feat(acl): support more JWT algorithms for ACL

dgraph/cmd/alpha/run.go

@@ -656,9 +656,10 @@ func run() {
 	keys, err := ee.GetKeys(Alpha.Conf)
 	x.Check(err)
 
-	if keys.AclKey != nil {
-		opts.HmacSecret = keys.AclKey
-		opts.UsePublicKey = keys.UsePublicKey
+	if keys.AclSecretKey != nil {
+		opts.AclJwtAlg = keys.AclJwtAlg
+		opts.AclSecretKey = keys.AclSecretKey
+		opts.AclSecretKeyBytes = keys.AclSecretKeyBytes
 		opts.AccessJwtTtl = keys.AclAccessTtl
 		opts.RefreshJwtTtl = keys.AclRefreshTtl
 		glog.Info("ACL secret key loaded successfully.")
@@ -697,14 +698,14 @@ func run() {
 		Raft:                raft,
 		WhiteListedIPRanges: ips,
 		StrictMutations:     opts.MutationsMode == worker.StrictMutations,
-		AclEnabled:          keys.AclKey != nil,
+		AclEnabled:          keys.AclSecretKey != nil,
 		AbortOlderThan:      abortDur,
 		StartTime:           startTime,
 		Security:            security,
 		TLSClientConfig:     tlsClientConf,
 		TLSServerConfig:     tlsServerConf,
-		HmacSecret:          opts.HmacSecret,
-		UsePublicKey:        opts.UsePublicKey,
+		AclJwtAlg:           keys.AclJwtAlg,
+		AclPublicKey:        keys.AclPublicKey,
 		Audit:               opts.Audit != nil,
 		Badger:              bopts,
 	}

dgraph/cmd/zero/zero_test.go

@@ -21,7 +21,7 @@ package zero
 import (
 	"context"
 	"encoding/json"
-	"io/ioutil"
+	"io"
 	"math"
 	"net/http"
 	"net/url"
@@ -136,7 +136,7 @@ func TestZeroHealth(t *testing.T) {
 	require.NoError(t, err)
 	defer resp.Body.Close()
 
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	require.NoError(t, err)
 
 	var r map[string]interface{}
@@ -158,7 +158,7 @@ func TestZeroHealth(t *testing.T) {
 	require.NoError(t, err)
 	defer resp.Body.Close()
 
-	body, err = ioutil.ReadAll(resp.Body)
+	body, err = io.ReadAll(resp.Body)
 	require.NoError(t, err)
 	require.Equal(t, string(body), "OK")
 }

dgraphtest/.gitignore

@@ -1,2 +1,4 @@
 repo
 binaries
+data
+secrets

dgraphtest/config.go

@@ -21,14 +21,19 @@ import (
 	"math/rand"
 	"os"
 	"time"
+
+	"github.com/golang-jwt/jwt/v5"
 )
 
+// UpgradeCombo represents a version combination before and
+// after the upgrade, and the strategy for upgrading
 type UpgradeCombo struct {
 	Before   string
 	After    string
 	Strategy UpgradeStrategy
 }
 
+// AllUpgradeCombos returns all possible upgrade combinations for which tests need to run
 func AllUpgradeCombos() []UpgradeCombo {
 	fixedVersionCombos := []UpgradeCombo{
 		// OPEN SOURCE RELEASES
@@ -78,6 +83,7 @@ func AllUpgradeCombos() []UpgradeCombo {
 	}
 }
 
+// ClusterConfig stores all config for setting up a dgraph cluster
 type ClusterConfig struct {
 	prefix         string
 	numAlphas      int
@@ -86,18 +92,19 @@ type ClusterConfig struct {
 	verbosity      int
 	acl            bool
 	aclTTL         time.Duration
+	aclAlg         jwt.SigningMethod
 	encryption     bool
 	version        string
 	volumes        map[string]string
 	refillInterval time.Duration
 	uidLease       int
-	// exposed port offset for grpc/http port for both alpha/zero
-	portOffset   int
-	bulkOutDir   string
-	lambdaURL    string
-	featureFlags []string
+	portOffset     int // exposed port offset for grpc/http port for both alpha/zero
+	bulkOutDir     string
+	lambdaURL      string
+	featureFlags   []string
 }
 
+// NewClusterConfig generates a default ClusterConfig
 func NewClusterConfig() ClusterConfig {
 	prefix := fmt.Sprintf("dgraphtest-%d", rand.NewSource(time.Now().UnixNano()).Int63()%1000000)
 	defaultBackupVol := fmt.Sprintf("%v_backup", prefix)
@@ -116,37 +123,51 @@ func NewClusterConfig() ClusterConfig {
 	}
 }
 
+// WithNAlphas sets the number of alphas in the cluster
 func (cc ClusterConfig) WithNumAlphas(n int) ClusterConfig {
 	cc.numAlphas = n
 	return cc
 }
 
+// WithNumZeros sets the number of zero nodes in the Dgraph cluster
 func (cc ClusterConfig) WithNumZeros(n int) ClusterConfig {
 	cc.numZeros = n
 	return cc
 }
 
+// WithReplicas sets the number of replicas in each alpha group
 func (cc ClusterConfig) WithReplicas(n int) ClusterConfig {
 	cc.replicas = n
 	return cc
 }
 
+// WithVerbsity sets the verbosity level for the logs
 func (cc ClusterConfig) WithVerbosity(v int) ClusterConfig {
 	cc.verbosity = v
 	return cc
 }
 
+// WithAcl enables ACL feature for Dgraph cluster
 func (cc ClusterConfig) WithACL(aclTTL time.Duration) ClusterConfig {
 	cc.acl = true
 	cc.aclTTL = aclTTL
 	return cc
 }
 
+// WithAclAlg sets the JWT signing algorithm for dgraph ACLs
+func (cc ClusterConfig) WithAclAlg(alg jwt.SigningMethod) ClusterConfig {
+	cc.acl = true
+	cc.aclAlg = alg
+	return cc
+}
+
+// WithEncryption enables encryption for the cluster
 func (cc ClusterConfig) WithEncryption() ClusterConfig {
 	cc.encryption = true
 	return cc
 }
 
+// WithVersion sets the Dgraph version for the cluster
 func (cc ClusterConfig) WithVersion(version string) ClusterConfig {
 	cc.version = version
 	return cc
@@ -159,11 +180,13 @@ func (cc ClusterConfig) WithAlphaVolume(volname, dir string) ClusterConfig {
 	return cc
 }
 
+// WithRefillInterval sets the refill interval for replenishing UIDs
 func (cc ClusterConfig) WithRefillInterval(interval time.Duration) ClusterConfig {
 	cc.refillInterval = interval * time.Second
 	return cc
 }
 
+// WithUidLease sets the number of UIDs to replenish after refill interval
 func (cc ClusterConfig) WithUidLease(uidLease int) ClusterConfig {
 	cc.uidLease = uidLease
 	return cc

dgraphtest/dgraph.go

@@ -51,7 +51,7 @@ const (
 	DefaultBackupDir = "/data/backups"
 	DefaultExportDir = "/data/exports"
 
-	aclSecretMountPath = "/dgraph-acl/hmac-secret"
+	aclSecretMountPath = "/dgraph-acl/secret-key"
 	encKeyMountPath    = "/dgraph-enc/enc-key"
 
 	DefaultUser     = "groot"
@@ -231,7 +231,14 @@ func (a *alpha) cmd(c *LocalCluster) []string {
 		`--security=whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16`}
 
 	if c.conf.acl {
-		acmd = append(acmd, fmt.Sprintf(`--acl=secret-file=%s;access-ttl=%s`, aclSecretMountPath, c.conf.aclTTL))
+		aclPart := "--acl="
+		if c.conf.aclTTL > 0 {
+			aclPart += fmt.Sprintf(`secret-file=%s;access-ttl=%s;`, aclSecretMountPath, c.conf.aclTTL)
+		}
+		if c.conf.aclAlg != nil {
+			aclPart += fmt.Sprintf(`jwt-alg=%s`, c.conf.aclAlg.Alg())
+		}
+		acmd = append(acmd, aclPart)
 	}
 	if c.conf.encryption {
 		acmd = append(acmd, fmt.Sprintf(`--encryption=key-file=%v`, encKeyMountPath))

dgraphtest/acl.go → dgraphtest/ee.go

@@ -19,6 +19,7 @@ package dgraphtest
 import (
 	"encoding/json"
 	"fmt"
+	"strings"
 
 	"github.com/pkg/errors"
 )
@@ -390,3 +391,65 @@ func (hc *HTTPClient) UpdateGroup(name string, setRules []AclRule, removeRules [
 	}
 	return &result.UpdateGroup.Group[0], nil
 }
+
+func (hc *HTTPClient) AddNamespace() (uint64, error) {
+	const createNs = `mutation {
+		addNamespace {
+			namespaceId
+			message
+		}
+	}`
+
+	params := GraphQLParams{Query: createNs}
+	resp, err := hc.RunGraphqlQuery(params, true)
+	if err != nil {
+		return 0, err
+	}
+
+	var result struct {
+		AddNamespace struct {
+			NamespaceId uint64 `json:"namespaceId"`
+			Message     string `json:"message"`
+		}
+	}
+	if err := json.Unmarshal(resp, &result); err != nil {
+		return 0, errors.Wrap(err, "error unmarshalling response")
+	}
+	if strings.Contains(result.AddNamespace.Message, "Created namespace successfully") {
+		return result.AddNamespace.NamespaceId, nil
+	}
+	return 0, errors.New(result.AddNamespace.Message)
+}
+
+func (hc *HTTPClient) DeleteNamespace(nsID uint64) (uint64, error) {
+	const deleteReq = `mutation deleteNamespace($namespaceId: Int!) {
+		deleteNamespace(input: {namespaceId: $namespaceId}) {
+			namespaceId
+			message
+		}
+	}`
+
+	params := GraphQLParams{
+		Query:     deleteReq,
+		Variables: map[string]interface{}{"namespaceId": nsID},
+	}
+	resp, err := hc.RunGraphqlQuery(params, true)
+	if err != nil {
+		return 0, err
+	}
+
+	var result struct {
+		DeleteNamespace struct {
+			NamespaceId uint64 `json:"namespaceId"`
+			Message     string `json:"message"`
+		}
+	}
+
+	if err := json.Unmarshal(resp, &result); err != nil {
+		return 0, errors.Wrap(err, "error unmarshalling CreateNamespaceWithRetry() response")
+	}
+	if strings.Contains(result.DeleteNamespace.Message, "Deleted namespace successfully") {
+		return result.DeleteNamespace.NamespaceId, nil
+	}
+	return 0, errors.New(result.DeleteNamespace.Message)
+}

dgraphtest/image.go

@@ -38,21 +38,21 @@ func (c *LocalCluster) setupBinary() error {
 		return copyBinary(fromDir, c.tempBinDir, c.conf.version)
 	}
 
-	isFileThere, err := fileExists(filepath.Join(binDir, fmt.Sprintf(binaryNameFmt, c.conf.version)))
+	isFileThere, err := fileExists(filepath.Join(binariesPath, fmt.Sprintf(binaryNameFmt, c.conf.version)))
 	if err != nil {
 		return err
 	}
 	if isFileThere {
-		return copyBinary(binDir, c.tempBinDir, c.conf.version)
+		return copyBinary(binariesPath, c.tempBinDir, c.conf.version)
 	}
 
 	if err := runGitCheckout(c.conf.version); err != nil {
 		return err
 	}
-	if err := buildDgraphBinary(repoDir, binDir, c.conf.version); err != nil {
+	if err := buildDgraphBinary(repoDir, binariesPath, c.conf.version); err != nil {
 		return err
 	}
-	return copyBinary(binDir, c.tempBinDir, c.conf.version)
+	return copyBinary(binariesPath, c.tempBinDir, c.conf.version)
 }
 
 func ensureDgraphClone() error {