implement authentication and authorization (#6778)

* implement authentication and authorization

* refactor auth in nested update

* improve after subqueries for auth in update

---------

Co-authored-by: angrykoala <[email protected]>

Author: a-alle

packages/graphql/src/translate/queryAST/ast/filters/authorization-filters/AuthorizationFilters.ts

@@ -62,10 +62,30 @@ export class AuthorizationFilters extends QueryASTNode {
         return;
     }
 
+    public getValidationPredicate(
+        context: QueryASTContext,
+        when: ValidateWhen = "BEFORE"
+    ): Cypher.Predicate | undefined {
+        const validationPredicate = Cypher.or(
+            ...this.getValidations(when).flatMap((validationRule) => validationRule.getPredicate(context))
+        );
+        return validationPredicate;
+    }
+
     public getSubqueries(context: QueryASTContext): Cypher.Clause[] {
         return [...this.validations, ...this.filters].flatMap((c) => c.getSubqueries(context));
     }
 
+    public getSubqueriesBefore(context: QueryASTContext): Cypher.Clause[] {
+        return [...this.validations.filter((v) => v.when === "BEFORE"), ...this.filters].flatMap((c) =>
+            c.getSubqueries(context)
+        );
+    }
+
+    public getSubqueriesAfter(context: QueryASTContext): Cypher.Clause[] {
+        return [...this.validations.filter((v) => v.when === "AFTER")].flatMap((c) => c.getSubqueries(context));
+    }
+
     public getSelection(context: QueryASTContext): Array<Cypher.Match | Cypher.With> {
         return [...this.validations, ...this.filters].flatMap((c) => c.getSelection(context));
     }

packages/graphql/src/translate/queryAST/ast/operations/ConnectOperation.ts

@@ -21,13 +21,16 @@ import Cypher from "@neo4j/cypher-builder";
 import type { ConcreteEntityAdapter } from "../../../../schema-model/entity/model-adapters/ConcreteEntityAdapter";
 import type { RelationshipAdapter } from "../../../../schema-model/relationship/model-adapters/RelationshipAdapter";
 import { filterTruthy } from "../../../../utils/utils";
+import { checkEntityAuthentication } from "../../../authorization/check-authentication";
 import { getEntityLabels } from "../../utils/create-node-from-entity";
+import { isConcreteEntity } from "../../utils/is-concrete-entity";
 import { wrapSubqueriesInCypherCalls } from "../../utils/wrap-subquery-in-calls";
 import type { QueryASTContext } from "../QueryASTContext";
 import type { QueryASTNode } from "../QueryASTNode";
 import type { Filter } from "../filters/Filter";
 import type { AuthorizationFilters } from "../filters/authorization-filters/AuthorizationFilters";
 import type { InputField } from "../input-fields/InputField";
+import { ParamInputField } from "../input-fields/ParamInputField";
 import type { SelectionPattern } from "../selection/SelectionPattern/SelectionPattern";
 import { MutationOperation, type OperationTranspileResult } from "./operations";
 
@@ -37,6 +40,7 @@ export class ConnectOperation extends MutationOperation {
 
     private selectionPattern: SelectionPattern;
     protected readonly authFilters: AuthorizationFilters[] = [];
+    protected readonly sourceAuthFilters: AuthorizationFilters[] = [];
 
     public readonly inputFields: Map<string, InputField> = new Map();
     private filters: Filter[] = [];
@@ -74,6 +78,9 @@ export class ConnectOperation extends MutationOperation {
     public addAuthFilters(...filter: AuthorizationFilters[]) {
         this.authFilters.push(...filter);
     }
+    public addSourceAuthFilters(...filter: AuthorizationFilters[]) {
+        this.sourceAuthFilters.push(...filter);
+    }
 
     /**
      * Get and set field methods are utilities to remove duplicate fields between separate inputs
@@ -115,6 +122,29 @@ export class ConnectOperation extends MutationOperation {
         const { nestedContext } = this.selectionPattern.apply(context);
         this.nestedContext = nestedContext;
 
+        checkEntityAuthentication({
+            context: nestedContext.neo4jGraphQLContext,
+            entity: this.target.entity,
+            targetOperations: ["CREATE_RELATIONSHIP"],
+        });
+        if (isConcreteEntity(this.relationship.source)) {
+            checkEntityAuthentication({
+                context: nestedContext.neo4jGraphQLContext,
+                entity: this.relationship.source.entity,
+                targetOperations: ["CREATE_RELATIONSHIP"],
+            });
+        }
+        this.inputFields.forEach((field) => {
+            if (field.attachedTo === "node" && field instanceof ParamInputField) {
+                checkEntityAuthentication({
+                    context: nestedContext.neo4jGraphQLContext,
+                    entity: this.target.entity,
+                    targetOperations: ["CREATE_RELATIONSHIP"],
+                    field: field.name,
+                });
+            }
+        });
+
         const matchPattern = new Cypher.Pattern(nestedContext.target, {
             labels: getEntityLabels(this.target, context.neo4jGraphQLContext),
         });
@@ -157,17 +187,35 @@ export class ConnectOperation extends MutationOperation {
             return input.getSubqueries(connectContext);
         });
 
+        const authClausesBefore = this.getAuthorizationClauses(nestedContext);
+        const sourceAuthClausesBefore = this.getSourceAuthorizationClausesBefore(context);
+        const bothAuthClausesBefore: Cypher.Clause[] = [];
+        if (authClausesBefore.length === 0 && sourceAuthClausesBefore.length > 0) {
+            bothAuthClausesBefore.push(new Cypher.With("*"), ...sourceAuthClausesBefore);
+        } else {
+            bothAuthClausesBefore.push(Cypher.utils.concat(...authClausesBefore, ...sourceAuthClausesBefore));
+        }
+
         const clauses = Cypher.utils.concat(
             matchClause,
-            ...this.getAuthorizationClauses(nestedContext), // THESE ARE "BEFORE" AUTH
+            ...bothAuthClausesBefore, // THESE ARE "BEFORE" AUTH
             ...mutationSubqueries,
-            connectClause,
-            ...this.getAuthorizationClausesAfter(nestedContext) // THESE ARE "AFTER" AUTH
+            connectClause
         );
 
+        const authClausesAfter = this.getAuthorizationClausesAfter(nestedContext);
+        const sourceAuthClausesAfter = this.getSourceAuthorizationClausesAfter(context);
+
         const callClause = new Cypher.Call(clauses, [context.target]);
+        const authClauses: Cypher.Clause[] = [];
+        if (authClausesAfter.length > 0 || sourceAuthClausesAfter.length > 0) {
+            authClauses.push(Cypher.utils.concat(...authClausesAfter, ...sourceAuthClausesAfter));
+        }
 
-        return { projectionExpr: context.returnVariable, clauses: [callClause] };
+        return {
+            projectionExpr: context.returnVariable,
+            clauses: [callClause, ...authClauses],
+        };
     }
 
     private getAuthorizationClauses(context: QueryASTContext): Cypher.Clause[] {
@@ -201,6 +249,36 @@ export class ConnectOperation extends MutationOperation {
         return [];
     }
 
+    private getSourceAuthorizationClausesAfter(context: QueryASTContext): Cypher.Clause[] {
+        const validationsAfter: Cypher.VoidProcedure[] = [];
+        for (const authFilter of this.sourceAuthFilters) {
+            const validationAfter = authFilter.getValidation(context, "AFTER");
+            if (validationAfter) {
+                validationsAfter.push(validationAfter);
+            }
+        }
+
+        if (validationsAfter.length > 0) {
+            return [new Cypher.With("*"), ...validationsAfter];
+        }
+        return [];
+    }
+
+    private getSourceAuthorizationClausesBefore(context: QueryASTContext): Cypher.Clause[] {
+        const validationsAfter: Cypher.VoidProcedure[] = [];
+        for (const authFilter of this.sourceAuthFilters) {
+            const validationAfter = authFilter.getValidation(context, "BEFORE");
+            if (validationAfter) {
+                validationsAfter.push(validationAfter);
+            }
+        }
+
+        if (validationsAfter.length > 0) {
+            return [new Cypher.With("*"), ...validationsAfter];
+        }
+        return [];
+    }
+
     private transpileAuthClauses(context: QueryASTContext): {
         selections: (Cypher.With | Cypher.Match)[];
         subqueries: Cypher.Clause[];

packages/graphql/src/translate/queryAST/ast/operations/DisconnectOperation.ts

@@ -21,15 +21,16 @@ import Cypher from "@neo4j/cypher-builder";
 import type { ConcreteEntityAdapter } from "../../../../schema-model/entity/model-adapters/ConcreteEntityAdapter";
 import type { RelationshipAdapter } from "../../../../schema-model/relationship/model-adapters/RelationshipAdapter";
 import { filterTruthy } from "../../../../utils/utils";
-import { getEntityLabels } from "../../utils/create-node-from-entity";
+import { checkEntityAuthentication } from "../../../authorization/check-authentication";
+import { isConcreteEntity } from "../../utils/is-concrete-entity";
 import { wrapSubqueriesInCypherCalls } from "../../utils/wrap-subquery-in-calls";
 import type { QueryASTContext } from "../QueryASTContext";
 import type { QueryASTNode } from "../QueryASTNode";
 import type { Filter } from "../filters/Filter";
 import type { AuthorizationFilters } from "../filters/authorization-filters/AuthorizationFilters";
 import type { InputField } from "../input-fields/InputField";
+import { ParamInputField } from "../input-fields/ParamInputField";
 import type { SelectionPattern } from "../selection/SelectionPattern/SelectionPattern";
-import type { ReadOperation } from "./ReadOperation";
 import { MutationOperation, type OperationTranspileResult } from "./operations";
 
 export class DisconnectOperation extends MutationOperation {
@@ -38,6 +39,7 @@ export class DisconnectOperation extends MutationOperation {
 
     private selectionPattern: SelectionPattern;
     protected readonly authFilters: AuthorizationFilters[] = [];
+    protected readonly sourceAuthFilters: AuthorizationFilters[] = [];
 
     public readonly inputFields: Map<string, InputField> = new Map();
     private filters: Filter[] = [];
@@ -75,6 +77,9 @@ export class DisconnectOperation extends MutationOperation {
     public addAuthFilters(...filter: AuthorizationFilters[]) {
         this.authFilters.push(...filter);
     }
+    public addSourceAuthFilters(...filter: AuthorizationFilters[]) {
+        this.sourceAuthFilters.push(...filter);
+    }
 
     /**
      * Get and set field methods are utilities to remove duplicate fields between separate inputs
@@ -116,6 +121,29 @@ export class DisconnectOperation extends MutationOperation {
         const { nestedContext, pattern: matchPattern } = this.selectionPattern.apply(context);
         this.nestedContext = nestedContext;
 
+        checkEntityAuthentication({
+            context: nestedContext.neo4jGraphQLContext,
+            entity: this.target.entity,
+            targetOperations: ["DELETE_RELATIONSHIP"],
+        });
+        if (isConcreteEntity(this.relationship.source)) {
+            checkEntityAuthentication({
+                context: nestedContext.neo4jGraphQLContext,
+                entity: this.relationship.source.entity,
+                targetOperations: ["DELETE_RELATIONSHIP"],
+            });
+        }
+        this.inputFields.forEach((field) => {
+            if (field.attachedTo === "node" && field instanceof ParamInputField) {
+                checkEntityAuthentication({
+                    context: nestedContext.neo4jGraphQLContext,
+                    entity: this.target.entity,
+                    targetOperations: ["DELETE_RELATIONSHIP"],
+                    field: field.name,
+                });
+            }
+        });
+
         const allFilters = [...this.authFilters, ...this.filters];
 
         const filterSubqueries = wrapSubqueriesInCypherCalls(nestedContext, allFilters, [nestedContext.target]);
@@ -124,13 +152,13 @@ export class DisconnectOperation extends MutationOperation {
         if (filterSubqueries.length > 0) {
             const predicate = Cypher.and(...allFilters.map((f) => f.getPredicate(nestedContext)));
             matchClause = Cypher.utils.concat(
-                new Cypher.Match(matchPattern),
+                new Cypher.OptionalMatch(matchPattern),
                 ...filterSubqueries,
                 new Cypher.With("*").where(predicate)
             );
         } else {
             const predicate = Cypher.and(...allFilters.map((f) => f.getPredicate(nestedContext)));
-            matchClause = new Cypher.Match(matchPattern).where(predicate);
+            matchClause = new Cypher.OptionalMatch(matchPattern).where(predicate);
         }
 
         const relVar = new Cypher.Relationship();
@@ -145,15 +173,33 @@ export class DisconnectOperation extends MutationOperation {
 
         const deleteClause = new Cypher.With(nestedContext.relationship!).delete(nestedContext.relationship!);
 
-        const clauses = Cypher.utils.concat(
-            matchClause,
-            ...this.getAuthorizationClauses(nestedContext), // THESE ARE "BEFORE" AUTH
-            ...mutationSubqueries,
-            deleteClause,
-            ...this.getAuthorizationClausesAfter(nestedContext) // THESE ARE "AFTER" AUTH
-        );
+        const authClausesBefore = this.getAuthorizationClauses(nestedContext);
+        const sourceAuthClausesBefore = this.getSourceAuthorizationClausesBefore(context);
+
+        const bothAuthClausesBefore: Cypher.Clause[] = [];
+        if (authClausesBefore.length === 0 && sourceAuthClausesBefore.length > 0) {
+            bothAuthClausesBefore.push(new Cypher.With("*"), ...sourceAuthClausesBefore);
+        } else {
+            bothAuthClausesBefore.push(Cypher.utils.concat(...authClausesBefore, ...sourceAuthClausesBefore));
+        }
+
+        const clauses = Cypher.utils.concat(matchClause, ...bothAuthClausesBefore, ...mutationSubqueries, deleteClause);
 
-        return { projectionExpr: context.returnVariable, clauses: [clauses] };
+        const authClausesAfter = this.getAuthorizationClausesAfter(nestedContext);
+        const sourceAuthClausesAfter = this.getSourceAuthorizationClausesAfter(context);
+
+        const callClause = new Cypher.Call(clauses, [context.target]);
+        const authClauses: Cypher.Clause[] = [];
+        if (authClausesAfter.length > 0 || sourceAuthClausesAfter.length > 0) {
+            authClauses.push(Cypher.utils.concat(...authClausesAfter, ...sourceAuthClausesAfter));
+        }
+
+        return {
+            projectionExpr: context.returnVariable,
+            clauses: [callClause, ...authClauses],
+        };
+
+        // return { projectionExpr: context.returnVariable, clauses: [clauses] };
     }
 
     private getAuthorizationClauses(context: QueryASTContext): Cypher.Clause[] {
@@ -187,6 +233,35 @@ export class DisconnectOperation extends MutationOperation {
         return [];
     }
 
+    private getSourceAuthorizationClausesAfter(context: QueryASTContext): Cypher.Clause[] {
+        const validationsAfter: Cypher.VoidProcedure[] = [];
+        for (const authFilter of this.sourceAuthFilters) {
+            const validationAfter = authFilter.getValidation(context, "AFTER");
+            if (validationAfter) {
+                validationsAfter.push(validationAfter);
+            }
+        }
+
+        if (validationsAfter.length > 0) {
+            return [new Cypher.With("*"), ...validationsAfter];
+        }
+        return [];
+    }
+    private getSourceAuthorizationClausesBefore(context: QueryASTContext): Cypher.Clause[] {
+        const validationsAfter: Cypher.VoidProcedure[] = [];
+        for (const authFilter of this.sourceAuthFilters) {
+            const validationAfter = authFilter.getValidation(context, "BEFORE");
+            if (validationAfter) {
+                validationsAfter.push(validationAfter);
+            }
+        }
+
+        if (validationsAfter.length > 0) {
+            return [new Cypher.With("*"), ...validationsAfter];
+        }
+        return [];
+    }
+
     private transpileAuthClauses(context: QueryASTContext): {
         selections: (Cypher.With | Cypher.Match)[];
         subqueries: Cypher.Clause[];