Ensure wildcard subject object IDs are not used with non-empty relations

authzed · Dec 20, 2021 · 6f78067 · 6f78067
1 parent 4126c5f
commit 6f78067
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 0 deletions.
diff --git a/proto/authzed/api/v1/00_handwritten_validation.go b/proto/authzed/api/v1/00_handwritten_validation.go
@@ -9,6 +9,9 @@ func (m *CheckPermissionRequest) HandwrittenValidate() error {
 			reason: "alphanumeric value is required",
 		}
 	}
+	if m.GetSubject() != nil {
+		return m.GetSubject().HandwrittenValidate()
+	}
 
 	return nil
 }
@@ -39,6 +42,19 @@ func (m *RelationshipFilter) HandwrittenValidate() error {
 			reason: "alphanumeric value is required",
 		}
 	}
+	if m.GetOptionalSubjectFilter() != nil {
+		return m.GetOptionalSubjectFilter().HandwrittenValidate()
+	}
+	return nil
+}
+
+func (m *SubjectFilter) HandwrittenValidate() error {
+	if m.GetOptionalSubjectId() == "*" && m.GetOptionalRelation() != nil && m.GetOptionalRelation().GetRelation() != "" {
+		return SubjectFilterValidationError{
+			field:  "OptionalRelation",
+			reason: "optionalrelation must be empty on subject if object ID is a wildcard",
+		}
+	}
 	return nil
 }
 
@@ -49,6 +65,16 @@ func (m *RelationshipUpdate) HandwrittenValidate() error {
 	return nil
 }
 
+func (m *SubjectReference) HandwrittenValidate() error {
+	if m.GetObject() != nil && m.GetObject().GetObjectId() == "*" && m.GetOptionalRelation() != "" {
+		return SubjectReferenceValidationError{
+			field:  "OptionalRelation",
+			reason: "optionalrelation must be empty on subject if object ID is a wildcard",
+		}
+	}
+	return nil
+}
+
 func (m *Relationship) HandwrittenValidate() error {
 	if m.GetResource() != nil && m.GetResource().GetObjectId() == "*" {
 		return ObjectReferenceValidationError{
@@ -57,6 +83,10 @@ func (m *Relationship) HandwrittenValidate() error {
 		}
 	}
 
+	if m.GetSubject() != nil {
+		return m.GetSubject().HandwrittenValidate()
+	}
+
 	return nil
 }
 

diff --git a/proto/authzed/api/validation_test/tuples_test.go b/proto/authzed/api/validation_test/tuples_test.go
@@ -389,3 +389,26 @@ func TestV1CoreObjectValidity(t *testing.T) {
 		}
 	}
 }
+
+func TestWildcardSubjectRelation(t *testing.T) {
+	subjObjRef := &v1.ObjectReference{
+		ObjectType: "somenamespace",
+		ObjectId:   "*",
+	}
+	subRef := &v1.SubjectReference{
+		Object:           subjObjRef,
+		OptionalRelation: "somerelation",
+	}
+	require.Error(t, subRef.HandwrittenValidate())
+}
+
+func TestWildcardSubjectRelationEmpty(t *testing.T) {
+	subjObjRef := &v1.ObjectReference{
+		ObjectType: "somenamespace",
+		ObjectId:   "*",
+	}
+	subRef := &v1.SubjectReference{
+		Object: subjObjRef,
+	}
+	require.NoError(t, subRef.HandwrittenValidate())
+}