2018-07-20 10:22:46 +03:00
|
|
|
module Hasura.Server.Auth
|
|
|
|
( getUserInfo
|
2019-05-14 09:24:46 +03:00
|
|
|
, getUserInfoWithExpTime
|
2018-07-20 10:22:46 +03:00
|
|
|
, AuthMode(..)
|
2018-10-25 21:16:25 +03:00
|
|
|
, mkAuthMode
|
2019-02-14 12:37:47 +03:00
|
|
|
, AdminSecret (..)
|
2018-12-03 14:19:08 +03:00
|
|
|
, AuthHookType(..)
|
2018-12-19 14:38:33 +03:00
|
|
|
, AuthHookG (..)
|
|
|
|
, AuthHook
|
2018-09-27 14:22:49 +03:00
|
|
|
-- JWT related
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
, RawJWT
|
|
|
|
, JWTConfig (..)
|
2018-09-27 14:22:49 +03:00
|
|
|
, JWTCtx (..)
|
|
|
|
, JWKSet (..)
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
, processJwt
|
2018-09-27 14:22:49 +03:00
|
|
|
, updateJwkRef
|
|
|
|
, jwkRefreshCtrl
|
2019-11-26 15:14:21 +03:00
|
|
|
, UserAuthentication (..)
|
2018-07-20 10:22:46 +03:00
|
|
|
) where
|
|
|
|
|
2019-07-11 08:37:06 +03:00
|
|
|
import Control.Exception (try)
|
2018-07-20 10:22:46 +03:00
|
|
|
import Control.Lens
|
|
|
|
import Data.Aeson
|
2019-07-11 08:37:06 +03:00
|
|
|
import Data.IORef (newIORef)
|
|
|
|
import Data.Time.Clock (UTCTime)
|
2018-10-25 21:16:25 +03:00
|
|
|
|
2019-07-11 08:37:06 +03:00
|
|
|
import qualified Data.Aeson as J
|
|
|
|
import qualified Data.ByteString.Lazy as BL
|
|
|
|
import qualified Data.HashMap.Strict as Map
|
|
|
|
import qualified Data.Text as T
|
|
|
|
import qualified Network.HTTP.Client as H
|
|
|
|
import qualified Network.HTTP.Types as N
|
|
|
|
import qualified Network.Wreq as Wreq
|
2018-10-25 21:16:25 +03:00
|
|
|
|
2018-12-13 10:26:15 +03:00
|
|
|
import Hasura.HTTP
|
2018-10-25 21:16:25 +03:00
|
|
|
import Hasura.Logging
|
2018-07-20 10:22:46 +03:00
|
|
|
import Hasura.Prelude
|
|
|
|
import Hasura.RQL.Types
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
import Hasura.Server.Auth.JWT
|
2018-08-03 11:43:35 +03:00
|
|
|
import Hasura.Server.Logging
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
import Hasura.Server.Utils
|
|
|
|
|
2019-11-26 15:14:21 +03:00
|
|
|
-- | Typeclass representing the @UserInfo@ authorization and resolving effect
|
|
|
|
class (Monad m) => UserAuthentication m where
|
|
|
|
resolveUserInfo
|
|
|
|
:: Logger Hasura
|
|
|
|
-> H.Manager
|
|
|
|
-> [N.Header]
|
|
|
|
-- ^ request headers
|
|
|
|
-> AuthMode
|
2019-12-11 04:04:49 +03:00
|
|
|
-> m (Either QErr (UserInfo, Maybe UTCTime))
|
2018-07-20 10:22:46 +03:00
|
|
|
|
2019-02-14 12:37:47 +03:00
|
|
|
newtype AdminSecret
|
|
|
|
= AdminSecret { getAdminSecret :: T.Text }
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
deriving (Show, Eq)
|
|
|
|
|
2018-12-03 14:19:08 +03:00
|
|
|
data AuthHookType
|
|
|
|
= AHTGet
|
|
|
|
| AHTPost
|
2019-01-02 14:24:17 +03:00
|
|
|
deriving (Eq)
|
|
|
|
|
|
|
|
instance Show AuthHookType where
|
|
|
|
show AHTGet = "GET"
|
|
|
|
show AHTPost = "POST"
|
2018-07-20 10:22:46 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
data AuthHookG a b
|
|
|
|
= AuthHookG
|
|
|
|
{ ahUrl :: !a
|
|
|
|
, ahType :: !b
|
2018-12-03 14:19:08 +03:00
|
|
|
} deriving (Show, Eq)
|
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
type AuthHook = AuthHookG T.Text AuthHookType
|
|
|
|
|
2018-07-20 10:22:46 +03:00
|
|
|
data AuthMode
|
|
|
|
= AMNoAuth
|
2019-02-14 12:37:47 +03:00
|
|
|
| AMAdminSecret !AdminSecret !(Maybe RoleName)
|
|
|
|
| AMAdminSecretAndHook !AdminSecret !AuthHook
|
|
|
|
| AMAdminSecretAndJWT !AdminSecret !JWTCtx !(Maybe RoleName)
|
2018-07-20 10:22:46 +03:00
|
|
|
deriving (Show, Eq)
|
|
|
|
|
2018-10-25 21:16:25 +03:00
|
|
|
mkAuthMode
|
|
|
|
:: ( MonadIO m
|
|
|
|
, MonadError T.Text m
|
|
|
|
)
|
2019-02-14 12:37:47 +03:00
|
|
|
=> Maybe AdminSecret
|
2018-12-03 14:19:08 +03:00
|
|
|
-> Maybe AuthHook
|
2019-07-11 08:37:06 +03:00
|
|
|
-> Maybe JWTConfig
|
2018-10-25 21:16:25 +03:00
|
|
|
-> Maybe RoleName
|
|
|
|
-> H.Manager
|
2019-11-28 12:03:14 +03:00
|
|
|
-> Logger Hasura
|
2018-10-25 21:16:25 +03:00
|
|
|
-> m AuthMode
|
2019-11-28 12:03:14 +03:00
|
|
|
mkAuthMode mAdminSecret mWebHook mJwtSecret mUnAuthRole httpManager logger =
|
2019-02-14 12:37:47 +03:00
|
|
|
case (mAdminSecret, mWebHook, mJwtSecret) of
|
2018-10-25 21:16:25 +03:00
|
|
|
(Nothing, Nothing, Nothing) -> return AMNoAuth
|
2019-02-14 12:37:47 +03:00
|
|
|
(Just key, Nothing, Nothing) -> return $ AMAdminSecret key mUnAuthRole
|
2018-10-25 21:16:25 +03:00
|
|
|
(Just key, Just hook, Nothing) -> unAuthRoleNotReqForWebHook >>
|
2019-02-14 12:37:47 +03:00
|
|
|
return (AMAdminSecretAndHook key hook)
|
2018-10-25 21:16:25 +03:00
|
|
|
(Just key, Nothing, Just jwtConf) -> do
|
2019-11-28 12:03:14 +03:00
|
|
|
jwtCtx <- mkJwtCtx jwtConf httpManager logger
|
2019-02-14 12:37:47 +03:00
|
|
|
return $ AMAdminSecretAndJWT key jwtCtx mUnAuthRole
|
2018-10-25 21:16:25 +03:00
|
|
|
|
|
|
|
(Nothing, Just _, Nothing) -> throwError $
|
2019-02-14 12:37:47 +03:00
|
|
|
"Fatal Error : --auth-hook (HASURA_GRAPHQL_AUTH_HOOK)" <> requiresAdminScrtMsg
|
2018-10-25 21:16:25 +03:00
|
|
|
(Nothing, Nothing, Just _) -> throwError $
|
2019-02-14 12:37:47 +03:00
|
|
|
"Fatal Error : --jwt-secret (HASURA_GRAPHQL_JWT_SECRET)" <> requiresAdminScrtMsg
|
2018-10-25 21:16:25 +03:00
|
|
|
(Nothing, Just _, Just _) -> throwError
|
|
|
|
"Fatal Error: Both webhook and JWT mode cannot be enabled at the same time"
|
|
|
|
(Just _, Just _, Just _) -> throwError
|
|
|
|
"Fatal Error: Both webhook and JWT mode cannot be enabled at the same time"
|
|
|
|
where
|
2019-05-14 09:24:46 +03:00
|
|
|
requiresAdminScrtMsg =
|
|
|
|
" requires --admin-secret (HASURA_GRAPHQL_ADMIN_SECRET) or "
|
|
|
|
<> " --access-key (HASURA_GRAPHQL_ACCESS_KEY) to be set"
|
2018-10-25 21:16:25 +03:00
|
|
|
unAuthRoleNotReqForWebHook =
|
2019-05-14 09:24:46 +03:00
|
|
|
when (isJust mUnAuthRole) $ throwError $
|
|
|
|
"Fatal Error: --unauthorized-role (HASURA_GRAPHQL_UNAUTHORIZED_ROLE) is not allowed"
|
|
|
|
<> " when --auth-hook (HASURA_GRAPHQL_AUTH_HOOK) is set"
|
2018-10-25 21:16:25 +03:00
|
|
|
|
|
|
|
mkJwtCtx
|
|
|
|
:: ( MonadIO m
|
|
|
|
, MonadError T.Text m
|
|
|
|
)
|
2019-07-11 08:37:06 +03:00
|
|
|
=> JWTConfig
|
2018-10-25 21:16:25 +03:00
|
|
|
-> H.Manager
|
2019-11-28 12:03:14 +03:00
|
|
|
-> Logger Hasura
|
2018-10-25 21:16:25 +03:00
|
|
|
-> m JWTCtx
|
2019-11-28 12:03:14 +03:00
|
|
|
mkJwtCtx conf httpManager logger = do
|
2018-10-25 21:16:25 +03:00
|
|
|
jwkRef <- case jcKeyOrUrl conf of
|
|
|
|
Left jwk -> liftIO $ newIORef (JWKSet [jwk])
|
|
|
|
Right url -> do
|
|
|
|
ref <- liftIO $ newIORef $ JWKSet []
|
|
|
|
mTime <- updateJwkRef logger httpManager url ref
|
|
|
|
case mTime of
|
|
|
|
Nothing -> return ref
|
|
|
|
Just t -> do
|
|
|
|
jwkRefreshCtrl logger httpManager url ref t
|
|
|
|
return ref
|
2019-02-05 15:04:16 +03:00
|
|
|
let claimsFmt = fromMaybe JCFJson (jcClaimsFormat conf)
|
2019-07-11 12:58:39 +03:00
|
|
|
return $ JWTCtx jwkRef (jcClaimNs conf) (jcAudience conf) claimsFmt (jcIssuer conf)
|
2018-07-20 10:22:46 +03:00
|
|
|
|
2018-08-03 11:43:35 +03:00
|
|
|
mkUserInfoFromResp
|
|
|
|
:: (MonadIO m, MonadError QErr m)
|
2019-11-26 15:14:21 +03:00
|
|
|
=> Logger Hasura
|
2018-08-03 11:43:35 +03:00
|
|
|
-> T.Text
|
2018-12-03 14:19:08 +03:00
|
|
|
-> N.StdMethod
|
2018-08-03 11:43:35 +03:00
|
|
|
-> N.Status
|
|
|
|
-> BL.ByteString
|
|
|
|
-> m UserInfo
|
2018-12-03 14:19:08 +03:00
|
|
|
mkUserInfoFromResp logger url method statusCode respBody
|
2018-08-03 11:43:35 +03:00
|
|
|
| statusCode == N.status200 =
|
|
|
|
case eitherDecode respBody of
|
|
|
|
Left e -> do
|
|
|
|
logError
|
|
|
|
throw500 $ "Invalid response from authorization hook: " <> T.pack e
|
|
|
|
Right rawHeaders -> getUserInfoFromHdrs rawHeaders
|
|
|
|
|
|
|
|
| statusCode == N.status401 = do
|
|
|
|
logError
|
|
|
|
throw401 "Authentication hook unauthorized this request"
|
|
|
|
|
|
|
|
| otherwise = do
|
|
|
|
logError
|
|
|
|
throw500 "Invalid response from authorization hook"
|
|
|
|
where
|
|
|
|
getUserInfoFromHdrs rawHeaders = do
|
2018-10-28 19:31:24 +03:00
|
|
|
let usrVars = mkUserVars $ Map.toList rawHeaders
|
2018-10-26 18:57:22 +03:00
|
|
|
case roleFromVars usrVars of
|
2018-08-03 11:43:35 +03:00
|
|
|
Nothing -> do
|
|
|
|
logError
|
|
|
|
throw500 "missing x-hasura-role key in webhook response"
|
2018-10-26 18:57:22 +03:00
|
|
|
Just rn -> do
|
2019-11-26 15:14:21 +03:00
|
|
|
logWebHookResp LevelInfo Nothing
|
2018-10-26 18:57:22 +03:00
|
|
|
return $ mkUserInfo rn usrVars
|
2018-08-03 11:43:35 +03:00
|
|
|
|
|
|
|
logError =
|
2019-11-26 15:14:21 +03:00
|
|
|
logWebHookResp LevelError $ Just respBody
|
2018-08-03 11:43:35 +03:00
|
|
|
|
|
|
|
logWebHookResp logLevel mResp =
|
2019-11-26 15:14:21 +03:00
|
|
|
unLogger logger $ WebHookLog logLevel (Just statusCode)
|
2018-12-03 14:19:08 +03:00
|
|
|
url method Nothing $ fmap (bsToTxt . BL.toStrict) mResp
|
2018-08-03 11:43:35 +03:00
|
|
|
|
2018-12-03 14:19:08 +03:00
|
|
|
userInfoFromAuthHook
|
2018-07-20 10:22:46 +03:00
|
|
|
:: (MonadIO m, MonadError QErr m)
|
2019-11-26 15:14:21 +03:00
|
|
|
=> Logger Hasura
|
2018-08-03 11:43:35 +03:00
|
|
|
-> H.Manager
|
2018-12-03 14:19:08 +03:00
|
|
|
-> AuthHook
|
2018-07-20 10:22:46 +03:00
|
|
|
-> [N.Header]
|
|
|
|
-> m UserInfo
|
2018-12-03 14:19:08 +03:00
|
|
|
userInfoFromAuthHook logger manager hook reqHeaders = do
|
|
|
|
res <- liftIO $ try $ bool withGET withPOST isPost
|
2018-08-03 11:43:35 +03:00
|
|
|
resp <- either logAndThrow return res
|
2018-07-20 10:22:46 +03:00
|
|
|
let status = resp ^. Wreq.responseStatus
|
2018-08-03 11:43:35 +03:00
|
|
|
respBody = resp ^. Wreq.responseBody
|
2018-07-20 10:22:46 +03:00
|
|
|
|
2018-12-03 14:19:08 +03:00
|
|
|
mkUserInfoFromResp logger urlT method status respBody
|
2018-07-20 10:22:46 +03:00
|
|
|
where
|
2018-12-03 14:19:08 +03:00
|
|
|
mkOptions = wreqOptions manager
|
2018-12-19 14:38:33 +03:00
|
|
|
AuthHookG urlT ty = hook
|
2018-12-03 14:19:08 +03:00
|
|
|
isPost = case ty of
|
|
|
|
AHTPost -> True
|
|
|
|
AHTGet -> False
|
|
|
|
method = bool N.GET N.POST isPost
|
|
|
|
|
|
|
|
withGET = Wreq.getWith (mkOptions filteredHeaders) $
|
|
|
|
T.unpack urlT
|
|
|
|
|
|
|
|
contentType = ("Content-Type", "application/json")
|
|
|
|
postHdrsPayload = J.toJSON $ Map.fromList $ hdrsToText reqHeaders
|
|
|
|
withPOST = Wreq.postWith (mkOptions [contentType]) (T.unpack urlT) $
|
|
|
|
object ["headers" J..= postHdrsPayload]
|
|
|
|
|
2018-08-03 11:43:35 +03:00
|
|
|
logAndThrow err = do
|
2019-11-26 15:14:21 +03:00
|
|
|
unLogger logger $
|
|
|
|
WebHookLog LevelError Nothing urlT method
|
2018-12-13 10:26:15 +03:00
|
|
|
(Just $ HttpException err) Nothing
|
2018-08-03 11:43:35 +03:00
|
|
|
throw500 "Internal Server Error"
|
|
|
|
|
2019-02-28 14:50:56 +03:00
|
|
|
filteredHeaders = flip filter reqHeaders $ \(n, _) ->
|
2019-05-16 12:11:16 +03:00
|
|
|
n `notElem` commonClientHeadersIgnored
|
2018-07-20 10:22:46 +03:00
|
|
|
|
|
|
|
getUserInfo
|
|
|
|
:: (MonadIO m, MonadError QErr m)
|
2019-11-26 15:14:21 +03:00
|
|
|
=> Logger Hasura
|
2018-08-03 11:43:35 +03:00
|
|
|
-> H.Manager
|
2018-07-20 10:22:46 +03:00
|
|
|
-> [N.Header]
|
|
|
|
-> AuthMode
|
|
|
|
-> m UserInfo
|
2019-05-14 09:24:46 +03:00
|
|
|
getUserInfo l m r a = fst <$> getUserInfoWithExpTime l m r a
|
2018-07-20 10:22:46 +03:00
|
|
|
|
2019-05-14 09:24:46 +03:00
|
|
|
getUserInfoWithExpTime
|
|
|
|
:: (MonadIO m, MonadError QErr m)
|
2019-11-26 15:14:21 +03:00
|
|
|
=> Logger Hasura
|
2019-05-14 09:24:46 +03:00
|
|
|
-> H.Manager
|
|
|
|
-> [N.Header]
|
|
|
|
-> AuthMode
|
|
|
|
-> m (UserInfo, Maybe UTCTime)
|
|
|
|
getUserInfoWithExpTime logger manager rawHeaders = \case
|
|
|
|
|
|
|
|
AMNoAuth -> return (userInfoFromHeaders, Nothing)
|
2018-07-20 10:22:46 +03:00
|
|
|
|
2019-02-14 12:37:47 +03:00
|
|
|
AMAdminSecret adminScrt unAuthRole ->
|
|
|
|
case adminSecretM of
|
2019-05-14 09:24:46 +03:00
|
|
|
Just givenAdminScrt ->
|
|
|
|
withNoExpTime $ userInfoWhenAdminSecret adminScrt givenAdminScrt
|
|
|
|
Nothing ->
|
|
|
|
withNoExpTime $ userInfoWhenNoAdminSecret unAuthRole
|
2018-07-20 10:22:46 +03:00
|
|
|
|
2019-02-14 12:37:47 +03:00
|
|
|
AMAdminSecretAndHook accKey hook ->
|
2019-05-14 09:24:46 +03:00
|
|
|
whenAdminSecretAbsent accKey $
|
|
|
|
withNoExpTime $ userInfoFromAuthHook logger manager hook rawHeaders
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
|
2019-02-14 12:37:47 +03:00
|
|
|
AMAdminSecretAndJWT accKey jwtSecret unAuthRole ->
|
|
|
|
whenAdminSecretAbsent accKey (processJwt jwtSecret rawHeaders unAuthRole)
|
2018-07-20 10:22:46 +03:00
|
|
|
|
|
|
|
where
|
2019-02-14 12:37:47 +03:00
|
|
|
-- when admin secret is absent, run the action to retrieve UserInfo, otherwise
|
|
|
|
-- adminsecret override
|
|
|
|
whenAdminSecretAbsent ak action =
|
2019-05-14 09:24:46 +03:00
|
|
|
maybe action (withNoExpTime . userInfoWhenAdminSecret ak) adminSecretM
|
2019-02-14 12:37:47 +03:00
|
|
|
|
2019-05-14 09:24:46 +03:00
|
|
|
adminSecretM= foldl1 (<|>) $
|
|
|
|
map (`getVarVal` usrVars) [adminSecretHeader, deprecatedAccessKeyHeader]
|
2018-07-20 10:22:46 +03:00
|
|
|
|
2018-12-03 14:19:08 +03:00
|
|
|
usrVars = mkUserVars $ hdrsToText rawHeaders
|
2018-07-20 10:22:46 +03:00
|
|
|
|
2019-02-14 12:37:47 +03:00
|
|
|
userInfoWhenAdminSecret key reqKey = do
|
2019-05-14 09:24:46 +03:00
|
|
|
when (reqKey /= getAdminSecret key) $ throw401 $
|
|
|
|
"invalid " <> adminSecretHeader <> "/" <> deprecatedAccessKeyHeader
|
2018-07-20 10:22:46 +03:00
|
|
|
return userInfoFromHeaders
|
2018-10-25 21:16:25 +03:00
|
|
|
|
2019-02-14 12:37:47 +03:00
|
|
|
userInfoWhenNoAdminSecret = \case
|
2019-05-14 09:24:46 +03:00
|
|
|
Nothing -> throw401 $ adminSecretHeader <> "/"
|
|
|
|
<> deprecatedAccessKeyHeader <> " required, but not found"
|
2018-10-26 18:57:22 +03:00
|
|
|
Just role -> return $ mkUserInfo role usrVars
|
2019-05-14 09:24:46 +03:00
|
|
|
|
|
|
|
withNoExpTime a = (, Nothing) <$> a
|
2019-11-26 15:14:21 +03:00
|
|
|
|
|
|
|
userInfoFromHeaders =
|
|
|
|
case roleFromVars usrVars of
|
|
|
|
Just rn -> mkUserInfo rn usrVars
|
|
|
|
Nothing -> mkUserInfo adminRole usrVars
|