feat(graphql): granular permissions #1022

Merged
merged 8 commits into from
Aug 4, 2022

andrewazores
Member

Fixes #1021

  • chore(permissions): extract PermissionedAction interface
  • chore(graphql): mark all fetchers/mutators with resource actions
  • feat(graphql): implement permissions check for each graphql fetcher/mutator
  • fix(graphql): ensure GraphQLContext is not null by copying DataFetchingEnvironment
  • chore(graphql): apply spotless formatting

This implements granular permissions for each fetcher/mutator within the GraphQL endpoint implementation. This is achieved by removing the endpoint-level resource actions set union - by default, only a basic "token is valid" check will be performed - and delegating further permissions checks to each subsequent or nested fetcher/mutator that is executed afterward. In this implementation, each such subquery that is performed will result in a permissions check being performed, checking that the contextual user has the required permissions for the subquery's action. For complex GraphQL queries with deep nesting, this might add noticeable overall request latency since there is an authentication server request round-trip-time at each level of nested query. This might be something to optimize in the future by pre-computing the set union by recursing through the nested queries up front and performing a single permissions check all at once before actually executing the queries, but this needs either some deeper knowledge of GraphQL to pull off or a more complex implementation of AbstractPermissionedDataFetcher that encodes the nested query relationships.

Overall this ends up implementing something very similar to how our HTTP API permissions checks work with the AbstractAuthenticatedRequestHandler/AbstractV2RequestHandler, but on the DataFetchers.

Unit tests are still overall sorely lacking - see #947. There is some basic integration test coverage, at least, which caught an error during implementation where the DataFetchingEnvironment passed to subqueries contained a null GraphQLContext.

@andrewazores andrewazores added the feat New feature or request label Jul 12, 2022
@andrewazores andrewazores requested a review from ebaron July 12, 2022 23:43
@andrewazores andrewazores marked this pull request as ready for review July 12, 2022 23:52
@andrewazores andrewazores force-pushed the graphql-permissions branch 4 times, most recently from c762b62 to e45033b Compare July 29, 2022 20:52
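
The trade-off laid out in the pull request description, as an added example that is not code from this PR or from the project: a small Python model (it does not use graphql-java) comparing a permissions check at each nested fetcher with the pre-computed set union suggested as a future optimization. `Node`, `AuthServer`, `attempt`, the query shape and the action names are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """One fetcher/mutator in a nested query plus the actions it requires."""
    name: str
    actions: frozenset
    children: list = field(default_factory=list)

class Denied(Exception):
    """Raised when the contextual user lacks a required action."""

class AuthServer:
    """Stand-in for the authentication server; counts request round trips."""
    def __init__(self, granted):
        self.granted, self.round_trips = frozenset(granted), 0

    def validate(self, required):
        self.round_trips += 1
        return frozenset(required) <= self.granted

def run_per_fetcher(node, auth, executed):
    """Check each fetcher's own actions just before it runs."""
    if not auth.validate(node.actions):
        raise Denied(node.name)
    executed.append(node.name)
    for child in node.children:
        run_per_fetcher(child, auth, executed)

def required_union(node):
    """Recurse through the nested query, unioning every required action."""
    return node.actions.union(*(required_union(c) for c in node.children))

def run_precomputed(node, auth, executed, checked=False):
    """One up-front check of the whole union, then run with no re-checks."""
    if not checked and not auth.validate(required_union(node)):
        raise Denied(node.name)
    executed.append(node.name)
    for child in node.children:
        run_precomputed(child, auth, executed, checked=True)

def attempt(strategy, query, granted):
    """Return (allowed, auth round trips, fetchers that actually ran)."""
    auth, executed = AuthServer(granted), []
    try:
        strategy(query, auth, executed)
        return True, auth.round_trips, executed
    except Denied:
        return False, auth.round_trips, executed
# Constructed query and action names (hypothetical, not the project's).
QUERY = Node("targets", frozenset({"READ_TARGET"}), [
    Node("recordings", frozenset({"READ_RECORDING"}), [
        Node("delete", frozenset({"DELETE_RECORDING"}))])])
```

In this model a user who can read but not delete is denied by both strategies; the per-fetcher run makes three round trips and executes the two outer fetchers before the denial, while the pre-computed union makes one round trip and executes nothing.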
@andrewazores
Member Author

@ebaron ping

@ebaron
Member

ebaron commented Aug 3, 2022

> @ebaron ping

Hey Andrew, sorry I completely missed this PR. I'll take a look today.

Member

@ebaron ebaron left a comment

Looks good!

@andrewazores andrewazores merged commit 9119967 into cryostatio:main Aug 4, 2022
@andrewazores andrewazores deleted the graphql-permissions branch August 4, 2022 13:46
Successfully merging this pull request may close these issues.

[Task] Implement per-subquery permissions for GraphQL