From 6244a6213c9ded89a4dfc1af26d08410d0ab335d Mon Sep 17 00:00:00 2001
From: Karthikeyan Chinnakonda
Date: Mon, 20 Apr 2020 14:01:53 +0530
Subject: [PATCH 1/5] add additional tests for testing claims_namespace_path in JWT tokens - add tests for at root level and at a nested level
---
.circleci/test-server.sh | 27 ++++++++++++++++++++++++++-
server/tests-py/validate.py | 12 ++++++++----
2 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/.circleci/test-server.sh b/.circleci/test-server.sh
index 2c31a49c12217..ae7d0e27c267c 100755
--- a/.circleci/test-server.sh
+++ b/.circleci/test-server.sh
@@ -322,7 +322,32 @@ unset HASURA_GRAPHQL_JWT_SECRET echo -e "\n$(time_elapsed): <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with claims_namespace_path) #####################################>\n" TEST_TYPE="jwt-with-claims-namespace-path" -export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$.hasuraClaims"}')" +# hasura claims at the root of the JWT token +export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$"}')" + +run_hge_with_args serve +wait_for_port 8080 + +pytest -n 1 -vv --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" --hge-key="$HASURA_GRAPHQL_ADMIN_SECRET" --hge-jwt-key-file="$OUTPUT_FOLDER/ssl/jwt_private.key" --hge-jwt-conf="$HASURA_GRAPHQL_JWT_SECRET" test_jwt.py + +kill_hge_servers + +unset HASURA_GRAPHQL_JWT_SECRET + +# hasura claims at one level of nesting +export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura_claims"}')" + +run_hge_with_args serve +wait_for_port 8080 + +pytest -n 1 -vv --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" --hge-key="$HASURA_GRAPHQL_ADMIN_SECRET" --hge-jwt-key-file="$OUTPUT_FOLDER/ssl/jwt_private.key" --hge-jwt-conf="$HASURA_GRAPHQL_JWT_SECRET" test_jwt.py + +kill_hge_servers + +unset HASURA_GRAPHQL_JWT_SECRET + +# hasura claims at two levels of nesting +export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura.claims"}')" run_hge_with_args serve wait_for_port 8080 diff --git a/server/tests-py/validate.py b/server/tests-py/validate.py index 080103a60a410..e6dc2c84d7b4c 100644 --- a/server/tests-py/validate.py +++ b/server/tests-py/validate.py 
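Review bot: The three added `export HASURA_GRAPHQL_JWT_SECRET="$(jq … "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" …)"` lines leave `$OUTPUT_FOLDER` unquoted and hide the exit status of both `cat` and `jq` behind `export`. If the key file cannot be read, jq still emits a config with an empty `key`, and whether the run then stops depends on behaviour outside this hunk, so a JWT test could start against a secret nobody intended. Reading the key once up front makes that failure explicit: `jwt_pub="$(cat "$OUTPUT_FOLDER/ssl/jwt_public.key")" || exit 1`, then `--arg key "$jwt_pub"` in each jq call. The third block's `pytest` and `kill_hge_servers` steps lie below the hunk.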
@@ -122,16 +122,20 @@ def test_forbidden_webhook(hge_ctx, conf): 'request id': resp_hdrs.get('x-request-id') }) - def mk_claims_with_namespace_path(claims,hasura_claims,namespace_path): if namespace_path is None: claims['https://hasura.io/jwt/claims'] = hasura_claims - elif namespace_path == "$.hasuraClaims": - claims['hasuraClaims'] = hasura_claims + elif namespace_path == "$": + claims.update(hasura_claims) + elif namespace_path == "$.hasura_claims": + claims['hasura_claims'] = hasura_claims + elif namespace_path == "$.hasura.claims": + claims['hasura'] = {} + claims['hasura']['claims'] = hasura_claims else: raise Exception( '''claims_namespace_path should not be anything - other than $.hasuraClaims for testing. The + other than $.hasura_claims, $.hasura.claims or $ for testing. The value of claims_namespace_path was {}'''.format(namespace_path)) return claims From 73d387dc5db679643d25d30124eae8158e98ad98 Mon Sep 17 00:00:00 2001 From: Karthikeyan Chinnakonda Date: Mon, 20 Apr 2020 15:48:39 +0530 Subject: [PATCH 2/5] modify the JWT tests --- .circleci/test-server.sh | 13 +++++++++---- server/src-lib/Data/Parser/JSONPath.hs | 1 - server/tests-py/validate.py | 26 +++++++++++++------------- 3 files changed, 22 insertions(+), 18 deletions(-) diff --git a/.circleci/test-server.sh b/.circleci/test-server.sh index ae7d0e27c267c..c2ed78ef653e5 100755 --- a/.circleci/test-server.sh +++ b/.circleci/test-server.sh 
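Review bot: In the new `$` branch, `claims.update(hasura_claims)` merges the Hasura claims into the token root in place, so any key that `hasura_claims` shares with `claims` is overwritten without notice; the `$.hasura.claims` branch likewise replaces an existing `claims['hasura']`. The callers are outside this hunk, so whether a collision can actually occur is not visible here. A guard such as `assert not set(claims) & set(hasura_claims)` before the update would make a clash fail loudly instead of producing a token that differs from what the test meant to sign. A docstring stating that `claims` is mutated and returned, and that `namespace_path` is compared against exact literals rather than parsed, would also help.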
@@ -318,9 +318,8 @@ kill_hge_servers unset HASURA_GRAPHQL_JWT_SECRET -########## -echo -e "\n$(time_elapsed): <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with claims_namespace_path) #####################################>\n" -TEST_TYPE="jwt-with-claims-namespace-path" +echo -e "\n$(time_elapsed): <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with claims_namespace_path = '$') #####################################>\n" +TEST_TYPE="jwt-with-claims-namespace-path-root" # hasura claims at the root of the JWT token export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$"}')" @@ -334,6 +333,9 @@ kill_hge_servers unset HASURA_GRAPHQL_JWT_SECRET +echo -e "\n$(time_elapsed): <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with claims_namespace_path = '$.hasura_claims') #####################################>\n" +TEST_TYPE="jwt-with-claims-namespace-path-one-level-nest" + # hasura claims at one level of nesting export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura_claims"}')" @@ -346,8 +348,11 @@ kill_hge_servers unset HASURA_GRAPHQL_JWT_SECRET +echo -e "\n$(time_elapsed): <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with claims_namespace_path = '$.hasura['claims%']') #####################################>\n" +TEST_TYPE="jwt-with-claims-namespace-path-two-level-nest-with-special-chars" + # hasura claims at two levels of nesting -export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura.claims"}')" +export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura['\''claims%'\'']"}')" run_hge_with_args serve wait_for_port 8080 
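Review bot: In the `@@ -346,8 +348,11 @@` hunk, the `'\''claims%'\''` quoting splices shell quotes into the jq program text, which is easy to break when another path is added. Passing the path as data keeps the filter constant: `--arg path "\$.hasura['claims%']"` with `claims_namespace_path: $path` inside the filter. The literal has to stay identical to the string compared in `mk_claims_with_namespace_path` in validate.py, which this same patch updates, so a single place to define it per run would reduce the chance of the two drifting apart.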
diff --git a/server/src-lib/Data/Parser/JSONPath.hs b/server/src-lib/Data/Parser/JSONPath.hs index 552964dbbcc79..78658c93b5688 100644 --- a/server/src-lib/Data/Parser/JSONPath.hs +++ b/server/src-lib/Data/Parser/JSONPath.hs @@ -53,4 +53,3 @@ bracketElement = do pure result charOrEscape delimiter = (char '\\' *> anyChar) <|> notChar delimiter - diff --git a/server/tests-py/validate.py b/server/tests-py/validate.py index e6dc2c84d7b4c..efcb9592fae34 100644 --- a/server/tests-py/validate.py +++ b/server/tests-py/validate.py @@ -123,21 +123,21 @@ def test_forbidden_webhook(hge_ctx, conf): }) def mk_claims_with_namespace_path(claims,hasura_claims,namespace_path): - if namespace_path is None: - claims['https://hasura.io/jwt/claims'] = hasura_claims - elif namespace_path == "$": - claims.update(hasura_claims) - elif namespace_path == "$.hasura_claims": - claims['hasura_claims'] = hasura_claims - elif namespace_path == "$.hasura.claims": - claims['hasura'] = {} - claims['hasura']['claims'] = hasura_claims - else: - raise Exception( + if namespace_path is None: + claims['https://hasura.io/jwt/claims'] = hasura_claims + elif namespace_path == "$": + claims.update(hasura_claims) + elif namespace_path == "$.hasura_claims": + claims['hasura_claims'] = hasura_claims + elif namespace_path == "$.hasura['claims%']": + claims['hasura'] = {} + claims['hasura']['claims%'] = hasura_claims + else: + raise Exception( '''claims_namespace_path should not be anything - other than $.hasura_claims, $.hasura.claims or $ for testing. The + other than $.hasura_claims, $.hasura['claims%'] or $ for testing. The value of claims_namespace_path was {}'''.format(namespace_path)) - return claims + return claims # Returns the response received and a bool indicating whether the test passed # or not (this will always be True unless we are `--accepting`) From e24df7305ad940894acea52a3afae1a482508ec8 Mon Sep 17 00:00:00 2001 
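Review bot: The new `$.hasura['claims%']` branch is the only bracket-quoted path these tests build, so a key that relies on the backslash escape accepted by `charOrEscape` (visible as context in this patch's JSONPath.hs hunk) is, as far as this patch shows, never exercised. Because the path decides where the authorization claims are read from, a case with an escaped quote inside the brackets would be worth adding to this if/elif chain and to test-server.sh. Separately, the accepted literals are now spelled out in the branches, in the error message and in the shell script; a dict from path literal to a small builder function would keep the first two in sync.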
From: Karthikeyan Chinnakonda Date: Mon, 20 Apr 2020 16:28:56 +0530 Subject: [PATCH 3/5] combine the claims_namespace_path tests together in test-server.sh --- .circleci/test-server.sh | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/.circleci/test-server.sh b/.circleci/test-server.sh index c2ed78ef653e5..56cd5da724109 100755 --- a/.circleci/test-server.sh +++ b/.circleci/test-server.sh @@ -318,8 +318,9 @@ kill_hge_servers unset HASURA_GRAPHQL_JWT_SECRET -echo -e "\n$(time_elapsed): <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with claims_namespace_path = '$') #####################################>\n" -TEST_TYPE="jwt-with-claims-namespace-path-root" +########## +echo -e "\n$(time_elapsed): <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with claims_namespace_path) #####################################>\n" +TEST_TYPE="jwt-with-claims-namespace-path" # hasura claims at the root of the JWT token export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$"}')" @@ -333,9 +334,6 @@ kill_hge_servers unset HASURA_GRAPHQL_JWT_SECRET -echo -e "\n$(time_elapsed): <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with claims_namespace_path = '$.hasura_claims') #####################################>\n" -TEST_TYPE="jwt-with-claims-namespace-path-one-level-nest" - # hasura claims at one level of nesting export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura_claims"}')" 
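Review bot: After the `@@ -318,8 +318,9 @@` hunk all three claims_namespace_path runs execute under the single `TEST_TYPE="jwt-with-claims-namespace-path"`, where the previous patch gave each run its own value and banner. If `run_hge_with_args` or the log collection derives file names from `TEST_TYPE` (not visible in this hunk), later runs may overwrite or interleave with the earlier run's server log, and a failure can no longer be attributed to one path from the output alone. A short per-run marker before each `run_hge_with_args serve`, for example `echo "claims_namespace_path: \$.hasura_claims"`, would keep that attribution.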
@@ -348,10 +346,7 @@ kill_hge_servers unset HASURA_GRAPHQL_JWT_SECRET -echo -e "\n$(time_elapsed): <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with claims_namespace_path = '$.hasura['claims%']') #####################################>\n" -TEST_TYPE="jwt-with-claims-namespace-path-two-level-nest-with-special-chars" - -# hasura claims at two levels of nesting +# hasura claims at two levels of nesting with claims_namespace_path containing special character export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura['\''claims%'\'']"}')" run_hge_with_args serve From 3bd8e4c42a98e86e5c3396b479126ca93122728c Mon Sep 17 00:00:00 2001 From: Karthikeyan Chinnakonda Date: Mon, 20 Apr 2020 16:34:43 +0530 Subject: [PATCH 4/5] change the order of the claims_namespace_path tests --- .circleci/test-server.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.circleci/test-server.sh b/.circleci/test-server.sh index 56cd5da724109..4a9e40439b33d 100755 --- a/.circleci/test-server.sh +++ b/.circleci/test-server.sh @@ -322,8 +322,8 @@ unset HASURA_GRAPHQL_JWT_SECRET echo -e "\n$(time_elapsed): <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET AND JWT (with claims_namespace_path) #####################################>\n" TEST_TYPE="jwt-with-claims-namespace-path" -# hasura claims at the root of the JWT token -export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$"}')" +# hasura claims at one level of nesting +export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura_claims"}')" run_hge_with_args serve wait_for_port 8080 
@@ -334,8 +334,8 @@ kill_hge_servers unset HASURA_GRAPHQL_JWT_SECRET -# hasura claims at one level of nesting -export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura_claims"}')" +# hasura claims at the root of the JWT token +export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$"}')" run_hge_with_args serve wait_for_port 8080 From 71753f6d1741cc72de3951f1776462a82df1d3e0 Mon Sep 17 00:00:00 2001 From: Karthikeyan Chinnakonda Date: Mon, 20 Apr 2020 17:14:54 +0530 Subject: [PATCH 5/5] change the order of the claims_namespace_path tests --- .circleci/test-server.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.circleci/test-server.sh b/.circleci/test-server.sh index 4a9e40439b33d..e91fe60dfd568 100755 --- a/.circleci/test-server.sh +++ b/.circleci/test-server.sh @@ -334,8 +334,8 @@ kill_hge_servers unset HASURA_GRAPHQL_JWT_SECRET -# hasura claims at the root of the JWT token -export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$"}')" +# hasura claims at two levels of nesting with claims_namespace_path containing special character +export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura['\''claims%'\'']"}')" run_hge_with_args serve wait_for_port 8080 
@@ -346,8 +346,8 @@ kill_hge_servers unset HASURA_GRAPHQL_JWT_SECRET -# hasura claims at two levels of nesting with claims_namespace_path containing special character -export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura['\''claims%'\'']"}')" +# hasura claims at the root of the JWT token +export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$"}')" run_hge_with_args serve wait_for_port 8080