
Commit 3e3a53f

author
Arijit Das
authored
fix(GraphQL): Fix auth rewriting for nested queries when RBAC rule is true. (#6053)
* Fix auth rewriting for nested queries when RBAC rule is true.
1 parent c51d007 commit 3e3a53f


8 files changed

+527
-90
lines changed


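--- a/graphql/e2e/auth/schema.graphql
+++ b/graphql/e2e/auth/schema.graphql
@@ -522,3 +522,50 @@ query($USER: String!) {
 id: ID!
 email: String! @dgraph(pred: "IOw80vnV") @search(by: [hash])
 }
+
+type Contact @auth(
+query: { rule: "{$ContactRole: { eq: \"ADMINISTRATOR\"}}" }
+) {
+id: ID!
+nickName: String @search(by: [exact, term, fulltext, regexp])
+adminTasks: [AdminTask] @hasInverse(field: forContact)
+tasks: [Task] @hasInverse(field: forContact)
+}
+
+type AdminTask @auth(
+query: { rule: "{$TaskRole: { eq: \"ADMINISTRATOR\"}}" }
+) {
+id: ID!
+name: String @search(by: [exact, term, fulltext, regexp])
+occurrances: [TaskOccurance] @hasInverse(field: adminTask)
+forContact: Contact @hasInverse(field: adminTasks)
+}
+
+type Task {
+id: ID!
+name: String @search(by: [exact, term, fulltext, regexp])
+occurrances: [TaskOccurance] @hasInverse(field: task)
+forContact: Contact @hasInverse(field: tasks)
+}
+
+type TaskOccurance @auth(
+query: { and : [
+{rule: "{$TaskOccuranceRole: { eq: \"ADMINISTRATOR\"}}"},
+{rule: """
+query($TaskOccuranceRole: String!) {
+queryTaskOccurance(filter: {role: { eq: $TaskOccuranceRole}}) {
+__typename
+}
+}
+"""}
+] }
+) {
+id: ID!
+due: DateTime @search
+comp: DateTime @search
+task: Task @hasInverse(field: occurrances)
+adminTask: AdminTask @hasInverse(field: occurrances)
+isPublic: Boolean @search
+role: String @search(by: [exact, term, fulltext, regexp])
+}
+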
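Review bot: `Task` is the only one of the four new types with no `@auth` directive, so reaching `TaskOccurance` through `Task.occurrances` or `Contact.tasks` is guarded solely by the nested type's own rule; if that is the deliberate fixture for rewriting an RBAC-protected child under an unprotected parent, a schema comment would save the next reader a check, e.g. `# Task intentionally has no @auth: exercises nested auth rewriting into the RBAC-protected TaskOccurance.`. The graph-query half of the `TaskOccurance` rule filters `role` with `eq`, which depends on the `exact` index declared on the `role` field a few lines below; the two should be kept in step if that index list is ever changed. The new identifiers `occurrances` and `TaskOccurance` are misspellings that will surface verbatim in the generated query and mutation names, so unless the other files in this commit already depend on them they are cheapest to fix now.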

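--- a/graphql/resolve/auth_add_test.yaml
+++ b/graphql/resolve/auth_add_test.yaml
@@ -7,6 +7,8 @@
 }
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "secret":
 { "aSecret": "it is",
@@ -35,6 +37,8 @@
 }
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "secrets":
 [
@@ -64,6 +68,8 @@
 }
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "secret":
 { "aSecret": "it is",
@@ -94,6 +100,8 @@
 }
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "secrets":
 [
@@ -125,6 +133,8 @@
 }
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "col":
 { "inProject": { "projID": "0x123" },
@@ -191,6 +201,8 @@
 }
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "col":
 {
@@ -257,6 +269,8 @@
 }
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "col1":
 { "inProject": { "projID": "0x123" },
@@ -334,6 +348,8 @@
 }
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "col1":
 { "inProject": { "projID": "0x123" },
@@ -418,6 +434,8 @@
 }
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "col":
 { "inProject": { "projID": "0x123" },
@@ -493,6 +511,8 @@
 }
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "col":
 { "inProject": { "projID": "0x123" },
@@ -569,6 +589,8 @@
 }
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 {
 "proj": {
@@ -658,6 +680,8 @@
 }
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 {
 "proj": {
@@ -748,6 +772,8 @@
 }
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "log":
 { "logs": "log123",
@@ -769,7 +795,9 @@
 }
 }
 }
-role: "ADMIN"
+jwtvar:
+ROLE: "ADMIN"
+USER: "user1"
 variables: |
 { "log":
 { "logs": "log123",
@@ -789,7 +817,9 @@
 }
 }
 }
-role: "ADMIN"
+jwtvar:
+ROLE: "ADMIN"
+USER: "user1"
 variables: |
 {
 "proj": {
@@ -811,7 +841,9 @@
 }
 }
 }
-role: "USER"
+jwtvar:
+ROLE: "USER"
+USER: "user1"
 variables: |
 {
 "proj": {
@@ -850,7 +882,9 @@
 }
 }
 }
-role: "ADMIN"
+jwtvar:
+ROLE: "ADMIN"
+USER: "user1"
 variables: |
 { "issue":
 { "msg": "log123",
@@ -900,7 +934,9 @@
 }
 }
 }
-role: "USER"
+jwtvar:
+ROLE: "USER"
+USER: "user1"
 variables: |
 { "issue":
 { "msg": "log123",
@@ -950,7 +986,9 @@
 }
 }
 }
-role: "USER"
+jwtvar:
+ROLE: "USER"
+USER: "user1"
 variables: |
 { "log":
 { "logs": "log123",
@@ -971,7 +1009,9 @@
 }
 }
 }
-role: "ADMIN"
+jwtvar:
+ROLE: "ADMIN"
+USER: "user1"
 variables: |
 { "log":
 { "logs": "log123",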
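Review bot: Every case touched in this file now carries a `jwtvar:` block with `USER: "user1"`, and the former scalar `role:` key is folded into it as `ROLE`, so as far as the visible hunks show no add case is left that runs with no claims at all; one case with `jwtvar` omitted would pin the no-token outcome of an RBAC rule, assuming the harness treats a missing `jwtvar` as an absent JWT. The same applies to the parallel hunks in graphql/resolve/auth_delete_test.yaml. Indentation is not recoverable from this rendering, so the nesting of the new `jwtvar` map under each case entry should be checked in the raw file. A short comment at the top of the file stating that `jwtvar` keys become JWT claims referenced as `$USER`/`$ROLE` by the auth rules would make the fixture self-explanatory.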

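--- a/graphql/resolve/auth_delete_test.yaml
+++ b/graphql/resolve/auth_delete_test.yaml
@@ -5,6 +5,8 @@
 msg
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "filter": { "aSecret": { "anyofterms": "auth is applied" } } }
 dgmutations:
@@ -29,6 +31,8 @@
 msg
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "filter": { "title": { "anyofterms": "auth is applied" } } }
 dgmutations:
@@ -90,6 +94,8 @@
 }
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "filter": { "title": { "anyofterms": "auth is applied" } } }
 dgmutations:
@@ -206,7 +212,9 @@
 {
 "projs" : ["0x01", "0x02"]
 }
-role: "ADMIN"
+jwtvar:
+ROLE: "ADMIN"
+USER: "user1"
 dgmutations:
 - deletejson: |
 [{
@@ -244,7 +252,9 @@
 "id": ["0x1", "0x2"]
 }
 }
-role: "USER"
+jwtvar:
+ROLE: "USER"
+USER: "user1"
 dgmutations:
 - deletejson: |
 [{
@@ -269,6 +279,8 @@
 "username": { "eq": "userxyz" }
 }
 }
+jwtvar:
+USER: "user1"
 dgmutations:
 - deletejson: |
 [
@@ -297,6 +309,8 @@
 msg
 }
 }
+jwtvar:
+USER: "user1"
 variables: |
 { "filter":
 {
@@ -331,7 +345,9 @@
 "id": ["0x1", "0x2"]
 }
 }
-role: "USER"
+jwtvar:
+ROLE: "USER"
+USER: "user1"
 dgmutations:
 - deletejson: |
 [{
@@ -359,7 +375,9 @@
 "id": ["0x1", "0x2"]
 }
 }
-role: "ADMIN"
+jwtvar:
+ROLE: "ADMIN"
+USER: "user1"
 dgmutations:
 - deletejson: |
 [{
@@ -392,7 +410,9 @@
 {
 "ids" : ["0x01", "0x02"]
 }
-role: "ADMIN"
+jwtvar:
+ROLE: "ADMIN"
+USER: "user1"
 dgmutations:
 - deletejson: |
 [{ "uid": "uid(x)" }]
@@ -416,6 +436,8 @@
 {
 "ids" : ["0x01", "0x02"]
 }
+jwtvar:
+USER: "user1"
 dgmutations:
 - deletejson: |
 [{ "uid": "uid(x)" }]
@@ -442,7 +464,9 @@
 "id": ["0x1", "0x2"]
 }
 }
-role: "ADMIN"
+jwtvar:
+ROLE: "ADMIN"
+USER: "user1"
 dgmutations:
 - deletejson: |
 [{
@@ -474,7 +498,9 @@
 "id": ["0x1", "0x2"]
 }
 }
-role: "USER"
+jwtvar:
+ROLE: "USER"
+USER: "user1"
 dgmutations:
 - deletejson: |
 [{
@@ -498,7 +524,9 @@
 "id": ["0x1", "0x2"]
 }
 }
-role: "USER"
+jwtvar:
+ROLE: "USER"
+USER: "user1"
 dgmutations:
 - deletejson: |
 [{
@@ -522,7 +550,9 @@
 "id": ["0x1", "0x2"]
 }
 }
-role: "ADMIN"
+jwtvar:
+ROLE: "ADMIN"
+USER: "user1"
 dgmutations:
 - deletejson: |
 [{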
