types: make EntityUID UnmarshalJSON more strict and add tests

patjakdev · patjakdev · commit ea3a918925a7 · 2026-03-19T11:23:07.000-07:00
Signed-Off-By: Patrick Jakubowski &lt;patrick.jakubowski@strongdm.com&gt;
diff --git a/types/entity_uid.go b/types/entity_uid.go
@@ -82,8 +82,6 @@ func (e *EntityUID) UnmarshalCedar(data []byte) error {
 }
 
 func (e *EntityUID) UnmarshalJSON(b []byte) error {
-	// XXX: We might have to do something here?? For one thing, no extra keys should be allowed.
-	// TODO: review after adding support for schemas
 	var res entityValueJSON
 	if err := json.Unmarshal(b, &res); err != nil {
 		return err
diff --git a/types/entity_uid_test.go b/types/entity_uid_test.go
@@ -119,6 +119,53 @@ func TestEntity(t *testing.T) {
 			})
 		}
 	})
+
+	t.Run("UnmarshalJSON", func(t *testing.T) {
+		t.Parallel()
+		tests := []struct {
+			name  string
+			input string
+		}{
+			{"explicit", `{ "__entity": { "type": "Type", "id": "id" } }`},
+			{"implicit", `{ "type": "Type", "id": "id" }`},
+			{"explicit - extra keys in inner", `{ "__entity": { "type": "Type", "id": "id", "floob": "blah" } }`},
+			{"implicit - extra keys", `{ "type": "Type", "id": "id", "floob": "blah" }`},
+		}
+
+		for _, tt := range tests {
+			t.Run(tt.name, func(t *testing.T) {
+				t.Parallel()
+				var got types.EntityUID
+				err := got.UnmarshalJSON([]byte(tt.input))
+				testutil.OK(t, err)
+				testutil.Equals(t, got, types.NewEntityUID("Type", "id"))
+			})
+		}
+	})
+
+	t.Run("UnmarshalJSON invalid", func(t *testing.T) {
+		t.Parallel()
+		tests := []struct {
+			name  string
+			input string
+		}{
+			{"non-object", `"floob"`},
+			{"explicit - wrong type", `{ "__entity": "wrong type"`},
+			{"implicit - type wrong", `{ "type": 123, "id": "123" }`},
+			{"implicit - id wrong type", `{ "type": "Type", "id": 123 }`},
+			{"implicit - only type", `{ "type": "Type" }`},
+			{"implicit - only id", `{ "id": 123 }`},
+		}
+
+		for _, tt := range tests {
+			t.Run(tt.name, func(t *testing.T) {
+				t.Parallel()
+				var got types.EntityUID
+				err := got.UnmarshalJSON([]byte(tt.input))
+				testutil.Error(t, err)
+			})
+		}
+	})
 }
 
 func TestEntityUIDSet(t *testing.T) {
diff --git a/types/json_test.go b/types/json_test.go
@@ -30,6 +30,7 @@ func TestJSON_Value(t *testing.T) {
 	}{
 		{"entity-likeRecord", `{ "type": "User", "id": "alice" }`, NewRecord(RecordMap{"type": String("User"), "id": String("alice")}), nil},
 		{"explicitEntity", `{ "__entity": { "type": "User", "id": "alice" } }`, EntityUID{Type: "User", ID: "alice"}, nil},
+		{"explicitEntityExtraField", `{ "__entity": { "type": "User", "id": "alice" }, "extra": "stuff" }`, EntityUID{Type: "User", ID: "alice"}, nil},
 		{"explicitLongEntity", `{ "__entity": { "type": "User::External", "id": "alice" } }`, EntityUID{Type: "User::External", ID: "alice"}, nil},
 		{"invalidJSON", `!@#$`, zeroValue(), errJSONDecode},
 		{"numericOverflow", "12341234123412341234", zeroValue(), errJSONLongOutOfRange},
diff --git a/x/exp/types/testdata/explicit-entity-extra-field.cedarschema b/x/exp/types/testdata/explicit-entity-extra-field.cedarschema
@@ -0,0 +1,10 @@
+entity Manager;
+
+entity User = {
+  manager: Manager,
+};
+
+action view appliesTo {
+  principal: [User],
+  resource: [User],
+};
diff --git a/x/exp/types/testdata/explicit-entity-extra-field.entities.json b/x/exp/types/testdata/explicit-entity-extra-field.entities.json
@@ -0,0 +1,14 @@
+[
+  {
+    "uid": {"type": "Manager", "id": "boss"},
+    "attrs": {},
+    "parents": []
+  },
+  {
+    "uid": {"type": "User", "id": "alice"},
+    "attrs": {
+      "manager": {"__entity": {"type": "Manager", "id": "boss"}, "extra": "stuff"}
+    },
+    "parents": []
+  }
+]
diff --git a/x/exp/types/testdata/explicit-entity-extra-field.json b/x/exp/types/testdata/explicit-entity-extra-field.json
@@ -0,0 +1,4 @@
+{
+  "schema": "explicit-entity-extra-field.cedarschema",
+  "entities": "explicit-entity-extra-field.entities.json"
+}
diff --git a/x/exp/types/testdata/explicit-entity-extra-field.parsing.json b/x/exp/types/testdata/explicit-entity-extra-field.parsing.json
@@ -0,0 +1,13 @@
+{
+  "allEntities": {
+    "success": true
+  },
+  "perEntity": {
+    "Manager::boss": {
+      "success": true
+    },
+    "User::alice": {
+      "success": true
+    }
+  }
+}
diff --git a/x/exp/types/testdata/implicit-entity-extra-field.cedarschema b/x/exp/types/testdata/implicit-entity-extra-field.cedarschema
@@ -0,0 +1,10 @@
+entity Manager;
+
+entity User = {
+  manager: Manager,
+};
+
+action view appliesTo {
+  principal: [User],
+  resource: [User],
+};
diff --git a/x/exp/types/testdata/implicit-entity-extra-field.entities.json b/x/exp/types/testdata/implicit-entity-extra-field.entities.json
@@ -0,0 +1,14 @@
+[
+  {
+    "uid": {"type": "Manager", "id": "boss"},
+    "attrs": {},
+    "parents": []
+  },
+  {
+    "uid": {"type": "User", "id": "alice"},
+    "attrs": {
+      "manager": {"type": "Manager", "id": "boss", "extra": "stuff"}
+    },
+    "parents": []
+  }
+]
diff --git a/x/exp/types/testdata/implicit-entity-extra-field.json b/x/exp/types/testdata/implicit-entity-extra-field.json
@@ -0,0 +1,4 @@
+{
+  "schema": "implicit-entity-extra-field.cedarschema",
+  "entities": "implicit-entity-extra-field.entities.json"
+}
diff --git a/x/exp/types/testdata/implicit-entity-extra-field.parsing.json b/x/exp/types/testdata/implicit-entity-extra-field.parsing.json
@@ -0,0 +1,13 @@
+{
+  "allEntities": {
+    "success": true
+  },
+  "perEntity": {
+    "Manager::boss": {
+      "success": true
+    },
+    "User::alice": {
+      "success": true
+    }
+  }
+}
diff --git a/x/exp/types/testdata/uid-extra-field.cedarschema b/x/exp/types/testdata/uid-extra-field.cedarschema
@@ -0,0 +1,8 @@
+entity User = {
+  name: String,
+};
+
+action view appliesTo {
+  principal: [User],
+  resource: [User],
+};
diff --git a/x/exp/types/testdata/uid-extra-field.entities.json b/x/exp/types/testdata/uid-extra-field.entities.json
@@ -0,0 +1,9 @@
+[
+  {
+    "uid": {"type": "User", "id": "alice", "extra": "stuff"},
+    "attrs": {
+      "name": "Alice"
+    },
+    "parents": []
+  }
+]
diff --git a/x/exp/types/testdata/uid-extra-field.json b/x/exp/types/testdata/uid-extra-field.json
@@ -0,0 +1,4 @@
+{
+  "schema": "uid-extra-field.cedarschema",
+  "entities": "uid-extra-field.entities.json"
+}
diff --git a/x/exp/types/testdata/uid-extra-field.parsing.json b/x/exp/types/testdata/uid-extra-field.parsing.json
@@ -0,0 +1,10 @@
+{
+  "allEntities": {
+    "success": true
+  },
+  "perEntity": {
+    "User::alice": {
+      "success": true
+    }
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -82,8 +82,6 @@ func (e *EntityUID) UnmarshalCedar(data []byte) error {`
`82`	`82`	`}`
`83`	`83`
`84`	`84`	`func (e *EntityUID) UnmarshalJSON(b []byte) error {`
`85`		`- // XXX: We might have to do something here?? For one thing, no extra keys should be allowed.`
`86`		`- // TODO: review after adding support for schemas`
`87`	`85`	`var res entityValueJSON`
`88`	`86`	`if err := json.Unmarshal(b, &res); err != nil {`
`89`	`87`	`return err`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +{
 +  "schema": "explicit-entity-extra-field.cedarschema",
 +  "entities": "explicit-entity-extra-field.entities.json"
 +}