2018-10-28 21:27:49 +03:00
#!/usr/bin/env bash
set -euo pipefail
2021-01-25 11:23:12 +03:00
echo " Running tests on node $CIRCLE_NODE_INDEX of $CIRCLE_NODE_TOTAL "
if [ -z " $SERVER_TEST_TO_RUN " ] ; then
2022-09-28 19:06:54 +03:00
# shellcheck disable=SC2016
2022-01-11 14:21:49 +03:00
echo 'Please specify $SERVER_TEST_TO_RUN'
exit 1
2021-01-29 08:48:17 +03:00
else
2022-01-11 14:21:49 +03:00
echo " Running test $SERVER_TEST_TO_RUN "
2021-01-25 11:23:12 +03:00
fi
2018-10-28 21:27:49 +03:00
### Functions
2022-09-28 19:06:54 +03:00
# Disable the following warning:
# > Note that A && B || C is not if-then-else. C may run when A is true.
# We want this behavior, as we want to continue even if `kill` fails.
# shellcheck disable=SC2015
2018-10-28 21:27:49 +03:00
stop_services( ) {
2022-01-20 21:27:55 +03:00
echo "killing and waiting for spawned services"
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
[ [ -n " ${ HGE_PIDS [*] } " ] ] && {
kill -s INT " ${ HGE_PIDS [@] } "
wait " ${ HGE_PIDS [@] } "
} || true
2019-04-08 10:22:38 +03:00
}
2022-01-11 14:21:49 +03:00
time_elapsed( ) {
printf "(%02d:%02d)" $(( SECONDS / 60 )) $(( SECONDS % 60 ))
2019-04-08 10:22:38 +03:00
}
fail_if_port_busy( ) {
2022-09-28 19:06:54 +03:00
local PORT = " $1 "
if nc -z localhost " $PORT " ; then
2022-10-12 16:26:35 +03:00
echo "ERROR:"
echo " Port $PORT is busy. "
echo " Output of \`lsof -i : $PORT \`: "
lsof -i " : $PORT "
echo
echo 'Exiting immediately.'
2022-01-11 14:21:49 +03:00
exit 1
fi
2018-10-28 21:27:49 +03:00
}
wait_for_port( ) {
2022-09-28 19:06:54 +03:00
local PORT = " $1 "
2022-01-11 14:21:49 +03:00
echo " waiting for $PORT "
for _ in $( seq 1 60) ; do
2022-09-28 19:06:54 +03:00
nc -z localhost " $PORT " && echo " port $PORT is ready " && return
2022-01-11 14:21:49 +03:00
echo -n .
sleep 0.25
done
echo " Failed waiting for $PORT " && exit 1
2018-10-28 21:27:49 +03:00
}
init_jwt( ) {
CUR_DIR = " $PWD "
mkdir -p " $OUTPUT_FOLDER /ssl "
cd " $OUTPUT_FOLDER /ssl "
openssl genrsa -out jwt_private.key 2048
2022-01-11 14:21:49 +03:00
openssl rsa -pubout -in jwt_private.key -out jwt_public.key
openssl genpkey -algorithm ed25519 -outform PEM -out ed25519_jwt_private.key
openssl pkey -pubout -in ed25519_jwt_private.key -out ed25519_jwt_public.key
2018-10-28 21:27:49 +03:00
cd " $CUR_DIR "
}
2021-08-12 04:53:13 +03:00
# init_hge_and_test_jwt function will run the hge server using the environment varibles and run the pytest which is sent as argument
# The first argument is the relative path of the jwt-key-file. the jwt-key-file can be RSA or EdDSA
# The second argument is the test to run, eg. test_jwt_claims_map.py::TestJWTClaimsMapBasic, test_jwt.py, etc.
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt( ) {
2022-08-22 08:11:43 +03:00
local key_file
key_file = " ${ OUTPUT_FOLDER } / ${ 1 } "
shift
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
2022-09-29 20:18:49 +03:00
--hge-jwt-key-file= " $key_file " --hge-jwt-conf= " $HASURA_GRAPHQL_JWT_SECRET " \
2022-08-22 08:11:43 +03:00
" $@ "
2022-01-11 14:21:49 +03:00
kill_hge_servers
2021-08-12 04:53:13 +03:00
}
2018-10-28 21:27:49 +03:00
init_ssl( ) {
mkdir -p " $OUTPUT_FOLDER /ssl "
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
(
cd " $OUTPUT_FOLDER /ssl "
openssl genrsa -out ca-key.pem 2048
openssl req -x509 -new -nodes -key ca-key.pem -days 10 -out ca.pem -subj "/CN=webhook-ca"
cp ca.pem /usr/local/share/ca-certificates/hge-tests-ca.crt
update-ca-certificates
)
2018-10-28 21:27:49 +03:00
}
2022-01-11 18:28:36 +03:00
webhook_tests_check_root( ) {
if [ $EUID != 0 ] ; then
echo -e "webhook tests require root (in order to trust certificate authority)."
exit 1
fi
}
2019-04-08 10:22:38 +03:00
kill_hge_servers( ) {
2022-09-28 19:06:54 +03:00
kill -s INT " ${ HGE_PIDS [@] } " || true
wait " ${ HGE_PIDS [@] } " || true
HGE_PIDS = ( )
2018-10-28 21:27:49 +03:00
}
2022-01-18 06:18:10 +03:00
HGE_INDEX = 1
2019-04-08 10:22:38 +03:00
run_hge_with_args( ) {
2022-01-18 06:18:10 +03:00
i = $(( HGE_INDEX++))
2019-04-08 10:22:38 +03:00
set -x
2022-09-28 19:06:54 +03:00
" $GRAPHQL_ENGINE " " $@ " >" $OUTPUT_FOLDER /graphql-engine- ${ i } .log " 2>& 1 &
HGE_PIDS = ( " ${ HGE_PIDS [@] } " $! )
2019-04-08 10:22:38 +03:00
set +x
2019-02-28 16:53:03 +03:00
}
2019-04-08 10:22:38 +03:00
start_multiple_hge_servers( ) {
2022-01-11 14:21:49 +03:00
run_hge_with_args --database-url " $HASURA_GRAPHQL_DATABASE_URL " serve
if [ -n " ${ HASURA_GRAPHQL_DATABASE_URL_2 :- } " ] ; then
run_hge_with_args --database-url " $HASURA_GRAPHQL_DATABASE_URL_2 " serve --server-port 8081
wait_for_port 8081
fi
wait_for_port 8080
2019-04-08 10:22:38 +03:00
}
2021-07-01 17:40:05 +03:00
source_data_sources_utils( ) {
2022-01-11 14:21:49 +03:00
# Only source this file in the $SERVER_TEST_TO_RUN case branch it's used,
# to avoid sourcing for every server job & test.
# https://github.com/hasura/graphql-engine-mono/pull/1526#discussion_r661411538
SCRIPTS_SOURCE = $CIRCLECI_FOLDER /../scripts
2022-09-28 19:06:54 +03:00
# shellcheck source=../scripts/data-sources-util.sh
2022-01-11 14:21:49 +03:00
source " $SCRIPTS_SOURCE /data-sources-util.sh "
2021-07-01 17:40:05 +03:00
}
2019-04-08 10:22:38 +03:00
2022-01-11 14:21:49 +03:00
if [ -z " ${ HASURA_GRAPHQL_DATABASE_URL :- } " ] ; then
2018-10-28 21:27:49 +03:00
echo "Env var HASURA_GRAPHQL_DATABASE_URL is not set"
exit 1
fi
2022-01-11 14:21:49 +03:00
if [ -z " ${ HASURA_GRAPHQL_DATABASE_URL_2 :- } " ] ; then
2019-04-08 10:22:38 +03:00
echo "Env var HASURA_GRAPHQL_DATABASE_URL_2 is not set"
exit 1
fi
2018-10-28 21:27:49 +03:00
CIRCLECI_FOLDER = " ${ BASH_SOURCE [0]%/* } "
2022-09-28 19:06:54 +03:00
cd " $CIRCLECI_FOLDER "
2018-10-28 21:27:49 +03:00
CIRCLECI_FOLDER = " $PWD "
PYTEST_ROOT = " $CIRCLECI_FOLDER /../server/tests-py "
OUTPUT_FOLDER = ${ OUTPUT_FOLDER :- " $CIRCLECI_FOLDER /test-server-output " }
mkdir -p " $OUTPUT_FOLDER "
2022-09-28 19:06:54 +03:00
cd " $PYTEST_ROOT "
2018-10-28 21:27:49 +03:00
2022-05-23 14:12:45 +03:00
for port in 8080 8081 9876 5592 5000 5001 5593 5594; do
2019-04-08 10:22:38 +03:00
fail_if_port_busy $port
done
2018-10-28 21:27:49 +03:00
echo -e " \nINFO: GraphQL Executable : $GRAPHQL_ENGINE "
echo -e " INFO: Logs Folder : $OUTPUT_FOLDER \n "
2022-09-07 17:27:54 +03:00
# Copy the node_modules directory installed in the Docker image here.
cp -R /deps/node_modules .
2020-05-27 18:02:58 +03:00
2018-10-28 21:27:49 +03:00
export EVENT_WEBHOOK_HEADER = "MyEnvValue"
2020-05-13 15:33:16 +03:00
2022-08-15 17:57:55 +03:00
export HASURA_GRAPHQL_STRINGIFY_NUMERIC_TYPES = true
export DEFAULT_HASURA_EXPERIMENTAL_FEATURES = streaming_subscriptions
export HASURA_GRAPHQL_EXPERIMENTAL_FEATURES = $DEFAULT_HASURA_EXPERIMENTAL_FEATURES
2018-10-28 21:27:49 +03:00
export HGE_URL = "http://localhost:8080"
2019-04-08 10:22:38 +03:00
export HGE_URL_2 = ""
2022-01-28 03:17:53 +03:00
if [ -n " ${ HASURA_GRAPHQL_DATABASE_URL_2 :- } " ] ; then
2019-04-08 10:22:38 +03:00
HGE_URL_2 = "http://localhost:8081"
fi
2022-08-15 17:57:55 +03:00
export EVENT_WEBHOOK_HEADER = "MyEnvValue"
export EVENT_WEBHOOK_HANDLER = "http://localhost:5592"
export ACTION_WEBHOOK_HANDLER = "http://localhost:5593"
export SCHEDULED_TRIGGERS_WEBHOOK_DOMAIN = "http://localhost:5594"
export REMOTE_SCHEMAS_WEBHOOK_DOMAIN = "http://localhost:5000"
export GRAPHQL_SERVICE_HANDLER = "http://localhost:4001"
export GRAPHQL_SERVICE_1 = "http://localhost:4020"
export GRAPHQL_SERVICE_2 = "http://localhost:4021"
export GRAPHQL_SERVICE_3 = "http://localhost:4022"
2021-07-16 19:08:23 +03:00
2022-08-22 08:11:43 +03:00
PYTEST_REPORTING_ARGS = (
'-vv' # show all passes and the full assertion text
'-r' 'a' # show extra test summary info for every test except passes
)
PYTEST_COMMON_ARGS = (
" ${ PYTEST_REPORTING_ARGS [@] } "
--hge-urls= " $HGE_URL "
--pg-urls= " $HASURA_GRAPHQL_DATABASE_URL "
)
PYTEST_PARALLEL_ARGS = (
" ${ PYTEST_REPORTING_ARGS [@] } "
-n 2
--hge-urls " $HGE_URL " " ${ HGE_URL_2 :- } "
--pg-urls " $HASURA_GRAPHQL_DATABASE_URL " " ${ HASURA_GRAPHQL_DATABASE_URL_2 } "
)
2022-09-28 19:06:54 +03:00
HGE_PIDS = ( )
2019-03-12 08:46:27 +03:00
2018-10-28 21:27:49 +03:00
trap stop_services ERR
trap stop_services INT
2022-01-20 21:27:55 +03:00
trap stop_services EXIT
2018-10-28 21:27:49 +03:00
2019-04-08 10:22:38 +03:00
run_pytest_parallel( ) {
trap stop_services ERR
2022-01-11 14:21:49 +03:00
if [ -n " ${ HASURA_GRAPHQL_DATABASE_URL_2 :- } " ] ; then
2019-04-08 10:22:38 +03:00
set -x
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_PARALLEL_ARGS [@] } " " $@ "
2019-04-08 10:22:38 +03:00
set +x
else
set -x
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " " $@ "
2019-04-08 10:22:38 +03:00
set +x
fi
}
2018-10-28 21:27:49 +03:00
2021-01-25 11:23:12 +03:00
case " $SERVER_TEST_TO_RUN " in
2022-01-11 14:21:49 +03:00
no-auth)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITHOUT ADMIN SECRET ###########################################>\n "
2018-10-28 21:27:49 +03:00
2022-01-11 14:21:49 +03:00
start_multiple_hge_servers
2018-10-28 21:27:49 +03:00
2022-01-11 14:21:49 +03:00
run_pytest_parallel
2019-02-05 15:04:16 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2021-08-03 14:11:01 +03:00
2022-01-11 14:21:49 +03:00
admin-secret)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET #####################################>\n "
2019-02-05 15:04:16 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2019-04-08 10:22:38 +03:00
2022-01-11 14:21:49 +03:00
start_multiple_hge_servers
2019-02-05 15:04:16 +03:00
2022-09-29 20:18:49 +03:00
run_pytest_parallel
2019-02-05 15:04:16 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2019-02-05 15:04:16 +03:00
2022-01-11 14:21:49 +03:00
admin-secret-unauthorized-role)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND UNAUTHORIZED ROLE #####################################>\n "
2018-10-28 21:27:49 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
export HASURA_GRAPHQL_UNAUTHORIZED_ROLE = "anonymous"
2018-10-28 21:27:49 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
2018-10-28 21:27:49 +03:00
2022-01-11 14:21:49 +03:00
wait_for_port 8080
2019-07-11 12:58:39 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--test-unauthorized-role \
test_graphql_queries.py::TestUnauthorizedRolePermission
2019-07-11 12:58:39 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
2021-10-05 15:28:38 +03:00
2022-01-11 14:21:49 +03:00
#unset HASURA_GRAPHQL_UNAUTHORIZED_ROLE
; ;
2021-12-23 12:17:39 +03:00
2022-01-11 14:21:49 +03:00
jwt-rs512)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (RS512) #####################################>\n "
2021-08-12 04:53:13 +03:00
2022-01-11 14:21:49 +03:00
init_jwt
2021-08-12 04:53:13 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/jwt_public.key " ) " '{ type: "RS512", key: $key }' ) "
export HASURA_GRAPHQL_ADMIN_SECRET HASURA_GRAPHQL_JWT_SECRET
2021-08-12 04:53:13 +03:00
2022-01-11 14:21:49 +03:00
start_multiple_hge_servers
2021-08-12 04:53:13 +03:00
2022-09-29 20:18:49 +03:00
run_pytest_parallel --hge-jwt-key-file= " $OUTPUT_FOLDER /ssl/jwt_private.key " --hge-jwt-conf= " $HASURA_GRAPHQL_JWT_SECRET "
2019-07-11 12:58:39 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
2019-07-11 12:58:39 +03:00
2022-01-11 14:21:49 +03:00
#unset HASURA_GRAPHQL_JWT_SECRET
; ;
2019-07-11 12:58:39 +03:00
2022-01-11 14:21:49 +03:00
jwt-ed25519)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (Ed25519) #####################################>\n "
2019-07-11 12:58:39 +03:00
2022-01-11 14:21:49 +03:00
init_jwt
2021-08-03 14:11:01 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/ed25519_jwt_public.key " ) " '{ type: "Ed25519", key: $key }' ) "
export HASURA_GRAPHQL_ADMIN_SECRET HASURA_GRAPHQL_JWT_SECRET
2019-07-11 12:58:39 +03:00
2022-01-11 14:21:49 +03:00
start_multiple_hge_servers
2019-07-11 12:58:39 +03:00
2022-09-29 20:18:49 +03:00
run_pytest_parallel --hge-jwt-key-file= " $OUTPUT_FOLDER /ssl/ed25519_jwt_private.key " --hge-jwt-conf= " $HASURA_GRAPHQL_JWT_SECRET "
2021-10-05 15:28:38 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
2021-10-05 15:28:38 +03:00
2022-01-11 14:21:49 +03:00
#unset HASURA_GRAPHQL_JWT_SECRET
; ;
2019-07-11 12:58:39 +03:00
2022-01-11 14:21:49 +03:00
jwt-stringified)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (in stringified mode) #####################################>\n "
2019-07-11 12:58:39 +03:00
2022-01-11 14:21:49 +03:00
init_jwt
2019-07-11 12:58:39 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2021-08-03 14:11:01 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/jwt_public.key " ) " '{ type: "RS512", key: $key , claims_format: "stringified_json"}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2019-07-11 12:58:39 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
2019-07-11 12:58:39 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/ed25519_jwt_public.key " ) " '{ type: "Ed25519", key: $key , claims_format: "stringified_json"}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2021-10-05 15:28:38 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
2019-07-11 12:58:39 +03:00
2022-01-11 14:21:49 +03:00
# unset HASURA_GRAPHQL_JWT_SECRET
; ;
2019-07-11 12:58:39 +03:00
2022-01-11 14:21:49 +03:00
jwt-audience-check-single-string)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with audience check - string) #####################################>\n "
2019-07-11 12:58:39 +03:00
2022-01-11 14:21:49 +03:00
init_jwt
2019-07-11 12:58:39 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2021-10-05 15:28:38 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/jwt_public.key " ) " '{ type: "RS512", key: $key , audience: "myapp-1234"}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2021-08-03 14:11:01 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
2021-10-05 15:28:38 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/ed25519_jwt_public.key " ) " '{ type: "Ed25519", key: $key , audience: "myapp-1234"}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2020-04-21 12:24:35 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
2020-04-21 12:24:35 +03:00
2022-01-11 14:21:49 +03:00
#unset HASURA_GRAPHQL_JWT_SECRET
; ;
2020-04-21 12:24:35 +03:00
2022-01-11 14:21:49 +03:00
jwt-audience-check-list-string)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with audience check - list of strings) #################################>\n "
2020-04-21 12:24:35 +03:00
2022-01-11 14:21:49 +03:00
init_jwt
2021-08-03 14:11:01 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2020-04-21 12:24:35 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/jwt_public.key " ) " '{ type: "RS512", key: $key , audience: ["myapp-1234", "myapp-9876"]}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
2021-10-05 15:28:38 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/ed25519_jwt_public.key " ) " '{ type: "Ed25519", key: $key , audience: ["myapp-1234", "myapp-9876"]}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2020-04-21 12:24:35 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
2020-04-21 12:24:35 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_JWT_SECRET
; ;
2020-04-16 09:45:21 +03:00
2022-01-11 14:21:49 +03:00
jwt-issuer-check)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with issuer check) #####################################>\n "
2020-04-16 09:45:21 +03:00
2022-01-11 14:21:49 +03:00
init_jwt
2020-04-16 09:45:21 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2021-10-05 15:28:38 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/jwt_public.key " ) " '{ type: "RS512", key: $key , issuer: "https://hasura.com"}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2021-08-03 14:11:01 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
2021-10-05 15:28:38 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/ed25519_jwt_public.key " ) " '{ type: "Ed25519", key: $key , issuer: "https://hasura.com"}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2020-08-31 19:40:01 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
2020-08-31 19:40:01 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_JWT_SECRET
; ;
2021-08-03 14:11:01 +03:00
2022-01-11 14:21:49 +03:00
jwt-with-claims-namespace-path)
##########
# TODO(swann): should these not be run in parallel?
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with claims_namespace_path) #####################################>\n "
2020-08-31 19:40:01 +03:00
2022-01-11 14:21:49 +03:00
init_jwt
2021-10-05 15:28:38 +03:00
2022-01-11 14:21:49 +03:00
# hasura claims at one level of nesting
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2020-08-31 19:40:01 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/jwt_public.key " ) " '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura_claims"}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
2020-08-31 19:40:01 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/ed25519_jwt_public.key " ) " '{ type: "Ed25519", key: $key , claims_namespace_path: "$.hasura_claims"}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2021-10-05 15:28:38 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
2021-10-05 15:28:38 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_JWT_SECRET
2021-10-05 15:28:38 +03:00
2022-01-11 14:21:49 +03:00
# hasura claims at two levels of nesting with claims_namespace_path containing special character
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2020-08-31 19:40:01 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/jwt_public.key " ) " '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura[' \' 'claims%' \' ']"}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
2020-08-31 19:40:01 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/ed25519_jwt_public.key " ) " '{ type: "Ed25519", key: $key , claims_namespace_path: "$.hasura[' \' 'claims%' \' ']"}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2020-08-31 19:40:01 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
2020-08-31 19:40:01 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_JWT_SECRET
2020-08-31 19:40:01 +03:00
2022-01-11 14:21:49 +03:00
# hasura claims at the root of the JWT token
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2020-08-31 19:40:01 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/jwt_public.key " ) " '{ type: "RS512", key: $key , claims_namespace_path: "$"}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
2021-10-05 15:28:38 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/ed25519_jwt_public.key " ) " '{ type: "Ed25519", key: $key , claims_namespace_path: "$"}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2021-10-05 15:28:38 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
2020-08-31 19:40:01 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_JWT_SECRET
; ;
2021-01-13 11:38:13 +03:00
2022-01-11 14:21:49 +03:00
jwt-claims-map-with-json-path-values)
# test JWT with Claims map
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with claims_map and values are json path) #####################################>\n "
2021-01-13 11:38:13 +03:00
2022-01-11 14:21:49 +03:00
init_jwt
2021-10-05 15:28:38 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2021-10-05 15:28:38 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/jwt_public.key " ) " '{ type: "RS512", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.[' "'" 'https://myapp.com/jwt/claims' "'" '].user.id"}, "x-hasura-allowed-roles": {"path":"$.[' "'" 'https://myapp.com/jwt/claims' "'" '].role.allowed"}, "x-hasura-default-role": {"path":"$.[' "'" 'https://myapp.com/jwt/claims' "'" '].role.default"}}}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapBasic
2021-08-03 14:11:01 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/ed25519_jwt_public.key " ) " '{ type: "Ed25519", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.[' "'" 'https://myapp.com/jwt/claims' "'" '].user.id"}, "x-hasura-allowed-roles": {"path":"$.[' "'" 'https://myapp.com/jwt/claims' "'" '].role.allowed"}, "x-hasura-default-role": {"path":"$.[' "'" 'https://myapp.com/jwt/claims' "'" '].role.default"}}}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2021-01-13 11:38:13 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapBasic
2021-01-13 11:38:13 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_JWT_SECRET
2020-08-31 19:40:01 +03:00
2022-01-11 14:21:49 +03:00
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with claims_map and values are json path with default values set) #####################################>\n "
2021-08-03 14:11:01 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2021-10-05 15:28:38 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/jwt_public.key " ) " '{ type: "RS512", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.[' "'" 'https://myapp.com/jwt/claims' "'" '].user.id", "default":"1"}, "x-hasura-allowed-roles": {"path":"$.[' "'" 'https://myapp.com/jwt/claims' "'" '].role.allowed", "default":["user","editor"]}, "x-hasura-default-role": {"path":"$.[' "'" 'https://myapp.com/jwt/claims' "'" '].role.default","default":"user"}}}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapBasic
2021-10-05 15:28:38 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/ed25519_jwt_public.key " ) " '{ type: "Ed25519", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.[' "'" 'https://myapp.com/jwt/claims' "'" '].user.id", "default":"1"}, "x-hasura-allowed-roles": {"path":"$.[' "'" 'https://myapp.com/jwt/claims' "'" '].role.allowed", "default":["user","editor"]}, "x-hasura-default-role": {"path":"$.[' "'" 'https://myapp.com/jwt/claims' "'" '].role.default","default":"user"}}}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2019-02-14 08:58:38 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapBasic
2019-02-28 16:53:03 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_JWT_SECRET
; ;
2019-02-14 08:58:38 +03:00
2022-01-11 14:21:49 +03:00
jwt-with-expiry-time-leeway)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with JWT config allowing for leeway) #####################################>\n "
2019-03-04 10:46:53 +03:00
2022-01-11 14:21:49 +03:00
init_jwt
2022-09-28 19:06:54 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2019-03-04 10:46:53 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/jwt_public.key " ) " '{ type: "RS512", key: $key , allowed_skew: 60}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py::TestJWTExpirySkew
2019-03-04 10:46:53 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/ed25519_jwt_public.key " ) " '{ type: "Ed25519", key: $key , allowed_skew: 60}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2019-03-04 10:46:53 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py::TestJWTExpirySkew
2019-03-04 10:46:53 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_JWT_SECRET
; ;
2021-10-05 15:28:38 +03:00
2022-01-11 14:21:49 +03:00
jwt-claims-map-with-literal-values)
2019-03-04 10:46:53 +03:00
2022-01-11 14:21:49 +03:00
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with claims_map and values are literal values) #####################################>\n "
2019-03-04 10:46:53 +03:00
2022-01-11 14:21:49 +03:00
init_jwt
2021-02-25 12:02:43 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2021-02-25 12:02:43 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/jwt_public.key " ) " '{ type: "RS512", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.[' "'" 'https://myapp.com/jwt/claims' "'" '].user.id"}, "x-hasura-allowed-roles": ["user","editor"], "x-hasura-default-role": "user","x-hasura-custom-header":"custom-value"}}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapWithStaticHasuraClaimsMapValues
2021-10-05 15:28:38 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/ed25519_jwt_public.key " ) " '{ type: "Ed25519", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.[' "'" 'https://myapp.com/jwt/claims' "'" '].user.id"}, "x-hasura-allowed-roles": ["user","editor"], "x-hasura-default-role": "user","x-hasura-custom-header":"custom-value"}}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2021-10-05 15:28:38 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapWithStaticHasuraClaimsMapValues
2021-10-05 15:28:38 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_JWT_SECRET
; ;
2021-02-25 12:02:43 +03:00
2022-01-11 14:21:49 +03:00
jwt-cookie)
2021-02-25 12:02:43 +03:00
2022-01-11 14:21:49 +03:00
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (in cookie mode) #####################################>\n "
2021-12-08 21:28:36 +03:00
2022-01-11 14:21:49 +03:00
init_jwt
2021-12-08 21:28:36 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2021-12-08 21:28:36 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/jwt_public.key " ) " '{ type: "RS512", key: $key , header: {"type": "Cookie", "name": "hasura_user"}}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
2021-12-08 21:28:36 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/ed25519_jwt_public.key " ) " '{ type: "Ed25519", key: $key , header: {"type": "Cookie", "name": "hasura_user"}}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2021-12-08 21:28:36 +03:00
2022-01-11 14:21:49 +03:00
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
2021-12-08 21:28:36 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_JWT_SECRET
; ;
2021-12-08 21:28:36 +03:00
2022-01-11 14:21:49 +03:00
jwt-cookie-unauthorized-role)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH JWT (in cookie mode) AND UNAUTHORIZED ROLE #####################################>\n "
2021-12-08 21:28:36 +03:00
2022-01-11 14:21:49 +03:00
init_jwt
2021-12-08 21:28:36 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
export HASURA_GRAPHQL_UNAUTHORIZED_ROLE = "anonymous"
2021-12-08 21:28:36 +03:00
2022-09-28 19:06:54 +03:00
HASURA_GRAPHQL_JWT_SECRET = " $( jq -n --arg key " $( cat " $OUTPUT_FOLDER /ssl/jwt_public.key " ) " '{ type: "RS512", key: $key , header: {"type": "Cookie", "name": "hasura_user"}}' ) "
export HASURA_GRAPHQL_JWT_SECRET
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
2021-08-03 14:11:01 +03:00
2022-01-11 14:21:49 +03:00
wait_for_port 8080
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
2022-09-29 20:18:49 +03:00
--hge-jwt-key-file= " $OUTPUT_FOLDER /ssl/jwt_private.key " --hge-jwt-conf= " $HASURA_GRAPHQL_JWT_SECRET " \
2022-08-22 08:11:43 +03:00
--test-unauthorized-role \
test_graphql_queries.py::TestFallbackUnauthorizedRoleCookie
2019-03-04 10:46:53 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
2019-03-04 10:46:53 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_UNAUTHORIZED_ROLE
2019-03-04 10:46:53 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
2019-03-04 10:46:53 +03:00
2022-01-11 14:21:49 +03:00
wait_for_port 8080
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
2022-09-29 20:18:49 +03:00
--hge-jwt-key-file= " $OUTPUT_FOLDER /ssl/jwt_private.key " --hge-jwt-conf= " $HASURA_GRAPHQL_JWT_SECRET " \
2022-08-22 08:11:43 +03:00
--test-no-cookie-and-unauth-role \
test_graphql_queries.py::TestMissingUnauthorizedRoleAndCookie
2021-01-29 08:48:17 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
2021-11-09 15:00:21 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_JWT_SECRET
; ;
2021-11-09 15:00:21 +03:00
2022-01-11 14:21:49 +03:00
# test with CORS modes
cors-domains)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH CORS DOMAINS ########>\n "
export HASURA_GRAPHQL_CORS_DOMAIN = "http://*.localhost, http://localhost:3000, https://*.foo.bar.com"
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2021-11-09 15:00:21 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2021-11-09 15:00:21 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_cors.py
2021-11-09 15:00:21 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
2019-03-04 10:46:53 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_CORS_DOMAIN
; ;
2019-03-04 10:46:53 +03:00
2022-01-11 14:21:49 +03:00
auth-webhook-cookie)
# test auth webhook set-cookie forwarding on response
2019-04-08 10:22:38 +03:00
2022-01-11 14:21:49 +03:00
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH SET-COOKIE HEADER IN AUTH WEBHOOK ########>\n "
export HASURA_GRAPHQL_AUTH_HOOK = "http://localhost:9876/auth"
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2019-02-28 16:53:03 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2019-02-28 16:53:03 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_auth_webhook_cookie.py
2021-08-03 14:11:01 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2019-02-28 16:53:03 +03:00
2022-01-11 14:21:49 +03:00
ws-init-cookie-read-cors-enabled)
# test websocket transport with initial cookie header
2019-02-28 16:53:03 +03:00
2022-01-11 14:21:49 +03:00
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH COOKIE IN WEBSOCKET INIT ########>\n "
export HASURA_GRAPHQL_AUTH_HOOK = "http://localhost:9876/auth"
export HASURA_GRAPHQL_AUTH_HOOK_MODE = "POST"
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2019-02-28 16:53:03 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2019-02-28 16:53:03 +03:00
2022-01-11 14:21:49 +03:00
echo " $( time_elapsed) : testcase 1: read cookie, cors enabled "
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--test-ws-init-cookie= read \
test_websocket_init_cookie.py
2021-08-03 14:11:01 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2019-02-28 16:53:03 +03:00
2022-01-11 14:21:49 +03:00
ws-init-cookie-noread)
echo " $( time_elapsed) : testcase 2: no read cookie, cors disabled "
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2019-02-28 16:53:03 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_AUTH_HOOK = "http://localhost:9876/auth"
export HASURA_GRAPHQL_AUTH_HOOK_MODE = "POST"
run_hge_with_args serve --disable-cors
2019-02-28 16:53:03 +03:00
2022-01-11 14:21:49 +03:00
wait_for_port 8080
2019-02-28 16:53:03 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--test-ws-init-cookie= noread \
test_websocket_init_cookie.py
2019-02-28 16:53:03 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2019-02-28 16:53:03 +03:00
2022-01-11 14:21:49 +03:00
ws-init-cookie-read-cors-disabled)
echo " $( time_elapsed) : testcase 3: read cookie, cors disabled and ws-read-cookie "
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2019-02-28 16:53:03 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_AUTH_HOOK = "http://localhost:9876/auth"
export HASURA_GRAPHQL_AUTH_HOOK_MODE = "POST"
export HASURA_GRAPHQL_WS_READ_COOKIE = "true"
run_hge_with_args serve --disable-cors
wait_for_port 8080
2019-02-14 08:58:38 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
2022-09-29 13:42:47 +03:00
--test-ws-init-cookie= read \
test_websocket_init_cookie.py
2020-12-21 12:11:37 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2020-12-21 12:11:37 +03:00
2022-01-11 14:21:49 +03:00
ws-graphql-api-disabled)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH GRAPHQL DISABLED ########>\n "
export HASURA_GRAPHQL_ENABLED_APIS = "metadata"
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
export HASURA_GRAPHQL_AUTH_HOOK = "http://localhost:9876/auth"
export HASURA_GRAPHQL_AUTH_HOOK_MODE = "POST"
2019-10-16 17:33:34 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2019-10-16 17:33:34 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_apis_disabled.py
2019-07-11 08:37:06 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2019-03-04 10:46:53 +03:00
2022-01-11 14:21:49 +03:00
ws-metadata-api-disabled)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH METADATA DISABLED ########>\n "
2018-10-28 21:27:49 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ENABLED_APIS = "graphql"
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
export HASURA_GRAPHQL_AUTH_HOOK = "http://localhost:9876/auth"
export HASURA_GRAPHQL_AUTH_HOOK_MODE = "POST"
2018-10-28 21:27:49 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2018-10-28 21:27:49 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_apis_disabled.py
2021-01-29 08:48:17 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2021-01-29 08:48:17 +03:00
2022-01-11 14:21:49 +03:00
remote-schema-permissions)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH REMOTE SCHEMA PERMISSIONS ENABLED ########>\n "
export HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS = true
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2021-01-29 08:48:17 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2021-01-29 08:48:17 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_remote_schema_permissions.py
2021-08-09 13:20:04 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS
[Preview] Inherited roles for postgres read queries
fixes #3868
docker image - `hasura/graphql-engine:inherited-roles-preview-48b73a2de`
Note:
To be able to use the inherited roles feature, the graphql-engine should be started with the env variable `HASURA_GRAPHQL_EXPERIMENTAL_FEATURES` set to `inherited_roles`.
Introduction
------------
This PR implements the idea of multiple roles as presented in this [paper](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/FGALanguageICDE07.pdf). The multiple roles feature in this PR can be used via inherited roles. An inherited role is a role which can be created by combining multiple singular roles. For example, if there are two roles `author` and `editor` configured in the graphql-engine, then we can create a inherited role with the name of `combined_author_editor` role which will combine the select permissions of the `author` and `editor` roles and then make GraphQL queries using the `combined_author_editor`.
How are select permissions of different roles are combined?
------------------------------------------------------------
A select permission includes 5 things:
1. Columns accessible to the role
2. Row selection filter
3. Limit
4. Allow aggregation
5. Scalar computed fields accessible to the role
Suppose there are two roles, `role1` gives access to the `address` column with row filter `P1` and `role2` gives access to both the `address` and the `phone` column with row filter `P2` and we create a new role `combined_roles` which combines `role1` and `role2`.
Let's say the following GraphQL query is queried with the `combined_roles` role.
```graphql
query {
employees {
address
phone
}
}
```
This will translate to the following SQL query:
```sql
select
(case when (P1 or P2) then address else null end) as address,
(case when P2 then phone else null end) as phone
from employee
where (P1 or P2)
```
The other parameters of the select permission will be combined in the following manner:
1. Limit - Minimum of the limits will be the limit of the inherited role
2. Allow aggregations - If any of the role allows aggregation, then the inherited role will allow aggregation
3. Scalar computed fields - same as table column fields, as in the above example
APIs for inherited roles:
----------------------
1. `add_inherited_role`
`add_inherited_role` is the [metadata API](https://hasura.io/docs/1.0/graphql/core/api-reference/index.html#schema-metadata-api) to create a new inherited role. It accepts two arguments
`role_name`: the name of the inherited role to be added (String)
`role_set`: list of roles that need to be combined (Array of Strings)
Example:
```json
{
"type": "add_inherited_role",
"args": {
"role_name":"combined_user",
"role_set":[
"user",
"user1"
]
}
}
```
After adding the inherited role, the inherited role can be used like single roles like earlier
Note:
An inherited role can only be created with non-inherited/singular roles.
2. `drop_inherited_role`
The `drop_inherited_role` API accepts the name of the inherited role and drops it from the metadata. It accepts a single argument:
`role_name`: name of the inherited role to be dropped
Example:
```json
{
"type": "drop_inherited_role",
"args": {
"role_name":"combined_user"
}
}
```
Metadata
---------
The derived roles metadata will be included under the `experimental_features` key while exporting the metadata.
```json
{
"experimental_features": {
"derived_roles": [
{
"role_name": "manager_is_employee_too",
"role_set": [
"employee",
"manager"
]
}
]
}
}
```
Scope
------
Only postgres queries and subscriptions are supported in this PR.
Important points:
-----------------
1. All columns exposed to an inherited role will be marked as `nullable`, this is done so that cell value nullification can be done.
TODOs
-------
- [ ] Tests
- [ ] Test a GraphQL query running with a inherited role without enabling inherited roles in experimental features
- [] Tests for aggregate queries, limit, computed fields, functions, subscriptions (?)
- [ ] Introspection test with a inherited role (nullability changes in a inherited role)
- [ ] Docs
- [ ] Changelog
Co-authored-by: Vamshi Surabhi <6562944+0x777@users.noreply.github.com>
GitOrigin-RevId: 3b8ee1e11f5ceca80fe294f8c074d42fbccfec63
2021-03-08 14:14:13 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
[Preview] Inherited roles for postgres read queries
fixes #3868
docker image - `hasura/graphql-engine:inherited-roles-preview-48b73a2de`
Note:
To be able to use the inherited roles feature, the graphql-engine should be started with the env variable `HASURA_GRAPHQL_EXPERIMENTAL_FEATURES` set to `inherited_roles`.
Introduction
------------
This PR implements the idea of multiple roles as presented in this [paper](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/FGALanguageICDE07.pdf). The multiple roles feature in this PR can be used via inherited roles. An inherited role is a role which can be created by combining multiple singular roles. For example, if there are two roles `author` and `editor` configured in the graphql-engine, then we can create a inherited role with the name of `combined_author_editor` role which will combine the select permissions of the `author` and `editor` roles and then make GraphQL queries using the `combined_author_editor`.
How are select permissions of different roles are combined?
------------------------------------------------------------
A select permission includes 5 things:
1. Columns accessible to the role
2. Row selection filter
3. Limit
4. Allow aggregation
5. Scalar computed fields accessible to the role
Suppose there are two roles, `role1` gives access to the `address` column with row filter `P1` and `role2` gives access to both the `address` and the `phone` column with row filter `P2` and we create a new role `combined_roles` which combines `role1` and `role2`.
Let's say the following GraphQL query is queried with the `combined_roles` role.
```graphql
query {
employees {
address
phone
}
}
```
This will translate to the following SQL query:
```sql
select
(case when (P1 or P2) then address else null end) as address,
(case when P2 then phone else null end) as phone
from employee
where (P1 or P2)
```
The other parameters of the select permission will be combined in the following manner:
1. Limit - Minimum of the limits will be the limit of the inherited role
2. Allow aggregations - If any of the role allows aggregation, then the inherited role will allow aggregation
3. Scalar computed fields - same as table column fields, as in the above example
APIs for inherited roles:
----------------------
1. `add_inherited_role`
`add_inherited_role` is the [metadata API](https://hasura.io/docs/1.0/graphql/core/api-reference/index.html#schema-metadata-api) to create a new inherited role. It accepts two arguments
`role_name`: the name of the inherited role to be added (String)
`role_set`: list of roles that need to be combined (Array of Strings)
Example:
```json
{
"type": "add_inherited_role",
"args": {
"role_name":"combined_user",
"role_set":[
"user",
"user1"
]
}
}
```
After adding the inherited role, the inherited role can be used like single roles like earlier
Note:
An inherited role can only be created with non-inherited/singular roles.
2. `drop_inherited_role`
The `drop_inherited_role` API accepts the name of the inherited role and drops it from the metadata. It accepts a single argument:
`role_name`: name of the inherited role to be dropped
Example:
```json
{
"type": "drop_inherited_role",
"args": {
"role_name":"combined_user"
}
}
```
Metadata
---------
The derived roles metadata will be included under the `experimental_features` key while exporting the metadata.
```json
{
"experimental_features": {
"derived_roles": [
{
"role_name": "manager_is_employee_too",
"role_set": [
"employee",
"manager"
]
}
]
}
}
```
Scope
------
Only postgres queries and subscriptions are supported in this PR.
Important points:
-----------------
1. All columns exposed to an inherited role will be marked as `nullable`, this is done so that cell value nullification can be done.
TODOs
-------
- [ ] Tests
- [ ] Test a GraphQL query running with a inherited role without enabling inherited roles in experimental features
- [] Tests for aggregate queries, limit, computed fields, functions, subscriptions (?)
- [ ] Introspection test with a inherited role (nullability changes in a inherited role)
- [ ] Docs
- [ ] Changelog
Co-authored-by: Vamshi Surabhi <6562944+0x777@users.noreply.github.com>
GitOrigin-RevId: 3b8ee1e11f5ceca80fe294f8c074d42fbccfec63
2021-03-08 14:14:13 +03:00
2022-01-11 14:21:49 +03:00
function -permissions)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH FUNCTION PERMISSIONS ENABLED ########>\n "
export HASURA_GRAPHQL_INFER_FUNCTION_PERMISSIONS = false
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2021-10-05 15:28:38 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
[Preview] Inherited roles for postgres read queries
fixes #3868
docker image - `hasura/graphql-engine:inherited-roles-preview-48b73a2de`
Note:
To be able to use the inherited roles feature, the graphql-engine should be started with the env variable `HASURA_GRAPHQL_EXPERIMENTAL_FEATURES` set to `inherited_roles`.
Introduction
------------
This PR implements the idea of multiple roles as presented in this [paper](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/FGALanguageICDE07.pdf). The multiple roles feature in this PR can be used via inherited roles. An inherited role is a role which can be created by combining multiple singular roles. For example, if there are two roles `author` and `editor` configured in the graphql-engine, then we can create a inherited role with the name of `combined_author_editor` role which will combine the select permissions of the `author` and `editor` roles and then make GraphQL queries using the `combined_author_editor`.
How are select permissions of different roles are combined?
------------------------------------------------------------
A select permission includes 5 things:
1. Columns accessible to the role
2. Row selection filter
3. Limit
4. Allow aggregation
5. Scalar computed fields accessible to the role
Suppose there are two roles, `role1` gives access to the `address` column with row filter `P1` and `role2` gives access to both the `address` and the `phone` column with row filter `P2` and we create a new role `combined_roles` which combines `role1` and `role2`.
Let's say the following GraphQL query is queried with the `combined_roles` role.
```graphql
query {
employees {
address
phone
}
}
```
This will translate to the following SQL query:
```sql
select
(case when (P1 or P2) then address else null end) as address,
(case when P2 then phone else null end) as phone
from employee
where (P1 or P2)
```
The other parameters of the select permission will be combined in the following manner:
1. Limit - Minimum of the limits will be the limit of the inherited role
2. Allow aggregations - If any of the role allows aggregation, then the inherited role will allow aggregation
3. Scalar computed fields - same as table column fields, as in the above example
APIs for inherited roles:
----------------------
1. `add_inherited_role`
`add_inherited_role` is the [metadata API](https://hasura.io/docs/1.0/graphql/core/api-reference/index.html#schema-metadata-api) to create a new inherited role. It accepts two arguments
`role_name`: the name of the inherited role to be added (String)
`role_set`: list of roles that need to be combined (Array of Strings)
Example:
```json
{
"type": "add_inherited_role",
"args": {
"role_name":"combined_user",
"role_set":[
"user",
"user1"
]
}
}
```
After adding the inherited role, the inherited role can be used like single roles like earlier
Note:
An inherited role can only be created with non-inherited/singular roles.
2. `drop_inherited_role`
The `drop_inherited_role` API accepts the name of the inherited role and drops it from the metadata. It accepts a single argument:
`role_name`: name of the inherited role to be dropped
Example:
```json
{
"type": "drop_inherited_role",
"args": {
"role_name":"combined_user"
}
}
```
Metadata
---------
The derived roles metadata will be included under the `experimental_features` key while exporting the metadata.
```json
{
"experimental_features": {
"derived_roles": [
{
"role_name": "manager_is_employee_too",
"role_set": [
"employee",
"manager"
]
}
]
}
}
```
Scope
------
Only postgres queries and subscriptions are supported in this PR.
Important points:
-----------------
1. All columns exposed to an inherited role will be marked as `nullable`, this is done so that cell value nullification can be done.
TODOs
-------
- [ ] Tests
- [ ] Test a GraphQL query running with a inherited role without enabling inherited roles in experimental features
- [] Tests for aggregate queries, limit, computed fields, functions, subscriptions (?)
- [ ] Introspection test with a inherited role (nullability changes in a inherited role)
- [ ] Docs
- [ ] Changelog
Co-authored-by: Vamshi Surabhi <6562944+0x777@users.noreply.github.com>
GitOrigin-RevId: 3b8ee1e11f5ceca80fe294f8c074d42fbccfec63
2021-03-08 14:14:13 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_graphql_queries.py::TestGraphQLQueryFunctionPermissions
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_graphql_mutations.py::TestGraphQLMutationFunctions
[Preview] Inherited roles for postgres read queries
fixes #3868
docker image - `hasura/graphql-engine:inherited-roles-preview-48b73a2de`
Note:
To be able to use the inherited roles feature, the graphql-engine should be started with the env variable `HASURA_GRAPHQL_EXPERIMENTAL_FEATURES` set to `inherited_roles`.
Introduction
------------
This PR implements the idea of multiple roles as presented in this [paper](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/FGALanguageICDE07.pdf). The multiple roles feature in this PR can be used via inherited roles. An inherited role is a role which can be created by combining multiple singular roles. For example, if there are two roles `author` and `editor` configured in the graphql-engine, then we can create a inherited role with the name of `combined_author_editor` role which will combine the select permissions of the `author` and `editor` roles and then make GraphQL queries using the `combined_author_editor`.
How are select permissions of different roles are combined?
------------------------------------------------------------
A select permission includes 5 things:
1. Columns accessible to the role
2. Row selection filter
3. Limit
4. Allow aggregation
5. Scalar computed fields accessible to the role
Suppose there are two roles, `role1` gives access to the `address` column with row filter `P1` and `role2` gives access to both the `address` and the `phone` column with row filter `P2` and we create a new role `combined_roles` which combines `role1` and `role2`.
Let's say the following GraphQL query is queried with the `combined_roles` role.
```graphql
query {
employees {
address
phone
}
}
```
This will translate to the following SQL query:
```sql
select
(case when (P1 or P2) then address else null end) as address,
(case when P2 then phone else null end) as phone
from employee
where (P1 or P2)
```
The other parameters of the select permission will be combined in the following manner:
1. Limit - Minimum of the limits will be the limit of the inherited role
2. Allow aggregations - If any of the role allows aggregation, then the inherited role will allow aggregation
3. Scalar computed fields - same as table column fields, as in the above example
APIs for inherited roles:
----------------------
1. `add_inherited_role`
`add_inherited_role` is the [metadata API](https://hasura.io/docs/1.0/graphql/core/api-reference/index.html#schema-metadata-api) to create a new inherited role. It accepts two arguments
`role_name`: the name of the inherited role to be added (String)
`role_set`: list of roles that need to be combined (Array of Strings)
Example:
```json
{
"type": "add_inherited_role",
"args": {
"role_name":"combined_user",
"role_set":[
"user",
"user1"
]
}
}
```
After adding the inherited role, the inherited role can be used like single roles like earlier
Note:
An inherited role can only be created with non-inherited/singular roles.
2. `drop_inherited_role`
The `drop_inherited_role` API accepts the name of the inherited role and drops it from the metadata. It accepts a single argument:
`role_name`: name of the inherited role to be dropped
Example:
```json
{
"type": "drop_inherited_role",
"args": {
"role_name":"combined_user"
}
}
```
Metadata
---------
The derived roles metadata will be included under the `experimental_features` key while exporting the metadata.
```json
{
"experimental_features": {
"derived_roles": [
{
"role_name": "manager_is_employee_too",
"role_set": [
"employee",
"manager"
]
}
]
}
}
```
Scope
------
Only postgres queries and subscriptions are supported in this PR.
Important points:
-----------------
1. All columns exposed to an inherited role will be marked as `nullable`, this is done so that cell value nullification can be done.
TODOs
-------
- [ ] Tests
- [ ] Test a GraphQL query running with a inherited role without enabling inherited roles in experimental features
- [] Tests for aggregate queries, limit, computed fields, functions, subscriptions (?)
- [ ] Introspection test with a inherited role (nullability changes in a inherited role)
- [ ] Docs
- [ ] Changelog
Co-authored-by: Vamshi Surabhi <6562944+0x777@users.noreply.github.com>
GitOrigin-RevId: 3b8ee1e11f5ceca80fe294f8c074d42fbccfec63
2021-03-08 14:14:13 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_INFER_FUNCTION_PERMISSIONS
unset HASURA_GRAPHQL_ADMIN_SECRET
[Preview] Inherited roles for postgres read queries
fixes #3868
docker image - `hasura/graphql-engine:inherited-roles-preview-48b73a2de`
Note:
To be able to use the inherited roles feature, the graphql-engine should be started with the env variable `HASURA_GRAPHQL_EXPERIMENTAL_FEATURES` set to `inherited_roles`.
Introduction
------------
This PR implements the idea of multiple roles as presented in this [paper](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/FGALanguageICDE07.pdf). The multiple roles feature in this PR can be used via inherited roles. An inherited role is a role which can be created by combining multiple singular roles. For example, if there are two roles `author` and `editor` configured in the graphql-engine, then we can create a inherited role with the name of `combined_author_editor` role which will combine the select permissions of the `author` and `editor` roles and then make GraphQL queries using the `combined_author_editor`.
How are select permissions of different roles are combined?
------------------------------------------------------------
A select permission includes 5 things:
1. Columns accessible to the role
2. Row selection filter
3. Limit
4. Allow aggregation
5. Scalar computed fields accessible to the role
Suppose there are two roles, `role1` gives access to the `address` column with row filter `P1` and `role2` gives access to both the `address` and the `phone` column with row filter `P2` and we create a new role `combined_roles` which combines `role1` and `role2`.
Let's say the following GraphQL query is queried with the `combined_roles` role.
```graphql
query {
employees {
address
phone
}
}
```
This will translate to the following SQL query:
```sql
select
(case when (P1 or P2) then address else null end) as address,
(case when P2 then phone else null end) as phone
from employee
where (P1 or P2)
```
The other parameters of the select permission will be combined in the following manner:
1. Limit - Minimum of the limits will be the limit of the inherited role
2. Allow aggregations - If any of the role allows aggregation, then the inherited role will allow aggregation
3. Scalar computed fields - same as table column fields, as in the above example
APIs for inherited roles:
----------------------
1. `add_inherited_role`
`add_inherited_role` is the [metadata API](https://hasura.io/docs/1.0/graphql/core/api-reference/index.html#schema-metadata-api) to create a new inherited role. It accepts two arguments
`role_name`: the name of the inherited role to be added (String)
`role_set`: list of roles that need to be combined (Array of Strings)
Example:
```json
{
"type": "add_inherited_role",
"args": {
"role_name":"combined_user",
"role_set":[
"user",
"user1"
]
}
}
```
After adding the inherited role, the inherited role can be used like single roles like earlier
Note:
An inherited role can only be created with non-inherited/singular roles.
2. `drop_inherited_role`
The `drop_inherited_role` API accepts the name of the inherited role and drops it from the metadata. It accepts a single argument:
`role_name`: name of the inherited role to be dropped
Example:
```json
{
"type": "drop_inherited_role",
"args": {
"role_name":"combined_user"
}
}
```
Metadata
---------
The derived roles metadata will be included under the `experimental_features` key while exporting the metadata.
```json
{
"experimental_features": {
"derived_roles": [
{
"role_name": "manager_is_employee_too",
"role_set": [
"employee",
"manager"
]
}
]
}
}
```
Scope
------
Only postgres queries and subscriptions are supported in this PR.
Important points:
-----------------
1. All columns exposed to an inherited role will be marked as `nullable`, this is done so that cell value nullification can be done.
TODOs
-------
- [ ] Tests
- [ ] Test a GraphQL query running with a inherited role without enabling inherited roles in experimental features
- [] Tests for aggregate queries, limit, computed fields, functions, subscriptions (?)
- [ ] Introspection test with a inherited role (nullability changes in a inherited role)
- [ ] Docs
- [ ] Changelog
Co-authored-by: Vamshi Surabhi <6562944+0x777@users.noreply.github.com>
GitOrigin-RevId: 3b8ee1e11f5ceca80fe294f8c074d42fbccfec63
2021-03-08 14:14:13 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2018-10-28 21:27:49 +03:00
2022-01-11 14:21:49 +03:00
roles-inheritance)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH EXPERIMENTAL FEATURE: ROLES INHERITANCE ########>\n "
2018-10-28 21:27:49 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
export HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS = "true"
export HASURA_GRAPHQL_INFER_FUNCTION_PERMISSIONS = false
2018-10-28 21:27:49 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2021-09-06 15:26:45 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_roles_inheritance.py
2018-12-03 14:19:08 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_ADMIN_SECRET
unset HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS
unset HASURA_GRAPHQL_INFER_FUNCTION_PERMISSIONS
2018-12-03 14:19:08 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2018-12-03 14:19:08 +03:00
2022-05-26 14:54:30 +03:00
naming-conventions)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH EXPERIMENTAL FEATURE: NAMING CONVENTIONS ########>\n "
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM "
2022-06-30 08:55:50 +03:00
run_hge_with_args serve
wait_for_port 8080
2022-09-28 12:19:47 +03:00
unset HASURA_GRAPHQL_EXPERIMENTAL_FEATURES
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_naming_conventions.py
2022-06-30 08:55:50 +03:00
kill_hge_servers
2022-07-06 15:12:55 +03:00
2022-05-27 08:55:45 +03:00
export HASURA_GRAPHQL_EXPERIMENTAL_FEATURES = naming_convention
2022-05-26 14:54:30 +03:00
run_hge_with_args serve
wait_for_port 8080
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_naming_conventions.py
2022-05-26 14:54:30 +03:00
kill_hge_servers
# We are now going to test by setting the default naming convention to
# graphql-default. So now we don't need to set the naming convention in
# source customisation
export HASURA_GRAPHQL_DEFAULT_NAMING_CONVENTION = "graphql-default"
run_hge_with_args serve
wait_for_port 8080
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_naming_conventions.py
2022-05-26 14:54:30 +03:00
unset HASURA_GRAPHQL_ADMIN_SECRET
2022-07-06 15:12:55 +03:00
export HASURA_GRAPHQL_EXPERIMENTAL_FEATURES = $DEFAULT_HASURA_EXPERIMENTAL_FEATURES
2022-05-26 14:54:30 +03:00
unset HASURA_GRAPHQL_DEFAULT_NAMING_CONVENTION
kill_hge_servers
; ;
2022-04-22 22:53:12 +03:00
streaming-subscriptions)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH STREAMING SUBSCRIPTIONS #########################>\n "
2022-10-13 12:32:33 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2022-04-22 22:53:12 +03:00
2022-10-13 12:32:33 +03:00
run_hge_with_args serve
wait_for_port 8080
2022-04-22 22:53:12 +03:00
2022-10-13 12:32:33 +03:00
# run all the subscriptions tests with streaming subscriptions enabled
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_subscriptions.py
2022-04-22 22:53:12 +03:00
2022-10-13 12:32:33 +03:00
# run test `TestSubscriptionBasicNoAuth` in case of no authentication for Apollo-ws protocol
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_subscriptions.py::TestSubscriptionBasicNoAuth
2022-10-20 08:56:11 +03:00
2022-10-13 12:32:33 +03:00
unset HASURA_GRAPHQL_ADMIN_SECRET
unset HASURA_GRAPHQL_EXPERIMENTAL_FEATURES
2022-04-22 22:53:12 +03:00
2022-10-13 12:32:33 +03:00
kill_hge_servers
; ;
2022-04-22 22:53:12 +03:00
2022-01-11 14:21:49 +03:00
query-caching)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE QUERY CACHING #####################################>\n "
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2018-12-03 14:19:08 +03:00
2022-01-11 14:21:49 +03:00
# use only one capability to disable cache striping
run_hge_with_args +RTS -N1 -RTS serve
wait_for_port 8080
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_graphql_queries.py::TestGraphQLQueryCaching
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2018-10-28 21:27:49 +03:00
2022-01-11 14:21:49 +03:00
query-logs)
# verbose logging tests
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH QUERY LOG ########>\n "
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2018-10-28 21:27:49 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ENABLED_LOG_TYPES = " startup,http-log,webhook-log,websocket-log,query-log"
export HASURA_GRAPHQL_LOG_LEVEL = "debug"
2021-03-02 19:51:08 +03:00
2022-01-11 14:21:49 +03:00
#run_hge_with_args serve
# we are doing this instead of calling run_hge_with_args, because we want to save in a custom log file
set -x
export LOGGING_TEST_LOGFILE_PATH = " $OUTPUT_FOLDER /graphql-engine-verbose-logging.log "
2022-09-28 19:06:54 +03:00
" $GRAPHQL_ENGINE " serve >" $LOGGING_TEST_LOGFILE_PATH " 2>& 1 &
HGE_PIDS = ( " ${ HGE_PIDS [@] } " $! )
2022-01-11 14:21:49 +03:00
set +x
2021-03-02 19:51:08 +03:00
2022-01-11 14:21:49 +03:00
wait_for_port 8080
2021-03-02 19:51:08 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--test-logging \
test_logging.py
2021-03-02 19:51:08 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_ENABLED_LOG_TYPES
kill_hge_servers
2021-03-02 19:51:08 +03:00
2022-11-08 10:36:26 +03:00
# configurable jwk-refresh-log test
unset HASURA_GRAPHQL_AUTH_HOOK
unset HASURA_GRAPHQL_AUTH_HOOK_MODE
unset HASURA_GRAPHQL_JWT_SECRET
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH JWK REFRESH LOG ########> \n "
export JWK_SERVER_URL = 'http://localhost:5001'
# Start the JWK server.
# There is a fixture to do this, but when running in this fashion, we need to
# start the JWK server first so the HGE server can communicate with it.
python3 jwk_server.py >" $OUTPUT_FOLDER /configurable_log.log " 2>& 1 &
JWKS_PID = $!
wait_for_port 5001
2022-11-08 19:47:25 +03:00
echo "Test: jwk-refresh-log type logs is enabled by default"
2022-11-08 10:36:26 +03:00
export HASURA_GRAPHQL_JWT_SECRET = " {\"jwk_url\": \" ${ JWK_SERVER_URL } /jwk-cache-control?no-cache=true\"} "
#run_hge_with_args serve
# we are doing this instead of calling run_hge_with_args, because we want to save in a custom log file
set -x
export LOGGING_TEST_LOGFILE_PATH = " $OUTPUT_FOLDER /graphql-engine-verbose-logging.log "
" $GRAPHQL_ENGINE " serve >" $LOGGING_TEST_LOGFILE_PATH " 2>& 1 &
HGE_PIDS = ( " ${ HGE_PIDS [@] } " $! )
set +x
wait_for_port 8080
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--test-logging \
test_logging.py::TestConfiguragbleLogs
kill_hge_servers
echo "Test: no jwk-refresh-log type logs if it is not enabled"
export HASURA_GRAPHQL_ENABLED_LOG_TYPES = " startup,http-log,webhook-log,websocket-log,query-log"
#run_hge_with_args serve
# we are doing this instead of calling run_hge_with_args, because we want to save in a custom log file
set -x
export LOGGING_TEST_LOGFILE_PATH = " $OUTPUT_FOLDER /graphql-engine-verbose-logging.log "
" $GRAPHQL_ENGINE " serve >" $LOGGING_TEST_LOGFILE_PATH " 2>& 1 &
HGE_PIDS = ( " ${ HGE_PIDS [@] } " $! )
set +x
wait_for_port 8080
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--test-logging \
test_logging.py::TestConfiguragbleLogs
kill_hge_servers
unset HASURA_GRAPHQL_ENABLED_LOG_TYPES
unset HASURA_GRAPHQL_JWT_SECRET
unset JWK_SERVER_URL
kill $JWKS_PID
2022-01-11 14:21:49 +03:00
# end verbose logging tests
; ;
2021-03-02 19:51:08 +03:00
2022-02-09 08:13:32 +03:00
startup-db-calls)
# verbose logging tests
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE STARTUP DB CALLS ########>\n "
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
export HASURA_GRAPHQL_ENABLED_LOG_TYPES = " startup,http-log,webhook-log,websocket-log,query-log"
export HASURA_GRAPHQL_LOG_LEVEL = "debug"
#run_hge_with_args serve
# we are doing this instead of calling run_hge_with_args, because we want to save in a custom log file
set -x
export LOGGING_TEST_LOGFILE_PATH = " $OUTPUT_FOLDER /graphql-engine-verbose-logging-db.log "
2022-09-28 19:06:54 +03:00
" $GRAPHQL_ENGINE " serve >" $LOGGING_TEST_LOGFILE_PATH " 2>& 1 &
HGE_PIDS = ( " ${ HGE_PIDS [@] } " $! )
2022-02-09 08:13:32 +03:00
set +x
wait_for_port 8080
2022-02-28 08:15:21 +03:00
kill_hge_servers
# end verbose logging
2022-02-09 08:13:32 +03:00
2022-02-28 08:15:21 +03:00
# running HGE server again for pytest, the test will use the log generated from the previous run
# see https://github.com/hasura/graphql-engine-mono/pull/3813 for more information
run_hge_with_args serve
wait_for_port 8080
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--test-startup-db-calls \
test_startup_db_calls.py
2022-02-09 08:13:32 +03:00
kill_hge_servers
2022-02-28 08:15:21 +03:00
unset HASURA_GRAPHQL_ENABLED_LOG_TYPES
unset HASURA_GRAPHQL_LOG_LEVEL
unset HASURA_GRAPHQL_ADMIN_SECRET
unset LOGGING_TEST_LOGFILE_PATH
2022-02-09 08:13:32 +03:00
; ;
2022-02-21 12:59:02 +03:00
read-only-db)
## read-only DB tests; Hasura should start and run read queries against a read-only DB
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH READ-ONLY DATABASE ########>\n "
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
export HASURA_GRAPHQL_ENABLED_LOG_TYPES = "startup,http-log,webhook-log,websocket-log,query-log"
export HASURA_GRAPHQL_LOG_LEVEL = "debug"
export HASURA_GRAPHQL_DEV_MODE = "false"
export HASURA_GRAPHQL_ADMIN_INTERNAL_ERRORS = "false"
# setup the database for read-only access
# 'test_graphql_read_only_source.py' assumes 'HASURA_READONLY_DB_URL' is set
# Note: setting default_transaction_mode to read-only etc. doesn't work for
# DDL statements. To replicate read-only access even for DDLs, we need to
# create a read-only user
readonly_sql = $( cat <<EOF
CREATE USER hasuraro WITH PASSWORD 'passme' ;
GRANT CONNECT ON DATABASE pg_source_1 TO hasuraro;
GRANT USAGE ON SCHEMA public TO hasuraro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO hasuraro;
GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO hasuraro;
GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO hasuraro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO hasuraro;
EOF
)
psql " $HASURA_GRAPHQL_PG_SOURCE_URL_1 " -c " $readonly_sql "
2022-11-15 22:07:34 +03:00
PG_URL_HOST_PORT = " $( sed -E 's#^postgresql://.+?@([^/]+)/.*#\1#' <<< " $HASURA_GRAPHQL_PG_SOURCE_URL_1 " ) "
export HASURA_READONLY_DB_URL = " postgresql://hasuraro:passme@ ${ PG_URL_HOST_PORT } /pg_source_1 "
2022-02-21 12:59:02 +03:00
run_hge_with_args serve
wait_for_port 8080
# and then test graphql queries work
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_REPORTING_ARGS [@] } " \
--hge-urls " $HGE_URL " \
2022-02-21 12:59:02 +03:00
--pg-urls " $HASURA_GRAPHQL_PG_SOURCE_URL_1 " \
--test-read-only-source \
test_graphql_read_only_source.py
unset HASURA_GRAPHQL_ENABLED_LOG_TYPES
kill_hge_servers
# end read-only DB tests
; ;
2022-01-11 14:21:49 +03:00
remote-schema-https)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH SECURE REMOTE SCHEMA #########################>\n "
2021-03-02 19:51:08 +03:00
2022-08-15 17:57:55 +03:00
OLD_REMOTE_SCHEMAS_WEBHOOK_DOMAIN = " ${ REMOTE_SCHEMAS_WEBHOOK_DOMAIN } "
2022-10-13 18:43:59 +03:00
export REMOTE_SCHEMAS_WEBHOOK_DOMAIN = "https://localhost:5000"
2022-01-11 14:21:49 +03:00
init_ssl
2021-03-02 19:51:08 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2021-01-29 08:48:17 +03:00
2022-10-13 18:43:59 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
--tls-ca-cert= " $OUTPUT_FOLDER /ssl/ca.pem " --tls-ca-key= " $OUTPUT_FOLDER /ssl/ca-key.pem " \
2022-10-13 18:43:59 +03:00
test_schema_stitching.py::TestRemoteSchemaBasic
2021-01-29 08:48:17 +03:00
2022-08-15 17:57:55 +03:00
export REMOTE_SCHEMAS_WEBHOOK_DOMAIN = " ${ OLD_REMOTE_SCHEMAS_WEBHOOK_DOMAIN } "
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2018-12-03 14:19:08 +03:00
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
webhook-request-context)
2022-01-11 18:28:36 +03:00
webhook_tests_check_root
2021-02-03 10:10:39 +03:00
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
echo -e " \n $( time_elapsed) : <########## TEST WEBHOOK RECEIVES REQUEST DATA AS CONTEXT #########################>\n "
export HASURA_GRAPHQL_AUTH_HOOK = "http://localhost:5594/"
2022-01-11 18:28:36 +03:00
export HASURA_GRAPHQL_AUTH_HOOK_MODE = "POST"
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2021-02-03 10:10:39 +03:00
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
run_hge_with_args serve
wait_for_port 8080
2021-02-03 10:10:39 +03:00
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_webhook_request_context.py
2022-01-11 18:28:36 +03:00
kill_hge_servers
2022-01-11 14:21:49 +03:00
; ;
2018-12-03 14:19:08 +03:00
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
post-webhook)
2022-01-11 18:28:36 +03:00
webhook_tests_check_root
2018-12-03 14:19:08 +03:00
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET & WEBHOOK (POST) #########################>\n "
export HASURA_GRAPHQL_AUTH_HOOK = "https://localhost:9090/"
2022-01-11 18:28:36 +03:00
export HASURA_GRAPHQL_AUTH_HOOK_MODE = "POST"
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
init_ssl
2018-12-03 14:19:08 +03:00
2022-01-11 18:28:36 +03:00
run_hge_with_args serve
wait_for_port 8080
2018-12-03 14:19:08 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
--tls-ca-cert= " $OUTPUT_FOLDER /ssl/ca.pem " --tls-ca-key= " $OUTPUT_FOLDER /ssl/ca-key.pem " \
-- test_webhook.py
2022-01-11 18:28:36 +03:00
kill_hge_servers
2022-01-11 14:21:49 +03:00
; ;
2021-01-25 11:23:12 +03:00
2022-01-11 14:21:49 +03:00
get-webhook)
2022-01-11 18:28:36 +03:00
webhook_tests_check_root
2021-01-25 11:23:12 +03:00
2022-01-11 18:28:36 +03:00
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET & WEBHOOK (GET) #########################>\n "
export HASURA_GRAPHQL_AUTH_HOOK = "https://localhost:9090/"
export HASURA_GRAPHQL_AUTH_HOOK_MODE = "GET"
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
init_ssl
2021-01-25 11:23:12 +03:00
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
run_hge_with_args serve
wait_for_port 8080
2021-01-25 11:23:12 +03:00
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--tls-ca-cert= " $OUTPUT_FOLDER /ssl/ca.pem " --tls-ca-key= " $OUTPUT_FOLDER /ssl/ca-key.pem " \
-- test_webhook.py
2022-01-11 18:28:36 +03:00
kill_hge_servers
2022-01-11 14:21:49 +03:00
; ;
insecure-webhook)
2022-01-11 18:28:36 +03:00
webhook_tests_check_root
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET & HTTPS INSECURE WEBHOOK (GET) ########>\n "
export HASURA_GRAPHQL_AUTH_HOOK = "https://localhost:9090/"
export HASURA_GRAPHQL_AUTH_HOOK_MODE = "GET"
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
init_ssl
run_hge_with_args serve
wait_for_port 8080
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
--tls-ca-cert= " $OUTPUT_FOLDER /ssl/ca.pem " --tls-ca-key= " $OUTPUT_FOLDER /ssl/ca-key.pem " \
2022-08-22 08:11:43 +03:00
test_webhook_insecure.py
2022-01-11 18:28:36 +03:00
kill_hge_servers
2022-01-11 14:21:49 +03:00
; ;
2018-10-28 21:27:49 +03:00
2022-01-11 14:21:49 +03:00
insecure-webhook-with-admin-secret)
2022-01-11 18:28:36 +03:00
webhook_tests_check_root
2018-10-28 21:27:49 +03:00
2022-01-11 18:28:36 +03:00
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ADMIN_SECRET & HTTPS INSECURE WEBHOOK WITH ADMIN SECRET (POST) ########>\n "
export HASURA_GRAPHQL_AUTH_HOOK = "https://localhost:9090/"
export HASURA_GRAPHQL_AUTH_HOOK_MODE = "POST"
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
init_ssl
2018-10-28 21:27:49 +03:00
2022-01-11 18:28:36 +03:00
run_hge_with_args serve
wait_for_port 8080
2018-10-28 21:27:49 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
server/tests-py: Start webhook.py inside the test harness.
We use a helper service to start a webhook-based authentication service for some tests. This moves the initialization of the service out of _test-server.sh_ and into the Python test harness, as a fixture.
In order to do this, I had to make a few changes. The main deviation is that we no longer run _all_ tests against an HGE with this authentication service, just a few (those in _test_webhook.py_). Because this reduced coverage, I have added some more tests there, which actually cover some areas not exacerbated elsewhere (mainly trying to use webhook credentials to talk to an admin-only endpoint).
The webhook service can run both with and without TLS, and decide whether it's necessary to skip one of these based on the arguments passed and how HGE is started, according to the following logic:
* If a TLS CA certificate is passed in, it will run with TLS, otherwise it will skip it.
* If HGE was started externally and a TLS certificate is provided, it will skip running without TLS, as it will assume that HGE was configured to talk to a webhook over HTTPS.
* Some tests should only be run with TLS; this is marked with a `tls_webhook_server` marker.
* Some tests should only be run _without_ TLS; this is marked with a `no_tls_webhook_server` marker.
The actual parameterization of the webhook service configuration is done through test subclasses, because normal pytest parameterization doesn't work with the `hge_fixture_env` hack that we use. Because `hge_fixture_env` is not a sanctioned way of conveying data between fixtures (and, unfortunately, there isn't a sanctioned way of doing this when the fixtures in question may not know about each other directly), parameterizing the `webhook_server` fixture doesn't actually parameterize `hge_server` properly. Subclassing forces this to work correctly.
The certificate generation is moved to a Python fixture, so that we don't have to revoke the CA certificate for _test_webhook_insecure.py_; we can just generate a bogus certificate instead. The CA certificate is still generated in the _test-server.sh_ script, as it needs to be installed into the OS certificate store.
Interestingly, the CA certificate installation wasn't actually working, because the certificates were written to the wrong location. This didn't cause any failures, as we weren't actually testing this behavior. This is now fixed with the other changes.
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6363
GitOrigin-RevId: 0f277d374daa64f657257ed2a4c2057c74b911db
2022-10-20 21:58:36 +03:00
--tls-ca-cert= " $OUTPUT_FOLDER /ssl/ca.pem " --tls-ca-key= " $OUTPUT_FOLDER /ssl/ca-key.pem " \
2022-08-22 08:11:43 +03:00
test_webhook_insecure.py
2019-02-14 08:58:38 +03:00
2022-01-11 18:28:36 +03:00
kill_hge_servers
2022-01-11 14:21:49 +03:00
; ;
2018-10-28 21:27:49 +03:00
2022-07-25 18:53:25 +03:00
apollo-federation)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH APOLLO FEDERATION ########>\n "
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM "
2023-03-15 11:14:20 +03:00
export HASURA_GRAPHQL_ENABLE_APOLLO_FEDERATION = true
2022-07-25 18:53:25 +03:00
run_hge_with_args serve
wait_for_port 8080
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_apollo_federation.py
2022-07-25 18:53:25 +03:00
2023-03-15 11:14:20 +03:00
unset HASURA_GRAPHQL_ENABLE_APOLLO_FEDERATION
2022-07-25 18:53:25 +03:00
unset HASURA_GRAPHQL_ADMIN_SECRET
kill_hge_servers
; ;
2022-01-11 14:21:49 +03:00
allowlist-queries)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH ALLOWLIST QUERIES ########> \n "
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
export HASURA_GRAPHQL_ENABLE_ALLOWLIST = true
2019-05-16 09:13:25 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2019-05-16 09:13:25 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
test_allowlist_queries.py
2019-05-16 09:13:25 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2021-08-03 14:11:01 +03:00
2022-01-11 14:21:49 +03:00
developer-api-tests)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH DEVELOPER API ENABLED ########>\n "
export HASURA_GRAPHQL_ENABLED_APIS = "metadata,graphql,developer,config,pgdump"
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
2021-07-16 19:08:23 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve --enabled-apis " $HASURA_GRAPHQL_ENABLED_APIS "
wait_for_port 8080
2021-07-16 19:08:23 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
2022-09-29 13:42:47 +03:00
test_dev_endpoints.py
2021-07-16 19:08:23 +03:00
2022-01-11 14:21:49 +03:00
unset HASURA_GRAPHQL_ENABLED_APIS
2021-07-16 19:08:23 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2019-05-16 09:13:25 +03:00
2022-01-11 14:21:49 +03:00
jwk-url)
# TODO(swann): ditto, these have to be parallelised
2019-05-16 09:13:25 +03:00
2022-01-11 14:21:49 +03:00
# jwk test
unset HASURA_GRAPHQL_AUTH_HOOK
unset HASURA_GRAPHQL_AUTH_HOOK_MODE
unset HASURA_GRAPHQL_JWT_SECRET
2019-12-03 23:56:59 +03:00
2022-01-11 14:21:49 +03:00
export HASURA_GRAPHQL_ADMIN_SECRET = " HGE $RANDOM $RANDOM "
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH JWK URL ########> \n "
2019-12-03 23:56:59 +03:00
2022-10-13 18:43:59 +03:00
export JWK_SERVER_URL = 'http://localhost:5001'
# Start the JWK server.
# There is a fixture to do this, but when running in this fashion, we need to
# start the JWK server first so the HGE server can communicate with it.
2022-01-11 14:21:49 +03:00
python3 jwk_server.py >" $OUTPUT_FOLDER /jwk_server.log " 2>& 1 &
JWKS_PID = $!
wait_for_port 5001
2019-12-03 23:56:59 +03:00
2022-01-28 03:17:53 +03:00
echo "Test: Cache-Control with max-age=3"
2022-10-13 18:43:59 +03:00
export HASURA_GRAPHQL_JWT_SECRET = " {\"jwk_url\": \" ${ JWK_SERVER_URL } /jwk-cache-control?max-age=3\"} "
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2019-12-03 23:56:59 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
2022-10-13 18:43:59 +03:00
-- 'test_jwk.py::test_cache_control_header_max_age'
2019-12-03 23:56:59 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
unset HASURA_GRAPHQL_JWT_SECRET
2019-12-03 23:56:59 +03:00
2022-03-15 10:35:26 +03:00
echo "Test: Cache-Control with must-revalidate, max-age=3"
2022-10-13 18:43:59 +03:00
export HASURA_GRAPHQL_JWT_SECRET = " {\"jwk_url\": \" ${ JWK_SERVER_URL } /jwk-cache-control?max-age=3&must-revalidate=true\"} "
2022-03-15 10:35:26 +03:00
run_hge_with_args serve
wait_for_port 8080
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
2022-10-13 18:43:59 +03:00
-- 'test_jwk.py::test_cache_control_header_max_age_must_revalidate'
2022-03-15 10:35:26 +03:00
kill_hge_servers
unset HASURA_GRAPHQL_JWT_SECRET
2022-01-28 03:17:53 +03:00
echo "Test: Cache-Control with must-revalidate"
2022-10-13 18:43:59 +03:00
export HASURA_GRAPHQL_JWT_SECRET = " {\"jwk_url\": \" ${ JWK_SERVER_URL } /jwk-cache-control?must-revalidate=true\"} "
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2019-12-03 23:56:59 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
2022-10-13 18:43:59 +03:00
-- 'test_jwk.py::test_cache_control_header_must_revalidate'
2019-12-03 23:56:59 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
unset HASURA_GRAPHQL_JWT_SECRET
2019-12-03 23:56:59 +03:00
2022-01-28 03:17:53 +03:00
echo "Test: Cache-Control with no-cache, public"
2022-10-13 18:43:59 +03:00
export HASURA_GRAPHQL_JWT_SECRET = " {\"jwk_url\": \" ${ JWK_SERVER_URL } /jwk-cache-control?no-cache=true&public=true\"} "
2022-01-28 03:17:53 +03:00
run_hge_with_args serve
2022-01-11 14:21:49 +03:00
wait_for_port 8080
2019-12-03 23:56:59 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
2022-10-13 18:43:59 +03:00
-- 'test_jwk.py::test_cache_control_header_no_cache_public'
2019-12-03 23:56:59 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
2022-01-28 03:17:53 +03:00
unset HASURA_GRAPHQL_JWT_SECRET
2019-12-03 23:56:59 +03:00
2022-01-28 03:17:53 +03:00
echo "Test: Cache-Control with no-store, max-age=3"
2022-10-13 18:43:59 +03:00
export HASURA_GRAPHQL_JWT_SECRET = " {\"jwk_url\": \" ${ JWK_SERVER_URL } /jwk-cache-control?no-store=true&max-age=3\"} "
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2020-02-05 10:07:31 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
2022-10-13 18:43:59 +03:00
-- 'test_jwk.py::test_cache_control_header_no_store_max_age'
2020-02-05 10:07:31 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
unset HASURA_GRAPHQL_JWT_SECRET
2020-02-05 10:07:31 +03:00
2022-01-28 03:17:53 +03:00
echo "Test: Expires with three second expiry"
2022-10-13 18:43:59 +03:00
export HASURA_GRAPHQL_JWT_SECRET = " {\"jwk_url\": \" ${ JWK_SERVER_URL } /jwk-expires?seconds=3\"} "
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2020-02-05 10:07:31 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
2022-10-13 18:43:59 +03:00
-- 'test_jwk.py::test_expires_header'
2020-02-05 10:07:31 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
unset HASURA_GRAPHQL_JWT_SECRET
2020-02-05 10:07:31 +03:00
2022-01-11 14:21:49 +03:00
kill $JWKS_PID
2019-12-03 23:56:59 +03:00
2022-01-11 14:21:49 +03:00
# end jwk url test
; ;
2019-12-03 23:56:59 +03:00
2022-01-11 14:21:49 +03:00
horizontal-scaling)
# horizontal scale test
unset HASURA_GRAPHQL_AUTH_HOOK
unset HASURA_GRAPHQL_AUTH_HOOK_MODE
unset HASURA_GRAPHQL_ADMIN_SECRET
2019-03-12 08:46:27 +03:00
2022-01-11 14:21:49 +03:00
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH HORIZONTAL SCALING ########>\n "
2019-03-12 08:46:27 +03:00
2022-01-11 14:21:49 +03:00
HASURA_HS_TEST_DB = 'postgresql://postgres:postgres@localhost:6543/hs_hge_test'
2019-04-08 10:22:38 +03:00
2022-01-11 14:21:49 +03:00
if ! psql " $HASURA_GRAPHQL_DATABASE_URL " -c "SELECT 1 FROM pg_database WHERE datname = 'hs_hge_test'" | grep -q -F '(1 row)' ; then
psql " $HASURA_GRAPHQL_DATABASE_URL " -c 'CREATE DATABASE hs_hge_test;'
fi
2019-04-08 10:22:38 +03:00
2022-01-11 14:21:49 +03:00
pgUserInfo = $( python3 -c '
2019-04-08 10:22:38 +03:00
import os
from urllib.parse import urlparse
uri = urlparse( os.environ[ "HASURA_GRAPHQL_DATABASE_URL" ] )
if uri.password:
print( "password=" +uri.password+" user=" +uri.username)
else :
2022-01-11 14:21:49 +03:00
print( "user=" +uri.username) ' )
2019-04-08 10:22:38 +03:00
2022-01-11 14:21:49 +03:00
pgDbInfo = $( psql " $HASURA_GRAPHQL_DATABASE_URL " -c "SELECT concat(' host=',inet_server_addr(),' port=', inet_server_port(),' dbname=',current_database())" | sed -n '3 p' )
2019-03-12 08:46:27 +03:00
2022-01-11 14:21:49 +03:00
# create pgbouncer user
id pgbouncer || useradd pgbouncer
2022-09-28 19:06:54 +03:00
cd " $CIRCLECI_FOLDER "
2022-01-11 14:21:49 +03:00
mkdir -p pgbouncer
chown -R pgbouncer:pgbouncer pgbouncer
2019-03-12 08:46:27 +03:00
2022-01-11 14:21:49 +03:00
echo ' [ databases]
2019-04-08 10:22:38 +03:00
hs_hge_test = '"$pgDbInfo" "$pgUserInfo"'
[ pgbouncer]
listen_port = 6543
listen_addr = 127.0.0.1
logfile = pgbouncer/pgbouncer.log
pidfile = pgbouncer/pgbouncer.pid
auth_type = md5
auth_file = pgbouncer/users.txt
2022-01-11 14:21:49 +03:00
admin_users = postgres' >pgbouncer/pgbouncer.ini
2019-04-08 10:22:38 +03:00
2022-01-11 14:21:49 +03:00
# start pgbouncer
pgbouncer -u pgbouncer -d pgbouncer/pgbouncer.ini
2019-03-12 08:46:27 +03:00
2022-09-28 19:06:54 +03:00
cd " $PYTEST_ROOT "
2022-01-11 14:21:49 +03:00
sleep 2
2019-03-12 08:46:27 +03:00
2022-01-11 14:21:49 +03:00
# start 1st server
run_hge_with_args --database-url " $HASURA_HS_TEST_DB " serve
wait_for_port 8080
2019-03-12 08:46:27 +03:00
2022-01-11 14:21:49 +03:00
# start 2nd server
run_hge_with_args --database-url " $HASURA_HS_TEST_DB " serve \
--server-port 8081
wait_for_port 8081
2019-03-12 08:46:27 +03:00
2022-01-11 14:21:49 +03:00
# run test
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--test-hge-scale-url= "http://localhost:8081" \
test_horizontal_scale.py
2019-03-12 08:46:27 +03:00
2022-01-11 14:21:49 +03:00
# Shutdown pgbouncer
psql "postgresql://postgres:postgres@localhost:6543/pgbouncer" -c "SHUTDOWN;" || true
2019-03-12 08:46:27 +03:00
2022-09-28 19:06:54 +03:00
cd " $CIRCLECI_FOLDER "
2019-03-12 08:46:27 +03:00
2022-01-11 14:21:49 +03:00
# start pgbouncer again
pgbouncer -u pgbouncer -d pgbouncer/pgbouncer.ini
2019-03-12 08:46:27 +03:00
2022-09-28 19:06:54 +03:00
cd " $PYTEST_ROOT "
2019-03-12 08:46:27 +03:00
2022-01-11 14:21:49 +03:00
# sleep for 20 seconds
sleep 20
2019-03-12 08:46:27 +03:00
2022-01-11 14:21:49 +03:00
# run test
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--test-hge-scale-url= "http://localhost:8081" \
test_horizontal_scale.py
2019-03-12 08:46:27 +03:00
2022-01-11 14:21:49 +03:00
# Shutdown pgbouncer
psql "postgresql://postgres:postgres@localhost:6543/pgbouncer" -c "SHUTDOWN;" || true
2019-03-12 08:46:27 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
2019-04-08 10:22:38 +03:00
2022-01-11 14:21:49 +03:00
psql " $HASURA_GRAPHQL_DATABASE_URL " -c "drop database hs_hge_test;"
sleep 4
unset HASURA_HS_TEST_DB
2019-03-12 08:46:27 +03:00
2022-01-11 14:21:49 +03:00
# end horizontal scale test
; ;
#
# ###########################################
# the following backend-* tests are excluded from `server-test-names.txt`
# and are run via their respective `test_oss_server_*` jobs
#
# [Specifying Pytests with -k flag]
# tests are run with the -k flag to filter on common and
# backend-specific test classes using keyword expressions.
#
# this reduces the number of unrelated tests skipped, which
# avoids an increasingly negative impact on our test run
# time as we add more backends and tests.
#
2022-08-22 08:11:43 +03:00
# https://docs..org/en/6.2.x/usage.html#specifying-tests-selecting-tests
2022-01-13 17:28:03 +03:00
# https://github.com/hasura/graphql-engine/blob/master/server/py-tests/README.md#running-bigquery-tests
2022-01-11 14:21:49 +03:00
#
backend-mssql)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH SQL SERVER BACKEND ###########################################>\n "
2021-06-14 10:30:52 +03:00
2022-05-27 08:55:45 +03:00
export HASURA_GRAPHQL_EXPERIMENTAL_FEATURES = naming_convention
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2021-06-14 10:30:52 +03:00
2022-01-11 14:21:49 +03:00
source_data_sources_utils
add_mssql_source 8080 " $HASURA_GRAPHQL_MSSQL_SOURCE_URL "
2021-07-01 17:40:05 +03:00
2022-01-11 14:21:49 +03:00
# See note [Specifying Pytests with -k flag]
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--backend= mssql \
-k "MSSQL"
2021-07-01 17:40:05 +03:00
2022-01-11 14:21:49 +03:00
# start inherited roles test
echo -e " \n $( time_elapsed) : <########## TEST INHERITED-ROLES WITH SQL SERVER BACKEND ###########################################>\n "
2021-07-08 23:49:10 +03:00
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--backend= mssql \
-k TestGraphQLInheritedRolesMSSQL
2021-07-08 23:49:10 +03:00
2022-01-11 14:21:49 +03:00
# end inherited roles test
2021-07-08 23:49:10 +03:00
2022-05-26 14:54:30 +03:00
# start naming conventions test (failure for other than postgres backend)
echo -e " \n $( time_elapsed) : <########## TEST NAMING CONVENTIONS WITH SQL SERVER BACKEND ###########################################>\n "
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--backend mssql \
-k TestNamingConventionsFailure
2022-07-06 15:12:55 +03:00
export HASURA_GRAPHQL_EXPERIMENTAL_FEATURES = $DEFAULT_HASURA_EXPERIMENTAL_FEATURES
2022-05-26 14:54:30 +03:00
# end naming conventions test
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
backend-citus)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH CITUS BACKEND ###########################################>\n "
2021-07-01 17:40:05 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2021-07-01 17:40:05 +03:00
2022-01-11 14:21:49 +03:00
source_data_sources_utils
add_citus_source 8080 " $HASURA_GRAPHQL_CITUS_SOURCE_URL "
2021-06-14 10:30:52 +03:00
2022-01-11 14:21:49 +03:00
# See note [Specifying Pytests with -k flag]
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--backend= citus \
-k "Citus"
2021-08-12 19:47:33 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
backend-bigquery)
echo -e " \n $( time_elapsed) : <########## TEST GRAPHQL-ENGINE WITH BIGQUERY BACKEND ###########################################>\n "
2021-08-12 19:47:33 +03:00
2022-09-28 19:06:54 +03:00
# shellcheck source=../scripts/bigquery.sh
2022-01-25 11:26:32 +03:00
source " $CIRCLECI_FOLDER /../scripts/bigquery.sh " && verify_bigquery_pytest_env
2021-08-12 19:47:33 +03:00
2022-01-11 14:21:49 +03:00
run_hge_with_args serve
wait_for_port 8080
2021-08-12 19:47:33 +03:00
2022-01-25 11:26:32 +03:00
source_data_sources_utils
2022-01-11 14:21:49 +03:00
add_bigquery_source 8080
2021-10-12 20:58:46 +03:00
2022-01-11 14:21:49 +03:00
# See note [Specifying Pytests with -k flag]
2022-08-22 08:11:43 +03:00
pytest " ${ PYTEST_COMMON_ARGS [@] } " \
--backend= bigquery \
-k "Bigquery"
2021-06-14 10:30:52 +03:00
2022-01-11 14:21:49 +03:00
kill_hge_servers
; ;
2021-01-25 11:23:12 +03:00
esac
2019-03-12 08:46:27 +03:00
2021-01-25 11:23:12 +03:00
echo " Finished running tests on node $CIRCLE_NODE_INDEX of $CIRCLE_NODE_TOTAL "
2019-04-08 10:22:38 +03:00
echo -e " \n $( time_elapsed) : <########## DONE ########>\n "