From 0e90aeae24ddad86fa18438fc6d0e0287b3b37d6 Mon Sep 17 00:00:00 2001
From: rakeshkky
Date: Mon, 20 May 2019 14:14:23 +0530
Subject: [PATCH] update allowed queries in schema cache on add/drop queries to collection, fix #2221
---
 .../src-lib/Hasura/RQL/DDL/QueryCollection.hs | 22 ++++++---
 .../graphql_query/allowlist/update_query.yaml | 45 +++++++++++++++++++
 server/tests-py/test_allowlist_queries.py | 5 +++
 3 files changed, 66 insertions(+), 6 deletions(-)
 create mode 100644 server/tests-py/queries/graphql_query/allowlist/update_query.yaml
diff --git a/server/src-lib/Hasura/RQL/DDL/QueryCollection.hs b/server/src-lib/Hasura/RQL/DDL/QueryCollection.hs
index 67eaf79cc1f35..eb94b12a49921 100644
--- a/server/src-lib/Hasura/RQL/DDL/QueryCollection.hs
+++ b/server/src-lib/Hasura/RQL/DDL/QueryCollection.hs
@@ -54,7 +54,7 @@ runCreateCollection cc = do
 CreateCollection collName def _ = cc
 runAddQueryToCollection
- :: (QErrM m, UserInfoM m, MonadTx m)
+ :: (QErrM m, CacheRWM m, UserInfoM m, MonadTx m)
 => AddQueryToCollection -> m EncJSON
 runAddQueryToCollection (AddQueryToCollection collName queryName query) = do
 adminOnly
@@ -65,7 +65,8 @@ runAddQueryToCollection (AddQueryToCollection collName queryName query) = do
 <> queryName <<> " already exists in collection " <>> collName
 let collDef = CollectionDef $ qList <> pure listQ
- liftTx $ updateCollectionDefCatalog collName collDef
+ collInAllowlist <- liftTx $ updateCollectionDefCatalog collName collDef
+ when collInAllowlist refreshAllowlist
 return successMsg
 where
 listQ = ListedQuery queryName query
@@ -91,7 +92,7 @@ runDropCollection (DropCollection collName cascade) = do
 return successMsg
 runDropQueryFromCollection
- :: (QErrM m, UserInfoM m, MonadTx m)
+ :: (QErrM m, CacheRWM m, UserInfoM m, MonadTx m)
 => DropQueryFromCollection -> m EncJSON
 runDropQueryFromCollection (DropQueryFromCollection collName queryName) = do
 adminOnly
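Review bot: The two lines added to runAddQueryToCollection (`collInAllowlist <- liftTx $ updateCollectionDefCatalog collName collDef` and `when collInAllowlist refreshAllowlist`) are repeated verbatim in runDropQueryFromCollection in the next hunk; a small shared helper, e.g. `updateCollectionDef collName collDef = do { inAllowlist <- liftTx $ updateCollectionDefCatalog collName collDef; when inAllowlist refreshAllowlist }`, would keep the two paths from drifting, which matters most on the drop path, where presumably a stale cache would keep accepting a query the operator removed. Gating the refresh on the catalog's allowlist membership is correct as far as the hunk shows, but nothing here records why the refresh is needed; a comment such as `-- the allowlist is enforced from the schema cache, so a change to an allow-listed collection must be mirrored there` above the call would help the next reader. Whether refreshAllowlist's in-memory effect is discarded if the enclosing transaction later fails is not visible in this hunk and is worth confirming. The function body starts outside the hunk.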
@@ -101,7 +102,8 @@ runDropQueryFromCollection (DropQueryFromCollection collName queryName) = do
 <> queryName <<> " not found in collection " <>> collName
 let collDef = CollectionDef $ flip filter qList $ \q -> _lqName q /= queryName
- liftTx $ updateCollectionDefCatalog collName collDef
+ collInAllowlist <- liftTx $ updateCollectionDefCatalog collName collDef
+ when collInAllowlist refreshAllowlist
 return successMsg
 runAddCollectionToAllowlist
@@ -193,8 +195,8 @@ delCollectionFromCatalog name =
 |] (Identity name) True
 updateCollectionDefCatalog
- :: CollectionName -> CollectionDef -> Q.TxE QErr ()
-updateCollectionDefCatalog collName def =
+ :: CollectionName -> CollectionDef -> Q.TxE QErr Bool
+updateCollectionDefCatalog collName def = do
 -- Update definition
 Q.unitQE defaultTxErrorHandler [Q.sql|
 UPDATE hdb_catalog.hdb_query_collection
@@ -202,6 +204,14 @@ updateCollectionDefCatalog collName def =
 WHERE collection_name = $2
 |] (Q.AltJ def, collName) True
+ -- Check whether collection present in allowlist
+ runIdentity . Q.getRow <$> Q.withQE defaultTxErrorHandler
+ [Q.sql|
+ SELECT EXISTS (
+ SELECT 1 FROM hdb_catalog.hdb_allowlist WHERE collection_name = $1
+ )
+ |] (Identity collName) True
+
 addCollectionToAllowlistCatalog :: CollectionName -> Q.TxE QErr ()
 addCollectionToAllowlistCatalog collName =
 Q.unitQE defaultTxErrorHandler [Q.sql|
diff --git a/server/tests-py/queries/graphql_query/allowlist/update_query.yaml b/server/tests-py/queries/graphql_query/allowlist/update_query.yaml
new file mode 100644
index 0000000000000..d074d051a1645
--- /dev/null
+++ b/server/tests-py/queries/graphql_query/allowlist/update_query.yaml
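Review bot: updateCollectionDefCatalog now returns a Bool whose meaning is stated only by the inline `-- Check whether collection present in allowlist` comment in the body; the signature change in the previous hunk (`Q.TxE QErr ()` to `Q.TxE QErr Bool`) carries no Haddock, so a caller reading the type cannot tell what the Bool reports. Suggest `-- | Writes the new definition to the catalog and returns whether the collection is currently listed in hdb_allowlist, so callers know to refresh the cached allowlist.` above the signature. Running the membership check inside the same catalog transaction as the UPDATE is the right place for it, as the two statements then succeed or fail together. As a point of style, a name that still reads as a plain update now hides a query result; if the Bool stays, a name that says so, or a separate `isCollectionInAllowlist` query called by the two callers, would read more honestly.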
@@ -0,0 +1,45 @@
+- description: Delete query from collection
+ url: /v1/query
+ status: 200
+ query:
+ type: drop_query_from_collection
+ args:
+ collection_name: collection_1
+ query_name: query_1
+
+- description: Add query to collection
+ url: /v1/query
+ status: 200
+ query:
+ type: add_query_to_collection
+ args:
+ collection_name: collection_1
+ query_name: query_1
+ query: |
+ query {
+ user{
+ id
+ name
+ }
+ }
+
+- description: Query as user
+ url: /v1/graphql
+ status: 200
+ headers:
+ X-Hasura-Role: user
+ response:
+ data:
+ user:
+ - id: 1
+ name: clarke
+ - id: 2
+ name: reckler
+ query:
+ query: |
+ query {
+ user{
+ id
+ name
+ }
+ }
diff --git a/server/tests-py/test_allowlist_queries.py b/server/tests-py/test_allowlist_queries.py
index 607a0c91e6d43..3c8fe86276f0a 100644
--- a/server/tests-py/test_allowlist_queries.py
+++ b/server/tests-py/test_allowlist_queries.py
@@ -24,6 +24,11 @@ def test_query_non_allowlist(self, hge_ctx, transport):
 def test_query_as_admin(self, hge_ctx, transport):
 check_query_f(hge_ctx, self.dir() + '/query_as_admin.yaml', transport)
+ def test_update_query(self, hge_ctx, transport):
+ # test only for http
+ transport = 'http'
+ check_query_f(hge_ctx, self.dir() + '/update_query.yaml', transport)
+
 @classmethod
 def dir(cls):
 return 'queries/graphql_query/allowlist'
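Review bot: update_query.yaml only exercises the direction that fails closed: after `drop_query_from_collection` it immediately re-adds `query_1` and then checks that the query succeeds as role `user`. The fail-open direction — that a query dropped from an allow-listed collection is rejected for a non-admin role before it is re-added — is never asserted, and that is exactly the case a stale allowlist cache would have let through. A step between the first two, sending the same `user { id name }` query with `X-Hasura-Role: user` and expecting the same rejection the existing non-allowlist fixture checks, would cover it; the expected status and error body should be copied from that fixture rather than guessed. The fixture also assumes `collection_1` is already in the allowlist and contains `query_1` from earlier setup, which is not visible here.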
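Review bot: `transport = 'http'` in test_update_query silently overrides the parametrized fixture, so the non-http parametrization re-runs the identical http case instead of being recorded as skipped, and the `# test only for http` comment does not say why the restriction exists. Prefer making it visible: `if transport != 'http': pytest.skip('update_query.yaml is http-only: <reason>')` before the `check_query_f` call (assuming `pytest` is imported in this file; the import block is outside the hunk), with the placeholder replaced by the actual reason. The enclosing class starts outside the hunk.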