From 59201560e63747c13fc44c70b84462803269c297 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?=
Date: Wed, 17 Jul 2024 13:29:22 +0100
Subject: [PATCH] zed backup redact: do not redact wildcards

wilcards were getting redacted, which then caused a backup to fail to be restored, because the relationship written was not a wildcard.
---
 pkg/backupformat/redaction.go | 6 +++++-
 pkg/backupformat/redaction_test.go | 24 +++++++++++++++++++++---
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/pkg/backupformat/redaction.go b/pkg/backupformat/redaction.go
index c3b875db..c89c03fb 100644
--- a/pkg/backupformat/redaction.go
+++ b/pkg/backupformat/redaction.go
@@ -12,6 +12,7 @@ import (
 "github.com/authzed/spicedb/pkg/schemadsl/generator"
 "github.com/authzed/spicedb/pkg/schemadsl/input"
 "github.com/authzed/spicedb/pkg/spiceerrors"
+"github.com/authzed/spicedb/pkg/tuple"
 )
 
 // RedactionOptions are the options to use when redacting data.
@@ -308,8 +309,11 @@ func redactRelationship(rel *v1.Relationship, redactionMap *RedactionMap, opts R
 
 // Redact the object IDs.
 if opts.RedactObjectIDs {
+redactionMap.ObjectIDs[tuple.PublicWildcard] = tuple.PublicWildcard // wilcards are not redacted
 if _, ok := redactionMap.ObjectIDs[redactedRel.Resource.ObjectId]; !ok {
-redactionMap.ObjectIDs[redactedRel.Resource.ObjectId] = "obj" + strconv.Itoa(len(redactionMap.ObjectIDs))
+if redactedRel.Resource.ObjectId != tuple.PublicWildcard {
+redactionMap.ObjectIDs[redactedRel.Resource.ObjectId] = "obj" + strconv.Itoa(len(redactionMap.ObjectIDs))
+}
 }
 
 redactedRel.Resource.ObjectId = redactionMap.ObjectIDs[redactedRel.Resource.ObjectId]
diff --git a/pkg/backupformat/redaction_test.go b/pkg/backupformat/redaction_test.go
index ec4b476e..2c0bad9a 100644
--- a/pkg/backupformat/redaction_test.go
+++ b/pkg/backupformat/redaction_test.go
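Review bot: The inner guard `if redactedRel.Resource.ObjectId != tuple.PublicWildcard` in the @@ -308 hunk of redactRelationship is unreachable for the wildcard, because the seed line added just above it puts `tuple.PublicWildcard` into `redactionMap.ObjectIDs`, so the existing `!ok` check already skips that key; the seed alone is sufficient and the extra condition can be dropped, which presumably is also what keeps the subject-side lookup further down the function (outside this hunk) from renaming `*`. The seed runs on every call and counts towards `len(redactionMap.ObjectIDs)`, so assuming the map starts empty, generated IDs now begin at obj1 rather than obj0; harmless for the tests here, but if the map is constructed in one place it would be cleaner to seed it there once. The comment has a typo and could state the reason the value is kept, e.g. `// the public wildcard is structural, not an identifier, so it maps to itself and is never redacted`. redactRelationship's body continues outside the hunk.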
@@ -7,6 +7,7 @@ import (
 "testing"
 
 v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
+"github.com/authzed/spicedb/pkg/tuple"
 "github.com/brianvoe/gofakeit/v6"
 "github.com/stretchr/testify/require"
 )
@@ -266,7 +267,7 @@ func TestRedactBackup(t *testing.T) {
 }
 
 definition resource {
-relation viewer: user
+relation viewer: user | user:*
 permission view = viewer
 }`
 
@@ -323,6 +324,19 @@ func TestRedactBackup(t *testing.T) {
 },
 },
 },
+{
+Resource: &v1.ObjectReference{
+ObjectType: "resource",
+ObjectId: "resource3",
+},
+Relation: "viewer",
+Subject: &v1.SubjectReference{
+Object: &v1.ObjectReference{
+ObjectType: "user",
+ObjectId: tuple.PublicWildcard,
+},
+},
+},
 }
 
 // Write some data.
@@ -367,7 +381,7 @@ func TestRedactBackup(t *testing.T) {
 redactedDecoder, err := NewDecoder(bytes.NewReader(redactedBuf.Bytes()))
 require.NoError(t, err)
 
-require.Equal(t, "definition def0 {}\n\ndefinition def1 {\n\trelation rel3: def0\n}\n\ndefinition def2 {\n\trelation rel4: def0\n\tpermission rel5 = rel4\n}", redactedDecoder.Schema())
+require.Equal(t, "definition def0 {}\n\ndefinition def1 {\n\trelation rel3: def0\n}\n\ndefinition def2 {\n\trelation rel4: def0 | def0:*\n\tpermission rel5 = rel4\n}", redactedDecoder.Schema())
 require.Equal(t, decoder.ZedToken(), redactedDecoder.ZedToken())
 
 for _, expected := range exampleRelationships {
@@ -379,7 +393,11 @@ func TestRedactBackup(t *testing.T) {
 require.Equal(t, expected.Resource.ObjectId, redactionMap.ObjectIDs[rel.Resource.ObjectId])
 require.Equal(t, expected.Relation, redactionMap.Relations[rel.Relation])
 require.Equal(t, expected.Subject.Object.ObjectType, redactionMap.Definitions[rel.Subject.Object.ObjectType])
-require.Equal(t, expected.Subject.Object.ObjectId, redactionMap.ObjectIDs[rel.Subject.Object.ObjectId])
+if expected.Subject.Object.ObjectId == tuple.PublicWildcard {
+require.Equal(t, tuple.PublicWildcard, rel.Subject.Object.ObjectId)
+} else {
+require.Equal(t, expected.Subject.Object.ObjectId, redactionMap.ObjectIDs[rel.Subject.Object.ObjectId])
+}
 require.Equal(t, expected.Subject.OptionalRelation, redactionMap.Relations[rel.Subject.OptionalRelation])
 }
 }
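Review bot: The new wildcard branch only exercises a wildcard on the subject side, so the resource-side guard added in redactRelationship (`if redactedRel.Resource.ObjectId != tuple.PublicWildcard`) has no test coverage; if a wildcard resource is reachable at all in this data model (I believe SpiceDB permits wildcards only on subjects), a second example relationship with `ObjectId: tuple.PublicWildcard` on the Resource would pin it, and if it is not reachable, that guard is purely defensive and the test is complete as written. The else branch looks the wildcard up by the redacted ID while the production code keys the map by the original ID, so the map under test is presumably the inverse mapping returned by the decoder; a short comment above the loop such as `// redactionMap here is keyed by redacted value and yields the original` would make that explicit. TestRedactBackup's body starts outside the hunk.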