fix(acl): fix duplicate groot user creation (#51)

This PR adds the unique directive to the 'dgraph.xid' predicate. Prior to this change, users could create duplicate users leading to misconfiguration of ACL.
dgraph-io · May 27, 2024 · a868ace · a868ace
1 parent fffeecd
commit a868ace
Show file tree

Hide file tree

Showing 48 changed files with 1,398 additions and 755 deletions.
diff --git a/check_upgrade/check_upgrade.go b/check_upgrade/check_upgrade.go
@@ -0,0 +1,250 @@
+/*
+ * Copyright 2024 Dgraph Labs, Inc. and Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package checkupgrade
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"github.com/dgraph-io/dgo/v230"
+	"github.com/dgraph-io/dgo/v230/protos/api"
+	"github.com/dgraph-io/dgraph/dgraphapi"
+	"github.com/dgraph-io/dgraph/x"
+)
+
+var (
+	CheckUpgrade x.SubCommand
+)
+
+const (
+	alphaGrpc = "grpc_port"
+	alphaHttp = "http_port"
+	dgUser    = "dgUser"
+	password  = "password"
+)
+
+type commandInput struct {
+	alphaGrpc string
+	alphaHttp string
+	dgUser    string
+	password  string
+}
+
+type aclNode struct {
+	UID        string   `json:"uid"`
+	DgraphXID  string   `json:"dgraph.xid"`
+	DgraphType []string `json:"dgraph.type"`
+}
+
+func setupClients(alphaGrpc, alphaHttp string) (*dgo.Dgraph, *dgraphapi.HTTPClient, error) {
+	d, err := grpc.Dial(alphaGrpc, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	if err != nil {
+		return nil, nil, errors.Wrapf(err, "while dialing gRPC server")
+	}
+
+	httpClient, err := dgraphapi.GetHttpClient(alphaHttp, "")
+	if err != nil {
+		return nil, nil, errors.Wrapf(err, "while getting HTTP client")
+	}
+	return dgo.NewDgraphClient(api.NewDgraphClient(d)), httpClient, nil
+}
+
+func contains(slice []string, value string) bool {
+	for _, v := range slice {
+		if v == value {
+			return true
+		}
+	}
+	return false
+}
+
+func findDuplicateNodes(aclNodes []aclNode) []map[string][]string {
+	du := make(map[string][]string)
+	dg := make(map[string][]string)
+	dug := make(map[string][]string)
+
+	var duplicates []map[string][]string
+
+	for i, node1 := range aclNodes {
+		for j := i + 1; j < len(aclNodes); j++ {
+			node2 := aclNodes[j]
+			if node1.DgraphXID == node2.DgraphXID {
+				if node1.DgraphType[0] == "dgraph.type.User" && node1.DgraphType[0] == node2.DgraphType[0] {
+					if _, exists := du[node1.DgraphXID]; !exists {
+						du[node1.DgraphXID] = []string{}
+					}
+					if !contains(du[node1.DgraphXID], node1.UID) {
+						du[node1.DgraphXID] = append(du[node1.DgraphXID], node1.UID)
+					}
+					if !contains(du[node1.DgraphXID], node2.UID) {
+						du[node1.DgraphXID] = append(du[node1.DgraphXID], node2.UID)
+					}
+				} else if node1.DgraphType[0] == "dgraph.type.Group" && node1.DgraphType[0] == node2.DgraphType[0] {
+					if _, exists := dg[node1.DgraphXID]; !exists {
+						dg[node1.DgraphXID] = []string{}
+					}
+					if !contains(dg[node1.DgraphXID], node1.UID) {
+						dg[node1.DgraphXID] = append(dg[node1.DgraphXID], node1.UID)
+					}
+					if !contains(dg[node1.DgraphXID], node2.UID) {
+						dg[node1.DgraphXID] = append(dg[node1.DgraphXID], node2.UID)
+					}
+				} else {
+					if _, exists := dug[node1.DgraphXID]; !exists {
+						dug[node1.DgraphXID] = []string{}
+					}
+					if !contains(dug[node1.DgraphXID], node1.UID) {
+						dug[node1.DgraphXID] = append(dug[node1.DgraphXID], node1.UID)
+					}
+					if !contains(dug[node1.DgraphXID], node2.UID) {
+						dug[node1.DgraphXID] = append(dug[node1.DgraphXID], node2.UID)
+					}
+				}
+			}
+		}
+	}
+
+	duplicates = append(duplicates, du, dg, dug)
+	return duplicates
+}
+
+func queryACLNodes(ctx context.Context, dg *dgo.Dgraph) ([]map[string][]string, error) {
+	query := `{ 
+		nodes(func: has(dgraph.xid)) {
+			       uid
+			       dgraph.xid
+                   dgraph.type
+		        }
+	}`
+
+	resp, err := dg.NewTxn().Query(ctx, query)
+	if err != nil {
+		return nil, errors.Wrapf(err, "while querying dgraph for duplicate nodes")
+	}
+
+	type Nodes struct {
+		Nodes []aclNode `json:"nodes"`
+	}
+	var result Nodes
+	if err := json.Unmarshal(resp.Json, &result); err != nil {
+		return nil, errors.Wrapf(err, "while unmarshalling response: %v", string(resp.Json))
+
+	}
+	return findDuplicateNodes(result.Nodes), nil
+}
+
+func printDuplicates(entityType string, ns uint64, nodesmap map[string][]string) {
+	if len(nodesmap) == 0 {
+		return
+	}
+
+	fmt.Printf("Found duplicate %ss in namespace: #%v\n", entityType, ns)
+	for key, node := range nodesmap {
+		fmt.Printf("dgraph.xid %v , Uids: %v\n", key, node)
+	}
+	fmt.Println("")
+}
+
+func init() {
+	CheckUpgrade.Cmd = &cobra.Command{
+		Use:   "checkupgrade",
+		Short: "Run the checkupgrade tool",
+		Long:  "The checkupgrade tool is used to check for duplicate dgraph.xid's in the Dgraph database before upgrade.",
+		Run: func(cmd *cobra.Command, args []string) {
+			run()
+		},
+		Annotations: map[string]string{"group": "tool"},
+	}
+	CheckUpgrade.Cmd.SetHelpTemplate(x.NonRootTemplate)
+	flag := CheckUpgrade.Cmd.Flags()
+	flag.String(alphaGrpc, "127.0.0.1:9080", "Dgraph Alpha gRPC server address")
+	flag.String(alphaHttp, "127.0.0.1:8080", "Dgraph Alpha Http server address")
+	flag.String(dgUser, "groot", "Username of galaxy namespace's user")
+	flag.String(password, "password", "Password of galaxy namespace's user")
+}
+
+func run() {
+	if err := checkUpgrade(); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+	}
+}
+
+func checkUpgrade() error {
+	fmt.Println("Running check-upgrade tool")
+
+	cmdInput := parseInput()
+	gc, hc, err := setupClients(cmdInput.alphaGrpc, cmdInput.alphaHttp)
+	if err != nil {
+		return errors.Wrapf(err, "while setting up clients")
+	}
+
+	if err = hc.LoginIntoNamespace(cmdInput.dgUser, cmdInput.password, x.GalaxyNamespace); err != nil {
+		return errors.Wrapf(err, "while logging into namespace: %v", x.GalaxyNamespace)
+	}
+
+	namespaces, err := hc.ListNamespaces()
+	if err != nil {
+		return err
+	}
+
+	ctx := context.Background()
+	for _, ns := range namespaces {
+		if err := gc.LoginIntoNamespace(ctx, cmdInput.dgUser, cmdInput.password, ns); err != nil {
+			return errors.Wrapf(err, "while logging into namespace: %v", ns)
+		}
+
+		duplicates, err := queryACLNodes(ctx, gc)
+		if err != nil {
+			return err
+		}
+
+		printDuplicates("user", ns, duplicates[0])
+		// example output:
+		//	Found duplicate users in namespace: #0
+		// dgraph.xid user1 , Uids: [0x4 0x3]
+		printDuplicates("group", ns, duplicates[1])
+		// Found duplicate groups in namespace: #1
+		// dgraph.xid group1 , Uids: [0x2714 0x2711]
+		printDuplicates("groups and user", ns, duplicates[2])
+		// Found duplicate groups and users in namespace: #0
+		// dgraph.xid userGroup1 , Uids: [0x7532 0x7531]
+	}
+
+	fmt.Println("To delete duplicate nodes use following mutation: ")
+	deleteMut := `
+	{
+		delete {
+			<UID> * * .
+		}
+	}`
+	fmt.Fprint(os.Stderr, deleteMut)
+
+	return nil
+}
+
+func parseInput() *commandInput {
+	return &commandInput{alphaGrpc: CheckUpgrade.Conf.GetString(alphaGrpc),
+		alphaHttp: CheckUpgrade.Conf.GetString(alphaHttp), dgUser: CheckUpgrade.Conf.GetString(dgUser),
+		password: CheckUpgrade.Conf.GetString(password)}
+}
diff --git a/check_upgrade/check_upgrade_test.go b/check_upgrade/check_upgrade_test.go
@@ -0,0 +1,108 @@
+//go:build integration
+
+/*
+ * Copyright 2024 Dgraph Labs, Inc. and Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package checkupgrade
+
+import (
+	"context"
+	"os/exec"
+	"path/filepath"
+	"regexp"
+	"testing"
+	"time"
+
+	"github.com/dgraph-io/dgo/v230/protos/api"
+	"github.com/dgraph-io/dgraph/dgraphapi"
+	"github.com/dgraph-io/dgraph/dgraphtest"
+	"github.com/dgraph-io/dgraph/x"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCheckUpgrade(t *testing.T) {
+	conf := dgraphtest.NewClusterConfig().WithNumAlphas(1).WithNumZeros(1).WithReplicas(1).
+		WithACL(time.Hour).WithVersion("57aa5c4ac")
+	c, err := dgraphtest.NewLocalCluster(conf)
+	require.NoError(t, err)
+	defer func() { c.Cleanup(t.Failed()) }()
+	require.NoError(t, c.Start())
+
+	gc, cleanup, err := c.Client()
+	require.NoError(t, err)
+	defer cleanup()
+	require.NoError(t, gc.LoginIntoNamespace(context.Background(),
+		dgraphapi.DefaultUser, dgraphapi.DefaultPassword, x.GalaxyNamespace))
+
+	hc, err := c.HTTPClient()
+	require.NoError(t, err)
+	require.NoError(t, hc.LoginIntoNamespace(dgraphapi.DefaultUser,
+		dgraphapi.DefaultPassword, x.GalaxyNamespace))
+
+	rdfs := ` 
+		_:a <dgraph.xid> "user1" .
+	    _:a <dgraph.type> "dgraph.type.User"  .
+		_:b <dgraph.xid> "user1" .
+		_:b <dgraph.type> "dgraph.type.User"  .`
+
+	mu := &api.Mutation{SetNquads: []byte(rdfs), CommitNow: true}
+	_, err = gc.Mutate(mu)
+	require.NoError(t, err)
+
+	var nss []uint64
+	for i := 0; i < 5; i++ {
+		ns, err := hc.AddNamespace()
+		require.NoError(t, err)
+		require.NoError(t, gc.LoginIntoNamespace(context.Background(), "groot", "password", ns))
+		mu = &api.Mutation{SetNquads: []byte(rdfs), CommitNow: true}
+		_, err = gc.Mutate(mu)
+		require.NoError(t, err)
+		nss = append(nss, ns)
+	}
+
+	conf1 := dgraphtest.NewClusterConfig().WithNumAlphas(1).WithNumZeros(1).WithReplicas(1).WithACL(time.Hour)
+	c1, err := dgraphtest.NewLocalCluster(conf1)
+	require.NoError(t, err)
+	defer func() { c1.Cleanup(t.Failed()) }()
+	require.NoError(t, c1.Start())
+	alphaHttp, err := c.GetAlphaHttpPublicPort()
+	require.NoError(t, err)
+
+	alphaGrpc, err := c.GetAlphaGrpcPublicPort()
+	require.NoError(t, err)
+
+	args := []string{
+		"checkupgrade",
+		"--grpc_port", "localhost:" + alphaGrpc,
+		"--http_port", "localhost:" + alphaHttp,
+		"--dgUser", "groot",
+		"--password", "password",
+	}
+
+	cmd := exec.Command(filepath.Join(c1.GetTempDir(), "dgraph"), args...)
+	out, err := cmd.CombinedOutput()
+	require.NoError(t, err)
+	actualOutput := string(out)
+
+	expectedOutputPattern := `Found duplicate users in namespace: #\d+\ndgraph\.xid user1 , Uids: \[\d+x\d+ \d+x\d+\]\n`
+	match, err := regexp.MatchString(expectedOutputPattern, actualOutput)
+	require.NoError(t, err)
+
+	if !match {
+		t.Errorf("Output does not match expected pattern.\nExpected pattern:\n%s\n\nGot:\n%s",
+			expectedOutputPattern, actualOutput)
+	}
+}
diff --git a/dgraph/cmd/root.go b/dgraph/cmd/root.go
@@ -32,6 +32,7 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 
+	checkupgrade "github.com/dgraph-io/dgraph/check_upgrade"
 	"github.com/dgraph-io/dgraph/dgraph/cmd/alpha"
 	"github.com/dgraph-io/dgraph/dgraph/cmd/bulk"
 	"github.com/dgraph-io/dgraph/dgraph/cmd/cert"
@@ -84,6 +85,7 @@ var rootConf = viper.New()
 var subcommands = []*x.SubCommand{
 	&bulk.Bulk, &cert.Cert, &conv.Conv, &live.Live, &alpha.Alpha, &zero.Zero, &version.Version,
 	&debug.Debug, &migrate.Migrate, &debuginfo.DebugInfo, &upgrade.Upgrade, &decrypt.Decrypt, &increment.Increment,
+	&checkupgrade.CheckUpgrade,
 }
 
 func initCmds() {