fixed issues for testing auto login

hypermodeinc · Jan 16, 2019 · 8c2e542 · 8c2e542
1 parent 0205ca7
commit 8c2e542
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 30 deletions.
diff --git a/edgraph/access_ee.go b/edgraph/access_ee.go
@@ -14,9 +14,7 @@ package edgraph
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
-	"strconv"
 	"sync"
 	"time"
 
@@ -59,17 +57,17 @@ func (s *Server) Login(ctx context.Context,
 	}
 
 	resp := &api.Response{}
-	accessJwt, err := getAccessJwt(request.Userid, user.Groups)
+	accessJwt, err := getAccessJwt(user.UserID, user.Groups)
 	if err != nil {
 		errMsg := fmt.Sprintf("unable to get access jwt (userid=%s,addr=%s):%v",
-			request.Userid, addr, err)
+			user.UserID, addr, err)
 		glog.Errorf(errMsg)
 		return nil, fmt.Errorf(errMsg)
 	}
-	refreshJwt, err := getRefreshJwt(request.Userid)
+	refreshJwt, err := getRefreshJwt(user.UserID)
 	if err != nil {
 		errMsg := fmt.Sprintf("unable to get refresh jwt (userid=%s,addr=%s):%v",
-			request.Userid, addr, err)
+			user.UserID, addr, err)
 		glog.Errorf(errMsg)
 		return nil, fmt.Errorf(errMsg)
 	}
@@ -82,7 +80,7 @@ func (s *Server) Login(ctx context.Context,
 	jwtBytes, err := loginJwt.Marshal()
 	if err != nil {
 		errMsg := fmt.Sprintf("unable to marshal jwt (userid=%s,addr=%s):%v",
-			request.Userid, addr, err)
+			user.UserID, addr, err)
 		glog.Errorf(errMsg)
 		return nil, fmt.Errorf(errMsg)
 	}
@@ -217,8 +215,7 @@ func getAccessJwt(userId string, groups []acl.Group) (string, error) {
 		"userid": userId,
 		"groups": acl.GetGroupIDs(groups),
 		// set the jwt exp according to the ttl
-		"exp": json.Number(
-			strconv.FormatInt(time.Now().Add(Config.AccessJwtTtl).Unix(), 10)),
+		"exp": time.Now().Add(Config.AccessJwtTtl).Unix(),
 	})
 
 	jwtString, err := token.SignedString(Config.HmacSecret)
@@ -233,9 +230,7 @@ func getAccessJwt(userId string, groups []acl.Group) (string, error) {
 func getRefreshJwt(userId string) (string, error) {
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
 		"userid": userId,
-		// set the jwt exp according to the ttl
-		"exp": json.Number(
-			strconv.FormatInt(time.Now().Add(Config.RefreshJwtTtl).Unix(), 10)),
+		"exp":    time.Now().Add(Config.RefreshJwtTtl).Unix(),
 	})
 
 	jwtString, err := token.SignedString(Config.HmacSecret)
@@ -249,6 +244,7 @@ const queryUser = `
     query search($userid: string, $password: string){
       user(func: eq(dgraph.xid, $userid)) {
 	    uid
+        dgraph.xid
         password_match: checkpwd(dgraph.password, $password)
         dgraph.user.group {
           uid
@@ -453,14 +449,15 @@ func authorizeAlter(ctx context.Context, op *api.Operation) error {
 
 	// if we get here, we know the user is not Groot.
 	if op.DropAll {
-		return fmt.Errorf("only Groot is allowed to drop all data")
+		return fmt.Errorf("only Groot is allowed to drop all data, current user is %s", userData[0])
 	}
 
 	groupIds := userData[1:]
 	if len(op.DropAttr) > 0 {
 		// check that we have the modify permission on the predicate
 		if err := authorizePredicate(groupIds, op.DropAttr, acl.Modify); err != nil {
-			return fmt.Errorf("unauthorized to modify the predicate:%v", err)
+			return status.Error(codes.PermissionDenied,
+				fmt.Sprintf("unauthorized to alter the predicate:%v", err))
 		}
 		return nil
 	}
@@ -471,7 +468,8 @@ func authorizeAlter(ctx context.Context, op *api.Operation) error {
 	}
 	for _, update := range updates {
 		if err := authorizePredicate(groupIds, update.Predicate, acl.Modify); err != nil {
-			return fmt.Errorf("unauthorized to modify the predicate: %v", err)
+			return status.Error(codes.PermissionDenied,
+				fmt.Sprintf("unauthorized to alter the predicate: %v", err))
 		}
 	}
 	return nil
@@ -510,7 +508,8 @@ func authorizeMutation(ctx context.Context, mu *api.Mutation) error {
 	groupIds := userData[1:]
 	for pred := range parsePredsFromMutation(gmu.Set) {
 		if err := authorizePredicate(groupIds, pred, acl.Write); err != nil {
-			return fmt.Errorf("unauthorized to access the predicate: %v", err)
+			return status.Error(codes.PermissionDenied,
+				fmt.Sprintf("unauthorized to mutate the predicate: %v", err))
 		}
 	}
 	return nil
@@ -570,7 +569,7 @@ func authorizeQuery(ctx context.Context, req *api.Request) error {
 	for pred := range parsePredsFromQuery(parsedReq.Query) {
 		if err := authorizePredicate(groupIds, pred, acl.Read); err != nil {
 			return status.Error(codes.PermissionDenied,
-				fmt.Sprintf("unauthorized to access the predicate: %v", err))
+				fmt.Sprintf("unauthorized to query the predicate: %v", err))
 		}
 	}
 	return nil

diff --git a/ee/acl/acl_test.go b/ee/acl/acl_test.go
@@ -112,13 +112,16 @@ func testAuthorization(t *testing.T, dg *dgo.Dgraph) {
 	alterPredicateWithUserAccount(t, dg, true)
 	createGroupAndAcls(t)
 	// wait for 35 seconds to ensure the new acl have reached all acl caches
-	// on all alpha servers, this also tests that the automatic login with refresh
-	// jwt works after the access jwt expires in 30 seconds
 	log.Println("Sleeping for 35 seconds for acl to catch up")
 	time.Sleep(35 * time.Second)
-
 	queryPredicateWithUserAccount(t, dg, false)
+	// sleep long enough (10s per the docker-compose.yml in this directory)
+	// for the accessJwt to expire in order to test auto login through refresh jwt
+	log.Println("Sleeping for 12 seconds for accessJwt to expire")
+	time.Sleep(12 * time.Second)
 	mutatePredicateWithUserAccount(t, dg, false)
+	log.Println("Sleeping for 12 seconds for accessJwt to expire")
+	time.Sleep(12 * time.Second)
 	alterPredicateWithUserAccount(t, dg, false)
 }
 
@@ -151,10 +154,6 @@ func queryPredicateWithUserAccount(t *testing.T, dg *dgo.Dgraph, shouldFail bool
 
 func mutatePredicateWithUserAccount(t *testing.T, dg *dgo.Dgraph, shouldFail bool) {
 	ctx := context.Background()
-	if err := dg.Login(ctx, userid, userpassword); err != nil {
-		t.Fatalf("unable to login using the account %v", userid)
-	}
-
 	txn := dg.NewTxn()
 	_, err := txn.Mutate(ctx, &api.Mutation{
 		CommitNow: true,
@@ -170,10 +169,6 @@ func mutatePredicateWithUserAccount(t *testing.T, dg *dgo.Dgraph, shouldFail boo
 
 func alterPredicateWithUserAccount(t *testing.T, dg *dgo.Dgraph, shouldFail bool) {
 	ctx := context.Background()
-	if err := dg.Login(ctx, userid, userpassword); err != nil {
-		t.Fatalf("unable to login using the account %v", userid)
-	}
-
 	err := dg.Alter(ctx, &api.Operation{
 		Schema: fmt.Sprintf(`%s: int .`, predicateToAlter),
 	})

diff --git a/ee/acl/docker-compose.yml b/ee/acl/docker-compose.yml
@@ -37,7 +37,7 @@ services:
       - 9180:9180
     security_opt:
       - seccomp:unconfined
-    command: /gobin/dgraph alpha --my=dg1:7180 --lru_mb=1024 --zero=zero1:5080 -o 100 --expose_trace  --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=3 --hmac_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 30s
+    command: /gobin/dgraph alpha --my=dg1:7180 --lru_mb=1024 --zero=zero1:5080 -o 100 --expose_trace  --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=3 --hmac_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
     labels:
       cluster: test
 
@@ -58,6 +58,6 @@ services:
       - 9182:9182
     security_opt:
       - seccomp:unconfined
-    command: /gobin/dgraph alpha --my=dg2:7182 --lru_mb=1024 --zero=zero1:5080 -o 102 --expose_trace  --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=3 --hmac_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 30s
+    command: /gobin/dgraph alpha --my=dg2:7182 --lru_mb=1024 --zero=zero1:5080 -o 102 --expose_trace  --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=3 --hmac_secret_file /dgraph-acl/hmac-secret --enterprise_features --acl_access_ttl 10s
     labels:
       cluster: test