hypermodeinc · abhimanyusinghgaur · Jul 8, 2020 · Jul 3, 2020 · Jul 6, 2020 · Jul 6, 2020
diff --git a/dgraph/cmd/alpha/http.go b/dgraph/cmd/alpha/http.go
@@ -568,6 +568,7 @@ func alterHandler(w http.ResponseWriter, r *http.Request) {
 	md.Append("auth-token", r.Header.Get("X-Dgraph-AuthToken"))
 	ctx := metadata.NewIncomingContext(context.Background(), md)
 	ctx = x.AttachAccessJwt(ctx, r)
+	ctx = x.AttachRemoteIP(ctx, r)
 	if _, err := (&edgraph.Server{}).Alter(ctx, op); err != nil {
 		x.SetStatus(w, x.Error, err.Error())
 		return

diff --git a/dgraph/cmd/alpha/login_ee.go b/dgraph/cmd/alpha/login_ee.go
@@ -21,34 +21,20 @@ package alpha
 import (
 	"context"
 	"encoding/json"
-	"net"
 	"net/http"
-	"strconv"
 
 	"github.com/dgraph-io/dgo/v200/protos/api"
 	"github.com/dgraph-io/dgraph/edgraph"
 	"github.com/dgraph-io/dgraph/x"
 	"github.com/golang/glog"
-	"google.golang.org/grpc/peer"
 )
 
 func loginHandler(w http.ResponseWriter, r *http.Request) {
 	if commonHandler(w, r) {
 		return
 	}
 
-	ctx := context.Background()
-	if ip, port, err := net.SplitHostPort(r.RemoteAddr); err == nil {
-		// add remote addr as peer info so that the remote address can be logged inside Server.Login
-		if intPort, convErr := strconv.Atoi(port); convErr == nil {
-			ctx = peer.NewContext(ctx, &peer.Peer{
-				Addr: &net.TCPAddr{
-					IP:   net.ParseIP(ip),
-					Port: intPort,
-				},
-			})
-		}
-	}
+	ctx := x.AttachRemoteIP(context.Background(), r)
 
 	body := readRequest(w, r)
 	loginReq := api.LoginRequest{}

diff --git a/dgraph/cmd/alpha/mutations_mode/docker-compose.yml b/dgraph/cmd/alpha/mutations_mode/docker-compose.yml
@@ -65,7 +65,8 @@ services:
       - 9180:9180
     labels:
       cluster: test
-    command: /gobin/dgraph alpha --my=dg1:7180 --lru_mb=1024 --zero=zero1:5180 -o 100 --logtostderr --mutations=disallow
+    command: /gobin/dgraph alpha --my=dg1:7180 --lru_mb=1024 --zero=zero1:5180 -o 100
+      --logtostderr --mutations=disallow --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 
   dg2:
     image: dgraph/dgraph:latest
@@ -83,7 +84,8 @@ services:
       - 9182:9182
     labels:
       cluster: test
-    command: /gobin/dgraph alpha --my=dg2:7182 --lru_mb=1024 --zero=zero1:5180 -o 102 --logtostderr --mutations=strict
+    command: /gobin/dgraph alpha --my=dg2:7182 --lru_mb=1024 --zero=zero1:5180 -o 102
+      --logtostderr --mutations=strict --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 
   dg3:
     image: dgraph/dgraph:latest
@@ -101,4 +103,5 @@ services:
       - 9183:9183
     labels:
       cluster: test
-    command: /gobin/dgraph alpha --my=dg3:7183 --lru_mb=1024 --zero=zero1:5180 -o 103 --logtostderr --mutations=strict
+    command: /gobin/dgraph alpha --my=dg3:7183 --lru_mb=1024 --zero=zero1:5180 -o 103
+      --logtostderr --mutations=strict --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
diff --git a/dgraph/cmd/bulk/systest/docker-compose.yml b/dgraph/cmd/bulk/systest/docker-compose.yml
@@ -17,7 +17,7 @@ services:
       target: /gobin
       read_only: true
     command: /gobin/dgraph alpha -o 100 --my=alpha1:7180 --lru_mb=1024 --zero=zero1:5180
-      --logtostderr -v=2 --idx=1
+      --logtostderr -v=2 --idx=1 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
   zero1:
     image: dgraph/dgraph:latest
     container_name: zero1

diff --git a/edgraph/access.go b/edgraph/access.go
@@ -24,6 +24,7 @@ import (
 	"github.com/dgraph-io/badger/v2/y"
 	"github.com/dgraph-io/dgo/v200/protos/api"
 	"github.com/dgraph-io/dgraph/gql"
+	"github.com/dgraph-io/dgraph/query"
 	"github.com/dgraph-io/dgraph/x"
 	"github.com/golang/glog"
 )
@@ -65,6 +66,11 @@ func authorizeQuery(ctx context.Context, parsedReq *gql.Result, graphql bool) er
 	return nil
 }
 
+func authorizeSchemaQuery(ctx context.Context, er *query.ExecutionResult) error {
+	// always allow schema access
+	return nil
+}
+
 func AuthorizeGuardians(ctx context.Context) error {
 	// always allow access
 	return nil

diff --git a/edgraph/access_ee.go b/edgraph/access_ee.go
@@ -19,6 +19,10 @@ import (
 	"strings"
 	"time"
 
+	"github.com/dgraph-io/dgraph/protos/pb"
+
+	"github.com/dgraph-io/dgraph/query"
+
 	"github.com/pkg/errors"
 
 	"github.com/dgraph-io/badger/v2/y"
@@ -33,7 +37,6 @@ import (
 	"github.com/golang/glog"
 	otrace "go.opencensus.io/trace"
 	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/peer"
 	"google.golang.org/grpc/status"
 )
 
@@ -55,9 +58,10 @@ func (s *Server) Login(ctx context.Context,
 
 	// record the client ip for this login request
 	var addr string
-	if peerInfo, ok := peer.FromContext(ctx); ok {
-		addr = peerInfo.Addr.String()
-		glog.Infof("Login request from: %s", addr)
+	if ipAddr, err := hasAdminAuth(ctx, "Login"); err != nil {
+		return nil, err
+	} else {
+		addr = ipAddr.String()
 		span.Annotate([]otrace.Attribute{
 			otrace.StringAttribute("client_ip", addr),
 		}, "client ip for login")
@@ -794,6 +798,74 @@ func authorizeQuery(ctx context.Context, parsedReq *gql.Result, graphql bool) er
 	return nil
 }
 
+func authorizeSchemaQuery(ctx context.Context, er *query.ExecutionResult) error {
+	if len(worker.Config.HmacSecret) == 0 {
+		// the user has not turned on the acl feature
+		return nil
+	}
+
+	// find the predicates being sent in response
+	preds := make([]string, 0)
+	predsMap := make(map[string]struct{})
+	for _, predNode := range er.SchemaNode {
+		preds = append(preds, predNode.Predicate)
+		predsMap[predNode.Predicate] = struct{}{}
+	}
+	for _, typeNode := range er.Types {
+		for _, field := range typeNode.Fields {
+			if _, ok := predsMap[field.Predicate]; !ok {
+				preds = append(preds, field.Predicate)
+			}
+		}
+	}
+
+	doAuthorizeSchemaQuery := func() (map[string]struct{}, error) {
+		userData, err := extractUserAndGroups(ctx)
+		if err != nil {
+			return nil, status.Error(codes.Unauthenticated, err.Error())
+		}
+
+		userId := userData[0]
+		groupIds := userData[1:]
+
+		if x.IsGuardian(groupIds) {
+			// Members of guardian groups are allowed to query anything.
+			return nil, nil
+		}
+
+		return authorizePreds(userId, groupIds, preds, acl.Read), nil
+	}
+
+	// find the predicates which are blocked for the schema query
+	blockedPreds, err := doAuthorizeSchemaQuery()
+	if err != nil {
+		return err
+	}
+
+	// remove those predicates from response
+	if len(blockedPreds) > 0 {
+		respPreds := make([]*pb.SchemaNode, 0)
+		for _, predNode := range er.SchemaNode {
+			if _, ok := blockedPreds[predNode.Predicate]; !ok {
+				respPreds = append(respPreds, predNode)
+			}
+		}
+		er.SchemaNode = respPreds
+
+		for _, typeNode := range er.Types {
+			respFields := make([]*pb.SchemaUpdate, 0)
+			for _, field := range typeNode.Fields {
+				if _, ok := blockedPreds[field.Predicate]; !ok {
+					respFields = append(respFields, field)
+				}
+			}
+			typeNode.Fields = respFields
+		}
+	}
+
+	return nil
+}
+
 // AuthorizeGuardians authorizes the operation for users which belong to Guardians group.
 func AuthorizeGuardians(ctx context.Context) error {
 	if len(worker.Config.HmacSecret) == 0 {

diff --git a/edgraph/server.go b/edgraph/server.go
@@ -21,6 +21,7 @@ import (
 	"context"
 	"encoding/json"
 	"math"
+	"net"
 	"sort"
 	"strconv"
 	"strings"
@@ -37,7 +38,6 @@ import (
 	otrace "go.opencensus.io/trace"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
-	"google.golang.org/grpc/peer"
 	"google.golang.org/grpc/status"
 
 	"github.com/dgraph-io/dgo/v200"
@@ -174,7 +174,7 @@ func validateAlterOperation(ctx context.Context, op *api.Operation) error {
 	if !isMutationAllowed(ctx) {
 		return errors.Errorf("No mutations allowed by server.")
 	}
-	if err := isAlterAllowed(ctx); err != nil {
+	if _, err := hasAdminAuth(ctx, "Alter"); err != nil {
 		glog.Warningf("Alter denied with error: %v\n", err)
 		return err
 	}
@@ -998,6 +998,9 @@ func processQuery(ctx context.Context, qc *queryContext) (*api.Response, error)
 	}
 
 	if len(er.SchemaNode) > 0 || len(er.Types) > 0 {
+		if err = authorizeSchemaQuery(ctx, &er); err != nil {
+			return resp, err
+		}
 		sort.Slice(er.SchemaNode, func(i, j int) bool {
 			return er.SchemaNode[i].Predicate < er.SchemaNode[j].Predicate
 		})
@@ -1200,11 +1203,19 @@ func isMutationAllowed(ctx context.Context) bool {
 
 var errNoAuth = errors.Errorf("No Auth Token found. Token needed for Alter operations.")
 
-func isAlterAllowed(ctx context.Context) error {
-	p, ok := peer.FromContext(ctx)
-	if ok {
-		glog.Infof("Got Alter request from %q\n", p.Addr)
+func hasAdminAuth(ctx context.Context, tag string) (net.Addr, error) {
+	ipAddr, err := x.HasWhitelistedIP(ctx)
+	if err != nil {
+		return nil, err
 	}
+	glog.Infof("Got %s request from: %q\n", tag, ipAddr)
+	if err = hasPoormansAuth(ctx); err != nil {
+		return nil, err
+	}
+	return ipAddr, nil
+}
+
+func hasPoormansAuth(ctx context.Context) error {
 	if len(worker.Config.AuthToken) == 0 {
 		return nil
 	}