chore(tests): backfill missing @Policy tests

Author: aaronArinder

apollo-router/src/plugins/authorization/policy.rs

@@ -144,7 +144,6 @@ impl traverse::Visitor for PolicyExtractionVisitor<'_> {
         node: &executable::Field,
     ) -> Result<(), BoxError> {
         self.get_policies_from_field(field_def);
-
         traverse::field(self, field_def, node)
     }
 
@@ -1334,6 +1333,140 @@ mod tests {
     }
     "#;
 
+    #[test]
+    fn interface_with_implementor_not_defining_field_level_policy() {
+        static SCHEMA: &str = r#"
+        schema
+          @link(url: "https://specs.apollo.dev/link/v1.0")
+          @link(url: "https://specs.apollo.dev/join/v0.3", for: EXECUTION)
+          @link(url: "https://specs.apollo.dev/policy/v0.1", for: SECURITY)
+        {
+          query: Query
+        }
+        directive @link(url: String, as: String, for: link__Purpose, import: [link__Import]) repeatable on SCHEMA
+        directive @policy(policies: [[String!]!]!) on OBJECT | FIELD_DEFINITION | INTERFACE | SCALAR | ENUM
+        scalar link__Import
+        enum link__Purpose {
+          """
+          `SECURITY` features provide metadata necessary to securely resolve fields.
+          """
+          SECURITY
+        
+          """
+          `EXECUTION` features provide metadata necessary for operation execution.
+          """
+          EXECUTION
+        }
+        type Query {
+          idList(id: ID!): IList
+        }
+        interface IList {
+          activeId: Int @policy(policies: [["read"]])
+        }
+
+        type BidList implements IList {
+          activeId: Int @policy(policies: [["read"]])
+        }
+
+        type PublisherList implements IList {
+          activeId: Int @policy(policies: [["read"]])
+        }
+
+        # NOTE: this doesn't have a field-level @policy
+        type FrequencyBidList implements IList {
+          activeId: Int 
+        }
+    "#;
+
+        static QUERY: &str = r#"
+        query TestIssue {
+          idList(id: "1") {
+            activeId 
+          }
+        }
+    "#;
+        let extracted_policies = extract(SCHEMA, QUERY);
+        // should have a duplicate test that provides the `read` policy instead of `HashSet::new()`,
+        // which should result in `successful_policies` to contain `read` as well
+        let read_policy: HashSet<String> = ["read".to_string()].into_iter().collect();
+        let (doc, paths) = filter(SCHEMA, QUERY, read_policy);
+        insta::assert_snapshot!(TestResult {
+            query: QUERY,
+            // this should have `read` as the extracted policy
+            extracted_policies: &extracted_policies,
+            successful_policies: vec!["read".to_string()],
+            result: doc,
+            paths
+        });
+    }
+
+    #[test]
+    fn interface_with_implementor_not_defining_type_level_policy() {
+        static SCHEMA: &str = r#"
+        schema
+          @link(url: "https://specs.apollo.dev/link/v1.0")
+          @link(url: "https://specs.apollo.dev/join/v0.3", for: EXECUTION)
+          @link(url: "https://specs.apollo.dev/policy/v0.1", for: SECURITY)
+        {
+          query: Query
+        }
+        directive @link(url: String, as: String, for: link__Purpose, import: [link__Import]) repeatable on SCHEMA
+        directive @policy(policies: [[String!]!]!) on OBJECT | FIELD_DEFINITION | INTERFACE | SCALAR | ENUM
+        scalar link__Import
+        enum link__Purpose {
+          """
+          `SECURITY` features provide metadata necessary to securely resolve fields.
+          """
+          SECURITY
+        
+          """
+          `EXECUTION` features provide metadata necessary for operation execution.
+          """
+          EXECUTION
+        }
+        type Query {
+          idList(id: ID!): IList
+        }
+        interface IList {
+          activeId: Int @policy(policies: [["read"]])
+        }
+
+        type BidList implements IList @policy(policies: [["read"]]){
+          activeId: Int @policy(policies: [["read"]])
+        }
+
+        type PublisherList implements IList @policy(policies: [["read"]]){
+          activeId: Int @policy(policies: [["read"]])
+        }
+
+        # NOTE: this doesn't have a type-level @policy
+        type FrequencyBidList implements IList {
+          activeId: Int 
+        }
+    "#;
+
+        static QUERY: &str = r#"
+        query TestIssue {
+          idList(id: "1") {
+            activeId 
+          }
+        }
+    "#;
+        let extracted_policies = extract(SCHEMA, QUERY);
+        // should have a duplicate test that provides the `read` policy instead of `HashSet::new()`,
+        // which should result in `successful_policies` to contain `read` as well
+        let read_policy: HashSet<String> = ["read".to_string()].into_iter().collect();
+        let (doc, paths) = filter(SCHEMA, QUERY, read_policy);
+        insta::assert_snapshot!(TestResult {
+            query: QUERY,
+            // this should have `read` as the extracted policy
+            extracted_policies: &extracted_policies,
+            successful_policies: vec!["read".to_string()],
+            result: doc,
+            paths
+        });
+    }
+
     #[test]
     fn interface_field() {
         static QUERY: &str = r#"

apollo-router/src/plugins/authorization/snapshots/apollo_router__plugins__authorization__policy__tests__interface_with_implementor_not_defining_field_level_policy.snap

@@ -0,0 +1,17 @@
+---
+source: apollo-router/src/plugins/authorization/policy.rs
+expression: "TestResult\n{\n    query: QUERY, extracted_policies: &extracted_policies,\n    successful_policies: vec![\"read\".to_string()], result: doc, paths\n}"
+---
+query:
+
+        query TestIssue {
+          idList(id: "1") {
+            activeId 
+          }
+        }
+    
+extracted_policies: {"read"}
+successful policies: ["read"]
+filtered:
+
+paths: ["/idList/activeId"]

apollo-router/src/plugins/authorization/snapshots/apollo_router__plugins__authorization__policy__tests__interface_with_implementor_not_defining_type_level_policy.snap

@@ -0,0 +1,17 @@
+---
+source: apollo-router/src/plugins/authorization/policy.rs
+expression: "TestResult\n{\n    query: QUERY, extracted_policies: &extracted_policies,\n    successful_policies: vec![\"read\".to_string()], result: doc, paths\n}"
+---
+query:
+
+        query TestIssue {
+          idList(id: "1") {
+            activeId 
+          }
+        }
+    
+extracted_policies: {"read"}
+successful policies: ["read"]
+filtered:
+
+paths: ["/idList"]

apollo-router/tests/fixtures/directives/policy/policy_basic_schema.graphql

@@ -0,0 +1,60 @@
+schema
+  @link(url: "https://specs.apollo.dev/link/v1.0")
+  @link(url: "https://specs.apollo.dev/join/v0.3", for: EXECUTION)
+  @link(url: "https://specs.apollo.dev/policy/v0.1", for: SECURITY)
+{
+  query: Query
+}
+
+directive @join__graph(name: String!, url: String!) on ENUM_VALUE
+directive @link(url: String, as: String, for: link__Purpose, import: [link__Import]) repeatable on SCHEMA
+directive @join__field(graph: join__Graph!, requires: join__FieldSet, provides: join__FieldSet, type: String, external: Boolean) repeatable on FIELD_DEFINITION | INPUT_FIELD_DEFINITION
+directive @join__type(graph: join__Graph!, key: join__FieldSet) repeatable on OBJECT | INTERFACE
+directive @join__owner(graph: join__Graph!) on OBJECT | INTERFACE
+directive @join__implements(graph: join__Graph!, interface: String!) repeatable on OBJECT | INTERFACE
+directive @join__unionMember(graph: join__Graph!, member: String!) repeatable on UNION
+directive @join__enumValue(graph: join__Graph!) repeatable on ENUM_VALUE
+directive @tag(name: String!) repeatable on FIELD_DEFINITION | INTERFACE | OBJECT | UNION
+directive @inaccessible on OBJECT | FIELD_DEFINITION | INTERFACE | UNION
+
+directive @policy(policies: [[String]]) on OBJECT | FIELD_DEFINITION | INTERFACE | SCALAR | ENUM
+
+enum join__Graph {
+  SUBGRAPH_A @join__graph(name: "subgraph_a", url: "http://localhost:4001/")
+}
+
+enum link__Purpose {
+    """
+    `SECURITY` features provide metadata necessary to securely resolve fields.
+    """
+    SECURITY
+  
+    """
+    `EXECUTION` features provide metadata necessary for operation execution.
+    """
+    EXECUTION
+}
+
+scalar federation__Scope
+scalar join__FieldSet
+scalar link__Import
+
+type Query 
+    @join__type(graph: SUBGRAPH_A)
+{  
+    private: Private @join__field(graph: SUBGRAPH_A) @policy(policies: [["admin"]])
+    public: Public @join__field(graph: SUBGRAPH_A)
+}
+
+type Private
+    @join__type(graph: SUBGRAPH_A)
+{
+    id: ID @join__field(graph: SUBGRAPH_A)
+}
+
+type Public 
+    @join__type(graph: SUBGRAPH_A)
+{
+    id: ID @join__field(graph: SUBGRAPH_A)
+}
+

apollo-router/tests/fixtures/directives/policy/policy_schema_with_interfaces.graphql

@@ -0,0 +1,78 @@
+schema
+  @link(url: "https://specs.apollo.dev/link/v1.0")
+  @link(url: "https://specs.apollo.dev/join/v0.3", for: EXECUTION)
+  @link(url: "https://specs.apollo.dev/policy/v0.1", for: SECURITY)
+{
+  query: Query
+}
+
+directive @join__graph(name: String!, url: String!) on ENUM_VALUE
+directive @link(url: String, as: String, for: link__Purpose, import: [link__Import]) repeatable on SCHEMA
+directive @join__field(graph: join__Graph!, requires: join__FieldSet, provides: join__FieldSet, type: String, external: Boolean) repeatable on FIELD_DEFINITION | INPUT_FIELD_DEFINITION
+directive @join__type(graph: join__Graph!, key: join__FieldSet) repeatable on OBJECT | INTERFACE
+directive @join__owner(graph: join__Graph!) on OBJECT | INTERFACE
+directive @join__implements(graph: join__Graph!, interface: String!) repeatable on OBJECT | INTERFACE
+directive @join__unionMember(graph: join__Graph!, member: String!) repeatable on UNION
+directive @join__enumValue(graph: join__Graph!) repeatable on ENUM_VALUE
+directive @tag(name: String!) repeatable on FIELD_DEFINITION | INTERFACE | OBJECT | UNION
+directive @inaccessible on OBJECT | FIELD_DEFINITION | INTERFACE | UNION
+
+directive @policy(policies: [[String]]) on OBJECT | FIELD_DEFINITION | INTERFACE | SCALAR | ENUM
+
+enum join__Graph {
+  SUBGRAPH_A @join__graph(name: "subgraph_a", url: "http://localhost:4001/")
+}
+
+enum link__Purpose {
+    """
+    `SECURITY` features provide metadata necessary to securely resolve fields.
+    """
+    SECURITY
+  
+    """
+    `EXECUTION` features provide metadata necessary for operation execution.
+    """
+    EXECUTION
+}
+
+scalar federation__Scope
+scalar join__FieldSet
+scalar link__Import
+
+type Query 
+    @join__type(graph: SUBGRAPH_A)
+{  
+    private: Private @join__field(graph: SUBGRAPH_A) @policy(policies: [["admin"]])
+    public: Public @join__field(graph: SUBGRAPH_A)
+    opensecret: OpenSecret @join__field(graph: SUBGRAPH_A)
+    secure: Secure @join__field(graph: SUBGRAPH_A)
+}
+
+interface Secure 
+    @join__type(graph: SUBGRAPH_A)
+{
+    id: ID @join__field(graph: SUBGRAPH_A) @policy(policies: [["admin"]])
+}
+
+
+type Private implements Secure 
+    @join__type(graph: SUBGRAPH_A)
+    @join__implements(graph: SUBGRAPH_A, interface: "Secure")
+{
+    id: ID @policy(policies: [["admin"]]) @join__field(graph: SUBGRAPH_A)
+}
+
+# NOTE: despite its name, this _doesn't_ have the `admin` policy
+type OpenSecret implements Secure 
+    @join__type(graph: SUBGRAPH_A)
+    @join__implements(graph: SUBGRAPH_A, interface: "Secure")
+{
+    id: ID @join__field(graph: SUBGRAPH_A)
+}
+
+type Public 
+    @join__type(graph: SUBGRAPH_A)
+{
+    id: ID @join__field(graph: SUBGRAPH_A)
+}
+

apollo-router/tests/integration/directives/mod.rs

@@ -0,0 +1 @@
+mod policy;