From a092c2d46966c50ceaabba905ada422ecd819593 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Thu, 9 Dec 2021 15:10:43 -0500
Subject: [PATCH] Add additional validation to prevent wildcards in resource object IDs
---
.../api/v0/02_additional_validation.pb.go | 47 ++++++++
.../api/v1/00_additional_validation.pb.go | 102 ++++++++++++++++++
2 files changed, 149 insertions(+)
create mode 100644 proto/authzed/api/v0/02_additional_validation.pb.go
create mode 100644 proto/authzed/api/v1/00_additional_validation.pb.go
diff --git a/proto/authzed/api/v0/02_additional_validation.pb.go b/proto/authzed/api/v0/02_additional_validation.pb.go
new file mode 100644
index 0000000..d05104d
--- /dev/null
+++ b/proto/authzed/api/v0/02_additional_validation.pb.go
@@ -0,0 +1,47 @@
+// The contents of this file are hand-written to add AdditionalValidation to select message types
+
+package v0
+
+func (m *CheckRequest) AdditionalValidation() error {
+ if m.GetTestUserset() != nil && m.GetTestUserset().GetObjectId() == "*" {
+ return ObjectAndRelationValidationError{
+ field: "ObjectId",
+ reason: "alphanumeric value is required",
+ }
+ }
+
+ return nil
+}
+
+func (m *ContentChangeCheckRequest) AdditionalValidation() error {
+ if m.GetTestUserset() != nil && m.GetTestUserset().GetObjectId() == "*" {
+ return ObjectAndRelationValidationError{
+ field: "ObjectId",
+ reason: "alphanumeric value is required",
+ }
+ }
+
+ return nil
+}
+
+func (m *ExpandRequest) AdditionalValidation() error {
+ if m.GetUserset() != nil && m.GetUserset().GetObjectId() == "*" {
+ return ObjectAndRelationValidationError{
+ field: "ObjectId",
+ reason: "alphanumeric value is required",
+ }
+ }
+
+ return nil
+}
+
+func (m *LookupRequest) AdditionalValidation() error {
+ if m.GetUser() != nil && m.GetUser().GetObjectId() == "*" {
+ return ObjectAndRelationValidationError{
+ field: "ObjectId",
+ reason: "alphanumeric value is required",
+ }
+ }
+
+ return nil
+}
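Review bot: Nothing in this patch calls `AdditionalValidation()`, so the `"*"` rejection added for `CheckRequest`, `ContentChangeCheckRequest`, `ExpandRequest` and `LookupRequest` only takes effect on code paths that invoke it explicitly; if the generated `Validate()` still accepts `*` for these fields (presumably it does, or this patch would not be needed), a handler that validates with `Validate()` alone keeps accepting the wildcard. Each method should carry a doc comment stating that contract, for example `// AdditionalValidation rejects the wildcard object ID "*"; call it in addition to Validate().` The reason `"alphanumeric value is required"` hides what was refused; `reason: "wildcard object ID \"*\" is not permitted here",` would tell the caller what to fix. In `LookupRequest` the field checked is `GetUser()`, which reads as the subject rather than a resource as the commit title says, so confirm that is intended. The call-site, doc-comment and reason-string points apply equally to the v1 file in this patch.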
diff --git a/proto/authzed/api/v1/00_additional_validation.pb.go b/proto/authzed/api/v1/00_additional_validation.pb.go
new file mode 100644
index 0000000..2001ced
--- /dev/null
+++ b/proto/authzed/api/v1/00_additional_validation.pb.go
@@ -0,0 +1,102 @@
+// The contents of this file are hand-written to add AdditionalValidation to select message types
+
+package v1
+
+func (m *CheckPermissionRequest) AdditionalValidation() error {
+ if m.GetResource() != nil && m.GetResource().GetObjectId() == "*" {
+ return ObjectReferenceValidationError{
+ field: "ObjectId",
+ reason: "alphanumeric value is required",
+ }
+ }
+
+ return nil
+}
+
+func (m *ExpandPermissionTreeRequest) AdditionalValidation() error {
+ if m.GetResource() != nil && m.GetResource().GetObjectId() == "*" {
+ return ObjectReferenceValidationError{
+ field: "ObjectId",
+ reason: "alphanumeric value is required",
+ }
+ }
+
+ return nil
+}
+
+func (m *Precondition) AdditionalValidation() error {
+ if m.GetFilter() != nil {
+ return m.GetFilter().AdditionalValidation()
+ }
+
+ return nil
+}
+
+func (m *RelationshipFilter) AdditionalValidation() error {
+ if m.GetOptionalResourceId() == "*" {
+ return RelationshipFilterValidationError{
+ field: "OptionalResourceId",
+ reason: "alphanumeric value is required",
+ }
+ }
+ return nil
+}
+
+func (m *RelationshipUpdate) AdditionalValidation() error {
+ if m.GetRelationship() != nil {
+ return m.GetRelationship().AdditionalValidation()
+ }
+ return nil
+}
+
+func (m *Relationship) AdditionalValidation() error {
+ if m.GetResource() != nil && m.GetResource().GetObjectId() == "*" {
+ return ObjectReferenceValidationError{
+ field: "ObjectId",
+ reason: "alphanumeric value is required",
+ }
+ }
+
+ return nil
+}
+
+func (m *DeleteRelationshipsRequest) AdditionalValidation() error {
+ if m.GetOptionalPreconditions() != nil {
+ for _, precondition := range m.GetOptionalPreconditions() {
+ err := precondition.AdditionalValidation()
+ if err != nil {
+ return err
+ }
+ }
+ }
+
+ if m.GetRelationshipFilter() != nil {
+ return m.GetRelationshipFilter().AdditionalValidation()
+ }
+
+ return nil
+}
+
+func (m *WriteRelationshipsRequest) AdditionalValidation() error {
+ if m.GetOptionalPreconditions() != nil {
+ for _, precondition := range m.GetOptionalPreconditions() {
+ err := precondition.AdditionalValidation()
+ if err != nil {
+ return err
+ }
+ }
+ }
+
+ if m.GetUpdates() != nil {
+ for _, update := range m.GetUpdates() {
+ if update.GetRelationship() != nil {
+ err := update.GetRelationship().AdditionalValidation()
+ if err != nil {
+ return err
+ }
+ }
+ }
+ }
+
+ return nil
+}
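Review bot: `WriteRelationshipsRequest.AdditionalValidation` re-implements in its `m.GetUpdates()` loop what `RelationshipUpdate.AdditionalValidation`, defined earlier in this file, already does, so a rule added later at update level would be enforced on one path and missed on the other; the loop body can be `if err := update.AdditionalValidation(); err != nil { return err }`. The `!= nil` guards around both `range` loops are redundant, since ranging over a nil slice runs zero iterations. The precondition loop is copied verbatim between `DeleteRelationshipsRequest` and `WriteRelationshipsRequest`; a small unexported helper taking the precondition slice would keep the two in step.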