hasura/graphql-engine
1
0
Fork 0
mirror of https://github.com/hasura/graphql-engine.git synced 2024-12-17 12:31:52 +03:00
Code Issues Projects Releases Wiki Activity
1b378ae6e8
graphql-engine/server/src-lib/Hasura/Server/Auth.hs

255 lines
9.9 KiB
Haskell
Raw Normal View History

server: move Hasura.SQL to Hasura.Backends.Postgres (#6053) https://github.com/hasura/graphql-engine/pull/6053
2020-10-27 16:53:49 +03:00
{-# LANGUAGE DerivingStrategies #-}
server: add support for webhook connection expiration (#4196) * add expiry time to webhook user info This also adds an optional message to webhook errors: if we fail to parse an expiry time, we will log a warning with the parse error. * refactored Auth This change had one main goal: put in common all expiry time extraction code between the JWT and WebHook parts of the code. Furthermore, this change also moves all WebHook specific code to its own module, similarly to what is done for JWT. * Remove dependency on string-conversions in favor of text-conversions string-conversions silently uses UTF8 instead of being explicit about it, and it uses lenientDecode when decoding ByteStrings when it’s usually better to reject invalid UTF8 input outright. text-conversions solves both those problems. Co-authored-by: Alexis King <lexi.lambda@gmail.com>
2020-04-03 03:00:13 +03:00
initial support for livequeries (#176) fix #59
2018-07-20 10:22:46 +03:00
module Hasura.Server.Auth
[Preview] Inherited roles for postgres read queries fixes #3868 docker image - `hasura/graphql-engine:inherited-roles-preview-48b73a2de` Note: To be able to use the inherited roles feature, the graphql-engine should be started with the env variable `HASURA_GRAPHQL_EXPERIMENTAL_FEATURES` set to `inherited_roles`. Introduction ------------ This PR implements the idea of multiple roles as presented in this [paper](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/FGALanguageICDE07.pdf). The multiple roles feature in this PR can be used via inherited roles. An inherited role is a role which can be created by combining multiple singular roles. For example, if there are two roles `author` and `editor` configured in the graphql-engine, then we can create a inherited role with the name of `combined_author_editor` role which will combine the select permissions of the `author` and `editor` roles and then make GraphQL queries using the `combined_author_editor`. How are select permissions of different roles are combined? ------------------------------------------------------------ A select permission includes 5 things: 1. Columns accessible to the role 2. Row selection filter 3. Limit 4. Allow aggregation 5. Scalar computed fields accessible to the role Suppose there are two roles, `role1` gives access to the `address` column with row filter `P1` and `role2` gives access to both the `address` and the `phone` column with row filter `P2` and we create a new role `combined_roles` which combines `role1` and `role2`. Let's say the following GraphQL query is queried with the `combined_roles` role. ```graphql query { employees { address phone } } ``` This will translate to the following SQL query: ```sql select (case when (P1 or P2) then address else null end) as address, (case when P2 then phone else null end) as phone from employee where (P1 or P2) ``` The other parameters of the select permission will be combined in the following manner: 1. Limit - Minimum of the limits will be the limit of the inherited role 2. Allow aggregations - If any of the role allows aggregation, then the inherited role will allow aggregation 3. Scalar computed fields - same as table column fields, as in the above example APIs for inherited roles: ---------------------- 1. `add_inherited_role` `add_inherited_role` is the [metadata API](https://hasura.io/docs/1.0/graphql/core/api-reference/index.html#schema-metadata-api) to create a new inherited role. It accepts two arguments `role_name`: the name of the inherited role to be added (String) `role_set`: list of roles that need to be combined (Array of Strings) Example: ```json { "type": "add_inherited_role", "args": { "role_name":"combined_user", "role_set":[ "user", "user1" ] } } ``` After adding the inherited role, the inherited role can be used like single roles like earlier Note: An inherited role can only be created with non-inherited/singular roles. 2. `drop_inherited_role` The `drop_inherited_role` API accepts the name of the inherited role and drops it from the metadata. It accepts a single argument: `role_name`: name of the inherited role to be dropped Example: ```json { "type": "drop_inherited_role", "args": { "role_name":"combined_user" } } ``` Metadata --------- The derived roles metadata will be included under the `experimental_features` key while exporting the metadata. ```json { "experimental_features": { "derived_roles": [ { "role_name": "manager_is_employee_too", "role_set": [ "employee", "manager" ] } ] } } ``` Scope ------ Only postgres queries and subscriptions are supported in this PR. Important points: ----------------- 1. All columns exposed to an inherited role will be marked as `nullable`, this is done so that cell value nullification can be done. TODOs ------- - [ ] Tests - [ ] Test a GraphQL query running with a inherited role without enabling inherited roles in experimental features - [] Tests for aggregate queries, limit, computed fields, functions, subscriptions (?) - [ ] Introspection test with a inherited role (nullability changes in a inherited role) - [ ] Docs - [ ] Changelog Co-authored-by: Vamshi Surabhi <6562944+0x777@users.noreply.github.com> GitOrigin-RevId: 3b8ee1e11f5ceca80fe294f8c074d42fbccfec63
2021-03-08 14:14:13 +03:00
( getUserInfoWithExpTime
server: add support for webhook connection expiration (#4196) * add expiry time to webhook user info This also adds an optional message to webhook errors: if we fail to parse an expiry time, we will log a warning with the parse error. * refactored Auth This change had one main goal: put in common all expiry time extraction code between the JWT and WebHook parts of the code. Furthermore, this change also moves all WebHook specific code to its own module, similarly to what is done for JWT. * Remove dependency on string-conversions in favor of text-conversions string-conversions silently uses UTF8 instead of being explicit about it, and it uses lenientDecode when decoding ByteStrings when it’s usually better to reject invalid UTF8 input outright. text-conversions solves both those problems. Co-authored-by: Alexis King <lexi.lambda@gmail.com>
2020-04-03 03:00:13 +03:00
, AuthMode (..)
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
, setupAuthMode
, AdminSecretHash
, hashAdminSecret
-- * WebHook related
server: add support for webhook connection expiration (#4196) * add expiry time to webhook user info This also adds an optional message to webhook errors: if we fail to parse an expiry time, we will log a warning with the parse error. * refactored Auth This change had one main goal: put in common all expiry time extraction code between the JWT and WebHook parts of the code. Furthermore, this change also moves all WebHook specific code to its own module, similarly to what is done for JWT. * Remove dependency on string-conversions in favor of text-conversions string-conversions silently uses UTF8 instead of being explicit about it, and it uses lenientDecode when decoding ByteStrings when it’s usually better to reject invalid UTF8 input outright. text-conversions solves both those problems. Co-authored-by: Alexis King <lexi.lambda@gmail.com>
2020-04-03 03:00:13 +03:00
, AuthHookType (..)
revert back to older cli options parser type (#1231)
2018-12-19 14:38:33 +03:00
, AuthHookG (..)
, AuthHook
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
-- * JWT related
add support for jwt authorization (close #186) (#255) The API: 1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON. 2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}` `type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io). `key`: i. Incase of symmetric key, the key as it is. ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate. 3. The claims in the JWT token must contain the following: i. `x-hasura-default-role` field: default role of that user ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header. 4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings. 5. The JWT tokens are sent as `Authorization: Bearer <token>` headers. --- To test: 1. Generate a shared secret (for HMAC-SHA256) or RSA key pair. 2. Goto https://jwt.io/ , add the keys 3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions. 4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}` 5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header. --- TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
, RawJWT
, JWTConfig (..)
jwt config now takes a jwk url (close #465) (#527) JWT config now takes an optional jwk_url parameter (which points to published JWK Set). This is useful for providers who rotate their JWK Set. Optional jwk_url parameter is taken. The published JWK set under that URL should be in standard JWK format (tools.ietf.org/html/rfc7517#section-4.8). If the response contains an Expires header, the JWK set is automatically refreshed.
2018-09-27 14:22:49 +03:00
, JWTCtx (..)
, JWKSet (..)
add support for jwt authorization (close #186) (#255) The API: 1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON. 2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}` `type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io). `key`: i. Incase of symmetric key, the key as it is. ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate. 3. The claims in the JWT token must contain the following: i. `x-hasura-default-role` field: default role of that user ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header. 4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings. 5. The JWT tokens are sent as `Authorization: Bearer <token>` headers. --- To test: 1. Generate a shared secret (for HMAC-SHA256) or RSA key pair. 2. Goto https://jwt.io/ , add the keys 3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions. 4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}` 5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header. --- TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
, processJwt
jwt config now takes a jwk url (close #465) (#527) JWT config now takes an optional jwk_url parameter (which points to published JWK Set). This is useful for providers who rotate their JWK Set. Optional jwk_url parameter is taken. The published JWK set under that URL should be in standard JWK format (tools.ietf.org/html/rfc7517#section-4.8). If the response contains an Expires header, the JWK set is automatically refreshed.
2018-09-27 14:22:49 +03:00
, updateJwkRef
refactor some internal components (#3414)
2019-11-26 15:14:21 +03:00
, UserAuthentication (..)
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
-- * Exposed for testing
, getUserInfoWithExpTime_
initial support for livequeries (#176) fix #59
2018-07-20 10:22:46 +03:00
) where
server: move Hasura.SQL to Hasura.Backends.Postgres (#6053) https://github.com/hasura/graphql-engine/pull/6053
2020-10-27 16:53:49 +03:00
import Hasura.Prelude
pass gql requests into auth webhook POST body (#149) * fix arg order in UserAuthentication instance [force ci] * change the constructor name to AHGraphQLRequest Co-authored-by: Stylish Haskell Bot <stylish-haskell@users.noreply.github.com> Co-authored-by: Karthikeyan Chinnakonda <karthikeyan@hasura.io> GitOrigin-RevId: fb3258f4a84efc6c730b0c6222ebd8cea1b91081
2021-02-03 10:10:39 +03:00
import qualified Crypto.Hash as Crypto
import qualified Data.Text.Encoding as T
import qualified Network.HTTP.Client as H
import qualified Network.HTTP.Types as N
server: move Hasura.SQL to Hasura.Backends.Postgres (#6053) https://github.com/hasura/graphql-engine/pull/6053
2020-10-27 16:53:49 +03:00
pass gql requests into auth webhook POST body (#149) * fix arg order in UserAuthentication instance [force ci] * change the constructor name to AHGraphQLRequest Co-authored-by: Stylish Haskell Bot <stylish-haskell@users.noreply.github.com> Co-authored-by: Karthikeyan Chinnakonda <karthikeyan@hasura.io> GitOrigin-RevId: fb3258f4a84efc6c730b0c6222ebd8cea1b91081
2021-02-03 10:10:39 +03:00
import Control.Concurrent.Extended (ForkableMonadIO, forkManagedT)
import Control.Monad.Morph (hoist)
import Control.Monad.Trans.Control (MonadBaseControl)
import Control.Monad.Trans.Managed (ManagedT)
import Data.IORef (newIORef)
import Data.Time.Clock (UTCTime)
few actions' fixes and improvements (fix #3977, #4061 & close #4021) (#4109) * add 'ID' to default scalars for custom types, fix #4061 * preserve cookie headers from sync action webhook, close #4021 * validate action webhook response to conform to output type, fix #3977 * fix tests, don't run actions' tests on PG version < 10 * update CHANGELOG.md * no-op refactor, use types from http-network more Co-authored-by: Vamshi Surabhi <0x777@users.noreply.github.com>
2020-03-20 09:46:45 +03:00
pass gql requests into auth webhook POST body (#149) * fix arg order in UserAuthentication instance [force ci] * change the constructor name to AHGraphQLRequest Co-authored-by: Stylish Haskell Bot <stylish-haskell@users.noreply.github.com> Co-authored-by: Karthikeyan Chinnakonda <karthikeyan@hasura.io> GitOrigin-RevId: fb3258f4a84efc6c730b0c6222ebd8cea1b91081
2021-02-03 10:10:39 +03:00
import qualified Hasura.Tracing as Tracing
allow unauthorized role in accesskey and JWT modes (closes #595) (#856)
2018-10-25 21:16:25 +03:00
import Hasura.Logging
initial support for livequeries (#176) fix #59
2018-07-20 10:22:46 +03:00
import Hasura.RQL.Types
pass gql requests into auth webhook POST body (#149) * fix arg order in UserAuthentication instance [force ci] * change the constructor name to AHGraphQLRequest Co-authored-by: Stylish Haskell Bot <stylish-haskell@users.noreply.github.com> Co-authored-by: Karthikeyan Chinnakonda <karthikeyan@hasura.io> GitOrigin-RevId: fb3258f4a84efc6c730b0c6222ebd8cea1b91081
2021-02-03 10:10:39 +03:00
import Hasura.Server.Auth.JWT hiding (processJwt_)
server: add support for webhook connection expiration (#4196) * add expiry time to webhook user info This also adds an optional message to webhook errors: if we fail to parse an expiry time, we will log a warning with the parse error. * refactored Auth This change had one main goal: put in common all expiry time extraction code between the JWT and WebHook parts of the code. Furthermore, this change also moves all WebHook specific code to its own module, similarly to what is done for JWT. * Remove dependency on string-conversions in favor of text-conversions string-conversions silently uses UTF8 instead of being explicit about it, and it uses lenientDecode when decoding ByteStrings when it’s usually better to reject invalid UTF8 input outright. text-conversions solves both those problems. Co-authored-by: Alexis King <lexi.lambda@gmail.com>
2020-04-03 03:00:13 +03:00
import Hasura.Server.Auth.WebHook
add support for jwt authorization (close #186) (#255) The API: 1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON. 2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}` `type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io). `key`: i. Incase of symmetric key, the key as it is. ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate. 3. The claims in the JWT token must contain the following: i. `x-hasura-default-role` field: default role of that user ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header. 4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings. 5. The JWT tokens are sent as `Authorization: Bearer <token>` headers. --- To test: 1. Generate a shared secret (for HMAC-SHA256) or RSA key pair. 2. Goto https://jwt.io/ , add the keys 3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions. 4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}` 5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header. --- TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
import Hasura.Server.Utils
pass gql requests into auth webhook POST body (#149) * fix arg order in UserAuthentication instance [force ci] * change the constructor name to AHGraphQLRequest Co-authored-by: Stylish Haskell Bot <stylish-haskell@users.noreply.github.com> Co-authored-by: Karthikeyan Chinnakonda <karthikeyan@hasura.io> GitOrigin-RevId: fb3258f4a84efc6c730b0c6222ebd8cea1b91081
2021-02-03 10:10:39 +03:00
import Hasura.Server.Version (HasVersion)
backend only insert permissions (rfc #4120) (#4224) * move user info related code to Hasura.User module * the RFC #4120 implementation; insert permissions with admin secret * revert back to old RoleName based schema maps An attempt made to avoid duplication of schema contexts in types if any role doesn't possess any admin secret specific schema * fix compile errors in haskell test * keep 'user_vars' for session variables in http-logs * no-op refacto * tests for admin only inserts * update docs for admin only inserts * updated CHANGELOG.md * default behaviour when admin secret is not set * fix x-hasura-role to X-Hasura-Role in pytests * introduce effective timeout in actions async tests * update docs for admin-secret not configured case * Update docs/graphql/manual/api-reference/schema-metadata-api/permission.rst Co-Authored-By: Marion Schleifer <marion@hasura.io> * Apply suggestions from code review Co-Authored-By: Marion Schleifer <marion@hasura.io> * a complete iteration backend insert permissions accessable via 'x-hasura-backend-privilege' session variable * console changes for backend-only permissions * provide tooltip id; update labels and tooltips; * requested changes * requested changes - remove className from Toggle component - use appropriate function name (capitalizeFirstChar -> capitalize) * use toggle props from definitelyTyped * fix accidental commit * Revert "introduce effective timeout in actions async tests" This reverts commit b7a59c19d643520cfde6af579889e1038038438a. * generate complete schema for both 'default' and 'backend' sessions * Apply suggestions from code review Co-Authored-By: Marion Schleifer <marion@hasura.io> * remove unnecessary import, export Toggle as is * update session variable in tooltip * 'x-hasura-use-backend-only-permissions' variable to switch * update help texts * update docs * update docs * update console help text * regenerate package-lock * serve no backend schema when backend_only: false and header set to true - Few type name refactor as suggested by @0x777 * update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * fix a merge bug where a certain entity didn't get removed Co-authored-by: Marion Schleifer <marion@hasura.io> Co-authored-by: Rishichandra Wawhal <rishi@hasura.io> Co-authored-by: rikinsk <rikin.kachhia@gmail.com> Co-authored-by: Tirumarai Selvan <tiru@hasura.io>
2020-04-24 12:10:53 +03:00
import Hasura.Session
server: move Hasura.SQL to Hasura.Backends.Postgres (#6053) https://github.com/hasura/graphql-engine/pull/6053
2020-10-27 16:53:49 +03:00
refactor some internal components (#3414)
2019-11-26 15:14:21 +03:00
-- | Typeclass representing the @UserInfo@ authorization and resolving effect
class (Monad m) => UserAuthentication m where
resolveUserInfo
server: add support for webhook connection expiration (#4196) * add expiry time to webhook user info This also adds an optional message to webhook errors: if we fail to parse an expiry time, we will log a warning with the parse error. * refactored Auth This change had one main goal: put in common all expiry time extraction code between the JWT and WebHook parts of the code. Furthermore, this change also moves all WebHook specific code to its own module, similarly to what is done for JWT. * Remove dependency on string-conversions in favor of text-conversions string-conversions silently uses UTF8 instead of being explicit about it, and it uses lenientDecode when decoding ByteStrings when it’s usually better to reject invalid UTF8 input outright. text-conversions solves both those problems. Co-authored-by: Alexis King <lexi.lambda@gmail.com>
2020-04-03 03:00:13 +03:00
:: HasVersion
server: Parameterize the graphql-engine library over the version (#3668)
2020-01-23 00:55:55 +03:00
=> Logger Hasura
refactor some internal components (#3414)
2019-11-26 15:14:21 +03:00
-> H.Manager
-> [N.Header]
-- ^ request headers
-> AuthMode
pass gql requests into auth webhook POST body (#149) * fix arg order in UserAuthentication instance [force ci] * change the constructor name to AHGraphQLRequest Co-authored-by: Stylish Haskell Bot <stylish-haskell@users.noreply.github.com> Co-authored-by: Karthikeyan Chinnakonda <karthikeyan@hasura.io> GitOrigin-RevId: fb3258f4a84efc6c730b0c6222ebd8cea1b91081
2021-02-03 10:10:39 +03:00
-> Maybe ReqsText
fix resolving user info in websocket transport (#3509) The connection handler in websocket transport was not using the 'UserAuthentication' interface to resolve user info. Fix resolving user info in websocket transport to use the common 'UserAuthentication' interface
2019-12-11 04:04:49 +03:00
-> m (Either QErr (UserInfo, Maybe UTCTime))
initial support for livequeries (#176) fix #59
2018-07-20 10:22:46 +03:00
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
-- | The hashed admin password. 'hashAdminSecret' is our public interface for
Pass environment variables around as a data structure, via @sordina (#5374) * Pass environment variables around as a data structure, via @sordina * Resolving build error * Adding Environment passing note to changelog * Removing references to ILTPollerLog as this seems to have been reintroduced from a bad merge * removing commented-out imports * Language pragmas already set by project * Linking async thread * Apply suggestions from code review Use `runQueryTx` instead of `runLazyTx` for queries. * remove the non-user facing entry in the changelog Co-authored-by: Phil Freeman <paf31@cantab.net> Co-authored-by: Phil Freeman <phil@hasura.io> Co-authored-by: Vamshi Surabhi <0x777@users.noreply.github.com>
2020-07-14 22:00:58 +03:00
-- constructing the secret.
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
--
-- To prevent misuse and leaking we keep this opaque and don't provide
-- instances that could leak information. Likewise for 'AuthMode'.
--
-- Although this exists only in memory we store only a hash of the admin secret
-- primarily in order to:
Pass environment variables around as a data structure, via @sordina (#5374) * Pass environment variables around as a data structure, via @sordina * Resolving build error * Adding Environment passing note to changelog * Removing references to ILTPollerLog as this seems to have been reintroduced from a bad merge * removing commented-out imports * Language pragmas already set by project * Linking async thread * Apply suggestions from code review Use `runQueryTx` instead of `runLazyTx` for queries. * remove the non-user facing entry in the changelog Co-authored-by: Phil Freeman <paf31@cantab.net> Co-authored-by: Phil Freeman <phil@hasura.io> Co-authored-by: Vamshi Surabhi <0x777@users.noreply.github.com>
2020-07-14 22:00:58 +03:00
--
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
-- - prevent theoretical timing attacks from a naive `==` check
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
-- - prevent misuse or inadvertent leaking of the secret
--
newtype AdminSecretHash = AdminSecretHash (Crypto.Digest Crypto.SHA512)
deriving (Ord, Eq)
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
-- We don't want to be able to leak the secret hash. This is a dummy instance
-- to support 'Show AuthMode' which we want for testing.
instance Show AdminSecretHash where
show _ = "(error \"AdminSecretHash hidden\")"
server: move Hasura.SQL to Hasura.Backends.Postgres (#6053) https://github.com/hasura/graphql-engine/pull/6053
2020-10-27 16:53:49 +03:00
hashAdminSecret :: Text -> AdminSecretHash
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
hashAdminSecret = AdminSecretHash . Crypto.hash . T.encodeUtf8
-- | The methods we'll use to derive roles for authenticating requests.
--
-- @Maybe RoleName@ below is the optionally-defined role for the
Pass environment variables around as a data structure, via @sordina (#5374) * Pass environment variables around as a data structure, via @sordina * Resolving build error * Adding Environment passing note to changelog * Removing references to ILTPollerLog as this seems to have been reintroduced from a bad merge * removing commented-out imports * Language pragmas already set by project * Linking async thread * Apply suggestions from code review Use `runQueryTx` instead of `runLazyTx` for queries. * remove the non-user facing entry in the changelog Co-authored-by: Phil Freeman <paf31@cantab.net> Co-authored-by: Phil Freeman <phil@hasura.io> Co-authored-by: Vamshi Surabhi <0x777@users.noreply.github.com>
2020-07-14 22:00:58 +03:00
-- unauthenticated (anonymous) user.
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
--
update docs link to avoid redirects GitOrigin-RevId: 1f2a1d21bfb9b2908d56305fa2dfb69270deafdf
2021-03-01 21:50:24 +03:00
-- See: https://hasura.io/docs/latest/graphql/core/auth/authentication/unauthenticated-access.html
Pass environment variables around as a data structure, via @sordina (#5374) * Pass environment variables around as a data structure, via @sordina * Resolving build error * Adding Environment passing note to changelog * Removing references to ILTPollerLog as this seems to have been reintroduced from a bad merge * removing commented-out imports * Language pragmas already set by project * Linking async thread * Apply suggestions from code review Use `runQueryTx` instead of `runLazyTx` for queries. * remove the non-user facing entry in the changelog Co-authored-by: Phil Freeman <paf31@cantab.net> Co-authored-by: Phil Freeman <phil@hasura.io> Co-authored-by: Vamshi Surabhi <0x777@users.noreply.github.com>
2020-07-14 22:00:58 +03:00
initial support for livequeries (#176) fix #59
2018-07-20 10:22:46 +03:00
data AuthMode
= AMNoAuth
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
| AMAdminSecret !AdminSecretHash !(Maybe RoleName)
| AMAdminSecretAndHook !AdminSecretHash !AuthHook
| AMAdminSecretAndJWT !AdminSecretHash !JWTCtx !(Maybe RoleName)
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
deriving (Show, Eq)
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
-- | Validate the user's requested authentication configuration, launching any
-- required maintenance threads for JWT etc.
--
-- This must only be run once, on launch.
setupAuthMode
server: Parameterize the graphql-engine library over the version (#3668)
2020-01-23 00:55:55 +03:00
:: ( HasVersion
server: simplify shutdown logic, improve resource management (#218) (#195) * Remove unused ExitCode constructors * Simplify shutdown logic * Update server/src-lib/Hasura/App.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * WIP: fix zombie thread issue * Use forkCodensity for the schema sync thread * Use forkCodensity for the oauthTokenUpdateWorker * Use forkCodensity for the schema update processor thread * Add deprecation notice * Logger threads use Codensity * Add the MonadFix instance for Codensity to get log-sender thread logs * Move outIdleGC out to the top level, WIP * Update forkImmortal fuction for more logging info * add back the idle GC to Pro * setupAuth * use ImmortalThreadLog * Fix tests * Add another finally block * loud warnings * Change log level * hlint * Finalize the logger in the correct place * Add ManagedT * Update server/src-lib/Hasura/Server/Auth.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * Comments etc. Co-authored-by: Brandon Simmons <brandon@hasura.io> Co-authored-by: Naveen Naidu <naveennaidu479@gmail.com> GitOrigin-RevId: 156065c5c3ace0e13d1997daef6921cc2e9f641c
2020-12-21 21:56:00 +03:00
, ForkableMonadIO m
Add MonadTrace and MonadExecuteQuery abstractions (#5383) Co-authored-by: Vamshi Surabhi <0x777@users.noreply.github.com>
2020-07-15 13:40:48 +03:00
, Tracing.HasReporter m
allow unauthorized role in accesskey and JWT modes (closes #595) (#856)
2018-10-25 21:16:25 +03:00
)
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
=> Maybe AdminSecretHash
allow authentication webhook with POST (close #1138) (#1147)
2018-12-03 14:19:08 +03:00
-> Maybe AuthHook
breaking: server logging changes (close #507, close #2171) (#1835)
2019-07-11 08:37:06 +03:00
-> Maybe JWTConfig
allow unauthorized role in accesskey and JWT modes (closes #595) (#856)
2018-10-25 21:16:25 +03:00
-> Maybe RoleName
-> H.Manager
fix various functions to not create their own logger (#3439)
2019-11-28 12:03:14 +03:00
-> Logger Hasura
server: simplify shutdown logic, improve resource management (#218) (#195) * Remove unused ExitCode constructors * Simplify shutdown logic * Update server/src-lib/Hasura/App.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * WIP: fix zombie thread issue * Use forkCodensity for the schema sync thread * Use forkCodensity for the oauthTokenUpdateWorker * Use forkCodensity for the schema update processor thread * Add deprecation notice * Logger threads use Codensity * Add the MonadFix instance for Codensity to get log-sender thread logs * Move outIdleGC out to the top level, WIP * Update forkImmortal fuction for more logging info * add back the idle GC to Pro * setupAuth * use ImmortalThreadLog * Fix tests * Add another finally block * loud warnings * Change log level * hlint * Finalize the logger in the correct place * Add ManagedT * Update server/src-lib/Hasura/Server/Auth.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * Comments etc. Co-authored-by: Brandon Simmons <brandon@hasura.io> Co-authored-by: Naveen Naidu <naveennaidu479@gmail.com> GitOrigin-RevId: 156065c5c3ace0e13d1997daef6921cc2e9f641c
2020-12-21 21:56:00 +03:00
-> ExceptT Text (ManagedT m) AuthMode
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
setupAuthMode mAdminSecretHash mWebHook mJwtSecret mUnAuthRole httpManager logger =
case (mAdminSecretHash, mWebHook, mJwtSecret) of
(Just hash, Nothing, Nothing) -> return $ AMAdminSecret hash mUnAuthRole
(Just hash, Nothing, Just jwtConf) -> do
jwtCtx <- mkJwtCtx jwtConf
return $ AMAdminSecretAndJWT hash jwtCtx mUnAuthRole
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
-- Nothing below this case uses unauth role. Throw a fatal error if we would otherwise ignore
-- that parameter, lest users misunderstand their auth configuration:
Pass environment variables around as a data structure, via @sordina (#5374) * Pass environment variables around as a data structure, via @sordina * Resolving build error * Adding Environment passing note to changelog * Removing references to ILTPollerLog as this seems to have been reintroduced from a bad merge * removing commented-out imports * Language pragmas already set by project * Linking async thread * Apply suggestions from code review Use `runQueryTx` instead of `runLazyTx` for queries. * remove the non-user facing entry in the changelog Co-authored-by: Phil Freeman <paf31@cantab.net> Co-authored-by: Phil Freeman <phil@hasura.io> Co-authored-by: Vamshi Surabhi <0x777@users.noreply.github.com>
2020-07-14 22:00:58 +03:00
_ | isJust mUnAuthRole -> throwError $
"Fatal Error: --unauthorized-role (HASURA_GRAPHQL_UNAUTHORIZED_ROLE)"
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
<> requiresAdminScrtMsg
<> " and is not allowed when --auth-hook (HASURA_GRAPHQL_AUTH_HOOK) is set"
(Nothing, Nothing, Nothing) -> return AMNoAuth
(Just hash, Just hook, Nothing) -> return $ AMAdminSecretAndHook hash hook
allow unauthorized role in accesskey and JWT modes (closes #595) (#856)
2018-10-25 21:16:25 +03:00
server: add support for webhook connection expiration (#4196) * add expiry time to webhook user info This also adds an optional message to webhook errors: if we fail to parse an expiry time, we will log a warning with the parse error. * refactored Auth This change had one main goal: put in common all expiry time extraction code between the JWT and WebHook parts of the code. Furthermore, this change also moves all WebHook specific code to its own module, similarly to what is done for JWT. * Remove dependency on string-conversions in favor of text-conversions string-conversions silently uses UTF8 instead of being explicit about it, and it uses lenientDecode when decoding ByteStrings when it’s usually better to reject invalid UTF8 input outright. text-conversions solves both those problems. Co-authored-by: Alexis King <lexi.lambda@gmail.com>
2020-04-03 03:00:13 +03:00
(Nothing, Just _, Nothing) -> throwError $
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated.
2019-02-14 12:37:47 +03:00
"Fatal Error : --auth-hook (HASURA_GRAPHQL_AUTH_HOOK)" <> requiresAdminScrtMsg
server: add support for webhook connection expiration (#4196) * add expiry time to webhook user info This also adds an optional message to webhook errors: if we fail to parse an expiry time, we will log a warning with the parse error. * refactored Auth This change had one main goal: put in common all expiry time extraction code between the JWT and WebHook parts of the code. Furthermore, this change also moves all WebHook specific code to its own module, similarly to what is done for JWT. * Remove dependency on string-conversions in favor of text-conversions string-conversions silently uses UTF8 instead of being explicit about it, and it uses lenientDecode when decoding ByteStrings when it’s usually better to reject invalid UTF8 input outright. text-conversions solves both those problems. Co-authored-by: Alexis King <lexi.lambda@gmail.com>
2020-04-03 03:00:13 +03:00
(Nothing, Nothing, Just _) -> throwError $
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated.
2019-02-14 12:37:47 +03:00
"Fatal Error : --jwt-secret (HASURA_GRAPHQL_JWT_SECRET)" <> requiresAdminScrtMsg
server: add support for webhook connection expiration (#4196) * add expiry time to webhook user info This also adds an optional message to webhook errors: if we fail to parse an expiry time, we will log a warning with the parse error. * refactored Auth This change had one main goal: put in common all expiry time extraction code between the JWT and WebHook parts of the code. Furthermore, this change also moves all WebHook specific code to its own module, similarly to what is done for JWT. * Remove dependency on string-conversions in favor of text-conversions string-conversions silently uses UTF8 instead of being explicit about it, and it uses lenientDecode when decoding ByteStrings when it’s usually better to reject invalid UTF8 input outright. text-conversions solves both those problems. Co-authored-by: Alexis King <lexi.lambda@gmail.com>
2020-04-03 03:00:13 +03:00
(Nothing, Just _, Just _) -> throwError
allow unauthorized role in accesskey and JWT modes (closes #595) (#856)
2018-10-25 21:16:25 +03:00
"Fatal Error: Both webhook and JWT mode cannot be enabled at the same time"
server: add support for webhook connection expiration (#4196) * add expiry time to webhook user info This also adds an optional message to webhook errors: if we fail to parse an expiry time, we will log a warning with the parse error. * refactored Auth This change had one main goal: put in common all expiry time extraction code between the JWT and WebHook parts of the code. Furthermore, this change also moves all WebHook specific code to its own module, similarly to what is done for JWT. * Remove dependency on string-conversions in favor of text-conversions string-conversions silently uses UTF8 instead of being explicit about it, and it uses lenientDecode when decoding ByteStrings when it’s usually better to reject invalid UTF8 input outright. text-conversions solves both those problems. Co-authored-by: Alexis King <lexi.lambda@gmail.com>
2020-04-03 03:00:13 +03:00
(Just _, Just _, Just _) -> throwError
allow unauthorized role in accesskey and JWT modes (closes #595) (#856)
2018-10-25 21:16:25 +03:00
"Fatal Error: Both webhook and JWT mode cannot be enabled at the same time"
where
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
requiresAdminScrtMsg =
" requires --admin-secret (HASURA_GRAPHQL_ADMIN_SECRET) or "
<> " --access-key (HASURA_GRAPHQL_ACCESS_KEY) to be set"
allow unauthorized role in accesskey and JWT modes (closes #595) (#856)
2018-10-25 21:16:25 +03:00
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
-- | Given the 'JWTConfig' (the user input of JWT configuration), create
-- the 'JWTCtx' (the runtime JWT config used)
Pass environment variables around as a data structure, via @sordina (#5374) * Pass environment variables around as a data structure, via @sordina * Resolving build error * Adding Environment passing note to changelog * Removing references to ILTPollerLog as this seems to have been reintroduced from a bad merge * removing commented-out imports * Language pragmas already set by project * Linking async thread * Apply suggestions from code review Use `runQueryTx` instead of `runLazyTx` for queries. * remove the non-user facing entry in the changelog Co-authored-by: Phil Freeman <paf31@cantab.net> Co-authored-by: Phil Freeman <phil@hasura.io> Co-authored-by: Vamshi Surabhi <0x777@users.noreply.github.com>
2020-07-14 22:00:58 +03:00
-- mkJwtCtx :: HasVersion => JWTConfig -> m JWTCtx
mkJwtCtx
:: ( HasVersion
server: simplify shutdown logic, improve resource management (#218) (#195) * Remove unused ExitCode constructors * Simplify shutdown logic * Update server/src-lib/Hasura/App.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * WIP: fix zombie thread issue * Use forkCodensity for the schema sync thread * Use forkCodensity for the oauthTokenUpdateWorker * Use forkCodensity for the schema update processor thread * Add deprecation notice * Logger threads use Codensity * Add the MonadFix instance for Codensity to get log-sender thread logs * Move outIdleGC out to the top level, WIP * Update forkImmortal fuction for more logging info * add back the idle GC to Pro * setupAuth * use ImmortalThreadLog * Fix tests * Add another finally block * loud warnings * Change log level * hlint * Finalize the logger in the correct place * Add ManagedT * Update server/src-lib/Hasura/Server/Auth.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * Comments etc. Co-authored-by: Brandon Simmons <brandon@hasura.io> Co-authored-by: Naveen Naidu <naveennaidu479@gmail.com> GitOrigin-RevId: 156065c5c3ace0e13d1997daef6921cc2e9f641c
2020-12-21 21:56:00 +03:00
, ForkableMonadIO m
Add MonadTrace and MonadExecuteQuery abstractions (#5383) Co-authored-by: Vamshi Surabhi <0x777@users.noreply.github.com>
2020-07-15 13:40:48 +03:00
, Tracing.HasReporter m
Pass environment variables around as a data structure, via @sordina (#5374) * Pass environment variables around as a data structure, via @sordina * Resolving build error * Adding Environment passing note to changelog * Removing references to ILTPollerLog as this seems to have been reintroduced from a bad merge * removing commented-out imports * Language pragmas already set by project * Linking async thread * Apply suggestions from code review Use `runQueryTx` instead of `runLazyTx` for queries. * remove the non-user facing entry in the changelog Co-authored-by: Phil Freeman <paf31@cantab.net> Co-authored-by: Phil Freeman <phil@hasura.io> Co-authored-by: Vamshi Surabhi <0x777@users.noreply.github.com>
2020-07-14 22:00:58 +03:00
)
=> JWTConfig
server: simplify shutdown logic, improve resource management (#218) (#195) * Remove unused ExitCode constructors * Simplify shutdown logic * Update server/src-lib/Hasura/App.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * WIP: fix zombie thread issue * Use forkCodensity for the schema sync thread * Use forkCodensity for the oauthTokenUpdateWorker * Use forkCodensity for the schema update processor thread * Add deprecation notice * Logger threads use Codensity * Add the MonadFix instance for Codensity to get log-sender thread logs * Move outIdleGC out to the top level, WIP * Update forkImmortal fuction for more logging info * add back the idle GC to Pro * setupAuth * use ImmortalThreadLog * Fix tests * Add another finally block * loud warnings * Change log level * hlint * Finalize the logger in the correct place * Add ManagedT * Update server/src-lib/Hasura/Server/Auth.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * Comments etc. Co-authored-by: Brandon Simmons <brandon@hasura.io> Co-authored-by: Naveen Naidu <naveennaidu479@gmail.com> GitOrigin-RevId: 156065c5c3ace0e13d1997daef6921cc2e9f641c
2020-12-21 21:56:00 +03:00
-> ExceptT Text (ManagedT m) JWTCtx
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
mkJwtCtx JWTConfig{..} = do
jwkRef <- case jcKeyOrUrl of
Left jwk -> liftIO $ newIORef (JWKSet [jwk])
Right url -> getJwkFromUrl url
server: support reading JWT from Cookie header GitOrigin-RevId: 1de90242d3c000361f87256c2dddce1677863231
2021-02-25 12:02:43 +03:00
let jwtHeader = fromMaybe JHAuthorization jcHeader
return $ JWTCtx jwkRef jcAudience jcIssuer jcClaims jcAllowedSkew jwtHeader
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
where
-- if we can't find any expiry time for the JWK (either in @Expires@ header or @Cache-Control@
-- header), do not start a background thread for refreshing the JWK
getJwkFromUrl url = do
ref <- liftIO $ newIORef $ JWKSet []
server: simplify shutdown logic, improve resource management (#218) (#195) * Remove unused ExitCode constructors * Simplify shutdown logic * Update server/src-lib/Hasura/App.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * WIP: fix zombie thread issue * Use forkCodensity for the schema sync thread * Use forkCodensity for the oauthTokenUpdateWorker * Use forkCodensity for the schema update processor thread * Add deprecation notice * Logger threads use Codensity * Add the MonadFix instance for Codensity to get log-sender thread logs * Move outIdleGC out to the top level, WIP * Update forkImmortal fuction for more logging info * add back the idle GC to Pro * setupAuth * use ImmortalThreadLog * Fix tests * Add another finally block * loud warnings * Change log level * hlint * Finalize the logger in the correct place * Add ManagedT * Update server/src-lib/Hasura/Server/Auth.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * Comments etc. Co-authored-by: Brandon Simmons <brandon@hasura.io> Co-authored-by: Naveen Naidu <naveennaidu479@gmail.com> GitOrigin-RevId: 156065c5c3ace0e13d1997daef6921cc2e9f641c
2020-12-21 21:56:00 +03:00
maybeExpiry <- hoist lift $ withJwkError $ Tracing.runTraceT "jwk init" $ updateJwkRef logger httpManager url ref
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
case maybeExpiry of
Nothing -> return ref
Just time -> do
server: simplify shutdown logic, improve resource management (#218) (#195) * Remove unused ExitCode constructors * Simplify shutdown logic * Update server/src-lib/Hasura/App.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * WIP: fix zombie thread issue * Use forkCodensity for the schema sync thread * Use forkCodensity for the oauthTokenUpdateWorker * Use forkCodensity for the schema update processor thread * Add deprecation notice * Logger threads use Codensity * Add the MonadFix instance for Codensity to get log-sender thread logs * Move outIdleGC out to the top level, WIP * Update forkImmortal fuction for more logging info * add back the idle GC to Pro * setupAuth * use ImmortalThreadLog * Fix tests * Add another finally block * loud warnings * Change log level * hlint * Finalize the logger in the correct place * Add ManagedT * Update server/src-lib/Hasura/Server/Auth.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * Comments etc. Co-authored-by: Brandon Simmons <brandon@hasura.io> Co-authored-by: Naveen Naidu <naveennaidu479@gmail.com> GitOrigin-RevId: 156065c5c3ace0e13d1997daef6921cc2e9f641c
2020-12-21 21:56:00 +03:00
void . lift $ forkManagedT "jwkRefreshCtrl" logger $
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
jwkRefreshCtrl logger httpManager url ref (convertDuration time)
return ref
withJwkError act = do
res <- runExceptT act
server: simplify shutdown logic, improve resource management (#218) (#195) * Remove unused ExitCode constructors * Simplify shutdown logic * Update server/src-lib/Hasura/App.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * WIP: fix zombie thread issue * Use forkCodensity for the schema sync thread * Use forkCodensity for the oauthTokenUpdateWorker * Use forkCodensity for the schema update processor thread * Add deprecation notice * Logger threads use Codensity * Add the MonadFix instance for Codensity to get log-sender thread logs * Move outIdleGC out to the top level, WIP * Update forkImmortal fuction for more logging info * add back the idle GC to Pro * setupAuth * use ImmortalThreadLog * Fix tests * Add another finally block * loud warnings * Change log level * hlint * Finalize the logger in the correct place * Add ManagedT * Update server/src-lib/Hasura/Server/Auth.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * Comments etc. Co-authored-by: Brandon Simmons <brandon@hasura.io> Co-authored-by: Naveen Naidu <naveennaidu479@gmail.com> GitOrigin-RevId: 156065c5c3ace0e13d1997daef6921cc2e9f641c
2020-12-21 21:56:00 +03:00
onLeft res $ \case
-- when fetching JWK initially, except expiry parsing error, all errors are critical
pass gql requests into auth webhook POST body (#149) * fix arg order in UserAuthentication instance [force ci] * change the constructor name to AHGraphQLRequest Co-authored-by: Stylish Haskell Bot <stylish-haskell@users.noreply.github.com> Co-authored-by: Karthikeyan Chinnakonda <karthikeyan@hasura.io> GitOrigin-RevId: fb3258f4a84efc6c730b0c6222ebd8cea1b91081
2021-02-03 10:10:39 +03:00
JFEHttpException _ msg -> throwError msg
JFEHttpError _ _ _ e -> throwError e
JFEJwkParseError _ e -> throwError e
server: simplify shutdown logic, improve resource management (#218) (#195) * Remove unused ExitCode constructors * Simplify shutdown logic * Update server/src-lib/Hasura/App.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * WIP: fix zombie thread issue * Use forkCodensity for the schema sync thread * Use forkCodensity for the oauthTokenUpdateWorker * Use forkCodensity for the schema update processor thread * Add deprecation notice * Logger threads use Codensity * Add the MonadFix instance for Codensity to get log-sender thread logs * Move outIdleGC out to the top level, WIP * Update forkImmortal fuction for more logging info * add back the idle GC to Pro * setupAuth * use ImmortalThreadLog * Fix tests * Add another finally block * loud warnings * Change log level * hlint * Finalize the logger in the correct place * Add ManagedT * Update server/src-lib/Hasura/Server/Auth.hs Co-authored-by: Brandon Simmons <brandon@hasura.io> * Comments etc. Co-authored-by: Brandon Simmons <brandon@hasura.io> Co-authored-by: Naveen Naidu <naveennaidu479@gmail.com> GitOrigin-RevId: 156065c5c3ace0e13d1997daef6921cc2e9f641c
2020-12-21 21:56:00 +03:00
JFEExpiryParseError _ _ -> return Nothing
fix parsing JWK expiry time from headers on startup (fix #3655) (#3779)
2020-02-05 10:07:31 +03:00
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
-- | Authenticate the request using the headers and the configured 'AuthMode'.
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
getUserInfoWithExpTime
Add MonadTrace and MonadExecuteQuery abstractions (#5383) Co-authored-by: Vamshi Surabhi <0x777@users.noreply.github.com>
2020-07-15 13:40:48 +03:00
:: forall m. (HasVersion, MonadIO m, MonadBaseControl IO m, MonadError QErr m, Tracing.MonadTrace m)
refactor some internal components (#3414)
2019-11-26 15:14:21 +03:00
=> Logger Hasura
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
-> H.Manager
-> [N.Header]
-> AuthMode
pass gql requests into auth webhook POST body (#149) * fix arg order in UserAuthentication instance [force ci] * change the constructor name to AHGraphQLRequest Co-authored-by: Stylish Haskell Bot <stylish-haskell@users.noreply.github.com> Co-authored-by: Karthikeyan Chinnakonda <karthikeyan@hasura.io> GitOrigin-RevId: fb3258f4a84efc6c730b0c6222ebd8cea1b91081
2021-02-03 10:10:39 +03:00
-> Maybe ReqsText
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
-> m (UserInfo, Maybe UTCTime)
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
getUserInfoWithExpTime = getUserInfoWithExpTime_ userInfoFromAuthHook processJwt
-- Broken out for testing with mocks:
getUserInfoWithExpTime_
:: forall m _Manager _Logger_Hasura. (MonadIO m, MonadError QErr m)
[Preview] Inherited roles for postgres read queries fixes #3868 docker image - `hasura/graphql-engine:inherited-roles-preview-48b73a2de` Note: To be able to use the inherited roles feature, the graphql-engine should be started with the env variable `HASURA_GRAPHQL_EXPERIMENTAL_FEATURES` set to `inherited_roles`. Introduction ------------ This PR implements the idea of multiple roles as presented in this [paper](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/FGALanguageICDE07.pdf). The multiple roles feature in this PR can be used via inherited roles. An inherited role is a role which can be created by combining multiple singular roles. For example, if there are two roles `author` and `editor` configured in the graphql-engine, then we can create a inherited role with the name of `combined_author_editor` role which will combine the select permissions of the `author` and `editor` roles and then make GraphQL queries using the `combined_author_editor`. How are select permissions of different roles are combined? ------------------------------------------------------------ A select permission includes 5 things: 1. Columns accessible to the role 2. Row selection filter 3. Limit 4. Allow aggregation 5. Scalar computed fields accessible to the role Suppose there are two roles, `role1` gives access to the `address` column with row filter `P1` and `role2` gives access to both the `address` and the `phone` column with row filter `P2` and we create a new role `combined_roles` which combines `role1` and `role2`. Let's say the following GraphQL query is queried with the `combined_roles` role. ```graphql query { employees { address phone } } ``` This will translate to the following SQL query: ```sql select (case when (P1 or P2) then address else null end) as address, (case when P2 then phone else null end) as phone from employee where (P1 or P2) ``` The other parameters of the select permission will be combined in the following manner: 1. Limit - Minimum of the limits will be the limit of the inherited role 2. Allow aggregations - If any of the role allows aggregation, then the inherited role will allow aggregation 3. Scalar computed fields - same as table column fields, as in the above example APIs for inherited roles: ---------------------- 1. `add_inherited_role` `add_inherited_role` is the [metadata API](https://hasura.io/docs/1.0/graphql/core/api-reference/index.html#schema-metadata-api) to create a new inherited role. It accepts two arguments `role_name`: the name of the inherited role to be added (String) `role_set`: list of roles that need to be combined (Array of Strings) Example: ```json { "type": "add_inherited_role", "args": { "role_name":"combined_user", "role_set":[ "user", "user1" ] } } ``` After adding the inherited role, the inherited role can be used like single roles like earlier Note: An inherited role can only be created with non-inherited/singular roles. 2. `drop_inherited_role` The `drop_inherited_role` API accepts the name of the inherited role and drops it from the metadata. It accepts a single argument: `role_name`: name of the inherited role to be dropped Example: ```json { "type": "drop_inherited_role", "args": { "role_name":"combined_user" } } ``` Metadata --------- The derived roles metadata will be included under the `experimental_features` key while exporting the metadata. ```json { "experimental_features": { "derived_roles": [ { "role_name": "manager_is_employee_too", "role_set": [ "employee", "manager" ] } ] } } ``` Scope ------ Only postgres queries and subscriptions are supported in this PR. Important points: ----------------- 1. All columns exposed to an inherited role will be marked as `nullable`, this is done so that cell value nullification can be done. TODOs ------- - [ ] Tests - [ ] Test a GraphQL query running with a inherited role without enabling inherited roles in experimental features - [] Tests for aggregate queries, limit, computed fields, functions, subscriptions (?) - [ ] Introspection test with a inherited role (nullability changes in a inherited role) - [ ] Docs - [ ] Changelog Co-authored-by: Vamshi Surabhi <6562944+0x777@users.noreply.github.com> GitOrigin-RevId: 3b8ee1e11f5ceca80fe294f8c074d42fbccfec63
2021-03-08 14:14:13 +03:00
=> (_Logger_Hasura -> _Manager -> AuthHook -> [N.Header]
-> Maybe ReqsText -> m (UserInfo, Maybe UTCTime))
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
-- ^ mock 'userInfoFromAuthHook'
-> (JWTCtx -> [N.Header] -> Maybe RoleName -> m (UserInfo, Maybe UTCTime))
-- ^ mock 'processJwt'
-> _Logger_Hasura
-> _Manager
-> [N.Header]
-> AuthMode
pass gql requests into auth webhook POST body (#149) * fix arg order in UserAuthentication instance [force ci] * change the constructor name to AHGraphQLRequest Co-authored-by: Stylish Haskell Bot <stylish-haskell@users.noreply.github.com> Co-authored-by: Karthikeyan Chinnakonda <karthikeyan@hasura.io> GitOrigin-RevId: fb3258f4a84efc6c730b0c6222ebd8cea1b91081
2021-02-03 10:10:39 +03:00
-> Maybe ReqsText
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
-> m (UserInfo, Maybe UTCTime)
[Preview] Inherited roles for postgres read queries fixes #3868 docker image - `hasura/graphql-engine:inherited-roles-preview-48b73a2de` Note: To be able to use the inherited roles feature, the graphql-engine should be started with the env variable `HASURA_GRAPHQL_EXPERIMENTAL_FEATURES` set to `inherited_roles`. Introduction ------------ This PR implements the idea of multiple roles as presented in this [paper](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/FGALanguageICDE07.pdf). The multiple roles feature in this PR can be used via inherited roles. An inherited role is a role which can be created by combining multiple singular roles. For example, if there are two roles `author` and `editor` configured in the graphql-engine, then we can create a inherited role with the name of `combined_author_editor` role which will combine the select permissions of the `author` and `editor` roles and then make GraphQL queries using the `combined_author_editor`. How are select permissions of different roles are combined? ------------------------------------------------------------ A select permission includes 5 things: 1. Columns accessible to the role 2. Row selection filter 3. Limit 4. Allow aggregation 5. Scalar computed fields accessible to the role Suppose there are two roles, `role1` gives access to the `address` column with row filter `P1` and `role2` gives access to both the `address` and the `phone` column with row filter `P2` and we create a new role `combined_roles` which combines `role1` and `role2`. Let's say the following GraphQL query is queried with the `combined_roles` role. ```graphql query { employees { address phone } } ``` This will translate to the following SQL query: ```sql select (case when (P1 or P2) then address else null end) as address, (case when P2 then phone else null end) as phone from employee where (P1 or P2) ``` The other parameters of the select permission will be combined in the following manner: 1. Limit - Minimum of the limits will be the limit of the inherited role 2. Allow aggregations - If any of the role allows aggregation, then the inherited role will allow aggregation 3. Scalar computed fields - same as table column fields, as in the above example APIs for inherited roles: ---------------------- 1. `add_inherited_role` `add_inherited_role` is the [metadata API](https://hasura.io/docs/1.0/graphql/core/api-reference/index.html#schema-metadata-api) to create a new inherited role. It accepts two arguments `role_name`: the name of the inherited role to be added (String) `role_set`: list of roles that need to be combined (Array of Strings) Example: ```json { "type": "add_inherited_role", "args": { "role_name":"combined_user", "role_set":[ "user", "user1" ] } } ``` After adding the inherited role, the inherited role can be used like single roles like earlier Note: An inherited role can only be created with non-inherited/singular roles. 2. `drop_inherited_role` The `drop_inherited_role` API accepts the name of the inherited role and drops it from the metadata. It accepts a single argument: `role_name`: name of the inherited role to be dropped Example: ```json { "type": "drop_inherited_role", "args": { "role_name":"combined_user" } } ``` Metadata --------- The derived roles metadata will be included under the `experimental_features` key while exporting the metadata. ```json { "experimental_features": { "derived_roles": [ { "role_name": "manager_is_employee_too", "role_set": [ "employee", "manager" ] } ] } } ``` Scope ------ Only postgres queries and subscriptions are supported in this PR. Important points: ----------------- 1. All columns exposed to an inherited role will be marked as `nullable`, this is done so that cell value nullification can be done. TODOs ------- - [ ] Tests - [ ] Test a GraphQL query running with a inherited role without enabling inherited roles in experimental features - [] Tests for aggregate queries, limit, computed fields, functions, subscriptions (?) - [ ] Introspection test with a inherited role (nullability changes in a inherited role) - [ ] Docs - [ ] Changelog Co-authored-by: Vamshi Surabhi <6562944+0x777@users.noreply.github.com> GitOrigin-RevId: 3b8ee1e11f5ceca80fe294f8c074d42fbccfec63
2021-03-08 14:14:13 +03:00
getUserInfoWithExpTime_ userInfoFromAuthHook_ processJwt_ logger manager rawHeaders authMode reqs = case authMode of
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
fix a security issue with 1.2
2020-05-05 22:57:17 +03:00
AMNoAuth -> withNoExpTime $ mkUserInfoFallbackAdminRole UAuthNotSet
initial support for livequeries (#176) fix #59
2018-07-20 10:22:46 +03:00
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
-- If hasura was started with an admin secret we:
-- - check if a secret was sent in the request
-- - if so, check it and authorize as admin else fail
-- - if not proceed with either webhook or JWT auth if configured
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
AMAdminSecret realAdminSecretHash maybeUnauthRole ->
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
checkingSecretIfSent realAdminSecretHash $ withNoExpTime $
fix a security issue with 1.2
2020-05-05 22:57:17 +03:00
-- Consider unauthorized role, if not found raise admin secret header required exception
case maybeUnauthRole of
Nothing -> throw401 $ adminSecretHeader <> "/"
<> deprecatedAccessKeyHeader <> " required, but not found"
Just unAuthRole ->
mkUserInfo (URBPreDetermined unAuthRole) UAdminSecretNotSent sessionVariables
initial support for livequeries (#176) fix #59
2018-07-20 10:22:46 +03:00
pass gql requests into auth webhook POST body (#149) * fix arg order in UserAuthentication instance [force ci] * change the constructor name to AHGraphQLRequest Co-authored-by: Stylish Haskell Bot <stylish-haskell@users.noreply.github.com> Co-authored-by: Karthikeyan Chinnakonda <karthikeyan@hasura.io> GitOrigin-RevId: fb3258f4a84efc6c730b0c6222ebd8cea1b91081
2021-02-03 10:10:39 +03:00
-- this is the case that actually ends up consuming the request AST
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
AMAdminSecretAndHook realAdminSecretHash hook ->
pass gql requests into auth webhook POST body (#149) * fix arg order in UserAuthentication instance [force ci] * change the constructor name to AHGraphQLRequest Co-authored-by: Stylish Haskell Bot <stylish-haskell@users.noreply.github.com> Co-authored-by: Karthikeyan Chinnakonda <karthikeyan@hasura.io> GitOrigin-RevId: fb3258f4a84efc6c730b0c6222ebd8cea1b91081
2021-02-03 10:10:39 +03:00
checkingSecretIfSent realAdminSecretHash $ userInfoFromAuthHook_ logger manager hook rawHeaders reqs
add support for jwt authorization (close #186) (#255) The API: 1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON. 2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}` `type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io). `key`: i. Incase of symmetric key, the key as it is. ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate. 3. The claims in the JWT token must contain the following: i. `x-hasura-default-role` field: default role of that user ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header. 4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings. 5. The JWT tokens are sent as `Authorization: Bearer <token>` headers. --- To test: 1. Generate a shared secret (for HMAC-SHA256) or RSA key pair. 2. Goto https://jwt.io/ , add the keys 3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions. 4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}` 5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header. --- TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
AMAdminSecretAndJWT realAdminSecretHash jwtSecret unAuthRole ->
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
checkingSecretIfSent realAdminSecretHash $ processJwt_ jwtSecret rawHeaders unAuthRole
initial support for livequeries (#176) fix #59
2018-07-20 10:22:46 +03:00
where
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
-- CAREFUL!:
fix a security issue with 1.2
2020-05-05 22:57:17 +03:00
mkUserInfoFallbackAdminRole adminSecretState =
mkUserInfo (URBFromSessionVariablesFallback adminRoleName)
adminSecretState sessionVariables
initial support for livequeries (#176) fix #59
2018-07-20 10:22:46 +03:00
support customizing JWT claims (close #3485) (#3575) * improve jsonpath parser to accept special characters and property tests for the same * make the JWTClaimsMapValueG parametrizable * add documentation in the JWT file * modify processAuthZHeader Co-authored-by: Karthikeyan Chinnakonda <karthikeyan@hasura.io> Co-authored-by: Marion Schleifer <marion@hasura.io>
2020-08-31 19:40:01 +03:00
sessionVariables = mkSessionVariablesHeaders rawHeaders
initial support for livequeries (#176) fix #59
2018-07-20 10:22:46 +03:00
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
checkingSecretIfSent
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
:: AdminSecretHash -> m (UserInfo, Maybe UTCTime) -> m (UserInfo, Maybe UTCTime)
Refactor and unit test authentication code paths (closes #4736) The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
2020-05-28 19:18:26 +03:00
checkingSecretIfSent realAdminSecretHash actionIfNoAdminSecret = do
fix a security issue with 1.2
2020-05-05 22:57:17 +03:00
let maybeRequestAdminSecret =
foldl1 (<|>) $ map (`getSessionVariableValue` sessionVariables)
[adminSecretHeader, deprecatedAccessKeyHeader]
-- when admin secret is absent, run the action to retrieve UserInfo
case maybeRequestAdminSecret of
Nothing -> actionIfNoAdminSecret
Just requestAdminSecret -> do
Tighten up handling of admin secret, more docs Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing #4736
2020-05-19 17:48:49 +03:00
when (hashAdminSecret requestAdminSecret /= realAdminSecretHash) $ throw401 $
fix a security issue with 1.2
2020-05-05 22:57:17 +03:00
"invalid " <> adminSecretHeader <> "/" <> deprecatedAccessKeyHeader
withNoExpTime $ mkUserInfoFallbackAdminRole UAdminSecretSent
close websocket connection on JWT expiry (fix #578) (#2156)
2019-05-14 09:24:46 +03:00
withNoExpTime a = (, Nothing) <$> a
Reference in New Issue Copy Permalink