From 76afe081a5f5fc051862b4446b25d45c28e2f76d Mon Sep 17 00:00:00 2001
From: "Chris S. Kim" <ckim@hashicorp.com>
Date: Mon, 12 Feb 2024 16:41:42 -0500
Subject: [PATCH] Fix broken merge

---
 internal/auth/internal/types/validate.go | 44 ++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/internal/auth/internal/types/validate.go b/internal/auth/internal/types/validate.go
index e85b03872f..d7cd01d67b 100644
--- a/internal/auth/internal/types/validate.go
+++ b/internal/auth/internal/types/validate.go
@@ -5,6 +5,7 @@ package types
 
 import (
 	"github.com/hashicorp/go-multierror"
+	"golang.org/x/exp/slices"
 
 	"github.com/hashicorp/consul/internal/resource"
 	pbauth "github.com/hashicorp/consul/proto-public/pbauth/v2beta1"
@@ -119,6 +120,12 @@ func validatePermission(p *pbauth.Permission, id *pbresource.ID, wrapErr func(er
 				}
 			}
 		}
+		if dest.IsEmpty() {
+			merr = multierror.Append(merr, wrapDestRuleErr(resource.ErrInvalidListElement{
+				Name:    "destination_rule",
+				Wrapped: errInvalidRule,
+			}))
+		}
 		if len(dest.Exclude) > 0 {
 			for e, excl := range dest.Exclude {
 				wrapExclPermRuleErr := func(err error) error {
@@ -136,6 +143,43 @@ func validatePermission(p *pbauth.Permission, id *pbresource.ID, wrapErr func(er
 						Wrapped: errInvalidPrefixValues,
 					}))
 				}
+				for eh, hdr := range excl.Headers {
+					wrapExclHeaderErr := func(err error) error {
+						return wrapDestRuleErr(resource.ErrInvalidListElement{
+							Name:    "exclude_permission_header_rules",
+							Index:   eh,
+							Wrapped: err,
+						})
+					}
+					if len(hdr.Name) == 0 {
+						merr = multierror.Append(merr, wrapExclHeaderErr(resource.ErrInvalidListElement{
+							Name:    "exclude_permission_header_rule",
+							Wrapped: errHeaderRulesInvalid,
+						}))
+					}
+				}
+				for _, m := range excl.Methods {
+					if len(dest.Methods) != 0 && !slices.Contains(dest.Methods, m) {
+						merr = multierror.Append(merr, wrapExclPermRuleErr(resource.ErrInvalidListElement{
+							Name:    "exclude_permission_header_rule",
+							Wrapped: errExclValuesMustBeSubset,
+						}))
+					}
+				}
+				for _, port := range excl.PortNames {
+					if len(dest.PortNames) != 0 && !slices.Contains(dest.PortNames, port) {
+						merr = multierror.Append(merr, wrapExclPermRuleErr(resource.ErrInvalidListElement{
+							Name:    "exclude_permission_header_rule",
+							Wrapped: errExclValuesMustBeSubset,
+						}))
+					}
+				}
+				if excl.IsEmpty() {
+					merr = multierror.Append(merr, wrapExclPermRuleErr(resource.ErrInvalidListElement{
+						Name:    "exclude_permission_rule",
+						Wrapped: errInvalidRule,
+					}))
+				}
 			}
 		}
 	}