From 6737d8a38d315b9f86b830bdf00f40d08fa7fcd4 Mon Sep 17 00:00:00 2001
From: Abhimanyu Singh Gaur <12651351+abhimanyusinghgaur@users.noreply.github.com>
Date: Tue, 5 Jan 2021 17:38:10 +0530
Subject: [PATCH] fix(GraphQL): Fix auth-token propagation for HTTP endpoints resolved through GraphQL (GRAPHQL-946) (#7245)
Fixes [Discuss Issue](https://discuss.dgraph.io/t/alpha-problems-with-auth-token/12136).
(cherry picked from commit 146c4f18524f1133fc5f52bffc47a03eaf982a5e)
---
 dgraph/cmd/alpha/http.go | 1 +
 .../poorman_auth/admin_auth_test.go | 37 +++++++++++++++++++
 2 files changed, 38 insertions(+)
diff --git a/dgraph/cmd/alpha/http.go b/dgraph/cmd/alpha/http.go
index afd6dbb43ab..5978479bfcd 100644
--- a/dgraph/cmd/alpha/http.go
+++ b/dgraph/cmd/alpha/http.go
@@ -642,6 +642,7 @@ func resolveWithAdminServer(gqlReq *schema.Request, r *http.Request,
 ctx := metadata.NewIncomingContext(context.Background(), md)
 ctx = x.AttachAccessJwt(ctx, r)
 ctx = x.AttachRemoteIP(ctx, r)
+ ctx = x.AttachAuthToken(ctx, r)
 return adminServer.Resolve(ctx, gqlReq)
 }
diff --git a/graphql/e2e/admin_auth/poorman_auth/admin_auth_test.go b/graphql/e2e/admin_auth/poorman_auth/admin_auth_test.go
index 9dc1479e5a3..658b5bc0a25 100644
--- a/graphql/e2e/admin_auth/poorman_auth/admin_auth_test.go
+++ b/graphql/e2e/admin_auth/poorman_auth/admin_auth_test.go
@@ -17,7 +17,9 @@ package admin_auth
 import (
+ "io/ioutil"
 "net/http"
+ "strings"
 "testing"
 "github.com/dgraph-io/dgraph/x"
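Review bot: The added `ctx = x.AttachAuthToken(ctx, r)` is the whole fix, yet nothing at the call site records why the token has to ride along in the context, so a later refactor of the metadata setup could drop it silently; a one-line comment would pin it, e.g. `// The admin server reads the auth token from ctx, so the header the client sent must be attached here like the access JWT and remote IP.` The e2e test in this patch shows the intended contract (missing or wrong token is rejected, a valid one updates the schema), which presumably only holds because of this line. If any other HTTP path builds its own context for adminServer.Resolve it would need the same call; the hunk does not show whether such a path exists. resolveWithAdminServer begins before this hunk.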
@@ -51,6 +53,20 @@ func TestAdminOnlyPoorManAuth(t *testing.T) {
 common.SafelyUpdateGQLSchema(t, common.Alpha1HTTP, schema, headers)
 }
+func TestPoorManAuthOnAdminSchemaHttpEndpoint(t *testing.T) {
+ // without X-Dgraph-AuthToken should give error
+ require.Contains(t, makeAdminSchemaRequest(t, ""), "Invalid X-Dgraph-AuthToken")
+
+ // setting a wrong value for the token should still give error
+ require.Contains(t, makeAdminSchemaRequest(t, wrongAuthToken), "Invalid X-Dgraph-AuthToken")
+
+ // setting correct value for the token should successfully update the schema
+ oldCounter := common.RetryProbeGraphQL(t, common.Alpha1HTTP).SchemaUpdateCounter
+ require.JSONEq(t, `{"data":{"code":"Success","message":"Done"}}`, makeAdminSchemaRequest(t,
+ authToken))
+ common.AssertSchemaUpdateCounterIncrement(t, common.Alpha1HTTP, oldCounter)
+}
+
 func assertAuthTokenError(t *testing.T, schema string, headers http.Header) {
 resp := common.RetryUpdateGQLSchema(t, common.Alpha1HTTP, schema, headers)
 require.Equal(t, x.GqlErrorList{{
@@ -59,3 +75,24 @@ func assertAuthTokenError(t *testing.T, schema string, headers http.Header) {
 }}, resp.Errors)
 require.Nil(t, resp.Data)
 }
+
+func makeAdminSchemaRequest(t *testing.T, authTokenValue string) string {
+ schema := `type Person {
+ id: ID!
+ name: String! @id
+ }`
+ req, err := http.NewRequest(http.MethodPost, common.GraphqlAdminURL+"/schema",
+ strings.NewReader(schema))
+ require.NoError(t, err)
+ if authTokenValue != "" {
+ req.Header.Set(authTokenHeader, authTokenValue)
+ }
+
+ resp, err := (&http.Client{}).Do(req)
+ require.NoError(t, err)
+ defer resp.Body.Close()
+ b, err := ioutil.ReadAll(resp.Body)
+ require.NoError(t, err)
+
+ return string(b)
+}
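Review bot: `(&http.Client{}).Do(req)` in makeAdminSchemaRequest has no timeout, so an alpha that accepts the connection but never answers hangs the whole e2e run instead of failing this one test; bound it with `resp, err := (&http.Client{Timeout: 30 * time.Second}).Do(req)` (adds a `time` import), or build the request via `http.NewRequestWithContext` from a deadline context. The helper also returns only the body and discards resp.StatusCode, which is fine for the substring and JSONEq assertions in TestPoorManAuthOnAdminSchemaHttpEndpoint, but worth stating, e.g. `// Returns the raw response body; callers assert on its contents, not the status code.` The same helper is also what gives the empty-token case its meaning: when authTokenValue is "" the header is simply not set, so that branch deserves the comment `// empty value means "send no auth token header"` rather than being inferred from the if.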