graphql-shield-node23 7.6.5

package/tests/logic.test.ts

@@ -0,0 +1,530 @@
+import { graphql, GraphQLResolveInfo } from 'graphql'
+import { applyMiddleware } from 'graphql-middleware'
+import { makeExecutableSchema } from '@graphql-tools/schema'
+
+import { shield, rule, allow, deny, and, or, not } from '../src'
+import { LogicRule } from '../src/rules'
+import { chain, race } from '../src/constructors'
+
+describe('logic rules', () => {
+  test('allow, deny work as expeted', async () => {
+    const typeDefs = `
+      type Query {
+        allow: String
+        deny: String
+      }
+    `
+
+    const resolvers = {
+      Query: {
+        allow: () => 'allow',
+        deny: () => 'deny',
+      },
+    }
+
+    const schema = makeExecutableSchema({ typeDefs, resolvers })
+
+    // Permissions
+    const permissions = shield({
+      Query: {
+        allow: allow,
+        deny: deny,
+      },
+    })
+
+    const schemaWithPermissions = applyMiddleware(schema, permissions)
+
+    /* Execution */
+
+    const query = `
+      query {
+        allow
+        deny
+      }
+    `
+    const res = await graphql({
+      schema: schemaWithPermissions,
+      source: query,
+    })
+
+    /* Tests */
+
+    expect(res.data).toEqual({
+      allow: 'allow',
+      deny: null,
+    })
+    expect(res.errors?.length).toBe(1)
+  })
+
+  test('and works as expected', async () => {
+    const typeDefs = `
+      type Query {
+        allow: String
+        deny: String
+        ruleError: String
+      }
+    `
+
+    const resolvers = {
+      Query: {
+        allow: () => 'allow',
+        deny: () => 'deny',
+        ruleError: () => 'ruleError',
+      },
+    }
+
+    const schema = makeExecutableSchema({ typeDefs, resolvers })
+
+    /* Permissions */
+
+    const ruleWithError = rule()(async () => {
+      throw new Error()
+    })
+
+    const permissions = shield({
+      Query: {
+        allow: and(allow, allow),
+        deny: and(allow, deny),
+        ruleError: and(allow, ruleWithError),
+      },
+    })
+
+    const schemaWithPermissions = applyMiddleware(schema, permissions)
+
+    /* Execution */
+
+    const query = `
+      query {
+        allow
+        deny
+        ruleError
+      }
+    `
+    const res = await graphql({
+      schema: schemaWithPermissions,
+      source: query,
+    })
+
+    /* Tests */
+
+    expect(res.data).toEqual({
+      allow: 'allow',
+      deny: null,
+      ruleError: null,
+    })
+    expect(res.errors?.length).toBe(2)
+  })
+
+  test('chain works as expected', async () => {
+    const typeDefs = `
+      type Query {
+        allow: String
+        deny: String
+        ruleError: String
+      }
+    `
+
+    const resolvers = {
+      Query: {
+        allow: () => 'allow',
+        deny: () => 'deny',
+        ruleError: () => 'error',
+      },
+    }
+
+    const schema = makeExecutableSchema({ typeDefs, resolvers })
+
+    /* Permissions */
+
+    let allowRuleSequence: string[] = []
+    const allowRuleA = rule()(() => {
+      allowRuleSequence.push('A')
+      return true
+    })
+    const allowRuleB = rule()(() => {
+      allowRuleSequence.push('B')
+      return true
+    })
+    const allowRuleC = rule()(() => {
+      allowRuleSequence.push('C')
+      return true
+    })
+    let denyRuleCount = 0
+    const denyRule = rule({})(() => {
+      denyRuleCount += 1
+      return false
+    })
+    let ruleWithErrorCount = 0
+    const ruleWithError = rule()(() => {
+      ruleWithErrorCount += 1
+      throw new Error('error')
+    })
+
+    const permissions = shield({
+      Query: {
+        allow: chain(allowRuleA, allowRuleB, allowRuleC),
+        deny: chain(denyRule, denyRule, denyRule),
+        ruleError: chain(ruleWithError, ruleWithError, ruleWithError),
+      },
+    })
+
+    const schemaWithPermissions = applyMiddleware(schema, permissions)
+
+    /* Execution */
+
+    const query = `
+      query {
+        allow
+        deny
+        ruleError
+      }
+    `
+    const res = await graphql({
+      schema: schemaWithPermissions,
+      source: query,
+    })
+
+    /* Tests */
+
+    expect(res.data).toEqual({
+      allow: 'allow',
+      deny: null,
+      ruleError: null,
+    })
+    expect(allowRuleSequence.toString()).toEqual(['A', 'B', 'C'].toString())
+    expect(denyRuleCount).toEqual(1)
+    expect(ruleWithErrorCount).toEqual(1)
+    expect(res.errors?.length).toBe(2)
+  })
+
+  test('race chain works as expected', async () => {
+    const typeDefs = `
+      type Query {
+        allow: String
+        deny: String
+        ruleError: String
+      }
+    `
+
+    const resolvers = {
+      Query: {
+        allow: () => 'allow',
+        deny: () => 'deny',
+        ruleError: () => 'error',
+      },
+    }
+
+    const schema = makeExecutableSchema({ typeDefs, resolvers })
+
+    /* Permissions */
+
+    let allowRuleSequence: string[] = []
+    const denyRuleA = rule()(() => {
+      allowRuleSequence.push('A')
+      return false
+    })
+    const allowRuleB = rule()(() => {
+      allowRuleSequence.push('B')
+      return true
+    })
+    const allowRuleC = rule()(() => {
+      allowRuleSequence.push('C')
+      return true
+    })
+    let denyRuleCount = 0
+    const denyRule = rule({})(() => {
+      denyRuleCount += 1
+      return false
+    })
+    let ruleWithErrorCount = 0
+    const ruleWithError = rule()(() => {
+      ruleWithErrorCount += 1
+      throw new Error('error')
+    })
+
+    const permissions = shield({
+      Query: {
+        allow: race(denyRuleA, allowRuleB, allowRuleC),
+        deny: race(denyRule, denyRule, denyRule),
+        ruleError: race(ruleWithError, ruleWithError, ruleWithError),
+      },
+    })
+
+    const schemaWithPermissions = applyMiddleware(schema, permissions)
+
+    /* Execution */
+
+    const query = `
+      query {
+        allow
+        deny
+        ruleError
+      }
+    `
+    const res = await graphql({
+      schema: schemaWithPermissions,
+      source: query,
+    })
+
+    /* Tests */
+
+    expect(res.data).toEqual({
+      allow: 'allow',
+      deny: null,
+      ruleError: null,
+    })
+    expect(allowRuleSequence.toString()).toEqual(['A', 'B'].toString())
+    expect(denyRuleCount).toEqual(3)
+    expect(ruleWithErrorCount).toEqual(3)
+    expect(res.errors?.length).toBe(2)
+  })
+
+  test('or works as expected', async () => {
+    const typeDefs = `
+      type Query {
+        allow: String
+        deny: String
+      }
+    `
+
+    const resolvers = {
+      Query: {
+        allow: () => 'allow',
+        deny: () => 'deny',
+      },
+    }
+
+    const schema = makeExecutableSchema({ typeDefs, resolvers })
+
+    /* Permissions */
+
+    const permissions = shield({
+      Query: {
+        allow: or(allow, deny),
+        deny: or(deny, deny),
+      },
+    })
+
+    const schemaWithPermissions = applyMiddleware(schema, permissions)
+
+    /* Execution */
+
+    const query = `
+      query {
+        allow
+        deny
+      }
+    `
+    const res = await graphql({
+      schema: schemaWithPermissions,
+      source: query,
+    })
+
+    /* Tests */
+
+    expect(res.data).toEqual({
+      allow: 'allow',
+      deny: null,
+    })
+    expect(res.errors?.length).toBe(1)
+  })
+
+  test('not works as expected', async () => {
+    const typeDefs = `
+      type Query {
+        allow: String
+        deny: String
+        ruleError: String
+        resolverError: String
+        customRuleError: String
+        customRuleErrorString: String
+      }
+    `
+
+    const resolvers = {
+      Query: {
+        allow: () => 'allow',
+        deny: () => 'deny',
+        ruleError: () => 'ruleError',
+        resolverError: () => {
+          throw new Error()
+        },
+        customRuleError: () => 'customRuleError',
+        customRuleErrorString: () => 'customRuleErrorString',
+      },
+    }
+
+    const schema = makeExecutableSchema({ typeDefs, resolvers })
+
+    /* Permissions */
+
+    const ruleWithError = rule()(async () => {
+      throw new Error()
+    })
+
+    const ruleWithCustomError = rule()(async () => {
+      return new Error('error_pass')
+    })
+
+    const ruleWithCustomErrorString = rule()(async () => {
+      return 'error_string_pass'
+    })
+
+    const permissions = shield({
+      Query: {
+        allow: not(deny),
+        deny: not(allow),
+        ruleError: not(ruleWithError),
+        resolverError: not(allow),
+        customRuleError: not(ruleWithCustomError),
+        customRuleErrorString: not(ruleWithCustomErrorString),
+      },
+    })
+
+    const schemaWithPermissions = applyMiddleware(schema, permissions)
+
+    /* Execution */
+
+    const query = `
+      query {
+        allow
+        deny
+        ruleError
+        resolverError
+        customRuleError
+        customRuleErrorString
+      }
+    `
+    const res = await graphql({
+      schema: schemaWithPermissions,
+      source: query,
+    })
+
+    expect(res.data).toEqual({
+      allow: 'allow',
+      deny: null,
+      ruleError: 'ruleError',
+      resolverError: null,
+      customRuleError: 'customRuleError',
+      customRuleErrorString: 'customRuleErrorString',
+    })
+    expect(res.errors?.map((err) => err.message)).toEqual([
+      'Not Authorised!',
+      'Not Authorised!',
+    ])
+  })
+
+  test('not returns custom error', async () => {
+    const typeDefs = `
+      type Query {
+        not: String
+      }
+    `
+
+    const resolvers = {
+      Query: {
+        not: () => 'not',
+      },
+    }
+
+    const schema = makeExecutableSchema({ typeDefs, resolvers })
+
+    /* Permissions */
+
+    const permissions = shield({
+      Query: {
+        not: not(allow, 'This is a custom not message.'),
+      },
+    })
+
+    const schemaWithPermissions = applyMiddleware(schema, permissions)
+
+    /* Execution */
+
+    const query = `
+      query {
+        not
+      }
+    `
+    const res = await graphql({
+      schema: schemaWithPermissions,
+      source: query,
+    })
+
+    expect(res.data).toEqual({
+      not: null,
+    })
+    expect(res.errors?.map((err) => err.message)).toEqual([
+      'This is a custom not message.',
+    ])
+  })
+})
+
+describe('internal execution', () => {
+  test('logic rule by default resolves to false', async () => {
+    const rule = new LogicRule([])
+
+    const res = await rule.resolve(
+      {},
+      {},
+      { _shield: { cache: {} } },
+      {} as GraphQLResolveInfo,
+      {
+        allowExternalErrors: false,
+        debug: false,
+        fallbackRule: allow,
+        fallbackError: new Error(),
+        hashFunction: () => `${Math.random()}`,
+      },
+    )
+
+    expect(res).toBeFalsy()
+  })
+
+  test('rule prevents access when access not permited', async () => {
+    const typeDefs = `
+      type Query {
+        deny: String
+      }
+    `
+
+    const resolvers = {
+      Query: {
+        deny: () => 'deny',
+      },
+    }
+
+    const schema = makeExecutableSchema({ typeDefs, resolvers })
+
+    /* Permissions */
+
+    const ruleDeny = rule()(() => false)
+
+    const permissions = shield({
+      Query: {
+        deny: ruleDeny,
+      },
+    })
+
+    const schemaWithPermissions = applyMiddleware(schema, permissions)
+
+    /* Execution */
+
+    const query = `
+      query {
+        deny
+      }
+    `
+    const res = await graphql({
+      schema: schemaWithPermissions,
+      source: query,
+    })
+
+    /* Tests */
+
+    expect(res.data).toEqual({
+      deny: null,
+    })
+    expect(res.errors?.length).toBe(1)
+  })
+})

package/tests/utils.test.ts

@@ -0,0 +1,55 @@
+import {
+  isRule,
+  isLogicRule,
+  isRuleFieldMap,
+  isRuleFunction,
+  withDefault,
+} from '../src/utils'
+import { rule, and } from '../src/constructors'
+
+import { testSimpleRule, testLogicRule } from 'graphql-shield-rules'
+
+describe('type identifiers', () => {
+  test('isRuleFunction finds rule function.', async () => {
+    expect(isRuleFunction(rule()(() => true))).toBeTruthy()
+    expect(isRuleFunction(and())).toBeTruthy()
+    expect(isRuleFunction(false)).toBeFalsy()
+  })
+
+  test('isRule finds rule.', async () => {
+    expect(isRule(rule()(() => true))).toBeTruthy()
+    expect(isRule(and())).toBeFalsy()
+    expect(isRule(false)).toBeFalsy()
+    expect(isRule(testSimpleRule)).toBeTruthy()
+  })
+
+  test('isLogicRule finds logic rule.', async () => {
+    expect(isLogicRule(and())).toBeTruthy()
+    expect(isLogicRule(rule()(() => true))).toBeFalsy()
+    expect(isLogicRule(false)).toBeFalsy()
+    expect(isLogicRule(testLogicRule)).toBeTruthy()
+  })
+
+  test('isRuleFieldMap finds rule field map.', async () => {
+    expect(
+      isRuleFieldMap({
+        foo: rule()(() => true),
+        bar: and(),
+      }),
+    ).toBeTruthy()
+
+    expect(
+      isRuleFieldMap({
+        foo: rule()(() => true),
+        bar: false,
+      }),
+    ).toBeFalsy()
+  })
+})
+
+describe('helper functions', () => {
+  test('withDefault returns correct value', async () => {
+    expect(withDefault('pass')(undefined)).toBe('pass')
+    expect(withDefault('fail')('pass')).toBe('pass')
+  })
+})

package/tests/validation.test.ts

@@ -0,0 +1,139 @@
+import { applyMiddleware } from 'graphql-middleware'
+import { makeExecutableSchema } from '@graphql-tools/schema'
+import { validateRuleTree } from '../src/validation'
+import { shield, rule, allow } from '../src/'
+import { and } from '../src/constructors'
+
+describe('correctly helps developer', () => {
+  test('Finds a type missing in schema and warns developer.', async () => {
+    /* Schema */
+
+    const typeDefs = `
+     type Query {
+       a: String!
+     }
+   `
+
+    const schema = makeExecutableSchema({
+      typeDefs,
+      resolvers: {},
+    })
+
+    // Permissions
+
+    const permissions = shield({
+      Query: allow,
+      Fail1: allow,
+      Fail2: allow,
+    })
+
+    expect(() => {
+      applyMiddleware(schema, permissions)
+    }).toThrow(
+      `It seems like you have applied rules to Fail1, Fail2 types but Shield cannot find them in your schema.`,
+    )
+  })
+
+  test('Finds the fields missing in schema and warns developer.', async () => {
+    // Schema
+    const typeDefs = `
+     type Query {
+       a: String!
+     }
+   `
+
+    const schema = makeExecutableSchema({
+      typeDefs,
+      resolvers: {},
+    })
+
+    // Permissions
+
+    const permissions = shield({
+      Query: {
+        a: allow,
+        b: allow,
+        c: allow,
+      },
+    })
+
+    expect(() => {
+      applyMiddleware(schema, permissions)
+    }).toThrow(
+      'It seems like you have applied rules to Query.b, Query.c fields but Shield cannot find them in your schema.',
+    )
+  })
+})
+
+describe('rule tree validation', () => {
+  test('validates rules correctly', async () => {
+    /* Rules */
+
+    const rule1 = rule('one')(() => true)
+    const rule12 = rule('one')(() => true)
+    const rule2 = rule('two')(() => true)
+    const rule22 = rule('two')(() => true)
+    const rule3 = rule()(() => true)
+    const rule4 = rule()(() => true)
+
+    const correctRuleTree = {
+      Query: {
+        foo: rule1,
+        bar: rule2,
+      },
+      Mutation: rule3,
+      Bar: rule4,
+    }
+
+    const incorrectRuleTree = {
+      Query: {
+        foo: rule1,
+        bar: rule12,
+        qux: rule2,
+        foobarqux: rule22,
+        quxbarfoo: and(rule1, rule12),
+      },
+      Mutation: rule3,
+      Bar: rule4,
+    }
+
+    /* Tests */
+
+    expect(validateRuleTree(correctRuleTree)).toEqual({ status: 'ok' })
+    expect(validateRuleTree(incorrectRuleTree)).toEqual({
+      status: 'err',
+      message: `There seem to be multiple definitions of these rules: one, two`,
+    })
+  })
+})
+
+describe('shield works as expected', () => {
+  test('throws an error on invalid schema', async () => {
+    /* Rules */
+
+    const rule1 = rule('one')(() => true)
+    const rule12 = rule('one')(() => true)
+    const rule2 = rule('two')(() => true)
+    const rule22 = rule('two')(() => true)
+    const rule3 = rule()(() => true)
+    const rule4 = rule()(() => true)
+
+    const incorrectRuleTree = {
+      Query: {
+        foo: rule1,
+        bar: rule12,
+        qux: rule2,
+        foobarqux: rule22,
+        quxbarfoo: and(rule1, rule12),
+      },
+      Mutation: rule3,
+      Bar: rule4,
+    }
+
+    /* Tests */
+
+    expect(() => {
+      shield(incorrectRuleTree)
+    }).toThrow(`There seem to be multiple definitions of these rules: one, two`)
+  })
+})