Adding unit tests for new security features

Author: moufmouf

Tests/Fixtures/Entities/Contact.php

@@ -66,4 +66,12 @@ public function prefetchData(iterable $iterable, stdClass $someOtherService = nu
         }
         return 'OK';
     }
+
+    /**
+     * @Field()
+     */
+    public function getManager(): ?Contact
+    {
+        return null;
+    }
 }

Tests/Fixtures/Entities/Product.php

@@ -4,6 +4,8 @@
 namespace TheCodingMachine\Graphqlite\Bundle\Tests\Fixtures\Entities;
 
 
+use TheCodingMachine\GraphQLite\Annotations\Field;
+
 class Product
 {
     /**
@@ -36,6 +38,4 @@ public function getPrice(): float
     {
         return $this->price;
     }
-
-
-}
+}

Tests/Fixtures/Types/ProductType.php

@@ -3,8 +3,10 @@
 
 namespace TheCodingMachine\Graphqlite\Bundle\Tests\Fixtures\Types;
 
+use TheCodingMachine\GraphQLite\Annotations\Field;
 use TheCodingMachine\GraphQLite\Annotations\SourceField;
 use TheCodingMachine\GraphQLite\Annotations\Type;
+use TheCodingMachine\Graphqlite\Bundle\Tests\Fixtures\Entities\Contact;
 use TheCodingMachine\Graphqlite\Bundle\Tests\Fixtures\Entities\Product;
 
 
@@ -15,5 +17,12 @@
  */
 class ProductType
 {
+    /**
+     * @Field()
+     */
+    public function getSeller(Product $product): ?Contact
+    {
+        return null;
+    }
 
-}
+}

Tests/FunctionalTest.php

@@ -422,6 +422,110 @@ public function testValidation(): void
         $this->assertSame('Validate', $errors[0]['extensions']['category']);
     }
 
+    public function testWithIntrospection(): void
+    {
+        $kernel = new GraphqliteTestingKernel(true, null, true, null);
+        $kernel->boot();
+
+        $request = Request::create('/graphql', 'POST', ['query' => '
+        {
+          __schema {
+            queryType {
+              name
+            }
+          }
+        }
+        ']);
+
+        $response = $kernel->handle($request);
+
+        $result = json_decode($response->getContent(), true);
+        $data = $result['data'];
+
+        $this->assertArrayHasKey('__schema', $data);
+    }
+
+    public function testDisableIntrospection(): void
+    {
+        $kernel = new GraphqliteTestingKernel(true, null, true, null, false, 2, 2);
+        $kernel->boot();
+
+        $request = Request::create('/graphql', 'POST', ['query' => '
+        {
+          __schema {
+            queryType {
+              name
+            }
+          }
+        }
+        ']);
+
+        $response = $kernel->handle($request);
+
+        $result = json_decode($response->getContent(), true);
+        $errors = $result['errors'];
+
+        $this->assertSame('GraphQL introspection is not allowed, but the query contained __schema or __type', $errors[0]['message']);
+    }
+
+    public function testMaxQueryComplexity(): void
+    {
+        $kernel = new GraphqliteTestingKernel(true, null, true, null, false, 2, null);
+        $kernel->boot();
+
+        $request = Request::create('/graphql', 'POST', ['query' => '
+        { 
+          products 
+          { 
+            name,
+            price,
+            seller {
+              name
+            }
+          }
+        }
+        ']);
+
+        $response = $kernel->handle($request);
+
+        $result = json_decode($response->getContent(), true);
+        $errors = $result['errors'];
+
+        $this->assertSame('Max query complexity should be 2 but got 5.', $errors[0]['message']);
+    }
+
+    public function testMaxQueryDepth(): void
+    {
+        $kernel = new GraphqliteTestingKernel(true, null, true, null, false, null, 1);
+        $kernel->boot();
+
+        $request = Request::create('/graphql', 'POST', ['query' => '
+        { 
+          products 
+          { 
+            name,
+            price,
+            seller {
+              name
+              manager {
+                name
+                manager {
+                  name
+                }
+              }
+            }
+          }
+        }
+        ']);
+
+        $response = $kernel->handle($request);
+
+        $result = json_decode($response->getContent(), true);
+        $errors = $result['errors'];
+
+        $this->assertSame('Max query depth should be 1 but got 3.', $errors[0]['message']);
+    }
+
     private function logIn(ContainerInterface $container)
     {
         // put a token into the storage so the final calls can function

Tests/GraphqliteTestingKernel.php

@@ -37,14 +37,29 @@ class GraphqliteTestingKernel extends Kernel
      * @var string|null
      */
     private $enableMe;
+    /**
+     * @var bool
+     */
+    private $introspection;
+    /**
+     * @var int|null
+     */
+    private $maximumQueryComplexity;
+    /**
+     * @var int|null
+     */
+    private $maximumQueryDepth;
 
-    public function __construct(bool $enableSession = true, ?string $enableLogin = null, bool $enableSecurity = true, ?string $enableMe = null)
+    public function __construct(bool $enableSession = true, ?string $enableLogin = null, bool $enableSecurity = true, ?string $enableMe = null, bool $introspection = true, ?int $maximumQueryComplexity = null, ?int $maximumQueryDepth = null)
     {
         parent::__construct('test', true);
         $this->enableSession = $enableSession;
         $this->enableLogin = $enableLogin;
         $this->enableSecurity = $enableSecurity;
         $this->enableMe = $enableMe;
+        $this->introspection = $introspection;
+        $this->maximumQueryComplexity = $maximumQueryComplexity;
+        $this->maximumQueryDepth = $maximumQueryDepth;
     }
 
     public function registerBundles()
@@ -126,6 +141,18 @@ public function configureContainer(ContainerBuilder $c, LoaderInterface $loader)
                 $graphqliteConf['security']['enable_me'] = $this->enableMe;
             }
 
+            if ($this->introspection === false) {
+                $graphqliteConf['security']['introspection'] = false;
+            }
+
+            if ($this->maximumQueryComplexity !== null) {
+                $graphqliteConf['security']['maximum_query_complexity'] = $this->maximumQueryComplexity;
+            }
+
+            if ($this->maximumQueryDepth !== null) {
+                $graphqliteConf['security']['maximum_query_depth'] = $this->maximumQueryDepth;
+            }
+
             $container->loadFromExtension('graphqlite', $graphqliteConf);
         });
         $confDir = $this->getProjectDir().'/Tests/Fixtures/config';
@@ -143,6 +170,6 @@ protected function configureRoutes(RouteCollectionBuilder $routes)
 
     public function getCacheDir()
     {
-        return __DIR__.'/../cache/'.($this->enableSession?'withSession':'withoutSession').$this->enableLogin.($this->enableSecurity?'withSecurity':'withoutSecurity').$this->enableMe;
+        return __DIR__.'/../cache/'.($this->enableSession?'withSession':'withoutSession').$this->enableLogin.($this->enableSecurity?'withSecurity':'withoutSecurity').$this->enableMe.'_'.($this->introspection?'withIntrospection':'withoutIntrospection').'_'.$this->maximumQueryComplexity.'_'.$this->maximumQueryDepth;
     }
 }