internal/credential: validate token resource type

internal/credential/service_list_credentials.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/util"
 )
 
 // CredentialService defines the interface expected
@@ -43,7 +44,7 @@ func List(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "page size must be at least 1")
 	case filterItemFn == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing filter item callback")
-	case service == nil:
+	case util.IsNil(service):
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing service")
 	case credentialStoreId == "":
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing credential store ID")

internal/credential/service_list_credentials_ext_test.go

@@ -215,6 +215,16 @@ func TestService_List(t *testing.T) {
 			_, err = credential.ListPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, "")
 			require.ErrorContains(t, err, "missing credential store ID")
 		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, c credential.Static) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewPagination(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), "some-id", fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = credential.ListPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, credStore.GetPublicId())
+			require.ErrorContains(t, err, "token did not have a credential resource type")
+		})
 	})
 	t.Run("ListRefresh validation", func(t *testing.T) {
 		t.Parallel()
@@ -283,6 +293,16 @@ func TestService_List(t *testing.T) {
 			_, err = credential.ListRefresh(ctx, []byte("some hash"), 1, filterFunc, tok, repo, "")
 			require.ErrorContains(t, err, "missing credential store ID")
 		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, c credential.Static) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewStartRefresh(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), fiveDaysAgo, fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = credential.ListRefresh(ctx, []byte("some hash"), 1, filterFunc, tok, repo, credStore.GetPublicId())
+			require.ErrorContains(t, err, "token did not have a credential resource type")
+		})
 	})
 	t.Run("ListRefreshPage validation", func(t *testing.T) {
 		t.Parallel()
@@ -361,6 +381,16 @@ func TestService_List(t *testing.T) {
 			_, err = credential.ListRefreshPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, "")
 			require.ErrorContains(t, err, "missing credential store ID")
 		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, c credential.Static) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewRefresh(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), fiveDaysAgo, fiveDaysAgo, fiveDaysAgo, "some other id", fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = credential.ListRefreshPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, credStore.GetPublicId())
+			require.ErrorContains(t, err, "token did not have a credential resource type")
+		})
 	})
 
 	t.Run("simple pagination", func(t *testing.T) {

internal/credential/service_list_credentials_page.go

@@ -10,6 +10,8 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
+	"github.com/hashicorp/boundary/internal/util"
 )
 
 // ListPage lists up to page size credentials, filtering out entries that
@@ -38,10 +40,12 @@ func ListPage(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing filter item callback")
 	case tok == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
-	case service == nil:
+	case util.IsNil(service):
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing service")
 	case credentialStoreId == "":
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing credential store ID")
+	case tok.ResourceType != resource.Credential:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a credential resource type")
 	}
 	if _, ok := tok.Subtype.(*listtoken.PaginationToken); !ok {
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a pagination token component")

internal/credential/service_list_credentials_refresh.go

@@ -11,6 +11,8 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
+	"github.com/hashicorp/boundary/internal/util"
 )
 
 // ListRefresh lists up to page size credentials, filtering out entries that
@@ -42,10 +44,12 @@ func ListRefresh(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing filter item callback")
 	case tok == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
-	case service == nil:
+	case util.IsNil(service):
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing service")
 	case credentialStoreId == "":
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing credential store ID")
+	case tok.ResourceType != resource.Credential:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a credential resource type")
 	}
 	rt, ok := tok.Subtype.(*listtoken.StartRefreshToken)
 	if !ok {

internal/credential/service_list_credentials_refresh_page.go

@@ -11,6 +11,8 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
+	"github.com/hashicorp/boundary/internal/util"
 )
 
 // ListRefreshPage lists up to page size credentials, filtering out entries that
@@ -42,10 +44,12 @@ func ListRefreshPage(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing filter item callback")
 	case tok == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
-	case service == nil:
+	case util.IsNil(service):
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing service")
 	case credentialStoreId == "":
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing credential store ID")
+	case tok.ResourceType != resource.Credential:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a credential resource type")
 	}
 	rt, ok := tok.Subtype.(*listtoken.RefreshToken)
 	if !ok {

internal/credential/service_list_libraries.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/util"
 )
 
 // LibraryService defines the interface expected
@@ -43,7 +44,7 @@ func ListLibraries(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "page size must be at least 1")
 	case filterItemFn == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing filter item callback")
-	case service == nil:
+	case util.IsNil(service):
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing service")
 	case credentialStoreId == "":
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing credential store ID")

internal/credential/service_list_libraries_ext_test.go

@@ -196,7 +196,17 @@ func TestLibraryService_List(t *testing.T) {
 			tok, err := listtoken.NewPagination(ctx, fiveDaysAgo, resource.CredentialLibrary, []byte("some hash"), "some-id", fiveDaysAgo)
 			require.NoError(t, err)
 			_, err = credential.ListLibrariesPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, "")
-			require.ErrorContains(t, err, "missing store id")
+			require.ErrorContains(t, err, "missing credential store id")
+		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, l credential.Library) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewPagination(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), "some-id", fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = credential.ListLibrariesPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, credStore.GetPublicId())
+			require.ErrorContains(t, err, "token did not have an credential library resource type")
 		})
 	})
 	t.Run("ListLibrariesRefresh validation", func(t *testing.T) {
@@ -266,6 +276,16 @@ func TestLibraryService_List(t *testing.T) {
 			_, err = credential.ListLibrariesRefresh(ctx, []byte("some hash"), 1, filterFunc, tok, repo, "")
 			require.ErrorContains(t, err, "missing credential store ID")
 		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, l credential.Library) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewStartRefresh(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), fiveDaysAgo, fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = credential.ListLibrariesRefresh(ctx, []byte("some hash"), 1, filterFunc, tok, repo, credStore.GetPublicId())
+			require.ErrorContains(t, err, "token did not have an credential library resource type")
+		})
 	})
 	t.Run("ListLibrariesRefreshPage validation", func(t *testing.T) {
 		t.Parallel()
@@ -334,6 +354,26 @@ func TestLibraryService_List(t *testing.T) {
 			_, err = credential.ListLibrariesRefreshPage(ctx, []byte("some hash"), 1, filterFunc, tok, nil, credStore.GetPublicId())
 			require.ErrorContains(t, err, "missing service")
 		})
+		t.Run("missing credential store ID", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, l credential.Library) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewRefresh(ctx, fiveDaysAgo, resource.CredentialLibrary, []byte("some hash"), fiveDaysAgo, fiveDaysAgo, fiveDaysAgo, "some other id", fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = credential.ListLibrariesRefreshPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, "")
+			require.ErrorContains(t, err, "missing credential store id")
+		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, l credential.Library) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewRefresh(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), fiveDaysAgo, fiveDaysAgo, fiveDaysAgo, "some other id", fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = credential.ListLibrariesRefreshPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, credStore.GetPublicId())
+			require.ErrorContains(t, err, "token did not have an credential library resource type")
+		})
 	})
 
 	t.Run("simple pagination", func(t *testing.T) {

internal/credential/service_list_libraries_page.go

@@ -10,6 +10,8 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
+	"github.com/hashicorp/boundary/internal/util"
 )
 
 // ListLibrariesPage lists up to page size credential libraries, filtering out entries that
@@ -38,8 +40,12 @@ func ListLibrariesPage(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing filter item callback")
 	case tok == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
-	case service == nil:
+	case util.IsNil(service):
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing service")
+	case credentialStoreId == "":
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing credential store id")
+	case tok.ResourceType != resource.CredentialLibrary:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have an credential library resource type")
 	}
 	if _, ok := tok.Subtype.(*listtoken.PaginationToken); !ok {
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a pagination token component")

internal/credential/service_list_libraries_refresh.go

@@ -11,6 +11,8 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
+	"github.com/hashicorp/boundary/internal/util"
 )
 
 // ListRefresh lists up to page size credential libraries, filtering out entries that
@@ -42,10 +44,12 @@ func ListLibrariesRefresh(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing filter item callback")
 	case tok == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
-	case service == nil:
+	case util.IsNil(service):
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing service")
 	case credentialStoreId == "":
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing credential store ID")
+	case tok.ResourceType != resource.CredentialLibrary:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have an credential library resource type")
 	}
 	rt, ok := tok.Subtype.(*listtoken.StartRefreshToken)
 	if !ok {

internal/credential/service_list_libraries_refresh_page.go

@@ -11,6 +11,8 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
+	"github.com/hashicorp/boundary/internal/util"
 )
 
 // ListRefreshPage lists up to page size credential libraries, filtering out entries that
@@ -42,8 +44,12 @@ func ListLibrariesRefreshPage(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing filter item callback")
 	case tok == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
-	case service == nil:
+	case util.IsNil(service):
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing service")
+	case credentialStoreId == "":
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing credential store id")
+	case tok.ResourceType != resource.CredentialLibrary:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have an credential library resource type")
 	}
 	rt, ok := tok.Subtype.(*listtoken.RefreshToken)
 	if !ok {

internal/credential/service_list_stores.go

@@ -33,7 +33,7 @@ func ListStores(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "page size must be at least 1")
 	case filterItemFn == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing filter item callback")
-	case projectIds == nil:
+	case len(projectIds) == 0:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing project ids")
 	case repo == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")

internal/credential/service_list_stores_ext_test.go

@@ -151,7 +151,7 @@ func TestStoreService_List(t *testing.T) {
 			_, err := credential.ListStores(ctx, []byte("some hash"), 1, filterFunc, nil, []string{prj.PublicId})
 			require.ErrorContains(t, err, "missing repo")
 		})
-		t.Run("missing public Ids", func(t *testing.T) {
+		t.Run("missing project ids", func(t *testing.T) {
 			t.Parallel()
 			filterFunc := func(_ context.Context, s credential.Store) (bool, error) {
 				return true, nil
@@ -237,6 +237,16 @@ func TestStoreService_List(t *testing.T) {
 			_, err = credential.ListStoresPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, nil)
 			require.ErrorContains(t, err, "missing project ids")
 		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, s credential.Store) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewPagination(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), "some-id", fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = credential.ListStoresPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, []string{prj.PublicId})
+			require.ErrorContains(t, err, "token did not have a credential store resource type")
+		})
 	})
 	t.Run("ListRefresh validation", func(t *testing.T) {
 		t.Parallel()
@@ -305,6 +315,16 @@ func TestStoreService_List(t *testing.T) {
 			_, err = credential.ListStoresRefresh(ctx, []byte("some hash"), 1, filterFunc, tok, repo, nil)
 			require.ErrorContains(t, err, "missing project ids")
 		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, s credential.Store) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewStartRefresh(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), fiveDaysAgo, fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = credential.ListStoresRefresh(ctx, []byte("some hash"), 1, filterFunc, tok, repo, []string{prj.PublicId})
+			require.ErrorContains(t, err, "token did not have a credential store resource type")
+		})
 	})
 	t.Run("ListRefreshPage validation", func(t *testing.T) {
 		t.Parallel()
@@ -383,6 +403,16 @@ func TestStoreService_List(t *testing.T) {
 			_, err = credential.ListStoresRefreshPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, nil)
 			require.ErrorContains(t, err, "missing project ids")
 		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, s credential.Store) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewRefresh(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), fiveDaysAgo, fiveDaysAgo, fiveDaysAgo, "some other id", fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = credential.ListStoresRefreshPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, []string{prj.PublicId})
+			require.ErrorContains(t, err, "token did not have a credential store resource type")
+		})
 	})
 
 	t.Run("simple pagination", func(t *testing.T) {

internal/credential/service_list_stores_page.go

@@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
 )
 
 // ListStoresPage lists up to page size credential stores, filtering out entries that
@@ -38,8 +39,12 @@ func ListStoresPage(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing filter item callback")
 	case tok == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
+	case len(projectIds) == 0:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing project ids")
 	case repo == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")
+	case tok.ResourceType != resource.CredentialStore:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a credential store resource type")
 	}
 	if _, ok := tok.Subtype.(*listtoken.PaginationToken); !ok {
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a pagination token component")

internal/credential/service_list_stores_refresh.go

@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
 )
 
 // ListStoresRefresh lists up to page size credential stores, filtering out entries that
@@ -42,10 +43,12 @@ func ListStoresRefresh(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing filter item callback")
 	case tok == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
-	case projectIds == nil:
+	case len(projectIds) == 0:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing project ids")
 	case repo == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")
+	case tok.ResourceType != resource.CredentialStore:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a credential store resource type")
 	}
 	rt, ok := tok.Subtype.(*listtoken.StartRefreshToken)
 	if !ok {

internal/credential/service_list_stores_refresh_page.go

@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
 )
 
 // ListStoresRefreshPage lists up to page size credential stores, filtering out entries that
@@ -42,8 +43,12 @@ func ListStoresRefreshPage(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing filter item callback")
 	case tok == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
+	case len(projectIds) == 0:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing project ids")
 	case repo == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")
+	case tok.ResourceType != resource.CredentialStore:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a credential store resource type")
 	}
 	rt, ok := tok.Subtype.(*listtoken.RefreshToken)
 	if !ok {