From e83d72645b7ae64aa87db8e0e4022070d1e8e610 Mon Sep 17 00:00:00 2001
From: minhaj-shakeel
Date: Fri, 25 Jun 2021 19:35:15 +0530
Subject: [PATCH] fix(GraphQL): Nested Auth Rules not working properly. (#7915)
(cherry picked from commit e7a19317a16214761e0db1f838ba48a0a382f0df)
---
graphql/e2e/auth/auth_test.go | 38 ++++++++++++++++++++++++++++
graphql/resolve/auth_query_test.yaml | 6 ++---
graphql/resolve/query_rewriter.go | 5 ++++
3 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/graphql/e2e/auth/auth_test.go b/graphql/e2e/auth/auth_test.go
index 908e8f2110d..8d15f201bd7 100644
--- a/graphql/e2e/auth/auth_test.go
+++ b/graphql/e2e/auth/auth_test.go
@@ -513,6 +513,44 @@ func TestAuthOnInterfaces(t *testing.T) {
 }
 }
+func TestNestedAndAuthRulesWithMissingJWT(t *testing.T) {
+ addParams := &common.GraphQLParams{
+ Query: `
+ mutation($user1: String!, $user2: String!){
+ addGroup(input: [{users: {username: $user1}, createdBy: {username: $user2}}, {users: {username: $user2}, createdBy: {username: $user1}}]){
+ numUids
+ }
+ }
+ `,
+ Variables: map[string]interface{}{"user1": "user1", "user2": "user2"},
+ }
+ gqlResponse := addParams.ExecuteAsPost(t, common.GraphqlURL)
+ common.RequireNoGQLErrors(t, gqlResponse)
+ require.JSONEq(t, `{"addGroup": {"numUids": 2}}`, string(gqlResponse.Data))
+ queryParams := &common.GraphQLParams{
+ Query: `
+ query{
+ queryGroup{
+ users{
+ username
+ }
+ }
+ }
+ `,
+ Headers: common.GetJWT(t, "user1", nil, metaInfo),
+ }
+
+ expectedJSON := `{"queryGroup": [{"users": [{"username": "user1"}]}]}`
+
+ gqlResponse = queryParams.ExecuteAsPost(t, common.GraphqlURL)
+ common.RequireNoGQLErrors(t, gqlResponse)
+ require.JSONEq(t, expectedJSON, string(gqlResponse.Data))
+
+ deleteFilter := map[string]interface{}{"has": "users"}
+ common.DeleteGqlType(t, "Group", deleteFilter, 2, nil)
+}
+
 func TestAuthRulesWithNullValuesInJWT(t *testing.T) {
 testCases := []TestCase{
 {
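Review bot: The test name says `WithMissingJWT`, yet the query is sent with a JWT (`common.GetJWT(t, "user1", nil, metaInfo)`); presumably the `nil` stands for a missing claim that makes one RBAC term of the Group rule evaluate false, but nothing in the test tells a reader which rule is exercised or why the group that user1 *created* must be absent from `expectedJSON`. A header comment on `TestNestedAndAuthRulesWithMissingJWT` spelling out the Group auth rule under test and stating that the second group is excluded only because its `AND` branch contains a false RBAC term would turn this into a readable regression test for the authorization bypass it guards against. The cleanup `common.DeleteGqlType(t, "Group", deleteFilter, 2, nil)` runs only when every `require` above it passes, so a failing assertion leaks two Group nodes into later tests that share the cluster; register it right after the add succeeds with `t.Cleanup(func() { common.DeleteGqlType(t, "Group", deleteFilter, 2, nil) })` instead.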
diff --git a/graphql/resolve/auth_query_test.yaml b/graphql/resolve/auth_query_test.yaml
index 0faa82fb162..666243da052 100644
--- a/graphql/resolve/auth_query_test.yaml
+++ b/graphql/resolve/auth_query_test.yaml
@@ -644,14 +644,11 @@
 queryGroup(func: uid(GroupRoot)) {
 Group.id : uid
 }
- GroupRoot as var(func: uid(Group_1)) @filter((uid(Group_Auth2) OR uid(Group_Auth3)))
+ GroupRoot as var(func: uid(Group_1)) @filter(uid(Group_Auth2))
 Group_1 as var(func: type(Group))
 Group_Auth2 as var(func: uid(Group_1)) @cascade {
 Group.users : Group.users @filter(eq(User.username, "user1"))
 }
- Group_Auth3 as var(func: uid(Group_1)) @cascade {
- Group.createdBy : Group.createdBy @filter(eq(User.username, "user1"))
- }
 }
 - name: "Auth with top level OR rbac false"
@@ -2103,3 +2100,4 @@
 }
 }
 }
+
diff --git a/graphql/resolve/query_rewriter.go b/graphql/resolve/query_rewriter.go
index 0caea143f81..c5d18825398 100644
--- a/graphql/resolve/query_rewriter.go
+++ b/graphql/resolve/query_rewriter.go
@@ -971,6 +971,11 @@ func (authRw *authRewriter) rewriteRuleNode(
 switch {
 case len(rn.And) > 0:
+ // if there is atleast one RBAC rule which is false, then this
+ // whole And block needs to be ignored.
+ if rn.EvaluateStatic(authRw.authVariables) == schema.Negative {
+ return nil, nil
+ }
 qrys, filts := nodeList(typ, rn.And)
 if len(filts) == 0 {
 return qrys, nil
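Review bot: The early `return nil, nil` makes a statically-false `And` indistinguishable from a rule node that simply produced no filter, so the soundness of this fix rests on every caller reading a nil filter as "this branch contributes nothing" rather than "no restriction": under an enclosing `Or` that yields the intended deny (the `len(filts) == 0` check on the next line suggests `nodeList` skips nil filters), but when such an `And` is the top-level rule for a type, or sits under a `Not`, a nil filter would have to become an empty result or be negated, and that handling is outside this hunk — please confirm the callers already do the static evaluation for those positions. The comment should record that reasoning rather than only the mechanics, and fix the typo `atleast`: `// A false RBAC term makes the whole conjunction false. Return no filter so the enclosing Or/And drops this branch; evaluating the remaining terms would silently turn 'A AND false' into 'A'.` The symmetric case — an `Or` whose static evaluation is Positive because one RBAC term is true — is untouched here and, if its nil filter is likewise dropped, would over-restrict rather than over-grant, so it is a correctness rather than a security follow-up. The enclosing `switch` and `rewriteRuleNode` both begin and end outside the hunk.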