more tests more better.

Author: gmac

lib/graphql/stitching/request.rb

@@ -77,12 +77,12 @@ def normalized_string
 
       # @return [String] a digest of the original document string. Generally faster but less consistent.
       def digest
-        @digest ||= Stitching.digest.call("#{Stitching::VERSION}/#{string}")
+        @digest ||= Stitching.digest.call(digest_base(string))
       end
 
       # @return [String] a digest of the normalized document string. Slower but more consistent.
       def normalized_digest
-        @normalized_digest ||= Stitching.digest.call("#{Stitching::VERSION}/#{normalized_string}")
+        @normalized_digest ||= Stitching.digest.call(digest_base(normalized_string))
       end
 
       # @return [GraphQL::Language::Nodes::OperationDefinition] The selected root operation for the request.
@@ -235,6 +235,13 @@ def add_subscription_update_handler
           result
         }
       end
+
+      def digest_base(content)
+        base = String.new(Stitching::VERSION)
+        base << "/" << content
+        @claims.each { |claim| base << "/" << claim } if @claims
+        base
+      end
     end
   end
 end

test/graphql/stitching/integration/authorizations_test.rb

@@ -119,4 +119,155 @@ def test_expected_results_with_proper_permissions
 
     assert_equal expected, result.to_h
   end
+
+  def test_errors_unauthorized_root_field_selections
+    query = %|{
+      a1: orderA(id: "1") { shippingAddress }
+      a2: productA(id: "1") { name }
+      ...on Query {
+        b1: orderA(id: "1") { shippingAddress }
+        b2: productA(id: "1") { description }
+        ... QueryAttrs
+      }
+    }
+    fragment QueryAttrs on Query {
+      c1: orderA(id: "1") { shippingAddress }
+      c2: productA(id: "1") { price }
+    }|
+
+    result = plan_and_execute(@supergraph, query)
+    expected = {
+      "data" => { 
+        "a1" => nil,
+        "a2" => nil,
+        "b1" => nil,
+        "b2" => { "description" => nil },
+        "c1" => nil,
+        "c2" => nil,
+      },
+      "errors" => [{
+        "message" => "Unauthorized access",
+        "path" => ["a1"],
+        "extensions" => { "code" => "unauthorized" },
+      }, {
+        "message" => "Unauthorized access",
+        "path" => ["b1"],
+        "extensions" => { "code" => "unauthorized" },
+      }, {
+        "message" => "Unauthorized access",
+        "path" => ["c1"],
+        "extensions" => { "code" => "unauthorized" },
+      }, {
+        "message" => "Unauthorized access",
+        "path" => ["a2", "name"],
+        "extensions" => { "code" => "unauthorized" },
+      }, {
+        "message" => "Unauthorized access",
+        "path" => ["b2", "description"],
+        "extensions" => { "code" => "unauthorized" },
+      }, {
+        "message" => "Unauthorized access",
+        "path" => ["c2", "price"],
+        "extensions" => { "code" => "unauthorized" },
+      }],
+    }
+
+    assert_equal expected, result.to_h
+  end
+
+  def test_stitches_around_unauthorized_access
+    query = %|{
+      orderA(id: "1") {
+        open
+        customer1 {
+          email
+        }
+        customer2 {
+          email
+        }
+        product {
+          description
+          open
+        }
+      }
+    }|
+
+    result = plan_and_execute(@supergraph, query, claims: ["orders"])
+    expected = {
+      "data" => { 
+        "orderA" => {
+          "open" => true,
+          "customer1" => nil,
+          "customer2" => nil,
+          "product" => {
+            "description" => nil,
+            "open" => true,
+          }
+        }
+      },
+      "errors" => [{
+        "message" => "Unauthorized access",
+        "path" => ["orderA", "customer1", "email"],
+        "extensions" => { "code" => "unauthorized" },
+      }, {
+        "message" => "Unauthorized access",
+        "path" => ["orderA", "customer2"],
+        "extensions" => { "code" => "unauthorized" },
+      }, {
+        "message" => "Unauthorized access",
+        "path" => ["orderA", "product", "description"],
+        "extensions" => { "code" => "unauthorized" },
+      }],
+    }
+
+    assert_equal expected, result.to_h
+  end
+
+  def test_stitches_around_unauthorized_access_from_opposing_entrypoint
+    query = %|{
+      orderB(id: "1") {
+        open
+        customer1 {
+          email
+        }
+        customer2 {
+          email
+        }
+        product {
+          description
+          open
+        }
+      }
+    }|
+
+    result = plan_and_execute(@supergraph, query, claims: ["orders"])
+    expected = {
+      "data" => { 
+        "orderB" => {
+          "open" => true,
+          "customer1" => nil,
+          "customer2" => nil,
+          "product" => {
+            "description" => nil,
+            "open" => true,
+          }
+        }
+      },
+      "errors" => [{
+        "message" => "Unauthorized access",
+        "path" => ["orderB", "customer2"],
+        "extensions" => { "code" => "unauthorized" },
+      }, {
+        "message" => "Unauthorized access",
+        "path" => ["orderB", "customer1", "email"],
+        "extensions" => { "code" => "unauthorized" },
+      }, {
+        "message" => "Unauthorized access",
+        "path" => ["orderB", "product", "description"],
+        "extensions" => { "code" => "unauthorized" },
+      }],
+    }
+
+    assert_equal expected, result.to_h
+  end
 end

test/schemas/authorizations.rb

@@ -53,7 +53,7 @@ def customer2
       end
 
       class Query < GraphQL::Schema::Object
-        field :product_a, Product, null: false do
+        field :product_a, Product, null: true do
           directive GraphQL::Stitching::Directives::Stitch, key: "id"
           argument :id, ID, required: true
         end
@@ -62,7 +62,7 @@ def product_a(id:)
           PRODUCTS.find { _1[:id] == id }
         end
 
-        field :order_a, Order, null: false do
+        field :order_a, Order, null: true do
           directive GraphQL::Stitching::Directives::Authorization, scopes: [["orders"]]
           directive GraphQL::Stitching::Directives::Stitch, key: "id"
           argument :id, ID, required: true