From f5daf687d781a4821aeed3e386b86aafec049845 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Thu, 9 Dec 2021 15:10:43 -0500
Subject: [PATCH] Add additional validation to prevent wildcards in resource object IDs
---
...on.pb.fix.go => 00_legacy_registration.go} | 0
...s.pb.fix.go => 01_workaround_num_items.go} | 0
.../api/v0/02_handwritten_validation.go | 47 ++++++++
.../api/v1/00_handwritten_validation.go | 102 ++++++++++++++++++
4 files changed, 149 insertions(+)
rename proto/authzed/api/v0/{00_legacy_registration.pb.fix.go => 00_legacy_registration.go} (100%)
rename proto/authzed/api/v0/{01_workaround_num_items.pb.fix.go => 01_workaround_num_items.go} (100%)
create mode 100644 proto/authzed/api/v0/02_handwritten_validation.go
create mode 100644 proto/authzed/api/v1/00_handwritten_validation.go
diff --git a/proto/authzed/api/v0/00_legacy_registration.pb.fix.go b/proto/authzed/api/v0/00_legacy_registration.go
similarity index 100%
rename from proto/authzed/api/v0/00_legacy_registration.pb.fix.go
rename to proto/authzed/api/v0/00_legacy_registration.go
diff --git a/proto/authzed/api/v0/01_workaround_num_items.pb.fix.go b/proto/authzed/api/v0/01_workaround_num_items.go
similarity index 100%
rename from proto/authzed/api/v0/01_workaround_num_items.pb.fix.go
rename to proto/authzed/api/v0/01_workaround_num_items.go
diff --git a/proto/authzed/api/v0/02_handwritten_validation.go b/proto/authzed/api/v0/02_handwritten_validation.go
new file mode 100644
index 0000000..dc35bbd
--- /dev/null
+++ b/proto/authzed/api/v0/02_handwritten_validation.go
@@ -0,0 +1,47 @@
+// The contents of this file are hand-written to add HandwrittenValidation to select message types
+
+package v0
+
+func (m *CheckRequest) HandwrittenValidation() error {
+ if m.GetTestUserset() != nil && m.GetTestUserset().GetObjectId() == "*" {
+ return ObjectAndRelationValidationError{
+ field: "ObjectId",
+ reason: "alphanumeric value is required",
+ }
+ }
+
+ return nil
+}
+
+func (m *ContentChangeCheckRequest) HandwrittenValidation() error {
+ if m.GetTestUserset() != nil && m.GetTestUserset().GetObjectId() == "*" {
+ return ObjectAndRelationValidationError{
+ field: "ObjectId",
+ reason: "alphanumeric value is required",
+ }
+ }
+
+ return nil
+}
+
+func (m *ExpandRequest) HandwrittenValidation() error {
+ if m.GetUserset() != nil && m.GetUserset().GetObjectId() == "*" {
+ return ObjectAndRelationValidationError{
+ field: "ObjectId",
+ reason: "alphanumeric value is required",
+ }
+ }
+
+ return nil
+}
+
+func (m *LookupRequest) HandwrittenValidation() error {
+ if m.GetUser() != nil && m.GetUser().GetObjectId() == "*" {
+ return ObjectAndRelationValidationError{
+ field: "ObjectId",
+ reason: "alphanumeric value is required",
+ }
+ }
+
+ return nil
+}
diff --git a/proto/authzed/api/v1/00_handwritten_validation.go b/proto/authzed/api/v1/00_handwritten_validation.go
new file mode 100644
index 0000000..835adfd
--- /dev/null
+++ b/proto/authzed/api/v1/00_handwritten_validation.go
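Review bot: The four `HandwrittenValidation` methods in this v0 file (and the eight in the v1 file) take effect only where a caller invokes them; nothing visible in this patch connects them to the generated `Validate()`, so any path that calls `Validate()` alone would presumably still accept `*` as an object ID. The file header comment should say so, for example `// HandwrittenValidation is not called by the generated Validate(); request handlers must invoke both.`, once that behaviour is confirmed against the generated code. The reason string `"alphanumeric value is required"` also overstates the check, which rejects only the exact value `*`; something like `reason: "wildcard object ID is not permitted here",` would describe it accurately.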
@@ -0,0 +1,102 @@
+// The contents of this file are hand-written to add HandwrittenValidation to select message types
+
+package v1
+
+func (m *CheckPermissionRequest) HandwrittenValidation() error {
+ if m.GetResource() != nil && m.GetResource().GetObjectId() == "*" {
+ return ObjectReferenceValidationError{
+ field: "ObjectId",
+ reason: "alphanumeric value is required",
+ }
+ }
+
+ return nil
+}
+
+func (m *ExpandPermissionTreeRequest) HandwrittenValidation() error {
+ if m.GetResource() != nil && m.GetResource().GetObjectId() == "*" {
+ return ObjectReferenceValidationError{
+ field: "ObjectId",
+ reason: "alphanumeric value is required",
+ }
+ }
+
+ return nil
+}
+
+func (m *Precondition) HandwrittenValidation() error {
+ if m.GetFilter() != nil {
+ return m.GetFilter().HandwrittenValidation()
+ }
+
+ return nil
+}
+
+func (m *RelationshipFilter) HandwrittenValidation() error {
+ if m.GetOptionalResourceId() == "*" {
+ return RelationshipFilterValidationError{
+ field: "OptionalResourceId",
+ reason: "alphanumeric value is required",
+ }
+ }
+ return nil
+}
+
+func (m *RelationshipUpdate) HandwrittenValidation() error {
+ if m.GetRelationship() != nil {
+ return m.GetRelationship().HandwrittenValidation()
+ }
+ return nil
+}
+
+func (m *Relationship) HandwrittenValidation() error {
+ if m.GetResource() != nil && m.GetResource().GetObjectId() == "*" {
+ return ObjectReferenceValidationError{
+ field: "ObjectId",
+ reason: "alphanumeric value is required",
+ }
+ }
+
+ return nil
+}
+
+func (m *DeleteRelationshipsRequest) HandwrittenValidation() error {
+ if m.GetOptionalPreconditions() != nil {
+ for _, precondition := range m.GetOptionalPreconditions() {
+ err := precondition.HandwrittenValidation()
+ if err != nil {
+ return err
+ }
+ }
+ }
+
+ if m.GetRelationshipFilter() != nil {
+ return m.GetRelationshipFilter().HandwrittenValidation()
+ }
+
+ return nil
+}
+
+func (m *WriteRelationshipsRequest) HandwrittenValidation() error {
+ if m.GetOptionalPreconditions() != nil {
+ for _, precondition := range m.GetOptionalPreconditions() {
+ err := precondition.HandwrittenValidation()
+ if err != nil {
+ return err
+ }
+ }
+ }
+
+ if m.GetUpdates() != nil {
+ for _, update := range m.GetUpdates() {
+ if update.GetRelationship() != nil {
+ err := update.GetRelationship().HandwrittenValidation()
+ if err != nil {
+ return err
+ }
+ }
+ }
+ }
+
+ return nil
+}
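Review bot: In `WriteRelationshipsRequest.HandwrittenValidation` the updates loop calls `update.GetRelationship().HandwrittenValidation()` directly rather than `update.HandwrittenValidation()`, so the `RelationshipUpdate` method defined earlier in this file is bypassed and any check later added to it would not apply to writes. The loop body could be reduced to `if err := update.HandwrittenValidation(); err != nil { return err }`, which already covers the nil-relationship case. The `!= nil` guards wrapping the two `range` loops are also unnecessary, since ranging over a nil slice performs no iterations, and the precondition loop is repeated verbatim in `DeleteRelationshipsRequest`; a small unexported helper would keep the two from drifting apart.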