fix(GraphQL): Hide info when performing mutation on id field with aut…

…h rule. (#6391) * Hide info when performing mutation on id field with auth rule.
dgraph-io · Sep 14, 2020 · 5c33428 · 5c33428
1 parent afeea49
commit 5c33428
Show file tree

Hide file tree

Showing 10 changed files with 160 additions and 124 deletions.
diff --git a/graphql/e2e/auth/add_mutation_test.go b/graphql/e2e/auth/add_mutation_test.go
@@ -130,7 +130,7 @@ func TestAddDeepFilter(t *testing.T) {
 				Name: "project_add_2",
 				Roles: []*Role{{
 					Permission: "ADMIN",
-					AssignedTo: []*User{{
+					AssignedTo: []*common.User{{
 						Username: "user2",
 					}},
 				}},
@@ -146,12 +146,12 @@ func TestAddDeepFilter(t *testing.T) {
 				Name: "project_add_4",
 				Roles: []*Role{{
 					Permission: "ADMIN",
-					AssignedTo: []*User{{
+					AssignedTo: []*common.User{{
 						Username: "user6",
 					}},
 				}, {
 					Permission: "VIEW",
-					AssignedTo: []*User{{
+					AssignedTo: []*common.User{{
 						Username: "user6",
 					}},
 				}},
@@ -197,7 +197,7 @@ func TestAddDeepFilter(t *testing.T) {
 
 		err := json.Unmarshal([]byte(tcase.result), &expected)
 		require.NoError(t, err)
-		err = json.Unmarshal([]byte(gqlResponse.Data), &result)
+		err = json.Unmarshal(gqlResponse.Data, &result)
 		require.NoError(t, err)
 
 		opt := cmpopts.IgnoreFields(Column{}, "ColID")
@@ -234,7 +234,7 @@ func TestAddOrRBACFilter(t *testing.T) {
 			Name: "project_add_2",
 			Roles: []*Role{{
 				Permission: "ADMIN",
-				AssignedTo: []*User{{
+				AssignedTo: []*common.User{{
 					Username: "user2",
 				}},
 			}},
@@ -247,12 +247,12 @@ func TestAddOrRBACFilter(t *testing.T) {
 			Name: "project_add_3",
 			Roles: []*Role{{
 				Permission: "ADMIN",
-				AssignedTo: []*User{{
+				AssignedTo: []*common.User{{
 					Username: "user7",
 				}},
 			}, {
 				Permission: "VIEW",
-				AssignedTo: []*User{{
+				AssignedTo: []*common.User{{
 					Username: "user7",
 				}},
 			}},
@@ -294,7 +294,7 @@ func TestAddOrRBACFilter(t *testing.T) {
 
 		err := json.Unmarshal([]byte(tcase.result), &expected)
 		require.NoError(t, err)
-		err = json.Unmarshal([]byte(gqlResponse.Data), &result)
+		err = json.Unmarshal(gqlResponse.Data, &result)
 		require.NoError(t, err)
 
 		opt := cmpopts.IgnoreFields(Project{}, "ProjID")
@@ -315,27 +315,27 @@ func TestAddAndRBACFilterMultiple(t *testing.T) {
 		result: `{"addIssue": {"issue":[{"msg":"issue_add_5"}, {"msg":"issue_add_6"}, {"msg":"issue_add_7"}]}}`,
 		variables: map[string]interface{}{"issues": []*Issue{{
 			Msg:   "issue_add_5",
-			Owner: &User{Username: "user8"},
+			Owner: &common.User{Username: "user8"},
 		}, {
 			Msg:   "issue_add_6",
-			Owner: &User{Username: "user8"},
+			Owner: &common.User{Username: "user8"},
 		}, {
 			Msg:   "issue_add_7",
-			Owner: &User{Username: "user8"},
+			Owner: &common.User{Username: "user8"},
 		}}},
 	}, {
 		user:   "user8",
 		role:   "ADMIN",
 		result: ``,
 		variables: map[string]interface{}{"issues": []*Issue{{
 			Msg:   "issue_add_8",
-			Owner: &User{Username: "user8"},
+			Owner: &common.User{Username: "user8"},
 		}, {
 			Msg:   "issue_add_9",
-			Owner: &User{Username: "user8"},
+			Owner: &common.User{Username: "user8"},
 		}, {
 			Msg:   "issue_add_10",
-			Owner: &User{Username: "user9"},
+			Owner: &common.User{Username: "user9"},
 		}}},
 	}}
 
@@ -373,7 +373,7 @@ func TestAddAndRBACFilterMultiple(t *testing.T) {
 
 		err := json.Unmarshal([]byte(tcase.result), &expected)
 		require.NoError(t, err)
-		err = json.Unmarshal([]byte(gqlResponse.Data), &result)
+		err = json.Unmarshal(gqlResponse.Data, &result)
 		require.NoError(t, err)
 
 		opt := cmpopts.IgnoreFields(Issue{}, "Id")
@@ -394,23 +394,23 @@ func TestAddAndRBACFilter(t *testing.T) {
 		result: `{"addIssue": {"issue":[{"msg":"issue_add_1"}]}}`,
 		variables: map[string]interface{}{"issue": &Issue{
 			Msg:   "issue_add_1",
-			Owner: &User{Username: "user7"},
+			Owner: &common.User{Username: "user7"},
 		}},
 	}, {
 		user:   "user7",
 		role:   "ADMIN",
 		result: ``,
 		variables: map[string]interface{}{"issue": &Issue{
 			Msg:   "issue_add_2",
-			Owner: &User{Username: "user8"},
+			Owner: &common.User{Username: "user8"},
 		}},
 	}, {
 		user:   "user7",
 		role:   "USER",
 		result: ``,
 		variables: map[string]interface{}{"issue": &Issue{
 			Msg:   "issue_add_3",
-			Owner: &User{Username: "user7"},
+			Owner: &common.User{Username: "user7"},
 		}},
 	}}
 
@@ -448,7 +448,7 @@ func TestAddAndRBACFilter(t *testing.T) {
 
 		err := json.Unmarshal([]byte(tcase.result), &expected)
 		require.NoError(t, err)
-		err = json.Unmarshal([]byte(gqlResponse.Data), &result)
+		err = json.Unmarshal(gqlResponse.Data, &result)
 		require.NoError(t, err)
 
 		opt := cmpopts.IgnoreFields(Issue{}, "Id")
@@ -510,7 +510,7 @@ func TestAddComplexFilter(t *testing.T) {
 			RegionsAvailable: []*Region{{
 				Name:   "add_region_2",
 				Global: false,
-				Users: []*User{{
+				Users: []*common.User{{
 					Username: "user8",
 				}},
 			}},
@@ -552,7 +552,7 @@ func TestAddComplexFilter(t *testing.T) {
 
 		err := json.Unmarshal([]byte(tcase.result), &expected)
 		require.NoError(t, err)
-		err = json.Unmarshal([]byte(gqlResponse.Data), &result)
+		err = json.Unmarshal(gqlResponse.Data, &result)
 		require.NoError(t, err)
 
 		opt := cmpopts.IgnoreFields(Movie{}, "Id")
@@ -618,7 +618,7 @@ func TestAddRBACFilter(t *testing.T) {
 
 		err := json.Unmarshal([]byte(tcase.result), &expected)
 		require.NoError(t, err)
-		err = json.Unmarshal([]byte(gqlResponse.Data), &result)
+		err = json.Unmarshal(gqlResponse.Data, &result)
 		require.NoError(t, err)
 
 		opt := cmpopts.IgnoreFields(Log{}, "Id")

diff --git a/graphql/e2e/auth/auth_test.go b/graphql/e2e/auth/auth_test.go
@@ -41,25 +41,11 @@ var (
 	metaInfo *testutil.AuthMeta
 )
 
-type Tweets struct {
-	Id        string `json:"id,omitempty"`
-	Text      string `json:"text,omitempty"`
-	Timestamp string `json:"timestamp,omitempty"`
-	User      User   `json:"user,omitempty"`
-}
-
-type User struct {
-	Username string `json:"username,omitempty"`
-	Age      uint64 `json:"age,omitempty"`
-	IsPublic bool   `json:"isPublic,omitempty"`
-	Disabled bool   `json:"disabled,omitempty"`
-}
-
 type Region struct {
-	Id     string  `json:"id,omitempty"`
-	Name   string  `json:"name,omitempty"`
-	Users  []*User `json:"users,omitempty"`
-	Global bool    `json:"global,omitempty"`
+	Id     string         `json:"id,omitempty"`
+	Name   string         `json:"name,omitempty"`
+	Users  []*common.User `json:"users,omitempty"`
+	Global bool           `json:"global,omitempty"`
 }
 
 type Movie struct {
@@ -70,9 +56,9 @@ type Movie struct {
 }
 
 type Issue struct {
-	Id    string `json:"id,omitempty"`
-	Msg   string `json:"msg,omitempty"`
-	Owner *User  `json:"owner,omitempty"`
+	Id    string       `json:"id,omitempty"`
+	Msg   string       `json:"msg,omitempty"`
+	Owner *common.User `json:"owner,omitempty"`
 }
 
 type Log struct {
@@ -88,16 +74,16 @@ type ComplexLog struct {
 }
 
 type Role struct {
-	Id         string  `json:"id,omitempty"`
-	Permission string  `json:"permission,omitempty"`
-	AssignedTo []*User `json:"assignedTo,omitempty"`
+	Id         string         `json:"id,omitempty"`
+	Permission string         `json:"permission,omitempty"`
+	AssignedTo []*common.User `json:"assignedTo,omitempty"`
 }
 
 type Ticket struct {
-	Id         string  `json:"id,omitempty"`
-	OnColumn   *Column `json:"onColumn,omitempty"`
-	Title      string  `json:"title,omitempty"`
-	AssignedTo []*User `json:"assignedTo,omitempty"`
+	Id         string         `json:"id,omitempty"`
+	OnColumn   *Column        `json:"onColumn,omitempty"`
+	Title      string         `json:"title,omitempty"`
+	AssignedTo []*common.User `json:"assignedTo,omitempty"`
 }
 
 type Column struct {
@@ -280,6 +266,42 @@ func (s Student) add(t *testing.T) {
 	require.JSONEq(t, result, string(gqlResponse.Data))
 }
 
+func TestAddMutationWithXid(t *testing.T) {
+	mutation := `
+	mutation addTweets($tweet: AddTweetsInput!){
+      addTweets(input: [$tweet]) {
+        numUids
+      }
+    }
+	`
+
+	tweet := common.Tweets{
+		Id:        "tweet1",
+		Text:      "abc",
+		Timestamp: "2020-10-10",
+	}
+	user := "foo"
+	addTweetsParams := &common.GraphQLParams{
+		Headers:   common.GetJWT(t, user, "", metaInfo),
+		Query:     mutation,
+		Variables: map[string]interface{}{"tweet": tweet},
+	}
+
+	// Add the tweet for the first time.
+	gqlResponse := addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
+	require.Nil(t, gqlResponse.Errors)
+
+	// Re-adding the tweet should fail.
+	gqlResponse = addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
+	require.Error(t, gqlResponse.Errors)
+	require.Equal(t, len(gqlResponse.Errors), 1)
+	require.Contains(t, gqlResponse.Errors[0].Error(),
+		"GraphQL debug: id already exists for type Tweets")
+
+	// Clear the tweet.
+	tweet.DeleteByID(t, user, metaInfo)
+}
+
 func TestAuthWithDgraphDirective(t *testing.T) {
 	students := []Student{
 		{

diff --git a/graphql/e2e/auth/debug_off/debugoff_test.go b/graphql/e2e/auth/debug_off/debugoff_test.go
@@ -89,6 +89,39 @@ func TestAddGQL(t *testing.T) {
 	}
 }
 
+func TestAddMutationWithXid(t *testing.T) {
+	mutation := `
+	mutation addTweets($tweet: AddTweetsInput!){
+      addTweets(input: [$tweet]) {
+        numUids
+      }
+    }
+	`
+
+	tweet := common.Tweets{
+		Id:        "tweet1",
+		Text:      "abc",
+		Timestamp: "2020-10-10",
+	}
+	user := "foo"
+	addTweetsParams := &common.GraphQLParams{
+		Headers:   common.GetJWT(t, user, "", metaInfo),
+		Query:     mutation,
+		Variables: map[string]interface{}{"tweet": tweet},
+	}
+
+	// Add the tweet for the first time.
+	gqlResponse := addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
+	require.Nil(t, gqlResponse.Errors)
+
+	// Re-adding the tweet should fail.
+	gqlResponse = addTweetsParams.ExecuteAsPost(t, common.GraphqlURL)
+	require.Nil(t, gqlResponse.Errors)
+
+	// Clear the tweet.
+	tweet.DeleteByID(t, user, metaInfo)
+}
+
 func TestMain(m *testing.M) {
 	schemaFile := "../schema.graphql"
 	schema, err := ioutil.ReadFile(schemaFile)

diff --git a/graphql/e2e/auth/delete_mutation_test.go b/graphql/e2e/auth/delete_mutation_test.go
@@ -374,11 +374,11 @@ func TestDeleteRBACRuleInverseField(t *testing.T) {
 	addTweetsParams := &common.GraphQLParams{
 		Headers: common.GetJWT(t, "foo", "", metaInfo),
 		Query:   mutation,
-		Variables: map[string]interface{}{"tweet": Tweets{
+		Variables: map[string]interface{}{"tweet": common.Tweets{
 			Id:        "tweet1",
 			Text:      "abc",
 			Timestamp: "2020-10-10",
-			User: User{
+			User: &common.User{
 				Username: "foo",
 			},
 		}},
@@ -390,10 +390,12 @@ func TestDeleteRBACRuleInverseField(t *testing.T) {
 	testCases := []TestCase{
 		{
 			user:   "foobar",
+			role:   "admin",
 			result: `{"deleteTweets":{"numUids":0,"tweets":[]}}`,
 		},
 		{
 			user:   "foo",
+			role:   "admin",
 			result: `{"deleteTweets":{"numUids":1,"tweets":[ {"text": "abc"}]}}`,
 		},
 	}

diff --git a/graphql/e2e/auth/schema.graphql b/graphql/e2e/auth/schema.graphql
@@ -27,6 +27,7 @@ type User @auth(
 }
 
 type Tweets @auth (
+    query: { rule: "{$ROLE: { eq: \"admin\" } }"},
     add: { rule: "{$USER: { eq: \"foo\" } }"},
     delete: { rule: "{$USER: { eq: \"foo\" } }"},
     update: { rule: "{$USER: { eq: \"foo\" } }"}