fix: race condition on permission check API (#11)

fix: remove close on channel Co-authored-by: Bala Sekar <[email protected]>
goto · Jun 12, 2023 · 85210db · 85210db
1 parent cfbd86d
commit 85210db
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 4 deletions.
diff --git a/internal/api/v1beta1/permission_check.go b/internal/api/v1beta1/permission_check.go
@@ -43,10 +43,8 @@ func (h Handler) CheckResourcePermission(ctx context.Context, req *shieldv1beta1
 	var results []*shieldv1beta1.CheckResourcePermissionResponse_ResourcePermissionResponse
 	checkCtx, cancel := context.WithCancel(ctx)
 	defer cancel()
-	resultCh := make(chan resourcePermissionResult)
-	defer close(resultCh)
-	errorCh := make(chan error)
-	defer close(errorCh)
+	resultCh := make(chan resourcePermissionResult, len(req.ResourcePermissions))
+	errorCh := make(chan error, len(req.ResourcePermissions))
 
 	for _, permission := range req.ResourcePermissions {
 		go func(checkCtx context.Context, resourcePermission *shieldv1beta1.ResourcePermission,

diff --git a/internal/api/v1beta1/permission_check_test.go b/internal/api/v1beta1/permission_check_test.go
@@ -78,6 +78,22 @@ func TestHandler_CheckResourcePermission(t *testing.T) {
 			},
 			wantErr: nil,
 		},
+		{
+			name: "Deprecated check single resource permission: should return unauthenticated error if relation service's CheckAuthz function returns auth error",
+			setup: func(res *mocks.ResourceService) {
+				res.EXPECT().CheckAuthz(mock.AnythingOfType("*context.emptyCtx"), resource.Resource{
+					Name:        testRelationV2.Object.ID,
+					NamespaceID: testRelationV2.Object.NamespaceID,
+				}, action.Action{ID: schema.EditPermission}).Return(false, user.ErrInvalidEmail)
+			},
+			request: &shieldv1beta1.CheckResourcePermissionRequest{
+				ObjectId:        testRelationV2.Object.ID,
+				ObjectNamespace: testRelationV2.Object.NamespaceID,
+				Permission:      schema.EditPermission,
+			},
+			want:    nil,
+			wantErr: grpcUnauthenticated,
+		},
 		{
 			name: "should return internal error if relation service's CheckAuthz function returns some error",
 			setup: func(res *mocks.ResourceService) {