From 2d9ece2f3a7a987c745e4f6d7d6ba02a74756577 Mon Sep 17 00:00:00 2001
From: Alberto Ricart
Date: Fri, 13 Sep 2024 11:28:03 -0500
Subject: [PATCH] Added validation to cluster traffic - as downstream tools like nsc will need to perform some level of validation (#224)
* Added validation to cluster traffic - as downstream tools like nsc will need to perform some level of validation
* removed parsing of account for cluster traffic as that option will be delayed.
---
 v2/account_claims.go | 20 +++++++++++++++++++-
 v2/account_claims_test.go | 28 ++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/v2/account_claims.go b/v2/account_claims.go
index e071a8c..05850fc 100644
--- a/v2/account_claims.go
+++ b/v2/account_claims.go
@@ -230,6 +230,20 @@ func (ac *ExternalAuthorization) Validate(vr *ValidationResults) {
 }
 }
 
+const (
+ ClusterTrafficSystem = "system"
+ ClusterTrafficOwner = "owner"
+)
+
+type ClusterTraffic string
+
+func (ct ClusterTraffic) Valid() error {
+ if ct == "" || ct == ClusterTrafficSystem || ct == ClusterTrafficOwner {
+ return nil
+ }
+ return fmt.Errorf("unknown cluster traffic option: %q", ct)
+}
+
 // Account holds account specific claims data
 type Account struct {
 Imports Imports `json:"imports,omitempty"`
@@ -241,7 +255,7 @@ type Account struct {
 Mappings Mapping `json:"mappings,omitempty"`
 Authorization ExternalAuthorization `json:"authorization,omitempty"`
 Trace *MsgTrace `json:"trace,omitempty"`
- ClusterTraffic string `json:"cluster_traffic,omitempty"`
+ ClusterTraffic ClusterTraffic `json:"cluster_traffic,omitempty"`
 Info GenericFields
 }
 
@@ -309,6 +323,10 @@ func (a *Account) Validate(acct *AccountClaims, vr *ValidationResults) {
 }
 a.SigningKeys.Validate(vr)
 a.Info.Validate(vr)
+
+ if err := a.ClusterTraffic.Valid(); err != nil {
+ vr.AddError(err.Error())
+ }
 }
 
 // AccountClaims defines the body of an account JWT
diff --git a/v2/account_claims_test.go b/v2/account_claims_test.go
index c3cfa5e..5930313 100644
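Review bot: The exported names added in the first hunk (`ClusterTrafficSystem`, `ClusterTrafficOwner`, `ClusterTraffic`, `Valid`) have no doc comments, and the two constants are untyped strings declared ahead of the type, so nothing ties them to `ClusterTraffic` in godoc or in the type system. Consider declaring them as `ClusterTrafficSystem ClusterTraffic = "system"` and `ClusterTrafficOwner ClusterTraffic = "owner"`. A comment on the method such as `// Valid returns nil when ct is empty, "system" or "owner"; matching is exact and case-sensitive.` would record that the empty value is accepted, which downstream validators need to know.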
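Review bot: Changing the exported field `Account.ClusterTraffic` from `string` to `ClusterTraffic` in the second hunk is a source-level break for callers that assign a `string` variable to it or compare it against one. String literals and the JSON encoding are unaffected, since the underlying type is still `string`. A field comment such as `// ClusterTraffic is "", "system" or "owner"; checked by Account.Validate.` would make the accepted values visible at the point of use. The `Account` struct declaration starts outside this hunk.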
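Review bot: In the third hunk, `vr.AddError(err.Error())` passes text built from the decoded `cluster_traffic` claim as the first argument of `AddError`. That method's signature is not visible here and should be confirmed, but if it takes a printf-style format, a claim value containing `%` verbs would be re-interpreted and the reported message garbled, because `%q` quoting in `Valid` leaves `%` characters intact. A constant format avoids this and keeps `go vet` quiet: `vr.AddError("%s", err.Error())`. The body of `Account.Validate` starts outside this hunk.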
--- a/v2/account_claims_test.go
+++ b/v2/account_claims_test.go
@@ -990,3 +990,31 @@ func TestAccountClaimsTraceDestSampling(t *testing.T) {
 })
 }
 }
+
+func TestClusterTraffic_Valid(t *testing.T) {
+ type clustertest struct {
+ input string
+ ok bool
+ }
+
+ tests := []clustertest{
+ {input: "", ok: true},
+ {input: "system", ok: true},
+ {input: "SYSTEM", ok: false},
+ {input: "owner", ok: true},
+ {input: "OWNER", ok: false},
+ {input: "unknown", ok: false},
+ {input: "account", ok: false},
+ }
+
+ for _, test := range tests {
+ ct := ClusterTraffic(test.input)
+ err := ct.Valid()
+ if test.ok && err != nil {
+ t.Fatalf("unexpected err for input %q: %v", test.input, err)
+ }
+ if !test.ok && err == nil {
+ t.Fatalf("expected to fail input %q", test.input)
+ }
+ }
+}
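Review bot: The new test calls `ClusterTraffic.Valid` directly, but nothing covers the call this commit adds to `Account.Validate`, so a regression that drops that wiring would still pass. A case that sets `ClusterTraffic` to an unsupported value on an account, runs validation and asserts that the results contain an error would close the gap. Inside the loop, `t.Fatalf` stops at the first failing row; `t.Errorf` would report every bad input in a single run.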