
GraphQL policy merging with field permissions does not work #3166

Closed
buger opened this issue Jun 22, 2020 · 2 comments · Fixed by #3226
@buger
Member

buger commented Jun 22, 2020

Branch/Environment/Version

  • Branch/Version: master
  • Environment: on-prem

Describe the bug
If you have a policy that allows you to read type "A", and a second policy that allows you to read field "B", and you try to create a token that has both policies, all fields will be restricted.

Expected behavior
It should properly merge policies together on the field level.

@ilijabojanovic
Member

On latest release-3-lts

This fix does not work as expected.

Policy A: Has restrictions for Email and Comment
Policy B: Has restriction for ID

When we generate a token and try to access the Comments field, the gateway will return results.

e.g.

query{
  user(id: 5){
    name
    email
    id
    posts{
      comments {
        id
      }
      body
      title
    }
  }
}

Response

{
    "data": {
        "user": {
            "name": "Chelsey Dietrich",
            "email": "Lucio_Hettinger@annie.ca",
            "id": 5,
            "posts": [
                {
                    "comments": [
                        {
                            "id": 201
                        },
                        {
                            "id": 202
                        },
                        {
                            "id": 203
                        },
                        {
                            "id": 204
                        },
                        {
                            "id": 205
                        }
                    ],
                    "body": "molestias id nostrum\nexcepturi molestiae dolore omnis repellendus quaerat saepe\nconsectetur iste quaerat tenetur asperiores accusamus ex ut\nnam quidem est ducimus sunt debitis saepe",
                    "title": "non est facere"
                },
                {
                    "comments": [
                        {
                            "id": 206
                        },
                        {
                            "id": 207
                        },
                        {
                            "id": 208
                        },
                        {
                            "id": 209
                        },
                        {
                            "id": 210
                        }
                    ],
                    "body": "odio fugit voluptatum ducimus earum autem est incidunt voluptatem\nodit reiciendis aliquam sunt sequi nulla dolorem\nnon facere repellendus voluptates quia\nratione harum vitae ut",
                    "title": "commodi ullam sint et excepturi error explicabo praesentium voluptas"
                },
                {
                    "comments": [
                        {
                            "id": 211
                        },
                        {
                            "id": 212
                        },
                        {
                            "id": 213
                        },
                        {
                            "id": 214
                        },
                        {
                            "id": 215
                        }
                    ],
                    "body": "similique fugit est\nillum et dolorum harum et voluptate eaque quidem\nexercitationem quos nam commodi possimus cum odio nihil nulla\ndolorum exercitationem magnam ex et a et distinctio debitis",
                    "title": "eligendi iste nostrum consequuntur adipisci praesentium sit beatae perferendis"
                },
                {
                    "comments": [
                        {
                            "id": 216
                        },
                        {
                            "id": 217
                        },
                        {
                            "id": 218
                        },
                        {
                            "id": 219
                        },
                        {
                            "id": 220
                        }
                    ],
                    "body": "temporibus est consectetur dolore\net libero debitis vel velit laboriosam quia\nipsum quibusdam qui itaque fuga rem aut\nea et iure quam sed maxime ut distinctio quae",
                    "title": "optio dolor molestias sit"
                },
                {
                    "comments": [
                        {
                            "id": 221
                        },
                        {
                            "id": 222
                        },
                        {
                            "id": 223
                        },
                        {
                            "id": 224
                        },
                        {
                            "id": 225
                        }
                    ],
                    "body": "est natus reiciendis nihil possimus aut provident\nex et dolor\nrepellat pariatur est\nnobis rerum repellendus dolorem autem",
                    "title": "ut numquam possimus omnis eius suscipit laudantium iure"
                },
                {
                    "comments": [
                        {
                            "id": 226
                        },
                        {
                            "id": 227
                        },
                        {
                            "id": 228
                        },
                        {
                            "id": 229
                        },
                        {
                            "id": 230
                        }
                    ],
                    "body": "voluptatem quisquam iste\nvoluptatibus natus officiis facilis dolorem\nquis quas ipsam\nvel et voluptatum in aliquid",
                    "title": "aut quo modi neque nostrum ducimus"
                },
                {
                    "comments": [
                        {
                            "id": 231
                        },
                        {
                            "id": 232
                        },
                        {
                            "id": 233
                        },
                        {
                            "id": 234
                        },
                        {
                            "id": 235
                        }
                    ],
                    "body": "voluptatem assumenda ut qui ut cupiditate aut impedit veniam\noccaecati nemo illum voluptatem laudantium\nmolestiae beatae rerum ea iure soluta nostrum\neligendi et voluptate",
                    "title": "quibusdam cumque rem aut deserunt"
                },
                {
                    "comments": [
                        {
                            "id": 236
                        },
                        {
                            "id": 237
                        },
                        {
                            "id": 238
                        },
                        {
                            "id": 239
                        },
                        {
                            "id": 240
                        }
                    ],
                    "body": "voluptates quo voluptatem facilis iure occaecati\nvel assumenda rerum officia et\nillum perspiciatis ab deleniti\nlaudantium repellat ad ut et autem reprehenderit",
                    "title": "ut voluptatem illum ea doloribus itaque eos"
                },
                {
                    "comments": [
                        {
                            "id": 241
                        },
                        {
                            "id": 242
                        },
                        {
                            "id": 243
                        },
                        {
                            "id": 244
                        },
                        {
                            "id": 245
                        }
                    ],
                    "body": "inventore ab sint\nnatus fugit id nulla sequi architecto nihil quaerat\neos tenetur in in eum veritatis non\nquibusdam officiis aspernatur cumque aut commodi aut",
                    "title": "laborum non sunt aut ut assumenda perspiciatis voluptas"
                },
                {
                    "comments": [
                        {
                            "id": 246
                        },
                        {
                            "id": 247
                        },
                        {
                            "id": 248
                        },
                        {
                            "id": 249
                        },
                        {
                            "id": 250
                        }
                    ],
                    "body": "error suscipit maxime adipisci consequuntur recusandae\nvoluptas eligendi et est et voluptates\nquia distinctio ab amet quaerat molestiae et vitae\nadipisci impedit sequi nesciunt quis consectetur",
                    "title": "repellendus qui recusandae incidunt voluptates tenetur qui omnis exercitationem"
                }
            ]
        }
    }
}

Policy A:

{
    "_id" : ObjectId("5f3bfe04cce9f30603387f7a"),
    "id" : "5f3bfe04cce9f30603387f7a",
    "name" : "Policy - Email",
    "org_id" : "5f33dec0cce9f33429b05710",
    "rate" : 1000.0,
    "per" : 60.0,
    "quota_max" : NumberLong(-1),
    "quota_renewal_rate" : NumberLong(-1),
    "throttle_interval" : -1.0,
    "throttle_retry_limit" : -1,
    "max_query_depth" : -1,
    "access_rights" : {
        "427290acc45040dd6eb330739519f6d9" : {
            "apiname" : "ssg demo",
            "apiid" : "427290acc45040dd6eb330739519f6d9",
            "versions" : [ 
                "Default"
            ],
            "allowed_urls" : [],
            "restricted_types" : [ 
                {
                    "name" : "User",
                    "fields" : [ 
                        "email"
                    ]
                }, 
                {
                    "name" : "Comment",
                    "fields" : [ 
                        "id", 
                        "name", 
                        "email", 
                        "body"
                    ]
                }
            ],
            "limit" : null,
            "allowance_scope" : ""
        }
    },
    "hmac_enabled" : false,
    "active" : true,
    "is_inactive" : false,
    "date_created" : ISODate("2020-08-18T16:12:52.417Z"),
    "tags" : [],
    "key_expires_in" : NumberLong(3600),
    "partitions" : {
        "quota" : true,
        "rate_limit" : true,
        "complexity" : true,
        "acl" : true,
        "per_api" : false
    },
    "last_updated" : "1597768872",
    "meta_data" : {}
}

Policy B:

{
    "_id" : ObjectId("5f3bfe29cce9f30603387f7b"),
    "name" : "Policy - ID",
    "org_id" : "5f33dec0cce9f33429b05710",
    "rate" : 1000.0,
    "per" : 60.0,
    "quota_max" : NumberLong(-1),
    "quota_renewal_rate" : NumberLong(-1),
    "throttle_interval" : -1.0,
    "throttle_retry_limit" : -1,
    "max_query_depth" : -1,
    "access_rights" : {
        "427290acc45040dd6eb330739519f6d9" : {
            "apiname" : "ssg demo",
            "apiid" : "427290acc45040dd6eb330739519f6d9",
            "versions" : [ 
                "Default"
            ],
            "allowed_urls" : [],
            "restricted_types" : [ 
                {
                    "name" : "User",
                    "fields" : [ 
                        "id"
                    ]
                }
            ],
            "limit" : null,
            "allowance_scope" : ""
        }
    },
    "hmac_enabled" : false,
    "active" : true,
    "is_inactive" : false,
    "date_created" : ISODate("2020-08-18T16:13:29.818Z"),
    "tags" : [],
    "key_expires_in" : NumberLong(3600),
    "partitions" : {
        "quota" : true,
        "rate_limit" : true,
        "complexity" : true,
        "acl" : true,
        "per_api" : false
    },
    "last_updated" : "1597767209",
    "meta_data" : {}
}

Token:

{
    "last_check": 0,
    "allowance": 1000,
    "rate": 1000,
    "per": 60,
    "throttle_interval": -1,
    "throttle_retry_limit": -1,
    "max_query_depth": -1,
    "date_created": "2020-08-18T18:52:18.751262+02:00",
    "expires": 1597773138,
    "quota_max": -1,
    "quota_renews": 0,
    "quota_remaining": 0,
    "quota_renewal_rate": 0,
    "access_rights": {
        "427290acc45040dd6eb330739519f6d9": {
            "api_name": "ssg demo",
            "api_id": "427290acc45040dd6eb330739519f6d9",
            "versions": [
                "Default",
                "Default"
            ],
            "allowed_urls": [],
            "restricted_types": [
                {
                    "name": "User",
                    "fields": null
                },
                {
                    "name": "Comment",
                    "fields": [
                        "id",
                        "name",
                        "email",
                        "body"
                    ]
                }
            ],
            "limit": {
                "rate": 1000,
                "per": 60,
                "throttle_interval": 0,
                "throttle_retry_limit": 0,
                "max_query_depth": -1,
                "quota_max": -1,
                "quota_renews": 0,
                "quota_remaining": 0,
                "quota_renewal_rate": 0
            },
            "allowance_scope": ""
        }
    },
    "org_id": "5f33dec0cce9f33429b05710",
    "oauth_client_id": "",
    "oauth_keys": null,
    "certificate": "",
    "basic_auth_data": {
        "password": "",
        "hash_type": ""
    },
    "jwt_data": {
        "secret": ""
    },
    "hmac_enabled": false,
    "enable_http_signature_validation": false,
    "hmac_string": "",
    "rsa_certificate_id": "",
    "is_inactive": false,
    "apply_policy_id": "",
    "apply_policies": [
        "5f3bfe04cce9f30603387f7a",
        "5f3bfe29cce9f30603387f7b"
    ],
    "data_expires": 0,
    "monitor": {
        "trigger_limits": null
    },
    "enable_detail_recording": false,
    "enable_detailed_recording": false,
    "meta_data": {},
    "tags": [],
    "alias": "",
    "last_updated": "1597769538",
    "id_extractor_deadline": 0,
    "session_lifetime": 0
}

@furkansenharputlu
Contributor

@ilijabojanovic Actually this is the expected behavior when we look at the description. The idea is to merge allowed fields. If you want to restrict a field, you should unselect for both policy A and B.
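The merge rule described in the issue and in the comment above (allowed fields are merged, so a field stays restricted only when every applied policy restricts it), written out as an added example; this is illustration code, not Tyk's own implementation, and the two policy inputs are constructed from the Policy A and Policy B documents in this thread. Note that the token shown above still carries Policy A's Comment restrictions and records User with `"fields": null`, so the gateway's actual representation differs from this simplified version.

```python
# Added example (not Tyk's code): merge the GraphQL "restricted_types" lists of
# several policies so that a field is restricted only if EVERY policy restricts
# it. This is the "merge allowed fields" rule from the thread, and it shows why
# attaching a second policy to a key can only widen what the key may read.
from typing import Dict, List

Restriction = Dict[str, object]  # {"name": <GraphQL type>, "fields": [...]}


def restricted_map(restrictions: List[Restriction]) -> Dict[str, set]:
    """Turn one policy's restricted_types list into {type_name: set(fields)}."""
    return {r["name"]: set(r.get("fields") or []) for r in restrictions}


def merge_restricted_types(policies: List[List[Restriction]]) -> List[Restriction]:
    """Intersect restrictions across policies.

    A type is restricted in the result only if every policy restricts it, and
    then only the fields common to all policies stay restricted. Any type that
    at least one policy leaves unrestricted becomes fully readable.
    """
    if not policies:
        return []
    maps = [restricted_map(p) for p in policies]
    common_types = set.intersection(*(set(m) for m in maps))
    merged = []
    for type_name in sorted(common_types):
        fields = set.intersection(*(m[type_name] for m in maps))
        if fields:
            merged.append({"name": type_name, "fields": sorted(fields)})
    return merged


def restricted_fields(merged: List[Restriction], type_name: str) -> set:
    """Fields of `type_name` that the merged token still blocks (empty if none)."""
    for r in merged:
        if r["name"] == type_name:
            return set(r["fields"])
    return set()


# Constructed from the thread: Policy A restricts User.email and four Comment
# fields, Policy B restricts only User.id.
POLICY_A = [{"name": "User", "fields": ["email"]},
            {"name": "Comment", "fields": ["id", "name", "email", "body"]}]
POLICY_B = [{"name": "User", "fields": ["id"]}]

# No field is restricted by both policies, so the merged token restricts nothing.
MERGED = merge_restricted_types([POLICY_A, POLICY_B])  # -> []
```

To keep a field hidden, it must be unselected in both policies: merging Policy A with a policy that restricts both `User.email` and `User.id` leaves `User.email` restricted.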
