server: enable inherited roles by default
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/2325 Co-authored-by: Nicolas Beaussart <7281023+beaussan@users.noreply.github.com> GitOrigin-RevId: 8ad6fe25a3788892128c1d56b8fa0e8feed2caca
This commit is contained in:
parent
8ca962ab91
commit
64e2201179
@ -233,8 +233,6 @@ export WEBHOOK_FROM_ENV="http://127.0.0.1:5592"
|
||||
export SCHEDULED_TRIGGERS_WEBHOOK_DOMAIN="http://127.0.0.1:5594"
|
||||
export HASURA_GRAPHQL_STRINGIFY_NUMERIC_TYPES=true
|
||||
export REMOTE_SCHEMAS_WEBHOOK_DOMAIN="http://127.0.0.1:5000"
|
||||
export HASURA_GRAPHQL_EXPERIMENTAL_FEATURES="inherited_roles"
|
||||
|
||||
|
||||
HGE_PIDS=""
|
||||
WH_PID=""
|
||||
@ -289,8 +287,8 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
admin-secret)
|
||||
echo -e "\n$(time_elapsed): <########## TEST GRAPHQL-ENGINE WITH ADMIN SECRET #####################################>\n"
|
||||
TEST_TYPE="admin-secret"
|
||||
|
||||
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
|
||||
|
||||
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
|
||||
|
||||
start_multiple_hge_servers
|
||||
|
||||
@ -331,7 +329,7 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
run_pytest_parallel --hge-key="$HASURA_GRAPHQL_ADMIN_SECRET" --hge-jwt-key-file="$OUTPUT_FOLDER/ssl/jwt_private.key" --hge-jwt-conf="$HASURA_GRAPHQL_JWT_SECRET"
|
||||
|
||||
kill_hge_servers
|
||||
|
||||
|
||||
# Ed25519 test
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key }')"
|
||||
@ -358,9 +356,9 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , claims_format: "stringified_json"}')"
|
||||
|
||||
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
|
||||
|
||||
# unset HASURA_GRAPHQL_JWT_SECRET
|
||||
;;
|
||||
|
||||
@ -377,7 +375,7 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , audience: "myapp-1234"}')"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
|
||||
|
||||
#unset HASURA_GRAPHQL_JWT_SECRET
|
||||
@ -391,11 +389,11 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , audience: ["myapp-1234", "myapp-9876"]}')"
|
||||
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , audience: ["myapp-1234", "myapp-9876"]}')"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
|
||||
|
||||
unset HASURA_GRAPHQL_JWT_SECRET
|
||||
@ -412,7 +410,7 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , issuer: "https://hasura.com"}')"
|
||||
|
||||
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
|
||||
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , issuer: "https://hasura.com"}')"
|
||||
|
||||
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
|
||||
@ -431,11 +429,11 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
# hasura claims at one level of nesting
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$.hasura_claims"}')"
|
||||
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , claims_namespace_path: "$.hasura_claims"}')"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
|
||||
|
||||
unset HASURA_GRAPHQL_JWT_SECRET
|
||||
@ -447,7 +445,7 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , claims_namespace_path: "$.hasura['\''claims%'\'']"}')"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
|
||||
|
||||
unset HASURA_GRAPHQL_JWT_SECRET
|
||||
@ -455,11 +453,11 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
# hasura claims at the root of the JWT token
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_namespace_path: "$"}')"
|
||||
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
|
||||
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , claims_namespace_path: "$"}')"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
|
||||
|
||||
unset HASURA_GRAPHQL_JWT_SECRET
|
||||
@ -474,12 +472,12 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].user.id"}, "x-hasura-allowed-roles": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.allowed"}, "x-hasura-default-role": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.default"}}}')"
|
||||
|
||||
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
|
||||
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
|
||||
|
||||
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapBasic
|
||||
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].user.id"}, "x-hasura-allowed-roles": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.allowed"}, "x-hasura-default-role": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.default"}}}')"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapBasic
|
||||
|
||||
unset HASURA_GRAPHQL_JWT_SECRET
|
||||
@ -489,11 +487,11 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].user.id", "default":"1"}, "x-hasura-allowed-roles": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.allowed", "default":["user","editor"]}, "x-hasura-default-role": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.default","default":"user"}}}')"
|
||||
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapBasic
|
||||
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].user.id", "default":"1"}, "x-hasura-allowed-roles": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.allowed", "default":["user","editor"]}, "x-hasura-default-role": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].role.default","default":"user"}}}')"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapBasic
|
||||
|
||||
|
||||
@ -509,9 +507,9 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
|
||||
|
||||
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py::TestJWTExpirySkew
|
||||
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , allowed_skew: 60}')"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py::TestJWTExpirySkew
|
||||
|
||||
unset HASURA_GRAPHQL_JWT_SECRET
|
||||
@ -526,12 +524,12 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].user.id"}, "x-hasura-allowed-roles": ["user","editor"], "x-hasura-default-role": "user","x-hasura-custom-header":"custom-value"}}')"
|
||||
|
||||
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
|
||||
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
|
||||
|
||||
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapWithStaticHasuraClaimsMapValues
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , claims_map: {"x-hasura-user-id": {"path":"$.['"'"'https://myapp.com/jwt/claims'"'"'].user.id"}, "x-hasura-allowed-roles": ["user","editor"], "x-hasura-default-role": "user","x-hasura-custom-header":"custom-value"}}')"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt_claims_map.py::TestJWTClaimsMapWithStaticHasuraClaimsMapValues
|
||||
|
||||
unset HASURA_GRAPHQL_JWT_SECRET
|
||||
@ -546,11 +544,11 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/jwt_public.key)" '{ type: "RS512", key: $key , header: {"type": "Cookie", "name": "hasura_user"}}')"
|
||||
export HASURA_GRAPHQL_ADMIN_SECRET="HGE$RANDOM$RANDOM"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/jwt_private.key" test_jwt.py
|
||||
|
||||
|
||||
export HASURA_GRAPHQL_JWT_SECRET="$(jq -n --arg key "$(cat $OUTPUT_FOLDER/ssl/ed25519_jwt_public.key)" '{ type: "Ed25519", key: $key , header: {"type": "Cookie", "name": "hasura_user"}}')"
|
||||
|
||||
|
||||
init_hge_and_test_jwt "ssl/ed25519_jwt_private.key" test_jwt.py
|
||||
|
||||
unset HASURA_GRAPHQL_JWT_SECRET
|
||||
@ -742,9 +740,8 @@ case "$SERVER_TEST_TO_RUN" in
|
||||
run_hge_with_args serve
|
||||
wait_for_port 8080
|
||||
|
||||
pytest -n 1 --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" --hge-key="$HASURA_GRAPHQL_ADMIN_SECRET" -k TestGraphQLInheritedRolesSchema
|
||||
pytest -n 1 --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" --hge-key="$HASURA_GRAPHQL_ADMIN_SECRET" -k TestGraphQLInheritedRolesPostgres
|
||||
pytest --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" --hge-key="$HASURA_GRAPHQL_ADMIN_SECRET" --enable-remote-schema-permissions --test-function-permissions test_roles_inheritance.py
|
||||
pytest --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" --hge-key="$HASURA_GRAPHQL_ADMIN_SECRET" --enable-remote-schema-permissions --test-function-permissions test_roles_inheritance.py
|
||||
|
||||
|
||||
unset HASURA_GRAPHQL_ADMIN_SECRET
|
||||
unset HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS
|
||||
@ -1175,7 +1172,7 @@ admin_users = postgres' > pgbouncer/pgbouncer.ini
|
||||
# start inherited roles test
|
||||
echo -e "\n$(time_elapsed): <########## TEST INHERITED-ROLES WITH SQL SERVER BACKEND ###########################################>\n"
|
||||
|
||||
pytest -n 1 --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" -k TestGraphQLInheritedRolesMSSQL --backend mssql
|
||||
pytest -n 1 --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" -k TestGraphQLInheritedRolesMSSQL --backend mssql
|
||||
|
||||
# end inherited roles test
|
||||
|
||||
|
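Review bot: One of the three `pytest` runs in the inherited-roles block (hunk `@ -742,9 +740,8`) appears to be dropped: the counts admit a single deletion, `-k TestGraphQLInheritedRolesSchema` and `-k TestGraphQLInheritedRolesPostgres` each print once, and only the `test_roles_inheritance.py` line prints twice as a changed line. If the removed class only asserted the old "not enabled in the experimental features" error that is fine, but the commit description does not say so; otherwise both `-k` runs should stay. With `export HASURA_GRAPHQL_EXPERIMENTAL_FEATURES="inherited_roles"` gone from the top of the script, a short comment near `HGE_PIDS=""` such as `# inherited roles are enabled by default; no experimental-features flag is needed` would explain the absence to the next reader. The `case "$SERVER_TEST_TO_RUN"` block these hunks sit in starts and ends outside the visible hunks.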
@ -3,6 +3,7 @@
|
||||
## Next release
|
||||
(Add entries below in the order of server, console, cli, docs, others)
|
||||
|
||||
- server: enable inherited roles by default in the graphql-engine
|
||||
- server: support MSSQL insert mutations
|
||||
|
||||
## v2.1.0-beta.1
|
||||
|
@ -15,7 +15,7 @@ const setup = () => {
|
||||
export const runSchemaSharingTests = () => {
|
||||
describe('template gallery', () => {
|
||||
it('display content', () => {
|
||||
cy.contains('default').click();
|
||||
cy.get('[data-test=table-links]').contains('default').click();
|
||||
const oneToOne = cy.get('table').contains('Relationships: One-to-One');
|
||||
oneToOne.click();
|
||||
cy.contains('Install Template').click();
|
||||
|
@ -41,19 +41,15 @@ it will override the inherited permission, if any.
|
||||
|
||||
The above setup won't work because ``inherited_role1`` and ``inherited_role2`` form a cycle.
|
||||
|
||||
.. note::
|
||||
|
||||
This feature is currently accessible as an experimental feature and must be
|
||||
explicitly toggled on in order to be enabled.
|
||||
This can be done either by setting the env var ``HASURA_GRAPHQL_EXPERIMENTAL_FEATURES``
|
||||
to ``inherited_roles`` or by providing the server flag ``--experimental-features``
|
||||
to ``inherited_roles``.
|
||||
|
||||
See :ref:`server config reference <server_flag_reference>` for info on setting the flag/env var.
|
||||
|
||||
.. admonition:: Supported from
|
||||
|
||||
Inherited roles are supported for versions ``v2.0.0-alpha.4`` and above.
|
||||
Inherited roles will be supported for versions ``v2.0.0-alpha.4`` and above. The inherited roles feature
|
||||
is an experimental feature from the ``v2.0.0-alpha.4`` till the ``v2.1.0-beta.1`` version i.e it must be
|
||||
explicitly toggled in order to be enabled. This can be done either by setting the env
|
||||
var ``HASURA_GRAPHQL_EXPERIMENTAL_FEATURES`` or the server flag ``--experimental-features`` to ``inherited_roles``.
|
||||
|
||||
After the ``v2.1.0-beta.1`` version, inherited roles will be enabled by default in the graphql-engine.
|
||||
|
||||
|
||||
Creating inherited roles
|
||||
------------------------
|
||||
|
@ -13,23 +13,16 @@ import Hasura.Base.Error
|
||||
import Hasura.EncJSON
|
||||
import Hasura.Prelude
|
||||
import Hasura.RQL.Types
|
||||
import Hasura.Server.Types (ExperimentalFeature (..))
|
||||
import Hasura.Session
|
||||
|
||||
runAddInheritedRole ::
|
||||
( MonadError QErr m,
|
||||
CacheRWM m,
|
||||
MetadataM m,
|
||||
HasServerConfigCtx m
|
||||
MetadataM m
|
||||
) =>
|
||||
InheritedRole ->
|
||||
m EncJSON
|
||||
runAddInheritedRole addInheritedRoleQ@(Role inheritedRoleName (ParentRoles parentRoles)) = do
|
||||
experimentalFeatures <- _sccExperimentalFeatures <$> askServerConfigCtx
|
||||
unless (EFInheritedRoles `elem` experimentalFeatures) $
|
||||
throw400 ConstraintViolation $
|
||||
"inherited role can only be added when inherited_roles enabled"
|
||||
<> " in the experimental features"
|
||||
when (inheritedRoleName `elem` parentRoles) $
|
||||
throw400 InvalidParams "an inherited role name cannot be in the role combination"
|
||||
buildSchemaCacheFor (MOInheritedRole inheritedRoleName) $
|
||||
|
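Review bot: With the `EFInheritedRoles` guard removed, `runAddInheritedRole` only rejects a role that lists itself as a parent (`when (inheritedRoleName `elem` parentRoles)`); whether longer cycles — the docs hunk in this commit states that `inherited_role1` and `inherited_role2` forming a cycle is rejected — are caught presumably rests on the `buildSchemaCacheFor (MOInheritedRole inheritedRoleName)` call that follows, which the hunk cuts off. A comment above the `buildSchemaCacheFor` line such as `-- cycles between parent roles are reported by the schema-cache rebuild (role ordering), not here` would stop a later reader from adding a duplicate check in this function. The function body continues outside the hunk.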
@ -51,14 +51,12 @@ import Hasura.RQL.DDL.Schema
|
||||
import Hasura.RQL.Types
|
||||
import Hasura.RQL.Types.Eventing.Backend (BackendEventTrigger (..))
|
||||
import Hasura.SQL.AnyBackend qualified as AB
|
||||
import Hasura.Server.Types (ExperimentalFeature (..))
|
||||
import Network.HTTP.Client.Transformable qualified as HTTP
|
||||
|
||||
runClearMetadata ::
|
||||
( MonadIO m,
|
||||
CacheRWM m,
|
||||
MetadataM m,
|
||||
HasServerConfigCtx m,
|
||||
MonadMetadataStorageQueryAPI m,
|
||||
MonadReader r m,
|
||||
Has (HL.Logger HL.Hasura) r
|
||||
@ -103,7 +101,6 @@ runReplaceMetadata ::
|
||||
MetadataM m,
|
||||
MonadIO m,
|
||||
MonadMetadataStorageQueryAPI m,
|
||||
HasServerConfigCtx m,
|
||||
MonadReader r m,
|
||||
Has (HL.Logger HL.Hasura) r
|
||||
) =>
|
||||
@ -119,7 +116,6 @@ runReplaceMetadataV1 ::
|
||||
MetadataM m,
|
||||
MonadIO m,
|
||||
MonadMetadataStorageQueryAPI m,
|
||||
HasServerConfigCtx m,
|
||||
MonadReader r m,
|
||||
Has (HL.Logger HL.Hasura) r
|
||||
) =>
|
||||
@ -134,7 +130,6 @@ runReplaceMetadataV2 ::
|
||||
CacheRWM m,
|
||||
MetadataM m,
|
||||
MonadIO m,
|
||||
HasServerConfigCtx m,
|
||||
MonadMetadataStorageQueryAPI m,
|
||||
MonadReader r m,
|
||||
Has (HL.Logger HL.Hasura) r
|
||||
@ -145,18 +140,10 @@ runReplaceMetadataV2 ReplaceMetadataV2 {..} = do
|
||||
logger :: (HL.Logger HL.Hasura) <- asks getter
|
||||
-- we drop all the future cron trigger events before inserting the new metadata
|
||||
-- and re-populating future cron events below
|
||||
experimentalFeatures <- _sccExperimentalFeatures <$> askServerConfigCtx
|
||||
let inheritedRoles =
|
||||
case _rmv2Metadata of
|
||||
RMWithSources Metadata {_metaInheritedRoles} -> _metaInheritedRoles
|
||||
RMWithoutSources _ -> mempty
|
||||
introspectionDisabledRoles =
|
||||
let introspectionDisabledRoles =
|
||||
case _rmv2Metadata of
|
||||
RMWithSources m -> _metaSetGraphqlIntrospectionOptions m
|
||||
RMWithoutSources _ -> mempty
|
||||
when (inheritedRoles /= mempty && EFInheritedRoles `notElem` experimentalFeatures) $
|
||||
throw400 ConstraintViolation "inherited_roles can only be added when it's enabled in the experimental features"
|
||||
|
||||
oldMetadata <- getMetadata
|
||||
|
||||
(cronTriggersMetadata, cronTriggersToBeAdded) <- processCronTriggers oldMetadata
|
||||
@ -310,39 +297,28 @@ runReplaceMetadataV2 ReplaceMetadataV2 {..} = do
|
||||
m ()
|
||||
compose sourceName x y f = AB.composeAnyBackend @BackendEventTrigger f x y (logger $ HL.UnstructuredLog HL.LevelInfo $ TBS.fromText $ "Event trigger clean up couldn't be done on the source " <> sourceName <<> " because it has changed its type")
|
||||
|
||||
processExperimentalFeatures :: HasServerConfigCtx m => Metadata -> m Metadata
|
||||
processExperimentalFeatures metadata = do
|
||||
experimentalFeatures <- _sccExperimentalFeatures <$> askServerConfigCtx
|
||||
let isInheritedRolesSet = EFInheritedRoles `elem` experimentalFeatures
|
||||
-- export inherited roles only when inherited_roles is set in the experimental features
|
||||
pure $ bool (metadata {_metaInheritedRoles = mempty}) metadata isInheritedRolesSet
|
||||
|
||||
-- | Only includes the cron triggers with `included_in_metadata` set to `True`
|
||||
processCronTriggersMetadata :: Metadata -> Metadata
|
||||
processCronTriggersMetadata metadata =
|
||||
let cronTriggersIncludedInMetadata = OMap.filter ctIncludeInMetadata $ _metaCronTriggers metadata
|
||||
in metadata {_metaCronTriggers = cronTriggersIncludedInMetadata}
|
||||
|
||||
processMetadata :: HasServerConfigCtx m => Metadata -> m Metadata
|
||||
processMetadata metadata =
|
||||
processCronTriggersMetadata <$> processExperimentalFeatures metadata
|
||||
|
||||
runExportMetadata ::
|
||||
forall m.
|
||||
(QErrM m, MetadataM m, HasServerConfigCtx m) =>
|
||||
(QErrM m, MetadataM m) =>
|
||||
ExportMetadata ->
|
||||
m EncJSON
|
||||
runExportMetadata ExportMetadata {} =
|
||||
encJFromOrderedValue . metadataToOrdJSON <$> (getMetadata >>= processMetadata)
|
||||
encJFromOrderedValue . metadataToOrdJSON <$> (processCronTriggersMetadata <$> getMetadata)
|
||||
|
||||
runExportMetadataV2 ::
|
||||
forall m.
|
||||
(QErrM m, MetadataM m, HasServerConfigCtx m) =>
|
||||
(QErrM m, MetadataM m) =>
|
||||
MetadataResourceVersion ->
|
||||
ExportMetadata ->
|
||||
m EncJSON
|
||||
runExportMetadataV2 currentResourceVersion ExportMetadata {} = do
|
||||
exportMetadata <- processMetadata =<< getMetadata
|
||||
exportMetadata <- processCronTriggersMetadata <$> getMetadata
|
||||
pure $
|
||||
encJFromOrderedValue $
|
||||
AO.object
|
||||
|
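Review bot: `runExportMetadata` now nests two `<$>` — `encJFromOrderedValue . metadataToOrdJSON <$> (processCronTriggersMetadata <$> getMetadata)` — where a single composition, `encJFromOrderedValue . metadataToOrdJSON . processCronTriggersMetadata <$> getMetadata`, reads the same as the `processCronTriggersMetadata <$> getMetadata` form used in `runExportMetadataV2` just below. Separately, dropping the `inheritedRoles /= mempty` guard from `runReplaceMetadataV2` means inherited-role definitions in an imported metadata document are accepted here unconditionally, so their validation is presumably left to the schema-cache build later in the function; a one-line comment above `let introspectionDisabledRoles` saying so would document the new contract. `runReplaceMetadataV2`'s body continues outside the hunk.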
@ -69,8 +69,7 @@ import Hasura.SQL.AnyBackend qualified as AB
|
||||
import Hasura.SQL.Tag
|
||||
import Hasura.SQL.Tag qualified as Tag
|
||||
import Hasura.Server.Types
|
||||
( ExperimentalFeature (..),
|
||||
MaintenanceMode (..),
|
||||
( MaintenanceMode (..),
|
||||
)
|
||||
import Hasura.Server.Version (HasVersion)
|
||||
import Hasura.Session
|
||||
@ -615,8 +614,6 @@ buildSchemaCacheRule env = proc (metadata, invalidationKeys) -> do
|
||||
|
||||
orderedRoles <- bindA -< orderRoles $ M.elems allRoles
|
||||
|
||||
isInheritedRolesEnabled <- bindA -< (EFInheritedRoles `elem`) . _sccExperimentalFeatures <$> askServerConfigCtx
|
||||
|
||||
-- remote schemas
|
||||
let remoteSchemaInvalidationKeys = Inc.selectD #_ikRemoteSchemas invalidationKeys
|
||||
remoteSchemaMap <- buildRemoteSchemas -< (remoteSchemaInvalidationKeys, OMap.elems remoteSchemas)
|
||||
@ -640,23 +637,20 @@ buildSchemaCacheRule env = proc (metadata, invalidationKeys) -> do
|
||||
allRolesUnresolvedPermissionsMap <-
|
||||
bindA
|
||||
-<
|
||||
if isInheritedRolesEnabled
|
||||
then
|
||||
foldM
|
||||
( \accumulatedRolePermMap (Role roleName (ParentRoles parentRoles)) -> do
|
||||
rolePermission <- onNothing (M.lookup roleName accumulatedRolePermMap) $ do
|
||||
parentRolePermissions <-
|
||||
for (toList parentRoles) $ \role ->
|
||||
onNothing (M.lookup role accumulatedRolePermMap) $
|
||||
throw500 $
|
||||
"remote schema permissions: bad ordering of roles, could not find the permission of role: " <>> role
|
||||
let combinedPermission = sconcat <$> nonEmpty parentRolePermissions
|
||||
pure $ fromMaybe CPUndefined combinedPermission
|
||||
pure $ M.insert roleName rolePermission accumulatedRolePermMap
|
||||
)
|
||||
metadataCheckPermissionsMap
|
||||
(_unOrderedRoles orderedRoles)
|
||||
else pure metadataCheckPermissionsMap
|
||||
foldM
|
||||
( \accumulatedRolePermMap (Role roleName (ParentRoles parentRoles)) -> do
|
||||
rolePermission <- onNothing (M.lookup roleName accumulatedRolePermMap) $ do
|
||||
parentRolePermissions <-
|
||||
for (toList parentRoles) $ \role ->
|
||||
onNothing (M.lookup role accumulatedRolePermMap) $
|
||||
throw500 $
|
||||
"remote schema permissions: bad ordering of roles, could not find the permission of role: " <>> role
|
||||
let combinedPermission = sconcat <$> nonEmpty parentRolePermissions
|
||||
pure $ fromMaybe CPUndefined combinedPermission
|
||||
pure $ M.insert roleName rolePermission accumulatedRolePermMap
|
||||
)
|
||||
metadataCheckPermissionsMap
|
||||
(_unOrderedRoles orderedRoles)
|
||||
-- traverse through `allRolesUnresolvedPermissionsMap` to record any inconsistencies (if exists)
|
||||
resolvedPermissions <-
|
||||
(|
|
||||
@ -676,7 +670,6 @@ buildSchemaCacheRule env = proc (metadata, invalidationKeys) -> do
|
||||
)
|
||||
)
|
||||
|)
|
||||
|
||||
let remoteSchemaCtxMap = M.map fst remoteSchemaMap
|
||||
|
||||
-- sources are build in two steps
|
||||
|
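Review bot: The remote-schema permission fold that sat behind `if isInheritedRolesEnabled` now runs for every role in `_unOrderedRoles orderedRoles`, so the `throw500 "... bad ordering of roles ..."` path and the `CPUndefined` fallback are reachable on every schema-cache build rather than only with the experimental flag; the hunk shows that a role with no parents and no entry in `metadataCheckPermissionsMap` resolves to `CPUndefined` via `fromMaybe CPUndefined (sconcat <$> nonEmpty [])`. A comment on the `foldM` such as `-- runs for all roles: a non-inherited role absent from metadataCheckPermissionsMap resolves to CPUndefined` would make that default explicit. `buildSchemaCacheRule` starts and ends outside the hunk.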
@ -31,7 +31,6 @@ import Hasura.RQL.Types.Roles.Internal
|
||||
rolePermInfoToCombineRolePermInfo,
|
||||
)
|
||||
import Hasura.SQL.AnyBackend qualified as AB
|
||||
import Hasura.Server.Types
|
||||
import Hasura.Session
|
||||
|
||||
{- Note: [Inherited roles architecture for read queries]
|
||||
@ -199,7 +198,6 @@ buildTablePermissions ::
|
||||
Inc.ArrowCache m arr,
|
||||
MonadError QErr m,
|
||||
ArrowWriter (Seq CollectedInfo) arr,
|
||||
HasServerConfigCtx m,
|
||||
BackendMetadata b,
|
||||
Inc.Cacheable (Proxy b)
|
||||
) =>
|
||||
@ -214,8 +212,6 @@ buildTablePermissions ::
|
||||
buildTablePermissions = Inc.cache proc (proxy, source, tableCache, tableFields, tablePermissions, orderedRoles) -> do
|
||||
let alignedPermissions = alignPermissions tablePermissions
|
||||
table = _tpiTable tablePermissions
|
||||
experimentalFeatures <- bindA -< _sccExperimentalFeatures <$> askServerConfigCtx
|
||||
let isInheritedRolesEnabled = EFInheritedRoles `elem` experimentalFeatures
|
||||
metadataRolePermissions <-
|
||||
(|
|
||||
Inc.keyed
|
||||
@ -227,35 +223,32 @@ buildTablePermissions = Inc.cache proc (proxy, source, tableCache, tableFields,
|
||||
returnA -< RolePermInfo insert select update delete
|
||||
)
|
||||
|) alignedPermissions
|
||||
if isInheritedRolesEnabled
|
||||
then
|
||||
(|
|
||||
foldlA'
|
||||
( \accumulatedRolePermMap (Role roleName (ParentRoles parentRoles)) -> do
|
||||
parentRolePermissions <-
|
||||
bindA
|
||||
-< for (toList parentRoles) $ \role ->
|
||||
onNothing (M.lookup role accumulatedRolePermMap) $
|
||||
throw500 $
|
||||
-- this error will ideally never be thrown, but if it's thrown then
|
||||
-- it's possible that the permissions for the role do exist, but it's
|
||||
-- not yet built due to wrong ordering of the roles, check `orderRoles`
|
||||
"buildTablePermissions: table role permissions for role: " <> role <<> " not found"
|
||||
let combinedParentRolePermInfo = mconcat $ fmap rolePermInfoToCombineRolePermInfo parentRolePermissions
|
||||
selectPermissionsCount = length $ filter (isJust . _permSel) parentRolePermissions
|
||||
let accumulatedRolePermission = M.lookup roleName accumulatedRolePermMap
|
||||
let roleSelectPermission =
|
||||
case (_permSel =<< accumulatedRolePermission) of
|
||||
Just metadataSelectPerm -> Just metadataSelectPerm
|
||||
Nothing -> combinedSelPermInfoToSelPermInfo selectPermissionsCount <$> (crpiSelPerm combinedParentRolePermInfo)
|
||||
roleInsertPermission <- resolveCheckTablePermission -< (crpiInsPerm combinedParentRolePermInfo, accumulatedRolePermission, _permIns, roleName, source, table, PTInsert)
|
||||
roleUpdatePermission <- resolveCheckTablePermission -< (crpiUpdPerm combinedParentRolePermInfo, accumulatedRolePermission, _permUpd, roleName, source, table, PTUpdate)
|
||||
roleDeletePermission <- resolveCheckTablePermission -< (crpiDelPerm combinedParentRolePermInfo, accumulatedRolePermission, _permDel, roleName, source, table, PTDelete)
|
||||
let rolePermInfo = RolePermInfo roleInsertPermission roleSelectPermission roleUpdatePermission roleDeletePermission
|
||||
returnA -< M.insert roleName rolePermInfo accumulatedRolePermMap
|
||||
)
|
||||
|) metadataRolePermissions (_unOrderedRoles orderedRoles)
|
||||
else returnA -< metadataRolePermissions
|
||||
(|
|
||||
foldlA'
|
||||
( \accumulatedRolePermMap (Role roleName (ParentRoles parentRoles)) -> do
|
||||
parentRolePermissions <-
|
||||
bindA
|
||||
-< for (toList parentRoles) $ \role ->
|
||||
onNothing (M.lookup role accumulatedRolePermMap) $
|
||||
throw500 $
|
||||
-- this error will ideally never be thrown, but if it's thrown then
|
||||
-- it's possible that the permissions for the role do exist, but it's
|
||||
-- not yet built due to wrong ordering of the roles, check `orderRoles`
|
||||
"buildTablePermissions: table role permissions for role: " <> role <<> " not found"
|
||||
let combinedParentRolePermInfo = mconcat $ fmap rolePermInfoToCombineRolePermInfo parentRolePermissions
|
||||
selectPermissionsCount = length $ filter (isJust . _permSel) parentRolePermissions
|
||||
let accumulatedRolePermission = M.lookup roleName accumulatedRolePermMap
|
||||
let roleSelectPermission =
|
||||
case (_permSel =<< accumulatedRolePermission) of
|
||||
Just metadataSelectPerm -> Just metadataSelectPerm
|
||||
Nothing -> combinedSelPermInfoToSelPermInfo selectPermissionsCount <$> (crpiSelPerm combinedParentRolePermInfo)
|
||||
roleInsertPermission <- resolveCheckTablePermission -< (crpiInsPerm combinedParentRolePermInfo, accumulatedRolePermission, _permIns, roleName, source, table, PTInsert)
|
||||
roleUpdatePermission <- resolveCheckTablePermission -< (crpiUpdPerm combinedParentRolePermInfo, accumulatedRolePermission, _permUpd, roleName, source, table, PTUpdate)
|
||||
roleDeletePermission <- resolveCheckTablePermission -< (crpiDelPerm combinedParentRolePermInfo, accumulatedRolePermission, _permDel, roleName, source, table, PTDelete)
|
||||
let rolePermInfo = RolePermInfo roleInsertPermission roleSelectPermission roleUpdatePermission roleDeletePermission
|
||||
returnA -< M.insert roleName rolePermInfo accumulatedRolePermMap
|
||||
)
|
||||
|) metadataRolePermissions (_unOrderedRoles orderedRoles)
|
||||
where
|
||||
mkMap :: [PermDef e] -> HashMap RoleName (PermDef e)
|
||||
mkMap = mapFromL _pdRole
|
||||
|
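Review bot: In the now-unconditional `foldlA'` of `buildTablePermissions`, the `case (_permSel =<< accumulatedRolePermission) of Just metadataSelectPerm -> Just metadataSelectPerm; Nothing -> …` is a hand-written alternative; `let roleSelectPermission = (_permSel =<< accumulatedRolePermission) <|> (combinedSelPermInfoToSelPermInfo selectPermissionsCount <$> crpiSelPerm combinedParentRolePermInfo)` (Control.Applicative's `<|>`, if the prelude does not already export it) says the same in one line. That precedence — a select permission defined directly on the role wins over the one combined from its parents — is the access-control rule the docs hunk in this commit describes ("it will override the inherited permission, if any") and deserves a comment at that `let`, e.g. `-- a permission set on the role itself overrides the one inherited from its parents`. The signature of `buildTablePermissions` starts outside the hunk.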
@ -493,7 +493,6 @@ runMetadataQueryV2M ::
|
||||
CacheRWM m,
|
||||
MetadataM m,
|
||||
MonadMetadataStorageQueryAPI m,
|
||||
HasServerConfigCtx m,
|
||||
MonadReader r m,
|
||||
Has (L.Logger L.Hasura) r
|
||||
) =>
|
||||
|
@ -280,7 +280,7 @@ class GraphQLWSClient():
|
||||
new_msg['type'] = 'pong'
|
||||
self.send(json.dumps(new_msg))
|
||||
return
|
||||
|
||||
|
||||
if 'id' in json_msg:
|
||||
query_id = json_msg['id']
|
||||
if json_msg.get('type') == 'complete':
|
||||
@ -290,14 +290,14 @@ class GraphQLWSClient():
|
||||
self.ws_id_query_queues[json_msg['id']] = queue.Queue(maxsize=-1)
|
||||
#Put event in the correponding query_queue
|
||||
self.ws_id_query_queues[query_id].put(json_msg)
|
||||
|
||||
|
||||
if json_msg['type'] != 'ping':
|
||||
self.ws_queue.put(json_msg)
|
||||
|
||||
def _on_close(self):
|
||||
self.remote_closed = True
|
||||
self.init_done = False
|
||||
|
||||
|
||||
def get_conn_close_state(self):
|
||||
return self.remote_closed or self.is_closing
|
||||
|
||||
|