# frozen_string_literal: true require 'spec_helper' RSpec.describe GraphqlController do include GraphqlHelpers # two days is enough to make timezones irrelevant let_it_be(:last_activity_on) { 2.days.ago.to_date } describe 'rescue_from' do let_it_be(:message) { 'green ideas sleep furiously' } it 'handles ArgumentError' do allow(subject).to receive(:execute) do raise Gitlab::Graphql::Errors::ArgumentError, message end post :execute expect(json_response).to include( 'errors' => include(a_hash_including('message' => message)) ) end it 'handles a timeout nicely' do allow(subject).to receive(:execute) do raise ActiveRecord::QueryCanceled, '**taps wristwatch**' end post :execute expect(json_response).to include( 'errors' => include(a_hash_including('message' => /Request timed out/)) ) end it 'handles StandardError' do allow(subject).to receive(:execute) do raise StandardError, message end post :execute expect(json_response).to include( 'errors' => include(a_hash_including('message' => /Internal server error/, 'raisedAt' => /graphql_controller_spec.rb/)) ) end it 'handles Gitlab::Auth::TooManyIps', :aggregate_failures do allow(controller).to receive(:execute) do raise Gitlab::Auth::TooManyIps.new(150, '123.123.123.123', 10) end expect(controller).to receive(:log_exception).and_call_original post :execute expect(json_response).to include( 'errors' => include( a_hash_including('message' => 'User 150 from IP: 123.123.123.123 tried logging from too many ips: 10') ) ) expect(response).to have_gitlab_http_status(:forbidden) end end describe 'POST #execute' do context 'when user is logged in' do let(:user) { create(:user, last_activity_on: last_activity_on) } before do sign_in(user) end it 'sets feature category in ApplicationContext from request' do request.headers["HTTP_X_GITLAB_FEATURE_CATEGORY"] = "web_ide" post :execute expect(::Gitlab::ApplicationContext.current_context_attribute(:feature_category)).to eq('web_ide') end it 'returns 200 when user can access API' do post :execute expect(response).to have_gitlab_http_status(:ok) end it 'executes a simple query with no errors' do post :execute, params: { query: '{ __typename }' } expect(response).to have_gitlab_http_status(:ok) expect(json_response).to eq({ 'data' => { '__typename' => 'Query' } }) end it 'executes a simple multiplexed query with no errors' do multiplex = [{ query: '{ __typename }' }] * 2 post :execute, params: { _json: multiplex } expect(response).to have_gitlab_http_status(:ok) expect(json_response).to eq( [ { 'data' => { '__typename' => 'Query' } }, { 'data' => { '__typename' => 'Query' } } ]) end it 'sets a limit on the total query size' do graphql_query = "{#{(['__typename'] * 1000).join(' ')}}" post :execute, params: { query: graphql_query } expect(response).to have_gitlab_http_status(:unprocessable_entity) expect(json_response).to eq({ 'errors' => [{ 'message' => 'Query too large' }] }) end it 'sets a limit on the total query size for multiplex queries' do graphql_query = "{#{(['__typename'] * 200).join(' ')}}" multiplex = [{ query: graphql_query }] * 5 post :execute, params: { _json: multiplex } expect(response).to have_gitlab_http_status(:unprocessable_entity) expect(json_response).to eq({ 'errors' => [{ 'message' => 'Query too large' }] }) end it 'returns forbidden when user cannot access API' do # User cannot access API in a couple of cases # * When user is internal(like ghost users) # * When user is blocked expect(Ability).to receive(:allowed?).with(user, :log_in, :global).and_call_original expect(Ability).to receive(:allowed?).with(user, :access_api, :global).and_return(false) post :execute expect(response).to have_gitlab_http_status(:forbidden) expect(json_response).to include( 'errors' => include(a_hash_including('message' => /API not accessible/)) ) end it 'updates the users last_activity_on field' do expect { post :execute }.to change { user.reload.last_activity_on } end it "sets context's sessionless value as false" do post :execute expect(assigns(:context)[:is_sessionless_user]).to be false end it 'calls the track api when trackable method' do agent = 'vs-code-gitlab-workflow/3.11.1 VSCode/1.52.1 Node.js/12.14.1 (darwin; x64)' request.env['HTTP_USER_AGENT'] = agent expect(Gitlab::UsageDataCounters::VSCodeExtensionActivityUniqueCounter) .to receive(:track_api_request_when_trackable).with(user_agent: agent, user: user) post :execute end it 'calls the track jetbrains api when trackable method' do agent = 'gitlab-jetbrains-plugin/0.0.1 intellij-idea/2021.2.4 java/11.0.13 mac-os-x/aarch64/12.1' request.env['HTTP_USER_AGENT'] = agent expect(Gitlab::UsageDataCounters::JetBrainsPluginActivityUniqueCounter) .to receive(:track_api_request_when_trackable).with(user_agent: agent, user: user) post :execute end it 'calls the track gitlab cli when trackable method' do agent = 'GLab - GitLab CLI' request.env['HTTP_USER_AGENT'] = agent expect(Gitlab::UsageDataCounters::GitLabCliActivityUniqueCounter) .to receive(:track_api_request_when_trackable).with(user_agent: agent, user: user) post :execute end it "assigns username in ApplicationContext" do post :execute expect(Gitlab::ApplicationContext.current).to include('meta.user' => user.username) end end context 'when 2FA is required for the user' do let(:user) { create(:user, last_activity_on: last_activity_on) } before do group = create(:group, require_two_factor_authentication: true) group.add_developer(user) sign_in(user) end it 'does not redirect if 2FA is enabled' do expect(controller).not_to receive(:redirect_to) post :execute expect(response).to have_gitlab_http_status(:unauthorized) expected_message = "Authentication error: " \ "enable 2FA in your profile settings to continue using GitLab: %{mfa_help_page}" % { mfa_help_page: controller.mfa_help_page_url } expect(json_response).to eq({ 'errors' => [{ 'message' => expected_message }] }) end end context 'when user uses an API token' do let(:user) { create(:user, last_activity_on: last_activity_on) } let(:token) { create(:personal_access_token, user: user, scopes: [:api]) } let(:query) { '{ __typename }' } subject { post :execute, params: { query: query, access_token: token.token } } context 'when the user is a project bot' do let(:user) { create(:user, :project_bot, last_activity_on: last_activity_on) } it 'updates the users last_activity_on field' do expect { subject }.to change { user.reload.last_activity_on } end it "sets context's sessionless value as true" do subject expect(assigns(:context)[:is_sessionless_user]).to be true end it 'executes a simple query with no errors' do subject expect(response).to have_gitlab_http_status(:ok) expect(json_response).to eq({ 'data' => { '__typename' => 'Query' } }) end it 'can access resources the project_bot has access to' do project_a, project_b = create_list(:project, 2, :private) project_a.add_developer(user) post :execute, params: { query: <<~GQL, access_token: token.token } query { a: project(fullPath: "#{project_a.full_path}") { name } b: project(fullPath: "#{project_b.full_path}") { name } } GQL expect(response).to have_gitlab_http_status(:ok) expect(json_response).to eq({ 'data' => { 'a' => { 'name' => project_a.name }, 'b' => nil } }) end end it 'updates the users last_activity_on field' do expect { subject }.to change { user.reload.last_activity_on } end it "sets context's sessionless value as true" do subject expect(assigns(:context)[:is_sessionless_user]).to be true end it "assigns username in ApplicationContext" do subject expect(Gitlab::ApplicationContext.current).to include('meta.user' => user.username) end it 'calls the track api when trackable method' do agent = 'vs-code-gitlab-workflow/3.11.1 VSCode/1.52.1 Node.js/12.14.1 (darwin; x64)' request.env['HTTP_USER_AGENT'] = agent expect(Gitlab::UsageDataCounters::VSCodeExtensionActivityUniqueCounter) .to receive(:track_api_request_when_trackable).with(user_agent: agent, user: user) subject end it 'calls the track jetbrains api when trackable method' do agent = 'gitlab-jetbrains-plugin/0.0.1 intellij-idea/2021.2.4 java/11.0.13 mac-os-x/aarch64/12.1' request.env['HTTP_USER_AGENT'] = agent expect(Gitlab::UsageDataCounters::JetBrainsPluginActivityUniqueCounter) .to receive(:track_api_request_when_trackable).with(user_agent: agent, user: user) subject end it 'calls the track gitlab cli when trackable method' do agent = 'GLab - GitLab CLI' request.env['HTTP_USER_AGENT'] = agent expect(Gitlab::UsageDataCounters::GitLabCliActivityUniqueCounter) .to receive(:track_api_request_when_trackable).with(user_agent: agent, user: user) subject end end context 'when user is not logged in' do it 'returns 200' do post :execute expect(response).to have_gitlab_http_status(:ok) end it "sets context's sessionless value as false" do post :execute expect(assigns(:context)[:is_sessionless_user]).to be false end it "does not assign a username in ApplicationContext" do subject expect(Gitlab::ApplicationContext.current.key?('meta.user')).to be false end end it 'includes request object in context' do post :execute expect(assigns(:context)[:request]).to eq request end end describe 'Admin Mode' do let(:admin) { create(:admin) } let(:project) { create(:project) } let(:graphql_query) { graphql_query_for('project', { 'fullPath' => project.full_path }, %w(id name)) } before do sign_in(admin) end context 'when admin mode enabled' do before do Gitlab::Session.with_session(controller.session) do controller.current_user_mode.request_admin_mode! controller.current_user_mode.enable_admin_mode!(password: admin.password) end end it 'can query project data' do post :execute, params: { query: graphql_query } expect(controller.current_user_mode.admin_mode?).to be(true) expect(json_response['data']['project']['name']).to eq(project.name) end end context 'when admin mode disabled' do it 'cannot query project data' do post :execute, params: { query: graphql_query } expect(controller.current_user_mode.admin_mode?).to be(false) expect(json_response['data']['project']).to be_nil end context 'when admin is member of the project' do before do project.add_developer(admin) end it 'can query project data' do post :execute, params: { query: graphql_query } expect(controller.current_user_mode.admin_mode?).to be(false) expect(json_response['data']['project']['name']).to eq(project.name) end end end end describe '#append_info_to_payload' do let(:query_1) { { query: graphql_query_for('project', { 'fullPath' => 'foo' }, %w(id name), 'getProject_1') } } let(:query_2) { { query: graphql_query_for('project', { 'fullPath' => 'bar' }, %w(id), 'getProject_2') } } let(:graphql_queries) { [query_1, query_2] } let(:log_payload) { {} } let(:expected_logs) do [ { operation_name: 'getProject_1', complexity: 3, depth: 2, used_deprecated_fields: [], used_fields: ['Project.id', 'Project.name', 'Query.project'], variables: '{}' }, { operation_name: 'getProject_2', complexity: 2, depth: 2, used_deprecated_fields: [], used_fields: ['Project.id', 'Query.project'], variables: '{}' } ] end before do RequestStore.clear! allow(controller).to receive(:append_info_to_payload).and_wrap_original do |method, *| method.call(log_payload) end end it 'appends metadata for logging' do post :execute, params: { _json: graphql_queries } expect(controller).to have_received(:append_info_to_payload) expect(log_payload.dig(:metadata, :graphql)).to match_array(expected_logs) end it 'appends the exception in case of errors' do exception = StandardError.new('boom') expect(controller).to receive(:execute).and_raise(exception) post :execute, params: { _json: graphql_queries } expect(controller).to have_received(:append_info_to_payload) expect(log_payload.dig(:exception_object)).to eq(exception) end end describe 'removal of deprecated items' do let(:mock_schema) do Class.new(GraphQL::Schema) do lazy_resolve ::Gitlab::Graphql::Lazy, :force query(Class.new(::Types::BaseObject) do graphql_name 'Query' field :foo, GraphQL::Types::Boolean, deprecated: { milestone: '0.1', reason: :renamed } field :bar, (Class.new(::Types::BaseEnum) do graphql_name 'BarEnum' value 'FOOBAR', value: 'foobar', deprecated: { milestone: '0.1', reason: :renamed } end) field :baz, GraphQL::Types::Boolean do argument :arg, String, required: false, deprecated: { milestone: '0.1', reason: :renamed } end def foo false end def bar 'foobar' end def baz(arg:) false end end) end end before do allow(GitlabSchema).to receive(:execute).and_wrap_original do |method, *args| mock_schema.execute(*args) end end context 'without `remove_deprecated` param' do let(:params) { { query: '{ foo bar baz(arg: "test") }' } } subject { post :execute, params: params } it "sets context's `remove_deprecated` value to false" do subject expect(assigns(:context)[:remove_deprecated]).to be false end it 'returns deprecated items in response' do subject expect(json_response).to include('data' => { 'foo' => false, 'bar' => 'FOOBAR', 'baz' => false }) end end context 'with `remove_deprecated` param' do let(:params) { { remove_deprecated: 'true' } } subject { post :execute, params: params } it "sets context's `remove_deprecated` value to true" do subject expect(assigns(:context)[:remove_deprecated]).to be true end it 'does not allow deprecated field' do params[:query] = '{ foo }' subject expect(json_response).not_to include('data' => { 'foo' => false }) expect(json_response).to include( 'errors' => include(a_hash_including('message' => /Field 'foo' doesn't exist on type 'Query'/)) ) end it 'does not allow deprecated enum value' do params[:query] = '{ bar }' subject expect(json_response).not_to include('data' => { 'bar' => 'FOOBAR' }) expect(json_response).to include( 'errors' => include( a_hash_including( 'message' => /`Query.bar` returned `"foobar"` at `bar`, but this isn't a valid value for `BarEnum`/ ) ) ) end it 'does not allow deprecated argument' do params[:query] = '{ baz(arg: "test") }' subject expect(json_response).not_to include('data' => { 'bar' => 'FOOBAR' }) expect(json_response).to include( 'errors' => include(a_hash_including('message' => /Field 'baz' doesn't accept argument 'arg'/)) ) end end end end