require deprecated IDs if new IDs are passed

we'll always have macaroons floating around with the old ids, so facts need to keep specifying them.
superfly · Sep 29, 2023 · d71e797 · d71e797
1 parent 36a215d
commit d71e797
Show file tree

Hide file tree

Showing 7 changed files with 99 additions and 103 deletions.
diff --git a/errors.go b/errors.go
@@ -6,9 +6,8 @@ import (
 )
 
 var (
-	ErrUnrecognizedToken          = errors.New("bad token")
-	ErrUnauthorized               = errors.New("unauthorized")
-	ErrInvalidAccess              = fmt.Errorf("%w: bad data for token verification", ErrUnauthorized)
-	ErrResourcesMutuallyExclusive = fmt.Errorf("%w: resources are mutually exclusive", ErrInvalidAccess)
-	ErrBadCaveat                  = fmt.Errorf("%w: bad caveat", ErrUnauthorized)
+	ErrUnrecognizedToken = errors.New("bad token")
+	ErrUnauthorized      = errors.New("unauthorized")
+	ErrInvalidAccess     = fmt.Errorf("%w: bad data for token verification", ErrUnauthorized)
+	ErrBadCaveat         = fmt.Errorf("%w: bad caveat", ErrUnauthorized)
 )
diff --git a/flyio/access.go b/flyio/access.go
@@ -47,15 +47,19 @@ func (a *Access) Now() time.Time {
 //
 // This ensure that a Access represents a single action taken on a single object.
 func (f *Access) Validate() error {
+	// TODO: require both slug/id to be set once clients are updated.
 	// root-level resources = org
-	if f.DeprecatedOrgID == nil && f.OrgSlug == nil {
+	if f.DeprecatedOrgID == nil {
 		return fmt.Errorf("%w org", resset.ErrResourceUnspecified)
 	}
 
-	hasApp := f.DeprecatedAppID != nil || f.AppID != nil
+	// TODO: require both id/hid to be set once clients are updated.
+	if f.AppID != nil && f.DeprecatedAppID == nil {
+		return fmt.Errorf("%w deprecated app id if specifying app id", resset.ErrResourceUnspecified)
+	}
 
 	var orgLevelResources []string
-	if hasApp {
+	if f.DeprecatedAppID != nil {
 		orgLevelResources = append(orgLevelResources, "app")
 	}
 	if f.Feature != nil {
@@ -65,23 +69,23 @@ func (f *Access) Validate() error {
 		orgLevelResources = append(orgLevelResources, "litefs cluster")
 	}
 	if len(orgLevelResources) > 1 {
-		return fmt.Errorf("%w: %s", macaroon.ErrResourcesMutuallyExclusive, strings.Join(orgLevelResources, ", "))
+		return fmt.Errorf("%w: %s", resset.ErrResourcesMutuallyExclusive, strings.Join(orgLevelResources, ", "))
 	}
 
 	// app-level resources = machines, volumes
 	if f.Machine != nil || f.Volume != nil {
-		if !hasApp {
-			return fmt.Errorf("%w app", resset.ErrResourceUnspecified)
+		if f.DeprecatedAppID == nil {
+			return fmt.Errorf("%w app if app-owned resource is specified", resset.ErrResourceUnspecified)
 		}
 
 		if f.Machine != nil && f.Volume != nil {
-			return fmt.Errorf("%w: volume, machine", macaroon.ErrResourcesMutuallyExclusive)
+			return fmt.Errorf("%w: volume, machine", resset.ErrResourcesMutuallyExclusive)
 		}
 	}
 
 	// machine feature requires machine
 	if f.MachineFeature != nil && f.Machine == nil {
-		return fmt.Errorf("%w machine", resset.ErrResourceUnspecified)
+		return fmt.Errorf("%w machine ", resset.ErrResourceUnspecified)
 	}
 
 	return nil

diff --git a/flyio/access_test.go b/flyio/access_test.go
@@ -5,7 +5,6 @@ import (
 	"testing"
 
 	"github.com/alecthomas/assert/v2"
-	"github.com/superfly/macaroon"
 	"github.com/superfly/macaroon/resset"
 )
 
@@ -14,65 +13,61 @@ func TestAccess(t *testing.T) {
 
 	// orgid required
 	assertError(t, resset.ErrResourceUnspecified, (&Access{}).Validate())
-	assertError(t, noError, (&Access{
+	assertError(t, resset.ErrResourceUnspecified, (&Access{
 		OrgSlug: ptr("x"),
 	}).Validate())
 	assertError(t, noError, (&Access{
 		DeprecatedOrgID: uptr(1),
 	}).Validate())
 
 	// org-level resources are mutually exclusive
-	assertError(t, macaroon.ErrResourcesMutuallyExclusive, (&Access{
-		OrgSlug: ptr("x"),
-		AppID:   ptr("x"),
-		Feature: ptr("x"),
-		Cluster: ptr("x"),
-	}).Validate())
-	assertError(t, macaroon.ErrResourcesMutuallyExclusive, (&Access{
-		OrgSlug: ptr("x"),
-		Feature: ptr("x"),
-		Cluster: ptr("x"),
-	}).Validate())
-	assertError(t, macaroon.ErrResourcesMutuallyExclusive, (&Access{
-		OrgSlug: ptr("x"),
-		AppID:   ptr("x"),
-		Cluster: ptr("x"),
-	}).Validate())
-	assertError(t, macaroon.ErrResourcesMutuallyExclusive, (&Access{
-		OrgSlug:         ptr("x"),
+	assertError(t, resset.ErrResourcesMutuallyExclusive, (&Access{
+		DeprecatedOrgID: uptr(1),
 		DeprecatedAppID: uptr(1),
 		Feature:         ptr("x"),
+		Cluster:         ptr("x"),
 	}).Validate())
-	assertError(t, macaroon.ErrResourcesMutuallyExclusive, (&Access{
-		OrgSlug:         ptr("x"),
+	assertError(t, resset.ErrResourcesMutuallyExclusive, (&Access{
+		DeprecatedOrgID: uptr(1),
+		Feature:         ptr("x"),
+		Cluster:         ptr("x"),
+	}).Validate())
+	assertError(t, resset.ErrResourcesMutuallyExclusive, (&Access{
+		DeprecatedOrgID: uptr(1),
 		DeprecatedAppID: uptr(1),
 		Cluster:         ptr("x"),
 	}).Validate())
-	assertError(t, macaroon.ErrResourcesMutuallyExclusive, (&Access{
-		OrgSlug: ptr("x"),
-		AppID:   ptr("x"),
-		Feature: ptr("x"),
+	assertError(t, resset.ErrResourcesMutuallyExclusive, (&Access{
+		DeprecatedOrgID: uptr(1),
+		DeprecatedAppID: uptr(1),
+		Feature:         ptr("x"),
 	}).Validate())
 	assertError(t, noError, (&Access{
-		OrgSlug: ptr("x"),
-		AppID:   ptr("x"),
+		DeprecatedOrgID: uptr(1),
+		DeprecatedAppID: uptr(1),
 	}).Validate())
 	assertError(t, noError, (&Access{
-		OrgSlug:         ptr("x"),
+		DeprecatedOrgID: uptr(1),
 		DeprecatedAppID: uptr(1),
 	}).Validate())
 	assertError(t, noError, (&Access{
-		OrgSlug: ptr("x"),
-		Feature: ptr("x"),
+		DeprecatedOrgID: uptr(1),
+		Feature:         ptr("x"),
 	}).Validate())
 	assertError(t, noError, (&Access{
-		OrgSlug: ptr("x"),
-		Cluster: ptr("x"),
+		DeprecatedOrgID: uptr(1),
+		Cluster:         ptr("x"),
+	}).Validate())
+
+	// can't specify encoded app id without numeric
+	assertError(t, resset.ErrResourceUnspecified, (&Access{
+		DeprecatedOrgID: uptr(1),
+		AppID:           ptr("x"),
 	}).Validate())
 
 	// can (should) specify numeric and encoded app id
 	assertError(t, noError, (&Access{
-		OrgSlug:         ptr("x"),
+		DeprecatedOrgID: uptr(1),
 		AppID:           ptr("x"),
 		DeprecatedAppID: uptr(1),
 	}).Validate())

diff --git a/go.mod b/go.mod
@@ -3,20 +3,17 @@ module github.com/superfly/macaroon
 go 1.20
 
 require (
-	github.com/alecthomas/assert/v2 v2.1.0
+	github.com/alecthomas/assert/v2 v2.3.0
 	github.com/google/uuid v1.3.0
-	github.com/stretchr/testify v1.8.4
 	github.com/vmihailenco/msgpack/v5 v5.3.5
 	golang.org/x/crypto v0.12.0
 	golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1
 )
 
 require (
-	github.com/alecthomas/repr v0.1.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/alecthomas/repr v0.2.0 // indirect
 	github.com/hexops/gotextdiff v1.0.3 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/stretchr/testify v1.8.4 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	golang.org/x/sys v0.11.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -1,10 +1,13 @@
 github.com/alecthomas/assert/v2 v2.1.0 h1:tbredtNcQnoSd3QBhQWI7QZ3XHOVkw1Moklp2ojoH/0=
 github.com/alecthomas/assert/v2 v2.1.0/go.mod h1:b/+1DI2Q6NckYi+3mXyH3wFb8qG37K/DuK80n7WefXA=
+github.com/alecthomas/assert/v2 v2.3.0 h1:mAsH2wmvjsuvyBvAmCtm7zFsBlb8mIHx5ySLVdDZXL0=
+github.com/alecthomas/assert/v2 v2.3.0/go.mod h1:pXcQ2Asjp247dahGEmsZ6ru0UVwnkhktn7S0bBDLxvQ=
 github.com/alecthomas/repr v0.1.0 h1:ENn2e1+J3k09gyj2shc0dHr/yjaWSHRlrJ4DPMevDqE=
 github.com/alecthomas/repr v0.1.0/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8=
+github.com/alecthomas/repr v0.2.0 h1:HAzS41CIzNW5syS8Mf9UwXhNH1J9aix/BvDRf1Ml2Yk=
+github.com/alecthomas/repr v0.2.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
@@ -25,8 +28,6 @@ golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 h1:MGwJjxBy0HJshjDNfLsYO8xpp
 golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
 golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=