fix(GraphQL): Hide info when performing mutation on id field with auth rule. (#6391)

* Hide info when performing mutation on id field with auth rule.

(cherry picked from commit 5c33428)
Arijit Das authored and arijitAD committed Sep 21, 2020
1 parent 302afc3 commit 5a3266d
Showing 9 changed files with 161 additions and 61 deletions.
44 changes: 22 additions & 22 deletions graphql/e2e/auth/add_mutation_test.go
Expand Up @@ -146,7 +146,7 @@ func TestAddDeepFilter(t *testing.T) {
Name: "project_add_2",
Roles: []*Role{{
Permission: "ADMIN",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user2",
}},
}},
Expand All @@ -162,12 +162,12 @@ func TestAddDeepFilter(t *testing.T) {
Name: "project_add_4",
Roles: []*Role{{
Permission: "ADMIN",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user6",
}},
}, {
Permission: "VIEW",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user6",
}},
}},
Expand Down Expand Up @@ -212,7 +212,7 @@ func TestAddDeepFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Column{}, "ColID")
Expand Down Expand Up @@ -249,7 +249,7 @@ func TestAddOrRBACFilter(t *testing.T) {
Name: "project_add_2",
Roles: []*Role{{
Permission: "ADMIN",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user2",
}},
}},
Expand All @@ -262,12 +262,12 @@ func TestAddOrRBACFilter(t *testing.T) {
Name: "project_add_3",
Roles: []*Role{{
Permission: "ADMIN",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user7",
}},
}, {
Permission: "VIEW",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user7",
}},
}},
Expand Down Expand Up @@ -308,7 +308,7 @@ func TestAddOrRBACFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Project{}, "ProjID")
Expand All @@ -329,27 +329,27 @@ func TestAddAndRBACFilterMultiple(t *testing.T) {
result: `{"addIssue": {"issue":[{"msg":"issue_add_5"}, {"msg":"issue_add_6"}, {"msg":"issue_add_7"}]}}`,
variables: map[string]interface{}{"issues": []*Issue{{
Msg: "issue_add_5",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}, {
Msg: "issue_add_6",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}, {
Msg: "issue_add_7",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}}},
}, {
user: "user8",
role: "ADMIN",
result: ``,
variables: map[string]interface{}{"issues": []*Issue{{
Msg: "issue_add_8",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}, {
Msg: "issue_add_9",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}, {
Msg: "issue_add_10",
Owner: &User{Username: "user9"},
Owner: &common.User{Username: "user9"},
}}},
}}

Expand Down Expand Up @@ -386,7 +386,7 @@ func TestAddAndRBACFilterMultiple(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Issue{}, "Id")
Expand All @@ -407,23 +407,23 @@ func TestAddAndRBACFilter(t *testing.T) {
result: `{"addIssue": {"issue":[{"msg":"issue_add_1"}]}}`,
variables: map[string]interface{}{"issue": &Issue{
Msg: "issue_add_1",
Owner: &User{Username: "user7"},
Owner: &common.User{Username: "user7"},
}},
}, {
user: "user7",
role: "ADMIN",
result: ``,
variables: map[string]interface{}{"issue": &Issue{
Msg: "issue_add_2",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}},
}, {
user: "user7",
role: "USER",
result: ``,
variables: map[string]interface{}{"issue": &Issue{
Msg: "issue_add_3",
Owner: &User{Username: "user7"},
Owner: &common.User{Username: "user7"},
}},
}}

Expand Down Expand Up @@ -460,7 +460,7 @@ func TestAddAndRBACFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Issue{}, "Id")
Expand Down Expand Up @@ -522,7 +522,7 @@ func TestAddComplexFilter(t *testing.T) {
RegionsAvailable: []*Region{{
Name: "add_region_2",
Global: false,
Users: []*User{{
Users: []*common.User{{
Username: "user8",
}},
}},
Expand Down Expand Up @@ -563,7 +563,7 @@ func TestAddComplexFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Movie{}, "Id")
Expand Down Expand Up @@ -628,7 +628,7 @@ func TestAddRBACFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Log{}, "Id")
84 changes: 50 additions & 34 deletions graphql/e2e/auth/auth_test.go
Expand Up @@ -43,31 +43,11 @@ var (
metaInfo *testutil.AuthMeta
)

type Tweets struct {
Id string `json:"id,omitempty"`
Text string `json:"text,omitempty"`
Timestamp string `json:"timestamp,omitempty"`
User User `json:"user,omitempty"`
}

type User struct {
Username string `json:"username,omitempty"`
Age uint64 `json:"age,omitempty"`
IsPublic bool `json:"isPublic,omitempty"`
Disabled bool `json:"disabled,omitempty"`
}

type UserSecret struct {
Id string `json:"id,omitempty"`
ASecret string `json:"aSecret,omitempty"`
OwnedBy string `json:"ownedBy,omitempty"`
}

type Region struct {
Id string `json:"id,omitempty"`
Name string `json:"name,omitempty"`
Users []*User `json:"users,omitempty"`
Global bool `json:"global,omitempty"`
Id string `json:"id,omitempty"`
Name string `json:"name,omitempty"`
Users []*common.User `json:"users,omitempty"`
Global bool `json:"global,omitempty"`
}

type Movie struct {
Expand All @@ -78,9 +58,9 @@ type Movie struct {
}

type Issue struct {
Id string `json:"id,omitempty"`
Msg string `json:"msg,omitempty"`
Owner *User `json:"owner,omitempty"`
Id string `json:"id,omitempty"`
Msg string `json:"msg,omitempty"`
Owner *common.User `json:"owner,omitempty"`
}

type Log struct {
Expand All @@ -96,16 +76,16 @@ type ComplexLog struct {
}

type Role struct {
Id string `json:"id,omitempty"`
Permission string `json:"permission,omitempty"`
AssignedTo []*User `json:"assignedTo,omitempty"`
Id string `json:"id,omitempty"`
Permission string `json:"permission,omitempty"`
AssignedTo []*common.User `json:"assignedTo,omitempty"`
}

type Ticket struct {
Id string `json:"id,omitempty"`
OnColumn *Column `json:"onColumn,omitempty"`
Title string `json:"title,omitempty"`
AssignedTo []*User `json:"assignedTo,omitempty"`
Id string `json:"id,omitempty"`
OnColumn *Column `json:"onColumn,omitempty"`
Title string `json:"title,omitempty"`
AssignedTo []*common.User `json:"assignedTo,omitempty"`
}

type Column struct {
Expand Down Expand Up @@ -306,6 +286,42 @@ func (s Student) add(t *testing.T) {
require.JSONEq(t, result, string(gqlResponse.Data))
}

func TestAddMutationWithXid(t *testing.T) {
mutation := `
mutation addTweets($tweet: AddTweetsInput!){
addTweets(input: [$tweet]) {
numUids
}
}
`

tweet := common.Tweets{
Id: "tweet1",
Text: "abc",
Timestamp: "2020-10-10",
}
user := "foo"
addTweetsParams := &common.GraphQLParams{
Headers: common.GetJWT(t, user, "", metaInfo),
Query: mutation,
Variables: map[string]interface{}{"tweet": tweet},
}

// Add the tweet for the first time.
gqlResponse := addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
require.Nil(t, gqlResponse.Errors)

// Re-adding the tweet should fail.
gqlResponse = addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
require.Error(t, gqlResponse.Errors)
require.Equal(t, len(gqlResponse.Errors), 1)
require.Contains(t, gqlResponse.Errors[0].Error(),
"GraphQL debug: id already exists for type Tweets")

// Clear the tweet.
tweet.DeleteByID(t, user, metaInfo)
}

func TestAuthWithDgraphDirective(t *testing.T) {
students := []Student{
{
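Review bot: In TestAddMutationWithXid the cleanup `tweet.DeleteByID(t, user, metaInfo)` is the last statement, after four `require` calls; `require` stops the test with `t.FailNow()`, so any failed assertion skips the delete and leaves "tweet1" behind, where it would make the next run of this test fail on the first add rather than on the duplicate it is meant to exercise. Register the cleanup as soon as the fixture exists instead: `t.Cleanup(func() { tweet.DeleteByID(t, user, metaInfo) })` directly after the first `require.Nil(t, gqlResponse.Errors)`. The same applies to the copy of this test in graphql/e2e/auth/debug_off/debug_off_test.go. Both copies use the same fixed id "tweet1" as TestDeleteRBACRuleInverseField in delete_mutation_test.go, so if those tests share a cluster a leftover from one also changes the outcome of the other.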
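--- a/graphql/e2e/auth/debug_off/debug_off_test.go
+++ b/graphql/e2e/auth/debug_off/debug_off_test.go
@@ -89,6 +89,39 @@ func TestAddGQL(t *testing.T) {
 }
 }
 
+func TestAddMutationWithXid(t *testing.T) {
+mutation := `
+mutation addTweets($tweet: AddTweetsInput!){
+addTweets(input: [$tweet]) {
+numUids
+}
+}
+`
+
+tweet := common.Tweets{
+Id: "tweet1",
+Text: "abc",
+Timestamp: "2020-10-10",
+}
+user := "foo"
+addTweetsParams := &common.GraphQLParams{
+Headers: common.GetJWT(t, user, "", metaInfo),
+Query: mutation,
+Variables: map[string]interface{}{"tweet": tweet},
+}
+
+// Add the tweet for the first time.
+gqlResponse := addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
+require.Nil(t, gqlResponse.Errors)
+
+// Re-adding the tweet should fail.
+gqlResponse = addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
+require.Nil(t, gqlResponse.Errors)
+
+// Clear the tweet.
+tweet.DeleteByID(t, user, metaInfo)
+}
+
 func TestMain(m *testing.M) {
 schemaFile := "../schema.graphql"
 schema, err := ioutil.ReadFile(schemaFile)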
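Review bot: The re-add in TestAddMutationWithXid is checked only with `require.Nil(t, gqlResponse.Errors)` after the second ExecuteAsPost, so with debug off the test passes whether the duplicate id was silently rejected or a second Tweets node was silently created, and it would also pass if the auth rule hid the whole result. Asserting the mutation payload pins the intended outcome, e.g. `require.JSONEq(t, "{\"addTweets\":{\"numUids\":0}}", string(gqlResponse.Data))` after the second call; numUids 0 is presumably what a rejected duplicate reports, confirm against the server. The matching check after the first add (numUids 1) would also confirm the fixture was actually created before the duplicate is attempted. The comment `// Re-adding the tweet should fail.` is misleading for this file, since the assertion below it requires no error; `// Re-adding the tweet is rejected without surfacing an error when debug is off.` states what is being tested.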
6 changes: 4 additions & 2 deletions graphql/e2e/auth/delete_mutation_test.go
Expand Up @@ -374,11 +374,11 @@ func TestDeleteRBACRuleInverseField(t *testing.T) {
addTweetsParams := &common.GraphQLParams{
Headers: getJWT(t, "foo", ""),
Query: mutation,
Variables: map[string]interface{}{"tweet": Tweets{
Variables: map[string]interface{}{"tweet": common.Tweets{
Id: "tweet1",
Text: "abc",
Timestamp: "2020-10-10",
User: User{
User: &common.User{
Username: "foo",
},
}},
Expand All @@ -390,10 +390,12 @@ func TestDeleteRBACRuleInverseField(t *testing.T) {
testCases := []TestCase{
{
user: "foobar",
role: "admin",
result: `{"deleteTweets":{"numUids":0,"tweets":[]}}`,
},
{
user: "foo",
role: "admin",
result: `{"deleteTweets":{"numUids":1,"tweets":[ {"text": "abc"}]}}`,
},
}
1 change: 1 addition & 0 deletions graphql/e2e/auth/schema.graphql
Expand Up @@ -27,6 +27,7 @@ type User @auth(
}

type Tweets @auth (
query: { rule: "{$ROLE: { eq: \"admin\" } }"},
add: { rule: "{$USER: { eq: \"foo\" } }"},
delete: { rule: "{$USER: { eq: \"foo\" } }"},
update: { rule: "{$USER: { eq: \"foo\" } }"}