From a350a383d34db9da6d3268ab07e155a56328a43e Mon Sep 17 00:00:00 2001
From: Bisakh Mondal <bisakhmondal00@gmail.com>
Date: Wed, 13 Oct 2021 02:49:11 +0530
Subject: [PATCH] add service resolver subset filter validation

---
 agent/structs/config_entry_discoverychain.go      |  8 +++++++-
 agent/structs/config_entry_discoverychain_test.go | 11 +++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/agent/structs/config_entry_discoverychain.go b/agent/structs/config_entry_discoverychain.go
index 0a8567d67c..35287f442a 100644
--- a/agent/structs/config_entry_discoverychain.go
+++ b/agent/structs/config_entry_discoverychain.go
@@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/hashicorp/go-bexpr"
 	"github.com/mitchellh/copystructure"
 	"github.com/mitchellh/hashstructure"
 
@@ -901,13 +902,18 @@ func (e *ServiceResolverConfigEntry) Validate() error {
 	}
 
 	if len(e.Subsets) > 0 {
-		for name := range e.Subsets {
+		for name, subset := range e.Subsets {
 			if name == "" {
 				return fmt.Errorf("Subset defined with empty name")
 			}
 			if err := validateServiceSubset(name); err != nil {
 				return fmt.Errorf("Subset %q is invalid: %v", name, err)
 			}
+			if subset.Filter != "" {
+				if _, err := bexpr.CreateEvaluator(subset.Filter, nil); err != nil {
+					return fmt.Errorf("Filter for subset %q is not a valid expression: %v", name, err)
+				}
+			}
 		}
 	}
 
diff --git a/agent/structs/config_entry_discoverychain_test.go b/agent/structs/config_entry_discoverychain_test.go
index 5cc43e4680..37f41e925b 100644
--- a/agent/structs/config_entry_discoverychain_test.go
+++ b/agent/structs/config_entry_discoverychain_test.go
@@ -552,6 +552,17 @@ func TestServiceResolverConfigEntry(t *testing.T) {
 			},
 			validateErr: "Subset defined with empty name",
 		},
+		{
+			name: "invalid boolean expression subset filter",
+			entry: &ServiceResolverConfigEntry{
+				Kind: ServiceResolver,
+				Name: "test",
+				Subsets: map[string]ServiceResolverSubset{
+					"v1": {Filter: "random string"},
+				},
+			},
+			validateErr: `Filter for subset "v1" is not a valid expression`,
+		},
 		{
 			name: "default subset does not exist",
 			entry: &ServiceResolverConfigEntry{