permission-backend: throw if resourceRef is passed along with a basic permission
Signed-off-by: Vincenzo Scamporlino <vincenzos@spotify.com>
@@ -774,6 +774,35 @@ describe('createRouter', () => {
|
||||
{ id: '123', permission: { attributes: { invalid: 'attribute' } } },
|
||||
],
|
||||
},
|
||||
{
|
||||
items: [
|
||||
{
|
||||
id: '123',
|
||||
// basic permission can't have resourceRef
|
||||
resourceRef: 'resource:1',
|
||||
permission: {
|
||||
type: 'basic',
|
||||
name: 'test.permission',
|
||||
attributes: {},
|
||||
},
|
||||
},
|
||||
],
|
||||
},
|
||||
{
|
||||
items: [
|
||||
{
|
||||
id: '123',
|
||||
// resource ref should be a string
|
||||
resourceRef: ['resource:1'],
|
||||
permission: {
|
||||
type: 'resource',
|
||||
name: 'test.permission',
|
||||
attributes: {},
|
||||
resourceType: 'test-resource-1',
|
||||
},
|
||||
},
|
||||
],
|
||||
},
|
||||
])('returns a 400 error for invalid request %#', async requestBody => {
|
||||
const response = await request(app).post('/authorize').send(requestBody);
|
||||
|
||||
|
||||
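Review bot: The two new request bodies (resourceRef on a basic permission, and a non-string resourceRef) only pin a 400 status, so a 400 raised for an unrelated reason — for example the union branch rejecting `attributes: {}` — would make these cases pass vacuously. Consider asserting that the validation error in the response body mentions `resourceRef` for both cases, so the test fails if the schema starts rejecting the input for a different field. The `it.each` table starts before the hunk and its assertion body continues after `const response = …`, outside the hunk.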
@@ -62,27 +62,33 @@ const attributesSchema: z.ZodSchema<PermissionAttributes> = z.object({
|
||||
.optional(),
|
||||
});
|
||||
|
||||
const permissionSchema = z.union([
|
||||
z.object({
|
||||
type: z.literal('basic'),
|
||||
name: z.string(),
|
||||
attributes: attributesSchema,
|
||||
}),
|
||||
z.object({
|
||||
type: z.literal('resource'),
|
||||
name: z.string(),
|
||||
attributes: attributesSchema,
|
||||
resourceType: z.string(),
|
||||
}),
|
||||
]);
|
||||
const basicPermissionSchema = z.object({
|
||||
type: z.literal('basic'),
|
||||
name: z.string(),
|
||||
attributes: attributesSchema,
|
||||
});
|
||||
|
||||
const resourcePermissionSchema = z.object({
|
||||
type: z.literal('resource'),
|
||||
name: z.string(),
|
||||
attributes: attributesSchema,
|
||||
resourceType: z.string(),
|
||||
});
|
||||
|
||||
const evaluatePermissionRequestSchema: z.ZodSchema<
|
||||
IdentifiedPermissionMessage<EvaluatePermissionRequest>
|
||||
> = z.object({
|
||||
id: z.string(),
|
||||
resourceRef: z.string().optional(),
|
||||
permission: permissionSchema,
|
||||
});
|
||||
> = z.union([
|
||||
z.object({
|
||||
id: z.string(),
|
||||
resourceRef: z.undefined().optional(),
|
||||
permission: basicPermissionSchema,
|
||||
}),
|
||||
z.object({
|
||||
id: z.string(),
|
||||
resourceRef: z.string().optional(),
|
||||
permission: resourcePermissionSchema,
|
||||
}),
|
||||
]);
|
||||
|
||||
const evaluatePermissionRequestBatchSchema: z.ZodSchema<EvaluatePermissionRequestBatch> =
|
||||
z.object({
|
||||
|
||||
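Review bot: The basic branch of the new `evaluatePermissionRequestSchema` union declares `resourceRef: z.undefined().optional()` rather than omitting the key, and that choice deserves a comment because `z.object` strips unknown keys by default, so leaving the key out would silently drop a client-supplied resourceRef instead of rejecting it; suggested comment above that line: `// declared explicitly so a resourceRef sent with a basic permission is rejected rather than stripped`. Also, because the discriminator (`permission.type`) is nested, `z.discriminatedUnion` cannot be used here and a plain `z.union` reports an `invalid_union` error listing both branch failures, which is harder for callers to read than a targeted message; a `superRefine` on a single object schema checking `permission.type === 'basic' && resourceRef !== undefined` would give a precise path and message, though the union is functionally correct as written. Note that the resource branch keeps `resourceRef: z.string().optional()`, so a resource permission without a resourceRef remains accepted — presumably intended, but worth confirming against the router's handling of that case.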