graphql 1.9.0.pre1 → 1.9.0.pre2

data/lib/graphql/tracing/new_relic_tracing.rb

@@ -17,8 +17,8 @@ module GraphQL
       # @param set_transaction_name [Boolean] If true, the GraphQL operation name will be used as the transaction name.
       #   This is not advised if you run more than one query per HTTP request, for example, with `graphql-client` or multiplexing.
       #   It can also be specified per-query with `context[:set_new_relic_transaction_name]`.
-      def initialize(set_transaction_name: false)
-        @set_transaction_name = set_transaction_name
+      def initialize(options = {})
+        @set_transaction_name = options.fetch(:set_transaction_name, false)
         super
       end
 

data/lib/graphql/tracing/skylight_tracing.rb

@@ -17,8 +17,8 @@ module GraphQL
       # @param set_endpoint_name [Boolean] If true, the GraphQL operation name will be used as the endpoint name.
       #   This is not advised if you run more than one query per HTTP request, for example, with `graphql-client` or multiplexing.
       #   It can also be specified per-query with `context[:set_skylight_endpoint_name]`.
-      def initialize(set_endpoint_name: false)
-        @set_endpoint_name = set_endpoint_name
+      def initialize(options = {})
+        @set_endpoint_name = options.fetch(:set_endpoint_name, false)
         super
       end
 

data/lib/graphql/unauthorized_field_error.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+module GraphQL
+  class UnauthorizedFieldError < GraphQL::UnauthorizedError
+    # @return [Field] the field that failed the authorization check
+    attr_reader :field
+
+    def initialize(message = nil, object: nil, type: nil, context: nil, field: nil)
+      if message.nil? && [field, type].any?(&:nil?)
+        raise ArgumentError, "#{self.class.name} requires either a message or keywords"
+      end
+
+      @field = field
+      message ||= begin
+        if object
+          "An instance of #{object.class} failed #{type.name}'s authorization check on field #{field.name}"
+        else
+          "Failed #{type.name}'s authorization check on field #{field.name}"
+        end
+      end
+      super(message, object: object, type: type, context: context)
+    end
+  end
+end

data/lib/graphql/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module GraphQL
-  VERSION = "1.9.0.pre1"
+  VERSION = "1.9.0.pre2"
 end

data/spec/graphql/analysis/ast_spec.rb

@@ -61,6 +61,16 @@ describe GraphQL::Analysis::AST do
     end
   end
 
+  class AstPreviousField < GraphQL::Analysis::AST::Analyzer
+    def on_enter_field(node, parent, visitor)
+      @previous_field = visitor.previous_field_definition
+    end
+
+    def result
+      @previous_field
+    end
+  end
+
   describe "using the AST analysis engine" do
     let(:schema) do
       query_type = Class.new(GraphQL::Schema::Object) do
@@ -77,6 +87,7 @@ describe GraphQL::Analysis::AST do
         query query_type
         use GraphQL::Analysis::AST
         query_analyzer AstErrorAnalyzer
+        use GraphQL::Execution::Interpreter
       end
     end
 
@@ -89,7 +100,26 @@ describe GraphQL::Analysis::AST do
     let(:query) { GraphQL::Query.new(schema, query_string, variables: {}) }
 
     it "runs the AST analyzers correctly" do
+      res = query.result
+      refute res.key?("data")
+      assert_equal ["An Error!"], res["errors"].map { |e| e["message"] }
+    end
+
+    it "skips rewrite" do
+      # Try running the query:
       query.result
+      # But the validation step doesn't build an irep_node tree
+      assert_nil query.irep_selection
+    end
+
+    describe "when validate: false" do
+      let(:query) { GraphQL::Query.new(schema, query_string, validate: false) }
+      it "Skips rewrite" do
+        # Try running the query:
+        query.result
+        # But the validation step doesn't build an irep_node tree
+        assert_nil query.irep_selection
+      end
     end
   end
 
@@ -127,6 +157,16 @@ describe GraphQL::Analysis::AST do
           assert_equal 2, reduce_result.size
         end
       end
+
+      describe "Visitor#previous_field_definition" do
+        let(:analyzers) { [AstPreviousField] }
+        let(:query) { GraphQL::Query.new(Dummy::Schema, "{ __schema { types { name } } }") }
+
+        it "it runs the analyzer" do
+          prev_field = reduce_result.first
+          assert_equal "__Schema.types", prev_field.metadata[:type_class].path
+        end
+      end
     end
 
     it "calls the defined analyzers" do

data/spec/graphql/authorization_spec.rb

@@ -48,7 +48,7 @@ describe GraphQL::Authorization do
       end
 
       def authorized?(object, context)
-        super && object != :hide
+        super && object != :hide && object != :replace
       end
     end
 
@@ -159,7 +159,7 @@ describe GraphQL::Authorization do
         super && value != "a"
       end
 
-      field :value, String, null: false, method: :object
+      field :value, String, null: false, method: :itself
     end
 
     module UnauthorizedInterface
@@ -186,7 +186,7 @@ describe GraphQL::Authorization do
         Box.new(value: Box.new(value: Box.new(value: Box.new(value: is_authed))))
       end
 
-      field :value, String, null: false, method: :object
+      field :value, String, null: false, method: :itself
     end
 
     class IntegerObject < BaseObject
@@ -197,7 +197,7 @@ describe GraphQL::Authorization do
         is_allowed = !(ctx[:unauthorized_relay] || obj == ctx[:exclude_integer])
         Box.new(value: Box.new(value: is_allowed))
       end
-      field :value, Integer, null: false, method: :object
+      field :value, Integer, null: false, method: :itself
     end
 
     class IntegerObjectEdge < GraphQL::Types::Relay::BaseEdge
@@ -237,7 +237,7 @@ describe GraphQL::Authorization do
 
     class Query < BaseObject
       field :hidden, Integer, null: false
-      field :unauthorized, Integer, null: true, method: :object
+      field :unauthorized, Integer, null: true, method: :itself
       field :int2, Integer, null: true do
         argument :int, Integer, required: false
         argument :hidden, Integer, required: false
@@ -268,22 +268,22 @@ describe GraphQL::Authorization do
       end
 
       def empty_array; []; end
-      field :hidden_object, HiddenObject, null: false, method: :itself
-      field :hidden_interface, HiddenInterface, null: false, method: :itself
-      field :hidden_default_interface, HiddenDefaultInterface, null: false, method: :itself
-      field :hidden_connection, RelayObject.connection_type, null: :false, method: :empty_array
-      field :hidden_edge, RelayObject.edge_type, null: :false, method: :edge_object
+      field :hidden_object, HiddenObject, null: false, resolver_method: :itself
+      field :hidden_interface, HiddenInterface, null: false, resolver_method: :itself
+      field :hidden_default_interface, HiddenDefaultInterface, null: false, resolver_method: :itself
+      field :hidden_connection, RelayObject.connection_type, null: :false, resolver_method: :empty_array
+      field :hidden_edge, RelayObject.edge_type, null: :false, resolver_method: :edge_object
 
       field :inaccessible, Integer, null: false, method: :object_id
-      field :inaccessible_object, InaccessibleObject, null: false, method: :itself
-      field :inaccessible_interface, InaccessibleInterface, null: false, method: :itself
-      field :inaccessible_default_interface, InaccessibleDefaultInterface, null: false, method: :itself
-      field :inaccessible_connection, RelayObject.connection_type, null: :false, method: :empty_array
-      field :inaccessible_edge, RelayObject.edge_type, null: :false, method: :edge_object
+      field :inaccessible_object, InaccessibleObject, null: false, resolver_method: :itself
+      field :inaccessible_interface, InaccessibleInterface, null: false, resolver_method: :itself
+      field :inaccessible_default_interface, InaccessibleDefaultInterface, null: false, resolver_method: :itself
+      field :inaccessible_connection, RelayObject.connection_type, null: :false, resolver_method: :empty_array
+      field :inaccessible_edge, RelayObject.edge_type, null: :false, resolver_method: :edge_object
 
-      field :unauthorized_object, UnauthorizedObject, null: true, method: :itself
-      field :unauthorized_connection, RelayObject.connection_type, null: false, method: :array_with_item
-      field :unauthorized_edge, RelayObject.edge_type, null: false, method: :edge_object
+      field :unauthorized_object, UnauthorizedObject, null: true, resolver_method: :itself
+      field :unauthorized_connection, RelayObject.connection_type, null: false, resolver_method: :array_with_item
+      field :unauthorized_edge, RelayObject.edge_type, null: false, resolver_method: :edge_object
 
       def edge_object
         OpenStruct.new(node: 100)
@@ -305,11 +305,11 @@ describe GraphQL::Authorization do
         [self, self]
       end
 
-      field :unauthorized_lazy_check_box, UnauthorizedCheckBox, null: true, method: :unauthorized_lazy_box do
+      field :unauthorized_lazy_check_box, UnauthorizedCheckBox, null: true, resolver_method: :unauthorized_lazy_box do
         argument :value, String, required: true
       end
 
-      field :unauthorized_interface, UnauthorizedInterface, null: true, method: :unauthorized_lazy_box do
+      field :unauthorized_interface, UnauthorizedInterface, null: true, resolver_method: :unauthorized_lazy_box do
         argument :value, String, required: true
       end
 
@@ -383,6 +383,8 @@ describe GraphQL::Authorization do
       def self.unauthorized_object(err)
         if err.object.respond_to?(:replacement)
           err.object.replacement
+        elsif err.object == :replace
+          33
         else
           raise GraphQL::ExecutionError, "Unauthorized #{err.type.graphql_name}: #{err.object}"
         end
@@ -390,6 +392,18 @@ describe GraphQL::Authorization do
 
       # use GraphQL::Backtrace
     end
+
+    class SchemaWithFieldHook < GraphQL::Schema
+      query(Query)
+
+      def self.unauthorized_field(err)
+        if err.object == :replace
+          42
+        else
+          raise GraphQL::ExecutionError, "Unauthorized field #{err.field.graphql_name} on #{err.type.graphql_name}: #{err.object}"
+        end
+      end
+    end
   end
 
   def auth_execute(*args)
@@ -621,6 +635,65 @@ describe GraphQL::Authorization do
       end
     end
 
+    describe "field level authorization" do
+      describe "unauthorized field" do
+        describe "with an unauthorized field hook configured" do
+          describe "when the hook returns a value" do
+            it "replaces the response with the return value of the unauthorized field hook" do
+              query = "{ unauthorized }"
+              response = AuthTest::SchemaWithFieldHook.execute(query, root_value: :replace)
+              assert_equal 42, response["data"].fetch("unauthorized")
+            end
+          end
+
+          describe "when the field hook raises an error" do
+            it "returns nil" do
+              query = "{ unauthorized }"
+              response = AuthTest::SchemaWithFieldHook.execute(query, root_value: :hide)
+              assert_nil response["data"].fetch("unauthorized")
+            end
+
+            it "adds the error to the errors key" do
+              query = "{ unauthorized }"
+              response = AuthTest::SchemaWithFieldHook.execute(query, root_value: :hide)
+              assert_equal ["Unauthorized field unauthorized on Query: hide"], response["errors"].map { |e| e["message"] }
+            end
+          end
+        end
+
+        describe "with an unauthorized field hook not configured" do
+          describe "When the object hook replaces the field" do
+            it "delegates to the unauthorized object hook, which replaces the object" do
+              query = "{ unauthorized }"
+              response = AuthTest::Schema.execute(query, root_value: :replace)
+              assert_equal 33, response["data"].fetch("unauthorized")
+            end
+          end
+          describe "When the object hook raises an error" do
+            it "returns nil" do
+              query = "{ unauthorized }"
+              response = AuthTest::Schema.execute(query, root_value: :hide)
+              assert_nil response["data"].fetch("unauthorized")
+            end
+
+            it "adds the error to the errors key" do
+              query = "{ unauthorized }"
+              response = AuthTest::Schema.execute(query, root_value: :hide)
+              assert_equal ["Unauthorized Query: hide"], response["errors"].map { |e| e["message"] }
+            end
+          end
+        end
+      end
+
+      describe "authorized field" do
+        it "returns the field data" do
+          query = "{ unauthorized }"
+          response = AuthTest::SchemaWithFieldHook.execute(query, root_value: 1)
+          assert_equal 1, response["data"].fetch("unauthorized")
+        end
+      end
+    end
+
     it "halts on unauthorized fields, using the parent object" do
       query = "{ unauthorized }"
       hidden_response = auth_execute(query, root_value: :hide)

data/spec/graphql/base_type_spec.rb

@@ -112,7 +112,9 @@ describe GraphQL::BaseType do
     schema = GraphQL::Schema.define(query: query_root)
 
     expected = <<TYPE
-# A blog post
+"""
+A blog post
+"""
 type Post {
   body: String!
   id: ID!

data/spec/graphql/execution/interpreter_spec.rb

@@ -4,10 +4,17 @@ require "spec_helper"
 describe GraphQL::Execution::Interpreter do
   module InterpreterTest
     class Box
-      attr_reader :value
-
-      def initialize(value:)
+      def initialize(value: nil, &block)
         @value = value
+        @block = block
+      end
+
+      def value
+        if @block
+          @value = @block.call
+          @block = nil
+        end
+        @value
       end
     end
 
@@ -17,12 +24,25 @@ describe GraphQL::Execution::Interpreter do
       field :name, String, null: false
       field :cards, ["InterpreterTest::Card"], null: false
 
+      def self.authorized?(expansion, ctx)
+        if expansion.sym == "NOPE"
+          false
+        else
+          true
+        end
+      end
+
       def cards
         Query::CARDS.select { |c| c.expansion_sym == @object.sym }
       end
 
       def lazy_sym
-        Box.new(value: sym)
+        Box.new(value: object.sym)
+      end
+
+      field :null_union_field_test, Integer, null: false
+      def null_union_field_test
+        1
       end
     end
 
@@ -34,6 +54,11 @@ describe GraphQL::Execution::Interpreter do
       def expansion
         Query::EXPANSIONS.find { |e| e.sym == @object.expansion_sym }
       end
+
+      field :null_union_field_test, Integer, null: true
+      def null_union_field_test
+        nil
+      end
     end
 
     class Color < GraphQL::Schema::Enum
@@ -59,6 +84,7 @@ describe GraphQL::Execution::Interpreter do
       field :calls, Integer, null: false do
         argument :expected, Integer, required: true
       end
+
       def calls(expected:)
         c = context[:calls] += 1
         if c != expected
@@ -67,9 +93,26 @@ describe GraphQL::Execution::Interpreter do
           c
         end
       end
+
+      field :runtime_info, String, null: false
+      def runtime_info
+        "#{context.namespace(:interpreter)[:current_path]} -> #{context.namespace(:interpreter)[:current_field].path}"
+      end
+
+      field :lazy_runtime_info, String, null: false
+      def lazy_runtime_info
+        Box.new {
+          "#{context.namespace(:interpreter)[:current_path]} -> #{context.namespace(:interpreter)[:current_field].path}"
+        }
+      end
     end
 
     class Query < GraphQL::Schema::Object
+      # Try a root-level authorized hook that returns a lazy value
+      def self.authorized?(obj, ctx)
+        Box.new(value: true)
+      end
+
       field :card, Card, null: true do
         argument :name, String, required: true
       end
@@ -99,6 +142,8 @@ describe GraphQL::Execution::Interpreter do
         OpenStruct.new(name: "Ravnica, City of Guilds", sym: "RAV"),
         # This data has an error, for testing null propagation
         OpenStruct.new(name: nil, sym: "XYZ"),
+        # This is not allowed by .authorized?,
+        OpenStruct.new(name: nil, sym: "NOPE"),
       ]
 
       field :find, [Entity], null: false do
@@ -112,12 +157,21 @@ describe GraphQL::Execution::Interpreter do
         end
       end
 
+      field :findMany, [Entity, null: true], null: false do
+        argument :ids, [ID], required: true
+      end
+
+      def find_many(ids:)
+        find(id: ids).map { |e| Box.new(value: e) }
+      end
+
       field :field_counter, FieldCounter, null: false
       def field_counter; :field_counter; end
     end
 
     class Schema < GraphQL::Schema
       use GraphQL::Execution::Interpreter
+      use GraphQL::Analysis::AST
       query(Query)
       lazy_resolve(Box, :value)
     end
@@ -201,6 +255,26 @@ describe GraphQL::Execution::Interpreter do
     end
   end
 
+  describe "runtime info in context" do
+    it "is available" do
+      res = InterpreterTest::Schema.execute <<-GRAPHQL
+      {
+        fieldCounter {
+          runtimeInfo
+          fieldCounter {
+            runtimeInfo
+            lazyRuntimeInfo
+          }
+        }
+      }
+      GRAPHQL
+
+      assert_equal '["fieldCounter", "runtimeInfo"] -> FieldCounter.runtimeInfo', res["data"]["fieldCounter"]["runtimeInfo"]
+      assert_equal '["fieldCounter", "fieldCounter", "runtimeInfo"] -> FieldCounter.runtimeInfo', res["data"]["fieldCounter"]["fieldCounter"]["runtimeInfo"]
+      assert_equal '["fieldCounter", "fieldCounter", "lazyRuntimeInfo"] -> FieldCounter.lazyRuntimeInfo', res["data"]["fieldCounter"]["fieldCounter"]["lazyRuntimeInfo"]
+    end
+  end
+
   describe "CI setup" do
     it "sets interpreter based on a constant" do
       if TESTING_INTERPRETER
@@ -228,6 +302,7 @@ describe GraphQL::Execution::Interpreter do
       # Although the expansion was found, its name of `nil`
       # propagated to here
       assert_nil res["data"].fetch("expansion")
+      assert_equal ["Cannot return null for non-nullable field Expansion.name"], res["errors"].map { |e| e["message"] }
     end
 
     it "propagates nulls in lists" do
@@ -245,6 +320,54 @@ describe GraphQL::Execution::Interpreter do
       # A null in one of the list items removed the whole list
       assert_nil(res["data"])
     end
+
+    it "works with unions that fail .authorized?" do
+      res = InterpreterTest::Schema.execute <<-GRAPHQL
+      {
+        find(id: "NOPE") {
+          ... on Expansion {
+            sym
+          }
+        }
+      }
+      GRAPHQL
+      assert_equal ["Cannot return null for non-nullable field Query.find"], res["errors"].map { |e| e["message"] }
+    end
+
+    it "works with lists of unions" do
+      res = InterpreterTest::Schema.execute <<-GRAPHQL
+      {
+        findMany(ids: ["RAV", "NOPE", "BOGUS"]) {
+          ... on Expansion {
+            sym
+          }
+        }
+      }
+      GRAPHQL
+
+      assert_equal 3, res["data"]["findMany"].size
+      assert_equal "RAV", res["data"]["findMany"][0]["sym"]
+      assert_equal nil, res["data"]["findMany"][1]
+      assert_equal nil, res["data"]["findMany"][2]
+      assert_equal false, res.key?("errors")
+    end
+
+    it "works with union lists that have members of different kinds, with different nullabilities" do
+      res = InterpreterTest::Schema.execute <<-GRAPHQL
+      {
+        findMany(ids: ["RAV", "Dark Confidant"]) {
+          ... on Expansion {
+            nullUnionFieldTest
+          }
+          ... on Card {
+            nullUnionFieldTest
+          }
+        }
+      }
+      GRAPHQL
+
+      assert_equal [1, nil], res["data"]["findMany"].map { |f| f["nullUnionFieldTest"] }
+    end
   end
 
   describe "duplicated fields" do