

Addressed review comments
shivaji-kharse committed Apr 19, 2023
1 parent 67f998d commit 2508c69
Showing 5 changed files with 120 additions and 125 deletions.
4 changes: 2 additions & 2 deletions dgraphtest/cluster.go
Expand Up @@ -74,9 +74,9 @@ type GraphQLResponse struct {
Extensions map[string]interface{} `json:"extensions,omitempty"`
}

func (hc *HTTPClient) LoginIntoNamespace(user, password string, ns uint64) error {
func (hc *HTTPClient) LoginIntoNamespace(user, password string, ns uint64, refreshToken string) error {
q := `mutation login($userId: String, $password: String, $namespace: Int) {
login(userId: $userId, password: $password, namespace: $namespace) {
login(userId: $userId, password: $password, namespace: $namespace ,refreshToken: $refreshToken) {
response {
accessJWT
refreshJWT
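Review bot: The new selection line `login(userId: $userId, password: $password, namespace: $namespace ,refreshToken: $refreshToken)` references `$refreshToken`, but the unchanged operation header just above it still declares only `$userId`, `$password` and `$namespace`, so GraphQL validation should reject the document for an undefined variable before any login is attempted. Declare it in the header, `mutation login($userId: String, $password: String, $namespace: Int, $refreshToken: String) {`, and make sure the variables map built further down sets `"refreshToken": refreshToken` from the new parameter; the stray space in `$namespace ,refreshToken` is also worth normalising. The rest of LoginIntoNamespace, including where the variables are populated and where the returned accessJWT and refreshJWT are stored on the client, lies past the end of this hunk, so I cannot confirm the variable is actually sent.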
68 changes: 29 additions & 39 deletions ee/acl/acl_curl_test.go
Expand Up @@ -24,41 +24,40 @@ import (

"github.com/dgraph-io/dgraph/dgraphtest"
"github.com/dgraph-io/dgraph/testutil"
"github.com/dgraph-io/dgraph/x"
)

var adminEndpoint string

func (suite *AclTestSuite) TestCurlAuthorization() {
t := suite.T()
ctx, cancel := context.WithTimeout(context.Background(), 100*time.Second)
defer cancel()
if testing.Short() {
t.Skip("skipping because -short=true")
}

glog.Infof("testing with port %s", testutil.SockAddr)
ctx, cancel := context.WithTimeout(context.Background(), 100*time.Second)
defer cancel()
// glog.Infof("testing with port %s", testutil.SockAddr)
gc, cleanup, err := suite.dc.Client()
require.NoError(t, err)
defer cleanup()
require.NoError(t, gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0))
require.NoError(t, gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser,
dgraphtest.DefaultPassword, dgraphtest.GalaxyNamespace))

hc, err := suite.dc.HTTPClient()
require.NoError(t, err)
require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0))
require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser,
dgraphtest.DefaultPassword, dgraphtest.GalaxyNamespace, ""))
createAccountAndData(t, gc, hc)

// test query through curl

require.NoError(t, hc.LoginIntoNamespace(userid, userpassword, 0))

require.NoError(t, hc.LoginIntoNamespace(userid, userpassword, dgraphtest.GalaxyNamespace, ""))
// No ACL rules are specified, so query should return empty response,
// alter and mutate should fail.
queryArgs := func(jwt string) []string {
return []string{"-H", fmt.Sprintf("X-Dgraph-AccessToken:%s", jwt),
"-H", "Content-Type: application/dql",
"-d", query, testutil.SockAddrHttp + "/query"}
}
testutil.VerifyCurlCmd(t, queryArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
testutil.VerifyCurlCmd(t, queryArgs(hc.HttpToken.AccessJwt), &testutil.CurlFailureConfig{
ShouldFail: false,
})

Expand All @@ -71,7 +70,7 @@ func (suite *AclTestSuite) TestCurlAuthorization() {

}

testutil.VerifyCurlCmd(t, mutateArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
testutil.VerifyCurlCmd(t, mutateArgs(hc.HttpToken.AccessJwt), &testutil.CurlFailureConfig{
ShouldFail: true,
DgraphErrMsg: "PermissionDenied",
})
Expand All @@ -80,7 +79,7 @@ func (suite *AclTestSuite) TestCurlAuthorization() {
return []string{"-H", fmt.Sprintf("X-Dgraph-AccessToken:%s", jwt),
"-d", fmt.Sprintf(`%s: int .`, predicateToAlter), testutil.SockAddrHttp + "/alter"}
}
testutil.VerifyCurlCmd(t, alterArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
testutil.VerifyCurlCmd(t, alterArgs(hc.HttpToken.AccessJwt), &testutil.CurlFailureConfig{
ShouldFail: true,
DgraphErrMsg: "PermissionDenied",
})
Expand All @@ -90,69 +89,60 @@ func (suite *AclTestSuite) TestCurlAuthorization() {
// JWT
glog.Infof("Sleeping for accessJwt to expire")
time.Sleep(expireJwtSleep)
testutil.VerifyCurlCmd(t, queryArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
testutil.VerifyCurlCmd(t, queryArgs(hc.HttpToken.AccessJwt), &testutil.CurlFailureConfig{
ShouldFail: true,
DgraphErrMsg: "Token is expired",
})
testutil.VerifyCurlCmd(t, mutateArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
testutil.VerifyCurlCmd(t, mutateArgs(hc.HttpToken.AccessJwt), &testutil.CurlFailureConfig{
ShouldFail: true,
DgraphErrMsg: "Token is expired",
})
testutil.VerifyCurlCmd(t, alterArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
testutil.VerifyCurlCmd(t, alterArgs(hc.HttpToken.AccessJwt), &testutil.CurlFailureConfig{
ShouldFail: true,
DgraphErrMsg: "Token is expired",
})
// login again using the refreshJwt
token, err = testutil.HttpLogin(&testutil.LoginParams{
Endpoint: adminEndpoint,
RefreshJwt: token.RefreshToken,
Namespace: x.GalaxyNamespace,
})
require.No
require.NoError(t, hc.LoginIntoNamespace("", "", dgraphtest.GalaxyNamespace, hc.HttpToken.RefreshToken))
require.NoError(t, err, fmt.Sprintf("login through refresh httpToken failed: %v", err))

createGroupAndAcls(t, unusedGroup, false)
createGroupAndAcls(t, unusedGroup, false, hc)
time.Sleep(expireJwtSleep)
testutil.VerifyCurlCmd(t, queryArgs(token.AccessJwt), &testutil.CurlFailureConfig{
testutil.VerifyCurlCmd(t, queryArgs(hc.HttpToken.AccessJwt), &testutil.CurlFailureConfig{
ShouldFail: true,
DgraphErrMsg: "Token is expired",
})
// refresh the jwts again
token, err = testutil.HttpLogin(&testutil.LoginParams{
Endpoint: adminEndpoint,
RefreshJwt: token.RefreshToken,
})
require.NoError(t, hc.LoginIntoNamespace("", "", dgraphtest.GalaxyNamespace, hc.HttpToken.RefreshToken))

require.NoError(t, err, fmt.Sprintf("login through refresh httpToken failed: %v", err))
// verify that with an ACL rule defined, all the operations except query should
// does not have the required permissions be denied when the acsess JWT
testutil.VerifyCurlCmd(t, queryArgs(token.AccessJwt), &testutil.CurlFailureConfig{
testutil.VerifyCurlCmd(t, queryArgs(hc.HttpToken.AccessJwt), &testutil.CurlFailureConfig{
ShouldFail: false,
})
testutil.VerifyCurlCmd(t, mutateArgs(token.AccessJwt), &testutil.CurlFailureConfig{
testutil.VerifyCurlCmd(t, mutateArgs(hc.HttpToken.AccessJwt), &testutil.CurlFailureConfig{
ShouldFail: true,
DgraphErrMsg: "PermissionDenied",
})
testutil.VerifyCurlCmd(t, alterArgs(token.AccessJwt), &testutil.CurlFailureConfig{
testutil.VerifyCurlCmd(t, alterArgs(hc.HttpToken.AccessJwt), &testutil.CurlFailureConfig{
ShouldFail: true,
DgraphErrMsg: "PermissionDenied",
})

createGroupAndAcls(t, devGroup, true)
createGroupAndAcls(t, devGroup, true, hc)
time.Sleep(defaultTimeToSleep)
// refresh the jwts again
token, err = testutil.HttpLogin(&testutil.LoginParams{
Endpoint: adminEndpoint,
RefreshJwt: token.RefreshToken,
})
require.NoError(t, hc.LoginIntoNamespace("", "", dgraphtest.GalaxyNamespace, hc.HttpToken.RefreshToken))

require.NoError(t, err, fmt.Sprintf("login through refresh httpToken failed: %v", err))
// verify that the operations should be allowed again through the dev group
testutil.VerifyCurlCmd(t, queryArgs(token.AccessJwt), &testutil.CurlFailureConfig{
testutil.VerifyCurlCmd(t, queryArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
ShouldFail: false,
})
testutil.VerifyCurlCmd(t, mutateArgs(token.AccessJwt), &testutil.CurlFailureConfig{
testutil.VerifyCurlCmd(t, mutateArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
ShouldFail: false,
})
testutil.VerifyCurlCmd(t, alterArgs(token.AccessJwt), &testutil.CurlFailureConfig{
testutil.VerifyCurlCmd(t, alterArgs(hc.AccessJwt), &testutil.CurlFailureConfig{
ShouldFail: false,
})
}
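Review bot: The last three curl checks in TestCurlAuthorization read `hc.AccessJwt`, whereas every earlier check in the same function reads `hc.HttpToken.AccessJwt`; if `AccessJwt` is not a field of HTTPClient this does not compile, and if it is a leftover field it would hold a token other than the one just obtained by the refresh login on the line above, so the `ShouldFail: false` expectations would be exercised with the wrong credential. Change them to `queryArgs(hc.HttpToken.AccessJwt)`, `mutateArgs(hc.HttpToken.AccessJwt)` and `alterArgs(hc.HttpToken.AccessJwt)`. Separately, each of the three `require.NoError(t, err, fmt.Sprintf("login through refresh httpToken failed: %v", err))` lines that follow a refresh login now checks an `err` last assigned by `suite.dc.HTTPClient()`, because the refresh-login result is already asserted inline on the preceding line; they are vacuous and should be deleted. The commented-out `glog.Infof` near the top should be removed rather than left as a comment, and the package-level `adminEndpoint` appears to have lost its last uses in this function, which is worth confirming across the file.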
53 changes: 29 additions & 24 deletions ee/acl/acl_integration_test.go
Expand Up @@ -20,6 +20,7 @@ import (

"github.com/stretchr/testify/require"

"github.com/dgraph-io/dgo/v210/protos/api"
"github.com/dgraph-io/dgraph/dgraphtest"
"github.com/dgraph-io/dgraph/x"
)
Expand All @@ -42,7 +43,8 @@ func (suite *AclTestSuite) TestPasswordReturn() {
t := suite.T()
hc, err := suite.dc.HTTPClient()
require.NoError(t, err)
require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0))
require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser,
dgraphtest.DefaultPassword, dgraphtest.GalaxyNamespace, ""))
query := `
query {
getCurrentUser {
Expand All @@ -66,7 +68,8 @@ func (suite *AclTestSuite) TestHealthForAcl() {
t := suite.T()
hc, err := suite.dc.HTTPClient()
require.NoError(t, err)
require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0))
require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser,
dgraphtest.DefaultPassword, dgraphtest.GalaxyNamespace, ""))

params := dgraphtest.GraphQLParams{
Query: `
Expand All @@ -87,7 +90,8 @@ func (suite *AclTestSuite) TestHealthForAcl() {
assertNonGuardianFailure(t, "health", false, params, hc)

// assert data for guardians
require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0))
require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser,
dgraphtest.DefaultPassword, dgraphtest.GalaxyNamespace, ""))

resp, err := hc.RunGraphqlQuery(dgraphtest.GraphQLParams{Query: query}, true)
var guardianResp struct {
Expand Down Expand Up @@ -347,13 +351,15 @@ func (suite *AclTestSuite) TestGuardianOnlyAccessForAdminEndpoints() {
params := dgraphtest.GraphQLParams{Query: tcase.query}
hc, err := suite.dc.HTTPClient()
require.NoError(t, err)
require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0))
require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser,
dgraphtest.DefaultPassword, dgraphtest.GalaxyNamespace, ""))
// assert ACL error for non-guardians
assertNonGuardianFailure(t, tcase.queryName, !tcase.respIsArray, params, hc)

// for guardians, assert non-ACL error or success
if tcase.testGuardianAccess {
require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0))
require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser,
dgraphtest.DefaultPassword, dgraphtest.GalaxyNamespace, ""))

resp, err := hc.RunGraphqlQuery(params, true)
if tcase.guardianErr == "" {
Expand Down Expand Up @@ -383,7 +389,8 @@ func (suite *AclTestSuite) TestFailedLogin() {

hc, err := suite.dc.HTTPClient()
require.NoError(t, err)
require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0))
require.NoError(t, hc.LoginIntoNamespace(dgraphtest.DefaultUser,
dgraphtest.DefaultPassword, dgraphtest.GalaxyNamespace, ""))

require.NoError(t, gc.DropAll())
require.NoError(t, err)
Expand Down Expand Up @@ -411,28 +418,26 @@ func (suite *AclTestSuite) TestWrongPermission() {
defer cleanup()
require.NoError(t, gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0))

ruleMutation := `
_:dev <dgraph.type> "dgraph.type.Group" .
_:dev <dgraph.xid> "dev" .
_:dev <dgraph.acl.rule> _:rule1 .
_:rule1 <dgraph.rule.predicate> "name" .
_:rule1 <dgraph.rule.permission> "9" .
`

_, err = gc.Mutate(ruleMutation, true)
mu := &api.Mutation{SetNquads: []byte(`
_:dev <dgraph.type> "dgraph.type.Group" .
_:dev <dgraph.xid> "dev" .
_:dev <dgraph.acl.rule> _:rule1 .
_:rule1 <dgraph.rule.predicate> "name" .
_:rule1 <dgraph.rule.permission> "9" .
`), CommitNow: true}
_, err = gc.Mutate(mu)

require.Error(t, err, "Setting permission to 9 should have returned error")
require.Contains(t, err.Error(), "Value for this predicate should be between 0 and 7")

ruleMutation = `
_:dev <dgraph.type> "dgraph.type.Group" .
_:dev <dgraph.xid> "dev" .
_:dev <dgraph.acl.rule> _:rule1 .
_:rule1 <dgraph.rule.predicate> "name" .
_:rule1 <dgraph.rule.permission> "-1" .
`

_, err = gc.Mutate(ruleMutation, true)
mu = &api.Mutation{SetNquads: []byte(`
_:dev <dgraph.type> "dgraph.type.Group" .
_:dev <dgraph.xid> "dev" .
_:dev <dgraph.acl.rule> _:rule1 .
_:rule1 <dgraph.rule.predicate> "name" .
_:rule1 <dgraph.rule.permission> "-1" .
`), CommitNow: true}
_, err = gc.Mutate(mu)

require.Error(t, err, "Setting permission to -1 should have returned error")
require.Contains(t, err.Error(), "Value for this predicate should be between 0 and 7")
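Review bot: TestWrongPermission still logs in with the literal namespace `0` in `require.NoError(t, gc.LoginIntoNamespace(ctx, dgraphtest.DefaultUser, dgraphtest.DefaultPassword, 0))`, while every other login touched by this commit was switched to `dgraphtest.GalaxyNamespace`; use the constant there as well so the namespace the ACL rules are written into is named consistently. In TestFailedLogin, `require.NoError(t, err)` directly after `require.NoError(t, gc.DropAll())` re-checks the error from `suite.dc.HTTPClient()` rather than the drop, whose result is already asserted on the previous line, so it can be removed. The two range checks in TestWrongPermission only cover the rejected values 9 and -1; a companion mutation asserting that the boundary values 0 and 7 are accepted would pin the documented 0–7 bound rather than just its error string, assuming the rule schema accepts them as I would expect. TestWrongPermission begins before this hunk (its header is only visible in the `@@` line) and TestFailedLogin's body continues past its own hunk, so I have not reviewed their remaining statements.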
