Skip to content

Enhance Permission Validation #253

New issue
New issue
Open
Bug
Open
Enhance Permission Validation#253
Bug
Assignees
ozkanturidi
Labels
bugSomething isn't workingenhancementNew feature or requestgood first issueGood for newcomerssecurityuser experience
@v0lkan

Description

@v0lkan
v0lkan
opened on Dec 9, 2025

When creating policies via spike policy create --permissions=..., the CLI accepts any string as a permission without validation. Invalid permissions like delete, admin, or typos like raed are silently accepted and stored, only to fail at authorization
time.

Current Behavior

// Convert comma-separated permissions to slice
var permissions []data.PolicyPermission
if permsStr != "" {
    for _, perm := range strings.Split(permsStr, ",") {
        perm = strings.TrimSpace(perm)
        if perm != "" {
            permissions = append(permissions, data.PolicyPermission(perm))
        }
    }
}

The code splits and trims the input but does not validate that each permission is one of the allowed values.

Example of problematic usage:

# These all succeed but store invalid permissions
spike policy create --name=test --permissions=delete,admin
spike policy create --name=test --permissions=raed  # typo

Expected Behavior

The CLI should validate permissions and fail fast with a clear error:

$ spike policy create --name=test --permissions=delete,read
Error: Invalid permission. Valid permissions: read, write, list, execute, super

SDK Support Already Exists

The SDK already provides everything needed:

Permission constants (spike-sdk-go/api/entity/data/policy.go):

const PermissionRead PolicyPermission = "read"
const PermissionWrite PolicyPermission = "write"
const PermissionList PolicyPermission = "list"
const PermissionExecute PolicyPermission = "execute"
const PermissionSuper PolicyPermission = "super"

Validation function (spike-sdk-go/validation/validation.go):

func ValidatePermissions(
    permissions []data.PolicyPermission,
) *sdkErrors.SDKError

Suggested Implementation

// Convert comma-separated permissions to slice
var permissions []data.PolicyPermission
if permsStr != "" {
    for _, perm := range strings.Split(permsStr, ",") {
        perm = strings.TrimSpace(perm)
        if perm != "" {
            permissions = append(permissions, data.PolicyPermission(perm))
        }
    }
}

// Validate permissions before proceeding
if validationErr := validation.ValidatePermissions(permissions); validationErr != nil {
    // Use the SDK error - consider cloning if a custom message is needed
    log.FatalErr("policy create", *validationErr)
    return
}

Note: SDK ValidatePermissions May Be Missing execute; that will require fixing too.

allowedPermissions := []data.PolicyPermission{
    data.PermissionList,
    data.PermissionRead,
    data.PermissionWrite,
    data.PermissionSuper,
    // Missing: data.PermissionExecute : if this is intentional document it; if not, fix it.
}

Files to Modify

  • app/pilot/internal/cmd/policy/create.go - Add validation.ValidatePermissions() call
  • Possibly spike-sdk-go/validation/validation.go - Add PermissionExecute to allowed list

Metadata

Metadata

Assignees

Labels

bugSomething isn't workingenhancementNew feature or requestgood first issueGood for newcomerssecurityuser experience

Type

Bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions