Merge pull request #1940 from josephschorr/schema-prefix-rewrite-caveat

Ensure the object type prefix is used for caveat refs as well
authzed · Jun 15, 2024 · ebe0417 · ebe0417
2 parents 819f424 + c670d53
commit ebe0417
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 7 deletions.
diff --git a/pkg/schemadsl/compiler/compiler_test.go b/pkg/schemadsl/compiler/compiler_test.go
@@ -154,15 +154,22 @@ func TestCompile(t *testing.T) {
 		{
 			"relation with required caveat",
 			withTenantPrefix,
-			`definition simple {
+			`
+			caveat somecaveat(someparam int) { someparam == 42}
+			definition simple {
 				relation viewer: user with somecaveat
 			}`,
 			"",
 			[]SchemaDefinition{
+				namespace.MustCaveatDefinition(caveats.MustEnvForVariables(
+					map[string]caveattypes.VariableType{
+						"someparam": caveattypes.IntType,
+					},
+				), "sometenant/somecaveat", "someparam == 42"),
 				namespace.Namespace("sometenant/simple",
 					namespace.MustRelation("viewer", nil,
 						namespace.AllowedRelationWithCaveat("sometenant/user", "...",
-							namespace.AllowedCaveat("somecaveat")),
+							namespace.AllowedCaveat("sometenant/somecaveat")),
 					),
 				),
 			},
@@ -178,7 +185,7 @@ func TestCompile(t *testing.T) {
 				namespace.Namespace("sometenant/simple",
 					namespace.MustRelation("viewer", nil,
 						namespace.AllowedRelationWithCaveat("sometenant/user", "...",
-							namespace.AllowedCaveat("somecaveat")),
+							namespace.AllowedCaveat("sometenant/somecaveat")),
 						namespace.AllowedRelation("sometenant/user", "..."),
 					),
 				),
@@ -195,10 +202,10 @@ func TestCompile(t *testing.T) {
 				namespace.Namespace("sometenant/simple",
 					namespace.MustRelation("viewer", nil,
 						namespace.AllowedRelationWithCaveat("sometenant/user", "...",
-							namespace.AllowedCaveat("somecaveat")),
+							namespace.AllowedCaveat("sometenant/somecaveat")),
 						namespace.AllowedRelation("sometenant/user", "..."),
 						namespace.AllowedRelationWithCaveat("sometenant/team", "member",
-							namespace.AllowedCaveat("anothercaveat")),
+							namespace.AllowedCaveat("sometenant/anothercaveat")),
 					),
 				),
 			},

diff --git a/pkg/schemadsl/compiler/translator.go b/pkg/schemadsl/compiler/translator.go
@@ -630,7 +630,7 @@ func translateSpecificTypeReference(tctx translationContext, typeRefNode *dslNod
 	return ref, nil
 }
 
-func addWithCaveats(_ translationContext, typeRefNode *dslNode, ref *core.AllowedRelation) error {
+func addWithCaveats(tctx translationContext, typeRefNode *dslNode, ref *core.AllowedRelation) error {
 	caveats := typeRefNode.List(dslshape.NodeSpecificReferencePredicateCaveat)
 	if len(caveats) == 0 {
 		return nil
@@ -645,8 +645,13 @@ func addWithCaveats(_ translationContext, typeRefNode *dslNode, ref *core.Allowe
 		return err
 	}
 
+	nspath, err := tctx.prefixedPath(name)
+	if err != nil {
+		return err
+	}
+
 	ref.RequiredCaveat = &core.AllowedCaveat{
-		CaveatName: name,
+		CaveatName: nspath,
 	}
 	return nil
 }