feat: validate iam policy filters

internal/service/iam.go

@@ -46,6 +46,10 @@ func (s *Service) SetIAMPolicy(ctx context.Context, req *connect.Request[api.Set
 		return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("tailnet does not exist"))
 	}
 
+	if err := validateIamPolicy(req.Msg.Policy); err != nil {
+		return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err))
+	}
+
 	tailnet.IAMPolicy = domain.IAMPolicy{
 		Subs:    req.Msg.Policy.Subs,
 		Emails:  req.Msg.Policy.Emails,

internal/service/service.go

@@ -2,7 +2,10 @@ package service
 
 import (
 	"context"
+	"fmt"
 	"github.com/bufbuild/connect-go"
+	"github.com/hashicorp/go-bexpr/grammar"
+	"github.com/hashicorp/go-multierror"
 	"github.com/jsiebens/ionscale/internal/auth"
 	"github.com/jsiebens/ionscale/internal/config"
 	"github.com/jsiebens/ionscale/internal/core"
@@ -37,3 +40,13 @@ func (s *Service) GetVersion(_ context.Context, _ *connect.Request[api.GetVersio
 		Revision: revision,
 	}), nil
 }
+
+func validateIamPolicy(p *api.IAMPolicy) error {
+	var mErr *multierror.Error
+	for i, exp := range p.Filters {
+		if _, err := grammar.Parse(fmt.Sprintf("filter %d", i), []byte(exp)); err != nil {
+			mErr = multierror.Append(mErr, err)
+		}
+	}
+	return mErr.ErrorOrNil()
+}

internal/service/tailnet.go

@@ -42,6 +42,10 @@ func (s *Service) CreateTailnet(ctx context.Context, req *connect.Request[api.Cr
 		return nil, connect.NewError(connect.CodePermissionDenied, fmt.Errorf("permission denied"))
 	}
 
+	if err := validateIamPolicy(req.Msg.IamPolicy); err != nil {
+		return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err))
+	}
+
 	tailnet := &domain.Tailnet{
 		ID:                          util.NextID(),
 		Name:                        req.Msg.Name,