Behavioral changes: Return nil instead of raising errors

This changes some of our GraphQL resolution behavior to return nil when values cannot be authorized. This is the correct behavior, and prevents resource scanning.

Behavioral changes: Return nil instead of raising errors
This changes some of our GraphQL resolution behavior to return nil when values cannot be authorized. This is the correct behavior, and prevents resource scanning.
58931f4a · Alex Kalderimis · 9c2b4578 · 58931f4a · 58931f4a · 58931f4a
Commit 58931f4a authored Dec 02, 2020 by Alex Kalderimis
10 changed files
--- a/app/graphql/resolvers/board_lists_resolver.rb
+++ b/app/graphql/resolvers/board_lists_resolver.rb
@@ -3,9 +3,13 @@
 module Resolvers
  class BoardListsResolver < BaseResolver
    include BoardIssueFilterable
+    prepend ManualAuthorization
    include Gitlab::Graphql::Authorize::AuthorizeResource

    type Types::BoardListType, null: true
+    extras [:lookahead]
+
+    authorize :read_list

    argument :id, Types::GlobalIDType[List],
             required: false,
@@ -42,10 +46,6 @@ module Resolvers
      service.execute(board, create_default_lists: false)
    end

-    def authorized_resource?(board)
-      Ability.allowed?(context[:current_user], :read_list, board)
-    end
-
    def load_preferences?(lookahead)
      lookahead&.selection(:edges)&.selection(:node)&.selects?(:collapsed)
    end

--- a/app/graphql/resolvers/concerns/manual_authorization.rb
+++ b/app/graphql/resolvers/concerns/manual_authorization.rb
+# frozen_string_literal: true
+
+# TODO: remove this entirely when framework authorization is released
+# See: https://gitlab.com/gitlab-org/gitlab/-/issues/290216
+module ManualAuthorization
+  def resolve(**args)
+    super
+  rescue ::Gitlab::Graphql::Errors::ResourceNotAvailable
+    nil
+  end
+end
--- a/app/graphql/resolvers/projects/jira_imports_resolver.rb
+++ b/app/graphql/resolvers/projects/jira_imports_resolver.rb
@@ -3,10 +3,11 @@
 module Resolvers
  module Projects
    class JiraImportsResolver < BaseResolver
-      type Types::JiraImportType.connection_type, null: true
-
+      prepend ::ManualAuthorization
      include Gitlab::Graphql::Authorize::AuthorizeResource

+      type Types::JiraImportType.connection_type, null: true
+
      alias_method :project, :object

      def resolve(**args)

--- a/app/graphql/resolvers/projects/services_resolver.rb
+++ b/app/graphql/resolvers/projects/services_resolver.rb
@@ -3,9 +3,11 @@
 module Resolvers
  module Projects
    class ServicesResolver < BaseResolver
+      prepend ManualAuthorization
      include Gitlab::Graphql::Authorize::AuthorizeResource

      type Types::Projects::ServiceType.connection_type, null: true
+      authorize :admin_project

      argument :active,
               GraphQL::BOOLEAN_TYPE,
@@ -24,10 +26,6 @@ module Resolvers
        services(args[:active], args[:type])
      end

-      def authorized_resource?(project)
-        Ability.allowed?(context[:current_user], :admin_project, project)
-      end
-
      private

      def services(active, type)

--- a/app/graphql/resolvers/snippets/blobs_resolver.rb
+++ b/app/graphql/resolvers/snippets/blobs_resolver.rb
@@ -3,9 +3,11 @@
 module Resolvers
  module Snippets
    class BlobsResolver < BaseResolver
+      prepend ManualAuthorization
      include Gitlab::Graphql::Authorize::AuthorizeResource

      type Types::Snippets::BlobType.connection_type, null: true
+      authorize :read_snippet

      alias_method :snippet, :object

@@ -27,10 +29,6 @@ module Resolvers
        end
      end

-      def authorized_resource?(snippet)
-        Ability.allowed?(context[:current_user], :read_snippet, snippet)
-      end
-
      private

      def transformed_blob_paths(paths)

--- a/ee/app/graphql/mutations/dast_site_profiles/delete.rb
+++ b/ee/app/graphql/mutations/dast_site_profiles/delete.rb
@@ -34,6 +34,8 @@ module Mutations

      def find_dast_site_profile(project:, global_id:)
        project.dast_site_profiles.find(global_id.model_id)
+      rescue ActiveRecord::RecordNotFound
+        raise_resource_not_available_error!
      end
    end
  end

--- a/ee/spec/requests/api/graphql/mutations/dast_site_profiles/create_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/dast_site_profiles/create_spec.rb
@@ -24,17 +24,7 @@ RSpec.describe 'Creating a DAST Site Profile' do
    it 'returns the dast_site_profile id' do
      subject

-      expect(mutation_response["id"]).to eq(dast_site_profile.to_global_id.to_s)
-    end
-
-    context 'when an unknown error occurs' do
-      before do
-        allow(DastSiteProfile).to receive(:create!).and_raise(StandardError)
-      end
-
-      it_behaves_like 'a mutation that returns top-level errors' do
-        let(:match_errors) { contain_exactly(include('Internal server error')) }
-      end
+      expect(mutation_response).to include('id' => global_id_of(dast_site_profile))
    end
  end
 end
--- a/ee/spec/requests/api/graphql/mutations/dast_site_profiles/delete_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/dast_site_profiles/delete_spec.rb
@@ -38,9 +38,8 @@ RSpec.describe 'Creating a DAST Site Profile' do
        dast_site_profile.destroy!
      end

-      it_behaves_like 'a mutation that returns top-level errors' do
-        let(:match_errors) { contain_exactly(include("Internal server error: Couldn't find DastSiteProfile")) }
-      end
+      it_behaves_like 'a mutation that returns top-level errors',
+        errors: [::Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR]
    end

    context 'when wrong type of global id is passed' do

--- a/spec/graphql/mutations/boards/issues/issue_move_list_spec.rb
+++ b/spec/graphql/mutations/boards/issues/issue_move_list_spec.rb
@@ -73,18 +73,6 @@ RSpec.describe Mutations::Boards::Issues::IssueMoveList do

        it_behaves_like 'raises a resource not available error'
      end
-
-      context 'when user cannot access board' do
-        let(:board) { create(:board, group: create(:group, :private)) }
-
-        it_behaves_like 'raises a resource not available error'
-      end
-
-      context 'when passing board_id as nil' do
-        let(:board) { nil }
-
-        it_behaves_like 'raises a resource not available error'
-      end
    end
  end
 end
--- a/spec/graphql/resolvers/board_lists_resolver_spec.rb
+++ b/spec/graphql/resolvers/board_lists_resolver_spec.rb
@@ -29,9 +29,7 @@ RSpec.describe Resolvers::BoardListsResolver do

    context 'with unauthorized user' do
      it 'raises an error' do
-        expect do
-          resolve_board_lists(current_user: unauth_user)
-        end.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+        expect(resolve_board_lists(current_user: unauth_user)).to be_nil
      end
    end

@@ -101,12 +99,6 @@ RSpec.describe Resolvers::BoardListsResolver do
  end

  def resolve_board_lists(args: {}, current_user: user)
-    context = GraphQL::Query::Context.new(
-      query: OpenStruct.new(schema: nil),
-      values: { current_user: current_user },
-      object: nil
-    )
-
-    resolve(described_class, obj: board, args: args, ctx: context )
+    resolve(described_class, obj: board, args: args, ctx: { current_user: current_user })
  end
 end