
Function authorizeQuery

edgraph/access.go:957–1047  ·  view source on GitHub ↗

authorizeQuery authorizes the query using the aclCachePtr. It silently drops every unauthorized predicate from the query rather than returning an error for them. At this stage, the namespace is not yet attached to the predicates.

(ctx context.Context, parsedReq *dql.Result, graphql bool)


955// unauthorized predicates from query.
956// At this stage, namespace is not attached in the predicates.
957func authorizeQuery(ctx context.Context, parsedReq *dql.Result, graphql bool) error {
958 if worker.Config.AclSecretKey == nil {
959 // the user has not turned on the acl feature
960 return nil
961 }
962
963 var userId string
964 var groupIds []string
965 var namespace uint64
966 predsAndvars := parsePredsFromQuery(parsedReq.Query)
967 preds := predsAndvars.preds
968 varsToPredMap := predsAndvars.vars
969
970 // Need this to efficiently identify blocked variables from the
971 // list of blocked predicates
972 predToVarsMap := make(map[string]string)
973 for k, v := range varsToPredMap {
974 predToVarsMap[v] = k
975 }
976
977 doAuthorizeQuery := func() (map[string]struct{}, []string, error) {
978 userData, err := extractUserAndGroups(ctx)
979 if err != nil {
980 return nil, nil, status.Error(codes.Unauthenticated, err.Error())
981 }
982
983 userId = userData.userId
984 groupIds = userData.groupIds
985 namespace = userData.namespace
986
987 if x.IsSuperAdmin(groupIds) {
988 if shouldAllowAcls(userData.namespace) {
989 // Members of guardian groups are allowed to query anything.
990 return nil, nil, nil
991 }
992 return blockedPreds(preds), nil, nil
993 }
994
995 result := authorizePreds(ctx, userData, preds, acl.Read)
996 return result.blocked, result.allowed, nil
997 }
998
999 blockedPreds, allowedPreds, err := doAuthorizeQuery()
1000 if err != nil {
1001 return err
1002 }
1003
1004 if span := otrace.FromContext(ctx); span != nil {
1005 span.Annotatef(nil, (&accessEntry{
1006 userId: userId,
1007 groups: groupIds,
1008 preds: preds,
1009 operation: acl.Read,
1010 allowed: err == nil,
1011 }).String())
1012 }
1013
1014 if len(blockedPreds) != 0 {
