Fix(GraphQL): Add support for using auth with secret directive (#6907) (#6920)

* Fix(GraphQL): Add support for using auth with secret directive (#6907)

* Add password field in auth directive

* Add query resolving tests

* Add e2e tests

* Address feedback

(cherry picked from commit 3311923)

* Fix failing auth tests (#6923)

(cherry picked from commit 74fb2c7)

Author: vmrajas

graphql/e2e/auth/add_mutation_test.go

@@ -159,6 +159,7 @@ func TestAuth_AddOnTypeWithRBACRuleOnInterface(t *testing.T) {
 		role: "ADMIN",
 		variables: map[string]interface{}{"fbpost": &FbPost{
 			Text: "New FbPost",
+			Pwd:  "password",
 			Author: &Author{
 				Name: "[email protected]",
 			},
@@ -177,6 +178,7 @@ func TestAuth_AddOnTypeWithRBACRuleOnInterface(t *testing.T) {
 		role: "USER",
 		variables: map[string]interface{}{"fbpost": &FbPost{
 			Text: "New FbPost",
+			Pwd:  "password",
 			Author: &Author{
 				Name: "[email protected]",
 			},
@@ -264,6 +266,7 @@ func TestAuth_AddOnTypeWithGraphTraversalRuleOnInterface(t *testing.T) {
 		ans:  true,
 		variables: map[string]interface{}{"question": &Question{
 			Text: "A Question",
+			Pwd:  "password",
 			Author: &Author{
 				Name: "[email protected]",
 			},
@@ -275,6 +278,7 @@ func TestAuth_AddOnTypeWithGraphTraversalRuleOnInterface(t *testing.T) {
 		ans:  false,
 		variables: map[string]interface{}{"question": &Question{
 			Text: "A Question",
+			Pwd:  "password",
 			Author: &Author{
 				Name: "user1",
 			},
@@ -287,6 +291,7 @@ func TestAuth_AddOnTypeWithGraphTraversalRuleOnInterface(t *testing.T) {
 			ans:  true,
 			variables: map[string]interface{}{"question": &Question{
 				Text: "A Question",
+				Pwd:  "password",
 				Author: &Author{
 					Name: "user1",
 				},
@@ -361,6 +366,7 @@ func TestAddDeepFilter(t *testing.T) {
 			Name: "column_add_1",
 			InProject: &Project{
 				Name: "project_add_1",
+				Pwd:  "password1",
 			},
 		}},
 	}, {
@@ -372,10 +378,12 @@ func TestAddDeepFilter(t *testing.T) {
 			Name: "column_add_2",
 			InProject: &Project{
 				Name: "project_add_2",
+				Pwd:  "password2",
 				Roles: []*Role{{
 					Permission: "ADMIN",
 					AssignedTo: []*common.User{{
 						Username: "user2",
+						Password: "password",
 					}},
 				}},
 			},
@@ -388,15 +396,18 @@ func TestAddDeepFilter(t *testing.T) {
 			Name: "column_add_3",
 			InProject: &Project{
 				Name: "project_add_4",
+				Pwd:  "password4",
 				Roles: []*Role{{
 					Permission: "ADMIN",
 					AssignedTo: []*common.User{{
 						Username: "user6",
+						Password: "password",
 					}},
 				}, {
 					Permission: "VIEW",
 					AssignedTo: []*common.User{{
 						Username: "user6",
+						Password: "password",
 					}},
 				}},
 			},
@@ -468,6 +479,7 @@ func TestAddOrRBACFilter(t *testing.T) {
 		result: `{"addProject": {"project":[{"name":"project_add_1"}]}}`,
 		variables: map[string]interface{}{"project": &Project{
 			Name: "project_add_1",
+			Pwd:  "password1",
 		}},
 	}, {
 		// Test case fails as the role isn't assigned to the correct user
@@ -476,10 +488,12 @@ func TestAddOrRBACFilter(t *testing.T) {
 		result: ``,
 		variables: map[string]interface{}{"project": &Project{
 			Name: "project_add_2",
+			Pwd:  "password2",
 			Roles: []*Role{{
 				Permission: "ADMIN",
 				AssignedTo: []*common.User{{
 					Username: "user2",
+					Password: "password",
 				}},
 			}},
 		}},
@@ -489,15 +503,18 @@ func TestAddOrRBACFilter(t *testing.T) {
 		result: `{"addProject": {"project":[{"name":"project_add_3"}]}}`,
 		variables: map[string]interface{}{"project": &Project{
 			Name: "project_add_3",
+			Pwd:  "password3",
 			Roles: []*Role{{
 				Permission: "ADMIN",
 				AssignedTo: []*common.User{{
 					Username: "user7",
+					Password: "password",
 				}},
 			}, {
 				Permission: "VIEW",
 				AssignedTo: []*common.User{{
 					Username: "user7",
+					Password: "password",
 				}},
 			}},
 		}},
@@ -817,13 +834,15 @@ func TestAddRBACFilter(t *testing.T) {
 		result: `{"addLog": {"log":[{"logs":"log_add_1"}]}}`,
 		variables: map[string]interface{}{"issue": &Log{
 			Logs: "log_add_1",
+			Pwd:  "password1",
 		}},
 	}, {
 		user:   "user1",
 		role:   "USER",
 		result: ``,
 		variables: map[string]interface{}{"issue": &Log{
 			Logs: "log_add_2",
+			Pwd:  "password2",
 		}},
 	}}
 

graphql/e2e/auth/auth_test.go

@@ -24,6 +24,8 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/google/go-cmp/cmp/cmpopts"
+
 	"github.com/dgraph-io/dgraph/graphql/e2e/common"
 	"github.com/dgraph-io/dgraph/testutil"
 	"github.com/dgrijalva/jwt-go/v4"
@@ -76,6 +78,7 @@ type Question struct {
 	Text     string  `json:"text,omitempty"`
 	Answered bool    `json:"answered,omitempty"`
 	Author   *Author `json:"author,omitempty"`
+	Pwd      string  `json:"pwd,omitempty"`
 }
 
 type Answer struct {
@@ -91,12 +94,14 @@ type FbPost struct {
 	Sender    *Author `json:"sender,omitempty"`
 	Receiver  *Author `json:"receiver,omitempty"`
 	PostCount int     `json:"postCount,omitempty"`
+	Pwd       string  `json:"pwd,omitempty"`
 }
 
 type Log struct {
 	Id     string `json:"id,omitempty"`
 	Logs   string `json:"logs,omitempty"`
 	Random string `json:"random,omitempty"`
+	Pwd    string `json:"pwd,omitempty"`
 }
 
 type ComplexLog struct {
@@ -130,6 +135,7 @@ type Project struct {
 	Name    string    `json:"name,omitempty"`
 	Roles   []*Role   `json:"roles,omitempty"`
 	Columns []*Column `json:"columns,omitempty"`
+	Pwd     string    `json:"pwd,omitempty"`
 }
 
 type Student struct {
@@ -1615,3 +1621,152 @@ func TestChildCountQueryWithOtherFields(t *testing.T) {
 		})
 	}
 }
+
+func checkLogPassword(t *testing.T, logID, pwd, role string) *common.GraphQLResponse {
+	// Check Log Password for given logID, pwd, role
+	checkLogParamsFalse := &common.GraphQLParams{
+		Headers: common.GetJWT(t, "SomeUser", role, metaInfo),
+		Query: `query checkLogPassword($name: ID!, $pwd: String!) {
+			checkLogPassword(id: $name, pwd: $pwd) { id }
+		}`,
+		Variables: map[string]interface{}{
+			"name": logID,
+			"pwd":  pwd,
+		},
+	}
+
+	gqlResponse := checkLogParamsFalse.ExecuteAsPost(t, graphqlURL)
+	common.RequireNoGQLErrors(t, gqlResponse)
+	return gqlResponse
+}
+
+func deleteLog(t *testing.T, logID string) {
+	deleteLogParams := &common.GraphQLParams{
+		Query: `
+		mutation DelLog($logID: ID!) {
+		  deleteLog(filter:{id:[$logID]}) {
+			numUids
+		  }
+		}
+		`,
+		Variables: map[string]interface{}{"logID": logID},
+		Headers:   common.GetJWT(t, "SomeUser", "ADMIN", metaInfo),
+	}
+	gqlResponse := deleteLogParams.ExecuteAsPost(t, graphqlURL)
+	require.Nil(t, gqlResponse.Errors)
+}
+
+func deleteUser(t *testing.T, username string) {
+	deleteUserParams := &common.GraphQLParams{
+		Headers: common.GetJWT(t, username, "ADMIN", metaInfo),
+		Query: `
+		mutation DelUser($username: String!) {
+		  deleteUser(filter:{username: {eq: $username } } ) {
+			numUids
+		  }
+		}
+		`,
+		Variables: map[string]interface{}{"username": username},
+	}
+	gqlResponse := deleteUserParams.ExecuteAsPost(t, graphqlURL)
+	require.Nil(t, gqlResponse.Errors)
+}
+
+func TestAuthWithSecretDirective(t *testing.T) {
+
+	// Check that no auth rule is applied to checkUserPassword query.
+	newUser := &common.User{
+		Username: "Test User",
+		Password: "password",
+		IsPublic: true,
+	}
+
+	addUserParams := &common.GraphQLParams{
+		Query: `mutation addUser($user: [AddUserInput!]!) {
+			addUser(input: $user) {
+				user {
+					username
+				}
+			}
+		}`,
+		Variables: map[string]interface{}{"user": []*common.User{newUser}},
+	}
+
+	gqlResponse := addUserParams.ExecuteAsPost(t, graphqlURL)
+	require.Equal(t, `{"addUser":{"user":[{"username":"Test User"}]}}`,
+		string(gqlResponse.Data))
+
+	checkUserParams := &common.GraphQLParams{
+		Query: `query checkUserPassword($name: String!, $pwd: String!) {
+					checkUserPassword(username: $name, password: $pwd) { 
+						username
+						isPublic
+					}
+				}`,
+		Variables: map[string]interface{}{
+			"name": newUser.Username,
+			"pwd":  newUser.Password,
+		},
+	}
+
+	gqlResponse = checkUserParams.ExecuteAsPost(t, graphqlURL)
+	common.RequireNoGQLErrors(t, gqlResponse)
+
+	var result struct {
+		CheckUserPassword *common.User `json:"checkUserPassword,omitempty"`
+	}
+
+	err := json.Unmarshal([]byte(gqlResponse.Data), &result)
+	require.Nil(t, err)
+
+	opt := cmpopts.IgnoreFields(common.User{}, "Password")
+	if diff := cmp.Diff(newUser, result.CheckUserPassword, opt); diff != "" {
+		t.Errorf("result mismatch (-want +got):\n%s", diff)
+	}
+	deleteUser(t, newUser.Username)
+
+	// Check that checkLogPassword works with RBAC rule
+	newLog := &Log{
+		Pwd: "password",
+	}
+
+	addLogParams := &common.GraphQLParams{
+		Headers: common.GetJWT(t, "Random", "ADMIN", metaInfo),
+		Query: `mutation addLog($log: [AddLogInput!]!) {
+			addLog(input: $log) {
+				log {
+					id
+				}
+			}
+		}`,
+		Variables: map[string]interface{}{"log": []*Log{newLog}},
+	}
+
+	gqlResponse = addLogParams.ExecuteAsPost(t, graphqlURL)
+	var addLogResult struct {
+		AddLog struct {
+			Log []*Log
+		}
+	}
+
+	err = json.Unmarshal([]byte(gqlResponse.Data), &addLogResult)
+	require.Nil(t, err)
+	// Id of the created log
+	logID := addLogResult.AddLog.Log[0].Id
+
+	// checkLogPassword with RBAC rule true should work
+	gqlResponse = checkLogPassword(t, logID, newLog.Pwd, "Admin")
+	var resultLog struct {
+		CheckLogPassword *Log `json:"checkLogPassword,omitempty"`
+	}
+
+	err = json.Unmarshal([]byte(gqlResponse.Data), &resultLog)
+	require.Nil(t, err)
+
+	require.Equal(t, resultLog.CheckLogPassword.Id, logID)
+
+	// checkLogPassword with RBAC rule false should not work
+	gqlResponse = checkLogPassword(t, logID, newLog.Pwd, "USER")
+	require.JSONEq(t, `{"checkLogPassword": null}`, string(gqlResponse.Data))
+	deleteLog(t, logID)
+}

graphql/e2e/auth/delete_mutation_test.go

@@ -29,13 +29,13 @@ func (l *Log) add(t *testing.T, user, role string) {
 	getParams := &common.GraphQLParams{
 		Headers: common.GetJWT(t, user, role, metaInfo),
 		Query: `
-		mutation addLog($log: AddLogInput!) {
-		  addLog(input: [$log]) {
+		mutation addLog($pwd: String!, $logs: String, $random: String) {
+		  addLog(input: [{pwd: $pwd, logs: $logs, random: $random}]) {
 			numUids
 		  }
 		}
 		`,
-		Variables: map[string]interface{}{"log": l},
+		Variables: map[string]interface{}{"pwd": "password", "logs": l.Logs, "random": l.Random},
 	}
 	gqlResponse := getParams.ExecuteAsPost(t, graphqlURL)
 	require.Nil(t, gqlResponse.Errors)
@@ -93,13 +93,13 @@ func (q *Question) add(t *testing.T, user string, ans bool) {
 	getParams := &common.GraphQLParams{
 		Headers: common.GetJWTForInterfaceAuth(t, user, "", ans, metaInfo),
 		Query: `
-		mutation addQuestion($text: String!,$id: ID!, $ans: Boolean ){
-			addQuestion(input: [{text: $text, author: {id: $id}, answered: $ans }]){
+		mutation addQuestion($text: String!,$id: ID!, $ans: Boolean, $pwd: String! ){
+			addQuestion(input: [{text: $text, author: {id: $id}, answered: $ans, pwd: $pwd }]){
 			  numUids
 			}
 		  }
 		`,
-		Variables: map[string]interface{}{"text": q.Text, "ans": q.Answered, "id": q.Author.Id},
+		Variables: map[string]interface{}{"text": q.Text, "ans": q.Answered, "id": q.Author.Id, "pwd": "password"},
 	}
 	gqlResponse := getParams.ExecuteAsPost(t, graphqlURL)
 	require.Nil(t, gqlResponse.Errors)
@@ -109,13 +109,13 @@ func (a *Answer) add(t *testing.T, user string) {
 	getParams := &common.GraphQLParams{
 		Headers: common.GetJWT(t, user, "", metaInfo),
 		Query: `
-		mutation addAnswer($text: String!,$id: ID!){
-			addAnswer(input: [{text: $text, author: {id: $id}}]){
+		mutation addAnswer($text: String!,$id: ID!, $pwd: String!){
+			addAnswer(input: [{text: $text, pwd: $pwd, author: {id: $id}}]){
 			  numUids
 			}
 		  }
 		`,
-		Variables: map[string]interface{}{"text": a.Text, "id": a.Author.Id},
+		Variables: map[string]interface{}{"text": a.Text, "id": a.Author.Id, "pwd": "password"},
 	}
 	gqlResponse := getParams.ExecuteAsPost(t, graphqlURL)
 	require.Nil(t, gqlResponse.Errors)
@@ -125,13 +125,13 @@ func (f *FbPost) add(t *testing.T, user, role string) {
 	getParams := &common.GraphQLParams{
 		Headers: common.GetJWT(t, user, role, metaInfo),
 		Query: `
-		mutation addFbPost($text: String!,$id1: ID!,$id2:ID!, $id3: ID!, $postCount: Int! ){
-			addFbPost(input: [{text: $text, author: {id: $id1},sender: {id: $id2}, receiver: {id: $id3}, postCount: $postCount }]){
+		mutation addFbPost($text: String!,$id1: ID!,$id2:ID!, $id3: ID!, $postCount: Int!, $pwd: String! ){
+			addFbPost(input: [{text: $text, author: {id: $id1},sender: {id: $id2}, receiver: {id: $id3}, postCount: $postCount, pwd: $pwd }]){
 			  numUids
 			}
 		  }
 		`,
-		Variables: map[string]interface{}{"text": f.Text, "id1": f.Author.Id, "id2": f.Sender.Id, "id3": f.Receiver.Id, "postCount": f.PostCount},
+		Variables: map[string]interface{}{"text": f.Text, "id1": f.Author.Id, "id2": f.Sender.Id, "id3": f.Receiver.Id, "postCount": f.PostCount, "pwd": "password"},
 	}
 	gqlResponse := getParams.ExecuteAsPost(t, graphqlURL)
 	require.Nil(t, gqlResponse.Errors)