Merge pull request #4581 from Infisical/ENG-3748

Secret Approval Request: check if user is a reviewer to trigger hasSecretReadValueOrDescribePermission

Author: carlosmonastyrski

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -285,13 +285,10 @@ export const secretApprovalRequestServiceFactory = ({
     ) {
       throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
     }
-    const getHasSecretReadAccess = (
-      shouldCheckSecretPermission: boolean | null | undefined,
-      environment: string,
-      tags: { slug: string }[],
-      secretPath?: string
-    ) => {
-      if (shouldCheckSecretPermission) {
+    const getHasSecretReadAccess = (environment: string, tags: { slug: string }[], secretPath?: string) => {
+      const isReviewer = policy.approvers.some(({ userId }) => userId === actorId);
+
+      if (!isReviewer) {
         const canRead = hasSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
           environment,
           secretPath: secretPath || "/",
@@ -322,18 +319,8 @@ export const secretApprovalRequestServiceFactory = ({
         version: el.version,
         secretMetadata: el.secretMetadata as ResourceMetadataDTO,
         isRotatedSecret: el.secret?.isRotatedSecret ?? false,
-        secretValueHidden: !getHasSecretReadAccess(
-          secretApprovalRequest.policy.shouldCheckSecretPermission,
-          secretApprovalRequest.environment,
-          el.tags,
-          secretPath?.[0]?.path
-        ),
-        secretValue: !getHasSecretReadAccess(
-          secretApprovalRequest.policy.shouldCheckSecretPermission,
-          secretApprovalRequest.environment,
-          el.tags,
-          secretPath?.[0]?.path
-        )
+        secretValueHidden: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path),
+        secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
           ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
           : el.secret && el.secret.isRotatedSecret
             ? undefined
@@ -354,17 +341,11 @@ export const secretApprovalRequestServiceFactory = ({
               id: el.secret.id,
               version: el.secret.version,
               secretValueHidden: !getHasSecretReadAccess(
-                secretApprovalRequest.policy.shouldCheckSecretPermission,
                 secretApprovalRequest.environment,
                 el.tags,
                 secretPath?.[0]?.path
               ),
-              secretValue: !getHasSecretReadAccess(
-                secretApprovalRequest.policy.shouldCheckSecretPermission,
-                secretApprovalRequest.environment,
-                el.tags,
-                secretPath?.[0]?.path
-              )
+              secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
                 ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
                 : el.secret.encryptedValue
                   ? secretManagerDecryptor({ cipherTextBlob: el.secret.encryptedValue }).toString()
@@ -380,17 +361,11 @@ export const secretApprovalRequestServiceFactory = ({
               id: el.secretVersion.id,
               version: el.secretVersion.version,
               secretValueHidden: !getHasSecretReadAccess(
-                secretApprovalRequest.policy.shouldCheckSecretPermission,
                 secretApprovalRequest.environment,
                 el.tags,
                 secretPath?.[0]?.path
               ),
-              secretValue: !getHasSecretReadAccess(
-                secretApprovalRequest.policy.shouldCheckSecretPermission,
-                secretApprovalRequest.environment,
-                el.tags,
-                secretPath?.[0]?.path
-              )
+              secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
                 ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
                 : el.secretVersion.encryptedValue
                   ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedValue }).toString()
@@ -409,12 +384,7 @@ export const secretApprovalRequestServiceFactory = ({
       const encryptedSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
       secrets = encryptedSecrets.map((el) => ({
         ...el,
-        secretValueHidden: !getHasSecretReadAccess(
-          secretApprovalRequest.policy.shouldCheckSecretPermission,
-          secretApprovalRequest.environment,
-          el.tags,
-          secretPath?.[0]?.path
-        ),
+        secretValueHidden: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path),
         ...decryptSecretWithBot(el, botKey),
         secret: el.secret
           ? {