Address greptile comments

Author: carlosmonastyrski

backend/src/ee/services/permission/project-permission.ts

@@ -307,6 +307,7 @@ export type SecretSyncSubjectFields = {
 };
 
 export type PkiSyncSubjectFields = {
+  subscriberName?: string;
   name: string;
 };
 

backend/src/services/certificate-authority/certificate-authority-service.ts

@@ -332,8 +332,8 @@ export const certificateAuthorityServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionCertificateAuthorityActions.Read,
-      subject(ProjectPermissionSub.CertificateAuthorities, { name: "*" })
+      ProjectPermissionCertificateAuthorityActions.List,
+      ProjectPermissionSub.CertificateAuthorities
     );
 
     if (type === CaType.INTERNAL) {
@@ -724,7 +724,10 @@ export const certificateAuthorityServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionCertificateAuthorityActions.Read,
-      ProjectPermissionSub.CertificateAuthorities
+      subject(ProjectPermissionSub.CertificateAuthorities, {
+        caId: ca.id,
+        name: ca.name
+      })
     );
 
     return ca;

backend/src/services/pki-sync/pki-sync-service.ts

@@ -145,7 +145,10 @@ export const pkiSyncServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionPkiSyncActions.Create,
-      subject(ProjectPermissionSub.PkiSyncs, { name: subscriber ? subscriber.name : name })
+      subject(ProjectPermissionSub.PkiSyncs, {
+        subscriberName: subscriber?.name,
+        name
+      })
     );
 
     // Get the destination app type based on PKI sync destination
@@ -233,9 +236,10 @@ export const pkiSyncServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionPkiSyncActions.Edit,
-      currentSubscriber
-        ? subject(ProjectPermissionSub.PkiSyncs, { name: currentSubscriber.name })
-        : subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+      subject(ProjectPermissionSub.PkiSyncs, {
+        subscriberName: currentSubscriber?.name,
+        name: pkiSync.name
+      })
     );
 
     if (name && name !== pkiSync.name) {
@@ -329,9 +333,10 @@ export const pkiSyncServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionPkiSyncActions.Delete,
-      pkiSyncSubscriber
-        ? subject(ProjectPermissionSub.PkiSyncs, { name: pkiSyncSubscriber.name })
-        : subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+      subject(ProjectPermissionSub.PkiSyncs, {
+        subscriberName: pkiSyncSubscriber?.name,
+        name: pkiSync.name
+      })
     );
 
     return pkiSyncDAL.deleteById(id);
@@ -404,9 +409,10 @@ export const pkiSyncServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionPkiSyncActions.Read,
-      findSubscriber
-        ? subject(ProjectPermissionSub.PkiSyncs, { name: findSubscriber.name })
-        : subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+      subject(ProjectPermissionSub.PkiSyncs, {
+        subscriberName: findSubscriber?.name,
+        name: pkiSync.name
+      })
     );
 
     const result = {
@@ -440,9 +446,10 @@ export const pkiSyncServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionPkiSyncActions.SyncCertificates,
-      syncSubscriber
-        ? subject(ProjectPermissionSub.PkiSyncs, { name: syncSubscriber.name })
-        : subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+      subject(ProjectPermissionSub.PkiSyncs, {
+        subscriberName: syncSubscriber?.name,
+        name: pkiSync.name
+      })
     );
 
     await pkiSyncQueue.queuePkiSyncSyncCertificatesById({ syncId: id });
@@ -481,9 +488,10 @@ export const pkiSyncServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionPkiSyncActions.ImportCertificates,
-      importSubscriber
-        ? subject(ProjectPermissionSub.PkiSyncs, { name: importSubscriber.name })
-        : subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+      subject(ProjectPermissionSub.PkiSyncs, {
+        subscriberName: importSubscriber?.name,
+        name: pkiSync.name
+      })
     );
 
     await pkiSyncQueue.queuePkiSyncImportCertificatesById({ syncId: id });
@@ -514,9 +522,10 @@ export const pkiSyncServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionPkiSyncActions.RemoveCertificates,
-      removeSubscriber
-        ? subject(ProjectPermissionSub.PkiSyncs, { name: removeSubscriber.name })
-        : subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+      subject(ProjectPermissionSub.PkiSyncs, {
+        subscriberName: removeSubscriber?.name,
+        name: pkiSync.name
+      })
     );
 
     await pkiSyncQueue.queuePkiSyncRemoveCertificatesById({ syncId: id });
@@ -554,9 +563,10 @@ export const pkiSyncServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionPkiSyncActions.Edit,
-      pkiSyncSubscriber
-        ? subject(ProjectPermissionSub.PkiSyncs, { name: pkiSyncSubscriber.name })
-        : subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+      subject(ProjectPermissionSub.PkiSyncs, {
+        subscriberName: pkiSyncSubscriber?.name,
+        name: pkiSync.name
+      })
     );
 
     await validateCertificatesProjectOwnership(certificateIds, pkiSync.projectId);
@@ -598,7 +608,9 @@ export const pkiSyncServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionPkiSyncActions.Edit,
-      subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+      subject(ProjectPermissionSub.PkiSyncs, {
+        name: pkiSync.name
+      })
     );
 
     const removedCount = await certificateSyncDAL.removeCertificates(pkiSyncId, certificateIds);
@@ -639,7 +651,9 @@ export const pkiSyncServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionPkiSyncActions.Read,
-      subject(ProjectPermissionSub.PkiSyncs, { name: pkiSync.name })
+      subject(ProjectPermissionSub.PkiSyncs, {
+        name: pkiSync.name
+      })
     );
 
     const result = await certificateSyncDAL.findWithDetails({