Merge branch 'ajk-13984-resolver-behavior-changes' into 'master'

Prepare GraphQL resolvers for authorization framework changes See merge request gitlab-org/gitlab!48993

Merge branch 'ajk-13984-resolver-behavior-changes' into 'master'
Prepare GraphQL resolvers for authorization framework changes See merge request gitlab-org/gitlab!48993
78397f0f · Bob Van Landuyt · 0ca19086 · 29e98cc2 · 78397f0f · 78397f0f
Commit 78397f0f authored Dec 09, 2020 by Bob Van Landuyt
12 changed files
--- a/app/graphql/resolvers/board_lists_resolver.rb
+++ b/app/graphql/resolvers/board_lists_resolver.rb
@@ -3,9 +3,13 @@
 module Resolvers
  class BoardListsResolver < BaseResolver
    include BoardIssueFilterable
+    prepend ManualAuthorization
    include Gitlab::Graphql::Authorize::AuthorizeResource

    type Types::BoardListType, null: true
+    extras [:lookahead]
+
+    authorize :read_list

    argument :id, Types::GlobalIDType[List],
             required: false,
@@ -42,10 +46,6 @@ module Resolvers
      service.execute(board, create_default_lists: false)
    end

-    def authorized_resource?(board)
-      Ability.allowed?(context[:current_user], :read_list, board)
-    end
-
    def load_preferences?(lookahead)
      lookahead&.selection(:edges)&.selection(:node)&.selects?(:collapsed)
    end

--- a/app/graphql/resolvers/concerns/manual_authorization.rb
+++ b/app/graphql/resolvers/concerns/manual_authorization.rb
+# frozen_string_literal: true
+
+# TODO: remove this entirely when framework authorization is released
+# See: https://gitlab.com/gitlab-org/gitlab/-/issues/290216
+module ManualAuthorization
+  def resolve(**args)
+    super
+  rescue ::Gitlab::Graphql::Errors::ResourceNotAvailable
+    nil
+  end
+end
--- a/app/graphql/resolvers/projects/jira_imports_resolver.rb
+++ b/app/graphql/resolvers/projects/jira_imports_resolver.rb
@@ -3,10 +3,11 @@
 module Resolvers
  module Projects
    class JiraImportsResolver < BaseResolver
-      type Types::JiraImportType.connection_type, null: true
-
+      prepend ::ManualAuthorization
      include Gitlab::Graphql::Authorize::AuthorizeResource

+      type Types::JiraImportType.connection_type, null: true
+
      alias_method :project, :object

      def resolve(**args)

--- a/app/graphql/resolvers/projects/services_resolver.rb
+++ b/app/graphql/resolvers/projects/services_resolver.rb
@@ -3,9 +3,11 @@
 module Resolvers
  module Projects
    class ServicesResolver < BaseResolver
+      prepend ManualAuthorization
      include Gitlab::Graphql::Authorize::AuthorizeResource

      type Types::Projects::ServiceType.connection_type, null: true
+      authorize :admin_project

      argument :active,
               GraphQL::BOOLEAN_TYPE,
@@ -24,10 +26,6 @@ module Resolvers
        services(args[:active], args[:type])
      end

-      def authorized_resource?(project)
-        Ability.allowed?(context[:current_user], :admin_project, project)
-      end
-
      private

      def services(active, type)

--- a/app/graphql/resolvers/snippets/blobs_resolver.rb
+++ b/app/graphql/resolvers/snippets/blobs_resolver.rb
@@ -3,9 +3,11 @@
 module Resolvers
  module Snippets
    class BlobsResolver < BaseResolver
+      prepend ManualAuthorization
      include Gitlab::Graphql::Authorize::AuthorizeResource

      type Types::Snippets::BlobType.connection_type, null: true
+      authorize :read_snippet

      alias_method :snippet, :object

@@ -27,10 +29,6 @@ module Resolvers
        end
      end

-      def authorized_resource?(snippet)
-        Ability.allowed?(context[:current_user], :read_snippet, snippet)
-      end
-
      private

      def transformed_blob_paths(paths)

--- a/ee/app/graphql/mutations/dast_site_profiles/delete.rb
+++ b/ee/app/graphql/mutations/dast_site_profiles/delete.rb
@@ -34,6 +34,8 @@ module Mutations

      def find_dast_site_profile(project:, global_id:)
        project.dast_site_profiles.find(global_id.model_id)
+      rescue ActiveRecord::RecordNotFound
+        raise_resource_not_available_error!
      end
    end
  end

--- a/ee/spec/requests/api/graphql/mutations/dast_site_profiles/create_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/dast_site_profiles/create_spec.rb
@@ -24,17 +24,7 @@ RSpec.describe 'Creating a DAST Site Profile' do
    it 'returns the dast_site_profile id' do
      subject

-      expect(mutation_response["id"]).to eq(dast_site_profile.to_global_id.to_s)
-    end
-
-    context 'when an unknown error occurs' do
-      before do
-        allow(DastSiteProfile).to receive(:create!).and_raise(StandardError)
-      end
-
-      it_behaves_like 'a mutation that returns top-level errors' do
-        let(:match_errors) { contain_exactly(include('Internal server error')) }
-      end
+      expect(mutation_response).to include('id' => global_id_of(dast_site_profile))
    end
  end
 end
--- a/ee/spec/requests/api/graphql/mutations/dast_site_profiles/delete_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/dast_site_profiles/delete_spec.rb
@@ -38,9 +38,8 @@ RSpec.describe 'Creating a DAST Site Profile' do
        dast_site_profile.destroy!
      end

-      it_behaves_like 'a mutation that returns top-level errors' do
-        let(:match_errors) { contain_exactly(include("Internal server error: Couldn't find DastSiteProfile")) }
-      end
+      it_behaves_like 'a mutation that returns top-level errors',
+        errors: [::Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR]
    end

    context 'when wrong type of global id is passed' do

--- a/spec/graphql/mutations/boards/issues/issue_move_list_spec.rb
+++ b/spec/graphql/mutations/boards/issues/issue_move_list_spec.rb
@@ -73,18 +73,6 @@ RSpec.describe Mutations::Boards::Issues::IssueMoveList do

        it_behaves_like 'raises a resource not available error'
      end
-
-      context 'when user cannot access board' do
-        let(:board) { create(:board, group: create(:group, :private)) }
-
-        it_behaves_like 'raises a resource not available error'
-      end
-
-      context 'when passing board_id as nil' do
-        let(:board) { nil }
-
-        it_behaves_like 'raises a resource not available error'
-      end
    end
  end
 end
--- a/spec/graphql/resolvers/board_lists_resolver_spec.rb
+++ b/spec/graphql/resolvers/board_lists_resolver_spec.rb
@@ -29,9 +29,7 @@ RSpec.describe Resolvers::BoardListsResolver do

    context 'with unauthorized user' do
      it 'raises an error' do
-        expect do
-          resolve_board_lists(current_user: unauth_user)
-        end.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+        expect(resolve_board_lists(current_user: unauth_user)).to be_nil
      end
    end

@@ -101,12 +99,6 @@ RSpec.describe Resolvers::BoardListsResolver do
  end

  def resolve_board_lists(args: {}, current_user: user)
-    context = GraphQL::Query::Context.new(
-      query: OpenStruct.new(schema: nil),
-      values: { current_user: current_user },
-      object: nil
-    )
-
-    resolve(described_class, obj: board, args: args, ctx: context )
+    resolve(described_class, obj: board, args: args, ctx: { current_user: current_user })
  end
 end
--- a/spec/graphql/resolvers/snippets/blobs_resolver_spec.rb
+++ b/spec/graphql/resolvers/snippets/blobs_resolver_spec.rb
@@ -16,16 +16,18 @@ RSpec.describe Resolvers::Snippets::BlobsResolver do
    context 'when user is not authorized' do
      let(:other_user) { create(:user) }

-      it 'raises an error' do
-        expect do
-          resolve_blobs(snippet, user: other_user)
-        end.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+      it 'redacts the field' do
+        expect(resolve_blobs(snippet, user: other_user)).to be_nil
      end
    end

    context 'when using no filter' do
      it 'returns all snippet blobs' do
-        expect(resolve_blobs(snippet).map(&:path)).to contain_exactly(*snippet.list_files)
+        result = resolve_blobs(snippet, args: {})
+
+        expect(result).to match_array(snippet.list_files.map do |file|
+          have_attributes(path: file)
+        end)
      end
    end

@@ -34,7 +36,13 @@ RSpec.describe Resolvers::Snippets::BlobsResolver do
        it 'returns an array of files' do
          path = 'CHANGELOG'

-          expect(resolve_blobs(snippet, args: { paths: path }).first.path).to eq(path)
+          expect(resolve_blobs(snippet, paths: [path])).to contain_exactly(have_attributes(path: path))
+        end
+      end
+
+      context 'the argument does not match anything' do
+        it 'returns an empty result' do
+          expect(resolve_blobs(snippet, paths: ['does not exist'])).to be_empty
        end
      end

@@ -42,13 +50,15 @@ RSpec.describe Resolvers::Snippets::BlobsResolver do
        it 'returns an array of files' do
          paths = ['CHANGELOG', 'README.md']

-          expect(resolve_blobs(snippet, args: { paths: paths }).map(&:path)).to contain_exactly(*paths)
+          expect(resolve_blobs(snippet, paths: paths)).to match_array(paths.map do |file|
+            have_attributes(path: file)
+          end)
        end
      end
    end
  end

-  def resolve_blobs(snippet, user: current_user, args: {})
+  def resolve_blobs(snippet, user: current_user, paths: [], args: { paths: paths })
    resolve(described_class, args: args, ctx: { current_user: user }, obj: snippet)
  end
 end
--- a/spec/support/shared_examples/graphql/projects/services_resolver_shared_examples.rb
+++ b/spec/support/shared_examples/graphql/projects/services_resolver_shared_examples.rb
@@ -8,8 +8,6 @@ end

 RSpec.shared_examples 'cannot access project services' do
  it 'raises error' do
-    expect do
-      resolve_services
-    end.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+    expect(resolve_services).to be_nil
  end
 end