# frozen_string_literal: true
require 'spec_helper'
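# Specs for the limits GitlabSchema places on incoming GraphQL queries
# (timeout, complexity, depth, recursion), plus multiplex authentication,
# query logging and GlobalID exposure.
#
# The limits bound how much work one request can demand. Several examples
# post with `current_user: nil`, which pins the limits for callers that
# supply no user as well.
describe 'GitlabSchema configurations' do
  include GraphqlHelpers

  let_it_be(:project) { create(:project) }

  # Shared by the single-query and multiplexed contexts below. The including
  # context must define `subject` so that it posts the query under test.
  shared_examples 'imposing query limits' do
    describe 'timeouts' do
      context 'when timeout is reached' do
        it 'shows an error' do
          # A zero-second budget makes any query exceed the timeout.
          allow_any_instance_of(Gitlab::Graphql::Timeout).to receive(:max_seconds).and_return(0)

          subject

          expect_graphql_errors_to_include(/Timeout/)
        end
      end
    end

    describe '#max_complexity' do
      context 'when complexity is too high' do
        it 'shows an error' do
          allow(GitlabSchema).to receive(:max_query_complexity).and_return 1

          subject

          expect_graphql_errors_to_include(/which exceeds max complexity of 1/)
        end
      end
    end

    describe '#max_depth' do
      context 'when query depth is too high' do
        it 'shows error' do
          allow(GitlabSchema).to receive(:max_query_depth).and_return 1

          subject

          expect_graphql_errors_to_include(/exceeds max depth/)
        end
      end

      context 'when query depth is within range' do
        it 'has no error' do
          allow(GitlabSchema).to receive(:max_query_depth).and_return 5

          subject

          expect_graphql_errors_to_be_empty
        end
      end
    end
  end

  context 'depth, complexity and recursion checking' do
    context 'unauthenticated recursive queries' do
      # Guards against the recursion check rejecting a legitimate
      # introspection query (a false positive).
      context 'a not-quite-recursive-enough introspective query' do
        it 'succeeds' do
          query = File.read(Rails.root.join('spec/fixtures/api/graphql/small-recursive-introspection.graphql'))

          post_graphql(query, current_user: nil)

          expect_graphql_errors_to_be_empty
        end
      end

      context 'failing queries' do
        before do
          allow(GitlabSchema).to receive(:max_query_recursion).and_return 1
        end

        context 'a recursive introspective query' do
          it 'fails due to recursion' do
            query = File.read(Rails.root.join('spec/fixtures/api/graphql/recursive-introspection.graphql'))

            post_graphql(query, current_user: nil)

            expect_graphql_errors_to_include [/Recursive query/]
          end
        end

        context 'a recursive non-introspective query' do
          # Together with the recursion stub in the enclosing `before`, every
          # limit is now 1, so each guard is expected to report its own error.
          before do
            allow(GitlabSchema).to receive(:max_query_complexity).and_return 1
            allow(GitlabSchema).to receive(:max_query_depth).and_return 1
          end

          shared_examples 'fails due to recursion, complexity and depth' do |fixture_file|
            it 'fails due to recursion, complexity and depth' do
              query = File.read(Rails.root.join(fixture_file))

              post_graphql(query, current_user: nil)

              # All three guards must fire; one rejection must not mask the others.
              expect_graphql_errors_to_include [/Recursive query/, /exceeds max complexity/, /exceeds max depth/]
            end
          end

          # Both connection spellings are covered so that neither one can be
          # used to slip past the recursion check.
          context 'using `nodes` notation' do
            it_behaves_like 'fails due to recursion, complexity and depth', 'spec/fixtures/api/graphql/recursive-query-nodes.graphql'
          end

          context 'using `edges -> node` notation' do
            it_behaves_like 'fails due to recursion, complexity and depth', 'spec/fixtures/api/graphql/recursive-query-edges-node.graphql'
          end
        end
      end
    end
  end

  context 'regular queries' do
    # NOTE(review): no `current_user:` is passed here; which user the helper
    # falls back to is not visible in this file -- confirm in GraphqlHelpers.
    subject do
      query = graphql_query_for('project', { 'fullPath' => project.full_path }, %w(id name description))
      post_graphql(query)
    end

    it_behaves_like 'imposing query limits'
  end

  context 'multiplexed queries' do
    let(:current_user) { nil }

    # A batch of three queries sent in one request. The last one asks for a
    # permission on `project`, which the authentication examples inspect.
    subject do
      queries = [
        { query: graphql_query_for('project', { 'fullPath' => '$fullPath' }, %w(id name description)) },
        { query: graphql_query_for('echo', { 'text' => "$test" }, []), variables: { "test" => "Hello world" } },
        { query: graphql_query_for('project', { 'fullPath' => project.full_path }, "userPermissions { createIssue }") }
      ]

      post_multiplex(queries, current_user: current_user)
    end

    # With `current_user` nil, the last query in the batch must not resolve
    # the project.
    # NOTE(review): this presumably relies on the factory project not being
    # publicly readable -- confirm against the :project factory.
    it 'does not authenticate all queries' do
      subject

      expect(json_response.last['data']['project']).to be_nil
    end

    it_behaves_like 'imposing query limits' do
      # The complexity limit applies to the whole batch: one over-limit query
      # must deny data for every query in the request.
      it 'fails all queries when only one of the queries is too complex' do
        # The `project` query above has a complexity of 5
        allow(GitlabSchema).to receive(:max_query_complexity).and_return 4

        subject

        # Expect a response for each query, even though it will be empty
        expect(json_response.size).to eq(3)
        json_response.each do |single_query_response|
          expect(single_query_response).not_to have_key('data')
        end

        # Expect errors for each query
        expect(graphql_errors.size).to eq(3)
        # NOTE(review): the element is never passed to the helper, so each
        # iteration appears to repeat the same check rather than inspect one
        # query's errors -- confirm against expect_graphql_errors_to_include.
        graphql_errors.each do |_single_query_errors|
          expect_graphql_errors_to_include(/which exceeds max complexity of 4/)
        end
      end
    end

    context 'authentication' do
      let(:current_user) { project.owner }

      # The user passed to the multiplex request must apply to every query
      # in the batch, including the last one.
      it 'authenticates all queries' do
        subject

        expect(json_response.last['data']['project']['userPermissions']['createIssue']).to be(true)
      end
    end
  end

  # The introspection fixture must stay within the real, unstubbed limits.
  context 'when IntrospectionQuery' do
    it 'is not too complex nor recursive' do
      query = File.read(Rails.root.join('spec/fixtures/api/graphql/introspection.graphql'))

      post_graphql(query, current_user: nil)

      expect_graphql_errors_to_be_empty
    end
  end

  context 'logging' do
    let(:query) { File.read(Rails.root.join('spec/fixtures/api/graphql/introspection.graphql')) }

    it 'logs the query complexity and depth' do
      # `complexity` and `depth` are the values measured for the introspection
      # fixture; they change whenever the fixture or the schema changes.
      # NOTE(review): the expected log entry carries the raw query string and
      # the stringified variables -- confirm that sensitive variable values
      # are filtered before they reach the log.
      analyzer_memo = {
        query_string: query,
        variables: {}.to_s,
        complexity: 181,
        depth: 13,
        duration_s: 7
      }

      # The duration is stubbed so the logged payload is deterministic.
      expect_any_instance_of(Gitlab::Graphql::QueryAnalyzers::LoggerAnalyzer).to receive(:duration).and_return(7)
      expect(Gitlab::GraphqlLogger).to receive(:info).with(analyzer_memo)

      post_graphql(query, current_user: nil)
    end

    it 'logs using `format_message`' do
      expect_any_instance_of(Gitlab::GraphqlLogger).to receive(:format_message)

      post_graphql(query, current_user: nil)
    end
  end

  context "global id's" do
    # The `id` field must be a GlobalID that parses back to the project's own
    # global id.
    it 'uses GlobalID to expose ids' do
      post_graphql(graphql_query_for('project', { 'fullPath' => project.full_path }, %w(id)),
                   current_user: project.owner)

      parsed_id = GlobalID.parse(graphql_data['project']['id'])

      expect(parsed_id).to eq(project.to_global_id)
    end
  end
end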