Add upgrade tests for ACL

dgraph-io · Jun 12, 2023 · 1a1ac36 · 1a1ac36
1 parent 6ed8b5c
commit 1a1ac36
Show file tree

Hide file tree

Showing 11 changed files with 1,618 additions and 1,785 deletions.
diff --git a/dgraphtest/acl.go b/dgraphtest/acl.go
@@ -124,7 +124,6 @@ func (hc *HTTPClient) CreateGroup(name string) (string, error) {
 	if err != nil {
 		return "", nil
 	}
-
 	type Response struct {
 		AddGroup struct {
 			Group []struct {

diff --git a/dgraphtest/cluster.go b/dgraphtest/cluster.go
@@ -246,11 +246,27 @@ func (hc *HTTPClient) RunGraphqlQuery(params GraphQLParams, admin bool) ([]byte,
 		return nil, errors.Wrap(err, "error unmarshalling GQL response")
 	}
 	if len(gqlResp.Errors) > 0 {
-		return nil, errors.Wrapf(gqlResp.Errors, "error while running admin query")
+		return nil, errors.Wrapf(gqlResp.Errors, "error while running admin query, resp: %v", string(gqlResp.Data))
 	}
 	return gqlResp.Data, nil
 }
 
+func (hc *HTTPClient) HealthForInstance() ([]byte, error) {
+	const query = `query {
+		health {
+			instance
+			address
+			lastEcho
+			status
+			version
+			uptime
+			group
+		}
+	}`
+	params := GraphQLParams{Query: query}
+	return hc.RunGraphqlQuery(params, true)
+}
+
 // Backup creates a backup of dgraph at a given path
 func (hc *HTTPClient) Backup(c Cluster, forceFull bool, backupPath string) error {
 	// backup API was made async in the commit d3bf7b7b2786bcb99f02e1641f3b656d0a98f7f4
@@ -531,13 +547,12 @@ func (gc *GrpcClient) DropPredicate(pred string) error {
 }
 
 // Mutate performs a given mutation in a txn
-func (gc *GrpcClient) Mutate(rdfs string) (*api.Response, error) {
+func (gc *GrpcClient) Mutate(mu *api.Mutation) (*api.Response, error) {
 	txn := gc.NewTxn()
 	defer func() { _ = txn.Discard(context.Background()) }()
 
 	ctx, cancel := context.WithTimeout(context.Background(), requestTimeout)
 	defer cancel()
-	mu := &api.Mutation{SetNquads: []byte(rdfs), CommitNow: true}
 	return txn.Mutate(ctx, mu)
 }
 

diff --git a/dgraphtest/compose_cluster.go b/dgraphtest/compose_cluster.go
@@ -36,6 +36,7 @@ func (c *ComposeCluster) Client() (*GrpcClient, func(), error) {
 	return &GrpcClient{Dgraph: client}, func() {}, nil
 }
 
+// HTTPClient creates an HTTP client
 func (c *ComposeCluster) HTTPClient() (*HTTPClient, error) {
 	adminUrl := "http://" + testutil.SockAddrHttp + "/admin"
 	graphQLUrl := "http://" + testutil.SockAddrHttp + "/graphql"

diff --git a/dgraphtest/dgraph.go b/dgraphtest/dgraph.go
@@ -58,7 +58,7 @@ const (
 
 	localVersion       = "local"
 	waitDurBeforeRetry = time.Second
-	requestTimeout     = 90 * time.Second
+	requestTimeout     = 120 * time.Second
 )
 
 var (

diff --git a/ee/acl/acl_curl_test.go b/ee/acl/acl_curl_test.go
@@ -4,58 +4,64 @@
 /*
  * Copyright 2023 Dgraph Labs, Inc. and Contributors
  *
- * Licensed under the Dgraph Community License (the "License"); you
- * may not use this file except in compliance with the License. You
- * may obtain a copy of the License at
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- *     https://github.com/dgraph-io/dgraph/blob/main/licenses/DCL.txt
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
 package acl
 
 import (
+	"context"
 	"fmt"
 	"testing"
 	"time"
 
 	"github.com/golang/glog"
 	"github.com/stretchr/testify/require"
 
+	"github.com/dgraph-io/dgraph/dgraphtest"
 	"github.com/dgraph-io/dgraph/testutil"
 	"github.com/dgraph-io/dgraph/x"
 )
 
-var adminEndpoint string
-
-func TestCurlAuthorization(t *testing.T) {
+func (suite *AclTestSuite) TestCurlAuthorization() {
+	t := suite.T()
 	if testing.Short() {
 		t.Skip("skipping because -short=true")
 	}
-
-	glog.Infof("testing with port %s", testutil.SockAddr)
-	dg, err := testutil.DgraphClientWithGroot(testutil.SockAddr)
-	if err != nil {
-		t.Fatalf("Error while getting a dgraph client: %v", err)
-	}
-	createAccountAndData(t, dg)
+	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Second)
+	defer cancel()
+	gc, cleanup, err := suite.dc.Client()
+	require.NoError(t, err)
+	defer cleanup()
+	require.NoError(t, gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser,
+		dgraphtest.DefaultPassword, x.GalaxyNamespace))
+
+	hc, err := suite.dc.HTTPClient()
+	require.NoError(t, err)
+	require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser,
+		dgraphtest.DefaultPassword, x.GalaxyNamespace))
+	createAccountAndData(t, gc, hc)
 
 	// test query through curl
-	token, err := testutil.HttpLogin(&testutil.LoginParams{
-		Endpoint:  adminEndpoint,
-		UserID:    userid,
-		Passwd:    userpassword,
-		Namespace: x.GalaxyNamespace,
-	})
-	require.NoError(t, err, "login failed")
-
+	require.NoError(t, hc.LoginIntoNamespace(userid, userpassword, x.GalaxyNamespace))
 	// No ACL rules are specified, so query should return empty response,
 	// alter and mutate should fail.
 	queryArgs := func(jwt string) []string {
 		return []string{"-H", fmt.Sprintf("X-Dgraph-AccessToken:%s", jwt),
 			"-H", "Content-Type: application/dql",
 			"-d", query, testutil.SockAddrHttp + "/query"}
 	}
-	testutil.VerifyCurlCmd(t, queryArgs(token.AccessJwt), &testutil.CurlFailureConfig{
+	testutil.VerifyCurlCmd(t, queryArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
 		ShouldFail: false,
 	})
 
@@ -68,7 +74,7 @@ func TestCurlAuthorization(t *testing.T) {
 
 	}
 
-	testutil.VerifyCurlCmd(t, mutateArgs(token.AccessJwt), &testutil.CurlFailureConfig{
+	testutil.VerifyCurlCmd(t, mutateArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
 		ShouldFail:   true,
 		DgraphErrMsg: "PermissionDenied",
 	})
@@ -77,7 +83,7 @@ func TestCurlAuthorization(t *testing.T) {
 		return []string{"-H", fmt.Sprintf("X-Dgraph-AccessToken:%s", jwt),
 			"-d", fmt.Sprintf(`%s: int .`, predicateToAlter), testutil.SockAddrHttp + "/alter"}
 	}
-	testutil.VerifyCurlCmd(t, alterArgs(token.AccessJwt), &testutil.CurlFailureConfig{
+	testutil.VerifyCurlCmd(t, alterArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
 		ShouldFail:   true,
 		DgraphErrMsg: "PermissionDenied",
 	})
@@ -87,68 +93,64 @@ func TestCurlAuthorization(t *testing.T) {
 	// JWT
 	glog.Infof("Sleeping for accessJwt to expire")
 	time.Sleep(expireJwtSleep)
-	testutil.VerifyCurlCmd(t, queryArgs(token.AccessJwt), &testutil.CurlFailureConfig{
+	testutil.VerifyCurlCmd(t, queryArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
 		ShouldFail:   true,
 		DgraphErrMsg: "Token is expired",
 	})
-	testutil.VerifyCurlCmd(t, mutateArgs(token.AccessJwt), &testutil.CurlFailureConfig{
+	testutil.VerifyCurlCmd(t, mutateArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
 		ShouldFail:   true,
 		DgraphErrMsg: "Token is expired",
 	})
-	testutil.VerifyCurlCmd(t, alterArgs(token.AccessJwt), &testutil.CurlFailureConfig{
+	testutil.VerifyCurlCmd(t, alterArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
 		ShouldFail:   true,
 		DgraphErrMsg: "Token is expired",
 	})
 	// login again using the refreshJwt
-	token, err = testutil.HttpLogin(&testutil.LoginParams{
-		Endpoint:   adminEndpoint,
-		RefreshJwt: token.RefreshToken,
-		Namespace:  x.GalaxyNamespace,
-	})
+	require.NoError(t, hc.LoginUsingToken(x.GalaxyNamespace))
 	require.NoError(t, err, fmt.Sprintf("login through refresh httpToken failed: %v", err))
-
-	createGroupAndAcls(t, unusedGroup, false)
+	hcWithGroot, err := suite.dc.HTTPClient()
+	require.NoError(t, err)
+	require.NoError(t, hcWithGroot.LoginIntoNamespace(dgraphtest.DefaultUser,
+		dgraphtest.DefaultPassword, x.GalaxyNamespace))
+	createGroupAndAcls(t, unusedGroup, false, hcWithGroot)
 	time.Sleep(expireJwtSleep)
-	testutil.VerifyCurlCmd(t, queryArgs(token.AccessJwt), &testutil.CurlFailureConfig{
+	testutil.VerifyCurlCmd(t, queryArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
 		ShouldFail:   true,
 		DgraphErrMsg: "Token is expired",
 	})
 	// refresh the jwts again
-	token, err = testutil.HttpLogin(&testutil.LoginParams{
-		Endpoint:   adminEndpoint,
-		RefreshJwt: token.RefreshToken,
-	})
+	require.NoError(t, hc.LoginUsingToken(x.GalaxyNamespace))
+
 	require.NoError(t, err, fmt.Sprintf("login through refresh httpToken failed: %v", err))
 	// verify that with an ACL rule defined, all the operations except query should
 	// does not have the required permissions be denied when the acsess JWT
-	testutil.VerifyCurlCmd(t, queryArgs(token.AccessJwt), &testutil.CurlFailureConfig{
+	testutil.VerifyCurlCmd(t, queryArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
 		ShouldFail: false,
 	})
-	testutil.VerifyCurlCmd(t, mutateArgs(token.AccessJwt), &testutil.CurlFailureConfig{
+	testutil.VerifyCurlCmd(t, mutateArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
 		ShouldFail:   true,
 		DgraphErrMsg: "PermissionDenied",
 	})
-	testutil.VerifyCurlCmd(t, alterArgs(token.AccessJwt), &testutil.CurlFailureConfig{
+	testutil.VerifyCurlCmd(t, alterArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
 		ShouldFail:   true,
 		DgraphErrMsg: "PermissionDenied",
 	})
-
-	createGroupAndAcls(t, devGroup, true)
+	require.NoError(t, hcWithGroot.LoginIntoNamespace(dgraphtest.DefaultUser,
+		dgraphtest.DefaultPassword, x.GalaxyNamespace))
+	createGroupAndAcls(t, devGroup, true, hcWithGroot)
 	time.Sleep(defaultTimeToSleep)
 	// refresh the jwts again
-	token, err = testutil.HttpLogin(&testutil.LoginParams{
-		Endpoint:   adminEndpoint,
-		RefreshJwt: token.RefreshToken,
-	})
+	require.NoError(t, hc.LoginUsingToken(x.GalaxyNamespace))
+
 	require.NoError(t, err, fmt.Sprintf("login through refresh httpToken failed: %v", err))
 	// verify that the operations should be allowed again through the dev group
-	testutil.VerifyCurlCmd(t, queryArgs(token.AccessJwt), &testutil.CurlFailureConfig{
+	testutil.VerifyCurlCmd(t, queryArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
 		ShouldFail: false,
 	})
-	testutil.VerifyCurlCmd(t, mutateArgs(token.AccessJwt), &testutil.CurlFailureConfig{
+	testutil.VerifyCurlCmd(t, mutateArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
 		ShouldFail: false,
 	})
-	testutil.VerifyCurlCmd(t, alterArgs(token.AccessJwt), &testutil.CurlFailureConfig{
+	testutil.VerifyCurlCmd(t, alterArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
 		ShouldFail: false,
 	})
 }