fix(GraphQL): Hide info when performing mutation on id field with auth rule. (#6391)

* Hide info when performing mutation on id field with auth rule.
Arijit Das authored Sep 14, 2020
1 parent afeea49 commit 5c33428
Showing 10 changed files with 160 additions and 124 deletions.
44 changes: 22 additions & 22 deletions graphql/e2e/auth/add_mutation_test.go
Expand Up @@ -130,7 +130,7 @@ func TestAddDeepFilter(t *testing.T) {
Name: "project_add_2",
Roles: []*Role{{
Permission: "ADMIN",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user2",
}},
}},
Expand All @@ -146,12 +146,12 @@ func TestAddDeepFilter(t *testing.T) {
Name: "project_add_4",
Roles: []*Role{{
Permission: "ADMIN",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user6",
}},
}, {
Permission: "VIEW",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user6",
}},
}},
Expand Down Expand Up @@ -197,7 +197,7 @@ func TestAddDeepFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Column{}, "ColID")
Expand Down Expand Up @@ -234,7 +234,7 @@ func TestAddOrRBACFilter(t *testing.T) {
Name: "project_add_2",
Roles: []*Role{{
Permission: "ADMIN",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user2",
}},
}},
Expand All @@ -247,12 +247,12 @@ func TestAddOrRBACFilter(t *testing.T) {
Name: "project_add_3",
Roles: []*Role{{
Permission: "ADMIN",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user7",
}},
}, {
Permission: "VIEW",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user7",
}},
}},
Expand Down Expand Up @@ -294,7 +294,7 @@ func TestAddOrRBACFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Project{}, "ProjID")
Expand All @@ -315,27 +315,27 @@ func TestAddAndRBACFilterMultiple(t *testing.T) {
result: `{"addIssue": {"issue":[{"msg":"issue_add_5"}, {"msg":"issue_add_6"}, {"msg":"issue_add_7"}]}}`,
variables: map[string]interface{}{"issues": []*Issue{{
Msg: "issue_add_5",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}, {
Msg: "issue_add_6",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}, {
Msg: "issue_add_7",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}}},
}, {
user: "user8",
role: "ADMIN",
result: ``,
variables: map[string]interface{}{"issues": []*Issue{{
Msg: "issue_add_8",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}, {
Msg: "issue_add_9",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}, {
Msg: "issue_add_10",
Owner: &User{Username: "user9"},
Owner: &common.User{Username: "user9"},
}}},
}}

Expand Down Expand Up @@ -373,7 +373,7 @@ func TestAddAndRBACFilterMultiple(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Issue{}, "Id")
Expand All @@ -394,23 +394,23 @@ func TestAddAndRBACFilter(t *testing.T) {
result: `{"addIssue": {"issue":[{"msg":"issue_add_1"}]}}`,
variables: map[string]interface{}{"issue": &Issue{
Msg: "issue_add_1",
Owner: &User{Username: "user7"},
Owner: &common.User{Username: "user7"},
}},
}, {
user: "user7",
role: "ADMIN",
result: ``,
variables: map[string]interface{}{"issue": &Issue{
Msg: "issue_add_2",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}},
}, {
user: "user7",
role: "USER",
result: ``,
variables: map[string]interface{}{"issue": &Issue{
Msg: "issue_add_3",
Owner: &User{Username: "user7"},
Owner: &common.User{Username: "user7"},
}},
}}

Expand Down Expand Up @@ -448,7 +448,7 @@ func TestAddAndRBACFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Issue{}, "Id")
Expand Down Expand Up @@ -510,7 +510,7 @@ func TestAddComplexFilter(t *testing.T) {
RegionsAvailable: []*Region{{
Name: "add_region_2",
Global: false,
Users: []*User{{
Users: []*common.User{{
Username: "user8",
}},
}},
Expand Down Expand Up @@ -552,7 +552,7 @@ func TestAddComplexFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Movie{}, "Id")
Expand Down Expand Up @@ -618,7 +618,7 @@ func TestAddRBACFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Log{}, "Id")
78 changes: 50 additions & 28 deletions graphql/e2e/auth/auth_test.go
Expand Up @@ -41,25 +41,11 @@ var (
metaInfo *testutil.AuthMeta
)

type Tweets struct {
Id string `json:"id,omitempty"`
Text string `json:"text,omitempty"`
Timestamp string `json:"timestamp,omitempty"`
User User `json:"user,omitempty"`
}

type User struct {
Username string `json:"username,omitempty"`
Age uint64 `json:"age,omitempty"`
IsPublic bool `json:"isPublic,omitempty"`
Disabled bool `json:"disabled,omitempty"`
}

type Region struct {
Id string `json:"id,omitempty"`
Name string `json:"name,omitempty"`
Users []*User `json:"users,omitempty"`
Global bool `json:"global,omitempty"`
Id string `json:"id,omitempty"`
Name string `json:"name,omitempty"`
Users []*common.User `json:"users,omitempty"`
Global bool `json:"global,omitempty"`
}

type Movie struct {
Expand All @@ -70,9 +56,9 @@ type Movie struct {
}

type Issue struct {
Id string `json:"id,omitempty"`
Msg string `json:"msg,omitempty"`
Owner *User `json:"owner,omitempty"`
Id string `json:"id,omitempty"`
Msg string `json:"msg,omitempty"`
Owner *common.User `json:"owner,omitempty"`
}

type Log struct {
Expand All @@ -88,16 +74,16 @@ type ComplexLog struct {
}

type Role struct {
Id string `json:"id,omitempty"`
Permission string `json:"permission,omitempty"`
AssignedTo []*User `json:"assignedTo,omitempty"`
Id string `json:"id,omitempty"`
Permission string `json:"permission,omitempty"`
AssignedTo []*common.User `json:"assignedTo,omitempty"`
}

type Ticket struct {
Id string `json:"id,omitempty"`
OnColumn *Column `json:"onColumn,omitempty"`
Title string `json:"title,omitempty"`
AssignedTo []*User `json:"assignedTo,omitempty"`
Id string `json:"id,omitempty"`
OnColumn *Column `json:"onColumn,omitempty"`
Title string `json:"title,omitempty"`
AssignedTo []*common.User `json:"assignedTo,omitempty"`
}

type Column struct {
Expand Down Expand Up @@ -280,6 +266,42 @@ func (s Student) add(t *testing.T) {
require.JSONEq(t, result, string(gqlResponse.Data))
}

func TestAddMutationWithXid(t *testing.T) {
mutation := `
mutation addTweets($tweet: AddTweetsInput!){
addTweets(input: [$tweet]) {
numUids
}
}
`

tweet := common.Tweets{
Id: "tweet1",
Text: "abc",
Timestamp: "2020-10-10",
}
user := "foo"
addTweetsParams := &common.GraphQLParams{
Headers: common.GetJWT(t, user, "", metaInfo),
Query: mutation,
Variables: map[string]interface{}{"tweet": tweet},
}

// Add the tweet for the first time.
gqlResponse := addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
require.Nil(t, gqlResponse.Errors)

// Re-adding the tweet should fail.
gqlResponse = addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
require.Error(t, gqlResponse.Errors)
require.Equal(t, len(gqlResponse.Errors), 1)
require.Contains(t, gqlResponse.Errors[0].Error(),
"GraphQL debug: id already exists for type Tweets")

// Clear the tweet.
tweet.DeleteByID(t, user, metaInfo)
}

func TestAuthWithDgraphDirective(t *testing.T) {
students := []Student{
{
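Review bot: TestAddMutationWithXid only tears down on the happy path: the `tweet.DeleteByID` call on its last line is skipped when any earlier require fails, and "tweet1" is the same id TestDeleteRBACRuleInverseField inserts, so one failure can cascade into another test. Register the cleanup right after the tweet is built, `t.Cleanup(func() { tweet.DeleteByID(t, user, metaInfo) })`, and drop the trailing call. The first add asserts only that Errors is nil; checking the body, e.g. `require.JSONEq(t, "{\"addTweets\":{\"numUids\":1}}", string(gqlResponse.Data))` (1 presumed — confirm), would pin that a node was actually written before the duplicate is attempted. The assertion on the "GraphQL debug: id already exists" message documents that, with debug on, the existence of an id the caller apparently cannot read (the JWT carries no role, and the Tweets query rule in schema.graphql requires admin) is disclosed — a one-line comment saying this is deliberate and debug-only would keep that from being treated as a leak. `require.Equal` takes expected before actual, so `require.Equal(t, 1, len(gqlResponse.Errors))` or simply `require.Len(t, gqlResponse.Errors, 1)`.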
33 changes: 33 additions & 0 deletions graphql/e2e/auth/debug_off/debugoff_test.go
Expand Up @@ -89,6 +89,39 @@ func TestAddGQL(t *testing.T) {
}
}

func TestAddMutationWithXid(t *testing.T) {
mutation := `
mutation addTweets($tweet: AddTweetsInput!){
addTweets(input: [$tweet]) {
numUids
}
}
`

tweet := common.Tweets{
Id: "tweet1",
Text: "abc",
Timestamp: "2020-10-10",
}
user := "foo"
addTweetsParams := &common.GraphQLParams{
Headers: common.GetJWT(t, user, "", metaInfo),
Query: mutation,
Variables: map[string]interface{}{"tweet": tweet},
}

// Add the tweet for the first time.
gqlResponse := addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
require.Nil(t, gqlResponse.Errors)

// Re-adding the tweet should fail.
gqlResponse = addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
require.Nil(t, gqlResponse.Errors)

// Clear the tweet.
tweet.DeleteByID(t, user, metaInfo)
}

func TestMain(m *testing.M) {
schemaFile := "../schema.graphql"
schema, err := ioutil.ReadFile(schemaFile)
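Review bot: The comment on the re-add (`// Re-adding the tweet should fail.`) contradicts the assertion under it, which requires Errors to be nil, and nothing inspects the response body, so the test cannot tell a hidden duplicate-id error from a second Tweets node being created. Reword the comment to `// Re-adding the tweet must not reveal that the id exists: with debug off no error is returned, so only the body shows nothing was written.` and assert the data, e.g. `require.JSONEq(t, "{\"addTweets\":{\"numUids\":0}}", string(gqlResponse.Data))` (0 presumed — confirm against the server). As in the debug-mode twin in auth_test.go, the trailing `tweet.DeleteByID` is skipped when an earlier require fails; `t.Cleanup(func() { tweet.DeleteByID(t, user, metaInfo) })` right after the tweet is built makes the teardown unconditional.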
6 changes: 4 additions & 2 deletions graphql/e2e/auth/delete_mutation_test.go
Expand Up @@ -374,11 +374,11 @@ func TestDeleteRBACRuleInverseField(t *testing.T) {
addTweetsParams := &common.GraphQLParams{
Headers: common.GetJWT(t, "foo", "", metaInfo),
Query: mutation,
Variables: map[string]interface{}{"tweet": Tweets{
Variables: map[string]interface{}{"tweet": common.Tweets{
Id: "tweet1",
Text: "abc",
Timestamp: "2020-10-10",
User: User{
User: &common.User{
Username: "foo",
},
}},
Expand All @@ -390,10 +390,12 @@ func TestDeleteRBACRuleInverseField(t *testing.T) {
testCases := []TestCase{
{
user: "foobar",
role: "admin",
result: `{"deleteTweets":{"numUids":0,"tweets":[]}}`,
},
{
user: "foo",
role: "admin",
result: `{"deleteTweets":{"numUids":1,"tweets":[ {"text": "abc"}]}}`,
},
}
1 change: 1 addition & 0 deletions graphql/e2e/auth/schema.graphql
Expand Up @@ -27,6 +27,7 @@ type User @auth(
}

type Tweets @auth (
query: { rule: "{$ROLE: { eq: \"admin\" } }"},
add: { rule: "{$USER: { eq: \"foo\" } }"},
delete: { rule: "{$USER: { eq: \"foo\" } }"},
update: { rule: "{$USER: { eq: \"foo\" } }"}
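Review bot: The new `query` rule on Tweets is undocumented, and nothing in the schema says why a type whose add/delete/update rules key on $USER gets a role-based read rule. The e2e tests add "tweet1" with a JWT that carries no role (auth_test.go and debugoff_test.go), so this rule appears to be what makes the existing-id lookup unauthorised for the adding user and exercises the hidden-information path; a comment would stop someone relaxing it later, e.g. `# query is restricted to admin on purpose: the duplicate-xid tests rely on the adding user (no role) being unable to read Tweets.` The rest of the Tweets type and the User rule above it are outside the hunk.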
