Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(GraphQL): Hide info when performing mutation on id field with auth rule. (#6391) #6534

Merged
merged 3 commits into from
Sep 21, 2020
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 22 additions & 22 deletions graphql/e2e/auth/add_mutation_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -146,7 +146,7 @@ func TestAddDeepFilter(t *testing.T) {
Name: "project_add_2",
Roles: []*Role{{
Permission: "ADMIN",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user2",
}},
}},
Expand All @@ -162,12 +162,12 @@ func TestAddDeepFilter(t *testing.T) {
Name: "project_add_4",
Roles: []*Role{{
Permission: "ADMIN",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user6",
}},
}, {
Permission: "VIEW",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user6",
}},
}},
Expand Down Expand Up @@ -212,7 +212,7 @@ func TestAddDeepFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Column{}, "ColID")
Expand Down Expand Up @@ -249,7 +249,7 @@ func TestAddOrRBACFilter(t *testing.T) {
Name: "project_add_2",
Roles: []*Role{{
Permission: "ADMIN",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user2",
}},
}},
Expand All @@ -262,12 +262,12 @@ func TestAddOrRBACFilter(t *testing.T) {
Name: "project_add_3",
Roles: []*Role{{
Permission: "ADMIN",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user7",
}},
}, {
Permission: "VIEW",
AssignedTo: []*User{{
AssignedTo: []*common.User{{
Username: "user7",
}},
}},
Expand Down Expand Up @@ -308,7 +308,7 @@ func TestAddOrRBACFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Project{}, "ProjID")
Expand All @@ -329,27 +329,27 @@ func TestAddAndRBACFilterMultiple(t *testing.T) {
result: `{"addIssue": {"issue":[{"msg":"issue_add_5"}, {"msg":"issue_add_6"}, {"msg":"issue_add_7"}]}}`,
variables: map[string]interface{}{"issues": []*Issue{{
Msg: "issue_add_5",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}, {
Msg: "issue_add_6",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}, {
Msg: "issue_add_7",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}}},
}, {
user: "user8",
role: "ADMIN",
result: ``,
variables: map[string]interface{}{"issues": []*Issue{{
Msg: "issue_add_8",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}, {
Msg: "issue_add_9",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}, {
Msg: "issue_add_10",
Owner: &User{Username: "user9"},
Owner: &common.User{Username: "user9"},
}}},
}}

Expand Down Expand Up @@ -386,7 +386,7 @@ func TestAddAndRBACFilterMultiple(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Issue{}, "Id")
Expand All @@ -407,23 +407,23 @@ func TestAddAndRBACFilter(t *testing.T) {
result: `{"addIssue": {"issue":[{"msg":"issue_add_1"}]}}`,
variables: map[string]interface{}{"issue": &Issue{
Msg: "issue_add_1",
Owner: &User{Username: "user7"},
Owner: &common.User{Username: "user7"},
}},
}, {
user: "user7",
role: "ADMIN",
result: ``,
variables: map[string]interface{}{"issue": &Issue{
Msg: "issue_add_2",
Owner: &User{Username: "user8"},
Owner: &common.User{Username: "user8"},
}},
}, {
user: "user7",
role: "USER",
result: ``,
variables: map[string]interface{}{"issue": &Issue{
Msg: "issue_add_3",
Owner: &User{Username: "user7"},
Owner: &common.User{Username: "user7"},
}},
}}

Expand Down Expand Up @@ -460,7 +460,7 @@ func TestAddAndRBACFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Issue{}, "Id")
Expand Down Expand Up @@ -522,7 +522,7 @@ func TestAddComplexFilter(t *testing.T) {
RegionsAvailable: []*Region{{
Name: "add_region_2",
Global: false,
Users: []*User{{
Users: []*common.User{{
Username: "user8",
}},
}},
Expand Down Expand Up @@ -563,7 +563,7 @@ func TestAddComplexFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Movie{}, "Id")
Expand Down Expand Up @@ -628,7 +628,7 @@ func TestAddRBACFilter(t *testing.T) {

err := json.Unmarshal([]byte(tcase.result), &expected)
require.NoError(t, err)
err = json.Unmarshal([]byte(gqlResponse.Data), &result)
err = json.Unmarshal(gqlResponse.Data, &result)
require.NoError(t, err)

opt := cmpopts.IgnoreFields(Log{}, "Id")
Expand Down
84 changes: 50 additions & 34 deletions graphql/e2e/auth/auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,31 +43,11 @@ var (
metaInfo *testutil.AuthMeta
)

type Tweets struct {
Id string `json:"id,omitempty"`
Text string `json:"text,omitempty"`
Timestamp string `json:"timestamp,omitempty"`
User User `json:"user,omitempty"`
}

type User struct {
Username string `json:"username,omitempty"`
Age uint64 `json:"age,omitempty"`
IsPublic bool `json:"isPublic,omitempty"`
Disabled bool `json:"disabled,omitempty"`
}

type UserSecret struct {
Id string `json:"id,omitempty"`
ASecret string `json:"aSecret,omitempty"`
OwnedBy string `json:"ownedBy,omitempty"`
}

type Region struct {
Id string `json:"id,omitempty"`
Name string `json:"name,omitempty"`
Users []*User `json:"users,omitempty"`
Global bool `json:"global,omitempty"`
Id string `json:"id,omitempty"`
Name string `json:"name,omitempty"`
Users []*common.User `json:"users,omitempty"`
Global bool `json:"global,omitempty"`
}

type Movie struct {
Expand All @@ -78,9 +58,9 @@ type Movie struct {
}

type Issue struct {
Id string `json:"id,omitempty"`
Msg string `json:"msg,omitempty"`
Owner *User `json:"owner,omitempty"`
Id string `json:"id,omitempty"`
Msg string `json:"msg,omitempty"`
Owner *common.User `json:"owner,omitempty"`
}

type Log struct {
Expand All @@ -96,16 +76,16 @@ type ComplexLog struct {
}

type Role struct {
Id string `json:"id,omitempty"`
Permission string `json:"permission,omitempty"`
AssignedTo []*User `json:"assignedTo,omitempty"`
Id string `json:"id,omitempty"`
Permission string `json:"permission,omitempty"`
AssignedTo []*common.User `json:"assignedTo,omitempty"`
}

type Ticket struct {
Id string `json:"id,omitempty"`
OnColumn *Column `json:"onColumn,omitempty"`
Title string `json:"title,omitempty"`
AssignedTo []*User `json:"assignedTo,omitempty"`
Id string `json:"id,omitempty"`
OnColumn *Column `json:"onColumn,omitempty"`
Title string `json:"title,omitempty"`
AssignedTo []*common.User `json:"assignedTo,omitempty"`
}

type Column struct {
Expand Down Expand Up @@ -306,6 +286,42 @@ func (s Student) add(t *testing.T) {
require.JSONEq(t, result, string(gqlResponse.Data))
}

func TestAddMutationWithXid(t *testing.T) {
mutation := `
mutation addTweets($tweet: AddTweetsInput!){
addTweets(input: [$tweet]) {
numUids
}
}
`

tweet := common.Tweets{
Id: "tweet1",
Text: "abc",
Timestamp: "2020-10-10",
}
user := "foo"
addTweetsParams := &common.GraphQLParams{
Headers: common.GetJWT(t, user, "", metaInfo),
Query: mutation,
Variables: map[string]interface{}{"tweet": tweet},
}

// Add the tweet for the first time.
gqlResponse := addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
require.Nil(t, gqlResponse.Errors)

// Re-adding the tweet should fail.
gqlResponse = addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
require.Error(t, gqlResponse.Errors)
require.Equal(t, len(gqlResponse.Errors), 1)
require.Contains(t, gqlResponse.Errors[0].Error(),
"GraphQL debug: id already exists for type Tweets")

// Clear the tweet.
tweet.DeleteByID(t, user, metaInfo)
}

func TestAuthWithDgraphDirective(t *testing.T) {
students := []Student{
{
Expand Down
33 changes: 33 additions & 0 deletions graphql/e2e/auth/debug_off/debug_off_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,39 @@ func TestAddGQL(t *testing.T) {
}
}

func TestAddMutationWithXid(t *testing.T) {
mutation := `
mutation addTweets($tweet: AddTweetsInput!){
addTweets(input: [$tweet]) {
numUids
}
}
`

tweet := common.Tweets{
Id: "tweet1",
Text: "abc",
Timestamp: "2020-10-10",
}
user := "foo"
addTweetsParams := &common.GraphQLParams{
Headers: common.GetJWT(t, user, "", metaInfo),
Query: mutation,
Variables: map[string]interface{}{"tweet": tweet},
}

// Add the tweet for the first time.
gqlResponse := addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
require.Nil(t, gqlResponse.Errors)

// Re-adding the tweet should fail.
gqlResponse = addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
require.Nil(t, gqlResponse.Errors)

// Clear the tweet.
tweet.DeleteByID(t, user, metaInfo)
}

func TestMain(m *testing.M) {
schemaFile := "../schema.graphql"
schema, err := ioutil.ReadFile(schemaFile)
Expand Down
6 changes: 4 additions & 2 deletions graphql/e2e/auth/delete_mutation_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -374,11 +374,11 @@ func TestDeleteRBACRuleInverseField(t *testing.T) {
addTweetsParams := &common.GraphQLParams{
Headers: getJWT(t, "foo", ""),
Query: mutation,
Variables: map[string]interface{}{"tweet": Tweets{
Variables: map[string]interface{}{"tweet": common.Tweets{
Id: "tweet1",
Text: "abc",
Timestamp: "2020-10-10",
User: User{
User: &common.User{
Username: "foo",
},
}},
Expand All @@ -390,10 +390,12 @@ func TestDeleteRBACRuleInverseField(t *testing.T) {
testCases := []TestCase{
{
user: "foobar",
role: "admin",
result: `{"deleteTweets":{"numUids":0,"tweets":[]}}`,
},
{
user: "foo",
role: "admin",
result: `{"deleteTweets":{"numUids":1,"tweets":[ {"text": "abc"}]}}`,
},
}
Expand Down
1 change: 1 addition & 0 deletions graphql/e2e/auth/schema.graphql
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ type User @auth(
}

type Tweets @auth (
query: { rule: "{$ROLE: { eq: \"admin\" } }"},
add: { rule: "{$USER: { eq: \"foo\" } }"},
delete: { rule: "{$USER: { eq: \"foo\" } }"},
update: { rule: "{$USER: { eq: \"foo\" } }"}
Expand Down
Loading