diff --git a/internal/iam/service_list.go b/internal/iam/service_list.go
index 3498274770..ffb470984a 100644
--- a/internal/iam/service_list.go
+++ b/internal/iam/service_list.go
@@ -35,7 +35,7 @@ func ListRoles(
 return nil, errors.New(ctx, errors.InvalidParameter, op, "missing filter item callback")
 case repo == nil:
 return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")
- case withScopeIds == nil:
+ case len(withScopeIds) == 0:
 return nil, errors.New(ctx, errors.InvalidParameter, op, "missing scope ids")
 }
diff --git a/internal/iam/service_list_ext_test.go b/internal/iam/service_list_ext_test.go
index 1e9408ffbd..652679365f 100644
--- a/internal/iam/service_list_ext_test.go
+++ b/internal/iam/service_list_ext_test.go
@@ -184,6 +184,16 @@ func TestService_ListRoles(t *testing.T) {
 _, err = iam.ListRolesPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, nil)
 require.ErrorContains(t, err, "missing scope ids")
 })
+ t.Run("wrong token resource type", func(t *testing.T) {
+ t.Parallel()
+ filterFunc := func(_ context.Context, r *iam.Role) (bool, error) {
+ return true, nil
+ }
+ tok, err := listtoken.NewPagination(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), "some-id", fiveDaysAgo)
+ require.NoError(t, err)
+ _, err = iam.ListRolesPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, []string{org.GetPublicId()})
+ require.ErrorContains(t, err, "token did not have a role resource type")
+ })
 })
 t.Run("ListRefresh validation", func(t *testing.T) {
 t.Parallel()
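Review bot: In ListRoles (internal/iam/service_list.go) the new `case len(withScopeIds) == 0:` guard has no comment saying why an empty slice is now rejected together with nil, and the same holds for the identical case in the ListRolesPage, ListRolesRefresh and ListRolesRefreshPage hunks. The scope list bounds what the listing may return, so the intent belongs next to the check, for example `// An empty scope list is an error; it must never be read as "no scope restriction".` How the repo treats an empty list is not visible in this diff, so the comment should state the guard's intent and not the repo's behaviour. The guard also looks only at the length; whether individual entries such as an empty string need rejecting depends on callers outside the hunk, and the switch itself opens above it.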
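Review bot: None of the subtests added to TestService_ListRoles exercises the guard this commit changes: the "missing scope ids" assertions in the context lines still pass `nil`, which the old `withScopeIds == nil` check already rejected, so reverting to it would leave the suite green. Add a case per list function that passes an empty, non-nil slice, e.g. `_, err = iam.ListRolesPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, []string{})` followed by `require.ErrorContains(t, err, "missing scope ids")`. The same gap applies to the ListRolesRefresh and ListRolesRefreshPage validation hunks of this file; the validation block for ListRoles lies outside the hunks shown.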
@@ -262,6 +272,16 @@ func TestService_ListRoles(t *testing.T) {
 _, err = iam.ListRolesRefresh(ctx, []byte("some hash"), 1, filterFunc, tok, repo, nil)
 require.ErrorContains(t, err, "missing scope ids")
 })
+ t.Run("wrong token resource type", func(t *testing.T) {
+ t.Parallel()
+ filterFunc := func(_ context.Context, r *iam.Role) (bool, error) {
+ return true, nil
+ }
+ tok, err := listtoken.NewStartRefresh(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), fiveDaysAgo, fiveDaysAgo)
+ require.NoError(t, err)
+ _, err = iam.ListRolesRefresh(ctx, []byte("some hash"), 1, filterFunc, tok, repo, []string{org.GetPublicId()})
+ require.ErrorContains(t, err, "token did not have a role resource type")
+ })
 })
 t.Run("ListRefreshPage validation", func(t *testing.T) {
 t.Parallel()
@@ -340,6 +360,16 @@ func TestService_ListRoles(t *testing.T) {
 _, err = iam.ListRolesRefreshPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, nil)
 require.ErrorContains(t, err, "missing scope ids")
 })
+ t.Run("wrong token resource type", func(t *testing.T) {
+ t.Parallel()
+ filterFunc := func(_ context.Context, r *iam.Role) (bool, error) {
+ return true, nil
+ }
+ tok, err := listtoken.NewRefresh(ctx, fiveDaysAgo, resource.Target, []byte("some hash"), fiveDaysAgo, fiveDaysAgo, fiveDaysAgo, "some other id", fiveDaysAgo)
+ require.NoError(t, err)
+ _, err = iam.ListRolesRefreshPage(ctx, []byte("some hash"), 1, filterFunc, tok, repo, []string{org.GetPublicId()})
+ require.ErrorContains(t, err, "token did not have a role resource type")
+ })
 })
 t.Run("simple pagination", func(t *testing.T) {
diff --git a/internal/iam/service_list_page.go b/internal/iam/service_list_page.go
index bbdb4822bf..efbc6ed81a 100644
--- a/internal/iam/service_list_page.go
+++ b/internal/iam/service_list_page.go
@@ -10,6 +10,7 @@ import (
 "github.com/hashicorp/boundary/internal/errors"
 "github.com/hashicorp/boundary/internal/listtoken"
 "github.com/hashicorp/boundary/internal/pagination"
+ "github.com/hashicorp/boundary/internal/types/resource"
 )
 // ListRolesPage lists up to page size roles, filtering out entries that
@@ -40,8 +41,10 @@ func ListRolesPage(
 return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
 case repo == nil:
 return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")
- case withScopeIds == nil:
+ case len(withScopeIds) == 0:
 return nil, errors.New(ctx, errors.InvalidParameter, op, "missing scope ids")
+ case tok.ResourceType != resource.Role:
+ return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a role resource type")
 }
 if _, ok := tok.Subtype.(*listtoken.PaginationToken); !ok {
 return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a pagination token component")
diff --git a/internal/iam/service_list_refresh.go b/internal/iam/service_list_refresh.go
index 69d26314ba..6d738ad82d 100644
--- a/internal/iam/service_list_refresh.go
+++ b/internal/iam/service_list_refresh.go
@@ -11,6 +11,7 @@ import (
 "github.com/hashicorp/boundary/internal/errors"
 "github.com/hashicorp/boundary/internal/listtoken"
 "github.com/hashicorp/boundary/internal/pagination"
+ "github.com/hashicorp/boundary/internal/types/resource"
 )
 // ListRolesRefresh lists up to page size roles, filtering out entries that
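Review bot: The added `case tok.ResourceType != resource.Role:` in ListRolesPage dereferences `tok`, so it is safe only because a nil-token case runs earlier in the same switch; that case's condition sits above the hunk and only its "missing token" return is visible. A one-line comment would keep a later reorder from turning a malformed request into a nil-pointer panic, e.g. `// tok is non-nil here: the missing-token case above must stay ahead of this one.` The function's doc comment, which starts outside the hunk, should also say that a token issued for another resource type is rejected with InvalidParameter, since the token is presumably client-supplied and this case is what ties it to roles. Both remarks apply equally to the matching hunks in ListRolesRefresh and ListRolesRefreshPage.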
@@ -44,8 +45,10 @@ func ListRolesRefresh(
 return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
 case repo == nil:
 return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")
- case withScopeIds == nil:
+ case len(withScopeIds) == 0:
 return nil, errors.New(ctx, errors.InvalidParameter, op, "missing scope ids")
+ case tok.ResourceType != resource.Role:
+ return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a role resource type")
 }
 rt, ok := tok.Subtype.(*listtoken.StartRefreshToken)
 if !ok {
diff --git a/internal/iam/service_list_refresh_page.go b/internal/iam/service_list_refresh_page.go
index 81219686e6..0a474cae0a 100644
--- a/internal/iam/service_list_refresh_page.go
+++ b/internal/iam/service_list_refresh_page.go
@@ -11,6 +11,7 @@ import (
 "github.com/hashicorp/boundary/internal/errors"
 "github.com/hashicorp/boundary/internal/listtoken"
 "github.com/hashicorp/boundary/internal/pagination"
+ "github.com/hashicorp/boundary/internal/types/resource"
 )
 // ListRolesRefreshPage lists up to page size roles, filtering out entries that
@@ -44,8 +45,10 @@ func ListRolesRefreshPage(
 return nil, errors.New(ctx, errors.InvalidParameter, op, "missing token")
 case repo == nil:
 return nil, errors.New(ctx, errors.InvalidParameter, op, "missing repo")
- case withScopeIds == nil:
+ case len(withScopeIds) == 0:
 return nil, errors.New(ctx, errors.InvalidParameter, op, "missing scope ids")
+ case tok.ResourceType != resource.Role:
+ return nil, errors.New(ctx, errors.InvalidParameter, op, "token did not have a role resource type")
 }
 rt, ok := tok.Subtype.(*listtoken.RefreshToken)
 if !ok {