Skip to content

Commit

Permalink
fix(GraphQL): Nested Auth Rules not working properly. (#7915) (#8084) (
Browse files Browse the repository at this point in the history
…#8571)

Improves nested auth rule implementation in graphql.

(cherry picked from commit e7a1931)

Co-authored-by: minhaj-shakeel <[email protected]>
(cherry picked from commit 26845c4)

Co-authored-by: Naman Jain <[email protected]>
  • Loading branch information
all-seeing-code and NamanJain8 authored Jan 6, 2023
1 parent 412cfc3 commit d09d679
Show file tree
Hide file tree
Showing 3 changed files with 44 additions and 4 deletions.
38 changes: 38 additions & 0 deletions graphql/e2e/auth/auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -513,6 +513,44 @@ func TestAuthOnInterfaces(t *testing.T) {
}
}

func TestNestedAndAuthRulesWithMissingJWT(t *testing.T) {
addParams := &common.GraphQLParams{
Query: `
mutation($user1: String!, $user2: String!){
addGroup(input: [{users: {username: $user1}, createdBy: {username: $user2}}, {users: {username: $user2}, createdBy: {username: $user1}}]){
numUids
}
}
`,
Variables: map[string]interface{}{"user1": "user1", "user2": "user2"},
}
gqlResponse := addParams.ExecuteAsPost(t, common.GraphqlURL)
common.RequireNoGQLErrors(t, gqlResponse)
require.JSONEq(t, `{"addGroup": {"numUids": 2}}`, string(gqlResponse.Data))

queryParams := &common.GraphQLParams{
Query: `
query{
queryGroup{
users{
username
}
}
}
`,
Headers: common.GetJWT(t, "user1", nil, metaInfo),
}

expectedJSON := `{"queryGroup": [{"users": [{"username": "user1"}]}]}`

gqlResponse = queryParams.ExecuteAsPost(t, common.GraphqlURL)
common.RequireNoGQLErrors(t, gqlResponse)
require.JSONEq(t, expectedJSON, string(gqlResponse.Data))

deleteFilter := map[string]interface{}{"has": "users"}
common.DeleteGqlType(t, "Group", deleteFilter, 2, nil)
}

func TestAuthRulesWithNullValuesInJWT(t *testing.T) {
testCases := []TestCase{
{
Expand Down
5 changes: 1 addition & 4 deletions graphql/resolve/auth_query_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -644,14 +644,11 @@
queryGroup(func: uid(GroupRoot)) {
Group.id : uid
}
GroupRoot as var(func: uid(Group_1)) @filter((uid(Group_Auth2) OR uid(Group_Auth3)))
GroupRoot as var(func: uid(Group_1)) @filter(uid(Group_Auth2))
Group_1 as var(func: type(Group))
Group_Auth2 as var(func: uid(Group_1)) @cascade {
Group.users : Group.users @filter(eq(User.username, "user1"))
}
Group_Auth3 as var(func: uid(Group_1)) @cascade {
Group.createdBy : Group.createdBy @filter(eq(User.username, "user1"))
}
}
- name: "Auth with top level OR rbac false"
Expand Down
5 changes: 5 additions & 0 deletions graphql/resolve/query_rewriter.go
Original file line number Diff line number Diff line change
Expand Up @@ -978,6 +978,11 @@ func (authRw *authRewriter) rewriteRuleNode(

switch {
case len(rn.And) > 0:
// if there is atleast one RBAC rule which is false, then this
// whole And block needs to be ignored.
if rn.EvaluateStatic(authRw.authVariables) == schema.Negative {
return nil, nil
}
qrys, filts := nodeList(typ, rn.And)
if len(filts) == 0 {
return qrys, nil
Expand Down

0 comments on commit d09d679

Please sign in to comment.