update regex to capature comment

Added tags to secrets in the dashboard

.env.example

@@ -64,7 +64,7 @@ POSTHOG_PROJECT_API_KEY=
 STRIPE_SECRET_KEY=
 STRIPE_PUBLISHABLE_KEY=
 STRIPE_WEBHOOK_SECRET=
-STRIPE_PRODUCT_CARD_AUTH=
-STRIPE_PRODUCT_PRO=
 STRIPE_PRODUCT_STARTER=
+STRIPE_PRODUCT_TEAM=
+STRIPE_PRODUCT_PRO=
 NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=

.eslintignore

@@ -1,3 +1,4 @@
 node_modules
 built
 healthcheck.js
+tailwind.config.js

.github/values.yaml

@@ -1,36 +1,93 @@
+#####
+# INFISICAL K8 DEFAULT VALUES FILE
+# PLEASE REPLACE VALUES/EDIT AS REQUIRED 
+#####
+
+nameOverride: ""
+
 frontend:
-  replicaCount: 1
+  name: frontend
+  podAnnotations: {}
+  deploymentAnnotations:
+    secrets.infisical.com/auto-reload: "true"
+  replicaCount: 2
   image:
-    repository: 
-    pullPolicy: Always
+    repository: infisical/frontend
+    pullPolicy: Always 
     tag: "latest"
   kubeSecretRef: managed-secret-frontend
+  service:
+    # type of the frontend service
+    type: ClusterIP
+    # define the nodePort if service type is NodePort
+    # nodePort: 
+    annotations: {}
 
 backend:
-  replicaCount: 1
+  name: backend
+  podAnnotations: {}
+  deploymentAnnotations:
+    secrets.infisical.com/auto-reload: "true"
+  replicaCount: 2
   image:
-    repository: 
+    repository: infisical/backend
     pullPolicy: Always
     tag: "latest"
   kubeSecretRef: managed-backend-secret
+  service:
+    annotations: {}
+
+mongodb:
+  name: mongodb
+  podAnnotations: {}
+  image:
+    repository: mongo
+    pullPolicy: IfNotPresent
+    tag: "latest"
+  service:
+    annotations: {}
+
+# By default the backend will be connected to a Mongo instance in the cluster.
+# However, it is recommended to add a managed document DB connection string because the DB instance in the cluster does not have persistence yet ( data will be deleted on next deploy).
+# Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
+mongodbConnection: {}
+  # externalMongoDBConnectionString: <>
 
 ingress:
   enabled: true
   annotations:
     kubernetes.io/ingress.class: "nginx"
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-  hostName: gamma.infisical.com
+  hostName: gamma.infisical.com # replace with your domain 
   frontend: 
     path: /
     pathType: Prefix
   backend:
     path: /api
     pathType: Prefix
-  tls:
-    - secretName: echo-tls
-      hosts:
-        - gamma.infisical.com
+  tls: []
 
-backendEnvironmentVariables:
 
-frontendEnvironmentVariables:
+## Complete Ingress example 
+# ingress:
+#   enabled: true
+#   annotations:
+#     kubernetes.io/ingress.class: "nginx"
+#     cert-manager.io/issuer: letsencrypt-nginx
+#   hostName: k8.infisical.com
+#   frontend: 
+#     path: /
+#     pathType: Prefix
+#   backend:
+#     path: /api
+#     pathType: Prefix
+#   tls:
+#     - secretName: letsencrypt-nginx
+#       hosts:
+#         - k8.infisical.com
+
+###
+### YOU MUST FILL IN ALL SECRETS BELOW
+### 
+backendEnvironmentVariables: {}
+
+frontendEnvironmentVariables: {}

.github/workflows/release_build.yml

@@ -19,6 +19,7 @@ jobs:
         with:
           fetch-depth: 0
       - run: git fetch --force --tags
+      - run: echo "Ref name ${{github.ref_name}}"
       - uses: actions/setup-go@v3
         with:
           go-version: '>=1.19.3'
@@ -33,11 +34,11 @@ jobs:
         run: |
           mkdir ../../osxcross
           git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-      - uses: goreleaser/goreleaser-action@v2
+      - uses: goreleaser/goreleaser-action@v4
         with:
           distribution: goreleaser
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
           FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}

.goreleaser.yaml

@@ -14,6 +14,9 @@ before:
 builds:
   - id: darwin-build
     binary: infisical
+    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    flags:
+      - -trimpath
     env:
       - CGO_ENABLED=1
       - CC=/home/runner/work/osxcross/target/bin/o64-clang
@@ -24,10 +27,14 @@ builds:
       - goos: darwin
         goarch: "386"
     dir: ./cli
+
   - id: all-other-builds
     env:
       - CGO_ENABLED=0
     binary: infisical
+    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    flags:
+      - -trimpath
     goos:
       - freebsd
       - linux
@@ -65,8 +72,10 @@ release:
 
 checksum:
   name_template: 'checksums.txt'
+
 snapshot:
-  name_template: "{{ incpatch .Version }}"
+  name_template: "{{ incpatch .Version }}-devel"
+
 changelog:
   sort: asc
   filters:
@@ -80,6 +89,7 @@ changelog:
 #       - infisical
 #     dir: "{{ dir .ArtifactPath }}"
 #     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/infisical/
+
 brews:
   - name: infisical
     tap:
@@ -91,6 +101,13 @@ brews:
     folder: Formula
     homepage: "https://infisical.com"
     description: "The official Infisical CLI"
+    install: |-
+      bin.install "infisical"
+      bash_completion.install "completions/infisical.bash" => "infisical"
+      zsh_completion.install "completions/infisical.zsh" => "_infisical"
+      fish_completion.install "completions/infisical.fish"
+      man1.install "manpages/infisical.1.gz"
+
 nfpms:
 - id: infisical
   package_name: infisical
@@ -116,6 +133,7 @@ nfpms:
       dst: /usr/share/zsh/site-functions/_infisical
     - src: ./manpages/infisical.1.gz
       dst: /usr/share/man/man1/infisical.1.gz
+
 scoop:
   bucket:
     owner: Infisical
@@ -126,6 +144,7 @@ scoop:
   homepage: "https://infisical.com"
   description: "The official Infisical CLI"
   license: MIT
+
 aurs:
   -
     name: infisical-bin

Makefile

@@ -8,7 +8,7 @@ up-dev:
 	docker-compose -f docker-compose.dev.yml up --build
 
 i-dev:
-	infisical export && infisical export > .env && docker-compose -f docker-compose.dev.yml up --build
+	infisical run -- docker-compose -f docker-compose.dev.yml up --build
 
 up-prod:
 	docker-compose -f docker-compose.yml up --build

backend/environment.d.ts

@@ -3,8 +3,10 @@ export {};
 declare global {
   namespace NodeJS {
     interface ProcessEnv {
+      PORT: string;
       EMAIL_TOKEN_LIFETIME: string;
       ENCRYPTION_KEY: string;
+      SALT_ROUNDS: string;
       JWT_AUTH_LIFETIME: string;
       JWT_AUTH_SECRET: string;
       JWT_REFRESH_LIFETIME: string;
@@ -19,23 +21,31 @@ declare global {
       CLIENT_ID_HEROKU: string;
       CLIENT_ID_VERCEL: string;
       CLIENT_ID_NETLIFY: string;
+      CLIENT_ID_GITHUB: string;
       CLIENT_SECRET_HEROKU: string;
       CLIENT_SECRET_VERCEL: string;
       CLIENT_SECRET_NETLIFY: string;
+      CLIENT_SECRET_GITHUB: string;
+      CLIENT_SLUG_VERCEL: string;
 			POSTHOG_HOST: string;
 			POSTHOG_PROJECT_API_KEY: string;
       SENTRY_DSN: string;
       SITE_URL: string;
       SMTP_HOST: string;
-      SMTP_NAME: string;
-      SMTP_PASSWORD: string;
+      SMTP_SECURE: string;
+      SMTP_PORT: string;
       SMTP_USERNAME: string;
-      STRIPE_PRODUCT_CARD_AUTH: string;
-      STRIPE_PRODUCT_PRO: string;
+      SMTP_PASSWORD: string;
+      SMTP_FROM_ADDRESS: string;
+      SMTP_FROM_NAME: string;
       STRIPE_PRODUCT_STARTER: string;
+      STRIPE_PRODUCT_TEAM: string;
+      STRIPE_PRODUCT_PRO: string;
       STRIPE_PUBLISHABLE_KEY: string;
       STRIPE_SECRET_KEY: string;
       STRIPE_WEBHOOK_SECRET: string;
+      TELEMETRY_ENABLED: string;
+      LICENSE_KEY: string;
     }
   }
 }

backend/package-lock.json

@@ -19,6 +19,7 @@
         "axios": "^1.1.3",
         "bcrypt": "^5.1.0",
         "bigint-conversion": "^2.2.2",
+        "builder-pattern": "^2.2.0",
         "cookie-parser": "^1.4.6",
         "cors": "^2.8.5",
         "crypto-js": "^4.1.1",
@@ -32,6 +33,7 @@
         "jsonwebtoken": "^9.0.0",
         "jsrp": "^0.2.4",
         "libsodium-wrappers": "^0.7.10",
+        "lodash": "^4.17.21",
         "mongoose": "^6.7.2",
         "nodemailer": "^6.8.0",
         "posthog-node": "^2.2.2",
@@ -58,6 +60,7 @@
         "@types/express": "^4.17.14",
         "@types/jest": "^29.2.4",
         "@types/jsonwebtoken": "^8.5.9",
+        "@types/lodash": "^4.14.191",
         "@types/node": "^18.11.3",
         "@types/nodemailer": "^6.4.6",
         "@types/supertest": "^2.0.12",
@@ -2889,14 +2892,27 @@
       "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz",
       "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw=="
     },
-    "node_modules/@sentry/node": {
-      "version": "7.19.0",
-      "resolved": "https://registry.npmjs.org/@sentry/node/-/node-7.19.0.tgz",
-      "integrity": "sha512-yG7Tx32WqOkEHVotFLrumCcT9qlaSDTkFNZ+yLSvZXx74ifsE781DzBA9W7K7bBdYO3op+p2YdsOKzf3nPpAyQ==",
+    "node_modules/@sentry/core": {
+      "version": "7.21.1",
+      "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.21.1.tgz",
+      "integrity": "sha512-Og5wEEsy24fNvT/T7IKjcV4EvVK5ryY2kxbJzKY6GU2eX+i+aBl+n/vp7U0Es351C/AlTkS+0NOUsp2TQQFxZA==",
       "dependencies": {
-        "@sentry/core": "7.19.0",
-        "@sentry/types": "7.19.0",
-        "@sentry/utils": "7.19.0",
+        "@sentry/types": "7.21.1",
+        "@sentry/utils": "7.21.1",
+        "tslib": "^1.9.3"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/@sentry/node": {
+      "version": "7.21.1",
+      "resolved": "https://registry.npmjs.org/@sentry/node/-/node-7.21.1.tgz",
+      "integrity": "sha512-B+p1nQHaFWdCCRVmvqlr/+vdQCI3mGLObucNfK2YC22IQZg7+3u6tEbxJ7umITIjeSSKgf7ZoZwCxL9VfkrNXg==",
+      "dependencies": {
+        "@sentry/core": "7.21.1",
+        "@sentry/types": "7.21.1",
+        "@sentry/utils": "7.21.1",
         "cookie": "^0.4.1",
         "https-proxy-agent": "^5.0.0",
         "lru_map": "^0.3.3",
@@ -2906,80 +2922,34 @@
         "node": ">=8"
       }
     },
-    "node_modules/@sentry/node/node_modules/@sentry/core": {
-      "version": "7.19.0",
-      "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.19.0.tgz",
-      "integrity": "sha512-YF9cTBcAnO4R44092BJi5Wa2/EO02xn2ziCtmNgAVTN2LD31a/YVGxGBt/FDr4Y6yeuVehaqijVVvtpSmXrGJw==",
-      "dependencies": {
-        "@sentry/types": "7.19.0",
-        "@sentry/utils": "7.19.0",
-        "tslib": "^1.9.3"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/@sentry/node/node_modules/@sentry/types": {
-      "version": "7.19.0",
-      "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.19.0.tgz",
-      "integrity": "sha512-oGRAT6lfzoKrxO1mvxiSj0XHxWPd6Gd1wpPGuu6iJo03xgWDS+MIlD1h2unqL4N5fAzLjzmbC2D2lUw50Kn2pA==",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/@sentry/node/node_modules/@sentry/utils": {
-      "version": "7.19.0",
-      "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.19.0.tgz",
-      "integrity": "sha512-2L6lq+c9Ol2uiRxQDdcgoapmHJp24MhMN0gIkn2alSfMJ+ls6bGXzQHx6JAIdoOiwFQXRZHKL9ecfAc8O+vItA==",
-      "dependencies": {
-        "@sentry/types": "7.19.0",
-        "tslib": "^1.9.3"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
     "node_modules/@sentry/tracing": {
-      "version": "7.19.0",
-      "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-7.19.0.tgz",
-      "integrity": "sha512-SWY17M3TsgBePaGowUcSqBwaT0TJQzuNexVnLojuU0k6F57L9hubvP9zaoosoCfARXQ/3NypAFWnlJyf570rFQ==",
+      "version": "7.21.1",
+      "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-7.21.1.tgz",
+      "integrity": "sha512-b1BTPsRaNQpohzegoz59KGuBl+To651vEq0vMS4tCzSyIdxkYso3JCrjDdEqW/2MliQYANNVrUai2bmwmU9h1g==",
       "dependencies": {
-        "@sentry/core": "7.19.0",
-        "@sentry/types": "7.19.0",
-        "@sentry/utils": "7.19.0",
+        "@sentry/core": "7.21.1",
+        "@sentry/types": "7.21.1",
+        "@sentry/utils": "7.21.1",
         "tslib": "^1.9.3"
       },
       "engines": {
         "node": ">=8"
       }
     },
-    "node_modules/@sentry/tracing/node_modules/@sentry/core": {
-      "version": "7.19.0",
-      "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.19.0.tgz",
-      "integrity": "sha512-YF9cTBcAnO4R44092BJi5Wa2/EO02xn2ziCtmNgAVTN2LD31a/YVGxGBt/FDr4Y6yeuVehaqijVVvtpSmXrGJw==",
-      "dependencies": {
-        "@sentry/types": "7.19.0",
-        "@sentry/utils": "7.19.0",
-        "tslib": "^1.9.3"
-      },
+    "node_modules/@sentry/types": {
+      "version": "7.21.1",
+      "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.21.1.tgz",
+      "integrity": "sha512-3/IKnd52Ol21amQvI+kz+WB76s8/LR5YvFJzMgIoI2S8d82smIr253zGijRXxHPEif8kMLX4Yt+36VzrLxg6+A==",
       "engines": {
         "node": ">=8"
       }
     },
-    "node_modules/@sentry/tracing/node_modules/@sentry/types": {
-      "version": "7.19.0",
-      "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.19.0.tgz",
-      "integrity": "sha512-oGRAT6lfzoKrxO1mvxiSj0XHxWPd6Gd1wpPGuu6iJo03xgWDS+MIlD1h2unqL4N5fAzLjzmbC2D2lUw50Kn2pA==",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/@sentry/tracing/node_modules/@sentry/utils": {
-      "version": "7.19.0",
-      "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.19.0.tgz",
-      "integrity": "sha512-2L6lq+c9Ol2uiRxQDdcgoapmHJp24MhMN0gIkn2alSfMJ+ls6bGXzQHx6JAIdoOiwFQXRZHKL9ecfAc8O+vItA==",
+    "node_modules/@sentry/utils": {
+      "version": "7.21.1",
+      "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.21.1.tgz",
+      "integrity": "sha512-F0W0AAi8tgtTx6ApZRI2S9HbXEA9ENX1phTZgdNNWcMFm1BNbc21XEwLqwXBNjub5nlA6CE8xnjXRgdZKx4kzQ==",
       "dependencies": {
-        "@sentry/types": "7.19.0",
+        "@sentry/types": "7.21.1",
         "tslib": "^1.9.3"
       },
       "engines": {
@@ -3221,6 +3191,12 @@
       "resolved": "https://registry.npmjs.org/@types/libsodium-wrappers/-/libsodium-wrappers-0.7.10.tgz",
       "integrity": "sha512-BqI9B92u+cM3ccp8mpHf+HzJ8fBlRwdmyd6+fz3p99m3V6ifT5O3zmOMi612PGkpeFeG/G6loxUnzlDNhfjPSA=="
     },
+    "node_modules/@types/lodash": {
+      "version": "4.14.191",
+      "resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.14.191.tgz",
+      "integrity": "sha512-BdZ5BCCvho3EIXw6wUCXHe7rS53AIDPLE+JzwgT+OsJk53oBfbSmZZ7CX4VaRoN78N+TJpFi9QPlfIVNmJYWxQ==",
+      "dev": true
+    },
     "node_modules/@types/long": {
       "version": "4.0.2",
       "resolved": "https://registry.npmjs.org/@types/long/-/long-4.0.2.tgz",
@@ -3758,9 +3734,9 @@
       }
     },
     "node_modules/axios": {
-      "version": "1.1.3",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.1.3.tgz",
-      "integrity": "sha512-00tXVRwKx/FZr/IDVFt4C+f9FYairX517WoGCL6dpOntqLkZofjhu43F/Xl44UOpqa+9sLFDrG/XAnFsUYgkDA==",
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.2.0.tgz",
+      "integrity": "sha512-zT7wZyNYu3N5Bu0wuZ6QccIf93Qk1eV8LOewxgjOZFd2DenOs98cJ7+Y6703d0wkaXGY6/nZd4EweJaHz9uzQw==",
       "dependencies": {
         "follow-redirects": "^1.15.0",
         "form-data": "^4.0.0",
@@ -4085,6 +4061,11 @@
       "integrity": "sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ==",
       "dev": true
     },
+    "node_modules/builder-pattern": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/builder-pattern/-/builder-pattern-2.2.0.tgz",
+      "integrity": "sha512-cES3qdeBzA4QyJi7rV/l/kAhIFX6AKo3vK66ZPXLNpjcQWCS8sjLKscly8imlfW2YPTo/hquMRMnaWpZ80Kj+g=="
+    },
     "node_modules/bytes": {
       "version": "3.1.2",
       "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
@@ -4434,9 +4415,9 @@
       "integrity": "sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ=="
     },
     "node_modules/cookiejar": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.3.tgz",
-      "integrity": "sha512-JxbCBUdrfr6AQjOXrxoTvAMJO4HBTUIlBzslcJPAz+/KT8yk53fXun51u+RenNYvad/+Vc2DIz5o9UxlCDymFQ==",
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.4.tgz",
+      "integrity": "sha512-LDx6oHrK+PhzLKJU9j5S7/Y3jM/mUHvD/DeI1WQmJn652iPC5Y4TBzC9l+5OMOXlyTTA+SmVUPm0HQUwpD5Jqw==",
       "dev": true
     },
     "node_modules/core-util-is": {
@@ -7151,9 +7132,9 @@
       }
     },
     "node_modules/mongoose": {
-      "version": "6.7.2",
-      "resolved": "https://registry.npmjs.org/mongoose/-/mongoose-6.7.2.tgz",
-      "integrity": "sha512-lrP2V5U1qhaf+z33fiIn7aYAZZ1fVDly+TkFRjTujNBF/FIHESATj2RbgAOSlWqv32fsZXkXejXzeVfjbv35Ow==",
+      "version": "6.7.3",
+      "resolved": "https://registry.npmjs.org/mongoose/-/mongoose-6.7.3.tgz",
+      "integrity": "sha512-bLC2Pt6Vpoov+1kBYvQgJXG/2DWXbfIvfK4Gh68kCdYGh6CVO31YxYuIGz70hyGwX2g4DmSzbs5IA8Px2neMCQ==",
       "dependencies": {
         "bson": "^4.7.0",
         "kareem": "2.4.1",
@@ -14329,81 +14310,53 @@
       "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz",
       "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw=="
     },
-    "@sentry/node": {
-      "version": "7.19.0",
-      "resolved": "https://registry.npmjs.org/@sentry/node/-/node-7.19.0.tgz",
-      "integrity": "sha512-yG7Tx32WqOkEHVotFLrumCcT9qlaSDTkFNZ+yLSvZXx74ifsE781DzBA9W7K7bBdYO3op+p2YdsOKzf3nPpAyQ==",
+    "@sentry/core": {
+      "version": "7.21.1",
+      "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.21.1.tgz",
+      "integrity": "sha512-Og5wEEsy24fNvT/T7IKjcV4EvVK5ryY2kxbJzKY6GU2eX+i+aBl+n/vp7U0Es351C/AlTkS+0NOUsp2TQQFxZA==",
       "requires": {
-        "@sentry/core": "7.19.0",
-        "@sentry/types": "7.19.0",
-        "@sentry/utils": "7.19.0",
+        "@sentry/types": "7.21.1",
+        "@sentry/utils": "7.21.1",
+        "tslib": "^1.9.3"
+      }
+    },
+    "@sentry/node": {
+      "version": "7.21.1",
+      "resolved": "https://registry.npmjs.org/@sentry/node/-/node-7.21.1.tgz",
+      "integrity": "sha512-B+p1nQHaFWdCCRVmvqlr/+vdQCI3mGLObucNfK2YC22IQZg7+3u6tEbxJ7umITIjeSSKgf7ZoZwCxL9VfkrNXg==",
+      "requires": {
+        "@sentry/core": "7.21.1",
+        "@sentry/types": "7.21.1",
+        "@sentry/utils": "7.21.1",
         "cookie": "^0.4.1",
         "https-proxy-agent": "^5.0.0",
         "lru_map": "^0.3.3",
         "tslib": "^1.9.3"
-      },
-      "dependencies": {
-        "@sentry/core": {
-          "version": "7.19.0",
-          "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.19.0.tgz",
-          "integrity": "sha512-YF9cTBcAnO4R44092BJi5Wa2/EO02xn2ziCtmNgAVTN2LD31a/YVGxGBt/FDr4Y6yeuVehaqijVVvtpSmXrGJw==",
-          "requires": {
-            "@sentry/types": "7.19.0",
-            "@sentry/utils": "7.19.0",
-            "tslib": "^1.9.3"
-          }
-        },
-        "@sentry/types": {
-          "version": "7.19.0",
-          "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.19.0.tgz",
-          "integrity": "sha512-oGRAT6lfzoKrxO1mvxiSj0XHxWPd6Gd1wpPGuu6iJo03xgWDS+MIlD1h2unqL4N5fAzLjzmbC2D2lUw50Kn2pA=="
-        },
-        "@sentry/utils": {
-          "version": "7.19.0",
-          "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.19.0.tgz",
-          "integrity": "sha512-2L6lq+c9Ol2uiRxQDdcgoapmHJp24MhMN0gIkn2alSfMJ+ls6bGXzQHx6JAIdoOiwFQXRZHKL9ecfAc8O+vItA==",
-          "requires": {
-            "@sentry/types": "7.19.0",
-            "tslib": "^1.9.3"
-          }
-        }
       }
     },
     "@sentry/tracing": {
-      "version": "7.19.0",
-      "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-7.19.0.tgz",
-      "integrity": "sha512-SWY17M3TsgBePaGowUcSqBwaT0TJQzuNexVnLojuU0k6F57L9hubvP9zaoosoCfARXQ/3NypAFWnlJyf570rFQ==",
+      "version": "7.21.1",
+      "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-7.21.1.tgz",
+      "integrity": "sha512-b1BTPsRaNQpohzegoz59KGuBl+To651vEq0vMS4tCzSyIdxkYso3JCrjDdEqW/2MliQYANNVrUai2bmwmU9h1g==",
       "requires": {
-        "@sentry/core": "7.19.0",
-        "@sentry/types": "7.19.0",
-        "@sentry/utils": "7.19.0",
+        "@sentry/core": "7.21.1",
+        "@sentry/types": "7.21.1",
+        "@sentry/utils": "7.21.1",
+        "tslib": "^1.9.3"
+      }
+    },
+    "@sentry/types": {
+      "version": "7.21.1",
+      "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.21.1.tgz",
+      "integrity": "sha512-3/IKnd52Ol21amQvI+kz+WB76s8/LR5YvFJzMgIoI2S8d82smIr253zGijRXxHPEif8kMLX4Yt+36VzrLxg6+A=="
+    },
+    "@sentry/utils": {
+      "version": "7.21.1",
+      "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.21.1.tgz",
+      "integrity": "sha512-F0W0AAi8tgtTx6ApZRI2S9HbXEA9ENX1phTZgdNNWcMFm1BNbc21XEwLqwXBNjub5nlA6CE8xnjXRgdZKx4kzQ==",
+      "requires": {
+        "@sentry/types": "7.21.1",
         "tslib": "^1.9.3"
-      },
-      "dependencies": {
-        "@sentry/core": {
-          "version": "7.19.0",
-          "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.19.0.tgz",
-          "integrity": "sha512-YF9cTBcAnO4R44092BJi5Wa2/EO02xn2ziCtmNgAVTN2LD31a/YVGxGBt/FDr4Y6yeuVehaqijVVvtpSmXrGJw==",
-          "requires": {
-            "@sentry/types": "7.19.0",
-            "@sentry/utils": "7.19.0",
-            "tslib": "^1.9.3"
-          }
-        },
-        "@sentry/types": {
-          "version": "7.19.0",
-          "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.19.0.tgz",
-          "integrity": "sha512-oGRAT6lfzoKrxO1mvxiSj0XHxWPd6Gd1wpPGuu6iJo03xgWDS+MIlD1h2unqL4N5fAzLjzmbC2D2lUw50Kn2pA=="
-        },
-        "@sentry/utils": {
-          "version": "7.19.0",
-          "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.19.0.tgz",
-          "integrity": "sha512-2L6lq+c9Ol2uiRxQDdcgoapmHJp24MhMN0gIkn2alSfMJ+ls6bGXzQHx6JAIdoOiwFQXRZHKL9ecfAc8O+vItA==",
-          "requires": {
-            "@sentry/types": "7.19.0",
-            "tslib": "^1.9.3"
-          }
-        }
       }
     },
     "@sinclair/typebox": {
@@ -14641,6 +14594,12 @@
       "resolved": "https://registry.npmjs.org/@types/libsodium-wrappers/-/libsodium-wrappers-0.7.10.tgz",
       "integrity": "sha512-BqI9B92u+cM3ccp8mpHf+HzJ8fBlRwdmyd6+fz3p99m3V6ifT5O3zmOMi612PGkpeFeG/G6loxUnzlDNhfjPSA=="
     },
+    "@types/lodash": {
+      "version": "4.14.191",
+      "resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.14.191.tgz",
+      "integrity": "sha512-BdZ5BCCvho3EIXw6wUCXHe7rS53AIDPLE+JzwgT+OsJk53oBfbSmZZ7CX4VaRoN78N+TJpFi9QPlfIVNmJYWxQ==",
+      "dev": true
+    },
     "@types/long": {
       "version": "4.0.2",
       "resolved": "https://registry.npmjs.org/@types/long/-/long-4.0.2.tgz",
@@ -15031,9 +14990,9 @@
       "integrity": "sha512-zJAaP9zxTcvTHRlejau3ZOY4V7SRpiByf3/dxx2uyKxxor19tpmpV2QRsTKikckwhaPmr2dVpxxMr7jOCYVp5g=="
     },
     "axios": {
-      "version": "1.1.3",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.1.3.tgz",
-      "integrity": "sha512-00tXVRwKx/FZr/IDVFt4C+f9FYairX517WoGCL6dpOntqLkZofjhu43F/Xl44UOpqa+9sLFDrG/XAnFsUYgkDA==",
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.2.0.tgz",
+      "integrity": "sha512-zT7wZyNYu3N5Bu0wuZ6QccIf93Qk1eV8LOewxgjOZFd2DenOs98cJ7+Y6703d0wkaXGY6/nZd4EweJaHz9uzQw==",
       "requires": {
         "follow-redirects": "^1.15.0",
         "form-data": "^4.0.0",
@@ -15269,6 +15228,11 @@
       "integrity": "sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ==",
       "dev": true
     },
+    "builder-pattern": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/builder-pattern/-/builder-pattern-2.2.0.tgz",
+      "integrity": "sha512-cES3qdeBzA4QyJi7rV/l/kAhIFX6AKo3vK66ZPXLNpjcQWCS8sjLKscly8imlfW2YPTo/hquMRMnaWpZ80Kj+g=="
+    },
     "bytes": {
       "version": "3.1.2",
       "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
@@ -15536,9 +15500,9 @@
       "integrity": "sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ=="
     },
     "cookiejar": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.3.tgz",
-      "integrity": "sha512-JxbCBUdrfr6AQjOXrxoTvAMJO4HBTUIlBzslcJPAz+/KT8yk53fXun51u+RenNYvad/+Vc2DIz5o9UxlCDymFQ==",
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.4.tgz",
+      "integrity": "sha512-LDx6oHrK+PhzLKJU9j5S7/Y3jM/mUHvD/DeI1WQmJn652iPC5Y4TBzC9l+5OMOXlyTTA+SmVUPm0HQUwpD5Jqw==",
       "dev": true
     },
     "core-util-is": {
@@ -17601,9 +17565,9 @@
       }
     },
     "mongoose": {
-      "version": "6.7.2",
-      "resolved": "https://registry.npmjs.org/mongoose/-/mongoose-6.7.2.tgz",
-      "integrity": "sha512-lrP2V5U1qhaf+z33fiIn7aYAZZ1fVDly+TkFRjTujNBF/FIHESATj2RbgAOSlWqv32fsZXkXejXzeVfjbv35Ow==",
+      "version": "6.7.3",
+      "resolved": "https://registry.npmjs.org/mongoose/-/mongoose-6.7.3.tgz",
+      "integrity": "sha512-bLC2Pt6Vpoov+1kBYvQgJXG/2DWXbfIvfK4Gh68kCdYGh6CVO31YxYuIGz70hyGwX2g4DmSzbs5IA8Px2neMCQ==",
       "requires": {
         "bson": "^4.7.0",
         "kareem": "2.4.1",

backend/package.json

@@ -1,4 +1,32 @@
 {
+  "dependencies": {
+    "@godaddy/terminus": "^4.11.2",
+    "@sentry/node": "^7.21.1",
+    "@sentry/tracing": "^7.21.1",
+    "@types/crypto-js": "^4.1.1",
+    "axios": "^1.2.0",
+    "bigint-conversion": "^2.2.2",
+    "cookie-parser": "^1.4.6",
+    "cors": "^2.8.5",
+    "crypto-js": "^4.1.1",
+    "dotenv": "^16.0.1",
+    "express": "^4.18.1",
+    "express-rate-limit": "^6.7.0",
+    "express-validator": "^6.14.2",
+    "handlebars": "^4.7.7",
+    "helmet": "^5.1.1",
+    "jsonwebtoken": "^8.5.1",
+    "jsrp": "^0.2.4",
+    "mongoose": "^6.7.3",
+    "nodemailer": "^6.8.0",
+    "posthog-node": "^2.1.0",
+    "query-string": "^7.1.3",
+    "rimraf": "^3.0.2",
+    "stripe": "^10.7.0",
+    "tweetnacl": "^1.0.3",
+    "tweetnacl-util": "^0.15.1",
+    "typescript": "^4.9.3"
+  },
   "name": "infisical-api",
   "version": "1.0.0",
   "main": "src/index.js",
@@ -36,6 +64,7 @@
     "@types/express": "^4.17.14",
     "@types/jest": "^29.2.4",
     "@types/jsonwebtoken": "^8.5.9",
+    "@types/lodash": "^4.14.191",
     "@types/node": "^18.11.3",
     "@types/nodemailer": "^6.4.6",
     "@types/supertest": "^2.0.12",
@@ -85,6 +114,7 @@
     "axios": "^1.1.3",
     "bcrypt": "^5.1.0",
     "bigint-conversion": "^2.2.2",
+    "builder-pattern": "^2.2.0",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
     "crypto-js": "^4.1.1",
@@ -98,6 +128,7 @@
     "jsonwebtoken": "^9.0.0",
     "jsrp": "^0.2.4",
     "libsodium-wrappers": "^0.7.10",
+    "lodash": "^4.17.21",
     "mongoose": "^6.7.2",
     "nodemailer": "^6.8.0",
     "posthog-node": "^2.2.2",

backend/src/app.ts

@@ -50,6 +50,7 @@ import {
   serviceTokenData as v2ServiceTokenDataRouter,
   apiKeyData as v2APIKeyDataRouter,
   environment as v2EnvironmentRouter,
+  tags as v2TagsRouter,
 } from './routes/v2';
 
 import { healthCheck } from './routes/status';
@@ -112,6 +113,7 @@ app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
 app.use('/api/v2/users', v2UsersRouter);
 app.use('/api/v2/organizations', v2OrganizationsRouter);
 app.use('/api/v2/workspace', v2EnvironmentRouter);
+app.use('/api/v2/workspace', v2TagsRouter);
 app.use('/api/v2/workspace', v2WorkspaceRouter);
 app.use('/api/v2/secret', v2SecretRouter); // deprecated
 app.use('/api/v2/secrets', v2SecretsRouter);

backend/src/config/index.ts

@@ -13,11 +13,14 @@ const MONGO_URL = process.env.MONGO_URL!;
 const NODE_ENV = process.env.NODE_ENV! || 'production';
 const VERBOSE_ERROR_OUTPUT = process.env.VERBOSE_ERROR_OUTPUT! === 'true' && true;
 const LOKI_HOST = process.env.LOKI_HOST || undefined;
-const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
+const CLIENT_ID_AZURE = process.env.CLIENT_ID_AZURE!;
+const TENANT_ID_AZURE = process.env.TENANT_ID_AZURE!;
 const CLIENT_ID_HEROKU = process.env.CLIENT_ID_HEROKU!;
 const CLIENT_ID_VERCEL = process.env.CLIENT_ID_VERCEL!;
 const CLIENT_ID_NETLIFY = process.env.CLIENT_ID_NETLIFY!;
 const CLIENT_ID_GITHUB = process.env.CLIENT_ID_GITHUB!;
+const CLIENT_SECRET_AZURE = process.env.CLIENT_SECRET_AZURE!;
+const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
 const CLIENT_SECRET_VERCEL = process.env.CLIENT_SECRET_VERCEL!;
 const CLIENT_SECRET_NETLIFY = process.env.CLIENT_SECRET_NETLIFY!;
 const CLIENT_SECRET_GITHUB = process.env.CLIENT_SECRET_GITHUB!;
@@ -35,9 +38,9 @@ const SMTP_USERNAME = process.env.SMTP_USERNAME!;
 const SMTP_PASSWORD = process.env.SMTP_PASSWORD!;
 const SMTP_FROM_ADDRESS = process.env.SMTP_FROM_ADDRESS!;
 const SMTP_FROM_NAME = process.env.SMTP_FROM_NAME! || 'Infisical';
-const STRIPE_PRODUCT_CARD_AUTH = process.env.STRIPE_PRODUCT_CARD_AUTH!;
-const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
 const STRIPE_PRODUCT_STARTER = process.env.STRIPE_PRODUCT_STARTER!;
+const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
+const STRIPE_PRODUCT_TEAM = process.env.STRIPE_PRODUCT_TEAM!;
 const STRIPE_PUBLISHABLE_KEY = process.env.STRIPE_PUBLISHABLE_KEY!;
 const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY!;
 const STRIPE_WEBHOOK_SECRET = process.env.STRIPE_WEBHOOK_SECRET!;
@@ -60,10 +63,13 @@ export {
   NODE_ENV,
   VERBOSE_ERROR_OUTPUT,
   LOKI_HOST,
+  CLIENT_ID_AZURE,
+  TENANT_ID_AZURE,
   CLIENT_ID_HEROKU,
   CLIENT_ID_VERCEL,
   CLIENT_ID_NETLIFY,
   CLIENT_ID_GITHUB,
+  CLIENT_SECRET_AZURE,
   CLIENT_SECRET_HEROKU,
   CLIENT_SECRET_VERCEL,
   CLIENT_SECRET_NETLIFY,
@@ -80,9 +86,9 @@ export {
   SMTP_PASSWORD,
   SMTP_FROM_ADDRESS,
   SMTP_FROM_NAME,
-  STRIPE_PRODUCT_CARD_AUTH,
-  STRIPE_PRODUCT_PRO,
   STRIPE_PRODUCT_STARTER,
+  STRIPE_PRODUCT_TEAM,
+  STRIPE_PRODUCT_PRO,
   STRIPE_PUBLISHABLE_KEY,
   STRIPE_SECRET_KEY,
   STRIPE_WEBHOOK_SECRET,

backend/src/controllers/v1/authController.ts

@@ -4,14 +4,21 @@ import jwt from 'jsonwebtoken';
 import * as Sentry from '@sentry/node';
 import * as bigintConversion from 'bigint-conversion';
 const jsrp = require('jsrp');
-import { User } from '../../models';
+import { User, LoginSRPDetail } from '../../models';
 import { createToken, issueTokens, clearTokens } from '../../helpers/auth';
+import {
+  ACTION_LOGIN,
+  ACTION_LOGOUT
+} from '../../variables';
 import {
   NODE_ENV,
   JWT_AUTH_LIFETIME,
   JWT_AUTH_SECRET,
   JWT_REFRESH_SECRET
 } from '../../config';
+import { BadRequestError } from '../../utils/errors';
+import { EELogService } from '../../ee/services';
+import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
 
 declare module 'jsonwebtoken' {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -19,8 +26,6 @@ declare module 'jsonwebtoken' {
   }
 }
 
-const clientPublicKeys: any = {};
-
 /**
  * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
  * @param req
@@ -46,13 +51,15 @@ export const login1 = async (req: Request, res: Response) => {
         salt: user.salt,
         verifier: user.verifier
       },
-      () => {
+      async () => {
         // generate server-side public key
         const serverPublicKey = server.getPublicKey();
-        clientPublicKeys[email] = {
-          clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt)
-        };
+
+        await LoginSRPDetail.findOneAndReplace({ email: email }, {
+          email: email,
+          clientPublicKey: clientPublicKey,
+          serverBInt: bigintConversion.bigintToBuf(server.bInt),
+        }, { upsert: true, returnNewDocument: false })
 
         return res.status(200).send({
           serverPublicKey,
@@ -85,15 +92,21 @@ export const login2 = async (req: Request, res: Response) => {
 
     if (!user) throw new Error('Failed to find user');
 
+    const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
+
+    if (!loginSRPDetailFromDB) {
+      return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+    }
+
     const server = new jsrp.server();
     server.init(
       {
         salt: user.salt,
         verifier: user.verifier,
-        b: clientPublicKeys[email].serverBInt
+        b: loginSRPDetailFromDB.serverBInt
       },
       async () => {
-        server.setClientPublicKey(clientPublicKeys[email].clientPublicKey);
+        server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
 
         // compare server and client shared keys
         if (server.checkClientProof(clientProof)) {
@@ -108,6 +121,18 @@ export const login2 = async (req: Request, res: Response) => {
             secure: NODE_ENV === 'production' ? true : false
           });
 
+          const loginAction = await EELogService.createAction({
+            name: ACTION_LOGIN,
+            userId: user._id
+          });
+          
+          loginAction && await EELogService.createLog({
+            userId: user._id,
+            actions: [loginAction],
+            channel: getChannelFromUserAgent(req.headers['user-agent']),
+            ipAddress: req.ip
+          });
+          
           // return (access) token in response
           return res.status(200).send({
             token: tokens.token,
@@ -151,6 +176,19 @@ export const logout = async (req: Request, res: Response) => {
       sameSite: 'strict',
       secure: NODE_ENV === 'production' ? true : false
     });
+
+    const logoutAction = await EELogService.createAction({
+      name: ACTION_LOGOUT,
+      userId: req.user._id
+    });
+    
+    logoutAction && await EELogService.createLog({
+      userId: req.user._id,
+      actions: [logoutAction],
+      channel: getChannelFromUserAgent(req.headers['user-agent']),
+      ipAddress: req.ip
+    });
+
   } catch (err) {
     Sentry.setUser({ email: req.user.email });
     Sentry.captureException(err);

backend/src/controllers/v1/integrationAuthController.ts

@@ -1,12 +1,40 @@
 import { Request, Response } from 'express';
+import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
-import axios from 'axios';
-import { readFileSync } from 'fs';
-import { IntegrationAuth, Integration } from '../../models';
+import {
+	Integration, 
+	IntegrationAuth,
+	Bot 
+} from '../../models';
 import { INTEGRATION_SET, INTEGRATION_OPTIONS } from '../../variables';
 import { IntegrationService } from '../../services';
 import { getApps, revokeAccess } from '../../integrations';
 
+/***
+ * Return integration authorization with id [integrationAuthId]
+ */
+export const getIntegrationAuth = async (req: Request, res: Response) => {
+	let integrationAuth;
+	try {
+		const { integrationAuthId } = req.params;
+		integrationAuth = await IntegrationAuth.findById(integrationAuthId);
+		
+		if (!integrationAuth) return res.status(400).send({
+			message: 'Failed to find integration authorization'
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get integration authorization'
+		});	
+	}
+	
+	return res.status(200).send({
+		integrationAuth
+	});
+}
+
 export const getIntegrationOptions = async (
 	req: Request,
 	res: Response
@@ -28,7 +56,6 @@ export const oAuthExchange = async (
 ) => {
 	try {
 		const { workspaceId, code, integration } = req.body;
-
 		if (!INTEGRATION_SET.has(integration))
 			throw new Error('Failed to validate integration');
 		
@@ -37,25 +64,86 @@ export const oAuthExchange = async (
 			throw new Error("Failed to get environments")
 		}
 	
-		await IntegrationService.handleOAuthExchange({
+		const integrationAuth = await IntegrationService.handleOAuthExchange({
 			workspaceId,
 			integration,
 			code,
 			environment: environments[0].slug,
 		});
+		
+		return res.status(200).send({
+			integrationAuth
+		});
 	} catch (err) {
-		Sentry.setUser(null);
+		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to get OAuth2 code-token exchange'
 		});
 	}
-
-	return res.status(200).send({
-		message: 'Successfully enabled integration authorization'
-	});
 };
 
+/**
+ * Save integration access token as part of integration [integration] for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const saveIntegrationAccessToken = async (
+	req: Request,
+	res: Response
+) => {
+	// TODO: refactor
+	let integrationAuth;
+	try {
+		const {
+			workspaceId,
+			accessToken,
+			integration
+		}: {
+			workspaceId: string;
+			accessToken: string;
+			integration: string;
+		} = req.body;
+
+		const bot = await Bot.findOne({
+            workspace: new Types.ObjectId(workspaceId),
+            isActive: true
+        });
+        
+        if (!bot) throw new Error('Bot must be enabled to save integration access token');
+
+		integrationAuth = await IntegrationAuth.findOneAndUpdate({
+            workspace: new Types.ObjectId(workspaceId),
+            integration
+        }, {
+            workspace: new Types.ObjectId(workspaceId),
+            integration
+		}, {
+            new: true,
+            upsert: true
+        });
+		
+		// encrypt and save integration access token
+		integrationAuth = await IntegrationService.setIntegrationAuthAccess({
+			integrationAuthId: integrationAuth._id.toString(),
+			accessToken,
+			accessExpiresAt: undefined
+		});
+		
+		if (!integrationAuth) throw new Error('Failed to save integration access token');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to save access token for integration'
+		});
+	}
+	
+	return res.status(200).send({
+		integrationAuth
+	});
+}
+
 /**
  * Return list of applications allowed for integration with integration authorization id [integrationAuthId]
  * @param req
@@ -70,7 +158,7 @@ export const getIntegrationAuthApps = async (req: Request, res: Response) => {
 			accessToken: req.accessToken
 		});
 	} catch (err) {
-		Sentry.setUser(null);
+		Sentry.setUser({ email: req.user.email });
         Sentry.captureException(err);	
 		return res.status(400).send({
 			message: 'Failed to get integration authorization applications'
@@ -89,15 +177,14 @@ export const getIntegrationAuthApps = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteIntegrationAuth = async (req: Request, res: Response) => {
+	let integrationAuth;
 	try {
-		const { integrationAuthId } = req.params;
-
-		await revokeAccess({
+		integrationAuth = await revokeAccess({
 			integrationAuth: req.integrationAuth,
 			accessToken: req.accessToken
 		});
 	} catch (err) {
-		Sentry.setUser(null);
+		Sentry.setUser({ email: req.user.email });
         Sentry.captureException(err);	
 		return res.status(400).send({
 			message: 'Failed to delete integration authorization'
@@ -105,6 +192,6 @@ export const deleteIntegrationAuth = async (req: Request, res: Response) => {
 	}
 	
 	return res.status(200).send({
-		message: 'Successfully deleted integration authorization'
+		integrationAuth
 	});
 }

backend/src/controllers/v1/integrationController.ts

@@ -1,25 +1,69 @@
 import { Request, Response } from 'express';
-import { readFileSync } from 'fs';
+import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
-import { Integration, Bot, BotKey } from '../../models';
+import { 
+	Integration, 
+	Workspace,
+	Bot, 
+	BotKey 
+} from '../../models';
 import { EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
 
-interface Key {
-	encryptedKey: string;
-	nonce: string;
-}
+/**
+ * Create/initialize an (empty) integration for integration authorization
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createIntegration = async (req: Request, res: Response) => {
+	let integration;
+	try {
+		const {
+			integrationAuthId,
+			app,
+			appId,
+			isActive,
+			sourceEnvironment,
+			targetEnvironment,
+			owner
+		} = req.body;
+		
+		// TODO: validate [sourceEnvironment] and [targetEnvironment]
 
-interface PushSecret {
-	ciphertextKey: string;
-	ivKey: string;
-	tagKey: string;
-	hashKey: string;
-	ciphertextValue: string;
-	ivValue: string;
-	tagValue: string;
-	hashValue: string;
-	type: 'shared' | 'personal';
+		// initialize new integration after saving integration access token
+        integration = await new Integration({
+            workspace: req.integrationAuth.workspace._id,
+            environment: sourceEnvironment,
+            isActive,
+            app,
+			appId,
+			targetEnvironment,
+			owner,
+            integration: req.integrationAuth.integration,
+            integrationAuth: new Types.ObjectId(integrationAuthId)
+        }).save();
+		
+		if (integration) {
+			// trigger event - push secrets
+			EventService.handleEvent({
+				event: eventPushSecrets({
+					workspaceId: integration.workspace.toString()
+				})
+			});
+		}
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to create integration'
+		});
+	}
+
+	return res.status(200).send({
+		integration
+	});
 }
 
 /**
@@ -36,12 +80,12 @@ export const updateIntegration = async (req: Request, res: Response) => {
 	
 	try {
 		const { 
-			app, 
 			environment, 
 			isActive, 
-			target, // vercel-specific integration param
-			context, // netlify-specific integration param
-			siteId // netlify-specific integration param
+			app, 
+			appId,
+			targetEnvironment,
+			owner, // github-specific integration param
 		} = req.body;
 		
 		integration = await Integration.findOneAndUpdate(
@@ -52,9 +96,9 @@ export const updateIntegration = async (req: Request, res: Response) => {
 				environment,
 				isActive,
 				app,
-				target,
-				context,
-				siteId
+				appId,
+				targetEnvironment,
+				owner
 			},
 			{
 				new: true
@@ -90,36 +134,15 @@ export const updateIntegration = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteIntegration = async (req: Request, res: Response) => {
-	let deletedIntegration;
+	let integration;
 	try {
 		const { integrationId } = req.params;
 
-		deletedIntegration = await Integration.findOneAndDelete({
+		integration = await Integration.findOneAndDelete({
 			_id: integrationId
 		});
 		
-		if (!deletedIntegration) throw new Error('Failed to find integration');
-		
-		const integrations = await Integration.find({
-			workspace: deletedIntegration.workspace
-		});
-			
-		if (integrations.length === 0) {
-			// case: no integrations left, deactivate bot
-			const bot = await Bot.findOneAndUpdate({
-				workspace: deletedIntegration.workspace
-			}, {
-				isActive: false
-			}, {
-				new: true
-			});
-			
-			if (bot) {
-				await BotKey.deleteOne({
-					bot: bot._id
-				});
-			}
-		}
+		if (!integration) throw new Error('Failed to find integration');
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@@ -127,8 +150,8 @@ export const deleteIntegration = async (req: Request, res: Response) => {
 			message: 'Failed to delete integration'
 		});
 	}
-
+	
 	return res.status(200).send({
-		deletedIntegration
+		integration
 	});
 };

backend/src/controllers/v1/membershipController.ts

@@ -1,6 +1,6 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Membership, MembershipOrg, User, Key } from '../../models';
+import { Membership, MembershipOrg, User, Key, IMembership, Workspace } from '../../models';
 import {
 	findMembership,
 	deleteMembership as deleteMember
@@ -230,4 +230,4 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 		invitee,
 		latestKey
 	});
-};
+};

backend/src/controllers/v1/membershipOrgController.ts

@@ -77,8 +77,6 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
 	// change role for (target) organization membership with id
 	// [membershipOrgId]
 
-	// TODO
-
 	let membershipToChangeRole;
 	// try {
 	// } catch (err) {

backend/src/controllers/v1/organizationController.ts

@@ -2,10 +2,7 @@ import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import {
 	SITE_URL,
-	STRIPE_SECRET_KEY,
-	STRIPE_PRODUCT_STARTER,
-	STRIPE_PRODUCT_PRO,
-	STRIPE_PRODUCT_CARD_AUTH
+	STRIPE_SECRET_KEY
 } from '../../config';
 import Stripe from 'stripe';
 
@@ -23,12 +20,6 @@ import { createOrganization as create } from '../../helpers/organization';
 import { addMembershipsOrg } from '../../helpers/membershipOrg';
 import { OWNER, ACCEPTED } from '../../variables';
 
-const productToPriceMap = {
-	starter: STRIPE_PRODUCT_STARTER,
-	pro: STRIPE_PRODUCT_PRO,
-	cardAuth: STRIPE_PRODUCT_CARD_AUTH
-};
-
 export const getOrganizations = async (req: Request, res: Response) => {
 	let organizations;
 	try {
@@ -340,7 +331,6 @@ export const createOrganizationPortalSession = async (
 
 		if (paymentMethods.data.length < 1) {
 			// case: no payment method on file
-			productToPriceMap['cardAuth'];
 			session = await stripe.checkout.sessions.create({
 				customer: req.membershipOrg.organization.customerId,
 				mode: 'setup',

backend/src/controllers/v1/passwordController.ts

@@ -4,13 +4,12 @@ import crypto from 'crypto';
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
 import * as bigintConversion from 'bigint-conversion';
-import { User, Token, BackupPrivateKey } from '../../models';
+import { User, Token, BackupPrivateKey, LoginSRPDetail } from '../../models';
 import { checkEmailVerification } from '../../helpers/signup';
 import { createToken } from '../../helpers/auth';
 import { sendMail } from '../../helpers/nodemailer';
 import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../../config';
-
-const clientPublicKeys: any = {};
+import { BadRequestError } from '../../utils/errors';
 
 /**
  * Password reset step 1: Send email verification link to email [email] 
@@ -32,7 +31,7 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 				error: 'Failed to send email verification for password reset'
 			});
 		}
-		
+
 		const token = crypto.randomBytes(16).toString('hex');
 
 		await Token.findOneAndUpdate(
@@ -44,7 +43,7 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 			},
 			{ upsert: true, new: true }
 		);
-		
+
 		await sendMail({
 			template: 'passwordReset.handlebars',
 			subjectLine: 'Infisical password reset',
@@ -55,15 +54,15 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 				callback_url: SITE_URL + '/password-reset'
 			}
 		});
-		
+
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to send email for account recovery'
-		});	
+		});
 	}
-	
+
 	return res.status(200).send({
 		message: `Sent an email for account recovery to ${email}`
 	});
@@ -79,7 +78,7 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 	let user, token;
 	try {
 		const { email, code } = req.body;
-		
+
 		user = await User.findOne({ email }).select('+publicKey');
 		if (!user || !user?.publicKey) {
 			// case: user doesn't exist with email [email] or 
@@ -93,7 +92,7 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 			email,
 			code
 		});
-		
+
 		// generate temporary password-reset token
 		token = createToken({
 			payload: {
@@ -107,7 +106,7 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed email verification for password reset'
-		});	
+		});
 	}
 
 	return res.status(200).send({
@@ -130,7 +129,7 @@ export const srp1 = async (req: Request, res: Response) => {
 		const user = await User.findOne({
 			email: req.user.email
 		}).select('+salt +verifier');
-		
+
 		if (!user) throw new Error('Failed to find user');
 
 		const server = new jsrp.server();
@@ -139,13 +138,15 @@ export const srp1 = async (req: Request, res: Response) => {
 				salt: user.salt,
 				verifier: user.verifier
 			},
-			() => {
+			async () => {
 				// generate server-side public key
 				const serverPublicKey = server.getPublicKey();
-				clientPublicKeys[req.user.email] = {
-					clientPublicKey,
-					serverBInt: bigintConversion.bigintToBuf(server.bInt)
-				};
+
+				await LoginSRPDetail.findOneAndReplace({ email: req.user.email }, {
+					email: req.user.email,
+					clientPublicKey: clientPublicKey,
+					serverBInt: bigintConversion.bigintToBuf(server.bInt),
+				}, { upsert: true, returnNewDocument: false })
 
 				return res.status(200).send({
 					serverPublicKey,
@@ -180,17 +181,21 @@ export const changePassword = async (req: Request, res: Response) => {
 
 		if (!user) throw new Error('Failed to find user');
 
+		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+
+		if (!loginSRPDetailFromDB) {
+			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+		}
+
 		const server = new jsrp.server();
 		server.init(
 			{
 				salt: user.salt,
 				verifier: user.verifier,
-				b: clientPublicKeys[req.user.email].serverBInt
+				b: loginSRPDetailFromDB.serverBInt
 			},
 			async () => {
-				server.setClientPublicKey(
-					clientPublicKeys[req.user.email].clientPublicKey
-				);
+				server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
 
 				// compare server and client shared keys
 				if (server.checkClientProof(clientProof)) {
@@ -249,16 +254,22 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {
 
 		if (!user) throw new Error('Failed to find user');
 
+		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+
+		if (!loginSRPDetailFromDB) {
+			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+		}
+
 		const server = new jsrp.server();
 		server.init(
 			{
 				salt: user.salt,
 				verifier: user.verifier,
-				b: clientPublicKeys[req.user.email].serverBInt
+				b: loginSRPDetailFromDB.serverBInt
 			},
 			async () => {
 				server.setClientPublicKey(
-					clientPublicKeys[req.user.email].clientPublicKey
+					loginSRPDetailFromDB.clientPublicKey
 				);
 
 				// compare server and client shared keys
@@ -311,16 +322,16 @@ export const getBackupPrivateKey = async (req: Request, res: Response) => {
 		backupPrivateKey = await BackupPrivateKey.findOne({
 			user: req.user._id
 		}).select('+encryptedPrivateKey +iv +tag');
-		
+
 		if (!backupPrivateKey) throw new Error('Failed to find backup private key');
 	} catch (err) {
-		Sentry.setUser({ email: req.user.email});
+		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to get backup private key'
 		});
 	}
-	
+
 	return res.status(200).send({
 		backupPrivateKey
 	});
@@ -348,15 +359,15 @@ export const resetPassword = async (req: Request, res: Response) => {
 			{
 				new: true
 			}
-		);	
+		);
 	} catch (err) {
-		Sentry.setUser({ email: req.user.email});
+		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to get backup private key'
-		});	
+		});
 	}
-	
+
 	return res.status(200).send({
 		message: 'Successfully reset password'
 	});

backend/src/controllers/v2/environmentController.ts

@@ -6,8 +6,12 @@ import {
   Workspace,
   Integration,
   ServiceTokenData,
+  Membership,
 } from '../../models';
 import { SecretVersion } from '../../ee/models';
+import { BadRequestError } from '../../utils/errors';
+import _ from 'lodash';
+import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
 
 /**
  * Create new workspace environment named [environmentName] under workspace with id
@@ -33,7 +37,7 @@ export const createWorkspaceEnvironment = async (
     }
 
     workspace?.environments.push({
-      name: environmentName.toLowerCase(),
+      name: environmentName,
       slug: environmentSlug.toLowerCase(),
     });
     await workspace.save();
@@ -96,7 +100,7 @@ export const renameWorkspaceEnvironment = async (
       throw new Error('Invalid environment given');
     }
 
-    workspace.environments[envIndex].name = environmentName.toLowerCase();
+    workspace.environments[envIndex].name = environmentName;
     workspace.environments[envIndex].slug = environmentSlug.toLowerCase();
 
     await workspace.save();
@@ -120,6 +124,15 @@ export const renameWorkspaceEnvironment = async (
       { workspace: workspaceId, environment: oldEnvironmentSlug },
       { environment: environmentSlug }
     );
+    await Membership.updateMany(
+      {
+        workspace: workspaceId,
+        "deniedPermissions.environmentSlug": oldEnvironmentSlug
+      },
+      { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
+      { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
+    )
+
   } catch (err) {
     Sentry.setUser({ email: req.user.email });
     Sentry.captureException(err);
@@ -188,6 +201,11 @@ export const deleteWorkspaceEnvironment = async (
       workspace: workspaceId,
       environment: environmentSlug,
     });
+    await Membership.updateMany(
+      { workspace: workspaceId },
+      { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
+    )
+
   } catch (err) {
     Sentry.setUser({ email: req.user.email });
     Sentry.captureException(err);
@@ -202,3 +220,42 @@ export const deleteWorkspaceEnvironment = async (
     environment: environmentSlug,
   });
 };
+
+
+export const getAllAccessibleEnvironmentsOfWorkspace = async (
+  req: Request,
+  res: Response
+) => {
+  const { workspaceId } = req.params;
+  const workspacesUserIsMemberOf = await Membership.findOne({
+    workspace: workspaceId,
+    user: req.user
+  })
+
+  if (!workspacesUserIsMemberOf) {
+    throw BadRequestError()
+  }
+
+  const accessibleEnvironments: any = []
+  const deniedPermission = workspacesUserIsMemberOf.deniedPermissions
+
+  const relatedWorkspace = await Workspace.findById(workspaceId)
+  if (!relatedWorkspace) {
+    throw BadRequestError()
+  }
+  relatedWorkspace.environments.forEach(environment => {
+    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_READ })
+    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_WRITE })
+    if (isReadBlocked) {
+      return
+    } else {
+      accessibleEnvironments.push({
+        name: environment.name,
+        slug: environment.slug,
+        isWriteDenied: isWriteBlocked
+      })
+    }
+  })
+
+  res.json({ accessibleEnvironments })
+};

backend/src/controllers/v2/index.ts

@@ -6,6 +6,7 @@ import * as apiKeyDataController from './apiKeyDataController';
 import * as secretController from './secretController';
 import * as secretsController from './secretsController';
 import * as environmentController from './environmentController';
+import * as tagController from './tagController';
 
 export {
     usersController,
@@ -15,5 +16,6 @@ export {
     apiKeyDataController,
     secretController,
     secretsController,
-    environmentController
+    environmentController,
+    tagController
 }

backend/src/controllers/v2/secretsController.ts

@@ -1,7 +1,7 @@
 import to from 'await-to-js';
 import { Types } from 'mongoose';
 import { Request, Response } from 'express';
-import { ISecret, Secret } from '../../models';
+import { ISecret, Membership, Secret, Workspace } from '../../models';
 import {
     SECRET_PERSONAL,
     SECRET_SHARED,
@@ -10,13 +10,14 @@ import {
     ACTION_UPDATE_SECRETS,
     ACTION_DELETE_SECRETS
 } from '../../variables';
-import { ValidationError } from '../../utils/errors';
+import { UnauthorizedRequestError, ValidationError } from '../../utils/errors';
 import { EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
 import { EESecretService, EELogService } from '../../ee/services';
 import { postHogClient } from '../../services';
-import { BadRequestError } from '../../utils/errors';
 import { getChannelFromUserAgent } from '../../utils/posthog';
+import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
+import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
 
 /**
  * Create secret(s) for workspace with id [workspaceId] and environment [environment]
@@ -76,20 +77,40 @@ export const createSecrets = async (req: Request, res: Response) => {
         }
     }   
     */
-    const channel = getChannelFromUserAgent(req.headers['user-agent'])
-    const { workspaceId, environment } = req.body;
 
-    let toAdd;
-    if (Array.isArray(req.body.secrets)) {
-        // case: create multiple secrets
-        toAdd = req.body.secrets;
-    } else if (typeof req.body.secrets === 'object') {
-        // case: create 1 secret
-        toAdd = [req.body.secrets];
+    const channel = getChannelFromUserAgent(req.headers['user-agent'])
+    const { workspaceId, environment }: { workspaceId: string, environment: string } = req.body;
+
+    const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_WRITE)
+    if (!hasAccess) {
+        throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
     }
 
-    const newSecrets = await Secret.insertMany(
-        toAdd.map(({
+    let listOfSecretsToCreate;
+    if (Array.isArray(req.body.secrets)) {
+        // case: create multiple secrets
+        listOfSecretsToCreate = req.body.secrets;
+    } else if (typeof req.body.secrets === 'object') {
+        // case: create 1 secret
+        listOfSecretsToCreate = [req.body.secrets];
+    }
+
+    type secretsToCreateType = {
+        type: string;
+        secretKeyCiphertext: string;
+        secretKeyIV: string;
+        secretKeyTag: string;
+        secretValueCiphertext: string;
+        secretValueIV: string;
+        secretValueTag: string;
+        secretCommentCiphertext: string;
+        secretCommentIV: string;
+        secretCommentTag: string;
+        tags: string[]
+    }
+
+    const newlyCreatedSecrets = await Secret.insertMany(
+        listOfSecretsToCreate.map(({
             type,
             secretKeyCiphertext,
             secretKeyIV,
@@ -97,27 +118,29 @@ export const createSecrets = async (req: Request, res: Response) => {
             secretValueCiphertext,
             secretValueIV,
             secretValueTag,
-        }: {
-            type: string;
-            secretKeyCiphertext: string;
-            secretKeyIV: string;
-            secretKeyTag: string;
-            secretValueCiphertext: string;
-            secretValueIV: string;
-            secretValueTag: string;
-        }) => ({
-            version: 1,
-            workspace: new Types.ObjectId(workspaceId),
-            type,
-            user: type === SECRET_PERSONAL ? req.user : undefined,
-            environment,
-            secretKeyCiphertext,
-            secretKeyIV,
-            secretKeyTag,
-            secretValueCiphertext,
-            secretValueIV,
-            secretValueTag
-        }))
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag,
+            tags
+        }: secretsToCreateType) => {
+            return ({
+                version: 1,
+                workspace: new Types.ObjectId(workspaceId),
+                type,
+                user: type === SECRET_PERSONAL ? req.user : undefined,
+                environment,
+                secretKeyCiphertext,
+                secretKeyIV,
+                secretKeyTag,
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag,
+                secretCommentCiphertext,
+                secretCommentIV,
+                secretCommentTag,
+                tags
+            });
+        })
     );
 
     setTimeout(async () => {
@@ -131,7 +154,7 @@ export const createSecrets = async (req: Request, res: Response) => {
 
     // (EE) add secret versions for new secrets
     await EESecretService.addSecretVersions({
-        secretVersions: newSecrets.map(({
+        secretVersions: newlyCreatedSecrets.map(({
             _id,
             version,
             workspace,
@@ -145,7 +168,11 @@ export const createSecrets = async (req: Request, res: Response) => {
             secretValueCiphertext,
             secretValueIV,
             secretValueTag,
-            secretValueHash
+            secretValueHash,
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag,
+            tags
         }) => ({
             _id: new Types.ObjectId(),
             secret: _id,
@@ -162,21 +189,25 @@ export const createSecrets = async (req: Request, res: Response) => {
             secretValueCiphertext,
             secretValueIV,
             secretValueTag,
-            secretValueHash
+            secretValueHash,
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag,
+            tags
         }))
     });
 
-    const addAction = await EELogService.createActionSecret({
+    const addAction = await EELogService.createAction({
         name: ACTION_ADD_SECRETS,
-        userId: req.user._id.toString(),
-        workspaceId,
-        secretIds: newSecrets.map((n) => n._id)
+        userId: req.user._id,
+        workspaceId: new Types.ObjectId(workspaceId),
+        secretIds: newlyCreatedSecrets.map((n) => n._id)
     });
 
     // (EE) create (audit) log
     addAction && await EELogService.createLog({
         userId: req.user._id.toString(),
-        workspaceId,
+        workspaceId: new Types.ObjectId(workspaceId),
         actions: [addAction],
         channel,
         ipAddress: req.ip
@@ -192,7 +223,7 @@ export const createSecrets = async (req: Request, res: Response) => {
             event: 'secrets added',
             distinctId: req.user.email,
             properties: {
-                numberOfSecrets: toAdd.length,
+                numberOfSecrets: listOfSecretsToCreate.length,
                 environment,
                 workspaceId,
                 channel: channel,
@@ -202,7 +233,7 @@ export const createSecrets = async (req: Request, res: Response) => {
     }
 
     return res.status(200).send({
-        secrets: newSecrets
+        secrets: newlyCreatedSecrets
     });
 }
 
@@ -267,6 +298,14 @@ export const getSecrets = async (req: Request, res: Response) => {
         userEmail = req.serviceTokenData.user.email;
     }
 
+    // none service token case as service tokens are already scoped
+    if (!req.serviceTokenData) {
+        const hasAccess = await userHasWorkspaceAccess(userId, workspaceId, environment, ABILITY_READ)
+        if (!hasAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+        }
+    }
+
     const [err, secrets] = await to(Secret.find(
         {
             workspace: workspaceId,
@@ -277,22 +316,22 @@ export const getSecrets = async (req: Request, res: Response) => {
             ],
             type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
         }
-    ).then())
+    ).populate("tags").then())
 
     if (err) throw ValidationError({ message: 'Failed to get secrets', stack: err.stack });
 
     const channel = getChannelFromUserAgent(req.headers['user-agent'])
 
-    const readAction = await EELogService.createActionSecret({
+    const readAction = await EELogService.createAction({
         name: ACTION_READ_SECRETS,
-        userId: userId,
-        workspaceId: workspaceId as string,
+        userId: new Types.ObjectId(userId),
+        workspaceId: new Types.ObjectId(workspaceId as string),
         secretIds: secrets.map((n: any) => n._id)
     });
 
     readAction && await EELogService.createLog({
-        userId: userId,
-        workspaceId: workspaceId as string,
+        userId: new Types.ObjectId(userId),
+        workspaceId: new Types.ObjectId(workspaceId as string),
         actions: [readAction],
         channel,
         ipAddress: req.ip
@@ -369,7 +408,6 @@ export const updateSecrets = async (req: Request, res: Response) => {
     */
     const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
 
-
     // TODO: move type
     interface PatchSecret {
         id: string;
@@ -382,6 +420,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
         secretCommentCiphertext: string;
         secretCommentIV: string;
         secretCommentTag: string;
+        tags: string[]
     }
 
     const updateOperationsToPerform = req.body.secrets.map((secret: PatchSecret) => {
@@ -394,7 +433,8 @@ export const updateSecrets = async (req: Request, res: Response) => {
             secretValueTag,
             secretCommentCiphertext,
             secretCommentIV,
-            secretCommentTag
+            secretCommentTag,
+            tags
         } = secret;
 
         return ({
@@ -410,6 +450,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
                     secretValueCiphertext,
                     secretValueIV,
                     secretValueTag,
+                    tags,
                     ...((
                         secretCommentCiphertext &&
                         secretCommentIV &&
@@ -444,6 +485,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
                 secretCommentCiphertext,
                 secretCommentIV,
                 secretCommentTag,
+                tags
             } = secretModificationsBySecretId[secret._id.toString()]
 
             return ({
@@ -461,6 +503,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
                 secretCommentCiphertext: secretCommentCiphertext ? secretCommentCiphertext : secret.secretCommentCiphertext,
                 secretCommentIV: secretCommentIV ? secretCommentIV : secret.secretCommentIV,
                 secretCommentTag: secretCommentTag ? secretCommentTag : secret.secretCommentTag,
+                tags: tags ? tags : secret.tags
             });
         })
     }
@@ -489,17 +532,17 @@ export const updateSecrets = async (req: Request, res: Response) => {
             });
         }, 10000);
 
-        const updateAction = await EELogService.createActionSecret({
+        const updateAction = await EELogService.createAction({
             name: ACTION_UPDATE_SECRETS,
-            userId: req.user._id.toString(),
-            workspaceId: key,
+            userId: req.user._id,
+            workspaceId: new Types.ObjectId(key),
             secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
         });
 
         // (EE) create (audit) log
         updateAction && await EELogService.createLog({
             userId: req.user._id.toString(),
-            workspaceId: key,
+            workspaceId: new Types.ObjectId(key),
             actions: [updateAction],
             channel,
             ipAddress: req.ip
@@ -615,17 +658,17 @@ export const deleteSecrets = async (req: Request, res: Response) => {
                 workspaceId: key
             })
         });
-        const deleteAction = await EELogService.createActionSecret({
+        const deleteAction = await EELogService.createAction({
             name: ACTION_DELETE_SECRETS,
-            userId: req.user._id.toString(),
-            workspaceId: key,
+            userId: req.user._id,
+            workspaceId: new Types.ObjectId(key),
             secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
         });
 
         // (EE) create (audit) log
         deleteAction && await EELogService.createLog({
             userId: req.user._id.toString(),
-            workspaceId: key,
+            workspaceId: new Types.ObjectId(key),
             actions: [deleteAction],
             channel,
             ipAddress: req.ip

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -8,6 +8,8 @@ import {
 import {
     SALT_ROUNDS
 } from '../../config';
+import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+import { ABILITY_READ } from '../../variables/organization';
 
 /**
  * Return service token data associated with service token on request
@@ -37,6 +39,11 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
             expiresIn
         } = req.body;
 
+        const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_READ)
+        if (!hasAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+        }
+
         const secret = crypto.randomBytes(16).toString('hex');
         const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
 
@@ -100,4 +107,8 @@ export const deleteServiceTokenData = async (req: Request, res: Response) => {
     return res.status(200).send({
         serviceTokenData
     });
-}
+}
+
+function UnauthorizedRequestError(arg0: { message: string; }) {
+    throw new Error('Function not implemented.');
+}

backend/src/controllers/v2/tagController.ts

@@ -0,0 +1,66 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import {
+	Membership,
+} from '../../models';
+import Tag, { ITag } from '../../models/tag';
+import { Builder } from "builder-pattern"
+import to from 'await-to-js';
+import { BadRequestError, UnauthorizedRequestError } from '../../utils/errors';
+import { MongoError } from 'mongodb';
+import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+
+export const createWorkspaceTag = async (req: Request, res: Response) => {
+	const { workspaceId } = req.params
+	const { name, slug } = req.body
+	const sanitizedTagToCreate = Builder<ITag>()
+		.name(name)
+		.workspace(new Types.ObjectId(workspaceId))
+		.slug(slug)
+		.user(new Types.ObjectId(req.user._id))
+		.build();
+
+	const [err, createdTag] = await to(Tag.create(sanitizedTagToCreate))
+
+	if (err) {
+		if ((err as MongoError).code === 11000) {
+			throw BadRequestError({ message: "Tags must be unique in a workspace" })
+		}
+
+		throw err
+	}
+
+	res.json(createdTag)
+}
+
+export const deleteWorkspaceTag = async (req: Request, res: Response) => {
+	const { tagId } = req.params
+
+	const tagFromDB = await Tag.findById(tagId)
+	if (!tagFromDB) {
+		throw BadRequestError()
+	}
+
+	// can only delete if the request user is one that belongs to the same workspace as the tag
+	const membership = await Membership.findOne({
+		user: req.user,
+		workspace: tagFromDB.workspace
+	});
+
+	if (!membership) {
+		UnauthorizedRequestError({ message: 'Failed to validate membership' });
+	}
+
+	const result = await Tag.findByIdAndDelete(tagId);
+
+	res.json(result);
+}
+
+export const getWorkspaceTags = async (req: Request, res: Response) => {
+	const { workspaceId } = req.params
+	const workspaceTags = await Tag.find({ workspace: workspaceId })
+	return res.json({
+		workspaceTags
+	})
+}

backend/src/ee/controllers/v1/index.ts

@@ -3,11 +3,13 @@ import * as secretController from './secretController';
 import * as secretSnapshotController from './secretSnapshotController';
 import * as workspaceController from './workspaceController';
 import * as actionController from './actionController';
+import * as membershipController from './membershipController';
 
 export {
     stripeController,
     secretController,
     secretSnapshotController,
     workspaceController,
-    actionController
+    actionController,
+    membershipController
 }

backend/src/ee/controllers/v1/membershipController.ts

@@ -0,0 +1,63 @@
+import { Request, Response } from "express";
+import { Membership, Workspace } from "../../../models";
+import { IMembershipPermission } from "../../../models/membership";
+import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
+import { ABILITY_READ, ABILITY_WRITE, ADMIN, MEMBER } from "../../../variables/organization";
+import { Builder } from "builder-pattern"
+import _ from "lodash";
+
+export const denyMembershipPermissions = async (req: Request, res: Response) => {
+  const { membershipId } = req.params;
+  const { permissions } = req.body;
+  const sanitizedMembershipPermissions: IMembershipPermission[] = permissions.map((permission: IMembershipPermission) => {
+    if (!permission.ability || !permission.environmentSlug || ![ABILITY_READ, ABILITY_WRITE].includes(permission.ability)) {
+      throw BadRequestError({ message: "One or more required fields are missing from the request or have incorrect type" })
+    }
+
+    return Builder<IMembershipPermission>()
+      .environmentSlug(permission.environmentSlug)
+      .ability(permission.ability)
+      .build();
+  })
+
+  const sanitizedMembershipPermissionsUnique = _.uniqWith(sanitizedMembershipPermissions, _.isEqual)
+
+  const membershipToModify = await Membership.findById(membershipId)
+  if (!membershipToModify) {
+    throw BadRequestError({ message: "Unable to locate resource" })
+  }
+
+  // check if the user making the request is a admin of this project 
+  if (![ADMIN, MEMBER].includes(membershipToModify.role)) {
+    throw UnauthorizedRequestError()
+  }
+
+  // check if the requested slugs are indeed a part of this related workspace 
+  const relatedWorkspace = await Workspace.findById(membershipToModify.workspace)
+  if (!relatedWorkspace) {
+    throw BadRequestError({ message: "Something went wrong when locating the related workspace" })
+  }
+
+  const uniqueEnvironmentSlugs = new Set(_.uniq(_.map(relatedWorkspace.environments, 'slug')));
+
+  sanitizedMembershipPermissionsUnique.forEach(permission => {
+    if (!uniqueEnvironmentSlugs.has(permission.environmentSlug)) {
+      throw BadRequestError({ message: "Unknown environment slug reference" })
+    }
+  })
+
+  // update the permissions 
+  const updatedMembershipWithPermissions = await Membership.findByIdAndUpdate(
+    { _id: membershipToModify._id },
+    { $set: { deniedPermissions: sanitizedMembershipPermissionsUnique } },
+    { new: true }
+  )
+
+  if (!updatedMembershipWithPermissions) {
+    throw BadRequestError({ message: "The resource has been removed before it can be modified" })
+  }
+
+  res.send({
+    permissionsDenied: updatedMembershipWithPermissions.deniedPermissions
+  })
+}

backend/src/ee/controllers/v1/secretSnapshotController.ts

@@ -15,7 +15,13 @@ export const getSecretSnapshot = async (req: Request, res: Response) => {
 
         secretSnapshot = await SecretSnapshot
             .findById(secretSnapshotId)
-            .populate('secretVersions');
+            .populate({
+                path: 'secretVersions',
+                populate: {
+                    path: 'tags',
+                    model: 'Tag',
+                }
+            });
         
         if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
         

backend/src/ee/helpers/action.ts

@@ -1,39 +1,40 @@
 import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
-import { SecretVersion, Action } from '../models';
+import { Action } from '../models';
 import { 
     getLatestSecretVersionIds,
     getLatestNSecretSecretVersionIds
 } from '../helpers/secretVersion';
-import { ACTION_UPDATE_SECRETS } from '../../variables';
+import { 
+    ACTION_LOGIN,
+    ACTION_LOGOUT,
+    ACTION_ADD_SECRETS,
+    ACTION_READ_SECRETS,
+    ACTION_DELETE_SECRETS,
+    ACTION_UPDATE_SECRETS,
+} from '../../variables';
 
 /**
- * Create an (audit) action for secrets including
- * add, delete, update, and read actions.
+ * Create an (audit) action for updating secrets
  * @param {Object} obj
  * @param {String} obj.name - name of action
- * @param {ObjectId[]} obj.secretIds - ids of relevant secrets
+ * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
  * @returns {Action} action - new action
  */
-const createActionSecretHelper = async ({
+const createActionUpdateSecret = async ({
     name,
     userId,
     workspaceId,
     secretIds
 }: {
     name: string;
-    userId: string;
-    workspaceId: string;
+    userId: Types.ObjectId;
+    workspaceId: Types.ObjectId;
     secretIds: Types.ObjectId[];
 }) => {
-
     let action;
-    let latestSecretVersions;
     try {
-        if (name === ACTION_UPDATE_SECRETS) {
-            // case: action is updating secrets
-            // -> add old and new secret versions
-            latestSecretVersions = (await getLatestNSecretSecretVersionIds({
+        const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
                 secretIds,
                 n: 2
             }))
@@ -41,17 +42,7 @@ const createActionSecretHelper = async ({
                 oldSecretVersion: s.versions[0]._id,
                 newSecretVersion: s.versions[1]._id
             }));
-        } else {
-            // case: action is adding, deleting, or reading secrets
-            // -> add new secret versions
-            latestSecretVersions = (await getLatestSecretVersionIds({
-                secretIds
-            }))
-            .map((s) => ({
-                newSecretVersion: s.versionId
-            }));
-        }
-
+        
         action = await new Action({
             name,
             user: userId,
@@ -64,10 +55,148 @@ const createActionSecretHelper = async ({
     } catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
+        throw new Error('Failed to create update secret action');
+    }
+    
+    return action;
+}
+
+/**
+ * Create an (audit) action for creating, reading, and deleting
+ * secrets
+ * @param {Object} obj
+ * @param {String} obj.name - name of action
+ * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
+ * @returns {Action} action - new action
+ */
+const createActionSecret = async ({
+    name,
+    userId,
+    workspaceId,
+    secretIds
+}: {
+    name: string;
+    userId: Types.ObjectId;
+    workspaceId: Types.ObjectId;
+    secretIds: Types.ObjectId[];
+}) => {
+    let action;
+    try {
+        // case: action is adding, deleting, or reading secrets
+        // -> add new secret versions
+        const latestSecretVersions = (await getLatestSecretVersionIds({
+            secretIds
+        }))
+        .map((s) => ({
+            newSecretVersion: s.versionId
+        }));
+        
+       action = await new Action({
+            name,
+            user: userId,
+            workspace: workspaceId,
+            payload: {
+                secretVersions: latestSecretVersions
+            }
+        }).save(); 
+
+    } catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+        throw new Error('Failed to create action create/read/delete secret action');
+    }
+    
+    return action;
+}
+
+/**
+ * Create an (audit) action for user with id [userId]
+ * @param {Object} obj 
+ * @param {String} obj.name - name of action
+ * @param {String} obj.userId - id of user associated with action
+ * @returns 
+ */
+const createActionUser = ({
+    name,
+    userId
+}: {
+    name: string;
+    userId: Types.ObjectId;
+}) => {
+    let action;
+    try {
+        action = new Action({
+            name,
+            user: userId
+        }).save();
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error('Failed to create user action');
+    }
+
+    return action; 
+}
+
+/**
+ * Create an (audit) action. 
+ * @param {Object} obj
+ * @param {Object} obj.name - name of action
+ * @param {Types.ObjectId} obj.userId - id of user associated with action
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with action
+ * @param {Types.ObjectId[]} obj.secretIds - ids of secrets associated with action
+*/
+const createActionHelper = async ({
+    name,
+    userId,
+    workspaceId,
+    secretIds,
+}: {
+    name: string;
+    userId: Types.ObjectId;
+    workspaceId?: Types.ObjectId;
+    secretIds?: Types.ObjectId[];
+}) => {
+    let action;
+    try {
+        switch (name) {
+            case ACTION_LOGIN:
+            case ACTION_LOGOUT:
+                action = await createActionUser({
+                    name,
+                    userId
+                });
+                break;
+            case ACTION_ADD_SECRETS:
+            case ACTION_READ_SECRETS:
+            case ACTION_DELETE_SECRETS:
+                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+                action = await createActionSecret({
+                    name,
+                    userId,
+                    workspaceId,
+                    secretIds
+                });
+                break;
+            case ACTION_UPDATE_SECRETS:
+                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+                action = await createActionUpdateSecret({
+                    name,
+                    userId,
+                    workspaceId,
+                    secretIds
+                });
+                break;
+        }
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
         throw new Error('Failed to create action');
     }
     
     return action;
 }
 
-export { createActionSecretHelper };
+export { 
+    createActionHelper
+};

backend/src/ee/helpers/checkMembershipPermissions.ts

@@ -0,0 +1,18 @@
+import _ from "lodash";
+import { Membership } from "../../models";
+
+export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, environment: any, action: any) => {
+  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
+  if (!membershipForWorkspace) {
+    return false
+  }
+
+  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
+  const isDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: action });
+
+  if (isDisallowed) {
+    return false
+  }
+
+  return true
+}

backend/src/ee/helpers/log.ts

@@ -1,9 +1,19 @@
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import { 
     Log,
     IAction
 } from '../models';
-
+/**
+ * Create an (audit) log
+ * @param {Object} obj
+ * @param {Types.ObjectId} obj.userId - id of user associated with the log
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the log
+ * @param {IAction[]} obj.actions - actions to include in log
+ * @param {String} obj.channel - channel (web/cli/auto) associated with the log
+ * @param {String} obj.ipAddress - ip address associated with the log
+ * @returns {Log} log - new audit log
+ */
 const createLogHelper = async ({
     userId,
     workspaceId,
@@ -11,8 +21,8 @@ const createLogHelper = async ({
     channel,
     ipAddress
 }: {
-    userId: string;
-    workspaceId: string;
+    userId: Types.ObjectId;
+    workspaceId?: Types.ObjectId;
     actions: IAction[];
     channel: string;
     ipAddress: string;
@@ -21,7 +31,7 @@ const createLogHelper = async ({
     try {
         log = await new Log({
             user: userId,
-            workspace: workspaceId,
+            workspace: workspaceId ?? undefined,
             actionNames: actions.map((a) => a.name),
             actions,
             channel,

backend/src/ee/models/action.ts

@@ -1,10 +1,18 @@
 import { Schema, model, Types } from 'mongoose';
+import {
+    ACTION_LOGIN,
+    ACTION_LOGOUT,
+    ACTION_ADD_SECRETS,
+    ACTION_UPDATE_SECRETS,
+    ACTION_READ_SECRETS,
+    ACTION_DELETE_SECRETS
+} from '../../variables';
 
 export interface IAction {
     name: string;
     user?: Types.ObjectId,
     workspace?: Types.ObjectId,
-    payload: {
+    payload?: {
         secretVersions?: Types.ObjectId[]
     }
 }
@@ -13,7 +21,15 @@ const actionSchema = new Schema<IAction>(
     {
         name: {
             type: String,
-            required: true
+            required: true,
+            enum: [
+                ACTION_LOGIN,
+                ACTION_LOGOUT,
+                ACTION_ADD_SECRETS,
+                ACTION_UPDATE_SECRETS,
+                ACTION_READ_SECRETS,
+                ACTION_DELETE_SECRETS
+            ]
         },
         user: {
             type: Schema.Types.ObjectId,

backend/src/ee/models/log.ts

@@ -1,5 +1,7 @@
 import { Schema, model, Types } from 'mongoose';
 import {
+    ACTION_LOGIN,
+    ACTION_LOGOUT,
     ACTION_ADD_SECRETS,
     ACTION_UPDATE_SECRETS,
     ACTION_READ_SECRETS,
@@ -29,6 +31,8 @@ const logSchema = new Schema<ILog>(
         actionNames: {
             type: [String],
             enum: [
+                ACTION_LOGIN,
+                ACTION_LOGOUT,
                 ACTION_ADD_SECRETS,
                 ACTION_UPDATE_SECRETS,
                 ACTION_READ_SECRETS,

backend/src/ee/models/secretVersion.ts

@@ -21,6 +21,7 @@ export interface ISecretVersion {
 	secretValueIV: string;
 	secretValueTag: string;
 	secretValueHash: string;
+	tags?: string[];
 }
 
 const secretVersionSchema = new Schema<ISecretVersion>(
@@ -88,7 +89,12 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 		},
 		secretValueHash: {
 			type: String
-		}
+		},
+		tags: {
+			ref: 'Tag',
+			type: [Schema.Types.ObjectId],
+			default: []
+		},
 	},
 	{
 		timestamps: true

backend/src/ee/services/EELogService.ts

@@ -1,14 +1,12 @@
 import { Types } from 'mongoose';
 import { 
-    Log,
-    Action,
     IAction
 } from '../models';
 import {
     createLogHelper
 } from '../helpers/log';
 import {
-    createActionSecretHelper
+    createActionHelper
 } from '../helpers/action';
 import EELicenseService from './EELicenseService';
 
@@ -33,8 +31,8 @@ class EELogService {
         channel,
         ipAddress
     }: {
-        userId: string;
-        workspaceId: string;
+        userId: Types.ObjectId;
+        workspaceId?: Types.ObjectId;
         actions: IAction[];
         channel: string;
         ipAddress: string;
@@ -50,26 +48,26 @@ class EELogService {
     }
     
     /**
-     * Create an (audit) action for secrets including
-     * add, delete, update, and read actions.
+     * Create an (audit) action
      * @param {Object} obj
      * @param {String} obj.name - name of action
-     * @param {ObjectId[]} obj.secretIds - secret ids
+     * @param {Types.ObjectId} obj.userId - id of user associated with the action
+     * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the action
+     * @param {ObjectId[]} obj.secretIds - ids of secrets associated with the action
      * @returns {Action} action - new action
      */
-    static async createActionSecret({
+    static async createAction({
         name,
         userId,
         workspaceId,
         secretIds
     }: {
         name: string;
-        userId: string;
-        workspaceId: string;
-        secretIds: Types.ObjectId[];
+        userId: Types.ObjectId;
+        workspaceId?: Types.ObjectId;
+        secretIds?: Types.ObjectId[];
     }) {
-        if (!EELicenseService.isLicenseValid) return null; 
-        return await createActionSecretHelper({
+        return await createActionHelper({
             name,
             userId,
             workspaceId,

backend/src/helpers/database.ts

@@ -1,5 +1,4 @@
 import mongoose from 'mongoose';
-import { ISecret, Secret } from '../models';
 import { EESecretService } from '../ee/services';
 import { getLogger } from '../utils/logger';
 
@@ -16,6 +15,10 @@ const initDatabaseHelper = async ({
 }) => {
     try {
         await mongoose.connect(mongoURL);
+    
+        // allow empty strings to pass the required validator
+        mongoose.Schema.Types.String.checkRequired(v => typeof v === 'string');
+
         getLogger("database").info("Database connection established");
         
         await EESecretService.initSecretVersioning();

backend/src/helpers/integration.ts

@@ -30,6 +30,7 @@ interface Update {
  * @param {String} obj.workspaceId - id of workspace
  * @param {String} obj.integration - name of integration 
  * @param {String} obj.code - code
+ * @returns {IntegrationAuth} integrationAuth - integration auth after OAuth2 code-token exchange
 */
 const handleOAuthExchangeHelper = async ({
     workspaceId,
@@ -42,7 +43,6 @@ const handleOAuthExchangeHelper = async ({
     code: string;
     environment: string;
 }) => {
-    let action;
     let integrationAuth;
     try {
         const bot = await Bot.findOne({
@@ -98,21 +98,13 @@ const handleOAuthExchangeHelper = async ({
                 accessExpiresAt: res.accessExpiresAt
             });
         }
-
-        // initialize new integration after exchange
-        await new Integration({
-            workspace: workspaceId,
-            isActive: false,
-            app: null,
-            environment,
-            integration,
-            integrationAuth: integrationAuth._id
-        }).save();
     } catch (err) {
         Sentry.setUser(null);
         Sentry.captureException(err);
         throw new Error('Failed to handle OAuth2 code-token exchange')
     }
+    
+    return integrationAuth;
 }
 /**
  * Sync/push environment variables in workspace with id [workspaceId] to
@@ -127,7 +119,6 @@ const syncIntegrationsHelper = async ({
 }) => {
     let integrations;
     try {
-
         integrations = await Integration.find({
             workspace: workspaceId,
             isActive: true,
@@ -142,7 +133,7 @@ const syncIntegrationsHelper = async ({
                 workspaceId: integration.workspace.toString(),
                 environment: integration.environment
             });
-            
+
             const integrationAuth = await IntegrationAuth.findById(integration.integrationAuth);
             if (!integrationAuth) throw new Error('Failed to find integration auth');
             
@@ -316,7 +307,7 @@ const setIntegrationAuthAccessHelper = async ({
 }: {
     integrationAuthId: string;
     accessToken: string;
-    accessExpiresAt: Date;
+    accessExpiresAt: Date | undefined;
 }) => {
     let integrationAuth;
     try {

backend/src/helpers/organization.ts

@@ -3,6 +3,7 @@ import Stripe from 'stripe';
 import {
 	STRIPE_SECRET_KEY,
 	STRIPE_PRODUCT_STARTER,
+	STRIPE_PRODUCT_TEAM,
 	STRIPE_PRODUCT_PRO
 } from '../config';
 const stripe = new Stripe(STRIPE_SECRET_KEY, {
@@ -14,6 +15,7 @@ import { Organization, MembershipOrg } from '../models';
 
 const productToPriceMap = {
 	starter: STRIPE_PRODUCT_STARTER,
+	team: STRIPE_PRODUCT_TEAM,
 	pro: STRIPE_PRODUCT_PRO
 };
 
@@ -55,7 +57,7 @@ const createOrganization = async ({
 	} catch (err) {
 		Sentry.setUser({ email });
 		Sentry.captureException(err);
-		throw new Error('Failed to create organization');
+		throw new Error(`Failed to create organization [err=${err}]`);
 	}
 
 	return organization;

backend/src/helpers/secret.ts

@@ -12,14 +12,17 @@ import {
 import {
 	IAction
 } from '../ee/models';
-import { 
-	SECRET_SHARED, 
+import {
+	SECRET_SHARED,
 	SECRET_PERSONAL,
 	ACTION_ADD_SECRETS,
 	ACTION_UPDATE_SECRETS,
 	ACTION_DELETE_SECRETS,
 	ACTION_READ_SECRETS
 } from '../variables';
+import _ from 'lodash';
+import { ABILITY_WRITE } from '../variables/organization';
+import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
 
 /**
  * Validate that user with id [userId] can modify secrets with ids [secretIds]
@@ -34,7 +37,7 @@ const validateSecrets = async ({
 }: {
 	userId: string;
 	secretIds: string[];
-}) =>{
+}) => {
 	let secrets;
 	try {
 		secrets = await Secret.find({
@@ -42,20 +45,31 @@ const validateSecrets = async ({
 				$in: secretIds.map((secretId: string) => new Types.ObjectId(secretId))
 			}
 		});
-		
-		const workspaceIdsSet = new Set((await Membership.find({
-			user: userId
-		}, 'workspace'))
-		.map((m) => m.workspace.toString()));
-		
+
+		if (secrets.length != secretIds.length) {
+			throw BadRequestError({ message: 'Unable to validate some secrets' })
+		}
+
+		const userMemberships = await Membership.find({ user: userId })
+		const userMembershipById = _.keyBy(userMemberships, 'workspace');
+		const workspaceIdsSet = new Set(userMemberships.map((m) => m.workspace.toString()));
+
+		// for each secret check if the secret belongs to a workspace the user is a member of
 		secrets.forEach((secret: ISecret) => {
-			if (!workspaceIdsSet.has(secret.workspace.toString())) {
-				throw new Error('Failed to validate secret');
+			if (workspaceIdsSet.has(secret.workspace.toString())) {
+				const deniedMembershipPermissions = userMembershipById[secret.workspace.toString()].deniedPermissions;
+				const isDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: secret.environment, ability: ABILITY_WRITE });
+
+				if (isDisallowed) {
+					throw UnauthorizedRequestError({ message: 'You do not have the required permissions to perform this action' });
+				}
+			} else {
+				throw BadRequestError({ message: 'You cannot edit secrets of a workspace you are not a member of' });
 			}
 		});
-		
+
 	} catch (err) {
-		throw new Error('Failed to validate secrets');
+		throw BadRequestError({ message: 'Unable to validate secrets' })
 	}
 
 	return secrets;
@@ -127,13 +141,13 @@ const v1PushSecrets = async ({
 			workspaceId,
 			environment
 		});
-		
-		const oldSecretsObj: any = oldSecrets.reduce((accumulator, s: any) => 
+
+		const oldSecretsObj: any = oldSecrets.reduce((accumulator, s: any) =>
 			({ ...accumulator, [`${s.type}-${s.secretKeyHash}`]: s })
-		, {});
-		const newSecretsObj: any = secrets.reduce((accumulator, s) => 
+			, {});
+		const newSecretsObj: any = secrets.reduce((accumulator, s) =>
 			({ ...accumulator, [`${s.type}-${s.hashKey}`]: s })
-		, {});
+			, {});
 
 		// handle deleting secrets
 		const toDelete = oldSecrets
@@ -150,12 +164,12 @@ const v1PushSecrets = async ({
 				secretIds: toDelete
 			});
 		}
-		
+
 		const toUpdate = oldSecrets
 			.filter((s) => {
 				if (`${s.type}-${s.secretKeyHash}` in newSecretsObj) {
-					if (s.secretValueHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashValue 
-					|| s.secretCommentHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashComment) {
+					if (s.secretValueHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashValue
+						|| s.secretCommentHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashComment) {
 						// case: filter secrets where value or comment changed
 						return true;
 					}
@@ -165,7 +179,7 @@ const v1PushSecrets = async ({
 						return true;
 					}
 				}
-				
+
 				return false;
 			});
 
@@ -217,7 +231,7 @@ const v1PushSecrets = async ({
 				};
 			});
 		await Secret.bulkWrite(operations as any);
-		
+
 		// (EE) add secret versions for updated secrets
 		await EESecretService.addSecretVersions({
 			secretVersions: toUpdate.map(({
@@ -245,7 +259,7 @@ const v1PushSecrets = async ({
 					secretValueTag: newSecret.tagValue,
 					secretValueHash: newSecret.hashValue
 				})
-			}) 
+			})
 		});
 
 		// handle adding new secrets
@@ -319,7 +333,7 @@ const v1PushSecrets = async ({
 				}))
 			});
 		}
-		
+
 		// (EE) take a secret snapshot
 		await EESecretService.takeSecretSnapshot({
 			workspaceId
@@ -344,7 +358,7 @@ const v1PushSecrets = async ({
  * @param {String} obj.channel - channel (web/cli/auto)
  * @param {String} obj.ipAddress - ip address of request to push secrets
  */
- const v2PushSecrets = async ({
+const v2PushSecrets = async ({
 	userId,
 	workspaceId,
 	environment,
@@ -362,20 +376,20 @@ const v1PushSecrets = async ({
 	// TODO: clean up function and fix up types
 	try {
 		const actions: IAction[] = [];
-		
+
 		// construct useful data structures
 		const oldSecrets = await getSecrets({
 			userId,
 			workspaceId,
 			environment
 		});
-		
-		const oldSecretsObj: any = oldSecrets.reduce((accumulator, s: any) => 
+
+		const oldSecretsObj: any = oldSecrets.reduce((accumulator, s: any) =>
 			({ ...accumulator, [`${s.type}-${s.secretKeyHash}`]: s })
-		, {});
-		const newSecretsObj: any = secrets.reduce((accumulator, s) => 
+			, {});
+		const newSecretsObj: any = secrets.reduce((accumulator, s) =>
 			({ ...accumulator, [`${s.type}-${s.secretKeyHash}`]: s })
-		, {});
+			, {});
 
 		// handle deleting secrets
 		const toDelete = oldSecrets
@@ -391,22 +405,22 @@ const v1PushSecrets = async ({
 			await EESecretService.markDeletedSecretVersions({
 				secretIds: toDelete
 			});
-			
-			const deleteAction = await EELogService.createActionSecret({
+
+			const deleteAction = await EELogService.createAction({
 				name: ACTION_DELETE_SECRETS,
-				userId,
-				workspaceId,
+				userId: new Types.ObjectId(userId),
+				workspaceId: new Types.ObjectId(userId),
 				secretIds: toDelete
 			});
 
 			deleteAction && actions.push(deleteAction);
 		}
-		
+
 		const toUpdate = oldSecrets
 			.filter((s) => {
 				if (`${s.type}-${s.secretKeyHash}` in newSecretsObj) {
-					if (s.secretValueHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretValueHash 
-					|| s.secretCommentHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretCommentHash) {
+					if (s.secretValueHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretValueHash
+						|| s.secretCommentHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretCommentHash) {
 						// case: filter secrets where value or comment changed
 						return true;
 					}
@@ -416,7 +430,7 @@ const v1PushSecrets = async ({
 						return true;
 					}
 				}
-				
+
 				return false;
 			});
 
@@ -469,7 +483,7 @@ const v1PushSecrets = async ({
 					};
 				});
 			await Secret.bulkWrite(operations as any);
-			
+
 			// (EE) add secret versions for updated secrets
 			await EESecretService.addSecretVersions({
 				secretVersions: toUpdate.map((s) => {
@@ -482,13 +496,13 @@ const v1PushSecrets = async ({
 						environment: s.environment,
 						isDeleted: false
 					})
-				}) 
+				})
 			});
 
-			const updateAction = await EELogService.createActionSecret({
+			const updateAction = await EELogService.createAction({
 				name: ACTION_UPDATE_SECRETS,
-				userId,
-				workspaceId,
+				userId: new Types.ObjectId(userId),
+				workspaceId: new Types.ObjectId(workspaceId),
 				secretIds: toUpdate.map((u) => u._id)
 			});
 
@@ -507,29 +521,30 @@ const v1PushSecrets = async ({
 					workspace: workspaceId,
 					type: toAdd[idx].type,
 					environment,
-					...( toAdd[idx].type === 'personal' ? { user: userId } : {})
+					...(toAdd[idx].type === 'personal' ? { user: userId } : {})
 				}))
 			);
 
 			// (EE) add secret versions for new secrets
 			EESecretService.addSecretVersions({
-				secretVersions: newSecrets.map((secretDocument) => { 
+				secretVersions: newSecrets.map((secretDocument) => {
 					return {
 						...secretDocument.toObject(),
 						secret: secretDocument._id,
 						isDeleted: false
-				}})
+					}
+				})
 			});
 
-			const addAction = await EELogService.createActionSecret({
+			const addAction = await EELogService.createAction({
 				name: ACTION_ADD_SECRETS,
-				userId,
-				workspaceId,
+				userId: new Types.ObjectId(userId),
+				workspaceId: new Types.ObjectId(workspaceId),
 				secretIds: newSecrets.map((n) => n._id)
 			});
 			addAction && actions.push(addAction);
 		}
-		
+
 		// (EE) take a secret snapshot
 		await EESecretService.takeSecretSnapshot({
 			workspaceId
@@ -538,8 +553,8 @@ const v1PushSecrets = async ({
 		// (EE) create (audit) log
 		if (actions.length > 0) {
 			await EELogService.createLog({
-				userId,
-				workspaceId,
+				userId: new Types.ObjectId(userId),
+				workspaceId: new Types.ObjectId(workspaceId),
 				actions,
 				channel,
 				ipAddress
@@ -560,7 +575,7 @@ const v1PushSecrets = async ({
  * @param {String} obj.workspaceId - id of workspace to pull from
  * @param {String} obj.environment - environment for secrets
  */
- const getSecrets = async ({
+const getSecrets = async ({
 	userId,
 	workspaceId,
 	environment
@@ -570,7 +585,7 @@ const v1PushSecrets = async ({
 	environment: string;
 }): Promise<ISecret[]> => {
 	let secrets: any; // TODO: FIX any
-	
+
 	try {
 		// get shared workspace secrets
 		const sharedSecrets = await Secret.find({
@@ -622,7 +637,7 @@ const pullSecrets = async ({
 	ipAddress: string;
 }): Promise<ISecret[]> => {
 	let secrets: any;
-	
+
 	try {
 		secrets = await getSecrets({
 			userId,
@@ -630,16 +645,16 @@ const pullSecrets = async ({
 			environment
 		})
 
-		const readAction = await EELogService.createActionSecret({
+		const readAction = await EELogService.createAction({
 			name: ACTION_READ_SECRETS,
-			userId,
-			workspaceId,
+			userId: new Types.ObjectId(userId),
+			workspaceId: new Types.ObjectId(workspaceId),
 			secretIds: secrets.map((n: any) => n._id)
 		});
 
 		readAction && await EELogService.createLog({
-			userId,
-			workspaceId,
+			userId: new Types.ObjectId(userId),
+			workspaceId: new Types.ObjectId(workspaceId),
 			actions: [readAction],
 			channel,
 			ipAddress

backend/src/helpers/signup.ts

@@ -66,7 +66,7 @@ const checkEmailVerification = async ({
 			email,
 			token: code
 		});
-	
+
 		if (!token) throw new Error('Failed to find email verification token');
 	} catch (err) {
 		Sentry.setUser(null);
@@ -116,7 +116,7 @@ const initializeDefaultOrg = async ({
 			roles: [ADMIN]
 		});
 	} catch (err) {
-		throw new Error('Failed to initialize default organization and workspace');
+		throw new Error(`Failed to initialize default organization and workspace [err=${err}]`);
 	}
 };
 

backend/src/index.ts

@@ -8,6 +8,7 @@ import { DatabaseService } from './services';
 import { setUpHealthEndpoint } from './services/health';
 import { initSmtp } from './services/smtp';
 import { setTransporter } from './helpers/nodemailer';
+import { createTestUserForDevelopment } from './utils/addDevelopmentUser';
 
 DatabaseService.initDatabase(MONGO_URL);
 
@@ -23,3 +24,5 @@ if (NODE_ENV !== 'test') {
     environment: NODE_ENV
   });
 }
+
+createTestUserForDevelopment()

backend/src/integrations/apps.ts

@@ -3,13 +3,18 @@ import * as Sentry from '@sentry/node';
 import { Octokit } from '@octokit/rest';
 import { IIntegrationAuth } from '../models';
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_RENDER,
+  INTEGRATION_FLYIO,
   INTEGRATION_HEROKU_API_URL,
   INTEGRATION_VERCEL_API_URL,
-  INTEGRATION_NETLIFY_API_URL
+  INTEGRATION_NETLIFY_API_URL,
+  INTEGRATION_RENDER_API_URL,
+  INTEGRATION_FLYIO_API_URL
 } from '../variables';
 
 /**
@@ -29,12 +34,18 @@ const getApps = async ({
 }) => {
   interface App {
     name: string;
-    siteId?: string;
+    appId?: string;
+    owner?: string;
   }
 
-  let apps: App[]; // TODO: add type and define payloads for apps
+  let apps: App[];
   try {
     switch (integrationAuth.integration) {
+      case INTEGRATION_AZURE_KEY_VAULT:
+        apps = await getAppsAzureKeyVault({
+          accessToken
+        });
+      break;
       case INTEGRATION_HEROKU:
         apps = await getAppsHeroku({
           accessToken
@@ -48,13 +59,21 @@ const getApps = async ({
         break;
       case INTEGRATION_NETLIFY:
         apps = await getAppsNetlify({
-          integrationAuth,
           accessToken
         });
         break;
       case INTEGRATION_GITHUB:
         apps = await getAppsGithub({
-          integrationAuth,
+          accessToken
+        });
+        break;
+      case INTEGRATION_RENDER:
+        apps = await getAppsRender({
+          accessToken
+        });
+        break;
+      case INTEGRATION_FLYIO:
+        apps = await getAppsFlyio({
           accessToken
         });
         break;
@@ -68,8 +87,17 @@ const getApps = async ({
   return apps;
 };
 
+const getAppsAzureKeyVault = async ({
+  accessToken
+}: {
+  accessToken: string;
+}) => {
+  // TODO
+  return [];
+}
+
 /**
- * Return list of names of apps for Heroku integration
+ * Return list of apps for Heroku integration
  * @param {Object} obj
  * @param {String} obj.accessToken - access token for Heroku API
  * @returns {Object[]} apps - names of Heroku apps
@@ -141,17 +169,15 @@ const getAppsVercel = async ({
 };
 
 /**
- * Return list of names of sites for Netlify integration
+ * Return list of sites for Netlify integration
  * @param {Object} obj
  * @param {String} obj.accessToken - access token for Netlify API
  * @returns {Object[]} apps - names of Netlify sites
  * @returns {String} apps.name - name of Netlify site
  */
 const getAppsNetlify = async ({
-  integrationAuth,
   accessToken
 }: {
-  integrationAuth: IIntegrationAuth;
   accessToken: string;
 }) => {
   let apps;
@@ -166,7 +192,7 @@ const getAppsNetlify = async ({
 
     apps = res.map((a: any) => ({
       name: a.name,
-      siteId: a.site_id
+      appId: a.site_id
     }));
   } catch (err) {
     Sentry.setUser(null);
@@ -178,17 +204,15 @@ const getAppsNetlify = async ({
 };
 
 /**
- * Return list of names of repositories for Github integration
+ * Return list of repositories for Github integration
  * @param {Object} obj
  * @param {String} obj.accessToken - access token for Netlify API
  * @returns {Object[]} apps - names of Netlify sites
  * @returns {String} apps.name - name of Netlify site
  */
 const getAppsGithub = async ({
-  integrationAuth,
   accessToken
 }: {
-  integrationAuth: IIntegrationAuth;
   accessToken: string;
 }) => {
   let apps;
@@ -199,13 +223,16 @@ const getAppsGithub = async ({
 
     const repos = (await octokit.request(
       'GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}',
-      {}
+      {
+        per_page: 100
+      }
     )).data;
 
     apps = repos
       .filter((a:any) => a.permissions.admin === true)
       .map((a: any) => ({
-          name: a.name
+          name: a.name,
+          owner: a.owner.login
         })
       );
   } catch (err) {
@@ -217,4 +244,99 @@ const getAppsGithub = async ({
   return apps;
 };
 
+/**
+ * Return list of services for Render integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Render API
+ * @returns {Object[]} apps - names and ids of Render services
+ * @returns {String} apps.name - name of Render service
+ * @returns {String} apps.appId - id of Render service
+ */
+const getAppsRender = async ({
+  accessToken
+}: {
+  accessToken: string;
+}) => {
+  let apps: any;
+  try {
+    const res = (
+      await axios.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: 'application/json',
+          'Accept-Encoding': 'application/json'
+        }
+      })
+    ).data;
+    
+    apps = res
+      .map((a: any) => ({
+        name: a.service.name,
+        appId: a.service.id
+      })); 
+    
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get Render services');
+  }
+  
+  return apps;
+}
+
+/**
+ * Return list of apps for Fly.io integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Fly.io API
+ * @returns {Object[]} apps - names and ids of Fly.io apps
+ * @returns {String} apps.name - name of Fly.io apps
+ */
+const getAppsFlyio = async ({
+  accessToken
+}: {
+  accessToken: string;
+}) => {
+  let apps;
+  try {
+    const query = `
+      query($role: String) {
+        apps(type: "container", first: 400, role: $role) {
+          nodes {
+            id
+            name
+            hostname
+          }
+        }
+      }
+    `;
+    
+    const res = (await axios({
+      url: INTEGRATION_FLYIO_API_URL,
+      method: 'post',
+      headers: {
+        'Authorization': 'Bearer ' + accessToken,
+        'Accept': 'application/json',
+        'Accept-Encoding': 'application/json'
+      },
+      data: {
+        query,
+        variables: {
+          role: null
+        }
+      }
+    })).data.data.apps.nodes;
+    
+    apps = res
+      .map((a: any) => ({
+        name: a.name
+      })); 
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get Fly.io apps');
+  }
+  
+  return apps;
+}
+
 export { getApps };

backend/src/integrations/exchange.ts

@@ -1,10 +1,12 @@
 import axios from 'axios';
 import * as Sentry from '@sentry/node';
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_AZURE_TOKEN_URL,
   INTEGRATION_HEROKU_TOKEN_URL,
   INTEGRATION_VERCEL_TOKEN_URL,
   INTEGRATION_NETLIFY_TOKEN_URL,
@@ -12,15 +14,27 @@ import {
 } from '../variables';
 import {
   SITE_URL,
+  CLIENT_ID_AZURE,
   CLIENT_ID_VERCEL,
   CLIENT_ID_NETLIFY,
   CLIENT_ID_GITHUB,
+  CLIENT_SECRET_AZURE,
   CLIENT_SECRET_HEROKU,
   CLIENT_SECRET_VERCEL,
   CLIENT_SECRET_NETLIFY,
   CLIENT_SECRET_GITHUB
 } from '../config';
 
+interface ExchangeCodeAzureResponse {
+  token_type: string;
+  scope: string;
+  expires_in: number;
+  ext_expires_in: number;
+  access_token: string;
+  refresh_token: string;
+  id_token: string;
+}
+
 interface ExchangeCodeHerokuResponse {
   token_type: string;
   access_token: string;
@@ -75,6 +89,11 @@ const exchangeCode = async ({
 
   try {
     switch (integration) {
+      case INTEGRATION_AZURE_KEY_VAULT:
+        obj = await exchangeCodeAzure({
+          code
+        });
+        break;
       case INTEGRATION_HEROKU:
         obj = await exchangeCodeHeroku({
           code
@@ -105,6 +124,46 @@ const exchangeCode = async ({
   return obj;
 };
 
+/**
+ * Return [accessToken] for Azure OAuth2 code-token exchange
+ * @param param0 
+ */
+const exchangeCodeAzure = async ({
+  code
+}: {
+  code: string;
+}) => {
+  const accessExpiresAt = new Date();
+  let res: ExchangeCodeAzureResponse;
+  try {
+    res = (await axios.post(
+      INTEGRATION_AZURE_TOKEN_URL,
+       new URLSearchParams({
+        grant_type: 'authorization_code',
+        code: code,
+        scope: 'https://vault.azure.net/.default openid offline_access', // TODO: do we need all these permissions?
+        client_id: CLIENT_ID_AZURE,
+        client_secret: CLIENT_SECRET_AZURE,
+        redirect_uri: `${SITE_URL}/integrations/azure-key-vault/oauth2/callback`
+      } as any)
+    )).data;
+    
+    accessExpiresAt.setSeconds(
+        accessExpiresAt.getSeconds() + res.expires_in
+    );
+  } catch (err: any) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed OAuth2 code-token exchange with Azure');
+  }
+  
+  return ({
+    accessToken: res.access_token,
+    refreshToken: res.refresh_token,
+    accessExpiresAt
+  });
+}
+
 /**
  * Return [accessToken], [accessExpiresAt], and [refreshToken] for Heroku
  * OAuth2 code-token exchange
@@ -168,7 +227,7 @@ const exchangeCodeVercel = async ({ code }: { code: string }) => {
           code: code,
           client_id: CLIENT_ID_VERCEL,
           client_secret: CLIENT_SECRET_VERCEL,
-          redirect_uri: `${SITE_URL}/vercel`
+          redirect_uri: `${SITE_URL}/integrations/vercel/oauth2/callback`
         } as any)
       )
     ).data;
@@ -208,7 +267,7 @@ const exchangeCodeNetlify = async ({ code }: { code: string }) => {
           code: code,
           client_id: CLIENT_ID_NETLIFY,
           client_secret: CLIENT_SECRET_NETLIFY,
-          redirect_uri: `${SITE_URL}/netlify`
+          redirect_uri: `${SITE_URL}/integrations/netlify/oauth2/callback`
         } as any)
       )
     ).data;
@@ -260,10 +319,11 @@ const exchangeCodeGithub = async ({ code }: { code: string }) => {
           client_id: CLIENT_ID_GITHUB,
           client_secret: CLIENT_SECRET_GITHUB,
           code: code,
-          redirect_uri: `${SITE_URL}/github`
+          redirect_uri: `${SITE_URL}/integrations/github/oauth2/callback`
         },
         headers: {
-          Accept: 'application/json'
+          'Accept': 'application/json',
+          'Accept-Encoding': 'application/json'
         }
       })
     ).data;

backend/src/integrations/refresh.ts

@@ -1,13 +1,26 @@
 import axios from 'axios';
 import * as Sentry from '@sentry/node';
-import { INTEGRATION_HEROKU } from '../variables';
+import { INTEGRATION_AZURE_KEY_VAULT, INTEGRATION_HEROKU } from '../variables';
 import {
-    CLIENT_SECRET_HEROKU
+  SITE_URL,
+  CLIENT_ID_AZURE,
+  CLIENT_SECRET_AZURE,
+  CLIENT_SECRET_HEROKU
 } from '../config';
 import {
-    INTEGRATION_HEROKU_TOKEN_URL
+  INTEGRATION_AZURE_TOKEN_URL,
+  INTEGRATION_HEROKU_TOKEN_URL
 } from '../variables';
 
+interface RefreshTokenAzureResponse {
+  token_type: string;
+  scope: string;
+  expires_in: number;
+  ext_expires_in: 4871;
+  access_token: string;
+  refresh_token: string;
+}
+
 /**
  * Return new access token by exchanging refresh token [refreshToken] for integration
  * named [integration]
@@ -25,6 +38,11 @@ const exchangeRefresh = async ({
   let accessToken;
   try {
     switch (integration) {
+      case INTEGRATION_AZURE_KEY_VAULT:
+        accessToken = await exchangeRefreshAzure({
+          refreshToken
+        });
+        break;
       case INTEGRATION_HEROKU:
         accessToken = await exchangeRefreshHeroku({
           refreshToken
@@ -40,6 +58,38 @@ const exchangeRefresh = async ({
   return accessToken;
 };
 
+/**
+ * Return new access token by exchanging refresh token [refreshToken] for the
+ * Azure integration
+ * @param {Object} obj
+ * @param {String} obj.refreshToken - refresh token to use to get new access token for Azure
+ * @returns
+ */
+const exchangeRefreshAzure = async ({
+  refreshToken
+}: {
+  refreshToken: string;
+}) => {
+  try {
+    const res: RefreshTokenAzureResponse = (await axios.post(
+      INTEGRATION_AZURE_TOKEN_URL,
+       new URLSearchParams({
+        client_id: CLIENT_ID_AZURE,
+        scope: 'openid offline_access',
+        refresh_token: refreshToken,
+        grant_type: 'refresh_token',
+        client_secret: CLIENT_SECRET_AZURE
+      } as any)
+    )).data;
+    
+    return res.access_token;
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get refresh OAuth2 access token for Azure'); 
+  }
+}
+
 /**
  * Return new access token by exchanging refresh token [refreshToken] for the
  * Heroku integration
@@ -52,23 +102,23 @@ const exchangeRefreshHeroku = async ({
 }: {
   refreshToken: string;
 }) => {
-    let accessToken;
-	//TODO: Refactor code to take advantage of using RequestError. It's possible to create new types of errors for more detailed errors
-    try {
-        const res = await axios.post(
-            INTEGRATION_HEROKU_TOKEN_URL,
-            new URLSearchParams({
-                grant_type: 'refresh_token',
-                refresh_token: refreshToken,
-                client_secret: CLIENT_SECRET_HEROKU
-            } as any)
-        );
+  
+  let accessToken;
+  try {
+    const res = await axios.post(
+        INTEGRATION_HEROKU_TOKEN_URL,
+        new URLSearchParams({
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken,
+            client_secret: CLIENT_SECRET_HEROKU
+        } as any)
+    );
 
     accessToken = res.data.access_token;
   } catch (err) {
     Sentry.setUser(null);
     Sentry.captureException(err);
-    throw new Error('Failed to get new OAuth2 access token for Heroku');
+    throw new Error('Failed to refresh OAuth2 access token for Heroku');
   }
 
   return accessToken;

backend/src/integrations/revoke.ts

@@ -1,6 +1,11 @@
-import axios from 'axios';
 import * as Sentry from '@sentry/node';
-import { IIntegrationAuth, IntegrationAuth, Integration } from '../models';
+import { 
+  IIntegrationAuth, 
+  IntegrationAuth, 
+  Integration,
+  Bot,
+  BotKey
+} from '../models';
 import {
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
@@ -15,6 +20,7 @@ const revokeAccess = async ({
   integrationAuth: IIntegrationAuth;
   accessToken: string;
 }) => {
+  let deletedIntegrationAuth;
   try {
     // add any integration-specific revocation logic
     switch (integrationAuth.integration) {
@@ -28,7 +34,7 @@ const revokeAccess = async ({
         break;
     }
 
-    const deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
+    deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
       _id: integrationAuth._id
     });
 
@@ -42,6 +48,8 @@ const revokeAccess = async ({
     Sentry.captureException(err);
     throw new Error('Failed to delete integration authorization');
   }
+  
+  return deletedIntegrationAuth;
 };
 
 export { revokeAccess };

backend/src/integrations/sync.ts

@@ -1,28 +1,28 @@
-import axios, { AxiosError } from 'axios';
+import axios from 'axios';
 import * as Sentry from '@sentry/node';
 import { Octokit } from '@octokit/rest';
-// import * as sodium from 'libsodium-wrappers';
 import sodium from 'libsodium-wrappers';
-// const sodium = require('libsodium-wrappers');
 import { IIntegration, IIntegrationAuth } from '../models';
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_RENDER,
+  INTEGRATION_FLYIO,
   INTEGRATION_HEROKU_API_URL,
   INTEGRATION_VERCEL_API_URL,
-  INTEGRATION_NETLIFY_API_URL
+  INTEGRATION_NETLIFY_API_URL,
+  INTEGRATION_RENDER_API_URL,
+  INTEGRATION_FLYIO_API_URL
 } from '../variables';
-import { access, appendFile } from 'fs';
 
 /**
  * Sync/push [secrets] to [app] in integration named [integration]
  * @param {Object} obj
  * @param {IIntegration} obj.integration - integration details
  * @param {IIntegrationAuth} obj.integrationAuth - integration auth details
- * @param {Object} obj.app - app in integration
- * @param {Object} obj.target - (optional) target (environment) in integration
  * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
  * @param {String} obj.accessToken - access token for integration
  */
@@ -39,6 +39,13 @@ const syncSecrets = async ({
 }) => {
   try {
     switch (integration.integration) {
+      case INTEGRATION_AZURE_KEY_VAULT:
+        await syncSecretsAzureKeyVault({
+          integration,
+          secrets,
+          accessToken
+        });
+        break;
       case INTEGRATION_HEROKU:
         await syncSecretsHeroku({
           integration,
@@ -69,6 +76,20 @@ const syncSecrets = async ({
           accessToken
         });
         break;
+      case INTEGRATION_RENDER:
+        await syncSecretsRender({
+          integration,
+          secrets,
+          accessToken
+        });
+        break;
+      case INTEGRATION_FLYIO:
+        await syncSecretsFlyio({
+          integration,
+          secrets,
+          accessToken
+        });
+        break;
     }
   } catch (err) {
     Sentry.setUser(null);
@@ -78,10 +99,156 @@ const syncSecrets = async ({
 };
 
 /**
- * Sync/push [secrets] to Heroku [app]
+ * Sync/push [secrets] to Azure Key Vault with vault URI [integration.app]
  * @param {Object} obj
  * @param {IIntegration} obj.integration - integration details
  * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for Azure Key Vault integration
+ */
+const syncSecretsAzureKeyVault = async ({
+  integration,
+  secrets,
+  accessToken
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  try {
+
+    interface GetAzureKeyVaultSecret {
+      id: string; // secret URI
+      attributes: {
+        enabled: true,
+        created: number;
+        updated: number;
+        recoveryLevel: string;
+        recoverableDays: number;
+      }
+    }
+    
+    interface AzureKeyVaultSecret extends GetAzureKeyVaultSecret {
+      key: string;
+    }
+    
+    /**
+     * Return all secrets from Azure Key Vault by paginating through URL [url]
+     * @param {String} url - pagination URL to get next set of secrets from Azure Key Vault
+     * @returns 
+     */
+    const paginateAzureKeyVaultSecrets = async (url: string) => {
+      let result: GetAzureKeyVaultSecret[] = [];
+      
+      while (url) {
+        const res = await axios.get(url, {
+          headers: {
+            Authorization: `Bearer ${accessToken}`
+          }
+        });
+        
+        result = result.concat(res.data.value);
+        url = res.data.nextLink;
+      }
+      
+      return result;
+    }
+    
+    const getAzureKeyVaultSecrets = await paginateAzureKeyVaultSecrets(`${integration.app}/secrets?api-version=7.3`);
+    
+    let lastSlashIndex: number;
+    const res = (await Promise.all(getAzureKeyVaultSecrets.map(async (getAzureKeyVaultSecret) => {
+      if (!lastSlashIndex) {
+        lastSlashIndex = getAzureKeyVaultSecret.id.lastIndexOf('/');
+      }
+      
+      const azureKeyVaultSecret = await axios.get(`${getAzureKeyVaultSecret.id}?api-version=7.3`, {
+        headers: {
+          'Authorization': `Bearer ${accessToken}`
+        }
+      });
+
+      return ({
+        ...azureKeyVaultSecret.data,
+        key: getAzureKeyVaultSecret.id.substring(lastSlashIndex + 1),
+      });
+    })))
+    .reduce((obj: any, secret: any) => ({
+        ...obj,
+        [secret.key]: secret
+    }), {});
+    
+    const setSecrets: {
+      key: string;
+      value: string;
+    }[] = [];
+
+    Object.keys(secrets).forEach((key) => {
+      const hyphenatedKey = key.replace(/_/g, '-');
+      if (!(hyphenatedKey in res)) {
+        // case: secret has been created
+        setSecrets.push({
+          key: hyphenatedKey,
+          value: secrets[key]
+        });
+      } else {
+        if (secrets[key] !== res[hyphenatedKey].value) {
+          // case: secret has been updated
+          setSecrets.push({
+            key: hyphenatedKey,
+            value: secrets[key]
+          });
+        }
+      }
+    });
+    
+    const deleteSecrets: AzureKeyVaultSecret[] = [];
+    
+    Object.keys(res).forEach((key) => {
+      const underscoredKey = key.replace(/-/g, '_');
+      if (!(underscoredKey in secrets)) {
+        deleteSecrets.push(res[key]);
+      }
+    });
+    
+    // Sync/push set secrets
+    if (setSecrets.length > 0) {
+      setSecrets.forEach(async ({ key, value }) => {
+        await axios.put(
+          `${integration.app}/secrets/${key}?api-version=7.3`,
+          {
+            value
+          },
+          {
+            headers: {
+              Authorization: `Bearer ${accessToken}`
+            }
+          }
+        );
+      });
+    }
+    
+    if (deleteSecrets.length > 0) {
+      deleteSecrets.forEach(async (secret) => {
+        await axios.delete(`${integration.app}/secrets/${secret.key}?api-version=7.3`, {
+          headers: {
+            'Authorization': `Bearer ${accessToken}`
+          }
+        });
+      });
+    }
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to sync secrets to Azure Key Vault');
+  }
+};
+
+/**
+ * Sync/push [secrets] to Heroku app named [integration.app]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for Heroku integration
  */
 const syncSecretsHeroku = async ({
   integration,
@@ -129,7 +296,7 @@ const syncSecretsHeroku = async ({
 };
 
 /**
- * Sync/push [secrets] to Heroku [app]
+ * Sync/push [secrets] to Vercel project named [integration.app]
  * @param {Object} obj
  * @param {IIntegration} obj.integration - integration details
  * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
@@ -174,7 +341,7 @@ const syncSecretsVercel = async ({
       ))
       .data
       .envs
-      .filter((secret: VercelSecret) => secret.target.includes(integration.target))
+      .filter((secret: VercelSecret) => secret.target.includes(integration.targetEnvironment))
       .map(async (secret: VercelSecret) => (await axios.get(
               `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
               {
@@ -201,7 +368,7 @@ const syncSecretsVercel = async ({
                   key: key,
                   value: secrets[key],
                   type: 'encrypted',
-                  target: [integration.target]
+                  target: [integration.targetEnvironment]
               });
           }
       });
@@ -216,7 +383,7 @@ const syncSecretsVercel = async ({
                       key: key,
                       value: secrets[key],
                       type: 'encrypted',
-                      target: [integration.target]
+                      target: [integration.targetEnvironment]
                   });
               }
           } else {
@@ -226,7 +393,7 @@ const syncSecretsVercel = async ({
                   key: key,
                   value: res[key].value,
                   type: 'encrypted',
-                  target: [integration.target],
+                  target: [integration.targetEnvironment],
               });
           }
       });
@@ -287,11 +454,12 @@ const syncSecretsVercel = async ({
 }
 
 /**
- * Sync/push [secrets] to Netlify site [app]
+ * Sync/push [secrets] to Netlify site with id [integration.appId]
  * @param {Object} obj
  * @param {IIntegration} obj.integration - integration details
  * @param {IIntegrationAuth} obj.integrationAuth - integration auth details
  * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {Object} obj.accessToken - access token for Netlify integration
  */
 const syncSecretsNetlify = async ({
     integration,
@@ -323,7 +491,7 @@ const syncSecretsNetlify = async ({
       
       const getParams = new URLSearchParams({
           context_name: 'all', // integration.context or all
-          site_id: integration.siteId
+          site_id: integration.appId
       });
       
       const res = (await axios.get(
@@ -354,7 +522,7 @@ const syncSecretsNetlify = async ({
                   key,
                   values: [{
                       value: secrets[key],
-                      context: integration.context
+                      context: integration.targetEnvironment
                   }]
               });
           } else {
@@ -365,15 +533,15 @@ const syncSecretsNetlify = async ({
                       [value.context]: value
                   }), {});
               
-              if (integration.context in contexts) {
+              if (integration.targetEnvironment in contexts) {
                   // case: Netlify secret value exists in integration context
-                  if (secrets[key] !== contexts[integration.context].value) {
+                  if (secrets[key] !== contexts[integration.targetEnvironment].value) {
                       // case: Infisical and Netlify secret values are different
                       // -> update Netlify secret context and value
                       updateSecrets.push({
                           key,
                           values: [{
-                              context: integration.context,
+                              context: integration.targetEnvironment,
                               value: secrets[key]
                           }]
                       });
@@ -384,7 +552,7 @@ const syncSecretsNetlify = async ({
                   updateSecrets.push({
                       key,
                       values: [{
-                          context: integration.context,
+                          context: integration.targetEnvironment,
                           value: secrets[key]
                       }]
                   });
@@ -402,7 +570,7 @@ const syncSecretsNetlify = async ({
               const numberOfValues = res[key].values.length;
               
               res[key].values.forEach((value: NetlifyValue) => {
-                  if (value.context === integration.context) {
+                  if (value.context === integration.targetEnvironment) {
                       if (numberOfValues <= 1) {
                           // case: Netlify secret value has less than 1 context -> delete secret
                           deleteSecrets.push(key); 
@@ -412,7 +580,7 @@ const syncSecretsNetlify = async ({
                               key,
                               values: [{
                                   id: value.id,
-                                  context: integration.context,
+                                  context: integration.targetEnvironment,
                                   value: value.value
                               }]
                           });
@@ -423,7 +591,7 @@ const syncSecretsNetlify = async ({
       });
 
       const syncParams = new URLSearchParams({
-          site_id: integration.siteId
+          site_id: integration.appId
       });
 
       if (newSecrets.length > 0) {
@@ -492,11 +660,12 @@ const syncSecretsNetlify = async ({
 }
 
 /**
- * Sync/push [secrets] to GitHub [repo]
+ * Sync/push [secrets] to GitHub repo with name [integration.app]
  * @param {Object} obj
  * @param {IIntegration} obj.integration - integration details
  * @param {IIntegrationAuth} obj.integrationAuth - integration auth details
  * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for GitHub integration 
  */
 const syncSecretsGitHub = async ({
   integration,
@@ -530,21 +699,20 @@ const syncSecretsGitHub = async ({
       auth: accessToken
     });
 
-    const user = (await octokit.request('GET /user', {})).data;
-    
+    // const user = (await octokit.request('GET /user', {})).data;
     const repoPublicKey: GitHubRepoKey = (await octokit.request(
       'GET /repos/{owner}/{repo}/actions/secrets/public-key',
       {
-        owner: user.login,
+        owner: integration.owner,
         repo: integration.app
       }
     )).data;
 
-    // // Get local copy of decrypted secrets. We cannot decrypt them as we dont have access to GH private key
+    // Get local copy of decrypted secrets. We cannot decrypt them as we dont have access to GH private key
     const encryptedSecrets: GitHubSecretRes = (await octokit.request(
       'GET /repos/{owner}/{repo}/actions/secrets',
       {
-        owner: user.login,
+        owner: integration.owner,
         repo: integration.app
       }
     ))
@@ -560,7 +728,7 @@ const syncSecretsGitHub = async ({
         await octokit.request(
           'DELETE /repos/{owner}/{repo}/actions/secrets/{secret_name}',
           {
-            owner: user.login,
+            owner: integration.owner,
             repo: integration.app,
             secret_name: key
           }
@@ -590,7 +758,7 @@ const syncSecretsGitHub = async ({
           await octokit.request(
             'PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}',
             {
-              owner: user.login,
+              owner: integration.owner,
               repo: integration.app,
               secret_name: key,
               encrypted_value: encryptedSecret,
@@ -606,4 +774,175 @@ const syncSecretsGitHub = async ({
   }
 };
 
+/**
+ * Sync/push [secrets] to Render service with id [integration.appId]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for Render integration
+ */
+const syncSecretsRender = async ({
+  integration,
+  secrets,
+  accessToken
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  try {
+    await axios.put(
+      `${INTEGRATION_RENDER_API_URL}/v1/services/${integration.appId}/env-vars`,
+      Object.keys(secrets).map((key) => ({
+        key,
+        value: secrets[key]
+      })),
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`
+        }
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to sync secrets to Render');
+  }
+}
+
+/**
+ * Sync/push [secrets] to Fly.io app
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for Render integration
+ */
+const syncSecretsFlyio = async ({
+  integration,
+  secrets,
+  accessToken
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  try {
+    // set secrets
+    const SetSecrets = `
+      mutation($input: SetSecretsInput!) {
+        setSecrets(input: $input) {
+          release {
+            id
+            version
+            reason
+            description
+            user {
+              id
+              email
+              name
+            }
+            evaluationId
+            createdAt
+          }
+        }
+      }
+    `;
+
+    await axios({
+      url: INTEGRATION_FLYIO_API_URL,
+      method: 'post',
+      headers: {
+        'Authorization': 'Bearer ' + accessToken
+      },
+      data: {
+        query: SetSecrets,
+        variables: {
+          input: {
+            appId: integration.app,
+            secrets: Object.entries(secrets).map(([key, value]) => ({ key, value }))
+          }
+        }
+      }
+    });
+    
+    // get secrets
+    interface FlyioSecret {
+      name: string;
+      digest: string;
+      createdAt: string;
+    }
+    
+    const GetSecrets = `query ($appName: String!) {
+        app(name: $appName) {
+            secrets {
+                name
+                digest
+                createdAt
+            }
+        }
+    }`;
+
+    const getSecretsRes = (await axios({
+        method: 'post',
+        url: INTEGRATION_FLYIO_API_URL,
+        headers: {
+            'Authorization': 'Bearer ' + accessToken,
+            'Content-Type': 'application/json'
+        },
+        data: {
+          query: GetSecrets,
+          variables: {
+            appName: integration.app
+          }
+        }
+    })).data.data.app.secrets;
+    
+    const deleteSecretsKeys = getSecretsRes
+      .filter((secret: FlyioSecret) => !(secret.name in secrets))
+      .map((secret: FlyioSecret) => secret.name);
+    
+    // unset (delete) secrets
+    const DeleteSecrets = `mutation($input: UnsetSecretsInput!) {
+        unsetSecrets(input: $input) {
+            release {
+                id
+                version
+                reason
+                description
+                user {
+                    id
+                    email
+                    name
+                }
+                evaluationId
+                createdAt
+            }
+        }
+    }`;
+
+    await axios({
+        method: 'post',
+        url: INTEGRATION_FLYIO_API_URL,
+        headers: {
+          'Authorization': 'Bearer ' + accessToken,
+          'Content-Type': 'application/json'
+        },
+        data: {
+          query: DeleteSecrets,
+          variables: {
+            input: {
+              appId: integration.app,
+              keys: deleteSecretsKeys
+            }
+          }
+        }
+    });
+
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to sync secrets to Fly.io');
+  }
+}
+
 export { syncSecrets };

backend/src/middleware/requireIntegrationAuthorizationAuth.ts

@@ -1,10 +1,12 @@
 import * as Sentry from '@sentry/node';
 import { Request, Response, NextFunction } from 'express';
-import { IntegrationAuth } from '../models';
+import { IntegrationAuth, IWorkspace } from '../models';
 import { IntegrationService } from '../services';
 import { validateMembership } from '../helpers/membership';
 import { UnauthorizedRequestError } from '../utils/errors';
 
+type req = 'params' | 'body' | 'query';
+
 /**
  * Validate if user on request is a member of workspace with proper roles associated
  * with the integration authorization on request params.
@@ -14,17 +16,20 @@ import { UnauthorizedRequestError } from '../utils/errors';
  */
 const requireIntegrationAuthorizationAuth = ({
 	acceptedRoles,
-	attachAccessToken = true
+	attachAccessToken = true,
+	location = 'params'
 }: {
 	acceptedRoles: string[];
 	attachAccessToken?: boolean;
+	location?: req;
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
-		const { integrationAuthId } = req.params;
-
+		const { integrationAuthId } = req[location];
 		const integrationAuth = await IntegrationAuth.findOne({
 			_id: integrationAuthId
-		}).select(
+		})
+		.populate<{ workspace: IWorkspace }>('workspace')
+		.select(
 			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
 		);
 
@@ -34,7 +39,7 @@ const requireIntegrationAuthorizationAuth = ({
 		
 		await validateMembership({
 			userId: req.user._id.toString(),
-			workspaceId: integrationAuth.workspace.toString(),
+			workspaceId: integrationAuth.workspace._id.toString(),
 			acceptedRoles
 		});
 

backend/src/models/index.ts

@@ -16,6 +16,7 @@ import UserAction, { IUserAction } from './userAction';
 import Workspace, { IWorkspace } from './workspace';
 import ServiceTokenData, { IServiceTokenData } from './serviceTokenData';
 import APIKeyData, { IAPIKeyData } from './apiKeyData';
+import LoginSRPDetail, { ILoginSRPDetail } from './loginSRPDetail';
 
 export {
 	BackupPrivateKey,
@@ -53,5 +54,7 @@ export {
 	ServiceTokenData,
 	IServiceTokenData,
 	APIKeyData,
-	IAPIKeyData
+	IAPIKeyData,
+	LoginSRPDetail,
+	ILoginSRPDetail
 };

backend/src/models/integration.ts

@@ -1,9 +1,12 @@
 import { Schema, model, Types } from 'mongoose';
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
-  INTEGRATION_GITHUB
+  INTEGRATION_GITHUB,
+  INTEGRATION_RENDER,
+  INTEGRATION_FLYIO
 } from '../variables';
 
 export interface IIntegration {
@@ -12,19 +15,19 @@ export interface IIntegration {
   environment: string;
   isActive: boolean;
   app: string;
-  target: string;
-  context: string;
-  siteId: string;
-  integration: 'heroku' | 'vercel' | 'netlify' | 'github';
+  owner: string;
+  targetEnvironment: string;
+  appId: string;
+  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'render' | 'flyio' | 'azure-key-vault';
   integrationAuth: Types.ObjectId;
 }
 
 const integrationSchema = new Schema<IIntegration>(
   {
     workspace: {
-      type: Schema.Types.ObjectId,
-      ref: 'Workspace',
-      required: true
+        type: Schema.Types.ObjectId,
+        ref: 'Workspace',
+        required: true
     },
     environment: {
       type: String,
@@ -39,28 +42,31 @@ const integrationSchema = new Schema<IIntegration>(
       type: String,
       default: null
     },
-    target: {
-      // vercel-specific target (environment)
+    appId: { // (new)
+      // id of app in provider
       type: String,
       default: null
     },
-    context: {
-      // netlify-specific context (deploy)
+    targetEnvironment: { // (new)
+      // target environment 
       type: String,
       default: null
     },
-    siteId: {
-      // netlify-specific site (app) id
+    owner: {
+      // github-specific repo owner-login
       type: String,
       default: null
     },
     integration: {
       type: String,
       enum: [
+        INTEGRATION_AZURE_KEY_VAULT,
         INTEGRATION_HEROKU,
         INTEGRATION_VERCEL,
         INTEGRATION_NETLIFY,
-        INTEGRATION_GITHUB
+        INTEGRATION_GITHUB,
+        INTEGRATION_RENDER,
+        INTEGRATION_FLYIO
       ],
       required: true
     },

backend/src/models/integrationAuth.ts

@@ -1,5 +1,6 @@
 import { Schema, model, Types } from 'mongoose';
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
@@ -9,7 +10,7 @@ import {
 export interface IIntegrationAuth {
   _id: Types.ObjectId;
   workspace: Types.ObjectId;
-  integration: 'heroku' | 'vercel' | 'netlify' | 'github';
+  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'render' | 'flyio' | 'azure-key-vault';
   teamId: string;
   accountId: string;
   refreshCiphertext?: string;
@@ -24,12 +25,14 @@ export interface IIntegrationAuth {
 const integrationAuthSchema = new Schema<IIntegrationAuth>(
   {
     workspace: {
-      type: Schema.Types.ObjectId,
-      required: true
+        type: Schema.Types.ObjectId,
+        ref: 'Workspace',
+        required: true
     },
     integration: {
       type: String,
       enum: [
+        INTEGRATION_AZURE_KEY_VAULT,
         INTEGRATION_HEROKU,
         INTEGRATION_VERCEL,
         INTEGRATION_NETLIFY,

backend/src/models/loginSRPDetail.ts

@@ -0,0 +1,29 @@
+import mongoose, { Schema, model, Types } from 'mongoose';
+
+export interface ILoginSRPDetail {
+	_id: Types.ObjectId;
+	clientPublicKey: string;
+	email: string;
+	serverBInt: mongoose.Schema.Types.Buffer;
+	expireAt: Date;
+}
+
+const loginSRPDetailSchema = new Schema<ILoginSRPDetail>(
+	{
+		clientPublicKey: {
+			type: String,
+			required: true
+		},
+		email: {
+			type: String,
+			required: true,
+			unique: true
+		},
+		serverBInt: { type: mongoose.Schema.Types.Buffer },
+		expireAt: { type: Date }
+	}
+);
+
+const LoginSRPDetail = model('LoginSRPDetail', loginSRPDetailSchema);
+
+export default LoginSRPDetail;

backend/src/models/membership.ts

@@ -1,15 +1,21 @@
 import { Schema, model, Types } from 'mongoose';
 import { ADMIN, MEMBER } from '../variables';
 
+export interface IMembershipPermission {
+	environmentSlug: string,
+	ability: string
+}
+
 export interface IMembership {
 	_id: Types.ObjectId;
 	user: Types.ObjectId;
 	inviteEmail?: string;
 	workspace: Types.ObjectId;
 	role: 'admin' | 'member';
+	deniedPermissions: IMembershipPermission[]
 }
 
-const membershipSchema = new Schema(
+const membershipSchema = new Schema<IMembership>(
 	{
 		user: {
 			type: Schema.Types.ObjectId,
@@ -23,6 +29,18 @@ const membershipSchema = new Schema(
 			ref: 'Workspace',
 			required: true
 		},
+		deniedPermissions: {
+			type: [
+				{
+					environmentSlug: String,
+					ability: {
+						type: String,
+						enum: ['read', 'write']
+					},
+				},
+			],
+			default: []
+		},
 		role: {
 			type: String,
 			enum: [ADMIN, MEMBER],

backend/src/models/secret.ts

@@ -23,6 +23,7 @@ export interface ISecret {
 	secretCommentIV?: string;
 	secretCommentTag?: string;
 	secretCommentHash?: string;
+	tags?: string[];
 }
 
 const secretSchema = new Schema<ISecret>(
@@ -47,6 +48,11 @@ const secretSchema = new Schema<ISecret>(
 			type: Schema.Types.ObjectId,
 			ref: 'User'
 		},
+		tags: {
+			ref: 'Tag',
+			type: [Schema.Types.ObjectId],
+			default: []
+		},
 		environment: {
 			type: String,
 			required: true

backend/src/models/tag.ts

@@ -0,0 +1,49 @@
+import { Schema, model, Types } from 'mongoose';
+
+export interface ITag {
+	_id: Types.ObjectId;
+	name: string;
+	slug: string;
+	user: Types.ObjectId;
+	workspace: Types.ObjectId;
+}
+
+const tagSchema = new Schema<ITag>(
+	{
+		name: {
+			type: String,
+			required: true,
+			trim: true,
+		},
+		slug: {
+			type: String,
+			required: true,
+			trim: true,
+			lowercase: true,
+			validate: [
+				function (value: any) {
+					return value.indexOf(' ') === -1;
+				},
+				'slug cannot contain spaces'
+			]
+		},
+		user: {
+			type: Schema.Types.ObjectId,
+			ref: 'User'
+		},
+		workspace: {
+			type: Schema.Types.ObjectId,
+			ref: 'Workspace'
+		},
+	},
+	{
+		timestamps: true
+	}
+);
+
+tagSchema.index({ slug: 1, workspace: 1 }, { unique: true })
+tagSchema.index({ workspace: 1 })
+
+const Tag = model<ITag>('Tag', tagSchema);
+
+export default Tag;

backend/src/models/user.ts

@@ -12,6 +12,7 @@ export interface IUser {
 	salt?: string;
 	verifier?: string;
 	refreshVersion?: number;
+	seenIps: [string];
 }
 
 const userSchema = new Schema<IUser>(
@@ -54,7 +55,8 @@ const userSchema = new Schema<IUser>(
 			type: Number,
 			default: 0,
 			select: false
-		}
+		},
+		seenIps: [String]
 	},
 	{
 		timestamps: true

backend/src/models/workspace.ts

@@ -29,19 +29,19 @@ const workspaceSchema = new Schema<IWorkspace>({
 		],
 		default: [
 			{
-				name: "development",
+				name: "Development",
 				slug: "dev"
 			},
 			{
-				name: "test",
+				name: "Test",
 				slug: "test"
 			},
 			{
-				name: "staging",
+				name: "Staging",
 				slug: "staging"
 			},
 			{
-				name: "production",
+				name: "Production",
 				slug: "prod"
 			}
 		],

backend/src/routes/v1/integration.ts

@@ -3,12 +3,33 @@ const router = express.Router();
 import {
 	requireAuth,
 	requireIntegrationAuth,
+	requireIntegrationAuthorizationAuth,
 	validateRequest
 } from '../../middleware';
 import { ADMIN, MEMBER } from '../../variables';
 import { body, param } from 'express-validator';
 import { integrationController } from '../../controllers/v1';
 
+router.post( // new: add new integration for integration auth
+	'/',
+	requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+	requireIntegrationAuthorizationAuth({
+		acceptedRoles: [ADMIN, MEMBER],
+		location: 'body'
+	}),
+	body('integrationAuthId').exists().isString().trim(),
+	body('app').isString().trim(),
+	body('isActive').exists().isBoolean(),
+	body('appId').trim(),
+	body('sourceEnvironment').trim(),
+	body('targetEnvironment').trim(),
+	body('owner').trim(),
+	validateRequest,
+	integrationController.createIntegration
+);
+
 router.patch(
 	'/:integrationId',
 	requireAuth({
@@ -18,12 +39,12 @@ router.patch(
 		acceptedRoles: [ADMIN, MEMBER]
 	}),
 	param('integrationId').exists().trim(),
+	body('isActive').exists().isBoolean(),
 	body('app').exists().trim(),
 	body('environment').exists().trim(),
-	body('isActive').exists().isBoolean(),
-	body('target').exists(),
-	body('context').exists(),
-	body('siteId').exists(),
+	body('appId').exists(),
+	body('targetEnvironment').exists(),
+	body('owner').exists(),
 	validateRequest,
 	integrationController.updateIntegration
 );

backend/src/routes/v1/integrationAuth.ts

@@ -18,6 +18,19 @@ router.get(
 	integrationAuthController.getIntegrationOptions
 );
 
+router.get(
+	'/:integrationAuthId',
+	requireAuth({
+        acceptedAuthModes: ['jwt']
+    }),
+	requireIntegrationAuthorizationAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('integrationAuthId'),
+	validateRequest,
+	integrationAuthController.getIntegrationAuth	
+);
+
 router.post(
 	'/oauth-token',
 	requireAuth({
@@ -34,6 +47,22 @@ router.post(
 	integrationAuthController.oAuthExchange
 );
 
+router.post(
+	'/access-token',
+	requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER],
+		location: 'body'
+	}),
+	body('workspaceId').exists().trim().notEmpty(),
+	body('accessToken').exists().trim().notEmpty(),
+	body('integration').exists().trim().notEmpty(),
+	validateRequest,
+	integrationAuthController.saveIntegrationAccessToken
+);
+
 router.get(
 	'/:integrationAuthId/apps',
 	requireAuth({

backend/src/routes/v1/membership.ts

@@ -3,14 +3,15 @@ const router = express.Router();
 import { body, param } from 'express-validator';
 import { requireAuth, validateRequest } from '../../middleware';
 import { membershipController } from '../../controllers/v1';
+import { membershipController as EEMembershipControllers } from '../../ee/controllers/v1';
 
 // note: ALL DEPRECIATED (moved to api/v2/workspace/:workspaceId/memberships/:membershipId)
 
 router.get( // used for old CLI (deprecate)
 	'/:workspaceId/connect',
 	requireAuth({
-        acceptedAuthModes: ['jwt']
-    }),
+		acceptedAuthModes: ['jwt']
+	}),
 	param('workspaceId').exists().trim(),
 	validateRequest,
 	membershipController.validateMembership
@@ -19,8 +20,8 @@ router.get( // used for old CLI (deprecate)
 router.delete(
 	'/:membershipId',
 	requireAuth({
-        acceptedAuthModes: ['jwt']
-    }),
+		acceptedAuthModes: ['jwt']
+	}),
 	param('membershipId').exists().trim(),
 	validateRequest,
 	membershipController.deleteMembership
@@ -29,11 +30,22 @@ router.delete(
 router.post(
 	'/:membershipId/change-role',
 	requireAuth({
-        acceptedAuthModes: ['jwt']
-    }),
+		acceptedAuthModes: ['jwt']
+	}),
 	body('role').exists().trim(),
 	validateRequest,
 	membershipController.changeMembershipRole
 );
 
+router.post(
+	'/:membershipId/deny-permissions',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	param('membershipId').isMongoId().exists().trim(),
+	body('permissions').isArray().exists(),
+	validateRequest,
+	EEMembershipControllers.denyMembershipPermissions
+);
+
 export default router;

backend/src/routes/v2/environment.ts

@@ -54,4 +54,17 @@ router.delete(
   environmentController.deleteWorkspaceEnvironment
 );
 
+router.get(
+  '/:workspaceId/environments',
+  requireAuth({
+    acceptedAuthModes: ['jwt'],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [MEMBER, ADMIN],
+  }),
+  param('workspaceId').exists().trim(),
+  validateRequest,
+  environmentController.getAllAccessibleEnvironmentsOfWorkspace
+);
+
 export default router;

backend/src/routes/v2/index.ts

@@ -6,6 +6,7 @@ import secrets from './secrets';
 import serviceTokenData from './serviceTokenData';
 import apiKeyData from './apiKeyData';
 import environment from "./environment"
+import tags from "./tags"
 
 export {
     users,
@@ -15,5 +16,6 @@ export {
     secrets,
     serviceTokenData,
     apiKeyData,
-    environment
+    environment,
+    tags
 }

backend/src/routes/v2/organizations.ts

@@ -30,7 +30,7 @@ router.patch(
     '/:organizationId/memberships/:membershipId',
     param('organizationId').exists().trim(),
     param('membershipId').exists().trim(),
-    body('role').exists().isString().trim().isIn([ADMIN, MEMBER]),
+    body('role').exists().isString().trim().isIn([OWNER, ADMIN, MEMBER]),
     validateRequest,
     requireAuth({
         acceptedAuthModes: ['jwt', 'apiKey']

backend/src/routes/v2/secrets.ts

@@ -32,7 +32,7 @@ router.post(
                         !secret.secretKeyCiphertext ||
                         !secret.secretKeyIV ||
                         !secret.secretKeyTag ||
-                        !secret.secretValueCiphertext ||
+                        (typeof secret.secretValueCiphertext !== 'string') ||
                         !secret.secretValueIV ||
                         !secret.secretValueTag
                     ) {

backend/src/routes/v2/tags.ts

@@ -0,0 +1,50 @@
+import express, { Response, Request } from 'express';
+const router = express.Router();
+import { body, param } from 'express-validator';
+import { tagController } from '../../controllers/v2';
+import {
+  requireAuth,
+  requireWorkspaceAuth,
+  validateRequest,
+} from '../../middleware';
+import { ADMIN, MEMBER } from '../../variables';
+
+router.get(
+  '/:workspaceId/tags',
+  requireAuth({
+    acceptedAuthModes: ['jwt'],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [MEMBER, ADMIN],
+  }),
+  param('workspaceId').exists().trim(),
+  validateRequest,
+  tagController.getWorkspaceTags
+);
+
+router.delete(
+  '/tags/:tagId',
+  requireAuth({
+    acceptedAuthModes: ['jwt'],
+  }),
+  param('tagId').exists().trim(),
+  validateRequest,
+  tagController.deleteWorkspaceTag
+);
+
+router.post(
+  '/:workspaceId/tags',
+  requireAuth({
+    acceptedAuthModes: ['jwt'],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [MEMBER, ADMIN],
+  }),
+  param('workspaceId').exists().trim(),
+  body('name').exists().trim(),
+  body('slug').exists().trim(),
+  validateRequest,
+  tagController.createWorkspaceTag
+);
+
+export default router;

backend/src/services/IntegrationService.ts

@@ -1,7 +1,3 @@
-import * as Sentry from '@sentry/node';
-import {
-    Integration
-} from '../models';
 import { 
     handleOAuthExchangeHelper,
     syncIntegrationsHelper,
@@ -10,7 +6,6 @@ import {
     setIntegrationAuthRefreshHelper,
     setIntegrationAuthAccessHelper,
 } from '../helpers/integration';
-import { exchangeCode } from '../integrations';
 
 // should sync stuff be here too? Probably.
 // TODO: move bot functions to IntegrationService.
@@ -26,11 +21,12 @@ class IntegrationService {
      * - Store integration access and refresh tokens returned from the OAuth2 code-token exchange
      * - Add placeholder inactive integration
      * - Create bot sequence for integration
-     * @param {Object} obj
-     * @param {String} obj.workspaceId - id of workspace
-     * @param {String} obj.environment - workspace environment
-     * @param {String} obj.integration - name of integration 
-     * @param {String} obj.code - code
+     * @param {Object} obj1
+     * @param {String} obj1.workspaceId - id of workspace
+     * @param {String} obj1.environment - workspace environment
+     * @param {String} obj1.integration - name of integration 
+     * @param {String} obj1.code - code
+     * @returns {IntegrationAuth} integrationAuth - integration authorization after OAuth2 code-token exchange
      */
     static async handleOAuthExchange({ 
         workspaceId,
@@ -43,7 +39,7 @@ class IntegrationService {
         code: string;
         environment: string;
     }) {
-        await handleOAuthExchangeHelper({
+        return await handleOAuthExchangeHelper({
             workspaceId,
             integration,
             code,
@@ -122,7 +118,7 @@ class IntegrationService {
      * @param {Object} obj
      * @param {String} obj.integrationAuthId - id of integration auth
      * @param {String} obj.accessToken - access token
-     * @param {String} obj.accessExpiresAt - expiration date of access token
+     * @param {Date} obj.accessExpiresAt - expiration date of access token
      * @returns {IntegrationAuth} - updated integration auth
      */
     static async setIntegrationAuthAccess({ 
@@ -132,7 +128,7 @@ class IntegrationService {
     }: { 
         integrationAuthId: string;
         accessToken: string;
-        accessExpiresAt: Date;
+        accessExpiresAt: Date | undefined;
     }) {
         return await setIntegrationAuthAccessHelper({
             integrationAuthId,

backend/src/utils/addDevelopmentUser.ts

@@ -0,0 +1,140 @@
+/************************************************************************************************
+*
+*  Attention: The credentials below are only for development purposes, it should never be used for production  
+*
+************************************************************************************************/
+
+import { NODE_ENV } from "../config"
+import { Key, Membership, MembershipOrg, Organization, User, Workspace } from "../models";
+import { Types } from 'mongoose';
+
+export const createTestUserForDevelopment = async () => {
+  if (NODE_ENV === "development") {
+    const testUserEmail = "test@localhost.local"
+    const testUserPassword = "testInfisical1"
+    const testUserId = "63cefa6ec8d3175601cfa980"
+    const testWorkspaceId = "63cefb15c8d3175601cfa989"
+    const testOrgId = "63cefb15c8d3175601cfa985"
+    const testMembershipId = "63cefb159185d9aa3ef0cf35"
+    const testMembershipOrgId = "63cefb159185d9aa3ef0cf31"
+    const testWorkspaceKeyId = "63cf48f0225e6955acec5eff"
+
+    const testUser = {
+      _id: testUserId,
+      email: testUserEmail,
+      refreshVersion: 0,
+      encryptedPrivateKey: 'ITMdDXtLoxib4+53U/qzvIV/T/UalRwimogFCXv/UsulzEoiKM+aK2aqOb0=',
+      firstName: 'Jake',
+      iv: '9fp0dZHI+UuHeKkWMDvD6w==',
+      lastName: 'Moni',
+      publicKey: 'cf44BhkybbBfsE0fZHe2jvqtCj6KLXvSq4hVjV0svzk=',
+      salt: 'd8099dc70958090346910fb9639262b83cf526fc9b4555a171b36a9e1bcd0240',
+      tag: 'bQ/UTghqcQHRoSMpLQD33g==',
+      verifier: '12271fcd50937ca4512e1e3166adaf9d9fc7a5cd0e4c4cb3eda89f35572ede4d9eef23f64aef9220367abff9437b0b6fa55792c442f177201d87051cf77dadade254ff667170440327355fb7d6ac4745d4db302f4843632c2ed5919ebdcff343287a4cd552255d9e3ce81177edefe089617b7616683901475d393405f554634b9bf9230c041ac85624f37a60401be20b78044932580ae0868323be3749fbf856df1518153ba375fec628275f0c445f237446ea4aa7f12c1aa1d6b5fd74b7f2e88d062845a19819ec63f2d2ed9e9f37c055149649461d997d2ae1482f53b04f9de7493efbb9686fb19b2d559b9aa2b502c22dec83f9fc43290dfea89a1dc6f03580b3642b3824513853e81a441be9a0b2fde2231bac60f3287872617a36884697805eeea673cf1a351697834484ada0f282e4745015c9c2928d61e6d092f1b9c3a27eda8413175d23bb2edae62f82ccaf52bf5a6a90344a766c7e4ebf65dae9ae90b2ad4ae65dbf16e3a6948e429771cc50307ae86d454f71a746939ed061f080dd3ae369c1a0739819aca17af46a085bac1f2a5d936d198e7951a8ac3bb38b893665fe7312835abd3f61811f81efa2a8761af5070085f9b6adcca80bf9b0d81899c3d41487fba90728bb24eceb98bd69770360a232624133700ceb4d153f2ad702e0a5b7dfaf97d20bc8aa71dc8c20024a58c06a8fecdad18cb5a2f89c51eaf7'
+    }
+
+    const testWorkspaceKey = {
+      _id: new Types.ObjectId(testWorkspaceKeyId),
+      workspace: testWorkspaceId,
+      encryptedKey: '96ZIRSU21CjVzIQ4Yp994FGWQvDdyK3gq+z+NCaJLK0ByTlvUePmf+AYGFJjkAdz',
+      nonce: '1jhCGqg9Wx3n0OtVxbDgiYYGq4S3EdgO',
+      sender: '63cefa6ec8d3175601cfa980',
+      receiver: '63cefa6ec8d3175601cfa980',
+    }
+
+    const testWorkspace = {
+      _id: new Types.ObjectId(testWorkspaceId),
+      name: 'Example Project',
+      organization: testOrgId,
+      environments: [
+        {
+          _id: '63cefb15c8d3175601cfa98a',
+          name: 'Development',
+          slug: 'dev'
+        },
+        {
+          _id: '63cefb15c8d3175601cfa98b',
+          name: 'Test',
+          slug: 'test'
+        },
+        {
+          _id: '63cefb15c8d3175601cfa98c',
+          name: 'Staging',
+          slug: 'staging'
+        },
+        {
+          _id: '63cefb15c8d3175601cfa98d',
+          name: 'Production',
+          slug: 'prod'
+        }
+      ],
+    }
+
+    const testOrg = {
+      _id: testOrgId,
+      name: 'Jake\'s organization'
+    }
+
+    const testMembershipOrg = {
+      _id: testMembershipOrgId,
+      organization: testOrgId,
+      role: 'owner',
+      status: 'accepted',
+      user: testUserId,
+    }
+
+    const testMembership = {
+      _id: testMembershipId,
+      role: 'admin',
+      user: testUserId,
+      workspace: testWorkspaceId
+    }
+
+    try {
+      // create user if not exist 
+      const userInDB = await User.findById(testUserId)
+      if (!userInDB) {
+        await User.create(testUser)
+      }
+
+      // create org if not exist 
+      const orgInDB = await Organization.findById(testOrgId)
+      if (!orgInDB) {
+        await Organization.create(testOrg)
+      }
+
+      // create membership org if not exist
+      const membershipOrgInDB = await MembershipOrg.findById(testMembershipOrgId)
+      if (!membershipOrgInDB) {
+        await MembershipOrg.create(testMembershipOrg)
+      }
+
+      // create membership
+      const membershipInDB = await Membership.findById(testMembershipId)
+      if (!membershipInDB) {
+        await Membership.create(testMembership)
+      }
+
+      // create workspace if not exist 
+      const workspaceInDB = await Workspace.findById(testWorkspaceId)
+      if (!workspaceInDB) {
+        await Workspace.create(testWorkspace)
+      }
+
+      // create workspace key if not exist
+      const workspaceKeyInDB = await Key.findById(testWorkspaceKeyId)
+      if (!workspaceKeyInDB) {
+        await Key.create(testWorkspaceKey)
+      }
+
+      /* eslint-disable no-console */
+      console.info(`DEVELOPMENT MODE DETECTED: You may login with test user with email: ${testUserEmail} and password: ${testUserPassword}`)
+      /* eslint-enable no-console */
+
+    } catch (e) {
+      /* eslint-disable no-console */
+      console.error(`Unable to create test user while booting up [err=${e}]`)
+      /* eslint-enable no-console */
+    }
+  }
+}

backend/src/variables/action.ts

@@ -1,9 +1,13 @@
+const ACTION_LOGIN = 'login';
+const ACTION_LOGOUT = 'logout';
 const ACTION_ADD_SECRETS = 'addSecrets';
 const ACTION_DELETE_SECRETS = 'deleteSecrets';
 const ACTION_UPDATE_SECRETS = 'updateSecrets';
 const ACTION_READ_SECRETS = 'readSecrets';
 
 export {
+    ACTION_LOGIN,
+    ACTION_LOGOUT,
     ACTION_ADD_SECRETS,
     ACTION_DELETE_SECRETS,
     ACTION_UPDATE_SECRETS,

backend/src/variables/index.ts

@@ -6,12 +6,16 @@ import {
   ENV_SET
 } from './environment';
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_RENDER,
+  INTEGRATION_FLYIO,
   INTEGRATION_SET,
   INTEGRATION_OAUTH2,
+  INTEGRATION_AZURE_TOKEN_URL,
   INTEGRATION_HEROKU_TOKEN_URL,
   INTEGRATION_VERCEL_TOKEN_URL,
   INTEGRATION_NETLIFY_TOKEN_URL,
@@ -19,6 +23,8 @@ import {
   INTEGRATION_HEROKU_API_URL,
   INTEGRATION_VERCEL_API_URL,
   INTEGRATION_NETLIFY_API_URL,
+  INTEGRATION_RENDER_API_URL,
+  INTEGRATION_FLYIO_API_URL,
   INTEGRATION_OPTIONS
 } from './integration';
 import {
@@ -31,6 +37,8 @@ import {
 import { SECRET_SHARED, SECRET_PERSONAL } from './secret';
 import { EVENT_PUSH_SECRETS, EVENT_PULL_SECRETS } from './event';
 import {
+  ACTION_LOGIN,
+  ACTION_LOGOUT,
   ACTION_ADD_SECRETS,
   ACTION_UPDATE_SECRETS,
   ACTION_DELETE_SECRETS,
@@ -52,12 +60,16 @@ export {
   ENV_STAGING,
   ENV_PROD,
   ENV_SET,
+  INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
   INTEGRATION_VERCEL,
   INTEGRATION_NETLIFY,
   INTEGRATION_GITHUB,
+  INTEGRATION_RENDER,
+  INTEGRATION_FLYIO,
   INTEGRATION_SET,
   INTEGRATION_OAUTH2,
+  INTEGRATION_AZURE_TOKEN_URL,
   INTEGRATION_HEROKU_TOKEN_URL,
   INTEGRATION_VERCEL_TOKEN_URL,
   INTEGRATION_NETLIFY_TOKEN_URL,
@@ -65,8 +77,12 @@ export {
   INTEGRATION_HEROKU_API_URL,
   INTEGRATION_VERCEL_API_URL,
   INTEGRATION_NETLIFY_API_URL,
+  INTEGRATION_RENDER_API_URL,
+  INTEGRATION_FLYIO_API_URL,
   EVENT_PUSH_SECRETS,
   EVENT_PULL_SECRETS,
+  ACTION_LOGIN,
+  ACTION_LOGOUT,
   ACTION_ADD_SECRETS,
   ACTION_UPDATE_SECRETS,
   ACTION_DELETE_SECRETS,

backend/src/variables/integration.ts

@@ -1,3 +1,7 @@
+import {
+    CLIENT_ID_AZURE,
+    TENANT_ID_AZURE
+} from '../config';
 import {
     CLIENT_ID_HEROKU,
     CLIENT_ID_NETLIFY,
@@ -6,21 +10,28 @@ import {
 } from '../config';
 
 // integrations
+const INTEGRATION_AZURE_KEY_VAULT = 'azure-key-vault';
 const INTEGRATION_HEROKU = 'heroku';
 const INTEGRATION_VERCEL = 'vercel';
 const INTEGRATION_NETLIFY = 'netlify';
 const INTEGRATION_GITHUB = 'github';
+const INTEGRATION_RENDER = 'render';
+const INTEGRATION_FLYIO = 'flyio';
 const INTEGRATION_SET = new Set([
+    INTEGRATION_AZURE_KEY_VAULT,
     INTEGRATION_HEROKU,
     INTEGRATION_VERCEL,
     INTEGRATION_NETLIFY,
-    INTEGRATION_GITHUB
+    INTEGRATION_GITHUB,
+    INTEGRATION_RENDER,
+    INTEGRATION_FLYIO
 ]);
 
 // integration types
 const INTEGRATION_OAUTH2 = 'oauth2';
 
 // integration oauth endpoints
+const INTEGRATION_AZURE_TOKEN_URL = `https://login.microsoftonline.com/${TENANT_ID_AZURE}/oauth2/v2.0/token`;
 const INTEGRATION_HEROKU_TOKEN_URL = 'https://id.heroku.com/oauth/token';
 const INTEGRATION_VERCEL_TOKEN_URL =
     'https://api.vercel.com/v2/oauth/access_token';
@@ -32,23 +43,35 @@ const INTEGRATION_GITHUB_TOKEN_URL =
 const INTEGRATION_HEROKU_API_URL = 'https://api.heroku.com';
 const INTEGRATION_VERCEL_API_URL = 'https://api.vercel.com';
 const INTEGRATION_NETLIFY_API_URL = 'https://api.netlify.com';
+const INTEGRATION_RENDER_API_URL = 'https://api.render.com';
+const INTEGRATION_FLYIO_API_URL = 'https://api.fly.io/graphql';
 
 const INTEGRATION_OPTIONS = [
+    {
+        name: 'Azure Key Vault',
+        slug: 'azure-key-vault',
+        image: 'Microsoft Azure.png',
+        isAvailable: true,
+        type: 'oauth',
+        clientId: CLIENT_ID_AZURE,
+        tenantId: TENANT_ID_AZURE,
+        docsLink: ''
+    },
     {
         name: 'Heroku',
         slug: 'heroku',
-        image: 'Heroku',
+        image: 'Heroku.png',
         isAvailable: true,
-        type: 'oauth2',
+        type: 'oauth',
         clientId: CLIENT_ID_HEROKU,
         docsLink: ''
     },
     {
         name: 'Vercel',
         slug: 'vercel',
-        image: 'Vercel',
+        image: 'Vercel.png',
         isAvailable: true,
-        type: 'vercel',
+        type: 'oauth',
         clientId: '',
         clientSlug: CLIENT_SLUG_VERCEL,
         docsLink: ''
@@ -56,26 +79,43 @@ const INTEGRATION_OPTIONS = [
     {
         name: 'Netlify',
         slug: 'netlify',
-        image: 'Netlify',
-        isAvailable: false,
-        type: 'oauth2',
+        image: 'Netlify.png',
+        isAvailable: true,
+        type: 'oauth',
         clientId: CLIENT_ID_NETLIFY,
         docsLink: ''
     },
     {
         name: 'GitHub',
         slug: 'github',
-        image: 'GitHub',
-        isAvailable: false,
-        type: 'oauth2',
+        image: 'GitHub.png',
+        isAvailable: true,
+        type: 'oauth',
         clientId: CLIENT_ID_GITHUB,
         docsLink: ''
-
+    },
+    {
+        name: 'Render',
+        slug: 'render',
+        image: 'Render.png',
+        isAvailable: true,
+        type: 'pat',
+        clientId: '',
+        docsLink: ''
+    },
+    {
+        name: 'Fly.io',
+        slug: 'flyio',
+        image: 'Flyio.svg',
+        isAvailable: true,
+        type: 'pat',
+        clientId: '',
+        docsLink: ''
     },
     {
         name: 'Google Cloud Platform',
         slug: 'gcp',
-        image: 'Google Cloud Platform',
+        image: 'Google Cloud Platform.png',
         isAvailable: false,
         type: '',
         clientId: '',
@@ -84,7 +124,7 @@ const INTEGRATION_OPTIONS = [
     {
         name: 'Amazon Web Services',
         slug: 'aws',
-        image: 'Amazon Web Services',
+        image: 'Amazon Web Services.png',
         isAvailable: false,
         type: '',
         clientId: '',
@@ -93,7 +133,7 @@ const INTEGRATION_OPTIONS = [
     {
         name: 'Microsoft Azure',
         slug: 'azure',
-        image: 'Microsoft Azure',
+        image: 'Microsoft Azure.png',
         isAvailable: false,
         type: '',
         clientId: '',
@@ -102,7 +142,7 @@ const INTEGRATION_OPTIONS = [
     {
         name: 'Travis CI',
         slug: 'travisci',
-        image: 'Travis CI',
+        image: 'Travis CI.png',
         isAvailable: false,
         type: '',
         clientId: '',
@@ -111,7 +151,7 @@ const INTEGRATION_OPTIONS = [
     {
         name: 'Circle CI',
         slug: 'circleci',
-        image: 'Circle CI',
+        image: 'Circle CI.png',
         isAvailable: false,
         type: '',
         clientId: '',
@@ -120,12 +160,16 @@ const INTEGRATION_OPTIONS = [
 ]
 
 export {
+    INTEGRATION_AZURE_KEY_VAULT,
     INTEGRATION_HEROKU,
     INTEGRATION_VERCEL,
     INTEGRATION_NETLIFY,
     INTEGRATION_GITHUB,
+    INTEGRATION_RENDER,
+    INTEGRATION_FLYIO,
     INTEGRATION_SET,
     INTEGRATION_OAUTH2,
+    INTEGRATION_AZURE_TOKEN_URL,
     INTEGRATION_HEROKU_TOKEN_URL,
     INTEGRATION_VERCEL_TOKEN_URL,
     INTEGRATION_NETLIFY_TOKEN_URL,
@@ -133,5 +177,7 @@ export {
     INTEGRATION_HEROKU_API_URL,
     INTEGRATION_VERCEL_API_URL,
     INTEGRATION_NETLIFY_API_URL,
+    INTEGRATION_RENDER_API_URL,
+    INTEGRATION_FLYIO_API_URL,
     INTEGRATION_OPTIONS
 };

backend/src/variables/organization.ts

@@ -6,6 +6,10 @@ const MEMBER = 'member';
 // membership statuses
 const INVITED = 'invited';
 
+// membership permissions ability
+const ABILITY_READ = 'read';
+const ABILITY_WRITE = 'write';
+
 // -- organization
 const ACCEPTED = 'accepted';
 
@@ -14,5 +18,7 @@ export {
     ADMIN,
     MEMBER,
     INVITED,
-    ACCEPTED
+    ACCEPTED,
+    ABILITY_READ,
+    ABILITY_WRITE
 }

cli/main.go

@@ -1,5 +1,5 @@
 /*
-Copyright © 2022 NAME HERE <EMAIL ADDRESS>
+Copyright (c) 2023 Infisical Inc.
 */
 package main
 

cli/packages/api/api.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/Infisical/infisical-merge/packages/config"
 	"github.com/go-resty/resty/v2"
+	log "github.com/sirupsen/logrus"
 )
 
 const USER_AGENT = "cli"
@@ -144,3 +145,24 @@ func CallGetAllWorkSpacesUserBelongsTo(httpClient *resty.Client) (GetWorkSpacesR
 
 	return workSpacesResponse, nil
 }
+
+func CallIsAuthenticated(httpClient *resty.Client) bool {
+	var workSpacesResponse GetWorkSpacesResponse
+	response, err := httpClient.
+		R().
+		SetResult(&workSpacesResponse).
+		SetHeader("User-Agent", USER_AGENT).
+		Post(fmt.Sprintf("%v/v1/auth/checkAuth", config.INFISICAL_URL))
+
+	log.Debugln(fmt.Errorf("CallIsAuthenticated: Unsuccessful response:  [response=%v]", response))
+
+	if err != nil {
+		return false
+	}
+
+	if response.IsError() {
+		return false
+	}
+
+	return true
+}

cli/packages/api/model.go

@@ -201,21 +201,30 @@ type GetEncryptedSecretsV2Request struct {
 
 type GetEncryptedSecretsV2Response struct {
 	Secrets []struct {
-		ID                    string    `json:"_id"`
-		Version               int       `json:"version"`
-		Workspace             string    `json:"workspace"`
-		Type                  string    `json:"type"`
-		Environment           string    `json:"environment"`
-		SecretKeyCiphertext   string    `json:"secretKeyCiphertext"`
-		SecretKeyIV           string    `json:"secretKeyIV"`
-		SecretKeyTag          string    `json:"secretKeyTag"`
-		SecretValueCiphertext string    `json:"secretValueCiphertext"`
-		SecretValueIV         string    `json:"secretValueIV"`
-		SecretValueTag        string    `json:"secretValueTag"`
-		V                     int       `json:"__v"`
-		CreatedAt             time.Time `json:"createdAt"`
-		UpdatedAt             time.Time `json:"updatedAt"`
-		User                  string    `json:"user,omitempty"`
+		ID                      string    `json:"_id"`
+		Version                 int       `json:"version"`
+		Workspace               string    `json:"workspace"`
+		Type                    string    `json:"type"`
+		Environment             string    `json:"environment"`
+		SecretKeyCiphertext     string    `json:"secretKeyCiphertext"`
+		SecretKeyIV             string    `json:"secretKeyIV"`
+		SecretKeyTag            string    `json:"secretKeyTag"`
+		SecretValueCiphertext   string    `json:"secretValueCiphertext"`
+		SecretValueIV           string    `json:"secretValueIV"`
+		SecretValueTag          string    `json:"secretValueTag"`
+		SecretCommentCiphertext string    `json:"secretCommentCiphertext"`
+		SecretCommentIV         string    `json:"secretCommentIV"`
+		SecretCommentTag        string    `json:"secretCommentTag"`
+		V                       int       `json:"__v"`
+		CreatedAt               time.Time `json:"createdAt"`
+		UpdatedAt               time.Time `json:"updatedAt"`
+		User                    string    `json:"user,omitempty"`
+		Tags                    []struct {
+			ID        string `json:"_id"`
+			Name      string `json:"name"`
+			Slug      string `json:"slug"`
+			Workspace string `json:"workspace"`
+		} `json:"tags"`
 	} `json:"secrets"`
 }
 

cli/packages/cmd/export.go

@@ -1,5 +1,5 @@
 /*
-Copyright © 2022 NAME HERE <EMAIL ADDRESS>
+Copyright (c) 2023 Infisical Inc.
 */
 package cmd
 
@@ -51,11 +51,27 @@ var exportCmd = &cobra.Command{
 			util.HandleError(err)
 		}
 
-		secrets, err := util.GetAllEnvironmentVariables(envName)
+		secretOverriding, err := cmd.Flags().GetBool("secret-overriding")
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
+		infisicalToken, err := cmd.Flags().GetString("token")
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: envName, InfisicalToken: infisicalToken})
 		if err != nil {
 			util.HandleError(err, "Unable to fetch secrets")
 		}
 
+		if secretOverriding {
+			secrets = util.OverrideSecrets(secrets, util.SECRET_TYPE_PERSONAL)
+		} else {
+			secrets = util.OverrideSecrets(secrets, util.SECRET_TYPE_SHARED)
+		}
+
 		var output string
 		if shouldExpandSecrets {
 			substitutions := util.SubstituteSecrets(secrets)
@@ -79,6 +95,8 @@ func init() {
 	exportCmd.Flags().StringP("env", "e", "dev", "Set the environment (dev, prod, etc.) from which your secrets should be pulled from")
 	exportCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
 	exportCmd.Flags().StringP("format", "f", "dotenv", "Set the format of the output file (dotenv, json, csv)")
+	exportCmd.Flags().Bool("secret-overriding", true, "Prioritizes personal secrets, if any, with the same name over shared secrets")
+	exportCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
 }
 
 // Format according to the format flag

cli/packages/cmd/init.go

@@ -1,5 +1,5 @@
 /*
-Copyright © 2022 NAME HERE <EMAIL ADDRESS>
+Copyright (c) 2023 Infisical Inc.
 */
 package cmd
 

cli/packages/cmd/login.go

@@ -1,5 +1,5 @@
 /*
-Copyright © 2022 NAME HERE <EMAIL ADDRESS>
+Copyright (c) 2023 Infisical Inc.
 */
 package cmd
 
@@ -33,13 +33,13 @@ var loginCmd = &cobra.Command{
 	PreRun:                toggleDebug,
 	Run: func(cmd *cobra.Command, args []string) {
 		currentLoggedInUserDetails, err := util.GetCurrentLoggedInUserDetails()
-		if err != nil && strings.Contains(err.Error(), "The specified item could not be found in the keyring") { // if the key can't be found allow them to override
+		if err != nil && (strings.Contains(err.Error(), "The specified item could not be found in the keyring") || strings.Contains(err.Error(), "unable to get key from Keyring")) { // if the key can't be found allow them to override
 			log.Debug(err)
 		} else if err != nil {
 			util.HandleError(err)
 		}
 
-		if currentLoggedInUserDetails.IsUserLoggedIn {
+		if currentLoggedInUserDetails.IsUserLoggedIn && !currentLoggedInUserDetails.LoginExpired { // if you are logged in but not expired
 			shouldOverride, err := shouldOverrideLoginPrompt(currentLoggedInUserDetails.UserCredentials.Email)
 			if err != nil {
 				util.HandleError(err)
@@ -101,6 +101,9 @@ var loginCmd = &cobra.Command{
 			util.HandleError(err, "Unable to write write to Infisical Config file. Please try again")
 		}
 
+		// clear backed up secrets from prev account
+		util.DeleteBackupSecrets()
+
 		color.Green("Nice! You are logged in as: %v", email)
 
 	},

cli/packages/cmd/man.go

@@ -1,5 +1,5 @@
 /*
-Copyright © 2022 NAME HERE <EMAIL ADDRESS>
+Copyright (c) 2023 Infisical Inc.
 */
 package cmd
 

cli/packages/cmd/root.go

@@ -1,13 +1,15 @@
 /*
-Copyright © 2022 NAME HERE <EMAIL ADDRESS>
+Copyright (c) 2023 Infisical Inc.
 */
 package cmd
 
 import (
 	"os"
 
-	"github.com/Infisical/infisical-merge/packages/config"
 	"github.com/spf13/cobra"
+
+	"github.com/Infisical/infisical-merge/packages/config"
+	"github.com/Infisical/infisical-merge/packages/util"
 )
 
 var rootCmd = &cobra.Command{
@@ -15,7 +17,7 @@ var rootCmd = &cobra.Command{
 	Short:             "Infisical CLI is used to inject environment variables into any process",
 	Long:              `Infisical is a simple, end-to-end encrypted service that enables teams to sync and manage their environment variables across their development life cycle.`,
 	CompletionOptions: cobra.CompletionOptions{HiddenDefaultCmd: true},
-	Version:           "0.2.3",
+	Version:           util.CLI_VERSION,
 }
 
 // Execute adds all child commands to the root command and sets flags appropriately.
@@ -30,7 +32,17 @@ func Execute() {
 func init() {
 	rootCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
 	rootCmd.PersistentFlags().BoolVarP(&debugLogging, "debug", "d", false, "Enable verbose logging")
-	rootCmd.PersistentFlags().StringVar(&config.INFISICAL_URL, "domain", "https://app.infisical.com/api", "Point the CLI to your own backend")
-	// rootCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
-	// }
+	rootCmd.PersistentFlags().StringVar(&config.INFISICAL_URL, "domain", util.INFISICAL_DEFAULT_API_URL, "Point the CLI to your own backend [can also set via environment variable name: INFISICAL_API_URL]")
+	rootCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
+		util.CheckForUpdate()
+	}
+
+	// if config.INFISICAL_URL is set to the default value, check if INFISICAL_URL is set in the environment
+	// this is used to allow overrides of the default value
+	if !rootCmd.Flag("domain").Changed {
+		if envInfisicalBackendUrl, ok := os.LookupEnv("INFISICAL_API_URL"); ok {
+			config.INFISICAL_URL = envInfisicalBackendUrl
+		}
+	}
+
 }

cli/packages/cmd/run.go

@@ -1,5 +1,5 @@
 /*
-Copyright © 2022 NAME HERE <EMAIL ADDRESS>
+Copyright (c) 2023 Infisical Inc.
 */
 package cmd
 
@@ -12,6 +12,7 @@ import (
 	"strings"
 	"syscall"
 
+	"github.com/Infisical/infisical-merge/packages/models"
 	"github.com/Infisical/infisical-merge/packages/util"
 	"github.com/fatih/color"
 	log "github.com/sirupsen/logrus"
@@ -58,10 +59,15 @@ var runCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}
 
-		if !util.IsSecretEnvironmentValid(envName) {
-			util.PrintMessageAndExit("Invalid environment name passed. Environment names can only be prod, dev, test or staging")
+		infisicalToken, err := cmd.Flags().GetString("token")
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
 		}
 
+		// if !util.IsSecretEnvironmentValid(envName) {
+		// 	util.PrintMessageAndExit("Invalid environment name passed. Environment names can only be prod, dev, test or staging")
+		// }
+
 		secretOverriding, err := cmd.Flags().GetBool("secret-overriding")
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
@@ -72,17 +78,20 @@ var runCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}
 
-		secrets, err := util.GetAllEnvironmentVariables(envName)
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: envName, InfisicalToken: infisicalToken})
+
 		if err != nil {
 			util.HandleError(err, "Could not fetch secrets", "If you are using a service token to fetch secrets, please ensure it is valid")
 		}
 
-		if shouldExpandSecrets {
-			secrets = util.SubstituteSecrets(secrets)
+		if secretOverriding {
+			secrets = util.OverrideSecrets(secrets, util.SECRET_TYPE_PERSONAL)
+		} else {
+			secrets = util.OverrideSecrets(secrets, util.SECRET_TYPE_SHARED)
 		}
 
-		if secretOverriding {
-			secrets = util.OverrideWithPersonalSecrets(secrets)
+		if shouldExpandSecrets {
+			secrets = util.SubstituteSecrets(secrets)
 		}
 
 		secretsByKey := getSecretsByKeys(secrets)
@@ -138,6 +147,7 @@ var runCmd = &cobra.Command{
 
 func init() {
 	rootCmd.AddCommand(runCmd)
+	runCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
 	runCmd.Flags().StringP("env", "e", "dev", "Set the environment (dev, prod, etc.) from which your secrets should be pulled from")
 	runCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
 	runCmd.Flags().Bool("secret-overriding", true, "Prioritizes personal secrets, if any, with the same name over shared secrets")
@@ -164,7 +174,10 @@ func executeMultipleCommandWithEnvs(fullCommand string, secretsCount int, env []
 	if runtime.GOOS == "windows" {
 		shell = [2]string{"cmd", "/C"}
 	} else {
-		shell[0] = os.Getenv("SHELL")
+		currentShell := os.Getenv("SHELL")
+		if currentShell != "" {
+			shell[0] = currentShell
+		}
 	}
 
 	cmd := exec.Command(shell[0], shell[1], fullCommand)

cli/packages/cmd/secrets.go

@@ -1,11 +1,13 @@
 /*
-Copyright © 2022 NAME HERE <EMAIL ADDRESS>
+Copyright (c) 2023 Infisical Inc.
 */
 package cmd
 
 import (
 	"encoding/base64"
 	"fmt"
+	"regexp"
+	"sort"
 	"strings"
 	"unicode"
 
@@ -22,7 +24,7 @@ import (
 )
 
 var secretsCmd = &cobra.Command{
-	Example:               `infisical secrets"`,
+	Example:               `infisical secrets`,
 	Short:                 "Used to create, read update and delete secrets",
 	Use:                   "secrets",
 	DisableFlagsInUseLine: true,
@@ -34,12 +36,17 @@ var secretsCmd = &cobra.Command{
 			util.HandleError(err)
 		}
 
+		infisicalToken, err := cmd.Flags().GetString("token")
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
 		shouldExpandSecrets, err := cmd.Flags().GetBool("expand")
 		if err != nil {
 			util.HandleError(err)
 		}
 
-		secrets, err := util.GetAllEnvironmentVariables(environmentName)
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken})
 		if err != nil {
 			util.HandleError(err)
 		}
@@ -62,6 +69,16 @@ var secretsGetCmd = &cobra.Command{
 	Run:                   getSecretsByNames,
 }
 
+var secretsGenerateExampleEnvCmd = &cobra.Command{
+	Example:               `secrets generate-example-env > .example-env`,
+	Short:                 "Used to generate a example .env file",
+	Use:                   "generate-example-env",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.NoArgs,
+	PreRun:                toggleDebug,
+	Run:                   generateExampleEnv,
+}
+
 var secretsSetCmd = &cobra.Command{
 	Example:               `secrets set <secretName=secretValue> <secretName=secretValue>..."`,
 	Short:                 "Used set secrets",
@@ -111,7 +128,7 @@ var secretsSetCmd = &cobra.Command{
 		plainTextEncryptionKey := crypto.DecryptAsymmetric(encryptedWorkspaceKey, encryptedWorkspaceKeyNonce, encryptedWorkspaceKeySenderPublicKey, currentUsersPrivateKey)
 
 		// pull current secrets
-		secrets, err := util.GetAllEnvironmentVariables(environmentName)
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName})
 		if err != nil {
 			util.HandleError(err, "unable to retrieve secrets")
 		}
@@ -267,7 +284,7 @@ var secretsDeleteCmd = &cobra.Command{
 			util.HandleError(err, "Unable to get local project details")
 		}
 
-		secrets, err := util.GetAllEnvironmentVariables(environmentName)
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName})
 		if err != nil {
 			util.HandleError(err, "Unable to fetch secrets")
 		}
@@ -309,30 +326,6 @@ var secretsDeleteCmd = &cobra.Command{
 	},
 }
 
-func init() {
-	secretsCmd.AddCommand(secretsGetCmd)
-	secretsGetCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
-		util.RequireLogin()
-		util.RequireLocalWorkspaceFile()
-	}
-
-	secretsCmd.AddCommand(secretsSetCmd)
-	secretsSetCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
-		util.RequireLogin()
-		util.RequireLocalWorkspaceFile()
-	}
-
-	secretsCmd.AddCommand(secretsDeleteCmd)
-	secretsDeleteCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
-		util.RequireLogin()
-		util.RequireLocalWorkspaceFile()
-	}
-
-	secretsCmd.PersistentFlags().String("env", "dev", "Used to select the environment name on which actions should be taken on")
-	secretsCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
-	rootCmd.AddCommand(secretsCmd)
-}
-
 func getSecretsByNames(cmd *cobra.Command, args []string) {
 	environmentName, err := cmd.Flags().GetString("env")
 	if err != nil {
@@ -344,7 +337,12 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}
 
-	secrets, err := util.GetAllEnvironmentVariables(environmentName)
+	infisicalToken, err := cmd.Flags().GetString("token")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken})
 	if err != nil {
 		util.HandleError(err, "To fetch all secrets")
 	}
@@ -371,6 +369,171 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 	visualize.PrintAllSecretDetails(requestedSecrets)
 }
 
+func generateExampleEnv(cmd *cobra.Command, args []string) {
+	environmentName, err := cmd.Flags().GetString("env")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	workspaceFileExists := util.WorkspaceConfigFileExistsInCurrentPath()
+	if !workspaceFileExists {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	infisicalToken, err := cmd.Flags().GetString("token")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken})
+	if err != nil {
+		util.HandleError(err, "To fetch all secrets")
+	}
+
+	tagsHashToSecretKey := make(map[string]int)
+
+	type TagsAndSecrets struct {
+		Secrets []models.SingleEnvironmentVariable
+		Tags    []struct {
+			ID        string `json:"_id"`
+			Name      string `json:"name"`
+			Slug      string `json:"slug"`
+			Workspace string `json:"workspace"`
+		}
+	}
+
+	// sort secrets by associated tags (most number of tags to least tags)
+	sort.Slice(secrets, func(i, j int) bool {
+		return len(secrets[i].Tags) > len(secrets[j].Tags)
+	})
+
+	for _, secret := range secrets {
+		listOfTagSlugs := []string{}
+
+		for _, tag := range secret.Tags {
+			listOfTagSlugs = append(listOfTagSlugs, tag.Slug)
+		}
+		sort.Strings(listOfTagSlugs)
+
+		tagsHash := util.GetHashFromStringList(listOfTagSlugs)
+
+		tagsHashToSecretKey[tagsHash] += 1
+	}
+
+	finalTagHashToSecretKey := make(map[string]TagsAndSecrets)
+
+	for _, secret := range secrets {
+		listOfTagSlugs := []string{}
+		for _, tag := range secret.Tags {
+			listOfTagSlugs = append(listOfTagSlugs, tag.Slug)
+		}
+
+		// sort the slug so we get the same hash each time
+		sort.Strings(listOfTagSlugs)
+
+		tagsHash := util.GetHashFromStringList(listOfTagSlugs)
+		occurrence, exists := tagsHashToSecretKey[tagsHash]
+		if exists && occurrence > 0 {
+
+			value, exists2 := finalTagHashToSecretKey[tagsHash]
+			allSecretsForTags := append(value.Secrets, secret)
+
+			// sort the the secrets by keys so that they can later be sorted by the first item in the secrets array
+			sort.Slice(allSecretsForTags, func(i, j int) bool {
+				return allSecretsForTags[i].Key < allSecretsForTags[j].Key
+			})
+
+			if exists2 {
+				finalTagHashToSecretKey[tagsHash] = TagsAndSecrets{
+					Tags:    secret.Tags,
+					Secrets: allSecretsForTags,
+				}
+			} else {
+				finalTagHashToSecretKey[tagsHash] = TagsAndSecrets{
+					Tags:    secret.Tags,
+					Secrets: []models.SingleEnvironmentVariable{secret},
+				}
+			}
+
+			tagsHashToSecretKey[tagsHash] -= 1
+		}
+	}
+
+	// sort the fianl result by secret key fo consistent print order
+	listOfsecretDetails := make([]TagsAndSecrets, 0, len(finalTagHashToSecretKey))
+	for _, secretDetails := range finalTagHashToSecretKey {
+		listOfsecretDetails = append(listOfsecretDetails, secretDetails)
+	}
+
+	// sort the order of the headings by the order of the secrets
+	sort.Slice(listOfsecretDetails, func(i, j int) bool {
+		return len(listOfsecretDetails[i].Tags) < len(listOfsecretDetails[j].Tags)
+	})
+
+	for _, secretDetails := range listOfsecretDetails {
+		listOfKeyValue := []string{}
+
+		for _, secret := range secretDetails.Secrets {
+			re := regexp.MustCompile(`(?s)(.*)DEFAULT:(.*)`)
+			match := re.FindStringSubmatch(secret.Comment)
+			defaultValue := ""
+			comment := secret.Comment
+
+			// Case: Only has default value
+			if len(match) == 2 {
+				defaultValue = strings.TrimSpace(match[1])
+			}
+
+			// Case: has a comment and a default value
+			if len(match) == 3 {
+				comment = match[1]
+				defaultValue = match[2]
+			}
+
+			row := ""
+			if comment != "" {
+				comment = addHash(comment)
+				row = fmt.Sprintf("%s \n%s=%s", strings.TrimSpace(comment), strings.TrimSpace(secret.Key), strings.TrimSpace(defaultValue))
+			} else {
+				row = fmt.Sprintf("%s=%s", strings.TrimSpace(secret.Key), strings.TrimSpace(defaultValue))
+			}
+
+			// each secret row to be added to the file
+			listOfKeyValue = append(listOfKeyValue, row)
+		}
+
+		listOfTagNames := []string{}
+		for _, tag := range secretDetails.Tags {
+			listOfTagNames = append(listOfTagNames, tag.Name)
+		}
+
+		heading := CenterString(strings.Join(listOfTagNames, " & "), 80)
+
+		if len(listOfTagNames) == 0 {
+			fmt.Printf("\n%s \n", strings.Join(listOfKeyValue, "\n \n"))
+		} else {
+			fmt.Printf("\n\n\n%s\n \n%s \n", heading, strings.Join(listOfKeyValue, "\n \n"))
+		}
+	}
+}
+
+func CenterString(s string, numStars int) string {
+	stars := strings.Repeat("*", numStars)
+	padding := (numStars - len(s)) / 2
+	cenetredTextWithStar := stars[:padding] + " " + strings.ToUpper(s) + " " + stars[padding:]
+
+	hashes := strings.Repeat("#", len(cenetredTextWithStar)+2)
+	return fmt.Sprintf("%s \n# %s \n%s", hashes, cenetredTextWithStar, hashes)
+}
+
+func addHash(input string) string {
+	lines := strings.Split(input, "\n")
+	for i, line := range lines {
+		lines[i] = "# " + line
+	}
+	return strings.Join(lines, "\n")
+}
+
 func getSecretsByKeys(secrets []models.SingleEnvironmentVariable) map[string]models.SingleEnvironmentVariable {
 	secretMapByName := make(map[string]models.SingleEnvironmentVariable)
 
@@ -380,3 +543,29 @@ func getSecretsByKeys(secrets []models.SingleEnvironmentVariable) map[string]mod
 
 	return secretMapByName
 }
+
+func init() {
+
+	secretsGenerateExampleEnvCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
+	secretsCmd.AddCommand(secretsGenerateExampleEnvCmd)
+
+	secretsGetCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
+	secretsCmd.AddCommand(secretsGetCmd)
+
+	secretsCmd.AddCommand(secretsSetCmd)
+	secretsSetCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
+		util.RequireLogin()
+		util.RequireLocalWorkspaceFile()
+	}
+
+	secretsCmd.AddCommand(secretsDeleteCmd)
+	secretsDeleteCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
+		util.RequireLogin()
+		util.RequireLocalWorkspaceFile()
+	}
+
+	secretsCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
+	secretsCmd.PersistentFlags().String("env", "dev", "Used to select the environment name on which actions should be taken on")
+	secretsCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
+	rootCmd.AddCommand(secretsCmd)
+}

cli/packages/cmd/vault.go

@@ -1,5 +1,5 @@
 /*
-Copyright © 2022 NAME HERE <EMAIL ADDRESS>
+Copyright (c) 2023 Infisical Inc.
 */
 package cmd
 

cli/packages/config/config.go

@@ -1,3 +1,3 @@
 package config
 
-var INFISICAL_URL = "http://localhost:8080/api"
+var INFISICAL_URL string

cli/packages/crypto/crypto.go

@@ -12,6 +12,11 @@ import (
 
 // will decrypt cipher text to plain text using iv and tag
 func DecryptSymmetric(key []byte, cipherText []byte, tag []byte, iv []byte) ([]byte, error) {
+	// Case: empty string
+	if len(cipherText) == 0 && len(tag) == 0 && len(iv) == 0 {
+		return []byte{}, nil
+	}
+
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, err

cli/packages/models/cli.go

@@ -1,6 +1,8 @@
 package models
 
-import "github.com/99designs/keyring"
+import (
+	"github.com/99designs/keyring"
+)
 
 type UserCredentials struct {
 	Email      string `json:"email"`
@@ -19,6 +21,13 @@ type SingleEnvironmentVariable struct {
 	Value string `json:"value"`
 	Type  string `json:"type"`
 	ID    string `json:"_id"`
+	Tags  []struct {
+		ID        string `json:"_id"`
+		Name      string `json:"name"`
+		Slug      string `json:"slug"`
+		Workspace string `json:"workspace"`
+	} `json:"tags"`
+	Comment string `json:"comment"`
 }
 
 type Workspace struct {
@@ -34,7 +43,12 @@ type WorkspaceConfigFile struct {
 }
 
 type SymmetricEncryptionResult struct {
-	CipherText []byte
-	Nonce      []byte
-	AuthTag    []byte
+	CipherText []byte `json:"CipherText"`
+	Nonce      []byte `json:"Nonce"`
+	AuthTag    []byte `json:"AuthTag"`
+}
+
+type GetAllSecretsParameters struct {
+	Environment    string
+	InfisicalToken string
 }

cli/packages/util/check-for-update.go

@@ -0,0 +1,46 @@
+package util
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+)
+
+func CheckForUpdate() {
+	latestVersion, err := getLatestTag("Infisical", "infisical")
+	if err != nil {
+		// do nothing and continue
+		return
+	}
+	if latestVersion != CLI_VERSION {
+		PrintWarning(fmt.Sprintf("Please update your CLI. You are running version %s but the latest version is %s", CLI_VERSION, latestVersion))
+	}
+}
+
+func getLatestTag(repoOwner string, repoName string) (string, error) {
+	url := fmt.Sprintf("https://api.github.com/repos/%s/%s/tags", repoOwner, repoName)
+	resp, err := http.Get(url)
+	if err != nil {
+		return "", err
+	}
+	if resp.StatusCode != 200 {
+		return "", errors.New(fmt.Sprintf("GitHub API returned status code %d", resp.StatusCode))
+	}
+
+	defer resp.Body.Close()
+
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	var tags []struct {
+		Name string `json:"name"`
+	}
+
+	json.Unmarshal(body, &tags)
+
+	return tags[0].Name[1:], nil
+}

cli/packages/util/common.go

@@ -2,6 +2,7 @@ package util
 
 import (
 	"fmt"
+	"net/http"
 	"os"
 )
 
@@ -19,3 +20,11 @@ func WriteToFile(fileName string, dataToWrite []byte, filePerm os.FileMode) erro
 
 	return nil
 }
+
+func CheckIsConnectedToInternet() (ok bool) {
+	_, err := http.Get("http://clients3.google.com/generate_204")
+	if err != nil {
+		return false
+	}
+	return true
+}

cli/packages/util/constants.go

@@ -3,6 +3,7 @@ package util
 const (
 	CONFIG_FILE_NAME                     = "infisical-config.json"
 	CONFIG_FOLDER_NAME                   = ".infisical"
+	INFISICAL_DEFAULT_API_URL            = "https://app.infisical.com/api"
 	INFISICAL_WORKSPACE_CONFIG_FILE_NAME = ".infisical.json"
 	INFISICAL_TOKEN_NAME                 = "INFISICAL_TOKEN"
 	SECRET_TYPE_PERSONAL                 = "personal"
@@ -11,3 +12,7 @@ const (
 	PERSONAL_SECRET_TYPE_NAME            = "personal"
 	SHARED_SECRET_TYPE_NAME              = "shared"
 )
+
+var (
+	CLI_VERSION = "devel"
+)

cli/packages/util/credentials.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 
 	"github.com/99designs/keyring"
-	"github.com/Infisical/infisical-merge/packages/config"
+	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/models"
 	"github.com/go-resty/resty/v2"
 )
@@ -87,17 +87,10 @@ func GetCurrentLoggedInUserDetails() (LoggedInUserDetails, error) {
 			SetAuthToken(userCreds.JTWToken).
 			SetHeader("Accept", "application/json")
 
-		response, err := httpClient.
-			R().
-			Post(fmt.Sprintf("%v/v1/auth/checkAuth", config.INFISICAL_URL))
-
-		if err != nil {
-			return LoggedInUserDetails{}, err
-		}
-
-		if response.StatusCode() > 299 {
+		isAuthenticated := api.CallIsAuthenticated(httpClient)
+		if !isAuthenticated {
 			return LoggedInUserDetails{
-				IsUserLoggedIn:  true,
+				IsUserLoggedIn:  true, // was logged in
 				LoginExpired:    true,
 				UserCredentials: userCreds,
 			}, nil

cli/packages/util/helper.go

@@ -1,6 +1,7 @@
 package util
 
 import (
+	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
 	"os"
@@ -98,3 +99,14 @@ func RequireLocalWorkspaceFile() {
 		PrintMessageAndExit("Your project id is missing in your local config file. Please add it or run again [infisical init]")
 	}
 }
+
+func GetHashFromStringList(list []string) string {
+	hash := sha256.New()
+
+	for _, item := range list {
+		hash.Write([]byte(item))
+	}
+
+	sum := sha256.Sum256(hash.Sum(nil))
+	return fmt.Sprintf("%x", sum)
+}

cli/packages/util/log.go

@@ -24,7 +24,7 @@ func PrintErrorAndExit(exitCode int, err error, messages ...string) {
 }
 
 func PrintWarning(message string) {
-	color.Yellow("Warning: %v", message)
+	color.New(color.FgYellow).Fprintf(os.Stderr, "Warning: %v \n", message)
 }
 
 func PrintMessageAndExit(messages ...string) {

cli/packages/util/secrets.go

@@ -2,6 +2,8 @@ package util
 
 import (
 	"encoding/base64"
+	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"regexp"
@@ -97,13 +99,26 @@ func GetPlainTextSecretsViaJTW(JTWToken string, receiversPrivateKey string, work
 	return plainTextSecrets, nil
 }
 
-func GetAllEnvironmentVariables(envName string) ([]models.SingleEnvironmentVariable, error) {
-	infisicalToken := os.Getenv(INFISICAL_TOKEN_NAME)
+func GetAllEnvironmentVariables(params models.GetAllSecretsParameters) ([]models.SingleEnvironmentVariable, error) {
+	var infisicalToken string
+	if params.InfisicalToken == "" {
+		infisicalToken = os.Getenv(INFISICAL_TOKEN_NAME)
+	} else {
+		infisicalToken = params.InfisicalToken
+	}
+
+	isConnected := CheckIsConnectedToInternet()
+	var secretsToReturn []models.SingleEnvironmentVariable
+	var errorToReturn error
 
 	if infisicalToken == "" {
-		RequireLocalWorkspaceFile()
-		RequireLogin()
-		log.Debug("Trying to fetch secrets using logged in details")
+		if isConnected {
+			log.Debug("GetAllEnvironmentVariables: Connected to internet, checking logged in creds")
+			RequireLocalWorkspaceFile()
+			RequireLogin()
+		}
+
+		log.Debug("GetAllEnvironmentVariables: Trying to fetch secrets using logged in details")
 
 		loggedInUserDetails, err := GetCurrentLoggedInUserDetails()
 		if err != nil {
@@ -115,13 +130,30 @@ func GetAllEnvironmentVariables(envName string) ([]models.SingleEnvironmentVaria
 			return nil, err
 		}
 
-		secrets, err := GetPlainTextSecretsViaJTW(loggedInUserDetails.UserCredentials.JTWToken, loggedInUserDetails.UserCredentials.PrivateKey, workspaceFile.WorkspaceId, envName)
-		return secrets, err
+		secretsToReturn, errorToReturn = GetPlainTextSecretsViaJTW(loggedInUserDetails.UserCredentials.JTWToken, loggedInUserDetails.UserCredentials.PrivateKey, workspaceFile.WorkspaceId, params.Environment)
+		log.Debugf("GetAllEnvironmentVariables: Trying to fetch secrets JTW token [err=%s]", errorToReturn)
+
+		backupSecretsEncryptionKey := []byte(loggedInUserDetails.UserCredentials.PrivateKey)[0:32]
+		if errorToReturn == nil {
+			WriteBackupSecrets(workspaceFile.WorkspaceId, params.Environment, backupSecretsEncryptionKey, secretsToReturn)
+		}
+
+		// only attempt to serve cached secrets if no internet connection and if at least one secret cached
+		if !isConnected {
+			backedSecrets, err := ReadBackupSecrets(workspaceFile.WorkspaceId, params.Environment, backupSecretsEncryptionKey)
+			if len(backedSecrets) > 0 {
+				PrintWarning("Unable to fetch latest secret(s) due to connection error, serving secrets from last successful fetch. For more info, run with --debug")
+				secretsToReturn = backedSecrets
+				errorToReturn = err
+			}
+		}
 
 	} else {
 		log.Debug("Trying to fetch secrets using service token")
-		return GetPlainTextSecretsViaServiceToken(infisicalToken)
+		secretsToReturn, errorToReturn = GetPlainTextSecretsViaServiceToken(infisicalToken)
 	}
+
+	return secretsToReturn, errorToReturn
 }
 
 func getExpandedEnvVariable(secrets []models.SingleEnvironmentVariable, variableWeAreLookingFor string, hashMapOfCompleteVariables map[string]string, hashMapOfSelfRefs map[string]string) string {
@@ -195,33 +227,46 @@ func SubstituteSecrets(secrets []models.SingleEnvironmentVariable) []models.Sing
 	return expandedSecrets
 }
 
-//
-
-// if two secrets with the same name are found, the one that has type `personal` will be in the returned list
-func OverrideWithPersonalSecrets(secrets []models.SingleEnvironmentVariable) []models.SingleEnvironmentVariable {
-	personalSecret := make(map[string]models.SingleEnvironmentVariable)
-	sharedSecret := make(map[string]models.SingleEnvironmentVariable)
+func OverrideSecrets(secrets []models.SingleEnvironmentVariable, secretType string) []models.SingleEnvironmentVariable {
+	personalSecrets := make(map[string]models.SingleEnvironmentVariable)
+	sharedSecrets := make(map[string]models.SingleEnvironmentVariable)
 	secretsToReturn := []models.SingleEnvironmentVariable{}
+	secretsToReturnMap := make(map[string]models.SingleEnvironmentVariable)
 
 	for _, secret := range secrets {
 		if secret.Type == PERSONAL_SECRET_TYPE_NAME {
-			personalSecret[secret.Key] = secret
+			personalSecrets[secret.Key] = secret
 		}
-
 		if secret.Type == SHARED_SECRET_TYPE_NAME {
-			sharedSecret[secret.Key] = secret
+			sharedSecrets[secret.Key] = secret
 		}
 	}
 
-	for _, secret := range sharedSecret {
-		personalValue, personalExists := personalSecret[secret.Key]
-		if personalExists {
-			secretsToReturn = append(secretsToReturn, personalValue)
-		} else {
-			secretsToReturn = append(secretsToReturn, secret)
+	if secretType == PERSONAL_SECRET_TYPE_NAME {
+		for _, secret := range secrets {
+			if personalSecret, exists := personalSecrets[secret.Key]; exists {
+				secretsToReturnMap[secret.Key] = personalSecret
+			} else {
+				if _, exists = secretsToReturnMap[secret.Key]; !exists {
+					secretsToReturnMap[secret.Key] = secret
+				}
+			}
+		}
+	} else if secretType == SHARED_SECRET_TYPE_NAME {
+		for _, secret := range secrets {
+			if sharedSecret, exists := sharedSecrets[secret.Key]; exists {
+				secretsToReturnMap[secret.Key] = sharedSecret
+			} else {
+				if _, exists := secretsToReturnMap[secret.Key]; !exists {
+					secretsToReturnMap[secret.Key] = secret
+				}
+			}
 		}
 	}
 
+	for _, secret := range secretsToReturnMap {
+		secretsToReturn = append(secretsToReturn, secret)
+	}
 	return secretsToReturn
 }
 
@@ -270,11 +315,34 @@ func GetPlainTextSecrets(key []byte, encryptedSecrets api.GetEncryptedSecretsV2R
 			return nil, fmt.Errorf("unable to symmetrically decrypt secret value")
 		}
 
+		// Decrypt comment
+		comment_iv, err := base64.StdEncoding.DecodeString(secret.SecretCommentIV)
+		if err != nil {
+			return nil, fmt.Errorf("unable to decode secret IV for secret value")
+		}
+
+		comment_tag, err := base64.StdEncoding.DecodeString(secret.SecretCommentTag)
+		if err != nil {
+			return nil, fmt.Errorf("unable to decode secret authentication tag for secret value")
+		}
+
+		comment_ciphertext, _ := base64.StdEncoding.DecodeString(secret.SecretCommentCiphertext)
+		if err != nil {
+			return nil, fmt.Errorf("unable to decode secret cipher text for secret key")
+		}
+
+		plainTextComment, err := crypto.DecryptSymmetric(key, comment_ciphertext, comment_tag, comment_iv)
+		if err != nil {
+			return nil, fmt.Errorf("unable to symmetrically decrypt secret comment")
+		}
+
 		plainTextSecret := models.SingleEnvironmentVariable{
-			Key:   string(plainTextKey),
-			Value: string(plainTextValue),
-			Type:  string(secret.Type),
-			ID:    secret.ID,
+			Key:     string(plainTextKey),
+			Value:   string(plainTextValue),
+			Type:    string(secret.Type),
+			ID:      secret.ID,
+			Tags:    secret.Tags,
+			Comment: string(plainTextComment),
 		}
 
 		plainTextSecrets = append(plainTextSecrets, plainTextSecret)
@@ -282,3 +350,100 @@ func GetPlainTextSecrets(key []byte, encryptedSecrets api.GetEncryptedSecretsV2R
 
 	return plainTextSecrets, nil
 }
+
+func WriteBackupSecrets(workspace string, environment string, encryptionKey []byte, secrets []models.SingleEnvironmentVariable) error {
+	fileName := fmt.Sprintf("secrets_%s_%s", workspace, environment)
+	secrets_backup_folder_name := "secrets-backup"
+
+	_, fullConfigFileDirPath, err := GetFullConfigFilePath()
+	if err != nil {
+		return fmt.Errorf("WriteBackupSecrets: unable to get full config folder path [err=%s]", err)
+	}
+
+	// create secrets backup directory
+	fullPathToSecretsBackupFolder := fmt.Sprintf("%s/%s", fullConfigFileDirPath, secrets_backup_folder_name)
+	if _, err := os.Stat(fullPathToSecretsBackupFolder); errors.Is(err, os.ErrNotExist) {
+		err := os.Mkdir(fullPathToSecretsBackupFolder, os.ModePerm)
+		if err != nil {
+			return err
+		}
+	}
+
+	var encryptedSecrets []models.SymmetricEncryptionResult
+	for _, secret := range secrets {
+		marshaledSecrets, _ := json.Marshal(secret)
+		result, err := crypto.EncryptSymmetric(marshaledSecrets, encryptionKey)
+		if err != nil {
+			return err
+		}
+
+		encryptedSecrets = append(encryptedSecrets, result)
+	}
+
+	listOfSecretsMarshalled, _ := json.Marshal(encryptedSecrets)
+	err = os.WriteFile(fmt.Sprintf("%s/%s", fullPathToSecretsBackupFolder, fileName), listOfSecretsMarshalled, os.ModePerm)
+	if err != nil {
+		return fmt.Errorf("WriteBackupSecrets: Unable to write backup secrets to file [err=%s]", err)
+	}
+
+	return nil
+}
+
+func ReadBackupSecrets(workspace string, environment string, encryptionKey []byte) ([]models.SingleEnvironmentVariable, error) {
+	fileName := fmt.Sprintf("secrets_%s_%s", workspace, environment)
+	secrets_backup_folder_name := "secrets-backup"
+
+	_, fullConfigFileDirPath, err := GetFullConfigFilePath()
+	if err != nil {
+		return nil, fmt.Errorf("ReadBackupSecrets: unable to write config file because an error occurred when getting config file path [err=%s]", err)
+	}
+
+	fullPathToSecretsBackupFolder := fmt.Sprintf("%s/%s", fullConfigFileDirPath, secrets_backup_folder_name)
+	if _, err := os.Stat(fullPathToSecretsBackupFolder); errors.Is(err, os.ErrNotExist) {
+		return nil, nil
+	}
+
+	encryptedBackupSecretsFilePath := fmt.Sprintf("%s/%s", fullPathToSecretsBackupFolder, fileName)
+
+	encryptedBackupSecretsAsBytes, err := os.ReadFile(encryptedBackupSecretsFilePath)
+	if err != nil {
+		return nil, err
+	}
+
+	var listOfEncryptedBackupSecrets []models.SymmetricEncryptionResult
+
+	_ = json.Unmarshal(encryptedBackupSecretsAsBytes, &listOfEncryptedBackupSecrets)
+
+	var plainTextSecrets []models.SingleEnvironmentVariable
+	for _, encryptedSecret := range listOfEncryptedBackupSecrets {
+		result, err := crypto.DecryptSymmetric(encryptionKey, encryptedSecret.CipherText, encryptedSecret.AuthTag, encryptedSecret.Nonce)
+		if err != nil {
+			return nil, err
+		}
+
+		var plainTextSecret models.SingleEnvironmentVariable
+
+		err = json.Unmarshal(result, &plainTextSecret)
+		if err != nil {
+			return nil, err
+		}
+
+		plainTextSecrets = append(plainTextSecrets, plainTextSecret)
+	}
+
+	return plainTextSecrets, nil
+
+}
+
+func DeleteBackupSecrets() error {
+	secrets_backup_folder_name := "secrets-backup"
+
+	_, fullConfigFileDirPath, err := GetFullConfigFilePath()
+	if err != nil {
+		return fmt.Errorf("ReadBackupSecrets: unable to write config file because an error occurred when getting config file path [err=%s]", err)
+	}
+
+	fullPathToSecretsBackupFolder := fmt.Sprintf("%s/%s", fullConfigFileDirPath, secrets_backup_folder_name)
+
+	return os.RemoveAll(fullPathToSecretsBackupFolder)
+}

cli/packages/util/vault.go

@@ -57,7 +57,7 @@ func fileKeyringPassphrasePrompt(prompt string) (string, error) {
 	if password, ok := os.LookupEnv("INFISICAL_VAULT_FILE_PASSPHRASE"); ok {
 		return password, nil
 	} else {
-		fmt.Println("You may set the `INFISICAL_VAULT_FILE_PASSPHRASE` environment variable to avoid typing password")
+		fmt.Println("You may set the environment variable `INFISICAL_VAULT_FILE_PASSPHRASE` with your password to avoid typing it")
 	}
 
 	fmt.Fprintf(os.Stderr, "%s:", prompt)
@@ -65,6 +65,7 @@ func fileKeyringPassphrasePrompt(prompt string) (string, error) {
 	if err != nil {
 		return "", err
 	}
+
 	fmt.Println("")
 	return string(b), nil
 }

docker-compose.dev.yml

@@ -46,11 +46,7 @@ services:
       context: ./frontend
       dockerfile: Dockerfile.dev
     volumes:
-      - ./frontend/src/pages:/app/src/pages
-      - ./frontend/src/components:/app/src/components
-      - ./frontend/src/ee:/app/src/ee
-      - ./frontend/src/locales:/app/src/locales
-      - ./frontend/src/styles:/app/src/styles
+      - ./frontend/src:/app/src/ # mounted whole src to avoid missing reload on new files
       - ./frontend/public:/app/public
       - ./frontend/next-i18next.config.js:/app/next-i18next.config.js
     env_file: .env
@@ -58,6 +54,7 @@ services:
       - NEXT_PUBLIC_ENV=development
       - INFISICAL_TELEMETRY_ENABLED=${TELEMETRY_ENABLED}
       - NEXT_PUBLIC_STRIPE_PRODUCT_PRO=${STRIPE_PRODUCT_PRO}
+      - NEXT_PUBLIC_STRIPE_PRODUCT_TEAM=${STRIPE_PRODUCT_TEAM}
       - NEXT_PUBLIC_STRIPE_PRODUCT_STARTER=${STRIPE_PRODUCT_STARTER}
     networks:
       - infisical-dev
@@ -93,7 +90,7 @@ services:
 
   smtp-server:
     container_name: infisical-dev-smtp-server
-    image: mailhog/mailhog
+    image: lytrax/mailhog:latest # https://github.com/mailhog/MailHog/issues/353#issuecomment-821137362
     restart: always
     logging:
       driver: 'none' # disable saving logs

docker-compose.yml

@@ -40,6 +40,7 @@ services:
       # - NEXT_PUBLIC_POSTHOG_API_KEY=${POSTHOG_PROJECT_API_KEY}
       - INFISICAL_TELEMETRY_ENABLED=${TELEMETRY_ENABLED}
       - NEXT_PUBLIC_STRIPE_PRODUCT_PRO=${STRIPE_PRODUCT_PRO}
+      - NEXT_PUBLIC_STRIPE_PRODUCT_TEAM=${STRIPE_PRODUCT_TEAM}
       - NEXT_PUBLIC_STRIPE_PRODUCT_STARTER=${STRIPE_PRODUCT_STARTER}
     networks:
       - infisical

docs/cli/commands/commands.mdx

@@ -1,5 +1,6 @@
 ---
 title: "Commands"
+description: "Infisical CLI command overview"
 ---
 
 ## Commands

docs/cli/commands/export.mdx

@@ -1,5 +1,6 @@
 ---
 title: "infisical export"
+description: "Export Infisical secrets from CLI into different file formats"
 ---
 
 ```bash

docs/cli/commands/init.mdx

@@ -1,5 +1,6 @@
 ---
 title: "infisical init"
+description: "Switch between Infisical projects within CLI"
 ---
 
 ```bash
@@ -8,6 +9,8 @@ infisical init
 
 ## Description
 
-Link a local project to the platform
+Link a local project to your Infisical project. Once connected, you can then access the secrets locally from the connected Infisical project.
 
-The command creates a `infisical.json` file containing your Project ID.
+<Info>
+This command creates a `infisical.json` file containing your Project ID.
+</Info>

docs/cli/commands/login.mdx

@@ -1,5 +1,6 @@
 ---
 title: "infisical login"
+description: "Login into Infisical from the CLI"
 ---
 
 ```bash

docs/cli/commands/run.mdx

@@ -1,5 +1,6 @@
 ---
 title: "infisical run"
+description: "The command that injects your secrets into local environment"
 ---
 
 <Tabs>
@@ -24,13 +25,58 @@ title: "infisical run"
 
 ## Description
 
-Inject environment variables from the platform into an application process.
+Inject secrets from Infisical into your application process.
 
-## Options
 
-| Option         | Description                                                                                                 | Default value |
-| -------------- | ----------------------------------------------------------------------------------------------------------- | ------------- |
-| `--env`        | Used to set the environment that secrets are pulled from. Accepted values: `dev`, `staging`, `test`, `prod` | `dev`         |
-| `--expand`     | Parse shell parameter expansions in your secrets (e.g., `${DOMAIN}`)      | `true`        |
-| `--command`    | Pass secrets into chained commands (e.g., `"first-command && second-command; more-commands..."`)      | None        |
-| `--secret-overriding`|  Prioritizes personal secrets with the same name over shared secrets      | `true`        |
+## Subcommands & flags
+
+<Accordion title="infisical run" defaultOpen="true">
+  Use this command to inject secrets into your applications process
+
+  ```bash
+  $ infisical run -- <your application command>
+
+  # Example 
+  $ infisical run -- npm run dev
+  ```
+
+  ### flags 
+  <Accordion title="--command">
+    Pass secrets into multiple commands at once
+
+    ```bash
+    # Example 
+    infisical run --command="npm run build && npm run dev; more-commands..."
+    ```
+  </Accordion>
+
+  <Accordion title="--token">
+    If you are using a [service token](../../getting-started/dashboard/token) to authenticate, you can pass the token as a flag
+
+    ```bash
+    # Example 
+    infisical run --token="st.63e03c4a97cb4a747186c71e.ed5b46a34c078a8f94e8228f4ab0ff97.4f7f38034811995997d72badf44b42ec" -- npm run start
+    ```
+
+    You may also expose the token to the CLI by setting the environment variable `INFISICAL_TOKEN` before executing the run command. This will have the same effect as setting the token with `--token` flag 
+  </Accordion>
+
+  <Accordion title="--expand">
+    Turn on or off the shell parameter expansion in your secrets. If you have used shell parameters in your secret(s), activating this feature will populate them before injecting them into your application process.
+
+    Default value: `true`
+  </Accordion>
+
+  <Accordion title="--env">
+    This is used to specify the environment from which secrets should be retrieved. The accepted values are the environment slugs defined for your project, such as `dev`, `staging`, `test`, and `prod`.
+    
+    Default value: `dev`
+  </Accordion>
+
+  <Accordion title="--secret-overriding">
+    Prioritizes personal secrets with the same name over shared secrets
+
+    Default value: `true`
+  </Accordion>
+
+</Accordion>

docs/cli/commands/secrets.mdx

@@ -1,5 +1,6 @@
 ---
 title: "infisical secrets"
+description: "Perform CRUD operations with Infisical secrets"
 ---
 
 ```
@@ -13,17 +14,8 @@ This command enables you to perform CRUD (create, read, update, delete) operatio
 <Accordion title="infisical secrets" defaultOpen="true">
   Use this command to print out all of the secrets in your project
 
-  ```
+  ```bash
   $ infisical secrets
-
-  ## Example 
-  $ infisical secrets
-  ┌─────────────┬──────────────┬─────────────┐
-  │ SECRET NAME │ SECRET VALUE │ SECRET TYPE │
-  ├─────────────┼──────────────┼─────────────┤
-  │ DOMAIN      │ example.com  │ shared      │
-  │ HASH        │ jebhfbwe     │ shared      │
-  └─────────────┴──────────────┴─────────────┘
   ```
 
   ### flags 
@@ -44,16 +36,11 @@ This command enables you to perform CRUD (create, read, update, delete) operatio
 <Accordion title="infisical secrets get">
   This command allows you selectively print the requested secrets by name
 
-  ``` 
+  ```bash 
   $ infisical secrets get <secret-name-a> <secret-name-b> ...
 
   # Example
   $ infisical secrets get DOMAIN
-  ┌─────────────┬──────────────┬─────────────┐
-  │ SECRET NAME │ SECRET VALUE │ SECRET TYPE │
-  ├─────────────┼──────────────┼─────────────┤
-  │ DOMAIN      │ example.com  │ shared      │
-  └─────────────┴──────────────┴─────────────┘
 
   ```
 
@@ -69,18 +56,11 @@ This command enables you to perform CRUD (create, read, update, delete) operatio
 This command allows you to set or update secrets in your environment. If the secret key provided already exists, its value will be updated with the new value. 
 If the secret key does not exist, a new secret will be created using both the key and value provided.
 
-```
+```bash
 $ infisical secrets set <key1=value1> <key2=value2>...
 
 ## Example 
 $ infisical secrets set STRIPE_API_KEY=sjdgwkeudyjwe DOMAIN=example.com HASH=jebhfbwe
-┌────────────────┬───────────────┬────────────────────────┐
-│ SECRET NAME    │ SECRET VALUE  │ STATUS                 │
-├────────────────┼───────────────┼────────────────────────┤
-│ STRIPE_API_KEY │ sjdgwkeudyjwe │ SECRET VALUE UNCHANGED │
-│ DOMAIN         │ example.com   │ SECRET VALUE MODIFIED  │
-│ HASH           │ jebhfbwe      │ SECRET CREATED         │
-└────────────────┴───────────────┴────────────────────────┘
 ```
 
   ### Flags 
@@ -94,12 +74,11 @@ $ infisical secrets set STRIPE_API_KEY=sjdgwkeudyjwe DOMAIN=example.com HASH=jeb
 <Accordion title="infisical secrets delete">
   This command allows you to delete secrets by their name(s).
 
-  ```
+  ```bash
   $ infisical secrets delete <keyName1> <keyName2>...
 
   ## Example 
   $ infisical secrets delete STRIPE_API_KEY DOMAIN HASH
-  secret name(s) [STRIPE_API_KEY, DOMAIN, HASH] have been deleted from your project
   ```
 
   ### Flags 

docs/cli/commands/vault.mdx

@@ -1,5 +1,6 @@
 ---
 title: "infisical vault"
+description: "Change the vault type in Infisical"
 ---
 
 <Tabs>