2018-06-27 16:11:32 +03:00
|
|
|
module Hasura.Server.Init where
|
|
|
|
|
|
|
|
|
|
import qualified Database.PG.Query as Q
|
|
|
|
|
|
|
|
|
|
import Options.Applicative
|
|
|
|
|
import System.Exit (exitFailure)
|
|
|
|
|
|
|
|
|
|
import qualified Data.Text as T
|
|
|
|
|
|
|
|
|
|
import Hasura.Prelude
|
|
|
|
|
import Hasura.RQL.DDL.Utils
|
2018-10-25 21:16:25 +03:00
|
|
|
import Hasura.RQL.Types (RoleName (..))
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
import Hasura.Server.Auth
|
2018-06-28 13:49:40 +03:00
|
|
|
import Hasura.Server.Utils
|
2018-06-27 16:11:32 +03:00
|
|
|
|
2018-12-03 14:19:08 +03:00
|
|
|
newtype InitError
|
|
|
|
|
= InitError String
|
2018-06-27 16:11:32 +03:00
|
|
|
deriving (Show, Eq)
|
|
|
|
|
|
|
|
|
|
instance Q.FromPGConnErr InitError where
|
|
|
|
|
fromPGConnErr = InitError . show
|
|
|
|
|
|
|
|
|
|
instance Q.FromPGTxErr InitError where
|
|
|
|
|
fromPGTxErr = InitError . show
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
initErrExit :: (Show e) => e -> IO a
|
|
|
|
|
initErrExit e = print e >> exitFailure
|
|
|
|
|
|
|
|
|
|
-- clear the hdb_views schema
|
|
|
|
|
initStateTx :: Q.Tx ()
|
2018-09-05 14:26:46 +03:00
|
|
|
initStateTx = clearHdbViews
|
2018-06-27 16:11:32 +03:00
|
|
|
|
|
|
|
|
data RawConnInfo =
|
|
|
|
|
RawConnInfo
|
|
|
|
|
{ connHost :: !(Maybe String)
|
|
|
|
|
, connPort :: !(Maybe Int)
|
|
|
|
|
, connUser :: !(Maybe String)
|
|
|
|
|
, connPassword :: !String
|
|
|
|
|
, connUrl :: !(Maybe String)
|
|
|
|
|
, connDatabase :: !(Maybe String)
|
|
|
|
|
, connOptions :: !(Maybe String)
|
|
|
|
|
} deriving (Eq, Read, Show)
|
|
|
|
|
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
data CorsConfigG a
|
|
|
|
|
= CorsConfigG
|
|
|
|
|
{ ccDomain :: !a
|
|
|
|
|
, ccDisabled :: !Bool
|
|
|
|
|
} deriving (Show, Eq)
|
|
|
|
|
|
|
|
|
|
type CorsConfigFlags = CorsConfigG (Maybe T.Text)
|
|
|
|
|
type CorsConfig = CorsConfigG T.Text
|
|
|
|
|
|
|
|
|
|
|
2018-06-27 16:11:32 +03:00
|
|
|
parseRawConnInfo :: Parser RawConnInfo
|
|
|
|
|
parseRawConnInfo =
|
|
|
|
|
RawConnInfo
|
|
|
|
|
<$> optional (strOption ( long "host" <>
|
|
|
|
|
metavar "HOST" <>
|
|
|
|
|
help "Postgres server host" ))
|
|
|
|
|
<*> optional (option auto ( long "port" <>
|
|
|
|
|
short 'p' <>
|
|
|
|
|
metavar "PORT" <>
|
|
|
|
|
help "Postgres server port" ))
|
|
|
|
|
<*> optional (strOption ( long "user" <>
|
|
|
|
|
short 'u' <>
|
|
|
|
|
metavar "USER" <>
|
|
|
|
|
help "Database user name" ))
|
|
|
|
|
<*> strOption ( long "password" <>
|
|
|
|
|
short 'p' <>
|
|
|
|
|
metavar "PASSWORD" <>
|
|
|
|
|
value "" <>
|
|
|
|
|
help "Password of the user" )
|
|
|
|
|
<*> optional (strOption ( long "database-url" <>
|
2018-06-28 13:49:40 +03:00
|
|
|
metavar "DATABASE-URL" <>
|
|
|
|
|
help "Postgres database URL. Example postgres://foo:bar@example.com:2345/database"))
|
2018-06-27 16:11:32 +03:00
|
|
|
<*> optional (strOption ( long "dbname" <>
|
|
|
|
|
short 'd' <>
|
|
|
|
|
metavar "NAME" <>
|
|
|
|
|
help "Database name to connect to" ))
|
|
|
|
|
<*> pure Nothing
|
|
|
|
|
|
|
|
|
|
connInfoErrModifier :: String -> String
|
|
|
|
|
connInfoErrModifier s = "Fatal Error : " ++ s
|
|
|
|
|
|
2018-07-06 08:13:46 +03:00
|
|
|
mkConnInfo :: Maybe String -> RawConnInfo -> Either String Q.ConnInfo
|
|
|
|
|
mkConnInfo mEnvDbUrl (RawConnInfo mHost mPort mUser pass mURL mDB opts) = do
|
|
|
|
|
let mFinalDBUrl = ifNothingTakeEnv mURL
|
|
|
|
|
case (mHost, mPort, mUser, mDB, mFinalDBUrl) of
|
2018-06-28 13:49:40 +03:00
|
|
|
|
2018-06-27 16:11:32 +03:00
|
|
|
(Just host, Just port, Just user, Just db, Nothing) ->
|
|
|
|
|
return $ Q.ConnInfo host port user pass db opts
|
2018-06-28 13:49:40 +03:00
|
|
|
|
|
|
|
|
(_, _, _, _, Just dbURL) -> maybe (throwError invalidUrlMsg)
|
|
|
|
|
return $ parseDatabaseUrl dbURL opts
|
|
|
|
|
_ -> throwError $ "Invalid options. "
|
|
|
|
|
++ "Expecting all database connection params "
|
|
|
|
|
++ "(host, port, user, dbname, password) or "
|
2018-07-06 08:13:46 +03:00
|
|
|
++ "database-url (HASURA_GRAPHQL_DATABASE_URL)"
|
2018-06-28 13:49:40 +03:00
|
|
|
where
|
2018-07-06 08:13:46 +03:00
|
|
|
invalidUrlMsg = "Invalid database-url (HASURA_GRAPHQL_DATABASE_URL). "
|
2018-06-28 13:49:40 +03:00
|
|
|
++ "Example postgres://foo:bar@example.com:2345/database"
|
2018-07-06 08:13:46 +03:00
|
|
|
ifNothingTakeEnv Nothing = mEnvDbUrl
|
|
|
|
|
ifNothingTakeEnv t = t
|
2018-06-27 16:11:32 +03:00
|
|
|
|
|
|
|
|
readIsoLevel :: String -> Either String Q.TxIsolation
|
|
|
|
|
readIsoLevel isoS =
|
|
|
|
|
case isoS of
|
|
|
|
|
"read-comitted" -> return Q.ReadCommitted
|
|
|
|
|
"repeatable-read" -> return Q.RepeatableRead
|
|
|
|
|
"serializable" -> return Q.ReadCommitted
|
|
|
|
|
_ -> Left "Only expecting read-comitted / repeatable-read / serializable"
|
|
|
|
|
|
|
|
|
|
parseTxIsolation :: Parser Q.TxIsolation
|
|
|
|
|
parseTxIsolation =
|
|
|
|
|
option (eitherReader readIsoLevel) ( long "tx-iso" <>
|
|
|
|
|
short 'i' <>
|
|
|
|
|
value Q.ReadCommitted <>
|
|
|
|
|
metavar "TXISO" <>
|
|
|
|
|
help "transaction isolation. read-committed / repeatable-read / serializable" )
|
|
|
|
|
|
|
|
|
|
parseRootDir :: Parser (Maybe String)
|
|
|
|
|
parseRootDir =
|
|
|
|
|
optional $ strOption ( long "root-dir" <>
|
|
|
|
|
metavar "STATIC-DIR" <>
|
|
|
|
|
help "this static dir is served at / and takes precedence over all routes" )
|
|
|
|
|
|
|
|
|
|
parseConnParams :: Parser Q.ConnParams
|
|
|
|
|
parseConnParams =
|
|
|
|
|
Q.ConnParams
|
|
|
|
|
<$> option auto ( long "stripes" <>
|
|
|
|
|
short 's' <>
|
|
|
|
|
metavar "NO OF STRIPES" <>
|
|
|
|
|
value 1 <>
|
|
|
|
|
help "Number of stripes" )
|
|
|
|
|
<*> option auto ( long "connections" <>
|
|
|
|
|
short 'c' <>
|
|
|
|
|
metavar "NO OF CONNS" <>
|
|
|
|
|
value 50 <>
|
|
|
|
|
help "Number of conns that need to be opened to Postgres" )
|
|
|
|
|
<*> option auto ( long "timeout" <>
|
|
|
|
|
short 'c' <>
|
|
|
|
|
metavar "SECONDS" <>
|
|
|
|
|
value 180 <>
|
|
|
|
|
help "Each connection's idle time before it is closed" )
|
|
|
|
|
|
2018-11-15 07:55:39 +03:00
|
|
|
parseServerPort :: Parser (Maybe Int)
|
|
|
|
|
parseServerPort = optional $
|
2018-06-27 16:11:32 +03:00
|
|
|
option auto ( long "server-port" <>
|
2018-11-15 07:55:39 +03:00
|
|
|
metavar "PORT" <>
|
|
|
|
|
help "Port on which graphql-engine should be served (default: 8080)"
|
|
|
|
|
)
|
2018-06-27 16:11:32 +03:00
|
|
|
|
|
|
|
|
parseAccessKey :: Parser (Maybe AccessKey)
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
parseAccessKey =
|
|
|
|
|
optional $ AccessKey <$>
|
|
|
|
|
strOption ( long "access-key" <>
|
|
|
|
|
metavar "SECRET ACCESS KEY" <>
|
|
|
|
|
help "Secret access key, required to access this instance"
|
|
|
|
|
)
|
|
|
|
|
|
2018-12-03 14:19:08 +03:00
|
|
|
readHookType :: String -> Either String AuthHookType
|
|
|
|
|
readHookType tyS =
|
|
|
|
|
case tyS of
|
|
|
|
|
"GET" -> Right AHTGet
|
|
|
|
|
"POST" -> Right AHTPost
|
|
|
|
|
_ -> Left "Only expecting GET / POST"
|
|
|
|
|
|
|
|
|
|
parseWebHook :: Parser AuthHookConf
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
parseWebHook =
|
2018-12-03 14:19:08 +03:00
|
|
|
AuthHookG <$> parseUrl <*> parseEnablePost
|
|
|
|
|
where
|
|
|
|
|
parseUrl =
|
|
|
|
|
optional $ strOption ( long "auth-hook" <>
|
|
|
|
|
metavar "AUTHENTICATION WEB HOOK" <>
|
|
|
|
|
help "The authentication webhook, required to authenticate requests"
|
|
|
|
|
)
|
|
|
|
|
parseEnablePost = optional $
|
|
|
|
|
option (eitherReader readHookType)
|
|
|
|
|
( long "auth-hook-mode" <>
|
|
|
|
|
metavar "GET|POST" <>
|
|
|
|
|
help "The authentication webhook type (default: GET)"
|
|
|
|
|
)
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
|
|
|
|
|
|
|
|
|
|
parseJwtSecret :: Parser (Maybe Text)
|
|
|
|
|
parseJwtSecret =
|
|
|
|
|
optional $ strOption ( long "jwt-secret" <>
|
|
|
|
|
metavar "JWK" <>
|
|
|
|
|
help jwtSecretHelp
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
jwtSecretHelp :: String
|
|
|
|
|
jwtSecretHelp = "The JSON containing type and the JWK used for verifying. e.g: "
|
2018-09-07 09:00:50 +03:00
|
|
|
<> "`{\"type\": \"HS256\", \"key\": \"<your-hmac-shared-secret>\", \"claims_namespace\": \"<optional-custom-claims-key-name>\"}`,"
|
|
|
|
|
<> "`{\"type\": \"RS256\", \"key\": \"<your-PEM-RSA-public-key>\", \"claims_namespace\": \"<optional-custom-claims-key-name>\"}`"
|
2018-06-27 16:11:32 +03:00
|
|
|
|
2018-10-25 21:16:25 +03:00
|
|
|
parseUnAuthRole :: Parser (Maybe RoleName)
|
|
|
|
|
parseUnAuthRole =
|
|
|
|
|
optional $ RoleName <$>
|
|
|
|
|
strOption ( long "unauthorized-role" <>
|
|
|
|
|
metavar "UNAUTHORIZED ROLE" <>
|
|
|
|
|
help ( "Unauthorized role, used when access-key is not sent in access-key only mode "
|
|
|
|
|
++ "or \"Authorization\" header is absent in JWT mode"
|
|
|
|
|
)
|
|
|
|
|
)
|
2018-07-06 08:13:46 +03:00
|
|
|
|
|
|
|
|
parseCorsConfig :: Parser CorsConfigFlags
|
2018-06-27 16:11:32 +03:00
|
|
|
parseCorsConfig =
|
2018-07-06 08:13:46 +03:00
|
|
|
CorsConfigG
|
|
|
|
|
<$> optional (strOption ( long "cors-domain" <>
|
2018-06-27 16:11:32 +03:00
|
|
|
metavar "CORS DOMAIN" <>
|
|
|
|
|
help "The domain, including scheme and port, to allow CORS for"
|
2018-07-06 08:13:46 +03:00
|
|
|
))
|
2018-06-27 16:11:32 +03:00
|
|
|
<*> switch ( long "disable-cors" <>
|
|
|
|
|
help "Disable CORS handling"
|
|
|
|
|
)
|
|
|
|
|
|
2018-06-29 14:05:09 +03:00
|
|
|
parseEnableConsole :: Parser Bool
|
|
|
|
|
parseEnableConsole = switch ( long "enable-console" <>
|
|
|
|
|
help "Enable API Console"
|
|
|
|
|
)
|
