fix(GraphQL): Fix auth rewriting for nested queries when RBAC rule is…

… true. (#6053) * Fix auth rewriting for nested queries when RBAC rule is true.
hypermodeinc · Jul 27, 2020 · 3e3a53f · 3e3a53f
1 parent c51d007
commit 3e3a53f
Show file tree

Hide file tree

Showing 8 changed files with 527 additions and 90 deletions.
diff --git a/graphql/e2e/auth/schema.graphql b/graphql/e2e/auth/schema.graphql
@@ -522,3 +522,50 @@ query($USER: String!) {
     id: ID!
     email: String! @dgraph(pred: "IOw80vnV") @search(by: [hash])
 }
+
+type Contact @auth(
+    query: { rule: "{$ContactRole: { eq: \"ADMINISTRATOR\"}}" }
+) {
+    id: ID!
+    nickName: String @search(by: [exact, term, fulltext, regexp])
+    adminTasks: [AdminTask] @hasInverse(field: forContact)
+    tasks: [Task] @hasInverse(field: forContact)
+}
+
+type AdminTask @auth(
+    query: { rule: "{$TaskRole: { eq: \"ADMINISTRATOR\"}}" }
+) {
+    id: ID!
+    name: String @search(by: [exact, term, fulltext, regexp])
+    occurrances: [TaskOccurance] @hasInverse(field: adminTask)
+    forContact: Contact @hasInverse(field: adminTasks)
+}
+
+type Task {
+    id: ID!
+    name: String @search(by: [exact, term, fulltext, regexp])
+    occurrances: [TaskOccurance] @hasInverse(field: task)
+    forContact: Contact @hasInverse(field: tasks)
+}
+
+type TaskOccurance @auth(
+    query: { and : [
+        {rule: "{$TaskOccuranceRole: { eq: \"ADMINISTRATOR\"}}"},
+        {rule: """
+        query($TaskOccuranceRole: String!) {
+            queryTaskOccurance(filter: {role: { eq: $TaskOccuranceRole}}) {
+                __typename
+            }
+        }
+        """}
+] }
+) {
+    id: ID!
+    due: DateTime @search
+    comp: DateTime @search
+    task: Task @hasInverse(field: occurrances)
+    adminTask: AdminTask @hasInverse(field: occurrances)
+    isPublic: Boolean @search
+    role: String @search(by: [exact, term, fulltext, regexp])
+}
+
diff --git a/graphql/resolve/auth_add_test.yaml b/graphql/resolve/auth_add_test.yaml
@@ -7,6 +7,8 @@
         }
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "secret":
       { "aSecret": "it is",
@@ -35,6 +37,8 @@
         }
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "secrets": 
       [
@@ -64,6 +68,8 @@
         }
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "secret":
       { "aSecret": "it is",
@@ -94,6 +100,8 @@
         }
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "secrets": 
       [
@@ -125,6 +133,8 @@
         }
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "col":
       { "inProject": { "projID": "0x123" },
@@ -191,6 +201,8 @@
         }
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "col":
       {
@@ -257,6 +269,8 @@
         }
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "col1":
       { "inProject": { "projID": "0x123" },
@@ -334,6 +348,8 @@
         }
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "col1":
       { "inProject": { "projID": "0x123" },
@@ -418,6 +434,8 @@
         }
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "col":
       { "inProject": { "projID": "0x123" },
@@ -493,6 +511,8 @@
         }
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "col":
       { "inProject": { "projID": "0x123" },
@@ -569,6 +589,8 @@
         }
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { 
       "proj": {
@@ -658,6 +680,8 @@
         }
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { 
       "proj": {
@@ -748,6 +772,8 @@
         }
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "log":
       { "logs": "log123",
@@ -769,7 +795,9 @@
         }
       }
     }
-  role: "ADMIN"
+  jwtvar:
+    ROLE: "ADMIN"
+    USER: "user1"
   variables: |
     { "log":
       { "logs": "log123",
@@ -789,7 +817,9 @@
         }
       }
     }
-  role: "ADMIN"
+  jwtvar:
+    ROLE: "ADMIN"
+    USER: "user1"
   variables: |
     {
       "proj": {
@@ -811,7 +841,9 @@
         }
       }
     }
-  role: "USER"
+  jwtvar:
+    ROLE: "USER"
+    USER: "user1"
   variables: |
     {
       "proj": {
@@ -850,7 +882,9 @@
         }
       }
     }
-  role: "ADMIN"
+  jwtvar:
+    ROLE: "ADMIN"
+    USER: "user1"
   variables: |
     { "issue":
       { "msg": "log123",
@@ -900,7 +934,9 @@
         }
       }
     }
-  role: "USER"
+  jwtvar:
+    ROLE: "USER"
+    USER: "user1"
   variables: |
     { "issue":
       { "msg": "log123",
@@ -950,7 +986,9 @@
         }
       }
     }
-  role: "USER"
+  jwtvar:
+    ROLE: "USER"
+    USER: "user1"
   variables: |
     { "log":
       { "logs": "log123",
@@ -971,7 +1009,9 @@
         }
       }
     }
-  role: "ADMIN"
+  jwtvar:
+    ROLE: "ADMIN"
+    USER: "user1"
   variables: |
     { "log":
       { "logs": "log123",

diff --git a/graphql/resolve/auth_delete_test.yaml b/graphql/resolve/auth_delete_test.yaml
@@ -5,6 +5,8 @@
         msg
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "filter": { "aSecret": { "anyofterms": "auth is applied" } } }
   dgmutations:
@@ -29,6 +31,8 @@
         msg
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "filter": { "title": { "anyofterms": "auth is applied" } } }
   dgmutations:
@@ -90,6 +94,8 @@
         }
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "filter": { "title": { "anyofterms": "auth is applied" } } }
   dgmutations:
@@ -206,7 +212,9 @@
     {
       "projs" : ["0x01", "0x02"]
     }
-  role: "ADMIN"
+  jwtvar:
+    ROLE: "ADMIN"
+    USER: "user1"
   dgmutations:
     - deletejson: |
         [{
@@ -244,7 +252,9 @@
         "id": ["0x1", "0x2"]
       }
     }
-  role: "USER"
+  jwtvar:
+    ROLE: "USER"
+    USER: "user1"
   dgmutations:
     - deletejson: |
         [{
@@ -269,6 +279,8 @@
         "username": { "eq": "userxyz" }
       }
     }
+  jwtvar:
+    USER: "user1"
   dgmutations:
     - deletejson: |
         [
@@ -297,6 +309,8 @@
         msg
       }
     }
+  jwtvar:
+    USER: "user1"
   variables: |
     { "filter":
       {
@@ -331,7 +345,9 @@
         "id": ["0x1", "0x2"]
       }
     }
-  role: "USER"
+  jwtvar:
+    ROLE: "USER"
+    USER: "user1"
   dgmutations:
     - deletejson: |
         [{
@@ -359,7 +375,9 @@
         "id": ["0x1", "0x2"]
       }
     }
-  role: "ADMIN"
+  jwtvar:
+    ROLE: "ADMIN"
+    USER: "user1"
   dgmutations:
     - deletejson: |
         [{
@@ -392,7 +410,9 @@
     {
       "ids" : ["0x01", "0x02"]
     }
-  role: "ADMIN"
+  jwtvar:
+    ROLE: "ADMIN"
+    USER: "user1"
   dgmutations:
     - deletejson: |
         [{ "uid": "uid(x)" }]
@@ -416,6 +436,8 @@
     {
       "ids" : ["0x01", "0x02"]
     }
+  jwtvar:
+    USER: "user1"
   dgmutations:
     - deletejson: |
         [{ "uid": "uid(x)" }]
@@ -442,7 +464,9 @@
         "id": ["0x1", "0x2"]
       }
     }
-  role: "ADMIN"
+  jwtvar:
+    ROLE: "ADMIN"
+    USER: "user1"
   dgmutations:
     - deletejson: |
         [{
@@ -474,7 +498,9 @@
         "id": ["0x1", "0x2"]
       }
     }
-  role: "USER"
+  jwtvar:
+    ROLE: "USER"
+    USER: "user1"
   dgmutations:
     - deletejson: |
         [{
@@ -498,7 +524,9 @@
         "id": ["0x1", "0x2"]
       }
     }
-  role: "USER"
+  jwtvar:
+    ROLE: "USER"
+    USER: "user1"
   dgmutations:
     - deletejson: |
         [{
@@ -522,7 +550,9 @@
         "id": ["0x1", "0x2"]
       }
     }
-  role: "ADMIN"
+  jwtvar:
+    ROLE: "ADMIN"
+    USER: "user1"
   dgmutations:
     - deletejson: |
         [{