diff --git a/dgraphtest/acl_cluster.go b/dgraphtest/acl_cluster.go new file mode 100644 index 00000000000..16b93b6bd72 --- /dev/null +++ b/dgraphtest/acl_cluster.go @@ -0,0 +1,196 @@ +/* + * Copyright 2023 Dgraph Labs, Inc. and Contributors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package dgraphtest + +import ( + "encoding/json" + + "github.com/pkg/errors" +) + +type AclGrpRules struct { + Predicate string `json:"predicate"` + Permission int32 `json:"permission"` +} + +func (hc *HTTPClient) GetCurrentUser() (string, error) { + const query = ` + query { + getCurrentUser { + name + } + }` + params := GraphQLParams{ + Query: query, + } + resp, err := hc.RunGraphqlQuery(params, true) + if err != nil { + return "", err + } + var currentUserResp struct { + GetCurrentUser struct { + Name string + } + } + if err := json.Unmarshal(resp, ¤tUserResp); err != nil { + errors.Wrapf(err, "error unmarshalling getCurrentUser response %v") + } + return currentUserResp.GetCurrentUser.Name, nil +} + +func (hc *HTTPClient) DeleteUser(username string) error { + + delUser := ` + mutation deleteUser($name: String!) { + deleteUser(filter: {name: {eq: $name}}) { + msg + numUids + } + }` + + params := GraphQLParams{ + Query: delUser, + Variables: map[string]interface{}{ + "name": username, + }, + } + _, err := hc.RunGraphqlQuery(params, true) + if err != nil { + return err + } + return nil +} + +func (hc *HTTPClient) CreateUser(username, password string) error { + addUser := ` + mutation addUser($name: String!, $pass: String!) { + addUser(input: [{name: $name, password: $pass}]) { + user { + name + } + } + }` + + params := GraphQLParams{ + Query: addUser, + Variables: map[string]interface{}{ + "name": username, + "pass": password, + }, + } + _, err := hc.RunGraphqlQuery(params, true) + if err != nil { + return err + } + return nil +} + +func (hc *HTTPClient) CreateGroup(name string) error { + addGroup := ` + mutation addGroup($name: String!) { + addGroup(input: [{name: $name}]) { + group { + name + } + } + }` + + params := GraphQLParams{ + Query: addGroup, + Variables: map[string]interface{}{ + "name": name, + }, + } + _, err := hc.RunGraphqlQuery(params, true) + if err != nil { + return err + } + return nil +} + +func (hc *HTTPClient) AddRulesToGroup(group string, rules []AclGrpRules) error { + addRuleToGroup := `mutation updateGroup($name: String!, $rules: [RuleRef!]!) { + updateGroup(input: { + filter: { + name: { + eq: $name + } + }, + set: { + rules: $rules + } + }) { + group { + name + rules { + predicate + permission + } + } + } + }` + + params := GraphQLParams{ + Query: addRuleToGroup, + Variables: map[string]interface{}{ + "name": group, + "rules": rules, + }, + } + _, err := hc.RunGraphqlQuery(params, true) + if err != nil { + return err + } + return nil +} + +func (hc *HTTPClient) AddToGroup(userName, group string) error { + addUserToGroup := `mutation updateUser($name: String!, $group: String!) { + updateUser(input: { + filter: { + name: { + eq: $name + } + }, + set: { + groups: [ + { name: $group } + ] + } + }) { + user { + name + groups { + name + } + } + } + }` + + params := GraphQLParams{ + Query: addUserToGroup, + Variables: map[string]interface{}{ + "name": userName, + "group": group, + }, + } + _, err := hc.RunGraphqlQuery(params, true) + if err != nil { + return err + } + return nil +} diff --git a/dgraphtest/cluster.go b/dgraphtest/cluster.go index bc5e1446c47..640ee529bd3 100644 --- a/dgraphtest/cluster.go +++ b/dgraphtest/cluster.go @@ -407,13 +407,19 @@ func (gc *GrpcClient) DropAll() error { } // Mutate performs a given mutation in a txn -func (gc *GrpcClient) Mutate(rdfs string) (*api.Response, error) { +func (gc *GrpcClient) Mutate(rdfs string, SetNQuads bool) (*api.Response, error) { txn := gc.NewTxn() defer func() { _ = txn.Discard(context.Background()) }() ctx, cancel := context.WithTimeout(context.Background(), requestTimeout) defer cancel() - mu := &api.Mutation{SetNquads: []byte(rdfs), CommitNow: true} + var mu *api.Mutation + if SetNQuads { + mu = &api.Mutation{SetNquads: []byte(rdfs), CommitNow: true} + } else { + mu = &api.Mutation{DelNquads: []byte(rdfs), CommitNow: true} + } + return txn.Mutate(ctx, mu) } diff --git a/dgraphtest/dgraph.go b/dgraphtest/dgraph.go index d38ef9bcb6d..c63596907e2 100644 --- a/dgraphtest/dgraph.go +++ b/dgraphtest/dgraph.go @@ -53,6 +53,7 @@ const ( DefaultUser = "groot" DefaultPassword = "password" + GalaxyNamespace = 0 localVersion = "local" waitDurBeforeRetry = time.Second diff --git a/ee/acl/acl_test.go b/ee/acl/acl_test.go index 0bcf976b4c1..787263cfee7 100644 --- a/ee/acl/acl_test.go +++ b/ee/acl/acl_test.go @@ -39,9 +39,8 @@ var ( func makeRequestAndRefreshTokenIfNecessary(t *testing.T, params dgraphtest.GraphQLParams, hc *dgraphtest.HTTPClient) *dgraphtest.GraphQLResponse { - reqBody, err := json.Marshal(params) - require.NoError(t, err) - resp, err := hc.AdminPost(reqBody) + + resp, err := hc.RunGraphqlQuery(params, true) require.NoError(t, err) var gqlResp dgraphtest.GraphQLResponse @@ -163,30 +162,23 @@ func (suite *AclTestSuite) TestGetCurrentUser() { t := suite.T() hc, err := suite.dc.HTTPClient() require.NoError(t, err) - err = hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0) - require.NoError(t, err, "login failed") - currentUser := getCurrentUser(t, hc) - currentUser.RequireNoGraphQLErrors(t) - require.Equal(t, string(currentUser.Data), `{"getCurrentUser":{"name":"groot"}}`) - + require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser, + dgraphtest.DefaultPassword, 0), "login failed") + currentUser, err := hc.GetCurrentUser() + require.Equal(t, currentUser, "groot") // clean up the user to allow repeated running of this test userid := "hamilton" - deleteUserResp := deleteUser(t, hc, userid, false) - deleteUserResp.RequireNoGraphQLErrors(t) + require.NoError(t, hc.DeleteUser(userid), "error while deleteing user") glog.Infof("cleaned up db user state") - resp := createUser(t, hc, userid, userpassword) - resp.RequireNoGraphQLErrors(t) - checkUserCount(t, resp.Data, 1) - + require.NoError(t, hc.CreateUser(userid, userpassword)) suite.Upgrade(hc) hc, err = suite.dc.HTTPClient() require.NoError(t, err) - err = hc.LoginIntoNamespace(userid, userpassword, x.GalaxyNamespace) - require.NoError(t, err, "login failed") - currentUser = getCurrentUser(t, hc) - currentUser.RequireNoGraphQLErrors(t) - require.Equal(t, string(currentUser.Data), `{"getCurrentUser":{"name":"hamilton"}}`) + require.NoError(t, hc.LoginIntoNamespace(userid, userpassword, dgraphtest.GalaxyNamespace), "login failed") + currentUser, err = hc.GetCurrentUser() + + require.Equal(t, currentUser, "hamilton") } func (suite *AclTestSuite) TestCreateAndDeleteUsers() { @@ -199,31 +191,23 @@ func (suite *AclTestSuite) TestCreateAndDeleteUsers() { require.NoError(t, err) // adding the user again should fail require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0)) - resp := createUser(t, hc, userid, userpassword) - require.Equal(t, 1, len(resp.Errors)) - require.Equal(t, "couldn't rewrite mutation addUser because failed to rewrite mutation payload because id"+ - " alice already exists for field name inside type User", resp.Errors[0].Message) - checkUserCount(t, resp.Data, 0) + require.Equal(t, "error while running admin query: couldn't rewrite mutation addUser because failed to "+ + "rewrite mutation payload because id alice already exists for field name inside type User", + hc.CreateUser(userid, userpassword).Error()) + // checkUserCount(t, resp.Data, 0) // delete the user - _ = deleteUser(t, hc, userid, true) - - resp = createUser(t, hc, userid, userpassword) - resp.RequireNoGraphQLErrors(t) - // now we should be able to create the user again - checkUserCount(t, resp.Data, 1) + require.NoError(t, hc.DeleteUser(userid), "error while deleteing user") + require.NoError(t, hc.CreateUser(userid, userpassword)) } func resetUser(t *testing.T, hc *dgraphtest.HTTPClient) { require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0)) // clean up the user to allow repeated running of this test - deleteUserResp := deleteUser(t, hc, userid, false) - deleteUserResp.RequireNoGraphQLErrors(t) + require.NoError(t, hc.DeleteUser(userid), "error while deleteing user") glog.Infof("deleted user") - resp := createUser(t, hc, userid, userpassword) - resp.RequireNoGraphQLErrors(t) - checkUserCount(t, resp.Data, 1) + require.NoError(t, hc.CreateUser(userid, userpassword)) glog.Infof("created user") } @@ -235,8 +219,7 @@ func (suite *AclTestSuite) TestPreDefinedPredicates() { require.NoError(t, err) defer cleanup() ctx := context.Background() - err = gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0) - + require.NoError(t, gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0)) alterPreDefinedPredicates(t, gc.Dgraph) } @@ -248,7 +231,7 @@ func (suite *AclTestSuite) TestPreDefinedTypes() { require.NoError(t, err) defer cleanup() ctx := context.Background() - err = gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0) + require.NoError(t, gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0)) alterPreDefinedTypes(t, gc.Dgraph) } @@ -259,7 +242,7 @@ func (suite *AclTestSuite) TestAuthorization() { t.Skip("skipping because -short=true") } - glog.Infof("testing with port 9180") + glog.Infof("testing with port 9080") gc, cleanup, err := suite.dc.Client() require.NoError(t, err) defer cleanup() @@ -333,21 +316,18 @@ const timeout = 5 * time.Second const expireJwtSleep = 21 * time.Second func testAuthorization(t *testing.T, gc *dgraphtest.GrpcClient, hc *dgraphtest.HTTPClient, suite *AclTestSuite) { - createAccountAndData(t, gc.Dgraph, hc) + createAccountAndData(t, gc, hc) suite.Upgrade(hc) gc, cleanup, err := suite.dc.Client() require.NoError(t, err) defer cleanup() ctx := context.Background() - if err := gc.LoginIntoNamespace(ctx, userid, userpassword, x.GalaxyNamespace); err != nil { - t.Fatalf("unable to login using the account %v", userid) - } - + require.NoError(t, gc.LoginIntoNamespace(ctx, userid, userpassword, x.GalaxyNamespace)) // initially the query should return empty result, mutate and alter // operations should all fail when there are no rules defined on the predicates - queryPredicateWithUserAccount(t, gc.Dgraph, false) - mutatePredicateWithUserAccount(t, gc.Dgraph, true) - alterPredicateWithUserAccount(t, gc.Dgraph, true) + queryWithShouldFail(t, gc, false, query) + mutatePredicateWithUserAccount(t, gc, true) + alterPredicateWithUserAccount(t, gc, true) createGroupAndAcls(t, unusedGroup, false, hc) // wait for 5 seconds to ensure the new acl have reached all acl caches glog.Infof("Sleeping for acl caches to be refreshed") @@ -355,9 +335,9 @@ func testAuthorization(t *testing.T, gc *dgraphtest.GrpcClient, hc *dgraphtest.H // now all these operations except query should fail since // there are rules defined on the unusedGroup - queryPredicateWithUserAccount(t, gc.Dgraph, false) - mutatePredicateWithUserAccount(t, gc.Dgraph, true) - alterPredicateWithUserAccount(t, gc.Dgraph, true) + queryWithShouldFail(t, gc, false, query) + mutatePredicateWithUserAccount(t, gc, true) + alterPredicateWithUserAccount(t, gc, true) // create the dev group and add the user to it createGroupAndAcls(t, devGroup, true, hc) @@ -366,15 +346,15 @@ func testAuthorization(t *testing.T, gc *dgraphtest.GrpcClient, hc *dgraphtest.H time.Sleep(defaultTimeToSleep) // now the operations should succeed again through the devGroup - queryPredicateWithUserAccount(t, gc.Dgraph, false) + queryWithShouldFail(t, gc, false, query) // sleep long enough (10s per the docker-compose.yml) // for the accessJwt to expire in order to test auto login through refresh jwt glog.Infof("Sleeping for accessJwt to expire") time.Sleep(expireJwtSleep) - mutatePredicateWithUserAccount(t, gc.Dgraph, false) + mutatePredicateWithUserAccount(t, gc, false) glog.Infof("Sleeping for accessJwt to expire") time.Sleep(expireJwtSleep) - alterPredicateWithUserAccount(t, gc.Dgraph, false) + alterPredicateWithUserAccount(t, gc, false) } var predicateToRead = "predicate_to_read" @@ -460,22 +440,8 @@ func alterPreDefinedTypes(t *testing.T, dg *dgo.Dgraph) { "type dgraph.type.Group is pre-defined and is not allowed to be dropped") } -func queryPredicateWithUserAccount(t *testing.T, dg *dgo.Dgraph, shouldFail bool) { - ctx := context.Background() - txn := dg.NewTxn() - _, err := txn.Query(ctx, query) - if shouldFail { - require.Error(t, err, "the query should have failed") - } else { - require.NoError(t, err, "the query should have succeeded") - } -} - -func querySchemaWithUserAccount(t *testing.T, dg *dgo.Dgraph, shouldFail bool) { - ctx := context.Background() - txn := dg.NewTxn() - _, err := txn.Query(ctx, schemaQuery) - +func queryWithShouldFail(t *testing.T, gc *dgraphtest.GrpcClient, shouldFail bool, query string) { + _, err := gc.Query(query) if shouldFail { require.Error(t, err, "the query should have failed") } else { @@ -483,14 +449,8 @@ func querySchemaWithUserAccount(t *testing.T, dg *dgo.Dgraph, shouldFail bool) { } } -func mutatePredicateWithUserAccount(t *testing.T, dg *dgo.Dgraph, shouldFail bool) { - ctx := context.Background() - txn := dg.NewTxn() - _, err := txn.Mutate(ctx, &api.Mutation{ - CommitNow: true, - SetNquads: []byte(fmt.Sprintf(`_:a <%s> "string" .`, predicateToWrite)), - }) - +func mutatePredicateWithUserAccount(t *testing.T, gc *dgraphtest.GrpcClient, shouldFail bool) { + _, err := gc.Mutate(fmt.Sprintf(`_:a <%s> "string" .`, predicateToWrite), true) if shouldFail { require.Error(t, err, "the mutation should have failed") } else { @@ -498,9 +458,9 @@ func mutatePredicateWithUserAccount(t *testing.T, dg *dgo.Dgraph, shouldFail boo } } -func alterPredicateWithUserAccount(t *testing.T, dg *dgo.Dgraph, shouldFail bool) { +func alterPredicateWithUserAccount(t *testing.T, gc *dgraphtest.GrpcClient, shouldFail bool) { ctx := context.Background() - err := dg.Alter(ctx, &api.Operation{ + err := gc.Alter(ctx, &api.Operation{ Schema: fmt.Sprintf(`%s: int .`, predicateToAlter), }) if shouldFail { @@ -510,19 +470,13 @@ func alterPredicateWithUserAccount(t *testing.T, dg *dgo.Dgraph, shouldFail bool } } -func createAccountAndData(t *testing.T, dg *dgo.Dgraph, hc *dgraphtest.HTTPClient) { +func createAccountAndData(t *testing.T, gc *dgraphtest.GrpcClient, hc *dgraphtest.HTTPClient) { // use the groot account to clean the database ctx := context.Background() - if err := dg.LoginIntoNamespace(ctx, x.GrootId, "password", x.GalaxyNamespace); err != nil { - t.Fatalf("unable to login using the groot account:%v", err) - } - op := api.Operation{ - DropAll: true, - } - if err := dg.Alter(ctx, &op); err != nil { - t.Fatalf("Unable to cleanup db:%v", err) - } - require.NoError(t, dg.Alter(ctx, &api.Operation{ + require.NoError(t, gc.LoginIntoNamespace(ctx, x.GrootId, "password", x.GalaxyNamespace)) + + require.NoError(t, gc.DropAll(), "Unable to cleanup db") + require.NoError(t, gc.Alter(ctx, &api.Operation{ Schema: fmt.Sprintf(`%s: string @index(exact) .`, predicateToRead), })) // wait for 5 seconds to ensure the new acl have reached all acl caches @@ -532,7 +486,7 @@ func createAccountAndData(t *testing.T, dg *dgo.Dgraph, hc *dgraphtest.HTTPClien // create some data, e.g. user with name alice resetUser(t, hc) - txn := dg.NewTxn() + txn := gc.NewTxn() _, err := txn.Mutate(ctx, &api.Mutation{ SetNquads: []byte(fmt.Sprintf("_:a <%s> \"SF\" .", predicateToRead)), }) @@ -787,15 +741,14 @@ func addRulesToGroup(t *testing.T, hc *dgraphtest.HTTPClient, group string, rule func createGroupAndAcls(t *testing.T, group string, addUserToGroup bool, hc *dgraphtest.HTTPClient) { // create a new group - resp := createGroup(t, hc, group) - checkGroupCount(t, resp, 1) + require.NoError(t, hc.CreateGroup(group)) // add the user to the group if addUserToGroup { - addToGroup(t, hc, userid, group) + require.NoError(t, hc.AddToGroup(userid, group)) } - rules := []rule{ + rules := []dgraphtest.AclGrpRules{ { predicateToRead, Read.Code, }, @@ -814,7 +767,7 @@ func createGroupAndAcls(t *testing.T, group string, addUserToGroup bool, hc *dgr // also add read permission to the attribute queryAttr, which is used inside the query block // add WRITE permission on the predicateToWrite // add MODIFY permission on the predicateToAlter - addRulesToGroup(t, hc, group, rules) + hc.AddRulesToGroup(group, rules) } func (suite *AclTestSuite) TestPredicatePermission() { @@ -824,43 +777,35 @@ func (suite *AclTestSuite) TestPredicatePermission() { } ctx, cancel := context.WithTimeout(context.Background(), 100*time.Second) defer cancel() - glog.Infof("testing with port 9180") + glog.Infof("testing with port 9080") gc, cleanup, err := suite.dc.Client() require.NoError(t, err) defer cleanup() hc, err := suite.dc.HTTPClient() require.NoError(t, err) - if err := hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0); err != nil { - t.Fatal(err) - } - if err := gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0); err != nil { - t.Fatal(err) - } - createAccountAndData(t, gc.Dgraph, hc) + require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0)) + require.NoError(t, gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0)) + + createAccountAndData(t, gc, hc) suite.Upgrade(hc) gc, cleanup, err = suite.dc.Client() require.NoError(t, err) defer cleanup() - if err := gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0); err != nil { - t.Fatal(err) - } + require.NoError(t, gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0)) hc, err = suite.dc.HTTPClient() require.NoError(t, err) - if err := hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0); err != nil { - t.Fatal(err) - } + require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0)) - err = gc.LoginIntoNamespace(ctx, userid, userpassword, x.GalaxyNamespace) - require.NoError(t, err, "Logging in with the current password should have succeeded") + require.NoError(t, gc.LoginIntoNamespace(ctx, userid, userpassword, x.GalaxyNamespace), + "Logging in with the current password should have succeeded") // Schema query is allowed to all logged in users. - querySchemaWithUserAccount(t, gc.Dgraph, false) - + queryWithShouldFail(t, gc, false, schemaQuery) // The query should return emptry response, alter and mutation // should be blocked when no rule is defined. - queryPredicateWithUserAccount(t, gc.Dgraph, false) - mutatePredicateWithUserAccount(t, gc.Dgraph, true) - alterPredicateWithUserAccount(t, gc.Dgraph, true) + queryWithShouldFail(t, gc, false, query) + mutatePredicateWithUserAccount(t, gc, true) + alterPredicateWithUserAccount(t, gc, true) createGroupAndAcls(t, unusedGroup, false, hc) // Wait for 5 seconds to ensure the new acl have reached all acl caches. @@ -869,11 +814,11 @@ func (suite *AclTestSuite) TestPredicatePermission() { // The operations except query should fail when there is a rule defined, but the // current user is not allowed. - queryPredicateWithUserAccount(t, gc.Dgraph, false) - mutatePredicateWithUserAccount(t, gc.Dgraph, true) - alterPredicateWithUserAccount(t, gc.Dgraph, true) + queryWithShouldFail(t, gc, false, query) + mutatePredicateWithUserAccount(t, gc, true) + alterPredicateWithUserAccount(t, gc, true) // Schema queries should still succeed since they are not tied to specific predicates. - querySchemaWithUserAccount(t, gc.Dgraph, false) + queryWithShouldFail(t, gc, false, schemaQuery) } func (suite *AclTestSuite) TestAccessWithoutLoggingIn() { @@ -885,14 +830,10 @@ func (suite *AclTestSuite) TestAccessWithoutLoggingIn() { defer cleanup() hc, err := suite.dc.HTTPClient() require.NoError(t, err) - if err := hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0); err != nil { - t.Fatal(err) - } - if err := gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0); err != nil { - t.Fatal(err) - } + require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0)) + require.NoError(t, gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0)) - createAccountAndData(t, gc.Dgraph, hc) + createAccountAndData(t, gc, hc) suite.Upgrade(hc) gc, cleanup, err = suite.dc.Client() require.NoError(t, err) @@ -901,12 +842,12 @@ func (suite *AclTestSuite) TestAccessWithoutLoggingIn() { // Without logging in, the anonymous user should be evaluated as if the user does not // belong to any group, and access should not be granted if there is no ACL rule defined // for a predicate. - queryPredicateWithUserAccount(t, gc.Dgraph, true) - mutatePredicateWithUserAccount(t, gc.Dgraph, true) - alterPredicateWithUserAccount(t, gc.Dgraph, true) + queryWithShouldFail(t, gc, true, query) + mutatePredicateWithUserAccount(t, gc, true) + alterPredicateWithUserAccount(t, gc, true) // Schema queries should fail if the user has not logged in. - querySchemaWithUserAccount(t, gc.Dgraph, true) + queryWithShouldFail(t, gc, true, schemaQuery) } func (suite *AclTestSuite) TestUnauthorizedDeletion() { @@ -919,51 +860,38 @@ func (suite *AclTestSuite) TestUnauthorizedDeletion() { gc, cleanup, err := suite.dc.Client() require.NoError(t, err) defer cleanup() - if err := gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0); err != nil { - t.Fatal(err) - } - op := api.Operation{ - DropAll: true, - } - require.NoError(t, gc.Alter(ctx, &op)) + require.NoError(t, gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0)) - op = api.Operation{ + require.NoError(t, gc.DropAll()) + + op := api.Operation{ Schema: fmt.Sprintf("%s: string @index(exact) .", unAuthPred), } require.NoError(t, gc.Alter(ctx, &op)) hc, err := suite.dc.HTTPClient() require.NoError(t, err) - if err := hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0); err != nil { - t.Fatal(err) - } - resetUser(t, hc) + require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0)) - require.NoError(t, err, "login failed") - createGroup(t, hc, devGroup) + resetUser(t, hc) - addToGroup(t, hc, userid, devGroup) + require.NoError(t, hc.CreateGroup(devGroup)) + require.NoError(t, hc.AddToGroup(userid, devGroup)) - txn := gc.NewTxn() - mutation := &api.Mutation{ - SetNquads: []byte(fmt.Sprintf("_:a <%s> \"testdata\" .", unAuthPred)), - CommitNow: true, - } - resp, err := txn.Mutate(ctx, mutation) + rdf := fmt.Sprintf("_:a <%s> \"testdata\" .", unAuthPred) + resp, err := gc.Mutate(rdf, true) require.NoError(t, err) - nodeUID, ok := resp.Uids["a"] require.True(t, ok) - addRulesToGroup(t, hc, devGroup, []rule{{unAuthPred, 0}}) + require.NoError(t, hc.AddRulesToGroup(devGroup, []dgraphtest.AclGrpRules{{unAuthPred, 0}})) suite.Upgrade(hc) userClient, cleanup, err := suite.dc.Client() require.NoError(t, err) defer cleanup() time.Sleep(defaultTimeToSleep) - require.NoError(t, userClient.LoginIntoNamespace(ctx, userid, userpassword, x.GalaxyNamespace)) - - _, err = deleteUsingNQuad(userClient.Dgraph, "<"+nodeUID+">", "<"+unAuthPred+">", "*") + mutString := fmt.Sprintf("%s %s %s .", "<"+nodeUID+">", "<"+unAuthPred+">", "*") + _, err = gc.Mutate(mutString, false) require.Error(t, err) require.Contains(t, err.Error(), "PermissionDenied") @@ -1116,7 +1044,7 @@ func (suite *AclTestSuite) TestQueryRemoveUnauthorizedPred() { resetUser(t, hc) require.NoError(t, err, "login failed") - createGroup(t, hc, devGroup) + require.NoError(t, hc.CreateGroup(devGroup)) addToGroup(t, hc, userid, devGroup) txn := gc.NewTxn() @@ -1269,8 +1197,8 @@ func (suite *AclTestSuite) TestExpandQueryWithACLPermissions() { resetUser(t, hc) require.NoError(t, err, "login failed") - createGroup(t, hc, devGroup) - createGroup(t, hc, sreGroup) + require.NoError(t, hc.CreateGroup(devGroup)) + require.NoError(t, hc.CreateGroup(sreGroup)) addRulesToGroup(t, hc, sreGroup, []rule{{"age", Read.Code}, {"name", Write.Code}}) addToGroup(t, hc, userid, devGroup) @@ -1384,7 +1312,7 @@ func (suite *AclTestSuite) TestDeleteQueryWithACLPermissions() { require.NoError(t, err, "login failed") - createGroup(t, hc, devGroup) + require.NoError(t, hc.CreateGroup(devGroup)) addToGroup(t, hc, userid, devGroup) @@ -1497,7 +1425,7 @@ func (suite *AclTestSuite) TestValQueryWithACLPermissions() { require.NoError(t, gc.Alter(ctx, &op)) resetUser(t, hc) - createGroup(t, hc, devGroup) + require.NoError(t, hc.CreateGroup(devGroup)) // createGroup(t, accessJwt, sreGroup) // addRulesToGroup(t, accessJwt, sreGroup, []rule{{"age", Read.Code}, {"name", Write.Code}}) @@ -1723,7 +1651,7 @@ func (suite *AclTestSuite) TestAllPredsPermission() { resetUser(t, hc) require.NoError(t, err, "login failed") - createGroup(t, hc, devGroup) + require.NoError(t, hc.CreateGroup(devGroup)) addToGroup(t, hc, userid, devGroup) txn := gc.NewTxn() @@ -2351,7 +2279,7 @@ func (suite *AclTestSuite) TestQueriesWithUserAndGroupOfSameName() { _, err = txn.Mutate(ctx, mutation) require.NoError(t, err) - createGroup(t, hc, "alice") + require.NoError(t, hc.CreateGroup("alice")) addToGroup(t, hc, userid, "alice") // add rules to groups @@ -2924,7 +2852,7 @@ func (suite *AclTestSuite) TestAllowUIDAccess() { resetUser(t, hc) require.NoError(t, err, "login failed") - createGroup(t, hc, devGroup) + require.NoError(t, hc.CreateGroup(devGroup)) addToGroup(t, hc, userid, devGroup) require.NoError(t, suite.dc.AssignUids(gc.Dgraph, 101)) @@ -3034,9 +2962,9 @@ func (suite *AclTestSuite) TestCrossGroupPermission() { require.NoError(t, err) // create groups - createGroup(t, hc, "reader") - createGroup(t, hc, "writer") - createGroup(t, hc, "alterer") + require.NoError(t, hc.CreateGroup("reader")) + require.NoError(t, hc.CreateGroup("writer")) + require.NoError(t, hc.CreateGroup("alterer")) // add rules to groups addRulesToGroup(t, hc, "reader", []rule{{Predicate: "newpred", Permission: 4}}) addRulesToGroup(t, hc, "writer", []rule{{Predicate: "newpred", Permission: 2}}) @@ -3159,7 +3087,7 @@ func (suite *AclTestSuite) TestMutationWithValueVar() { resetUser(t, hc) createUser(t, hc, userid, userpassword) - createGroup(t, hc, devGroup) + require.NoError(t, hc.CreateGroup(devGroup)) addToGroup(t, hc, userid, devGroup) addRulesToGroup(t, hc, devGroup, []rule{ { diff --git a/ee/acl/integration_test.go b/ee/acl/integration_test.go index 31190feb4a7..593c8a74802 100644 --- a/ee/acl/integration_test.go +++ b/ee/acl/integration_test.go @@ -26,14 +26,13 @@ type AclTestSuite struct { } func (suite *AclTestSuite) SetupTest() { - cluster := dgraphtest.NewComposeCluster() - suite.dc = cluster - + suite.dc := dgraphtest.NewComposeCluster() } func (suite *AclTestSuite) Upgrade(hc *dgraphtest.HTTPClient) { // not implemented for integration tests } + func TestSuite(t *testing.T) { suite.Run(t, new(AclTestSuite)) } diff --git a/ee/acl/upgrade_test.go b/ee/acl/upgrade_test.go index 2959a67f027..bb0c03bbe14 100644 --- a/ee/acl/upgrade_test.go +++ b/ee/acl/upgrade_test.go @@ -33,7 +33,9 @@ func (suite *AclTestSuite) SetupTest() { WithACL(20 * time.Second).WithEncryption().WithVersion("0c9f60156").WithReplicas(3) c, err := dgraphtest.NewLocalCluster(conf) x.Panic(err) - c.Start() + if err := c.Start(); err != nil { + panic(err) + } suite.c = c suite.dc = c } @@ -44,10 +46,7 @@ func (suite *AclTestSuite) TearDownTest() { } func (suite *AclTestSuite) Upgrade(hc *dgraphtest.HTTPClient) { - x.Panic(suite.c.Upgrade(hc, "v23.0.0-beta1", dgraphtest.StopStart)) - // need to set admin endpoind after every upgrade - } func TestSuite(t *testing.T) { diff --git a/systest/incremental-restore/incremental_restore_test.go b/systest/incremental-restore/incremental_restore_test.go index f7844af9ae0..bfb7af0a484 100644 --- a/systest/incremental-restore/incremental_restore_test.go +++ b/systest/incremental-restore/incremental_restore_test.go @@ -54,7 +54,7 @@ func TestIncrementalRestore(t *testing.T) { for i := 1; i <= len(uids); i++ { for j := 1; j <= i; j++ { rdfs := fmt.Sprintf(`<%v> "%v" .`, j, i) - _, err := gc.Mutate(rdfs) + _, err := gc.Mutate(rdfs, true) require.NoError(t, err) } t.Logf("taking backup #%v\n", i)