feat(GraphQL): Support auth with custom DQL (#7775)

Fixes GRAPHQL-1171.
This PR adds support for @auth on custom DQL queries.
This PR also adds the parsing step to the DQL query.
The Algorithm tries to figure out the `queried type` at the root of the query either from the `root func` or `filters`.
Suppose if the root func is `func: type(Person)` or `func: has(Person.name)` or `func: eq(Person.age, 10)` then 
it infers that the queried type is `Person`. 
However, there are certain DQL queries on which @auth rules are not added currently since the queried type is not clear. 
for eg: 
```
me(func: uid(0x1, 0x2)) {
 ...
}
```
or the query:
```
me(func: has(name@en) {
 ...
}
```

Author: minhaj-shakeel

graphql/dgraph/graphquery.go

@@ -21,6 +21,7 @@ import (
 	"strings"
 
 	"github.com/dgraph-io/dgraph/gql"
+	"github.com/dgraph-io/dgraph/graphql/schema"
 	"github.com/dgraph-io/dgraph/x"
 )
 
@@ -65,10 +66,24 @@ func writeQuery(b *strings.Builder, query *gql.GraphQuery, prefix string) {
 		x.Check2(b.WriteString(query.Alias))
 		x.Check2(b.WriteString(" : "))
 	}
-	x.Check2(b.WriteString(query.Attr))
+
+	if query.IsCount {
+		x.Check2(b.WriteString(fmt.Sprintf("count(%s)", query.Attr)))
+	} else if query.Attr != "val" {
+		x.Check2(b.WriteString(query.Attr))
+	} else if isAggregateFn(query.Func) {
+		x.Check2(b.WriteString("sum(val("))
+		writeNeedVar(b, query)
+		x.Check2(b.WriteRune(')'))
+	} else {
+		x.Check2(b.WriteString("val("))
+		writeNeedVar(b, query)
+		x.Check2(b.WriteRune(')'))
+	}
 
 	if query.Func != nil {
 		writeRoot(b, query)
+		x.Check2(b.WriteRune(')'))
 	}
 
 	if query.Filter != nil {
@@ -93,6 +108,12 @@ func writeQuery(b *strings.Builder, query *gql.GraphQuery, prefix string) {
 		}
 	}
 
+	if query.IsGroupby {
+		x.Check2(b.WriteString(" @groupby("))
+		writeGroupByAttributes(b, query.GroupbyAttrs)
+		x.Check2(b.WriteRune(')'))
+	}
+
 	switch {
 	case len(query.Children) > 0:
 		prefixAdd := ""
@@ -112,7 +133,43 @@ func writeQuery(b *strings.Builder, query *gql.GraphQuery, prefix string) {
 	}
 }
 
-func writeUIDFunc(b *strings.Builder, uids []uint64, args []gql.Arg) {
+// writeNeedVar writes the NeedsVar of the query. For eg :-
+// `userFollowerCount as sum(val(followers))` has `followers`
+// as NeedsVar.
+func writeNeedVar(b *strings.Builder, query *gql.GraphQuery) {
+	for i, v := range query.NeedsVar {
+		if i != 0 {
+			x.Check2(b.WriteString(", "))
+		}
+		x.Check2(b.WriteString(v.Name))
+	}
+}
+
+func isAggregateFn(f *gql.Function) bool {
+	if f == nil {
+		return false
+	}
+	switch f.Name {
+	case "min", "max", "avg", "sum":
+		return true
+	}
+	return false
+}
+
+func writeGroupByAttributes(b *strings.Builder, attrList []gql.GroupByAttr) {
+	for i, attr := range attrList {
+		if i != 0 {
+			x.Check2(b.WriteString(", "))
+		}
+		if attr.Alias != "" {
+			x.Check2(b.WriteString(attr.Alias))
+			x.Check2(b.WriteString(" : "))
+		}
+		x.Check2(b.WriteString(attr.Attr))
+	}
+}
+
+func writeUIDFunc(b *strings.Builder, uids []uint64, args []gql.Arg, needVar []gql.VarContext) {
 	x.Check2(b.WriteString("uid("))
 	if len(uids) > 0 {
 		// uid function with uint64 - uid(0x123, 0x456, ...)
@@ -122,14 +179,21 @@ func writeUIDFunc(b *strings.Builder, uids []uint64, args []gql.Arg) {
 			}
 			x.Check2(b.WriteString(fmt.Sprintf("%#x", uid)))
 		}
-	} else {
+	} else if len(args) > 0 {
 		// uid function with a Dgraph query variable - uid(Post1)
 		for i, arg := range args {
 			if i != 0 {
 				x.Check2(b.WriteString(", "))
 			}
 			x.Check2(b.WriteString(arg.Value))
 		}
+	} else {
+		for i, v := range needVar {
+			if i != 0 {
+				x.Check2(b.WriteString(", "))
+			}
+			x.Check2(b.WriteString(v.Name))
+		}
 	}
 	x.Check2(b.WriteString(")"))
 }
@@ -145,25 +209,38 @@ func writeRoot(b *strings.Builder, q *gql.GraphQuery) {
 	}
 
 	switch {
+	case q.Func.Name == "has":
+		x.Check2(b.WriteString(fmt.Sprintf("(func: has(%s)", q.Func.Attr)))
 	case q.Func.Name == "uid":
 		x.Check2(b.WriteString("(func: "))
-		writeUIDFunc(b, q.Func.UID, q.Func.Args)
+		writeUIDFunc(b, q.Func.UID, q.Func.Args, q.Func.NeedsVar)
 	case q.Func.Name == "type" && len(q.Func.Args) == 1:
 		x.Check2(b.WriteString(fmt.Sprintf("(func: type(%s)", q.Func.Args[0].Value)))
 	case q.Func.Name == "eq":
 		x.Check2(b.WriteString("(func: eq("))
-		writeFilterArguments(b, q.Func.Args)
+		writeFilterArguments(b, q.Func)
 		x.Check2(b.WriteRune(')'))
 	}
 	writeOrderAndPage(b, q, true)
-	x.Check2(b.WriteRune(')'))
 }
 
-func writeFilterArguments(b *strings.Builder, args []gql.Arg) {
-	for i, arg := range args {
-		if i != 0 {
+// writeFilterArguments writes the filter arguments. If the filter
+// is constructed in graphql query rewriting then `Attr` is an empty
+// string since we add Attr in the argument itself.
+func writeFilterArguments(b *strings.Builder, q *gql.Function) {
+	if q.Attr != "" {
+		x.Check2(b.WriteString(q.Attr))
+	}
+
+	for i, arg := range q.Args {
+		if i != 0 || q.Attr != "" {
 			x.Check2(b.WriteString(", "))
 		}
+		if q.Attr != "" {
+			// quote the arguments since this is the case of
+			// @custom DQL string.
+			arg.Value = schema.MaybeQuoteArg(q.Name, arg.Value)
+		}
 		x.Check2(b.WriteString(arg.Value))
 	}
 }
@@ -175,10 +252,10 @@ func writeFilterFunction(b *strings.Builder, f *gql.Function) {
 
 	switch {
 	case f.Name == "uid":
-		writeUIDFunc(b, f.UID, f.Args)
+		writeUIDFunc(b, f.UID, f.Args, f.NeedsVar)
 	default:
 		x.Check2(b.WriteString(fmt.Sprintf("%s(", f.Name)))
-		writeFilterArguments(b, f.Args)
+		writeFilterArguments(b, f)
 		x.Check2(b.WriteRune(')'))
 	}
 }
@@ -215,6 +292,15 @@ func hasOrderOrPage(q *gql.GraphQuery) bool {
 	return len(q.Order) > 0 || hasFirst || hasOffset
 }
 
+func IsValueVar(attr string, q *gql.GraphQuery) bool {
+	for _, vars := range q.NeedsVar {
+		if attr == vars.Name && vars.Typ == 2 {
+			return true
+		}
+	}
+	return false
+}
+
 func writeOrderAndPage(b *strings.Builder, query *gql.GraphQuery, root bool) {
 	var wroteOrder, wroteFirst bool
 
@@ -227,7 +313,13 @@ func writeOrderAndPage(b *strings.Builder, query *gql.GraphQuery, root bool) {
 		} else {
 			x.Check2(b.WriteString("orderasc: "))
 		}
-		x.Check2(b.WriteString(ord.Attr))
+		if IsValueVar(ord.Attr, query) {
+			x.Check2(b.WriteString("val("))
+			x.Check2(b.WriteString(ord.Attr))
+			x.Check2(b.WriteRune(')'))
+		} else {
+			x.Check2(b.WriteString(ord.Attr))
+		}
 		wroteOrder = true
 	}
 

graphql/e2e/auth/auth_test.go

@@ -322,6 +322,159 @@ func (s Student) add(t *testing.T) {
 	require.JSONEq(t, result, string(gqlResponse.Data))
 }
 
+func TestAuthWithCustomDQL(t *testing.T) {
+	TestCases := []TestCase{
+		{
+			name: "RBAC OR filter query; RBAC Pass",
+			query: `
+			query{
+				queryProjectsOrderByName{
+					name
+				}
+			}
+			`,
+			role:   "ADMIN",
+			result: `{"queryProjectsOrderByName":[{"name": "Project1"},{"name": "Project2"}]}`,
+		},
+		{
+			name: "RBAC OR filter query; RBAC false OR `user1` projects",
+			query: `
+			query{
+				queryProjectsOrderByName{
+					name
+				}
+			}
+			`,
+			role:   "USER",
+			user:   "user1",
+			result: `{"queryProjectsOrderByName":[{"name": "Project1"}]}`,
+		},
+		{
+			name: "RBAC OR filter query; missing jwt",
+			query: `
+			query{
+				queryProjectsOrderByName{
+					name
+				}
+			}
+			`,
+			result: `{"queryProjectsOrderByName":[]}`,
+		},
+		{
+			name: "var query; RBAC AND filter query; RBAC pass",
+			query: `
+			query{
+				queryIssueSortedByOwnerAge{
+					msg
+				}
+			}
+			`,
+			role:   "ADMIN",
+			user:   "user2",
+			result: `{"queryIssueSortedByOwnerAge": [{"msg": "Issue2"}]}`,
+		},
+		{
+			name: "var query; RBAC AND filter query; RBAC fail",
+			query: `
+			query{
+				queryIssueSortedByOwnerAge{
+					msg
+				}
+			}
+			`,
+			role:   "USER",
+			user:   "user2",
+			result: `{"queryIssueSortedByOwnerAge": []}`,
+		},
+		{
+			name: "DQL query with @cascade and pagination",
+			query: `
+			query{
+				queryFirstTwoMovieWithNonNullRegion{
+					content
+					code
+					regionsAvailable{
+						name
+					}
+				}
+			}
+			`,
+			role: "ADMIN",
+			user: "user1",
+			result: `{"queryFirstTwoMovieWithNonNullRegion": [
+				{
+				  "content": "Movie3",
+				  "code": "m3",
+				  "regionsAvailable": [
+					{
+					  "name": "Region1"
+					}
+				  ]
+				},
+				{
+				  "content": "Movie4",
+				  "code": "m4",
+				  "regionsAvailable": [
+					{
+					  "name": "Region5"
+					}
+				  ]
+				}
+			  ]
+			}`,
+		},
+		{
+			name: "query interface; auth rules pass for all the implementing types",
+			query: `
+			query{
+				queryQuestionAndAnswer{
+					text
+				}
+			}
+			`,
+			ans:    true,
+			user:   "user1@dgraph.io",
+			result: `{"queryQuestionAndAnswer": [{"text": "A Answer"},{"text": "A Question"}]}`,
+		},
+		{
+			name: "query interface; auth rules fail for some implementing types",
+			query: `
+			query{
+				queryQuestionAndAnswer{
+					text
+				}
+			}
+			`,
+			user:   "user2@dgraph.io",
+			result: `{"queryQuestionAndAnswer": [{"text": "B Answer"}]}`,
+		},
+		{
+			name: "query interface; auth rules fail for the interface",
+			query: `
+			query{
+				queryQuestionAndAnswer{
+					text
+				}
+			}
+			`,
+			ans:    true,
+			result: `{"queryQuestionAndAnswer": []}`,
+		},
+	}
+
+	for _, tcase := range TestCases {
+		t.Run(tcase.name, func(t *testing.T) {
+			getUserParams := &common.GraphQLParams{
+				Headers: common.GetJWTForInterfaceAuth(t, tcase.user, tcase.role, tcase.ans, metaInfo),
+				Query:   tcase.query,
+			}
+			gqlResponse := getUserParams.ExecuteAsPost(t, common.GraphqlURL)
+			common.RequireNoGQLErrors(t, gqlResponse)
+			require.JSONEq(t, tcase.result, string(gqlResponse.Data))
+		})
+	}
+}
+
 func TestAddMutationWithXid(t *testing.T) {
 	mutation := `
 	mutation addTweets($tweet: AddTweetsInput!){