From d063e0a39b8d05ba9da5f0c6bcc1be60a5903a7a Mon Sep 17 00:00:00 2001 From: Nico Virkki Date: Tue, 7 May 2024 14:08:32 +0300 Subject: [PATCH] feat: add feature flag for checking allowed data fields Adds setting for allowed data field check named as: ENABLE_ALLOWED_DATA_FIELDS_RESTRICTION The setting defaults False. When False, app logs a warning message when there is a query trying to access a field which is not in service's allowed_data_fields Refs HP-2319 --- open_city_profile/graphene.py | 20 ++++++- open_city_profile/settings.py | 3 + open_city_profile/tests/conftest.py | 5 ++ ...est_allowed_data_field_restriction_flag.py | 59 +++++++++++++++++++ 4 files changed, 84 insertions(+), 3 deletions(-) create mode 100644 profiles/tests/test_allowed_data_field_restriction_flag.py diff --git a/open_city_profile/graphene.py b/open_city_profile/graphene.py index 27b4c2dc..05dd65f8 100644 --- a/open_city_profile/graphene.py +++ b/open_city_profile/graphene.py @@ -1,3 +1,4 @@ +import logging import uuid from functools import partial @@ -189,11 +190,24 @@ def resolve(self, next, root, info, **kwargs): field_name = to_snake_case(getattr(info, "field_name", "")) if not getattr(info.context, "service", False): - raise ServiceNotIdentifiedError("Service not identified") + if settings.ENABLE_ALLOWED_DATA_FIELDS_RESTRICTION: + raise ServiceNotIdentifiedError("Service not identified") + + logging.warning( + "Allowed data field exception would occur: Service not identified. Field name: %s", + field_name, + ) if not root.is_field_allowed_for_service(field_name, info.context.service): - raise FieldNotAllowedError( - "Field is not allowed for service.", field_name=field_name + if settings.ENABLE_ALLOWED_DATA_FIELDS_RESTRICTION: + raise FieldNotAllowedError( + "Field is not allowed for service.", field_name=field_name + ) + + logging.warning( + "Allowed data field exception would occur. Field (%s) is not allowed for service %s.", + field_name, + info.context.service, ) return next(root, info, **kwargs) diff --git a/open_city_profile/settings.py b/open_city_profile/settings.py index 96f7cbc5..8786baf4 100644 --- a/open_city_profile/settings.py +++ b/open_city_profile/settings.py @@ -51,6 +51,7 @@ AUDIT_LOG_LOGGER_FILENAME=(str, ""), AUDIT_LOG_TO_DB_ENABLED=(bool, False), OPEN_CITY_PROFILE_LOG_LEVEL=(str, None), + ENABLE_ALLOWED_DATA_FIELDS_RESTRICTION=(bool, False), ENABLE_GRAPHIQL=(bool, False), ENABLE_GRAPHQL_INTROSPECTION=(bool, False), GRAPHQL_QUERY_DEPTH_LIMIT=(int, 12), @@ -174,6 +175,8 @@ GRAPHQL_QUERY_DEPTH_LIMIT = env("GRAPHQL_QUERY_DEPTH_LIMIT") +ENABLE_ALLOWED_DATA_FIELDS_RESTRICTION = env("ENABLE_ALLOWED_DATA_FIELDS_RESTRICTION") + INSTALLED_APPS = [ "helusers.apps.HelusersConfig", "open_city_profile.apps.OpenCityProfileAdminConfig", diff --git a/open_city_profile/tests/conftest.py b/open_city_profile/tests/conftest.py index d7f81563..644a0b4e 100644 --- a/open_city_profile/tests/conftest.py +++ b/open_city_profile/tests/conftest.py @@ -220,3 +220,8 @@ def unix_timestamp_now(): @pytest.fixture(params=[None, ""]) def empty_string_value(request): return request.param + + +@pytest.fixture(autouse=True) +def enable_allowed_data_fields_restriction(settings): + settings.ENABLE_ALLOWED_DATA_FIELDS_RESTRICTION = True diff --git a/profiles/tests/test_allowed_data_field_restriction_flag.py b/profiles/tests/test_allowed_data_field_restriction_flag.py new file mode 100644 index 00000000..4cc1fe5d --- /dev/null +++ b/profiles/tests/test_allowed_data_field_restriction_flag.py @@ -0,0 +1,59 @@ +from unittest import mock + +from profiles.tests.factories import ProfileFactory, SensitiveDataFactory +from services.tests.factories import AllowedDataFieldFactory, ServiceConnectionFactory + + +def test_enable_allowed_data_fields_restriction_flag_false_shows_data( + user_gql_client, service, settings +): + settings.ENABLE_ALLOWED_DATA_FIELDS_RESTRICTION = False + profile = ProfileFactory(user=user_gql_client.user) + ServiceConnectionFactory(profile=profile, service=service) + service.allowed_data_fields.add(AllowedDataFieldFactory(field_name="name")) + SensitiveDataFactory(profile=profile) + + query = """ + { + myProfile { + firstName + sensitivedata { + ssn + } + } + } + """ + + executed = user_gql_client.execute(query, service=service) + + assert executed["data"]["myProfile"]["firstName"] == profile.first_name + assert ( + executed["data"]["myProfile"]["sensitivedata"]["ssn"] + == profile.sensitivedata.ssn + ) + + +@mock.patch("logging.warning") +def test_enable_allowed_data_fields_restriction_flag_logs_warning_if_access_to_restricted_field( + mock_log, user_gql_client, service, settings +): + settings.ENABLE_ALLOWED_DATA_FIELDS_RESTRICTION = False + profile = ProfileFactory(user=user_gql_client.user) + ServiceConnectionFactory(profile=profile, service=service) + service.allowed_data_fields.add(AllowedDataFieldFactory(field_name="name")) + SensitiveDataFactory(profile=profile) + + query = """ + { + myProfile { + firstName + sensitivedata { + ssn + } + } + } + """ + + user_gql_client.execute(query, service=service) + + assert mock_log.call_count == 1