fix(GraphQL): Hide info when performing mutation on id field with aut…

…h rule. (#6391) * Hide info when performing mutation on id field with auth rule. (cherry picked from commit 5c33428)
dgraph-io · Sep 21, 2020 · 5a3266d · 5a3266d
1 parent 302afc3
commit 5a3266d
Show file tree

Hide file tree

Showing 9 changed files with 161 additions and 61 deletions.
diff --git a/graphql/e2e/auth/add_mutation_test.go b/graphql/e2e/auth/add_mutation_test.go
@@ -146,7 +146,7 @@ func TestAddDeepFilter(t *testing.T) {
 				Name: "project_add_2",
 				Roles: []*Role{{
 					Permission: "ADMIN",
-					AssignedTo: []*User{{
+					AssignedTo: []*common.User{{
 						Username: "user2",
 					}},
 				}},
@@ -162,12 +162,12 @@ func TestAddDeepFilter(t *testing.T) {
 				Name: "project_add_4",
 				Roles: []*Role{{
 					Permission: "ADMIN",
-					AssignedTo: []*User{{
+					AssignedTo: []*common.User{{
 						Username: "user6",
 					}},
 				}, {
 					Permission: "VIEW",
-					AssignedTo: []*User{{
+					AssignedTo: []*common.User{{
 						Username: "user6",
 					}},
 				}},
@@ -212,7 +212,7 @@ func TestAddDeepFilter(t *testing.T) {
 
 		err := json.Unmarshal([]byte(tcase.result), &expected)
 		require.NoError(t, err)
-		err = json.Unmarshal([]byte(gqlResponse.Data), &result)
+		err = json.Unmarshal(gqlResponse.Data, &result)
 		require.NoError(t, err)
 
 		opt := cmpopts.IgnoreFields(Column{}, "ColID")
@@ -249,7 +249,7 @@ func TestAddOrRBACFilter(t *testing.T) {
 			Name: "project_add_2",
 			Roles: []*Role{{
 				Permission: "ADMIN",
-				AssignedTo: []*User{{
+				AssignedTo: []*common.User{{
 					Username: "user2",
 				}},
 			}},
@@ -262,12 +262,12 @@ func TestAddOrRBACFilter(t *testing.T) {
 			Name: "project_add_3",
 			Roles: []*Role{{
 				Permission: "ADMIN",
-				AssignedTo: []*User{{
+				AssignedTo: []*common.User{{
 					Username: "user7",
 				}},
 			}, {
 				Permission: "VIEW",
-				AssignedTo: []*User{{
+				AssignedTo: []*common.User{{
 					Username: "user7",
 				}},
 			}},
@@ -308,7 +308,7 @@ func TestAddOrRBACFilter(t *testing.T) {
 
 		err := json.Unmarshal([]byte(tcase.result), &expected)
 		require.NoError(t, err)
-		err = json.Unmarshal([]byte(gqlResponse.Data), &result)
+		err = json.Unmarshal(gqlResponse.Data, &result)
 		require.NoError(t, err)
 
 		opt := cmpopts.IgnoreFields(Project{}, "ProjID")
@@ -329,27 +329,27 @@ func TestAddAndRBACFilterMultiple(t *testing.T) {
 		result: `{"addIssue": {"issue":[{"msg":"issue_add_5"}, {"msg":"issue_add_6"}, {"msg":"issue_add_7"}]}}`,
 		variables: map[string]interface{}{"issues": []*Issue{{
 			Msg:   "issue_add_5",
-			Owner: &User{Username: "user8"},
+			Owner: &common.User{Username: "user8"},
 		}, {
 			Msg:   "issue_add_6",
-			Owner: &User{Username: "user8"},
+			Owner: &common.User{Username: "user8"},
 		}, {
 			Msg:   "issue_add_7",
-			Owner: &User{Username: "user8"},
+			Owner: &common.User{Username: "user8"},
 		}}},
 	}, {
 		user:   "user8",
 		role:   "ADMIN",
 		result: ``,
 		variables: map[string]interface{}{"issues": []*Issue{{
 			Msg:   "issue_add_8",
-			Owner: &User{Username: "user8"},
+			Owner: &common.User{Username: "user8"},
 		}, {
 			Msg:   "issue_add_9",
-			Owner: &User{Username: "user8"},
+			Owner: &common.User{Username: "user8"},
 		}, {
 			Msg:   "issue_add_10",
-			Owner: &User{Username: "user9"},
+			Owner: &common.User{Username: "user9"},
 		}}},
 	}}
 
@@ -386,7 +386,7 @@ func TestAddAndRBACFilterMultiple(t *testing.T) {
 
 		err := json.Unmarshal([]byte(tcase.result), &expected)
 		require.NoError(t, err)
-		err = json.Unmarshal([]byte(gqlResponse.Data), &result)
+		err = json.Unmarshal(gqlResponse.Data, &result)
 		require.NoError(t, err)
 
 		opt := cmpopts.IgnoreFields(Issue{}, "Id")
@@ -407,23 +407,23 @@ func TestAddAndRBACFilter(t *testing.T) {
 		result: `{"addIssue": {"issue":[{"msg":"issue_add_1"}]}}`,
 		variables: map[string]interface{}{"issue": &Issue{
 			Msg:   "issue_add_1",
-			Owner: &User{Username: "user7"},
+			Owner: &common.User{Username: "user7"},
 		}},
 	}, {
 		user:   "user7",
 		role:   "ADMIN",
 		result: ``,
 		variables: map[string]interface{}{"issue": &Issue{
 			Msg:   "issue_add_2",
-			Owner: &User{Username: "user8"},
+			Owner: &common.User{Username: "user8"},
 		}},
 	}, {
 		user:   "user7",
 		role:   "USER",
 		result: ``,
 		variables: map[string]interface{}{"issue": &Issue{
 			Msg:   "issue_add_3",
-			Owner: &User{Username: "user7"},
+			Owner: &common.User{Username: "user7"},
 		}},
 	}}
 
@@ -460,7 +460,7 @@ func TestAddAndRBACFilter(t *testing.T) {
 
 		err := json.Unmarshal([]byte(tcase.result), &expected)
 		require.NoError(t, err)
-		err = json.Unmarshal([]byte(gqlResponse.Data), &result)
+		err = json.Unmarshal(gqlResponse.Data, &result)
 		require.NoError(t, err)
 
 		opt := cmpopts.IgnoreFields(Issue{}, "Id")
@@ -522,7 +522,7 @@ func TestAddComplexFilter(t *testing.T) {
 			RegionsAvailable: []*Region{{
 				Name:   "add_region_2",
 				Global: false,
-				Users: []*User{{
+				Users: []*common.User{{
 					Username: "user8",
 				}},
 			}},
@@ -563,7 +563,7 @@ func TestAddComplexFilter(t *testing.T) {
 
 		err := json.Unmarshal([]byte(tcase.result), &expected)
 		require.NoError(t, err)
-		err = json.Unmarshal([]byte(gqlResponse.Data), &result)
+		err = json.Unmarshal(gqlResponse.Data, &result)
 		require.NoError(t, err)
 
 		opt := cmpopts.IgnoreFields(Movie{}, "Id")
@@ -628,7 +628,7 @@ func TestAddRBACFilter(t *testing.T) {
 
 		err := json.Unmarshal([]byte(tcase.result), &expected)
 		require.NoError(t, err)
-		err = json.Unmarshal([]byte(gqlResponse.Data), &result)
+		err = json.Unmarshal(gqlResponse.Data, &result)
 		require.NoError(t, err)
 
 		opt := cmpopts.IgnoreFields(Log{}, "Id")

diff --git a/graphql/e2e/auth/auth_test.go b/graphql/e2e/auth/auth_test.go
@@ -43,31 +43,11 @@ var (
 	metaInfo *testutil.AuthMeta
 )
 
-type Tweets struct {
-	Id        string `json:"id,omitempty"`
-	Text      string `json:"text,omitempty"`
-	Timestamp string `json:"timestamp,omitempty"`
-	User      User   `json:"user,omitempty"`
-}
-
-type User struct {
-	Username string `json:"username,omitempty"`
-	Age      uint64 `json:"age,omitempty"`
-	IsPublic bool   `json:"isPublic,omitempty"`
-	Disabled bool   `json:"disabled,omitempty"`
-}
-
-type UserSecret struct {
-	Id      string `json:"id,omitempty"`
-	ASecret string `json:"aSecret,omitempty"`
-	OwnedBy string `json:"ownedBy,omitempty"`
-}
-
 type Region struct {
-	Id     string  `json:"id,omitempty"`
-	Name   string  `json:"name,omitempty"`
-	Users  []*User `json:"users,omitempty"`
-	Global bool    `json:"global,omitempty"`
+	Id     string         `json:"id,omitempty"`
+	Name   string         `json:"name,omitempty"`
+	Users  []*common.User `json:"users,omitempty"`
+	Global bool           `json:"global,omitempty"`
 }
 
 type Movie struct {
@@ -78,9 +58,9 @@ type Movie struct {
 }
 
 type Issue struct {
-	Id    string `json:"id,omitempty"`
-	Msg   string `json:"msg,omitempty"`
-	Owner *User  `json:"owner,omitempty"`
+	Id    string       `json:"id,omitempty"`
+	Msg   string       `json:"msg,omitempty"`
+	Owner *common.User `json:"owner,omitempty"`
 }
 
 type Log struct {
@@ -96,16 +76,16 @@ type ComplexLog struct {
 }
 
 type Role struct {
-	Id         string  `json:"id,omitempty"`
-	Permission string  `json:"permission,omitempty"`
-	AssignedTo []*User `json:"assignedTo,omitempty"`
+	Id         string         `json:"id,omitempty"`
+	Permission string         `json:"permission,omitempty"`
+	AssignedTo []*common.User `json:"assignedTo,omitempty"`
 }
 
 type Ticket struct {
-	Id         string  `json:"id,omitempty"`
-	OnColumn   *Column `json:"onColumn,omitempty"`
-	Title      string  `json:"title,omitempty"`
-	AssignedTo []*User `json:"assignedTo,omitempty"`
+	Id         string         `json:"id,omitempty"`
+	OnColumn   *Column        `json:"onColumn,omitempty"`
+	Title      string         `json:"title,omitempty"`
+	AssignedTo []*common.User `json:"assignedTo,omitempty"`
 }
 
 type Column struct {
@@ -306,6 +286,42 @@ func (s Student) add(t *testing.T) {
 	require.JSONEq(t, result, string(gqlResponse.Data))
 }
 
+func TestAddMutationWithXid(t *testing.T) {
+	mutation := `
+	mutation addTweets($tweet: AddTweetsInput!){
+      addTweets(input: [$tweet]) {
+        numUids
+      }
+    }
+	`
+
+	tweet := common.Tweets{
+		Id:        "tweet1",
+		Text:      "abc",
+		Timestamp: "2020-10-10",
+	}
+	user := "foo"
+	addTweetsParams := &common.GraphQLParams{
+		Headers:   common.GetJWT(t, user, "", metaInfo),
+		Query:     mutation,
+		Variables: map[string]interface{}{"tweet": tweet},
+	}
+
+	// Add the tweet for the first time.
+	gqlResponse := addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
+	require.Nil(t, gqlResponse.Errors)
+
+	// Re-adding the tweet should fail.
+	gqlResponse = addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
+	require.Error(t, gqlResponse.Errors)
+	require.Equal(t, len(gqlResponse.Errors), 1)
+	require.Contains(t, gqlResponse.Errors[0].Error(),
+		"GraphQL debug: id already exists for type Tweets")
+
+	// Clear the tweet.
+	tweet.DeleteByID(t, user, metaInfo)
+}
+
 func TestAuthWithDgraphDirective(t *testing.T) {
 	students := []Student{
 		{

diff --git a/graphql/e2e/auth/debug_off/debug_off_test.go b/graphql/e2e/auth/debug_off/debug_off_test.go
@@ -89,6 +89,39 @@ func TestAddGQL(t *testing.T) {
 	}
 }
 
+func TestAddMutationWithXid(t *testing.T) {
+	mutation := `
+	mutation addTweets($tweet: AddTweetsInput!){
+      addTweets(input: [$tweet]) {
+        numUids
+      }
+    }
+	`
+
+	tweet := common.Tweets{
+		Id:        "tweet1",
+		Text:      "abc",
+		Timestamp: "2020-10-10",
+	}
+	user := "foo"
+	addTweetsParams := &common.GraphQLParams{
+		Headers:   common.GetJWT(t, user, "", metaInfo),
+		Query:     mutation,
+		Variables: map[string]interface{}{"tweet": tweet},
+	}
+
+	// Add the tweet for the first time.
+	gqlResponse := addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
+	require.Nil(t, gqlResponse.Errors)
+
+	// Re-adding the tweet should fail.
+	gqlResponse = addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
+	require.Nil(t, gqlResponse.Errors)
+
+	// Clear the tweet.
+	tweet.DeleteByID(t, user, metaInfo)
+}
+
 func TestMain(m *testing.M) {
 	schemaFile := "../schema.graphql"
 	schema, err := ioutil.ReadFile(schemaFile)

diff --git a/graphql/e2e/auth/delete_mutation_test.go b/graphql/e2e/auth/delete_mutation_test.go
@@ -374,11 +374,11 @@ func TestDeleteRBACRuleInverseField(t *testing.T) {
 	addTweetsParams := &common.GraphQLParams{
 		Headers: getJWT(t, "foo", ""),
 		Query:   mutation,
-		Variables: map[string]interface{}{"tweet": Tweets{
+		Variables: map[string]interface{}{"tweet": common.Tweets{
 			Id:        "tweet1",
 			Text:      "abc",
 			Timestamp: "2020-10-10",
-			User: User{
+			User: &common.User{
 				Username: "foo",
 			},
 		}},
@@ -390,10 +390,12 @@ func TestDeleteRBACRuleInverseField(t *testing.T) {
 	testCases := []TestCase{
 		{
 			user:   "foobar",
+			role:   "admin",
 			result: `{"deleteTweets":{"numUids":0,"tweets":[]}}`,
 		},
 		{
 			user:   "foo",
+			role:   "admin",
 			result: `{"deleteTweets":{"numUids":1,"tweets":[ {"text": "abc"}]}}`,
 		},
 	}

diff --git a/graphql/e2e/auth/schema.graphql b/graphql/e2e/auth/schema.graphql
@@ -27,6 +27,7 @@ type User @auth(
 }
 
 type Tweets @auth (
+    query: { rule: "{$ROLE: { eq: \"admin\" } }"},
     add: { rule: "{$USER: { eq: \"foo\" } }"},
     delete: { rule: "{$USER: { eq: \"foo\" } }"},
     update: { rule: "{$USER: { eq: \"foo\" } }"}