(ctx context.Context, er *query.ExecutionResult)
| 1047 | } |
| 1048 | |
| 1049 | func authorizeSchemaQuery(ctx context.Context, er *query.ExecutionResult) error { |
| 1050 | if worker.Config.AclSecretKey == nil { |
| 1051 | // the user has not turned on the acl feature |
| 1052 | return nil |
| 1053 | } |
| 1054 | |
| 1055 | // find the predicates being sent in response |
| 1056 | preds := make([]string, 0) |
| 1057 | predsMap := make(map[string]struct{}) |
| 1058 | for _, predNode := range er.SchemaNode { |
| 1059 | preds = append(preds, predNode.Predicate) |
| 1060 | predsMap[predNode.Predicate] = struct{}{} |
| 1061 | } |
| 1062 | for _, typeNode := range er.Types { |
| 1063 | for _, field := range typeNode.Fields { |
| 1064 | if _, ok := predsMap[field.Predicate]; !ok { |
| 1065 | preds = append(preds, field.Predicate) |
| 1066 | } |
| 1067 | } |
| 1068 | } |
| 1069 | |
| 1070 | doAuthorizeSchemaQuery := func() (map[string]struct{}, error) { |
| 1071 | userData, err := extractUserAndGroups(ctx) |
| 1072 | if err != nil { |
| 1073 | return nil, status.Error(codes.Unauthenticated, err.Error()) |
| 1074 | } |
| 1075 | |
| 1076 | groupIds := userData.groupIds |
| 1077 | if x.IsSuperAdmin(groupIds) { |
| 1078 | if shouldAllowAcls(userData.namespace) { |
| 1079 | // Members of guardian groups are allowed to query anything. |
| 1080 | return nil, nil |
| 1081 | } |
| 1082 | return blockedPreds(preds), nil |
| 1083 | } |
| 1084 | result := authorizePreds(ctx, userData, preds, acl.Read) |
| 1085 | return result.blocked, nil |
| 1086 | } |
| 1087 | |
| 1088 | // find the predicates which are blocked for the schema query |
| 1089 | blockedPreds, err := doAuthorizeSchemaQuery() |
| 1090 | if err != nil { |
| 1091 | return err |
| 1092 | } |
| 1093 | |
| 1094 | // remove those predicates from response |
| 1095 | if len(blockedPreds) > 0 { |
| 1096 | respPreds := make([]*pb.SchemaNode, 0) |
| 1097 | for _, predNode := range er.SchemaNode { |
| 1098 | if _, ok := blockedPreds[predNode.Predicate]; !ok { |
| 1099 | respPreds = append(respPreds, predNode) |
| 1100 | } |
| 1101 | } |
| 1102 | er.SchemaNode = respPreds |
| 1103 | |
| 1104 | for _, typeNode := range er.Types { |
| 1105 | respFields := make([]*pb.SchemaUpdate, 0) |
| 1106 | for _, field := range typeNode.Fields { |