server: enable inherited roles by default

PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2325
Co-authored-by: Nicolas Beaussart <7281023+beaussan@users.noreply.github.com>
GitOrigin-RevId: 8ad6fe25a3788892128c1d56b8fa0e8feed2caca
This commit is contained in:
Karthikeyan Chinnakonda 2021-10-05 17:58:38 +05:30 committed by hasura-bot
parent 8ca962ab91
commit 64e2201179
10 changed files with 91 additions and 143 deletions


@ -233,8 +233,6 @@ export WEBHOOK_FROM_ENV="http://127.0.0.1:5592"
export SCHEDULED_TRIGGERS_WEBHOOK_DOMAIN="http://127.0.0.1:5594"
export HASURA_GRAPHQL_STRINGIFY_NUMERIC_TYPES=true
export REMOTE_SCHEMAS_WEBHOOK_DOMAIN="http://127.0.0.1:5000"
export HASURA_GRAPHQL_EXPERIMENTAL_FEATURES="inherited_roles"
HGE_PIDS=""
WH_PID=""
@ -289,8 +287,8 @@ case "$SERVER_TEST_TO_RUN" in
admin-secret)
echo -e "\n$(time_elapsed): <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET #####################################>\n"
TEST_TYPE="admin-secret"
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
start_multiple_hge_servers
@ -331,7 +329,7 @@ case "$SERVER_TEST_TO_RUN" in
run_pytest_parallel --hge-key="$HASURA_GRAPHQL_ADMIN_SECRET" --hge-jwt-key-file="$OUTPUT_FOLDER/ssl/jwt_private.key" --hge-jwt-conf="$HASURA_GRAPHQL_JWT_SECRET"
kill_hge_servers
# Ed25519 test
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key }')"
@ -358,9 +356,9 @@ case "$SERVER_TEST_TO_RUN" in
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , claims_format: "stringified_json"}')"
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
# unset HASURA_GRAPHQL_JWT_SECRET
;;
@ -377,7 +375,7 @@ case "$SERVER_TEST_TO_RUN" in
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , audience: "myapp-1234"}')"
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
#unset HASURA_GRAPHQL_JWT_SECRET
@ -391,11 +389,11 @@ case "$SERVER_TEST_TO_RUN" in
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , audience: ["myapp-1234", "myapp-9876"]}')"
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , audience: ["myapp-1234", "myapp-9876"]}')"
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
unset HASURA_GRAPHQL_JWT_SECRET
@ -412,7 +410,7 @@ case "$SERVER_TEST_TO_RUN" in
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , issuer: "https://hasura.com"}')"
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , issuer: "https://hasura.com"}')"
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
@ -431,11 +429,11 @@ case "$SERVER_TEST_TO_RUN" in
# hasura claims at one level of nesting
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura_claims"}')"
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , claims_namespace_path: "$.hasura_claims"}')"
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
unset HASURA_GRAPHQL_JWT_SECRET
@ -447,7 +445,7 @@ case "$SERVER_TEST_TO_RUN" in
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , claims_namespace_path: "$.hasura['\''claims%'\'']"}')"
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
unset HASURA_GRAPHQL_JWT_SECRET
@ -455,11 +453,11 @@ case "$SERVER_TEST_TO_RUN" in
# hasura claims at the root of the JWT token
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$"}')"
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , claims_namespace_path: "$"}')"
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
unset HASURA_GRAPHQL_JWT_SECRET
@ -474,12 +472,12 @@ case "$SERVER_TEST_TO_RUN" in
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].user.id"}, "x-hasura-allowed-roles": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.allowed"}, "x-hasura-default-role": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.default"}}}')"
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapBasic
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].user.id"}, "x-hasura-allowed-roles": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.allowed"}, "x-hasura-default-role": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.default"}}}')"
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapBasic
unset HASURA_GRAPHQL_JWT_SECRET
@ -489,11 +487,11 @@ case "$SERVER_TEST_TO_RUN" in
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].user.id", "default":"1"}, "x-hasura-allowed-roles": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.allowed", "default":["user","editor"]}, "x-hasura-default-role": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.default","default":"user"}}}')"
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapBasic
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].user.id", "default":"1"}, "x-hasura-allowed-roles": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.allowed", "default":["user","editor"]}, "x-hasura-default-role": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.default","default":"user"}}}')"
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapBasic
@ -509,9 +507,9 @@ case "$SERVER_TEST_TO_RUN" in
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py::TestJWTExpirySkew
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , allowed_skew: 60}')"
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py::TestJWTExpirySkew
unset HASURA_GRAPHQL_JWT_SECRET
@ -526,12 +524,12 @@ case "$SERVER_TEST_TO_RUN" in
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].user.id"}, "x-hasura-allowed-roles": ["user","editor"], "x-hasura-default-role": "user","x-hasura-custom-header":"custom-value"}}')"
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapWithStaticHasuraClaimsMapValues
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].user.id"}, "x-hasura-allowed-roles": ["user","editor"], "x-hasura-default-role": "user","x-hasura-custom-header":"custom-value"}}')"
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapWithStaticHasuraClaimsMapValues
unset HASURA_GRAPHQL_JWT_SECRET
@ -546,11 +544,11 @@ case "$SERVER_TEST_TO_RUN" in
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , header: {"type": "Cookie", "name": "hasura_user"}}')"
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , header: {"type": "Cookie", "name": "hasura_user"}}')"
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
unset HASURA_GRAPHQL_JWT_SECRET
@ -742,9 +740,8 @@ case "$SERVER_TEST_TO_RUN" in
run_hge_with_args serve
wait_for_port 8080
pytest -n 1 --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" --hge-key="$HASURA_GRAPHQL_ADMIN_SECRET" -k TestGraphQLInheritedRolesSchema
pytest -n 1 --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" --hge-key="$HASURA_GRAPHQL_ADMIN_SECRET" -k TestGraphQLInheritedRolesPostgres
pytest --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" --hge-key="$HASURA_GRAPHQL_ADMIN_SECRET" --enable-remote-schema-permissions --test-function-permissions test_roles_inheritance.py
pytest --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" --hge-key="$HASURA_GRAPHQL_ADMIN_SECRET" --enable-remote-schema-permissions --test-function-permissions test_roles_inheritance.py
unset HASURA_GRAPHQL_ADMIN_SECRET
unset HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS
@ -1175,7 +1172,7 @@ admin_users = postgres' > pgbouncer/pgbouncer.ini
# start inherited roles test
echo -e "\n$(time_elapsed): <########## TEST INHERITED-ROLES WITH SQL SERVER BACKEND ###########################################>\n"
pytest -n 1 --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" -k TestGraphQLInheritedRolesMSSQL --backend mssql
pytest -n 1 --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" -k TestGraphQLInheritedRolesMSSQL --backend mssql
# end inherited roles test
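Review bot: Removing the `export HASURA_GRAPHQL_EXPERIMENTAL_FEATURES="inherited_roles"` line makes the inherited-roles suites run later in this section (the `TestGraphQLInheritedRoles*` selections and `test_roles_inheritance.py`) depend on the server's new default, but nothing here clears a value inherited from the CI job's environment, so a stale `inherited_roles` setting there would mask a regression in the default-on path. I would put `unset HASURA_GRAPHQL_EXPERIMENTAL_FEATURES` where the export used to be, with the comment `# inherited roles are on by default; make sure the tests exercise that path, not the old flag`. Whether the env var still accepts `inherited_roles` after this change (and whether it is now a silent no-op) is not visible in this diff and would be worth a note in the changelog entry.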


@ -3,6 +3,7 @@
## Next release
(Add entries below in the order of server, console, cli, docs, others)
- server: enable inherited roles by default in the graphql-engine
- server: support MSSQL insert mutations
## v2.1.0-beta.1


@ -15,7 +15,7 @@ const setup = () => {
export const runSchemaSharingTests = () => {
describe('template gallery', () => {
it('display content', () => {
cy.contains('default').click();
cy.get('[data-test=table-links]').contains('default').click();
const oneToOne = cy.get('table').contains('Relationships: One-to-One');
oneToOne.click();
cy.contains('Install Template').click();


@ -41,19 +41,15 @@ it will override the inherited permission, if any.
The above setup won't work because ``inherited_role1`` and ``inherited_role2`` form a cycle.
.. note::
This feature is currently accessible as an experimental feature and must be
explicitly toggled on in order to be enabled.
This can be done either by setting the env var ``HASURA_GRAPHQL_EXPERIMENTAL_FEATURES``
to ``inherited_roles`` or by providing the server flag ``--experimental-features``
to ``inherited_roles``.
See :ref:`server config reference <server_flag_reference>` for info on setting the flag/env var.
.. admonition:: Supported from
Inherited roles are supported for versions ``v2.0.0-alpha.4`` and above.
Inherited roles will be supported for versions ``v2.0.0-alpha.4`` and above. The inherited roles feature
is an experimental feature from the ``v2.0.0-alpha.4`` till the ``v2.1.0-beta.1`` version i.e it must be
explicitly toggled in order to be enabled. This can be done either by setting the env
var ``HASURA_GRAPHQL_EXPERIMENTAL_FEATURES`` or the server flag ``--experimental-features`` to ``inherited_roles``.
After the ``v2.1.0-beta.1`` version, inherited roles will be enabled by default in the graphql-engine.
Creating inherited roles
------------------------


@ -13,23 +13,16 @@ import Hasura.Base.Error
import Hasura.EncJSON
import Hasura.Prelude
import Hasura.RQL.Types
import Hasura.Server.Types (ExperimentalFeature (..))
import Hasura.Session
runAddInheritedRole ::
( MonadError QErr m,
CacheRWM m,
MetadataM m,
HasServerConfigCtx m
MetadataM m
) =>
InheritedRole ->
m EncJSON
runAddInheritedRole addInheritedRoleQ@(Role inheritedRoleName (ParentRoles parentRoles)) = do
experimentalFeatures <- _sccExperimentalFeatures <$> askServerConfigCtx
unless (EFInheritedRoles `elem` experimentalFeatures) $
throw400 ConstraintViolation $
"inherited role can only be added when inherited_roles enabled"
<> " in the experimental features"
when (inheritedRoleName `elem` parentRoles) $
throw400 InvalidParams "an inherited role name cannot be in the role combination"
buildSchemaCacheFor (MOInheritedRole inheritedRoleName) $
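Review bot: With the experimental-feature gate deleted, the only validation left in `runAddInheritedRole` before `buildSchemaCacheFor` is the self-reference check, and nothing in the hunk says where cycles between inherited roles (the case the docs touched by this commit call out) or references to unknown parent roles are caught; presumably that happens during the cache rebuild, but a reader of this function can no longer tell. Once confirmed, I would add above the `when`: `-- Only the trivial self-cycle is rejected here; longer cycles and unknown parents are detected when the schema cache is rebuilt below`. It is also worth a one-line comment that, since there is no longer a server-side opt-in, an added inherited role takes effect for every consumer of the metadata immediately. The function body continues past the end of the hunk.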


@ -51,14 +51,12 @@ import Hasura.RQL.DDL.Schema
import Hasura.RQL.Types
import Hasura.RQL.Types.Eventing.Backend (BackendEventTrigger (..))
import Hasura.SQL.AnyBackend qualified as AB
import Hasura.Server.Types (ExperimentalFeature (..))
import Network.HTTP.Client.Transformable qualified as HTTP
runClearMetadata ::
( MonadIO m,
CacheRWM m,
MetadataM m,
HasServerConfigCtx m,
MonadMetadataStorageQueryAPI m,
MonadReader r m,
Has (HL.Logger HL.Hasura) r
@ -103,7 +101,6 @@ runReplaceMetadata ::
MetadataM m,
MonadIO m,
MonadMetadataStorageQueryAPI m,
HasServerConfigCtx m,
MonadReader r m,
Has (HL.Logger HL.Hasura) r
) =>
@ -119,7 +116,6 @@ runReplaceMetadataV1 ::
MetadataM m,
MonadIO m,
MonadMetadataStorageQueryAPI m,
HasServerConfigCtx m,
MonadReader r m,
Has (HL.Logger HL.Hasura) r
) =>
@ -134,7 +130,6 @@ runReplaceMetadataV2 ::
CacheRWM m,
MetadataM m,
MonadIO m,
HasServerConfigCtx m,
MonadMetadataStorageQueryAPI m,
MonadReader r m,
Has (HL.Logger HL.Hasura) r
@ -145,18 +140,10 @@ runReplaceMetadataV2 ReplaceMetadataV2 {..} = do
logger :: (HL.Logger HL.Hasura) <- asks getter
-- we drop all the future cron trigger events before inserting the new metadata
-- and re-populating future cron events below
experimentalFeatures <- _sccExperimentalFeatures <$> askServerConfigCtx
let inheritedRoles =
case _rmv2Metadata of
RMWithSources Metadata {_metaInheritedRoles} -> _metaInheritedRoles
RMWithoutSources _ -> mempty
introspectionDisabledRoles =
let introspectionDisabledRoles =
case _rmv2Metadata of
RMWithSources m -> _metaSetGraphqlIntrospectionOptions m
RMWithoutSources _ -> mempty
when (inheritedRoles /= mempty && EFInheritedRoles `notElem` experimentalFeatures) $
throw400 ConstraintViolation "inherited_roles can only be added when it's enabled in the experimental features"
oldMetadata <- getMetadata
(cronTriggersMetadata, cronTriggersToBeAdded) <- processCronTriggers oldMetadata
@ -310,39 +297,28 @@ runReplaceMetadataV2 ReplaceMetadataV2 {..} = do
m ()
compose sourceName x y f = AB.composeAnyBackend @BackendEventTrigger f x y (logger $ HL.UnstructuredLog HL.LevelInfo $ TBS.fromText $ "Event trigger clean up couldn't be done on the source " <> sourceName <<> " because it has changed its type")
processExperimentalFeatures :: HasServerConfigCtx m => Metadata -> m Metadata
processExperimentalFeatures metadata = do
experimentalFeatures <- _sccExperimentalFeatures <$> askServerConfigCtx
let isInheritedRolesSet = EFInheritedRoles `elem` experimentalFeatures
-- export inherited roles only when inherited_roles is set in the experimental features
pure $ bool (metadata {_metaInheritedRoles = mempty}) metadata isInheritedRolesSet
-- | Only includes the cron triggers with `included_in_metadata` set to `True`
processCronTriggersMetadata :: Metadata -> Metadata
processCronTriggersMetadata metadata =
let cronTriggersIncludedInMetadata = OMap.filter ctIncludeInMetadata $ _metaCronTriggers metadata
in metadata {_metaCronTriggers = cronTriggersIncludedInMetadata}
processMetadata :: HasServerConfigCtx m => Metadata -> m Metadata
processMetadata metadata =
processCronTriggersMetadata <$> processExperimentalFeatures metadata
runExportMetadata ::
forall m.
(QErrM m, MetadataM m, HasServerConfigCtx m) =>
(QErrM m, MetadataM m) =>
ExportMetadata ->
m EncJSON
runExportMetadata ExportMetadata {} =
encJFromOrderedValue . metadataToOrdJSON <$> (getMetadata >>= processMetadata)
encJFromOrderedValue . metadataToOrdJSON <$> (processCronTriggersMetadata <$> getMetadata)
runExportMetadataV2 ::
forall m.
(QErrM m, MetadataM m, HasServerConfigCtx m) =>
(QErrM m, MetadataM m) =>
MetadataResourceVersion ->
ExportMetadata ->
m EncJSON
runExportMetadataV2 currentResourceVersion ExportMetadata {} = do
exportMetadata <- processMetadata =<< getMetadata
exportMetadata <- processCronTriggersMetadata <$> getMetadata
pure $
encJFromOrderedValue $
AO.object
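Review bot: Dropping `processExperimentalFeatures` means `runExportMetadata` and `runExportMetadataV2` now always emit `inherited_roles`, while the `replace_metadata` check removed further up in this same file is exactly what a server still running with the flag unset uses to reject such a payload with a 400; so a metadata round-trip from this version to an older one (a rollback, or a staged upgrade across instances) can now fail where the old export silently stripped the roles. That deserves a sentence in the changelog entry and a comment on the export path, e.g. `-- inherited roles are always exported now that the feature is enabled by default; servers that still gate it behind the experimental flag will reject this metadata`. Minor style point: both export functions now inline `processCronTriggersMetadata <$> getMetadata`; keeping a small `processMetadata` wrapper would preserve a single place for future export-time filtering.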


@ -69,8 +69,7 @@ import Hasura.SQL.AnyBackend qualified as AB
import Hasura.SQL.Tag
import Hasura.SQL.Tag qualified as Tag
import Hasura.Server.Types
( ExperimentalFeature (..),
MaintenanceMode (..),
( MaintenanceMode (..),
)
import Hasura.Server.Version (HasVersion)
import Hasura.Session
@ -615,8 +614,6 @@ buildSchemaCacheRule env = proc (metadata, invalidationKeys) -> do
orderedRoles <- bindA -< orderRoles $ M.elems allRoles
isInheritedRolesEnabled <- bindA -< (EFInheritedRoles `elem`) . _sccExperimentalFeatures <$> askServerConfigCtx
-- remote schemas
let remoteSchemaInvalidationKeys = Inc.selectD #_ikRemoteSchemas invalidationKeys
remoteSchemaMap <- buildRemoteSchemas -< (remoteSchemaInvalidationKeys, OMap.elems remoteSchemas)
@ -640,23 +637,20 @@ buildSchemaCacheRule env = proc (metadata, invalidationKeys) -> do
allRolesUnresolvedPermissionsMap <-
bindA
-<
if isInheritedRolesEnabled
then
foldM
( \accumulatedRolePermMap (Role roleName (ParentRoles parentRoles)) -> do
rolePermission <- onNothing (M.lookup roleName accumulatedRolePermMap) $ do
parentRolePermissions <-
for (toList parentRoles) $ \role ->
onNothing (M.lookup role accumulatedRolePermMap) $
throw500 $
"remote schema permissions: bad ordering of roles, could not find the permission of role: " <>> role
let combinedPermission = sconcat <$> nonEmpty parentRolePermissions
pure $ fromMaybe CPUndefined combinedPermission
pure $ M.insert roleName rolePermission accumulatedRolePermMap
)
metadataCheckPermissionsMap
(_unOrderedRoles orderedRoles)
else pure metadataCheckPermissionsMap
foldM
( \accumulatedRolePermMap (Role roleName (ParentRoles parentRoles)) -> do
rolePermission <- onNothing (M.lookup roleName accumulatedRolePermMap) $ do
parentRolePermissions <-
for (toList parentRoles) $ \role ->
onNothing (M.lookup role accumulatedRolePermMap) $
throw500 $
"remote schema permissions: bad ordering of roles, could not find the permission of role: " <>> role
let combinedPermission = sconcat <$> nonEmpty parentRolePermissions
pure $ fromMaybe CPUndefined combinedPermission
pure $ M.insert roleName rolePermission accumulatedRolePermMap
)
metadataCheckPermissionsMap
(_unOrderedRoles orderedRoles)
-- traverse through `allRolesUnresolvedPermissionsMap` to record any inconsistencies (if exists)
resolvedPermissions <-
(|
@ -676,7 +670,6 @@ buildSchemaCacheRule env = proc (metadata, invalidationKeys) -> do
)
)
|)
let remoteSchemaCtxMap = M.map fst remoteSchemaMap
-- sources are build in two steps
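Review bot: In the now-unconditional `foldM`, a parent role missing from `accumulatedRolePermMap` is reported with `throw500` at schema-cache build time; before this change that path was only reachable with the experimental flag on, so it is worth confirming that a metadata entry naming a parent role with no permissions of its own, or a mistyped parent name, is rejected as a metadata inconsistency earlier (presumably in `orderRoles` or wherever `allRoles` is assembled) rather than surfacing here as an internal error on every reload. If that invariant holds, a short comment above the fold stating it would save the next reader the same question: `-- orderedRoles guarantees every parent precedes its children and has an entry in the map (see orderRoles); a miss here is a bug, hence 500`. The enclosing `buildSchemaCacheRule` starts and ends outside the hunk.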


@ -31,7 +31,6 @@ import Hasura.RQL.Types.Roles.Internal
rolePermInfoToCombineRolePermInfo,
)
import Hasura.SQL.AnyBackend qualified as AB
import Hasura.Server.Types
import Hasura.Session
{- Note: [Inherited roles architecture for read queries]
@ -199,7 +198,6 @@ buildTablePermissions ::
Inc.ArrowCache m arr,
MonadError QErr m,
ArrowWriter (Seq CollectedInfo) arr,
HasServerConfigCtx m,
BackendMetadata b,
Inc.Cacheable (Proxy b)
) =>
@ -214,8 +212,6 @@ buildTablePermissions ::
buildTablePermissions = Inc.cache proc (proxy, source, tableCache, tableFields, tablePermissions, orderedRoles) -> do
let alignedPermissions = alignPermissions tablePermissions
table = _tpiTable tablePermissions
experimentalFeatures <- bindA -< _sccExperimentalFeatures <$> askServerConfigCtx
let isInheritedRolesEnabled = EFInheritedRoles `elem` experimentalFeatures
metadataRolePermissions <-
(|
Inc.keyed
@ -227,35 +223,32 @@ buildTablePermissions = Inc.cache proc (proxy, source, tableCache, tableFields,
returnA -< RolePermInfo insert select update delete
)
|) alignedPermissions
if isInheritedRolesEnabled
then
(|
foldlA'
( \accumulatedRolePermMap (Role roleName (ParentRoles parentRoles)) -> do
parentRolePermissions <-
bindA
-< for (toList parentRoles) $ \role ->
onNothing (M.lookup role accumulatedRolePermMap) $
throw500 $
-- this error will ideally never be thrown, but if it's thrown then
-- it's possible that the permissions for the role do exist, but it's
-- not yet built due to wrong ordering of the roles, check `orderRoles`
"buildTablePermissions: table role permissions for role: " <> role <<> " not found"
let combinedParentRolePermInfo = mconcat $ fmap rolePermInfoToCombineRolePermInfo parentRolePermissions
selectPermissionsCount = length $ filter (isJust . _permSel) parentRolePermissions
let accumulatedRolePermission = M.lookup roleName accumulatedRolePermMap
let roleSelectPermission =
case (_permSel =<< accumulatedRolePermission) of
Just metadataSelectPerm -> Just metadataSelectPerm
Nothing -> combinedSelPermInfoToSelPermInfo selectPermissionsCount <$> (crpiSelPerm combinedParentRolePermInfo)
roleInsertPermission <- resolveCheckTablePermission -< (crpiInsPerm combinedParentRolePermInfo, accumulatedRolePermission, _permIns, roleName, source, table, PTInsert)
roleUpdatePermission <- resolveCheckTablePermission -< (crpiUpdPerm combinedParentRolePermInfo, accumulatedRolePermission, _permUpd, roleName, source, table, PTUpdate)
roleDeletePermission <- resolveCheckTablePermission -< (crpiDelPerm combinedParentRolePermInfo, accumulatedRolePermission, _permDel, roleName, source, table, PTDelete)
let rolePermInfo = RolePermInfo roleInsertPermission roleSelectPermission roleUpdatePermission roleDeletePermission
returnA -< M.insert roleName rolePermInfo accumulatedRolePermMap
)
|) metadataRolePermissions (_unOrderedRoles orderedRoles)
else returnA -< metadataRolePermissions
(|
foldlA'
( \accumulatedRolePermMap (Role roleName (ParentRoles parentRoles)) -> do
parentRolePermissions <-
bindA
-< for (toList parentRoles) $ \role ->
onNothing (M.lookup role accumulatedRolePermMap) $
throw500 $
-- this error will ideally never be thrown, but if it's thrown then
-- it's possible that the permissions for the role do exist, but it's
-- not yet built due to wrong ordering of the roles, check `orderRoles`
"buildTablePermissions: table role permissions for role: " <> role <<> " not found"
let combinedParentRolePermInfo = mconcat $ fmap rolePermInfoToCombineRolePermInfo parentRolePermissions
selectPermissionsCount = length $ filter (isJust . _permSel) parentRolePermissions
let accumulatedRolePermission = M.lookup roleName accumulatedRolePermMap
let roleSelectPermission =
case (_permSel =<< accumulatedRolePermission) of
Just metadataSelectPerm -> Just metadataSelectPerm
Nothing -> combinedSelPermInfoToSelPermInfo selectPermissionsCount <$> (crpiSelPerm combinedParentRolePermInfo)
roleInsertPermission <- resolveCheckTablePermission -< (crpiInsPerm combinedParentRolePermInfo, accumulatedRolePermission, _permIns, roleName, source, table, PTInsert)
roleUpdatePermission <- resolveCheckTablePermission -< (crpiUpdPerm combinedParentRolePermInfo, accumulatedRolePermission, _permUpd, roleName, source, table, PTUpdate)
roleDeletePermission <- resolveCheckTablePermission -< (crpiDelPerm combinedParentRolePermInfo, accumulatedRolePermission, _permDel, roleName, source, table, PTDelete)
let rolePermInfo = RolePermInfo roleInsertPermission roleSelectPermission roleUpdatePermission roleDeletePermission
returnA -< M.insert roleName rolePermInfo accumulatedRolePermMap
)
|) metadataRolePermissions (_unOrderedRoles orderedRoles)
where
mkMap :: [PermDef e] -> HashMap RoleName (PermDef e)
mkMap = mapFromL _pdRole
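Review bot: The de-gated fold in `buildTablePermissions` is the access-control core of inherited roles, yet it is an undocumented lambda inside an arrow `proc` block: a reader has to work out that an explicit metadata select permission wins over the parent-derived one, that insert/update/delete are resolved through `resolveCheckTablePermission`, and that `selectPermissionsCount` is fed to `combinedSelPermInfoToSelPermInfo` without any hint of why. I would add a header comment above the `(| foldlA'` describing those three rules, and in particular say whether the parent count is used to intersect or to union the parents' column sets, since that distinction decides how much an inherited role can read and is not inferable from the hunk. A role with no parents and no metadata permission ends up with `Nothing` for select, which is fine but worth stating in the same comment. The function's signature and the rest of its `where` clause lie outside the hunk.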


@ -493,7 +493,6 @@ runMetadataQueryV2M ::
CacheRWM m,
MetadataM m,
MonadMetadataStorageQueryAPI m,
HasServerConfigCtx m,
MonadReader r m,
Has (L.Logger L.Hasura) r
) =>


@ -280,7 +280,7 @@ class GraphQLWSClient():
new_msg['type'] = 'pong'
self.send(json.dumps(new_msg))
return
if 'id' in json_msg:
query_id = json_msg['id']
if json_msg.get('type') == 'complete':
@ -290,14 +290,14 @@ class GraphQLWSClient():
self.ws_id_query_queues[json_msg['id']] = queue.Queue(maxsize=-1)
#Put event in the correponding query_queue
self.ws_id_query_queues[query_id].put(json_msg)
if json_msg['type'] != 'ping':
self.ws_queue.put(json_msg)
def _on_close(self):
self.remote_closed = True
self.init_done = False
def get_conn_close_state(self):
return self.remote_closed or self.is_closing
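Review bot: `json_msg['type'] != 'ping'` on the line before `self.ws_queue.put(json_msg)` indexes `type` directly, whereas the `complete` check a few lines earlier uses `json_msg.get('type')`, so a frame without a `type` key raises `KeyError` inside the receive callback instead of being queued; use `if json_msg.get('type') != 'ping':` for consistency. Also, the pong branch at the top of the hunk `return`s after replying, so if that branch is the one handling `ping` (its condition begins before the hunk), the later `!= 'ping'` test is dead and should either be dropped or documented as a guard for pings that carry an `id`. The enclosing method starts outside the hunk.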