refactor: wildcard role check

goto · Jul 10, 2024 · 1a370ee · 1a370ee
1 parent f149322
commit 1a370ee
Showing 1 changed file with 15 additions and 6 deletions.
diff --git a/internal/adapter/relation.go b/internal/adapter/relation.go
@@ -44,13 +44,9 @@ func (a Relation) TransformRelation(ctx context.Context, rlt relation.RelationV2
 		userID := rel.Subject.ID
 
 		if userID == WILDCARD {
-			roleID := rel.Object.NamespaceID + ":" + rel.Subject.RoleID
-			role, err := a.roleService.Get(ctx, roleID)
+			err := a.isWildCardAllowed(ctx, rel)
 			if err != nil {
-				return relation.RelationV2{}, fmt.Errorf("error fetching role: %s", err.Error())
-			}
-			if !slices.Contains(role.Types, schema.UserPrincipalWildcard) {
-				return relation.RelationV2{}, fmt.Errorf("%s does not allow wildcard for subject %s", rlt.Object.NamespaceID, rlt.Subject.Namespace)
+				return relation.RelationV2{}, err
 			}
 		} else if !uuid.IsValid(userID) {
 			fetchedUser, err := a.userService.GetByEmail(ctx, rel.Subject.ID)
@@ -95,3 +91,16 @@ func (a Relation) TransformRelation(ctx context.Context, rlt relation.RelationV2
 
 	return rel, nil
 }
+
+func (a Relation) isWildCardAllowed(ctx context.Context, rlt relation.RelationV2) error {
+	roleID := rlt.Object.NamespaceID + ":" + rlt.Subject.RoleID
+	role, err := a.roleService.Get(ctx, roleID)
+	if err != nil {
+		return fmt.Errorf("error fetching role: %s", err.Error())
+	}
+	if !slices.Contains(role.Types, schema.UserPrincipalWildcard) {
+		return fmt.Errorf("%s does not allow wildcard for subject %s", rlt.Object.NamespaceID, rlt.Subject.Namespace)
+	}
+
+	return nil
+}