graphql-engine/server/src-lib/Hasura/RQL/DDL/Network.hs

module Hasura.RQL.DDL.Network
  ( checkForHostnameInAllowlistObject,
    dropHostFromAllowList,
    runAddHostToTLSAllowlist,
    runDropHostFromTLSAllowlist,
  )
where

import Data.Text (pack)
import Data.Text.Extended
import Hasura.Base.Error
import Hasura.EncJSON
import Hasura.Metadata.Class ()
import Hasura.Prelude
import Hasura.RQL.Types.Common
import Hasura.RQL.Types.Metadata
import Hasura.RQL.Types.Network
import Hasura.RQL.Types.SchemaCache.Build

runAddHostToTLSAllowlist ::
  (QErrM m, CacheRWM m, MetadataM m) =>
  TlsAllow ->
  m EncJSON
runAddHostToTLSAllowlist tlsAllowListEntry@TlsAllow {..} = do
  networkMetadata <- _metaNetwork <$> getMetadata

  when (null taHost) $ do
    throw400 BadRequest $ "key \"host\" cannot be empty"

  when (checkForHostInTLSAllowlist taHost (tlsList networkMetadata)) $ do
    throw400 AlreadyExists $
      "the host " <> dquote (pack taHost) <> " already exists in the allowlist"

  withNewInconsistentObjsCheck $
    buildSchemaCache $
      addHostToTLSAllowList tlsAllowListEntry

  pure successMsg
  where
    tlsList nm = networkTlsAllowlist nm

runDropHostFromTLSAllowlist ::
  (QErrM m, CacheRWM m, MetadataM m) =>
  DropHostFromTLSAllowlist ->
  m EncJSON
runDropHostFromTLSAllowlist (DropHostFromTLSAllowlist hostname) = do
  networkMetadata <- _metaNetwork <$> getMetadata

  when (null hostname) $ do
    throw400 BadRequest $ "hostname cannot be empty"

  unless (checkForHostInTLSAllowlist hostname (networkTlsAllowlist networkMetadata)) $ do
    throw400 NotExists $
      "the host " <> dquote (pack hostname) <> " isn't present in the allowlist"

  withNewInconsistentObjsCheck $
    buildSchemaCache $
      dropHostFromAllowList hostname

  pure successMsg

addHostToTLSAllowList :: TlsAllow -> MetadataModifier
addHostToTLSAllowList tlsaObj = MetadataModifier $ \m ->
  m {_metaNetwork = Network $ (tlsList m) ++ [tlsaObj]}
  where
    tlsList md = networkTlsAllowlist (_metaNetwork md)

dropHostFromAllowList :: String -> MetadataModifier
dropHostFromAllowList host = MetadataModifier $ \m ->
  m {_metaNetwork = Network $ filteredList m}
  where
    tlsList md = networkTlsAllowlist (_metaNetwork md)

    filteredList md = filter (not . checkForHostnameInAllowlistObject host) (tlsList md)

checkForHostnameInAllowlistObject :: String -> TlsAllow -> Bool
checkForHostnameInAllowlistObject host tlsa = host == (taHost tlsa)

checkForHostInTLSAllowlist :: String -> [TlsAllow] -> Bool
checkForHostInTLSAllowlist host tlsAllowList =
  any (checkForHostnameInAllowlistObject host) tlsAllowList
server: add explicit export lists in OSS server and enforce with warning We'll see if this improves compile times at all, but I think it's worth doing as at least the most minimal form of module documentation. This was accomplished by first compiling everything with -ddump-minimal-imports, and then a bunch of scripting (with help from ormolu) EDIT it doesn't seem to improve CI compile times but the noise floor is high as it looks like we're not caching library dependencies anymore PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2730 GitOrigin-RevId: 667eb8de1e0f1af70420cbec90402922b8b84cb4 2021-11-04 19:08:33 +03:00			`module Hasura.RQL.DDL.Network`
			`( checkForHostnameInAllowlistObject,`
			`dropHostFromAllowList,`
			`runAddHostToTLSAllowlist,`
			`runDropHostFromTLSAllowlist,`
			`)`
			`where`
server: Adding support for TLS allowlist by domain and service id (port) https://github.com/hasura/graphql-engine-mono/pull/2153 Co-authored-by: Sameer Kolhar <6604943+kolharsam@users.noreply.github.com> GitOrigin-RevId: 473a29af97236fc879ae178b0c2a6c31c1f12563 2021-08-24 10:36:32 +03:00
			`import Data.Text (pack)`
			`import Data.Text.Extended`
			`import Hasura.Base.Error`
			`import Hasura.EncJSON`
			`import Hasura.Metadata.Class ()`
			`import Hasura.Prelude`
Remove `RQL/Types.hs` ## Description This PR removes `RQL.Types`, which was now only re-exporting a bunch of unrelated modules. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4363 GitOrigin-RevId: 894f29a19bff70b3dad8abc5d9858434d5065417 2022-04-27 16:57:28 +03:00			`import Hasura.RQL.Types.Common`
			`import Hasura.RQL.Types.Metadata`
			`import Hasura.RQL.Types.Network`
			`import Hasura.RQL.Types.SchemaCache.Build`
server, pro: actually reformat the code-base using ormolu This commit applies ormolu to the whole Haskell code base by running `make format`. For in-flight branches, simply merging changes from `main` will result in merge conflicts. To avoid this, update your branch using the following instructions. Replace `<format-commit>` by the hash of this commit. $ git checkout my-feature-branch $ git merge <format-commit>^ # and resolve conflicts normally $ make format $ git commit -a -m "reformat with ormolu" $ git merge -s ours post-ormolu https://github.com/hasura/graphql-engine-mono/pull/2404 GitOrigin-RevId: 75049f5c12f430c615eafb4c6b8e83e371e01c8e 2021-09-24 01:56:37 +03:00
server: Adding support for TLS allowlist by domain and service id (port) https://github.com/hasura/graphql-engine-mono/pull/2153 Co-authored-by: Sameer Kolhar <6604943+kolharsam@users.noreply.github.com> GitOrigin-RevId: 473a29af97236fc879ae178b0c2a6c31c1f12563 2021-08-24 10:36:32 +03:00			`runAddHostToTLSAllowlist ::`
			`(QErrM m, CacheRWM m, MetadataM m) =>`
			`TlsAllow ->`
			`m EncJSON`
			`runAddHostToTLSAllowlist tlsAllowListEntry@TlsAllow {..} = do`
			`networkMetadata <- _metaNetwork <$> getMetadata`

			`when (null taHost) $ do`
			`throw400 BadRequest $ "key \"host\" cannot be empty"`

			`when (checkForHostInTLSAllowlist taHost (tlsList networkMetadata)) $ do`
			`throw400 AlreadyExists $`
			`"the host " <> dquote (pack taHost) <> " already exists in the allowlist"`

			`withNewInconsistentObjsCheck $`
server: Simplify `BuildOutputs` A bunch of configurations are retrieved from the Metadata, then stored in the `BuildOutputs` structure, only to then be forwarded to the `SchemaCache`, with extremely little processing in between. So this simplifies the build pipeline for some parts of the metadata: just construct those things from `Metadata` directly, and store them in the `SchemaCache` without any intermediate container. Why did we have the detour via `BuildOutputs` in the first place? Parts of the Metadata (codified by `MetadataObjId`) can generate _metadata inconsistencies_ and/or _schema dependencies_, which are related. - Metadata inconsistencies are warnings that we show to the user, indicating that there's something wrong with their configuration, and they have to fix it. - Schema dependencies are an internal mechanism that allow us to build a consistent view of the world. For instance, if we have a relationship from DB tables `books` to `authors`, but the `authors` table is inconsistent (e.g. it doesn't exist in the DB), then we have schema dependencies indicating that. The job of `resolveDependencies` is to then drop the relationship, so that we can at least generate a legal GraphQL schema for `books`. If we never generate a schema dependency for a certain fragment of Metadata, then there is no reason to call `resolveDependencies` on it, and so there is no reason to store it in `BuildOutputs`. --- The starting point that allows this refactor is to apply Metadata defaults before it reaches `buildAndCollectInfo`, so that metadata-with-defaults can be used elsewhere. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6609 GitOrigin-RevId: df0c4a7ff9451e10e02a40bf26304b26584ba483 2022-11-15 15:02:55 +03:00			`buildSchemaCache $`
server: Adding support for TLS allowlist by domain and service id (port) https://github.com/hasura/graphql-engine-mono/pull/2153 Co-authored-by: Sameer Kolhar <6604943+kolharsam@users.noreply.github.com> GitOrigin-RevId: 473a29af97236fc879ae178b0c2a6c31c1f12563 2021-08-24 10:36:32 +03:00			`addHostToTLSAllowList tlsAllowListEntry`

			`pure successMsg`
			`where`
			`tlsList nm = networkTlsAllowlist nm`

			`runDropHostFromTLSAllowlist ::`
			`(QErrM m, CacheRWM m, MetadataM m) =>`
			`DropHostFromTLSAllowlist ->`
			`m EncJSON`
			`runDropHostFromTLSAllowlist (DropHostFromTLSAllowlist hostname) = do`
			`networkMetadata <- _metaNetwork <$> getMetadata`

			`when (null hostname) $ do`
			`throw400 BadRequest $ "hostname cannot be empty"`

			`unless (checkForHostInTLSAllowlist hostname (networkTlsAllowlist networkMetadata)) $ do`
			`throw400 NotExists $`
			`"the host " <> dquote (pack hostname) <> " isn't present in the allowlist"`

			`withNewInconsistentObjsCheck $`
			`buildSchemaCache $`
			`dropHostFromAllowList hostname`

			`pure successMsg`

			`addHostToTLSAllowList :: TlsAllow -> MetadataModifier`
			`addHostToTLSAllowList tlsaObj = MetadataModifier $ \m ->`
			`m {_metaNetwork = Network $ (tlsList m) ++ [tlsaObj]}`
			`where`
			`tlsList md = networkTlsAllowlist (_metaNetwork md)`

			`dropHostFromAllowList :: String -> MetadataModifier`
			`dropHostFromAllowList host = MetadataModifier $ \m ->`
			`m {_metaNetwork = Network $ filteredList m}`
			`where`
			`tlsList md = networkTlsAllowlist (_metaNetwork md)`

			`filteredList md = filter (not . checkForHostnameInAllowlistObject host) (tlsList md)`

			`checkForHostnameInAllowlistObject :: String -> TlsAllow -> Bool`
			`checkForHostnameInAllowlistObject host tlsa = host == (taHost tlsa)`

			`checkForHostInTLSAllowlist :: String -> [TlsAllow] -> Bool`
			`checkForHostInTLSAllowlist host tlsAllowList =`
			`any (checkForHostnameInAllowlistObject host) tlsAllowList`