mirror of
https://github.com/hasura/graphql-engine.git
synced 2024-12-17 04:24:35 +03:00
92026b769f
fixes #3868 docker image - `hasura/graphql-engine:inherited-roles-preview-48b73a2de` Note: To be able to use the inherited roles feature, the graphql-engine should be started with the env variable `HASURA_GRAPHQL_EXPERIMENTAL_FEATURES` set to `inherited_roles`. Introduction ------------ This PR implements the idea of multiple roles as presented in this [paper](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/FGALanguageICDE07.pdf). The multiple roles feature in this PR can be used via inherited roles. An inherited role is a role which can be created by combining multiple singular roles. For example, if there are two roles `author` and `editor` configured in the graphql-engine, then we can create a inherited role with the name of `combined_author_editor` role which will combine the select permissions of the `author` and `editor` roles and then make GraphQL queries using the `combined_author_editor`. How are select permissions of different roles are combined? ------------------------------------------------------------ A select permission includes 5 things: 1. Columns accessible to the role 2. Row selection filter 3. Limit 4. Allow aggregation 5. Scalar computed fields accessible to the role Suppose there are two roles, `role1` gives access to the `address` column with row filter `P1` and `role2` gives access to both the `address` and the `phone` column with row filter `P2` and we create a new role `combined_roles` which combines `role1` and `role2`. Let's say the following GraphQL query is queried with the `combined_roles` role. ```graphql query { employees { address phone } } ``` This will translate to the following SQL query: ```sql select (case when (P1 or P2) then address else null end) as address, (case when P2 then phone else null end) as phone from employee where (P1 or P2) ``` The other parameters of the select permission will be combined in the following manner: 1. Limit - Minimum of the limits will be the limit of the inherited role 2. Allow aggregations - If any of the role allows aggregation, then the inherited role will allow aggregation 3. Scalar computed fields - same as table column fields, as in the above example APIs for inherited roles: ---------------------- 1. `add_inherited_role` `add_inherited_role` is the [metadata API](https://hasura.io/docs/1.0/graphql/core/api-reference/index.html#schema-metadata-api) to create a new inherited role. It accepts two arguments `role_name`: the name of the inherited role to be added (String) `role_set`: list of roles that need to be combined (Array of Strings) Example: ```json { "type": "add_inherited_role", "args": { "role_name":"combined_user", "role_set":[ "user", "user1" ] } } ``` After adding the inherited role, the inherited role can be used like single roles like earlier Note: An inherited role can only be created with non-inherited/singular roles. 2. `drop_inherited_role` The `drop_inherited_role` API accepts the name of the inherited role and drops it from the metadata. It accepts a single argument: `role_name`: name of the inherited role to be dropped Example: ```json { "type": "drop_inherited_role", "args": { "role_name":"combined_user" } } ``` Metadata --------- The derived roles metadata will be included under the `experimental_features` key while exporting the metadata. ```json { "experimental_features": { "derived_roles": [ { "role_name": "manager_is_employee_too", "role_set": [ "employee", "manager" ] } ] } } ``` Scope ------ Only postgres queries and subscriptions are supported in this PR. Important points: ----------------- 1. All columns exposed to an inherited role will be marked as `nullable`, this is done so that cell value nullification can be done. TODOs ------- - [ ] Tests - [ ] Test a GraphQL query running with a inherited role without enabling inherited roles in experimental features - [] Tests for aggregate queries, limit, computed fields, functions, subscriptions (?) - [ ] Introspection test with a inherited role (nullability changes in a inherited role) - [ ] Docs - [ ] Changelog Co-authored-by: Vamshi Surabhi <6562944+0x777@users.noreply.github.com> GitOrigin-RevId: 3b8ee1e11f5ceca80fe294f8c074d42fbccfec63
184 lines
6.5 KiB
Haskell
184 lines
6.5 KiB
Haskell
{-# LANGUAGE AllowAmbiguousTypes #-}
|
|
|
|
-- | Helper functions for generating the schema of database tables
|
|
module Hasura.GraphQL.Schema.Table
|
|
( getTableGQLName
|
|
, tableSelectColumnsEnum
|
|
, tableUpdateColumnsEnum
|
|
, tablePermissions
|
|
, tableSelectPermissions
|
|
, tableSelectFields
|
|
, tableColumns
|
|
, tableSelectColumns
|
|
, tableUpdateColumns
|
|
) where
|
|
|
|
import Hasura.Prelude
|
|
|
|
import qualified Data.HashMap.Strict as Map
|
|
import qualified Data.HashSet as Set
|
|
import qualified Language.GraphQL.Draft.Syntax as G
|
|
|
|
import Data.Text.Extended
|
|
|
|
import qualified Hasura.GraphQL.Parser as P
|
|
|
|
import Hasura.GraphQL.Parser (Kind (..), Parser)
|
|
import Hasura.GraphQL.Parser.Class
|
|
import Hasura.GraphQL.Schema.Backend
|
|
import Hasura.RQL.DML.Internal (getRolePermInfo)
|
|
import Hasura.RQL.Types
|
|
|
|
-- | Helper function to get the table GraphQL name. A table may have a
|
|
-- custom name configured with it. When the custom name exists, the GraphQL nodes
|
|
-- that are generated according to the custom name. For example: Let's say,
|
|
-- we have a table called `users address`, the name of the table is not GraphQL
|
|
-- compliant so we configure the table with a GraphQL compliant name,
|
|
-- say `users_address`
|
|
-- The generated top-level nodes of this table will be like `users_address`,
|
|
-- `insert_users_address` etc
|
|
getTableGQLName
|
|
:: forall b r m. (Backend b, MonadTableInfo r m)
|
|
=> TableName b
|
|
-> m G.Name
|
|
getTableGQLName tableName = do
|
|
-- FIXME: pass tableInfo along to avoid unecessary cache lookups
|
|
tableInfo <- askTableInfo @b tableName
|
|
let tableCustomName = _tcCustomName . _tciCustomConfig . _tiCoreInfo $ tableInfo
|
|
tableCustomName
|
|
`onNothing` tableGraphQLName @b tableName
|
|
`onLeft` throwError
|
|
|
|
-- | Table select columns enum
|
|
--
|
|
-- Parser for an enum type that matches the columns of the given
|
|
-- table. Used as a parameter for "distinct", among others. Maps to
|
|
-- the table_select_column object.
|
|
--
|
|
-- Return Nothing if there's no column the current user has "select"
|
|
-- permissions for.
|
|
tableSelectColumnsEnum
|
|
:: forall m n r b
|
|
. (BackendSchema b, MonadSchema n m, MonadRole r m, MonadTableInfo r m)
|
|
=> TableName b
|
|
-> SelPermInfo b
|
|
-> m (Maybe (Parser 'Both n (Column b)))
|
|
tableSelectColumnsEnum table selectPermissions = do
|
|
tableGQLName <- getTableGQLName @b table
|
|
columns <- tableSelectColumns table selectPermissions
|
|
let enumName = tableGQLName <> $$(G.litName "_select_column")
|
|
description = Just $ G.Description $
|
|
"select columns of table " <>> table
|
|
pure $ P.enum enumName description <$> nonEmpty
|
|
[ ( define $ pgiName column
|
|
, pgiColumn column
|
|
)
|
|
| column <- columns
|
|
]
|
|
where
|
|
define name =
|
|
P.mkDefinition name (Just $ G.Description "column name") P.EnumValueInfo
|
|
|
|
-- | Table update columns enum
|
|
--
|
|
-- Parser for an enum type that matches the columns of the given
|
|
-- table. Used for conflict resolution in "insert" mutations, among
|
|
-- others. Maps to the table_update_column object.
|
|
--
|
|
-- Return Nothing if there's no column the current user has "update"
|
|
-- permissions for.
|
|
tableUpdateColumnsEnum
|
|
:: forall m n r b
|
|
. (BackendSchema b, MonadSchema n m, MonadRole r m, MonadTableInfo r m)
|
|
=> TableName b
|
|
-> UpdPermInfo b
|
|
-> m (Maybe (Parser 'Both n (Column b)))
|
|
tableUpdateColumnsEnum table updatePermissions = do
|
|
tableGQLName <- getTableGQLName @b table
|
|
columns <- tableUpdateColumns table updatePermissions
|
|
let enumName = tableGQLName <> $$(G.litName "_update_column")
|
|
description = Just $ G.Description $
|
|
"update columns of table " <>> table
|
|
pure $ P.enum enumName description <$> nonEmpty
|
|
[ ( define $ pgiName column
|
|
, pgiColumn column
|
|
)
|
|
| column <- columns
|
|
]
|
|
where
|
|
define name =
|
|
P.mkDefinition name (Just $ G.Description "column name") P.EnumValueInfo
|
|
|
|
tablePermissions
|
|
:: forall m n r b. (Backend b, MonadSchema n m, MonadTableInfo r m, MonadRole r m)
|
|
=> TableName b
|
|
-> m (Maybe (RolePermInfo b))
|
|
tablePermissions table = do
|
|
roleName <- askRoleName
|
|
tableInfo <- askTableInfo table
|
|
pure $ getRolePermInfo roleName tableInfo
|
|
|
|
tableSelectPermissions
|
|
:: forall m n r b. (Backend b, MonadSchema n m, MonadTableInfo r m, MonadRole r m)
|
|
=> TableName b
|
|
-> m (Maybe (SelPermInfo b))
|
|
tableSelectPermissions table = (_permSel =<<) <$> tablePermissions table
|
|
|
|
tableSelectFields
|
|
:: forall m n r b. (Backend b, MonadSchema n m, MonadTableInfo r m, MonadRole r m)
|
|
=> TableName b
|
|
-> SelPermInfo b
|
|
-> m [FieldInfo b]
|
|
tableSelectFields table permissions = do
|
|
tableFields <- _tciFieldInfoMap . _tiCoreInfo <$> askTableInfo table
|
|
filterM canBeSelected $ Map.elems tableFields
|
|
where
|
|
canBeSelected (FIColumn columnInfo) =
|
|
pure $ Map.member (pgiColumn columnInfo) (spiCols permissions)
|
|
canBeSelected (FIRelationship relationshipInfo) =
|
|
isJust <$> tableSelectPermissions @_ @_ @_ @b (riRTable relationshipInfo)
|
|
canBeSelected (FIComputedField computedFieldInfo) =
|
|
case _cfiReturnType computedFieldInfo of
|
|
CFRScalar _ ->
|
|
pure $ Map.member (_cfiName computedFieldInfo) $ spiScalarComputedFields permissions
|
|
CFRSetofTable tableName ->
|
|
isJust <$> tableSelectPermissions @_ @_ @_ @b tableName
|
|
canBeSelected (FIRemoteRelationship _) = pure True
|
|
|
|
tableColumns
|
|
:: forall m n r b. (Backend b, MonadSchema n m, MonadTableInfo r m)
|
|
=> TableName b
|
|
-> m [ColumnInfo b]
|
|
tableColumns table =
|
|
mapMaybe columnInfo . Map.elems . _tciFieldInfoMap . _tiCoreInfo <$> askTableInfo table
|
|
where
|
|
columnInfo (FIColumn ci) = Just ci
|
|
columnInfo _ = Nothing
|
|
|
|
tableSelectColumns
|
|
:: forall m n r b. (Backend b, MonadSchema n m, MonadTableInfo r m, MonadRole r m)
|
|
=> TableName b
|
|
-> SelPermInfo b
|
|
-> m [ColumnInfo b]
|
|
tableSelectColumns table permissions =
|
|
mapMaybe columnInfo <$> tableSelectFields table permissions
|
|
where
|
|
columnInfo (FIColumn ci) = Just ci
|
|
columnInfo _ = Nothing
|
|
|
|
tableUpdateColumns
|
|
:: forall m n r b. (Backend b, MonadSchema n m, MonadTableInfo r m)
|
|
=> TableName b
|
|
-> UpdPermInfo b
|
|
-> m [ColumnInfo b]
|
|
tableUpdateColumns table permissions = do
|
|
tableFields <- _tciFieldInfoMap . _tiCoreInfo <$> askTableInfo table
|
|
pure $ mapMaybe isUpdatable $ Map.elems tableFields
|
|
where
|
|
isUpdatable (FIColumn columnInfo) =
|
|
if Set.member (pgiColumn columnInfo) (upiCols permissions)
|
|
&& not (Map.member (pgiColumn columnInfo) (upiSet permissions))
|
|
then Just columnInfo
|
|
else Nothing
|
|
isUpdatable _ = Nothing
|