Skip to content

Commit

Permalink
Add support for GraphQL WebSocket authorization
Browse files Browse the repository at this point in the history
  • Loading branch information
rubik-cube-man committed Nov 15, 2023
1 parent c8c2e05 commit 8099553
Show file tree
Hide file tree
Showing 16 changed files with 807 additions and 3 deletions.
2 changes: 1 addition & 1 deletion .github/native-tests.json
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@
{
"category": "Misc3",
"timeout": 80,
"test-modules": "kubernetes-client, openshift-client, kubernetes-service-binding-jdbc, smallrye-config, smallrye-graphql, smallrye-graphql-client, smallrye-metrics",
"test-modules": "kubernetes-client, openshift-client, kubernetes-service-binding-jdbc, smallrye-config, smallrye-graphql, smallrye-graphql-client, smallrye-graphql-client-keycloak, smallrye-metrics",
"os-name": "ubuntu-latest"
},
{
Expand Down
10 changes: 10 additions & 0 deletions extensions/smallrye-graphql-client/deployment/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,16 @@
<artifactId>stork-service-discovery-static-list</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-elytron-security-deployment</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-elytron-security-properties-file-deployment</artifactId>
<scope>test</scope>
</dependency>
</dependencies>

<build>
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,207 @@
package io.quarkus.smallrye.graphql.client.deployment;

import static org.awaitility.Awaitility.await;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.util.concurrent.atomic.AtomicBoolean;

import jakarta.annotation.security.RolesAllowed;
import jakarta.json.JsonValue;

import org.eclipse.microprofile.graphql.GraphQLApi;
import org.eclipse.microprofile.graphql.Query;
import org.jboss.shrinkwrap.api.asset.EmptyAsset;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension;

import io.quarkus.test.QuarkusUnitTest;
import io.smallrye.common.annotation.NonBlocking;
import io.smallrye.graphql.api.Subscription;
import io.smallrye.graphql.client.Response;
import io.smallrye.graphql.client.dynamic.api.DynamicGraphQLClient;
import io.smallrye.graphql.client.dynamic.api.DynamicGraphQLClientBuilder;
import io.smallrye.mutiny.Multi;

/**
* Due to the complexity of establishing a WebSocket, WebSocket/Subscription testing of the GraphQL server is done here,
* as the client framework comes in very useful for establishing the connection to the server.
* <br>
* This test establishes connections to the server, and ensures that the connected user has the necessary permissions to
* execute the operation.
*/
public class DynamicGraphQLClientWebSocketAuthenticationTest {

static String url = "http://" + System.getProperty("quarkus.http.host", "localhost") + ":" +
System.getProperty("quarkus.http.test-port", "8081") + "/graphql";

@RegisterExtension
static QuarkusUnitTest test = new QuarkusUnitTest()
.withApplicationRoot((jar) -> jar
.addClasses(SecuredApi.class, Foo.class)
.addAsResource("application-secured.properties", "application.properties")
.addAsResource("users.properties")
.addAsResource("roles.properties")
.addAsManifestResource(EmptyAsset.INSTANCE, "beans.xml"));

@Test
public void testAuthenticatedUserForSubscription() throws Exception {
DynamicGraphQLClientBuilder clientBuilder = DynamicGraphQLClientBuilder.newBuilder()
.url(url)
.header("Authorization", "Basic ZGF2aWQ6cXdlcnR5MTIz");
try (DynamicGraphQLClient client = clientBuilder.build()) {
Multi<Response> subscription = client
.subscription("subscription fooSub { fooSub { message } }");

assertNotNull(subscription);

AtomicBoolean hasData = new AtomicBoolean(false);
AtomicBoolean hasCompleted = new AtomicBoolean(false);

subscription.subscribe().with(item -> {
assertFalse(hasData.get());
assertTrue(item.hasData());
assertEquals(JsonValue.ValueType.OBJECT, item.getData().get("fooSub").getValueType());
assertEquals("foo", item.getData().getJsonObject("fooSub").getString("message"));
hasData.set(true);
}, Assertions::fail, () -> {
hasCompleted.set(true);
});

await().untilTrue(hasCompleted);
assertTrue(hasData.get());
}
}

@Test
public void testAuthenticatedUserForQueryWebSocket() throws Exception {
DynamicGraphQLClientBuilder clientBuilder = DynamicGraphQLClientBuilder.newBuilder()
.url(url)
.header("Authorization", "Basic ZGF2aWQ6cXdlcnR5MTIz")
.executeSingleOperationsOverWebsocket(true);
try (DynamicGraphQLClient client = clientBuilder.build()) {
Response response = client.executeSync("{ foo { message} }");
assertTrue(response.hasData());
assertEquals("foo", response.getData().getJsonObject("foo").getString("message"));
}
}

@Test
public void testAuthorizedAndUnauthorizedForQueryWebSocket() throws Exception {
DynamicGraphQLClientBuilder clientBuilder = DynamicGraphQLClientBuilder.newBuilder()
.url(url)
.header("Authorization", "Basic ZGF2aWQ6cXdlcnR5MTIz")
.executeSingleOperationsOverWebsocket(true);
try (DynamicGraphQLClient client = clientBuilder.build()) {
Response response = client.executeSync("{ foo { message} }");
assertTrue(response.hasData());
assertEquals("foo", response.getData().getJsonObject("foo").getString("message"));

// Run a second query with a different result to validate that the result of the first query isn't being cached at all.
response = client.executeSync("{ bar { message} }");
assertEquals(JsonValue.ValueType.NULL, response.getData().get("bar").getValueType());
}
}

@Test
public void testUnauthorizedUserForSubscription() throws Exception {
DynamicGraphQLClientBuilder clientBuilder = DynamicGraphQLClientBuilder.newBuilder()
.url(url)
.header("Authorization", "Basic ZGF2aWQ6cXdlcnR5MTIz");
try (DynamicGraphQLClient client = clientBuilder.build()) {
Multi<Response> subscription = client
.subscription("subscription barSub { barSub { message } }");

assertNotNull(subscription);

AtomicBoolean returned = new AtomicBoolean(false);

subscription.subscribe().with(item -> {
assertEquals(JsonValue.ValueType.NULL, item.getData().get("barSub").getValueType());
returned.set(true);
}, throwable -> Assertions.fail(throwable));

await().untilTrue(returned);
}
}

@Test
public void testUnauthorizedUserForQueryWebSocket() throws Exception {
DynamicGraphQLClientBuilder clientBuilder = DynamicGraphQLClientBuilder.newBuilder()
.url(url)
.header("Authorization", "Basic ZGF2aWQ6cXdlcnR5MTIz")
.executeSingleOperationsOverWebsocket(true);
try (DynamicGraphQLClient client = clientBuilder.build()) {
Response response = client.executeSync("{ bar { message } }");
assertEquals(JsonValue.ValueType.NULL, response.getData().get("bar").getValueType());
}
}

@Test
public void testUnauthenticatedForQueryWebSocket() throws Exception {
DynamicGraphQLClientBuilder clientBuilder = DynamicGraphQLClientBuilder.newBuilder()
.url(url)
.executeSingleOperationsOverWebsocket(true);
try (DynamicGraphQLClient client = clientBuilder.build()) {
Response response = client.executeSync("{ foo { message} }");
assertEquals(JsonValue.ValueType.NULL, response.getData().get("foo").getValueType());
}
}

public static class Foo {

private String message;

public Foo(String foo) {
this.message = foo;
}

public String getMessage() {
return message;
}

public void setMessage(String message) {
this.message = message;
}

}

@GraphQLApi
public static class SecuredApi {

@Query
@RolesAllowed("fooRole")
@NonBlocking
public Foo foo() {
return new Foo("foo");
}

@Query
@RolesAllowed("barRole")
public Foo bar() {
return new Foo("bar");
}

@Subscription
@RolesAllowed("fooRole")
public Multi<Foo> fooSub() {
return Multi.createFrom().emitter(emitter -> {
emitter.emit(new Foo("foo"));
emitter.complete();
});
}

@Subscription
@RolesAllowed("barRole")
public Multi<Foo> barSub() {
return Multi.createFrom().emitter(emitter -> {
emitter.emit(new Foo("bar"));
emitter.complete();
});
}

}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
quarkus.security.users.file.enabled=true
quarkus.security.users.file.plain-text=true
quarkus.security.users.file.users=users.properties
quarkus.security.users.file.roles=roles.properties
quarkus.http.auth.basic=true

quarkus.smallrye-graphql.log-payload=queryAndVariables
quarkus.smallrye-graphql.print-data-fetcher-exception=true
quarkus.smallrye-graphql.error-extension-fields=exception,classification,code,description,validationErrorType,queryPath
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
david=fooRole
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
david=qwerty123
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@
import io.quarkus.smallrye.graphql.runtime.SmallRyeGraphQLRecorder;
import io.quarkus.smallrye.graphql.runtime.SmallRyeGraphQLRuntimeConfig;
import io.quarkus.vertx.http.deployment.BodyHandlerBuildItem;
import io.quarkus.vertx.http.deployment.FilterBuildItem;
import io.quarkus.vertx.http.deployment.HttpRootPathBuildItem;
import io.quarkus.vertx.http.deployment.NonApplicationRootPathBuildItem;
import io.quarkus.vertx.http.deployment.RouteBuildItem;
Expand Down Expand Up @@ -149,7 +150,7 @@ public class SmallRyeGraphQLProcessor {
private static final List<String> SUPPORTED_WEBSOCKET_SUBPROTOCOLS = List.of(SUBPROTOCOL_GRAPHQL_WS,
SUBPROTOCOL_GRAPHQL_TRANSPORT_WS);

private static final int GRAPHQL_WEBSOCKET_HANDLER_ORDER = -10000;
private static final int GRAPHQL_WEBSOCKET_HANDLER_ORDER = (-1 * FilterBuildItem.AUTHORIZATION) + 1;

private static final String GRAPHQL_MEDIA_TYPE = "application/graphql+json";

Expand Down
Original file line number Diff line number Diff line change
@@ -1,17 +1,21 @@
package io.quarkus.smallrye.graphql.runtime;

import java.util.Map;
import java.util.concurrent.TimeUnit;

import org.jboss.logging.Logger;

import io.netty.util.concurrent.ScheduledFuture;
import io.quarkus.security.identity.CurrentIdentityAssociation;
import io.quarkus.vertx.http.runtime.CurrentVertxRequest;
import io.quarkus.vertx.http.runtime.security.QuarkusHttpUser;
import io.smallrye.graphql.websocket.GraphQLWebSocketSession;
import io.smallrye.graphql.websocket.GraphQLWebsocketHandler;
import io.smallrye.graphql.websocket.graphqltransportws.GraphQLTransportWSSubprotocolHandler;
import io.smallrye.graphql.websocket.graphqlws.GraphQLWSSubprotocolHandler;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.ServerWebSocket;
import io.vertx.core.net.impl.ConnectionBase;
import io.vertx.ext.web.RoutingContext;

/**
Expand Down Expand Up @@ -54,9 +58,31 @@ protected void doHandle(final RoutingContext ctx) {
serverWebSocket.close();
return;
}

QuarkusHttpUser user = (QuarkusHttpUser) ctx.user();
ScheduledFuture<?> authExpiryFuture = null;
if (user != null) {
//close the connection when the identity expires
Long expire = user.getSecurityIdentity().getAttribute("quarkus.identity.expire-time");
if (expire != null) {
authExpiryFuture = ((ConnectionBase) ctx.request().connection()).channel().eventLoop()
.schedule(() -> {
if (!serverWebSocket.isClosed()) {
serverWebSocket.close((short) 1008, "Authentication expired");
}
}, (expire * 1000) - System.currentTimeMillis(), TimeUnit.MILLISECONDS);
}
}

log.debugf("Starting websocket with subprotocol = %s", subprotocol);
GraphQLWebsocketHandler finalHandler = handler;
serverWebSocket.closeHandler(v -> finalHandler.onClose());
ScheduledFuture<?> finalAuthExpiryFuture = authExpiryFuture;
serverWebSocket.closeHandler(v -> {
finalHandler.onClose();
if (finalAuthExpiryFuture != null) {
finalAuthExpiryFuture.cancel(false);
}
});
serverWebSocket.endHandler(v -> finalHandler.onEnd());
serverWebSocket.exceptionHandler(finalHandler::onThrowable);
serverWebSocket.textMessageHandler(finalHandler::onMessage);
Expand Down
1 change: 1 addition & 0 deletions integration-tests/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -318,6 +318,7 @@
<module>smallrye-metrics</module>
<module>smallrye-graphql</module>
<module>smallrye-graphql-client</module>
<module>smallrye-graphql-client-keycloak</module>
<module>smallrye-stork-registration</module>
<module>jpa-without-entity</module>
<module>quartz</module>
Expand Down
Loading

0 comments on commit 8099553

Please sign in to comment.