add auth rules on children

hypermodeinc · minhaj-shakeel · May 26, 2021 · May 3, 2021 · May 3, 2021 · May 4, 2021
commit 2afba2a6bbcae84d8dfa6127a81fd581a0c0da19
diff --git a/graphql/e2e/auth/schema.graphql b/graphql/e2e/auth/schema.graphql
@@ -1026,6 +1026,18 @@ type Query {
         }
     }"""
     )
+
+   queryUsers: [User] @custom(dql: """
+    query {
+      queryUsers(func: type(User)) {
+        username: User.username
+        tickets: User.tickets {
+          id: uid
+          title: Ticket.title
+        }
+      }
+    }"""
+    )
 }
 
 ## custom DQL testing end
diff --git a/graphql/resolve/custom_auth_query_test.yaml b/graphql/resolve/custom_auth_query_test.yaml
@@ -79,3 +79,61 @@
         random : Issue.random
       }
     }
+- name : "Auth Rules with deep filter"
+  gqlquery: |
+    query {
+      queryUsers {
+        username
+        tickets {
+          id
+          title
+        }
+      }
+    }
+  jwtvar:
+    USER: "user1"
+  dgquery: |-
+    query {
+      queryUsers(func: uid(UserRoot)) {
+        username : User.username
+        tickets : User.tickets @filter(uid(Ticket_1)) {
+          id : uid
+          title : Ticket.title
+        }
+      }
+      UserRoot as var(func: uid(User_4))
+      User_4 as var(func: type(User))
+      var(func: uid(UserRoot)) {
+        Ticket_2 as User.tickets
+      }
+      Ticket_1 as var(func: uid(Ticket_2)) @filter(uid(Ticket_Auth3))
+      Ticket_Auth3 as var(func: uid(Ticket_2)) @cascade {
+        Ticket.onColumn : Ticket.onColumn {
+          Column.inProject : Column.inProject {
+            Project.roles : Project.roles @filter(eq(Role.permission, "VIEW")) {
+              Role.assignedTo : Role.assignedTo @filter(eq(User.username, "user1"))
+            }
+          }
+        }
+      }
+    }
+
+- name : "Auth rules with deep filter failed"
+  gqlquery: |
+    query{
+      queryUsers{
+        username
+        tickets {
+          id
+          title
+        }
+      }
+    }
+  dgquery: |-
+    query {
+      queryUsers(func: uid(UserRoot)) {
+        username : User.username
+      }
+      UserRoot as var(func: uid(User_3))
+      User_3 as var(func: type(User))
+    }
diff --git a/graphql/resolve/query_rewriter.go b/graphql/resolve/query_rewriter.go
@@ -697,6 +697,11 @@ func rewriteWithAuth(
 			dgQueries = append(dgQueries, qry)
 			continue
 		}
+
+		authRw.hasAuthRules = dqlHasAuthRules(qry, typ, authRw)
+
+		fldAuthQueries := addAuthQueriesOnSelectionSet(qry, typ, authRw)
+
 		rbac := authRw.evaluateStaticRules(typ)
 		if rbac == schema.Negative {
 			if qry.Attr == "var" {
@@ -708,7 +713,11 @@ func rewriteWithAuth(
 			}
 			continue
 		}
+
 		dgQueries = append(dgQueries, authRw.addAuthQueries(typ, []*gql.GraphQuery{qry}, rbac)...)
+		if len(fldAuthQueries) > 0 {
+			dgQueries = append(dgQueries, fldAuthQueries...)
+		}
 	}
 	return dgQueries, nil
 }
@@ -1614,6 +1623,137 @@ func addSelectionSetFrom(
 	return authQueries
 }
 
+func dqlHasAuthRules(q *gql.GraphQuery, typ schema.Type, authRw *authRewriter) bool {
+	if q == nil {
+		return false
+	}
+	rn := authRw.selector(typ)
+	if rn != nil {
+		return true
+	}
+	for _, fld := range q.Children {
+		var fldName string
+		fldSplit := strings.Split(fld.Attr, ".")
+		if len(fldSplit) > 1 {
+			fldName = fldSplit[1]
+		} else {
+			continue
+		}
+		if authRules := dqlHasAuthRules(fld, typ.Field(fldName).Type(), authRw); authRules {
+			return true
+		}
+	}
+	return false
+}
+
+func addAuthQueriesOnSelectionSet(
+	q *gql.GraphQuery,
+	typ schema.Type,
+	auth *authRewriter) []*gql.GraphQuery {
+
+	var authQueries []*gql.GraphQuery
+	var children []*gql.GraphQuery
+	for _, f := range q.Children {
+		var fldName string
+
+		fldSplit := strings.Split(f.Attr, ".")
+
+		// field must of the type User.tickets or "uid".
+		if len(fldSplit) > 1 {
+			fldName = fldSplit[1]
+		} else {
+			children = append(children, f)
+			continue
+		}
+		fldType := typ.Field(fldName).Type()
+
+		rbac := auth.evaluateStaticRules(fldType)
+
+		// Since the recursion processes the query in bottom up way, we store the state of the so
+		// that we can restore it later.
+		var parentVarName, parentQryName string
+		if len(f.Children) > 0 && !auth.isWritingAuth && auth.hasAuthRules {
+			parentVarName = auth.parentVarName
+			parentQryName = auth.varName
+			auth.parentVarName = auth.varGen.Next(fldType, "", "", auth.isWritingAuth)
+			auth.varName = auth.varGen.Next(fldType, "", "", auth.isWritingAuth)
+		}
+
+		selectionAuth := addAuthQueriesOnSelectionSet(f, fldType, auth)
+
+		restoreAuthState := func() {
+			if len(f.Children) > 0 && !auth.isWritingAuth && auth.hasAuthRules {
+				// Restore the auth state after processing is done.
+				auth.parentVarName = parentVarName
+				auth.varName = parentQryName
+			}
+		}
+
+		//If RBAC rules are evaluated to `Uncertain` then we add the Auth rules.
+		var fieldAuth []*gql.GraphQuery
+		var authFilter *gql.FilterTree
+
+		if rbac == schema.Positive || rbac == schema.Uncertain {
+			children = append(children, f)
+		}
+
+		if rbac == schema.Negative {
+			restoreAuthState()
+			continue
+		}
+
+		if rbac == schema.Uncertain {
+			fieldAuth, authFilter = auth.rewriteAuthQueries(fldType)
+		}
+
+		if len(f.Children) > 0 && !auth.isWritingAuth && auth.hasAuthRules {
+
+			parentQry := &gql.GraphQuery{
+				Func: &gql.Function{
+					Name: "uid",
+					Args: []gql.Arg{{Value: parentVarName}},
+				},
+				Attr:     "var",
+				Children: []*gql.GraphQuery{{Attr: f.Attr, Var: auth.varName}},
+			}
+
+			// This query aggregates all filters and auth rules and is used by root query to filter
+			// the final nodes for the current level.
+			// User3 as var(func: uid(User4)) @filter((eq(User.username, "User1") AND (...Auth Filter))))
+			selectionQry := &gql.GraphQuery{
+				Var:  auth.parentVarName,
+				Attr: "var",
+				Func: &gql.Function{
+					Name: "uid",
+					Args: []gql.Arg{{Value: auth.varName}},
+				},
+			}
+
+			commonAuthQueryVars := commonAuthQueryVars{
+				parentQry:    parentQry,
+				selectionQry: selectionQry,
+			}
+
+			// add child filter to parent query, auth filters to selection query and
+			// selection query as a filter to child
+			commonAuthQueryVars.parentQry.Children[0].Filter = f.Filter
+			commonAuthQueryVars.selectionQry.Filter = authFilter
+			f.Filter = &gql.FilterTree{
+				Func: &gql.Function{
+					Name: "uid",
+					Args: []gql.Arg{{Value: commonAuthQueryVars.selectionQry.Var}},
+				},
+			}
+			authQueries = append(authQueries, commonAuthQueryVars.parentQry, commonAuthQueryVars.selectionQry)
+		}
+		authQueries = append(authQueries, selectionAuth...)
+		authQueries = append(authQueries, fieldAuth...)
+		restoreAuthState()
+	}
+	q.Children = children
+	return authQueries
+}
+
 func addOrder(q *gql.GraphQuery, field schema.Field) {
 	orderArg := field.ArgValue("order")
 	order, ok := orderArg.(map[string]interface{})