diff --git a/config/allow.list b/config/allow.list
index 5a989a9..6731938 100644
--- a/config/allow.list
+++ b/config/allow.list
@@ -1,5 +1,30 @@
 # http://localhost:8080/
+query {
+ customers {
+ id
+ email
+ payments {
+ customer_id
+ amount
+ billing_details
+ }
+ }
+}
+
+query {
+ products(id: $PRODUCT_ID) {
+ name
+ }
+}
+
+query {
+ products(id: $PRODUCT_ID) {
+ name
+ image
+ }
+}
+
 variables {
 "update": {
 "name": "Hellooooo",
@@ -20,8 +45,8 @@ mutation {
 variables {
 "update": {
- "name": "Hellooooo",
- "description": "World !!!!!"
+ "name": "Helloo",
+ "description": "World \u003c\u003e"
 },
 "user": 123
 }
@@ -34,18 +59,6 @@ mutation {
 }
 }
-variables {
- "id": 5
-}
-
-{
- products(id: $ID) {
- id
- name
- description
- }
-}
-
 variables {
 "update": {
@@ -70,28 +83,3 @@ query {
 }
 }
-query {
- customers {
- id
- email
- payments {
- customer_id
- amount
- billing_details
- }
- }
-}
-
-query {
- products(id: $PRODUCT_ID) {
- name
- }
-}
-
-query {
- products(id: $PRODUCT_ID) {
- name
- image
- }
-}
-
diff --git a/config/dev.yml b/config/dev.yml
index f8296ca..adf721f 100644
--- a/config/dev.yml
+++ b/config/dev.yml
@@ -93,7 +93,7 @@ database:
 # filter: ["{ user_id: { eq: $user_id } }"]
 # Field and table names that you wish to block
- blacklist:
+ blocklist:
 - ar_internal_metadata
 - schema_migrations
 - secret
diff --git a/config/prod.yml b/config/prod.yml
index 2336bc2..06affae 100644
--- a/config/prod.yml
+++ b/config/prod.yml
@@ -91,7 +91,7 @@ database:
 filter: ["{ user_id: { eq: $user_id } }"]
 # Field and table names that you wish to block
- blacklist:
+ blocklist:
 - ar_internal_metadata
 - schema_migrations
 - secret
diff --git a/fresh.conf b/fresh.conf
index 6f5b6c9..42d8d83 100644
--- a/fresh.conf
+++ b/fresh.conf
@@ -4,7 +4,7 @@ build_name: runner-build
 build_log: runner-build-errors.log
 valid_ext: .go, .tpl, .tmpl, .html, .yml, *.list
 no_rebuild_ext: .tpl, .tmpl, .html
-ignored: web, tmp, vendor, rails-app, docs
+ignored: web, tmp, vendor, rails-app, docs, slides, bench, corpus
 build_delay: 600
 colors: 1
 log_color_main: cyan
diff --git a/psql/select_test.go b/psql/select_test.go
index 77b83a8..47c99c8 100644
--- a/psql/select_test.go
+++ b/psql/select_test.go
@@ -38,7 +38,7 @@ func TestMain(m *testing.M) {
 "{ id: { eq: $user_id } }",
 },
 },
- Blacklist: []string{
+ Blocklist: []string{
 "secret",
 "password",
 "token",
diff --git a/qcode/qcode.go b/qcode/qcode.go
index 78538ff..b5b9d89 100644
--- a/qcode/qcode.go
+++ b/qcode/qcode.go
@@ -147,7 +147,7 @@ const (
 type Config struct {
 DefaultFilter []string
 FilterMap map[string][]string
- Blacklist []string
+ Blocklist []string
 KeepArgs bool
 }
@@ -168,10 +168,10 @@ var expPool = sync.Pool{
 }
 func NewCompiler(c Config) (*Compiler, error) {
- bl := make(map[string]struct{}, len(c.Blacklist))
+ bl := make(map[string]struct{}, len(c.Blocklist))
- for i := range c.Blacklist {
- bl[c.Blacklist[i]] = struct{}{}
+ for i := range c.Blocklist {
+ bl[c.Blocklist[i]] = struct{}{}
 }
 fl, err := compileFilter(c.DefaultFilter)
@@ -669,6 +669,9 @@ func (com *Compiler) compileArgAction(sel *Select, arg *Arg) error {
 if arg.Val.Type != nodeBool {
 return fmt.Errorf("value for argument '%s' must be a boolean", arg.Name)
 }
+ if arg.Val.Val == "false" {
+ sel.Action = 0
+ }
 default:
 if arg.Val.Type != nodeVar {
diff --git a/serv/config.go b/serv/config.go
index cbdb7de..2398dd5 100644
--- a/serv/config.go
+++ b/serv/config.go
@@ -60,10 +60,9 @@ type config struct {
 Defaults struct {
 Filter []string
- Blacklist []string
+ Blocklist []string
 }
- Fields []configTable
 Tables []configTable
 } `mapstructure:"database"`
 }
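Review bot: `sel.Action = 0` in the new `nodeBool` branch is a bare magic number: a reader cannot tell from the hunk whether 0 means "no action" or is the first real action value, so use the named zero constant of the action type if the package defines one, and otherwise add a comment such as `// a boolean argument written as false turns the action off again` above the comparison. The comparison is against the raw token text `"false"`, which presumes the lexer never yields `False`/`FALSE` for a `nodeBool`; if that holds, say so in the same comment. compileArgAction begins and ends outside the hunk.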
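Review bot: Renaming `Blacklist` to `Blocklist` silently changes the config key the struct accepts: if the `database` block is decoded with mapstructure's default field-name matching (the tag on the closing brace suggests it is), an existing `dev.yml`/`prod.yml` that still says `blacklist:` decodes to an empty `Blocklist`, and the blocked names (`ar_internal_metadata`, `schema_migrations`, `secret` in the sample configs) become queryable with no error at startup. The removed `Fields []configTable` has the same failure mode, since the `c.DB.Tables = c.DB.Fields` fallback is also dropped in serv/serv.go and a config still using `fields:` now ends up with no tables. Consider keeping the old names as deprecated aliases that initConf merges into the new fields, or rejecting unknown keys at load time so the operator sees the problem immediately. The same rename appears in configTable below, in qcode/qcode.go, psql/select_test.go and the two yml files; the `config` struct starts and ends outside the hunk.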
@@ -72,7 +71,7 @@ type configTable struct {
 Name string
 Filter []string
 Table string
- Blacklist []string
+ Blocklist []string
 Remotes []configRemote
 }
diff --git a/serv/core.go b/serv/core.go
index a8e114a..ff120c1 100644
--- a/serv/core.go
+++ b/serv/core.go
@@ -262,10 +262,30 @@ func (c *coreContext) resolvePreparedSQL(gql string) ([]byte, *preparedItem, err
 var root json.RawMessage
 vars := varList(c, ps.args)
- _, err := ps.stmt.QueryOne(pg.Scan(&root), vars...)
+ tx, err := db.Begin()
 if err != nil {
 return nil, nil, err
 }
+ defer tx.Rollback()
+
+ if v := c.Value(userIDKey); v != nil {
+ _, err = tx.Exec(`SET LOCAL SESSION "user.id" = ?`, v)
+
+ if err != nil {
+ return nil, nil, err
+ }
+ }
+
+ _, err = tx.Stmt(ps.stmt).QueryOne(pg.Scan(&root), vars...)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ if err := tx.Commit(); err != nil {
+ return nil, nil, err
+ }
+
+ // w.WriteString(`SET LOCAL SESSION "user.id" = '{{user_id}}'; `)
 fmt.Printf("PRE: %v\n", ps.stmt)
@@ -314,15 +334,33 @@ func (c *coreContext) resolveSQL(qc *qcode.QCode) (
 st = time.Now()
 }
+ tx, err := db.Begin()
+ if err != nil {
+ return nil, 0, err
+ }
+ defer tx.Rollback()
+
+ if v := c.Value(userIDKey); v != nil {
+ _, err = tx.Exec(`SET LOCAL SESSION "user.id" = ?`, v)
+
+ if err != nil {
+ return nil, 0, err
+ }
+ }
+
 fmt.Printf("RAW: %#v\n", finalSQL)
 var root json.RawMessage
- _, err = db.QueryOne(pg.Scan(&root), finalSQL)
+ _, err = tx.QueryOne(pg.Scan(&root), finalSQL)
 if err != nil {
 return nil, 0, err
 }
+ if err := tx.Commit(); err != nil {
+ return nil, 0, err
+ }
+
 if conf.EnableTracing && len(qc.Selects) != 0 {
 c.addTrace(
 qc.Selects,
diff --git a/serv/serv.go b/serv/serv.go
index 1ab287a..2ad41ce 100644
--- a/serv/serv.go
+++ b/serv/serv.go
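Review bot: `SET LOCAL SESSION "user.id" = ?` in the new `tx.Exec` call combines two PostgreSQL keywords that are alternatives — `SET` takes either `LOCAL` or `SESSION` — so unless the driver rewrites the statement it should fail to parse, and every request that carries a user id would error out before the query runs; the intended form is presumably `SET LOCAL "user.id" = ?`, and the commented-out `w.WriteString` line below repeats the same wording. `LOCAL` is the right scope here: the setting is bound to this transaction and is discarded at Commit or the deferred Rollback, before the connection returns to the pool, so one request's user id cannot be observed by the next one on the same connection — worth stating above the Exec, e.g. `// SET LOCAL is scoped to tx, so the id does not outlive this request on the pooled connection`. Passing the id through the driver's `?` placeholder rather than concatenating it into the statement is the right choice and should stay that way. The same statement is repeated in the resolveSQL hunk below; resolvePreparedSQL begins and ends outside the hunk.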
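Review bot: The Begin/`SET LOCAL`/error-check prelude added here is a line-for-line copy of the one in resolvePreparedSQL above, so the statement text and its error handling now have to be kept correct in two places. Pulling it into a small method on coreContext leaves one definition of how a user id is bound to a transaction; a sketch follows, written with the `SET LOCAL` form and assuming `db.Begin` returns `*pg.Tx` as in go-pg. resolveSQL begins and ends outside the hunk.
```go
// beginUserTx opens a transaction and, when the request context carries a
// user id, binds it to that transaction with SET LOCAL so it is cleared at
// Commit/Rollback, before the connection goes back to the pool.
func (c *coreContext) beginUserTx() (*pg.Tx, error) {
	tx, err := db.Begin()
	if err != nil {
		return nil, err
	}
	if v := c.Value(userIDKey); v != nil {
		if _, err := tx.Exec(`SET LOCAL "user.id" = ?`, v); err != nil {
			tx.Rollback()
			return nil, err
		}
	}
	return tx, nil
}

// … in resolveSQL, replacing the Begin/SET block …
	tx, err := c.beginUserTx()
	if err != nil {
		return nil, 0, err
	}
	defer tx.Rollback()
	// … unchanged: RAW debug print, QueryOne on tx, Commit, tracing …
```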
@@ -99,10 +99,6 @@ func initConf(path string) (*config, error) {
 flect.AddPlural(k, v)
 }
- if len(c.DB.Tables) == 0 {
- c.DB.Tables = c.DB.Fields
- }
-
 for i := range c.DB.Tables {
 t := c.DB.Tables[i]
 t.Name = flect.Pluralize(strings.ToLower(t.Name))
@@ -159,7 +155,7 @@ func initCompilers(c *config) (*qcode.Compiler, *psql.Compiler, error) {
 qc, err := qcode.NewCompiler(qcode.Config{
 DefaultFilter: c.DB.Defaults.Filter,
 FilterMap: c.getFilterMap(),
- Blacklist: c.DB.Defaults.Blacklist,
+ Blocklist: c.DB.Defaults.Blocklist,
 KeepArgs: false,
 })