hasura/graphql-engine
1
0
Fork 0
mirror of https://github.com/hasura/graphql-engine.git synced 2024-12-14 17:02:49 +03:00
Code Issues Projects Releases Wiki Activity
38595d0536
graphql-engine/server/tests-py/test_allowlist_queries.py

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

572 lines
17 KiB
Python
Raw Normal View History

server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
#!/usr/bin/env python3
support allow-list for graphql queries (closes #989) (#2075)
2019-05-16 09:13:25 +03:00
import pytest
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
from validate import check_query, check_query_f
remove usage of deprecated 'pytest.config' (#3434) pytest is now at version 5.3
2019-11-29 08:14:26 +03:00
run default tests in test_server_upgrade (#3718) * run basic tests after upgrade * terminate before specifying file in pytest cmd * Move fixture definitions out of test classes Previously we had abstract classes with the fixtures defined in them. The test classes then inherits these super classes. This is creating inheritence problems, especially when you want to just inherit the tests in class, but not the fixtures. We have now moved all those fixture definitions outside of the class (in conftest.py). These fixtures are now used by the test classes when and where they are required. * Run pytests on server upgrade Server upgrade tests are run by 1) Run pytest with schema/metadata setup but do not do schema/metadata teardown 2) Upgrade the server 3) Run pytest using the above schema and teardown at the end of the tests 4) Cleanup hasura metadata and start again with next set of tests We have added options --skip-schema-setup and --skip-schema-teardown to help running server upgrade tests. While running the tests, we noticed that error codes and messages for some of the tests have changed. So we have added another option to pytest `--avoid-error-message-checks`. If this flag is set, and if comparing expected and response message fails, and if the expected response has an error message, Pytest will throw warnings instead of an error. * Use marks to specify server-upgrade tests Not all tests can be run as serve upgrade tests, particularly those which themselves change the schema. We introduce two pytest markers. Marker allow_server_upgrade_test will add the test into the list of server upgrade tests that can be run. skip_server_upgrade_test removes it from the list. With this we have added tests for queries, mutations, and selected event trigger and remote schema tests to the list of server upgrade tests. * Remove components not needed anymore * Install curl * Fix error in query validation * Fix error in test_v1_queries.py * install procps for server upgrade tests * Use postgres image which has postgis installed * set pager off with psql * quote the bash variable WORKTREE_DIR Co-authored-by: nizar-m <19857260+nizar-m@users.noreply.github.com> Co-authored-by: Vamshi Surabhi <0x777@users.noreply.github.com>
2020-02-13 12:14:02 +03:00
usefixtures = pytest.mark.usefixtures
server/tests-py: Run the auth hook inside the test harness. This teaches `hge_server` how to run more tests, thanks to `hge_env`. It also simplifies the logic a bit more. I have also modified _run.sh_ and _docker-compose.yml_ so we can run multiple test suites, one after another. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6105 GitOrigin-RevId: eff009362eb6bb90c07cedaf96dfe6ec9336ff32
2022-09-29 13:42:47 +03:00
pytestmark = [
pytest.mark.hge_env('HASURA_GRAPHQL_ENABLE_ALLOWLIST', 'true')
]
support allow-list for graphql queries (closes #989) (#2075)
2019-05-16 09:13:25 +03:00
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
@pytest.mark.parametrize("transport", ['http', 'websocket'])
run default tests in test_server_upgrade (#3718) * run basic tests after upgrade * terminate before specifying file in pytest cmd * Move fixture definitions out of test classes Previously we had abstract classes with the fixtures defined in them. The test classes then inherits these super classes. This is creating inheritence problems, especially when you want to just inherit the tests in class, but not the fixtures. We have now moved all those fixture definitions outside of the class (in conftest.py). These fixtures are now used by the test classes when and where they are required. * Run pytests on server upgrade Server upgrade tests are run by 1) Run pytest with schema/metadata setup but do not do schema/metadata teardown 2) Upgrade the server 3) Run pytest using the above schema and teardown at the end of the tests 4) Cleanup hasura metadata and start again with next set of tests We have added options --skip-schema-setup and --skip-schema-teardown to help running server upgrade tests. While running the tests, we noticed that error codes and messages for some of the tests have changed. So we have added another option to pytest `--avoid-error-message-checks`. If this flag is set, and if comparing expected and response message fails, and if the expected response has an error message, Pytest will throw warnings instead of an error. * Use marks to specify server-upgrade tests Not all tests can be run as serve upgrade tests, particularly those which themselves change the schema. We introduce two pytest markers. Marker allow_server_upgrade_test will add the test into the list of server upgrade tests that can be run. skip_server_upgrade_test removes it from the list. With this we have added tests for queries, mutations, and selected event trigger and remote schema tests to the list of server upgrade tests. * Remove components not needed anymore * Install curl * Fix error in query validation * Fix error in test_v1_queries.py * install procps for server upgrade tests * Use postgres image which has postgis installed * set pager off with psql * quote the bash variable WORKTREE_DIR Co-authored-by: nizar-m <19857260+nizar-m@users.noreply.github.com> Co-authored-by: Vamshi Surabhi <0x777@users.noreply.github.com>
2020-02-13 12:14:02 +03:00
@usefixtures('per_class_tests_db_state')
class TestAllowlistQueries:
support allow-list for graphql queries (closes #989) (#2075)
2019-05-16 09:13:25 +03:00
def test_query_user(self, hge_ctx, transport):
check_query_f(hge_ctx, self.dir() + '/query_user.yaml', transport)
def test_query_user_by_pk(self, hge_ctx, transport):
check_query_f(hge_ctx, self.dir() + '/query_user_by_pk.yaml', transport)
def test_query_user_with_typename(self, hge_ctx, transport):
check_query_f(hge_ctx, self.dir() + '/query_user_with_typename.yaml', transport)
def test_query_non_allowlist(self, hge_ctx, transport):
check_query_f(hge_ctx, self.dir() + '/query_non_allowlist.yaml', transport)
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
server: validate top level fragments in GQL query PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4299 GitOrigin-RevId: 70925779d41c5a9fe66577b941c674577a4a9a13
2022-04-20 10:32:19 +03:00
def test_query_user_fragment(self, hge_ctx, transport):
check_query_f(hge_ctx, self.dir() + '/query_user_fragment.yaml', transport)
support allow-list for graphql queries (closes #989) (#2075)
2019-05-16 09:13:25 +03:00
def test_query_as_admin(self, hge_ctx, transport):
check_query_f(hge_ctx, self.dir() + '/query_as_admin.yaml', transport)
keep allowed queries in sync when collections are changed, fix #2221 (#2230)
2019-05-20 13:29:32 +03:00
def test_update_query(self, hge_ctx, transport):
# test only for http
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
if transport != 'http':
pytest.skip("http-only")
keep allowed queries in sync when collections are changed, fix #2221 (#2230)
2019-05-20 13:29:32 +03:00
check_query_f(hge_ctx, self.dir() + '/update_query.yaml', transport)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
check_query_f(hge_ctx, self.dir() + '/add_duplicate_query.yaml', transport)
keep allowed queries in sync when collections are changed, fix #2221 (#2230)
2019-05-20 13:29:32 +03:00
support allow-list for graphql queries (closes #989) (#2075)
2019-05-16 09:13:25 +03:00
@classmethod
def dir(cls):
return 'queries/graphql_query/allowlist'
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
def export_metadata(hge_ctx):
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
resp = hge_ctx.v1metadataq({
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
'type': 'export_metadata',
'version': 2,
'args': {}
})
return resp["metadata"]
def assert_allowlist_metadata(hge_ctx, expected):
metadata = export_metadata(hge_ctx)
assert metadata.get("allowlist") == expected
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
def replace_allowlist_metadata_with_check(hge_ctx, base_metadata, allowlist, expected_status_code):
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
metadata = dict(base_metadata)
metadata["allowlist"] = allowlist
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
return hge_ctx.v1metadataq({
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
'type': 'replace_metadata',
'version': 2,
'args': {
'metadata': metadata
}
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
}, expected_status_code = expected_status_code)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
def replace_allowlist_metadata(hge_ctx, base_metadata, allowlist):
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
return replace_allowlist_metadata_with_check(hge_ctx, base_metadata, allowlist, expected_status_code = 200)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
def fail_replace_allowlist_metadata(hge_ctx, base_metadata, allowlist, expected_error):
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
resp = replace_allowlist_metadata_with_check(hge_ctx, base_metadata, allowlist, expected_status_code = 400)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
assert resp == expected_error
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
def add_collection_to_allowlist_with_check(hge_ctx, args, expected_status_code):
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
payload = {
"type": "add_collection_to_allowlist",
"args": args,
}
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
return hge_ctx.v1metadataq(payload, expected_status_code = expected_status_code)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
def add_collection_to_allowlist(hge_ctx, args):
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
return add_collection_to_allowlist_with_check(hge_ctx, args, expected_status_code = 200)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
def fail_add_collection_to_allowlist(hge_ctx, args, expected_error):
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
resp = add_collection_to_allowlist_with_check(hge_ctx, args, expected_status_code = 400)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
assert resp == expected_error
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
def update_scope_of_collection_in_allowlist_with_check(hge_ctx, args, expected_status_code):
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
payload = {
"type": "update_scope_of_collection_in_allowlist",
"args": args,
}
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
return hge_ctx.v1metadataq(payload, expected_status_code = expected_status_code)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
def update_scope_of_collection_in_allowlist(hge_ctx, args):
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
update_scope_of_collection_in_allowlist_with_check(hge_ctx, args, expected_status_code = 200)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
def fail_update_scope_of_collection_in_allowlist(hge_ctx, args, expected_error):
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
resp = update_scope_of_collection_in_allowlist_with_check(hge_ctx, args, expected_status_code = 400)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
assert resp == expected_error
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
def drop_collection_from_allowlist_with_check(hge_ctx, args, expected_status_code):
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
payload = {
"type": "drop_collection_from_allowlist",
"args": args
}
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
return hge_ctx.v1metadataq(payload, expected_status_code = expected_status_code)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
def drop_collection_from_allowlist(hge_ctx, args):
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
return drop_collection_from_allowlist_with_check(hge_ctx, args, expected_status_code = 200)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
def fail_drop_collection_from_allowlist(hge_ctx, args, expected_error):
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
resp = drop_collection_from_allowlist_with_check(hge_ctx, args, expected_status_code = 400)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
assert resp == expected_error
@pytest.fixture(scope="function")
def clean_allowlist(hge_ctx):
yield
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
drop_collection_from_allowlist_with_check(hge_ctx, {"collection": "collection_1"}, expected_status_code = None)
drop_collection_from_allowlist_with_check(hge_ctx, {"collection": "collection_2"}, expected_status_code = None)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
@usefixtures('clean_allowlist', 'per_class_tests_db_state')
class TestAllowlistMetadata:
@classmethod
def dir(cls):
return 'queries/graphql_query/allowlist_role_based'
server: add `rename_query_collection` metadata API PR-URL: https://github.com/hasura/graphql-engine-mono/pull/5533 GitOrigin-RevId: d9c322034c4be01f87ecf05415dac1f90e906c8c
2022-08-19 16:36:02 +03:00
def test_rename_query_collection(self, hge_ctx):
check_query_f(hge_ctx, self.dir() + '/rename_query_collection.yaml')
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
def test_add_update_drop(self, hge_ctx):
# Cycle through add_collection_to_allowlist,
# update_scope_of_collection_in_allowlist and
# drop_collection_from_allowlist, verifying
# state of metadata after each step.
assert_allowlist_metadata(hge_ctx, None)
add_collection_to_allowlist(hge_ctx, {
"collection": "collection_1",
"scope": {
"global": True
}
})
assert_allowlist_metadata(hge_ctx, [{
"collection": "collection_1",
"scope": {
"global": True
}
}])
add_collection_to_allowlist(hge_ctx, {
"collection": "collection_2",
"scope": {
"global": False,
"roles": ["foo", "bar"]
}
})
assert_allowlist_metadata(hge_ctx, [{
"collection": "collection_1",
"scope": {
"global": True
}
}, {
"collection": "collection_2",
"scope": {
"global": False,
"roles": ["foo", "bar"]
}
}])
update_scope_of_collection_in_allowlist(hge_ctx, {
"collection": "collection_1",
"scope": {
"global": False,
"roles": ["baz"]
}
})
update_scope_of_collection_in_allowlist(hge_ctx, {
"collection": "collection_2",
"scope": {
"global": True
}
})
assert_allowlist_metadata(hge_ctx, [{
"collection": "collection_1",
"scope": {
"global": False,
"roles": ["baz"]
}
}, {
"collection": "collection_2",
"scope": {
"global": True
}
}])
drop_collection_from_allowlist(hge_ctx, {"collection": "collection_1"})
assert_allowlist_metadata(hge_ctx, [{
"collection": "collection_2",
"scope": {
"global": True
}
}])
drop_collection_from_allowlist(hge_ctx, {"collection": "collection_2"})
assert_allowlist_metadata(hge_ctx, None)
def test_add_validation(self, hge_ctx, request):
# collection required
fail_add_collection_to_allowlist(hge_ctx, {
"scope": {
"global": True,
}
}, {
"path": "$.args",
"error": 'key "collection" not found',
"code": "parse-failed",
})
# when global is false, roles needs to be present
fail_add_collection_to_allowlist(hge_ctx, {
"collection": "collection_1",
"scope": {
"global": False,
}
}, {
"path": "$.args.scope",
"error": 'key "roles" not found',
"code": "parse-failed",
})
# when global is false, roles needs to be non-empty
fail_add_collection_to_allowlist(hge_ctx, {
"collection": "collection_1",
"scope": {
"global": False,
"roles": []
}
}, {
"path": "$.args.scope.roles",
"error": "parsing NonEmpty failed, unexpected empty list",
"code": "parse-failed",
})
# when global is true, there can't be roles
fail_add_collection_to_allowlist(hge_ctx, {
"collection": "collection_1",
"scope": {
"global": True,
"roles": ["foo", "bar"],
}
}, {
"path": "$.args.scope",
"error": "roles are not allowed when global is true",
"code": "parse-failed",
})
# if scope is given, global is required
fail_add_collection_to_allowlist(hge_ctx, {
"collection": "collection_1",
"scope": {}
}, {
"path": "$.args.scope",
"error": 'key "global" not found',
"code": "parse-failed",
})
def test_update_validation(self, hge_ctx):
# collection required
fail_update_scope_of_collection_in_allowlist(hge_ctx, {
"scope": {
"global": True,
}
}, {
"path": "$.args",
"error": 'key "collection" not found',
"code": "parse-failed",
})
# scope required
fail_update_scope_of_collection_in_allowlist(hge_ctx, {
"collection": "collection_1"
}, {
"path": "$.args",
"error": 'key "scope" not found',
"code": "parse-failed",
})
# we could cover most of the failure cases from test_add_validation
def test_drop_validation(self, hge_ctx):
# collection required
fail_drop_collection_from_allowlist(hge_ctx, {
}, {
"path": "$.args",
Remove `TemplateHaskell` Aeson instances from `RQL.Types` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8997 GitOrigin-RevId: 741318f65281af7b26a616260baf3a9953707007
2023-05-05 17:36:16 +03:00
"error": "parsing Hasura.RQL.Types.Allowlist.DropCollectionFromAllowlist(DropCollectionFromAllowlist) failed, key \"collection\" not found",
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
"code": "parse-failed",
})
def test_replace_validation(self, hge_ctx):
base_metadata = export_metadata(hge_ctx)
# duplicate collections aren't allowed
fail_replace_allowlist_metadata(hge_ctx, base_metadata, [{
"collection": "collection_1",
}, {
"collection": "collection_1",
"scope": {
"global": True
}
}], {
"path": "$.args.metadata",
"error": 'multiple declarations exist for the following allowlist entries: collection_1',
"code": "parse-failed",
})
def test_add_scope_defaults_to_global(self, hge_ctx):
add_collection_to_allowlist(hge_ctx, {
"collection": "collection_1",
})
assert_allowlist_metadata(hge_ctx, [{
"collection": "collection_1",
"scope": {
"global": True
}
}])
def test_drop_fail_when_missing(self, hge_ctx):
fail_drop_collection_from_allowlist(hge_ctx, {
"collection": "collection_1"
}, {
'path': '$.args',
'error': 'collection "collection_1" doesn\'t exist in the allowlist',
'code': 'not-found'
})
def test_update_fail_if_missing(self, hge_ctx):
fail_update_scope_of_collection_in_allowlist(hge_ctx, {
"collection": "collection_1",
"scope": {
"global": True
}
}, {
'path': '$.args',
'error': 'collection "collection_1" doesn\'t exist in the allowlist',
'code': 'not-found'
})
def test_add_again(self, hge_ctx):
# re-adding doesn't fail (compare RFC), instead points at change scope
orig = {
"collection": "collection_1",
"scope": {
"global": True
}
}
add_collection_to_allowlist(hge_ctx, orig)
assert_allowlist_metadata(hge_ctx, [orig])
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
resp = add_collection_to_allowlist(hge_ctx, {
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
"collection": "collection_1",
"scope": {
"global": False,
"roles": ["foo"]
}
})
assert resp == {
"message": 'collection "collection_1" already exists in the allowlist, scope ignored; to change scope, use update_scope_of_collection_in_allowlist'
}
assert_allowlist_metadata(hge_ctx, [orig])
orig2 = {
"collection": "collection_2",
"scope": {
"global": False,
"roles": ["foo"]
}
}
add_collection_to_allowlist(hge_ctx, orig2)
assert_allowlist_metadata(hge_ctx, [orig, orig2])
server/tests-py: Reduce the number of locations we check the status code. We have a lot of `assert st_code == 200` scattered about. This is a problem because (a) it makes the code harder to parse and (b) the error message is lacking; I have seen a few flaky tests which were impossible to diagnose because I didn't know what the response _should_ be. This reduces the number of places in which we perform this assertion (moving most of them to `HGECtx.execute_query`), so that we can have a better chance of seeing a useful error message on test failure. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4957 GitOrigin-RevId: 3ff388bccf49f96569aa6b7db85266a0c5ee27ea
2022-07-05 21:00:08 +03:00
resp = add_collection_to_allowlist(hge_ctx, {
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
"collection": "collection_2",
"scope": {
"global": True
}
})
assert resp == {
"message": 'collection "collection_2" already exists in the allowlist, scope ignored; to change scope, use update_scope_of_collection_in_allowlist'
}
assert_allowlist_metadata(hge_ctx, [orig, orig2])
# query_0 is in no collection
query_0 = """
query {
author {
first_name
}
}
"""
response_0 = {
"data": {
"author": [
{"first_name": "George"},
{"first_name": "Paulo"},
],
},
}
# query_1 is only in collection_1
query_1 = """
query {
author {
first_name
last_name
}
}
"""
response_1 = {
"data": {
"author": [
{"first_name": "George", "last_name": "Martin"},
{"first_name": "Paulo", "last_name": "Coelho"},
],
},
}
# query_2 is in both collections
query_2 = """
query {
author {
__typename
last_name
}
}
"""
response_2 = {
"data": {
"author": [
{"__typename": "author", "last_name": "Martin"},
{"__typename": "author", "last_name": "Coelho"}
]
}
}
# query_3 is only in collection_2
CI: Pass `--pro-tests` to pytests when testing HGE Pro. This runs additional tests which only pass against HGE Pro. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/10841 GitOrigin-RevId: c79681d31514ce83d73210777d8fd1c99f61291d
2024-05-30 09:36:33 +03:00
query_3_pro_only = """
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
query {
author {
id
}
}
"""
response_3 = {
"data": {
"author": [
{"id": 1},
{"id": 2}
],
},
}
response_not_allowed = {
"errors": [
{
"extensions": {
"path": "$",
"code": "validation-failed",
},
"message": "query is not allowed",
},
],
}
def assert_query_allowed(hge_ctx, role, query, response):
check_query(hge_ctx, {
"url": "/v1/graphql",
"status": 200,
"headers": {"x-hasura-role": role},
"response": response,
"query": {"query": query},
})
def assert_query_not_allowed(hge_ctx, role, query):
check_query(hge_ctx, {
"url": "/v1/graphql",
"status": 200,
"headers": {"x-hasura-role": role},
"response": response_not_allowed,
"query": {"query": query},
})
@usefixtures('clean_allowlist', 'per_class_tests_db_state')
CI: Pass `--pro-tests` to pytests when testing HGE Pro. This runs additional tests which only pass against HGE Pro. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/10841 GitOrigin-RevId: c79681d31514ce83d73210777d8fd1c99f61291d
2024-05-30 09:36:33 +03:00
class TestRoleBasedAllowlistQueriesCE:
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
@classmethod
def dir(cls):
return 'queries/graphql_query/allowlist_role_based'
def test_baseline(self, hge_ctx):
for role in ["user", "guest"]:
assert_query_not_allowed(hge_ctx, role, query_0)
assert_query_not_allowed(hge_ctx, role, query_1)
assert_query_not_allowed(hge_ctx, role, query_2)
CI: Pass `--pro-tests` to pytests when testing HGE Pro. This runs additional tests which only pass against HGE Pro. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/10841 GitOrigin-RevId: c79681d31514ce83d73210777d8fd1c99f61291d
2024-05-30 09:36:33 +03:00
assert_query_not_allowed(hge_ctx, role, query_3_pro_only)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
assert_query_allowed(hge_ctx, "admin", query_0, response_0)
assert_query_allowed(hge_ctx, "admin", query_1, response_1)
assert_query_allowed(hge_ctx, "admin", query_2, response_2)
CI: Pass `--pro-tests` to pytests when testing HGE Pro. This runs additional tests which only pass against HGE Pro. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/10841 GitOrigin-RevId: c79681d31514ce83d73210777d8fd1c99f61291d
2024-05-30 09:36:33 +03:00
assert_query_allowed(hge_ctx, "admin", query_3_pro_only, response_3)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
def test_allowlists(self, hge_ctx):
add_collection_to_allowlist(hge_ctx, {
"collection": "collection_1",
"scope": {
"global": True,
}
})
add_collection_to_allowlist(hge_ctx, {
"collection": "collection_2",
"scope": {
"global": False,
"roles": [
"user",
"editor"
]
}
})
for role in ["user", "guest"]:
assert_query_not_allowed(hge_ctx, role, query_0)
assert_query_allowed(hge_ctx, role, query_1, response_1)
assert_query_allowed(hge_ctx, role, query_2, response_2)
CI: Pass `--pro-tests` to pytests when testing HGE Pro. This runs additional tests which only pass against HGE Pro. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/10841 GitOrigin-RevId: c79681d31514ce83d73210777d8fd1c99f61291d
2024-05-30 09:36:33 +03:00
if not hge_ctx.pro_tests:
assert_query_not_allowed(hge_ctx, "user", query_3_pro_only)
server, pro: add support for per-role allowlists spec: https://github.com/hasura/graphql-engine-mono/pull/2278 Briefly: - extend metadata so that allowlist entries get a new scope field - update `add_collection_to_allowlist` to accept this new scope field, and adds `update_scope_of_collection_in_allowlist` to change the scope - scope can be global or role-based; a collection is available for every role if it is global, and available to every listed role if it is role-based - graphql-engine-oss is aware of role-based allowlist metadata; collections with non-global scope are treated as if they weren't in the allowlist To run the tests: - `cabal run graphql-engine-tests -- unit --match Allowlist` - py-tests against pro: - launch `graphql-engine-pro` with `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ENABLE_ALLOWLIST` - `pytest test_allowlist_queries.py --hge-urls=... --pg-urls=... --hge-key=... --test-allowlist-queries --pro-tests` PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2477 Co-authored-by: Anon Ray <616387+ecthiender@users.noreply.github.com> Co-authored-by: Robert <132113+robx@users.noreply.github.com> GitOrigin-RevId: 01f8026fbe59d8701e2de30986511a452fce1a99
2022-02-08 19:53:30 +03:00
CI: Pass `--pro-tests` to pytests when testing HGE Pro. This runs additional tests which only pass against HGE Pro. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/10841 GitOrigin-RevId: c79681d31514ce83d73210777d8fd1c99f61291d
2024-05-30 09:36:33 +03:00
@pytest.mark.admin_secret
@usefixtures('clean_allowlist', 'pro_tests_fixtures', 'enterprise_edition', 'per_class_tests_db_state')
class TestRoleBasedAllowlistQueriesPro:
@classmethod
def dir(cls):
return 'queries/graphql_query/allowlist_role_based'
def test_allowlists(self, hge_ctx):
add_collection_to_allowlist(hge_ctx, {
"collection": "collection_1",
"scope": {
"global": True,
}
})
add_collection_to_allowlist(hge_ctx, {
"collection": "collection_2",
"scope": {
"global": False,
"roles": [
"user",
"editor"
]
}
})
assert_query_allowed(hge_ctx, "user", query_3_pro_only, response_3)
Reference in New Issue Copy Permalink