Merge pull request #2699 from Infisical/misc/address-remaining-ui-ux-issues-audit

misc: address other ui/ux issues with audit logs

.env.example

@@ -78,3 +78,5 @@ PLAIN_API_KEY=
 PLAIN_WISH_LABEL_IDS=
 
 SSL_CLIENT_CERTIFICATE_HEADER_KEY=
+
+ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=

.github/workflows/deployment-pipeline.yml

@@ -170,6 +170,12 @@ jobs:
         - uses: twingate/github-action@v1
           with:
             service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
+        - name: Configure AWS Credentials 
+          uses: aws-actions/configure-aws-credentials@v4
+          with:
+            audience: sts.amazonaws.com
+            aws-region: eu-central-1
+            role-to-assume: arn:aws:iam::345594589636:role/gha-make-prod-deployment
         - name: Checkout code
           uses: actions/checkout@v2
         - name: Setup Node.js environment
@@ -183,12 +189,6 @@ jobs:
             cd backend
             npm install
             npm run migration:latest
-        - name: Configure AWS Credentials 
-          uses: aws-actions/configure-aws-credentials@v4
-          with:
-            audience: sts.eu-central-1.amazonaws.com
-            aws-region: eu-central-1
-            role-to-assume: arn:aws:iam::345594589636:role/gha-make-prod-deployment
         - name: Save commit hashes for tag
           id: commit
           uses: pr-mpt/actions-commit-hash@v2

backend/e2e-test/routes/v1/identity.spec.ts

@@ -34,7 +34,7 @@ describe("Identity v1", async () => {
   test("Create identity", async () => {
     const newIdentity = await createIdentity("mac1", OrgMembershipRole.Admin);
     expect(newIdentity.name).toBe("mac1");
-    expect(newIdentity.authMethod).toBeNull();
+    expect(newIdentity.authMethods).toEqual([]);
 
     await deleteIdentity(newIdentity.id);
   });
@@ -42,7 +42,7 @@ describe("Identity v1", async () => {
   test("Update identity", async () => {
     const newIdentity = await createIdentity("mac1", OrgMembershipRole.Admin);
     expect(newIdentity.name).toBe("mac1");
-    expect(newIdentity.authMethod).toBeNull();
+    expect(newIdentity.authMethods).toEqual([]);
 
     const updatedIdentity = await testServer.inject({
       method: "PATCH",

backend/package.json

@@ -44,7 +44,7 @@
     "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
     "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
     "generate:component": "tsx ./scripts/create-backend-file.ts",
-    "generate:schema": "tsx ./scripts/generate-schema-types.ts",
+    "generate:schema": "tsx ./scripts/generate-schema-types.ts && eslint --fix --ext ts ./src/db/schemas",
     "auditlog-migration:latest": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:latest",
     "auditlog-migration:up": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:up",
     "auditlog-migration:down": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:down",
@@ -156,11 +156,12 @@
     "connect-redis": "^7.1.1",
     "cron": "^3.1.7",
     "dotenv": "^16.4.1",
-    "fastify": "^4.26.0",
+    "fastify": "^4.28.1",
     "fastify-plugin": "^4.5.1",
     "google-auth-library": "^9.9.0",
     "googleapis": "^137.1.0",
     "handlebars": "^4.7.8",
+    "hdb": "^0.19.10",
     "ioredis": "^5.3.2",
     "jmespath": "^0.16.0",
     "jsonwebtoken": "^9.0.2",
@@ -195,6 +196,7 @@
     "scim2-parse-filter": "^0.2.10",
     "sjcl": "^1.0.8",
     "smee-client": "^2.0.0",
+    "snowflake-sdk": "^1.14.0",
     "tedious": "^18.2.1",
     "tweetnacl": "^1.0.3",
     "tweetnacl-util": "^0.15.1",

backend/src/@types/hdb.d.ts

@@ -0,0 +1,4 @@
+declare module "hdb" {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Untyped, the function returns `any`.
+  function createClient(options): any;
+}

backend/src/db/migrations/20231222172455_integration.ts

@@ -9,7 +9,7 @@ export async function up(knex: Knex): Promise<void> {
       t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
       t.string("integration").notNullable();
       t.string("teamId"); // vercel-specific
-      t.string("url"); // for self hosted
+      t.string("url"); // for self-hosted
       t.string("namespace"); // hashicorp specific
       t.string("accountId"); // netlify
       t.text("refreshCiphertext");
@@ -36,7 +36,7 @@ export async function up(knex: Knex): Promise<void> {
     await knex.schema.createTable(TableName.Integration, (t) => {
       t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
       t.boolean("isActive").notNullable();
-      t.string("url"); // self hosted
+      t.string("url"); // self-hosted
       t.string("app"); // name of app in provider
       t.string("appId");
       t.string("targetEnvironment");

backend/src/db/migrations/20241014084900_identity-multiple-auth-methods.ts

@@ -0,0 +1,76 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+const BATCH_SIZE = 30_000;
+
+export async function up(knex: Knex): Promise<void> {
+  const hasAuthMethodColumnAccessToken = await knex.schema.hasColumn(TableName.IdentityAccessToken, "authMethod");
+
+  if (!hasAuthMethodColumnAccessToken) {
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.string("authMethod").nullable();
+    });
+
+    let nullableAccessTokens = await knex(TableName.IdentityAccessToken).whereNull("authMethod").limit(BATCH_SIZE);
+    let totalUpdated = 0;
+
+    do {
+      const batchIds = nullableAccessTokens.map((token) => token.id);
+
+      // ! Update the auth method column in batches for the current batch
+      // eslint-disable-next-line no-await-in-loop
+      await knex(TableName.IdentityAccessToken)
+        .whereIn("id", batchIds)
+        .update({
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore because generate schema happens after this
+          authMethod: knex(TableName.Identity)
+            .select("authMethod")
+            .whereRaw(`${TableName.IdentityAccessToken}."identityId" = ${TableName.Identity}.id`)
+            .whereNotNull("authMethod")
+            .first()
+        });
+
+      // eslint-disable-next-line no-await-in-loop
+      nullableAccessTokens = await knex(TableName.IdentityAccessToken).whereNull("authMethod").limit(BATCH_SIZE);
+
+      totalUpdated += batchIds.length;
+      console.log(`Updated ${batchIds.length} access tokens in batch <> Total updated: ${totalUpdated}`);
+    } while (nullableAccessTokens.length > 0);
+
+    // ! We delete all access tokens where the identity has no auth method set!
+    // ! Which means un-configured identities that for some reason have access tokens, will have their access tokens deleted.
+    await knex(TableName.IdentityAccessToken)
+      .whereNotExists((queryBuilder) => {
+        void queryBuilder
+          .select("id")
+          .from(TableName.Identity)
+          .whereRaw(`${TableName.IdentityAccessToken}."identityId" = ${TableName.Identity}.id`)
+          .whereNotNull("authMethod");
+      })
+      .delete();
+
+    // Finally we set the authMethod to notNullable after populating the column.
+    // This will fail if the data is not populated correctly, so it's safe.
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.string("authMethod").notNullable().alter();
+    });
+  }
+
+  // ! We aren't dropping the authMethod column from the Identity itself, because we wan't to be able to easily rollback for the time being.
+}
+
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+export async function down(knex: Knex): Promise<void> {
+  const hasAuthMethodColumnAccessToken = await knex.schema.hasColumn(TableName.IdentityAccessToken, "authMethod");
+
+  if (hasAuthMethodColumnAccessToken) {
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.dropColumn("authMethod");
+    });
+  }
+}
+
+const config = { transaction: false };
+export { config };

backend/src/db/schemas/identity-access-tokens.ts

@@ -20,7 +20,8 @@ export const IdentityAccessTokensSchema = z.object({
   identityId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  name: z.string().nullable().optional()
+  name: z.string().nullable().optional(),
+  authMethod: z.string()
 });
 
 export type TIdentityAccessTokens = z.infer<typeof IdentityAccessTokensSchema>;

backend/src/db/schemas/models.ts

@@ -189,7 +189,7 @@ export enum ProjectUpgradeStatus {
 
 export enum IdentityAuthMethod {
   TOKEN_AUTH = "token-auth",
-  Univeral = "universal-auth",
+  UNIVERSAL_AUTH = "universal-auth",
   KUBERNETES_AUTH = "kubernetes-auth",
   GCP_AUTH = "gcp-auth",
   AWS_AUTH = "aws-auth",

backend/src/db/seeds/5-machine-identity.ts

@@ -16,7 +16,7 @@ export async function seed(knex: Knex): Promise<void> {
       // @ts-ignore
       id: seedData1.machineIdentity.id,
       name: seedData1.machineIdentity.name,
-      authMethod: IdentityAuthMethod.Univeral
+      authMethod: IdentityAuthMethod.UNIVERSAL_AUTH
     }
   ]);
   const identityUa = await knex(TableName.IdentityUniversalAuth)

backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts

@@ -0,0 +1,20 @@
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
+import { getDbConnectionHost } from "@app/lib/knex";
+
+export const verifyHostInputValidity = (host: string) => {
+  const appCfg = getConfig();
+  const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
+
+  if (
+    appCfg.isCloud &&
+    // localhost
+    // internal ips
+    (host === "host.docker.internal" || host.match(/^10\.\d+\.\d+\.\d+/) || host.match(/^192\.168\.\d+\.\d+/))
+  )
+    throw new BadRequestError({ message: "Invalid db host" });
+
+  if (host === "localhost" || host === "127.0.0.1" || dbHost === host) {
+    throw new BadRequestError({ message: "Invalid db host" });
+  }
+};

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -9,7 +9,7 @@ import {
 } from "@app/ee/services/permission/project-permission";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { OrderByDirection } from "@app/lib/types";
+import { OrderByDirection, ProjectServiceActor } from "@app/lib/types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 
@@ -22,6 +22,7 @@ import {
   TDeleteDynamicSecretDTO,
   TDetailsDynamicSecretDTO,
   TGetDynamicSecretsCountDTO,
+  TListDynamicSecretsByFolderMappingsDTO,
   TListDynamicSecretsDTO,
   TListDynamicSecretsMultiEnvDTO,
   TUpdateDynamicSecretDTO
@@ -454,8 +455,44 @@ export const dynamicSecretServiceFactory = ({
     return dynamicSecretCfg;
   };
 
+  const listDynamicSecretsByFolderIds = async (
+    { folderMappings, filters, projectId }: TListDynamicSecretsByFolderMappingsDTO,
+    actor: ProjectServiceActor
+  ) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
+      permission.can(
+        ProjectPermissionDynamicSecretActions.ReadRootCredential,
+        subject(ProjectPermissionSub.DynamicSecrets, { environment, secretPath: path })
+      )
+    );
+
+    const groupedFolderMappings = new Map(userAccessibleFolderMappings.map((path) => [path.folderId, path]));
+
+    const dynamicSecrets = await dynamicSecretDAL.listDynamicSecretsByFolderIds({
+      folderIds: userAccessibleFolderMappings.map(({ folderId }) => folderId),
+      ...filters
+    });
+
+    return dynamicSecrets.map((dynamicSecret) => {
+      const { environment, path } = groupedFolderMappings.get(dynamicSecret.folderId)!;
+      return {
+        ...dynamicSecret,
+        environment,
+        path
+      };
+    });
+  };
+
   // get dynamic secrets for multiple envs
-  const listDynamicSecretsByFolderIds = async ({
+  const listDynamicSecretsByEnvs = async ({
     actorAuthMethod,
     actorOrgId,
     actorId,
@@ -521,9 +558,10 @@ export const dynamicSecretServiceFactory = ({
     deleteByName,
     getDetails,
     listDynamicSecretsByEnv,
-    listDynamicSecretsByFolderIds,
+    listDynamicSecretsByEnvs,
     getDynamicSecretCount,
     getCountMultiEnv,
-    fetchAzureEntraIdUsers
+    fetchAzureEntraIdUsers,
+    listDynamicSecretsByFolderIds
   };
 };

backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts

@@ -48,17 +48,27 @@ export type TDetailsDynamicSecretDTO = {
   projectSlug: string;
 } & Omit<TProjectPermission, "projectId">;
 
-export type TListDynamicSecretsDTO = {
-  path: string;
-  environmentSlug: string;
-  projectSlug?: string;
-  projectId?: string;
+export type ListDynamicSecretsFilters = {
   offset?: number;
   limit?: number;
   orderBy?: SecretsOrderBy;
   orderDirection?: OrderByDirection;
   search?: string;
-} & Omit<TProjectPermission, "projectId">;
+};
+
+export type TListDynamicSecretsDTO = {
+  path: string;
+  environmentSlug: string;
+  projectSlug?: string;
+  projectId?: string;
+} & ListDynamicSecretsFilters &
+  Omit<TProjectPermission, "projectId">;
+
+export type TListDynamicSecretsByFolderMappingsDTO = {
+  projectId: string;
+  folderMappings: { folderId: string; path: string; environment: string }[];
+  filters: ListDynamicSecretsFilters;
+};
 
 export type TListDynamicSecretsMultiEnvDTO = Omit<
   TListDynamicSecretsDTO,

backend/src/ee/services/dynamic-secret/providers/elastic-search.ts

@@ -2,10 +2,9 @@ import { Client as ElasticSearchClient } from "@elastic/elasticsearch";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretElasticSearchSchema, ElasticSearchAuthTypes, TDynamicProviderFns } from "./models";
 
 const generatePassword = () => {
@@ -19,23 +18,8 @@ const generateUsername = () => {
 
 export const ElasticSearchProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
-    const appCfg = getConfig();
-    const isCloud = Boolean(appCfg.LICENSE_SERVER_KEY); // quick and dirty way to check if its cloud or not
-
     const providerInputs = await DynamicSecretElasticSearchSchema.parseAsync(inputs);
-    if (
-      isCloud &&
-      // localhost
-      // internal ips
-      (providerInputs.host === "host.docker.internal" ||
-        providerInputs.host.match(/^10\.\d+\.\d+\.\d+/) ||
-        providerInputs.host.match(/^192\.168\.\d+\.\d+/))
-    ) {
-      throw new BadRequestError({ message: "Invalid db host" });
-    }
-    if (providerInputs.host === "localhost" || providerInputs.host === "127.0.0.1") {
-      throw new BadRequestError({ message: "Invalid db host" });
-    }
+    verifyHostInputValidity(providerInputs.host);
 
     return providerInputs;
   };

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -1,3 +1,5 @@
+import { SnowflakeProvider } from "@app/ee/services/dynamic-secret/providers/snowflake";
+
 import { AwsElastiCacheDatabaseProvider } from "./aws-elasticache";
 import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
@@ -9,6 +11,7 @@ import { MongoAtlasProvider } from "./mongo-atlas";
 import { MongoDBProvider } from "./mongo-db";
 import { RabbitMqProvider } from "./rabbit-mq";
 import { RedisDatabaseProvider } from "./redis";
+import { SapHanaProvider } from "./sap-hana";
 import { SqlDatabaseProvider } from "./sql-database";
 
 export const buildDynamicSecretProviders = () => ({
@@ -22,5 +25,7 @@ export const buildDynamicSecretProviders = () => ({
   [DynamicSecretProviders.ElasticSearch]: ElasticSearchProvider(),
   [DynamicSecretProviders.RabbitMq]: RabbitMqProvider(),
   [DynamicSecretProviders.AzureEntraID]: AzureEntraIDProvider(),
-  [DynamicSecretProviders.Ldap]: LdapProvider()
+  [DynamicSecretProviders.Ldap]: LdapProvider(),
+  [DynamicSecretProviders.SapHana]: SapHanaProvider(),
+  [DynamicSecretProviders.Snowflake]: SnowflakeProvider()
 });

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -166,6 +166,27 @@ export const DynamicSecretMongoDBSchema = z.object({
     )
 });
 
+export const DynamicSecretSapHanaSchema = z.object({
+  host: z.string().trim().toLowerCase(),
+  port: z.number(),
+  username: z.string().trim(),
+  password: z.string().trim(),
+  creationStatement: z.string().trim(),
+  revocationStatement: z.string().trim(),
+  renewStatement: z.string().trim().optional(),
+  ca: z.string().optional()
+});
+
+export const DynamicSecretSnowflakeSchema = z.object({
+  accountId: z.string().trim().min(1),
+  orgId: z.string().trim().min(1),
+  username: z.string().trim().min(1),
+  password: z.string().trim().min(1),
+  creationStatement: z.string().trim().min(1),
+  revocationStatement: z.string().trim().min(1),
+  renewStatement: z.string().trim().optional()
+});
+
 export const AzureEntraIDSchema = z.object({
   tenantId: z.string().trim().min(1),
   userId: z.string().trim().min(1),
@@ -196,7 +217,9 @@ export enum DynamicSecretProviders {
   MongoDB = "mongo-db",
   RabbitMq = "rabbit-mq",
   AzureEntraID = "azure-entra-id",
-  Ldap = "ldap"
+  Ldap = "ldap",
+  SapHana = "sap-hana",
+  Snowflake = "snowflake"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -204,13 +227,15 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.Cassandra), inputs: DynamicSecretCassandraSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.AwsIam), inputs: DynamicSecretAwsIamSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Redis), inputs: DynamicSecretRedisDBSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.SapHana), inputs: DynamicSecretSapHanaSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.AwsElastiCache), inputs: DynamicSecretAwsElastiCacheSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.MongoAtlas), inputs: DynamicSecretMongoAtlasSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.ElasticSearch), inputs: DynamicSecretElasticSearchSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.MongoDB), inputs: DynamicSecretMongoDBSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.RabbitMq), inputs: DynamicSecretRabbitMqSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Ldap), inputs: LdapSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Ldap), inputs: LdapSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Snowflake), inputs: DynamicSecretSnowflakeSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/dynamic-secret/providers/mongo-db.ts

@@ -2,10 +2,9 @@ import { MongoClient } from "mongodb";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretMongoDBSchema, TDynamicProviderFns } from "./models";
 
 const generatePassword = (size = 48) => {
@@ -19,22 +18,8 @@ const generateUsername = () => {
 
 export const MongoDBProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
-    const appCfg = getConfig();
     const providerInputs = await DynamicSecretMongoDBSchema.parseAsync(inputs);
-    if (
-      appCfg.isCloud &&
-      // localhost
-      // internal ips
-      (providerInputs.host === "host.docker.internal" ||
-        providerInputs.host.match(/^10\.\d+\.\d+\.\d+/) ||
-        providerInputs.host.match(/^192\.168\.\d+\.\d+/))
-    )
-      throw new BadRequestError({ message: "Invalid db host" });
-
-    if (providerInputs.host === "localhost" || providerInputs.host === "127.0.0.1") {
-      throw new BadRequestError({ message: "Invalid db host" });
-    }
-
+    verifyHostInputValidity(providerInputs.host);
     return providerInputs;
   };
 

backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts

@@ -3,12 +3,11 @@ import https from "https";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretRabbitMqSchema, TDynamicProviderFns } from "./models";
 
 const generatePassword = () => {
@@ -79,23 +78,8 @@ async function deleteRabbitMqUser({ axiosInstance, usernameToDelete }: TDeleteRa
 
 export const RabbitMqProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
-    const appCfg = getConfig();
-    const isCloud = Boolean(appCfg.LICENSE_SERVER_KEY); // quick and dirty way to check if its cloud or not
-
     const providerInputs = await DynamicSecretRabbitMqSchema.parseAsync(inputs);
-    if (
-      isCloud &&
-      // localhost
-      // internal ips
-      (providerInputs.host === "host.docker.internal" ||
-        providerInputs.host.match(/^10\.\d+\.\d+\.\d+/) ||
-        providerInputs.host.match(/^192\.168\.\d+\.\d+/))
-    ) {
-      throw new BadRequestError({ message: "Invalid db host" });
-    }
-    if (providerInputs.host === "localhost" || providerInputs.host === "127.0.0.1") {
-      throw new BadRequestError({ message: "Invalid db host" });
-    }
+    verifyHostInputValidity(providerInputs.host);
 
     return providerInputs;
   };

backend/src/ee/services/dynamic-secret/providers/redis.ts

@@ -3,11 +3,10 @@ import { Redis } from "ioredis";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
-import { getDbConnectionHost } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretRedisDBSchema, TDynamicProviderFns } from "./models";
 
 const generatePassword = () => {
@@ -51,22 +50,8 @@ const executeTransactions = async (connection: Redis, commands: string[]): Promi
 
 export const RedisDatabaseProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
-    const appCfg = getConfig();
-    const isCloud = Boolean(appCfg.LICENSE_SERVER_KEY); // quick and dirty way to check if its cloud or not
-    const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
-
     const providerInputs = await DynamicSecretRedisDBSchema.parseAsync(inputs);
-    if (
-      isCloud &&
-      // localhost
-      // internal ips
-      (providerInputs.host === "host.docker.internal" ||
-        providerInputs.host.match(/^10\.\d+\.\d+\.\d+/) ||
-        providerInputs.host.match(/^192\.168\.\d+\.\d+/))
-    )
-      throw new BadRequestError({ message: "Invalid db host" });
-    if (providerInputs.host === "localhost" || providerInputs.host === "127.0.0.1" || dbHost === providerInputs.host)
-      throw new BadRequestError({ message: "Invalid db host" });
+    verifyHostInputValidity(providerInputs.host);
     return providerInputs;
   };
 

backend/src/ee/services/dynamic-secret/providers/sap-hana.ts

@@ -0,0 +1,174 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
+/* eslint-disable @typescript-eslint/no-unsafe-member-access */
+/* eslint-disable @typescript-eslint/no-unsafe-call */
+/* eslint-disable @typescript-eslint/no-unsafe-return */
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
+
+import handlebars from "handlebars";
+import hdb from "hdb";
+import { customAlphabet } from "nanoid";
+import { z } from "zod";
+
+import { BadRequestError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
+import { DynamicSecretSapHanaSchema, TDynamicProviderFns } from "./models";
+
+const generatePassword = (size = 48) => {
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  return customAlphabet(charset, 48)(size);
+};
+
+const generateUsername = () => {
+  return alphaNumericNanoId(32);
+};
+
+export const SapHanaProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretSapHanaSchema.parseAsync(inputs);
+
+    verifyHostInputValidity(providerInputs.host);
+    return providerInputs;
+  };
+
+  const getClient = async (providerInputs: z.infer<typeof DynamicSecretSapHanaSchema>) => {
+    const client = hdb.createClient({
+      host: providerInputs.host,
+      port: providerInputs.port,
+      user: providerInputs.username,
+      password: providerInputs.password,
+      ...(providerInputs.ca
+        ? {
+            ca: providerInputs.ca
+          }
+        : {})
+    });
+
+    await new Promise((resolve, reject) => {
+      client.connect((err: any) => {
+        if (err) {
+          return reject(err);
+        }
+
+        if (client.readyState) {
+          return resolve(true);
+        }
+
+        reject(new Error("SAP HANA client not ready"));
+      });
+    });
+
+    return client;
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await getClient(providerInputs);
+
+    const testResult: boolean = await new Promise((resolve, reject) => {
+      client.exec("SELECT 1 FROM DUMMY;", (err: any) => {
+        if (err) {
+          reject();
+        }
+
+        resolve(true);
+      });
+    });
+
+    return testResult;
+  };
+
+  const create = async (inputs: unknown, expireAt: number) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const username = generateUsername();
+    const password = generatePassword();
+    const expiration = new Date(expireAt).toISOString();
+
+    const client = await getClient(providerInputs);
+    const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
+      username,
+      password,
+      expiration
+    });
+
+    const queries = creationStatement.toString().split(";").filter(Boolean);
+    for await (const query of queries) {
+      await new Promise((resolve, reject) => {
+        client.exec(query, (err: any) => {
+          if (err) {
+            reject(
+              new BadRequestError({
+                message: err.message
+              })
+            );
+          }
+          resolve(true);
+        });
+      });
+    }
+
+    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+  };
+
+  const revoke = async (inputs: unknown, username: string) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await getClient(providerInputs);
+    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
+    const queries = revokeStatement.toString().split(";").filter(Boolean);
+    for await (const query of queries) {
+      await new Promise((resolve, reject) => {
+        client.exec(query, (err: any) => {
+          if (err) {
+            reject(
+              new BadRequestError({
+                message: err.message
+              })
+            );
+          }
+          resolve(true);
+        });
+      });
+    }
+
+    return { entityId: username };
+  };
+
+  const renew = async (inputs: unknown, username: string, expireAt: number) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await getClient(providerInputs);
+    try {
+      const expiration = new Date(expireAt).toISOString();
+
+      const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username, expiration });
+      const queries = renewStatement.toString().split(";").filter(Boolean);
+      for await (const query of queries) {
+        await new Promise((resolve, reject) => {
+          client.exec(query, (err: any) => {
+            if (err) {
+              reject(
+                new BadRequestError({
+                  message: err.message
+                })
+              );
+            }
+            resolve(true);
+          });
+        });
+      }
+    } finally {
+      client.disconnect();
+    }
+
+    return { entityId: username };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/snowflake.ts

@@ -0,0 +1,174 @@
+import handlebars from "handlebars";
+import { customAlphabet } from "nanoid";
+import snowflake from "snowflake-sdk";
+import { z } from "zod";
+
+import { BadRequestError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { DynamicSecretSnowflakeSchema, TDynamicProviderFns } from "./models";
+
+// destroy client requires callback...
+const noop = () => {};
+
+const generatePassword = (size = 48) => {
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  return customAlphabet(charset, 48)(size);
+};
+
+const generateUsername = () => {
+  return `infisical_${alphaNumericNanoId(32)}`; // username must start with alpha character, hence prefix
+};
+
+const getDaysToExpiry = (expiryDate: Date) => {
+  const start = new Date().getTime();
+  const end = new Date(expiryDate).getTime();
+  const diffTime = Math.abs(end - start);
+
+  return Math.ceil(diffTime / (1000 * 60 * 60 * 24));
+};
+
+export const SnowflakeProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretSnowflakeSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const getClient = async (providerInputs: z.infer<typeof DynamicSecretSnowflakeSchema>) => {
+    const client = snowflake.createConnection({
+      account: `${providerInputs.orgId}-${providerInputs.accountId}`,
+      username: providerInputs.username,
+      password: providerInputs.password,
+      application: "Infisical"
+    });
+
+    await client.connectAsync(noop);
+
+    return client;
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await getClient(providerInputs);
+
+    let isValidConnection: boolean;
+
+    try {
+      isValidConnection = await Promise.race([
+        client.isValidAsync(),
+        new Promise((resolve) => {
+          setTimeout(resolve, 10000);
+        }).then(() => {
+          throw new BadRequestError({ message: "Unable to establish connection - verify credentials" });
+        })
+      ]);
+    } finally {
+      client.destroy(noop);
+    }
+
+    return isValidConnection;
+  };
+
+  const create = async (inputs: unknown, expireAt: number) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const client = await getClient(providerInputs);
+
+    const username = generateUsername();
+    const password = generatePassword();
+
+    try {
+      const expiration = getDaysToExpiry(new Date(expireAt));
+      const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
+        username,
+        password,
+        expiration
+      });
+
+      await new Promise((resolve, reject) => {
+        client.execute({
+          sqlText: creationStatement,
+          complete(err) {
+            if (err) {
+              return reject(new BadRequestError({ name: "CreateLease", message: err.message }));
+            }
+
+            return resolve(true);
+          }
+        });
+      });
+    } finally {
+      client.destroy(noop);
+    }
+
+    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+  };
+
+  const revoke = async (inputs: unknown, username: string) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const client = await getClient(providerInputs);
+
+    try {
+      const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
+
+      await new Promise((resolve, reject) => {
+        client.execute({
+          sqlText: revokeStatement,
+          complete(err) {
+            if (err) {
+              return reject(new BadRequestError({ name: "RevokeLease", message: err.message }));
+            }
+
+            return resolve(true);
+          }
+        });
+      });
+    } finally {
+      client.destroy(noop);
+    }
+
+    return { entityId: username };
+  };
+
+  const renew = async (inputs: unknown, username: string, expireAt: number) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    if (!providerInputs.renewStatement) return { entityId: username };
+
+    const client = await getClient(providerInputs);
+
+    try {
+      const expiration = getDaysToExpiry(new Date(expireAt));
+      const renewStatement = handlebars.compile(providerInputs.renewStatement)({
+        username,
+        expiration
+      });
+
+      await new Promise((resolve, reject) => {
+        client.execute({
+          sqlText: renewStatement,
+          complete(err) {
+            if (err) {
+              return reject(new BadRequestError({ name: "RenewLease", message: err.message }));
+            }
+
+            return resolve(true);
+          }
+        });
+      });
+    } finally {
+      client.destroy(noop);
+    }
+
+    return { entityId: username };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -3,11 +3,9 @@ import knex from "knex";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
-import { getDbConnectionHost } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretSqlDBSchema, SqlProviders, TDynamicProviderFns } from "./models";
 
 const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
@@ -29,27 +27,8 @@ const generateUsername = (provider: SqlProviders) => {
 
 export const SqlDatabaseProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
-    const appCfg = getConfig();
-    const isCloud = Boolean(appCfg.LICENSE_SERVER_KEY); // quick and dirty way to check if its cloud or not
-    const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
-
     const providerInputs = await DynamicSecretSqlDBSchema.parseAsync(inputs);
-    if (
-      isCloud &&
-      // localhost
-      // internal ips
-      (providerInputs.host === "host.docker.internal" ||
-        providerInputs.host.match(/^10\.\d+\.\d+\.\d+/) ||
-        providerInputs.host.match(/^192\.168\.\d+\.\d+/))
-    )
-      throw new BadRequestError({ message: "Invalid db host" });
-    if (
-      providerInputs.host === "localhost" ||
-      providerInputs.host === "127.0.0.1" ||
-      // database infisical uses
-      dbHost === providerInputs.host
-    )
-      throw new BadRequestError({ message: "Invalid db host" });
+    verifyHostInputValidity(providerInputs.host);
     return providerInputs;
   };
 

backend/src/ee/services/license/license-service.ts

@@ -129,7 +129,7 @@ export const licenseServiceFactory = ({
         }
       }
 
-      // this means this is self hosted oss version
+      // this means this is the self-hosted oss version
       // else it would reach catch statement
       isValidLicense = true;
     } catch (error) {

backend/src/ee/services/permission/project-permission.ts

@@ -694,31 +694,35 @@ export const buildServiceTokenProjectPermission = (
   const canRead = permission.includes("read");
   const { can, build } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
   scopes.forEach(({ secretPath, environment }) => {
-    if (canWrite) {
-      // TODO: @Akhi
-      // @ts-expect-error type
-      can(ProjectPermissionActions.Edit, ProjectPermissionSub.Secrets, {
-        secretPath: { $glob: secretPath },
-        environment
-      });
-      // @ts-expect-error type
-      can(ProjectPermissionActions.Create, ProjectPermissionSub.Secrets, {
-        secretPath: { $glob: secretPath },
-        environment
-      });
-      // @ts-expect-error type
-      can(ProjectPermissionActions.Delete, ProjectPermissionSub.Secrets, {
-        secretPath: { $glob: secretPath },
-        environment
-      });
-    }
-    if (canRead) {
-      // @ts-expect-error type
-      can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets, {
-        secretPath: { $glob: secretPath },
-        environment
-      });
-    }
+    [ProjectPermissionSub.Secrets, ProjectPermissionSub.SecretImports, ProjectPermissionSub.SecretFolders].forEach(
+      (subject) => {
+        if (canWrite) {
+          // TODO: @Akhi
+          // @ts-expect-error type
+          can(ProjectPermissionActions.Edit, subject, {
+            secretPath: { $glob: secretPath },
+            environment
+          });
+          // @ts-expect-error type
+          can(ProjectPermissionActions.Create, subject, {
+            secretPath: { $glob: secretPath },
+            environment
+          });
+          // @ts-expect-error type
+          can(ProjectPermissionActions.Delete, subject, {
+            secretPath: { $glob: secretPath },
+            environment
+          });
+        }
+        if (canRead) {
+          // @ts-expect-error type
+          can(ProjectPermissionActions.Read, subject, {
+            secretPath: { $glob: secretPath },
+            environment
+          });
+        }
+      }
+    );
   });
 
   return build({ conditionsMatcher });

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -267,7 +267,8 @@ export const secretApprovalRequestServiceFactory = ({
                 : "",
               secretComment: el.secretVersion.encryptedComment
                 ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedComment }).toString()
-                : ""
+                : "",
+              tags: el.secretVersion.tags
             }
           : undefined
       }));
@@ -571,7 +572,7 @@ export const secretApprovalRequestServiceFactory = ({
                     reminderNote: el.reminderNote,
                     skipMultilineEncoding: el.skipMultilineEncoding,
                     key: el.key,
-                    tagIds: el?.tags.map(({ id }) => id),
+                    tags: el?.tags.map(({ id }) => id),
                     ...encryptedValue
                   }
                 };

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts

@@ -85,7 +85,8 @@ export const secretRotationDbFn = async ({
   password,
   username,
   client,
-  variables
+  variables,
+  options
 }: TSecretRotationDbFn) => {
   const appCfg = getConfig();
 
@@ -117,7 +118,8 @@ export const secretRotationDbFn = async ({
       password,
       connectionTimeoutMillis: EXTERNAL_REQUEST_TIMEOUT,
       ssl,
-      pool: { min: 0, max: 1 }
+      pool: { min: 0, max: 1 },
+      options
     }
   });
   const data = await db.raw(query, variables);
@@ -153,6 +155,14 @@ export const getDbSetQuery = (db: TDbProviderClients, variables: { username: str
       variables: [variables.username]
     };
   }
+
+  if (db === TDbProviderClients.MsSqlServer) {
+    return {
+      query: `ALTER LOGIN ?? WITH PASSWORD = '${variables.password}'`,
+      variables: [variables.username]
+    };
+  }
+
   // add more based on client
   return {
     query: `ALTER USER ?? IDENTIFIED BY '${variables.password}'`,

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-types.ts

@@ -24,4 +24,5 @@ export type TSecretRotationDbFn = {
   query: string;
   variables: unknown[];
   ca?: string;
+  options?: Record<string, unknown>;
 };

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -94,7 +94,9 @@ export const secretRotationQueueFactory = ({
           // on prod it this will be in days, in development this will be second
           every: appCfg.NODE_ENV === "development" ? secondsToMillis(interval) : daysToMillisecond(interval),
           immediately: true
-        }
+        },
+        removeOnComplete: true,
+        removeOnFail: true
       }
     );
   };
@@ -114,6 +116,7 @@ export const secretRotationQueueFactory = ({
 
   queue.start(QueueName.SecretRotation, async (job) => {
     const { rotationId } = job.data;
+    const appCfg = getConfig();
     logger.info(`secretRotationQueue.process: [rotationDocument=${rotationId}]`);
     const secretRotation = await secretRotationDAL.findById(rotationId);
     const rotationProvider = rotationTemplates.find(({ name }) => name === secretRotation?.provider);
@@ -172,6 +175,15 @@ export const secretRotationQueueFactory = ({
         // set a random value for new password
         newCredential.internal.rotated_password = alphaNumericNanoId(32);
         const { admin_username: username, admin_password: password, host, database, port, ca } = newCredential.inputs;
+
+        const options =
+          provider.template.client === TDbProviderClients.MsSqlServer
+            ? ({
+                encrypt: appCfg.ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT,
+                cryptoCredentialsDetails: ca ? { ca } : {}
+              } as Record<string, unknown>)
+            : undefined;
+
         const dbFunctionArg = {
           username,
           password,
@@ -179,8 +191,10 @@ export const secretRotationQueueFactory = ({
           database,
           port,
           ca: ca as string,
-          client: provider.template.client === TDbProviderClients.MySql ? "mysql2" : provider.template.client
+          client: provider.template.client === TDbProviderClients.MySql ? "mysql2" : provider.template.client,
+          options
         } as TSecretRotationDbFn;
+
         // set function
         await secretRotationDbFn({
           ...dbFunctionArg,
@@ -189,12 +203,17 @@ export const secretRotationQueueFactory = ({
             username: newCredential.internal.username as string
           })
         });
+
         // test function
+        const testQuery =
+          provider.template.client === TDbProviderClients.MsSqlServer ? "SELECT GETDATE()" : "SELECT NOW()";
+
         await secretRotationDbFn({
           ...dbFunctionArg,
-          query: "SELECT NOW()",
+          query: testQuery,
           variables: []
         });
+
         newCredential.outputs.db_username = newCredential.internal.username;
         newCredential.outputs.db_password = newCredential.internal.rotated_password;
         // clean up

backend/src/ee/services/secret-rotation/templates/index.ts

@@ -1,4 +1,5 @@
 import { AWS_IAM_TEMPLATE } from "./aws-iam";
+import { MSSQL_TEMPLATE } from "./mssql";
 import { MYSQL_TEMPLATE } from "./mysql";
 import { POSTGRES_TEMPLATE } from "./postgres";
 import { SENDGRID_TEMPLATE } from "./sendgrid";
@@ -26,6 +27,13 @@ export const rotationTemplates: TSecretRotationProviderTemplate[] = [
     description: "Rotate MySQL@7/MariaDB user credentials",
     template: MYSQL_TEMPLATE
   },
+  {
+    name: "mssql",
+    title: "Microsoft SQL Server",
+    image: "mssqlserver.png",
+    description: "Rotate Microsoft SQL server user credentials",
+    template: MSSQL_TEMPLATE
+  },
   {
     name: "aws-iam",
     title: "AWS IAM",

backend/src/ee/services/secret-rotation/templates/mssql.ts

@@ -0,0 +1,33 @@
+import { TDbProviderClients, TProviderFunctionTypes } from "./types";
+
+export const MSSQL_TEMPLATE = {
+  type: TProviderFunctionTypes.DB as const,
+  client: TDbProviderClients.MsSqlServer,
+  inputs: {
+    type: "object" as const,
+    properties: {
+      admin_username: { type: "string" as const },
+      admin_password: { type: "string" as const },
+      host: { type: "string" as const },
+      database: { type: "string" as const, default: "master" },
+      port: { type: "integer" as const, default: "1433" },
+      username1: {
+        type: "string",
+        default: "infisical-sql-user1",
+        desc: "SQL Server login name that must be created at server level with a matching database user"
+      },
+      username2: {
+        type: "string",
+        default: "infisical-sql-user2",
+        desc: "SQL Server login name that must be created at server level with a matching database user"
+      },
+      ca: { type: "string", desc: "SSL certificate for db auth(string)" }
+    },
+    required: ["admin_username", "admin_password", "host", "database", "username1", "username2", "port"],
+    additionalProperties: false
+  },
+  outputs: {
+    db_username: { type: "string" },
+    db_password: { type: "string" }
+  }
+};

backend/src/ee/services/secret-rotation/templates/types.ts

@@ -8,7 +8,9 @@ export enum TDbProviderClients {
   // postgres, cockroack db, amazon red shift
   Pg = "pg",
   // mysql and maria db
-  MySql = "mysql"
+  MySql = "mysql",
+
+  MsSqlServer = "mssql"
 }
 
 export enum TAwsProviderSystems {

backend/src/lib/config/env.ts

@@ -162,7 +162,8 @@ const envSchema = z
     DISABLE_AUDIT_LOG_GENERATION: zodStrBool.default("false"),
     SSL_CLIENT_CERTIFICATE_HEADER_KEY: zpStr(z.string().optional()).default("x-ssl-client-cert"),
     WORKFLOW_SLACK_CLIENT_ID: zpStr(z.string().optional()),
-    WORKFLOW_SLACK_CLIENT_SECRET: zpStr(z.string().optional())
+    WORKFLOW_SLACK_CLIENT_SECRET: zpStr(z.string().optional()),
+    ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT: zodStrBool.default("true")
   })
   .transform((data) => ({
     ...data,

backend/src/lib/types/index.ts

@@ -57,3 +57,10 @@ export enum OrderByDirection {
   ASC = "asc",
   DESC = "desc"
 }
+
+export type ProjectServiceActor = {
+  type: ActorType;
+  id: string;
+  authMethod: ActorAuthMethod;
+  orgId: string;
+};

backend/src/server/plugins/swagger.ts

@@ -15,8 +15,12 @@ export const fastifySwagger = fp(async (fastify) => {
       },
       servers: [
         {
-          url: "https://app.infisical.com",
-          description: "Production server"
+          url: "https://us.infisical.com",
+          description: "Production server (US)"
+        },
+        {
+          url: "https://eu.infisical.com",
+          description: "Production server (EU)"
         },
         {
           url: "http://localhost:8080",

backend/src/server/routes/index.ts

@@ -1087,7 +1087,6 @@ export const registerRoutes = async (
 
   const identityTokenAuthService = identityTokenAuthServiceFactory({
     identityTokenAuthDAL,
-    identityDAL,
     identityOrgMembershipDAL,
     identityAccessTokenDAL,
     permissionService,
@@ -1096,7 +1095,6 @@ export const registerRoutes = async (
   const identityUaService = identityUaServiceFactory({
     identityOrgMembershipDAL,
     permissionService,
-    identityDAL,
     identityAccessTokenDAL,
     identityUaClientSecretDAL,
     identityUaDAL,
@@ -1106,7 +1104,6 @@ export const registerRoutes = async (
     identityKubernetesAuthDAL,
     identityOrgMembershipDAL,
     identityAccessTokenDAL,
-    identityDAL,
     orgBotDAL,
     permissionService,
     licenseService
@@ -1115,7 +1112,6 @@ export const registerRoutes = async (
     identityGcpAuthDAL,
     identityOrgMembershipDAL,
     identityAccessTokenDAL,
-    identityDAL,
     permissionService,
     licenseService
   });
@@ -1124,7 +1120,6 @@ export const registerRoutes = async (
     identityAccessTokenDAL,
     identityAwsAuthDAL,
     identityOrgMembershipDAL,
-    identityDAL,
     licenseService,
     permissionService
   });
@@ -1133,7 +1128,6 @@ export const registerRoutes = async (
     identityAzureAuthDAL,
     identityOrgMembershipDAL,
     identityAccessTokenDAL,
-    identityDAL,
     permissionService,
     licenseService
   });
@@ -1142,7 +1136,6 @@ export const registerRoutes = async (
     identityOidcAuthDAL,
     identityOrgMembershipDAL,
     identityAccessTokenDAL,
-    identityDAL,
     permissionService,
     licenseService,
     orgBotDAL

backend/src/server/routes/v1/admin-router.ts

@@ -29,6 +29,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
           }).extend({
             isMigrationModeOn: z.boolean(),
             defaultAuthOrgSlug: z.string().nullable(),
+            defaultAuthOrgAuthEnforced: z.boolean().nullish(),
+            defaultAuthOrgAuthMethod: z.string().nullish(),
             isSecretScanningDisabled: z.boolean()
           })
         })

backend/src/server/routes/v1/dashboard-router.ts

@@ -20,6 +20,8 @@ import { AuthMode } from "@app/services/auth/auth-type";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
+const MAX_DEEP_SEARCH_LIMIT = 500; // arbitrary limit to prevent excessive results
+
 // handle querystring boolean values
 const booleanSchema = z
   .union([z.boolean(), z.string().trim()])
@@ -34,6 +36,35 @@ const booleanSchema = z
   .optional()
   .default(true);
 
+const parseSecretPathSearch = (search?: string) => {
+  if (!search)
+    return {
+      searchName: "",
+      searchPath: ""
+    };
+
+  if (!search.includes("/"))
+    return {
+      searchName: search,
+      searchPath: ""
+    };
+
+  if (search === "/")
+    return {
+      searchName: "",
+      searchPath: "/"
+    };
+
+  const [searchName, ...searchPathSegments] = search.split("/").reverse();
+  let searchPath = removeTrailingSlash(searchPathSegments.reverse().join("/").toLowerCase());
+  if (!searchPath.startsWith("/")) searchPath = `/${searchPath}`;
+
+  return {
+    searchName,
+    searchPath
+  };
+};
+
 export const registerDashboardRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "GET",
@@ -134,7 +165,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
       let folders: Awaited<ReturnType<typeof server.services.folder.getFoldersMultiEnv>> | undefined;
       let secrets: Awaited<ReturnType<typeof server.services.secret.getSecretsRawMultiEnv>> | undefined;
       let dynamicSecrets:
-        | Awaited<ReturnType<typeof server.services.dynamicSecret.listDynamicSecretsByFolderIds>>
+        | Awaited<ReturnType<typeof server.services.dynamicSecret.listDynamicSecretsByEnvs>>
         | undefined;
 
       let totalFolderCount: number | undefined;
@@ -218,7 +249,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
         });
 
         if (remainingLimit > 0 && totalDynamicSecretCount > adjustedOffset) {
-          dynamicSecrets = await server.services.dynamicSecret.listDynamicSecretsByFolderIds({
+          dynamicSecrets = await server.services.dynamicSecret.listDynamicSecretsByEnvs({
             actor: req.permission.type,
             actorId: req.permission.id,
             actorAuthMethod: req.permission.authMethod,
@@ -633,4 +664,180 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
       };
     }
   });
+
+  server.route({
+    method: "GET",
+    url: "/secrets-deep-search",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        projectId: z.string().trim(),
+        environments: z.string().trim().transform(decodeURIComponent),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        search: z.string().trim().optional(),
+        tags: z.string().trim().transform(decodeURIComponent).optional()
+      }),
+      response: {
+        200: z.object({
+          folders: SecretFoldersSchema.extend({ path: z.string() }).array().optional(),
+          dynamicSecrets: SanitizedDynamicSecretSchema.extend({ path: z.string(), environment: z.string() })
+            .array()
+            .optional(),
+          secrets: secretRawSchema
+            .extend({
+              secretPath: z.string().optional(),
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
+                .optional()
+            })
+            .array()
+            .optional()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { secretPath, projectId, search } = req.query;
+
+      const environments = req.query.environments.split(",").filter((env) => Boolean(env.trim()));
+      if (!environments.length) throw new BadRequestError({ message: "One or more environments required" });
+
+      const tags = req.query.tags?.split(",").filter((tag) => Boolean(tag.trim())) ?? [];
+      if (!search && !tags.length) throw new BadRequestError({ message: "Search or tags required" });
+
+      const searchHasTags = Boolean(tags.length);
+
+      const allFolders = await server.services.folder.getFoldersDeepByEnvs(
+        {
+          projectId,
+          environments,
+          secretPath
+        },
+        req.permission
+      );
+
+      const { searchName, searchPath } = parseSecretPathSearch(search);
+
+      const folderMappings = allFolders.map((folder) => ({
+        folderId: folder.id,
+        path: folder.path,
+        environment: folder.environment
+      }));
+
+      const sharedFilters = {
+        search: searchName,
+        limit: MAX_DEEP_SEARCH_LIMIT,
+        orderBy: SecretsOrderBy.Name
+      };
+
+      const secrets = await server.services.secret.getSecretsRawByFolderMappings(
+        {
+          projectId,
+          folderMappings,
+          filters: {
+            ...sharedFilters,
+            tagSlugs: tags,
+            includeTagsInSearch: true
+          }
+        },
+        req.permission
+      );
+
+      const dynamicSecrets = searchHasTags
+        ? []
+        : await server.services.dynamicSecret.listDynamicSecretsByFolderIds(
+            {
+              projectId,
+              folderMappings,
+              filters: sharedFilters
+            },
+            req.permission
+          );
+
+      for await (const environment of environments) {
+        const secretCountForEnv = secrets.filter((secret) => secret.environment === environment).length;
+
+        if (secretCountForEnv) {
+          await server.services.auditLog.createAuditLog({
+            projectId,
+            ...req.auditLogInfo,
+            event: {
+              type: EventType.GET_SECRETS,
+              metadata: {
+                environment,
+                secretPath,
+                numberOfSecrets: secretCountForEnv
+              }
+            }
+          });
+
+          if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
+            await server.services.telemetry.sendPostHogEvents({
+              event: PostHogEventTypes.SecretPulled,
+              distinctId: getTelemetryDistinctId(req),
+              properties: {
+                numberOfSecrets: secretCountForEnv,
+                workspaceId: projectId,
+                environment,
+                secretPath,
+                channel: getUserAgentType(req.headers["user-agent"]),
+                ...req.auditLogInfo
+              }
+            });
+          }
+        }
+      }
+
+      const sliceQuickSearch = <T>(array: T[]) => array.slice(0, 25);
+
+      return {
+        secrets: sliceQuickSearch(
+          searchPath ? secrets.filter((secret) => secret.secretPath.endsWith(searchPath)) : secrets
+        ),
+        dynamicSecrets: sliceQuickSearch(
+          searchPath
+            ? dynamicSecrets.filter((dynamicSecret) => dynamicSecret.path.endsWith(searchPath))
+            : dynamicSecrets
+        ),
+        folders: searchHasTags
+          ? []
+          : sliceQuickSearch(
+              allFolders.filter((folder) => {
+                const [folderName, ...folderPathSegments] = folder.path.split("/").reverse();
+                const folderPath = folderPathSegments.reverse().join("/").toLowerCase() || "/";
+
+                if (searchPath) {
+                  if (searchPath === "/") {
+                    // only show root folders if no folder name search
+                    if (!searchName) return folderPath === searchPath;
+
+                    // start partial match on root folders
+                    return folderName.toLowerCase().startsWith(searchName.toLowerCase());
+                  }
+
+                  // support ending partial path match
+                  return (
+                    folderPath.endsWith(searchPath) && folderName.toLowerCase().startsWith(searchName.toLowerCase())
+                  );
+                }
+
+                // no search path, "fuzzy" match all folders
+                return folderName.toLowerCase().includes(searchName.toLowerCase());
+              })
+            )
+      };
+    }
+  });
 };

backend/src/server/routes/v1/identity-router.ts

@@ -37,7 +37,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          identity: IdentitiesSchema
+          identity: IdentitiesSchema.extend({
+            authMethods: z.array(z.string())
+          })
         })
       }
     },
@@ -216,7 +218,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
               permissions: true,
               description: true
             }).optional(),
-            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+            identity: IdentitiesSchema.pick({ name: true, id: true }).extend({
+              authMethods: z.array(z.string())
+            })
           })
         })
       }
@@ -261,7 +265,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
               permissions: true,
               description: true
             }).optional(),
-            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+            identity: IdentitiesSchema.pick({ name: true, id: true }).extend({
+              authMethods: z.array(z.string())
+            })
           }).array(),
           totalCount: z.number()
         })
@@ -319,7 +325,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
                   temporaryAccessEndTime: z.date().nullable().optional()
                 })
               ),
-              identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true }),
+              identity: IdentitiesSchema.pick({ name: true, id: true }).extend({
+                authMethods: z.array(z.string())
+              }),
               project: SanitizedProjectSchema.pick({ name: true, id: true })
             })
           )

backend/src/server/routes/v2/identity-org-router.ts

@@ -58,7 +58,9 @@ export const registerIdentityOrgRouter = async (server: FastifyZodProvider) => {
                 permissions: true,
                 description: true
               }).optional(),
-              identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+              identity: IdentitiesSchema.pick({ name: true, id: true }).extend({
+                authMethods: z.array(z.string())
+              })
             })
           ).array(),
           totalCount: z.number()

backend/src/server/routes/v2/identity-project-router.ts

@@ -264,7 +264,9 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
                   temporaryAccessEndTime: z.date().nullable().optional()
                 })
               ),
-              identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true }),
+              identity: IdentitiesSchema.pick({ name: true, id: true }).extend({
+                authMethods: z.array(z.string())
+              }),
               project: SanitizedProjectSchema.pick({ name: true, id: true })
             })
             .array(),
@@ -285,6 +287,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         orderDirection: req.query.orderDirection,
         search: req.query.search
       });
+
       return { identityMemberships, totalCount };
     }
   });
@@ -328,7 +331,9 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
                 temporaryAccessEndTime: z.date().nullable().optional()
               })
             ),
-            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true }),
+            identity: IdentitiesSchema.pick({ name: true, id: true }).extend({
+              authMethods: z.array(z.string())
+            }),
             project: SanitizedProjectSchema.pick({ name: true, id: true })
           })
         })

backend/src/services/cmek/cmek-service.ts

@@ -1,9 +1,9 @@
 import { ForbiddenError } from "@casl/ability";
-import { FastifyRequest } from "fastify";
 
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionCmekActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { ProjectServiceActor } from "@app/lib/types";
 import {
   TCmekDecryptDTO,
   TCmekEncryptDTO,
@@ -23,7 +23,7 @@ type TCmekServiceFactoryDep = {
 export type TCmekServiceFactory = ReturnType<typeof cmekServiceFactory>;
 
 export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TCmekServiceFactoryDep) => {
-  const createCmek = async ({ projectId, ...dto }: TCreateCmekDTO, actor: FastifyRequest["permission"]) => {
+  const createCmek = async ({ projectId, ...dto }: TCreateCmekDTO, actor: ProjectServiceActor) => {
     const { permission } = await permissionService.getProjectPermission(
       actor.type,
       actor.id,
@@ -43,7 +43,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
     return cmek;
   };
 
-  const updateCmekById = async ({ keyId, ...data }: TUpdabteCmekByIdDTO, actor: FastifyRequest["permission"]) => {
+  const updateCmekById = async ({ keyId, ...data }: TUpdabteCmekByIdDTO, actor: ProjectServiceActor) => {
     const key = await kmsDAL.findById(keyId);
 
     if (!key) throw new NotFoundError({ message: `Key with ID ${keyId} not found` });
@@ -65,7 +65,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
     return cmek;
   };
 
-  const deleteCmekById = async (keyId: string, actor: FastifyRequest["permission"]) => {
+  const deleteCmekById = async (keyId: string, actor: ProjectServiceActor) => {
     const key = await kmsDAL.findById(keyId);
 
     if (!key) throw new NotFoundError({ message: `Key with ID ${keyId} not found` });
@@ -89,7 +89,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
 
   const listCmeksByProjectId = async (
     { projectId, ...filters }: TListCmeksByProjectIdDTO,
-    actor: FastifyRequest["permission"]
+    actor: ProjectServiceActor
   ) => {
     const { permission } = await permissionService.getProjectPermission(
       actor.type,
@@ -106,7 +106,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
     return { cmeks, totalCount };
   };
 
-  const cmekEncrypt = async ({ keyId, plaintext }: TCmekEncryptDTO, actor: FastifyRequest["permission"]) => {
+  const cmekEncrypt = async ({ keyId, plaintext }: TCmekEncryptDTO, actor: ProjectServiceActor) => {
     const key = await kmsDAL.findById(keyId);
 
     if (!key) throw new NotFoundError({ message: `Key with ID ${keyId} not found` });
@@ -132,7 +132,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
     return cipherTextBlob.toString("base64");
   };
 
-  const cmekDecrypt = async ({ keyId, ciphertext }: TCmekDecryptDTO, actor: FastifyRequest["permission"]) => {
+  const cmekDecrypt = async ({ keyId, ciphertext }: TCmekDecryptDTO, actor: ProjectServiceActor) => {
     const key = await kmsDAL.findById(keyId);
 
     if (!key) throw new NotFoundError({ message: `Key with ID ${keyId} not found` });

backend/src/services/external-group-org-role-mapping/external-group-org-role-mapping-service.ts

@@ -1,9 +1,9 @@
 import { ForbiddenError } from "@casl/ability";
-import { FastifyRequest } from "fastify";
 
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { ProjectServiceActor } from "@app/lib/types";
 import { constructGroupOrgMembershipRoleMappings } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-fns";
 import { TSyncExternalGroupOrgMembershipRoleMappingsDTO } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-types";
 import { TOrgRoleDALFactory } from "@app/services/org/org-role-dal";
@@ -25,7 +25,7 @@ export const externalGroupOrgRoleMappingServiceFactory = ({
   permissionService,
   orgRoleDAL
 }: TExternalGroupOrgRoleMappingServiceFactoryDep) => {
-  const listExternalGroupOrgRoleMappings = async (actor: FastifyRequest["permission"]) => {
+  const listExternalGroupOrgRoleMappings = async (actor: ProjectServiceActor) => {
     const { permission } = await permissionService.getOrgPermission(
       actor.type,
       actor.id,
@@ -46,7 +46,7 @@ export const externalGroupOrgRoleMappingServiceFactory = ({
 
   const updateExternalGroupOrgRoleMappings = async (
     dto: TSyncExternalGroupOrgMembershipRoleMappingsDTO,
-    actor: FastifyRequest["permission"]
+    actor: ProjectServiceActor
   ) => {
     const { permission } = await permissionService.getOrgPermission(
       actor.type,

backend/src/services/identity-access-token/identity-access-token-dal.ts

@@ -1,7 +1,7 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { IdentityAuthMethod, TableName, TIdentityAccessTokens } from "@app/db/schemas";
+import { TableName, TIdentityAccessTokens } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { logger } from "@app/lib/logger";
@@ -17,54 +17,27 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
       const doc = await (tx || db.replicaNode())(TableName.IdentityAccessToken)
         .where(filter)
         .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityAccessToken}.identityId`)
-        .leftJoin(TableName.IdentityUaClientSecret, (qb) => {
-          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.Univeral])).andOn(
-            `${TableName.IdentityAccessToken}.identityUAClientSecretId`,
-            `${TableName.IdentityUaClientSecret}.id`
-          );
-        })
-        .leftJoin(TableName.IdentityUniversalAuth, (qb) => {
-          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.Univeral])).andOn(
-            `${TableName.IdentityUaClientSecret}.identityUAId`,
-            `${TableName.IdentityUniversalAuth}.id`
-          );
-        })
-        .leftJoin(TableName.IdentityGcpAuth, (qb) => {
-          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.GCP_AUTH])).andOn(
-            `${TableName.Identity}.id`,
-            `${TableName.IdentityGcpAuth}.identityId`
-          );
-        })
-        .leftJoin(TableName.IdentityAwsAuth, (qb) => {
-          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.AWS_AUTH])).andOn(
-            `${TableName.Identity}.id`,
-            `${TableName.IdentityAwsAuth}.identityId`
-          );
-        })
-        .leftJoin(TableName.IdentityAzureAuth, (qb) => {
-          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.AZURE_AUTH])).andOn(
-            `${TableName.Identity}.id`,
-            `${TableName.IdentityAzureAuth}.identityId`
-          );
-        })
-        .leftJoin(TableName.IdentityKubernetesAuth, (qb) => {
-          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.KUBERNETES_AUTH])).andOn(
-            `${TableName.Identity}.id`,
-            `${TableName.IdentityKubernetesAuth}.identityId`
-          );
-        })
-        .leftJoin(TableName.IdentityOidcAuth, (qb) => {
-          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.OIDC_AUTH])).andOn(
-            `${TableName.Identity}.id`,
-            `${TableName.IdentityOidcAuth}.identityId`
-          );
-        })
-        .leftJoin(TableName.IdentityTokenAuth, (qb) => {
-          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.TOKEN_AUTH])).andOn(
-            `${TableName.Identity}.id`,
-            `${TableName.IdentityTokenAuth}.identityId`
-          );
-        })
+        .leftJoin(
+          TableName.IdentityUaClientSecret,
+          `${TableName.IdentityAccessToken}.identityUAClientSecretId`,
+          `${TableName.IdentityUaClientSecret}.id`
+        )
+        .leftJoin(
+          TableName.IdentityUniversalAuth,
+          `${TableName.IdentityUaClientSecret}.identityUAId`,
+          `${TableName.IdentityUniversalAuth}.id`
+        )
+        .leftJoin(TableName.IdentityGcpAuth, `${TableName.Identity}.id`, `${TableName.IdentityGcpAuth}.identityId`)
+        .leftJoin(TableName.IdentityAwsAuth, `${TableName.Identity}.id`, `${TableName.IdentityAwsAuth}.identityId`)
+        .leftJoin(TableName.IdentityAzureAuth, `${TableName.Identity}.id`, `${TableName.IdentityAzureAuth}.identityId`)
+        .leftJoin(
+          TableName.IdentityKubernetesAuth,
+          `${TableName.Identity}.id`,
+          `${TableName.IdentityKubernetesAuth}.identityId`
+        )
+        .leftJoin(TableName.IdentityOidcAuth, `${TableName.Identity}.id`, `${TableName.IdentityOidcAuth}.identityId`)
+        .leftJoin(TableName.IdentityTokenAuth, `${TableName.Identity}.id`, `${TableName.IdentityTokenAuth}.identityId`)
+
         .select(selectAllTableCols(TableName.IdentityAccessToken))
         .select(
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityUniversalAuth).as("accessTokenTrustedIpsUa"),
@@ -82,14 +55,13 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
 
       return {
         ...doc,
-        accessTokenTrustedIps:
-          doc.accessTokenTrustedIpsUa ||
-          doc.accessTokenTrustedIpsGcp ||
-          doc.accessTokenTrustedIpsAws ||
-          doc.accessTokenTrustedIpsAzure ||
-          doc.accessTokenTrustedIpsK8s ||
-          doc.accessTokenTrustedIpsOidc ||
-          doc.accessTokenTrustedIpsToken
+        trustedIpsUniversalAuth: doc.accessTokenTrustedIpsUa,
+        trustedIpsGcpAuth: doc.accessTokenTrustedIpsGcp,
+        trustedIpsAwsAuth: doc.accessTokenTrustedIpsAws,
+        trustedIpsAzureAuth: doc.accessTokenTrustedIpsAzure,
+        trustedIpsKubernetesAuth: doc.accessTokenTrustedIpsK8s,
+        trustedIpsOidcAuth: doc.accessTokenTrustedIpsOidc,
+        trustedIpsAccessTokenAuth: doc.accessTokenTrustedIpsToken
       };
     } catch (error) {
       throw new DatabaseError({ error, name: "IdAccessTokenFindOne" });

backend/src/services/identity-access-token/identity-access-token-service.ts

@@ -1,6 +1,6 @@
 import jwt, { JwtPayload } from "jsonwebtoken";
 
-import { TableName, TIdentityAccessTokens } from "@app/db/schemas";
+import { IdentityAuthMethod, TableName, TIdentityAccessTokens } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { checkIPAgainstBlocklist, TIp } from "@app/lib/ip";
@@ -164,10 +164,22 @@ export const identityAccessTokenServiceFactory = ({
         message: "Failed to authorize revoked access token, access token is revoked"
       });
 
-    if (ipAddress && identityAccessToken) {
+    const trustedIpsMap: Record<IdentityAuthMethod, unknown> = {
+      [IdentityAuthMethod.UNIVERSAL_AUTH]: identityAccessToken.trustedIpsUniversalAuth,
+      [IdentityAuthMethod.GCP_AUTH]: identityAccessToken.trustedIpsGcpAuth,
+      [IdentityAuthMethod.AWS_AUTH]: identityAccessToken.trustedIpsAwsAuth,
+      [IdentityAuthMethod.AZURE_AUTH]: identityAccessToken.trustedIpsAzureAuth,
+      [IdentityAuthMethod.KUBERNETES_AUTH]: identityAccessToken.trustedIpsKubernetesAuth,
+      [IdentityAuthMethod.OIDC_AUTH]: identityAccessToken.trustedIpsOidcAuth,
+      [IdentityAuthMethod.TOKEN_AUTH]: identityAccessToken.trustedIpsAccessTokenAuth
+    };
+
+    const trustedIps = trustedIpsMap[identityAccessToken.authMethod as IdentityAuthMethod];
+
+    if (ipAddress) {
       checkIPAgainstBlocklist({
         ipAddress,
-        trustedIps: identityAccessToken?.accessTokenTrustedIps as TIp[]
+        trustedIps: trustedIps as TIp[]
       });
     }
 

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -13,7 +13,6 @@ import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedErro
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
-import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
@@ -33,7 +32,6 @@ type TIdentityAwsAuthServiceFactoryDep = {
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
   identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
-  identityDAL: Pick<TIdentityDALFactory, "updateById">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
 };
@@ -44,7 +42,6 @@ export const identityAwsAuthServiceFactory = ({
   identityAccessTokenDAL,
   identityAwsAuthDAL,
   identityOrgMembershipDAL,
-  identityDAL,
   licenseService,
   permissionService
 }: TIdentityAwsAuthServiceFactoryDep) => {
@@ -113,7 +110,8 @@ export const identityAwsAuthServiceFactory = ({
           accessTokenTTL: identityAwsAuth.accessTokenTTL,
           accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
           accessTokenNumUses: 0,
-          accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
+          accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit,
+          authMethod: IdentityAuthMethod.AWS_AUTH
         },
         tx
       );
@@ -155,10 +153,12 @@ export const identityAwsAuthServiceFactory = ({
   }: TAttachAwsAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity.authMethod)
+
+    if (identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.AWS_AUTH)) {
       throw new BadRequestError({
         message: "Failed to add AWS Auth to already configured identity"
       });
+    }
 
     if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
       throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
@@ -206,13 +206,6 @@ export const identityAwsAuthServiceFactory = ({
         },
         tx
       );
-      await identityDAL.updateById(
-        identityMembershipOrg.identityId,
-        {
-          authMethod: IdentityAuthMethod.AWS_AUTH
-        },
-        tx
-      );
       return doc;
     });
     return { ...identityAwsAuth, orgId: identityMembershipOrg.orgId };
@@ -234,10 +227,12 @@ export const identityAwsAuthServiceFactory = ({
   }: TUpdateAwsAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
-      throw new BadRequestError({
-        message: "Failed to update AWS Auth"
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.AWS_AUTH)) {
+      throw new NotFoundError({
+        message: "The identity does not have AWS Auth attached"
       });
+    }
 
     const identityAwsAuth = await identityAwsAuthDAL.findOne({ identityId });
 
@@ -293,10 +288,12 @@ export const identityAwsAuthServiceFactory = ({
   const getAwsAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetAwsAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.AWS_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have AWS Auth attached"
       });
+    }
 
     const awsIdentityAuth = await identityAwsAuthDAL.findOne({ identityId });
 
@@ -320,10 +317,11 @@ export const identityAwsAuthServiceFactory = ({
   }: TRevokeAwsAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.AWS_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have aws auth"
       });
+    }
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -348,7 +346,6 @@ export const identityAwsAuthServiceFactory = ({
 
     const revokedIdentityAwsAuth = await identityAwsAuthDAL.transaction(async (tx) => {
       const deletedAwsAuth = await identityAwsAuthDAL.delete({ identityId }, tx);
-      await identityDAL.updateById(identityId, { authMethod: null }, tx);
       return { ...deletedAwsAuth?.[0], orgId: identityMembershipOrg.orgId };
     });
     return revokedIdentityAwsAuth;

backend/src/services/identity-azure-auth/identity-azure-auth-service.ts

@@ -11,7 +11,6 @@ import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedErro
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
-import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
@@ -32,7 +31,6 @@ type TIdentityAzureAuthServiceFactoryDep = {
   >;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
-  identityDAL: Pick<TIdentityDALFactory, "updateById">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
@@ -43,7 +41,6 @@ export const identityAzureAuthServiceFactory = ({
   identityAzureAuthDAL,
   identityOrgMembershipDAL,
   identityAccessTokenDAL,
-  identityDAL,
   permissionService,
   licenseService
 }: TIdentityAzureAuthServiceFactoryDep) => {
@@ -84,7 +81,8 @@ export const identityAzureAuthServiceFactory = ({
           accessTokenTTL: identityAzureAuth.accessTokenTTL,
           accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL,
           accessTokenNumUses: 0,
-          accessTokenNumUsesLimit: identityAzureAuth.accessTokenNumUsesLimit
+          accessTokenNumUsesLimit: identityAzureAuth.accessTokenNumUsesLimit,
+          authMethod: IdentityAuthMethod.AZURE_AUTH
         },
         tx
       );
@@ -126,11 +124,12 @@ export const identityAzureAuthServiceFactory = ({
   }: TAttachAzureAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity.authMethod)
+
+    if (identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.AZURE_AUTH)) {
       throw new BadRequestError({
         message: "Failed to add Azure Auth to already configured identity"
       });
-
+    }
     if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
       throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
     }
@@ -176,13 +175,7 @@ export const identityAzureAuthServiceFactory = ({
         },
         tx
       );
-      await identityDAL.updateById(
-        identityMembershipOrg.identityId,
-        {
-          authMethod: IdentityAuthMethod.AZURE_AUTH
-        },
-        tx
-      );
+
       return doc;
     });
     return { ...identityAzureAuth, orgId: identityMembershipOrg.orgId };
@@ -204,10 +197,11 @@ export const identityAzureAuthServiceFactory = ({
   }: TUpdateAzureAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AZURE_AUTH)
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.AZURE_AUTH)) {
       throw new BadRequestError({
         message: "Failed to update Azure Auth"
       });
+    }
 
     const identityGcpAuth = await identityAzureAuthDAL.findOne({ identityId });
 
@@ -266,10 +260,11 @@ export const identityAzureAuthServiceFactory = ({
   const getAzureAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetAzureAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AZURE_AUTH)
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.AZURE_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have Azure Auth attached"
       });
+    }
 
     const identityAzureAuth = await identityAzureAuthDAL.findOne({ identityId });
 
@@ -294,10 +289,11 @@ export const identityAzureAuthServiceFactory = ({
   }: TRevokeAzureAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AZURE_AUTH)
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.AZURE_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have azure auth"
       });
+    }
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -321,7 +317,6 @@ export const identityAzureAuthServiceFactory = ({
 
     const revokedIdentityAzureAuth = await identityAzureAuthDAL.transaction(async (tx) => {
       const deletedAzureAuth = await identityAzureAuthDAL.delete({ identityId }, tx);
-      await identityDAL.updateById(identityId, { authMethod: null }, tx);
       return { ...deletedAzureAuth?.[0], orgId: identityMembershipOrg.orgId };
     });
     return revokedIdentityAzureAuth;

backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts

@@ -11,7 +11,6 @@ import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedErro
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
-import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
@@ -30,7 +29,6 @@ type TIdentityGcpAuthServiceFactoryDep = {
   identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
-  identityDAL: Pick<TIdentityDALFactory, "updateById">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
@@ -41,7 +39,6 @@ export const identityGcpAuthServiceFactory = ({
   identityGcpAuthDAL,
   identityOrgMembershipDAL,
   identityAccessTokenDAL,
-  identityDAL,
   permissionService,
   licenseService
 }: TIdentityGcpAuthServiceFactoryDep) => {
@@ -125,7 +122,8 @@ export const identityGcpAuthServiceFactory = ({
           accessTokenTTL: identityGcpAuth.accessTokenTTL,
           accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
           accessTokenNumUses: 0,
-          accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
+          accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit,
+          authMethod: IdentityAuthMethod.GCP_AUTH
         },
         tx
       );
@@ -168,10 +166,12 @@ export const identityGcpAuthServiceFactory = ({
   }: TAttachGcpAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity.authMethod)
+
+    if (identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.GCP_AUTH)) {
       throw new BadRequestError({
         message: "Failed to add GCP Auth to already configured identity"
       });
+    }
 
     if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
       throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
@@ -219,13 +219,6 @@ export const identityGcpAuthServiceFactory = ({
         },
         tx
       );
-      await identityDAL.updateById(
-        identityMembershipOrg.identityId,
-        {
-          authMethod: IdentityAuthMethod.GCP_AUTH
-        },
-        tx
-      );
       return doc;
     });
     return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
@@ -248,10 +241,12 @@ export const identityGcpAuthServiceFactory = ({
   }: TUpdateGcpAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.GCP_AUTH)) {
       throw new BadRequestError({
         message: "Failed to update GCP Auth"
       });
+    }
 
     const identityGcpAuth = await identityGcpAuthDAL.findOne({ identityId });
 
@@ -311,10 +306,12 @@ export const identityGcpAuthServiceFactory = ({
   const getGcpAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetGcpAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.GCP_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have GCP Auth attached"
       });
+    }
 
     const identityGcpAuth = await identityGcpAuthDAL.findOne({ identityId });
 
@@ -339,10 +336,12 @@ export const identityGcpAuthServiceFactory = ({
   }: TRevokeGcpAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.GCP_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have gcp auth"
       });
+    }
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -366,7 +365,6 @@ export const identityGcpAuthServiceFactory = ({
 
     const revokedIdentityGcpAuth = await identityGcpAuthDAL.transaction(async (tx) => {
       const deletedGcpAuth = await identityGcpAuthDAL.delete({ identityId }, tx);
-      await identityDAL.updateById(identityId, { authMethod: null }, tx);
       return { ...deletedGcpAuth?.[0], orgId: identityMembershipOrg.orgId };
     });
     return revokedIdentityGcpAuth;

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts

@@ -22,7 +22,6 @@ import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
-import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
@@ -44,7 +43,6 @@ type TIdentityKubernetesAuthServiceFactoryDep = {
   >;
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "findById">;
-  identityDAL: Pick<TIdentityDALFactory, "updateById">;
   orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "transaction" | "create">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -56,7 +54,6 @@ export const identityKubernetesAuthServiceFactory = ({
   identityKubernetesAuthDAL,
   identityOrgMembershipDAL,
   identityAccessTokenDAL,
-  identityDAL,
   orgBotDAL,
   permissionService,
   licenseService
@@ -215,7 +212,8 @@ export const identityKubernetesAuthServiceFactory = ({
           accessTokenTTL: identityKubernetesAuth.accessTokenTTL,
           accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL,
           accessTokenNumUses: 0,
-          accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit
+          accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit,
+          authMethod: IdentityAuthMethod.KUBERNETES_AUTH
         },
         tx
       );
@@ -260,10 +258,12 @@ export const identityKubernetesAuthServiceFactory = ({
   }: TAttachKubernetesAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity.authMethod)
+
+    if (identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.KUBERNETES_AUTH)) {
       throw new BadRequestError({
         message: "Failed to add Kubernetes Auth to already configured identity"
       });
+    }
 
     if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
       throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
@@ -372,13 +372,6 @@ export const identityKubernetesAuthServiceFactory = ({
         },
         tx
       );
-      await identityDAL.updateById(
-        identityMembershipOrg.identityId,
-        {
-          authMethod: IdentityAuthMethod.KUBERNETES_AUTH
-        },
-        tx
-      );
       return doc;
     });
 
@@ -404,10 +397,12 @@ export const identityKubernetesAuthServiceFactory = ({
   }: TUpdateKubernetesAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.KUBERNETES_AUTH)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.KUBERNETES_AUTH)) {
       throw new BadRequestError({
         message: "Failed to update Kubernetes Auth"
       });
+    }
 
     const identityKubernetesAuth = await identityKubernetesAuthDAL.findOne({ identityId });
 
@@ -532,11 +527,12 @@ export const identityKubernetesAuthServiceFactory = ({
   }: TGetKubernetesAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.KUBERNETES_AUTH)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.KUBERNETES_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have Kubernetes Auth attached"
       });
-
+    }
     const identityKubernetesAuth = await identityKubernetesAuthDAL.findOne({ identityId });
 
     const { permission } = await permissionService.getOrgPermission(
@@ -597,10 +593,12 @@ export const identityKubernetesAuthServiceFactory = ({
   }: TRevokeKubernetesAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.KUBERNETES_AUTH)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.KUBERNETES_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have kubernetes auth"
       });
+    }
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -624,7 +622,6 @@ export const identityKubernetesAuthServiceFactory = ({
 
     const revokedIdentityKubernetesAuth = await identityKubernetesAuthDAL.transaction(async (tx) => {
       const deletedKubernetesAuth = await identityKubernetesAuthDAL.delete({ identityId }, tx);
-      await identityDAL.updateById(identityId, { authMethod: null }, tx);
       return { ...deletedKubernetesAuth?.[0], orgId: identityMembershipOrg.orgId };
     });
     return revokedIdentityKubernetesAuth;

backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts

@@ -22,7 +22,6 @@ import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedErro
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
-import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
@@ -41,7 +40,6 @@ type TIdentityOidcAuthServiceFactoryDep = {
   identityOidcAuthDAL: TIdentityOidcAuthDALFactory;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
-  identityDAL: Pick<TIdentityDALFactory, "updateById">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "transaction" | "create">;
@@ -52,7 +50,6 @@ export type TIdentityOidcAuthServiceFactory = ReturnType<typeof identityOidcAuth
 export const identityOidcAuthServiceFactory = ({
   identityOidcAuthDAL,
   identityOrgMembershipDAL,
-  identityDAL,
   permissionService,
   licenseService,
   identityAccessTokenDAL,
@@ -61,7 +58,7 @@ export const identityOidcAuthServiceFactory = ({
   const login = async ({ identityId, jwt: oidcJwt }: TLoginOidcAuthDTO) => {
     const identityOidcAuth = await identityOidcAuthDAL.findOne({ identityId });
     if (!identityOidcAuth) {
-      throw new NotFoundError({ message: "GCP auth method not found for identity, did you configure GCP auth?" });
+      throw new NotFoundError({ message: "OIDC auth method not found for identity, did you configure OIDC auth?" });
     }
 
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({
@@ -181,7 +178,8 @@ export const identityOidcAuthServiceFactory = ({
           accessTokenTTL: identityOidcAuth.accessTokenTTL,
           accessTokenMaxTTL: identityOidcAuth.accessTokenMaxTTL,
           accessTokenNumUses: 0,
-          accessTokenNumUsesLimit: identityOidcAuth.accessTokenNumUsesLimit
+          accessTokenNumUsesLimit: identityOidcAuth.accessTokenNumUsesLimit,
+          authMethod: IdentityAuthMethod.OIDC_AUTH
         },
         tx
       );
@@ -228,10 +226,11 @@ export const identityOidcAuthServiceFactory = ({
     if (!identityMembershipOrg) {
       if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
     }
-    if (identityMembershipOrg.identity.authMethod)
+    if (identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.OIDC_AUTH)) {
       throw new BadRequestError({
         message: "Failed to add OIDC Auth to already configured identity"
       });
+    }
 
     if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
       throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
@@ -334,13 +333,6 @@ export const identityOidcAuthServiceFactory = ({
         },
         tx
       );
-      await identityDAL.updateById(
-        identityMembershipOrg.identityId,
-        {
-          authMethod: IdentityAuthMethod.OIDC_AUTH
-        },
-        tx
-      );
       return doc;
     });
     return { ...identityOidcAuth, orgId: identityMembershipOrg.orgId, caCert };
@@ -364,11 +356,9 @@ export const identityOidcAuthServiceFactory = ({
     actorOrgId
   }: TUpdateOidcAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
-    if (!identityMembershipOrg) {
-      if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    }
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
 
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.OIDC_AUTH) {
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.OIDC_AUTH)) {
       throw new BadRequestError({
         message: "Failed to update OIDC Auth"
       });
@@ -467,11 +457,9 @@ export const identityOidcAuthServiceFactory = ({
 
   const getOidcAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetOidcAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
-    if (!identityMembershipOrg) {
-      if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    }
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
 
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.OIDC_AUTH) {
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.OIDC_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have OIDC Auth attached"
       });
@@ -519,7 +507,7 @@ export const identityOidcAuthServiceFactory = ({
       throw new NotFoundError({ message: "Failed to find identity" });
     }
 
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.OIDC_AUTH) {
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.OIDC_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have OIDC auth"
       });
@@ -551,7 +539,6 @@ export const identityOidcAuthServiceFactory = ({
 
     const revokedIdentityOidcAuth = await identityOidcAuthDAL.transaction(async (tx) => {
       const deletedOidcAuth = await identityOidcAuthDAL.delete({ identityId }, tx);
-      await identityDAL.updateById(identityId, { authMethod: null }, tx);
       return { ...deletedOidcAuth?.[0], orgId: identityMembershipOrg.orgId };
     });
 

backend/src/services/identity-project/identity-project-dal.ts

@@ -1,12 +1,24 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { TableName, TIdentities } from "@app/db/schemas";
+import {
+  TableName,
+  TIdentities,
+  TIdentityAwsAuths,
+  TIdentityAzureAuths,
+  TIdentityGcpAuths,
+  TIdentityKubernetesAuths,
+  TIdentityOidcAuths,
+  TIdentityTokenAuths,
+  TIdentityUniversalAuths
+} from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
 import { ProjectIdentityOrderBy, TListProjectIdentityDTO } from "@app/services/identity-project/identity-project-types";
 
+import { buildAuthMethods } from "../identity/identity-fns";
+
 export type TIdentityProjectDALFactory = ReturnType<typeof identityProjectDALFactory>;
 
 export const identityProjectDALFactory = (db: TDbClient) => {
@@ -33,11 +45,48 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           `${TableName.IdentityProjectMembership}.id`,
           `${TableName.IdentityProjectAdditionalPrivilege}.projectMembershipId`
         )
+
+        .leftJoin(
+          TableName.IdentityUniversalAuth,
+          `${TableName.IdentityProjectMembership}.identityId`,
+          `${TableName.IdentityUniversalAuth}.identityId`
+        )
+        .leftJoin(
+          TableName.IdentityGcpAuth,
+          `${TableName.IdentityProjectMembership}.identityId`,
+          `${TableName.IdentityGcpAuth}.identityId`
+        )
+        .leftJoin(
+          TableName.IdentityAwsAuth,
+          `${TableName.IdentityProjectMembership}.identityId`,
+          `${TableName.IdentityAwsAuth}.identityId`
+        )
+        .leftJoin(
+          TableName.IdentityKubernetesAuth,
+          `${TableName.IdentityProjectMembership}.identityId`,
+          `${TableName.IdentityKubernetesAuth}.identityId`
+        )
+        .leftJoin(
+          TableName.IdentityOidcAuth,
+          `${TableName.IdentityProjectMembership}.identityId`,
+          `${TableName.IdentityOidcAuth}.identityId`
+        )
+        .leftJoin(
+          TableName.IdentityAzureAuth,
+          `${TableName.IdentityProjectMembership}.identityId`,
+          `${TableName.IdentityAzureAuth}.identityId`
+        )
+        .leftJoin(
+          TableName.IdentityTokenAuth,
+          `${TableName.IdentityProjectMembership}.identityId`,
+          `${TableName.IdentityTokenAuth}.identityId`
+        )
+
         .select(
           db.ref("id").withSchema(TableName.IdentityProjectMembership),
           db.ref("createdAt").withSchema(TableName.IdentityProjectMembership),
           db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership),
-          db.ref("authMethod").as("identityAuthMethod").withSchema(TableName.Identity),
+
           db.ref("id").as("identityId").withSchema(TableName.Identity),
           db.ref("name").as("identityName").withSchema(TableName.Identity),
           db.ref("id").withSchema(TableName.IdentityProjectMembership),
@@ -52,12 +101,33 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           db.ref("temporaryAccessStartTime").withSchema(TableName.IdentityProjectMembershipRole),
           db.ref("temporaryAccessEndTime").withSchema(TableName.IdentityProjectMembershipRole),
           db.ref("projectId").withSchema(TableName.IdentityProjectMembership),
-          db.ref("name").as("projectName").withSchema(TableName.Project)
+          db.ref("name").as("projectName").withSchema(TableName.Project),
+          db.ref("id").as("uaId").withSchema(TableName.IdentityUniversalAuth),
+          db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
+          db.ref("id").as("awsId").withSchema(TableName.IdentityAwsAuth),
+          db.ref("id").as("kubernetesId").withSchema(TableName.IdentityKubernetesAuth),
+          db.ref("id").as("oidcId").withSchema(TableName.IdentityOidcAuth),
+          db.ref("id").as("azureId").withSchema(TableName.IdentityAzureAuth),
+          db.ref("id").as("tokenId").withSchema(TableName.IdentityTokenAuth)
         );
 
       const members = sqlNestRelationships({
         data: docs,
-        parentMapper: ({ identityName, identityAuthMethod, id, createdAt, updatedAt, projectId, projectName }) => ({
+        parentMapper: ({
+          identityName,
+          uaId,
+          awsId,
+          gcpId,
+          kubernetesId,
+          oidcId,
+          azureId,
+          tokenId,
+          id,
+          createdAt,
+          updatedAt,
+          projectId,
+          projectName
+        }) => ({
           id,
           identityId,
           createdAt,
@@ -65,7 +135,15 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           identity: {
             id: identityId,
             name: identityName,
-            authMethod: identityAuthMethod
+            authMethods: buildAuthMethods({
+              uaId,
+              awsId,
+              gcpId,
+              kubernetesId,
+              oidcId,
+              azureId,
+              tokenId
+            })
           },
           project: {
             id: projectId,
@@ -150,7 +228,7 @@ export const identityProjectDALFactory = (db: TDbClient) => {
         })
         .where((qb) => {
           if (filter.identityId) {
-            void qb.where("identityId", filter.identityId);
+            void qb.where(`${TableName.IdentityProjectMembership}.identityId`, filter.identityId);
           }
         })
         .join(
@@ -168,6 +246,43 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           `${TableName.IdentityProjectMembership}.id`,
           `${TableName.IdentityProjectAdditionalPrivilege}.projectMembershipId`
         )
+
+        .leftJoin<TIdentityUniversalAuths>(
+          TableName.IdentityUniversalAuth,
+          `${TableName.Identity}.id`,
+          `${TableName.IdentityUniversalAuth}.identityId`
+        )
+        .leftJoin<TIdentityGcpAuths>(
+          TableName.IdentityGcpAuth,
+          `${TableName.Identity}.id`,
+          `${TableName.IdentityGcpAuth}.identityId`
+        )
+        .leftJoin<TIdentityAwsAuths>(
+          TableName.IdentityAwsAuth,
+          `${TableName.Identity}.id`,
+          `${TableName.IdentityAwsAuth}.identityId`
+        )
+        .leftJoin<TIdentityKubernetesAuths>(
+          TableName.IdentityKubernetesAuth,
+          `${TableName.Identity}.id`,
+          `${TableName.IdentityKubernetesAuth}.identityId`
+        )
+        .leftJoin<TIdentityOidcAuths>(
+          TableName.IdentityOidcAuth,
+          `${TableName.Identity}.id`,
+          `${TableName.IdentityOidcAuth}.identityId`
+        )
+        .leftJoin<TIdentityAzureAuths>(
+          TableName.IdentityAzureAuth,
+          `${TableName.Identity}.id`,
+          `${TableName.IdentityAzureAuth}.identityId`
+        )
+        .leftJoin<TIdentityTokenAuths>(
+          TableName.IdentityTokenAuth,
+          `${TableName.Identity}.id`,
+          `${TableName.IdentityTokenAuth}.identityId`
+        )
+
         .select(
           db.ref("id").withSchema(TableName.IdentityProjectMembership),
           db.ref("createdAt").withSchema(TableName.IdentityProjectMembership),
@@ -186,7 +301,14 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           db.ref("temporaryRange").withSchema(TableName.IdentityProjectMembershipRole),
           db.ref("temporaryAccessStartTime").withSchema(TableName.IdentityProjectMembershipRole),
           db.ref("temporaryAccessEndTime").withSchema(TableName.IdentityProjectMembershipRole),
-          db.ref("name").as("projectName").withSchema(TableName.Project)
+          db.ref("name").as("projectName").withSchema(TableName.Project),
+          db.ref("id").as("uaId").withSchema(TableName.IdentityUniversalAuth),
+          db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
+          db.ref("id").as("awsId").withSchema(TableName.IdentityAwsAuth),
+          db.ref("id").as("kubernetesId").withSchema(TableName.IdentityKubernetesAuth),
+          db.ref("id").as("oidcId").withSchema(TableName.IdentityOidcAuth),
+          db.ref("id").as("azureId").withSchema(TableName.IdentityAzureAuth),
+          db.ref("id").as("tokenId").withSchema(TableName.IdentityTokenAuth)
         );
 
       // TODO: scott - joins seem to reorder identities so need to order again, for the sake of urgency will optimize at a later point
@@ -204,7 +326,21 @@ export const identityProjectDALFactory = (db: TDbClient) => {
 
       const members = sqlNestRelationships({
         data: docs,
-        parentMapper: ({ identityId, identityName, identityAuthMethod, id, createdAt, updatedAt, projectName }) => ({
+        parentMapper: ({
+          identityId,
+          identityName,
+          uaId,
+          awsId,
+          gcpId,
+          kubernetesId,
+          oidcId,
+          azureId,
+          tokenId,
+          id,
+          createdAt,
+          updatedAt,
+          projectName
+        }) => ({
           id,
           identityId,
           createdAt,
@@ -212,7 +348,15 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           identity: {
             id: identityId,
             name: identityName,
-            authMethod: identityAuthMethod
+            authMethods: buildAuthMethods({
+              uaId,
+              awsId,
+              gcpId,
+              kubernetesId,
+              oidcId,
+              azureId,
+              tokenId
+            })
           },
           project: {
             id: projectId,

backend/src/services/identity-token-auth/identity-token-auth-service.ts

@@ -11,7 +11,6 @@ import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
-import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
@@ -32,11 +31,10 @@ type TIdentityTokenAuthServiceFactoryDep = {
     TIdentityTokenAuthDALFactory,
     "transaction" | "create" | "findOne" | "updateById" | "delete"
   >;
-  identityDAL: Pick<TIdentityDALFactory, "updateById">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   identityAccessTokenDAL: Pick<
     TIdentityAccessTokenDALFactory,
-    "create" | "find" | "update" | "findById" | "findOne" | "updateById"
+    "create" | "find" | "update" | "findById" | "findOne" | "updateById" | "delete"
   >;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -46,7 +44,7 @@ export type TIdentityTokenAuthServiceFactory = ReturnType<typeof identityTokenAu
 
 export const identityTokenAuthServiceFactory = ({
   identityTokenAuthDAL,
-  identityDAL,
+  // identityDAL,
   identityOrgMembershipDAL,
   identityAccessTokenDAL,
   permissionService,
@@ -65,10 +63,12 @@ export const identityTokenAuthServiceFactory = ({
   }: TAttachTokenAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity.authMethod)
+
+    if (identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.TOKEN_AUTH)) {
       throw new BadRequestError({
         message: "Failed to add Token Auth to already configured identity"
       });
+    }
 
     if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
       throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
@@ -112,13 +112,6 @@ export const identityTokenAuthServiceFactory = ({
         },
         tx
       );
-      await identityDAL.updateById(
-        identityMembershipOrg.identityId,
-        {
-          authMethod: IdentityAuthMethod.TOKEN_AUTH
-        },
-        tx
-      );
       return doc;
     });
     return { ...identityTokenAuth, orgId: identityMembershipOrg.orgId };
@@ -137,10 +130,12 @@ export const identityTokenAuthServiceFactory = ({
   }: TUpdateTokenAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.TOKEN_AUTH)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.TOKEN_AUTH)) {
       throw new BadRequestError({
-        message: "Failed to update Token Auth"
+        message: "The identity does not have token auth"
       });
+    }
 
     const identityTokenAuth = await identityTokenAuthDAL.findOne({ identityId });
 
@@ -197,10 +192,12 @@ export const identityTokenAuthServiceFactory = ({
   const getTokenAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetTokenAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.TOKEN_AUTH)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.TOKEN_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have Token Auth attached"
       });
+    }
 
     const identityTokenAuth = await identityTokenAuthDAL.findOne({ identityId });
 
@@ -225,10 +222,12 @@ export const identityTokenAuthServiceFactory = ({
   }: TRevokeTokenAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.TOKEN_AUTH)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.TOKEN_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have Token Auth"
       });
+    }
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -254,7 +253,11 @@ export const identityTokenAuthServiceFactory = ({
 
     const revokedIdentityTokenAuth = await identityTokenAuthDAL.transaction(async (tx) => {
       const deletedTokenAuth = await identityTokenAuthDAL.delete({ identityId }, tx);
-      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      await identityAccessTokenDAL.delete({
+        identityId,
+        authMethod: IdentityAuthMethod.TOKEN_AUTH
+      });
+
       return { ...deletedTokenAuth?.[0], orgId: identityMembershipOrg.orgId };
     });
     return revokedIdentityTokenAuth;
@@ -270,10 +273,12 @@ export const identityTokenAuthServiceFactory = ({
   }: TCreateTokenAuthTokenDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.TOKEN_AUTH)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.TOKEN_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have Token Auth"
       });
+    }
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -307,7 +312,8 @@ export const identityTokenAuthServiceFactory = ({
           accessTokenMaxTTL: identityTokenAuth.accessTokenMaxTTL,
           accessTokenNumUses: 0,
           accessTokenNumUsesLimit: identityTokenAuth.accessTokenNumUsesLimit,
-          name
+          name,
+          authMethod: IdentityAuthMethod.TOKEN_AUTH
         },
         tx
       );
@@ -344,10 +350,12 @@ export const identityTokenAuthServiceFactory = ({
   }: TGetTokenAuthTokensDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.TOKEN_AUTH)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.TOKEN_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have Token Auth"
       });
+    }
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -359,7 +367,8 @@ export const identityTokenAuthServiceFactory = ({
 
     const tokens = await identityAccessTokenDAL.find(
       {
-        identityId
+        identityId,
+        authMethod: IdentityAuthMethod.TOKEN_AUTH
       },
       { offset, limit, sort: [["updatedAt", "desc"]] }
     );
@@ -375,16 +384,21 @@ export const identityTokenAuthServiceFactory = ({
     actorAuthMethod,
     actorOrgId
   }: TUpdateTokenAuthTokenDTO) => {
-    const foundToken = await identityAccessTokenDAL.findById(tokenId);
+    const foundToken = await identityAccessTokenDAL.findOne({
+      id: tokenId,
+      authMethod: IdentityAuthMethod.TOKEN_AUTH
+    });
     if (!foundToken) throw new NotFoundError({ message: `Token with ID ${tokenId} not found` });
+
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: foundToken.identityId });
     if (!identityMembershipOrg) {
       throw new NotFoundError({ message: `Failed to find identity with ID ${foundToken.identityId}` });
     }
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.TOKEN_AUTH)
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.TOKEN_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have Token Auth"
       });
+    }
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -409,6 +423,7 @@ export const identityTokenAuthServiceFactory = ({
 
     const [token] = await identityAccessTokenDAL.update(
       {
+        authMethod: IdentityAuthMethod.TOKEN_AUTH,
         identityId: foundToken.identityId,
         id: tokenId
       },
@@ -429,7 +444,8 @@ export const identityTokenAuthServiceFactory = ({
   }: TRevokeTokenAuthTokenDTO) => {
     const identityAccessToken = await identityAccessTokenDAL.findOne({
       [`${TableName.IdentityAccessToken}.id` as "id"]: tokenId,
-      isAccessTokenRevoked: false
+      isAccessTokenRevoked: false,
+      authMethod: IdentityAuthMethod.TOKEN_AUTH
     });
     if (!identityAccessToken)
       throw new NotFoundError({
@@ -453,9 +469,15 @@ export const identityTokenAuthServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
-    const revokedToken = await identityAccessTokenDAL.updateById(identityAccessToken.id, {
-      isAccessTokenRevoked: true
-    });
+    const [revokedToken] = await identityAccessTokenDAL.update(
+      {
+        id: identityAccessToken.id,
+        authMethod: IdentityAuthMethod.TOKEN_AUTH
+      },
+      {
+        isAccessTokenRevoked: true
+      }
+    );
 
     return { revokedToken };
   };

backend/src/services/identity-ua/identity-ua-service.ts

@@ -14,7 +14,6 @@ import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedErro
 import { checkIPAgainstBlocklist, extractIPDetails, isValidIpOrCidr, TIp } from "@app/lib/ip";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
-import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
@@ -36,7 +35,6 @@ type TIdentityUaServiceFactoryDep = {
   identityUaClientSecretDAL: TIdentityUaClientSecretDALFactory;
   identityAccessTokenDAL: TIdentityAccessTokenDALFactory;
   identityOrgMembershipDAL: TIdentityOrgDALFactory;
-  identityDAL: Pick<TIdentityDALFactory, "updateById">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
@@ -48,7 +46,6 @@ export const identityUaServiceFactory = ({
   identityUaClientSecretDAL,
   identityAccessTokenDAL,
   identityOrgMembershipDAL,
-  identityDAL,
   permissionService,
   licenseService
 }: TIdentityUaServiceFactoryDep) => {
@@ -115,7 +112,8 @@ export const identityUaServiceFactory = ({
           accessTokenTTL: identityUa.accessTokenTTL,
           accessTokenMaxTTL: identityUa.accessTokenMaxTTL,
           accessTokenNumUses: 0,
-          accessTokenNumUsesLimit: identityUa.accessTokenNumUsesLimit
+          accessTokenNumUsesLimit: identityUa.accessTokenNumUsesLimit,
+          authMethod: IdentityAuthMethod.UNIVERSAL_AUTH
         },
         tx
       );
@@ -156,10 +154,12 @@ export const identityUaServiceFactory = ({
   }: TAttachUaDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity.authMethod)
+
+    if (identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.UNIVERSAL_AUTH)) {
       throw new BadRequestError({
         message: "Failed to add universal auth to already configured identity"
       });
+    }
 
     if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
       throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
@@ -221,13 +221,6 @@ export const identityUaServiceFactory = ({
         },
         tx
       );
-      await identityDAL.updateById(
-        identityMembershipOrg.identityId,
-        {
-          authMethod: IdentityAuthMethod.Univeral
-        },
-        tx
-      );
       return doc;
     });
     return { ...identityUa, orgId: identityMembershipOrg.orgId };
@@ -247,10 +240,12 @@ export const identityUaServiceFactory = ({
   }: TUpdateUaDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.UNIVERSAL_AUTH)) {
       throw new BadRequestError({
-        message: "Failed to updated universal auth"
+        message: "The identity does not have universal auth"
       });
+    }
 
     const uaIdentityAuth = await identityUaDAL.findOne({ identityId });
 
@@ -321,10 +316,12 @@ export const identityUaServiceFactory = ({
   const getIdentityUniversalAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetUaDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.UNIVERSAL_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have universal auth"
       });
+    }
 
     const uaIdentityAuth = await identityUaDAL.findOne({ identityId });
 
@@ -348,10 +345,12 @@ export const identityUaServiceFactory = ({
   }: TRevokeUaDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.UNIVERSAL_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have universal auth"
       });
+    }
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -375,7 +374,6 @@ export const identityUaServiceFactory = ({
 
     const revokedIdentityUniversalAuth = await identityUaDAL.transaction(async (tx) => {
       const deletedUniversalAuth = await identityUaDAL.delete({ identityId }, tx);
-      await identityDAL.updateById(identityId, { authMethod: null }, tx);
       return { ...deletedUniversalAuth?.[0], orgId: identityMembershipOrg.orgId };
     });
     return revokedIdentityUniversalAuth;
@@ -393,10 +391,13 @@ export const identityUaServiceFactory = ({
   }: TCreateUaClientSecretDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.UNIVERSAL_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have universal auth"
       });
+    }
+
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -422,12 +423,11 @@ export const identityUaServiceFactory = ({
     const appCfg = getConfig();
     const clientSecret = crypto.randomBytes(32).toString("hex");
     const clientSecretHash = await bcrypt.hash(clientSecret, appCfg.SALT_ROUNDS);
-    const identityUniversalAuth = await identityUaDAL.findOne({
-      identityId
-    });
+
+    const identityUaAuth = await identityUaDAL.findOne({ identityId: identityMembershipOrg.identityId });
 
     const identityUaClientSecret = await identityUaClientSecretDAL.create({
-      identityUAId: identityUniversalAuth.id,
+      identityUAId: identityUaAuth.id,
       description,
       clientSecretPrefix: clientSecret.slice(0, 4),
       clientSecretHash,
@@ -439,7 +439,6 @@ export const identityUaServiceFactory = ({
     return {
       clientSecret,
       clientSecretData: identityUaClientSecret,
-      uaAuth: identityUniversalAuth,
       orgId: identityMembershipOrg.orgId
     };
   };
@@ -453,10 +452,12 @@ export const identityUaServiceFactory = ({
   }: TGetUaClientSecretsDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.UNIVERSAL_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have universal auth"
       });
+    }
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -500,10 +501,13 @@ export const identityUaServiceFactory = ({
   }: TGetUniversalAuthClientSecretByIdDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.UNIVERSAL_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have universal auth"
       });
+    }
+
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -539,10 +543,13 @@ export const identityUaServiceFactory = ({
   }: TRevokeUaClientSecretDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.UNIVERSAL_AUTH)) {
       throw new BadRequestError({
         message: "The identity does not have universal auth"
       });
+    }
+
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,

backend/src/services/identity/identity-fns.ts

@@ -0,0 +1,29 @@
+import { IdentityAuthMethod } from "@app/db/schemas";
+
+export const buildAuthMethods = ({
+  uaId,
+  gcpId,
+  awsId,
+  kubernetesId,
+  oidcId,
+  azureId,
+  tokenId
+}: {
+  uaId?: string;
+  gcpId?: string;
+  awsId?: string;
+  kubernetesId?: string;
+  oidcId?: string;
+  azureId?: string;
+  tokenId?: string;
+}) => {
+  return [
+    ...[uaId ? IdentityAuthMethod.UNIVERSAL_AUTH : null],
+    ...[gcpId ? IdentityAuthMethod.GCP_AUTH : null],
+    ...[awsId ? IdentityAuthMethod.AWS_AUTH : null],
+    ...[kubernetesId ? IdentityAuthMethod.KUBERNETES_AUTH : null],
+    ...[oidcId ? IdentityAuthMethod.OIDC_AUTH : null],
+    ...[azureId ? IdentityAuthMethod.AZURE_AUTH : null],
+    ...[tokenId ? IdentityAuthMethod.TOKEN_AUTH : null]
+  ].filter((authMethod) => authMethod) as IdentityAuthMethod[];
+};

backend/src/services/identity/identity-org-dal.ts

@@ -1,12 +1,25 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { TableName, TIdentityOrgMemberships, TOrgRoles } from "@app/db/schemas";
+import {
+  TableName,
+  TIdentityAwsAuths,
+  TIdentityAzureAuths,
+  TIdentityGcpAuths,
+  TIdentityKubernetesAuths,
+  TIdentityOidcAuths,
+  TIdentityOrgMemberships,
+  TIdentityTokenAuths,
+  TIdentityUniversalAuths,
+  TOrgRoles
+} from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
 import { OrgIdentityOrderBy, TListOrgIdentitiesByOrgIdDTO } from "@app/services/identity/identity-types";
 
+import { buildAuthMethods } from "./identity-fns";
+
 export type TIdentityOrgDALFactory = ReturnType<typeof identityOrgDALFactory>;
 
 export const identityOrgDALFactory = (db: TDbClient) => {
@@ -15,14 +28,73 @@ export const identityOrgDALFactory = (db: TDbClient) => {
   const findOne = async (filter: Partial<TIdentityOrgMemberships>, tx?: Knex) => {
     try {
       const [data] = await (tx || db.replicaNode())(TableName.IdentityOrgMembership)
-        .where(filter)
+        .where((queryBuilder) => {
+          Object.entries(filter).forEach(([key, value]) => {
+            void queryBuilder.where(`${TableName.IdentityOrgMembership}.${key}`, value);
+          });
+        })
         .join(TableName.Identity, `${TableName.IdentityOrgMembership}.identityId`, `${TableName.Identity}.id`)
-        .select(selectAllTableCols(TableName.IdentityOrgMembership))
-        .select(db.ref("name").withSchema(TableName.Identity))
-        .select(db.ref("authMethod").withSchema(TableName.Identity));
+
+        .leftJoin<TIdentityUniversalAuths>(
+          TableName.IdentityUniversalAuth,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.IdentityUniversalAuth}.identityId`
+        )
+        .leftJoin<TIdentityGcpAuths>(
+          TableName.IdentityGcpAuth,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.IdentityGcpAuth}.identityId`
+        )
+        .leftJoin<TIdentityAwsAuths>(
+          TableName.IdentityAwsAuth,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.IdentityAwsAuth}.identityId`
+        )
+        .leftJoin<TIdentityKubernetesAuths>(
+          TableName.IdentityKubernetesAuth,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.IdentityKubernetesAuth}.identityId`
+        )
+        .leftJoin<TIdentityOidcAuths>(
+          TableName.IdentityOidcAuth,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.IdentityOidcAuth}.identityId`
+        )
+        .leftJoin<TIdentityAzureAuths>(
+          TableName.IdentityAzureAuth,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.IdentityAzureAuth}.identityId`
+        )
+        .leftJoin<TIdentityTokenAuths>(
+          TableName.IdentityTokenAuth,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.IdentityTokenAuth}.identityId`
+        )
+
+        .select(
+          selectAllTableCols(TableName.IdentityOrgMembership),
+
+          db.ref("id").as("uaId").withSchema(TableName.IdentityUniversalAuth),
+          db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
+          db.ref("id").as("awsId").withSchema(TableName.IdentityAwsAuth),
+          db.ref("id").as("kubernetesId").withSchema(TableName.IdentityKubernetesAuth),
+          db.ref("id").as("oidcId").withSchema(TableName.IdentityOidcAuth),
+          db.ref("id").as("azureId").withSchema(TableName.IdentityAzureAuth),
+          db.ref("id").as("tokenId").withSchema(TableName.IdentityTokenAuth),
+
+          db.ref("name").withSchema(TableName.Identity)
+        );
+
       if (data) {
-        const { name, authMethod } = data;
-        return { ...data, identity: { id: data.identityId, name, authMethod } };
+        const { name } = data;
+        return {
+          ...data,
+          identity: {
+            id: data.identityId,
+            name,
+            authMethods: buildAuthMethods(data)
+          }
+        };
       }
     } catch (error) {
       throw new DatabaseError({ error, name: "FindOne" });
@@ -51,8 +123,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
         .orderBy(`${TableName.Identity}.${orderBy}`, orderDirection)
         .select(
           selectAllTableCols(TableName.IdentityOrgMembership),
-          db.ref("name").withSchema(TableName.Identity).as("identityName"),
-          db.ref("authMethod").withSchema(TableName.Identity).as("identityAuthMethod")
+          db.ref("name").withSchema(TableName.Identity).as("identityName")
         )
         .where(filter)
         .as("paginatedIdentity");
@@ -70,11 +141,49 @@ export const identityOrgDALFactory = (db: TDbClient) => {
       const query = (tx || db.replicaNode())
         .from<TSubquery[number], TSubquery>(paginatedIdentity)
         .leftJoin<TOrgRoles>(TableName.OrgRoles, `paginatedIdentity.roleId`, `${TableName.OrgRoles}.id`)
+
         .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
           void queryBuilder
             .on(`paginatedIdentity.identityId`, `${TableName.IdentityMetadata}.identityId`)
             .andOn(`paginatedIdentity.orgId`, `${TableName.IdentityMetadata}.orgId`);
         })
+
+        .leftJoin<TIdentityUniversalAuths>(
+          TableName.IdentityUniversalAuth,
+          "paginatedIdentity.identityId",
+          `${TableName.IdentityUniversalAuth}.identityId`
+        )
+        .leftJoin<TIdentityGcpAuths>(
+          TableName.IdentityGcpAuth,
+          "paginatedIdentity.identityId",
+          `${TableName.IdentityGcpAuth}.identityId`
+        )
+        .leftJoin<TIdentityAwsAuths>(
+          TableName.IdentityAwsAuth,
+          "paginatedIdentity.identityId",
+          `${TableName.IdentityAwsAuth}.identityId`
+        )
+        .leftJoin<TIdentityKubernetesAuths>(
+          TableName.IdentityKubernetesAuth,
+          "paginatedIdentity.identityId",
+          `${TableName.IdentityKubernetesAuth}.identityId`
+        )
+        .leftJoin<TIdentityOidcAuths>(
+          TableName.IdentityOidcAuth,
+          "paginatedIdentity.identityId",
+          `${TableName.IdentityOidcAuth}.identityId`
+        )
+        .leftJoin<TIdentityAzureAuths>(
+          TableName.IdentityAzureAuth,
+          "paginatedIdentity.identityId",
+          `${TableName.IdentityAzureAuth}.identityId`
+        )
+        .leftJoin<TIdentityTokenAuths>(
+          TableName.IdentityTokenAuth,
+          "paginatedIdentity.identityId",
+          `${TableName.IdentityTokenAuth}.identityId`
+        )
+
         .select(
           db.ref("id").withSchema("paginatedIdentity"),
           db.ref("role").withSchema("paginatedIdentity"),
@@ -82,9 +191,16 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           db.ref("orgId").withSchema("paginatedIdentity"),
           db.ref("createdAt").withSchema("paginatedIdentity"),
           db.ref("updatedAt").withSchema("paginatedIdentity"),
-          db.ref("identityId").withSchema("paginatedIdentity"),
+          db.ref("identityId").withSchema("paginatedIdentity").as("identityId"),
           db.ref("identityName").withSchema("paginatedIdentity"),
-          db.ref("identityAuthMethod").withSchema("paginatedIdentity")
+
+          db.ref("id").as("uaId").withSchema(TableName.IdentityUniversalAuth),
+          db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
+          db.ref("id").as("awsId").withSchema(TableName.IdentityAwsAuth),
+          db.ref("id").as("kubernetesId").withSchema(TableName.IdentityKubernetesAuth),
+          db.ref("id").as("oidcId").withSchema(TableName.IdentityOidcAuth),
+          db.ref("id").as("azureId").withSchema(TableName.IdentityAzureAuth),
+          db.ref("id").as("tokenId").withSchema(TableName.IdentityTokenAuth)
         )
         // cr stands for custom role
         .select(db.ref("id").as("crId").withSchema(TableName.OrgRoles))
@@ -114,11 +230,17 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           crName,
           identityId,
           identityName,
-          identityAuthMethod,
           role,
           roleId,
           id,
           orgId,
+          uaId,
+          awsId,
+          gcpId,
+          kubernetesId,
+          oidcId,
+          azureId,
+          tokenId,
           createdAt,
           updatedAt
         }) => ({
@@ -126,6 +248,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           roleId,
           identityId,
           id,
+
           orgId,
           createdAt,
           updatedAt,
@@ -141,7 +264,15 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           identity: {
             id: identityId,
             name: identityName,
-            authMethod: identityAuthMethod as string
+            authMethods: buildAuthMethods({
+              uaId,
+              awsId,
+              gcpId,
+              kubernetesId,
+              oidcId,
+              azureId,
+              tokenId
+            })
           }
         }),
         childrenMapper: [

backend/src/services/identity/identity-service.ts

@@ -93,7 +93,7 @@ export const identityServiceFactory = ({
           tx
         );
       }
-      return newIdentity;
+      return { ...newIdentity, authMethods: [] };
     });
     await licenseService.updateSubscriptionOrgMemberCount(orgId);
 

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -2540,9 +2540,9 @@ const syncSecretsAzureDevops = async ({
 
   const { groupId, groupName } = await getEnvGroupId(integration.app, integration.appId, integration.environment.name);
 
-  const variables: Record<string, { value: string }> = {};
+  const variables: Record<string, { value: string; isSecret: boolean }> = {};
   for (const key of Object.keys(secrets)) {
-    variables[key] = { value: secrets[key].value };
+    variables[key] = { value: secrets[key].value, isSecret: true };
   }
 
   if (!groupId) {

backend/src/services/org/org-service.ts

@@ -291,7 +291,7 @@ export const orgServiceFactory = ({
     }
 
     if (authEnforced !== undefined) {
-      if (!plan?.samlSSO || !plan.oidcSSO)
+      if (!plan?.samlSSO && !plan.oidcSSO)
         throw new BadRequestError({
           message: "Failed to enforce/un-enforce SSO due to plan restriction. Upgrade plan to enforce/un-enforce SSO."
         });

backend/src/services/secret-folder/secret-folder-dal.ts

@@ -8,6 +8,8 @@ import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
+import { TFindFoldersDeepByParentIdsDTO } from "./secret-folder-types";
+
 export const validateFolderName = (folderName: string) => {
   const validNameRegex = /^[a-zA-Z0-9-_]+$/;
   return validNameRegex.test(folderName);
@@ -444,6 +446,48 @@ export const secretFolderDALFactory = (db: TDbClient) => {
     }
   };
 
+  const findByEnvsDeep = async ({ parentIds }: TFindFoldersDeepByParentIdsDTO, tx?: Knex) => {
+    try {
+      const folders = await (tx || db.replicaNode())
+        .withRecursive("parents", (qb) =>
+          qb
+            .select(
+              selectAllTableCols(TableName.SecretFolder),
+              db.raw("0 as depth"),
+              db.raw(`'/' as path`),
+              db.ref(`${TableName.Environment}.slug`).as("environment")
+            )
+            .from(TableName.SecretFolder)
+            .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+            .whereIn(`${TableName.SecretFolder}.id`, parentIds)
+            .union((un) => {
+              void un
+                .select(
+                  selectAllTableCols(TableName.SecretFolder),
+                  db.raw("parents.depth + 1 as depth"),
+                  db.raw(
+                    `CONCAT(
+                        CASE WHEN parents.path = '/' THEN '' ELSE parents.path END, 
+                        CASE WHEN  ${TableName.SecretFolder}."parentId" is NULL THEN '' ELSE CONCAT('/', secret_folders.name) END
+                    )`
+                  ),
+                  db.ref("parents.environment")
+                )
+                .from(TableName.SecretFolder)
+                .join("parents", `${TableName.SecretFolder}.parentId`, "parents.id");
+            })
+        )
+        .select<(TSecretFolders & { path: string; depth: number; environment: string })[]>("*")
+        .from("parents")
+        .orderBy("depth")
+        .orderBy(`name`);
+
+      return folders;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindByEnvsDeep" });
+    }
+  };
+
   return {
     ...secretFolderOrm,
     update,
@@ -454,6 +498,7 @@ export const secretFolderDALFactory = (db: TDbClient) => {
     findSecretPathByFolderIds,
     findClosestFolder,
     findByProjectId,
-    findByMultiEnv
+    findByMultiEnv,
+    findByEnvsDeep
   };
 };

backend/src/services/secret-folder/secret-folder-service.ts

@@ -7,7 +7,7 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { OrderByDirection } from "@app/lib/types";
+import { OrderByDirection, ProjectServiceActor } from "@app/lib/types";
 
 import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
@@ -17,6 +17,7 @@ import {
   TDeleteFolderDTO,
   TGetFolderByIdDTO,
   TGetFolderDTO,
+  TGetFoldersDeepByEnvsDTO,
   TUpdateFolderDTO,
   TUpdateManyFoldersDTO
 } from "./secret-folder-types";
@@ -511,6 +512,30 @@ export const secretFolderServiceFactory = ({
     };
   };
 
+  const getFoldersDeepByEnvs = async (
+    { projectId, environments, secretPath }: TGetFoldersDeepByEnvsDTO,
+    actor: ProjectServiceActor
+  ) => {
+    // folder list is allowed to be read by anyone
+    // permission to check does user have access
+    await permissionService.getProjectPermission(actor.type, actor.id, projectId, actor.authMethod, actor.orgId);
+
+    const envs = await projectEnvDAL.findBySlugs(projectId, environments);
+
+    if (!envs.length)
+      throw new NotFoundError({
+        message: `Environments '${environments.join(", ")}' not found`,
+        name: "GetFoldersDeep"
+      });
+
+    const parentFolders = await folderDAL.findBySecretPathMultiEnv(projectId, environments, secretPath);
+    if (!parentFolders.length) return [];
+
+    const folders = await folderDAL.findByEnvsDeep({ parentIds: parentFolders.map((parent) => parent.id) });
+
+    return folders;
+  };
+
   return {
     createFolder,
     updateFolder,
@@ -519,6 +544,7 @@ export const secretFolderServiceFactory = ({
     getFolders,
     getFolderById,
     getProjectFolderCount,
-    getFoldersMultiEnv
+    getFoldersMultiEnv,
+    getFoldersDeepByEnvs
   };
 };

backend/src/services/secret-folder/secret-folder-types.ts

@@ -47,3 +47,13 @@ export type TGetFolderDTO = {
 export type TGetFolderByIdDTO = {
   id: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TGetFoldersDeepByEnvsDTO = {
+  projectId: string;
+  environments: string[];
+  secretPath: string;
+};
+
+export type TFindFoldersDeepByParentIdsDTO = {
+  parentIds: string[];
+};

backend/src/services/secret-sharing/secret-sharing-service.ts

@@ -272,11 +272,11 @@ export const secretSharingServiceFactory = ({
       ? await secretSharingDAL.findById(sharedSecretId)
       : await secretSharingDAL.findOne({ identifier: sharedSecretId });
 
-    const deletedSharedSecret = await secretSharingDAL.deleteById(sharedSecretId);
-
     if (sharedSecret.orgId && sharedSecret.orgId !== orgId)
       throw new ForbiddenRequestError({ message: "User does not have permission to delete shared secret" });
 
+    const deletedSharedSecret = await secretSharingDAL.deleteById(sharedSecretId);
+
     return deletedSharedSecret;
   };
 

backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts

@@ -14,6 +14,7 @@ import {
 } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
+import { TFindSecretsByFolderIdsFilter } from "@app/services/secret-v2-bridge/secret-v2-bridge-types";
 
 export type TSecretV2BridgeDALFactory = ReturnType<typeof secretV2BridgeDALFactory>;
 
@@ -339,14 +340,7 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
     folderIds: string[],
     userId?: string,
     tx?: Knex,
-    filters?: {
-      limit?: number;
-      offset?: number;
-      orderBy?: SecretsOrderBy;
-      orderDirection?: OrderByDirection;
-      search?: string;
-      tagSlugs?: string[];
-    }
+    filters?: TFindSecretsByFolderIdsFilter
   ) => {
     try {
       // check if not uui then userId id is null (corner case because service token's ID is not UUI in effort to keep backwards compatibility from mongo)
@@ -356,14 +350,20 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
       }
 
       const query = (tx || db.replicaNode())(TableName.SecretV2)
-        .whereIn("folderId", folderIds)
+        .whereIn(`${TableName.SecretV2}.folderId`, folderIds)
         .where((bd) => {
           if (filters?.search) {
-            void bd.whereILike("key", `%${filters?.search}%`);
+            if (filters?.includeTagsInSearch) {
+              void bd
+                .whereILike(`${TableName.SecretV2}.key`, `%${filters?.search}%`)
+                .orWhereILike(`${TableName.SecretTag}.slug`, `%${filters?.search}%`);
+            } else {
+              void bd.whereILike(`${TableName.SecretV2}.key`, `%${filters?.search}%`);
+            }
           }
         })
         .where((bd) => {
-          void bd.whereNull("userId").orWhere({ userId: userId || null });
+          void bd.whereNull(`${TableName.SecretV2}.userId`).orWhere({ userId: userId || null });
         })
         .leftJoin(
           TableName.SecretV2JnTag,
@@ -385,7 +385,7 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
         .where((bd) => {
           const slugs = filters?.tagSlugs?.filter(Boolean);
           if (slugs && slugs.length > 0) {
-            void bd.whereIn("slug", slugs);
+            void bd.whereIn(`${TableName.SecretTag}.slug`, slugs);
           }
         })
         .orderBy(

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@@ -43,6 +43,7 @@ import {
   TGetASecretDTO,
   TGetSecretReferencesTreeDTO,
   TGetSecretsDTO,
+  TGetSecretsRawByFolderMappingsDTO,
   TGetSecretVersionsDTO,
   TMoveSecretsDTO,
   TSecretReference,
@@ -652,6 +653,56 @@ export const secretV2BridgeServiceFactory = ({
     return count;
   };
 
+  const getSecretsByFolderMappings = async (
+    { projectId, userId, filters, folderMappings }: TGetSecretsRawByFolderMappingsDTO,
+    projectPermission: Awaited<ReturnType<typeof permissionService.getProjectPermission>>["permission"]
+  ) => {
+    const groupedFolderMappings = groupBy(folderMappings, (folderMapping) => folderMapping.folderId);
+
+    const secrets = await secretDAL.findByFolderIds(
+      folderMappings.map((folderMapping) => folderMapping.folderId),
+      userId,
+      undefined,
+      filters
+    );
+
+    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId
+    });
+
+    const decryptedSecrets = secrets
+      .filter((el) =>
+        projectPermission.can(
+          ProjectPermissionActions.Read,
+          subject(ProjectPermissionSub.Secrets, {
+            environment: groupedFolderMappings[el.folderId][0].environment,
+            secretPath: groupedFolderMappings[el.folderId][0].path,
+            secretName: el.key,
+            secretTags: el.tags.map((i) => i.slug)
+          })
+        )
+      )
+      .map((secret) =>
+        reshapeBridgeSecret(
+          projectId,
+          groupedFolderMappings[secret.folderId][0].environment,
+          groupedFolderMappings[secret.folderId][0].path,
+          {
+            ...secret,
+            value: secret.encryptedValue
+              ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedValue }).toString()
+              : "",
+            comment: secret.encryptedComment
+              ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedComment }).toString()
+              : ""
+          }
+        )
+      );
+
+    return decryptedSecrets;
+  };
+
   // get secrets for multiple envs
   const getSecretsMultiEnv = async ({
     actorId,
@@ -678,59 +729,28 @@ export const secretV2BridgeServiceFactory = ({
       ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
     }
 
-    let paths: { folderId: string; path: string; environment: string }[] = [];
-
     const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environments, path);
 
     if (!folders.length) {
       return [];
     }
 
-    paths = folders.map((folder) => ({ folderId: folder.id, path, environment: folder.environment.slug }));
+    const folderMappings = folders.map((folder) => ({
+      folderId: folder.id,
+      path,
+      environment: folder.environment.slug
+    }));
 
-    const groupedPaths = groupBy(paths, (p) => p.folderId);
-
-    const secrets = await secretDAL.findByFolderIds(
-      paths.map((p) => p.folderId),
-      actorId,
-      undefined,
-      params
+    const decryptedSecrets = await getSecretsByFolderMappings(
+      {
+        projectId,
+        folderMappings,
+        filters: params,
+        userId: actorId
+      },
+      permission
     );
 
-    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.SecretManager,
-      projectId
-    });
-
-    const decryptedSecrets = secrets
-      .filter((el) =>
-        permission.can(
-          ProjectPermissionActions.Read,
-          subject(ProjectPermissionSub.Secrets, {
-            environment: groupedPaths[el.folderId][0].environment,
-            secretPath: groupedPaths[el.folderId][0].path,
-            secretName: el.key,
-            secretTags: el.tags.map((i) => i.slug)
-          })
-        )
-      )
-      .map((secret) =>
-        reshapeBridgeSecret(
-          projectId,
-          groupedPaths[secret.folderId][0].environment,
-          groupedPaths[secret.folderId][0].path,
-          {
-            ...secret,
-            value: secret.encryptedValue
-              ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedValue }).toString()
-              : "",
-            comment: secret.encryptedComment
-              ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedComment }).toString()
-              : ""
-          }
-        )
-      );
-
     return decryptedSecrets;
   };
 
@@ -2027,6 +2047,7 @@ export const secretV2BridgeServiceFactory = ({
     getSecretsCount,
     getSecretsCountMultiEnv,
     getSecretsMultiEnv,
-    getSecretReferenceTree
+    getSecretReferenceTree,
+    getSecretsByFolderMappings
   };
 };

backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts

@@ -285,3 +285,20 @@ export type TGetSecretReferencesTreeDTO = {
   environment: string;
   secretPath: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TFindSecretsByFolderIdsFilter = {
+  limit?: number;
+  offset?: number;
+  orderBy?: SecretsOrderBy;
+  orderDirection?: OrderByDirection;
+  search?: string;
+  tagSlugs?: string[];
+  includeTagsInSearch?: boolean;
+};
+
+export type TGetSecretsRawByFolderMappingsDTO = {
+  projectId: string;
+  folderMappings: { folderId: string; path: string; environment: string }[];
+  userId: string;
+  filters: TFindSecretsByFolderIdsFilter;
+};

backend/src/services/secret/secret-service.ts

@@ -27,6 +27,8 @@ import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/
 import { groupBy, pick } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { ProjectServiceActor } from "@app/lib/types";
+import { TGetSecretsRawByFolderMappingsDTO } from "@app/services/secret-v2-bridge/secret-v2-bridge-types";
 
 import { ActorType } from "../auth/auth-type";
 import { TProjectDALFactory } from "../project/project-dal";
@@ -2845,6 +2847,27 @@ export const secretServiceFactory = ({
     return { message: "Migrating project to new KMS architecture" };
   };
 
+  const getSecretsRawByFolderMappings = async (
+    params: Omit<TGetSecretsRawByFolderMappingsDTO, "userId">,
+    actor: ProjectServiceActor
+  ) => {
+    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(params.projectId);
+
+    if (!shouldUseSecretV2Bridge) throw new BadRequestError({ message: "Project version not supported" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      params.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    const secrets = secretV2BridgeService.getSecretsByFolderMappings({ ...params, userId: actor.id }, permission);
+
+    return secrets;
+  };
+
   return {
     attachTags,
     detachTags,
@@ -2871,6 +2894,7 @@ export const secretServiceFactory = ({
     getSecretsCount,
     getSecretsCountMultiEnv,
     getSecretsRawMultiEnv,
-    getSecretReferenceTree
+    getSecretReferenceTree,
+    getSecretsRawByFolderMappings
   };
 };

backend/src/services/super-admin/super-admin-dal.ts

@@ -14,9 +14,31 @@ export const superAdminDALFactory = (db: TDbClient) => {
     const config = await (tx || db)(TableName.SuperAdmin)
       .where(`${TableName.SuperAdmin}.id`, id)
       .leftJoin(TableName.Organization, `${TableName.SuperAdmin}.defaultAuthOrgId`, `${TableName.Organization}.id`)
+      .leftJoin(TableName.SamlConfig, (qb) => {
+        qb.on(`${TableName.SamlConfig}.orgId`, "=", `${TableName.Organization}.id`).andOn(
+          `${TableName.SamlConfig}.isActive`,
+          "=",
+          db.raw("true")
+        );
+      })
+      .leftJoin(TableName.OidcConfig, (qb) => {
+        qb.on(`${TableName.OidcConfig}.orgId`, "=", `${TableName.Organization}.id`).andOn(
+          `${TableName.OidcConfig}.isActive`,
+          "=",
+          db.raw("true")
+        );
+      })
       .select(
         db.ref("*").withSchema(TableName.SuperAdmin) as unknown as keyof TSuperAdmin,
-        db.ref("slug").withSchema(TableName.Organization).as("defaultAuthOrgSlug")
+        db.ref("slug").withSchema(TableName.Organization).as("defaultAuthOrgSlug"),
+        db.ref("authEnforced").withSchema(TableName.Organization).as("defaultAuthOrgAuthEnforced"),
+        db.raw(`
+            CASE 
+              WHEN ${TableName.SamlConfig}."orgId" IS NOT NULL THEN 'saml'
+              WHEN ${TableName.OidcConfig}."orgId" IS NOT NULL THEN 'oidc'
+              ELSE NULL
+            END as "defaultAuthOrgAuthMethod"
+        `)
       )
       .first();
 
@@ -27,7 +49,11 @@ export const superAdminDALFactory = (db: TDbClient) => {
     return {
       ...config,
       defaultAuthOrgSlug: config?.defaultAuthOrgSlug || null
-    } as TSuperAdmin & { defaultAuthOrgSlug: string | null };
+    } as TSuperAdmin & {
+      defaultAuthOrgSlug: string | null;
+      defaultAuthOrgAuthEnforced?: boolean | null;
+      defaultAuthOrgAuthMethod?: string | null;
+    };
   };
 
   const updateById = async (id: string, data: TSuperAdminUpdate, tx?: Knex) => {

backend/src/services/super-admin/super-admin-service.ts

@@ -29,7 +29,13 @@ type TSuperAdminServiceFactoryDep = {
 export type TSuperAdminServiceFactory = ReturnType<typeof superAdminServiceFactory>;
 
 // eslint-disable-next-line
-export let getServerCfg: () => Promise<TSuperAdmin & { defaultAuthOrgSlug: string | null }>;
+export let getServerCfg: () => Promise<
+  TSuperAdmin & {
+    defaultAuthOrgSlug: string | null;
+    defaultAuthOrgAuthEnforced?: boolean | null;
+    defaultAuthOrgAuthMethod?: string | null;
+  }
+>;
 
 const ADMIN_CONFIG_KEY = "infisical-admin-cfg";
 const ADMIN_CONFIG_KEY_EXP = 60; // 60s

backend/src/services/telemetry/telemetry-queue.ts

@@ -48,7 +48,7 @@ export const telemetryQueueServiceFactory = ({
     await keyStore.deleteItem(TELEMETRY_SECRET_OPERATIONS_KEY);
   });
 
-  // every day at midnight a telemetry job executes on self hosted
+  // every day at midnight a telemetry job executes on self-hosted instances
   // this sends some telemetry information like instance id secrets operated etc
   const startTelemetryCheck = async () => {
     // this is a fast way to check its cloud or not

backend/src/services/telemetry/telemetry-service.ts

@@ -62,7 +62,7 @@ To opt into telemetry, you can set "TELEMETRY_ENABLED=true" within the environme
   const sendPostHogEvents = async (event: TPostHogEvent) => {
     if (postHog) {
       const instanceType = licenseService.getInstanceType();
-      // capture posthog only when its cloud or signup event happens in self hosted
+      // capture posthog only when its cloud or signup event happens in self-hosted
       if (instanceType === InstanceType.Cloud || event.event === PostHogEventTypes.UserSignedUp) {
         postHog.capture({
           event: event.event,

cli/packages/api/api.go

@@ -429,7 +429,7 @@ func CallGetRawSecretsV3(httpClient *resty.Client, request GetRawSecretsV3Reques
 		(strings.Contains(response.String(), "bot_not_found_error") ||
 			strings.Contains(strings.ToLower(response.String()), "failed to find bot key") ||
 			strings.Contains(strings.ToLower(response.String()), "bot is not active")) {
-		return GetRawSecretsV3Response{}, fmt.Errorf(`Project with id %s is incompatible with your current CLI version. Upgrade your project by visiting the project settings page. If you're self hosting and project upgrade option isn't yet available, contact your administrator to upgrade your Infisical instance to the latest release.
+		return GetRawSecretsV3Response{}, fmt.Errorf(`Project with id %s is incompatible with your current CLI version. Upgrade your project by visiting the project settings page. If you're self-hosting and project upgrade option isn't yet available, contact your administrator to upgrade your Infisical instance to the latest release.
 		`, request.WorkspaceId)
 	}
 

cli/packages/cmd/login.go

@@ -236,7 +236,7 @@ var loginCmd = &cobra.Command{
 
 			}
 
-			//prompt user to select domain between Infisical cloud and self hosting
+			//prompt user to select domain between Infisical cloud and self-hosting
 			if domainQuery {
 				err = askForDomain()
 				if err != nil {
@@ -528,11 +528,11 @@ func DomainOverridePrompt() (bool, error) {
 
 func askForDomain() error {
 
-	// query user to choose between Infisical cloud or self hosting
+	// query user to choose between Infisical cloud or self-hosting
 	const (
 		INFISICAL_CLOUD_US = "Infisical Cloud (US Region)"
 		INFISICAL_CLOUD_EU = "Infisical Cloud (EU Region)"
-		SELF_HOSTING       = "Self Hosting"
+		SELF_HOSTING       = "Self-Hosting"
 		ADD_NEW_DOMAIN     = "Add a new domain"
 	)
 
@@ -609,7 +609,7 @@ func askForDomain() error {
 		return err
 	}
 
-	// Trimmed the '/' from the end of the self hosting url, and set the api & login url
+	// Trimmed the '/' from the end of the self-hosting url, and set the api & login url
 	domain = strings.TrimRight(domain, "/")
 	config.INFISICAL_URL = fmt.Sprintf("%s/api", domain)
 	config.INFISICAL_LOGIN_URL = fmt.Sprintf("%s/login", domain)

docs/cli/usage.mdx

@@ -167,7 +167,7 @@ For security and privacy concerns, we recommend you to configure your terminal t
 
     #### Method 2: Export environment variable
 
-    You can point the CLI to the self hosted Infisical instance by exporting the environment variable `INFISICAL_API_URL` in your terminal.
+    You can point the CLI to the self-hosted Infisical instance by exporting the environment variable `INFISICAL_API_URL` in your terminal.
 
     <Tabs>
     <Tab title="Linux/MacOs">
@@ -197,7 +197,7 @@ For security and privacy concerns, we recommend you to configure your terminal t
 
 #### Method 3: Set manually on every command
 
-Another option to point the CLI to your self hosted Infisical instance is to set it via a flag on every command you run.
+Another option to point the CLI to your self-hosted Infisical instance is to set it via a flag on every command you run.
 
 ```bash
 # Example

docs/documentation/guides/organization-structure.mdx

@@ -0,0 +1,71 @@
+---
+title: "Infisical Organizational Structure Blueprint"
+sidebarTitle: "Organization Structure"
+description: "Learn how to structure your projects, secrets, and other resources within Infisical."
+---
+
+Infisical is designed to provide comprehensive, centralized, and efficient management of secrets, certificates, and encryption keys within organizations. Below is an overview of Infisical's structured components, which developers and administrators can leverage for optimal project management and security posture.
+
+### 1. Projects
+
+- **Definition and Role**: [Projects](/documentation/platform/project) are the highest-level construct within an [organization](/documentation/platform/organization) in Infisical. They serve as the primary container for all functionalities.
+- **Correspondence to Code Repositories**: Projects typically align with specific code repositories.
+- **Functional Capabilities**: Each project encompasses features for managing secrets, certificates, and encryption keys, serving as the central hub for these resources.
+
+### 2. Environments
+
+- **Purpose**: Environments are designed for organizing and compartmentalizing secrets within projects.
+- **Customization Options**: Environments can be tailored to align with existing infrastructure setups of any project. Default options include **Development**, **Staging**, and **Production**.
+- **Structure**: Each environment inherently has a root level for storing secrets, but additional sub-organizations can be created through [folders](/documentation/platform/folder) for better secret management.
+
+### 3. Folders
+
+- **Use Case**: Folders are available for more advanced organizational needs, allowing logical separation of secrets.
+- **Typical Structure**: Folders can correspond to specific logical units, such as microservices or different layers of an application, providing refined control over secrets.
+
+### 4. Imports
+
+- **Purpose and Benefits**: To promote reusability and avoid redundancy, Infisical supports the use of imports. This allows secrets, folders, or entire environments to be referenced across multiple projects as needed.
+- **Best Practice**: Utilizing [secret imports](/documentation/platform/secret-reference#secret-imports) or [references](/documentation/platform/secret-reference#secret-referencing) ensures consistency and minimizes manual overhead.
+
+### 5. Approval Workflows
+
+- **Importance**: Implementing approval workflows is recommended for organizations aiming to enhance efficiency and strengthen their security posture.
+- **Types of Workflows**:
+    - **[Access Requests](/documentation/platform/pr-workflows)**: This workflow allows developers to request access to sensitive resources. Such access can be configured for temporary use, a practice known as "just-in-time" access.
+    - **[Change Requests](/documentation/platform/access-controls/access-requests)**: Facilitates reviews and approvals when changes are proposed for sensitive environments or specific folders, ensuring proper oversight.
+
+### 6. Access Controls
+
+Infisical’s access control framework is unified for both human users and machine identities, ensuring consistent management across the board.
+
+### 6.1 Roles
+
+- **2 Role Types**:
+    - **Organization-Level Roles**: Provide broad access across the organization (e.g., ability to manage billing, configure settings, etc.).
+    - **Project-Level Roles**: Essential for configuring access to specific secrets and other sensitive assets within a project.
+- **Granular Permissions**: While default roles are available, [custom roles](/documentation/platform/access-controls/role-based-access-controls#creating-custom-roles) can be created for more tailored access controls.
+- **Admin Considerations**: Note that admin users are able to access all projects. This role should be assigned judiciously to prevent unintended overreach.
+
+<Note>Project access is defined not via an organization-level role, but rather through specific project memberships of both human and machine identities. Admin roles bypass this by default. </Note>
+
+### 6.2 Additional Privileges
+
+[Additional privileges](/documentation/platform/access-controls/additional-privileges) can be assigned to users and machines on an ad-hoc basis for specific scenarios where roles alone are insufficient. If you find yourself using additional privileges too much, it is recommended to create custom roles. Additional privileges can be temporary or permanent.
+
+
+
+### 6.3 Attribute-Based Access Control (ABAC)
+
+[Attribute-based Access Controls](/documentation/platform/access-controls/attribute-based-access-controls) allow restrictions based on tags or attributes linked to secrets. These can be integrated with SAML assertions and other security frameworks for dynamic access management.
+
+### 6.4 User Groups
+
+- **Application**: Organizations should use users groups in situations when they have a lot of developers with the same level of access (e.g., separated by team, department, seniority, etc.).
+- **Synchronization**: [User groups](/documentation/platform/groups) can be synced with an identity provider to maintain consistency and reduce manual management.
+
+### **Implementation Note**
+
+For larger-scale organizations, automating configurations through **Terraform** or other infrastructure-as-code (IaC) tools is advisable. Manual configurations may lead to errors, so leveraging IaC enhances reliability and consistency in managing Infisical's robust capabilities.
+
+This structured approach ensures that Infisical's functionalities are fully leveraged, providing both flexibility and rigorous control over an organization's sensitive information and access needs.

docs/documentation/platform/access-controls/attribute-based-access-controls.mdx

@@ -0,0 +1,65 @@
+---
+title: "Attribute-based Access Controls"
+description: "Learn how to use ABAC to manage permissions based on identity attributes."
+---
+
+Infisical's Attribute-based Access Controls (ABAC) allow for dynamic, attribute-driven permissions for both user and machine identities. 
+ABAC policies use metadata attributes—stored as key-value pairs on identities—to enforce fine-grained permissions that are context aware.
+
+In ABAC, access controls are defined using metadata attributes, such as location or department, which can be set directly on user or machine identities. 
+During policy execution, these attributes are evaluated, and determine whether said actor can access the requested resource or perform the requested operation.
+
+## Project-level Permissions
+
+Attribute-based access controls are currently available for polices defined on projects. You can set ABAC permissions to control access to environments, folders, secrets, and secret tags.
+
+### Setting Metadata on Identities
+
+<Tabs>
+  <Tab title="Manually Configure Metadata">
+    <Steps>
+        <Step title="Navigate to the Access Control page on the organization sidebar and select an identity (user or machine).">
+            <img src="/images/platform/access-controls/add-metadata-step1.png" />
+        </Step>
+        <Step title="On the Identity Page, click the pencil icon to edit the selected identity.">
+            <img src="/images/platform/access-controls/add-metadata-step2.png" />
+        </Step>
+        <Step title="Add metadata via key-value pairs and update the identity.">
+            <img src="/images/platform/access-controls/add-metadata-step3.png" />
+        </Step>
+    </Steps>
+  </Tab>
+  <Tab title="Automatically Populate Metadata">
+    For organizations using SAML for login, Infisical automatically maps metadata attributes from SAML assertions to user identities.
+    This makes it easy to create policies that dynamically adapt based on the SAML user’s attributes.
+  </Tab>
+</Tabs>
+
+
+## Defining ABAC Policies
+
+<img src="/images/platform/access-controls/example-abac-1.png" />
+
+ABAC policies make use of identity metadata to define dynamic permissions. Each attribute must start and end with double curly-brackets `{{ <attribute-name> }}`.
+The following attributes are available within project permissions:
+
+- **User ID**: `{{ identity.id }}`
+- **Username**: `{{ identity.username }}`
+- **Metadata Attributes**: `{{ identity.metadata.<metadata-key-name> }}`
+
+During policy execution, these placeholders are replaced by their actual values prior to evaluation.
+
+### Example Use Case
+
+#### Location-based Access Control
+
+Suppose you want to restrict access to secrets within a specific folder based on a user's geographic region.
+You could assign a `location` attribute to each user (e.g., `identity.metadata.location`).
+You could then structure your folders to align with this attribute and define permissions accordingly.
+
+For example, a policy might restrict access to folders matching the user's location attribute in the following pattern:
+```
+/appA/{{ identity.metadata.location }}
+```
+Using this structure, users can only access folders that correspond to their configured `location` attribute.
+Consequently, if a users attribute changes due to relocation, no policies need to be changed to gain access to the folders associated with their new location.

docs/documentation/platform/access-controls/overview.mdx

@@ -15,6 +15,15 @@ To make sure that users and machine identities are only accessing the resources
   >
     Manage user and machine identitity permissions through predefined roles. 
   </Card>
+
+  <Card 
+    title="Attribute-based Access Control" 
+    href="./attribute-based-access-controls" 
+    icon="address-book" 
+    color="#000000"
+  >
+    Manage user and machine identitity permissions based on their attributes.
+  </Card>
   <Card
     title="Additional Privileges"
     href="./additional-privileges"

docs/documentation/platform/admin-panel/server-admin.mdx

@@ -33,7 +33,7 @@ Signup can be restricted to users matching one or more email domains, such as yo
 
 ### Default Organization
 
-If you're using SAML/LDAP for only one organization on your instance, you can specify a default organization to use at login to skip requiring users to manually enter the organization slug.
+If you're using SAML/LDAP/OIDC for only one organization on your instance, you can specify a default organization to use at login to skip requiring users to manually enter the organization slug.
 
 ### Trust Emails
 

docs/documentation/platform/audit-log-streams/audit-log-streams.mdx

@@ -20,10 +20,10 @@ The logs are formatted in JSON, requiring your logging provider to support JSON-
 <Steps>
     <Step title="Navigate to Organization Settings in your sidebar." />
     <Step title="Select Audit Log Streams Tab.">
-				![stream create](../../images/platform/audit-log-streams/stream-create.png)
+				![stream create](/images/platform/audit-log-streams/stream-create.png)
 		</Step>
 		<Step title="Click on Create">
-		 ![stream create](../../images/platform/audit-log-streams/stream-inputs.png)
+		 ![stream create](/images/platform/audit-log-streams/stream-inputs.png)
 
 		 Provide the following values
 		 <ParamField path="Endpoint URL" type="string" required>
@@ -35,7 +35,7 @@ The logs are formatted in JSON, requiring your logging provider to support JSON-
 		</Step>
 </Steps>
 
-![stream listt](../../images/platform/audit-log-streams/stream-list.png)
+![stream listt](/images/platform/audit-log-streams/stream-list.png)
 Your Audit Logs are now ready to be streamed.
 
 ## Example Providers
@@ -44,11 +44,11 @@ Your Audit Logs are now ready to be streamed.
 
 <Steps>
     <Step title="Select Connect Source">
-				![better stack connect source](../../images/platform/audit-log-streams/betterstack-create-source.png)
+				![better stack connect source](/images/platform/audit-log-streams/betterstack-create-source.png)
 		</Step>
     <Step title="Provide a name and select platform"/>
    <Step title="Provide Audit Log Stream inputs">
-				![better stack connect](../../images/platform/audit-log-streams/betterstack-source-details.png)
+				![better stack connect](/images/platform/audit-log-streams/betterstack-source-details.png)
 
 				1. Copy the **endpoint** from Better Stack to the **Endpoint URL** field.
 				3. Create a new header with key **Authorization** and set the value as **Bearer \<source token from betterstack\>**.
@@ -59,21 +59,21 @@ Your Audit Logs are now ready to be streamed.
 
 <Steps>
     <Step title="Navigate to API Keys section">
-				![api key create](../../images/platform/audit-log-streams/datadog-api-sidebar.png)
+				![api key create](/images/platform/audit-log-streams/datadog-api-sidebar.png)
 		</Step>
     <Step title="Select New Key and provide a key name">
-				![api key form](../../images/platform/audit-log-streams/data-create-api-key.png)
-				![api key form](../../images/platform/audit-log-streams/data-dog-api-key.png)
+				![api key form](/images/platform/audit-log-streams/data-create-api-key.png)
+				![api key form](/images/platform/audit-log-streams/data-dog-api-key.png)
 		</Step>
    <Step title="Find your Datadog region specific logging endpoint.">
-				![datadog url](../../images/platform/audit-log-streams/datadog-logging-endpoint.png)
+				![datadog url](/images/platform/audit-log-streams/datadog-logging-endpoint.png)
 
 				1. Navigate to the [Datadog Send Logs API documentation](https://docs.datadoghq.com/api/latest/logs/?code-lang=curl&site=us5#send-logs).
 				2. Pick your Datadog account region.
 				3. Obtain your Datadog logging endpoint URL.
 	 </Step>
    <Step title="Provide audit log stream inputs">
-				![datadog api key details](../../images/platform/audit-log-streams/datadog-source-details.png)
+				![datadog api key details](/images/platform/audit-log-streams/datadog-source-details.png)
 
 				1. Copy the **logging endpoint** from Datadog to the **Endpoint URL** field.
 				2. Copy the **API Key** from previous step

docs/documentation/platform/dynamic-secrets/sap-hana.mdx

@@ -0,0 +1,121 @@
+---
+title: "SAP HANA"
+description: "Learn how to dynamically generate SAP HANA database account credentials."
+---
+
+The Infisical SAP HANA dynamic secret allows you to generate SAP HANA database credentials on demand.
+
+## Prerequisite
+
+- Infisical requires a SAP HANA database user in your instance with the necessary permissions. This user will facilitate the creation of new accounts as needed.
+  Ensure the user possesses privileges for creating, dropping, and granting permissions to roles for it to be able to create dynamic secrets.
+
+- The SAP HANA instance should be reachable by Infisical.
+
+## Set up Dynamic Secrets with SAP HANA
+
+<Steps>
+  <Step title="Open Secret Overview Dashboard">
+	Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
+  </Step>
+  <Step title="Click on the 'Add Dynamic Secret' button">
+	![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png)
+  </Step>
+  <Step title="Select SAP HANA">
+	![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/dynamic-secret-modal-sap-hana.png)
+  </Step>
+  <Step title="Provide the inputs for dynamic secret parameters">
+	<ParamField path="Secret Name" type="string" required>
+		Name by which you want the secret to be referenced
+	</ParamField>
+
+    <ParamField path="Default TTL" type="string" required>
+    	Default time-to-live for a generated secret (it is possible to modify this value when a secret is generate)
+    </ParamField>
+
+    <ParamField path="Max TTL" type="string" required>
+    	Maximum time-to-live for a generated secret
+    </ParamField>
+
+    <ParamField path="Host" type="string" required>
+    	SAP HANA Host
+
+  </ParamField>
+
+    <ParamField path="Port" type="number" required>
+    	SAP HANA Port
+    </ParamField>
+
+    <ParamField path="User" type="string" required>
+    	Username that will be used to create dynamic secrets
+    </ParamField>
+
+    <ParamField path="Password" type="string" required>
+    	Password that will be used to create dynamic secrets
+    </ParamField>
+
+    <ParamField path="CA(SSL)" type="string">
+    	A CA may be required for SSL if you are self-hosting SAP HANA
+
+  </ParamField>
+
+    ![Dynamic Secret Setup Modal](../../../images/platform/dynamic-secrets/dynamic-secret-setup-modal-sap-hana.png)
+
+  </Step>
+  <Step title="(Optional) Modify SQL Statements">
+  	If you want to provide specific privileges for the generated dynamic credentials, you can modify the SQL statement to your needs.
+    ![Modify SQL Statements Modal](../../../images/platform/dynamic-secrets/modify-sap-hana-sql-statements.png)
+
+    <Warning>
+      Due to SAP HANA limitations, the attached SQL statements are not executed as a transaction.
+    </Warning>
+
+  </Step>
+  <Step title="Click 'Submit'">
+  	After submitting the form, you will see a dynamic secret created in the dashboard.
+
+    <Note>
+    	If this step fails, you may have to add the CA certficate.
+    </Note>
+
+  </Step>
+  <Step title="Generate dynamic secrets">
+	Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials. 
+	To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item. 
+	Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
+
+    ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate.png)
+    ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty.png)
+
+    When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
+
+    ![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
+
+    <Tip>
+    	Ensure that the TTL for the lease fall within the maximum TTL defined when configuring the dynamic secret in step 4.
+    </Tip>
+
+
+    Once you click the `Submit` button, a new secret lease will be generated and the credentials for it will be shown to you.
+
+    ![Provision Lease](/images/platform/dynamic-secrets/lease-values.png)
+
+  </Step>
+</Steps>
+
+## Audit or Revoke Leases
+
+Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard.
+This will allow you see the lease details and delete the lease ahead of its expiration time.
+
+![Provision Lease](/images/platform/dynamic-secrets/lease-data.png)
+
+## Renew Leases
+
+To extend the life of the generated dynamic secret lease past its initial time to live, simply click on the **Renew** as illustrated below.
+![Provision Lease](/images/platform/dynamic-secrets/dynamic-secret-lease-renew.png)
+
+<Warning>
+  Lease renewals cannot exceed the maximum TTL set when configuring the dynamic
+  secret.
+</Warning>

docs/documentation/platform/dynamic-secrets/snowflake.mdx

@@ -0,0 +1,124 @@
+---
+title: "Snowflake"
+description: "Learn how to dynamically generate Snowflake user credentials."
+---
+
+Infisical's Snowflake dynamic secrets allow you to generate Snowflake user credentials on demand.
+
+## Snowflake Prerequisites
+
+<Note>
+    Infisical requires a Snowflake user in your account with the USERADMIN role. This user will act as a service account for Infisical and facilitate the creation of new users as needed.
+</Note>
+
+<Steps>
+    <Step title="Navigate to Snowflake's User Dashboard and press the '+ User' button">
+        ![Snowflake User Dashboard](/images/platform/dynamic-secrets/snowflake/dynamic-secret-snowflake-users-page.png)
+    </Step>
+    <Step title="Create a Snowflake user with the USERADMIN role for Infisical">
+        <Warning>
+                Be sure to uncheck "Force user to change password on first time login"
+        </Warning>
+        ![Snowflake Create Service User](/images/platform/dynamic-secrets/snowflake/dynamic-secret-snowflake-create-service-user.png)
+    </Step>
+    <Step title="Click on the Account Menu in the bottom left and take note of your Account and Organization identifiers">
+        ![Snowflake Account And Organization Identifiers](/images/platform/dynamic-secrets/snowflake/dynamic-secret-snowflake-identifiers.png)
+    </Step>
+</Steps>
+
+## Set up Dynamic Secrets with Snowflake
+
+<Steps>
+    <Step title="Open the Secret Overview Dashboard">
+        Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
+    </Step>
+    <Step title="Click on the 'Add Dynamic Secret' button">
+        ![Add Dynamic Secret Button](/images/platform/dynamic-secrets/add-dynamic-secret-button.png)
+    </Step>
+    <Step title="Select the Snowflake option in the grid list">
+        ![Dynamic Secret Modal](/images/platform/dynamic-secrets/snowflake/dynamic-secret-snowflake-modal.png)
+    </Step>
+    <Step title="Provide the required parameters for the Snowflake dynamic secret">
+        <ParamField path="Secret Name" type="string" required>
+            The name you want to reference this secret by
+        </ParamField>
+
+        <ParamField path="Default TTL" type="string" required>
+            Default time-to-live for a generated secret (it is possible to modify this value when generating a secret)
+        </ParamField>
+
+        <ParamField path="Max TTL" type="string" required>
+            Maximum time-to-live for a generated secret
+        </ParamField>
+
+        <ParamField path="Account Identifier" type="string" required>
+            Snowflake account identifier
+        </ParamField>
+
+        <ParamField path="Organization Identifier" type="string" required>
+            Snowflake organization identifier
+        </ParamField>
+
+        <ParamField path="User" type="string" required>
+            Username of the Infisical Service User
+        </ParamField>
+
+        <ParamField path="Password" type="string" required>
+            Password of the Infisical Service User
+        </ParamField>
+
+        ![Dynamic Secret Setup Modal](/images/platform/dynamic-secrets/snowflake/dynamic-secret-snowflake-setup-modal.png)
+
+    </Step>
+    <Step title="(Optional) Modify SQL Statements">
+        If you want to provide specific privileges for the generated dynamic credentials, you can modify the SQL
+        statement to your needs.
+        ![Modify SQL Statements Modal](/images/platform/dynamic-secrets/snowflake/dynamic-secret-snowflake-sql-statements.png)
+    </Step>
+    <Step title="Click 'Submit'">
+        After submitting the form, you will see a dynamic secret created in the dashboard.
+    </Step>
+    <Step title="Generate dynamic secrets">
+        Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials.
+        To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item.
+        Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret
+        lease list section.
+
+        ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate.png)
+        ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty.png)
+
+        When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how
+        long the credentials are valid for.
+
+        ![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
+
+        <Tip>
+            Ensure that the TTL for the lease fall within the maximum TTL defined when configuring the dynamic secret in
+            step 4.
+        </Tip>
+
+
+        Once you click the `Submit` button, a new secret lease will be generated and the credentials for it will be
+        shown to you.
+
+        ![Provision Lease](/images/platform/dynamic-secrets/lease-values.png)
+
+    </Step>
+</Steps>
+
+## Audit or Revoke Leases
+
+Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard.
+This will allow you see the lease details and delete the lease ahead of its expiration time.
+
+![Provision Lease](/images/platform/dynamic-secrets/lease-data.png)
+
+## Renew Leases
+
+To extend the life of the generated dynamic secret lease past its initial time to live, simply click on the **Renew** button as illustrated below.
+![Provision Lease](/images/platform/dynamic-secrets/dynamic-secret-lease-renew.png)
+
+<Warning>
+    Lease renewals cannot exceed the maximum TTL set when configuring the dynamic
+    secret.
+</Warning>

docs/documentation/platform/identities/machine-identities.mdx

@@ -20,7 +20,7 @@ Key Features:
 
 A typical workflow for using identities consists of four steps:
 
-1. Creating the identity with a name and [role](/documentation/platform/role-based-access-controls) in Organization Access Control > Machine Identities.
+1. Creating the identity with a name and [role](/documentation/platform/access-controls/role-based-access-controls) in Organization Access Control > Machine Identities.
    This step also involves configuring an authentication method for it.
 2. Adding the identity to the project(s) you want it to have access to.
 3. Authenticating the identity with the Infisical API based on the configured authentication method on it and receiving a short-lived access token back.

docs/documentation/platform/identities/overview.mdx

@@ -4,7 +4,7 @@ sidebarTitle: "Overview"
 description: "Learn more about identities to interact with resources in Infisical."
 ---
 
-To interact with secrets and resource with Infisical, it is important to undrestand the concept of identities. 
+To interact with secrets and resource with Infisical, it is important to understand the concept of identities. 
 Identities can be of two types: 
 - **People** (e.g., developers, platform engineers, administrators)
 - **Machines** (e.g., machine entities for managing secrets in CI/CD pipelines, production applications, and more)

docs/documentation/platform/kms/kubernetes-encryption.mdx

@@ -0,0 +1,5 @@
+---
+title: "Kubernetes Encryption with KMS"
+sidebarTitle: "Kubernetes Encryption"
+url: "https://github.com/Infisical/k8-kms-plugin"
+---

docs/documentation/platform/kms/overview.mdx

@@ -1,6 +1,6 @@
 ---
 title: "Key Management Service (KMS)"
-sidebarTitle: "Key Management (KMS)"
+sidebarTitle: "Overview"
 description: "Learn how to manage and use cryptographic keys with Infisical."
 ---
 

docs/documentation/platform/secret-rotation/mssql.mdx

@@ -0,0 +1,139 @@
+---
+title: "Microsoft SQL Server"
+description: "Learn how to automatically rotate Microsoft SQL Server user passwords."
+---
+
+The Infisical SQL Server secret rotation allows you to automatically rotate your database users' passwords at a predefined interval.
+
+## Prerequisites
+
+1. Create two SQL Server logins and database users with the required permissions. We'll refer to them as `user-a` and `user-b`.
+2. Create another SQL Server login with permissions to alter logins for `user-a` and `user-b`. We'll refer to this as the `admin` login.
+
+Here's how to set up the prerequisites:
+
+```sql
+-- Create the logins (at server level)
+CREATE LOGIN [user-a] WITH PASSWORD = 'ComplexPassword1';
+CREATE LOGIN [user-b] WITH PASSWORD = 'ComplexPassword2';
+
+-- Create database users for the logins (in your specific database)
+USE [YourDatabase];
+CREATE USER [user-a] FOR LOGIN [user-a];
+CREATE USER [user-b] FOR LOGIN [user-b];
+
+-- Grant necessary permissions to the users
+GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [user-a];
+GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [user-b];
+
+-- Create admin login with permission to alter other logins
+CREATE LOGIN [admin] WITH PASSWORD = 'AdminComplexPassword';
+CREATE USER [admin] FOR LOGIN [admin];
+
+-- Grant permission to alter any login
+GRANT ALTER ANY LOGIN TO [admin];
+```
+
+To learn more about SQL Server's permission system, please visit this [documentation](https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/getting-started-with-database-engine-permissions).
+
+## How it works
+
+1. Infisical connects to your database using the provided `admin` login credentials.
+2. A random value is generated and the password for `user-a` is updated with the new value.
+3. The new password is then tested by logging into the database.
+4. If test is successful, it's saved to the output secret mappings so that rest of the system gets the newly rotated value(s).
+5. The process is then repeated for `user-b` on the next rotation.
+6. The cycle repeats until secret rotation is deleted/stopped.
+
+## Rotation Configuration
+
+<Steps>
+  <Step title="Open Secret Rotation Page">
+	Head over to Secret Rotation configuration page of your project by clicking on `Secret Rotation` in the left side bar 
+  </Step>
+  <Step title="Click on Microsoft SQL Server card" />
+  <Step title="Provide the inputs">
+	<ParamField path="Admin Username" type="string" required>
+		SQL Server admin username
+	</ParamField>
+
+    <ParamField path="Admin password" type="string" required>
+    	SQL Server admin password
+    </ParamField>
+
+    <ParamField path="Host" type="string" required>
+    	SQL Server host url (e.g., your-server.database.windows.net)
+    </ParamField>
+
+    <ParamField path="Port" type="number" required>
+    	Database port number (default: 1433)
+    </ParamField>
+
+    <ParamField path="Database" type="string" required>
+    	Database name (default: master)
+    </ParamField>
+
+    <ParamField path="Username1" type="string" required>
+    	The first login name to rotate - `user-a`
+    </ParamField>
+
+    <ParamField path="Username2" type="string" required>
+    	The second login name to rotate - `user-b`
+    </ParamField>
+
+    <ParamField path="CA" type="string">
+    	Optional database certificate to connect with database
+    </ParamField>
+
+  </Step>
+  <Step title="Configure the output secret mapping">
+  	When a secret rotation is successful, the updated values needs to be saved to an existing key(s) in your project.
+
+    <ParamField path="Environment" type="string" required>
+    	The environment where the rotated credentials should be mapped to.
+    </ParamField>
+
+    <ParamField path="Secret Path" type="string" required>
+    	The secret path where the rotated credentials should be mapped to.
+    </ParamField>
+
+    <ParamField path="Interval" type="number" required>
+    	What interval should the credentials be rotated in days.
+    </ParamField>
+
+    <ParamField path="DB USERNAME" type="string" required>
+    	Select an existing secret key where the rotated database username value should be saved to.
+    </ParamField>
+
+    <ParamField path="DB PASSWORD" type="string" required>
+    	Select an existing select key where the rotated database password value should be saved to.
+    </ParamField>
+
+  </Step>
+</Steps>
+
+## FAQ
+
+<AccordionGroup>
+ <Accordion title="Why can't we delete the other user when rotating?">
+ 	When a system has multiple nodes by horizontal scaling, redeployment doesn't happen instantly.
+
+    This means that when the secrets are rotated, and the redeployment is triggered, the existing system will still be using the old credentials until the change rolls out.
+
+    To avoid causing failure for them, the old credentials are not removed. Instead, in the next rotation, the previous user's credentials are updated.
+
+ </Accordion>
+ <Accordion title="Why do you need an admin account?">
+    The admin account is used by Infisical to update the credentials for `user-a` and `user-b`.
+
+    You don't need to grant all permissions for your admin account but rather just the permission to alter logins (ALTER ANY LOGIN).
+
+ </Accordion>
+ <Accordion title="How does this work with Azure SQL Database?">
+   When using Azure SQL Database, you'll need to:
+   
+   1. Use the full server name as your host (e.g., your-server.database.windows.net)
+   2. Ensure your admin account is either the Azure SQL Server admin or an Azure AD account with appropriate permissions
+   3. Configure your Azure SQL Server firewall rules to allow connections from Infisical's IP addresses
+ </Accordion>
+</AccordionGroup>

docs/documentation/platform/sso/auth0-oidc.mdx

@@ -69,11 +69,18 @@ description: "Learn how to configure Auth0 OIDC for Infisical SSO."
    </Step>
 </Steps>
 
+<Tip>
+    If you are only using one organization on your Infisical instance, you can configure a default organization in the [Server Admin Console](../admin-panel/server-admin#default-organization) to expedite OIDC login.
+</Tip>
+
 <Note>
   If you're configuring OIDC SSO on a self-hosted instance of Infisical, make
   sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
-  work: - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
+  work:
+    <div class="height:1px;"/>
+    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
   can be a random 32-byte base64 string generated with `openssl rand -base64
-  32`. - `SITE_URL`: The URL of your self-hosted instance of Infisical - should
-  be an absolute URL including the protocol (e.g. https://app.infisical.com)
+  32`.
+    <div class="height:1px;"/>
+    - `SITE_URL`: The absolute URL of your self-hosted instance of Infisical including the protocol (e.g. https://app.infisical.com)
 </Note>

docs/documentation/platform/sso/azure.mdx

@@ -109,12 +109,20 @@ description: "Learn how to configure Microsoft Entra ID for Infisical SSO."
    </Step>
 </Steps>
 
+<Tip>
+    If you are only using one organization on your Infisical instance, you can configure a default organization in the [Server Admin Console](../admin-panel/server-admin#default-organization) to expedite SAML login.
+</Tip>
+
 <Note>
-   If you're configuring SAML SSO on a self-hosted instance of Infisical, make sure to
-   set the `AUTH_SECRET` and `SITE_URL` environment variable for it to work:
-   
-   - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
-   - `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
+    If you're configuring SAML SSO on a self-hosted instance of Infisical, make
+    sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
+    work:
+    <div class="height:1px;"/>
+    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
+    can be a random 32-byte base64 string generated with `openssl rand -base64
+    32`.
+    <div class="height:1px;"/>
+    - `SITE_URL`: The absolute URL of your self-hosted instance of Infisical including the protocol (e.g. https://app.infisical.com)
 </Note>
 
 <Note>

docs/documentation/platform/sso/general-oidc.mdx

@@ -20,11 +20,11 @@ Prerequisites:
 <Steps>
    <Step title="Setup Identity Provider">
       1.1. Register your application with the IdP to obtain a **Client ID** and **Client Secret**. These credentials are used by Infisical to authenticate with your IdP.
-      
+
       1.2. Configure **Redirect URL** to be `https://app.infisical.com/api/v1/sso/oidc/callback`. If you're self-hosting Infisical, replace the domain with your own.
-      
+
       1.3. Configure the scopes needed by Infisical (email, profile, openid) and ensure that they are mapped to the ID token claims.
-      
+
       1.4. Access the IdP’s OIDC discovery document (usually located at `https://<idp-domain>/.well-known/openid-configuration`). This document contains important endpoints such as authorization, token, userinfo, and keys.
    </Step>
    <Step title="Finish configuring OIDC in Infisical">
@@ -70,11 +70,19 @@ Prerequisites:
 
   </Steps>
 
+<Tip>
+    If you are only using one organization on your Infisical instance, you can configure a default organization in the [Server Admin Console](../admin-panel/server-admin#default-organization) to expedite OIDC login.
+</Tip>
+
+
 <Note>
   If you're configuring OIDC SSO on a self-hosted instance of Infisical, make
   sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
-  work: - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
+  work:
+    <div class="height:1px;"/>
+    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
   can be a random 32-byte base64 string generated with `openssl rand -base64
-  32`. - `SITE_URL`: The URL of your self-hosted instance of Infisical - should
-  be an absolute URL including the protocol (e.g. https://app.infisical.com)
+  32`.
+    <div class="height:1px;"/>
+    - `SITE_URL`: The absolute URL of your self-hosted instance of Infisical including the protocol (e.g. https://app.infisical.com)
 </Note>

docs/documentation/platform/sso/google-saml.mdx

@@ -85,13 +85,20 @@ description: "Learn how to configure Google SAML for Infisical SSO."
 
 </Steps>
 
+<Tip>
+    If you are only using one organization on your Infisical instance, you can configure a default organization in the [Server Admin Console](../admin-panel/server-admin#default-organization) to expedite SAML login.
+</Tip>
+
 <Note>
-  If you're configuring SAML SSO on a self-hosted instance of Infisical, make
-  sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
-  work: - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
-  can be a random 32-byte base64 string generated with `openssl rand -base64
-  32`. - `SITE_URL`: The URL of your self-hosted instance of Infisical - should
-  be an absolute URL including the protocol (e.g. https://app.infisical.com)
+    If you're configuring SAML SSO on a self-hosted instance of Infisical, make
+    sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
+    work:
+    <div class="height:1px;"/>
+    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
+    can be a random 32-byte base64 string generated with `openssl rand -base64
+    32`.
+    <div class="height:1px;"/>
+    - `SITE_URL`: The absolute URL of your self-hosted instance of Infisical including the protocol (e.g. https://app.infisical.com)
 </Note>
 
 References:

docs/documentation/platform/sso/jumpcloud.mdx

@@ -89,10 +89,18 @@ description: "Learn how to configure JumpCloud SAML for Infisical SSO."
    </Step>
 </Steps>
 
+<Tip>
+    If you are only using one organization on your Infisical instance, you can configure a default organization in the [Server Admin Console](../admin-panel/server-admin#default-organization) to expedite SAML login.
+</Tip>
+
 <Note>
-   If you're configuring SAML SSO on a self-hosted instance of Infisical, make sure to
-   set the `AUTH_SECRET` and `SITE_URL` environment variable for it to work:
-   
-   - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
-   - `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
+    If you're configuring SAML SSO on a self-hosted instance of Infisical, make
+    sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
+    work:
+    <div class="height:1px;"/>
+    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
+    can be a random 32-byte base64 string generated with `openssl rand -base64
+    32`.
+    <div class="height:1px;"/>
+    - `SITE_URL`: The absolute URL of your self-hosted instance of Infisical including the protocol (e.g. https://app.infisical.com)
 </Note>

docs/documentation/platform/sso/keycloak-oidc.mdx

@@ -95,11 +95,18 @@ description: "Learn how to configure Keycloak OIDC for Infisical SSO."
    </Step>
 </Steps>
 
+<Tip>
+    If you are only using one organization on your Infisical instance, you can configure a default organization in the [Server Admin Console](../admin-panel/server-admin#default-organization) to expedite OIDC login.
+</Tip>
+
 <Note>
   If you're configuring OIDC SSO on a self-hosted instance of Infisical, make
   sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
-  work: - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
+  work:
+    <div class="height:1px;"/>
+    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
   can be a random 32-byte base64 string generated with `openssl rand -base64
-  32`. - `SITE_URL`: The URL of your self-hosted instance of Infisical - should
-  be an absolute URL including the protocol (e.g. https://app.infisical.com)
+  32`.
+    <div class="height:1px;"/>
+    - `SITE_URL`: The absolute URL of your self-hosted instance of Infisical including the protocol (e.g. https://app.infisical.com)
 </Note>

docs/documentation/platform/sso/keycloak-saml.mdx

@@ -130,10 +130,18 @@ description: "Learn how to configure Keycloak SAML for Infisical SSO."
    </Step>
 </Steps>
 
+<Tip>
+    If you are only using one organization on your Infisical instance, you can configure a default organization in the [Server Admin Console](../admin-panel/server-admin#default-organization) to expedite SAML login.
+</Tip>
+
 <Note>
-   If you're configuring SAML SSO on a self-hosted instance of Infisical, make sure to
-   set the `AUTH_SECRET` and `SITE_URL` environment variable for it to work:
-   
-   - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This can be a random 32-byte base64 string generated with `openssl rand -base64 32`.
-   - `SITE_URL`: The URL of your self-hosted instance of Infisical - should be an absolute URL including the protocol (e.g. https://app.infisical.com)
+    If you're configuring SAML SSO on a self-hosted instance of Infisical, make
+    sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
+    work:
+    <div class="height:1px;"/>
+    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
+    can be a random 32-byte base64 string generated with `openssl rand -base64
+    32`.
+    <div class="height:1px;"/>
+    - `SITE_URL`: The absolute URL of your self-hosted instance of Infisical including the protocol (e.g. https://app.infisical.com)
 </Note>

docs/documentation/platform/sso/okta.mdx

@@ -98,11 +98,18 @@ description: "Learn how to configure Okta SAML 2.0 for Infisical SSO."
    </Step>
 </Steps>
 
+<Tip>
+    If you are only using one organization on your Infisical instance, you can configure a default organization in the [Server Admin Console](../admin-panel/server-admin#default-organization) to expedite SAML login.
+</Tip>
+
 <Note>
-  If you're configuring SAML SSO on a self-hosted instance of Infisical, make
-  sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
-  work: - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
-  can be a random 32-byte base64 string generated with `openssl rand -base64
-  32`. - `SITE_URL`: The URL of your self-hosted instance of Infisical - should
-  be an absolute URL including the protocol (e.g. https://app.infisical.com)
+    If you're configuring SAML SSO on a self-hosted instance of Infisical, make
+    sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
+    work:
+    <div class="height:1px;"/>
+    - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
+    can be a random 32-byte base64 string generated with `openssl rand -base64
+    32`.
+    <div class="height:1px;"/>
+    - `SITE_URL`: The absolute URL of your self-hosted instance of Infisical including the protocol (e.g. https://app.infisical.com)
 </Note>