From 6f78067e05ec4085570ec72c3072571eb314c106 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Mon, 20 Dec 2021 16:49:05 -0500
Subject: [PATCH] Ensure wildcard subject object IDs are not used with non-empty relations

---
 .../api/v1/00_handwritten_validation.go | 30 +++++++++++++++++++
 .../api/validation_test/tuples_test.go | 23 ++++++++++++++
 2 files changed, 53 insertions(+)

diff --git a/proto/authzed/api/v1/00_handwritten_validation.go b/proto/authzed/api/v1/00_handwritten_validation.go
index 73429fc..211a53b 100644
--- a/proto/authzed/api/v1/00_handwritten_validation.go
+++ b/proto/authzed/api/v1/00_handwritten_validation.go
@@ -9,6 +9,9 @@ func (m *CheckPermissionRequest) HandwrittenValidate() error {
 reason: "alphanumeric value is required",
 }
 }
+ if m.GetSubject() != nil {
+ return m.GetSubject().HandwrittenValidate()
+ }
 return nil
 }
 
@@ -39,6 +42,19 @@ func (m *RelationshipFilter) HandwrittenValidate() error {
 reason: "alphanumeric value is required",
 }
 }
+ if m.GetOptionalSubjectFilter() != nil {
+ return m.GetOptionalSubjectFilter().HandwrittenValidate()
+ }
+ return nil
+}
+
+func (m *SubjectFilter) HandwrittenValidate() error {
+ if m.GetOptionalSubjectId() == "*" && m.GetOptionalRelation() != nil && m.GetOptionalRelation().GetRelation() != "" {
+ return SubjectFilterValidationError{
+ field: "OptionalRelation",
+ reason: "optionalrelation must be empty on subject if object ID is a wildcard",
+ }
+ }
 return nil
 }
 
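Review bot: In `SubjectFilter.HandwrittenValidate`, the condition fetches `m.GetOptionalRelation()` twice; binding it once keeps the nil guard and the value check visibly tied together and is easier to extend: `if rel := m.GetOptionalRelation(); m.GetOptionalSubjectId() == "*" && rel != nil && rel.GetRelation() != "" {`. The method is exported and has no doc comment; I would add `// HandwrittenValidate rejects a wildcard subject ID ("*") combined with a non-empty OptionalRelation.` above it. In `RelationshipFilter.HandwrittenValidate`, the new `return m.GetOptionalSubjectFilter().HandwrittenValidate()` is currently the last check, but as an early return it will silently skip anything appended below it later; consider `if err := ...; err != nil { return err }` so the function stays extensible. `RelationshipFilter.HandwrittenValidate` starts outside the hunk.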
@@ -49,6 +65,16 @@ func (m *RelationshipUpdate) HandwrittenValidate() error {
 return nil
 }
 
+func (m *SubjectReference) HandwrittenValidate() error {
+ if m.GetObject() != nil && m.GetObject().GetObjectId() == "*" && m.GetOptionalRelation() != "" {
+ return SubjectReferenceValidationError{
+ field: "OptionalRelation",
+ reason: "optionalrelation must be empty on subject if object ID is a wildcard",
+ }
+ }
+ return nil
+}
+
 func (m *Relationship) HandwrittenValidate() error {
 if m.GetResource() != nil && m.GetResource().GetObjectId() == "*" {
 return ObjectReferenceValidationError{
@@ -57,6 +83,10 @@ func (m *Relationship) HandwrittenValidate() error {
 }
 }
 
+ if m.GetSubject() != nil {
+ return m.GetSubject().HandwrittenValidate()
+ }
+
 return nil
 }
 
diff --git a/proto/authzed/api/validation_test/tuples_test.go b/proto/authzed/api/validation_test/tuples_test.go
index 5b49dce..295d8bf 100644
--- a/proto/authzed/api/validation_test/tuples_test.go
+++ b/proto/authzed/api/validation_test/tuples_test.go
@@ -389,3 +389,26 @@ func TestV1CoreObjectValidity(t *testing.T) {
 }
 }
 }
+
+func TestWildcardSubjectRelation(t *testing.T) {
+ subjObjRef := &v1.ObjectReference{
+ ObjectType: "somenamespace",
+ ObjectId: "*",
+ }
+ subRef := &v1.SubjectReference{
+ Object: subjObjRef,
+ OptionalRelation: "somerelation",
+ }
+ require.Error(t, subRef.HandwrittenValidate())
+}
+
+func TestWildcardSubjectRelationEmpty(t *testing.T) {
+ subjObjRef := &v1.ObjectReference{
+ ObjectType: "somenamespace",
+ ObjectId: "*",
+ }
+ subRef := &v1.SubjectReference{
+ Object: subjObjRef,
+ }
+ require.NoError(t, subRef.HandwrittenValidate())
+}
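Review bot: `SubjectReference.HandwrittenValidate` is exported and undocumented; add `// HandwrittenValidate rejects a wildcard object ID ("*") on a subject that also carries an OptionalRelation.` above the func line. The bare `"*"` literal now appears in three visible places in this file (this method, `SubjectFilter.HandwrittenValidate`, and the resource check in `Relationship.HandwrittenValidate`); a package-level `const wildcardObjectID = "*"` would keep the checks from drifting apart. The error text `"optionalrelation must be empty on subject if object ID is a wildcard"` is duplicated verbatim in the SubjectFilter variant and could share the same constant for the same reason.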
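Review bot: With this hunk the wildcard-subject rule is enforced only where a SubjectReference or SubjectFilter is reached from CheckPermissionRequest, RelationshipFilter and Relationship; any other message in this file that embeds one of those types (a lookup request carrying a subject, if one is validated here) would still accept `*` plus a relation unless it delegates the same way, so the remaining HandwrittenValidate methods are worth a pass. `Relationship.HandwrittenValidate` starts outside the hunk; its resource-wildcard check returns first, so a relationship violating both rules reports only the resource error, which is acceptable but worth a line on the new block, e.g. `// Subject rules run after the resource rules; only the first failure is reported.`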
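Review bot: The new tests exercise only `SubjectReference.HandwrittenValidate`; neither `SubjectFilter.HandwrittenValidate` nor the delegation added to CheckPermissionRequest, RelationshipFilter and Relationship has a case, so a dropped delegation would go unnoticed. One line covers the Relationship path with the existing fixture: `require.Error(t, (&v1.Relationship{Subject: subRef}).HandwrittenValidate())`; a parallel SubjectFilter case with `OptionalSubjectId: "*"` and a non-empty relation filter is also needed (the relation-filter type is not visible in this hunk). The two tests duplicate the ObjectReference fixture; a single table-driven test with a `wantErr bool` column would hold all of these cases in one place.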