2020-10-27 16:53:49 +03:00
|
|
|
{-# LANGUAGE DerivingStrategies #-}
|
2020-04-03 03:00:13 +03:00
|
|
|
|
2018-07-20 10:22:46 +03:00
|
|
|
module Hasura.Server.Auth
|
2021-09-24 01:56:37 +03:00
|
|
|
( getUserInfoWithExpTime,
|
|
|
|
AuthMode (..),
|
|
|
|
setupAuthMode,
|
|
|
|
AdminSecretHash,
|
|
|
|
hashAdminSecret,
|
2020-05-28 19:18:26 +03:00
|
|
|
|
2021-09-24 01:56:37 +03:00
|
|
|
-- * WebHook related
|
|
|
|
AuthHookType (..),
|
|
|
|
AuthHookG (..),
|
|
|
|
AuthHook,
|
2018-07-20 10:22:46 +03:00
|
|
|
|
2021-09-24 01:56:37 +03:00
|
|
|
-- * JWT related
|
|
|
|
RawJWT,
|
|
|
|
JWTConfig (..),
|
|
|
|
JWTCtx (..),
|
|
|
|
JWKSet (..),
|
|
|
|
processJwt,
|
|
|
|
updateJwkRef,
|
|
|
|
UserAuthentication (..),
|
2020-10-27 16:53:49 +03:00
|
|
|
|
2021-09-24 01:56:37 +03:00
|
|
|
-- * Exposed for testing
|
|
|
|
getUserInfoWithExpTime_,
|
|
|
|
)
|
|
|
|
where
|
2020-10-27 16:53:49 +03:00
|
|
|
|
2021-09-24 01:56:37 +03:00
|
|
|
import Control.Concurrent.Extended (ForkableMonadIO, forkManagedT)
|
|
|
|
import Control.Monad.Morph (hoist)
|
|
|
|
import Control.Monad.Trans.Control (MonadBaseControl)
|
|
|
|
import Control.Monad.Trans.Managed (ManagedT)
|
|
|
|
import Crypto.Hash qualified as Crypto
|
2021-11-17 10:32:24 +03:00
|
|
|
import Data.ByteArray qualified as BA
|
|
|
|
import Data.ByteString (ByteString)
|
|
|
|
import Data.HashSet qualified as Set
|
|
|
|
import Data.Hashable qualified as Hash
|
2021-09-24 01:56:37 +03:00
|
|
|
import Data.IORef (newIORef)
|
|
|
|
import Data.Text.Encoding qualified as T
|
|
|
|
import Data.Time.Clock (UTCTime)
|
|
|
|
import Hasura.Base.Error
|
|
|
|
import Hasura.GraphQL.Transport.HTTP.Protocol (ReqsText)
|
|
|
|
import Hasura.Logging
|
|
|
|
import Hasura.Prelude
|
|
|
|
import Hasura.Server.Auth.JWT hiding (processJwt_)
|
|
|
|
import Hasura.Server.Auth.WebHook
|
|
|
|
import Hasura.Server.Utils
|
|
|
|
import Hasura.Session
|
|
|
|
import Hasura.Tracing qualified as Tracing
|
|
|
|
import Network.HTTP.Client qualified as H
|
|
|
|
import Network.HTTP.Types qualified as N
|
2021-05-11 18:18:31 +03:00
|
|
|
|
2019-11-26 15:14:21 +03:00
|
|
|
-- | Typeclass representing the @UserInfo@ authorization and resolving effect
|
|
|
|
class (Monad m) => UserAuthentication m where
|
2021-09-24 01:56:37 +03:00
|
|
|
resolveUserInfo ::
|
|
|
|
Logger Hasura ->
|
|
|
|
H.Manager ->
|
|
|
|
-- | request headers
|
|
|
|
[N.Header] ->
|
|
|
|
AuthMode ->
|
|
|
|
Maybe ReqsText ->
|
2021-11-09 15:00:21 +03:00
|
|
|
m (Either QErr (UserInfo, Maybe UTCTime, [N.Header]))
|
2018-07-20 10:22:46 +03:00
|
|
|
|
2020-05-19 17:48:49 +03:00
|
|
|
-- | The hashed admin password. 'hashAdminSecret' is our public interface for
|
2020-07-14 22:00:58 +03:00
|
|
|
-- constructing the secret.
|
2020-05-19 17:48:49 +03:00
|
|
|
--
|
|
|
|
-- To prevent misuse and leaking we keep this opaque and don't provide
|
|
|
|
-- instances that could leak information. Likewise for 'AuthMode'.
|
|
|
|
--
|
|
|
|
-- Although this exists only in memory we store only a hash of the admin secret
|
|
|
|
-- primarily in order to:
|
2020-07-14 22:00:58 +03:00
|
|
|
--
|
2020-05-28 19:18:26 +03:00
|
|
|
-- - prevent theoretical timing attacks from a naive `==` check
|
2020-05-19 17:48:49 +03:00
|
|
|
-- - prevent misuse or inadvertent leaking of the secret
|
|
|
|
newtype AdminSecretHash = AdminSecretHash (Crypto.Digest Crypto.SHA512)
|
|
|
|
deriving (Ord, Eq)
|
|
|
|
|
2021-11-17 10:32:24 +03:00
|
|
|
instance Hash.Hashable AdminSecretHash where
|
|
|
|
hashWithSalt salt (AdminSecretHash h) = Hash.hashWithSalt @ByteString salt $ BA.convert h
|
|
|
|
|
2020-05-28 19:18:26 +03:00
|
|
|
-- We don't want to be able to leak the secret hash. This is a dummy instance
|
|
|
|
-- to support 'Show AuthMode' which we want for testing.
|
|
|
|
instance Show AdminSecretHash where
|
|
|
|
show _ = "(error \"AdminSecretHash hidden\")"
|
|
|
|
|
2020-10-27 16:53:49 +03:00
|
|
|
hashAdminSecret :: Text -> AdminSecretHash
|
2020-05-19 17:48:49 +03:00
|
|
|
hashAdminSecret = AdminSecretHash . Crypto.hash . T.encodeUtf8
|
|
|
|
|
|
|
|
-- | The methods we'll use to derive roles for authenticating requests.
|
|
|
|
--
|
|
|
|
-- @Maybe RoleName@ below is the optionally-defined role for the
|
2020-07-14 22:00:58 +03:00
|
|
|
-- unauthenticated (anonymous) user.
|
2020-05-19 17:48:49 +03:00
|
|
|
--
|
2021-03-01 21:50:24 +03:00
|
|
|
-- See: https://hasura.io/docs/latest/graphql/core/auth/authentication/unauthenticated-access.html
|
2018-07-20 10:22:46 +03:00
|
|
|
data AuthMode
|
|
|
|
= AMNoAuth
|
2021-11-17 10:32:24 +03:00
|
|
|
| AMAdminSecret !(Set.HashSet AdminSecretHash) !(Maybe RoleName)
|
|
|
|
| AMAdminSecretAndHook !(Set.HashSet AdminSecretHash) !AuthHook
|
2021-12-14 17:28:50 +03:00
|
|
|
| AMAdminSecretAndJWT !(Set.HashSet AdminSecretHash) !JWTCtx !(Maybe RoleName)
|
2020-05-28 19:18:26 +03:00
|
|
|
deriving (Show, Eq)
|
2020-05-19 17:48:49 +03:00
|
|
|
|
|
|
|
-- | Validate the user's requested authentication configuration, launching any
|
|
|
|
-- required maintenance threads for JWT etc.
|
|
|
|
--
|
|
|
|
-- This must only be run once, on launch.
|
2021-09-24 01:56:37 +03:00
|
|
|
setupAuthMode ::
|
2021-10-13 19:38:56 +03:00
|
|
|
( ForkableMonadIO m,
|
2021-09-24 01:56:37 +03:00
|
|
|
Tracing.HasReporter m
|
|
|
|
) =>
|
2021-11-17 10:32:24 +03:00
|
|
|
Set.HashSet AdminSecretHash ->
|
2021-09-24 01:56:37 +03:00
|
|
|
Maybe AuthHook ->
|
2021-12-14 17:28:50 +03:00
|
|
|
Maybe JWTConfig ->
|
2021-09-24 01:56:37 +03:00
|
|
|
Maybe RoleName ->
|
|
|
|
H.Manager ->
|
|
|
|
Logger Hasura ->
|
|
|
|
ExceptT Text (ManagedT m) AuthMode
|
2021-12-14 17:28:50 +03:00
|
|
|
setupAuthMode adminSecretHashSet mWebHook mJwtSecret mUnAuthRole httpManager logger =
|
|
|
|
case (not (Set.null adminSecretHashSet), mWebHook, mJwtSecret) of
|
|
|
|
(True, Nothing, Nothing) -> return $ AMAdminSecret adminSecretHashSet mUnAuthRole
|
|
|
|
(True, Nothing, Just jwtConf) -> do
|
|
|
|
jwtCtx <- mkJwtCtx jwtConf
|
|
|
|
return $ AMAdminSecretAndJWT adminSecretHashSet jwtCtx mUnAuthRole
|
2020-05-28 19:18:26 +03:00
|
|
|
-- Nothing below this case uses unauth role. Throw a fatal error if we would otherwise ignore
|
|
|
|
-- that parameter, lest users misunderstand their auth configuration:
|
2021-09-24 01:56:37 +03:00
|
|
|
_
|
|
|
|
| isJust mUnAuthRole ->
|
|
|
|
throwError $
|
|
|
|
"Fatal Error: --unauthorized-role (HASURA_GRAPHQL_UNAUTHORIZED_ROLE)"
|
|
|
|
<> requiresAdminScrtMsg
|
|
|
|
<> " and is not allowed when --auth-hook (HASURA_GRAPHQL_AUTH_HOOK) is set"
|
2021-12-14 17:28:50 +03:00
|
|
|
(False, Nothing, Nothing) -> return AMNoAuth
|
|
|
|
(True, Just hook, Nothing) -> return $ AMAdminSecretAndHook adminSecretHashSet hook
|
|
|
|
(False, Just _, Nothing) ->
|
2021-09-24 01:56:37 +03:00
|
|
|
throwError $
|
|
|
|
"Fatal Error : --auth-hook (HASURA_GRAPHQL_AUTH_HOOK)" <> requiresAdminScrtMsg
|
2021-12-14 17:28:50 +03:00
|
|
|
(False, Nothing, Just _) ->
|
2021-09-24 01:56:37 +03:00
|
|
|
throwError $
|
|
|
|
"Fatal Error : --jwt-secret (HASURA_GRAPHQL_JWT_SECRET)" <> requiresAdminScrtMsg
|
2021-12-14 17:28:50 +03:00
|
|
|
(_, Just _, Just _) ->
|
2021-09-24 01:56:37 +03:00
|
|
|
throwError
|
|
|
|
"Fatal Error: Both webhook and JWT mode cannot be enabled at the same time"
|
2018-10-25 21:16:25 +03:00
|
|
|
where
|
2019-05-14 09:24:46 +03:00
|
|
|
requiresAdminScrtMsg =
|
|
|
|
" requires --admin-secret (HASURA_GRAPHQL_ADMIN_SECRET) or "
|
2021-09-24 01:56:37 +03:00
|
|
|
<> " --access-key (HASURA_GRAPHQL_ACCESS_KEY) to be set"
|
2018-10-25 21:16:25 +03:00
|
|
|
|
2021-09-24 01:56:37 +03:00
|
|
|
mkJwtCtx ::
|
2021-10-13 19:38:56 +03:00
|
|
|
( ForkableMonadIO m,
|
2021-09-24 01:56:37 +03:00
|
|
|
Tracing.HasReporter m
|
|
|
|
) =>
|
|
|
|
JWTConfig ->
|
|
|
|
ExceptT Text (ManagedT m) JWTCtx
|
|
|
|
mkJwtCtx JWTConfig {..} = do
|
2020-05-19 17:48:49 +03:00
|
|
|
jwkRef <- case jcKeyOrUrl of
|
2021-09-24 01:56:37 +03:00
|
|
|
Left jwk -> liftIO $ newIORef (JWKSet [jwk])
|
2020-05-19 17:48:49 +03:00
|
|
|
Right url -> getJwkFromUrl url
|
2021-02-25 12:02:43 +03:00
|
|
|
let jwtHeader = fromMaybe JHAuthorization jcHeader
|
|
|
|
return $ JWTCtx jwkRef jcAudience jcIssuer jcClaims jcAllowedSkew jwtHeader
|
2020-05-19 17:48:49 +03:00
|
|
|
where
|
|
|
|
-- if we can't find any expiry time for the JWK (either in @Expires@ header or @Cache-Control@
|
|
|
|
-- header), do not start a background thread for refreshing the JWK
|
|
|
|
getJwkFromUrl url = do
|
|
|
|
ref <- liftIO $ newIORef $ JWKSet []
|
2020-12-21 21:56:00 +03:00
|
|
|
maybeExpiry <- hoist lift $ withJwkError $ Tracing.runTraceT "jwk init" $ updateJwkRef logger httpManager url ref
|
2020-05-19 17:48:49 +03:00
|
|
|
case maybeExpiry of
|
2021-09-24 01:56:37 +03:00
|
|
|
Nothing -> return ref
|
2020-05-19 17:48:49 +03:00
|
|
|
Just time -> do
|
2021-09-24 01:56:37 +03:00
|
|
|
void . lift $
|
|
|
|
forkManagedT "jwkRefreshCtrl" logger $
|
|
|
|
jwkRefreshCtrl logger httpManager url ref (convertDuration time)
|
2020-05-19 17:48:49 +03:00
|
|
|
return ref
|
|
|
|
|
|
|
|
withJwkError act = do
|
|
|
|
res <- runExceptT act
|
2020-12-21 21:56:00 +03:00
|
|
|
onLeft res $ \case
|
|
|
|
-- when fetching JWK initially, except expiry parsing error, all errors are critical
|
2021-09-24 01:56:37 +03:00
|
|
|
JFEHttpException _ msg -> throwError msg
|
|
|
|
JFEHttpError _ _ _ e -> throwError e
|
|
|
|
JFEJwkParseError _ e -> throwError e
|
2020-12-21 21:56:00 +03:00
|
|
|
JFEExpiryParseError _ _ -> return Nothing
|
2020-02-05 10:07:31 +03:00
|
|
|
|
2020-05-19 17:48:49 +03:00
|
|
|
-- | Authenticate the request using the headers and the configured 'AuthMode'.
|
2021-09-24 01:56:37 +03:00
|
|
|
getUserInfoWithExpTime ::
|
|
|
|
forall m.
|
2021-10-13 19:38:56 +03:00
|
|
|
(MonadIO m, MonadBaseControl IO m, MonadError QErr m, Tracing.MonadTrace m) =>
|
2021-09-24 01:56:37 +03:00
|
|
|
Logger Hasura ->
|
|
|
|
H.Manager ->
|
|
|
|
[N.Header] ->
|
|
|
|
AuthMode ->
|
|
|
|
Maybe ReqsText ->
|
2021-11-09 15:00:21 +03:00
|
|
|
m (UserInfo, Maybe UTCTime, [N.Header])
|
2020-05-28 19:18:26 +03:00
|
|
|
getUserInfoWithExpTime = getUserInfoWithExpTime_ userInfoFromAuthHook processJwt
|
|
|
|
|
|
|
|
-- Broken out for testing with mocks:
|
2021-09-24 01:56:37 +03:00
|
|
|
getUserInfoWithExpTime_ ::
|
|
|
|
forall m _Manager _Logger_Hasura.
|
|
|
|
(MonadIO m, MonadError QErr m) =>
|
|
|
|
-- | mock 'userInfoFromAuthHook'
|
|
|
|
( _Logger_Hasura ->
|
|
|
|
_Manager ->
|
|
|
|
AuthHook ->
|
|
|
|
[N.Header] ->
|
|
|
|
Maybe ReqsText ->
|
2021-11-09 15:00:21 +03:00
|
|
|
m (UserInfo, Maybe UTCTime, [N.Header])
|
2021-09-24 01:56:37 +03:00
|
|
|
) ->
|
|
|
|
-- | mock 'processJwt'
|
2021-12-14 17:28:50 +03:00
|
|
|
(JWTCtx -> [N.Header] -> Maybe RoleName -> m (UserInfo, Maybe UTCTime, [N.Header])) ->
|
2021-09-24 01:56:37 +03:00
|
|
|
_Logger_Hasura ->
|
|
|
|
_Manager ->
|
|
|
|
[N.Header] ->
|
|
|
|
AuthMode ->
|
|
|
|
Maybe ReqsText ->
|
2021-11-09 15:00:21 +03:00
|
|
|
m (UserInfo, Maybe UTCTime, [N.Header])
|
2021-09-24 01:56:37 +03:00
|
|
|
getUserInfoWithExpTime_ userInfoFromAuthHook_ processJwt_ logger manager rawHeaders authMode reqs = case authMode of
|
2020-05-05 22:57:17 +03:00
|
|
|
AMNoAuth -> withNoExpTime $ mkUserInfoFallbackAdminRole UAuthNotSet
|
2020-05-28 19:18:26 +03:00
|
|
|
-- If hasura was started with an admin secret we:
|
|
|
|
-- - check if a secret was sent in the request
|
|
|
|
-- - if so, check it and authorize as admin else fail
|
|
|
|
-- - if not proceed with either webhook or JWT auth if configured
|
2021-11-17 10:32:24 +03:00
|
|
|
AMAdminSecret adminSecretHashSet maybeUnauthRole ->
|
|
|
|
checkingSecretIfSent adminSecretHashSet $
|
2021-11-09 15:00:21 +03:00
|
|
|
withNoExpTime
|
2021-09-24 01:56:37 +03:00
|
|
|
-- Consider unauthorized role, if not found raise admin secret header required exception
|
|
|
|
case maybeUnauthRole of
|
|
|
|
Nothing ->
|
|
|
|
throw401 $
|
|
|
|
adminSecretHeader <> "/"
|
|
|
|
<> deprecatedAccessKeyHeader
|
|
|
|
<> " required, but not found"
|
|
|
|
Just unAuthRole ->
|
|
|
|
mkUserInfo (URBPreDetermined unAuthRole) UAdminSecretNotSent sessionVariables
|
2021-02-03 10:10:39 +03:00
|
|
|
-- this is the case that actually ends up consuming the request AST
|
2021-11-17 10:32:24 +03:00
|
|
|
AMAdminSecretAndHook adminSecretHashSet hook ->
|
|
|
|
checkingSecretIfSent adminSecretHashSet $ userInfoFromAuthHook_ logger manager hook rawHeaders reqs
|
2021-12-14 17:28:50 +03:00
|
|
|
AMAdminSecretAndJWT adminSecretHashSet jwtSecret unAuthRole ->
|
|
|
|
checkingSecretIfSent adminSecretHashSet $ processJwt_ jwtSecret rawHeaders unAuthRole
|
2018-07-20 10:22:46 +03:00
|
|
|
where
|
2020-05-28 19:18:26 +03:00
|
|
|
-- CAREFUL!:
|
2020-05-05 22:57:17 +03:00
|
|
|
mkUserInfoFallbackAdminRole adminSecretState =
|
2021-09-24 01:56:37 +03:00
|
|
|
mkUserInfo
|
|
|
|
(URBFromSessionVariablesFallback adminRoleName)
|
|
|
|
adminSecretState
|
|
|
|
sessionVariables
|
2018-07-20 10:22:46 +03:00
|
|
|
|
2020-08-31 19:40:01 +03:00
|
|
|
sessionVariables = mkSessionVariablesHeaders rawHeaders
|
2018-07-20 10:22:46 +03:00
|
|
|
|
2021-09-24 01:56:37 +03:00
|
|
|
checkingSecretIfSent ::
|
2021-11-17 10:32:24 +03:00
|
|
|
Set.HashSet AdminSecretHash -> m (UserInfo, Maybe UTCTime, [N.Header]) -> m (UserInfo, Maybe UTCTime, [N.Header])
|
|
|
|
checkingSecretIfSent adminSecretHashSet actionIfNoAdminSecret = do
|
2020-05-05 22:57:17 +03:00
|
|
|
let maybeRequestAdminSecret =
|
2021-09-24 01:56:37 +03:00
|
|
|
foldl1 (<|>) $
|
|
|
|
map
|
|
|
|
(`getSessionVariableValue` sessionVariables)
|
|
|
|
[adminSecretHeader, deprecatedAccessKeyHeader]
|
2020-05-05 22:57:17 +03:00
|
|
|
|
|
|
|
-- when admin secret is absent, run the action to retrieve UserInfo
|
|
|
|
case maybeRequestAdminSecret of
|
2021-09-24 01:56:37 +03:00
|
|
|
Nothing -> actionIfNoAdminSecret
|
2020-05-05 22:57:17 +03:00
|
|
|
Just requestAdminSecret -> do
|
2021-11-17 10:32:24 +03:00
|
|
|
unless (Set.member (hashAdminSecret requestAdminSecret) adminSecretHashSet) $
|
2021-09-24 01:56:37 +03:00
|
|
|
throw401 $
|
|
|
|
"invalid " <> adminSecretHeader <> "/" <> deprecatedAccessKeyHeader
|
2020-05-05 22:57:17 +03:00
|
|
|
withNoExpTime $ mkUserInfoFallbackAdminRole UAdminSecretSent
|
2019-05-14 09:24:46 +03:00
|
|
|
|
2021-11-09 15:00:21 +03:00
|
|
|
withNoExpTime a = (,Nothing,[]) <$> a
|