Skip to content

Commit 0aa62e6

Browse files
barakmichbarakmich
committed
fix: add wildcard invariant checks for subrelations (they must be ellipsis)
1 parent 28af5c9 commit 0aa62e6

File tree

1 file changed

+18
-2
lines changed

1 file changed

+18
-2
lines changed

pkg/query/datastore.go

Lines changed: 18 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -74,11 +74,19 @@ func (r *DatastoreIterator) checkNormalImpl(ctx *Context, resources []Object, su
7474
}
7575

7676
func (r *DatastoreIterator) checkWildcardImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error) {
77+
// Invariant: wildcard subjects in the datastore are always stored with the ellipsis
78+
// relation. The "*" is only ever an ObjectID; "type:*#relation" is syntactically
79+
// invalid and cannot be written. Any caller passing a non-ellipsis relation here
80+
// would cause us to query with the wrong relation filter and return a false negative.
81+
if subject.Relation != tuple.Ellipsis {
82+
return nil, spiceerrors.MustBugf("checkWildcardImpl called with non-ellipsis subject relation %q for subject %s:%s; wildcard subjects are always stored with ellipsis relation", subject.Relation, subject.ObjectType, subject.ObjectID)
83+
}
84+
7785
// Query the datastore for wildcard relationships (subject ObjectID = "*")
7886
wildcardSubject := ObjectAndRelation{
7987
ObjectType: subject.ObjectType,
8088
ObjectID: WildcardObjectID,
81-
Relation: subject.Relation,
89+
Relation: tuple.Ellipsis,
8290
}
8391

8492
resourceType := ObjectType{Type: r.base.DefinitionName()}
@@ -392,10 +400,18 @@ func (r *DatastoreIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRel
392400
}
393401

394402
func (r *DatastoreIterator) iterResourcesWildcardImpl(ctx *Context, subject ObjectAndRelation) (PathSeq, error) {
403+
// Invariant: wildcard subjects in the datastore are always stored with the ellipsis
404+
// relation. The "*" is only ever an ObjectID; "type:*#relation" is syntactically
405+
// invalid and cannot be written. Any caller passing a non-ellipsis relation here
406+
// would cause us to query with the wrong relation filter and return a false negative.
407+
if subject.Relation != tuple.Ellipsis {
408+
return nil, spiceerrors.MustBugf("iterResourcesWildcardImpl called with non-ellipsis subject relation %q for subject %s:%s; wildcard subjects are always stored with ellipsis relation", subject.Relation, subject.ObjectType, subject.ObjectID)
409+
}
410+
395411
wildcardSubject := ObjectAndRelation{
396412
ObjectType: subject.ObjectType,
397413
ObjectID: WildcardObjectID,
398-
Relation: subject.Relation,
414+
Relation: tuple.Ellipsis,
399415
}
400416

401417
if ctx.PaginationLimit == nil {

0 commit comments

Comments
 (0)