authorSean McGivern <sean@gitlab.com>2019-05-08 08:46:56 +0000
committerSean McGivern <sean@gitlab.com>2019-05-08 08:46:56 +0000
commit9f888c7440a99f0c9bd59ac066fae88e7c863e41 (patch)
tree83f534032d8098414de3a3957f3a591e4e412e52 /spec
parent69cfdfaed3e5a63bc8af39ca4b42c932db1b7f75 (diff)
parentf80f68d520b98ae60300ecf0758ff241218e9cd0 (diff)
Merge branch '58404-set-default-max-depth-for-GraphQL' into 'master'
58404 - setup max depth for graphql Closes #58404 See merge request gitlab-org/gitlab-ce!25737
Diffstat (limited to 'spec')
-rw-r--r--spec/graphql/gitlab_schema_spec.rb86
-rw-r--r--spec/requests/api/graphql/gitlab_schema_spec.rb40
-rw-r--r--spec/support/helpers/graphql_helpers.rb6
3 files changed, 100 insertions, 32 deletions
diff --git a/spec/graphql/gitlab_schema_spec.rb b/spec/graphql/gitlab_schema_spec.rb
index 05f10fb40f0..c138c87c4ac 100644
--- a/spec/graphql/gitlab_schema_spec.rb
+++ b/spec/graphql/gitlab_schema_spec.rb
@@ -3,6 +3,8 @@
require 'spec_helper'
describe GitlabSchema do
+ let(:user) { build :user }
+
it 'uses batch loading' do
expect(field_instrumenters).to include(BatchLoader::GraphQL)
end
@@ -33,43 +35,75 @@ describe GitlabSchema do
expect(connection).to eq(Gitlab::Graphql::Connections::KeysetConnection)
end
- context 'for different types of users' do
- it 'returns DEFAULT_MAX_COMPLEXITY for no context' do
- expect(GraphQL::Schema)
- .to receive(:execute)
- .with('query', hash_including(max_complexity: GitlabSchema::DEFAULT_MAX_COMPLEXITY))
+ describe '.execute' do
+ context 'for different types of users' do
+ context 'when no context' do
+ it 'returns DEFAULT_MAX_COMPLEXITY' do
+ expect(GraphQL::Schema)
+ .to receive(:execute)
+ .with('query', hash_including(max_complexity: GitlabSchema::DEFAULT_MAX_COMPLEXITY))
- described_class.execute('query')
- end
+ described_class.execute('query')
+ end
+ end
- it 'returns DEFAULT_MAX_COMPLEXITY for no user' do
- expect(GraphQL::Schema)
- .to receive(:execute)
- .with('query', hash_including(max_complexity: GitlabSchema::DEFAULT_MAX_COMPLEXITY))
+ context 'when no user' do
+ it 'returns DEFAULT_MAX_COMPLEXITY' do
+ expect(GraphQL::Schema)
+ .to receive(:execute)
+ .with('query', hash_including(max_complexity: GitlabSchema::DEFAULT_MAX_COMPLEXITY))
- described_class.execute('query', context: {})
- end
+ described_class.execute('query', context: {})
+ end
- it 'returns AUTHENTICATED_COMPLEXITY for a logged in user' do
- user = build :user
+ it 'returns ANONYMOUS_MAX_DEPTH' do
+ expect(GraphQL::Schema)
+ .to receive(:execute)
+ .with('query', hash_including(max_depth: GitlabSchema::ANONYMOUS_MAX_DEPTH))
- expect(GraphQL::Schema).to receive(:execute).with('query', hash_including(max_complexity: GitlabSchema::AUTHENTICATED_COMPLEXITY))
+ described_class.execute('query', context: {})
+ end
+ end
- described_class.execute('query', context: { current_user: user })
- end
+ context 'when a logged in user' do
+ it 'returns AUTHENTICATED_COMPLEXITY' do
+ expect(GraphQL::Schema).to receive(:execute).with('query', hash_including(max_complexity: GitlabSchema::AUTHENTICATED_COMPLEXITY))
- it 'returns ADMIN_COMPLEXITY for an admin user' do
- user = build :user, :admin
+ described_class.execute('query', context: { current_user: user })
+ end
- expect(GraphQL::Schema).to receive(:execute).with('query', hash_including(max_complexity: GitlabSchema::ADMIN_COMPLEXITY))
+ it 'returns AUTHENTICATED_MAX_DEPTH' do
+ expect(GraphQL::Schema).to receive(:execute).with('query', hash_including(max_depth: GitlabSchema::AUTHENTICATED_MAX_DEPTH))
- described_class.execute('query', context: { current_user: user })
- end
+ described_class.execute('query', context: { current_user: user })
+ end
+ end
+
+ context 'when an admin user' do
+ it 'returns ADMIN_COMPLEXITY' do
+ user = build :user, :admin
+
+ expect(GraphQL::Schema).to receive(:execute).with('query', hash_including(max_complexity: GitlabSchema::ADMIN_COMPLEXITY))
+
+ described_class.execute('query', context: { current_user: user })
+ end
+ end
+
+ context 'when max_complexity passed on the query' do
+ it 'returns what was passed on the query' do
+ expect(GraphQL::Schema).to receive(:execute).with('query', hash_including(max_complexity: 1234))
+
+ described_class.execute('query', max_complexity: 1234)
+ end
+ end
- it 'returns what was passed on the query' do
- expect(GraphQL::Schema).to receive(:execute).with('query', { max_complexity: 1234 })
+ context 'when max_depth passed on the query' do
+ it 'returns what was passed on the query' do
+ expect(GraphQL::Schema).to receive(:execute).with('query', hash_including(max_depth: 1234))
- described_class.execute('query', max_complexity: 1234)
+ described_class.execute('query', max_depth: 1234)
+ end
+ end
end
end
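Review bot: The `when no context` and `when an admin user` contexts assert only `max_complexity`, so no example here pins the depth limit applied on those two paths. Depth limiting is a resource-exhaustion control, so each caller class should have its `max_depth` asserted the same way `when no user` and `when a logged in user` do. For the no-context case that would presumably be `hash_including(max_depth: GitlabSchema::ANONYMOUS_MAX_DEPTH)` after `described_class.execute('query')`. For admins, assert whichever constant the schema selects, since that mapping is not visible in this diff. Separately, the admin example's local `user = build :user, :admin` shadows the new top-level `let(:user)`; a context-level `let(:user) { build :user, :admin }` would read more clearly.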
diff --git a/spec/requests/api/graphql/gitlab_schema_spec.rb b/spec/requests/api/graphql/gitlab_schema_spec.rb
index b63b4fb34df..dd518274f82 100644
--- a/spec/requests/api/graphql/gitlab_schema_spec.rb
+++ b/spec/requests/api/graphql/gitlab_schema_spec.rb
@@ -3,15 +3,43 @@ require 'spec_helper'
describe 'GitlabSchema configurations' do
include GraphqlHelpers
- it 'shows an error if complexity is too high' do
- project = create(:project, :repository)
- query = graphql_query_for('project', { 'fullPath' => project.full_path }, %w(id name description))
+ let(:project) { create(:project, :repository) }
+ let(:query) { graphql_query_for('project', { 'fullPath' => project.full_path }, %w(id name description)) }
+ let(:current_user) { create(:user) }
- allow(GitlabSchema).to receive(:max_query_complexity).and_return 1
+ describe '#max_complexity' do
+ context 'when complexity is too high' do
+ it 'shows an error' do
+ allow(GitlabSchema).to receive(:max_query_complexity).and_return 1
- post_graphql(query, current_user: nil)
+ post_graphql(query, current_user: nil)
- expect(graphql_errors.first['message']).to include('which exceeds max complexity of 1')
+ expect(graphql_errors.first['message']).to include('which exceeds max complexity of 1')
+ end
+ end
+ end
+
+ describe '#max_depth' do
+ context 'when query depth is too high' do
+ it 'shows error' do
+ errors = [{ "message" => "Query has depth of 2, which exceeds max depth of 1" }]
+ allow(GitlabSchema).to receive(:max_query_depth).and_return 1
+
+ post_graphql(query)
+
+ expect(graphql_errors).to eq(errors)
+ end
+ end
+
+ context 'when query depth is within range' do
+ it 'has no error' do
+ allow(GitlabSchema).to receive(:max_query_depth).and_return 5
+
+ post_graphql(query)
+
+ expect(graphql_errors).to be_nil
+ end
+ end
end
context 'when IntrospectionQuery' do
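Review bot: Both `#max_depth` examples call `post_graphql(query)` without saying which user the request runs as, while the complexity example passes `current_user: nil` explicitly. Within this hunk the new `let(:current_user) { create(:user) }` is never referenced, so it is unclear whether the anonymous or the authenticated path is under test. Writing `post_graphql(query, current_user: nil)`, or passing the `let`, would make the intended caller explicit. Because `max_query_depth` is stubbed in both examples, these specs check that a limit is enforced but not that the real per-user default is wired in; a short comment such as `# limit is stubbed; default depth constants are covered in spec/graphql/gitlab_schema_spec.rb` would say so. The enclosing `describe` continues outside the hunk.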
diff --git a/spec/support/helpers/graphql_helpers.rb b/spec/support/helpers/graphql_helpers.rb
index b49d743fb9a..f15944652fd 100644
--- a/spec/support/helpers/graphql_helpers.rb
+++ b/spec/support/helpers/graphql_helpers.rb
@@ -102,6 +102,7 @@ module GraphqlHelpers
def all_graphql_fields_for(class_name, parent_types = Set.new)
allow_unlimited_graphql_complexity
+ allow_unlimited_graphql_depth
type = GitlabSchema.types[class_name.to_s]
return "" unless type
@@ -190,4 +191,9 @@ module GraphqlHelpers
allow_any_instance_of(GitlabSchema).to receive(:max_complexity).and_return nil
allow(GitlabSchema).to receive(:max_query_complexity).with(any_args).and_return nil
end
+
+ def allow_unlimited_graphql_depth
+ allow_any_instance_of(GitlabSchema).to receive(:max_depth).and_return nil
+ allow(GitlabSchema).to receive(:max_query_depth).with(any_args).and_return nil
+ end
end
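Review bot: `allow_unlimited_graphql_depth` has no comment saying that it switches the depth limit off for the rest of the example, and the earlier hunk makes `all_graphql_fields_for` call it implicitly. Any spec that builds its query with that helper therefore runs with `max_depth` and `max_query_depth` both returning nil, so it cannot detect a regression in depth enforcement. I would document this above the method, e.g. `# Disables the GraphQL depth limit for the current example; do not combine with assertions about max depth.`, and add a similar line to `all_graphql_fields_for`, which already does the same for complexity.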