From 791e3baa4131495a2a5b5a3df22b5e5039a64447 Mon Sep 17 00:00:00 2001
From: Jonathan Marcantonio
Date: Fri, 14 Jun 2024 11:50:44 -0400
Subject: [PATCH] Validate LookupSubjectsRequest request body (#99)
* Validate LookupSubjectsRequest request body
Signed-off-by: Jonathan Marcantonio
* Validate ResourceType and ResourceId
Signed-off-by: Jonathan Marcantonio
* Validate relation
Signed-off-by: Jonathan Marcantonio
---------
Signed-off-by: Jonathan Marcantonio
---
 internal/biz/lookup.go | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/internal/biz/lookup.go b/internal/biz/lookup.go
index 0b85b05..ea4b050 100644
--- a/internal/biz/lookup.go
+++ b/internal/biz/lookup.go
@@ -37,6 +37,7 @@ func (s *GetSubjectsUsecase) Get(ctx context.Context, req *v0.LookupSubjectsRequ
 	}
 	if req.Resource == nil {
+		s.log.WithContext(ctx).Infof("Missing Resource in request %v", req)
 		return nil, nil, errors.BadRequest("Invalid request", "Object is required")
 	}
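Review bot: The added `Infof("Missing Resource in request %v", req)` writes the whole client-supplied request struct to the log at Info level for what is a client-side 400, so any caller can generate log volume at will, and if the request's string fields are attacker-controlled `%v` prints them raw (embedded newlines can forge log entries). Log the rejection without the body and at a level that does not compete with operational events: `s.log.WithContext(ctx).Debugf("LookupSubjects request rejected: resource is required")`. The new log text says "Resource" while the error returned on the next line still says "Object is required"; aligning the two wording-wise avoids confusing API users reading both. Get begins before this hunk and continues after it.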
@@ -44,8 +45,28 @@ func (s *GetSubjectsUsecase) Get(ctx context.Context, req *v0.LookupSubjectsRequ
 		subjectRelation = *req.SubjectRelation
 	}
+	if req.SubjectType == nil {
+		s.log.WithContext(ctx).Infof("Missing SubjectType in request %v", req)
+		return nil, nil, errors.BadRequest("Invalid request", "Subject type is required")
+	}
+
+	if req.Relation == "" {
+		s.log.WithContext(ctx).Infof("Missing relation in request %v", req)
+		return nil, nil, errors.BadRequest("Invalid request", "Relation is required")
+	}
+
+	if req.Resource.Type == nil {
+		s.log.WithContext(ctx).Infof("Missing Resource Type in request %v", req)
+		return nil, nil, errors.BadRequest("Invalid request", "Resource Type is required")
+	}
+
+	if req.Resource.Id == "" {
+		s.log.WithContext(ctx).Infof("Missing Resource Id in request %v", req)
+		return nil, nil, errors.BadRequest("Invalid request", "Resource Id is required")
+	}
+
 	subs, errs, err := s.repo.LookupSubjects(ctx, req.SubjectType, subjectRelation, req.Relation, &v0.ObjectReference{
-		Type: req.Resource.Type, //Need null check
+		Type: req.Resource.Type,
 		Id: req.Resource.Id,
 	}, limit, continuation)
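Review bot: The nil checks on `req.SubjectType` and `req.Resource.Type` stop at the pointer: whatever fields those types carry (presumably a namespace and a name, given how they feed `&v0.ObjectReference{...}`) reach `s.repo.LookupSubjects` unexamined, and `req.Relation` and `req.Resource.Id` are only tested for emptiness, not for length or character set. If the backend validates on its side this is only a consistency gap, but a zero-valued type getting through would surface as an opaque backend error instead of the 400 these checks are meant to produce, so I would extend the checks to the inner string fields and bound the lengths of the identifiers. The four `Infof("... %v", req)` lines also dump the full client request at Info level on a client error; a shared helper such as `func (s *GetSubjectsUsecase) reject(ctx context.Context, field string) error` that logs at Debug with only the field name and returns the `errors.BadRequest` would remove the repetition and keep request contents out of the logs. Get begins before this hunk and continues past `}, limit, continuation)`.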