Merge pull request #47 from josephschorr/wildcard-relation

Ensure wildcard subject object IDs are not used with non-empty relations
authzed · Dec 20, 2021 · a36f722 · a36f722
2 parents 4126c5f + 3dedc2a
commit a36f722
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 12 deletions.
diff --git a/proto/authzed/api/v1/00_handwritten_validation.go b/proto/authzed/api/v1/00_handwritten_validation.go
@@ -3,17 +3,25 @@
 package v1
 
 func (m *CheckPermissionRequest) HandwrittenValidate() error {
+	if m == nil {
+		return nil
+	}
+
 	if m.GetResource() != nil && m.GetResource().GetObjectId() == "*" {
 		return ObjectReferenceValidationError{
 			field:  "ObjectId",
 			reason: "alphanumeric value is required",
 		}
 	}
 
-	return nil
+	return m.GetSubject().HandwrittenValidate()
 }
 
 func (m *ExpandPermissionTreeRequest) HandwrittenValidate() error {
+	if m == nil {
+		return nil
+	}
+
 	if m.GetResource() != nil && m.GetResource().GetObjectId() == "*" {
 		return ObjectReferenceValidationError{
 			field:  "ObjectId",
@@ -25,42 +33,76 @@ func (m *ExpandPermissionTreeRequest) HandwrittenValidate() error {
 }
 
 func (m *Precondition) HandwrittenValidate() error {
-	if m.GetFilter() != nil {
-		return m.GetFilter().HandwrittenValidate()
+	if m == nil {
+		return nil
 	}
 
-	return nil
+	return m.GetFilter().HandwrittenValidate()
 }
 
 func (m *RelationshipFilter) HandwrittenValidate() error {
+	if m == nil {
+		return nil
+	}
+
 	if m.GetOptionalResourceId() == "*" {
 		return RelationshipFilterValidationError{
 			field:  "OptionalResourceId",
 			reason: "alphanumeric value is required",
 		}
 	}
+
+	return m.GetOptionalSubjectFilter().HandwrittenValidate()
+}
+
+func (m *SubjectFilter) HandwrittenValidate() error {
+	if m == nil {
+		return nil
+	}
+
+	if m.GetOptionalSubjectId() == "*" && m.GetOptionalRelation() != nil && m.GetOptionalRelation().GetRelation() != "" {
+		return SubjectFilterValidationError{
+			field:  "OptionalRelation",
+			reason: "optionalrelation must be empty on subject if object ID is a wildcard",
+		}
+	}
 	return nil
 }
 
 func (m *RelationshipUpdate) HandwrittenValidate() error {
-	if m.GetRelationship() != nil {
-		return m.GetRelationship().HandwrittenValidate()
+	return m.GetRelationship().HandwrittenValidate()
+}
+
+func (m *SubjectReference) HandwrittenValidate() error {
+	if m.GetObject() != nil && m.GetObject().GetObjectId() == "*" && m.GetOptionalRelation() != "" {
+		return SubjectReferenceValidationError{
+			field:  "OptionalRelation",
+			reason: "optionalrelation must be empty on subject if object ID is a wildcard",
+		}
 	}
 	return nil
 }
 
 func (m *Relationship) HandwrittenValidate() error {
+	if m == nil {
+		return nil
+	}
+
 	if m.GetResource() != nil && m.GetResource().GetObjectId() == "*" {
 		return ObjectReferenceValidationError{
 			field:  "ObjectId",
 			reason: "alphanumeric value is required",
 		}
 	}
 
-	return nil
+	return m.GetSubject().HandwrittenValidate()
 }
 
 func (m *DeleteRelationshipsRequest) HandwrittenValidate() error {
+	if m == nil {
+		return nil
+	}
+
 	if m.GetOptionalPreconditions() != nil {
 		for _, precondition := range m.GetOptionalPreconditions() {
 			err := precondition.HandwrittenValidate()
@@ -70,14 +112,14 @@ func (m *DeleteRelationshipsRequest) HandwrittenValidate() error {
 		}
 	}
 
-	if m.GetRelationshipFilter() != nil {
-		return m.GetRelationshipFilter().HandwrittenValidate()
-	}
-
-	return nil
+	return m.GetRelationshipFilter().HandwrittenValidate()
 }
 
 func (m *WriteRelationshipsRequest) HandwrittenValidate() error {
+	if m == nil {
+		return nil
+	}
+
 	if m.GetOptionalPreconditions() != nil {
 		for _, precondition := range m.GetOptionalPreconditions() {
 			err := precondition.HandwrittenValidate()

diff --git a/proto/authzed/api/validation_test/tuples_test.go b/proto/authzed/api/validation_test/tuples_test.go
@@ -389,3 +389,26 @@ func TestV1CoreObjectValidity(t *testing.T) {
 		}
 	}
 }
+
+func TestWildcardSubjectRelation(t *testing.T) {
+	subjObjRef := &v1.ObjectReference{
+		ObjectType: "somenamespace",
+		ObjectId:   "*",
+	}
+	subRef := &v1.SubjectReference{
+		Object:           subjObjRef,
+		OptionalRelation: "somerelation",
+	}
+	require.Error(t, subRef.HandwrittenValidate())
+}
+
+func TestWildcardSubjectRelationEmpty(t *testing.T) {
+	subjObjRef := &v1.ObjectReference{
+		ObjectType: "somenamespace",
+		ObjectId:   "*",
+	}
+	subRef := &v1.SubjectReference{
+		Object: subjObjRef,
+	}
+	require.NoError(t, subRef.HandwrittenValidate())
+}