move verb export check to before req body validation
mistermoe committed Oct 3, 2024
1 parent dcd3dc7 commit 3420663
Showing 1 changed file with 17 additions and 16 deletions.
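--- a/backend/controller/controller.go
+++ b/backend/controller/controller.go
@@ -1012,34 +1012,35 @@ func (s *Service) callWithRequest(
 return nil, err
 }
 
-err := ingress.ValidateCallBody(req.Msg.Body, verb, sch)
+callers, err := headers.GetCallers(req.Header())
 if err != nil {
-observability.Calls.Request(ctx, req.Msg.Verb, start, optional.Some("invalid request: invalid call body"))
+observability.Calls.Request(ctx, req.Msg.Verb, start, optional.Some("failed to get callers"))
 return nil, err
 }
 
+var currentCaller *schema.Ref
+if len(callers) > 0 {
+currentCaller = callers[len(callers)-1]
+}
+
 module := verbRef.Module
-route, ok := sstate.routes[module]
-if !ok {
-observability.Calls.Request(ctx, req.Msg.Verb, start, optional.Some("no routes for module"))
-return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("no routes for module %q", module))
+if currentCaller.Module != module && !verb.IsExported() {
+observability.Calls.Request(ctx, req.Msg.Verb, start, optional.Some("invalid request: verb not exported"))
+return nil, connect.NewError(connect.CodePermissionDenied, fmt.Errorf("verb %q is not exported", verbRef))
 }
-client := s.clientsForEndpoint(route.Endpoint)
 
-callers, err := headers.GetCallers(req.Header())
+err = ingress.ValidateCallBody(req.Msg.Body, verb, sch)
 if err != nil {
-observability.Calls.Request(ctx, req.Msg.Verb, start, optional.Some("failed to get callers"))
+observability.Calls.Request(ctx, req.Msg.Verb, start, optional.Some("invalid request: invalid call body"))
 return nil, err
 }
 
-if !verb.IsExported() {
-for _, caller := range callers {
-if caller.Module != module {
-observability.Calls.Request(ctx, req.Msg.Verb, start, optional.Some("invalid request: verb not exported"))
-return nil, connect.NewError(connect.CodePermissionDenied, fmt.Errorf("verb %q is not exported", verbRef))
-}
-}
+route, ok := sstate.routes[module]
+if !ok {
+observability.Calls.Request(ctx, req.Msg.Verb, start, optional.Some("no routes for module"))
+return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("no routes for module %q", module))
 }
+client := s.clientsForEndpoint(route.Endpoint)
 
 var requestKey model.RequestKey
 isNewRequestKey := false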
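Review bot: `currentCaller` stays nil when `headers.GetCallers` returns an empty slice, and the new condition `currentCaller.Module != module && !verb.IsExported()` dereferences it before anything else, so a request that carries no caller headers would panic here instead of getting an error (the removed loop simply did nothing for an empty list). Decide explicitly what a caller-less request may do and guard the pointer, e.g. `if !verb.IsExported() && (currentCaller == nil || currentCaller.Module != module) {` to deny by default. The check also now looks only at the last caller, where the old loop rejected any caller from another module; if that narrowing is intended, a comment such as `// only the immediate caller must be in the verb's module` would record it. callWithRequest starts and ends outside the hunk, so whether callers can be empty at this point is inferred, not visible.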
