internal/authtoken: validate token resource type

2 years ago · 799009fc04
parent 597ac645b2
commit 799009fc04
4 changed files with 39 additions and 0 deletions
--- a/internal/authtoken/service_list_ext_test.go
+++ b/internal/authtoken/service_list_ext_test.go
@ -188,6 +188,16 @@ func TestService_List(t *testing.T) {
 			_, err = authtoken.ListPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, nil)
 			require.ErrorContains(t, err, "missing scope ids")
 		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, at *authtoken.AuthToken) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewPagination(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), "some-id", fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = authtoken.ListPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, []string{org.GetPublicId()})
+			require.ErrorContains(t, err, "token did not have an auth token resource type")
+		})
 	})
 	t.Run("ListRefresh validation", func(t *testing.T) {
 		t.Parallel()
@ -266,6 +276,16 @@ func TestService_List(t *testing.T) {
 			_, err = authtoken.ListRefresh(ctx, []byte("some hash"), 1, filterFunc, tok, repo, nil)
 			require.ErrorContains(t, err, "missing scope ids")
 		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, at *authtoken.AuthToken) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewStartRefresh(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), fiveDaysAgo, fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = authtoken.ListRefresh(ctx, []byte("some hash"), 1, filterFunc, tok, repo, []string{org.GetPublicId()})
+			require.ErrorContains(t, err, "token did not have an auth token resource type")
+		})
 	})
 	t.Run("ListRefreshPage validation", func(t *testing.T) {
 		t.Parallel()
@ -344,6 +364,16 @@ func TestService_List(t *testing.T) {
 			_, err = authtoken.ListRefreshPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, nil)
 			require.ErrorContains(t, err, "missing scope ids")
 		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, at *authtoken.AuthToken) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewRefresh(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), fiveDaysAgo, fiveDaysAgo, fiveDaysAgo, "some other id", fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = authtoken.ListRefreshPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, []string{org.GetPublicId()})
+			require.ErrorContains(t, err, "token did not have an auth token resource type")
+		})
 	})

 	t.Run("simple pagination", func(t *testing.T) {
--- a/internal/authtoken/service_list_page.go
+++ b/internal/authtoken/service_list_page.go
@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
 )

 // ListPage lists up to page size auth tokens, filtering out entries that
@ -42,6 +43,8 @@ func ListPage(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")
 	case withScopeIds == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing scope ids")
+	case tok.ResourceType != resource.AuthToken:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have an auth token resource type")
 	}
 	if _, ok := tok.Subtype.(*listtoken.PaginationToken); !ok {
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a pagination token component")
--- a/internal/authtoken/service_list_refresh.go
+++ b/internal/authtoken/service_list_refresh.go
@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
 )

 // ListRefresh lists up to page size auth tokens, filtering out entries that
@ -46,6 +47,8 @@ func ListRefresh(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")
 	case withScopeIds == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing scope ids")
+	case tok.ResourceType != resource.AuthToken:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have an auth token resource type")
 	}
 	rt, ok := tok.Subtype.(*listtoken.StartRefreshToken)
 	if !ok {
--- a/internal/authtoken/service_list_refresh_page.go
+++ b/internal/authtoken/service_list_refresh_page.go
@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
 )

 // ListRefreshPage lists up to page size auth tokens, filtering out entries that
@ -46,6 +47,8 @@ func ListRefreshPage(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")
 	case withScopeIds == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing scope ids")
+	case tok.ResourceType != resource.AuthToken:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have an auth token resource type")
 	}
 	rt, ok := tok.Subtype.(*listtoken.RefreshToken)
 	if !ok {