internal/iam: validate token resource type

internal/iam/service_list.go

@@ -35,7 +35,7 @@ func ListRoles(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing filter item callback")
 	case repo == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")
-	case withScopeIds == nil:
+	case len(withScopeIds) == 0:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing scope ids")
 	}
 

internal/iam/service_list_ext_test.go

@@ -184,6 +184,16 @@ func TestService_ListRoles(t *testing.T) {
 			_, err = iam.ListRolesPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, nil)
 			require.ErrorContains(t, err, "missing scope ids")
 		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, r *iam.Role) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewPagination(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), "some-id", fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = iam.ListRolesPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, []string{org.GetPublicId()})
+			require.ErrorContains(t, err, "token did not have a role resource type")
+		})
 	})
 	t.Run("ListRefresh validation", func(t *testing.T) {
 		t.Parallel()
@@ -262,6 +272,16 @@ func TestService_ListRoles(t *testing.T) {
 			_, err = iam.ListRolesRefresh(ctx, []byte("some hash"), 1, filterFunc, tok, repo, nil)
 			require.ErrorContains(t, err, "missing scope ids")
 		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, r *iam.Role) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewStartRefresh(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), fiveDaysAgo, fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = iam.ListRolesRefresh(ctx, []byte("some hash"), 1, filterFunc, tok, repo, []string{org.GetPublicId()})
+			require.ErrorContains(t, err, "token did not have a role resource type")
+		})
 	})
 	t.Run("ListRefreshPage validation", func(t *testing.T) {
 		t.Parallel()
@@ -340,6 +360,16 @@ func TestService_ListRoles(t *testing.T) {
 			_, err = iam.ListRolesRefreshPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, nil)
 			require.ErrorContains(t, err, "missing scope ids")
 		})
+		t.Run("wrong token resource type", func(t *testing.T) {
+			t.Parallel()
+			filterFunc := func(_ context.Context, r *iam.Role) (bool, error) {
+				return true, nil
+			}
+			tok, err := listtoken.NewRefresh(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), fiveDaysAgo, fiveDaysAgo, fiveDaysAgo, "some other id", fiveDaysAgo)
+			require.NoError(t, err)
+			_, err = iam.ListRolesRefreshPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, []string{org.GetPublicId()})
+			require.ErrorContains(t, err, "token did not have a role resource type")
+		})
 	})
 
 	t.Run("simple pagination", func(t *testing.T) {

internal/iam/service_list_page.go

@@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
 )
 
 // ListRolesPage lists up to page size roles, filtering out entries that
@@ -40,8 +41,10 @@ func ListRolesPage(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
 	case repo == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")
-	case withScopeIds == nil:
+	case len(withScopeIds) == 0:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing scope ids")
+	case tok.ResourceType != resource.Role:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a role resource type")
 	}
 	if _, ok := tok.Subtype.(*listtoken.PaginationToken); !ok {
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a pagination token component")

internal/iam/service_list_refresh.go

@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
 )
 
 // ListRolesRefresh lists up to page size roles, filtering out entries that
@@ -44,8 +45,10 @@ func ListRolesRefresh(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
 	case repo == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")
-	case withScopeIds == nil:
+	case len(withScopeIds) == 0:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing scope ids")
+	case tok.ResourceType != resource.Role:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a role resource type")
 	}
 	rt, ok := tok.Subtype.(*listtoken.StartRefreshToken)
 	if !ok {

internal/iam/service_list_refresh_page.go

@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/boundary/internal/errors"
 	"github.com/hashicorp/boundary/internal/listtoken"
 	"github.com/hashicorp/boundary/internal/pagination"
+	"github.com/hashicorp/boundary/internal/types/resource"
 )
 
 // ListRolesRefreshPage lists up to page size roles, filtering out entries that
@@ -44,8 +45,10 @@ func ListRolesRefreshPage(
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
 	case repo == nil:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")
-	case withScopeIds == nil:
+	case len(withScopeIds) == 0:
 		return nil, errors.New(ctx, errors.InvalidParameter, op, "missing scope ids")
+	case tok.ResourceType != resource.Role:
+		return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a role resource type")
 	}
 	rt, ok := tok.Subtype.(*listtoken.RefreshToken)
 	if !ok {