Behavioral changes: Return nil instead of raising errors

This changes some of our GraphQL resolution behavior to return nil when values cannot be authorized. This is the correct behavior, and prevents resource scanning.

Behavioral changes: Return nil instead of raising errors
This changes some of our GraphQL resolution behavior to return nil when values cannot be authorized. This is the correct behavior, and prevents resource scanning.
58931f4a · Alex Kalderimis · 9c2b4578 · 58931f4a · 58931f4a · 58931f4a
Commit 58931f4a authored Dec 02, 2020 by Alex Kalderimis
10 changed files
--- a/app/graphql/resolvers/board_lists_resolver.rb
+++ b/app/graphql/resolvers/board_lists_resolver.rb
@@ -3,9 +3,13 @@
 module Resolvers
  class BoardListsResolver < BaseResolver
    include BoardIssueFilterable
+    prepend ManualAuthorization
    include Gitlab::Graphql::Authorize::AuthorizeResource
    type Types::BoardListType, null: true
+    extras [:lookahead]
+    authorize :read_list
    argument :id, Types::GlobalIDType[List],
             required: false,
@@ -42,10 +46,6 @@ module Resolvers
      service.execute(board, create_default_lists: false)
    end
-    def authorized_resource?(board)
-      Ability.allowed?(context[:current_user], :read_list, board)
-    end
    def load_preferences?(lookahead)
      lookahead&.selection(:edges)&.selection(:node)&.selects?(:collapsed)
    end

--- a/app/graphql/resolvers/concerns/manual_authorization.rb
+++ b/app/graphql/resolvers/concerns/manual_authorization.rb
+# frozen_string_literal: true
+# TODO: remove this entirely when framework authorization is released
+# See: https://gitlab.com/gitlab-org/gitlab/-/issues/290216
+module ManualAuthorization
+  def resolve(**args)
+    super
+  rescue ::Gitlab::Graphql::Errors::ResourceNotAvailable
+    nil
+  end
+end
--- a/app/graphql/resolvers/projects/jira_imports_resolver.rb
+++ b/app/graphql/resolvers/projects/jira_imports_resolver.rb
@@ -3,10 +3,11 @@
 module Resolvers
  module Projects
    class JiraImportsResolver < BaseResolver
-      type Types::JiraImportType.connection_type, null: true
+      prepend ::ManualAuthorization
      include Gitlab::Graphql::Authorize::AuthorizeResource
+      type Types::JiraImportType.connection_type, null: true
      alias_method :project, :object
      def resolve(**args)

--- a/app/graphql/resolvers/projects/services_resolver.rb
+++ b/app/graphql/resolvers/projects/services_resolver.rb
@@ -3,9 +3,11 @@
 module Resolvers
  module Projects
    class ServicesResolver < BaseResolver
+      prepend ManualAuthorization
      include Gitlab::Graphql::Authorize::AuthorizeResource
      type Types::Projects::ServiceType.connection_type, null: true
+      authorize :admin_project
      argument :active,
               GraphQL::BOOLEAN_TYPE,
@@ -24,10 +26,6 @@ module Resolvers
        services(args[:active], args[:type])
      end
-      def authorized_resource?(project)
-        Ability.allowed?(context[:current_user], :admin_project, project)
-      end
      private
      def services(active, type)

--- a/app/graphql/resolvers/snippets/blobs_resolver.rb
+++ b/app/graphql/resolvers/snippets/blobs_resolver.rb
@@ -3,9 +3,11 @@
 module Resolvers
  module Snippets
    class BlobsResolver < BaseResolver
+      prepend ManualAuthorization
      include Gitlab::Graphql::Authorize::AuthorizeResource
      type Types::Snippets::BlobType.connection_type, null: true
+      authorize :read_snippet
      alias_method :snippet, :object
@@ -27,10 +29,6 @@ module Resolvers
        end
      end
-      def authorized_resource?(snippet)
-        Ability.allowed?(context[:current_user], :read_snippet, snippet)
-      end
      private
      def transformed_blob_paths(paths)

--- a/ee/app/graphql/mutations/dast_site_profiles/delete.rb
+++ b/ee/app/graphql/mutations/dast_site_profiles/delete.rb
@@ -34,6 +34,8 @@ module Mutations
      def find_dast_site_profile(project:, global_id:)
        project.dast_site_profiles.find(global_id.model_id)
+      rescue ActiveRecord::RecordNotFound
+        raise_resource_not_available_error!
      end
    end
  end

--- a/ee/spec/requests/api/graphql/mutations/dast_site_profiles/create_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/dast_site_profiles/create_spec.rb
@@ -24,17 +24,7 @@ RSpec.describe 'Creating a DAST Site Profile' do
    it 'returns the dast_site_profile id' do
      subject
-      expect(mutation_response["id"]).to eq(dast_site_profile.to_global_id.to_s)
+      expect(mutation_response).to include('id' => global_id_of(dast_site_profile))
-    end
-    context 'when an unknown error occurs' do
-      before do
-        allow(DastSiteProfile).to receive(:create!).and_raise(StandardError)
-      end
-      it_behaves_like 'a mutation that returns top-level errors' do
-        let(:match_errors) { contain_exactly(include('Internal server error')) }
-      end
    end
  end
 end
--- a/ee/spec/requests/api/graphql/mutations/dast_site_profiles/delete_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/dast_site_profiles/delete_spec.rb
@@ -38,9 +38,8 @@ RSpec.describe 'Creating a DAST Site Profile' do
        dast_site_profile.destroy!
      end
-      it_behaves_like 'a mutation that returns top-level errors' do
+      it_behaves_like 'a mutation that returns top-level errors',
-        let(:match_errors) { contain_exactly(include("Internal server error: Couldn't find DastSiteProfile")) }
+        errors: [::Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR]
-      end
    end
    context 'when wrong type of global id is passed' do

--- a/spec/graphql/mutations/boards/issues/issue_move_list_spec.rb
+++ b/spec/graphql/mutations/boards/issues/issue_move_list_spec.rb
@@ -73,18 +73,6 @@ RSpec.describe Mutations::Boards::Issues::IssueMoveList do
        it_behaves_like 'raises a resource not available error'
      end
-      context 'when user cannot access board' do
-        let(:board) { create(:board, group: create(:group, :private)) }
-        it_behaves_like 'raises a resource not available error'
-      end
-      context 'when passing board_id as nil' do
-        let(:board) { nil }
-        it_behaves_like 'raises a resource not available error'
-      end
    end
  end
 end
--- a/spec/graphql/resolvers/board_lists_resolver_spec.rb
+++ b/spec/graphql/resolvers/board_lists_resolver_spec.rb
@@ -29,9 +29,7 @@ RSpec.describe Resolvers::BoardListsResolver do
    context 'with unauthorized user' do
      it 'raises an error' do
-        expect do
+        expect(resolve_board_lists(current_user: unauth_user)).to be_nil
-          resolve_board_lists(current_user: unauth_user)
-        end.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
      end
    end
@@ -101,12 +99,6 @@ RSpec.describe Resolvers::BoardListsResolver do
  end
  def resolve_board_lists(args: {}, current_user: user)
-    context = GraphQL::Query::Context.new(
+    resolve(described_class, obj: board, args: args, ctx: { current_user: current_user })
-      query: OpenStruct.new(schema: nil),
-      values: { current_user: current_user },
-      object: nil
-    )
-    resolve(described_class, obj: board, args: args, ctx: context )
  end
 end