graphql: process auth query rules (#5181)
* Send auth variable in custom jwt token. (#5220)
* graphql: auth on get and mutation results (#5259)
MichaelJCompton authored Apr 22, 2020
1 parent b513780 commit 22ceae6
Showing 16 changed files with 1,061 additions and 433 deletions.
4 changes: 4 additions & 0 deletions graphql/dgraph/graphquery.go
Expand Up @@ -69,6 +69,10 @@ func writeQuery(b *strings.Builder, query *gql.GraphQuery, prefix string, root b
x.Check2(b.WriteRune(')'))
}

if query.Cascade {
x.Check2(b.WriteString(" @cascade"))
}

switch {
case len(query.Children) > 0:
prefixAdd := ""
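Review bot: The new `@cascade` emission carries no comment saying what sets `query.Cascade` or why the auth rewriter needs it, yet this is the line where the security behaviour of the generated Dgraph query is decided. I would add above the `if`: `// @cascade sits after the argument list and before the child block; the auth rewriter sets Cascade so that nodes whose inlined auth sub-selection matched nothing are dropped from the result instead of being returned with empty children.` It is also worth confirming in the rewriter that Cascade is only requested when an auth rule was actually inlined, since if Dgraph applies @cascade to every child predicate, a legitimately null user-selected field would presumably drop the node as well. writeQuery begins above the hunk.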
265 changes: 158 additions & 107 deletions graphql/e2e/auth/schema.graphql
@@ -1,101 +1,144 @@
type User @auth(
query: { or : [
{ rule: "filter: {isPublic: true}" },
{ rule: "filter: {username: {eq: $USER }}"},
]},
add: { rule: "$ROLE: { eq: ADD-BOT }" },
update: { or: [
{ rule: "$ROLE: { eq: ADMIN }" },
{ rule: "(filter: { username: { eq: $USER } })"}
]}
delete: { rule: "false" }) {
type User {
# @auth(
# add: { rule: "$ROLE: { eq: ADD-BOT }" },
# update: { or: [
# { rule: "$ROLE: { eq: ADMIN }" },
# { rule: "(filter: { username: { eq: $USER } })"}
# ]}
# delete: { rule: "false" }) {
username: String! @id
age: Int @auth(query: {rule: "filter: {username: {eq: $USER }}"})
age: Int # @auth(query: {rule: "filter: {username: {eq: $USER }}"})
isPublic: Boolean
disabled: Boolean @auth(update: { rule: "$ROLE: { eq: ADMIN }" })
disabled: Boolean # @auth(update: { rule: "$ROLE: { eq: ADMIN }" })
tickets: [Ticket] @hasInverse(field: assignedTo)
secrets: [UserSecret]
}

type UserSecret @auth(
query: { rule: """
query($USER: String!) {
queryUserSecret(filter: { ownedBy: { eq: $USER } }) {
__typename
}
}
"""}
){
id: ID!
ownedBy: String @search(by: [hash])
}

type Region {
id: ID!
name: String
global: Boolean @search
users: [User]
}

type Movie @auth(
# You can query a movie if
# - it's not hidden
# AND
# - you are in a region it's available OR it's globally available
query: { and: [
{rule: """filter: {disabled: false}"""},
{rule: """regionsAvailable { users ( filter: {username: {eq: $USER}})}"""},
{not: {rule: """regionsAvailable { users ( filter: {disabled: {eq: true}})}"""}},
{ not: { rule: """
query {
queryMovie(filter: { hidden: true }) { __typename }
}
"""}},
{ or: [
{ rule: """
query($USER: String!) {
queryMovie {
regionsAvailable {
users(filter: {username: {eq: $USER}}) {
__typename
}
}
}
}"""
},
{ rule: """
query {
queryMovie {
regionsAvailable(filter: { global: true }) {
__typename
}
}
}"""
}
]}
]}

add: { rule: "$ROLE: { eq: ADMIN }" }
update: { rule: "$ROLE: { eq: ADMIN }" }
delete: { rule: "$ROLE: { eq: ADMIN }" }
# add: { rule: "$ROLE: { eq: ADMIN }" }
# update: { rule: "$ROLE: { eq: ADMIN }" }
# delete: { rule: "$ROLE: { eq: ADMIN }" }
) {
content: String
disabled: Boolean
hidden: Boolean @search
regionsAvailable: [Region]
}

type Issue @auth(
query: { and: [
{rule: "$ROLE: { eq: ADMIN }"},
{rule: "owner(filter: { username: { eq: $USER } })"},
]}
add: { and: [
{rule: "$ROLE: { eq: ADMIN }"},
{rule: "owner(filter: { username: { eq: $USER } })"},
]}
update: { and: [
{rule: "$ROLE: { eq: ADMIN }"},
{rule: "owner(filter: { username: { eq: $USER } })"},
]}
delete: { and: [
{rule: "$ROLE: { eq: ADMIN }"},
{rule: "owner(filter: { username: { eq: $USER } })"},
]}
) {
type Issue {
# @auth(
# query: { and: [
# {rule: "$ROLE: { eq: ADMIN }"},
# {rule: "owner(filter: { username: { eq: $USER } })"},
# ]}
# add: { and: [
# {rule: "$ROLE: { eq: ADMIN }"},
# {rule: "owner(filter: { username: { eq: $USER } })"},
# ]}
# update: { and: [
# {rule: "$ROLE: { eq: ADMIN }"},
# {rule: "owner(filter: { username: { eq: $USER } })"},
# ]}
# delete: { and: [
# {rule: "$ROLE: { eq: ADMIN }"},
# {rule: "owner(filter: { username: { eq: $USER } })"},
# ]}
# ) {
id: ID!
msg: String
owner: User!
}

type Log @auth(
query: { rule: "$ROLE: { eq: ADMIN }" }
add: { rule: "$ROLE: { eq: ADMIN }" }
update: { rule: "$ROLE: { eq: ADMIN }" }
delete: { rule: "$ROLE: { eq: ADMIN }" }
) {
type Log {
# @auth(
# query: { rule: "$ROLE: { eq: ADMIN }" }
# add: { rule: "$ROLE: { eq: ADMIN }" }
# update: { rule: "$ROLE: { eq: ADMIN }" }
# delete: { rule: "$ROLE: { eq: ADMIN }" }
# ) {
id: ID!
logs: String
}

type Project @auth(
query: { or: [
{ rule: """roles(filter: { permissions: { eq: VIEW } }) {
assignedTo(filter: { username: { eq: $USER } })
}""" },
{ rule: "$ROLE: { eq: ADMIN }" }
]}
type Project {
# @auth(
# query: { or: [
# { rule: """roles(filter: { permissions: { eq: VIEW } }) {
# assignedTo(filter: { username: { eq: $USER } })
# }""" },
# { rule: "$ROLE: { eq: ADMIN }" }
# ]}

# Only admins can create projects
add: { rule: "$ROLE: { eq: ADMIN }" }
# # Only admins can create projects
# add: { rule: "$ROLE: { eq: ADMIN }" }

update: { rule: """roles(filter: { permissions: { eq: CREATE } }) {
assignedTo(filter: { username: { eq: $USER } })
}""" }
# update: { rule: """roles(filter: { permissions: { eq: CREATE } }) {
# assignedTo(filter: { username: { eq: $USER } })
# }""" }

delete: { rule: "false" }
) {
# delete: { rule: "false" }
# ) {
projID: ID!
name: String!
roles: [Role]
columns: [Column] @hasInverse(field: inProject) @auth(add: {rule: "DENY"})
columns: [Column] @hasInverse(field: inProject) # @auth(add: {rule: "DENY"})
}

type Role {
id: ID!
permissions: [Permission]
permission: Permission @search
assignedTo: [User]
}

Expand All @@ -105,62 +148,70 @@ enum Permission {
ADMIN
}

type Column @auth(
query: { rule: """inProject {
role(filter: { permission: { eq: VIEW } } ) {
users(filter: { username: { eq: $USER } })
}
}"""},
add: { rule: """inProject {
role(filter: { permission: { eq: ADMIN } } ) {
users(filter: { username: { eq: $USER } })
}
}"""},
update: { rule: """inProject {
role(filter: { permission: { eq: EDIT } } ) {
users(filter: { username: { eq: $USER } })
}
}"""},
delete: { rule: "false" }
) {
type Column {
# @auth(
# query: { rule: """inProject {
# role(filter: { permission: { eq: VIEW } } ) {
# users(filter: { username: { eq: $USER } })
# }
# }"""},
# add: { rule: """inProject {
# role(filter: { permission: { eq: ADMIN } } ) {
# users(filter: { username: { eq: $USER } })
# }
# }"""},
# update: { rule: """inProject {
# role(filter: { permission: { eq: EDIT } } ) {
# users(filter: { username: { eq: $USER } })
# }
# }"""},
# delete: { rule: "false" }
# ) {
colID: ID!
inProject: Project! @auth(update: { rule: "DENY" })
inProject: Project! # @auth(update: { rule: "DENY" })
name: String!
tickets: [Ticket] @hasInverse(field: onColumn)
}

type Ticket @auth(
query: { rule: """onColumn {
inProject {
role(filter: { permission: { eq: VIEW } } ) {
users(filter: { username: { eq: $USER } })
query: { rule: """
query($USER: String!) {
queryTicket {
onColumn{
inProject {
roles(filter: { permission: { eq: VIEW } } ) {
assignedTo(filter: { username: { eq: $USER } }) {
__typename
}
}
}"""},
add: { rule: """onColumn {
inProject {
role(filter: { permission: { eq: WRITE } } ) {
users(filter: { username: { eq: $USER } })
}
}
}"""},
update: { rule: """onColumn {
inProject {
role(filter: { permission: { eq: WRITE } } ) {
users(filter: { username: { eq: $USER } })
}
}
}"""},
delete: { rule: """onColumn {
inProject {
role(filter: { permission: { eq: WRITE } } ) {
users(filter: { username: { eq: $USER } })
}
}
}"""}
}
}
}
}"""}
# add: { rule: """onColumn {
# inProject {
# role(filter: { permission: { eq: WRITE } } ) {
# users(filter: { username: { eq: $USER } })
# }
# }
# }"""},
# update: { rule: """onColumn {
# inProject {
# role(filter: { permission: { eq: WRITE } } ) {
# users(filter: { username: { eq: $USER } })
# }
# }
# }"""},
# delete: { rule: """onColumn {
# inProject {
# role(filter: { permission: { eq: WRITE } } ) {
# users(filter: { username: { eq: $USER } })
# }
# }
# }"""}
){
id: ID!
onColumn: Column!
title: String!
title: String! @search(by: [term])
assignedTo: [User!]
}
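Review bot: On the new side of this section every add/update/delete rule is commented out and User, Issue and Log carry no @auth at all, so the e2e suite built on this schema no longer exercises mutation authorization even though the commit description says mutation results are now covered; a `# TODO: re-enable once mutation rules are processed` beside each commented block would record that this is deliberate rather than dropped coverage. The commented-out Column and Ticket rules also refer to `role(...) { users(...) }` while the types now expose `Project.roles`, `Role.permission` and `Role.assignedTo` (the new Ticket query rule already uses `roles`/`assignedTo`), so uncommenting them as written will presumably fail schema validation and they should be rewritten before being re-enabled. The Movie query rule mixes the older `filter:`-style rules with the new full-query rules inside one `and`; if only the query form is processed now, the `disabled`/`regionsAvailable` rules at the top of that list may be silently ignored, which for a deny rule is the dangerous direction — worth confirming. The first hunk begins at the top of the file and the `enum Permission` of the second hunk starts outside the shown lines.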