fix(GraphQL): Nested Auth Rules not working properly. (#7915) (#8084) (#8571)

all-seeing-code · NamanJain8 · web-flow · commit d09d679b85b8 · 2023-01-06T22:03:22.000Z
Improves nested auth rule implementation in graphql. (cherry picked from commit e7a1931) Co-authored-by: minhaj-shakeel <minhaj@dgraph.io> (cherry picked from commit 26845c4) Co-authored-by: Naman Jain <naman@dgraph.io>
diff --git a/graphql/e2e/auth/auth_test.go b/graphql/e2e/auth/auth_test.go
@@ -513,6 +513,44 @@ func TestAuthOnInterfaces(t *testing.T) {
 	}
 }
 
+func TestNestedAndAuthRulesWithMissingJWT(t *testing.T) {
+	addParams := &common.GraphQLParams{
+		Query: `
+		mutation($user1: String!, $user2: String!){
+			addGroup(input: [{users: {username: $user1}, createdBy: {username: $user2}}, {users: {username: $user2}, createdBy: {username: $user1}}]){
+			  numUids
+			}
+		  }
+		`,
+		Variables: map[string]interface{}{"user1": "user1", "user2": "user2"},
+	}
+	gqlResponse := addParams.ExecuteAsPost(t, common.GraphqlURL)
+	common.RequireNoGQLErrors(t, gqlResponse)
+	require.JSONEq(t, `{"addGroup": {"numUids": 2}}`, string(gqlResponse.Data))
+
+	queryParams := &common.GraphQLParams{
+		Query: `
+		query{
+			queryGroup{
+			  users{
+				username
+			  }
+			}
+		  }
+		`,
+		Headers: common.GetJWT(t, "user1", nil, metaInfo),
+	}
+
+	expectedJSON := `{"queryGroup": [{"users": [{"username": "user1"}]}]}`
+
+	gqlResponse = queryParams.ExecuteAsPost(t, common.GraphqlURL)
+	common.RequireNoGQLErrors(t, gqlResponse)
+	require.JSONEq(t, expectedJSON, string(gqlResponse.Data))
+
+	deleteFilter := map[string]interface{}{"has": "users"}
+	common.DeleteGqlType(t, "Group", deleteFilter, 2, nil)
+}
+
 func TestAuthRulesWithNullValuesInJWT(t *testing.T) {
 	testCases := []TestCase{
 		{
diff --git a/graphql/resolve/auth_query_test.yaml b/graphql/resolve/auth_query_test.yaml
@@ -644,14 +644,11 @@
       queryGroup(func: uid(GroupRoot)) {
         Group.id : uid
       }
-      GroupRoot as var(func: uid(Group_1)) @filter((uid(Group_Auth2) OR uid(Group_Auth3)))
+      GroupRoot as var(func: uid(Group_1)) @filter(uid(Group_Auth2))
       Group_1 as var(func: type(Group))
       Group_Auth2 as var(func: uid(Group_1)) @cascade {
         Group.users : Group.users @filter(eq(User.username, "user1"))
       }
-      Group_Auth3 as var(func: uid(Group_1)) @cascade {
-        Group.createdBy : Group.createdBy @filter(eq(User.username, "user1"))
-      }
     }
 
 - name: "Auth with top level OR rbac false"
diff --git a/graphql/resolve/query_rewriter.go b/graphql/resolve/query_rewriter.go
@@ -978,6 +978,11 @@ func (authRw *authRewriter) rewriteRuleNode(
 
 	switch {
 	case len(rn.And) > 0:
+		// if there is atleast one RBAC rule which is false, then this
+		// whole And block needs to be ignored.
+		if rn.EvaluateStatic(authRw.authVariables) == schema.Negative {
+			return nil, nil
+		}
 		qrys, filts := nodeList(typ, rn.And)
 		if len(filts) == 0 {
 			return qrys, nil

Original file line number	Diff line number	Diff line change
`@@ -644,14 +644,11 @@`
`644`	`644`	`queryGroup(func: uid(GroupRoot)) {`
`645`	`645`	`Group.id : uid`
`646`	`646`	`}`
`647`		`- GroupRoot as var(func: uid(Group_1)) @filter((uid(Group_Auth2) OR uid(Group_Auth3)))`
	`647`	`+ GroupRoot as var(func: uid(Group_1)) @filter(uid(Group_Auth2))`
`648`	`648`	`Group_1 as var(func: type(Group))`
`649`	`649`	`Group_Auth2 as var(func: uid(Group_1)) @cascade {`
`650`	`650`	`Group.users : Group.users @filter(eq(User.username, "user1"))`
`651`	`651`	`}`
`652`		`- Group_Auth3 as var(func: uid(Group_1)) @cascade {`
`653`		`- Group.createdBy : Group.createdBy @filter(eq(User.username, "user1"))`
`654`		`- }`
`655`	`652`	`}`
`656`	`653`
`657`	`654`	`- name: "Auth with top level OR rbac false"`