hypermodeinc
diff --git a/‎edgraph/access_ee.go
Lines changed: 107 additions & 16 deletions b/‎edgraph/access_ee.go
Lines changed: 107 additions & 16 deletions
diff --git a/‎edgraph/acl_cache.go
Lines changed: 42 additions & 6 deletions b/‎edgraph/acl_cache.go
Lines changed: 42 additions & 6 deletions
@@ -40,6 +40,11 @@ import (
 	"google.golang.org/grpc/status"
 )
 
+type predsAndvars struct {
+	preds []string
+	vars  map[string]string
+}
+
 // Login handles login requests from clients.
 func (s *Server) Login(ctx context.Context,
 	request *api.LoginRequest) (*api.Response, error) {
@@ -172,6 +177,7 @@ func validateToken(jwtStr string) ([]string, error) {
 		return nil, errors.Errorf("unable to parse jwt token:%v", err)
 	}
 
+	// TODO(arijit): Upgrade the jwt library to v4.0
 	claims, ok := token.Claims.(jwt.MapClaims)
 	if !ok || !token.Valid {
 		return nil, errors.Errorf("claims in jwt token is not map claims")
@@ -354,6 +360,9 @@ const queryAcls = `
 		dgraph.rule.predicate
 		dgraph.rule.permission
 	}
+	~dgraph.user.group{
+		dgraph.xid
+	}
   }
 }
 `
@@ -459,7 +468,7 @@ func extractUserAndGroups(ctx context.Context) ([]string, error) {
 }
 
 func authorizePreds(userId string, groupIds, preds []string,
-	aclOp *acl.Operation) map[string]struct{} {
+	aclOp *acl.Operation) (map[string]struct{}, []string) {
 
 	blockedPreds := make(map[string]struct{})
 	for _, pred := range preds {
@@ -475,7 +484,17 @@ func authorizePreds(userId string, groupIds, preds []string,
 			blockedPreds[pred] = struct{}{}
 		}
 	}
-	return blockedPreds
+	aclCachePtr.RLock()
+	allowedPreds := make([]string, len(aclCachePtr.userPredPerms[userId]))
+	// User can have multiple permission for same predicate, add predicate
+	// only if the acl.Op is covered in the set of permissions for the user
+	for predicate, perm := range aclCachePtr.userPredPerms[userId] {
+		if (perm & aclOp.Code) > 0 {
+			allowedPreds = append(allowedPreds, predicate)
+		}
+	}
+	aclCachePtr.RUnlock()
+	return blockedPreds, allowedPreds
 }
 
 // authorizeAlter parses the Schema in the operation and authorizes the operation
@@ -531,7 +550,7 @@ func authorizeAlter(ctx context.Context, op *api.Operation) error {
 				"only guardians are allowed to drop all data, but the current user is %s", userId)
 		}
 
-		blockedPreds := authorizePreds(userId, groupIds, preds, acl.Modify)
+		blockedPreds, _ := authorizePreds(userId, groupIds, preds, acl.Modify)
 		if len(blockedPreds) > 0 {
 			var msg strings.Builder
 			for key := range blockedPreds {
@@ -639,7 +658,7 @@ func authorizeMutation(ctx context.Context, gmu *gql.Mutation) error {
 			return nil
 		}
 
-		blockedPreds := authorizePreds(userId, groupIds, preds, acl.Write)
+		blockedPreds, _ := authorizePreds(userId, groupIds, preds, acl.Write)
 		if len(blockedPreds) > 0 {
 			var msg strings.Builder
 			for key := range blockedPreds {
@@ -669,14 +688,19 @@ func authorizeMutation(ctx context.Context, gmu *gql.Mutation) error {
 	return err
 }
 
-func parsePredsFromQuery(gqls []*gql.GraphQuery) []string {
+func parsePredsFromQuery(gqls []*gql.GraphQuery) predsAndvars {
 	predsMap := make(map[string]struct{})
+	varsMap := make(map[string]string)
 	for _, gq := range gqls {
 		if gq.Func != nil {
 			predsMap[gq.Func.Attr] = struct{}{}
 		}
-		if len(gq.Attr) > 0 && gq.Attr != "uid" {
+		if len(gq.Var) > 0 {
+			varsMap[gq.Var] = gq.Attr
+		}
+		if len(gq.Attr) > 0 && gq.Attr != "uid" && gq.Attr != "expand" && gq.Attr != "val" {
 			predsMap[gq.Attr] = struct{}{}
+
 		}
 		for _, ord := range gq.Order {
 			predsMap[ord.Attr] = struct{}{}
@@ -687,15 +711,23 @@ func parsePredsFromQuery(gqls []*gql.GraphQuery) []string {
 		for _, pred := range parsePredsFromFilter(gq.Filter) {
 			predsMap[pred] = struct{}{}
 		}
-		for _, childPred := range parsePredsFromQuery(gq.Children) {
+		childPredandVars := parsePredsFromQuery(gq.Children)
+		for _, childPred := range childPredandVars.preds {
 			predsMap[childPred] = struct{}{}
 		}
+		for childVar := range childPredandVars.vars {
+			varsMap[childVar] = childPredandVars.vars[childVar]
+		}
 	}
 	preds := make([]string, 0, len(predsMap))
 	for pred := range predsMap {
-		preds = append(preds, pred)
+		if _, found := varsMap[pred]; !found {
+			preds = append(preds, pred)
+		}
 	}
-	return preds
+
+	pv := predsAndvars{preds: preds, vars: varsMap}
+	return pv
 }
 
 func parsePredsFromFilter(f *gql.FilterTree) []string {
@@ -742,26 +774,36 @@ func authorizeQuery(ctx context.Context, parsedReq *gql.Result, graphql bool) er
 
 	var userId string
 	var groupIds []string
-	preds := parsePredsFromQuery(parsedReq.Query)
+	predsAndvars := parsePredsFromQuery(parsedReq.Query)
+	preds := predsAndvars.preds
+	varsToPredMap := predsAndvars.vars
+
+	// Need this to efficiently identify blocked variables from the
+	// list of blocked predicates
+	predToVarsMap := make(map[string]string)
+	for k, v := range varsToPredMap {
+		predToVarsMap[v] = k
+	}
 
-	doAuthorizeQuery := func() (map[string]struct{}, error) {
+	doAuthorizeQuery := func() (map[string]struct{}, []string, error) {
 		userData, err := extractUserAndGroups(ctx)
 		if err != nil {
-			return nil, status.Error(codes.Unauthenticated, err.Error())
+			return nil, nil, status.Error(codes.Unauthenticated, err.Error())
 		}
 
 		userId = userData[0]
 		groupIds = userData[1:]
 
 		if x.IsGuardian(groupIds) {
 			// Members of guardian groups are allowed to query anything.
-			return nil, nil
+			return nil, nil, nil
 		}
 
-		return authorizePreds(userId, groupIds, preds, acl.Read), nil
+		blockedPreds, allowedPreds := authorizePreds(userId, groupIds, preds, acl.Read)
+		return blockedPreds, allowedPreds, nil
 	}
 
-	blockedPreds, err := doAuthorizeQuery()
+	blockedPreds, allowedPreds, err := doAuthorizeQuery()
 
 	if span := otrace.FromContext(ctx); span != nil {
 		span.Annotatef(nil, (&accessEntry{
@@ -792,7 +834,21 @@ func authorizeQuery(ctx context.Context, parsedReq *gql.Result, graphql bool) er
 			// In query context ~predicate and predicate are considered different.
 			delete(blockedPreds, "~dgraph.user.group")
 		}
+
+		blockedVars := make(map[string]struct{})
+		for predicate := range blockedPreds {
+			if variable, found := predToVarsMap[predicate]; found {
+				// Add variables to blockedPreds to delete from Query
+				blockedPreds[variable] = struct{}{}
+				// Collect blocked Variables to remove from QueryVars
+				blockedVars[variable] = struct{}{}
+			}
+		}
 		parsedReq.Query = removePredsFromQuery(parsedReq.Query, blockedPreds)
+		parsedReq.QueryVars = removeVarsFromQueryVars(parsedReq.QueryVars, blockedVars)
+	}
+	for i := range parsedReq.Query {
+		parsedReq.Query[i].AllowedPreds = allowedPreds
 	}
 
 	return nil
@@ -832,8 +888,9 @@ func authorizeSchemaQuery(ctx context.Context, er *query.ExecutionResult) error
 			// Members of guardian groups are allowed to query anything.
 			return nil, nil
 		}
+		blockedPreds, _ := authorizePreds(userId, groupIds, preds, acl.Read)
 
-		return authorizePreds(userId, groupIds, preds, acl.Read), nil
+		return blockedPreds, nil
 	}
 
 	// find the predicates which are blocked for the schema query
@@ -1039,6 +1096,7 @@ func removePredsFromQuery(gqs []*gql.GraphQuery,
 	blockedPreds map[string]struct{}) []*gql.GraphQuery {
 
 	filteredGQs := gqs[:0]
+L:
 	for _, gq := range gqs {
 		if gq.Func != nil && len(gq.Func.Attr) > 0 {
 			if _, ok := blockedPreds[gq.Func.Attr]; ok {
@@ -1049,6 +1107,15 @@ func removePredsFromQuery(gqs []*gql.GraphQuery,
 			if _, ok := blockedPreds[gq.Attr]; ok {
 				continue
 			}
+			if gq.Attr == "val" {
+				// TODO (Anurag): If val supports multiple variables, this would
+				// need an upgrade
+				for _, variable := range gq.NeedsVar {
+					if _, ok := blockedPreds[variable.Name]; ok {
+						continue L
+					}
+				}
+			}
 		}
 
 		order := gq.Order[:0]
@@ -1069,6 +1136,30 @@ func removePredsFromQuery(gqs []*gql.GraphQuery,
 	return filteredGQs
 }
 
+func removeVarsFromQueryVars(gqs []*gql.Vars,
+	blockedVars map[string]struct{}) []*gql.Vars {
+
+	filteredGQs := gqs[:0]
+	for _, gq := range gqs {
+		var defines []string
+		var needs []string
+		for _, variable := range gq.Defines {
+			if _, ok := blockedVars[variable]; !ok {
+				defines = append(defines, variable)
+			}
+		}
+		for _, variable := range gq.Needs {
+			if _, ok := blockedVars[variable]; !ok {
+				needs = append(needs, variable)
+			}
+		}
+		gq.Defines = defines
+		gq.Needs = needs
+		filteredGQs = append(filteredGQs, gq)
+	}
+	return filteredGQs
+}
+
 func removeFilters(f *gql.FilterTree, blockedPreds map[string]struct{}) *gql.FilterTree {
 	if f == nil {
 		return nil
 
@@ -23,19 +23,23 @@ import (
 // aclCache is the cache mapping group names to the corresponding group acls
 type aclCache struct {
 	sync.RWMutex
-	predPerms map[string]map[string]int32
+	predPerms     map[string]map[string]int32
+	userPredPerms map[string]map[string]int32
 }
 
 var aclCachePtr = &aclCache{
-	predPerms: make(map[string]map[string]int32),
+	predPerms:     make(map[string]map[string]int32),
+	userPredPerms: make(map[string]map[string]int32),
 }
 
 func (cache *aclCache) update(groups []acl.Group) {
 	// In dgraph, acl rules are divided by groups, e.g.
 	// the dev group has the following blob representing its ACL rules
 	// [friend, 4], [name, 7] where friend and name are predicates,
-	// However in the aclCachePtr in memory, we need to change the structure so
-	// that ACL rules are divided by predicates, e.g.
+	// However in the aclCachePtr in memory, we need to change the structure and store
+	// the information in two formats for efficient look-ups.
+	//
+	// First in which ACL rules are divided by predicates, e.g.
 	// friend ->
 	//     dev -> 4
 	//     sre -> 6
@@ -44,12 +48,27 @@ func (cache *aclCache) update(groups []acl.Group) {
 	// the reason is that we want to efficiently determine if any ACL rule has been defined
 	// for a given predicate, and allow the operation if none is defined, per the fail open
 	// approach
-
-	// predPerms is the map descriebed above that maps a single
+	//
+	// Second in which ACL rules are divided by users, e.g.
+	// user-alice ->
+	//          friend  -> 4
+	//          name    -> 6
+	// user-bob  ->
+	//          friend  -> 7
+	// the reason is so that we can efficiently determine a list of predicates (allowedPreds)
+	// to which user has access for their queries
+
+	// predPerms is the map, described above in First, that maps a single
 	// predicate to a submap, and the submap maps a group to a permission
+
+	// userPredPerms is the map, described above in Second, that maps a single
+	// user to a submap, and the submap maps a predicate to a permission
+
 	predPerms := make(map[string]map[string]int32)
+	userPredPerms := make(map[string]map[string]int32)
 	for _, group := range groups {
 		acls := group.Rules
+		users := group.Users
 
 		for _, acl := range acls {
 			if len(acl.Predicate) > 0 {
@@ -62,11 +81,28 @@ func (cache *aclCache) update(groups []acl.Group) {
 				}
 			}
 		}
+
+		for _, user := range users {
+			if _, found := userPredPerms[user.UserID]; !found {
+				userPredPerms[user.UserID] = make(map[string]int32)
+			}
+			// For each user we store all the permissions available to that user
+			// via different groups. Therefore we take OR if the user already has
+			// a permission for a predicate
+			for _, acl := range acls {
+				if _, found := userPredPerms[user.UserID][acl.Predicate]; found {
+					userPredPerms[user.UserID][acl.Predicate] |= acl.Perm
+				} else {
+					userPredPerms[user.UserID][acl.Predicate] = acl.Perm
+				}
+			}
+		}
 	}
 
 	aclCachePtr.Lock()
 	defer aclCachePtr.Unlock()
 	aclCachePtr.predPerms = predPerms
+	aclCachePtr.userPredPerms = userPredPerms
 }
 
 func (cache *aclCache) authorizePredicate(groups []string, predicate string,