Change filterParams String() and return http 4xx if client-passed woo…

…kie is invalid (#245)
warrant-dev · Oct 4, 2023 · cb48bac · cb48bac
1 parent c99d961
commit cb48bac
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 13 deletions.
diff --git a/pkg/authz/warrant/list.go b/pkg/authz/warrant/list.go
@@ -31,16 +31,36 @@ type FilterParams struct {
 }
 
 func (fp FilterParams) String() string {
-	return fmt.Sprintf(
-		"objectType: '%s' objectId: '%s' relation: '%s' subjectType: '%s' subjectId: '%s' subjectRelation: '%s' policy: '%s'",
-		strings.Join(fp.ObjectType, ", "),
-		strings.Join(fp.ObjectId, ", "),
-		strings.Join(fp.Relation, ", "),
-		strings.Join(fp.SubjectType, ", "),
-		strings.Join(fp.SubjectId, ", "),
-		strings.Join(fp.SubjectRelation, ", "),
-		fp.Policy,
-	)
+	s := ""
+	if len(fp.ObjectType) > 0 {
+		s = fmt.Sprintf("%s&objectType=%s", s, strings.Join(fp.ObjectType, ","))
+	}
+
+	if len(fp.ObjectId) > 0 {
+		s = fmt.Sprintf("%s&objectId=%s", s, strings.Join(fp.ObjectId, ","))
+	}
+
+	if len(fp.Relation) > 0 {
+		s = fmt.Sprintf("%s&relation=%s", s, strings.Join(fp.Relation, ","))
+	}
+
+	if len(fp.SubjectType) > 0 {
+		s = fmt.Sprintf("%s&subjectType=%s", s, strings.Join(fp.SubjectType, ","))
+	}
+
+	if len(fp.SubjectId) > 0 {
+		s = fmt.Sprintf("%s&subjectId=%s", s, strings.Join(fp.SubjectId, ","))
+	}
+
+	if len(fp.SubjectRelation) > 0 {
+		s = fmt.Sprintf("%s&subjectRelation=%s", s, strings.Join(fp.SubjectRelation, ","))
+	}
+
+	if fp.Policy != "" {
+		s = fmt.Sprintf("%s&policy=%s", s, fp.Policy)
+	}
+
+	return strings.TrimPrefix(s, "&")
 }
 
 type WarrantListParamParser struct{}

diff --git a/pkg/authz/wookie/middleware.go b/pkg/authz/wookie/middleware.go
@@ -50,10 +50,17 @@ func wookieMiddleware(next http.Handler, wookieSvc *WookieService) http.Handler
 			ctxWithWookie := wookie.WithWookie(r.Context(), token)
 			next.ServeHTTP(w, r.WithContext(ctxWithWookie))
 		default:
-			token, err := wookie.FromString(headerVal)
+			tokenFromString, err := wookie.FromString(headerVal)
 			if err != nil {
-				hlog.FromRequest(r).Error().Err(err).Msg("wookie: error deserializing wookie from string")
-				service.SendErrorResponse(w, service.NewInternalError("Something went wrong"))
+				hlog.FromRequest(r).Warn().Err(err).Msgf("wookie: invalid client provided wookie %s", headerVal)
+				service.SendErrorResponse(w, service.NewInvalidRequestError("Invalid Warrant-Token provided"))
+				return
+			}
+
+			token, err := wookieSvc.GetById(r.Context(), tokenFromString.ID)
+			if err != nil {
+				hlog.FromRequest(r).Error().Err(err).Msgf("wookie: error fetching wookie %d from db", tokenFromString.ID)
+				service.SendErrorResponse(w, service.NewInvalidRequestError("Invalid Warrant-Token provided"))
 				return
 			}