From 964958d1167573d3a8f488dc3aaea46a9ed9b61b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?= Date: Wed, 17 Jul 2024 13:29:22 +0100 Subject: [PATCH] zed backup redact: do not redact wildcards wilcards were getting redacted, which then caused a backup to fail to be restored, because the relationship written was not a wildcard. --- pkg/backupformat/redaction.go | 5 ++++- pkg/backupformat/redaction_test.go | 24 +++++++++++++++++++++--- 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/pkg/backupformat/redaction.go b/pkg/backupformat/redaction.go index c3b875db..d123d5c9 100644 --- a/pkg/backupformat/redaction.go +++ b/pkg/backupformat/redaction.go @@ -308,8 +308,11 @@ func redactRelationship(rel *v1.Relationship, redactionMap *RedactionMap, opts R // Redact the object IDs. if opts.RedactObjectIDs { + redactionMap.ObjectIDs["*"] = "*" // wilcards are not redacted if _, ok := redactionMap.ObjectIDs[redactedRel.Resource.ObjectId]; !ok { - redactionMap.ObjectIDs[redactedRel.Resource.ObjectId] = "obj" + strconv.Itoa(len(redactionMap.ObjectIDs)) + if redactedRel.Resource.ObjectId != "*" { + redactionMap.ObjectIDs[redactedRel.Resource.ObjectId] = "obj" + strconv.Itoa(len(redactionMap.ObjectIDs)) + } } redactedRel.Resource.ObjectId = redactionMap.ObjectIDs[redactedRel.Resource.ObjectId] diff --git a/pkg/backupformat/redaction_test.go b/pkg/backupformat/redaction_test.go index ec4b476e..01c509b1 100644 --- a/pkg/backupformat/redaction_test.go +++ b/pkg/backupformat/redaction_test.go @@ -266,7 +266,7 @@ func TestRedactBackup(t *testing.T) { } definition resource { - relation viewer: user + relation viewer: user | user:* permission view = viewer }` 
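Review bot: In redactRelationship (pkg/backupformat/redaction.go) the added inner guard `if redactedRel.Resource.ObjectId != "*"` is unreachable for a wildcard, because the seed line above it puts "*" into redactionMap.ObjectIDs and the `!ok` lookup therefore already succeeds. The seed entry is what actually preserves the wildcard, presumably also for the subject ID handled below the hunk, which is not visible here. I would drop the guard and document the seed instead, e.g. `redactionMap.ObjectIDs["*"] = "*" // "*" is the wildcard token, not an identifier; keep it literal so a redacted backup still restores`. The seed is also counted by `len(redactionMap.ObjectIDs)`, so if the map starts empty the first generated name becomes obj1 rather than obj0, and the identity entry will appear wherever the redaction map is printed or inverted. The function body starts and ends outside the hunk.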
@@ -323,6 +323,19 @@ func TestRedactBackup(t *testing.T) { }, }, }, + { + Resource: &v1.ObjectReference{ + ObjectType: "resource", + ObjectId: "resource3", + }, + Relation: "viewer", + Subject: &v1.SubjectReference{ + Object: &v1.ObjectReference{ + ObjectType: "user", + ObjectId: "*", + }, + }, + }, } // Write some data. @@ -367,7 +380,7 @@ func TestRedactBackup(t *testing.T) { redactedDecoder, err := NewDecoder(bytes.NewReader(redactedBuf.Bytes())) require.NoError(t, err) - require.Equal(t, "definition def0 {}\n\ndefinition def1 {\n\trelation rel3: def0\n}\n\ndefinition def2 {\n\trelation rel4: def0\n\tpermission rel5 = rel4\n}", redactedDecoder.Schema()) + require.Equal(t, "definition def0 {}\n\ndefinition def1 {\n\trelation rel3: def0\n}\n\ndefinition def2 {\n\trelation rel4: def0 | def0:*\n\tpermission rel5 = rel4\n}", redactedDecoder.Schema()) require.Equal(t, decoder.ZedToken(), redactedDecoder.ZedToken()) for _, expected := range exampleRelationships { @@ -379,7 +392,12 @@ func TestRedactBackup(t *testing.T) { require.Equal(t, expected.Resource.ObjectId, redactionMap.ObjectIDs[rel.Resource.ObjectId]) require.Equal(t, expected.Relation, redactionMap.Relations[rel.Relation]) require.Equal(t, expected.Subject.Object.ObjectType, redactionMap.Definitions[rel.Subject.Object.ObjectType]) - require.Equal(t, expected.Subject.Object.ObjectId, redactionMap.ObjectIDs[rel.Subject.Object.ObjectId]) + if expected.Subject.Object.ObjectId == "*" { + require.Equal(t, "*", rel.Subject.Object.ObjectId) + } else { + require.Equal(t, expected.Subject.Object.ObjectId, redactionMap.ObjectIDs[rel.Subject.Object.ObjectId]) + } require.Equal(t, expected.Subject.OptionalRelation, redactionMap.Relations[rel.Subject.OptionalRelation]) + } }
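Review bot: In the last hunk of TestRedactBackup, the else branch of the new subject check only proves that the map round-trips, so an object ID that passed through unredacted under an identity entry (the shape this commit introduces for "*") would not fail the test. Adding `require.NotEqual(t, expected.Subject.Object.ObjectId, rel.Subject.Object.ObjectId)` in the else branch, and the equivalent for the resource ID a few lines up, would pin that only the wildcard is exempt from redaction. What appears to be a blank line added before the loop's closing brace can be dropped. The loop and the test function start outside the hunk.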