From 47a35935d62725bdb28397da2af4317158f0a5cb Mon Sep 17 00:00:00 2001
From: Kishore Nallan
Date: Mon, 10 May 2021 07:53:53 +0530
Subject: [PATCH] Support `resource:*` API key permission.
---
 src/auth_manager.cpp | 12 ++++++++++++
 test/auth_manager_test.cpp | 8 ++++++++
 2 files changed, 20 insertions(+)
diff --git a/src/auth_manager.cpp b/src/auth_manager.cpp
index f3408261..4c93fb4a 100644
--- a/src/auth_manager.cpp
+++ b/src/auth_manager.cpp
@@ -194,6 +194,18 @@ bool AuthManager::auth_against_key(const std::vector& collections,
 action_is_allowed = true;
 break;
 }
+
+ // e.g. collections:create or documents:create
+ if (allowed_action.size() >= 2 && allowed_action[allowed_action.size() - 2] == ':' &&
+ allowed_action.back() == '*') {
+ std::string allowed_resource = allowed_action.substr(0, allowed_action.size() - 2);
+ std::vector actual_action_parts;
+ StringUtils::split(action, actual_action_parts, ":");
+ if(actual_action_parts[0] == allowed_resource) {
+ action_is_allowed = true;
+ break;
+ }
+ }
 }
 if(!action_is_allowed) {
diff --git a/test/auth_manager_test.cpp b/test/auth_manager_test.cpp
index ae5a9273..4423fea2 100644
--- a/test/auth_manager_test.cpp
+++ b/test/auth_manager_test.cpp
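Review bot: `actual_action_parts[0]` is read without checking that the split produced any parts; if `action` is empty, or `StringUtils::split` (not shown here) drops empty tokens for an input such as `:`, this indexes an empty vector inside the authorization check, which is undefined behaviour. Guard the comparison: `if(!actual_action_parts.empty() && actual_action_parts[0] == allowed_resource) {`. The comment above the branch lists exact actions (`collections:create or documents:create`) although the branch matches wildcard grants; `// e.g. collections:* or documents:* grants every action on that resource` would describe it. A stored action of just `:*` passes the size test with an empty `allowed_resource`, so consider rejecting an empty resource here or when the key is created. The enclosing loop and the rest of `auth_against_key` lie outside the hunk.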
@@ -195,6 +195,14 @@ TEST_F(AuthManagerTest, VerifyAuthentication) {
 api_key_t unexpired_key1 = api_key_t("abcd9", "expiry key", {"*"}, {"*"}, 2237712220);
 auth_manager.create_key(unexpired_key1);
 ASSERT_TRUE(auth_manager.authenticate(unexpired_key1.value, "collections:list", {"collection"}, sparams));
+
+ // wildcard action on any collection
+ api_key_t wildcard_action_coll_key = api_key_t("abcd10", "wildcard coll action key", {"collections:*"}, {"*"}, FUTURE_TS);
+ auth_manager.create_key(wildcard_action_coll_key);
+
+ ASSERT_TRUE(auth_manager.authenticate(wildcard_action_coll_key.value, "collections:create", {"collection1"}, sparams));
+ ASSERT_TRUE(auth_manager.authenticate(wildcard_action_coll_key.value, "collections:delete", {"collection1", "collection2"}, sparams));
+ ASSERT_FALSE(auth_manager.authenticate(wildcard_action_coll_key.value, "documents:create", {"collection1"}, sparams));
 }
 TEST_F(AuthManagerTest, HandleAuthentication) {
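Review bot: The new assertions only use a key whose collection list is `{"*"}`, so nothing pins that a `collections:*` grant is still limited by the key's collection scope. Add a key restricted to one collection (constructed example: `api_key_t("abcd11", "scoped wildcard key", {"collections:*"}, {"collection1"}, FUTURE_TS)`) and assert `ASSERT_FALSE(auth_manager.authenticate(scoped_key.value, "collections:delete", {"collection2"}, sparams));`. A negative case for a near-miss resource name such as `"collections_x:create"` (a constructed value) would also protect against the match being loosened to a prefix comparison later. The body of `VerifyAuthentication` starts before this hunk.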