package graphql_test
import (
"net/http"
"net/http/httptest"
"strings"
"testing"
"github.com/99designs/gqlgen/graphql/handler/testserver"
"github.com/99designs/gqlgen/graphql/handler/transport"
"github.com/stretchr/testify/assert"
"flamingo.me/graphql"
)
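// deniedBody is the response the middleware produces when a request exceeds
// either configured limit. Note that denial happens inside the GraphQL layer,
// so it travels with an HTTP 200 and an "errors" array, not a 4xx status.
const deniedBody = `{"errors":[{"message":"request not allowed"}],"data":null}`

// Request bodies shared by the cases below: the same field requested under
// several aliases, which is what the "same operation" counter sees.
const (
	fiveAliasedNames = `{
"query": "query { user1: name user2: name user3: name user4: name user5: name }"
}`
	twoAliasedNames = `{
"query": "query { user1: name user2: name }"
}`
)

// newOperationLimitedServer builds a gqlgen test server with GET and POST
// transports whose operations are gated by LimitOperationAmountMiddleware.
// The anonymous struct mirrors the injected configuration the middleware reads,
// so sameOperationLimit and totalOperationLimit are the only knobs under test.
func newOperationLimitedServer(sameOperationLimit, totalOperationLimit int) http.Handler {
	srv := testserver.New()
	srv.AddTransport(transport.GET{})
	srv.AddTransport(transport.POST{})
	srv.AroundOperations(graphql.LimitOperationAmountMiddleware(
		&struct {
			SameOperationLimit  int `inject:"config:graphql.security.limitOperationAmount.sameOperationLimit,optional"`
			TotalOperationLimit int `inject:"config:graphql.security.limitOperationAmount.totalOperationLimit,optional"`
		}{
			SameOperationLimit:  sameOperationLimit,
			TotalOperationLimit: totalOperationLimit,
		}))
	return srv
}

// Test_LimitOperationAmountMiddleware checks that LimitOperationAmountMiddleware
// rejects a query that repeats one operation beyond SameOperationLimit, rejects a
// query whose operation count exceeds TotalOperationLimit, and lets a query
// below both thresholds through to the resolver.
//
// NOTE(review): only POST is exercised even though the GET transport is
// registered, and no case sits exactly at a limit — the boundary semantics
// (inclusive or exclusive) are not pinned down here; confirm against the
// middleware before relying on them.
func Test_LimitOperationAmountMiddleware(t *testing.T) {
	t.Parallel()

	cases := []struct {
		name       string
		sameLimit  int
		totalLimit int
		query      string
		want       string
	}{
		{
			name:       "deny when there is too many same operations called",
			sameLimit:  2,
			totalLimit: 10,
			query:      fiveAliasedNames,
			want:       deniedBody,
		},
		{
			name:       "deny when there are too many different operations invoked in one query",
			sameLimit:  27,
			totalLimit: 0,
			query:      fiveAliasedNames,
			want:       deniedBody,
		},
		{
			name:       "allow when request is below both thresholds",
			sameLimit:  10,
			totalLimit: 10,
			query:      twoAliasedNames,
			want:       `{"data":{"name":"test"}}`,
		},
	}

	for _, tc := range cases {
		tc := tc // per-iteration copy: the subtest runs in parallel after this loop advances (pre-Go 1.22 semantics)
		t.Run(tc.name, func(t *testing.T) {
			t.Parallel()

			srv := newOperationLimitedServer(tc.sameLimit, tc.totalLimit)
			resp := doRequest(srv, "POST", "/graphql", tc.query)

			// A denial is still HTTP 200; the verdict lives in the body.
			assert.Equal(t, http.StatusOK, resp.Code, resp.Body.String())
			assert.Equal(t, tc.want, resp.Body.String())
		})
	}
}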
// doRequest drives handler with an in-memory HTTP request and returns the
// recorder holding its response. The body is sent with a JSON content type,
// which is what the gqlgen POST transport expects.
func doRequest(handler http.Handler, method string, target string, body string) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()

	req := httptest.NewRequest(method, target, strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")

	handler.ServeHTTP(rec, req)
	return rec
}