From 3130cce72d59165060a6af643bc529be11da2802 Mon Sep 17 00:00:00 2001
From: Bethuel Mmbaga
Date: Mon, 15 Sep 2025 21:08:16 +0300
Subject: [PATCH] [management] Add rule ID validation for policy updates (#4499)

---
 management/server/policy.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/management/server/policy.go b/management/server/policy.go
index 312fd53b2..3adee6397 100644
--- a/management/server/policy.go
+++ b/management/server/policy.go
@@ -167,10 +167,22 @@ func arePolicyChangesAffectPeers(ctx context.Context, transaction store.Store, a
 // validatePolicy validates the policy and its rules.
 func validatePolicy(ctx context.Context, transaction store.Store, accountID string, policy *types.Policy) error {
 	if policy.ID != "" {
-		_, err := transaction.GetPolicyByID(ctx, store.LockingStrengthNone, accountID, policy.ID)
+		existingPolicy, err := transaction.GetPolicyByID(ctx, store.LockingStrengthNone, accountID, policy.ID)
 		if err != nil {
 			return err
 		}
+
+		// TODO: Refactor to support multiple rules per policy
+		existingRuleIDs := make(map[string]bool)
+		for _, rule := range existingPolicy.Rules {
+			existingRuleIDs[rule.ID] = true
+		}
+
+		for _, rule := range policy.Rules {
+			if rule.ID != "" && !existingRuleIDs[rule.ID] {
+				return status.Errorf(status.InvalidArgument, "invalid rule ID: %s", rule.ID)
+			}
+		}
 	} else {
 		policy.ID = xid.New().String()
 		policy.AccountID = accountID
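Review bot: The new `return status.Errorf(...)` line echoes the client-supplied rule ID with `%s`; prefer `%q` so an empty or whitespace-bearing ID is visible in the response and in logs: `return status.Errorf(status.InvalidArgument, "invalid rule ID: %q", rule.ID)`. The purpose of the loop over `policy.Rules` deserves a comment, because the `// TODO: Refactor to support multiple rules per policy` line reads oddly above code that already iterates every rule; something like `// A rule ID supplied on update must belong to this policy, so a request cannot reference or overwrite a rule owned by another policy.` states the invariant being enforced. As a pure membership set, `existingRuleIDs` would be more idiomatic as `map[string]struct{}` with a `_, ok := existingRuleIDs[rule.ID]` lookup. The check only runs in the update branch; whether the create branch below (the function continues past the hunk) discards client-supplied rule IDs cannot be seen here and is worth confirming.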