add support for jwt authorization (close #186) (#255)
The API:
1. HGE has a `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, the value of which is JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. In case of a symmetric key, the key as it is.
ii. In case of asymmetric keys, only the public key, as a PEM-encoded string or as an X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overridden by the `x-hasura-role` header.
4. The claims in the JWT token can have other `x-hasura-*` fields, whose values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or an RSA key pair.
2. Go to https://jwt.io/ and add the keys.
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with the `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
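The token handling this module implements (signature and `exp` checks, the namespaced `x-hasura-*` claims, the `x-hasura-role` header override limited to `x-hasura-allowed-roles`, and the stringified-JSON claims format), as an added Python example that is not part of the Hasura code base. It mints and verifies an HS256 token with the standard library only, so it also stands in for the jwt.io step of the test recipe above; the secret, claim values and the `rejects` helper are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Claim names and default namespace, as defined in the module above.
DEFAULT_CLAIM_NS = "https://hasura.io/jwt/claims"
ALLOWED_ROLES_CLAIM = "x-hasura-allowed-roles"
DEFAULT_ROLE_CLAIM = "x-hasura-default-role"
ROLE_HEADER = "x-hasura-role"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(secret: bytes, claims: dict) -> str:
    """Build a compact HS256 JWT over `claims` (the jwt.io step of the test recipe, offline)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(secret: bytes, token: str, now=None) -> dict:
    """Check alg, signature and exp; return the payload claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    # The configured `type` pins the algorithm; the token's own `alg` is never trusted.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    exp = claims.get("exp")
    if exp is not None and (time.time() if now is None else now) >= exp:
        raise ValueError("token expired")
    return claims

def hasura_claims(claims: dict, claim_ns: str = DEFAULT_CLAIM_NS, stringified: bool = False) -> dict:
    """Look up the namespace key (the `ClaimNs` case); `stringified` mirrors JCFStringifiedJson."""
    ns = claims.get(claim_ns)
    if ns is None:
        raise ValueError(f"claims key {claim_ns!r} not found")
    if stringified:
        ns = json.loads(ns)
    if not isinstance(ns, dict):
        raise ValueError("hasura claims must be a JSON object")
    return ns

def resolve_user(ns: dict, headers: dict) -> dict:
    """Pick the effective role and session variables from the namespaced claims."""
    allowed = ns.get(ALLOWED_ROLES_CLAIM)
    default = ns.get(DEFAULT_ROLE_CLAIM)
    if not isinstance(allowed, list) or not all(isinstance(r, str) for r in allowed):
        raise ValueError(f"{ALLOWED_ROLES_CLAIM} must be a list of strings")
    if not isinstance(default, str):
        raise ValueError(f"{DEFAULT_ROLE_CLAIM} must be a string")
    # The x-hasura-role header overrides the default role, but only to a role the token allows.
    requested = next((v for k, v in headers.items() if k.lower() == ROLE_HEADER), default)
    if requested not in allowed:
        raise ValueError(f"role {requested!r} is not in {ALLOWED_ROLES_CLAIM}")
    session = {ROLE_HEADER: requested}
    for key, value in ns.items():
        if key in (ALLOWED_ROLES_CLAIM, DEFAULT_ROLE_CLAIM):
            continue
        if key.lower().startswith("x-hasura-"):
            if not isinstance(value, str):  # other x-hasura-* values may only be strings
                raise ValueError(f"{key} must be a string")
            session[key.lower()] = value
    return {"role": requested, "session_variables": session}

def authenticate(secret: bytes, request_headers: dict, claim_ns=DEFAULT_CLAIM_NS,
                 stringified=False, now=None) -> dict:
    """processJwt in miniature: `Authorization: Bearer <token>` plus headers -> user info."""
    authz = next((v for k, v in request_headers.items() if k.lower() == "authorization"), None)
    if authz is None:
        raise ValueError("Missing Authorization header in JWT authentication mode")
    scheme, _, token = authz.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("Authorization header must be 'Bearer <token>'")
    claims = verify_hs256(secret, token.strip(), now)
    return resolve_user(hasura_claims(claims, claim_ns, stringified), request_headers)

def rejects(fn, *args, **kwargs) -> bool:
    """True if `fn` raises ValueError; used to exercise the rejection paths."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```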
module Hasura.Server.Auth.JWT
  ( processJwt
  , RawJWT
  , JWTConfig (..)
  , JWTCtx (..)
  , Jose.JWKSet (..)
  , JWTClaimsFormat (..)
  , JwkFetchError (..)
  , JWTConfigClaims (..)
  , updateJwkRef
  , jwkRefreshCtrl
  , defaultClaimNs
  ) where

import           Control.Exception               (try)
import           Control.Lens
import           Control.Monad.Trans.Maybe
import           Data.IORef                      (IORef, readIORef, writeIORef)
import           Data.Time.Clock                 (NominalDiffTime, UTCTime, diffUTCTime,
                                                  getCurrentTime)
import           GHC.AssertNF
import           Network.URI                     (URI)

import           Data.Aeson.Internal             (JSONPath)
import           Data.Parser.CacheControl
import           Data.Parser.Expires
import           Hasura.HTTP
import           Hasura.Logging                  (Hasura, LogLevel (..), Logger (..))
import           Hasura.Prelude
import           Hasura.RQL.Types
import           Hasura.Server.Auth.JWT.Internal (parseHmacKey, parseRsaKey)
import           Hasura.Server.Auth.JWT.Logging
import           Hasura.Server.Utils             (executeJSONPath, getRequestHeader,
                                                  isSessionVariable, userRoleHeader)
import           Hasura.Server.Version           (HasVersion)
import           Hasura.Session

import qualified Control.Concurrent.Extended     as C
import qualified Crypto.JWT                      as Jose
import qualified Data.Aeson                      as J
import qualified Data.Aeson.Casing               as J
import qualified Data.Aeson.Internal             as J
import qualified Data.Aeson.TH                   as J
import qualified Data.ByteString.Lazy            as BL
import qualified Data.ByteString.Lazy.Char8      as BLC
import qualified Data.CaseInsensitive            as CI
import qualified Data.HashMap.Strict             as Map
import qualified Data.Parser.JSONPath            as JSONPath
import qualified Data.Text                       as T
import qualified Data.Text.Encoding              as T
import qualified Network.HTTP.Client             as HTTP
import qualified Network.HTTP.Types              as HTTP
import qualified Network.Wreq                    as Wreq


newtype RawJWT = RawJWT BL.ByteString

data JWTClaimsFormat
  = JCFJson
  | JCFStringifiedJson
  deriving (Show, Eq)

$(J.deriveJSON J.defaultOptions { J.sumEncoding = J.ObjectWithSingleField
                                , J.constructorTagModifier = J.snakeCase . drop 3 } ''JWTClaimsFormat)

data JWTConfigClaims
  = ClaimNsPath JSONPath
  | ClaimNs T.Text
  deriving (Show, Eq)

instance J.ToJSON JWTConfigClaims where
  toJSON (ClaimNsPath nsPath) = J.String . T.pack $ encodeJSONPath nsPath
  toJSON (ClaimNs ns)         = J.String ns

data JWTConfig
  = JWTConfig
  { jcKeyOrUrl     :: !(Either Jose.JWK URI)
  , jcClaimNs      :: !JWTConfigClaims
  , jcAudience     :: !(Maybe Jose.Audience)
  , jcClaimsFormat :: !(Maybe JWTClaimsFormat)
  , jcIssuer       :: !(Maybe Jose.StringOrURI)
  } deriving (Show, Eq)

data JWTCtx
  = JWTCtx
  { jcxKey          :: !(IORef Jose.JWKSet)
  , jcxClaimNs      :: !JWTConfigClaims
  , jcxAudience     :: !(Maybe Jose.Audience)
  , jcxClaimsFormat :: !JWTClaimsFormat
  , jcxIssuer       :: !(Maybe Jose.StringOrURI)
  } deriving (Eq)

instance Show JWTCtx where
  show (JWTCtx _ nsM audM cf iss) =
    show ["<IORef JWKSet>", show nsM, show audM, show cf, show iss]

data HasuraClaims
  = HasuraClaims
  { _cmAllowedRoles :: ![RoleName]
  , _cmDefaultRole  :: !RoleName
  } deriving (Show, Eq)
$(J.deriveJSON (J.aesonDrop 3 J.snakeCase) ''HasuraClaims)

allowedRolesClaim :: T.Text
allowedRolesClaim = "x-hasura-allowed-roles"

defaultRoleClaim :: T.Text
defaultRoleClaim = "x-hasura-default-role"

defaultClaimNs :: T.Text
defaultClaimNs = "https://hasura.io/jwt/claims"


-- | An action that refreshes the JWK at intervals in an infinite loop.
jwkRefreshCtrl
  :: HasVersion
  => Logger Hasura
  -> HTTP.Manager
  -> URI
  -> IORef Jose.JWKSet
  -> DiffTime
  -> IO void
jwkRefreshCtrl logger manager url ref time = liftIO $ do
  C.sleep time
  forever $ do
    res <- runExceptT $ updateJwkRef logger manager url ref
    mTime <- either (const $ logNotice >> return Nothing) return res
    -- if can't parse time from header, defaults to 1 min
    let delay = maybe (minutes 1) (convertDuration) mTime
    C.sleep delay
  where
    logNotice = do
      let err = JwkRefreshLog LevelInfo (Just "retrying again in 60 secs") Nothing
      liftIO $ unLogger logger err


-- | Given a JWK url, fetch JWK from it and update the IORef
updateJwkRef
  :: ( HasVersion
     , MonadIO m
     , MonadError JwkFetchError m
     )
  => Logger Hasura
  -> HTTP.Manager
  -> URI
  -> IORef Jose.JWKSet
  -> m (Maybe NominalDiffTime)
updateJwkRef (Logger logger) manager url jwkRef = do
  let options = wreqOptions manager []
      urlT = T.pack $ show url
      infoMsg = "refreshing JWK from endpoint: " <> urlT
  liftIO $ logger $ JwkRefreshLog LevelInfo (Just infoMsg) Nothing
  res <- liftIO $ try $ Wreq.getWith options $ show url
  resp <- either logAndThrowHttp return res
  let status = resp ^. Wreq.responseStatus
      respBody = resp ^. Wreq.responseBody
      statusCode = status ^. Wreq.statusCode

  unless (statusCode >= 200 && statusCode < 300) $ do
    let errMsg = "Non-2xx response on fetching JWK from: " <> urlT
        err = JFEHttpError url status respBody errMsg
    logAndThrow err

  let parseErr e = JFEJwkParseError (T.pack e) $ "Error parsing JWK from url: " <> urlT
  !jwkset <- either (logAndThrow . parseErr) return $ J.eitherDecode' respBody
  liftIO $ do
    $assertNFHere jwkset -- so we don't write thunks to mutable vars
    writeIORef jwkRef jwkset

  -- first check for Cache-Control header to get max-age, if not found, look for Expires header
  runMaybeT $ timeFromCacheControl resp <|> timeFromExpires resp

  where
    parseCacheControlErr e =
      JFEExpiryParseError (Just e)
      "Failed parsing Cache-Control header from JWK response. Could not find max-age or s-maxage"
    parseTimeErr =
      JFEExpiryParseError Nothing
      "Failed parsing Expires header from JWK response. Value of header is not a valid timestamp"

    timeFromCacheControl resp = do
      header <- afold $ bsToTxt <$> resp ^? Wreq.responseHeader "Cache-Control"
      fromInteger <$> parseMaxAge header `onLeft` \err -> logAndThrowInfo $ parseCacheControlErr $ T.pack err
    timeFromExpires resp = do
      header <- afold $ bsToTxt <$> resp ^? Wreq.responseHeader "Expires"
      expiry <- parseExpirationTime header `onLeft` const (logAndThrowInfo parseTimeErr)
      diffUTCTime expiry <$> liftIO getCurrentTime

    logAndThrowInfo :: (MonadIO m, MonadError JwkFetchError m) => JwkFetchError -> m a
    logAndThrowInfo err = do
      liftIO $ logger $ JwkRefreshLog LevelInfo Nothing (Just err)
      throwError err

    logAndThrow :: (MonadIO m, MonadError JwkFetchError m) => JwkFetchError -> m a
    logAndThrow err = do
      liftIO $ logger $ JwkRefreshLog (LevelOther "critical") Nothing (Just err)
      throwError err

    logAndThrowHttp :: (MonadIO m, MonadError JwkFetchError m) => HTTP.HttpException -> m a
    logAndThrowHttp httpEx = do
      let errMsg = "Error fetching JWK: " <> T.pack (getHttpExceptionMsg httpEx)
          err = JFEHttpException (HttpException httpEx) errMsg
      logAndThrow err

    getHttpExceptionMsg = \case
      HTTP.HttpExceptionRequest _ reason -> show reason
      HTTP.InvalidUrlException _ reason -> show reason

-- | Process the request headers to verify the JWT and extract UserInfo from it
processJwt
  :: ( MonadIO m
     , MonadError QErr m)
  => JWTCtx
  -> HTTP.RequestHeaders
  -> Maybe RoleName
  -> m (UserInfo, Maybe UTCTime)
processJwt jwtCtx headers mUnAuthRole =
  maybe withoutAuthZHeader withAuthZHeader mAuthZHeader
  where
    mAuthZHeader = find (\h -> fst h == CI.mk "Authorization") headers

    withAuthZHeader (_, authzHeader) =
      processAuthZHeader jwtCtx headers $ BL.fromStrict authzHeader

    withoutAuthZHeader = do
      unAuthRole <- maybe missingAuthzHeader return mUnAuthRole
      userInfo <- mkUserInfo UAdminSecretNotSent (mkSessionVariables headers) $ Just unAuthRole
      pure (userInfo, Nothing)

    missingAuthzHeader =
      throw400 InvalidHeaders "Missing Authorization header in JWT authentication mode"

processAuthZHeader
  :: ( MonadIO m
     , MonadError QErr m)
  => JWTCtx
  -> HTTP.RequestHeaders
  -> BLC.ByteString
  -> m (UserInfo, Maybe UTCTime)
processAuthZHeader jwtCtx headers authzHeader = do
  -- try to parse JWT token from Authorization header
  jwt <- parseAuthzHeader

  -- verify the JWT
  claims <- liftJWTError invalidJWTError $ verifyJwt jwtCtx $ RawJWT jwt
|
2020-04-16 09:45:21 +03:00
|
|
|
let claimsFmt = jcxClaimsFormat jwtCtx
|
2019-07-11 12:58:39 +03:00
|
|
|
expTimeM = fmap (\(Jose.NumericDate t) -> t) $ claims ^. Jose.claimExp
|
2018-09-07 09:00:50 +03:00
|
|
|
|
2020-04-16 09:45:21 +03:00
|
|
|
-- see if the hasura claims key exists in the claims map
|
|
|
|
let mHasuraClaims =
|
|
|
|
case jcxClaimNs jwtCtx of
|
|
|
|
ClaimNs k -> Map.lookup k $ claims ^. Jose.unregisteredClaims
|
|
|
|
ClaimNsPath path -> parseIValueJsonValue $ executeJSONPath path (J.toJSON $ claims ^. Jose.unregisteredClaims)
|
|
|
|
|
2018-09-07 09:00:50 +03:00
|
|
|
hasuraClaimsV <- maybe claimsNotFound return mHasuraClaims
|
2019-02-05 15:04:16 +03:00
|
|
|
|
|
|
|
-- get hasura claims value as an object. parse from string possibly
|
|
|
|
hasuraClaims <- parseObjectFromString claimsFmt hasuraClaimsV
|
2018-09-07 09:00:50 +03:00
|
|
|
|
2018-09-13 16:04:50 +03:00
|
|
|
-- filter only x-hasura claims and convert to lower-case
|
2020-04-24 12:10:53 +03:00
|
|
|
let claimsMap = Map.filterWithKey (\k _ -> isSessionVariable k)
|
2018-10-25 21:16:25 +03:00
|
|
|
$ Map.fromList $ map (first T.toLower)
|
2018-09-13 16:04:50 +03:00
|
|
|
$ Map.toList hasuraClaims
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
|
|
|
|
HasuraClaims allowedRoles defaultRole <- parseHasuraClaims claimsMap
|
2020-04-24 12:10:53 +03:00
|
|
|
let roleName = getCurrentRole defaultRole
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
|
2020-04-24 12:10:53 +03:00
|
|
|
when (roleName `notElem` allowedRoles) currRoleNotAllowed
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
let finalClaims =
|
|
|
|
Map.delete defaultRoleClaim . Map.delete allowedRolesClaim $ claimsMap
|
|
|
|
|
|
|
|
-- transform the map of text:aeson-value -> text:text
|
2020-02-05 10:07:31 +03:00
|
|
|
metadata <- decodeJSON $ J.Object finalClaims
|
2020-04-24 12:10:53 +03:00
|
|
|
userInfo <- mkUserInfo UAdminSecretNotSent
|
|
|
|
(mkSessionVariablesText $ Map.toList metadata) $ Just roleName
|
|
|
|
pure (userInfo, expTimeM)
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
where
|
|
|
|
parseAuthzHeader = do
|
2018-10-25 21:16:25 +03:00
|
|
|
let tokenParts = BLC.words authzHeader
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
case tokenParts of
|
|
|
|
["Bearer", jwt] -> return jwt
|
|
|
|
_ -> malformedAuthzHeader
|
|
|
|
|
2019-02-05 15:04:16 +03:00
|
|
|
parseObjectFromString claimsFmt jVal =
|
|
|
|
case (claimsFmt, jVal) of
|
2020-02-05 10:07:31 +03:00
|
|
|
(JCFStringifiedJson, J.String v) ->
|
2019-02-05 15:04:16 +03:00
|
|
|
either (const $ claimsErr $ strngfyErr v) return
|
2020-02-05 10:07:31 +03:00
|
|
|
$ J.eitherDecodeStrict $ T.encodeUtf8 v
|
2019-02-05 15:04:16 +03:00
|
|
|
(JCFStringifiedJson, _) ->
|
|
|
|
claimsErr "expecting a string when claims_format is stringified_json"
|
2020-02-05 10:07:31 +03:00
|
|
|
(JCFJson, J.Object o) -> return o
|
2019-02-05 15:04:16 +03:00
|
|
|
(JCFJson, _) ->
|
|
|
|
claimsErr "expecting a json object when claims_format is json"
|
|
|
|
|
2020-04-16 09:45:21 +03:00
|
|
|
strngfyErr v =
|
|
|
|
"expecting stringified json at: '"
|
|
|
|
<> claimsLocation
|
|
|
|
<> "', but found: " <> v
|
|
|
|
where
|
|
|
|
claimsLocation :: Text
|
|
|
|
claimsLocation =
|
|
|
|
case jcxClaimNs jwtCtx of
|
|
|
|
ClaimNsPath path -> T.pack $ "claims_namespace_path " <> encodeJSONPath path
|
2020-04-24 12:10:53 +03:00
|
|
|
ClaimNs ns -> "claims_namespace " <> ns
|
2019-02-05 15:04:16 +03:00
|
|
|
|
|
|
|
claimsErr = throw400 JWTInvalidClaims
|
2018-09-07 09:00:50 +03:00
|
|
|
|
2020-04-16 09:45:21 +03:00
|
|
|
parseIValueJsonValue (J.IError _ _) = Nothing
|
|
|
|
parseIValueJsonValue (J.ISuccess v) = Just v
|
|
|
|
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
-- see if there is a x-hasura-role header, or else pick the default role
|
|
|
|
getCurrentRole defaultRole =
|
2020-03-20 09:46:45 +03:00
|
|
|
let mUserRole = getRequestHeader userRoleHeader headers
|
2020-04-24 12:10:53 +03:00
|
|
|
in fromMaybe defaultRole $ mUserRole >>= mkRoleName . bsToTxt
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
|
2020-02-05 10:07:31 +03:00
|
|
|
decodeJSON val = case J.fromJSON val of
|
|
|
|
J.Error e -> throw400 JWTInvalidClaims ("x-hasura-* claims: " <> T.pack e)
|
|
|
|
J.Success a -> return a
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
|
|
|
|
liftJWTError :: (MonadError e' m) => (e -> e') -> ExceptT e m a -> m a
|
|
|
|
liftJWTError ef action = do
|
|
|
|
res <- runExceptT action
|
|
|
|
either (throwError . ef) return res
|
|
|
|
|
|
|
|
invalidJWTError e =
|
|
|
|
err400 JWTInvalid $ "Could not verify JWT: " <> T.pack (show e)
|
|
|
|
|
|
|
|
malformedAuthzHeader =
|
|
|
|
throw400 InvalidHeaders "Malformed Authorization header"
|
|
|
|
currRoleNotAllowed =
|
|
|
|
throw400 AccessDenied "Your current role is not in allowed roles"
|
2018-09-07 09:00:50 +03:00
|
|
|
claimsNotFound = do
|
2020-04-16 09:45:21 +03:00
|
|
|
let claimsNsError = case jcxClaimNs jwtCtx of
|
2020-04-24 12:10:53 +03:00
|
|
|
ClaimNsPath path -> T.pack $ "claims not found at claims_namespace_path: '"
|
|
|
|
<> encodeJSONPath path <> "'"
|
2020-04-16 09:45:21 +03:00
|
|
|
ClaimNs ns -> "claims key: '" <> ns <> "' not found"
|
2020-04-24 12:10:53 +03:00
|
|
|
throw400 JWTInvalidClaims claimsNsError
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
|
|
|
|
|
|
|
|
-- parse x-hasura-allowed-roles, x-hasura-default-role from JWT claims
|
|
|
|
parseHasuraClaims
|
|
|
|
:: (MonadError QErr m)
|
2020-02-05 10:07:31 +03:00
|
|
|
=> J.Object -> m HasuraClaims
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
parseHasuraClaims claimsMap = do
|
|
|
|
let mAllowedRolesV = Map.lookup allowedRolesClaim claimsMap
|
|
|
|
allowedRolesV <- maybe missingAllowedRolesClaim return mAllowedRolesV
|
2020-02-05 10:07:31 +03:00
|
|
|
allowedRoles <- parseJwtClaim (J.fromJSON allowedRolesV) errMsg
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
|
|
|
|
let mDefaultRoleV = Map.lookup defaultRoleClaim claimsMap
|
|
|
|
defaultRoleV <- maybe missingDefaultRoleClaim return mDefaultRoleV
|
2020-02-05 10:07:31 +03:00
|
|
|
defaultRole <- parseJwtClaim (J.fromJSON defaultRoleV) errMsg
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
|
|
|
|
return $ HasuraClaims allowedRoles defaultRole
|
|
|
|
|
|
|
|
where
|
|
|
|
missingAllowedRolesClaim =
|
|
|
|
let msg = "JWT claim does not contain " <> allowedRolesClaim
|
|
|
|
in throw400 JWTRoleClaimMissing msg
|
|
|
|
|
|
|
|
missingDefaultRoleClaim =
|
|
|
|
let msg = "JWT claim does not contain " <> defaultRoleClaim
|
|
|
|
in throw400 JWTRoleClaimMissing msg
|
|
|
|
|
|
|
|
errMsg _ = "invalid " <> allowedRolesClaim <> "; should be a list of roles"
|
|
|
|
|
2020-02-05 10:07:31 +03:00
|
|
|
parseJwtClaim :: (MonadError QErr m) => J.Result a -> (String -> Text) -> m a
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
parseJwtClaim res errFn =
|
|
|
|
case res of
|
2020-02-05 10:07:31 +03:00
|
|
|
J.Success val -> return val
|
|
|
|
J.Error e -> throw400 JWTInvalidClaims $ errFn e
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
|
|
|
|
|
|
|
|
-- | Verify the JWT against given JWK
|
|
|
|
verifyJwt
|
2019-07-11 12:58:39 +03:00
|
|
|
  :: ( MonadError Jose.JWTError m
     , MonadIO m
     )
  => JWTCtx
  -> RawJWT
  -> m Jose.ClaimsSet
verifyJwt ctx (RawJWT rawJWT) = do
  key <- liftIO $ readIORef $ jcxKey ctx
  jwt <- Jose.decodeCompact rawJWT
  t <- liftIO getCurrentTime
  Jose.verifyClaimsAt config key t jwt
  where
    config = case jcxIssuer ctx of
      Nothing  -> Jose.defaultJWTValidationSettings audCheck
      Just iss -> Jose.defaultJWTValidationSettings audCheck
                  & set Jose.issuerPredicate (== iss)
    audCheck audience =
      -- don't perform the check if there are no audiences in the conf
      case jcxAudience ctx of
        Nothing                        -> True
        Just (Jose.Audience audiences) -> audience `elem` audiences

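What verifyJwt enforces, as an added example in Python rather than the module's Haskell (this is not Hasura's code and does not use the jose library): the signature is checked with the key and algorithm taken from the configuration, never from the token header; exp and nbf are checked against an explicitly supplied clock; the issuer predicate is only installed when an issuer is configured; and the audience is only checked when audiences are configured, exactly as audCheck does. Only the HS* types are modelled. The secret, the claims and the claims namespace key are constructed sample data, and treating a token with no aud claim as failing a configured audience check is an assumption of this model, not something the page states.

```python
import base64
import hashlib
import hmac
import json

# HMAC algorithms keyed by the configured "type" (the HS* cases in parseKey).
HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

class JWTError(Exception):
    """Any reason the token must be rejected (stands in for Jose.JWTError)."""

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def sign_hs(claims, alg, key, header_alg=None):
    """Mint a compact JWS for the sample vectors. header_alg lets a test forge a
    header whose alg disagrees with the key and algorithm actually used."""
    header = {"alg": header_alg or alg, "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), HS_ALGS[alg]).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify_jwt(ctx, raw_jwt, now):
    """ctx mirrors the fields of JWTCtx that verifyJwt reads:
    {"type": "HS256", "key": bytes, "issuer": str|None, "audience": list|None}.
    Returns the verified claims or raises JWTError."""
    try:
        h, p, s = raw_jwt.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise JWTError("malformed compact JWS") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise JWTError("header and claims must be JSON objects")

    # The algorithm is taken from the configuration, never from the token header:
    # "alg": "none" or a different HS* variant is rejected before any crypto runs.
    alg = ctx["type"]
    if header.get("alg") != alg:
        raise JWTError(f"alg {header.get('alg')!r} does not match configured {alg}")
    expected = hmac.new(ctx["key"], f"{h}.{p}".encode("ascii"), HS_ALGS[alg]).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise JWTError("signature verification failed")

    # Time claims, checked against an explicit clock like verifyClaimsAt.
    if "exp" in claims and now >= claims["exp"]:
        raise JWTError("token has expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise JWTError("token not yet valid")

    # issuerPredicate (== iss) is only installed when an issuer is configured.
    if ctx.get("issuer") is not None and claims.get("iss") != ctx["issuer"]:
        raise JWTError("issuer mismatch")

    # audCheck: skipped when no audience is configured; otherwise some token
    # audience must be in the configured list. A token with no aud claim is
    # treated as not matching (an assumption, chosen conservatively).
    if ctx.get("audience") is not None:
        aud = claims.get("aud")
        token_auds = [aud] if isinstance(aud, str) else (aud or [])
        if not any(a in ctx["audience"] for a in token_auds):
            raise JWTError("audience mismatch")
    return claims

def check(ctx, raw_jwt, now):
    """Non-raising wrapper: (True, claims) or (False, reason)."""
    try:
        return True, verify_jwt(ctx, raw_jwt, now)
    except JWTError as exc:
        return False, str(exc)

# Constructed sample data, not real credentials.
NOW = 1_700_000_000
SECRET = b"mylongsharedsecret-padded-to-32-bytes!!"
CTX = {"type": "HS256", "key": SECRET, "issuer": "https://issuer.example", "audience": ["hasura"]}
CLAIMS = {
    "iss": "https://issuer.example",
    "aud": "hasura",
    "exp": NOW + 600,
    # Assumed namespace key; the page references defaultClaimNs but not its value.
    "https://hasura.io/jwt/claims": {
        "x-hasura-default-role": "user",
        "x-hasura-allowed-roles": ["user", "editor"],
        "x-hasura-user-id": "42",
    },
}
GOOD_TOKEN = sign_hs(CLAIMS, "HS256", SECRET)
```

Run `check(CTX, GOOD_TOKEN, NOW)` for the accepted case, then feed it tokens minted with `header_alg="none"`, a different HS* variant, another key, a past clock, a foreign issuer or an unlisted audience to see each rejection reason; dropping `"audience"` from the context (set it to `None`) shows the audience check being skipped, which is the `Nothing -> True` branch of audCheck.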
instance J.ToJSON JWTConfig where
  toJSON (JWTConfig keyOrUrl claimNs aud claimsFmt iss) =
    J.object (jwkFields ++ sharedFields ++ claimsNsFields)
    where
      jwkFields = case keyOrUrl of
        Left _    -> [ "type" J..= J.String "<TYPE REDACTED>"
                     , "key" J..= J.String "<JWK REDACTED>" ]
        Right url -> [ "jwk_url" J..= url ]

      claimsNsFields = case claimNs of
        ClaimNsPath nsPath ->
          ["claims_namespace_path" J..= encodeJSONPath nsPath]
        ClaimNs ns -> ["claims_namespace" J..= J.String ns]

      sharedFields = [ "claims_format" J..= claimsFmt
                     , "audience" J..= aud
                     , "issuer" J..= iss
                     ]

-- | Parse from a json string like:
--   `{"type": "RS256", "key": "<PEM-encoded-public-key-or-X509-cert>"}`
--   to JWTConfig
instance J.FromJSON JWTConfig where

  parseJSON = J.withObject "JWTConfig" $ \o -> do
    mRawKey      <- o J..:? "key"
    claimsNs     <- o J..:? "claims_namespace"
    claimsNsPath <- o J..:? "claims_namespace_path"
    aud          <- o J..:? "audience"
    iss          <- o J..:? "issuer"
    jwkUrl       <- o J..:? "jwk_url"
    isStrngfd    <- o J..:? "claims_format"

    hasuraClaimsNs <-
      case (claimsNsPath, claimsNs) of
        (Nothing, Nothing)     -> return $ ClaimNs defaultClaimNs
        (Just nsPath, Nothing) -> either failJSONPathParsing (return . ClaimNsPath) . JSONPath.parseJSONPath $ nsPath
        (Nothing, Just ns)     -> return $ ClaimNs ns
        (Just _, Just _)       -> fail "claims_namespace and claims_namespace_path both cannot be set"

    case (mRawKey, jwkUrl) of
      (Nothing, Nothing) -> fail "key and jwk_url both cannot be empty"
      (Just _, Just _)   -> fail "key, jwk_url both cannot be present"
      (Just rawKey, Nothing) -> do
        keyType <- o J..: "type"
        key <- parseKey keyType rawKey
        return $ JWTConfig (Left key) hasuraClaimsNs aud isStrngfd iss
      (Nothing, Just url) ->
        return $ JWTConfig (Right url) hasuraClaimsNs aud isStrngfd iss

    where
      parseKey keyType rawKey =
        case keyType of
          "HS256" -> runEither $ parseHmacKey rawKey 256
          "HS384" -> runEither $ parseHmacKey rawKey 384
          "HS512" -> runEither $ parseHmacKey rawKey 512
          "RS256" -> runEither $ parseRsaKey rawKey
          "RS384" -> runEither $ parseRsaKey rawKey
          "RS512" -> runEither $ parseRsaKey rawKey
          -- TODO: support ES256, ES384, ES512, PS256, PS384
          _       -> invalidJwk ("Key type: " <> T.unpack keyType <> " is not supported")

      runEither = either (invalidJwk . T.unpack) return

      invalidJwk msg = fail ("Invalid JWK: " <> msg)

      failJSONPathParsing err = fail $ "invalid JSON path claims_namespace_path error: " ++ err
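The FromJSON rules above and the ToJSON redaction, as an added Python model (not Hasura's code, and not a Haskell example): `key` and `jwk_url` are mutually exclusive and one of them is required, `type` is required only alongside an inline key, `claims_namespace` and `claims_namespace_path` are mutually exclusive with a default namespace when neither is set, only HS256/384/512 and RS256/384/512 are accepted, and serialising the config redacts the inline key and its type so it can be logged. Assumptions not shown on the page: the value of the default namespace, that parseHmacKey enforces a minimum secret size equal to the hash size, a `$`-prefix test standing in for JSONPath.parseJSONPath, and the refusal of a PEM private key, which is an extra check this model adds.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Assumed default namespace; the page references defaultClaimNs without showing its value.
DEFAULT_CLAIMS_NS = "https://hasura.io/jwt/claims"
# HMAC types with their minimum secret size in bits. Assumption: parseHmacKey rawKey n
# rejects secrets shorter than n bits.
HMAC_TYPES = {"HS256": 256, "HS384": 384, "HS512": 512}
RSA_TYPES = ("RS256", "RS384", "RS512")

class ConfigError(ValueError):
    """Mirrors the parser's fail calls; the message is what an operator would see."""

@dataclass
class JWTConfig:
    key: Optional[tuple]       # (type, key material) when "key" is configured ...
    jwk_url: Optional[str]     # ... or the URL when "jwk_url" is configured (never both)
    claims_ns: str             # "claims_namespace" or "claims_namespace_path"
    claims_ns_value: str
    audience: Optional[list]
    claims_format: Optional[str]
    issuer: Optional[str]

def parse_key(key_type, raw_key):
    if key_type in HMAC_TYPES:
        secret = raw_key.encode("utf-8")
        if len(secret) * 8 < HMAC_TYPES[key_type]:
            raise ConfigError(f"Invalid JWK: {key_type} secret must be at least {HMAC_TYPES[key_type]} bits")
        return (key_type, secret)
    if key_type in RSA_TYPES:
        # Only the public key (PEM or X509 certificate) belongs in the config. Refusing a
        # PEM private key is an extra check of this model, not shown on the page.
        if "PRIVATE KEY" in raw_key:
            raise ConfigError("Invalid JWK: a private key was supplied; configure the public key only")
        if not raw_key.startswith("-----BEGIN "):
            raise ConfigError("Invalid JWK: expected a PEM-encoded public key or X509 certificate")
        return (key_type, raw_key)
    raise ConfigError(f"Invalid JWK: Key type: {key_type} is not supported")

def parse_jwt_config(text):
    o = json.loads(text)
    raw_key = o.get("key")
    jwk_url = o.get("jwk_url")
    ns, ns_path = o.get("claims_namespace"), o.get("claims_namespace_path")

    # claims_namespace and claims_namespace_path are mutually exclusive.
    if ns is not None and ns_path is not None:
        raise ConfigError("claims_namespace and claims_namespace_path both cannot be set")
    if ns_path is not None:
        if not ns_path.startswith("$"):  # assumption: minimal stand-in for JSONPath.parseJSONPath
            raise ConfigError(f"invalid JSON path claims_namespace_path error: {ns_path!r}")
        claims_ns, claims_ns_value = "claims_namespace_path", ns_path
    else:
        claims_ns, claims_ns_value = "claims_namespace", (ns if ns is not None else DEFAULT_CLAIMS_NS)

    # key and jwk_url are mutually exclusive and one of them is required.
    if raw_key is None and jwk_url is None:
        raise ConfigError("key and jwk_url both cannot be empty")
    if raw_key is not None and jwk_url is not None:
        raise ConfigError("key, jwk_url both cannot be present")
    key = None
    if raw_key is not None:
        if "type" not in o:  # "type" is only required alongside an inline key
            raise ConfigError("key requires a type")
        key = parse_key(o["type"], raw_key)

    return JWTConfig(key, jwk_url, claims_ns, claims_ns_value,
                     o.get("audience"), o.get("claims_format"), o.get("issuer"))

def config_to_json(cfg):
    """ToJSON counterpart: inline key material is redacted so the config can be logged."""
    fields = {"jwk_url": cfg.jwk_url} if cfg.key is None else {"type": "<TYPE REDACTED>", "key": "<JWK REDACTED>"}
    fields[cfg.claims_ns] = cfg.claims_ns_value
    fields.update(claims_format=cfg.claims_format, audience=cfg.audience, issuer=cfg.issuer)
    return json.dumps(fields, sort_keys=True)

def try_parse(text):
    """Non-raising wrapper for tabulating outcomes: (True, config) or (False, message)."""
    try:
        return True, parse_jwt_config(text)
    except ConfigError as exc:
        return False, str(exc)
```

`try_parse` returns the same messages the Haskell parser fails with for the mutually exclusive fields, so the outcomes can be compared against a real `HASURA_GRAPHQL_JWT_SECRET` value; `config_to_json` is the place to confirm that a shared secret never reaches a log line.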