graphql 2.4.13 → 2.5.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 35661aff446f955116332f131cd6323839e0b5f0ea104512a8257a28d3232e43
-  data.tar.gz: 023eb7cff94490520342572da1b7dc2b017dfa99daa5c9d18503b51de7dccc66
+  metadata.gz: 5c2ef756861a779063236ee9f8745d30ae3494138674239c8f638556d7f5105e
+  data.tar.gz: 23592e61f76acb0be2a4c60d953a829e8f1d46534633513ac44797a5d3386d2a
 SHA512:
-  metadata.gz: 29645fc0f923d6e268888c43fbd703189160ac8be5ea8d0fc9a17683d7336c43b20cfcdfd1cafd90291840c59e2d06d3eb8b27b66bb41e26beea0f4388e7a839
-  data.tar.gz: 63f1a5c91cbd08948ffc96bcb0d581a3959c2d0f13be19402200d1e0209187ab70d6f8c27e2b6a62ac93a27a945792d93ecf03bb6f53b37778eb88c3570e2553
+  metadata.gz: 5c8db1d976343d569aa1fec1cee02de2c72947e0937fcd9917f8f6e078204efd373d244954e9e03b8dc7fd20066dcf7533bf4b52c706dba0f5640b60ae0465f0
+  data.tar.gz: 38422c543b159cc7243ac4dcc9139ed95b2583cab7942c60e4c557b89d6a4ffaa8fb1df94286fa3fbe4b918f5c116364d5fbe5c2afa611ba9d46d7ac56c18e61

data/lib/graphql/analysis/query_complexity.rb

@@ -13,7 +13,32 @@ module GraphQL
 
       # Override this method to use the complexity result
       def result
-        max_possible_complexity
+        case subject.schema.complexity_cost_calculation_mode_for(subject.context)
+        when :future
+          max_possible_complexity
+        when :legacy
+          max_possible_complexity(mode: :legacy)
+        when :compare
+          future_complexity = max_possible_complexity
+          legacy_complexity = max_possible_complexity(mode: :legacy)
+          if future_complexity != legacy_complexity
+            subject.schema.legacy_complexity_cost_calculation_mismatch(subject, future_complexity, legacy_complexity)
+          else
+            future_complexity
+          end
+        when nil
+          subject.logger.warn <<~GRAPHQL
+            GraphQL-Ruby's complexity cost system is getting some "breaking fixes" in a future version. See the migration notes at https://graphql-ruby.org/api-doc/#{GraphQL::VERSION}/GraphQL/Schema.html#complexity_cost_calculation_mode_for-class_method
+
+            To opt into the future behavior, configure your schema (#{subject.schema.name ? subject.schema.name : subject.schema.ancestors}) with:
+
+              complexity_cost_calculation_mode(:future) # or `:legacy`, `:compare`
+
+          GRAPHQL
+          max_possible_complexity(mode: :legacy)
+        else
+          raise ArgumentError, "Expected `:future`, `:legacy`, `:compare`, or `nil` from `#{query.schema}.complexity_cost_calculation_mode_for` but got: #{query.schema.complexity_cost_calculation_mode.inspect}"
+        end
       end
 
       # ScopedTypeComplexity models a tree of GraphQL types mapped to inner selections, ie:
@@ -44,6 +69,10 @@ module GraphQL
         def own_complexity(child_complexity)
           @field_definition.calculate_complexity(query: @query, nodes: @nodes, child_complexity: child_complexity)
         end
+
+        def composite?
+          !empty?
+        end
       end
 
       def on_enter_field(node, parent, visitor)
@@ -77,16 +106,17 @@ module GraphQL
       private
 
       # @return [Integer]
-      def max_possible_complexity
+      def max_possible_complexity(mode: :future)
         @complexities_on_type_by_query.reduce(0) do |total, (query, scopes_stack)|
-          total + merged_max_complexity_for_scopes(query, [scopes_stack.first])
+          total + merged_max_complexity_for_scopes(query, [scopes_stack.first], mode)
         end
       end
 
       # @param query [GraphQL::Query] Used for `query.possible_types`
       # @param scopes [Array<ScopedTypeComplexity>] Array of scoped type complexities
+      # @param mode [:future, :legacy]
       # @return [Integer]
-      def merged_max_complexity_for_scopes(query, scopes)
+      def merged_max_complexity_for_scopes(query, scopes, mode)
         # Aggregate a set of all possible scope types encountered (scope keys).
         # Use a hash, but ignore the values; it's just a fast way to work with the keys.
         possible_scope_types = scopes.each_with_object({}) do |scope, memo|
@@ -115,14 +145,20 @@ module GraphQL
           end
 
           # Find the maximum complexity for the scope type among possible lexical branches.
-          complexity = merged_max_complexity(query, all_inner_selections)
+          complexity = case mode
+          when :legacy
+            legacy_merged_max_complexity(query, all_inner_selections)
+          when :future
+            merged_max_complexity(query, all_inner_selections)
+          else
+            raise ArgumentError, "Expected :legacy or :future, not: #{mode.inspect}"
+          end
           complexity > max ? complexity : max
         end
       end
 
       def types_intersect?(query, a, b)
         return true if a == b
-
         a_types = query.types.possible_types(a)
         query.types.possible_types(b).any? { |t| a_types.include?(t) }
       end
@@ -145,6 +181,50 @@ module GraphQL
           memo.merge!(inner_selection)
         end
 
+        # Add up the total cost for each unique field name's coalesced selections
+        unique_field_keys.each_key.reduce(0) do |total, field_key|
+          # Collect all child scopes for this field key;
+          # all keys come with at least one scope.
+          child_scopes = inner_selections.filter_map { _1[field_key] }
+
+          # Compute maximum possible cost of child selections;
+          # composites merge their maximums, while leaf scopes are always zero.
+          # FieldsWillMerge validation assures all scopes are uniformly composite or leaf.
+          maximum_children_cost = if child_scopes.any?(&:composite?)
+            merged_max_complexity_for_scopes(query, child_scopes, :future)
+          else
+            0
+          end
+
+          # Identify the maximum cost and scope among possibilities
+          maximum_cost = 0
+          maximum_scope = child_scopes.reduce(child_scopes.last) do |max_scope, possible_scope|
+            scope_cost = possible_scope.own_complexity(maximum_children_cost)
+            if scope_cost > maximum_cost
+              maximum_cost = scope_cost
+              possible_scope
+            else
+              max_scope
+            end
+          end
+
+          field_complexity(
+            maximum_scope,
+            max_complexity: maximum_cost,
+            child_complexity: maximum_children_cost,
+          )
+
+          total + maximum_cost
+        end
+      end
+
+      def legacy_merged_max_complexity(query, inner_selections)
+        # Aggregate a set of all unique field selection keys across all scopes.
+        # Use a hash, but ignore the values; it's just a fast way to work with the keys.
+        unique_field_keys = inner_selections.each_with_object({}) do |inner_selection, memo|
+          memo.merge!(inner_selection)
+        end
+
         # Add up the total cost for each unique field name's coalesced selections
         unique_field_keys.each_key.reduce(0) do |total, field_key|
           composite_scopes = nil
@@ -167,7 +247,7 @@ module GraphQL
           end
 
           if composite_scopes
-            child_complexity = merged_max_complexity_for_scopes(query, composite_scopes)
+            child_complexity = merged_max_complexity_for_scopes(query, composite_scopes, :legacy)
 
             # This is the last composite scope visited; assume it's representative (for backwards compatibility).
             # Note: it would be more correct to score each composite scope and use the maximum possibility.

data/lib/graphql/backtrace/table.rb

@@ -78,23 +78,32 @@ module GraphQL
             end
           end
 
-
           object = result.graphql_application_value.object.inspect
-          ast_node = result.graphql_selections.find { |s| s.alias == last_part || s.name == last_part }
-          field_defn = query.get_field(result.graphql_result_type, ast_node.name)
-          args = query.arguments_for(ast_node, field_defn).to_h
-          field_path = field_defn.path
-          if ast_node.alias
-            field_path += " as #{ast_node.alias}"
+          ast_node = nil
+          result.graphql_selections.each do |s|
+            found_ast_node = find_ast_node(s, last_part)
+            if found_ast_node
+              ast_node = found_ast_node
+              break
+            end
           end
 
-          rows << [
-            ast_node.position.join(":"),
-            field_path,
-            "#{object}",
-            args.inspect,
-            inspect_result(@override_value)
-          ]
+          if ast_node
+            field_defn = query.get_field(result.graphql_result_type, ast_node.name)
+            args = query.arguments_for(ast_node, field_defn).to_h
+            field_path = field_defn.path
+            if ast_node.alias
+              field_path += " as #{ast_node.alias}"
+            end
+
+            rows << [
+              ast_node.position.join(":"),
+              field_path,
+              "#{object}",
+              args.inspect,
+              inspect_result(@override_value)
+            ]
+          end
 
           rows << HEADERS
           rows.reverse!
@@ -102,6 +111,20 @@ module GraphQL
         end
       end
 
+      def find_ast_node(node, last_part)
+        return nil unless node
+        return node if node.respond_to?(:alias) && node.respond_to?(:name) && (node.alias == last_part || node.name == last_part)
+        return nil unless node.respond_to?(:selections)
+        return nil if node.selections.nil? || node.selections.empty?
+
+        node.selections.each do |child|
+          child_ast_node = find_ast_node(child, last_part)
+          return child_ast_node if child_ast_node
+        end
+
+        nil
+      end
+
       # @return [String]
       def render_table(rows)
         max = Array.new(HEADERS.length, MIN_COL_WIDTH)

data/lib/graphql/current.rb

@@ -22,7 +22,7 @@ module GraphQL
   #   ]
   #
   module Current
-    # @return [String, nil] Comma-joined operation names for the currently-running {Multiplex}. `nil` if all operations are anonymous.
+    # @return [String, nil] Comma-joined operation names for the currently-running {Execution::Multiplex}. `nil` if all operations are anonymous.
     def self.operation_name
       if (m = Fiber[:__graphql_current_multiplex])
         m.context[:__graphql_current_operation_name] ||= begin

data/lib/graphql/dashboard/detailed_traces.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+require_relative "./installable"
+module Graphql
+  class Dashboard < Rails::Engine
+    module DetailedTraces
+      class TracesController < Graphql::Dashboard::ApplicationController
+        include Installable
+
+        def index
+          @last = params[:last]&.to_i || 50
+          @before = params[:before]&.to_i
+          @traces = schema_class.detailed_trace.traces(last: @last, before: @before)
+        end
+
+        def show
+          trace = schema_class.detailed_trace.find_trace(params[:id].to_i)
+          send_data(trace.trace_data)
+        end
+
+        def destroy
+          schema_class.detailed_trace.delete_trace(params[:id])
+          flash[:success] = "Trace deleted."
+          head :no_content
+        end
+
+        def delete_all
+          schema_class.detailed_trace.delete_all_traces
+          flash[:success] = "Deleted all traces."
+          head :no_content
+        end
+
+        private
+
+        def feature_installed?
+          !!schema_class.detailed_trace
+        end
+
+        INSTALLABLE_COMPONENT_HEADER_HTML = "Detailed traces aren't installed yet."
+        INSTALLABLE_COMPONENT_MESSAGE_HTML = <<~HTML.html_safe
+          GraphQL-Ruby can instrument production traffic and save tracing artifacts here for later review.
+          <br>
+          Read more in <a href="https://graphql-ruby.org/queries/tracing#detailed-traces">the detailed tracing docs</a>.
+        HTML
+      end
+    end
+  end
+end

data/lib/graphql/dashboard/installable.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module Graphql
+  class Dashboard < Rails::Engine
+    module Installable
+      def self.included(child_module)
+        child_module.before_action(:check_installed)
+      end
+
+      def feature_installed?
+        raise "Implement #{self.class}#feature_installed? to check whether this should render `not_installed` or not."
+      end
+
+      def check_installed
+        if !feature_installed?
+          @component_header_html = self.class::INSTALLABLE_COMPONENT_HEADER_HTML
+          @component_message_html = self.class::INSTALLABLE_COMPONENT_MESSAGE_HTML
+          render "graphql/dashboard/not_installed"
+        end
+      end
+    end
+  end
+end

data/lib/graphql/dashboard/limiters.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+require_relative "./installable"
+module Graphql
+  class Dashboard < Rails::Engine
+    module Limiters
+      class LimitersController < Dashboard::ApplicationController
+        include Installable
+        FALLBACK_CSP_NONCE_GENERATOR = ->(_req) { SecureRandom.hex(32) }
+
+        def show
+          name = params[:name]
+          @title = case name
+          when "runtime"
+            "Runtime Limiter"
+          when "active_operations"
+            "Active Operation Limiter"
+          when "mutations"
+            "Mutation Limiter"
+          else
+            raise ArgumentError, "Unknown limiter name: #{name}"
+          end
+
+          limiter = limiter_for(name)
+          if limiter.nil?
+            @install_path = "http://graphql-ruby.org/limiters/#{name}"
+          else
+            @chart_mode = params[:chart] || "day"
+            @current_soft = limiter.soft_limit_enabled?
+            @histogram = limiter.dashboard_histogram(@chart_mode)
+
+            # These configs may have already been defined by the application; provide overrides here if not.
+            request.content_security_policy_nonce_generator ||= FALLBACK_CSP_NONCE_GENERATOR
+            nonce_dirs = request.content_security_policy_nonce_directives || []
+            if !nonce_dirs.include?("style-src")
+              nonce_dirs += ["style-src"]
+              request.content_security_policy_nonce_directives = nonce_dirs
+            end
+            @csp_nonce = request.content_security_policy_nonce
+          end
+        end
+
+        def update
+          name = params[:name]
+          limiter = limiter_for(name)
+          if limiter
+            limiter.toggle_soft_limit
+            flash[:success] = if limiter.soft_limit_enabled?
+              "Enabled soft limiting -- over-limit traffic will be logged but not rejected."
+            else
+              "Disabled soft limiting -- over-limit traffic will be rejected."
+            end
+          else
+            flash[:warning] = "No limiter configured for #{name.inspect}"
+          end
+
+          redirect_to graphql_dashboard.limiters_limiter_path(name, chart: params[:chart])
+        end
+
+        private
+
+        def limiter_for(name)
+          case name
+          when "runtime"
+            schema_class.enterprise_runtime_limiter
+          when "active_operations"
+            schema_class.enterprise_active_operation_limiter
+          when "mutations"
+            schema_class.enterprise_mutation_limiter
+          else
+            raise ArgumentError, "Unknown limiter: #{name}"
+          end
+        end
+
+        def feature_installed?
+          defined?(GraphQL::Enterprise::Limiter) &&
+            (
+              schema_class.enterprise_active_operation_limiter ||
+              schema_class.enterprise_runtime_limiter ||
+              (schema_class.respond_to?(:enterprise_mutation_limiter) && schema_class.enterprise_mutation_limiter)
+            )
+        end
+
+
+        INSTALLABLE_COMPONENT_HEADER_HTML = "Rate limiters aren't installed on this schema yet."
+        INSTALLABLE_COMPONENT_MESSAGE_HTML = <<-HTML.html_safe
+          Check out the docs to get started with GraphQL-Enterprise's
+          <a href="https://graphql-ruby.org/limiters/runtime.html">runtime limiter</a> or
+          <a href="https://graphql-ruby.org/limiters/active_operations.html">active operation limiter</a>.
+        HTML
+      end
+    end
+  end
+end

data/lib/graphql/dashboard/operation_store.rb

@@ -0,0 +1,199 @@
+# frozen_string_literal: true
+require_relative "./installable"
+module Graphql
+  class Dashboard < Rails::Engine
+    module OperationStore
+      class BaseController < Dashboard::ApplicationController
+        include Installable
+
+        private
+
+        def feature_installed?
+          schema_class.respond_to?(:operation_store) && schema_class.operation_store.is_a?(GraphQL::Pro::OperationStore)
+        end
+
+        INSTALLABLE_COMPONENT_HEADER_HTML = "<code>OperationStore</code> isn't installed for this schema yet.".html_safe
+        INSTALLABLE_COMPONENT_MESSAGE_HTML = <<-HTML.html_safe
+          Learn more about improving performance and security with stored operations
+          in the <a href="https://graphql-ruby.org/operation_store/overview.html"><code>OperationStore</code> docs</a>.
+        HTML
+      end
+
+      class ClientsController < BaseController
+        def index
+          @order_by = params[:order_by] || "name"
+          @order_dir = params[:order_dir].presence || "asc"
+          clients_page = schema_class.operation_store.all_clients(
+            page: params[:page]&.to_i || 1,
+            per_page: params[:per_page]&.to_i || 25,
+            order_by: @order_by,
+            order_dir: @order_dir,
+          )
+
+          @clients_page = clients_page
+        end
+
+        def new
+          @client = init_client(secret: SecureRandom.hex(32))
+        end
+
+        def create
+          client_params = params.require(:client).permit(:name, :secret)
+          schema_class.operation_store.upsert_client(client_params[:name], client_params[:secret])
+          flash[:success] = "Created #{client_params[:name].inspect}"
+          redirect_to graphql_dashboard.operation_store_clients_path
+        end
+
+        def edit
+          @client = schema_class.operation_store.get_client(params[:name])
+        end
+
+        def update
+          client_name = params[:name]
+          client_secret = params.require(:client).permit(:secret)[:secret]
+          schema_class.operation_store.upsert_client(client_name, client_secret)
+          flash[:success] = "Updated #{client_name.inspect}"
+          redirect_to graphql_dashboard.operation_store_clients_path
+        end
+
+        def destroy
+          client_name = params[:name]
+          schema_class.operation_store.delete_client(client_name)
+          flash[:success] = "Deleted #{client_name.inspect}"
+          redirect_to graphql_dashboard.operation_store_clients_path
+        end
+
+        private
+
+        def init_client(name: nil, secret: nil)
+          GraphQL::Pro::OperationStore::ClientRecord.new(
+            name: name,
+            secret: secret,
+            created_at: nil,
+            operations_count: 0,
+            archived_operations_count: 0,
+            last_synced_at: nil,
+            last_used_at: nil,
+          )
+        end
+      end
+
+      class OperationsController < BaseController
+        def index
+          @client_operations = client_name = params[:client_name]
+          per_page = params[:per_page]&.to_i || 25
+          page = params[:page]&.to_i || 1
+          @is_archived = params[:archived_status] == :archived
+          order_by = params[:order_by] || "name"
+          order_dir = params[:order_dir]&.to_sym || :asc
+          if @client_operations
+            @operations_page = schema_class.operation_store.get_client_operations_by_client(
+              client_name,
+              page: page,
+              per_page: per_page,
+              is_archived: @is_archived,
+              order_by: order_by,
+              order_dir: order_dir,
+            )
+            opposite_archive_mode_count = schema_class.operation_store.get_client_operations_by_client(
+              client_name,
+              page: 1,
+              per_page: 1,
+              is_archived: !@is_archived,
+              order_by: order_by,
+              order_dir: order_dir,
+            ).total_count
+          else
+            @operations_page = schema_class.operation_store.all_operations(
+              page: page,
+              per_page: per_page,
+              is_archived: @is_archived,
+              order_by: order_by,
+              order_dir: order_dir,
+            )
+            opposite_archive_mode_count = schema_class.operation_store.all_operations(
+              page: 1,
+              per_page: 1,
+              is_archived: !@is_archived,
+              order_by: order_by,
+              order_dir: order_dir,
+            ).total_count
+          end
+
+          if @is_archived
+            @archived_operations_count = @operations_page.total_count
+            @unarchived_operations_count = opposite_archive_mode_count
+          else
+            @archived_operations_count = opposite_archive_mode_count
+            @unarchived_operations_count = @operations_page.total_count
+          end
+        end
+
+        def show
+          digest = params[:digest]
+          @operation = schema_class.operation_store.get_operation_by_digest(digest)
+          if @operation
+            # Parse & re-format the query
+            document = GraphQL.parse(@operation.body)
+            @graphql_source = document.to_query_string
+
+            @client_operations = schema_class.operation_store.get_client_operations_by_digest(digest)
+            @entries = schema_class.operation_store.get_index_entries_by_digest(digest)
+          end
+        end
+
+        def update
+          is_archived = case params[:modification]
+          when :archive
+            true
+          when :unarchive
+            false
+          else
+            raise ArgumentError, "Unexpected modification: #{params[:modification].inspect}"
+          end
+
+          if (client_name = params[:client_name])
+            operation_aliases = params[:operation_aliases]
+            schema_class.operation_store.archive_client_operations(
+              client_name: client_name,
+              operation_aliases: operation_aliases,
+              is_archived: is_archived
+            )
+            flash[:success] = "#{is_archived ? "Archived" : "Activated"} #{operation_aliases.size} #{"operation".pluralize(operation_aliases.size)}"
+          else
+            digests = params[:digests]
+            schema_class.operation_store.archive_operations(
+              digests: digests,
+              is_archived: is_archived
+            )
+            flash[:success] = "#{is_archived ? "Archived" : "Activated"} #{digests.size} #{"operation".pluralize(digests.size)}"
+          end
+          head :no_content
+        end
+      end
+
+      class IndexEntriesController < BaseController
+        def index
+          @search_term = if request.params["q"] && request.params["q"].length > 0
+            request.params["q"]
+          else
+            nil
+          end
+
+          @index_entries_page = schema_class.operation_store.all_index_entries(
+            search_term: @search_term,
+            page: params[:page]&.to_i || 1,
+            per_page: params[:per_page]&.to_i || 25,
+          )
+        end
+
+        def show
+          name = params[:name]
+          @entry = schema_class.operation_store.index.get_entry(name)
+          @chain = schema_class.operation_store.index.index_entry_chain(name)
+          @operations = schema_class.operation_store.get_operations_by_index_entry(name)
+        end
+      end
+    end
+  end
+end