Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove unauthorized predicates from query #4479

Merged
merged 12 commits into from
Jan 9, 2020
167 changes: 96 additions & 71 deletions edgraph/access_ee.go
Original file line number Diff line number Diff line change
Expand Up @@ -460,7 +460,10 @@ func extractUserAndGroups(ctx context.Context) ([]string, error) {
return validateToken(accessJwt[0])
}

func authorizePreds(userId string, groupIds, preds []string, aclOp *acl.Operation) error {
func authorizePreds(userId string, groupIds, preds []string,
aclOp *acl.Operation) map[string]struct{} {

blockedPreds := make(map[string]struct{})
for _, pred := range preds {
if err := aclCachePtr.authorizePredicate(groupIds, pred, aclOp); err != nil {
logAccess(&accessEntry{
Expand All @@ -471,21 +474,10 @@ func authorizePreds(userId string, groupIds, preds []string, aclOp *acl.Operatio
allowed: false,
})

var op string
switch aclOp.Name {
case acl.OpModify:
op = "alter"
case acl.OpWrite:
op = "mutate"
case acl.OpRead:
op = "query"
}

return status.Errorf(codes.PermissionDenied,
"unauthorized to %s the predicate: %v", op, err)
blockedPreds[pred] = struct{}{}
}
}
return nil
return blockedPreds
}

// authorizeAlter parses the Schema in the operation and authorizes the operation
Expand Down Expand Up @@ -521,30 +513,36 @@ func authorizeAlter(ctx context.Context, op *api.Operation) error {
// as a byproduct, it also sets the userId, groups variables
doAuthorizeAlter := func() error {
userData, err := extractUserAndGroups(ctx)
switch {
case err == errNoJwt:
// treat the user as an anonymous guest who has not joined any group yet
// such a user can still get access to predicates that have no ACL rule defined, per the
// fail open approach
case err != nil:
if err != nil {
// We don't follow fail open approach anymore.
return status.Error(codes.Unauthenticated, err.Error())
default:
userId = userData[0]
groupIds = userData[1:]
}

if x.IsGuardian(groupIds) {
// Members of guardian group are allowed to alter anything.
return nil
}
userId = userData[0]
groupIds = userData[1:]

if x.IsGuardian(groupIds) {
// Members of guardian group are allowed to alter anything.
return nil
}

// if we get here, we know the user is not Groot.
// if we get here, we know the user is not a guardian.
if isDropAll(op) || op.DropOp == api.Operation_DATA {
return errors.Errorf(
"only Groot is allowed to drop all data, but the current user is %s", userId)
"only guardians are allowed to drop all data, but the current user is %s", userId)
}

return authorizePreds(userId, groupIds, preds, acl.Modify)
unAuthPreds := authorizePreds(userId, groupIds, preds, acl.Modify)
if len(unAuthPreds) > 0 {
var preds []string
for key := range unAuthPreds {
preds = append(preds, key)
}
return status.Errorf(codes.PermissionDenied,
"unauthorized to alter following predicates: %s\n",
strings.Join(preds, ","))
}
return nil
}

err := doAuthorizeAlter()
Expand Down Expand Up @@ -621,33 +619,42 @@ func authorizeMutation(ctx context.Context, gmu *gql.Mutation) error {
// as a byproduct, it also sets the userId and groups
doAuthorizeMutation := func() error {
userData, err := extractUserAndGroups(ctx)
switch {
case err == errNoJwt:
// treat the user as an anonymous guest who has not joined any group yet
// such a user can still get access to predicates that have no ACL rule defined
case err != nil:
if err != nil {
// We don't follow fail open approach anymore.
return status.Error(codes.Unauthenticated, err.Error())
default:
userId = userData[0]
groupIds = userData[1:]

if x.IsGuardian(groupIds) {
// Members of guardians group are allowed to mutate anything
// (including delete) except the permission of the acl predicates.
switch {
case isAclPredMutation(gmu.Set):
return errors.Errorf("the permission of ACL predicates can not be changed")
case isAclPredMutation(gmu.Del):
return errors.Errorf("ACL predicates can't be deleted")
}
return nil
}

userId = userData[0]
groupIds = userData[1:]

if x.IsGuardian(groupIds) {
// Members of guardians group are allowed to mutate anything
// (including delete) except the permission of the acl predicates.
switch {
case isAclPredMutation(gmu.Set):
return errors.Errorf("the permission of ACL predicates can not be changed")
case isAclPredMutation(gmu.Del):
return errors.Errorf("ACL predicates can't be deleted")
}
return nil
}

unAuthPreds := authorizePreds(userId, groupIds, preds, acl.Write)
if len(unAuthPreds) > 0 {
var preds []string
for key := range unAuthPreds {
preds = append(preds, key)
}
return status.Errorf(codes.PermissionDenied,
"unauthorized to mutate following predicates: %s\n",
strings.Join(preds, ","))
}

return authorizePreds(userId, groupIds, preds, acl.Write)
return nil
}

err := doAuthorizeMutation()

span := otrace.FromContext(ctx)
if span != nil {
span.Annotatef(nil, (&accessEntry{
Expand Down Expand Up @@ -714,35 +721,29 @@ func authorizeQuery(ctx context.Context, parsedReq *gql.Result) error {
var userId string
var groupIds []string
preds := parsePredsFromQuery(parsedReq.Query)
isSchemaQuery := parsedReq != nil && parsedReq.Schema != nil

doAuthorizeQuery := func() error {
doAuthorizeQuery := func() (map[string]struct{}, error) {
userData, err := extractUserAndGroups(ctx)
switch {
case err == errNoJwt:
// Do not allow schema queries unless the user has logged in.
if isSchemaQuery {
return status.Error(codes.Unauthenticated, err.Error())
}
if err != nil {
return nil, status.Error(codes.Unauthenticated, err.Error())
}

// Treat the user as an anonymous guest who has not joined any group yet
// such a user can still get access to predicates that have no ACL rule defined.
case err != nil:
return status.Error(codes.Unauthenticated, err.Error())
default:
userId = userData[0]
groupIds = userData[1:]
userId = userData[0]
groupIds = userData[1:]

if x.IsGuardian(groupIds) {
// Members of guardian groups are allowed to query anything.
return nil
}
if x.IsGuardian(groupIds) {
// Members of guardian groups are allowed to query anything.
return nil, nil
}

return authorizePreds(userId, groupIds, preds, acl.Read)
return authorizePreds(userId, groupIds, preds, acl.Read), nil
}

unAuthPreds, err := doAuthorizeQuery()
if len(unAuthPreds) != 0 {
parsedReq.Query = removePredsFromQuery(parsedReq.Query, unAuthPreds)
}

err := doAuthorizeQuery()
if span := otrace.FromContext(ctx); span != nil {
span.Annotatef(nil, (&accessEntry{
userId: userId,
Expand Down Expand Up @@ -785,3 +786,27 @@ func authorizeState(ctx context.Context) error {

return doAuthorizeState()
}

func removePredsFromQuery(gqls []*gql.GraphQuery,
unAuthPreds map[string]struct{}) []*gql.GraphQuery {

filter := gqls[:0]
for _, gq := range gqls {
if gq.Func != nil && len(gq.Func.Attr) > 0 {
if _, ok := unAuthPreds[gq.Func.Attr]; ok {
continue
}
}

if len(gq.Attr) > 0 {
if _, ok := unAuthPreds[gq.Attr]; ok {
continue
}
}

gq.Children = removePredsFromQuery(gq.Children, unAuthPreds)
filter = append(filter, gq)
}

return filter
}
13 changes: 6 additions & 7 deletions ee/acl/acl_curl_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,15 +44,15 @@ func TestCurlAuthorization(t *testing.T) {
})
require.NoError(t, err, "login failed")

// No ACL rules are specified, so everything should fail.
// No ACL rules are specified, so query should return empty response,
// alter and mutate should fail.
queryArgs := func(jwt string) []string {
return []string{"-H", fmt.Sprintf("X-Dgraph-AccessToken:%s", jwt),
"-H", "Content-Type: application/graphql+-",
"-d", query, curlQueryEndpoint}
}
testutil.VerifyCurlCmd(t, queryArgs(accessJwt), &testutil.CurlFailureConfig{
ShouldFail: true,
DgraphErrMsg: "PermissionDenied",
ShouldFail: false,
})

mutateArgs := func(jwt string) []string {
Expand Down Expand Up @@ -116,11 +116,10 @@ func TestCurlAuthorization(t *testing.T) {
RefreshJwt: refreshJwt,
})
require.NoError(t, err, fmt.Sprintf("login through refresh token failed: %v", err))
// verify that with an ACL rule defined, all the operations should be denied when the acsess JWT
// does not have the required permissions
// verify that with an ACL rule defined, all the operations except query should
// does not have the required permissions be denied when the acsess JWT
testutil.VerifyCurlCmd(t, queryArgs(accessJwt), &testutil.CurlFailureConfig{
ShouldFail: true,
DgraphErrMsg: "PermissionDenied",
ShouldFail: false,
})
testutil.VerifyCurlCmd(t, mutateArgs(accessJwt), &testutil.CurlFailureConfig{
ShouldFail: true,
Expand Down
93 changes: 82 additions & 11 deletions ee/acl/acl_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -135,18 +135,19 @@ func testAuthorization(t *testing.T, dg *dgo.Dgraph) {
t.Fatalf("unable to login using the account %v", userid)
}

// initially the query, mutate and alter operations should all fail
// when there are no rules defined on the predicates
queryPredicateWithUserAccount(t, dg, true)
// initially the query should return empty result, mutate and alter
// operations should all fail when there are no rules defined on the predicates
queryPredicateWithUserAccount(t, dg, false)
mutatePredicateWithUserAccount(t, dg, true)
alterPredicateWithUserAccount(t, dg, true)
createGroupAndAcls(t, unusedGroup, false)
// wait for 6 seconds to ensure the new acl have reached all acl caches
glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
time.Sleep(6 * time.Second)

// now all these operations should fail since there are rules defined on the unusedGroup
queryPredicateWithUserAccount(t, dg, true)
// now all these operations except query should fail since
// there are rules defined on the unusedGroup
queryPredicateWithUserAccount(t, dg, false)
mutatePredicateWithUserAccount(t, dg, true)
alterPredicateWithUserAccount(t, dg, true)
// create the dev group and add the user to it
Expand Down Expand Up @@ -219,7 +220,6 @@ func queryPredicateWithUserAccount(t *testing.T, dg *dgo.Dgraph, shouldFail bool
ctx := context.Background()
txn := dg.NewTxn()
_, err := txn.Query(ctx, query)

if shouldFail {
require.Error(t, err, "the query should have failed")
} else {
Expand Down Expand Up @@ -380,18 +380,19 @@ func TestPredicatePermission(t *testing.T) {
// Schema query is allowed to all logged in users.
querySchemaWithUserAccount(t, dg, false)

// The operations should be blocked when no rule is defined.
queryPredicateWithUserAccount(t, dg, true)
// The query should return emptry response, alter and mutation
// should be blocked when no rule is defined.
queryPredicateWithUserAccount(t, dg, false)
mutatePredicateWithUserAccount(t, dg, true)
alterPredicateWithUserAccount(t, dg, true)
createGroupAndAcls(t, unusedGroup, false)

// Wait for 6 seconds to ensure the new acl have reached all acl caches.
glog.Infof("Sleeping for 6 seconds for acl caches to be refreshed")
time.Sleep(6 * time.Second)
// The operations should all fail when there is a rule defined, but the current user
// is not allowed.
queryPredicateWithUserAccount(t, dg, true)
// The operations except query should fail when there is a rule defined, but the
// current user is not allowed.
queryPredicateWithUserAccount(t, dg, false)
mutatePredicateWithUserAccount(t, dg, true)
alterPredicateWithUserAccount(t, dg, true)
// Schema queries should still succeed since they are not tied to specific predicates.
Expand Down Expand Up @@ -553,3 +554,73 @@ func removeUserFromGroups(userName string) error {
"-l", "", "-x", "password")
return removeUser.Run()
}

func TestQueryRemoveUnauthorizedPred(t *testing.T) {
ctx, _ := context.WithTimeout(context.Background(), 100*time.Second)

dg, err := testutil.DgraphClientWithGroot(testutil.SockAddr)
require.NoError(t, err)

testutil.DropAll(t, dg)
op := api.Operation{Schema: `
name: string @index(exact) .
age: int .
`}
require.NoError(t, dg.Alter(ctx, &op))

resetUser(t)
createDevGroup := exec.Command("dgraph", "acl", "add", "-a", dgraphEndpoint,
"-g", devGroup, "-x", "password")
require.NoError(t, createDevGroup.Run())

addUserToDev := exec.Command("dgraph", "acl", "mod", "-a", dgraphEndpoint, "-u", userid,
"-l", devGroup, "-x", "password")
require.NoError(t, addUserToDev.Run())

txn := dg.NewTxn()
mutation := &api.Mutation{
SetNquads: []byte(`
_:a <name> "RandomGuy" .
_:a <age> "23" .
`),
CommitNow: true,
}
_, err = txn.Mutate(ctx, mutation)
require.NoError(t, err)

// give read access of <name> to alice
setPermissionCmd := exec.Command("dgraph", "acl", "mod", "-a", dgraphEndpoint, "-g",
devGroup, "-p", "name", "-m", "4", "-x", "password")
require.NoError(t, setPermissionCmd.Run())

userClient, err := testutil.DgraphClient(testutil.SockAddr)
require.NoError(t, err)
time.Sleep(6 * time.Second)

err = userClient.Login(ctx, userid, userpassword)
require.NoError(t, err)
query := `
{
me(func: has(name)) {
name
age
}
}
`
resp, err := userClient.NewTxn().Query(ctx, query)
require.NoError(t, err)
require.Equal(t, []byte("{\"me\":[{\"name\":\"RandomGuy\"}]}"), resp.Json)

query = `
{
me(func: has(age)) {
name
age
}
}
`
resp, err = userClient.NewTxn().Query(ctx, query)
require.NoError(t, err)
// alice doesn't have read access of <age>
require.Equal(t, []byte("{}"), resp.Json)
}
Loading