2018-06-27 16:11:32 +03:00
|
|
|
module Hasura.Server.Init where
|
|
|
|
|
2018-12-14 06:21:41 +03:00
|
|
|
import qualified Database.PG.Query as Q
|
2018-06-27 16:11:32 +03:00
|
|
|
|
|
|
|
import Options.Applicative
|
2018-12-14 06:21:41 +03:00
|
|
|
import System.Exit (exitFailure)
|
2018-06-27 16:11:32 +03:00
|
|
|
|
2018-12-14 06:21:41 +03:00
|
|
|
import qualified Data.Text as T
|
|
|
|
import qualified Text.PrettyPrint.ANSI.Leijen as PP
|
2018-06-27 16:11:32 +03:00
|
|
|
|
|
|
|
import Hasura.Prelude
|
|
|
|
import Hasura.RQL.DDL.Utils
|
2018-12-14 06:21:41 +03:00
|
|
|
import Hasura.RQL.Types (RoleName (..))
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
import Hasura.Server.Auth
|
2018-06-28 13:49:40 +03:00
|
|
|
import Hasura.Server.Utils
|
2018-06-27 16:11:32 +03:00
|
|
|
|
|
|
|
initErrExit :: (Show e) => e -> IO a
|
|
|
|
initErrExit e = print e >> exitFailure
|
|
|
|
|
|
|
|
-- clear the hdb_views schema
|
|
|
|
initStateTx :: Q.Tx ()
|
2018-09-05 14:26:46 +03:00
|
|
|
initStateTx = clearHdbViews
|
2018-06-27 16:11:32 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
data RawConnParams
|
|
|
|
= RawConnParams
|
|
|
|
{ rcpStripes :: !(Maybe Int)
|
|
|
|
, rcpConns :: !(Maybe Int)
|
|
|
|
, rcpIdleTime :: !(Maybe Int)
|
|
|
|
} deriving (Show, Eq)
|
|
|
|
|
|
|
|
type RawAuthHook = AuthHookG (Maybe T.Text) (Maybe AuthHookType)
|
|
|
|
|
|
|
|
data RawServeOptions
|
|
|
|
= RawServeOptions
|
|
|
|
{ rsoPort :: !(Maybe Int)
|
|
|
|
, rsoConnParams :: !RawConnParams
|
|
|
|
, rsoTxIso :: !(Maybe Q.TxIsolation)
|
|
|
|
, rsoAccessKey :: !(Maybe AccessKey)
|
|
|
|
, rsoAuthHook :: !RawAuthHook
|
|
|
|
, rsoJwtSecret :: !(Maybe Text)
|
|
|
|
, rsoUnAuthRole :: !(Maybe RoleName)
|
|
|
|
, rsoCorsConfig :: !RawCorsConfig
|
|
|
|
, rsoEnableConsole :: !Bool
|
|
|
|
} deriving (Show, Eq)
|
|
|
|
|
|
|
|
data CorsConfigG a
|
|
|
|
= CorsConfigG
|
|
|
|
{ ccDomain :: !a
|
|
|
|
, ccDisabled :: !Bool
|
|
|
|
} deriving (Show, Eq)
|
|
|
|
|
|
|
|
type RawCorsConfig = CorsConfigG (Maybe T.Text)
|
|
|
|
type CorsConfig = CorsConfigG T.Text
|
|
|
|
|
|
|
|
data ServeOptions
|
|
|
|
= ServeOptions
|
|
|
|
{ soPort :: !Int
|
|
|
|
, soConnParams :: !Q.ConnParams
|
|
|
|
, soTxIso :: !Q.TxIsolation
|
|
|
|
, soAccessKey :: !(Maybe AccessKey)
|
|
|
|
, soAuthHook :: !(Maybe AuthHook)
|
|
|
|
, soJwtSecret :: !(Maybe Text)
|
|
|
|
, soUnAuthRole :: !(Maybe RoleName)
|
|
|
|
, soCorsConfig :: !CorsConfig
|
|
|
|
, soEnableConsole :: !Bool
|
|
|
|
} deriving (Show, Eq)
|
|
|
|
|
2018-06-27 16:11:32 +03:00
|
|
|
data RawConnInfo =
|
|
|
|
RawConnInfo
|
|
|
|
{ connHost :: !(Maybe String)
|
|
|
|
, connPort :: !(Maybe Int)
|
|
|
|
, connUser :: !(Maybe String)
|
|
|
|
, connPassword :: !String
|
|
|
|
, connUrl :: !(Maybe String)
|
|
|
|
, connDatabase :: !(Maybe String)
|
|
|
|
, connOptions :: !(Maybe String)
|
|
|
|
} deriving (Eq, Read, Show)
|
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
data HGECommandG a
|
|
|
|
= HCServe !a
|
|
|
|
| HCExport
|
|
|
|
| HCClean
|
|
|
|
| HCExecute
|
|
|
|
| HCVersion
|
|
|
|
deriving (Show, Eq)
|
|
|
|
|
|
|
|
type HGECommand = HGECommandG ServeOptions
|
|
|
|
type RawHGECommand = HGECommandG RawServeOptions
|
|
|
|
|
|
|
|
data HGEOptionsG a
|
|
|
|
= HGEOptionsG
|
|
|
|
{ hoConnInfo :: !RawConnInfo
|
|
|
|
, hoCommand :: !(HGECommandG a)
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
} deriving (Show, Eq)
|
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
type RawHGEOptions = HGEOptionsG RawServeOptions
|
|
|
|
type HGEOptions = HGEOptionsG ServeOptions
|
|
|
|
|
2018-12-14 06:21:41 +03:00
|
|
|
type Env = [(String, String)]
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
class FromEnv a where
|
|
|
|
fromEnv :: String -> Either String a
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
instance FromEnv String where
|
|
|
|
fromEnv = Right
|
2018-12-14 06:21:41 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
instance FromEnv Text where
|
|
|
|
fromEnv = Right . T.pack
|
2018-12-14 06:21:41 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
instance FromEnv AuthHookType where
|
|
|
|
fromEnv = readHookType
|
2018-12-14 06:21:41 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
instance FromEnv Int where
|
|
|
|
fromEnv = maybe (Left "Expecting Int value") Right . readMaybe
|
2018-12-14 06:21:41 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
instance FromEnv AccessKey where
|
|
|
|
fromEnv = Right . AccessKey . T.pack
|
2018-12-14 06:21:41 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
instance FromEnv RoleName where
|
|
|
|
fromEnv = Right . RoleName . T.pack
|
2018-12-14 06:21:41 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
instance FromEnv Bool where
|
|
|
|
fromEnv = parseStrAsBool
|
2018-12-14 06:21:41 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
instance FromEnv Q.TxIsolation where
|
|
|
|
fromEnv = readIsoLevel
|
2018-12-14 06:21:41 +03:00
|
|
|
|
|
|
|
parseStrAsBool :: String -> Either String Bool
|
|
|
|
parseStrAsBool t
|
|
|
|
| t `elem` truthVals = Right True
|
|
|
|
| t `elem` falseVals = Right False
|
|
|
|
| otherwise = Left errMsg
|
|
|
|
where
|
|
|
|
truthVals = ["true", "t", "yes", "y"]
|
|
|
|
falseVals = ["false", "f", "no", "n"]
|
|
|
|
|
|
|
|
errMsg = " Not a valid boolean text. " ++ "True values are "
|
|
|
|
++ show truthVals ++ " and False values are " ++ show falseVals
|
|
|
|
++ ". All values are case insensitive"
|
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
readIsoLevel :: String -> Either String Q.TxIsolation
|
|
|
|
readIsoLevel isoS =
|
|
|
|
case isoS of
|
|
|
|
"read-comitted" -> return Q.ReadCommitted
|
|
|
|
"repeatable-read" -> return Q.RepeatableRead
|
|
|
|
"serializable" -> return Q.ReadCommitted
|
|
|
|
_ -> Left "Only expecting read-comitted / repeatable-read / serializable"
|
2018-12-14 06:21:41 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
type WithEnv a = ReaderT Env (ExceptT String Identity) a
|
2018-12-14 06:21:41 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
runWithEnv :: Env -> WithEnv a -> Either String a
|
|
|
|
runWithEnv env m = runIdentity $ runExceptT $ runReaderT m env
|
2018-12-14 06:21:41 +03:00
|
|
|
|
|
|
|
returnJust :: Monad m => a -> m (Maybe a)
|
|
|
|
returnJust = return . Just
|
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
considerEnv :: FromEnv a => String -> WithEnv (Maybe a)
|
2018-12-14 06:21:41 +03:00
|
|
|
considerEnv envVar = do
|
|
|
|
env <- ask
|
2018-12-19 14:38:33 +03:00
|
|
|
case lookup envVar env of
|
2018-12-14 06:21:41 +03:00
|
|
|
Nothing -> return Nothing
|
2018-12-19 14:38:33 +03:00
|
|
|
Just val -> either throwErr returnJust $ fromEnv val
|
2018-12-14 06:21:41 +03:00
|
|
|
where
|
|
|
|
throwErr s = throwError $
|
2018-12-19 14:38:33 +03:00
|
|
|
"Fatal Error:- Environment variable " ++ envVar ++ ": " ++ s
|
|
|
|
|
|
|
|
withEnv :: FromEnv a => Maybe a -> String -> WithEnv (Maybe a)
|
|
|
|
withEnv mVal envVar =
|
|
|
|
maybe (considerEnv envVar) returnJust mVal
|
|
|
|
|
|
|
|
withEnvBool :: Bool -> String -> WithEnv Bool
|
|
|
|
withEnvBool bVal envVar =
|
|
|
|
bool considerEnv' (return True) bVal
|
|
|
|
where
|
|
|
|
considerEnv' = do
|
|
|
|
mEnvVal <- considerEnv envVar
|
|
|
|
maybe (return False) return mEnvVal
|
|
|
|
|
|
|
|
mkHGEOptions :: RawHGEOptions -> WithEnv HGEOptions
|
|
|
|
mkHGEOptions (HGEOptionsG rawConnInfo rawCmd) =
|
|
|
|
HGEOptionsG <$> connInfo <*> cmd
|
|
|
|
where
|
|
|
|
connInfo = mkRawConnInfo rawConnInfo
|
|
|
|
cmd = case rawCmd of
|
|
|
|
HCServe rso -> HCServe <$> mkServeOptions rso
|
|
|
|
HCExport -> return HCExport
|
|
|
|
HCClean -> return HCClean
|
|
|
|
HCExecute -> return HCExecute
|
|
|
|
HCVersion -> return HCVersion
|
|
|
|
|
|
|
|
mkRawConnInfo :: RawConnInfo -> WithEnv RawConnInfo
|
|
|
|
mkRawConnInfo rawConnInfo = do
|
|
|
|
withEnvUrl <- withEnv rawDBUrl $ fst databaseUrlEnv
|
|
|
|
return $ rawConnInfo {connUrl = withEnvUrl}
|
|
|
|
where
|
|
|
|
rawDBUrl = connUrl rawConnInfo
|
|
|
|
|
|
|
|
mkServeOptions :: RawServeOptions -> WithEnv ServeOptions
|
|
|
|
mkServeOptions rso = do
|
|
|
|
port <- fromMaybe 8080 <$>
|
|
|
|
withEnv (rsoPort rso) (fst servePortEnv)
|
|
|
|
connParams <- mkConnParams $ rsoConnParams rso
|
|
|
|
txIso <- fromMaybe Q.ReadCommitted <$>
|
|
|
|
withEnv (rsoTxIso rso) (fst txIsoEnv)
|
|
|
|
accKey <- withEnv (rsoAccessKey rso) $ fst accessKeyEnv
|
|
|
|
authHook <- mkAuthHook $ rsoAuthHook rso
|
|
|
|
jwtSecr <- withEnv (rsoJwtSecret rso) $ fst jwtSecretEnv
|
|
|
|
unAuthRole <- withEnv (rsoUnAuthRole rso) $ fst unAuthRoleEnv
|
|
|
|
corsCfg <- mkCorsConfig $ rsoCorsConfig rso
|
|
|
|
enableConsole <- withEnvBool (rsoEnableConsole rso) $
|
|
|
|
fst enableConsoleEnv
|
2018-12-21 10:51:02 +03:00
|
|
|
return $ ServeOptions port connParams txIso accKey authHook
|
2018-12-19 14:38:33 +03:00
|
|
|
jwtSecr unAuthRole corsCfg enableConsole
|
|
|
|
where
|
|
|
|
mkConnParams (RawConnParams s c i) = do
|
|
|
|
stripes <- fromMaybe 1 <$> withEnv s (fst pgStripesEnv)
|
|
|
|
conns <- fromMaybe 50 <$> withEnv c (fst pgConnsEnv)
|
|
|
|
iTime <- fromMaybe 180 <$> withEnv i (fst pgTimeoutEnv)
|
|
|
|
return $ Q.ConnParams stripes conns iTime
|
|
|
|
|
|
|
|
mkAuthHook (AuthHookG mUrl mType) = do
|
|
|
|
mUrlEnv <- withEnv mUrl $ fst authHookEnv
|
|
|
|
ty <- fromMaybe AHTGet <$> withEnv mType (fst authHookTypeEnv)
|
|
|
|
return (flip AuthHookG ty <$> mUrlEnv)
|
|
|
|
|
|
|
|
mkCorsConfig (CorsConfigG mDom isDis) = do
|
|
|
|
domEnv <- fromMaybe "*" <$> withEnv mDom (fst corsDomainEnv)
|
|
|
|
return $ CorsConfigG domEnv isDis
|
2018-12-14 06:21:41 +03:00
|
|
|
|
|
|
|
mkExamplesDoc :: [[String]] -> PP.Doc
|
|
|
|
mkExamplesDoc exampleLines =
|
|
|
|
PP.text "Examples: " PP.<$> PP.indent 2 (PP.vsep examples)
|
|
|
|
where
|
|
|
|
examples = map PP.text $ intercalate [""] exampleLines
|
|
|
|
|
|
|
|
mkEnvVarDoc :: [(String, String)] -> PP.Doc
|
|
|
|
mkEnvVarDoc envVars =
|
|
|
|
PP.text "Environment variables: " PP.<$>
|
|
|
|
PP.indent 2 (PP.vsep $ map mkEnvVarLine envVars)
|
|
|
|
where
|
|
|
|
mkEnvVarLine (var, desc) =
|
|
|
|
(PP.fillBreak 30 (PP.text var) PP.<+> prettifyDesc desc) <> PP.hardline
|
|
|
|
prettifyDesc = PP.align . PP.fillSep . map PP.text . words
|
|
|
|
|
|
|
|
mainCmdFooter :: PP.Doc
|
|
|
|
mainCmdFooter =
|
|
|
|
examplesDoc PP.<$> PP.text "" PP.<$> envVarDoc
|
|
|
|
where
|
|
|
|
examplesDoc = mkExamplesDoc examples
|
|
|
|
examples =
|
|
|
|
[
|
|
|
|
[ "# Serve GraphQL Engine on default port (8080) with console disabled"
|
|
|
|
, "graphql-engine --database-url <database-url> serve"
|
|
|
|
]
|
|
|
|
, [ "# For more options, checkout"
|
|
|
|
, "graphql-engine serve --help"
|
|
|
|
]
|
|
|
|
]
|
|
|
|
|
|
|
|
envVarDoc = mkEnvVarDoc [databaseUrlEnv]
|
|
|
|
|
|
|
|
databaseUrlEnv :: (String, String)
|
|
|
|
databaseUrlEnv =
|
|
|
|
( "HASURA_GRAPHQL_DATABASE_URL"
|
|
|
|
, "Postgres database URL. Example postgres://foo:bar@example.com:2345/database"
|
|
|
|
)
|
|
|
|
|
|
|
|
serveCmdFooter :: PP.Doc
|
|
|
|
serveCmdFooter =
|
|
|
|
examplesDoc PP.<$> PP.text "" PP.<$> envVarDoc
|
|
|
|
where
|
|
|
|
examplesDoc = mkExamplesDoc examples
|
|
|
|
examples =
|
|
|
|
[
|
|
|
|
[ "# Start GraphQL Engine on default port (8080) with console enabled"
|
|
|
|
, "graphql-engine --database-url <database-url> serve --enable-console"
|
|
|
|
]
|
|
|
|
, [ "# Start GraphQL Engine on default port (8080) with console disabled"
|
|
|
|
, "graphql-engine --database-url <database-url> serve"
|
|
|
|
]
|
|
|
|
, [ "# Start GraphQL Engine on a different port (say 9090) with console disabled"
|
|
|
|
, "graphql-engine --database-url <database-url> serve --server-port 9090"
|
|
|
|
]
|
|
|
|
, [ "# Start GraphQL Engine with access key"
|
|
|
|
, "graphql-engine --database-url <database-url> serve --access-key <secretaccesskey>"
|
|
|
|
]
|
|
|
|
, [ "# Start GraphQL Engine with restrictive CORS policy (only allow https://example.com:8080)"
|
|
|
|
, "graphql-engine --database-url <database-url> serve --cors-domain https://example.com:8080"
|
|
|
|
]
|
|
|
|
, [ "# Start GraphQL Engine with Authentication Webhook (GET)"
|
|
|
|
, "graphql-engine --database-url <database-url> serve --access-key <secretaccesskey>"
|
|
|
|
<> " --auth-hook https://mywebhook.com/get"
|
|
|
|
]
|
|
|
|
, [ "# Start GraphQL Engine with Authentication Webhook (POST)"
|
|
|
|
, "graphql-engine --database-url <database-url> serve --access-key <secretaccesskey>"
|
|
|
|
<> " --auth-hook https://mywebhook.com/post --auth-hook-mode POST"
|
|
|
|
]
|
|
|
|
]
|
|
|
|
|
|
|
|
envVarDoc = mkEnvVarDoc $ envVars <> eventEnvs
|
|
|
|
envVars =
|
|
|
|
[ servePortEnv, pgStripesEnv, pgConnsEnv, pgTimeoutEnv
|
2018-12-21 10:51:02 +03:00
|
|
|
, txIsoEnv, accessKeyEnv, authHookEnv , authHookTypeEnv
|
2018-12-14 06:21:41 +03:00
|
|
|
, jwtSecretEnv , unAuthRoleEnv, corsDomainEnv , enableConsoleEnv
|
|
|
|
]
|
|
|
|
|
|
|
|
eventEnvs =
|
|
|
|
[ ( "HASURA_GRAPHQL_EVENTS_HTTP_POOL_SIZE"
|
|
|
|
, "Max event threads"
|
|
|
|
)
|
|
|
|
, ( "HASURA_GRAPHQL_EVENTS_FETCH_INTERVAL"
|
|
|
|
, "Postgres events polling interval"
|
|
|
|
)
|
|
|
|
]
|
|
|
|
|
|
|
|
servePortEnv :: (String, String)
|
|
|
|
servePortEnv =
|
|
|
|
( "HASURA_GRAPHQL_SERVER_PORT"
|
|
|
|
, "Port on which graphql-engine should be served (default: 8080)"
|
|
|
|
)
|
|
|
|
|
|
|
|
pgConnsEnv :: (String, String)
|
|
|
|
pgConnsEnv =
|
|
|
|
( "HASURA_GRAPHQL_PG_CONNECTIONS"
|
|
|
|
, "Number of conns that need to be opened to Postgres (default: 50)"
|
|
|
|
)
|
|
|
|
|
|
|
|
pgStripesEnv :: (String, String)
|
|
|
|
pgStripesEnv =
|
|
|
|
( "HASURA_GRAPHQL_PG_STRIPES"
|
|
|
|
, "Number of conns that need to be opened to Postgres (default: 1)")
|
|
|
|
|
|
|
|
pgTimeoutEnv :: (String, String)
|
|
|
|
pgTimeoutEnv =
|
|
|
|
( "HASURA_GRAPHQL_PG_TIMEOUT"
|
|
|
|
, "Each connection's idle time before it is closed (default: 180 sec)"
|
|
|
|
)
|
|
|
|
|
|
|
|
txIsoEnv :: (String, String)
|
|
|
|
txIsoEnv =
|
|
|
|
( "HASURA_GRAPHQL_TX_ISOLATION"
|
|
|
|
, "transaction isolation. read-committed / repeatable-read / serializable (default: read-commited)"
|
|
|
|
)
|
|
|
|
|
|
|
|
accessKeyEnv :: (String, String)
|
|
|
|
accessKeyEnv =
|
|
|
|
( "HASURA_GRAPHQL_ACCESS_KEY"
|
|
|
|
, "Secret access key, required to access this instance"
|
|
|
|
)
|
|
|
|
|
|
|
|
authHookEnv :: (String, String)
|
|
|
|
authHookEnv =
|
|
|
|
( "HASURA_GRAPHQL_AUTH_HOOK"
|
|
|
|
, "The authentication webhook, required to authenticate requests"
|
|
|
|
)
|
|
|
|
|
|
|
|
authHookTypeEnv :: (String, String)
|
|
|
|
authHookTypeEnv =
|
|
|
|
( "HASURA_GRAPHQL_AUTH_HOOK_TYPE"
|
|
|
|
, "The authentication webhook type (default: GET)"
|
|
|
|
)
|
|
|
|
|
|
|
|
jwtSecretEnv :: (String, String)
|
|
|
|
jwtSecretEnv =
|
|
|
|
( "HASURA_GRAPHQL_JWT_SECRET"
|
|
|
|
, jwtSecretHelp
|
|
|
|
)
|
|
|
|
|
|
|
|
unAuthRoleEnv :: (String, String)
|
|
|
|
unAuthRoleEnv =
|
|
|
|
( "HASURA_GRAPHQL_UNAUTHORIZED_ROLE"
|
|
|
|
, "Unauthorized role, used when access-key is not sent in access-key only mode "
|
|
|
|
++ "or \"Authorization\" header is absent in JWT mode"
|
|
|
|
)
|
|
|
|
|
|
|
|
corsDomainEnv :: (String, String)
|
|
|
|
corsDomainEnv =
|
|
|
|
( "HASURA_GRAPHQL_CORS_DOMAIN"
|
|
|
|
, "The domain, including scheme and port, to allow CORS for"
|
|
|
|
)
|
|
|
|
|
|
|
|
enableConsoleEnv :: (String, String)
|
|
|
|
enableConsoleEnv =
|
|
|
|
( "HASURA_GRAPHQL_ENABLE_CONSOLE"
|
|
|
|
, "Enable API Console"
|
|
|
|
)
|
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
parseRawConnInfo :: Parser RawConnInfo
|
|
|
|
parseRawConnInfo =
|
2018-12-14 06:21:41 +03:00
|
|
|
RawConnInfo <$> host <*> port <*> user <*> password
|
|
|
|
<*> dbUrl <*> dbName <*> pure Nothing
|
|
|
|
where
|
2018-12-19 14:38:33 +03:00
|
|
|
host = optional $
|
|
|
|
strOption ( long "host" <>
|
2018-06-27 16:11:32 +03:00
|
|
|
metavar "HOST" <>
|
2018-12-19 14:38:33 +03:00
|
|
|
help "Postgres server host" )
|
2018-12-14 06:21:41 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
port = optional $
|
|
|
|
option auto ( long "port" <>
|
2018-06-27 16:11:32 +03:00
|
|
|
short 'p' <>
|
|
|
|
metavar "PORT" <>
|
2018-12-19 14:38:33 +03:00
|
|
|
help "Postgres server port" )
|
2018-12-14 06:21:41 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
user = optional $
|
|
|
|
strOption ( long "user" <>
|
2018-06-27 16:11:32 +03:00
|
|
|
short 'u' <>
|
|
|
|
metavar "USER" <>
|
2018-12-19 14:38:33 +03:00
|
|
|
help "Database user name" )
|
2018-12-14 06:21:41 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
password =
|
2018-12-14 06:21:41 +03:00
|
|
|
strOption ( long "password" <>
|
2018-06-27 16:11:32 +03:00
|
|
|
metavar "PASSWORD" <>
|
|
|
|
value "" <>
|
2018-12-19 14:38:33 +03:00
|
|
|
help "Password of the user"
|
|
|
|
)
|
2018-12-14 06:21:41 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
dbUrl = optional $
|
|
|
|
strOption
|
|
|
|
( long "database-url" <>
|
|
|
|
metavar "DATABASE-URL" <>
|
|
|
|
help (snd databaseUrlEnv)
|
|
|
|
)
|
2018-12-14 06:21:41 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
dbName = optional $
|
|
|
|
strOption ( long "dbname" <>
|
2018-06-27 16:11:32 +03:00
|
|
|
short 'd' <>
|
|
|
|
metavar "NAME" <>
|
2018-12-19 14:38:33 +03:00
|
|
|
help "Database name to connect to"
|
|
|
|
)
|
2018-06-27 16:11:32 +03:00
|
|
|
|
|
|
|
connInfoErrModifier :: String -> String
|
|
|
|
connInfoErrModifier s = "Fatal Error : " ++ s
|
|
|
|
|
2018-12-14 06:21:41 +03:00
|
|
|
mkConnInfo ::RawConnInfo -> Either String Q.ConnInfo
|
|
|
|
mkConnInfo (RawConnInfo mHost mPort mUser pass mURL mDB opts) =
|
|
|
|
case (mHost, mPort, mUser, mDB, mURL) of
|
2018-06-28 13:49:40 +03:00
|
|
|
|
2018-06-27 16:11:32 +03:00
|
|
|
(Just host, Just port, Just user, Just db, Nothing) ->
|
|
|
|
return $ Q.ConnInfo host port user pass db opts
|
2018-06-28 13:49:40 +03:00
|
|
|
|
|
|
|
(_, _, _, _, Just dbURL) -> maybe (throwError invalidUrlMsg)
|
|
|
|
return $ parseDatabaseUrl dbURL opts
|
|
|
|
_ -> throwError $ "Invalid options. "
|
|
|
|
++ "Expecting all database connection params "
|
|
|
|
++ "(host, port, user, dbname, password) or "
|
2018-07-06 08:13:46 +03:00
|
|
|
++ "database-url (HASURA_GRAPHQL_DATABASE_URL)"
|
2018-06-28 13:49:40 +03:00
|
|
|
where
|
2018-07-06 08:13:46 +03:00
|
|
|
invalidUrlMsg = "Invalid database-url (HASURA_GRAPHQL_DATABASE_URL). "
|
2018-06-28 13:49:40 +03:00
|
|
|
++ "Example postgres://foo:bar@example.com:2345/database"
|
2018-06-27 16:11:32 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
parseTxIsolation :: Parser (Maybe Q.TxIsolation)
|
|
|
|
parseTxIsolation = optional $
|
|
|
|
option (eitherReader readIsoLevel)
|
|
|
|
( long "tx-iso" <>
|
|
|
|
short 'i' <>
|
|
|
|
metavar "TXISO" <>
|
|
|
|
help (snd txIsoEnv)
|
|
|
|
)
|
|
|
|
|
|
|
|
parseConnParams :: Parser RawConnParams
|
|
|
|
parseConnParams =
|
|
|
|
RawConnParams <$> stripes <*> conns <*> timeout
|
2018-12-14 06:21:41 +03:00
|
|
|
where
|
2018-12-19 14:38:33 +03:00
|
|
|
stripes = optional $
|
|
|
|
option auto
|
2018-12-14 06:21:41 +03:00
|
|
|
( long "stripes" <>
|
|
|
|
short 's' <>
|
|
|
|
metavar "NO OF STRIPES" <>
|
2018-12-19 14:38:33 +03:00
|
|
|
help (snd pgStripesEnv)
|
2018-12-14 06:21:41 +03:00
|
|
|
)
|
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
conns = optional $
|
|
|
|
option auto
|
2018-12-14 06:21:41 +03:00
|
|
|
( long "connections" <>
|
2018-06-27 16:11:32 +03:00
|
|
|
short 'c' <>
|
|
|
|
metavar "NO OF CONNS" <>
|
2018-12-19 14:38:33 +03:00
|
|
|
help (snd pgConnsEnv)
|
2018-12-14 06:21:41 +03:00
|
|
|
)
|
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
timeout = optional $
|
|
|
|
option auto
|
2018-12-14 06:21:41 +03:00
|
|
|
( long "timeout" <>
|
|
|
|
metavar "SECONDS" <>
|
2018-12-19 14:38:33 +03:00
|
|
|
help (snd pgTimeoutEnv)
|
2018-11-15 07:55:39 +03:00
|
|
|
)
|
2018-06-27 16:11:32 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
parseServerPort :: Parser (Maybe Int)
|
|
|
|
parseServerPort = optional $
|
|
|
|
option auto
|
2018-12-14 06:21:41 +03:00
|
|
|
( long "server-port" <>
|
|
|
|
metavar "PORT" <>
|
2018-12-19 14:38:33 +03:00
|
|
|
help (snd servePortEnv)
|
2018-12-14 06:21:41 +03:00
|
|
|
)
|
2018-12-19 14:38:33 +03:00
|
|
|
|
|
|
|
parseAccessKey :: Parser (Maybe AccessKey)
|
|
|
|
parseAccessKey =
|
|
|
|
optional $ AccessKey <$>
|
|
|
|
strOption ( long "access-key" <>
|
|
|
|
metavar "SECRET ACCESS KEY" <>
|
|
|
|
help (snd accessKeyEnv)
|
|
|
|
)
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
|
2018-12-03 14:19:08 +03:00
|
|
|
readHookType :: String -> Either String AuthHookType
|
|
|
|
readHookType tyS =
|
|
|
|
case tyS of
|
|
|
|
"GET" -> Right AHTGet
|
|
|
|
"POST" -> Right AHTPost
|
|
|
|
_ -> Left "Only expecting GET / POST"
|
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
parseWebHook :: Parser RawAuthHook
|
|
|
|
parseWebHook =
|
|
|
|
AuthHookG <$> url <*> urlType
|
2018-12-14 06:21:41 +03:00
|
|
|
where
|
2018-12-19 14:38:33 +03:00
|
|
|
url = optional $
|
|
|
|
strOption ( long "auth-hook" <>
|
|
|
|
metavar "AUTHENTICATION WEB HOOK" <>
|
|
|
|
help (snd authHookEnv)
|
|
|
|
)
|
|
|
|
urlType = optional $
|
|
|
|
option (eitherReader readHookType)
|
2018-12-14 06:21:41 +03:00
|
|
|
( long "auth-hook-mode" <>
|
|
|
|
metavar "GET|POST" <>
|
2018-12-19 14:38:33 +03:00
|
|
|
help (snd authHookTypeEnv)
|
2018-12-14 06:21:41 +03:00
|
|
|
)
|
|
|
|
|
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
parseJwtSecret :: Parser (Maybe Text)
|
|
|
|
parseJwtSecret =
|
|
|
|
optional $ strOption
|
2018-12-14 06:21:41 +03:00
|
|
|
( long "jwt-secret" <>
|
|
|
|
metavar "JWK" <>
|
2018-12-19 14:38:33 +03:00
|
|
|
help (snd jwtSecretEnv)
|
2018-12-14 06:21:41 +03:00
|
|
|
)
|
add support for jwt authorization (close #186) (#255)
The API:
1. HGE has `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var. The value of which is a JSON.
2. The structure of this JSON is: `{"type": "<standard-JWT-algorithms>", "key": "<the-key>"}`
`type` : Standard JWT algos : `HS256`, `RS256`, `RS512` etc. (see jwt.io).
`key`:
i. Incase of symmetric key, the key as it is.
ii. Incase of asymmetric keys, only the public key, in a PEM encoded string or as a X509 certificate.
3. The claims in the JWT token must contain the following:
i. `x-hasura-default-role` field: default role of that user
ii. `x-hasura-allowed-roles` : A list of allowed roles for the user. The default role is overriden by `x-hasura-role` header.
4. The claims in the JWT token, can have other `x-hasura-*` fields where their values can only be strings.
5. The JWT tokens are sent as `Authorization: Bearer <token>` headers.
---
To test:
1. Generate a shared secret (for HMAC-SHA256) or RSA key pair.
2. Goto https://jwt.io/ , add the keys
3. Edit the claims to have `x-hasura-role` (mandatory) and other `x-hasura-*` fields. Add permissions related to the claims to test permissions.
4. Start HGE with `--jwt-secret` flag or `HASURA_GRAPHQL_JWT_SECRET` env var, which takes a JSON string: `{"type": "HS256", "key": "mylongsharedsecret"}` or `{"type":"RS256", "key": "<PEM-encoded-public-key>"}`
5. Copy the JWT token from jwt.io and use it in the `Authorization: Bearer <token>` header.
---
TODO: Support EC public keys. It is blocked on frasertweedale/hs-jose#61
2018-08-30 13:32:09 +03:00
|
|
|
|
|
|
|
jwtSecretHelp :: String
|
|
|
|
jwtSecretHelp = "The JSON containing type and the JWK used for verifying. e.g: "
|
2018-09-07 09:00:50 +03:00
|
|
|
<> "`{\"type\": \"HS256\", \"key\": \"<your-hmac-shared-secret>\", \"claims_namespace\": \"<optional-custom-claims-key-name>\"}`,"
|
|
|
|
<> "`{\"type\": \"RS256\", \"key\": \"<your-PEM-RSA-public-key>\", \"claims_namespace\": \"<optional-custom-claims-key-name>\"}`"
|
2018-06-27 16:11:32 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
parseUnAuthRole :: Parser (Maybe RoleName)
|
|
|
|
parseUnAuthRole = optional $
|
|
|
|
RoleName <$> strOption ( long "unauthorized-role" <>
|
2018-12-14 06:21:41 +03:00
|
|
|
metavar "UNAUTHORIZED ROLE" <>
|
2018-12-19 14:38:33 +03:00
|
|
|
help (snd unAuthRoleEnv)
|
2018-12-14 06:21:41 +03:00
|
|
|
)
|
2018-07-06 08:13:46 +03:00
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
parseCorsConfig :: Parser RawCorsConfig
|
|
|
|
parseCorsConfig =
|
|
|
|
CorsConfigG <$> corsDomain <*> disableCors
|
2018-12-14 06:21:41 +03:00
|
|
|
where
|
2018-12-19 14:38:33 +03:00
|
|
|
corsDomain =
|
|
|
|
optional (strOption
|
|
|
|
( long "cors-domain" <>
|
|
|
|
metavar "CORS DOMAIN" <>
|
|
|
|
help (snd corsDomainEnv)
|
|
|
|
)
|
|
|
|
)
|
|
|
|
disableCors =
|
2018-12-14 06:21:41 +03:00
|
|
|
switch ( long "disable-cors" <>
|
2018-06-27 16:11:32 +03:00
|
|
|
help "Disable CORS handling"
|
|
|
|
)
|
|
|
|
|
2018-12-19 14:38:33 +03:00
|
|
|
parseEnableConsole :: Parser Bool
|
|
|
|
parseEnableConsole =
|
|
|
|
switch ( long "enable-console" <>
|
|
|
|
help (snd enableConsoleEnv)
|
|
|
|
)
|