From f8bbbfd8f9d7c9d4909faa73a190d51219e82235 Mon Sep 17 00:00:00 2001
From: Jesse Haber-Kucharsky
Date: Wed, 14 Feb 2018 00:37:53 -0500
Subject: [PATCH] auth: Check role existence when querying perms
---
 auth/service.cc | 12 +++++++++++-
 auth/service.hh | 3 +++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/auth/service.cc b/auth/service.cc
index f133c90931..e22dfdc914 100644
--- a/auth/service.cc
+++ b/auth/service.cc
@@ -88,6 +88,14 @@ private:
 void on_drop_view(const sstring& ks_name, const sstring& view_name) override {}
 };
+static future<> validate_role_exists(const service& ser, stdx::string_view role_name) {
+ return ser.underlying_role_manager().exists(role_name).then([role_name](bool exists) {
+ if (!exists) {
+ throw nonexistant_role(role_name);
+ }
+ });
+}
+
 service_config service_config::from_db_config(const db::config& dc) {
 const qualified_name qualified_authorizer_name(meta::AUTH_PACKAGE_NAME, dc.authorizer());
 const qualified_name qualified_authenticator_name(meta::AUTH_PACKAGE_NAME, dc.authenticator());
@@ -233,7 +241,9 @@ future service::has_existing_legacy_users() const {
 }
 future service::get_permissions(stdx::string_view role_name, resource r) const {
- return _permissions_cache->get(role_name, std::move(r));
+ return validate_role_exists(*this, role_name).then([this, role_name, r = std::move(r)] {
+ return _permissions_cache->get(role_name, std::move(r));
+ });
 }
 future service::role_has_superuser(stdx::string_view role_name) const {
diff --git a/auth/service.hh b/auth/service.hh
index 3469e7bbae..af71187a45 100644
--- a/auth/service.hh
+++ b/auth/service.hh
@@ -119,6 +119,9 @@ public:
 future<> stop();
+ ///
+ /// \returns an exceptional future with \ref nonexistant_role if the named role does not exist.
+ ///
 future get_permissions(stdx::string_view role_name, resource) const;
 ///
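Review bot: The continuation in `validate_role_exists` captures `role_name` as a `stdx::string_view`, which does not own its characters, so if `exists()` resolves asynchronously the `throw nonexistant_role(role_name)` line reads whatever the caller's buffer holds at that point. The same view is captured again by the `get_permissions` lambda in the second hunk of this file. If callers are required to keep the name alive until the future resolves, state that on the function, e.g. `// role_name must remain valid until the returned future resolves.`; otherwise the lambdas should capture an owning copy of the name. Whether any current caller passes a short-lived string is not visible in this patch.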
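Review bot: The lambda added to `get_permissions` is not `mutable`, so the captured `r` is const inside it and `std::move(r)` in the `_permissions_cache->get(...)` call copies the resource instead of moving it; `.then([this, role_name, r = std::move(r)] () mutable {` restores the move. Separately, every permission lookup now calls `exists()` on the role manager before it reaches the cache, so if that call is not itself cached (not visible here) the authorization path gains a role-store query per check, which deserves a measurement or a line in the commit message. The callers of `get_permissions` are outside this patch and should be checked to confirm they treat the new exceptional future as a denial.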