squash me

Author: aaronArinder

apollo-router/src/plugins/authorization/policy.rs

@@ -144,7 +144,6 @@ impl traverse::Visitor for PolicyExtractionVisitor<'_> {
         node: &executable::Field,
     ) -> Result<(), BoxError> {
         self.get_policies_from_field(field_def);
-
         traverse::field(self, field_def, node)
     }
 
@@ -363,9 +362,6 @@ impl<'a> PolicyFilteringVisitor<'a> {
                     None => policies_sets = Some(ty_policies_sets),
                     Some(other_policies) => {
                         if ty_policies_sets != *other_policies {
-                            println!(
-                                "AWA :: different TYPE policies -> type policies: {ty_policies_sets:?}, other policies: {other_policies:?}"
-                            );
                             return true;
                         }
                     }
@@ -411,9 +407,6 @@ impl<'a> PolicyFilteringVisitor<'a> {
                         None => policies_sets = Some(field_policies),
                         Some(other_policies) => {
                             if field_policies != *other_policies {
-                                println!(
-                                    "AWA :: different FIELD policies -> field policies: {field_policies:?}, other policies: {other_policies:?}"
-                                );
                                 return true;
                             }
                         }
@@ -1400,9 +1393,6 @@ mod tests {
         // which should result in `successful_policies` to contain `read` as well
         let read_policy: HashSet<String> = ["read".to_string()].into_iter().collect();
         let (doc, paths) = filter(SCHEMA, QUERY, read_policy);
-        // NOTE: paths ==> unauthorized paths
-        //
-        println!("AWA :: unauthorized paths: {paths:?}");
         insta::assert_snapshot!(TestResult {
             query: QUERY,
             // this should have `read` as the extracted policy
@@ -1470,7 +1460,6 @@ mod tests {
         // which should result in `successful_policies` to contain `read` as well
         let read_policy: HashSet<String> = ["read".to_string()].into_iter().collect();
         let (doc, paths) = filter(SCHEMA, QUERY, read_policy);
-        println!("AWA :: unauthorized paths: {paths:?}");
         insta::assert_snapshot!(TestResult {
             query: QUERY,
             // this should have `read` as the extracted policy

apollo-router/tests/fixtures/directives/policy/policy_schema_with_interfaces.graphql

@@ -45,6 +45,7 @@ type Query
     private: Private @join__field(graph: SUBGRAPH_A) @policy(policies: [["admin"]])
     public: Public @join__field(graph: SUBGRAPH_A)
     opensecret: OpenSecret @join__field(graph: SUBGRAPH_A)
+    secure: Secure @join__field(graph: SUBGRAPH_A)
 }
 
 interface Secure 

apollo-router/tests/integration/directives/policy.rs

@@ -367,3 +367,256 @@ async fn policy_directive_interfaces_with_different_implementors_without_policy_
 
     Ok(())
 }
+
+#[tokio::test(flavor = "multi_thread")]
+async fn policy_directive_interfaces_with_different_implementors_disallowed() -> Result<(), BoxError>
+{
+    // GIVEN
+    //   * a schema with @policy
+    //   * an interface using the @policy with implementors that have different policies
+    //     * see the fixture for notes
+    //   * requesting the interface directly, not one of its implementors
+    //   * a mock coprocessor that marks the admin policy as false (unused, see note above)
+    //   * a mock subgraph serving both public and private data
+    //   * a context object with the admin policy set to false
+    //   * the supergraph service layer
+    //   * a request for a policy-gated field
+
+    let mock_coprocessor = MockServer::start().await;
+    let coprocessor_address = mock_coprocessor.uri();
+
+    Mock::given(method("POST"))
+        .and(path("/"))
+        .respond_with(ResponseTemplate::new(200).set_body_json(serde_json::json!({
+            "version": 1,
+            "stage": "SupergraphRequest",
+            "control": "continue",
+            "context": {
+                "entries": {
+                    "apollo::authorization::required_policies": {
+                        // NOTE: see the note above, but this shouldn't govern how the test
+                        // behaves; it's the context object that does the dirt for the TestHarness.
+                        // Change this value if you use it with the IntegrationTest builder
+                        "admin": false
+                    }
+                }
+            }
+        })))
+        .mount(&mock_coprocessor)
+        .await;
+
+    let mut subgraphs = MockedSubgraphs::default();
+    subgraphs.insert(
+        "subgraph_a",
+        MockSubgraph::builder()
+            .with_json(
+                serde_json::json!({"query": "{private{id}}"}),
+                serde_json::json!({"data": {"private": {"id": "123"}}}),
+            )
+            .with_json(
+                serde_json::json!({"query": "{public{id}}"}),
+                serde_json::json!({"data": {"public": {"id": "456"}}}),
+            )
+            .with_json(
+                serde_json::json!({"query": "{opensecret{id}}"}),
+                serde_json::json!({"data": {"opensecret": {"id": "789"}}}),
+            )
+            .with_json(
+                serde_json::json!({"query": "{secure{id}}"}),
+                serde_json::json!({"data": {"secure": {"id": "000"}}}),
+            )
+            .build(),
+    );
+
+    let supergraph_harness = TestHarness::builder()
+        .configuration_json(serde_json::json!({
+            "coprocessor": {
+                "url": coprocessor_address,
+                "supergraph": {
+                    "request": {
+                        "context": "all"
+                    }
+                }
+            },
+            "include_subgraph_errors": {
+                "all": true
+            }
+        }))
+        .unwrap()
+        .schema(include_str!(
+            "../../fixtures/directives/policy/policy_schema_with_interfaces.graphql"
+        ))
+        .extra_plugin(subgraphs)
+        .build_supergraph()
+        .await
+        .unwrap();
+
+    let context = Context::new();
+    context
+        // NOTE: there is no `admin` policy in the context
+        .insert("apollo::authorization::required_policies", json! { [] })
+        .unwrap();
+
+    // WHEN
+    //   * we make a request with the interface itself off of Query
+    let request = supergraph::Request::fake_builder()
+        .query(r#"{ secure { id } }"#)
+        .context(context)
+        .method(Method::POST)
+        .build()
+        .unwrap();
+
+    // THEN
+    //   * we don't get data
+
+    let response = supergraph_harness
+        .oneshot(request)
+        .await
+        .unwrap()
+        .next_response()
+        .await
+        .unwrap()
+        .data
+        .unwrap();
+
+    let response = response.as_object().unwrap();
+
+    assert!(response.is_empty());
+    Ok(())
+}
+
+// NOTE: this is the test to pay attention to for a recent customer question
+#[tokio::test(flavor = "multi_thread")]
+async fn policy_directive_interfaces_with_different_implementors_open_question()
+-> Result<(), BoxError> {
+    // GIVEN
+    //   * a schema with @policy
+    //   * an interface using the @policy with implementors that have different policies
+    //     * see the fixture for notes
+    //   * requesting the interface directly, not one of its implementors
+    //   * a mock coprocessor that marks the admin policy as true (unused, see note above)
+    //   * a mock subgraph serving both public and private data
+    //   * a context object with the admin policy set to true
+    //   * the supergraph service layer
+    //   * a request for a policy-gated field
+
+    let mock_coprocessor = MockServer::start().await;
+    let coprocessor_address = mock_coprocessor.uri();
+
+    Mock::given(method("POST"))
+        .and(path("/"))
+        .respond_with(ResponseTemplate::new(200).set_body_json(serde_json::json!({
+            "version": 1,
+            "stage": "SupergraphRequest",
+            "control": "continue",
+            "context": {
+                "entries": {
+                    "apollo::authorization::required_policies": {
+                        // NOTE: see the note above, but this shouldn't govern how the test
+                        // behaves; it's the context object that does the dirt for the TestHarness.
+                        // Change this value if you use it with the IntegrationTest builder
+                        "admin": true
+                    }
+                }
+            }
+        })))
+        .mount(&mock_coprocessor)
+        .await;
+
+    let mut subgraphs = MockedSubgraphs::default();
+    subgraphs.insert(
+        "subgraph_a",
+        MockSubgraph::builder()
+            .with_json(
+                serde_json::json!({"query": "{private{id}}"}),
+                serde_json::json!({"data": {"private": {"id": "123"}}}),
+            )
+            .with_json(
+                serde_json::json!({"query": "{public{id}}"}),
+                serde_json::json!({"data": {"public": {"id": "456"}}}),
+            )
+            .with_json(
+                serde_json::json!({"query": "{opensecret{id}}"}),
+                serde_json::json!({"data": {"opensecret": {"id": "789"}}}),
+            )
+            .with_json(
+                serde_json::json!({"query": "{secure{id}}"}),
+                serde_json::json!({"data": {"secure": {"id": "000"}}}),
+            )
+            .build(),
+    );
+
+    let supergraph_harness = TestHarness::builder()
+        .configuration_json(serde_json::json!({
+            "coprocessor": {
+                "url": coprocessor_address,
+                "supergraph": {
+                    "request": {
+                        "context": "all"
+                    }
+                }
+            },
+            "include_subgraph_errors": {
+                "all": true
+            }
+        }))
+        .unwrap()
+        .schema(include_str!(
+            "../../fixtures/directives/policy/policy_schema_with_interfaces.graphql"
+        ))
+        .extra_plugin(subgraphs)
+        .build_supergraph()
+        .await
+        .unwrap();
+
+    let context = Context::new();
+    context
+        .insert(
+            "apollo::authorization::required_policies",
+            json! {[ "admin" ]},
+        )
+        .unwrap();
+
+    // WHEN
+    //   * we make a request with the interface itself off of Query
+    let request = supergraph::Request::fake_builder()
+        .query(r#"{ secure { id } }"#)
+        .context(context)
+        .method(Method::POST)
+        .build()
+        .unwrap();
+
+    // THEN
+    //   * we... get the data? expected? not sure
+
+    let response = supergraph_harness
+        .oneshot(request)
+        .await
+        .unwrap()
+        .next_response()
+        .await
+        .unwrap()
+        .data
+        .unwrap();
+
+    // NOTE: we're failing here; the response is null, and the expectations for this test are
+    // unclear: should there be data returned if an interface is queried that has a policy when
+    // that policy is in the context and the coprocessor returns `true` for it?
+    println!("AWA :: response: {response:?}");
+
+    let response = response
+        .as_object()
+        .unwrap()
+        .get_key_value("secure")
+        .unwrap()
+        .1
+        .as_object()
+        .unwrap()
+        .get_key_value("id")
+        .unwrap()
+        .1;
+
+    assert_eq!(response, "000");
+
+    Ok(())
+}