zed backup redact: do not redact wildcards

wilcards were getting redacted, which then caused a backup to fail to be restored, because the relationship written was not a wildcard.
authzed · Jul 17, 2024 · 964958d · 964958d
1 parent 1ddf634
commit 964958d
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 4 deletions.
diff --git a/pkg/backupformat/redaction.go b/pkg/backupformat/redaction.go
@@ -308,8 +308,11 @@ func redactRelationship(rel *v1.Relationship, redactionMap *RedactionMap, opts R
 
 	// Redact the object IDs.
 	if opts.RedactObjectIDs {
+		redactionMap.ObjectIDs["*"] = "*" // wilcards are not redacted
 		if _, ok := redactionMap.ObjectIDs[redactedRel.Resource.ObjectId]; !ok {
-			redactionMap.ObjectIDs[redactedRel.Resource.ObjectId] = "obj" + strconv.Itoa(len(redactionMap.ObjectIDs))
+			if redactedRel.Resource.ObjectId != "*" {
+				redactionMap.ObjectIDs[redactedRel.Resource.ObjectId] = "obj" + strconv.Itoa(len(redactionMap.ObjectIDs))
+			}
 		}
 
 		redactedRel.Resource.ObjectId = redactionMap.ObjectIDs[redactedRel.Resource.ObjectId]

diff --git a/pkg/backupformat/redaction_test.go b/pkg/backupformat/redaction_test.go
@@ -266,7 +266,7 @@ func TestRedactBackup(t *testing.T) {
 	}
 
 	definition resource {
-		relation viewer: user
+		relation viewer: user | user:*
 		permission view = viewer
 	}`
 
@@ -323,6 +323,19 @@ func TestRedactBackup(t *testing.T) {
 				},
 			},
 		},
+		{
+			Resource: &v1.ObjectReference{
+				ObjectType: "resource",
+				ObjectId:   "resource3",
+			},
+			Relation: "viewer",
+			Subject: &v1.SubjectReference{
+				Object: &v1.ObjectReference{
+					ObjectType: "user",
+					ObjectId:   "*",
+				},
+			},
+		},
 	}
 
 	// Write some data.
@@ -367,7 +380,7 @@ func TestRedactBackup(t *testing.T) {
 	redactedDecoder, err := NewDecoder(bytes.NewReader(redactedBuf.Bytes()))
 	require.NoError(t, err)
 
-	require.Equal(t, "definition def0 {}\n\ndefinition def1 {\n\trelation rel3: def0\n}\n\ndefinition def2 {\n\trelation rel4: def0\n\tpermission rel5 = rel4\n}", redactedDecoder.Schema())
+	require.Equal(t, "definition def0 {}\n\ndefinition def1 {\n\trelation rel3: def0\n}\n\ndefinition def2 {\n\trelation rel4: def0 | def0:*\n\tpermission rel5 = rel4\n}", redactedDecoder.Schema())
 	require.Equal(t, decoder.ZedToken(), redactedDecoder.ZedToken())
 
 	for _, expected := range exampleRelationships {
@@ -379,7 +392,12 @@ func TestRedactBackup(t *testing.T) {
 		require.Equal(t, expected.Resource.ObjectId, redactionMap.ObjectIDs[rel.Resource.ObjectId])
 		require.Equal(t, expected.Relation, redactionMap.Relations[rel.Relation])
 		require.Equal(t, expected.Subject.Object.ObjectType, redactionMap.Definitions[rel.Subject.Object.ObjectType])
-		require.Equal(t, expected.Subject.Object.ObjectId, redactionMap.ObjectIDs[rel.Subject.Object.ObjectId])
+		if expected.Subject.Object.ObjectId == "*" {
+			require.Equal(t, "*", rel.Subject.Object.ObjectId)
+		} else {
+			require.Equal(t, expected.Subject.Object.ObjectId, redactionMap.ObjectIDs[rel.Subject.Object.ObjectId])
+		}
 		require.Equal(t, expected.Subject.OptionalRelation, redactionMap.Relations[rel.Subject.OptionalRelation])
+
 	}
 }