hasura/graphql-engine
1
0
Fork 0
mirror of https://github.com/hasura/graphql-engine.git synced 2024-10-06 14:58:09 +03:00
Code Issues Projects Releases Wiki Activity
1913f6c763
graphql-engine/server/tests-py/test_jwt.py

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

607 lines
25 KiB
Python
Raw Normal View History

server: accept new config `allowed_skew` in JWT config to provide leeway in JWT expiry fixes https://github.com/hasura/graphql-engine/issues/2109 This PR accepts a new config `allowed_skew` in the JWT config to provide for some leeway while comparing the JWT expiry time. GitOrigin-RevId: ef50cf77d8e2780478685096ed13794b5c4c9de4
2021-01-13 11:38:13 +03:00
from datetime import datetime, timedelta, timezone
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
import math
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
import json
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
import time
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
Test result ordering, add `--accept` test mode to automatically accept changed test cases We add a new pytest flag `--accept` that will automatically write back yaml files with updated responses. This makes it much easier and less error-prone to update test cases when we expect output to change, or when authoring new tests. Second we make sure to test that we actually preserve the order of the selection set when returning results. This is a "SHOULD" part of the spec but seems pretty important and something that users will rely on. To support both of the above we use ruamel.yaml which preserves a certain amount of formatting and comments (so that --accept can work in a failry ergonomic way), as well as ordering (so that when we write yaml the order of keys has meaning that's preserved during parsing). Use ruamel.yaml everywhere for consistency (since both libraries have different quirks). Quirks of ruamel.yaml: - trailing whitespace in multiline strings in yaml files isn't written back out as we'd like: https://bitbucket.org/ruamel/yaml/issues/47/multiline-strings-being-changed-if-they - formatting is only sort of preserved; ruamel e.g. normalizes indentation. Normally the diff is pretty clean though, and you can always just check in portions of your test file after --accept fixup
2019-09-04 18:02:35 +03:00
import ruamel.yaml as yaml
adds basic support for remote schemas/schema stitching (#952)
2018-11-23 16:02:46 +03:00
import pytest
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
import jwt
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
from test_subscriptions import init_ws_conn
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
from validate import check_query, mk_claims_with_namespace_path
remove usage of deprecated 'pytest.config' (#3434) pytest is now at version 5.3
2019-11-29 08:14:26 +03:00
from context import PytestConf
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
remove usage of deprecated 'pytest.config' (#3434) pytest is now at version 5.3
2019-11-29 08:14:26 +03:00
if not PytestConf.config.getoption('--hge-jwt-key-file'):
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
pytest.skip('--hge-jwt-key-file is missing, skipping JWT tests', allow_module_level=True)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
remove usage of deprecated 'pytest.config' (#3434) pytest is now at version 5.3
2019-11-29 08:14:26 +03:00
if not PytestConf.config.getoption('--hge-jwt-conf'):
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
pytest.skip('--hge-jwt-key-conf is missing, skipping JWT tests', allow_module_level=True)
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
def get_claims_fmt(raw_conf):
conf = json.loads(raw_conf)
try:
claims_fmt = conf['claims_format']
except KeyError:
claims_fmt = 'json'
return claims_fmt
def mk_claims(conf, claims):
claims_fmt = get_claims_fmt(conf)
if claims_fmt == 'json':
return claims
elif claims_fmt == 'stringified_json':
return json.dumps(claims)
else:
return claims
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
def get_header_fmt(raw_conf):
conf = json.loads(raw_conf)
try:
hdr_fmt = conf['header']['type']
if hdr_fmt == 'Authorization':
return (hdr_fmt, None)
elif hdr_fmt == 'Cookie':
return (hdr_fmt, conf['header']['name'])
else:
raise Exception('Invalid JWT header format: %s' % conf)
except KeyError:
print('header conf not found in JWT conf, defaulting to Authorization')
hdr_fmt = ('Authorization', None)
return hdr_fmt
def mk_authz_header(conf, token):
(header, name) = get_header_fmt(conf)
if header == 'Authorization':
return {'Authorization': 'Bearer ' + token}
elif header == 'Cookie':
return {'Cookie': name + '=' + token}
else:
raise Exception('Invalid JWT header format')
server: accept new config `allowed_skew` in JWT config to provide leeway in JWT expiry fixes https://github.com/hasura/graphql-engine/issues/2109 This PR accepts a new config `allowed_skew` in the JWT config to provide for some leeway while comparing the JWT expiry time. GitOrigin-RevId: ef50cf77d8e2780478685096ed13794b5c4c9de4
2021-01-13 11:38:13 +03:00
@pytest.mark.parametrize('endpoint', ['/v1/graphql', '/v1alpha1/graphql'])
class TestJWTExpirySkew():
def test_jwt_expiry_leeway(self, hge_ctx, endpoint):
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
if not 'allowed_skew' in hge_ctx.hge_jwt_conf_dict:
pytest.skip("This test expects 'allowed_skew' to be set in the JWT config" )
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
exp = datetime.now(timezone.utc) - timedelta(seconds = 30)
self.claims['exp'] = round(exp.timestamp())
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
token = jwt.encode(self.claims, hge_ctx.hge_jwt_key, algorithm=hge_ctx.hge_jwt_algo)
server: accept new config `allowed_skew` in JWT config to provide leeway in JWT expiry fixes https://github.com/hasura/graphql-engine/issues/2109 This PR accepts a new config `allowed_skew` in the JWT config to provide for some leeway while comparing the JWT expiry time. GitOrigin-RevId: ef50cf77d8e2780478685096ed13794b5c4c9de4
2021-01-13 11:38:13 +03:00
self.conf['headers']['Authorization'] = 'Bearer ' + token
self.conf['response'] = {
'data': {
'article': [{
'id': 1,
'title': 'Article 1',
'content': 'Sample article content 1',
'is_published': False,
'author': {
'id': 1,
'name': 'Author 1'
}
}]
}
}
self.conf['url'] = endpoint
self.conf['status'] = 200
print ("conf is ", self.conf)
check_query(hge_ctx, self.conf, add_auth=False,claims_namespace_path=claims_namespace_path)
@pytest.fixture(autouse=True)
def transact(self, setup):
self.dir = 'queries/graphql_query/permissions'
with open(self.dir + '/user_select_query_unpublished_articles.yaml') as c:
self.conf = yaml.safe_load(c)
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
curr_time = datetime.now()
server: accept new config `allowed_skew` in JWT config to provide leeway in JWT expiry fixes https://github.com/hasura/graphql-engine/issues/2109 This PR accepts a new config `allowed_skew` in the JWT config to provide for some leeway while comparing the JWT expiry time. GitOrigin-RevId: ef50cf77d8e2780478685096ed13794b5c4c9de4
2021-01-13 11:38:13 +03:00
exp_time = curr_time + timedelta(hours=10)
self.claims = {
'sub': '1234567890',
'name': 'John Doe',
'iat': math.floor(curr_time.timestamp()),
'exp': math.floor(exp_time.timestamp())
}
@pytest.fixture(scope='class')
def setup(self, request, hge_ctx):
self.dir = 'queries/graphql_query/permissions'
st_code, resp = hge_ctx.v1q_f(self.dir + '/setup.yaml')
assert st_code == 200, resp
yield
st_code, resp = hge_ctx.v1q_f(self.dir + '/teardown.yaml')
assert st_code == 200, resp
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
@pytest.mark.parametrize('endpoint', ['/v1/graphql', '/v1alpha1/graphql'])
class TestJWTBasic():
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
def test_jwt_valid_claims_success(self, hge_ctx, endpoint):
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
'x-hasura-user-id': '1',
'x-hasura-allowed-roles': ['user', 'editor'],
'x-hasura-default-role': 'user'
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
})
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
token = jwt.encode(self.claims, hge_ctx.hge_jwt_key, algorithm=hge_ctx.hge_jwt_algo)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
authz_header = mk_authz_header(hge_ctx.hge_jwt_conf, token)
self.conf['headers'].update(authz_header)
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
self.conf['url'] = endpoint
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
self.conf['status'] = 200
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
check_query(hge_ctx, self.conf, add_auth=False,claims_namespace_path=claims_namespace_path)
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
def test_jwt_invalid_role_in_request_header(self, hge_ctx, endpoint):
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
'x-hasura-user-id': '1',
'x-hasura-allowed-roles': ['contractor', 'editor'],
'x-hasura-default-role': 'contractor'
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
})
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
token = jwt.encode(self.claims, hge_ctx.hge_jwt_key, algorithm=hge_ctx.hge_jwt_algo)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
authz_header = mk_authz_header(hge_ctx.hge_jwt_conf, token)
self.conf['headers'].update(authz_header)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
self.conf['response'] = {
'errors': [{
conform to graphql subscription and error spec (close #1056, close #1059) (#1126)
2018-12-04 16:37:38 +03:00
'extensions': {
'code': 'access-denied',
'path': '$'
},
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
'message': 'Your requested role is not in allowed roles'
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
}]
}
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
check_query(hge_ctx, self.conf, add_auth=False,claims_namespace_path=claims_namespace_path)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
def test_jwt_no_allowed_roles_in_claim(self, hge_ctx, endpoint):
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user'
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
})
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
token = jwt.encode(self.claims, hge_ctx.hge_jwt_key, algorithm=hge_ctx.hge_jwt_algo)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
authz_header = mk_authz_header(hge_ctx.hge_jwt_conf, token)
self.conf['headers'].update(authz_header)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
self.conf['response'] = {
'errors': [{
conform to graphql subscription and error spec (close #1056, close #1059) (#1126)
2018-12-04 16:37:38 +03:00
'extensions': {
'code': 'jwt-missing-role-claims',
'path': '$'
},
'message': 'JWT claim does not contain x-hasura-allowed-roles'
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
}]
}
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
check_query(hge_ctx, self.conf, add_auth=False,claims_namespace_path=claims_namespace_path)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
def test_jwt_invalid_allowed_roles_in_claim(self, hge_ctx, endpoint):
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
'x-hasura-user-id': '1',
'x-hasura-allowed-roles': 'user',
'x-hasura-default-role': 'user'
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
})
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
token = jwt.encode(self.claims, hge_ctx.hge_jwt_key, algorithm=hge_ctx.hge_jwt_algo)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
authz_header = mk_authz_header(hge_ctx.hge_jwt_conf, token)
self.conf['headers'].update(authz_header)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
self.conf['response'] = {
'errors': [{
conform to graphql subscription and error spec (close #1056, close #1059) (#1126)
2018-12-04 16:37:38 +03:00
'extensions': {
'code': 'jwt-invalid-claims',
'path': '$'
},
server: accept new config `allowed_skew` in JWT config to provide leeway in JWT expiry fixes https://github.com/hasura/graphql-engine/issues/2109 This PR accepts a new config `allowed_skew` in the JWT config to provide for some leeway while comparing the JWT expiry time. GitOrigin-RevId: ef50cf77d8e2780478685096ed13794b5c4c9de4
2021-01-13 11:38:13 +03:00
'message': 'invalid x-hasura-allowed-roles; should be a list of roles: parsing [] failed, expected Array, but encountered String'
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
}]
}
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
check_query(hge_ctx, self.conf, add_auth=False,claims_namespace_path=claims_namespace_path)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
def test_jwt_no_default_role(self, hge_ctx, endpoint):
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
'x-hasura-user-id': '1',
'x-hasura-allowed-roles': ['user'],
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
})
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
token = jwt.encode(self.claims, hge_ctx.hge_jwt_key, algorithm=hge_ctx.hge_jwt_algo)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
authz_header = mk_authz_header(hge_ctx.hge_jwt_conf, token)
self.conf['headers'].update(authz_header)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
self.conf['response'] = {
'errors': [{
conform to graphql subscription and error spec (close #1056, close #1059) (#1126)
2018-12-04 16:37:38 +03:00
'extensions': {
'code': 'jwt-missing-role-claims',
'path': '$'
},
'message': 'JWT claim does not contain x-hasura-default-role'
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
}]
}
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
check_query(hge_ctx, self.conf, add_auth=False,claims_namespace_path=claims_namespace_path)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
def test_jwt_expired(self, hge_ctx, endpoint):
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
'x-hasura-user-id': '1',
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
})
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
exp = datetime.now() - timedelta(minutes=1)
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
self.claims['exp'] = round(exp.timestamp())
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
token = jwt.encode(self.claims, hge_ctx.hge_jwt_key, algorithm=hge_ctx.hge_jwt_algo)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
authz_header = mk_authz_header(hge_ctx.hge_jwt_conf, token)
self.conf['headers'].update(authz_header)
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
self.conf['response'] = {
'errors': [{
'extensions': {
'code': 'invalid-jwt',
'path': '$'
},
'message': 'Could not verify JWT: JWTExpired'
}]
}
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
check_query(hge_ctx, self.conf, add_auth=False,claims_namespace_path=claims_namespace_path)
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
def test_jwt_invalid_signature(self, hge_ctx, endpoint):
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
'x-hasura-user-id': '1',
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
add config for stringified hasura claims in JWT (fix #1176) (#1538)
2019-02-05 15:04:16 +03:00
})
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
wrong_key = gen_rsa_key()
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
other_algo = 'HS256'
if hge_ctx.hge_jwt_algo == 'HS256':
other_algo = 'HS384'
token = jwt.encode(self.claims, wrong_key, algorithm=other_algo)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
authz_header = mk_authz_header(hge_ctx.hge_jwt_conf, token)
self.conf['headers'].update(authz_header)
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
self.conf['response'] = {
'errors': [{
'extensions': {
'code': 'invalid-jwt',
'path': '$'
},
'message': 'Could not verify JWT: JWSError JWSInvalidSignature'
}]
}
fix non-200 response for authorization errors on /v1/graphql (#2173)
2019-05-14 14:20:55 +03:00
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
check_query(hge_ctx, self.conf, add_auth=False,claims_namespace_path=claims_namespace_path)
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
def test_jwt_no_audience_in_conf(self, hge_ctx, endpoint):
fix server tests (#2510)
2019-07-11 13:55:34 +03:00
jwt_conf = json.loads(hge_ctx.hge_jwt_conf)
if 'audience' in jwt_conf:
pytest.skip('audience present in conf, skipping testing no audience')
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.claims['aud'] = 'hasura-test-suite'
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
token = jwt.encode(self.claims, hge_ctx.hge_jwt_key, algorithm=hge_ctx.hge_jwt_algo)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
authz_header = mk_authz_header(hge_ctx.hge_jwt_conf, token)
self.conf['headers'].update(authz_header)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.conf['url'] = endpoint
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
check_query(hge_ctx, self.conf, add_auth=False,claims_namespace_path=claims_namespace_path)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
def test_jwt_no_issuer_in_conf(self, hge_ctx, endpoint):
fix server tests (#2510)
2019-07-11 13:55:34 +03:00
jwt_conf = json.loads(hge_ctx.hge_jwt_conf)
if 'issuer' in jwt_conf:
pytest.skip('issuer present in conf, skipping testing no issuer')
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.claims['iss'] = 'rubbish-issuer'
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
token = jwt.encode(self.claims, hge_ctx.hge_jwt_key, algorithm=hge_ctx.hge_jwt_algo)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
authz_header = mk_authz_header(hge_ctx.hge_jwt_conf, token)
self.conf['headers'].update(authz_header)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.conf['url'] = endpoint
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
check_query(hge_ctx, self.conf, add_auth=False,claims_namespace_path=claims_namespace_path)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
@pytest.fixture(autouse=True)
run graphql tests on both http and websocket; add parallelism (close #1868) (#1921) Examples 1) ` pytest --hge-urls "http://127.0.0.1:8080" --pg-urls "postgresql://admin@127.0.0.1:5432/hge_tests" -vv ` 2) `pytest --hge-urls "http://127.0.0.1:8080" "http://127.0.0.1:8081" --pg-urls "postgresql://admin@127.0.0.1:5432/hge_tests" "postgresql://admin@127.0.0.1:5432/hge_tests2" -vv ` ### Solution and Design <!-- How is this issue solved/fixed? What is the design? --> <!-- It's better if we elaborate --> #### Reducing execution time of tests - The Schema setup and teardown, which were earlier done per test method, usually takes around 1 sec. - For mutations, the model has now been changed to only do schema setup and teardown once per test class. - A data setup and teardown will be done once per test instead (usually takes ~10ms). - For the test class to get this behaviour, one can can extend the class `DefaultTestMutations`. - The function `dir()` should be define which returns the location of the configuration folder. - Inside the configuration folder, there should be - Files `<conf_dir>/schema_setup.yaml` and `<conf_dir>/schema_teardown.yaml`, which has the metadata query executed during schema setup and teardown respectively - Files named `<conf_dir>/values_setup.yaml` and `<conf_dir>/values_teardown.yaml`. These files are executed to setup and remove data from the tables respectively. #### Running Graphql queries on both http and websockets - Each GraphQL query/mutation is run on the both HTTP and websocket protocols - Pytests test parameterisation is used to achieve this - The errors over websockets are slightly different from that on HTTP - The code takes care of converting the errors in HTTP to errors in websockets #### Parallel executation of tests. - The plugin pytest-xdist helps in running tests on parallel workers. - We are using this plugin to group tests by file and run on different workers. - Parallel test worker processes operate on separate postgres databases(and separate graphql-engines connected to these databases). Thus tests on one worker will not affect the tests on the other worker. - With two workers, this decreases execution times by half, as the tests on event triggers usually takes a long time, but does not consume much CPU.
2019-04-08 10:22:38 +03:00
def transact(self, setup):
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
self.dir = 'queries/graphql_query/permissions'
with open(self.dir + '/user_select_query_unpublished_articles.yaml') as c:
self.conf = yaml.safe_load(c)
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
curr_time = datetime.now()
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
exp_time = curr_time + timedelta(hours=10)
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
self.claims = {
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
'sub': '1234567890',
'name': 'John Doe',
'iat': math.floor(curr_time.timestamp()),
'exp': math.floor(exp_time.timestamp())
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
}
run graphql tests on both http and websocket; add parallelism (close #1868) (#1921) Examples 1) ` pytest --hge-urls "http://127.0.0.1:8080" --pg-urls "postgresql://admin@127.0.0.1:5432/hge_tests" -vv ` 2) `pytest --hge-urls "http://127.0.0.1:8080" "http://127.0.0.1:8081" --pg-urls "postgresql://admin@127.0.0.1:5432/hge_tests" "postgresql://admin@127.0.0.1:5432/hge_tests2" -vv ` ### Solution and Design <!-- How is this issue solved/fixed? What is the design? --> <!-- It's better if we elaborate --> #### Reducing execution time of tests - The Schema setup and teardown, which were earlier done per test method, usually takes around 1 sec. - For mutations, the model has now been changed to only do schema setup and teardown once per test class. - A data setup and teardown will be done once per test instead (usually takes ~10ms). - For the test class to get this behaviour, one can can extend the class `DefaultTestMutations`. - The function `dir()` should be define which returns the location of the configuration folder. - Inside the configuration folder, there should be - Files `<conf_dir>/schema_setup.yaml` and `<conf_dir>/schema_teardown.yaml`, which has the metadata query executed during schema setup and teardown respectively - Files named `<conf_dir>/values_setup.yaml` and `<conf_dir>/values_teardown.yaml`. These files are executed to setup and remove data from the tables respectively. #### Running Graphql queries on both http and websockets - Each GraphQL query/mutation is run on the both HTTP and websocket protocols - Pytests test parameterisation is used to achieve this - The errors over websockets are slightly different from that on HTTP - The code takes care of converting the errors in HTTP to errors in websockets #### Parallel executation of tests. - The plugin pytest-xdist helps in running tests on parallel workers. - We are using this plugin to group tests by file and run on different workers. - Parallel test worker processes operate on separate postgres databases(and separate graphql-engines connected to these databases). Thus tests on one worker will not affect the tests on the other worker. - With two workers, this decreases execution times by half, as the tests on event triggers usually takes a long time, but does not consume much CPU.
2019-04-08 10:22:38 +03:00
@pytest.fixture(scope='class')
def setup(self, request, hge_ctx):
self.dir = 'queries/graphql_query/permissions'
st_code, resp = hge_ctx.v1q_f(self.dir + '/setup.yaml')
assert st_code == 200, resp
Tests for server with access control, and some more tests (#710) * 1) Tests for creating permissions 2) Test for constraint_on with GraphQL insert on_conflict * Run tests with access key and webhook * Tests for GraphQL query with quoted columns * Rewrite test-server.sh so that it can be run locally * JWT based tests * Tests with various postgres types * For tests on select queries, run setup only once per class * Tests for v1 count queries * Skip teardown for tests that does not modify data * Workaround for hpc 'parse error when reading .tix file' * Move GeoJson tests to the new structure * Basic tests for v1 queries * Tests for column, table or operator not found error cases on GraphQL queries * Skip test teardown for mutation tests which does not change database state, even when it returns 200.
2018-10-28 21:27:49 +03:00
yield
st_code, resp = hge_ctx.v1q_f(self.dir + '/teardown.yaml')
assert st_code == 200, resp
test jwt with invalid signtaure and expired token (#1492)
2019-01-28 19:52:43 +03:00
def gen_rsa_key():
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
pem = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()
)
return pem
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
class TestSubscriptionJwtExpiry(object):
def test_jwt_expiry(self, hge_ctx, ws_client):
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
curr_time = datetime.now()
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
self.claims = {
'sub': '1234567890',
'name': 'John Doe',
'iat': math.floor(curr_time.timestamp())
}
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
allow altering type of a column whose permissions defined only with session variables (close #2070) (#2683) * allow altering type of a column iff session vars are defined in permissions * use a sum type to define dependency reason * set jwt expiry test's expiry time to 4 seconds * derive Data instance for necessary types to simplify 'hasStaticExp'
2019-08-17 00:35:22 +03:00
exp = curr_time + timedelta(seconds=4)
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
self.claims['exp'] = round(exp.timestamp())
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
token = jwt.encode(self.claims, hge_ctx.hge_jwt_key, algorithm=hge_ctx.hge_jwt_algo)
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
authz_header = mk_authz_header(hge_ctx.hge_jwt_conf, token)
payload = dict()
payload['headers'] = authz_header
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
init_ws_conn(hge_ctx, ws_client, payload)
support optional parameters in database url (close #1709) (#2344)
2019-09-06 01:59:26 +03:00
time.sleep(6)
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
assert ws_client.remote_closed == True, ws_client.remote_closed
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
@pytest.mark.parametrize('endpoint', ['/v1/graphql', '/v1alpha1/graphql'])
class TestJwtAudienceCheck():
def test_jwt_valid_audience(self, hge_ctx, endpoint):
jwt_conf = json.loads(hge_ctx.hge_jwt_conf)
if 'audience' not in jwt_conf:
pytest.skip('audience not present in conf, skipping testing audience')
audience = jwt_conf['audience']
audience = audience if isinstance(audience, str) else audience[0]
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
self.claims['aud'] = audience
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
token = jwt.encode(self.claims, hge_ctx.hge_jwt_key, algorithm=hge_ctx.hge_jwt_algo)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.conf['headers']['Authorization'] = 'Bearer ' + token
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
check_query(hge_ctx, self.conf, add_auth=False,claims_namespace_path=claims_namespace_path)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
def test_jwt_invalid_audience(self, hge_ctx, endpoint):
jwt_conf = json.loads(hge_ctx.hge_jwt_conf)
if 'audience' not in jwt_conf:
pytest.skip('audience not present in conf, skipping testing audience')
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.claims['aud'] = 'rubbish_audience'
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
token = jwt.encode(self.claims, hge_ctx.hge_jwt_key, algorithm=hge_ctx.hge_jwt_algo)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.conf['headers']['Authorization'] = 'Bearer ' + token
self.conf['response'] = {
'errors': [{
'extensions': {
'code': 'invalid-jwt',
'path': '$'
},
'message': 'Could not verify JWT: JWTNotInAudience'
}]
}
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
check_query(hge_ctx, self.conf, add_auth=False,claims_namespace_path=claims_namespace_path)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
@pytest.fixture(autouse=True)
def transact(self, setup):
self.dir = 'queries/graphql_query/permissions'
with open(self.dir + '/user_select_query_unpublished_articles.yaml') as c:
self.conf = yaml.safe_load(c)
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
curr_time = datetime.now()
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
exp_time = curr_time + timedelta(hours=1)
self.claims = {
'sub': '1234567890',
'name': 'John Doe',
'iat': math.floor(curr_time.timestamp()),
'exp': math.floor(exp_time.timestamp())
}
@pytest.fixture(scope='class')
def setup(self, request, hge_ctx):
self.dir = 'queries/graphql_query/permissions'
st_code, resp = hge_ctx.v1q_f(self.dir + '/setup.yaml')
assert st_code == 200, resp
yield
st_code, resp = hge_ctx.v1q_f(self.dir + '/teardown.yaml')
assert st_code == 200, resp
@pytest.mark.parametrize('endpoint', ['/v1/graphql', '/v1alpha1/graphql'])
class TestJwtIssuerCheck():
def test_jwt_valid_issuer(self, hge_ctx, endpoint):
jwt_conf = json.loads(hge_ctx.hge_jwt_conf)
if 'issuer' not in jwt_conf:
pytest.skip('issuer not present in conf, skipping testing issuer')
issuer = jwt_conf['issuer']
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.claims['iss'] = issuer
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
token = jwt.encode(self.claims, hge_ctx.hge_jwt_key, algorithm=hge_ctx.hge_jwt_algo)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.conf['headers']['Authorization'] = 'Bearer ' + token
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
check_query(hge_ctx, self.conf, add_auth=False,claims_namespace_path=claims_namespace_path)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
def test_jwt_invalid_issuer(self, hge_ctx, endpoint):
jwt_conf = json.loads(hge_ctx.hge_jwt_conf)
if 'issuer' not in jwt_conf:
pytest.skip('issuer not present in conf, skipping testing issuer')
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
hasura_claims = mk_claims(hge_ctx.hge_jwt_conf, {
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
'x-hasura-user-id': '1',
'x-hasura-default-role': 'user',
'x-hasura-allowed-roles': ['user'],
})
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
claims_namespace_path = None
if 'claims_namespace_path' in hge_ctx.hge_jwt_conf_dict:
claims_namespace_path = hge_ctx.hge_jwt_conf_dict['claims_namespace_path']
self.claims = mk_claims_with_namespace_path(self.claims,hasura_claims,claims_namespace_path)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.claims['iss'] = 'rubbish_issuer'
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
token = jwt.encode(self.claims, hge_ctx.hge_jwt_key, algorithm=hge_ctx.hge_jwt_algo)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
self.conf['headers']['Authorization'] = 'Bearer ' + token
self.conf['response'] = {
'errors': [{
'extensions': {
'code': 'invalid-jwt',
'path': '$'
},
'message': 'Could not verify JWT: JWTNotInIssuer'
}]
}
self.conf['url'] = endpoint
if endpoint == '/v1/graphql':
self.conf['status'] = 200
if endpoint == '/v1alpha1/graphql':
self.conf['status'] = 400
accept a new argument `claims_namespace_path` in JWT config (#4365) * add new optional field `claims_namespace_path` in JWT config * return value when empty array is found in executeJSONPath * update the docs related to claims_namespace_path * improve encodeJSONPath, add property tests for parseJSONPath * throw error if both claims_namespace_path and claims_namespace are set * refactor the Data.Parser.JsonPath to Data.Parser.JSONPathSpec * update the JWT docs Co-Authored-By: Marion Schleifer <marion@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: rakeshkky <12475069+rakeshkky@users.noreply.github.com> Co-authored-by: Tirumarai Selvan <tirumarai.selvan@gmail.com>
2020-04-16 09:45:21 +03:00
check_query(hge_ctx, self.conf, add_auth=False,claims_namespace_path=claims_namespace_path)
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
@pytest.fixture(autouse=True)
def transact(self, setup):
self.dir = 'queries/graphql_query/permissions'
with open(self.dir + '/user_select_query_unpublished_articles.yaml') as c:
self.conf = yaml.safe_load(c)
server: support EdDSA keys for JWT https://github.com/hasura/graphql-engine-mono/pull/1818 Co-authored-by: paritosh-08 <85472423+paritosh-08@users.noreply.github.com> Co-authored-by: Puru Gupta <32328846+purugupta99@users.noreply.github.com> Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: aae87d34cd19c97e66721a2bd7602d907aeb90b3
2021-08-12 04:53:13 +03:00
curr_time = datetime.now()
Merge pull request from GHSA-2j98-fw5g-j43v * fix bug in audience check while verifying JWT - previously the check was converting the audience type into a string and then comparing with the conf value. all audience types (as it is a string or URI) will convert to plain strings - use the Audience type from the jose library for comparing * add docs for audience * add issuer check as well * docs minor syntax fix * skip audience check if not given in conf * minor docs update * qualify import jose library
2019-07-11 12:58:39 +03:00
exp_time = curr_time + timedelta(hours=1)
self.claims = {
'sub': '1234567890',
'name': 'John Doe',
'iat': math.floor(curr_time.timestamp()),
'exp': math.floor(exp_time.timestamp())
}
@pytest.fixture(scope='class')
def setup(self, request, hge_ctx):
self.dir = 'queries/graphql_query/permissions'
st_code, resp = hge_ctx.v1q_f(self.dir + '/setup.yaml')
assert st_code == 200, resp
yield
st_code, resp = hge_ctx.v1q_f(self.dir + '/teardown.yaml')
assert st_code == 200, resp
Reference in New Issue Copy Permalink