diff --git a/cmd/warrant/main.go b/cmd/warrant/main.go index 346c5b0a..9e38d008 100644 --- a/cmd/warrant/main.go +++ b/cmd/warrant/main.go @@ -232,7 +232,7 @@ func main() { warrantSvc := warrant.NewService(svcEnv, warrantRepository, eventSvc, objectTypeSvc, objectSvc) // Init check service - checkSvc := check.NewService(svcEnv, warrantRepository, eventSvc, objectTypeSvc, cfg.Check, nil) + checkSvc := check.NewService(svcEnv, warrantSvc, eventSvc, objectTypeSvc, cfg.Check, nil) // Init query service querySvc := query.NewService(svcEnv, objectTypeSvc, warrantSvc, objectSvc) diff --git a/pkg/authz/check/service.go b/pkg/authz/check/service.go index c22970eb..a1d61e93 100644 --- a/pkg/authz/check/service.go +++ b/pkg/authz/check/service.go @@ -29,11 +29,15 @@ import ( "github.com/warrant-dev/warrant/pkg/wookie" ) +const ( + MaxWarrants = 5000 +) + type CheckContextFunc func(ctx context.Context) (context.Context, error) type CheckService struct { service.BaseService - WarrantRepository warrant.WarrantRepository + warrantSvc warrant.Service EventSvc event.Service ObjectTypeSvc objecttype.Service CheckConfig *config.CheckConfig @@ -48,10 +52,10 @@ func defaultCreateCheckContext(ctx context.Context) (context.Context, error) { return checkCtx, nil } -func NewService(env service.Env, warrantRepo warrant.WarrantRepository, eventSvc event.Service, objectTypeSvc objecttype.Service, checkConfig *config.CheckConfig, checkContext CheckContextFunc) *CheckService { +func NewService(env service.Env, warrantSvc warrant.Service, eventSvc event.Service, objectTypeSvc objecttype.Service, checkConfig *config.CheckConfig, checkContext CheckContextFunc) *CheckService { svc := &CheckService{ BaseService: service.NewBaseService(env), - WarrantRepository: warrantRepo, + warrantSvc: warrantSvc, EventSvc: eventSvc, ObjectTypeSvc: objectTypeSvc, CheckConfig: checkConfig, 
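Review bot: The exported constant `MaxWarrants` added in the `const` block of pkg/authz/check/service.go has no doc comment, and nothing in the hunk states what a check does when more than 5000 warrants match. I would add `// MaxWarrants caps how many warrants one check lookup requests from warrantSvc.List; matches beyond the cap are not evaluated.` above it. The same hunk makes the store field unexported (`warrantSvc`) while `EventSvc` and `ObjectTypeSvc` stay exported, so a one-line comment on the struct saying whether that asymmetry is intended would help.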
@@ -69,22 +73,35 @@ func (svc CheckService) getWithPolicyMatch(ctx context.Context, checkPipeline *p checkPipeline.AcquireServiceLock() defer checkPipeline.ReleaseServiceLock() - warrants, err := svc.WarrantRepository.GetAllMatchingObjectRelationAndSubject(ctx, spec.ObjectType, spec.ObjectId, spec.Relation, spec.Subject.ObjectType, spec.Subject.ObjectId, spec.Subject.Relation) - if err != nil || len(warrants) == 0 { + listParams := service.DefaultListParams(warrant.WarrantListParamParser{}) + listParams.Limit = MaxWarrants + warrantSpecs, err := svc.warrantSvc.List( + ctx, + &warrant.FilterParams{ + ObjectType: []string{spec.ObjectType}, + ObjectId: []string{spec.ObjectId}, + Relation: []string{spec.Relation}, + SubjectType: []string{spec.Subject.ObjectType}, + SubjectId: []string{spec.Subject.ObjectId}, + SubjectRelation: []string{spec.Subject.Relation}, + }, + listParams, + ) + if err != nil || len(warrantSpecs) == 0 { return nil, err } // if a warrant without a policy is found, match it - for _, warrant := range warrants { - if warrant.GetPolicy() == "" { - return warrant.ToWarrantSpec(), nil + for _, warrant := range warrantSpecs { + if warrant.Policy == "" { + return &warrant, nil } } - for _, warrant := range warrants { - if warrant.GetPolicy() != "" { + for _, warrant := range warrantSpecs { + if warrant.Policy != "" { if policyMatched := evalWarrantPolicy(warrant, spec.Context); policyMatched { - return warrant.ToWarrantSpec(), nil + return &warrant, nil } } } 
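Review bot: The `FilterParams` built in getWithPolicyMatch sets `ObjectId: []string{spec.ObjectId}` only, whereas the removed `GetAllMatchingObjectRelationAndSubject` queries matched the given object id or the wildcard (`Wildcard` / `'*'`). The `List` implementation is not part of this diff, so unless it adds the wildcard itself, warrants granted on every object of a type would stop matching and checks that used to pass would be denied. If it does not, and assuming multiple values are OR-ed, the filter line should read `ObjectId: []string{spec.ObjectId, warrant.Wildcard},`. The same applies to the lookups in getMatchingSubjects and getMatchingSubjectsBySubjectType, and a test with a wildcard warrant would pin the behaviour either way. The function starts outside the hunk.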
@@ -106,31 +123,33 @@ func (svc CheckService) getMatchingSubjects(ctx context.Context, checkPipeline * return warrantSpecs, nil } - warrants, err := svc.WarrantRepository.GetAllMatchingObjectAndRelation( + listParams := service.DefaultListParams(warrant.WarrantListParamParser{}) + listParams.Limit = MaxWarrants + warrantSpecs, err = svc.warrantSvc.List( ctx, - objectType, - objectId, - relation, + &warrant.FilterParams{ + ObjectType: []string{objectType}, + ObjectId: []string{objectId}, + Relation: []string{relation}, + }, + listParams, ) if err != nil { return warrantSpecs, err } - for _, warrant := range warrants { - if warrant.GetPolicy() == "" { - warrantSpecs = append(warrantSpecs, *warrant.ToWarrantSpec()) + matchingSpecs := make([]warrant.WarrantSpec, 0) + for _, warrant := range warrantSpecs { + if warrant.Policy == "" { + matchingSpecs = append(matchingSpecs, warrant) } else { if policyMatched := evalWarrantPolicy(warrant, checkCtx); policyMatched { - warrantSpecs = append(warrantSpecs, *warrant.ToWarrantSpec()) + matchingSpecs = append(matchingSpecs, warrant) } } } - if err != nil { - return warrantSpecs, err - } - - return warrantSpecs, nil + return matchingSpecs, nil } func (svc CheckService) getMatchingSubjectsBySubjectType(ctx context.Context, checkPipeline *pipeline, objectType string, 
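Review bot: In getMatchingSubjects the lookup is now capped by `listParams.Limit = MaxWarrants`, but a result that fills the cap is treated as complete, so an authorization decision can rest on a partial warrant set with no trace of it. The removed query also had an explicit `ORDER BY createdAt DESC, id DESC`; with a limit in place, which rows are cut depends on the defaults from `service.DefaultListParams`, which this diff does not show. I would record the condition after the error check with the logger evalWarrantPolicy already uses: `if len(warrantSpecs) == MaxWarrants { log.Warn().Msg("check: warrant lookup reached MaxWarrants, result may be incomplete") }`. The same applies to getWithPolicyMatch and getMatchingSubjectsBySubjectType. The function starts outside the hunk.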
@@ -148,32 +167,34 @@ func (svc CheckService) getMatchingSubjectsBySubjectType(ctx context.Context, ch return warrantSpecs, nil } - warrants, err := svc.WarrantRepository.GetAllMatchingObjectAndRelationBySubjectType( + listParams := service.DefaultListParams(warrant.WarrantListParamParser{}) + listParams.Limit = MaxWarrants + warrantSpecs, err = svc.warrantSvc.List( ctx, - objectType, - objectId, - relation, - subjectType, + &warrant.FilterParams{ + ObjectType: []string{objectType}, + ObjectId: []string{objectId}, + Relation: []string{relation}, + SubjectType: []string{subjectType}, + }, + listParams, ) if err != nil { return warrantSpecs, err } - for _, warrant := range warrants { - if warrant.GetPolicy() == "" { - warrantSpecs = append(warrantSpecs, *warrant.ToWarrantSpec()) + matchingSpecs := make([]warrant.WarrantSpec, 0) + for _, warrant := range warrantSpecs { + if warrant.Policy == "" { + matchingSpecs = append(matchingSpecs, warrant) } else { if policyMatched := evalWarrantPolicy(warrant, checkCtx); policyMatched { - warrantSpecs = append(warrantSpecs, *warrant.ToWarrantSpec()) + matchingSpecs = append(matchingSpecs, warrant) } } } - if err != nil { - return warrantSpecs, err - } - - return warrantSpecs, nil + return matchingSpecs, nil } func (svc CheckService) CheckMany(ctx context.Context, authInfo *service.AuthInfo, warrantCheck *CheckManySpec) (*CheckResultSpec, error) { 
@@ -713,16 +734,16 @@ func (p *pipeline) execTasks(ctx context.Context, parentResultC chan<- result, t } } -func evalWarrantPolicy(w warrant.Model, policyCtx warrant.PolicyContext) bool { +func evalWarrantPolicy(w warrant.WarrantSpec, policyCtx warrant.PolicyContext) bool { policyCtxWithWarrant := make(warrant.PolicyContext) for k, v := range policyCtx { policyCtxWithWarrant[k] = v } policyCtxWithWarrant["warrant"] = w - policyMatched, err := w.GetPolicy().Eval(policyCtxWithWarrant) + policyMatched, err := w.Policy.Eval(policyCtxWithWarrant) if err != nil { - log.Err(err).Msgf("check: error while evaluating policy %s", w.GetPolicy()) + log.Err(err).Msgf("check: error while evaluating policy %s", w.Policy) return false } diff --git a/pkg/authz/warrant/mysql.go b/pkg/authz/warrant/mysql.go index ee26d159..10960a69 100644 --- a/pkg/authz/warrant/mysql.go +++ b/pkg/authz/warrant/mysql.go 
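Review bot: `policyCtxWithWarrant["warrant"] = w` in evalWarrantPolicy now binds a `warrant.WarrantSpec` value where it used to bind a `warrant.Model`, so the shape that policies see under the `warrant` name may have changed. Neither type is defined in this diff; if stored policies refer to that binding, an expression that no longer resolves would take the `err != nil` path and the warrant would be treated as non-matching. A test that evaluates an existing policy referring to `warrant` would confirm the behaviour. Separately, the policy is stored data rather than a fixed string, so I would quote it in the log line: `log.Err(err).Msgf("check: error while evaluating policy %q", w.Policy)`. The function continues past the end of the hunk.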
@@ -120,72 +120,6 @@ func (repo MySQLRepository) Delete(ctx context.Context, objectType string, objec return nil } -func (repo MySQLRepository) GetAllMatchingObject(ctx context.Context, objectType string, objectId string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, objectType, objectId, relation, subjectType, subjectId, subjectRelation, policy, createdAt, updatedAt, deletedAt - FROM warrant - WHERE - objectType = ? AND - objectId = ? AND - deletedAt IS NULL - `, - objectType, - objectId, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return models, errors.Wrapf(err, "error deleting warrants with object %s:%s", objectType, objectId) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -} - -func (repo MySQLRepository) GetAllMatchingSubject(ctx context.Context, subjectType string, subjectId string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, objectType, objectId, relation, subjectType, subjectId, subjectRelation, policy, createdAt, updatedAt, deletedAt - FROM warrant - WHERE - subjectType = ? AND - subjectId = ? AND - deletedAt IS NULL - `, - subjectType, - subjectId, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return models, errors.Wrapf(err, "error deleting warrants with subject %s:%s", subjectType, subjectId) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -} - func (repo MySQLRepository) Get(ctx context.Context, objectType string, objectId string, relation string, subjectType string, subjectId string, subjectRelation string, policyHash string) (Model, error) { var warrant Warrant err := repo.DB.GetContext( 
@@ -458,121 +392,3 @@ func (repo MySQLRepository) List(ctx context.Context, filterParams *FilterParams return models, nil } - -func (repo MySQLRepository) GetAllMatchingObjectRelationAndSubject(ctx context.Context, objectType string, objectId string, relation string, subjectType string, subjectId string, subjectRelation string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, objectType, objectId, relation, subjectType, subjectId, subjectRelation, policy, createdAt, updatedAt, deletedAt - FROM warrant - WHERE - objectType = ? AND - (objectId = ? OR objectId = ?) AND - relation = ? AND - subjectType = ? AND - subjectId = ? AND - subjectRelation = ? AND - deletedAt IS NULL - `, - objectType, - objectId, - Wildcard, - relation, - subjectType, - subjectId, - subjectRelation, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return nil, errors.Wrapf(err, "error getting warrants with object type %s, object id %s, relation %s, subject type %s, subject id %s, and subject relation %s", objectType, objectId, relation, subjectType, subjectId, subjectRelation) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -} - -func (repo MySQLRepository) GetAllMatchingObjectAndRelation(ctx context.Context, objectType string, objectId string, relation string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, objectType, objectId, relation, subjectType, subjectId, subjectRelation, policy, createdAt, updatedAt, deletedAt - FROM warrant - WHERE - objectType = ? AND - (objectId = ? OR objectId = ?) AND - relation = ? 
AND - deletedAt IS NULL - ORDER BY createdAt DESC, id DESC - `, - objectType, - objectId, - Wildcard, - relation, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return nil, errors.Wrapf(err, "error getting warrants with object type %s, object id %s, and relation %s", objectType, objectId, relation) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -} - -func (repo MySQLRepository) GetAllMatchingObjectAndRelationBySubjectType(ctx context.Context, objectType string, objectId string, relation string, subjectType string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, objectType, objectId, relation, subjectType, subjectId, subjectRelation, policy, createdAt, updatedAt, deletedAt - FROM warrant - WHERE - objectType = ? AND - (objectId = ? OR objectId = ?) AND - relation = ? AND - subjectType = ? AND - deletedAt IS NULL - ORDER BY createdAt DESC, id DESC - `, - objectType, - objectId, - Wildcard, - relation, - subjectType, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return nil, errors.Wrapf(err, "error getting warrants with object type %s, object id %s, and relation %s", objectType, objectId, relation) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -} diff --git a/pkg/authz/warrant/postgres.go b/pkg/authz/warrant/postgres.go index c9cea0f8..74d2b088 100644 --- a/pkg/authz/warrant/postgres.go +++ b/pkg/authz/warrant/postgres.go 
@@ -121,72 +121,6 @@ func (repo PostgresRepository) Delete(ctx context.Context, objectType string, ob return nil } -func (repo PostgresRepository) GetAllMatchingObject(ctx context.Context, objectType string, objectId string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, object_type, object_id, relation, subject_type, subject_id, subject_relation, policy, created_at, updated_at, deleted_at - FROM warrant - WHERE - object_type = ? AND - object_id = ? AND - deleted_at IS NULL - `, - objectType, - objectId, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return models, errors.Wrapf(err, "error deleting warrants with object %s:%s", objectType, objectId) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -} - -func (repo PostgresRepository) GetAllMatchingSubject(ctx context.Context, subjectType string, subjectId string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, object_type, object_id, relation, subject_type, subject_id, subject_relation, policy, created_at, updated_at, deleted_at - FROM warrant - WHERE - subject_type = ? AND - subject_id = ? AND - deleted_at IS NULL - `, - subjectType, - subjectId, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return models, errors.Wrapf(err, "error deleting warrants with subject %s:%s", subjectType, subjectId) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -} - func (repo PostgresRepository) Get(ctx context.Context, objectType string, objectId string, relation string, subjectType string, subjectId string, subjectRelation string, policyHash string) (Model, error) { var warrant Warrant err := repo.DB.GetContext( 
@@ -467,118 +401,3 @@ func (repo PostgresRepository) List(ctx context.Context, filterParams *FilterPar return models, nil } - -func (repo PostgresRepository) GetAllMatchingObjectRelationAndSubject(ctx context.Context, objectType string, objectId string, relation string, subjectType string, subjectId string, subjectRelation string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, object_type, object_id, relation, subject_type, subject_id, subject_relation, policy, created_at, updated_at, deleted_at - FROM warrant - WHERE - object_type = ? AND - (object_id = ? OR object_id = '*') AND - relation = ? AND - subject_type = ? AND - subject_id = ? AND - subject_relation = ? AND - deleted_at IS NULL - `, - objectType, - objectId, - relation, - subjectType, - subjectId, - subjectRelation, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return nil, errors.Wrapf(err, "error getting warrants with object type %s, object id %s, relation %s, subject type %s, subject id %s, and subject relation %s", objectType, objectId, relation, subjectType, subjectId, subjectRelation) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -} - -func (repo PostgresRepository) GetAllMatchingObjectAndRelation(ctx context.Context, objectType string, objectId string, relation string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, object_type, object_id, relation, subject_type, subject_id, subject_relation, policy, created_at, updated_at, deleted_at - FROM warrant - WHERE - object_type = ? AND - (object_id = ? OR object_id = '*') AND - relation = ? 
AND - deleted_at IS NULL - ORDER BY created_at DESC, id DESC - `, - objectType, - objectId, - relation, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return nil, errors.Wrapf(err, "error getting warrants with object type %s, object id %s, and relation %s", objectType, objectId, relation) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -} - -func (repo PostgresRepository) GetAllMatchingObjectAndRelationBySubjectType(ctx context.Context, objectType string, objectId string, relation string, subjectType string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, object_type, object_id, relation, subject_type, subject_id, subject_relation, policy, created_at, updated_at, deleted_at - FROM warrant - WHERE - object_type = ? AND - (object_id = ? OR object_id = '*') AND - relation = ? AND - subject_type = ? AND - deleted_at IS NULL - ORDER BY created_at DESC, id DESC - `, - objectType, - objectId, - relation, - subjectType, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return nil, errors.Wrapf(err, "error getting warrants with object type %s, object id %s, and relation %s", objectType, objectId, relation) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -} diff --git a/pkg/authz/warrant/repository.go b/pkg/authz/warrant/repository.go index 9541b282..60411afc 100644 --- a/pkg/authz/warrant/repository.go +++ b/pkg/authz/warrant/repository.go 
@@ -28,9 +28,6 @@ type WarrantRepository interface { Create(ctx context.Context, warrant Model) (int64, error) Get(ctx context.Context, objectType string, objectId string, relation string, subjectType string, subjectId string, subjectRelation string, policyHash string) (Model, error) GetByID(ctx context.Context, id int64) (Model, error) - GetAllMatchingObjectRelationAndSubject(ctx context.Context, objectType string, objectId string, relation string, subjectType string, subjectId string, subjectRelation string) ([]Model, error) - GetAllMatchingObjectAndRelation(ctx context.Context, objectType string, objectId string, relation string) ([]Model, error) - GetAllMatchingObjectAndRelationBySubjectType(ctx context.Context, objectType string, objectId string, relation string, subjectType string) ([]Model, error) List(ctx context.Context, filterParams *FilterParams, listParams service.ListParams) ([]Model, error) Delete(ctx context.Context, objectType string, objectId string, relation string, subjectType string, subjectId string, subjectRelation string, policyHash string) error } diff --git a/pkg/authz/warrant/sqlite.go b/pkg/authz/warrant/sqlite.go index cc693145..e8b34d33 100644 --- a/pkg/authz/warrant/sqlite.go +++ b/pkg/authz/warrant/sqlite.go 
@@ -129,72 +129,6 @@ func (repo SQLiteRepository) Delete(ctx context.Context, objectType string, obje return nil } -func (repo SQLiteRepository) GetAllMatchingObject(ctx context.Context, objectType string, objectId string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, objectType, objectId, relation, subjectType, subjectId, subjectRelation, policy, createdAt, updatedAt, deletedAt - FROM warrant - WHERE - objectType = ? AND - objectId = ? AND - deletedAt IS NULL - `, - objectType, - objectId, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return models, errors.Wrapf(err, "error deleting warrants with object %s:%s", objectType, objectId) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -} - -func (repo SQLiteRepository) GetAllMatchingSubject(ctx context.Context, subjectType string, subjectId string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, objectType, objectId, relation, subjectType, subjectId, subjectRelation, policy, createdAt, updatedAt, deletedAt - FROM warrant - WHERE - subjectType = ? AND - subjectId = ? AND - deletedAt IS NULL - `, - subjectType, - subjectId, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return models, errors.Wrapf(err, "error deleting warrants with subject %s:%s", subjectType, subjectId) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -} - func (repo SQLiteRepository) Get(ctx context.Context, objectType string, objectId string, relation string, subjectType string, subjectId string, subjectRelation string, policyHash string) (Model, error) { var warrant Warrant err := repo.DB.GetContext( 
@@ -467,118 +401,3 @@ func (repo SQLiteRepository) List(ctx context.Context, filterParams *FilterParam return models, nil } - -func (repo SQLiteRepository) GetAllMatchingObjectRelationAndSubject(ctx context.Context, objectType string, objectId string, relation string, subjectType string, subjectId string, subjectRelation string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, objectType, objectId, relation, subjectType, subjectId, subjectRelation, policy, createdAt, updatedAt, deletedAt - FROM warrant - WHERE - objectType = ? AND - (objectId = ? OR objectId = "*") AND - relation = ? AND - subjectType = ? AND - subjectId = ? AND - subjectRelation = ? AND - deletedAt IS NULL - `, - objectType, - objectId, - relation, - subjectType, - subjectId, - subjectRelation, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return nil, errors.Wrapf(err, "error getting warrants with object type %s, object id %s, relation %s, subject type %s, subject id %s, and subject relation %s", objectType, objectId, relation, subjectType, subjectId, subjectRelation) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -} - -func (repo SQLiteRepository) GetAllMatchingObjectAndRelation(ctx context.Context, objectType string, objectId string, relation string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, objectType, objectId, relation, subjectType, subjectId, subjectRelation, policy, createdAt, updatedAt, deletedAt - FROM warrant - WHERE - objectType = ? AND - (objectId = ? OR objectId = "*") AND - relation = ? 
AND - deletedAt IS NULL - ORDER BY createdAt DESC, id DESC - `, - objectType, - objectId, - relation, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return nil, errors.Wrapf(err, "error getting warrants with object type %s, object id %s, and relation %s", objectType, objectId, relation) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -} - -func (repo SQLiteRepository) GetAllMatchingObjectAndRelationBySubjectType(ctx context.Context, objectType string, objectId string, relation string, subjectType string) ([]Model, error) { - models := make([]Model, 0) - warrants := make([]Warrant, 0) - err := repo.DB.SelectContext( - ctx, - &warrants, - ` - SELECT id, objectType, objectId, relation, subjectType, subjectId, subjectRelation, policy, createdAt, updatedAt, deletedAt - FROM warrant - WHERE - objectType = ? AND - (objectId = ? OR objectId = "*") AND - relation = ? AND - subjectType = ? AND - deletedAt IS NULL - ORDER BY createdAt DESC, id DESC - `, - objectType, - objectId, - relation, - subjectType, - ) - if err != nil { - switch err { - case sql.ErrNoRows: - return models, nil - default: - return nil, errors.Wrapf(err, "error getting warrants with object type %s, object id %s, and relation %s", objectType, objectId, relation) - } - } - - for i := range warrants { - models = append(models, &warrants[i]) - } - - return models, nil -}