export default {
   name: "knex-env",
   transformMode: "ssr",
   async setup() {
-    const logger = initLogger();
-    const envConfig = initEnvConfig(logger);
+    const logger = await initLogger();
+    const cfg = initEnvConfig(logger);
     const db = initDbConnection({
-      dbConnectionUri: envConfig.DB_CONNECTION_URI,
-      dbRootCert: envConfig.DB_ROOT_CERT
+      dbConnectionUri: cfg.DB_CONNECTION_URI,
+      dbRootCert: cfg.DB_ROOT_CERT
     });
 
-    const redis = new Redis(envConfig.REDIS_URL);
+    const redis = new Redis(cfg.REDIS_URL);
     await redis.flushdb("SYNC");
 
     try {
@@ -42,7 +42,6 @@ export default {
         },
         true
       );
-
       await db.migrate.latest({
         directory: path.join(__dirname, "../src/db/migrations"),
         extension: "ts",
@@ -53,24 +52,14 @@ export default {
         directory: path.join(__dirname, "../src/db/seeds"),
         extension: "ts"
       });
-
       const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(envConfig.REDIS_URL, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
-      const keyStore = keyStoreFactory(envConfig.REDIS_URL);
+      const queue = queueServiceFactory(cfg.REDIS_URL, { dbConnectionUrl: cfg.DB_CONNECTION_URI });
+      const keyStore = keyStoreFactory(cfg.REDIS_URL);
 
-      const hsmModule = initializeHsmModule(envConfig);
+      const hsmModule = initializeHsmModule();
       hsmModule.initialize();
 
-      const server = await main({
-        db,
-        smtp,
-        logger,
-        queue,
-        keyStore,
-        hsmModule: hsmModule.getModule(),
-        redis,
-        envConfig
-      });
+      const server = await main({ db, smtp, logger, queue, keyStore, hsmModule: hsmModule.getModule(), redis });
 
       // @ts-expect-error type
       globalThis.testServer = server;
@@ -84,8 +73,8 @@ export default {
           organizationId: seedData1.organization.id,
           accessVersion: 1
         },
-        envConfig.AUTH_SECRET,
-        { expiresIn: envConfig.JWT_AUTH_LIFETIME }
+        cfg.AUTH_SECRET,
+        { expiresIn: cfg.JWT_AUTH_LIFETIME }
       );
     } catch (error) {
       // eslint-disable-next-line
@@ -120,4 +109,3 @@ export default {
     };
   }
 };
-

backend/package.json

@@ -45,24 +45,24 @@
     "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
     "generate:component": "tsx ./scripts/create-backend-file.ts",
     "generate:schema": "tsx ./scripts/generate-schema-types.ts && eslint --fix --ext ts ./src/db/schemas",
-    "auditlog-migration:latest": "node ./dist/db/rename-migrations-to-mjs.mjs && knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:latest",
-    "auditlog-migration:up": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:up",
-    "auditlog-migration:down": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:down",
-    "auditlog-migration:list": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:list",
-    "auditlog-migration:status": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:status",
-    "auditlog-migration:unlock": "knex --knexfile ./dist/db/auditlog-knexfile.mjs migrate:unlock",
-    "auditlog-migration:rollback": "knex --knexfile ./dist/db/auditlog-knexfile.mjs migrate:rollback",
+    "auditlog-migration:latest": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:latest",
+    "auditlog-migration:up": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:up",
+    "auditlog-migration:down": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:down",
+    "auditlog-migration:list": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:list",
+    "auditlog-migration:status": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:status",
+    "auditlog-migration:unlock": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:unlock",
+    "auditlog-migration:rollback": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:rollback",
     "migration:new": "tsx ./scripts/create-migration.ts",
-    "migration:up": "npm run auditlog-migration:up && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:up",
-    "migration:down": "npm run auditlog-migration:down && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:down",
-    "migration:list": "npm run auditlog-migration:list && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:list",
-    "migration:latest": "node ./dist/db/rename-migrations-to-mjs.mjs && npm run auditlog-migration:latest && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:latest",
-    "migration:status": "npm run auditlog-migration:status && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:status",
-    "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./dist/db/knexfile.mjs migrate:rollback",
-    "migration:unlock": "npm run auditlog-migration:unlock && knex --knexfile ./dist/db/knexfile.mjs migrate:unlock",
+    "migration:up": "npm run auditlog-migration:up && knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
+    "migration:down": "npm run auditlog-migration:down && knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
+    "migration:list": "npm run auditlog-migration:list && knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
+    "migration:latest": "npm run auditlog-migration:latest && knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
+    "migration:status": "npm run auditlog-migration:status && knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
+    "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./src/db/knexfile.ts migrate:rollback",
+    "migration:unlock": "npm run auditlog-migration:unlock && knex --knexfile ./src/db/knexfile.ts migrate:unlock",
     "migrate:org": "tsx ./scripts/migrate-organization.ts",
     "seed:new": "tsx ./scripts/create-seed-file.ts",
-    "seed": "knex --knexfile ./dist/db/knexfile.ts --client pg seed:run",
+    "seed": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
     "db:reset": "npm run migration:rollback -- --all && npm run migration:latest"
   },
   "keywords": [],
@@ -129,19 +129,18 @@
     "@fastify/etag": "^5.1.0",
     "@fastify/formbody": "^7.4.0",
     "@fastify/helmet": "^11.1.1",
-    "@fastify/multipart": "8.3.1",
+    "@fastify/multipart": "8.3.0",
     "@fastify/passport": "^2.4.0",
     "@fastify/rate-limit": "^9.0.0",
     "@fastify/request-context": "^5.1.0",
     "@fastify/session": "^10.7.0",
-    "@fastify/static": "^7.0.4",
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
     "@google-cloud/kms": "^4.5.0",
     "@node-saml/passport-saml": "^4.0.4",
-    "@octokit/auth-app": "^7.1.5",
-    "@octokit/plugin-retry": "^7.1.4",
-    "@octokit/rest": "^21.1.1",
+    "@octokit/auth-app": "^7.1.1",
+    "@octokit/plugin-retry": "^5.0.5",
+    "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",
     "@octopusdeploy/api-client": "^3.4.1",
     "@opentelemetry/api": "^1.9.0",
@@ -156,8 +155,8 @@
     "@peculiar/x509": "^1.12.1",
     "@serdnam/pino-cloudwatch-transport": "^1.0.4",
     "@sindresorhus/slugify": "1.1.0",
-    "@slack/oauth": "^3.0.2",
-    "@slack/web-api": "^7.8.0",
+    "@slack/oauth": "^3.0.1",
+    "@slack/web-api": "^7.3.4",
     "@ucast/mongo2js": "^1.3.4",
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
@@ -189,10 +188,9 @@
     "mongodb": "^6.8.1",
     "ms": "^2.1.3",
     "mysql2": "^3.9.8",
-    "nanoid": "^3.3.8",
+    "nanoid": "^3.3.4",
     "nodemailer": "^6.9.9",
     "odbc": "^2.4.9",
-    "openai": "^4.85.4",
     "openid-client": "^5.6.5",
     "ora": "^7.0.1",
     "oracledb": "^6.4.0",

backend/src/@types/fastify.d.ts

@@ -16,9 +16,6 @@ import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/extern
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TIdentityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
-import { TKmipClientDALFactory } from "@app/ee/services/kmip/kmip-client-dal";
-import { TKmipOperationServiceFactory } from "@app/ee/services/kmip/kmip-operation-service";
-import { TKmipServiceFactory } from "@app/ee/services/kmip/kmip-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
@@ -45,7 +42,6 @@ import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
-import { TAutomatedSecurityServiceFactory } from "@app/services/automated-security/automated-security-service";
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
@@ -84,7 +80,6 @@ import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-
 import { TSecretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { TSecretReplicationServiceFactory } from "@app/services/secret-replication/secret-replication-service";
 import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
-import { TSecretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
 import { TSlackServiceFactory } from "@app/services/slack/slack-service";
@@ -97,12 +92,6 @@ import { TUserEngagementServiceFactory } from "@app/services/user-engagement/use
 import { TWebhookServiceFactory } from "@app/services/webhook/webhook-service";
 import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integration/workflow-integration-service";
 
-declare module "@fastify/request-context" {
-  interface RequestContextData {
-    reqId: string;
-  }
-}
-
 declare module "fastify" {
   interface Session {
     callbackPort: string;
@@ -130,11 +119,6 @@ declare module "fastify" {
       isUserCompleted: string;
       providerAuthToken: string;
     };
-    kmipUser: {
-      projectId: string;
-      clientId: string;
-      name: string;
-    };
     auditLogInfo: Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
     ssoConfig: Awaited<ReturnType<TSamlConfigServiceFactory["getSaml"]>>;
     ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>>;
@@ -226,16 +210,11 @@ declare module "fastify" {
       projectTemplate: TProjectTemplateServiceFactory;
       totp: TTotpServiceFactory;
       appConnection: TAppConnectionServiceFactory;
-      secretSync: TSecretSyncServiceFactory;
-      kmip: TKmipServiceFactory;
-      kmipOperation: TKmipOperationServiceFactory;
-      automatedSecurity: TAutomatedSecurityServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer
     store: {
       user: Pick<TUserDALFactory, "findById">;
-      kmipClient: Pick<TKmipClientDALFactory, "findByProjectAndClientId">;
     };
   }
 }

backend/src/@types/knex.d.ts

@@ -29,9 +29,6 @@ import {
   TAuthTokenSessionsUpdate,
   TAuthTokensInsert,
   TAuthTokensUpdate,
-  TAutomatedSecurityReports,
-  TAutomatedSecurityReportsInsert,
-  TAutomatedSecurityReportsUpdate,
   TBackupPrivateKey,
   TBackupPrivateKeyInsert,
   TBackupPrivateKeyUpdate,
@@ -116,9 +113,6 @@ import {
   TIdentityOrgMemberships,
   TIdentityOrgMembershipsInsert,
   TIdentityOrgMembershipsUpdate,
-  TIdentityProfile,
-  TIdentityProfileInsert,
-  TIdentityProfileUpdate,
   TIdentityProjectAdditionalPrivilege,
   TIdentityProjectAdditionalPrivilegeInsert,
   TIdentityProjectAdditionalPrivilegeUpdate,
@@ -149,18 +143,6 @@ import {
   TInternalKms,
   TInternalKmsInsert,
   TInternalKmsUpdate,
-  TKmipClientCertificates,
-  TKmipClientCertificatesInsert,
-  TKmipClientCertificatesUpdate,
-  TKmipClients,
-  TKmipClientsInsert,
-  TKmipClientsUpdate,
-  TKmipOrgConfigs,
-  TKmipOrgConfigsInsert,
-  TKmipOrgConfigsUpdate,
-  TKmipOrgServerCertificates,
-  TKmipOrgServerCertificatesInsert,
-  TKmipOrgServerCertificatesUpdate,
   TKmsKeys,
   TKmsKeysInsert,
   TKmsKeysUpdate,
@@ -236,9 +218,6 @@ import {
   TRateLimit,
   TRateLimitInsert,
   TRateLimitUpdate,
-  TResourceMetadata,
-  TResourceMetadataInsert,
-  TResourceMetadataUpdate,
   TSamlConfigs,
   TSamlConfigsInsert,
   TSamlConfigsUpdate,
@@ -390,7 +369,6 @@ import {
   TExternalGroupOrgRoleMappingsInsert,
   TExternalGroupOrgRoleMappingsUpdate
 } from "@app/db/schemas/external-group-org-role-mappings";
-import { TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate } from "@app/db/schemas/secret-syncs";
 import {
   TSecretV2TagJunction,
   TSecretV2TagJunctionInsert,
@@ -909,42 +887,10 @@ declare module "knex/types/tables" {
       TProjectSplitBackfillIdsInsert,
       TProjectSplitBackfillIdsUpdate
     >;
-    [TableName.ResourceMetadata]: KnexOriginal.CompositeTableType<
-      TResourceMetadata,
-      TResourceMetadataInsert,
-      TResourceMetadataUpdate
-    >;
     [TableName.AppConnection]: KnexOriginal.CompositeTableType<
       TAppConnections,
       TAppConnectionsInsert,
       TAppConnectionsUpdate
     >;
-    [TableName.SecretSync]: KnexOriginal.CompositeTableType<TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate>;
-    [TableName.KmipClient]: KnexOriginal.CompositeTableType<TKmipClients, TKmipClientsInsert, TKmipClientsUpdate>;
-    [TableName.KmipOrgConfig]: KnexOriginal.CompositeTableType<
-      TKmipOrgConfigs,
-      TKmipOrgConfigsInsert,
-      TKmipOrgConfigsUpdate
-    >;
-    [TableName.KmipOrgServerCertificates]: KnexOriginal.CompositeTableType<
-      TKmipOrgServerCertificates,
-      TKmipOrgServerCertificatesInsert,
-      TKmipOrgServerCertificatesUpdate
-    >;
-    [TableName.KmipClientCertificates]: KnexOriginal.CompositeTableType<
-      TKmipClientCertificates,
-      TKmipClientCertificatesInsert,
-      TKmipClientCertificatesUpdate
-    >;
-    [TableName.IdentityProfile]: KnexOriginal.CompositeTableType<
-      TIdentityProfile,
-      TIdentityProfileInsert,
-      TIdentityProfileUpdate
-    >;
-    [TableName.AutomatedSecurityReports]: KnexOriginal.CompositeTableType<
-      TAutomatedSecurityReports,
-      TAutomatedSecurityReportsInsert,
-      TAutomatedSecurityReportsUpdate
-    >;
   }
 }

backend/src/auto-start-migrations.ts

@@ -1,105 +0,0 @@
-import path from "node:path";
-
-import dotenv from "dotenv";
-import { Knex } from "knex";
-import { Logger } from "pino";
-
-import { PgSqlLock } from "./keystore/keystore";
-
-dotenv.config();
-
-type TArgs = {
-  auditLogDb?: Knex;
-  applicationDb: Knex;
-  logger: Logger;
-};
-
-const isProduction = process.env.NODE_ENV === "production";
-const migrationConfig = {
-  directory: path.join(__dirname, "./db/migrations"),
-  loadExtensions: [".mjs", ".ts"],
-  tableName: "infisical_migrations"
-};
-
-const migrationStatusCheckErrorHandler = (err: Error) => {
-  // happens for first time  in which the migration table itself is not created yet
-  //    error: select * from "infisical_migrations" - relation "infisical_migrations" does not exist
-  if (err?.message?.includes("does not exist")) {
-    return true;
-  }
-  throw err;
-};
-
-export const runMigrations = async ({ applicationDb, auditLogDb, logger }: TArgs) => {
-  try {
-    // akhilmhdh(Feb 10 2025): 2 years  from now remove this
-    if (isProduction) {
-      const migrationTable = migrationConfig.tableName;
-      const hasMigrationTable = await applicationDb.schema.hasTable(migrationTable);
-      if (hasMigrationTable) {
-        const firstFile = (await applicationDb(migrationTable).where({}).first()) as { name: string };
-        if (firstFile?.name?.includes(".ts")) {
-          await applicationDb(migrationTable).update({
-            name: applicationDb.raw("REPLACE(name, '.ts', '.mjs')")
-          });
-        }
-      }
-      if (auditLogDb) {
-        const hasMigrationTableInAuditLog = await auditLogDb.schema.hasTable(migrationTable);
-        if (hasMigrationTableInAuditLog) {
-          const firstFile = (await auditLogDb(migrationTable).where({}).first()) as { name: string };
-          if (firstFile?.name?.includes(".ts")) {
-            await auditLogDb(migrationTable).update({
-              name: auditLogDb.raw("REPLACE(name, '.ts', '.mjs')")
-            });
-          }
-        }
-      }
-    }
-
-    const shouldRunMigration = Boolean(
-      await applicationDb.migrate.status(migrationConfig).catch(migrationStatusCheckErrorHandler)
-    ); // db.length - code.length
-    if (!shouldRunMigration) {
-      logger.info("No migrations pending: Skipping migration process.");
-      return;
-    }
-
-    if (auditLogDb) {
-      await auditLogDb.transaction(async (tx) => {
-        await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.BootUpMigration]);
-        logger.info("Running audit log migrations.");
-
-        const didPreviousInstanceRunMigration = !(await auditLogDb.migrate
-          .status(migrationConfig)
-          .catch(migrationStatusCheckErrorHandler));
-        if (didPreviousInstanceRunMigration) {
-          logger.info("No audit log migrations pending: Applied by previous instance. Skipping migration process.");
-          return;
-        }
-
-        await auditLogDb.migrate.latest(migrationConfig);
-        logger.info("Finished audit log migrations.");
-      });
-    }
-
-    await applicationDb.transaction(async (tx) => {
-      await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.BootUpMigration]);
-      logger.info("Running application migrations.");
-
-      const didPreviousInstanceRunMigration = !(await applicationDb.migrate
-        .status(migrationConfig)
-        .catch(migrationStatusCheckErrorHandler));
-      if (didPreviousInstanceRunMigration) {
-        logger.info("No application migrations pending: Applied by previous instance. Skipping migration process.");
-        return;
-      }
-
-      await applicationDb.migrate.latest(migrationConfig);
-      logger.info("Finished application migrations.");
-    });
-  } catch (err) {
-    logger.error(err, "Boot up migration failed");
-    process.exit(1);
-  }
-};

backend/src/db/instance.ts

@@ -49,9 +49,6 @@ export const initDbConnection = ({
             ca: Buffer.from(dbRootCert, "base64").toString("ascii")
           }
         : false
-    },
-    migrations: {
-      tableName: "infisical_migrations"
     }
   });
 
@@ -67,9 +64,6 @@ export const initDbConnection = ({
               ca: Buffer.from(replicaDbCertificate, "base64").toString("ascii")
             }
           : false
-      },
-      migrations: {
-        tableName: "infisical_migrations"
       }
     });
   });
@@ -104,9 +98,6 @@ export const initAuditLogDbConnection = ({
             ca: Buffer.from(dbRootCert, "base64").toString("ascii")
           }
         : false
-    },
-    migrations: {
-      tableName: "infisical_migrations"
     }
   });
 

backend/src/db/knexfile.ts

@@ -38,8 +38,7 @@ export default {
       directory: "./seeds"
     },
     migrations: {
-      tableName: "infisical_migrations",
-      loadExtensions: [".mjs"]
+      tableName: "infisical_migrations"
     }
   },
   production: {
@@ -63,8 +62,7 @@ export default {
       max: 10
     },
     migrations: {
-      tableName: "infisical_migrations",
-      loadExtensions: [".mjs"]
+      tableName: "infisical_migrations"
     }
   }
 } as Knex.Config;

backend/src/db/migrations/20241218165837_resource-metadata.ts

@@ -1,40 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.ResourceMetadata))) {
-    await knex.schema.createTable(TableName.ResourceMetadata, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.string("key").notNullable();
-      tb.string("value", 1020).notNullable();
-      tb.uuid("orgId").notNullable();
-      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      tb.uuid("userId");
-      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      tb.uuid("identityId");
-      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      tb.uuid("secretId");
-      tb.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
-      tb.timestamps(true, true, true);
-    });
-  }
-
-  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
-  if (!hasSecretMetadataField) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
-      t.jsonb("secretMetadata");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ResourceMetadata);
-
-  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
-  if (hasSecretMetadataField) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
-      t.dropColumn("secretMetadata");
-    });
-  }
-}

backend/src/db/migrations/20250115222458_groups-unique-name.ts

@@ -1,49 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  // find any duplicate group names within organizations
-  const duplicates = await knex(TableName.Groups)
-    .select("orgId", "name")
-    .count("* as count")
-    .groupBy("orgId", "name")
-    .having(knex.raw("count(*) > 1"));
-
-  // for each set of duplicates, update all but one with a numbered suffix
-  for await (const duplicate of duplicates) {
-    const groups = await knex(TableName.Groups)
-      .select("id", "name")
-      .where({
-        orgId: duplicate.orgId,
-        name: duplicate.name
-      })
-      .orderBy("createdAt", "asc"); // keep original name for oldest group
-
-    // skip the first (oldest) group, rename others with numbered suffix
-    for (let i = 1; i < groups.length; i += 1) {
-      // eslint-disable-next-line no-await-in-loop
-      await knex(TableName.Groups)
-        .where("id", groups[i].id)
-        .update({
-          name: `${groups[i].name} (${i})`,
-
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore TS doesn't know about Knex's timestamp types
-          updatedAt: new Date()
-        });
-    }
-  }
-
-  // add the unique constraint
-  await knex.schema.alterTable(TableName.Groups, (t) => {
-    t.unique(["orgId", "name"]);
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  // Remove the unique constraint
-  await knex.schema.alterTable(TableName.Groups, (t) => {
-    t.dropUnique(["orgId", "name"]);
-  });
-}

backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts

@@ -1,33 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
-  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
-
-  await knex.schema.alterTable(TableName.Project, (t) => {
-    if (!hasEnforceCapitalizationCol) {
-      t.boolean("enforceCapitalization").defaultTo(false).notNullable();
-    }
-
-    if (hasAutoCapitalizationCol) {
-      t.boolean("autoCapitalization").defaultTo(false).alter();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
-  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
-
-  await knex.schema.alterTable(TableName.Project, (t) => {
-    if (hasEnforceCapitalizationCol) {
-      t.dropColumn("enforceCapitalization");
-    }
-
-    if (hasAutoCapitalizationCol) {
-      t.boolean("autoCapitalization").defaultTo(true).alter();
-    }
-  });
-}

backend/src/db/migrations/20250122055102_secret-sync.ts

@@ -1,50 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretSync))) {
-    await knex.schema.createTable(TableName.SecretSync, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name", 32).notNullable();
-      t.string("description");
-      t.string("destination").notNullable();
-      t.boolean("isAutoSyncEnabled").notNullable().defaultTo(true);
-      t.integer("version").defaultTo(1).notNullable();
-      t.jsonb("destinationConfig").notNullable();
-      t.jsonb("syncOptions").notNullable();
-      // we're including projectId in addition to folder ID because we allow folderId to be null (if the folder
-      // is deleted), to preserve sync configuration
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.uuid("folderId");
-      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("SET NULL");
-      t.uuid("connectionId").notNullable();
-      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
-      t.timestamps(true, true, true);
-      // sync secrets to destination
-      t.string("syncStatus");
-      t.string("lastSyncJobId");
-      t.string("lastSyncMessage");
-      t.datetime("lastSyncedAt");
-      // import secrets from destination
-      t.string("importStatus");
-      t.string("lastImportJobId");
-      t.string("lastImportMessage");
-      t.datetime("lastImportedAt");
-      // remove secrets from destination
-      t.string("removeStatus");
-      t.string("lastRemoveJobId");
-      t.string("lastRemoveMessage");
-      t.datetime("lastRemovedAt");
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretSync);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretSync);
-  await dropOnUpdateTrigger(knex, TableName.SecretSync);
-}

backend/src/db/migrations/20250129214629_oidc-configs-manage-group-memberships-col.ts

@@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasManageGroupMembershipsCol = await knex.schema.hasColumn(TableName.OidcConfig, "manageGroupMemberships");
-
-  await knex.schema.alterTable(TableName.OidcConfig, (tb) => {
-    if (!hasManageGroupMembershipsCol) {
-      tb.boolean("manageGroupMemberships").notNullable().defaultTo(false);
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasManageGroupMembershipsCol = await knex.schema.hasColumn(TableName.OidcConfig, "manageGroupMemberships");
-
-  await knex.schema.alterTable(TableName.OidcConfig, (t) => {
-    if (hasManageGroupMembershipsCol) {
-      t.dropColumn("manageGroupMemberships");
-    }
-  });
-}

backend/src/db/migrations/20250203141127_add-kmip.ts

@@ -1,108 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasKmipClientTable = await knex.schema.hasTable(TableName.KmipClient);
-  if (!hasKmipClientTable) {
-    await knex.schema.createTable(TableName.KmipClient, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.specificType("permissions", "text[]");
-      t.string("description");
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-    });
-  }
-
-  const hasKmipOrgPkiConfig = await knex.schema.hasTable(TableName.KmipOrgConfig);
-  if (!hasKmipOrgPkiConfig) {
-    await knex.schema.createTable(TableName.KmipOrgConfig, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.unique("orgId");
-
-      t.string("caKeyAlgorithm").notNullable();
-
-      t.datetime("rootCaIssuedAt").notNullable();
-      t.datetime("rootCaExpiration").notNullable();
-      t.string("rootCaSerialNumber").notNullable();
-      t.binary("encryptedRootCaCertificate").notNullable();
-      t.binary("encryptedRootCaPrivateKey").notNullable();
-
-      t.datetime("serverIntermediateCaIssuedAt").notNullable();
-      t.datetime("serverIntermediateCaExpiration").notNullable();
-      t.string("serverIntermediateCaSerialNumber");
-      t.binary("encryptedServerIntermediateCaCertificate").notNullable();
-      t.binary("encryptedServerIntermediateCaChain").notNullable();
-      t.binary("encryptedServerIntermediateCaPrivateKey").notNullable();
-
-      t.datetime("clientIntermediateCaIssuedAt").notNullable();
-      t.datetime("clientIntermediateCaExpiration").notNullable();
-      t.string("clientIntermediateCaSerialNumber").notNullable();
-      t.binary("encryptedClientIntermediateCaCertificate").notNullable();
-      t.binary("encryptedClientIntermediateCaChain").notNullable();
-      t.binary("encryptedClientIntermediateCaPrivateKey").notNullable();
-
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.KmipOrgConfig);
-  }
-
-  const hasKmipOrgServerCertTable = await knex.schema.hasTable(TableName.KmipOrgServerCertificates);
-  if (!hasKmipOrgServerCertTable) {
-    await knex.schema.createTable(TableName.KmipOrgServerCertificates, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.string("commonName").notNullable();
-      t.string("altNames").notNullable();
-      t.string("serialNumber").notNullable();
-      t.string("keyAlgorithm").notNullable();
-      t.datetime("issuedAt").notNullable();
-      t.datetime("expiration").notNullable();
-      t.binary("encryptedCertificate").notNullable();
-      t.binary("encryptedChain").notNullable();
-    });
-  }
-
-  const hasKmipClientCertTable = await knex.schema.hasTable(TableName.KmipClientCertificates);
-  if (!hasKmipClientCertTable) {
-    await knex.schema.createTable(TableName.KmipClientCertificates, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("kmipClientId").notNullable();
-      t.foreign("kmipClientId").references("id").inTable(TableName.KmipClient).onDelete("CASCADE");
-      t.string("serialNumber").notNullable();
-      t.string("keyAlgorithm").notNullable();
-      t.datetime("issuedAt").notNullable();
-      t.datetime("expiration").notNullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasKmipOrgPkiConfig = await knex.schema.hasTable(TableName.KmipOrgConfig);
-  if (hasKmipOrgPkiConfig) {
-    await knex.schema.dropTable(TableName.KmipOrgConfig);
-    await dropOnUpdateTrigger(knex, TableName.KmipOrgConfig);
-  }
-
-  const hasKmipOrgServerCertTable = await knex.schema.hasTable(TableName.KmipOrgServerCertificates);
-  if (hasKmipOrgServerCertTable) {
-    await knex.schema.dropTable(TableName.KmipOrgServerCertificates);
-  }
-
-  const hasKmipClientCertTable = await knex.schema.hasTable(TableName.KmipClientCertificates);
-  if (hasKmipClientCertTable) {
-    await knex.schema.dropTable(TableName.KmipClientCertificates);
-  }
-
-  const hasKmipClientTable = await knex.schema.hasTable(TableName.KmipClient);
-  if (hasKmipClientTable) {
-    await knex.schema.dropTable(TableName.KmipClient);
-  }
-}

backend/src/db/migrations/20250204025010_app-connections-and-secret-syncs-unique-constraint.ts

@@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.AppConnection, (t) => {
-    t.unique(["orgId", "name"]);
-  });
-
-  await knex.schema.alterTable(TableName.SecretSync, (t) => {
-    t.unique(["projectId", "name"]);
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.AppConnection, (t) => {
-    t.dropUnique(["orgId", "name"]);
-  });
-
-  await knex.schema.alterTable(TableName.SecretSync, (t) => {
-    t.dropUnique(["projectId", "name"]);
-  });
-}

backend/src/db/migrations/20250205045509_increase-gcp-auth-limit.ts

@@ -1,37 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasTable = await knex.schema.hasTable(TableName.IdentityGcpAuth);
-  const hasAllowedProjectsColumn = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedProjects");
-  const hasAllowedServiceAccountsColumn = await knex.schema.hasColumn(
-    TableName.IdentityGcpAuth,
-    "allowedServiceAccounts"
-  );
-  const hasAllowedZones = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedZones");
-  if (hasTable) {
-    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
-      if (hasAllowedProjectsColumn) t.string("allowedProjects", 2500).alter();
-      if (hasAllowedServiceAccountsColumn) t.string("allowedServiceAccounts", 5000).alter();
-      if (hasAllowedZones) t.string("allowedZones", 2500).alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasTable = await knex.schema.hasTable(TableName.IdentityGcpAuth);
-  const hasAllowedProjectsColumn = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedProjects");
-  const hasAllowedServiceAccountsColumn = await knex.schema.hasColumn(
-    TableName.IdentityGcpAuth,
-    "allowedServiceAccounts"
-  );
-  const hasAllowedZones = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedZones");
-  if (hasTable) {
-    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
-      if (hasAllowedProjectsColumn) t.string("allowedProjects").alter();
-      if (hasAllowedServiceAccountsColumn) t.string("allowedServiceAccounts").alter();
-      if (hasAllowedZones) t.string("allowedZones").alter();
-    });
-  }
-}

backend/src/db/migrations/20250205220952_kms-keys-drop-slug-col.ts

@@ -1,27 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.KmsKey)) {
-    const hasSlugCol = await knex.schema.hasColumn(TableName.KmsKey, "slug");
-
-    if (hasSlugCol) {
-      await knex.schema.alterTable(TableName.KmsKey, (t) => {
-        t.dropColumn("slug");
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.KmsKey)) {
-    const hasSlugCol = await knex.schema.hasColumn(TableName.KmsKey, "slug");
-
-    if (!hasSlugCol) {
-      await knex.schema.alterTable(TableName.KmsKey, (t) => {
-        t.string("slug", 32);
-      });
-    }
-  }
-}

backend/src/db/migrations/20250207002643_secret-syncs-increase-message-length.ts

@@ -1,31 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSync)) {
-    const hasLastSyncMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastSyncMessage");
-    const hasLastImportMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastImportMessage");
-    const hasLastRemoveMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastRemoveMessage");
-
-    await knex.schema.alterTable(TableName.SecretSync, (t) => {
-      if (hasLastSyncMessage) t.string("lastSyncMessage", 1024).alter();
-      if (hasLastImportMessage) t.string("lastImportMessage", 1024).alter();
-      if (hasLastRemoveMessage) t.string("lastRemoveMessage", 1024).alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSync)) {
-    const hasLastSyncMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastSyncMessage");
-    const hasLastImportMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastImportMessage");
-    const hasLastRemoveMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastRemoveMessage");
-
-    await knex.schema.alterTable(TableName.SecretSync, (t) => {
-      if (hasLastSyncMessage) t.string("lastSyncMessage").alter();
-      if (hasLastImportMessage) t.string("lastImportMessage").alter();
-      if (hasLastRemoveMessage) t.string("lastRemoveMessage").alter();
-    });
-  }
-}

backend/src/db/migrations/20250210101840_webhook-to-kms.ts

@@ -1,130 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { initLogger } from "@app/lib/logger";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { SecretKeyEncoding, TableName } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { createCircularCache } from "./utils/ring-buffer";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-const BATCH_SIZE = 500;
-export async function up(knex: Knex): Promise<void> {
-  const hasEncryptedKey = await knex.schema.hasColumn(TableName.Webhook, "encryptedPassKey");
-  const hasEncryptedUrl = await knex.schema.hasColumn(TableName.Webhook, "encryptedUrl");
-  const hasUrl = await knex.schema.hasColumn(TableName.Webhook, "url");
-
-  const hasWebhookTable = await knex.schema.hasTable(TableName.Webhook);
-  if (hasWebhookTable) {
-    await knex.schema.alterTable(TableName.Webhook, (t) => {
-      if (!hasEncryptedKey) t.binary("encryptedPassKey");
-      if (!hasEncryptedUrl) t.binary("encryptedUrl");
-      if (hasUrl) t.string("url").nullable().alter();
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const projectEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-  const webhooks = await knex(TableName.Webhook)
-    .where({})
-    .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.Webhook}.envId`)
-    .select(
-      "url",
-      "encryptedSecretKey",
-      "iv",
-      "tag",
-      "keyEncoding",
-      "urlCipherText",
-      "urlIV",
-      "urlTag",
-      knex.ref("id").withSchema(TableName.Webhook),
-      "envId"
-    )
-    .select(knex.ref("projectId").withSchema(TableName.Environment))
-    .orderBy(`${TableName.Environment}.projectId` as "projectId");
-
-  const updatedWebhooks = await Promise.all(
-    webhooks.map(async (el) => {
-      let projectKmsService = projectEncryptionRingBuffer.getItem(el.projectId);
-      if (!projectKmsService) {
-        projectKmsService = await kmsService.createCipherPairWithDataKey(
-          {
-            type: KmsDataKey.SecretManager,
-            projectId: el.projectId
-          },
-          knex
-        );
-        projectEncryptionRingBuffer.push(el.projectId, projectKmsService);
-      }
-
-      let encryptedSecretKey = null;
-      if (el.encryptedSecretKey && el.iv && el.tag && el.keyEncoding) {
-        const decyptedSecretKey = infisicalSymmetricDecrypt({
-          keyEncoding: el.keyEncoding as SecretKeyEncoding,
-          iv: el.iv,
-          tag: el.tag,
-          ciphertext: el.encryptedSecretKey
-        });
-        encryptedSecretKey = projectKmsService.encryptor({
-          plainText: Buffer.from(decyptedSecretKey, "utf8")
-        }).cipherTextBlob;
-      }
-
-      const decryptedUrl =
-        el.urlIV && el.urlTag && el.urlCipherText && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
-              iv: el.urlIV,
-              tag: el.urlTag,
-              ciphertext: el.urlCipherText
-            })
-          : null;
-
-      const encryptedUrl = projectKmsService.encryptor({
-        plainText: Buffer.from(decryptedUrl || el.url || "")
-      }).cipherTextBlob;
-      return { id: el.id, encryptedUrl, encryptedSecretKey, envId: el.envId };
-    })
-  );
-
-  for (let i = 0; i < updatedWebhooks.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.Webhook)
-      .insert(
-        updatedWebhooks.slice(i, i + BATCH_SIZE).map((el) => ({
-          id: el.id,
-          envId: el.envId,
-          url: "",
-          encryptedUrl: el.encryptedUrl,
-          encryptedPassKey: el.encryptedSecretKey
-        }))
-      )
-      .onConflict("id")
-      .merge();
-  }
-
-  if (hasWebhookTable) {
-    await knex.schema.alterTable(TableName.Webhook, (t) => {
-      if (!hasEncryptedUrl) t.binary("encryptedUrl").notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEncryptedKey = await knex.schema.hasColumn(TableName.Webhook, "encryptedPassKey");
-  const hasEncryptedUrl = await knex.schema.hasColumn(TableName.Webhook, "encryptedUrl");
-
-  const hasWebhookTable = await knex.schema.hasTable(TableName.Webhook);
-  if (hasWebhookTable) {
-    await knex.schema.alterTable(TableName.Webhook, (t) => {
-      if (hasEncryptedKey) t.dropColumn("encryptedPassKey");
-      if (hasEncryptedUrl) t.dropColumn("encryptedUrl");
-    });
-  }
-}

backend/src/db/migrations/20250210101841_dynamic-secret-root-to-kms.ts

@@ -1,111 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { selectAllTableCols } from "@app/lib/knex";
-import { initLogger } from "@app/lib/logger";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { SecretKeyEncoding, TableName } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { createCircularCache } from "./utils/ring-buffer";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-const BATCH_SIZE = 500;
-export async function up(knex: Knex): Promise<void> {
-  const hasEncryptedInputColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "encryptedInput");
-  const hasInputCiphertextColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "inputCiphertext");
-  const hasInputIVColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "inputIV");
-  const hasInputTagColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "inputTag");
-
-  const hasDynamicSecretTable = await knex.schema.hasTable(TableName.DynamicSecret);
-  if (hasDynamicSecretTable) {
-    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
-      if (!hasEncryptedInputColumn) t.binary("encryptedInput");
-      if (hasInputCiphertextColumn) t.text("inputCiphertext").nullable().alter();
-      if (hasInputIVColumn) t.string("inputIV").nullable().alter();
-      if (hasInputTagColumn) t.string("inputTag").nullable().alter();
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const projectEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-
-  const dynamicSecretRootCredentials = await knex(TableName.DynamicSecret)
-    .join(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.DynamicSecret}.folderId`)
-    .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
-    .select(selectAllTableCols(TableName.DynamicSecret))
-    .select(knex.ref("projectId").withSchema(TableName.Environment))
-    .orderBy(`${TableName.Environment}.projectId` as "projectId");
-
-  const updatedDynamicSecrets = await Promise.all(
-    dynamicSecretRootCredentials.map(async ({ projectId, ...el }) => {
-      let projectKmsService = projectEncryptionRingBuffer.getItem(projectId);
-      if (!projectKmsService) {
-        projectKmsService = await kmsService.createCipherPairWithDataKey(
-          {
-            type: KmsDataKey.SecretManager,
-            projectId
-          },
-          knex
-        );
-        projectEncryptionRingBuffer.push(projectId, projectKmsService);
-      }
-
-      const decryptedInputData =
-        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-        el.inputIV && el.inputTag && el.inputCiphertext && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              iv: el.inputIV,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              tag: el.inputTag,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              ciphertext: el.inputCiphertext
-            })
-          : "";
-
-      const encryptedInput = projectKmsService.encryptor({
-        plainText: Buffer.from(decryptedInputData)
-      }).cipherTextBlob;
-
-      return { ...el, encryptedInput };
-    })
-  );
-
-  for (let i = 0; i < updatedDynamicSecrets.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.DynamicSecret)
-      .insert(updatedDynamicSecrets.slice(i, i + BATCH_SIZE))
-      .onConflict("id")
-      .merge();
-  }
-
-  if (hasDynamicSecretTable) {
-    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
-      if (!hasEncryptedInputColumn) t.binary("encryptedInput").notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEncryptedInputColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "encryptedInput");
-
-  const hasDynamicSecretTable = await knex.schema.hasTable(TableName.DynamicSecret);
-  if (hasDynamicSecretTable) {
-    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
-      if (hasEncryptedInputColumn) t.dropColumn("encryptedInput");
-    });
-  }
-}

backend/src/db/migrations/20250210101841_secret-rotation-to-kms.ts

@@ -1,103 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { selectAllTableCols } from "@app/lib/knex";
-import { initLogger } from "@app/lib/logger";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { SecretKeyEncoding, TableName } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { createCircularCache } from "./utils/ring-buffer";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-const BATCH_SIZE = 500;
-export async function up(knex: Knex): Promise<void> {
-  const hasEncryptedRotationData = await knex.schema.hasColumn(TableName.SecretRotation, "encryptedRotationData");
-
-  const hasRotationTable = await knex.schema.hasTable(TableName.SecretRotation);
-  if (hasRotationTable) {
-    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
-      if (!hasEncryptedRotationData) t.binary("encryptedRotationData");
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const projectEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-
-  const secretRotations = await knex(TableName.SecretRotation)
-    .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretRotation}.envId`)
-    .select(selectAllTableCols(TableName.SecretRotation))
-    .select(knex.ref("projectId").withSchema(TableName.Environment))
-    .orderBy(`${TableName.Environment}.projectId` as "projectId");
-
-  const updatedRotationData = await Promise.all(
-    secretRotations.map(async ({ projectId, ...el }) => {
-      let projectKmsService = projectEncryptionRingBuffer.getItem(projectId);
-      if (!projectKmsService) {
-        projectKmsService = await kmsService.createCipherPairWithDataKey(
-          {
-            type: KmsDataKey.SecretManager,
-            projectId
-          },
-          knex
-        );
-        projectEncryptionRingBuffer.push(projectId, projectKmsService);
-      }
-
-      const decryptedRotationData =
-        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-        el.encryptedDataTag && el.encryptedDataIV && el.encryptedData && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              iv: el.encryptedDataIV,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              tag: el.encryptedDataTag,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              ciphertext: el.encryptedData
-            })
-          : "";
-
-      const encryptedRotationData = projectKmsService.encryptor({
-        plainText: Buffer.from(decryptedRotationData)
-      }).cipherTextBlob;
-      return { ...el, encryptedRotationData };
-    })
-  );
-
-  for (let i = 0; i < updatedRotationData.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.SecretRotation)
-      .insert(updatedRotationData.slice(i, i + BATCH_SIZE))
-      .onConflict("id")
-      .merge();
-  }
-
-  if (hasRotationTable) {
-    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
-      if (!hasEncryptedRotationData) t.binary("encryptedRotationData").notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEncryptedRotationData = await knex.schema.hasColumn(TableName.SecretRotation, "encryptedRotationData");
-
-  const hasRotationTable = await knex.schema.hasTable(TableName.SecretRotation);
-  if (hasRotationTable) {
-    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
-      if (hasEncryptedRotationData) t.dropColumn("encryptedRotationData");
-    });
-  }
-}

backend/src/db/migrations/20250210101842_identity-k8-auth-to-kms.ts

@@ -1,200 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { selectAllTableCols } from "@app/lib/knex";
-import { initLogger } from "@app/lib/logger";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { createCircularCache } from "./utils/ring-buffer";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-const BATCH_SIZE = 500;
-const reencryptIdentityK8sAuth = async (knex: Knex) => {
-  const hasEncryptedKubernetesTokenReviewerJwt = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "encryptedKubernetesTokenReviewerJwt"
-  );
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "encryptedKubernetesCaCertificate"
-  );
-  const hasidentityKubernetesAuthTable = await knex.schema.hasTable(TableName.IdentityKubernetesAuth);
-
-  const hasEncryptedCaCertColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "encryptedCaCert");
-  const hasCaCertIVColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "caCertIV");
-  const hasCaCertTagColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "caCertTag");
-  const hasEncryptedTokenReviewerJwtColumn = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "encryptedTokenReviewerJwt"
-  );
-  const hasTokenReviewerJwtIVColumn = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "tokenReviewerJwtIV"
-  );
-  const hasTokenReviewerJwtTagColumn = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "tokenReviewerJwtTag"
-  );
-
-  if (hasidentityKubernetesAuthTable) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
-      if (hasEncryptedCaCertColumn) t.text("encryptedCaCert").nullable().alter();
-      if (hasCaCertIVColumn) t.string("caCertIV").nullable().alter();
-      if (hasCaCertTagColumn) t.string("caCertTag").nullable().alter();
-      if (hasEncryptedTokenReviewerJwtColumn) t.text("encryptedTokenReviewerJwt").nullable().alter();
-      if (hasTokenReviewerJwtIVColumn) t.string("tokenReviewerJwtIV").nullable().alter();
-      if (hasTokenReviewerJwtTagColumn) t.string("tokenReviewerJwtTag").nullable().alter();
-
-      if (!hasEncryptedKubernetesTokenReviewerJwt) t.binary("encryptedKubernetesTokenReviewerJwt");
-      if (!hasEncryptedCertificateColumn) t.binary("encryptedKubernetesCaCertificate");
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const orgEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-  const identityKubernetesConfigs = await knex(TableName.IdentityKubernetesAuth)
-    .join(
-      TableName.IdentityOrgMembership,
-      `${TableName.IdentityOrgMembership}.identityId`,
-      `${TableName.IdentityKubernetesAuth}.identityId`
-    )
-    .join<TOrgBots>(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.IdentityOrgMembership}.orgId`)
-    .select(selectAllTableCols(TableName.IdentityKubernetesAuth))
-    .select(
-      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot),
-      knex.ref("orgId").withSchema(TableName.OrgBot)
-    )
-    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
-
-  const updatedIdentityKubernetesConfigs = [];
-
-  for await (const {
-    encryptedSymmetricKey,
-    symmetricKeyKeyEncoding,
-    symmetricKeyTag,
-    symmetricKeyIV,
-    orgId,
-    ...el
-  } of identityKubernetesConfigs) {
-    let orgKmsService = orgEncryptionRingBuffer.getItem(orgId);
-
-    if (!orgKmsService) {
-      orgKmsService = await kmsService.createCipherPairWithDataKey(
-        {
-          type: KmsDataKey.Organization,
-          orgId
-        },
-        knex
-      );
-      orgEncryptionRingBuffer.push(orgId, orgKmsService);
-    }
-
-    const key = infisicalSymmetricDecrypt({
-      ciphertext: encryptedSymmetricKey,
-      iv: symmetricKeyIV,
-      tag: symmetricKeyTag,
-      keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-    });
-
-    const decryptedTokenReviewerJwt =
-      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-      // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-      el.encryptedTokenReviewerJwt && el.tokenReviewerJwtIV && el.tokenReviewerJwtTag
-        ? decryptSymmetric({
-            key,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-            iv: el.tokenReviewerJwtIV,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-            tag: el.tokenReviewerJwtTag,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-            ciphertext: el.encryptedTokenReviewerJwt
-          })
-        : "";
-
-    const decryptedCertificate =
-      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-      // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-      el.encryptedCaCert && el.caCertIV && el.caCertTag
-        ? decryptSymmetric({
-            key,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-            iv: el.caCertIV,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-            tag: el.caCertTag,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-            ciphertext: el.encryptedCaCert
-          })
-        : "";
-
-    const encryptedKubernetesTokenReviewerJwt = orgKmsService.encryptor({
-      plainText: Buffer.from(decryptedTokenReviewerJwt)
-    }).cipherTextBlob;
-    const encryptedKubernetesCaCertificate = orgKmsService.encryptor({
-      plainText: Buffer.from(decryptedCertificate)
-    }).cipherTextBlob;
-
-    updatedIdentityKubernetesConfigs.push({
-      ...el,
-      accessTokenTrustedIps: JSON.stringify(el.accessTokenTrustedIps),
-      encryptedKubernetesCaCertificate,
-      encryptedKubernetesTokenReviewerJwt
-    });
-  }
-
-  for (let i = 0; i < updatedIdentityKubernetesConfigs.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.IdentityKubernetesAuth)
-      .insert(updatedIdentityKubernetesConfigs.slice(i, i + BATCH_SIZE))
-      .onConflict("id")
-      .merge();
-  }
-  if (hasidentityKubernetesAuthTable) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
-      if (!hasEncryptedKubernetesTokenReviewerJwt)
-        t.binary("encryptedKubernetesTokenReviewerJwt").notNullable().alter();
-    });
-  }
-};
-
-export async function up(knex: Knex): Promise<void> {
-  await reencryptIdentityK8sAuth(knex);
-}
-
-const dropIdentityK8sColumns = async (knex: Knex) => {
-  const hasEncryptedKubernetesTokenReviewerJwt = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "encryptedKubernetesTokenReviewerJwt"
-  );
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "encryptedKubernetesCaCertificate"
-  );
-  const hasidentityKubernetesAuthTable = await knex.schema.hasTable(TableName.IdentityKubernetesAuth);
-
-  if (hasidentityKubernetesAuthTable) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
-      if (hasEncryptedKubernetesTokenReviewerJwt) t.dropColumn("encryptedKubernetesTokenReviewerJwt");
-      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedKubernetesCaCertificate");
-    });
-  }
-};
-
-export async function down(knex: Knex): Promise<void> {
-  await dropIdentityK8sColumns(knex);
-}

backend/src/db/migrations/20250210101842_identity-oidc-auth-to-kms.ts

@@ -1,141 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { selectAllTableCols } from "@app/lib/knex";
-import { initLogger } from "@app/lib/logger";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { createCircularCache } from "./utils/ring-buffer";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-const BATCH_SIZE = 500;
-const reencryptIdentityOidcAuth = async (knex: Knex) => {
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
-    TableName.IdentityOidcAuth,
-    "encryptedCaCertificate"
-  );
-  const hasidentityOidcAuthTable = await knex.schema.hasTable(TableName.IdentityOidcAuth);
-
-  const hasEncryptedCaCertColumn = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "encryptedCaCert");
-  const hasCaCertIVColumn = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "caCertIV");
-  const hasCaCertTagColumn = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "caCertTag");
-
-  if (hasidentityOidcAuthTable) {
-    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
-      if (hasEncryptedCaCertColumn) t.text("encryptedCaCert").nullable().alter();
-      if (hasCaCertIVColumn) t.string("caCertIV").nullable().alter();
-      if (hasCaCertTagColumn) t.string("caCertTag").nullable().alter();
-
-      if (!hasEncryptedCertificateColumn) t.binary("encryptedCaCertificate");
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const orgEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-
-  const identityOidcConfig = await knex(TableName.IdentityOidcAuth)
-    .join(
-      TableName.IdentityOrgMembership,
-      `${TableName.IdentityOrgMembership}.identityId`,
-      `${TableName.IdentityOidcAuth}.identityId`
-    )
-    .join<TOrgBots>(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.IdentityOrgMembership}.orgId`)
-    .select(selectAllTableCols(TableName.IdentityOidcAuth))
-    .select(
-      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot),
-      knex.ref("orgId").withSchema(TableName.OrgBot)
-    )
-    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
-
-  const updatedIdentityOidcConfigs = await Promise.all(
-    identityOidcConfig.map(
-      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, orgId, ...el }) => {
-        let orgKmsService = orgEncryptionRingBuffer.getItem(orgId);
-        if (!orgKmsService) {
-          orgKmsService = await kmsService.createCipherPairWithDataKey(
-            {
-              type: KmsDataKey.Organization,
-              orgId
-            },
-            knex
-          );
-          orgEncryptionRingBuffer.push(orgId, orgKmsService);
-        }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
-
-        const decryptedCertificate =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedCaCert && el.caCertIV && el.caCertTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.caCertIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.caCertTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedCaCert
-              })
-            : "";
-
-        const encryptedCaCertificate = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedCertificate)
-        }).cipherTextBlob;
-
-        return {
-          ...el,
-          accessTokenTrustedIps: JSON.stringify(el.accessTokenTrustedIps),
-          encryptedCaCertificate
-        };
-      }
-    )
-  );
-
-  for (let i = 0; i < updatedIdentityOidcConfigs.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.IdentityOidcAuth)
-      .insert(updatedIdentityOidcConfigs.slice(i, i + BATCH_SIZE))
-      .onConflict("id")
-      .merge();
-  }
-};
-
-export async function up(knex: Knex): Promise<void> {
-  await reencryptIdentityOidcAuth(knex);
-}
-
-const dropIdentityOidcColumns = async (knex: Knex) => {
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
-    TableName.IdentityOidcAuth,
-    "encryptedCaCertificate"
-  );
-  const hasidentityOidcTable = await knex.schema.hasTable(TableName.IdentityOidcAuth);
-
-  if (hasidentityOidcTable) {
-    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
-      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedCaCertificate");
-    });
-  }
-};
-
-export async function down(knex: Knex): Promise<void> {
-  await dropIdentityOidcColumns(knex);
-}

backend/src/db/migrations/20250210101845_directory-config-to-kms.ts

@@ -1,493 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { selectAllTableCols } from "@app/lib/knex";
-import { initLogger } from "@app/lib/logger";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { SecretKeyEncoding, TableName } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { createCircularCache } from "./utils/ring-buffer";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-const BATCH_SIZE = 500;
-const reencryptSamlConfig = async (knex: Knex) => {
-  const hasEncryptedEntrypointColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlEntryPoint");
-  const hasEncryptedIssuerColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlIssuer");
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlCertificate");
-  const hasSamlConfigTable = await knex.schema.hasTable(TableName.SamlConfig);
-
-  if (hasSamlConfigTable) {
-    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
-      if (!hasEncryptedEntrypointColumn) t.binary("encryptedSamlEntryPoint");
-      if (!hasEncryptedIssuerColumn) t.binary("encryptedSamlIssuer");
-      if (!hasEncryptedCertificateColumn) t.binary("encryptedSamlCertificate");
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const orgEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-
-  const samlConfigs = await knex(TableName.SamlConfig)
-    .join(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.SamlConfig}.orgId`)
-    .select(selectAllTableCols(TableName.SamlConfig))
-    .select(
-      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot)
-    )
-    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
-
-  const updatedSamlConfigs = await Promise.all(
-    samlConfigs.map(
-      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, ...el }) => {
-        let orgKmsService = orgEncryptionRingBuffer.getItem(el.orgId);
-        if (!orgKmsService) {
-          orgKmsService = await kmsService.createCipherPairWithDataKey(
-            {
-              type: KmsDataKey.Organization,
-              orgId: el.orgId
-            },
-            knex
-          );
-          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
-        }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
-
-        const decryptedEntryPoint =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedEntryPoint && el.entryPointIV && el.entryPointTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.entryPointIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.entryPointTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedEntryPoint
-              })
-            : "";
-
-        const decryptedIssuer =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedIssuer && el.issuerIV && el.issuerTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.issuerIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.issuerTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedIssuer
-              })
-            : "";
-
-        const decryptedCertificate =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedCert && el.certIV && el.certTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.certIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.certTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedCert
-              })
-            : "";
-
-        const encryptedSamlIssuer = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedIssuer)
-        }).cipherTextBlob;
-        const encryptedSamlCertificate = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedCertificate)
-        }).cipherTextBlob;
-        const encryptedSamlEntryPoint = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedEntryPoint)
-        }).cipherTextBlob;
-        return { ...el, encryptedSamlCertificate, encryptedSamlEntryPoint, encryptedSamlIssuer };
-      }
-    )
-  );
-
-  for (let i = 0; i < updatedSamlConfigs.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.SamlConfig)
-      .insert(updatedSamlConfigs.slice(i, i + BATCH_SIZE))
-      .onConflict("id")
-      .merge();
-  }
-
-  if (hasSamlConfigTable) {
-    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
-      if (!hasEncryptedEntrypointColumn) t.binary("encryptedSamlEntryPoint").notNullable().alter();
-      if (!hasEncryptedIssuerColumn) t.binary("encryptedSamlIssuer").notNullable().alter();
-      if (!hasEncryptedCertificateColumn) t.binary("encryptedSamlCertificate").notNullable().alter();
-    });
-  }
-};
-
-const reencryptLdapConfig = async (knex: Knex) => {
-  const hasEncryptedLdapBindDNColum = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindDN");
-  const hasEncryptedLdapBindPassColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindPass");
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapCaCertificate");
-  const hasLdapConfigTable = await knex.schema.hasTable(TableName.LdapConfig);
-
-  const hasEncryptedCACertColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedCACert");
-  const hasCaCertIVColumn = await knex.schema.hasColumn(TableName.LdapConfig, "caCertIV");
-  const hasCaCertTagColumn = await knex.schema.hasColumn(TableName.LdapConfig, "caCertTag");
-  const hasEncryptedBindPassColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedBindPass");
-  const hasBindPassIVColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindPassIV");
-  const hasBindPassTagColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindPassTag");
-  const hasEncryptedBindDNColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedBindDN");
-  const hasBindDNIVColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindDNIV");
-  const hasBindDNTagColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindDNTag");
-
-  if (hasLdapConfigTable) {
-    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
-      if (hasEncryptedCACertColumn) t.text("encryptedCACert").nullable().alter();
-      if (hasCaCertIVColumn) t.string("caCertIV").nullable().alter();
-      if (hasCaCertTagColumn) t.string("caCertTag").nullable().alter();
-      if (hasEncryptedBindPassColumn) t.string("encryptedBindPass").nullable().alter();
-      if (hasBindPassIVColumn) t.string("bindPassIV").nullable().alter();
-      if (hasBindPassTagColumn) t.string("bindPassTag").nullable().alter();
-      if (hasEncryptedBindDNColumn) t.string("encryptedBindDN").nullable().alter();
-      if (hasBindDNIVColumn) t.string("bindDNIV").nullable().alter();
-      if (hasBindDNTagColumn) t.string("bindDNTag").nullable().alter();
-
-      if (!hasEncryptedLdapBindDNColum) t.binary("encryptedLdapBindDN");
-      if (!hasEncryptedLdapBindPassColumn) t.binary("encryptedLdapBindPass");
-      if (!hasEncryptedCertificateColumn) t.binary("encryptedLdapCaCertificate");
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const orgEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-
-  const ldapConfigs = await knex(TableName.LdapConfig)
-    .join(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.LdapConfig}.orgId`)
-    .select(selectAllTableCols(TableName.LdapConfig))
-    .select(
-      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot)
-    )
-    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
-
-  const updatedLdapConfigs = await Promise.all(
-    ldapConfigs.map(
-      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, ...el }) => {
-        let orgKmsService = orgEncryptionRingBuffer.getItem(el.orgId);
-        if (!orgKmsService) {
-          orgKmsService = await kmsService.createCipherPairWithDataKey(
-            {
-              type: KmsDataKey.Organization,
-              orgId: el.orgId
-            },
-            knex
-          );
-          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
-        }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
-
-        const decryptedBindDN =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedBindDN && el.bindDNIV && el.bindDNTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.bindDNIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.bindDNTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedBindDN
-              })
-            : "";
-
-        const decryptedBindPass =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedBindPass && el.bindPassIV && el.bindPassTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.bindPassIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.bindPassTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedBindPass
-              })
-            : "";
-
-        const decryptedCertificate =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedCACert && el.caCertIV && el.caCertTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.caCertIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.caCertTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedCACert
-              })
-            : "";
-
-        const encryptedLdapBindDN = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedBindDN)
-        }).cipherTextBlob;
-        const encryptedLdapBindPass = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedBindPass)
-        }).cipherTextBlob;
-        const encryptedLdapCaCertificate = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedCertificate)
-        }).cipherTextBlob;
-        return { ...el, encryptedLdapBindPass, encryptedLdapBindDN, encryptedLdapCaCertificate };
-      }
-    )
-  );
-
-  for (let i = 0; i < updatedLdapConfigs.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.LdapConfig)
-      .insert(updatedLdapConfigs.slice(i, i + BATCH_SIZE))
-      .onConflict("id")
-      .merge();
-  }
-  if (hasLdapConfigTable) {
-    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
-      if (!hasEncryptedLdapBindPassColumn) t.binary("encryptedLdapBindPass").notNullable().alter();
-      if (!hasEncryptedLdapBindDNColum) t.binary("encryptedLdapBindDN").notNullable().alter();
-    });
-  }
-};
-
-const reencryptOidcConfig = async (knex: Knex) => {
-  const hasEncryptedOidcClientIdColumn = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedOidcClientId");
-  const hasEncryptedOidcClientSecretColumn = await knex.schema.hasColumn(
-    TableName.OidcConfig,
-    "encryptedOidcClientSecret"
-  );
-
-  const hasEncryptedClientIdColumn = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedClientId");
-  const hasClientIdIVColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientIdIV");
-  const hasClientIdTagColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientIdTag");
-  const hasEncryptedClientSecretColumn = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedClientSecret");
-  const hasClientSecretIVColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientSecretIV");
-  const hasClientSecretTagColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientSecretTag");
-
-  const hasOidcConfigTable = await knex.schema.hasTable(TableName.OidcConfig);
-
-  if (hasOidcConfigTable) {
-    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
-      if (hasEncryptedClientIdColumn) t.text("encryptedClientId").nullable().alter();
-      if (hasClientIdIVColumn) t.string("clientIdIV").nullable().alter();
-      if (hasClientIdTagColumn) t.string("clientIdTag").nullable().alter();
-      if (hasEncryptedClientSecretColumn) t.text("encryptedClientSecret").nullable().alter();
-      if (hasClientSecretIVColumn) t.string("clientSecretIV").nullable().alter();
-      if (hasClientSecretTagColumn) t.string("clientSecretTag").nullable().alter();
-
-      if (!hasEncryptedOidcClientIdColumn) t.binary("encryptedOidcClientId");
-      if (!hasEncryptedOidcClientSecretColumn) t.binary("encryptedOidcClientSecret");
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const orgEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-
-  const oidcConfigs = await knex(TableName.OidcConfig)
-    .join(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.OidcConfig}.orgId`)
-    .select(selectAllTableCols(TableName.OidcConfig))
-    .select(
-      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot)
-    )
-    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
-
-  const updatedOidcConfigs = await Promise.all(
-    oidcConfigs.map(
-      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, ...el }) => {
-        let orgKmsService = orgEncryptionRingBuffer.getItem(el.orgId);
-        if (!orgKmsService) {
-          orgKmsService = await kmsService.createCipherPairWithDataKey(
-            {
-              type: KmsDataKey.Organization,
-              orgId: el.orgId
-            },
-            knex
-          );
-          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
-        }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
-
-        const decryptedClientId =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedClientId && el.clientIdIV && el.clientIdTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.clientIdIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.clientIdTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedClientId
-              })
-            : "";
-
-        const decryptedClientSecret =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedClientSecret && el.clientSecretIV && el.clientSecretTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.clientSecretIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.clientSecretTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedClientSecret
-              })
-            : "";
-
-        const encryptedOidcClientId = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedClientId)
-        }).cipherTextBlob;
-        const encryptedOidcClientSecret = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedClientSecret)
-        }).cipherTextBlob;
-        return { ...el, encryptedOidcClientId, encryptedOidcClientSecret };
-      }
-    )
-  );
-
-  for (let i = 0; i < updatedOidcConfigs.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.OidcConfig)
-      .insert(updatedOidcConfigs.slice(i, i + BATCH_SIZE))
-      .onConflict("id")
-      .merge();
-  }
-  if (hasOidcConfigTable) {
-    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
-      if (!hasEncryptedOidcClientIdColumn) t.binary("encryptedOidcClientId").notNullable().alter();
-      if (!hasEncryptedOidcClientSecretColumn) t.binary("encryptedOidcClientSecret").notNullable().alter();
-    });
-  }
-};
-
-export async function up(knex: Knex): Promise<void> {
-  await reencryptSamlConfig(knex);
-  await reencryptLdapConfig(knex);
-  await reencryptOidcConfig(knex);
-}
-
-const dropSamlConfigColumns = async (knex: Knex) => {
-  const hasEncryptedEntrypointColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlEntryPoint");
-  const hasEncryptedIssuerColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlIssuer");
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlCertificate");
-  const hasSamlConfigTable = await knex.schema.hasTable(TableName.SamlConfig);
-
-  if (hasSamlConfigTable) {
-    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
-      if (hasEncryptedEntrypointColumn) t.dropColumn("encryptedSamlEntryPoint");
-      if (hasEncryptedIssuerColumn) t.dropColumn("encryptedSamlIssuer");
-      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedSamlCertificate");
-    });
-  }
-};
-
-const dropLdapConfigColumns = async (knex: Knex) => {
-  const hasEncryptedBindDN = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindDN");
-  const hasEncryptedBindPass = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindPass");
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapCaCertificate");
-  const hasLdapConfigTable = await knex.schema.hasTable(TableName.LdapConfig);
-
-  if (hasLdapConfigTable) {
-    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
-      if (hasEncryptedBindDN) t.dropColumn("encryptedLdapBindDN");
-      if (hasEncryptedBindPass) t.dropColumn("encryptedLdapBindPass");
-      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedLdapCaCertificate");
-    });
-  }
-};
-
-const dropOidcConfigColumns = async (knex: Knex) => {
-  const hasEncryptedClientId = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedOidcClientId");
-  const hasEncryptedClientSecret = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedOidcClientSecret");
-  const hasOidcConfigTable = await knex.schema.hasTable(TableName.OidcConfig);
-
-  if (hasOidcConfigTable) {
-    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
-      if (hasEncryptedClientId) t.dropColumn("encryptedOidcClientId");
-      if (hasEncryptedClientSecret) t.dropColumn("encryptedOidcClientSecret");
-    });
-  }
-};
-
-export async function down(knex: Knex): Promise<void> {
-  await dropSamlConfigColumns(knex);
-  await dropLdapConfigColumns(knex);
-  await dropOidcConfigColumns(knex);
-}

backend/src/db/migrations/20250224015833_identity-profile.ts

@@ -1,53 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityProfile))) {
-    await knex.schema.createTable(TableName.IdentityProfile, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("userId");
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.uuid("identityId");
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-
-      t.text("temporalProfile").notNullable(); // access pattern or frequency
-      t.text("scopeProfile").notNullable(); // scope of usage - are they accessing development environment secrets. which paths? are they doing mainly admin work?
-      t.text("usageProfile").notNullable(); // method of usage
-
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.IdentityProfile);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.AutomatedSecurityReports))) {
-    await knex.schema.createTable(TableName.AutomatedSecurityReports, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("profileId").notNullable();
-      t.foreign("profileId").references("id").inTable(TableName.IdentityProfile).onDelete("CASCADE");
-
-      t.jsonb("event").notNullable();
-
-      t.string("remarks").notNullable();
-      t.string("severity").notNullable();
-      t.string("status").notNullable();
-
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.AutomatedSecurityReports);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityProfile);
-
-  await knex.schema.dropTableIfExists(TableName.AutomatedSecurityReports);
-}

backend/src/db/migrations/utils/env-config.ts

@@ -1,53 +0,0 @@
-import { z } from "zod";
-
-import { zpStr } from "@app/lib/zod";
-
-const envSchema = z
-  .object({
-    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
-      `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
-    ),
-    DB_ROOT_CERT: zpStr(z.string().describe("Postgres database base64-encoded CA cert").optional()),
-    DB_HOST: zpStr(z.string().describe("Postgres database host").optional()),
-    DB_PORT: zpStr(z.string().describe("Postgres database port").optional()).default("5432"),
-    DB_USER: zpStr(z.string().describe("Postgres database username").optional()),
-    DB_PASSWORD: zpStr(z.string().describe("Postgres database password").optional()),
-    DB_NAME: zpStr(z.string().describe("Postgres database name").optional()),
-    // TODO(akhilmhdh): will be changed to one
-    ENCRYPTION_KEY: zpStr(z.string().optional()),
-    ROOT_ENCRYPTION_KEY: zpStr(z.string().optional()),
-    // HSM
-    HSM_LIB_PATH: zpStr(z.string().optional()),
-    HSM_PIN: zpStr(z.string().optional()),
-    HSM_KEY_LABEL: zpStr(z.string().optional()),
-    HSM_SLOT: z.coerce.number().optional().default(0)
-  })
-  // To ensure that basic encryption is always possible.
-  .refine(
-    (data) => Boolean(data.ENCRYPTION_KEY) || Boolean(data.ROOT_ENCRYPTION_KEY),
-    "Either ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY must be defined."
-  )
-  .transform((data) => ({
-    ...data,
-    isHsmConfigured:
-      Boolean(data.HSM_LIB_PATH) && Boolean(data.HSM_PIN) && Boolean(data.HSM_KEY_LABEL) && data.HSM_SLOT !== undefined
-  }));
-
-export type TMigrationEnvConfig = z.infer<typeof envSchema>;
-
-export const getMigrationEnvConfig = () => {
-  const parsedEnv = envSchema.safeParse(process.env);
-  if (!parsedEnv.success) {
-    // eslint-disable-next-line no-console
-    console.error("Invalid environment variables. Check the error below");
-    // eslint-disable-next-line no-console
-    console.error(
-      "Infisical now automatically runs database migrations during boot up, so you no longer need to run them separately."
-    );
-    // eslint-disable-next-line no-console
-    console.error(parsedEnv.error.issues);
-    process.exit(-1);
-  }
-
-  return Object.freeze(parsedEnv.data);
-};

backend/src/db/migrations/utils/kms.ts

@@ -0,0 +1,105 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { randomSecureBytes } from "@app/lib/crypto";
+import { symmetricCipherService, SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+const getInstanceRootKey = async (knex: Knex) => {
+  const encryptionKey = process.env.ENCRYPTION_KEY || process.env.ROOT_ENCRYPTION_KEY;
+  // if root key its base64 encoded
+  const isBase64 = !process.env.ENCRYPTION_KEY;
+  if (!encryptionKey) throw new Error("ENCRYPTION_KEY variable needed for migration");
+  const encryptionKeyBuffer = Buffer.from(encryptionKey, isBase64 ? "base64" : "utf8");
+
+  const KMS_ROOT_CONFIG_UUID = "00000000-0000-0000-0000-000000000000";
+  const kmsRootConfig = await knex(TableName.KmsServerRootConfig).where({ id: KMS_ROOT_CONFIG_UUID }).first();
+  const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+  if (kmsRootConfig) {
+    const decryptedRootKey = cipher.decrypt(kmsRootConfig.encryptedRootKey, encryptionKeyBuffer);
+    // set the flag so that other instancen nodes can start
+    return decryptedRootKey;
+  }
+
+  const newRootKey = randomSecureBytes(32);
+  const encryptedRootKey = cipher.encrypt(newRootKey, encryptionKeyBuffer);
+  await knex(TableName.KmsServerRootConfig).insert({
+    encryptedRootKey,
+    // eslint-disable-next-line
+    // @ts-ignore id is kept as fixed for idempotence and to avoid race condition
+    id: KMS_ROOT_CONFIG_UUID
+  });
+  return encryptedRootKey;
+};
+
+export const getSecretManagerDataKey = async (knex: Knex, projectId: string) => {
+  const KMS_VERSION = "v01";
+  const KMS_VERSION_BLOB_LENGTH = 3;
+  const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+  const project = await knex(TableName.Project).where({ id: projectId }).first();
+  if (!project) throw new Error("Missing project id");
+
+  const ROOT_ENCRYPTION_KEY = await getInstanceRootKey(knex);
+
+  let secretManagerKmsKey;
+  const projectSecretManagerKmsId = project?.kmsSecretManagerKeyId;
+  if (projectSecretManagerKmsId) {
+    const kmsDoc = await knex(TableName.KmsKey)
+      .leftJoin(TableName.InternalKms, `${TableName.KmsKey}.id`, `${TableName.InternalKms}.kmsKeyId`)
+      .where({ [`${TableName.KmsKey}.id` as "id"]: projectSecretManagerKmsId })
+      .first();
+    if (!kmsDoc) throw new Error("missing kms");
+    secretManagerKmsKey = cipher.decrypt(kmsDoc.encryptedKey, ROOT_ENCRYPTION_KEY);
+  } else {
+    const [kmsDoc] = await knex(TableName.KmsKey)
+      .insert({
+        name: slugify(alphaNumericNanoId(8).toLowerCase()),
+        orgId: project.orgId,
+        isReserved: false
+      })
+      .returning("*");
+
+    secretManagerKmsKey = randomSecureBytes(32);
+    const encryptedKeyMaterial = cipher.encrypt(secretManagerKmsKey, ROOT_ENCRYPTION_KEY);
+    await knex(TableName.InternalKms).insert({
+      version: 1,
+      encryptedKey: encryptedKeyMaterial,
+      encryptionAlgorithm: SymmetricEncryption.AES_GCM_256,
+      kmsKeyId: kmsDoc.id
+    });
+  }
+
+  const encryptedSecretManagerDataKey = project?.kmsSecretManagerEncryptedDataKey;
+  let dataKey: Buffer;
+  if (!encryptedSecretManagerDataKey) {
+    dataKey = randomSecureBytes();
+    // the below versioning we do it automatically in kms service
+    const unversionedDataKey = cipher.encrypt(dataKey, secretManagerKmsKey);
+    const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
+    await knex(TableName.Project)
+      .where({ id: projectId })
+      .update({
+        kmsSecretManagerEncryptedDataKey: Buffer.concat([unversionedDataKey, versionBlob])
+      });
+  } else {
+    const cipherTextBlob = encryptedSecretManagerDataKey.subarray(0, -KMS_VERSION_BLOB_LENGTH);
+    dataKey = cipher.decrypt(cipherTextBlob, secretManagerKmsKey);
+  }
+
+  return {
+    encryptor: ({ plainText }: { plainText: Buffer }) => {
+      const encryptedPlainTextBlob = cipher.encrypt(plainText, dataKey);
+
+      // Buffer#1 encrypted text + Buffer#2 version number
+      const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
+      const cipherTextBlob = Buffer.concat([encryptedPlainTextBlob, versionBlob]);
+      return { cipherTextBlob };
+    },
+    decryptor: ({ cipherTextBlob: versionedCipherTextBlob }: { cipherTextBlob: Buffer }) => {
+      const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
+      const decryptedBlob = cipher.decrypt(cipherTextBlob, dataKey);
+      return decryptedBlob;
+    }
+  };
+};

backend/src/db/migrations/utils/ring-buffer.ts

@@ -1,19 +0,0 @@
-export const createCircularCache = <T>(bufferSize = 10) => {
-  const bufferItems: { id: string; item: T }[] = [];
-  let bufferIndex = 0;
-
-  const push = (id: string, item: T) => {
-    if (bufferItems.length < bufferSize) {
-      bufferItems.push({ id, item });
-    } else {
-      bufferItems[bufferIndex] = { id, item };
-    }
-    bufferIndex = (bufferIndex + 1) % bufferSize;
-  };
-
-  const getItem = (id: string) => {
-    return bufferItems.find((i) => i.id === id)?.item;
-  };
-
-  return { push, getItem };
-};

backend/src/db/migrations/utils/services.ts

@@ -1,52 +0,0 @@
-import { Knex } from "knex";
-
-import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
-import { hsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
-import { TKeyStoreFactory } from "@app/keystore/keystore";
-import { internalKmsDALFactory } from "@app/services/kms/internal-kms-dal";
-import { kmskeyDALFactory } from "@app/services/kms/kms-key-dal";
-import { kmsRootConfigDALFactory } from "@app/services/kms/kms-root-config-dal";
-import { kmsServiceFactory } from "@app/services/kms/kms-service";
-import { orgDALFactory } from "@app/services/org/org-dal";
-import { projectDALFactory } from "@app/services/project/project-dal";
-
-import { TMigrationEnvConfig } from "./env-config";
-
-type TDependencies = {
-  envConfig: TMigrationEnvConfig;
-  db: Knex;
-  keyStore: TKeyStoreFactory;
-};
-
-export const getMigrationEncryptionServices = async ({ envConfig, db, keyStore }: TDependencies) => {
-  // eslint-disable-next-line no-param-reassign
-  const hsmModule = initializeHsmModule(envConfig);
-  hsmModule.initialize();
-
-  const hsmService = hsmServiceFactory({
-    hsmModule: hsmModule.getModule(),
-    envConfig
-  });
-
-  const orgDAL = orgDALFactory(db);
-  const kmsRootConfigDAL = kmsRootConfigDALFactory(db);
-  const kmsDAL = kmskeyDALFactory(db);
-  const internalKmsDAL = internalKmsDALFactory(db);
-  const projectDAL = projectDALFactory(db);
-
-  const kmsService = kmsServiceFactory({
-    kmsRootConfigDAL,
-    keyStore,
-    kmsDAL,
-    internalKmsDAL,
-    orgDAL,
-    projectDAL,
-    hsmService,
-    envConfig
-  });
-
-  await hsmService.startService();
-  await kmsService.startService();
-
-  return { kmsService };
-};

backend/src/db/rename-migrations-to-mjs.ts

@@ -1,56 +0,0 @@
-import path from "node:path";
-
-import dotenv from "dotenv";
-
-import { initAuditLogDbConnection, initDbConnection } from "./instance";
-
-const isProduction = process.env.NODE_ENV === "production";
-
-// Update with your config settings. .
-dotenv.config({
-  path: path.join(__dirname, "../../../.env.migration")
-});
-dotenv.config({
-  path: path.join(__dirname, "../../../.env")
-});
-
-const runRename = async () => {
-  if (!isProduction) return;
-  const migrationTable = "infisical_migrations";
-  const applicationDb = initDbConnection({
-    dbConnectionUri: process.env.DB_CONNECTION_URI as string,
-    dbRootCert: process.env.DB_ROOT_CERT
-  });
-
-  const auditLogDb = process.env.AUDIT_LOGS_DB_CONNECTION_URI
-    ? initAuditLogDbConnection({
-        dbConnectionUri: process.env.AUDIT_LOGS_DB_CONNECTION_URI,
-        dbRootCert: process.env.AUDIT_LOGS_DB_ROOT_CERT
-      })
-    : undefined;
-
-  const hasMigrationTable = await applicationDb.schema.hasTable(migrationTable);
-  if (hasMigrationTable) {
-    const firstFile = (await applicationDb(migrationTable).where({}).first()) as { name: string };
-    if (firstFile?.name?.includes(".ts")) {
-      await applicationDb(migrationTable).update({
-        name: applicationDb.raw("REPLACE(name, '.ts', '.mjs')")
-      });
-    }
-  }
-  if (auditLogDb) {
-    const hasMigrationTableInAuditLog = await auditLogDb.schema.hasTable(migrationTable);
-    if (hasMigrationTableInAuditLog) {
-      const firstFile = (await auditLogDb(migrationTable).where({}).first()) as { name: string };
-      if (firstFile?.name?.includes(".ts")) {
-        await auditLogDb(migrationTable).update({
-          name: auditLogDb.raw("REPLACE(name, '.ts', '.mjs')")
-        });
-      }
-    }
-  }
-  await applicationDb.destroy();
-  await auditLogDb?.destroy();
-};
-
-void runRename();

backend/src/db/schemas/automated-security-reports.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AutomatedSecurityReportsSchema = z.object({
-  id: z.string().uuid(),
-  profileId: z.string().uuid(),
-  event: z.unknown(),
-  remarks: z.string(),
-  severity: z.string(),
-  status: z.string(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAutomatedSecurityReports = z.infer<typeof AutomatedSecurityReportsSchema>;
-export type TAutomatedSecurityReportsInsert = Omit<z.input<typeof AutomatedSecurityReportsSchema>, TImmutableDBKeys>;
-export type TAutomatedSecurityReportsUpdate = Partial<
-  Omit<z.input<typeof AutomatedSecurityReportsSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/dynamic-secrets.ts

@@ -5,8 +5,6 @@
 
 import { z } from "zod";
 
-import { zodBuffer } from "@app/lib/zod";
-
 import { TImmutableDBKeys } from "./models";
 
 export const DynamicSecretsSchema = z.object({
@@ -16,17 +14,16 @@ export const DynamicSecretsSchema = z.object({
   type: z.string(),
   defaultTTL: z.string(),
   maxTTL: z.string().nullable().optional(),
-  inputIV: z.string().nullable().optional(),
-  inputCiphertext: z.string().nullable().optional(),
-  inputTag: z.string().nullable().optional(),
+  inputIV: z.string(),
+  inputCiphertext: z.string(),
+  inputTag: z.string(),
   algorithm: z.string().default("aes-256-gcm"),
   keyEncoding: z.string().default("utf8"),
   folderId: z.string().uuid(),
   status: z.string().nullable().optional(),
   statusDetails: z.string().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  encryptedInput: zodBuffer
+  updatedAt: z.date()
 });
 
 export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;

backend/src/db/schemas/identity-gcp-auths.ts

@@ -17,9 +17,9 @@ export const IdentityGcpAuthsSchema = z.object({
   updatedAt: z.date(),
   identityId: z.string().uuid(),
   type: z.string(),
-  allowedServiceAccounts: z.string().nullable().optional(),
-  allowedProjects: z.string().nullable().optional(),
-  allowedZones: z.string().nullable().optional()
+  allowedServiceAccounts: z.string(),
+  allowedProjects: z.string(),
+  allowedZones: z.string()
 });
 
 export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -5,8 +5,6 @@
 
 import { z } from "zod";
 
-import { zodBuffer } from "@app/lib/zod";
-
 import { TImmutableDBKeys } from "./models";
 
 export const IdentityKubernetesAuthsSchema = z.object({
@@ -19,17 +17,15 @@ export const IdentityKubernetesAuthsSchema = z.object({
   updatedAt: z.date(),
   identityId: z.string().uuid(),
   kubernetesHost: z.string(),
-  encryptedCaCert: z.string().nullable().optional(),
-  caCertIV: z.string().nullable().optional(),
-  caCertTag: z.string().nullable().optional(),
-  encryptedTokenReviewerJwt: z.string().nullable().optional(),
-  tokenReviewerJwtIV: z.string().nullable().optional(),
-  tokenReviewerJwtTag: z.string().nullable().optional(),
+  encryptedCaCert: z.string(),
+  caCertIV: z.string(),
+  caCertTag: z.string(),
+  encryptedTokenReviewerJwt: z.string(),
+  tokenReviewerJwtIV: z.string(),
+  tokenReviewerJwtTag: z.string(),
   allowedNamespaces: z.string(),
   allowedNames: z.string(),
-  allowedAudience: z.string(),
-  encryptedKubernetesTokenReviewerJwt: zodBuffer,
-  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional()
+  allowedAudience: z.string()
 });
 
 export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;

backend/src/db/schemas/identity-oidc-auths.ts

@@ -5,8 +5,6 @@
 
 import { z } from "zod";
 
-import { zodBuffer } from "@app/lib/zod";
-
 import { TImmutableDBKeys } from "./models";
 
 export const IdentityOidcAuthsSchema = z.object({
@@ -17,16 +15,15 @@ export const IdentityOidcAuthsSchema = z.object({
   accessTokenTrustedIps: z.unknown(),
   identityId: z.string().uuid(),
   oidcDiscoveryUrl: z.string(),
-  encryptedCaCert: z.string().nullable().optional(),
-  caCertIV: z.string().nullable().optional(),
-  caCertTag: z.string().nullable().optional(),
+  encryptedCaCert: z.string(),
+  caCertIV: z.string(),
+  caCertTag: z.string(),
   boundIssuer: z.string(),
   boundAudiences: z.string(),
   boundClaims: z.unknown(),
   boundSubject: z.string().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  encryptedCaCertificate: zodBuffer.nullable().optional()
+  updatedAt: z.date()
 });
 
 export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>;

backend/src/db/schemas/identity-profile.ts

@@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityProfileSchema = z.object({
-  id: z.string().uuid(),
-  userId: z.string().uuid().nullable().optional(),
-  identityId: z.string().uuid().nullable().optional(),
-  temporalProfile: z.string(),
-  scopeProfile: z.string(),
-  usageProfile: z.string(),
-  orgId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TIdentityProfile = z.infer<typeof IdentityProfileSchema>;
-export type TIdentityProfileInsert = Omit<z.input<typeof IdentityProfileSchema>, TImmutableDBKeys>;
-export type TIdentityProfileUpdate = Partial<Omit<z.input<typeof IdentityProfileSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/index.ts

@@ -7,7 +7,6 @@ export * from "./audit-log-streams";
 export * from "./audit-logs";
 export * from "./auth-token-sessions";
 export * from "./auth-tokens";
-export * from "./automated-security-reports";
 export * from "./backup-private-key";
 export * from "./certificate-authorities";
 export * from "./certificate-authority-certs";
@@ -36,7 +35,6 @@ export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";
 export * from "./identity-oidc-auths";
 export * from "./identity-org-memberships";
-export * from "./identity-profile";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";
 export * from "./identity-project-memberships";
@@ -47,10 +45,6 @@ export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
 export * from "./internal-kms";
-export * from "./kmip-client-certificates";
-export * from "./kmip-clients";
-export * from "./kmip-org-configs";
-export * from "./kmip-org-server-certificates";
 export * from "./kms-key-versions";
 export * from "./kms-keys";
 export * from "./kms-root-config";
@@ -77,7 +71,6 @@ export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./rate-limit";
-export * from "./resource-metadata";
 export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";

backend/src/db/schemas/kmip-client-certificates.ts

@@ -1,23 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const KmipClientCertificatesSchema = z.object({
-  id: z.string().uuid(),
-  kmipClientId: z.string().uuid(),
-  serialNumber: z.string(),
-  keyAlgorithm: z.string(),
-  issuedAt: z.date(),
-  expiration: z.date()
-});
-
-export type TKmipClientCertificates = z.infer<typeof KmipClientCertificatesSchema>;
-export type TKmipClientCertificatesInsert = Omit<z.input<typeof KmipClientCertificatesSchema>, TImmutableDBKeys>;
-export type TKmipClientCertificatesUpdate = Partial<
-  Omit<z.input<typeof KmipClientCertificatesSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/kmip-clients.ts

@@ -1,20 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const KmipClientsSchema = z.object({
-  id: z.string().uuid(),
-  name: z.string(),
-  permissions: z.string().array().nullable().optional(),
-  description: z.string().nullable().optional(),
-  projectId: z.string()
-});
-
-export type TKmipClients = z.infer<typeof KmipClientsSchema>;
-export type TKmipClientsInsert = Omit<z.input<typeof KmipClientsSchema>, TImmutableDBKeys>;
-export type TKmipClientsUpdate = Partial<Omit<z.input<typeof KmipClientsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/kmip-org-configs.ts

@@ -1,39 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const KmipOrgConfigsSchema = z.object({
-  id: z.string().uuid(),
-  orgId: z.string().uuid(),
-  caKeyAlgorithm: z.string(),
-  rootCaIssuedAt: z.date(),
-  rootCaExpiration: z.date(),
-  rootCaSerialNumber: z.string(),
-  encryptedRootCaCertificate: zodBuffer,
-  encryptedRootCaPrivateKey: zodBuffer,
-  serverIntermediateCaIssuedAt: z.date(),
-  serverIntermediateCaExpiration: z.date(),
-  serverIntermediateCaSerialNumber: z.string().nullable().optional(),
-  encryptedServerIntermediateCaCertificate: zodBuffer,
-  encryptedServerIntermediateCaChain: zodBuffer,
-  encryptedServerIntermediateCaPrivateKey: zodBuffer,
-  clientIntermediateCaIssuedAt: z.date(),
-  clientIntermediateCaExpiration: z.date(),
-  clientIntermediateCaSerialNumber: z.string(),
-  encryptedClientIntermediateCaCertificate: zodBuffer,
-  encryptedClientIntermediateCaChain: zodBuffer,
-  encryptedClientIntermediateCaPrivateKey: zodBuffer,
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TKmipOrgConfigs = z.infer<typeof KmipOrgConfigsSchema>;
-export type TKmipOrgConfigsInsert = Omit<z.input<typeof KmipOrgConfigsSchema>, TImmutableDBKeys>;
-export type TKmipOrgConfigsUpdate = Partial<Omit<z.input<typeof KmipOrgConfigsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/kmip-org-server-certificates.ts

@@ -1,29 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const KmipOrgServerCertificatesSchema = z.object({
-  id: z.string().uuid(),
-  orgId: z.string().uuid(),
-  commonName: z.string(),
-  altNames: z.string(),
-  serialNumber: z.string(),
-  keyAlgorithm: z.string(),
-  issuedAt: z.date(),
-  expiration: z.date(),
-  encryptedCertificate: zodBuffer,
-  encryptedChain: zodBuffer
-});
-
-export type TKmipOrgServerCertificates = z.infer<typeof KmipOrgServerCertificatesSchema>;
-export type TKmipOrgServerCertificatesInsert = Omit<z.input<typeof KmipOrgServerCertificatesSchema>, TImmutableDBKeys>;
-export type TKmipOrgServerCertificatesUpdate = Partial<
-  Omit<z.input<typeof KmipOrgServerCertificatesSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/kms-keys.ts

@@ -16,7 +16,8 @@ export const KmsKeysSchema = z.object({
   name: z.string(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  projectId: z.string().nullable().optional()
+  projectId: z.string().nullable().optional(),
+  slug: z.string().nullable().optional()
 });
 
 export type TKmsKeys = z.infer<typeof KmsKeysSchema>;

backend/src/db/schemas/ldap-configs.ts

@@ -5,8 +5,6 @@
 
 import { z } from "zod";
 
-import { zodBuffer } from "@app/lib/zod";
-
 import { TImmutableDBKeys } from "./models";
 
 export const LdapConfigsSchema = z.object({
@@ -14,25 +12,22 @@ export const LdapConfigsSchema = z.object({
   orgId: z.string().uuid(),
   isActive: z.boolean(),
   url: z.string(),
-  encryptedBindDN: z.string().nullable().optional(),
-  bindDNIV: z.string().nullable().optional(),
-  bindDNTag: z.string().nullable().optional(),
-  encryptedBindPass: z.string().nullable().optional(),
-  bindPassIV: z.string().nullable().optional(),
-  bindPassTag: z.string().nullable().optional(),
+  encryptedBindDN: z.string(),
+  bindDNIV: z.string(),
+  bindDNTag: z.string(),
+  encryptedBindPass: z.string(),
+  bindPassIV: z.string(),
+  bindPassTag: z.string(),
   searchBase: z.string(),
-  encryptedCACert: z.string().nullable().optional(),
-  caCertIV: z.string().nullable().optional(),
-  caCertTag: z.string().nullable().optional(),
+  encryptedCACert: z.string(),
+  caCertIV: z.string(),
+  caCertTag: z.string(),
   createdAt: z.date(),
   updatedAt: z.date(),
   groupSearchBase: z.string().default(""),
   groupSearchFilter: z.string().default(""),
   searchFilter: z.string().default(""),
-  uniqueUserAttribute: z.string().default(""),
-  encryptedLdapBindDN: zodBuffer,
-  encryptedLdapBindPass: zodBuffer,
-  encryptedLdapCaCertificate: zodBuffer.nullable().optional()
+  uniqueUserAttribute: z.string().default("")
 });
 
 export type TLdapConfigs = z.infer<typeof LdapConfigsSchema>;

backend/src/db/schemas/models.ts

@@ -80,9 +80,6 @@ export enum TableName {
   IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
   // used by both identity and users
   IdentityMetadata = "identity_metadata",
-  IdentityProfile = "identity_profile",
-  AutomatedSecurityReports = "automated_security_reports",
-  ResourceMetadata = "resource_metadata",
   ScimToken = "scim_tokens",
   AccessApprovalPolicy = "access_approval_policies",
   AccessApprovalPolicyApprover = "access_approval_policies_approvers",
@@ -133,12 +130,7 @@ export enum TableName {
   WorkflowIntegrations = "workflow_integrations",
   SlackIntegrations = "slack_integrations",
   ProjectSlackConfigs = "project_slack_configs",
-  AppConnection = "app_connections",
-  SecretSync = "secret_syncs",
-  KmipClient = "kmip_clients",
-  KmipOrgConfig = "kmip_org_configs",
-  KmipOrgServerCertificates = "kmip_org_server_certificates",
-  KmipClientCertificates = "kmip_client_certificates"
+  AppConnection = "app_connections"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
@@ -222,12 +214,3 @@ export enum ProjectType {
   KMS = "kms",
   SSH = "ssh"
 }
-
-export enum ActionProjectType {
-  SecretManager = ProjectType.SecretManager,
-  CertificateManager = ProjectType.CertificateManager,
-  KMS = ProjectType.KMS,
-  SSH = ProjectType.SSH,
-  // project operations that happen on all types
-  Any = "any"
-}

backend/src/db/schemas/oidc-configs.ts

@@ -5,8 +5,6 @@
 
 import { z } from "zod";
 
-import { zodBuffer } from "@app/lib/zod";
-
 import { TImmutableDBKeys } from "./models";
 
 export const OidcConfigsSchema = z.object({
@@ -17,22 +15,19 @@ export const OidcConfigsSchema = z.object({
   jwksUri: z.string().nullable().optional(),
   tokenEndpoint: z.string().nullable().optional(),
   userinfoEndpoint: z.string().nullable().optional(),
-  encryptedClientId: z.string().nullable().optional(),
+  encryptedClientId: z.string(),
   configurationType: z.string(),
-  clientIdIV: z.string().nullable().optional(),
-  clientIdTag: z.string().nullable().optional(),
-  encryptedClientSecret: z.string().nullable().optional(),
-  clientSecretIV: z.string().nullable().optional(),
-  clientSecretTag: z.string().nullable().optional(),
+  clientIdIV: z.string(),
+  clientIdTag: z.string(),
+  encryptedClientSecret: z.string(),
+  clientSecretIV: z.string(),
+  clientSecretTag: z.string(),
   allowedEmailDomains: z.string().nullable().optional(),
   isActive: z.boolean(),
   createdAt: z.date(),
   updatedAt: z.date(),
   orgId: z.string().uuid(),
-  lastUsed: z.date().nullable().optional(),
-  manageGroupMemberships: z.boolean().default(false),
-  encryptedOidcClientId: zodBuffer,
-  encryptedOidcClientSecret: zodBuffer
+  lastUsed: z.date().nullable().optional()
 });
 
 export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;

backend/src/db/schemas/projects.ts

@@ -13,7 +13,7 @@ export const ProjectsSchema = z.object({
   id: z.string(),
   name: z.string(),
   slug: z.string(),
-  autoCapitalization: z.boolean().default(false).nullable().optional(),
+  autoCapitalization: z.boolean().default(true).nullable().optional(),
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
@@ -25,8 +25,7 @@ export const ProjectsSchema = z.object({
   kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
   kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
   description: z.string().nullable().optional(),
-  type: z.string(),
-  enforceCapitalization: z.boolean().default(false)
+  type: z.string()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/resource-metadata.ts

@@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ResourceMetadataSchema = z.object({
-  id: z.string().uuid(),
-  key: z.string(),
-  value: z.string(),
-  orgId: z.string().uuid(),
-  userId: z.string().uuid().nullable().optional(),
-  identityId: z.string().uuid().nullable().optional(),
-  secretId: z.string().uuid().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TResourceMetadata = z.infer<typeof ResourceMetadataSchema>;
-export type TResourceMetadataInsert = Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>;
-export type TResourceMetadataUpdate = Partial<Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/saml-configs.ts

@@ -5,8 +5,6 @@
 
 import { z } from "zod";
 
-import { zodBuffer } from "@app/lib/zod";
-
 import { TImmutableDBKeys } from "./models";
 
 export const SamlConfigsSchema = z.object({
@@ -25,10 +23,7 @@ export const SamlConfigsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   orgId: z.string().uuid(),
-  lastUsed: z.date().nullable().optional(),
-  encryptedSamlEntryPoint: zodBuffer,
-  encryptedSamlIssuer: zodBuffer,
-  encryptedSamlCertificate: zodBuffer
+  lastUsed: z.date().nullable().optional()
 });
 
 export type TSamlConfigs = z.infer<typeof SamlConfigsSchema>;

backend/src/db/schemas/secret-approval-requests-secrets-v2.ts

@@ -24,8 +24,7 @@ export const SecretApprovalRequestsSecretsV2Schema = z.object({
   requestId: z.string().uuid(),
   op: z.string(),
   secretId: z.string().uuid().nullable().optional(),
-  secretVersion: z.string().uuid().nullable().optional(),
-  secretMetadata: z.unknown().nullable().optional()
+  secretVersion: z.string().uuid().nullable().optional()
 });
 
 export type TSecretApprovalRequestsSecretsV2 = z.infer<typeof SecretApprovalRequestsSecretsV2Schema>;

backend/src/db/schemas/secret-rotations.ts

@@ -5,8 +5,6 @@
 
 import { z } from "zod";
 
-import { zodBuffer } from "@app/lib/zod";
-
 import { TImmutableDBKeys } from "./models";
 
 export const SecretRotationsSchema = z.object({
@@ -24,8 +22,7 @@ export const SecretRotationsSchema = z.object({
   keyEncoding: z.string().nullable().optional(),
   envId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  encryptedRotationData: zodBuffer
+  updatedAt: z.date()
 });
 
 export type TSecretRotations = z.infer<typeof SecretRotationsSchema>;

backend/src/db/schemas/secret-syncs.ts

@@ -1,40 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretSyncsSchema = z.object({
-  id: z.string().uuid(),
-  name: z.string(),
-  description: z.string().nullable().optional(),
-  destination: z.string(),
-  isAutoSyncEnabled: z.boolean().default(true),
-  version: z.number().default(1),
-  destinationConfig: z.unknown(),
-  syncOptions: z.unknown(),
-  projectId: z.string(),
-  folderId: z.string().uuid().nullable().optional(),
-  connectionId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  syncStatus: z.string().nullable().optional(),
-  lastSyncJobId: z.string().nullable().optional(),
-  lastSyncMessage: z.string().nullable().optional(),
-  lastSyncedAt: z.date().nullable().optional(),
-  importStatus: z.string().nullable().optional(),
-  lastImportJobId: z.string().nullable().optional(),
-  lastImportMessage: z.string().nullable().optional(),
-  lastImportedAt: z.date().nullable().optional(),
-  removeStatus: z.string().nullable().optional(),
-  lastRemoveJobId: z.string().nullable().optional(),
-  lastRemoveMessage: z.string().nullable().optional(),
-  lastRemovedAt: z.date().nullable().optional()
-});
-
-export type TSecretSyncs = z.infer<typeof SecretSyncsSchema>;
-export type TSecretSyncsInsert = Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>;
-export type TSecretSyncsUpdate = Partial<Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/webhooks.ts

@@ -5,14 +5,12 @@
 
 import { z } from "zod";
 
-import { zodBuffer } from "@app/lib/zod";
-
 import { TImmutableDBKeys } from "./models";
 
 export const WebhooksSchema = z.object({
   id: z.string().uuid(),
   secretPath: z.string().default("/"),
-  url: z.string().nullable().optional(),
+  url: z.string(),
   lastStatus: z.string().nullable().optional(),
   lastRunErrorMessage: z.string().nullable().optional(),
   isDisabled: z.boolean().default(false),
@@ -27,9 +25,7 @@ export const WebhooksSchema = z.object({
   urlCipherText: z.string().nullable().optional(),
   urlIV: z.string().nullable().optional(),
   urlTag: z.string().nullable().optional(),
-  type: z.string().default("general").nullable().optional(),
-  encryptedPassKey: zodBuffer.nullable().optional(),
-  encryptedUrl: zodBuffer
+  type: z.string().default("general").nullable().optional()
 });
 
 export type TWebhooks = z.infer<typeof WebhooksSchema>;

backend/src/ee/routes/v1/index.ts

@@ -9,8 +9,6 @@ import { registerDynamicSecretRouter } from "./dynamic-secret-router";
 import { registerExternalKmsRouter } from "./external-kms-router";
 import { registerGroupRouter } from "./group-router";
 import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
-import { registerKmipRouter } from "./kmip-router";
-import { registerKmipSpecRouter } from "./kmip-spec-router";
 import { registerLdapRouter } from "./ldap-router";
 import { registerLicenseRouter } from "./license-router";
 import { registerOidcRouter } from "./oidc-router";
@@ -24,7 +22,6 @@ import { registerSecretApprovalPolicyRouter } from "./secret-approval-policy-rou
 import { registerSecretApprovalRequestRouter } from "./secret-approval-request-router";
 import { registerSecretRotationProviderRouter } from "./secret-rotation-provider-router";
 import { registerSecretRotationRouter } from "./secret-rotation-router";
-import { registerSecretRouter } from "./secret-router";
 import { registerSecretScanningRouter } from "./secret-scanning-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
 import { registerSnapshotRouter } from "./snapshot-router";
@@ -95,7 +92,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerLdapRouter, { prefix: "/ldap" });
   await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
   await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
-  await server.register(registerSecretRouter, { prefix: "/secrets" });
   await server.register(registerSecretVersionRouter, { prefix: "/secret" });
   await server.register(registerGroupRouter, { prefix: "/groups" });
   await server.register(registerAuditLogStreamRouter, { prefix: "/audit-log-streams" });
@@ -112,12 +108,4 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   });
 
   await server.register(registerProjectTemplateRouter, { prefix: "/project-templates" });
-
-  await server.register(
-    async (kmipRouter) => {
-      await kmipRouter.register(registerKmipRouter);
-      await kmipRouter.register(registerKmipSpecRouter, { prefix: "/spec" });
-    },
-    { prefix: "/kmip" }
-  );
 };

backend/src/ee/routes/v1/kmip-router.ts

@@ -1,428 +0,0 @@
-import ms from "ms";
-import { z } from "zod";
-
-import { KmipClientsSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { KmipPermission } from "@app/ee/services/kmip/kmip-enum";
-import { KmipClientOrderBy } from "@app/ee/services/kmip/kmip-types";
-import { OrderByDirection } from "@app/lib/types";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
-import { validateAltNamesField } from "@app/services/certificate-authority/certificate-authority-validators";
-
-const KmipClientResponseSchema = KmipClientsSchema.pick({
-  projectId: true,
-  name: true,
-  id: true,
-  description: true,
-  permissions: true
-});
-
-export const registerKmipRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/clients",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      body: z.object({
-        projectId: z.string(),
-        name: z.string().trim().min(1),
-        description: z.string().optional(),
-        permissions: z.nativeEnum(KmipPermission).array()
-      }),
-      response: {
-        200: KmipClientResponseSchema
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const kmipClient = await server.services.kmip.createKmipClient({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        projectId: kmipClient.projectId,
-        event: {
-          type: EventType.CREATE_KMIP_CLIENT,
-          metadata: {
-            id: kmipClient.id,
-            name: kmipClient.name,
-            permissions: (kmipClient.permissions ?? []) as KmipPermission[]
-          }
-        }
-      });
-
-      return kmipClient;
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/clients/:id",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      params: z.object({
-        id: z.string()
-      }),
-      body: z.object({
-        name: z.string().trim().min(1),
-        description: z.string().optional(),
-        permissions: z.nativeEnum(KmipPermission).array()
-      }),
-      response: {
-        200: KmipClientResponseSchema
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const kmipClient = await server.services.kmip.updateKmipClient({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.params,
-        ...req.body
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        projectId: kmipClient.projectId,
-        event: {
-          type: EventType.UPDATE_KMIP_CLIENT,
-          metadata: {
-            id: kmipClient.id,
-            name: kmipClient.name,
-            permissions: (kmipClient.permissions ?? []) as KmipPermission[]
-          }
-        }
-      });
-
-      return kmipClient;
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/clients/:id",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      params: z.object({
-        id: z.string()
-      }),
-      response: {
-        200: KmipClientResponseSchema
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const kmipClient = await server.services.kmip.deleteKmipClient({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.params
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        projectId: kmipClient.projectId,
-        event: {
-          type: EventType.DELETE_KMIP_CLIENT,
-          metadata: {
-            id: kmipClient.id
-          }
-        }
-      });
-
-      return kmipClient;
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/clients/:id",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        id: z.string()
-      }),
-      response: {
-        200: KmipClientResponseSchema
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const kmipClient = await server.services.kmip.getKmipClient({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.params
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        projectId: kmipClient.projectId,
-        event: {
-          type: EventType.GET_KMIP_CLIENT,
-          metadata: {
-            id: kmipClient.id
-          }
-        }
-      });
-
-      return kmipClient;
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/clients",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "List KMIP clients",
-      querystring: z.object({
-        projectId: z.string(),
-        offset: z.coerce.number().min(0).optional().default(0),
-        limit: z.coerce.number().min(1).max(100).optional().default(100),
-        orderBy: z.nativeEnum(KmipClientOrderBy).optional().default(KmipClientOrderBy.Name),
-        orderDirection: z.nativeEnum(OrderByDirection).optional().default(OrderByDirection.ASC),
-        search: z.string().trim().optional()
-      }),
-      response: {
-        200: z.object({
-          kmipClients: KmipClientResponseSchema.array(),
-          totalCount: z.number()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { kmipClients, totalCount } = await server.services.kmip.listKmipClientsByProjectId({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.query
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: req.query.projectId,
-        event: {
-          type: EventType.GET_KMIP_CLIENTS,
-          metadata: {
-            ids: kmipClients.map((key) => key.id)
-          }
-        }
-      });
-
-      return { kmipClients, totalCount };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/clients/:id/certificates",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      params: z.object({
-        id: z.string()
-      }),
-      body: z.object({
-        keyAlgorithm: z.nativeEnum(CertKeyAlgorithm),
-        ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number")
-      }),
-      response: {
-        200: z.object({
-          serialNumber: z.string(),
-          certificateChain: z.string(),
-          certificate: z.string(),
-          privateKey: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const certificate = await server.services.kmip.createKmipClientCertificate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        clientId: req.params.id,
-        ...req.body
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        projectId: certificate.projectId,
-        event: {
-          type: EventType.CREATE_KMIP_CLIENT_CERTIFICATE,
-          metadata: {
-            clientId: req.params.id,
-            serialNumber: certificate.serialNumber,
-            ttl: req.body.ttl,
-            keyAlgorithm: req.body.keyAlgorithm
-          }
-        }
-      });
-
-      return certificate;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      body: z.object({
-        caKeyAlgorithm: z.nativeEnum(CertKeyAlgorithm)
-      }),
-      response: {
-        200: z.object({
-          serverCertificateChain: z.string(),
-          clientCertificateChain: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const chains = await server.services.kmip.setupOrgKmip({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.SETUP_KMIP,
-          metadata: {
-            keyAlgorithm: req.body.caKeyAlgorithm
-          }
-        }
-      });
-
-      return chains;
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      response: {
-        200: z.object({
-          serverCertificateChain: z.string(),
-          clientCertificateChain: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const kmip = await server.services.kmip.getOrgKmip({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.GET_KMIP,
-          metadata: {
-            id: kmip.id
-          }
-        }
-      });
-
-      return kmip;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/server-registration",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      body: z.object({
-        hostnamesOrIps: validateAltNamesField,
-        commonName: z.string().trim().min(1).optional(),
-        keyAlgorithm: z.nativeEnum(CertKeyAlgorithm).optional().default(CertKeyAlgorithm.RSA_2048),
-        ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number")
-      }),
-      response: {
-        200: z.object({
-          clientCertificateChain: z.string(),
-          certificateChain: z.string(),
-          certificate: z.string(),
-          privateKey: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const configs = await server.services.kmip.registerServer({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.REGISTER_KMIP_SERVER,
-          metadata: {
-            serverCertificateSerialNumber: configs.serverCertificateSerialNumber,
-            hostnamesOrIps: req.body.hostnamesOrIps,
-            commonName: req.body.commonName ?? "kmip-server",
-            keyAlgorithm: req.body.keyAlgorithm,
-            ttl: req.body.ttl
-          }
-        }
-      });
-
-      return configs;
-    }
-  });
-};

backend/src/ee/routes/v1/kmip-spec-router.ts

@@ -1,477 +0,0 @@
-import z from "zod";
-
-import { KmsKeysSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SymmetricEncryption } from "@app/lib/crypto/cipher";
-import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
-import { writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { ActorType, AuthMode } from "@app/services/auth/auth-type";
-
-export const registerKmipSpecRouter = async (server: FastifyZodProvider) => {
-  server.decorateRequest("kmipUser", null);
-
-  server.addHook("onRequest", async (req) => {
-    const clientId = req.headers["x-kmip-client-id"] as string;
-    const projectId = req.headers["x-kmip-project-id"] as string;
-    const clientCertSerialNumber = req.headers["x-kmip-client-certificate-serial-number"] as string;
-    const serverCertSerialNumber = req.headers["x-kmip-server-certificate-serial-number"] as string;
-
-    if (!serverCertSerialNumber) {
-      throw new ForbiddenRequestError({
-        message: "Missing server certificate serial number from request"
-      });
-    }
-
-    if (!clientCertSerialNumber) {
-      throw new ForbiddenRequestError({
-        message: "Missing client certificate serial number from request"
-      });
-    }
-
-    if (!clientId) {
-      throw new ForbiddenRequestError({
-        message: "Missing client ID from request"
-      });
-    }
-
-    if (!projectId) {
-      throw new ForbiddenRequestError({
-        message: "Missing project ID from request"
-      });
-    }
-
-    // TODO: assert that server certificate used is not revoked
-    // TODO: assert that client certificate used is not revoked
-
-    const kmipClient = await server.store.kmipClient.findByProjectAndClientId(projectId, clientId);
-
-    if (!kmipClient) {
-      throw new NotFoundError({
-        message: "KMIP client cannot be found."
-      });
-    }
-
-    if (kmipClient.orgId !== req.permission.orgId) {
-      throw new ForbiddenRequestError({
-        message: "Client specified in the request does not belong in the organization"
-      });
-    }
-
-    req.kmipUser = {
-      projectId,
-      clientId,
-      name: kmipClient.name
-    };
-  });
-
-  server.route({
-    method: "POST",
-    url: "/create",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "KMIP endpoint for creating managed objects",
-      body: z.object({
-        algorithm: z.nativeEnum(SymmetricEncryption)
-      }),
-      response: {
-        200: KmsKeysSchema
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const object = await server.services.kmipOperation.create({
-        ...req.kmipUser,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        algorithm: req.body.algorithm
-      });
-
-      await server.services.auditLog.createAuditLog({
-        projectId: req.kmipUser.projectId,
-        actor: {
-          type: ActorType.KMIP_CLIENT,
-          metadata: {
-            clientId: req.kmipUser.clientId,
-            name: req.kmipUser.name
-          }
-        },
-        event: {
-          type: EventType.KMIP_OPERATION_CREATE,
-          metadata: {
-            id: object.id,
-            algorithm: req.body.algorithm
-          }
-        }
-      });
-
-      return object;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/get",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "KMIP endpoint for getting managed objects",
-      body: z.object({
-        id: z.string()
-      }),
-      response: {
-        200: z.object({
-          id: z.string(),
-          value: z.string(),
-          algorithm: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const object = await server.services.kmipOperation.get({
-        ...req.kmipUser,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        id: req.body.id
-      });
-
-      await server.services.auditLog.createAuditLog({
-        projectId: req.kmipUser.projectId,
-        actor: {
-          type: ActorType.KMIP_CLIENT,
-          metadata: {
-            clientId: req.kmipUser.clientId,
-            name: req.kmipUser.name
-          }
-        },
-        event: {
-          type: EventType.KMIP_OPERATION_GET,
-          metadata: {
-            id: object.id
-          }
-        }
-      });
-
-      return object;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/get-attributes",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "KMIP endpoint for getting attributes of managed object",
-      body: z.object({
-        id: z.string()
-      }),
-      response: {
-        200: z.object({
-          id: z.string(),
-          algorithm: z.string(),
-          isActive: z.boolean(),
-          createdAt: z.date(),
-          updatedAt: z.date()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const object = await server.services.kmipOperation.getAttributes({
-        ...req.kmipUser,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        id: req.body.id
-      });
-
-      await server.services.auditLog.createAuditLog({
-        projectId: req.kmipUser.projectId,
-        actor: {
-          type: ActorType.KMIP_CLIENT,
-          metadata: {
-            clientId: req.kmipUser.clientId,
-            name: req.kmipUser.name
-          }
-        },
-        event: {
-          type: EventType.KMIP_OPERATION_GET_ATTRIBUTES,
-          metadata: {
-            id: object.id
-          }
-        }
-      });
-
-      return object;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/destroy",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "KMIP endpoint for destroying managed objects",
-      body: z.object({
-        id: z.string()
-      }),
-      response: {
-        200: z.object({
-          id: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const object = await server.services.kmipOperation.destroy({
-        ...req.kmipUser,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        id: req.body.id
-      });
-
-      await server.services.auditLog.createAuditLog({
-        projectId: req.kmipUser.projectId,
-        actor: {
-          type: ActorType.KMIP_CLIENT,
-          metadata: {
-            clientId: req.kmipUser.clientId,
-            name: req.kmipUser.name
-          }
-        },
-        event: {
-          type: EventType.KMIP_OPERATION_DESTROY,
-          metadata: {
-            id: object.id
-          }
-        }
-      });
-
-      return object;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/activate",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "KMIP endpoint for activating managed object",
-      body: z.object({
-        id: z.string()
-      }),
-      response: {
-        200: z.object({
-          id: z.string(),
-          isActive: z.boolean()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const object = await server.services.kmipOperation.activate({
-        ...req.kmipUser,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        id: req.body.id
-      });
-
-      await server.services.auditLog.createAuditLog({
-        projectId: req.kmipUser.projectId,
-        actor: {
-          type: ActorType.KMIP_CLIENT,
-          metadata: {
-            clientId: req.kmipUser.clientId,
-            name: req.kmipUser.name
-          }
-        },
-        event: {
-          type: EventType.KMIP_OPERATION_ACTIVATE,
-          metadata: {
-            id: object.id
-          }
-        }
-      });
-
-      return object;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/revoke",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "KMIP endpoint for revoking managed object",
-      body: z.object({
-        id: z.string()
-      }),
-      response: {
-        200: z.object({
-          id: z.string(),
-          updatedAt: z.date()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const object = await server.services.kmipOperation.revoke({
-        ...req.kmipUser,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        id: req.body.id
-      });
-
-      await server.services.auditLog.createAuditLog({
-        projectId: req.kmipUser.projectId,
-        actor: {
-          type: ActorType.KMIP_CLIENT,
-          metadata: {
-            clientId: req.kmipUser.clientId,
-            name: req.kmipUser.name
-          }
-        },
-        event: {
-          type: EventType.KMIP_OPERATION_REVOKE,
-          metadata: {
-            id: object.id
-          }
-        }
-      });
-
-      return object;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/locate",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "KMIP endpoint for locating managed objects",
-      response: {
-        200: z.object({
-          objects: z
-            .object({
-              id: z.string(),
-              name: z.string(),
-              isActive: z.boolean(),
-              algorithm: z.string(),
-              createdAt: z.date(),
-              updatedAt: z.date()
-            })
-            .array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const objects = await server.services.kmipOperation.locate({
-        ...req.kmipUser,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        projectId: req.kmipUser.projectId,
-        actor: {
-          type: ActorType.KMIP_CLIENT,
-          metadata: {
-            clientId: req.kmipUser.clientId,
-            name: req.kmipUser.name
-          }
-        },
-        event: {
-          type: EventType.KMIP_OPERATION_LOCATE,
-          metadata: {
-            ids: objects.map((obj) => obj.id)
-          }
-        }
-      });
-
-      return {
-        objects
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/register",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "KMIP endpoint for registering managed object",
-      body: z.object({
-        key: z.string(),
-        name: z.string(),
-        algorithm: z.nativeEnum(SymmetricEncryption)
-      }),
-      response: {
-        200: z.object({
-          id: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const object = await server.services.kmipOperation.register({
-        ...req.kmipUser,
-        ...req.body,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        projectId: req.kmipUser.projectId,
-        actor: {
-          type: ActorType.KMIP_CLIENT,
-          metadata: {
-            clientId: req.kmipUser.clientId,
-            name: req.kmipUser.name
-          }
-        },
-        event: {
-          type: EventType.KMIP_OPERATION_REGISTER,
-          metadata: {
-            id: object.id,
-            algorithm: req.body.algorithm,
-            name: object.name
-          }
-        }
-      });
-
-      return object;
-    }
-  });
-};

backend/src/ee/routes/v1/ldap-router.ts

@@ -14,7 +14,7 @@ import { FastifyRequest } from "fastify";
 import LdapStrategy from "passport-ldapauth";
 import { z } from "zod";
 
-import { LdapGroupMapsSchema } from "@app/db/schemas";
+import { LdapConfigsSchema, LdapGroupMapsSchema } from "@app/db/schemas";
 import { TLDAPConfig } from "@app/ee/services/ldap-config/ldap-config-types";
 import { isValidLdapFilter, searchGroups } from "@app/ee/services/ldap-config/ldap-fns";
 import { getConfig } from "@app/lib/config/env";
@@ -22,7 +22,6 @@ import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedLdapConfigSchema } from "@app/server/routes/sanitizedSchema/directory-config";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerLdapRouter = async (server: FastifyZodProvider) => {
@@ -188,7 +187,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
         caCert: z.string().trim().default("")
       }),
       response: {
-        200: SanitizedLdapConfigSchema
+        200: LdapConfigsSchema
       }
     },
     handler: async (req) => {
@@ -229,7 +228,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
         .partial()
         .merge(z.object({ organizationId: z.string() })),
       response: {
-        200: SanitizedLdapConfigSchema
+        200: LdapConfigsSchema
       }
     },
     handler: async (req) => {

backend/src/ee/routes/v1/oidc-router.ts

@@ -11,28 +11,13 @@ import fastifySession from "@fastify/session";
 import RedisStore from "connect-redis";
 import { z } from "zod";
 
-import { OidcConfigsSchema } from "@app/db/schemas";
+import { OidcConfigsSchema } from "@app/db/schemas/oidc-configs";
 import { OIDCConfigurationType } from "@app/ee/services/oidc/oidc-config-types";
 import { getConfig } from "@app/lib/config/env";
 import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
-const SanitizedOidcConfigSchema = OidcConfigsSchema.pick({
-  id: true,
-  issuer: true,
-  authorizationEndpoint: true,
-  configurationType: true,
-  discoveryURL: true,
-  jwksUri: true,
-  tokenEndpoint: true,
-  userinfoEndpoint: true,
-  orgId: true,
-  isActive: true,
-  allowedEmailDomains: true,
-  manageGroupMemberships: true
-});
-
 export const registerOidcRouter = async (server: FastifyZodProvider) => {
   const appCfg = getConfig();
   const passport = new Authenticator({ key: "oidc", userProperty: "passportUser" });
@@ -157,7 +142,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
         orgSlug: z.string().trim()
       }),
       response: {
-        200: SanitizedOidcConfigSchema.pick({
+        200: OidcConfigsSchema.pick({
           id: true,
           issuer: true,
           authorizationEndpoint: true,
@@ -168,8 +153,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           discoveryURL: true,
           isActive: true,
           orgId: true,
-          allowedEmailDomains: true,
-          manageGroupMemberships: true
+          allowedEmailDomains: true
         }).extend({
           clientId: z.string(),
           clientSecret: z.string()
@@ -223,13 +207,12 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           userinfoEndpoint: z.string().trim(),
           clientId: z.string().trim(),
           clientSecret: z.string().trim(),
-          isActive: z.boolean(),
-          manageGroupMemberships: z.boolean().optional()
+          isActive: z.boolean()
         })
         .partial()
         .merge(z.object({ orgSlug: z.string() })),
       response: {
-        200: SanitizedOidcConfigSchema.pick({
+        200: OidcConfigsSchema.pick({
           id: true,
           issuer: true,
           authorizationEndpoint: true,
@@ -240,8 +223,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           userinfoEndpoint: true,
           orgId: true,
           allowedEmailDomains: true,
-          isActive: true,
-          manageGroupMemberships: true
+          isActive: true
         })
       }
     },
@@ -290,8 +272,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           clientId: z.string().trim(),
           clientSecret: z.string().trim(),
           isActive: z.boolean(),
-          orgSlug: z.string().trim(),
-          manageGroupMemberships: z.boolean().optional().default(false)
+          orgSlug: z.string().trim()
         })
         .superRefine((data, ctx) => {
           if (data.configurationType === OIDCConfigurationType.CUSTOM) {
@@ -342,7 +323,19 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           }
         }),
       response: {
-        200: SanitizedOidcConfigSchema
+        200: OidcConfigsSchema.pick({
+          id: true,
+          issuer: true,
+          authorizationEndpoint: true,
+          configurationType: true,
+          discoveryURL: true,
+          jwksUri: true,
+          tokenEndpoint: true,
+          userinfoEndpoint: true,
+          orgId: true,
+          isActive: true,
+          allowedEmailDomains: true
+        })
       }
     },
 
@@ -357,25 +350,4 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
       return oidc;
     }
   });
-
-  server.route({
-    method: "GET",
-    url: "/manage-group-memberships",
-    schema: {
-      querystring: z.object({
-        orgId: z.string().trim().min(1, "Org ID is required")
-      }),
-      response: {
-        200: z.object({
-          isEnabled: z.boolean()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const isEnabled = await server.services.oidc.isOidcManageGroupMembershipsEnabled(req.query.orgId, req.permission);
-
-      return { isEnabled };
-    }
-  });
 };

backend/src/ee/routes/v1/org-role-router.ts

@@ -24,7 +24,6 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
         ),
         name: z.string().trim(),
         description: z.string().trim().nullish(),
-        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array()
         permissions: z.any().array()
       }),
       response: {
@@ -97,7 +96,6 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
           .optional(),
         name: z.string().trim().optional(),
         description: z.string().trim().nullish(),
-        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array().optional()
         permissions: z.any().array().optional()
       }),
       response: {

backend/src/ee/routes/v1/project-template-router.ts

@@ -9,7 +9,7 @@ import { ProjectTemplates } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
+import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 const MAX_JSON_SIZE_LIMIT_IN_BYTES = 32_768;

backend/src/ee/routes/v1/saml-router.ts

@@ -12,13 +12,13 @@ import { MultiSamlStrategy } from "@node-saml/passport-saml";
 import { FastifyRequest } from "fastify";
 import { z } from "zod";
 
+import { SamlConfigsSchema } from "@app/db/schemas";
 import { SamlProviders, TGetSamlCfgDTO } from "@app/ee/services/saml-config/saml-config-types";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedSamlConfigSchema } from "@app/server/routes/sanitizedSchema/directory-config";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 type TSAMLConfig = {
@@ -84,10 +84,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
                 samlConfig.audience = `spn:${ssoConfig.issuer}`;
               }
             }
-            if (
-              ssoConfig.authProvider === SamlProviders.GOOGLE_SAML ||
-              ssoConfig.authProvider === SamlProviders.AUTH0_SAML
-            ) {
+            if (ssoConfig.authProvider === SamlProviders.GOOGLE_SAML) {
               samlConfig.wantAssertionsSigned = false;
             }
 
@@ -126,10 +123,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
               `email: ${email} firstName: ${profile.firstName as string}`
             );
 
-            throw new BadRequestError({
-              message:
-                "Missing email or first name. Please double check your SAML attribute mapping for the selected provider."
-            });
+            throw new Error("Invalid saml request. Missing email or first name");
           }
 
           const userMetadata = Object.keys(profile.attributes || {})
@@ -298,7 +292,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
         cert: z.string()
       }),
       response: {
-        200: SanitizedSamlConfigSchema
+        200: SamlConfigsSchema
       }
     },
     handler: async (req) => {
@@ -333,7 +327,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
         .partial()
         .merge(z.object({ organizationId: z.string() })),
       response: {
-        200: SanitizedSamlConfigSchema
+        200: SamlConfigsSchema
       }
     },
     handler: async (req) => {

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -12,7 +12,6 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 const approvalRequestUser = z.object({ userId: z.string().nullable().optional() }).merge(
   UsersSchema.pick({
@@ -275,7 +274,6 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 .extend({
                   op: z.string(),
                   tags: tagSchema,
-                  secretMetadata: ResourceMetadataSchema.nullish(),
                   secret: z
                     .object({
                       id: z.string(),
@@ -293,8 +291,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                       secretKey: z.string(),
                       secretValue: z.string().optional(),
                       secretComment: z.string().optional(),
-                      tags: tagSchema,
-                      secretMetadata: ResourceMetadataSchema.nullish()
+                      tags: tagSchema
                     })
                     .optional()
                 })

backend/src/ee/routes/v1/secret-router.ts

@@ -1,71 +0,0 @@
-import z from "zod";
-
-import { ProjectPermissionActions } from "@app/ee/services/permission/project-permission";
-import { RAW_SECRETS } from "@app/lib/api-docs";
-import { removeTrailingSlash } from "@app/lib/fn";
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-const AccessListEntrySchema = z
-  .object({
-    allowedActions: z.nativeEnum(ProjectPermissionActions).array(),
-    id: z.string(),
-    membershipId: z.string(),
-    name: z.string()
-  })
-  .array();
-
-export const registerSecretRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "GET",
-    url: "/:secretName/access-list",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Get list of users, machine identities, and groups with access to a secret",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.secretName)
-      }),
-      querystring: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.GET_ACCESS_LIST.secretPath)
-      }),
-      response: {
-        200: z.object({
-          groups: AccessListEntrySchema,
-          identities: AccessListEntrySchema,
-          users: AccessListEntrySchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { secretName } = req.params;
-      const { secretPath, environment, workspaceId: projectId } = req.query;
-
-      return server.services.secret.getSecretAccessList({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        secretPath,
-        environment,
-        projectId,
-        secretName
-      });
-    }
-  });
-};

backend/src/ee/routes/v1/secret-scanning-router.ts

@@ -1,13 +1,9 @@
 import { z } from "zod";
 
 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
-import {
-  SecretScanningResolvedStatus,
-  SecretScanningRiskStatus
-} from "@app/ee/services/secret-scanning/secret-scanning-types";
+import { SecretScanningRiskStatus } from "@app/ee/services/secret-scanning/secret-scanning-types";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
-import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -101,45 +97,6 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
     }
   });
 
-  server.route({
-    url: "/organization/:organizationId/risks/export",
-    method: "GET",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({ organizationId: z.string().trim() }),
-      querystring: z.object({
-        repositoryNames: z
-          .string()
-          .optional()
-          .nullable()
-          .transform((val) => (val ? val.split(",") : undefined)),
-        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
-      }),
-      response: {
-        200: z.object({
-          risks: SecretScanningGitRisksSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const risks = await server.services.secretScanning.getAllRisksByOrg({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId,
-        filter: {
-          repositoryNames: req.query.repositoryNames,
-          resolvedStatus: req.query.resolvedStatus
-        }
-      });
-      return { risks };
-    }
-  });
-
   server.route({
     url: "/organization/:organizationId/risks",
     method: "GET",
@@ -148,46 +105,20 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
     },
     schema: {
       params: z.object({ organizationId: z.string().trim() }),
-
-      querystring: z.object({
-        offset: z.coerce.number().min(0).default(0),
-        limit: z.coerce.number().min(1).max(20000).default(100),
-        orderBy: z.enum(["createdAt", "name"]).default("createdAt"),
-        orderDirection: z.nativeEnum(OrderByDirection).default(OrderByDirection.DESC),
-        repositoryNames: z
-          .string()
-          .optional()
-          .nullable()
-          .transform((val) => (val ? val.split(",") : undefined)),
-        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
-      }),
-
       response: {
-        200: z.object({
-          risks: SecretScanningGitRisksSchema.array(),
-          totalCount: z.number(),
-          repos: z.array(z.string())
-        })
+        200: z.object({ risks: SecretScanningGitRisksSchema.array() })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
-      const { risks, totalCount, repos } = await server.services.secretScanning.getRisksByOrg({
+      const { risks } = await server.services.secretScanning.getRisksByOrg({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId,
-        filter: {
-          limit: req.query.limit,
-          offset: req.query.offset,
-          orderBy: req.query.orderBy,
-          orderDirection: req.query.orderDirection,
-          repositoryNames: req.query.repositoryNames,
-          resolvedStatus: req.query.resolvedStatus
-        }
+        orgId: req.params.organizationId
       });
-      return { risks, totalCount, repos };
+      return { risks };
     }
   });
 

backend/src/ee/routes/v1/user-additional-privilege-router.ts

@@ -9,7 +9,7 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedUserProjectAdditionalPrivilegeSchema } from "@app/server/routes/sanitizedSchema/user-additional-privilege";
+import { SanitizedUserProjectAdditionalPrivilegeSchema } from "@app/server/routes/santizedSchemas/user-additional-privilege";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {

backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts

@@ -9,7 +9,7 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedIdentityPrivilegeSchema } from "@app/server/routes/sanitizedSchema/identitiy-additional-privilege";
+import { SanitizedIdentityPrivilegeSchema } from "@app/server/routes/santizedSchemas/identitiy-additional-privilege";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
+import { ProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -87,14 +87,14 @@ export const accessApprovalPolicyServiceFactory = ({
     if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -193,14 +193,7 @@ export const accessApprovalPolicyServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     // Anyone in the project should be able to get the policies.
-    await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId: project.id,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+    await permissionService.getProjectPermission(actor, actorId, project.id, actorAuthMethod, actorOrgId);
 
     const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
     return accessApprovalPolicies;
@@ -244,14 +237,14 @@ export const accessApprovalPolicyServiceFactory = ({
     if (!accessApprovalPolicy) {
       throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
     }
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: accessApprovalPolicy.projectId,
+      accessApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
 
@@ -328,14 +321,14 @@ export const accessApprovalPolicyServiceFactory = ({
     const policy = await accessApprovalPolicyDAL.findById(policyId);
     if (!policy) throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: policy.projectId,
+      policy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       ProjectPermissionSub.SecretApproval
@@ -379,14 +372,13 @@ export const accessApprovalPolicyServiceFactory = ({
 
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }
@@ -419,14 +411,13 @@ export const accessApprovalPolicyServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: policy.projectId,
+      policy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 
-import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
+import { ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -100,14 +100,13 @@ export const accessApprovalRequestServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     // Anyone can create an access approval request.
-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }
@@ -214,7 +213,7 @@ export const accessApprovalRequestServiceFactory = ({
       );
 
       const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/secret-manager/${project.id}/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/project/${project.id}/approval`;
 
       await triggerSlackNotification({
         projectId: project.id,
@@ -274,14 +273,13 @@ export const accessApprovalRequestServiceFactory = ({
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }
@@ -320,14 +318,13 @@ export const accessApprovalRequestServiceFactory = ({
       });
     }
 
-    const { membership, hasRole } = await permissionService.getProjectPermission({
+    const { membership, hasRole } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: accessApprovalRequest.projectId,
+      accessApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -425,14 +422,13 @@ export const accessApprovalRequestServiceFactory = ({
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }

backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts

@@ -93,7 +93,7 @@ export const auditLogStreamServiceFactory = ({
         }
       )
       .catch((err) => {
-        throw new BadRequestError({ message: `Failed to connect with upstream source: ${(err as Error)?.message}` });
+        throw new Error(`Failed to connect with the source ${(err as Error)?.message}`);
       });
     const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
     const logStream = await auditLogStreamDAL.create({

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -39,13 +39,11 @@ export const auditLogDALFactory = (db: TDbClient) => {
       offset = 0,
       actorId,
       actorType,
-      secretPath,
       eventType,
       eventMetadata
     }: Omit<TFindQuery, "actor" | "eventType"> & {
       actorId?: string;
       actorType?: ActorType;
-      secretPath?: string;
       eventType?: EventType[];
       eventMetadata?: Record<string, string>;
     },
@@ -90,10 +88,6 @@ export const auditLogDALFactory = (db: TDbClient) => {
         });
       }
 
-      if (projectId && secretPath) {
-        void sqlQuery.whereRaw(`"eventMetadata" @> jsonb_build_object('secretPath', ?::text)`, [secretPath]);
-      }
-
       // Filter by actor type
       if (actorType) {
         void sqlQuery.where("actor", actorType);
@@ -106,10 +100,10 @@ export const auditLogDALFactory = (db: TDbClient) => {
 
       // Filter by date range
       if (startDate) {
-        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate]);
+        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, ">=", startDate);
       }
       if (endDate) {
-        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" <= ?::timestamptz`, [endDate]);
+        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, "<=", endDate);
       }
 
       // we timeout long running queries to prevent DB resource issues (2 minutes)

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 
@@ -27,14 +26,13 @@ export const auditLogServiceFactory = ({
   const listAuditLogs = async ({ actorAuthMethod, actorId, actorOrgId, actor, filter }: TListProjectAuditLogDTO) => {
     // Filter logs for specific project
     if (filter.projectId) {
-      const { permission } = await permissionService.getProjectPermission({
+      const { permission } = await permissionService.getProjectPermission(
         actor,
         actorId,
-        projectId: filter.projectId,
+        filter.projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.Any
-      });
+        actorOrgId
+      );
       ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
     } else {
       // Organization-wide logs
@@ -46,6 +44,10 @@ export const auditLogServiceFactory = ({
         actorOrgId
       );
 
+      /**
+       * NOTE (dangtony98): Update this to organization-level audit log permission check once audit logs are moved
+       * to the organization level ✅
+       */
       ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
     }
 
@@ -60,7 +62,6 @@ export const auditLogServiceFactory = ({
       actorId: filter.auditLogActorId,
       actorType: filter.actorType,
       eventMetadata: filter.eventMetadata,
-      secretPath: filter.secretPath,
       ...(filter.projectId ? { projectId: filter.projectId } : { orgId: actorOrgId })
     });
 
@@ -78,8 +79,7 @@ export const auditLogServiceFactory = ({
     }
     // add all cases in which project id or org id cannot be added
     if (data.event.type !== EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH) {
-      if (!data.projectId && !data.orgId)
-        throw new BadRequestError({ message: "Must specify either project id or org id" });
+      if (!data.projectId && !data.orgId) throw new BadRequestError({ message: "Must either project id or org id" });
     }
 
     return auditLogQueue.pushToLog(data);

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -13,15 +13,6 @@ import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
-import { SecretSync, SecretSyncImportBehavior } from "@app/services/secret-sync/secret-sync-enums";
-import {
-  TCreateSecretSyncDTO,
-  TDeleteSecretSyncDTO,
-  TSecretSyncRaw,
-  TUpdateSecretSyncDTO
-} from "@app/services/secret-sync/secret-sync-types";
-
-import { KmipPermission } from "../kmip/kmip-enum";
 
 export type TListProjectAuditLogDTO = {
   filter: {
@@ -34,21 +25,13 @@ export type TListProjectAuditLogDTO = {
     projectId?: string;
     auditLogActorId?: string;
     actorType?: ActorType;
-    secretPath?: string;
     eventMetadata?: Record<string, string>;
   };
 } & Omit<TProjectPermission, "projectId">;
 
 export type TCreateAuditLogDTO = {
   event: Event;
-  actor:
-    | UserActor
-    | IdentityActor
-    | ServiceActor
-    | ScimClientActor
-    | PlatformActor
-    | UnknownUserActor
-    | KmipClientActor;
+  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor;
   orgId?: string;
   projectId?: string;
 } & BaseAuthData;
@@ -232,7 +215,6 @@ export enum EventType {
   UPDATE_CMEK = "update-cmek",
   DELETE_CMEK = "delete-cmek",
   GET_CMEKS = "get-cmeks",
-  GET_CMEK = "get-cmek",
   CMEK_ENCRYPT = "cmek-encrypt",
   CMEK_DECRYPT = "cmek-decrypt",
   UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "update-external-group-org-role-mapping",
@@ -244,43 +226,10 @@ export enum EventType {
   DELETE_PROJECT_TEMPLATE = "delete-project-template",
   APPLY_PROJECT_TEMPLATE = "apply-project-template",
   GET_APP_CONNECTIONS = "get-app-connections",
-  GET_AVAILABLE_APP_CONNECTIONS_DETAILS = "get-available-app-connections-details",
   GET_APP_CONNECTION = "get-app-connection",
   CREATE_APP_CONNECTION = "create-app-connection",
   UPDATE_APP_CONNECTION = "update-app-connection",
-  DELETE_APP_CONNECTION = "delete-app-connection",
-  CREATE_SHARED_SECRET = "create-shared-secret",
-  DELETE_SHARED_SECRET = "delete-shared-secret",
-  READ_SHARED_SECRET = "read-shared-secret",
-  GET_SECRET_SYNCS = "get-secret-syncs",
-  GET_SECRET_SYNC = "get-secret-sync",
-  CREATE_SECRET_SYNC = "create-secret-sync",
-  UPDATE_SECRET_SYNC = "update-secret-sync",
-  DELETE_SECRET_SYNC = "delete-secret-sync",
-  SECRET_SYNC_SYNC_SECRETS = "secret-sync-sync-secrets",
-  SECRET_SYNC_IMPORT_SECRETS = "secret-sync-import-secrets",
-  SECRET_SYNC_REMOVE_SECRETS = "secret-sync-remove-secrets",
-  OIDC_GROUP_MEMBERSHIP_MAPPING_ASSIGN_USER = "oidc-group-membership-mapping-assign-user",
-  OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER = "oidc-group-membership-mapping-remove-user",
-  CREATE_KMIP_CLIENT = "create-kmip-client",
-  UPDATE_KMIP_CLIENT = "update-kmip-client",
-  DELETE_KMIP_CLIENT = "delete-kmip-client",
-  GET_KMIP_CLIENT = "get-kmip-client",
-  GET_KMIP_CLIENTS = "get-kmip-clients",
-  CREATE_KMIP_CLIENT_CERTIFICATE = "create-kmip-client-certificate",
-
-  SETUP_KMIP = "setup-kmip",
-  GET_KMIP = "get-kmip",
-  REGISTER_KMIP_SERVER = "register-kmip-server",
-
-  KMIP_OPERATION_CREATE = "kmip-operation-create",
-  KMIP_OPERATION_GET = "kmip-operation-get",
-  KMIP_OPERATION_DESTROY = "kmip-operation-destroy",
-  KMIP_OPERATION_GET_ATTRIBUTES = "kmip-operation-get-attributes",
-  KMIP_OPERATION_ACTIVATE = "kmip-operation-activate",
-  KMIP_OPERATION_REVOKE = "kmip-operation-revoke",
-  KMIP_OPERATION_LOCATE = "kmip-operation-locate",
-  KMIP_OPERATION_REGISTER = "kmip-operation-register"
+  DELETE_APP_CONNECTION = "delete-app-connection"
 }
 
 interface UserActorMetadata {
@@ -303,13 +252,6 @@ interface ScimClientActorMetadata {}
 
 interface PlatformActorMetadata {}
 
-interface KmipClientActorMetadata {
-  clientId: string;
-  name: string;
-}
-
-interface UnknownUserActorMetadata {}
-
 export interface UserActor {
   type: ActorType.USER;
   metadata: UserActorMetadata;
@@ -325,16 +267,6 @@ export interface PlatformActor {
   metadata: PlatformActorMetadata;
 }
 
-export interface KmipClientActor {
-  type: ActorType.KMIP_CLIENT;
-  metadata: KmipClientActorMetadata;
-}
-
-export interface UnknownUserActor {
-  type: ActorType.UNKNOWN_USER;
-  metadata: UnknownUserActorMetadata;
-}
-
 export interface IdentityActor {
   type: ActorType.IDENTITY;
   metadata: IdentityActorMetadata;
@@ -345,7 +277,7 @@ export interface ScimClientActor {
   metadata: ScimClientActorMetadata;
 }
 
-export type Actor = UserActor | ServiceActor | IdentityActor | ScimClientActor | PlatformActor | KmipClientActor;
+export type Actor = UserActor | ServiceActor | IdentityActor | ScimClientActor | PlatformActor;
 
 interface GetSecretsEvent {
   type: EventType.GET_SECRETS;
@@ -356,8 +288,6 @@ interface GetSecretsEvent {
   };
 }
 
-type TSecretMetadata = { key: string; value: string }[];
-
 interface GetSecretEvent {
   type: EventType.GET_SECRET;
   metadata: {
@@ -366,7 +296,6 @@ interface GetSecretEvent {
     secretId: string;
     secretKey: string;
     secretVersion: number;
-    secretMetadata?: TSecretMetadata;
   };
 }
 
@@ -378,7 +307,6 @@ interface CreateSecretEvent {
     secretId: string;
     secretKey: string;
     secretVersion: number;
-    secretMetadata?: TSecretMetadata;
   };
 }
 
@@ -387,13 +315,7 @@ interface CreateSecretBatchEvent {
   metadata: {
     environment: string;
     secretPath: string;
-    secrets: Array<{
-      secretId: string;
-      secretKey: string;
-      secretPath?: string;
-      secretVersion: number;
-      secretMetadata?: TSecretMetadata;
-    }>;
+    secrets: Array<{ secretId: string; secretKey: string; secretVersion: number }>;
   };
 }
 
@@ -405,7 +327,6 @@ interface UpdateSecretEvent {
     secretId: string;
     secretKey: string;
     secretVersion: number;
-    secretMetadata?: TSecretMetadata;
   };
 }
 
@@ -413,14 +334,8 @@ interface UpdateSecretBatchEvent {
   type: EventType.UPDATE_SECRETS;
   metadata: {
     environment: string;
-    secretPath?: string;
-    secrets: Array<{
-      secretId: string;
-      secretKey: string;
-      secretVersion: number;
-      secretMetadata?: TSecretMetadata;
-      secretPath?: string;
-    }>;
+    secretPath: string;
+    secrets: Array<{ secretId: string; secretKey: string; secretVersion: number }>;
   };
 }
 
@@ -818,9 +733,9 @@ interface AddIdentityGcpAuthEvent {
   metadata: {
     identityId: string;
     type: string;
-    allowedServiceAccounts?: string | null;
-    allowedProjects?: string | null;
-    allowedZones?: string | null;
+    allowedServiceAccounts: string;
+    allowedProjects: string;
+    allowedZones: string;
     accessTokenTTL: number;
     accessTokenMaxTTL: number;
     accessTokenNumUsesLimit: number;
@@ -840,9 +755,9 @@ interface UpdateIdentityGcpAuthEvent {
   metadata: {
     identityId: string;
     type?: string;
-    allowedServiceAccounts?: string | null;
-    allowedProjects?: string | null;
-    allowedZones?: string | null;
+    allowedServiceAccounts?: string;
+    allowedProjects?: string;
+    allowedZones?: string;
     accessTokenTTL?: number;
     accessTokenMaxTTL?: number;
     accessTokenNumUsesLimit?: number;
@@ -1893,13 +1808,6 @@ interface GetCmeksEvent {
   };
 }
 
-interface GetCmekEvent {
-  type: EventType.GET_CMEK;
-  metadata: {
-    keyId: string;
-  };
-}
-
 interface CmekEncryptEvent {
   type: EventType.CMEK_ENCRYPT;
   metadata: {
@@ -1975,15 +1883,6 @@ interface GetAppConnectionsEvent {
   };
 }
 
-interface GetAvailableAppConnectionsDetailsEvent {
-  type: EventType.GET_AVAILABLE_APP_CONNECTIONS_DETAILS;
-  metadata: {
-    app?: AppConnection;
-    count: number;
-    connectionIds: string[];
-  };
-}
-
 interface GetAppConnectionEvent {
   type: EventType.GET_APP_CONNECTION;
   metadata: {
@@ -2008,260 +1907,6 @@ interface DeleteAppConnectionEvent {
   };
 }
 
-interface CreateSharedSecretEvent {
-  type: EventType.CREATE_SHARED_SECRET;
-  metadata: {
-    id: string;
-    accessType: string;
-    name?: string;
-    expiresAfterViews?: number;
-    usingPassword: boolean;
-    expiresAt: string;
-  };
-}
-
-interface DeleteSharedSecretEvent {
-  type: EventType.DELETE_SHARED_SECRET;
-  metadata: {
-    id: string;
-    name?: string;
-  };
-}
-
-interface ReadSharedSecretEvent {
-  type: EventType.READ_SHARED_SECRET;
-  metadata: {
-    id: string;
-    name?: string;
-    accessType: string;
-  };
-}
-
-interface GetSecretSyncsEvent {
-  type: EventType.GET_SECRET_SYNCS;
-  metadata: {
-    destination?: SecretSync;
-    count: number;
-    syncIds: string[];
-  };
-}
-
-interface GetSecretSyncEvent {
-  type: EventType.GET_SECRET_SYNC;
-  metadata: {
-    destination: SecretSync;
-    syncId: string;
-  };
-}
-
-interface CreateSecretSyncEvent {
-  type: EventType.CREATE_SECRET_SYNC;
-  metadata: Omit<TCreateSecretSyncDTO, "projectId"> & { syncId: string };
-}
-
-interface UpdateSecretSyncEvent {
-  type: EventType.UPDATE_SECRET_SYNC;
-  metadata: TUpdateSecretSyncDTO;
-}
-
-interface DeleteSecretSyncEvent {
-  type: EventType.DELETE_SECRET_SYNC;
-  metadata: TDeleteSecretSyncDTO;
-}
-
-interface SecretSyncSyncSecretsEvent {
-  type: EventType.SECRET_SYNC_SYNC_SECRETS;
-  metadata: Pick<
-    TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "syncStatus" | "connectionId" | "folderId"
-  > & {
-    syncId: string;
-    syncMessage: string | null;
-    jobId: string;
-    jobRanAt: Date;
-  };
-}
-
-interface SecretSyncImportSecretsEvent {
-  type: EventType.SECRET_SYNC_IMPORT_SECRETS;
-  metadata: Pick<
-    TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "importStatus" | "connectionId" | "folderId"
-  > & {
-    syncId: string;
-    importMessage: string | null;
-    jobId: string;
-    jobRanAt: Date;
-    importBehavior: SecretSyncImportBehavior;
-  };
-}
-
-interface SecretSyncRemoveSecretsEvent {
-  type: EventType.SECRET_SYNC_REMOVE_SECRETS;
-  metadata: Pick<
-    TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "removeStatus" | "connectionId" | "folderId"
-  > & {
-    syncId: string;
-    removeMessage: string | null;
-    jobId: string;
-    jobRanAt: Date;
-  };
-}
-
-interface OidcGroupMembershipMappingAssignUserEvent {
-  type: EventType.OIDC_GROUP_MEMBERSHIP_MAPPING_ASSIGN_USER;
-  metadata: {
-    assignedToGroups: { id: string; name: string }[];
-    userId: string;
-    userEmail: string;
-    userGroupsClaim: string[];
-  };
-}
-
-interface OidcGroupMembershipMappingRemoveUserEvent {
-  type: EventType.OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER;
-  metadata: {
-    removedFromGroups: { id: string; name: string }[];
-    userId: string;
-    userEmail: string;
-    userGroupsClaim: string[];
-  };
-}
-
-interface CreateKmipClientEvent {
-  type: EventType.CREATE_KMIP_CLIENT;
-  metadata: {
-    name: string;
-    id: string;
-    permissions: KmipPermission[];
-  };
-}
-
-interface UpdateKmipClientEvent {
-  type: EventType.UPDATE_KMIP_CLIENT;
-  metadata: {
-    name: string;
-    id: string;
-    permissions: KmipPermission[];
-  };
-}
-
-interface DeleteKmipClientEvent {
-  type: EventType.DELETE_KMIP_CLIENT;
-  metadata: {
-    id: string;
-  };
-}
-
-interface GetKmipClientEvent {
-  type: EventType.GET_KMIP_CLIENT;
-  metadata: {
-    id: string;
-  };
-}
-
-interface GetKmipClientsEvent {
-  type: EventType.GET_KMIP_CLIENTS;
-  metadata: {
-    ids: string[];
-  };
-}
-
-interface CreateKmipClientCertificateEvent {
-  type: EventType.CREATE_KMIP_CLIENT_CERTIFICATE;
-  metadata: {
-    clientId: string;
-    ttl: string;
-    keyAlgorithm: string;
-    serialNumber: string;
-  };
-}
-
-interface KmipOperationGetEvent {
-  type: EventType.KMIP_OPERATION_GET;
-  metadata: {
-    id: string;
-  };
-}
-
-interface KmipOperationDestroyEvent {
-  type: EventType.KMIP_OPERATION_DESTROY;
-  metadata: {
-    id: string;
-  };
-}
-
-interface KmipOperationCreateEvent {
-  type: EventType.KMIP_OPERATION_CREATE;
-  metadata: {
-    id: string;
-    algorithm: string;
-  };
-}
-
-interface KmipOperationGetAttributesEvent {
-  type: EventType.KMIP_OPERATION_GET_ATTRIBUTES;
-  metadata: {
-    id: string;
-  };
-}
-
-interface KmipOperationActivateEvent {
-  type: EventType.KMIP_OPERATION_ACTIVATE;
-  metadata: {
-    id: string;
-  };
-}
-
-interface KmipOperationRevokeEvent {
-  type: EventType.KMIP_OPERATION_REVOKE;
-  metadata: {
-    id: string;
-  };
-}
-
-interface KmipOperationLocateEvent {
-  type: EventType.KMIP_OPERATION_LOCATE;
-  metadata: {
-    ids: string[];
-  };
-}
-
-interface KmipOperationRegisterEvent {
-  type: EventType.KMIP_OPERATION_REGISTER;
-  metadata: {
-    id: string;
-    algorithm: string;
-    name: string;
-  };
-}
-
-interface SetupKmipEvent {
-  type: EventType.SETUP_KMIP;
-  metadata: {
-    keyAlgorithm: CertKeyAlgorithm;
-  };
-}
-
-interface GetKmipEvent {
-  type: EventType.GET_KMIP;
-  metadata: {
-    id: string;
-  };
-}
-
-interface RegisterKmipServerEvent {
-  type: EventType.REGISTER_KMIP_SERVER;
-  metadata: {
-    serverCertificateSerialNumber: string;
-    hostnamesOrIps: string;
-    commonName: string;
-    keyAlgorithm: CertKeyAlgorithm;
-    ttl: string;
-  };
-}
-
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -2423,7 +2068,6 @@ export type Event =
   | CreateCmekEvent
   | UpdateCmekEvent
   | DeleteCmekEvent
-  | GetCmekEvent
   | GetCmeksEvent
   | CmekEncryptEvent
   | CmekDecryptEvent
@@ -2436,38 +2080,7 @@ export type Event =
   | DeleteProjectTemplateEvent
   | ApplyProjectTemplateEvent
   | GetAppConnectionsEvent
-  | GetAvailableAppConnectionsDetailsEvent
   | GetAppConnectionEvent
   | CreateAppConnectionEvent
   | UpdateAppConnectionEvent
-  | DeleteAppConnectionEvent
-  | CreateSharedSecretEvent
-  | DeleteSharedSecretEvent
-  | ReadSharedSecretEvent
-  | GetSecretSyncsEvent
-  | GetSecretSyncEvent
-  | CreateSecretSyncEvent
-  | UpdateSecretSyncEvent
-  | DeleteSecretSyncEvent
-  | SecretSyncSyncSecretsEvent
-  | SecretSyncImportSecretsEvent
-  | SecretSyncRemoveSecretsEvent
-  | OidcGroupMembershipMappingAssignUserEvent
-  | OidcGroupMembershipMappingRemoveUserEvent
-  | CreateKmipClientEvent
-  | UpdateKmipClientEvent
-  | DeleteKmipClientEvent
-  | GetKmipClientEvent
-  | GetKmipClientsEvent
-  | CreateKmipClientCertificateEvent
-  | SetupKmipEvent
-  | GetKmipEvent
-  | RegisterKmipServerEvent
-  | KmipOperationGetEvent
-  | KmipOperationDestroyEvent
-  | KmipOperationCreateEvent
-  | KmipOperationGetAttributesEvent
-  | KmipOperationActivateEvent
-  | KmipOperationRevokeEvent
-  | KmipOperationLocateEvent
-  | KmipOperationRegisterEvent;
+  | DeleteAppConnectionEvent;

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -67,14 +66,13 @@ export const certificateAuthorityCrlServiceFactory = ({
     const ca = await certificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal.ts

@@ -37,7 +37,11 @@ export const dynamicSecretLeaseDALFactory = (db: TDbClient) => {
           db.ref("type").withSchema(TableName.DynamicSecret).as("dynType"),
           db.ref("defaultTTL").withSchema(TableName.DynamicSecret).as("dynDefaultTTL"),
           db.ref("maxTTL").withSchema(TableName.DynamicSecret).as("dynMaxTTL"),
-          db.ref("encryptedInput").withSchema(TableName.DynamicSecret).as("dynEncryptedInput"),
+          db.ref("inputIV").withSchema(TableName.DynamicSecret).as("dynInputIV"),
+          db.ref("inputTag").withSchema(TableName.DynamicSecret).as("dynInputTag"),
+          db.ref("inputCiphertext").withSchema(TableName.DynamicSecret).as("dynInputCiphertext"),
+          db.ref("algorithm").withSchema(TableName.DynamicSecret).as("dynAlgorithm"),
+          db.ref("keyEncoding").withSchema(TableName.DynamicSecret).as("dynKeyEncoding"),
           db.ref("folderId").withSchema(TableName.DynamicSecret).as("dynFolderId"),
           db.ref("status").withSchema(TableName.DynamicSecret).as("dynStatus"),
           db.ref("statusDetails").withSchema(TableName.DynamicSecret).as("dynStatusDetails"),
@@ -55,7 +59,11 @@ export const dynamicSecretLeaseDALFactory = (db: TDbClient) => {
           type: doc.dynType,
           defaultTTL: doc.dynDefaultTTL,
           maxTTL: doc.dynMaxTTL,
-          encryptedInput: doc.dynEncryptedInput,
+          inputIV: doc.dynInputIV,
+          inputTag: doc.dynInputTag,
+          inputCiphertext: doc.dynInputCiphertext,
+          algorithm: doc.dynAlgorithm,
+          keyEncoding: doc.dynKeyEncoding,
           folderId: doc.dynFolderId,
           status: doc.dynStatus,
           statusDetails: doc.dynStatusDetails,

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue.ts

@@ -1,10 +1,8 @@
+import { SecretKeyEncoding } from "@app/db/schemas";
 import { DisableRotationErrors } from "@app/ee/services/secret-rotation/secret-rotation-queue";
-import { NotFoundError } from "@app/lib/errors";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
-import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 
 import { TDynamicSecretDALFactory } from "../dynamic-secret/dynamic-secret-dal";
 import { DynamicSecretStatus } from "../dynamic-secret/dynamic-secret-types";
@@ -16,8 +14,6 @@ type TDynamicSecretLeaseQueueServiceFactoryDep = {
   dynamicSecretLeaseDAL: Pick<TDynamicSecretLeaseDALFactory, "findById" | "deleteById" | "find" | "updateById">;
   dynamicSecretDAL: Pick<TDynamicSecretDALFactory, "findById" | "deleteById" | "updateById">;
   dynamicSecretProviders: Record<DynamicSecretProviders, TDynamicProviderFns>;
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findById">;
 };
 
 export type TDynamicSecretLeaseQueueServiceFactory = ReturnType<typeof dynamicSecretLeaseQueueServiceFactory>;
@@ -26,9 +22,7 @@ export const dynamicSecretLeaseQueueServiceFactory = ({
   queueService,
   dynamicSecretDAL,
   dynamicSecretProviders,
-  dynamicSecretLeaseDAL,
-  kmsService,
-  folderDAL
+  dynamicSecretLeaseDAL
 }: TDynamicSecretLeaseQueueServiceFactoryDep) => {
   const pruneDynamicSecret = async (dynamicSecretCfgId: string) => {
     await queueService.queue(
@@ -82,21 +76,15 @@ export const dynamicSecretLeaseQueueServiceFactory = ({
         const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
         if (!dynamicSecretLease) throw new DisableRotationErrors({ message: "Dynamic secret lease not found" });
 
-        const folder = await folderDAL.findById(dynamicSecretLease.dynamicSecret.folderId);
-        if (!folder)
-          throw new NotFoundError({
-            message: `Failed to find folder with ${dynamicSecretLease.dynamicSecret.folderId}`
-          });
-
-        const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-          type: KmsDataKey.SecretManager,
-          projectId: folder.projectId
-        });
-
         const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
         const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
         const decryptedStoredInput = JSON.parse(
-          secretManagerDecryptor({ cipherTextBlob: dynamicSecretCfg.encryptedInput }).toString()
+          infisicalSymmetricDecrypt({
+            keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
+            ciphertext: dynamicSecretCfg.inputCiphertext,
+            tag: dynamicSecretCfg.inputTag,
+            iv: dynamicSecretCfg.inputIV
+          })
         ) as object;
 
         await selectedProvider.revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId);
@@ -112,22 +100,16 @@ export const dynamicSecretLeaseQueueServiceFactory = ({
         if ((dynamicSecretCfg.status as DynamicSecretStatus) !== DynamicSecretStatus.Deleting)
           throw new DisableRotationErrors({ message: "Document not deleted" });
 
-        const folder = await folderDAL.findById(dynamicSecretCfg.folderId);
-        if (!folder)
-          throw new NotFoundError({
-            message: `Failed to find folder with ${dynamicSecretCfg.folderId}`
-          });
-
-        const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-          type: KmsDataKey.SecretManager,
-          projectId: folder.projectId
-        });
-
         const dynamicSecretLeases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfgId });
         if (dynamicSecretLeases.length) {
           const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
           const decryptedStoredInput = JSON.parse(
-            secretManagerDecryptor({ cipherTextBlob: dynamicSecretCfg.encryptedInput }).toString()
+            infisicalSymmetricDecrypt({
+              keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
+              ciphertext: dynamicSecretCfg.inputCiphertext,
+              tag: dynamicSecretCfg.inputTag,
+              iv: dynamicSecretCfg.inputIV
+            })
           ) as object;
 
           await Promise.all(dynamicSecretLeases.map(({ id }) => unsetLeaseRevocation(id)));

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import ms from "ms";
 
-import { ActionProjectType } from "@app/db/schemas";
+import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
@@ -9,10 +9,9 @@ import {
   ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
 import { getConfig } from "@app/lib/config/env";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
-import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 
@@ -38,7 +37,6 @@ type TDynamicSecretLeaseServiceFactoryDep = {
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
 };
 
 export type TDynamicSecretLeaseServiceFactory = ReturnType<typeof dynamicSecretLeaseServiceFactory>;
@@ -51,8 +49,7 @@ export const dynamicSecretLeaseServiceFactory = ({
   permissionService,
   dynamicSecretQueueService,
   projectDAL,
-  licenseService,
-  kmsService
+  licenseService
 }: TDynamicSecretLeaseServiceFactoryDep) => {
   const create = async ({
     environmentSlug,
@@ -70,14 +67,14 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -107,14 +104,13 @@ export const dynamicSecretLeaseServiceFactory = ({
       throw new BadRequestError({ message: `Max lease limit reached. Limit: ${appCfg.MAX_LEASE_LIMIT}` });
 
     const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-
-    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.SecretManager,
-      projectId
-    });
-
     const decryptedStoredInput = JSON.parse(
-      secretManagerDecryptor({ cipherTextBlob: Buffer.from(dynamicSecretCfg.encryptedInput) }).toString()
+      infisicalSymmetricDecrypt({
+        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
+        ciphertext: dynamicSecretCfg.inputCiphertext,
+        tag: dynamicSecretCfg.inputTag,
+        iv: dynamicSecretCfg.inputIV
+      })
     ) as object;
 
     const selectedTTL = ttl || dynamicSecretCfg.defaultTTL;
@@ -151,24 +147,19 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
     );
 
-    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.SecretManager,
-      projectId
-    });
-
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan?.dynamicSecret) {
       throw new BadRequestError({
@@ -190,7 +181,12 @@ export const dynamicSecretLeaseServiceFactory = ({
     const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
     const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
     const decryptedStoredInput = JSON.parse(
-      secretManagerDecryptor({ cipherTextBlob: Buffer.from(dynamicSecretCfg.encryptedInput) }).toString()
+      infisicalSymmetricDecrypt({
+        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
+        ciphertext: dynamicSecretCfg.inputCiphertext,
+        tag: dynamicSecretCfg.inputTag,
+        iv: dynamicSecretCfg.inputIV
+      })
     ) as object;
 
     const selectedTTL = ttl || dynamicSecretCfg.defaultTTL;
@@ -231,24 +227,19 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
     );
 
-    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.SecretManager,
-      projectId
-    });
-
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
     if (!folder)
       throw new NotFoundError({
@@ -262,7 +253,12 @@ export const dynamicSecretLeaseServiceFactory = ({
     const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
     const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
     const decryptedStoredInput = JSON.parse(
-      secretManagerDecryptor({ cipherTextBlob: Buffer.from(dynamicSecretCfg.encryptedInput) }).toString()
+      infisicalSymmetricDecrypt({
+        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
+        ciphertext: dynamicSecretCfg.inputCiphertext,
+        tag: dynamicSecretCfg.inputTag,
+        iv: dynamicSecretCfg.inputIV
+      })
     ) as object;
 
     const revokeResponse = await selectedProvider
@@ -301,14 +297,13 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -344,14 +339,13 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -1,16 +1,15 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
+import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
   ProjectPermissionDynamicSecretActions,
   ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
+import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
-import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 
@@ -43,7 +42,6 @@ type TDynamicSecretServiceFactoryDep = {
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findBySecretPathMultiEnv">;
   projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
 };
 
 export type TDynamicSecretServiceFactory = ReturnType<typeof dynamicSecretServiceFactory>;
@@ -56,8 +54,7 @@ export const dynamicSecretServiceFactory = ({
   dynamicSecretProviders,
   permissionService,
   dynamicSecretQueueService,
-  projectDAL,
-  kmsService
+  projectDAL
 }: TDynamicSecretServiceFactoryDep) => {
   const create = async ({
     path,
@@ -76,14 +73,14 @@ export const dynamicSecretServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.CreateRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -111,15 +108,16 @@ export const dynamicSecretServiceFactory = ({
     const isConnected = await selectedProvider.validateConnection(provider.inputs);
     if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });
 
-    const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.SecretManager,
-      projectId
-    });
+    const encryptedInput = infisicalSymmetricEncypt(JSON.stringify(inputs));
 
     const dynamicSecretCfg = await dynamicSecretDAL.create({
       type: provider.type,
       version: 1,
-      encryptedInput: secretManagerEncryptor({ plainText: Buffer.from(JSON.stringify(inputs)) }).cipherTextBlob,
+      inputIV: encryptedInput.iv,
+      inputTag: encryptedInput.tag,
+      inputCiphertext: encryptedInput.ciphertext,
+      algorithm: encryptedInput.algorithm,
+      keyEncoding: encryptedInput.encoding,
       maxTTL,
       defaultTTL,
       folderId: folder.id,
@@ -147,14 +145,14 @@ export const dynamicSecretServiceFactory = ({
 
     const projectId = project.id;
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.EditRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -182,15 +180,15 @@ export const dynamicSecretServiceFactory = ({
       if (existingDynamicSecret)
         throw new BadRequestError({ message: "Provided dynamic secret already exist under the folder" });
     }
-    const { encryptor: secretManagerEncryptor, decryptor: secretManagerDecryptor } =
-      await kmsService.createCipherPairWithDataKey({
-        type: KmsDataKey.SecretManager,
-        projectId
-      });
 
     const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
     const decryptedStoredInput = JSON.parse(
-      secretManagerDecryptor({ cipherTextBlob: dynamicSecretCfg.encryptedInput }).toString()
+      infisicalSymmetricDecrypt({
+        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
+        ciphertext: dynamicSecretCfg.inputCiphertext,
+        tag: dynamicSecretCfg.inputTag,
+        iv: dynamicSecretCfg.inputIV
+      })
     ) as object;
     const newInput = { ...decryptedStoredInput, ...(inputs || {}) };
     const updatedInput = await selectedProvider.validateProviderInputs(newInput);
@@ -198,8 +196,13 @@ export const dynamicSecretServiceFactory = ({
     const isConnected = await selectedProvider.validateConnection(newInput);
     if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });
 
+    const encryptedInput = infisicalSymmetricEncypt(JSON.stringify(updatedInput));
     const updatedDynamicCfg = await dynamicSecretDAL.updateById(dynamicSecretCfg.id, {
-      encryptedInput: secretManagerEncryptor({ plainText: Buffer.from(JSON.stringify(updatedInput)) }).cipherTextBlob,
+      inputIV: encryptedInput.iv,
+      inputTag: encryptedInput.tag,
+      inputCiphertext: encryptedInput.ciphertext,
+      algorithm: encryptedInput.algorithm,
+      keyEncoding: encryptedInput.encoding,
       maxTTL,
       defaultTTL,
       name: newName ?? name,
@@ -226,14 +229,14 @@ export const dynamicSecretServiceFactory = ({
 
     const projectId = project.id;
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.DeleteRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -287,14 +290,13 @@ export const dynamicSecretServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -312,13 +314,13 @@ export const dynamicSecretServiceFactory = ({
     if (!dynamicSecretCfg) {
       throw new NotFoundError({ message: `Dynamic secret with name '${name} in folder '${path}' not found` });
     }
-    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.SecretManager,
-      projectId
-    });
-
     const decryptedStoredInput = JSON.parse(
-      secretManagerDecryptor({ cipherTextBlob: dynamicSecretCfg.encryptedInput }).toString()
+      infisicalSymmetricDecrypt({
+        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
+        ciphertext: dynamicSecretCfg.inputCiphertext,
+        tag: dynamicSecretCfg.inputTag,
+        iv: dynamicSecretCfg.inputIV
+      })
     ) as object;
     const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
     const providerInputs = (await selectedProvider.validateProviderInputs(decryptedStoredInput)) as object;
@@ -338,14 +340,13 @@ export const dynamicSecretServiceFactory = ({
     isInternal
   }: TListDynamicSecretsMultiEnvDTO) => {
     if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission({
+      const { permission } = await permissionService.getProjectPermission(
         actor,
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
-      });
+        actorOrgId
+      );
 
       // verify user has access to each env in request
       environmentSlugs.forEach((environmentSlug) =>
@@ -382,14 +383,13 @@ export const dynamicSecretServiceFactory = ({
     search,
     projectId
   }: TGetDynamicSecretsCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -431,14 +431,13 @@ export const dynamicSecretServiceFactory = ({
       projectId = project.id;
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -463,14 +462,13 @@ export const dynamicSecretServiceFactory = ({
     { folderMappings, filters, projectId }: TListDynamicSecretsByFolderMappingsDTO,
     actor: OrgServiceActor
   ) => {
-    const { permission } = await permissionService.getProjectPermission({
-      actor: actor.type,
-      actorId: actor.id,
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
       projectId,
-      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actor.authMethod,
+      actor.orgId
+    );
 
     const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
       permission.can(
@@ -509,14 +507,13 @@ export const dynamicSecretServiceFactory = ({
     ...params
   }: TListDynamicSecretsMultiEnvDTO) => {
     if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission({
+      const { permission } = await permissionService.getProjectPermission(
         actor,
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
-      });
+        actorOrgId
+      );
 
       // verify user has access to each env in request
       environmentSlugs.forEach((environmentSlug) =>

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -34,8 +34,6 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
     const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
-    const isMsSQLClient = providerInputs.client === SqlProviders.MsSQL;
-
     const db = knex({
       client: providerInputs.client,
       connection: {
@@ -45,16 +43,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
         user: providerInputs.username,
         password: providerInputs.password,
         ssl,
-        pool: { min: 0, max: 1 },
-        // @ts-expect-error this is because of knexjs type signature issue. This is directly passed to driver
-        // https://github.com/knex/knex/blob/b6507a7129d2b9fafebf5f831494431e64c6a8a0/lib/dialects/mssql/index.js#L66
-        // https://github.com/tediousjs/tedious/blob/ebb023ed90969a7ec0e4b036533ad52739d921f7/test/config.ci.ts#L19
-        options: isMsSQLClient
-          ? {
-              trustServerCertificate: !providerInputs.ca,
-              cryptoCredentialsDetails: providerInputs.ca ? { ca: providerInputs.ca } : {}
-            }
-          : undefined
+        pool: { min: 0, max: 1 }
       },
       acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT
     });

backend/src/ee/services/external-kms/external-kms-service.ts

@@ -1,9 +1,7 @@
-import { KMSServiceException } from "@aws-sdk/client-kms";
-import { STSServiceException } from "@aws-sdk/client-sts";
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 
-import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -73,16 +71,7 @@ export const externalKmsServiceFactory = ({
     switch (provider.type) {
       case KmsProviders.Aws:
         {
-          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs }).catch((error) => {
-            if (error instanceof STSServiceException || error instanceof KMSServiceException) {
-              throw new InternalServerError({
-                message: error.message ? `AWS error: ${error.message}` : ""
-              });
-            }
-
-            throw error;
-          });
-
+          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs });
           // if missing kms key this generate a new kms key id and returns new provider input
           const newProviderInput = await externalKms.generateInputKmsKey();
           sanitizedProviderInput = JSON.stringify(newProviderInput);

backend/src/ee/services/group/group-dal.ts

@@ -111,7 +111,7 @@ export const groupDALFactory = (db: TDbClient) => {
       }
 
       if (search) {
-        void query.andWhereRaw(`CONCAT_WS(' ', "firstName", "lastName", "username") ilike ?`, [`%${search}%`]);
+        void query.andWhereRaw(`CONCAT_WS(' ', "firstName", "lastName", "username") ilike '%${search}%'`);
       } else if (username) {
         void query.andWhere(`${TableName.Users}.username`, "ilike", `%${username}%`);
       }

backend/src/ee/services/group/group-service.ts

@@ -2,7 +2,6 @@ import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 
 import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
-import { TOidcConfigDALFactory } from "@app/ee/services/oidc/oidc-config-dal";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -33,7 +32,7 @@ type TGroupServiceFactoryDep = {
   userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
   groupDAL: Pick<
     TGroupDALFactory,
-    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById" | "transaction"
+    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById"
   >;
   groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
   orgDAL: Pick<TOrgDALFactory, "findMembership" | "countAllOrgMembers">;
@@ -46,7 +45,6 @@ type TGroupServiceFactoryDep = {
   projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "findLatestProjectKey" | "insertMany">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getOrgPermissionByRole">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  oidcConfigDAL: Pick<TOidcConfigDALFactory, "findOne">;
 };
 
 export type TGroupServiceFactory = ReturnType<typeof groupServiceFactory>;
@@ -61,8 +59,7 @@ export const groupServiceFactory = ({
   projectBotDAL,
   projectKeyDAL,
   permissionService,
-  licenseService,
-  oidcConfigDAL
+  licenseService
 }: TGroupServiceFactoryDep) => {
   const createGroup = async ({ name, slug, role, actor, actorId, actorAuthMethod, actorOrgId }: TCreateGroupDTO) => {
     if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
@@ -91,26 +88,12 @@ export const groupServiceFactory = ({
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
 
-    const group = await groupDAL.transaction(async (tx) => {
-      const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
-      if (existingGroup) {
-        throw new BadRequestError({
-          message: `Failed to create group with name '${name}'. Group with the same name already exists`
-        });
-      }
-
-      const newGroup = await groupDAL.create(
-        {
-          name,
-          slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
-          orgId: actorOrgId,
-          role: isCustomRole ? OrgMembershipRole.Custom : role,
-          roleId: customRole?.id
-        },
-        tx
-      );
-
-      return newGroup;
+    const group = await groupDAL.create({
+      name,
+      slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
+      orgId: actorOrgId,
+      role: isCustomRole ? OrgMembershipRole.Custom : role,
+      roleId: customRole?.id
     });
 
     return group;
@@ -162,36 +145,21 @@ export const groupServiceFactory = ({
       if (isCustomRole) customRole = customOrgRole;
     }
 
-    const updatedGroup = await groupDAL.transaction(async (tx) => {
-      if (name) {
-        const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
-
-        if (existingGroup && existingGroup.id !== id) {
-          throw new BadRequestError({
-            message: `Failed to update group with name '${name}'. Group with the same name already exists`
-          });
-        }
+    const [updatedGroup] = await groupDAL.update(
+      {
+        id: group.id
+      },
+      {
+        name,
+        slug: slug ? slugify(slug) : undefined,
+        ...(role
+          ? {
+              role: customRole ? OrgMembershipRole.Custom : role,
+              roleId: customRole?.id ?? null
+            }
+          : {})
       }
-
-      const [updated] = await groupDAL.update(
-        {
-          id: group.id
-        },
-        {
-          name,
-          slug: slug ? slugify(slug) : undefined,
-          ...(role
-            ? {
-                role: customRole ? OrgMembershipRole.Custom : role,
-                roleId: customRole?.id ?? null
-              }
-            : {})
-        },
-        tx
-      );
-
-      return updated;
-    });
+    );
 
     return updatedGroup;
   };
@@ -314,18 +282,6 @@ export const groupServiceFactory = ({
         message: `Failed to find group with ID ${id}`
       });
 
-    const oidcConfig = await oidcConfigDAL.findOne({
-      orgId: group.orgId,
-      isActive: true
-    });
-
-    if (oidcConfig?.manageGroupMemberships) {
-      throw new BadRequestError({
-        message:
-          "Cannot add user to group: OIDC group membership mapping is enabled - user must be assigned to this group in your OIDC provider."
-      });
-    }
-
     const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
 
     // check if user has broader or equal to privileges than group
@@ -381,18 +337,6 @@ export const groupServiceFactory = ({
         message: `Failed to find group with ID ${id}`
       });
 
-    const oidcConfig = await oidcConfigDAL.findOne({
-      orgId: group.orgId,
-      isActive: true
-    });
-
-    if (oidcConfig?.manageGroupMemberships) {
-      throw new BadRequestError({
-        message:
-          "Cannot remove user from group: OIDC group membership mapping is enabled - user must be removed from this group in your OIDC provider."
-      });
-    }
-
     const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
 
     // check if user has broader or equal to privileges than group

backend/src/ee/services/hsm/hsm-fns.ts

@@ -1,23 +1,25 @@
 import * as pkcs11js from "pkcs11js";
 
-import { TEnvConfig } from "@app/lib/config/env";
+import { getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
 
 import { HsmModule } from "./hsm-types";
 
-export const initializeHsmModule = (envConfig: Pick<TEnvConfig, "isHsmConfigured" | "HSM_LIB_PATH">) => {
+export const initializeHsmModule = () => {
+  const appCfg = getConfig();
+
   // Create a new instance of PKCS11 module
   const pkcs11 = new pkcs11js.PKCS11();
   let isInitialized = false;
 
   const initialize = () => {
-    if (!envConfig.isHsmConfigured) {
+    if (!appCfg.isHsmConfigured) {
       return;
     }
 
     try {
       // Load the PKCS#11 module
-      pkcs11.load(envConfig.HSM_LIB_PATH!);
+      pkcs11.load(appCfg.HSM_LIB_PATH!);
 
       // Initialize the module
       pkcs11.C_Initialize();

backend/src/ee/services/hsm/hsm-service.ts

@@ -1,13 +1,12 @@
 import pkcs11js from "pkcs11js";
 
-import { TEnvConfig } from "@app/lib/config/env";
+import { getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
 
 import { HsmKeyType, HsmModule } from "./hsm-types";
 
 type THsmServiceFactoryDep = {
   hsmModule: HsmModule;
-  envConfig: Pick<TEnvConfig, "HSM_PIN" | "HSM_SLOT" | "HSM_LIB_PATH" | "HSM_KEY_LABEL" | "isHsmConfigured">;
 };
 
 export type THsmServiceFactory = ReturnType<typeof hsmServiceFactory>;
@@ -16,7 +15,9 @@ type SyncOrAsync<T> = T | Promise<T>;
 type SessionCallback<T> = (session: pkcs11js.Handle) => SyncOrAsync<T>;
 
 // eslint-disable-next-line no-empty-pattern
-export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envConfig }: THsmServiceFactoryDep) => {
+export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 } }: THsmServiceFactoryDep) => {
+  const appCfg = getConfig();
+
   // Constants for buffer structures
   const IV_LENGTH = 16; // Luna HSM typically expects 16-byte IV for cbc
   const BLOCK_SIZE = 16;
@@ -62,11 +63,11 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
         throw new Error("No slots available");
       }
 
-      if (envConfig.HSM_SLOT >= slots.length) {
-        throw new Error(`HSM slot ${envConfig.HSM_SLOT} not found or not initialized`);
+      if (appCfg.HSM_SLOT >= slots.length) {
+        throw new Error(`HSM slot ${appCfg.HSM_SLOT} not found or not initialized`);
       }
 
-      const slotId = slots[envConfig.HSM_SLOT];
+      const slotId = slots[appCfg.HSM_SLOT];
 
       const startTime = Date.now();
       while (Date.now() - startTime < MAX_TIMEOUT) {
@@ -77,7 +78,7 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
 
           // Login
           try {
-            pkcs11.C_Login(sessionHandle, pkcs11js.CKU_USER, envConfig.HSM_PIN);
+            pkcs11.C_Login(sessionHandle, pkcs11js.CKU_USER, appCfg.HSM_PIN);
             logger.info("HSM: Successfully authenticated");
             break;
           } catch (error) {
@@ -85,7 +86,7 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
             if (error instanceof pkcs11js.Pkcs11Error) {
               if (error.code === pkcs11js.CKR_PIN_INCORRECT) {
                 // We throw instantly here to prevent further attempts, because if too many attempts are made, the HSM will potentially wipe all key material
-                logger.error(error, `HSM: Incorrect PIN detected for HSM slot ${envConfig.HSM_SLOT}`);
+                logger.error(error, `HSM: Incorrect PIN detected for HSM slot ${appCfg.HSM_SLOT}`);
                 throw new Error("HSM: Incorrect HSM Pin detected. Please check the HSM configuration.");
               }
               if (error.code === pkcs11js.CKR_USER_ALREADY_LOGGED_IN) {
@@ -132,7 +133,7 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
   };
 
   const $findKey = (sessionHandle: pkcs11js.Handle, type: HsmKeyType) => {
-    const label = type === HsmKeyType.HMAC ? `${envConfig.HSM_KEY_LABEL}_HMAC` : envConfig.HSM_KEY_LABEL;
+    const label = type === HsmKeyType.HMAC ? `${appCfg.HSM_KEY_LABEL}_HMAC` : appCfg.HSM_KEY_LABEL;
     const keyType = type === HsmKeyType.HMAC ? pkcs11js.CKK_GENERIC_SECRET : pkcs11js.CKK_AES;
 
     const template = [
@@ -359,7 +360,7 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
   };
 
   const isActive = async () => {
-    if (!isInitialized || !envConfig.isHsmConfigured) {
+    if (!isInitialized || !appCfg.isHsmConfigured) {
       return false;
     }
 
@@ -371,11 +372,11 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
       logger.error(err, "HSM: Error testing PKCS#11 module");
     }
 
-    return envConfig.isHsmConfigured && isInitialized && pkcs11TestPassed;
+    return appCfg.isHsmConfigured && isInitialized && pkcs11TestPassed;
   };
 
   const startService = async () => {
-    if (!envConfig.isHsmConfigured || !pkcs11 || !isInitialized) return;
+    if (!appCfg.isHsmConfigured || !pkcs11 || !isInitialized) return;
 
     try {
       await $withSession(async (sessionHandle) => {
@@ -394,7 +395,7 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
             { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
             { type: pkcs11js.CKA_KEY_TYPE, value: pkcs11js.CKK_AES },
             { type: pkcs11js.CKA_VALUE_LEN, value: AES_KEY_SIZE / 8 },
-            { type: pkcs11js.CKA_LABEL, value: envConfig.HSM_KEY_LABEL! },
+            { type: pkcs11js.CKA_LABEL, value: appCfg.HSM_KEY_LABEL! },
             { type: pkcs11js.CKA_ENCRYPT, value: true }, // Allow encryption
             { type: pkcs11js.CKA_DECRYPT, value: true }, // Allow decryption
             ...genericAttributes
@@ -409,7 +410,7 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
             keyTemplate
           );
 
-          logger.info(`HSM: Master key created successfully with label: ${envConfig.HSM_KEY_LABEL}`);
+          logger.info(`HSM: Master key created successfully with label: ${appCfg.HSM_KEY_LABEL}`);
         }
 
         // Check if HMAC key exists, create if not
@@ -418,7 +419,7 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
             { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
             { type: pkcs11js.CKA_KEY_TYPE, value: pkcs11js.CKK_GENERIC_SECRET },
             { type: pkcs11js.CKA_VALUE_LEN, value: HMAC_KEY_SIZE / 8 }, // 256-bit key
-            { type: pkcs11js.CKA_LABEL, value: `${envConfig.HSM_KEY_LABEL!}_HMAC` },
+            { type: pkcs11js.CKA_LABEL, value: `${appCfg.HSM_KEY_LABEL!}_HMAC` },
             { type: pkcs11js.CKA_SIGN, value: true }, // Allow signing
             { type: pkcs11js.CKA_VERIFY, value: true }, // Allow verification
             ...genericAttributes
@@ -433,7 +434,7 @@ export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 }, envCon
             hmacKeyTemplate
           );
 
-          logger.info(`HSM: HMAC key created successfully with label: ${envConfig.HSM_KEY_LABEL}_HMAC`);
+          logger.info(`HSM: HMAC key created successfully with label: ${appCfg.HSM_KEY_LABEL}_HMAC`);
         }
 
         // Get slot info to check supported mechanisms

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -2,10 +2,10 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 import ms from "ms";
 
-import { ActionProjectType, TableName } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
-import { unpackPermissions } from "@app/server/routes/sanitizedSchema/permission";
+import { unpackPermissions } from "@app/server/routes/santizedSchemas/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -55,26 +55,24 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -137,26 +135,24 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
         message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
     );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -219,26 +215,24 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
         message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
     );
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
@@ -266,14 +260,13 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
         message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
@@ -301,14 +294,13 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
@@ -337,14 +329,13 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -2,10 +2,9 @@ import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability"
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import ms from "ms";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
-import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
+import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -63,27 +62,25 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -146,28 +143,26 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -247,27 +242,25 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to edit more privileged identity" });
@@ -306,14 +299,13 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId })
@@ -349,14 +341,13 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,

backend/src/ee/services/kmip/kmip-client-certificate-dal.ts

@@ -1,11 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TKmipClientCertificateDALFactory = ReturnType<typeof kmipClientCertificateDALFactory>;
-
-export const kmipClientCertificateDALFactory = (db: TDbClient) => {
-  const kmipClientCertOrm = ormify(db, TableName.KmipClientCertificates);
-
-  return kmipClientCertOrm;
-};

backend/src/ee/services/kmip/kmip-client-dal.ts

@@ -1,86 +0,0 @@
-import { Knex } from "knex";
-
-import { TDbClient } from "@app/db";
-import { TableName, TKmipClients } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
-import { OrderByDirection } from "@app/lib/types";
-
-import { KmipClientOrderBy } from "./kmip-types";
-
-export type TKmipClientDALFactory = ReturnType<typeof kmipClientDALFactory>;
-
-export const kmipClientDALFactory = (db: TDbClient) => {
-  const kmipClientOrm = ormify(db, TableName.KmipClient);
-
-  const findByProjectAndClientId = async (projectId: string, clientId: string) => {
-    try {
-      const client = await db
-        .replicaNode()(TableName.KmipClient)
-        .join(TableName.Project, `${TableName.Project}.id`, `${TableName.KmipClient}.projectId`)
-        .join(TableName.Organization, `${TableName.Organization}.id`, `${TableName.Project}.orgId`)
-        .where({
-          [`${TableName.KmipClient}.projectId` as "projectId"]: projectId,
-          [`${TableName.KmipClient}.id` as "id"]: clientId
-        })
-        .select(selectAllTableCols(TableName.KmipClient))
-        .select(db.ref("id").withSchema(TableName.Organization).as("orgId"))
-        .first();
-
-      return client;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find by project and client ID" });
-    }
-  };
-
-  const findByProjectId = async (
-    {
-      projectId,
-      offset = 0,
-      limit,
-      orderBy = KmipClientOrderBy.Name,
-      orderDirection = OrderByDirection.ASC,
-      search
-    }: {
-      projectId: string;
-      offset?: number;
-      limit?: number;
-      orderBy?: KmipClientOrderBy;
-      orderDirection?: OrderByDirection;
-      search?: string;
-    },
-    tx?: Knex
-  ) => {
-    try {
-      const query = (tx || db.replicaNode())(TableName.KmipClient)
-        .where("projectId", projectId)
-        .where((qb) => {
-          if (search) {
-            void qb.whereILike("name", `%${search}%`);
-          }
-        })
-        .select<
-          (TKmipClients & {
-            total_count: number;
-          })[]
-        >(selectAllTableCols(TableName.KmipClient), db.raw(`count(*) OVER() as total_count`))
-        .orderBy(orderBy, orderDirection);
-
-      if (limit) {
-        void query.limit(limit).offset(offset);
-      }
-
-      const data = await query;
-
-      return { kmipClients: data, totalCount: Number(data?.[0]?.total_count ?? 0) };
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find KMIP clients by project id" });
-    }
-  };
-
-  return {
-    ...kmipClientOrm,
-    findByProjectId,
-    findByProjectAndClientId
-  };
-};

backend/src/ee/services/kmip/kmip-enum.ts

@@ -1,11 +0,0 @@
-export enum KmipPermission {
-  Create = "create",
-  Locate = "locate",
-  Check = "check",
-  Get = "get",
-  GetAttributes = "get-attributes",
-  Activate = "activate",
-  Revoke = "revoke",
-  Destroy = "destroy",
-  Register = "register"
-}

backend/src/ee/services/kmip/kmip-operation-service.ts

@@ -1,422 +0,0 @@
-import { ForbiddenError } from "@casl/ability";
-
-import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
-import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
-import { TKmsServiceFactory } from "@app/services/kms/kms-service";
-import { TProjectDALFactory } from "@app/services/project/project-dal";
-
-import { OrgPermissionKmipActions, OrgPermissionSubjects } from "../permission/org-permission";
-import { TPermissionServiceFactory } from "../permission/permission-service";
-import { TKmipClientDALFactory } from "./kmip-client-dal";
-import { KmipPermission } from "./kmip-enum";
-import {
-  TKmipCreateDTO,
-  TKmipDestroyDTO,
-  TKmipGetAttributesDTO,
-  TKmipGetDTO,
-  TKmipLocateDTO,
-  TKmipRegisterDTO,
-  TKmipRevokeDTO
-} from "./kmip-types";
-
-type TKmipOperationServiceFactoryDep = {
-  kmsService: TKmsServiceFactory;
-  kmsDAL: TKmsKeyDALFactory;
-  kmipClientDAL: TKmipClientDALFactory;
-  projectDAL: Pick<TProjectDALFactory, "getProjectFromSplitId" | "findById">;
-  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
-};
-
-export type TKmipOperationServiceFactory = ReturnType<typeof kmipOperationServiceFactory>;
-
-export const kmipOperationServiceFactory = ({
-  kmsService,
-  kmsDAL,
-  projectDAL,
-  kmipClientDAL,
-  permissionService
-}: TKmipOperationServiceFactoryDep) => {
-  const create = async ({
-    projectId,
-    clientId,
-    algorithm,
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId
-  }: TKmipCreateDTO) => {
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      actorOrgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
-
-    const kmipClient = await kmipClientDAL.findOne({
-      id: clientId,
-      projectId
-    });
-
-    if (!kmipClient.permissions?.includes(KmipPermission.Create)) {
-      throw new ForbiddenRequestError({
-        message: "Client does not have sufficient permission to perform KMIP create"
-      });
-    }
-
-    const kmsKey = await kmsService.generateKmsKey({
-      encryptionAlgorithm: algorithm,
-      orgId: actorOrgId,
-      projectId,
-      isReserved: false
-    });
-
-    return kmsKey;
-  };
-
-  const destroy = async ({ projectId, id, clientId, actor, actorId, actorOrgId, actorAuthMethod }: TKmipDestroyDTO) => {
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      actorOrgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
-
-    const kmipClient = await kmipClientDAL.findOne({
-      id: clientId,
-      projectId
-    });
-
-    if (!kmipClient.permissions?.includes(KmipPermission.Destroy)) {
-      throw new ForbiddenRequestError({
-        message: "Client does not have sufficient permission to perform KMIP destroy"
-      });
-    }
-
-    const key = await kmsDAL.findOne({
-      id,
-      projectId
-    });
-
-    if (!key) {
-      throw new NotFoundError({ message: `Key with ID ${id} not found` });
-    }
-
-    if (key.isReserved) {
-      throw new BadRequestError({ message: "Cannot destroy reserved keys" });
-    }
-
-    const completeKeyDetails = await kmsDAL.findByIdWithAssociatedKms(id);
-    if (!completeKeyDetails.internalKms) {
-      throw new BadRequestError({
-        message: "Cannot destroy external keys"
-      });
-    }
-
-    if (!completeKeyDetails.isDisabled) {
-      throw new BadRequestError({
-        message: "Cannot destroy active keys"
-      });
-    }
-
-    const kms = kmsDAL.deleteById(id);
-
-    return kms;
-  };
-
-  const get = async ({ projectId, id, clientId, actor, actorId, actorAuthMethod, actorOrgId }: TKmipGetDTO) => {
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      actorOrgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
-
-    const kmipClient = await kmipClientDAL.findOne({
-      id: clientId,
-      projectId
-    });
-
-    if (!kmipClient.permissions?.includes(KmipPermission.Get)) {
-      throw new ForbiddenRequestError({
-        message: "Client does not have sufficient permission to perform KMIP get"
-      });
-    }
-
-    const key = await kmsDAL.findOne({
-      id,
-      projectId
-    });
-
-    if (!key) {
-      throw new NotFoundError({ message: `Key with ID ${id} not found` });
-    }
-
-    if (key.isReserved) {
-      throw new BadRequestError({ message: "Cannot get reserved keys" });
-    }
-
-    const completeKeyDetails = await kmsDAL.findByIdWithAssociatedKms(id);
-
-    if (!completeKeyDetails.internalKms) {
-      throw new BadRequestError({
-        message: "Cannot get external keys"
-      });
-    }
-
-    const kmsKey = await kmsService.getKeyMaterial({
-      kmsId: key.id
-    });
-
-    return {
-      id: key.id,
-      value: kmsKey.toString("base64"),
-      algorithm: completeKeyDetails.internalKms.encryptionAlgorithm,
-      isActive: !key.isDisabled,
-      createdAt: key.createdAt,
-      updatedAt: key.updatedAt
-    };
-  };
-
-  const activate = async ({ projectId, id, clientId, actor, actorId, actorAuthMethod, actorOrgId }: TKmipGetDTO) => {
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      actorOrgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
-
-    const kmipClient = await kmipClientDAL.findOne({
-      id: clientId,
-      projectId
-    });
-
-    if (!kmipClient.permissions?.includes(KmipPermission.Activate)) {
-      throw new ForbiddenRequestError({
-        message: "Client does not have sufficient permission to perform KMIP activate"
-      });
-    }
-
-    const key = await kmsDAL.findOne({
-      id,
-      projectId
-    });
-
-    if (!key) {
-      throw new NotFoundError({ message: `Key with ID ${id} not found` });
-    }
-
-    return {
-      id: key.id,
-      isActive: !key.isDisabled
-    };
-  };
-
-  const revoke = async ({ projectId, id, clientId, actor, actorId, actorAuthMethod, actorOrgId }: TKmipRevokeDTO) => {
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      actorOrgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
-
-    const kmipClient = await kmipClientDAL.findOne({
-      id: clientId,
-      projectId
-    });
-
-    if (!kmipClient.permissions?.includes(KmipPermission.Revoke)) {
-      throw new ForbiddenRequestError({
-        message: "Client does not have sufficient permission to perform KMIP revoke"
-      });
-    }
-
-    const key = await kmsDAL.findOne({
-      id,
-      projectId
-    });
-
-    if (!key) {
-      throw new NotFoundError({ message: `Key with ID ${id} not found` });
-    }
-
-    if (key.isReserved) {
-      throw new BadRequestError({ message: "Cannot revoke reserved keys" });
-    }
-
-    const completeKeyDetails = await kmsDAL.findByIdWithAssociatedKms(id);
-
-    if (!completeKeyDetails.internalKms) {
-      throw new BadRequestError({
-        message: "Cannot revoke external keys"
-      });
-    }
-
-    const revokedKey = await kmsDAL.updateById(key.id, {
-      isDisabled: true
-    });
-
-    return {
-      id: key.id,
-      updatedAt: revokedKey.updatedAt
-    };
-  };
-
-  const getAttributes = async ({
-    projectId,
-    id,
-    clientId,
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId
-  }: TKmipGetAttributesDTO) => {
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      actorOrgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
-
-    const kmipClient = await kmipClientDAL.findOne({
-      id: clientId,
-      projectId
-    });
-
-    if (!kmipClient.permissions?.includes(KmipPermission.GetAttributes)) {
-      throw new ForbiddenRequestError({
-        message: "Client does not have sufficient permission to perform KMIP get attributes"
-      });
-    }
-
-    const key = await kmsDAL.findOne({
-      id,
-      projectId
-    });
-
-    if (!key) {
-      throw new NotFoundError({ message: `Key with ID ${id} not found` });
-    }
-
-    if (key.isReserved) {
-      throw new BadRequestError({ message: "Cannot get reserved keys" });
-    }
-
-    const completeKeyDetails = await kmsDAL.findByIdWithAssociatedKms(id);
-
-    if (!completeKeyDetails.internalKms) {
-      throw new BadRequestError({
-        message: "Cannot get external keys"
-      });
-    }
-
-    return {
-      id: key.id,
-      algorithm: completeKeyDetails.internalKms.encryptionAlgorithm,
-      isActive: !key.isDisabled,
-      createdAt: key.createdAt,
-      updatedAt: key.updatedAt
-    };
-  };
-
-  const locate = async ({ projectId, clientId, actor, actorId, actorAuthMethod, actorOrgId }: TKmipLocateDTO) => {
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      actorOrgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
-
-    const kmipClient = await kmipClientDAL.findOne({
-      id: clientId,
-      projectId
-    });
-
-    if (!kmipClient.permissions?.includes(KmipPermission.Locate)) {
-      throw new ForbiddenRequestError({
-        message: "Client does not have sufficient permission to perform KMIP locate"
-      });
-    }
-
-    const keys = await kmsDAL.findProjectCmeks(projectId);
-
-    return keys;
-  };
-
-  const register = async ({
-    projectId,
-    clientId,
-    key,
-    algorithm,
-    name,
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId
-  }: TKmipRegisterDTO) => {
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      actorOrgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
-
-    const kmipClient = await kmipClientDAL.findOne({
-      id: clientId,
-      projectId
-    });
-
-    if (!kmipClient.permissions?.includes(KmipPermission.Register)) {
-      throw new ForbiddenRequestError({
-        message: "Client does not have sufficient permission to perform KMIP register"
-      });
-    }
-
-    const project = await projectDAL.findById(projectId);
-
-    const kmsKey = await kmsService.importKeyMaterial({
-      name,
-      key: Buffer.from(key, "base64"),
-      algorithm,
-      isReserved: false,
-      projectId,
-      orgId: project.orgId
-    });
-
-    return kmsKey;
-  };
-
-  return {
-    create,
-    get,
-    activate,
-    getAttributes,
-    destroy,
-    revoke,
-    locate,
-    register
-  };
-};