@apollo/federation-internals 2.10.2 → 2.10.4

package/src/argumentCompositionStrategies.ts

@@ -1,4 +1,4 @@
-import { InputType, NonNullType, Schema, isListType, isNonNullType } from "./definitions"
+import {InputType, NonNullType, Schema, isListType, isNonNullType} from "./definitions"
 import { sameType } from "./types";
 import { valueEquals } from "./values";
 
@@ -19,6 +19,14 @@ function supportFixedTypes(types: (schema: Schema) => InputType[]): TypeSupportV
   };
 }
 
+function supportAnyNonNullNestedArray(): TypeSupportValidator {
+  return (_, type) =>
+    isNonNullType(type) && isListType(type.ofType)
+      && isNonNullType(type.ofType.ofType) && isListType(type.ofType.ofType.ofType)
+        ? { valid: true }
+        : { valid: false, supportedMsg: 'non nullable nested list types of any type' }
+}
+
 function supportAnyNonNullArray(): TypeSupportValidator {
   return (_, type) => isNonNullType(type) && isListType(type.ofType)
     ? { valid: true }
@@ -54,6 +62,138 @@ function unionValues(values: any[]): any {
   }, []);
 }
 
+/**
+ * Performs conjunction of 2d arrays that represent conditions in Disjunctive Normal Form.
+ *
+ * Each 2D array is interpreted as follows
+ * * Inner array is interpreted as the conjunction (an AND) of the conditions in the array.
+ * * Outer array is interpreted as the disjunction (an OR) of the inner arrays.
+ *
+ * Algorithm
+ * * filter out duplicate entries to limit the amount of necessary computations
+ * * calculate cartesian product of the arrays to find all possible combinations
+ *   * simplify combinations by dropping duplicate conditions (i.e. p ^ p = p, p ^ q = q ^ p)
+ * * eliminate entries that are subsumed by others (i.e. (p ^ q) subsumes (p ^ q ^ r))
+ */
+export function dnfConjunction<T>(values: T[][][]): T[][] {
+  // should never be the case
+  if (values.length == 0) {
+    return [];
+  }
+
+  // Copy the 2D arrays, as we'll be modifying them below (due to sorting).
+  for (let i = 0; i < values.length; i++) {
+    // See the doc string for `convertEmptyToTrue()` to understand why this is
+    // necessary.
+    values[i] = convertEmptyToTrue(dnfCopy(values[i]));
+  }
+
+  // we first filter out duplicate values from candidates
+  // this avoids exponential computation of exactly the same conditions
+  const filtered = filterNestedArrayDuplicates(values);
+
+  // initialize with first entry
+  let result: T[][] = filtered[0];
+  // perform cartesian product to find all possible entries
+  for (let i = 1; i < filtered.length; i++) {
+    const current = filtered[i];
+    const accumulator: T[][] = [];
+    const seen = new Set<string>;
+
+    for (const accElement of result) {
+      for (const currentElement of current) {
+        // filter out elements that are already present in accElement
+        const filteredElement = currentElement.filter((e) => !accElement.includes(e));
+        const candidate = [...accElement, ...filteredElement].sort();
+        const key = JSON.stringify(candidate);
+        // only add entries which has not been seen yet
+        if (!seen.has(key)) {
+          seen.add(key);
+          accumulator.push(candidate);
+        }
+      }
+    }
+    // Now we need to deduplicate the results. Given that
+    // - outer array implies OR requirements
+    // - inner array implies AND requirements
+    // We can filter out any inner arrays that fully contain other inner arrays, i.e.
+    //   A OR B OR (A AND B) OR (A AND B AND C) => A OR B
+    result = deduplicateSubsumedValues(accumulator);
+  }
+  return result;
+}
+
+function filterNestedArrayDuplicates<T>(values: T[][][]): T[][][] {
+  const filtered: T[][][] = [];
+  const seen = new Set<string>;
+  values.forEach((value) => {
+    value.forEach((inner) => {
+      inner.sort();
+    })
+    value.sort((a, b) => {
+      const left = JSON.stringify(a);
+      const right = JSON.stringify(b);
+      return left > right ? 1 : left < right ? -1 : 0;
+    });
+    const key = JSON.stringify(value);
+    if (!seen.has(key)) {
+      seen.add(key);
+      filtered.push(value);
+    }
+  });
+  return filtered;
+}
+
+function deduplicateSubsumedValues<T>(values: T[][]): T[][] {
+  const result: T[][] = [];
+  // we first sort by length as the longer ones might be dropped
+  values.sort((first, second) => {
+    if (first.length < second.length) {
+      return -1;
+    } else if (first.length > second.length) {
+      return 1;
+    } else {
+      return 0;
+    }
+  });
+
+  for (const candidate of values) {
+    const entry = new Set(candidate);
+    let redundant = false;
+    for (const r of result) {
+      if (r.every(e => entry.has(e))) {
+        // if `r` is a subset of a `candidate` then it means `candidate` is redundant
+        redundant = true;
+        break;
+      }
+    }
+
+    if (!redundant) {
+      result.push(candidate);
+    }
+  }
+  return result;
+}
+
+function dnfCopy<T>(value: T[][]): T[][] {
+  const newValue = new Array(value.length);
+  for (let i = 0; i < value.length; i++) {
+    newValue[i] = value[i].slice();
+  }
+  return newValue;
+}
+
+/**
+ * Normally for DNF, you'd consider [] to be always false and [[]] to be always
+ * true, and code that uses some()/every() needs no special-casing to work with
+ * these definitions. However, router special-cases [] to also mean true, and so
+ * if we're about to do any evaluation on DNFs, we need to do these conversions
+ * beforehand.
+ */
+export function convertEmptyToTrue<T>(value: T[][]): T[][] {
+  return value.length === 0 ? [[]] : value;
+}
+
 export const ARGUMENT_COMPOSITION_STRATEGIES = {
   MAX: {
     name: 'MAX',
@@ -95,7 +235,8 @@ export const ARGUMENT_COMPOSITION_STRATEGIES = {
       schema.booleanType(),
       new NonNullType(schema.booleanType())
     ]),
-    mergeValues: mergeNullableValues(
+    mergeValues:
+        mergeNullableValues(
       (values: boolean[]) => values.every((v) => v)
     ),
   },
@@ -113,5 +254,10 @@ export const ARGUMENT_COMPOSITION_STRATEGIES = {
     name: 'NULLABLE_UNION',
     isTypeSupported: supportAnyArray(),
     mergeValues: mergeNullableValues(unionValues),
+  },
+  DNF_CONJUNCTION: {
+    name: 'DNF_CONJUNCTION',
+    isTypeSupported: supportAnyNonNullNestedArray(),
+    mergeValues: dnfConjunction
   }
 }

package/src/definitions.ts

@@ -3825,3 +3825,7 @@ function copyDirectiveDefinitionInner(
 export function isFieldDefinition(elem: SchemaElement<any, any>): elem is FieldDefinition<any> {
   return elem instanceof FieldDefinition;
 }
+
+export function isElementNamedType(elem: SchemaElement<any, any>): elem is NamedType {
+  return elem instanceof BaseNamedType;
+}

package/src/error.ts

@@ -627,6 +627,24 @@ const LIST_SIZE_INVALID_SIZED_FIELD = makeCodeDefinition(
   { addedIn: '2.9.2' },
 );
 
+const MAX_VALIDATION_SUBGRAPH_PATHS_EXCEEDED = makeCodeDefinition(
+  'MAX_VALIDATION_SUBGRAPH_PATHS_EXCEEDED',
+  'The maximum number of validation subgraph paths has been exceeded.',
+  { addedIn: '2.8.0' },
+);
+
+const AUTH_REQUIREMENTS_APPLIED_ON_INTERFACE = makeCodeDefinition(
+    'AUTH_REQUIREMENTS_APPLIED_ON_INTERFACE',
+    'The @authenticated, @requiresScopes and @policy directive cannot be applied on interface, interface fields and interface object',
+    { addedIn: '2.9.4' },
+);
+
+const MISSING_TRANSITIVE_AUTH_REQUIREMENTS = makeCodeDefinition(
+    'MISSING_TRANSITIVE_AUTH_REQUIREMENTS',
+    'Field missing transitive @authenticated, @requiresScopes and/or @policy auth requirements needed to access dependent data.',
+    { addedIn: '2.9.4' },
+)
+
 export const ERROR_CATEGORIES = {
   DIRECTIVE_FIELDS_MISSING_EXTERNAL,
   DIRECTIVE_UNSUPPORTED_ON_INTERFACE,
@@ -727,6 +745,9 @@ export const ERRORS = {
   LIST_SIZE_INVALID_ASSUMED_SIZE,
   LIST_SIZE_INVALID_SIZED_FIELD,
   LIST_SIZE_INVALID_SLICING_ARGUMENT,
+  MAX_VALIDATION_SUBGRAPH_PATHS_EXCEEDED,
+  AUTH_REQUIREMENTS_APPLIED_ON_INTERFACE,
+  MISSING_TRANSITIVE_AUTH_REQUIREMENTS,
 };
 
 const codeDefByCode = Object.values(ERRORS).reduce((obj: {[code: string]: ErrorCodeDefinition}, codeDef: ErrorCodeDefinition) => { obj[codeDef.code] = codeDef; return obj; }, {});

package/src/federation.ts

@@ -37,7 +37,7 @@ import {
   isWrapperType,
   possibleRuntimeTypes,
   isIntType,
-  Type,
+  Type, isFieldDefinition, isElementNamedType,
 } from "./definitions";
 import { assert, MultiMap, printHumanReadableList, OrderedMap, mapValues, assertUnreachable } from "./utils";
 import { SDLValidationRule } from "graphql/validation/ValidationContext";
@@ -1840,6 +1840,9 @@ export class FederationBlueprint extends SchemaBlueprint {
       validateSizedFieldsAreValidLists(application, parent, errorCollector);
     }
 
+    // Validate @authenticated, @requireScopes and @policy usage on interfaces and interface objects
+    validateNoAuthenticationOnInterfaces(metadata, errorCollector);
+
     return errorCollector;
   }
 
@@ -2891,3 +2894,39 @@ function withoutNonExternalLeafFields(selectionSet: SelectionSet): SelectionSet
     return undefined;
   });
 }
+
+function validateNoAuthenticationOnInterfaces(metadata: FederationMetadata, errorCollector: GraphQLError[]) {
+  const authenticatedDirective = metadata.authenticatedDirective();
+  const requiresScopesDirective = metadata.requiresScopesDirective();
+  const policyDirective = metadata.policyDirective();
+  [authenticatedDirective, requiresScopesDirective, policyDirective].forEach((directive) => {
+    for (const application of directive.applications()) {
+      const element: SchemaElement<any, any> = application.parent;
+      if (
+        // Is it applied on interface or interface object types?
+        (isElementNamedType(element) &&
+          (isInterfaceType(element) || isInterfaceObjectType(element))
+        ) ||
+        // Is it applied on interface fields?
+        (isFieldDefinition(element) && isInterfaceType(element.parent))
+      ) {
+        let kind = '';
+        switch (element.kind) {
+          case 'FieldDefinition':
+            kind = 'field';
+            break;
+          case 'InterfaceType':
+            kind = 'interface';
+            break;
+          case 'ObjectType':
+            kind = 'interface object';
+            break;
+        }
+        errorCollector.push(ERRORS.AUTH_REQUIREMENTS_APPLIED_ON_INTERFACE.err(
+            `Invalid use of @${directive.name} on ${kind} "${element.coordinate}": @${directive.name} cannot be applied on interfaces, interface fields and interface objects`,
+            {nodes: sourceASTs(application, element.parent)},
+        ));
+      }
+    }
+  });
+}

package/src/specs/authenticatedSpec.ts

@@ -8,6 +8,7 @@ import {
 } from "./coreSpec";
 import { createDirectiveSpecification } from "../directiveAndTypeSpecification";
 import { registerKnownFeature } from "../knownCoreFeatures";
+import {DirectiveDefinition, Schema} from "../definitions";
 
 export class AuthenticatedSpecDefinition extends FeatureDefinition {
   public static readonly directiveName = "authenticated";
@@ -23,6 +24,10 @@ export class AuthenticatedSpecDefinition extends FeatureDefinition {
       minimumFederationVersion,
     );
 
+    // WARNING: we cannot declare staticArgumentTransform() as access control merge logic needs to propagate
+    // requirements upwards/downwards between types and interfaces. We hijack the merge process by providing
+    // implementations/interfaces as "additional sources". This means that we cannot apply staticArgumentTransform()
+    // as subgraph index index will be wrong/undefined.
     this.registerDirective(createDirectiveSpecification({
       name: AuthenticatedSpecDefinition.directiveName,
       locations: [
@@ -37,6 +42,10 @@ export class AuthenticatedSpecDefinition extends FeatureDefinition {
     }));
   }
 
+  authenticatedDirective(schema: Schema): DirectiveDefinition | undefined {
+    return this.directive(schema, AuthenticatedSpecDefinition.directiveName);
+  }
+
   get defaultCorePurpose(): CorePurpose {
     return 'SECURITY';
   }

package/src/specs/policySpec.ts

@@ -6,7 +6,7 @@ import {
   FeatureUrl,
   FeatureVersion,
 } from "./coreSpec";
-import { ListType, NonNullType } from "../definitions";
+import {DirectiveDefinition, ListType, NonNullType, Schema} from "../definitions";
 import { createDirectiveSpecification, createScalarTypeSpecification } from "../directiveAndTypeSpecification";
 import { registerKnownFeature } from "../knownCoreFeatures";
 import { ARGUMENT_COMPOSITION_STRATEGIES } from "../argumentCompositionStrategies";
@@ -31,6 +31,10 @@ export class PolicySpecDefinition extends FeatureDefinition {
 
     this.registerType(createScalarTypeSpecification({ name: PolicyTypeName.POLICY }));
 
+    // WARNING: we cannot declare staticArgumentTransform() as access control merge logic needs to propagate
+    // requirements upwards/downwards between types and interfaces. We hijack the merge process by providing
+    // implementations/interfaces as "additional sources". This means that we cannot apply staticArgumentTransform()
+    // as subgraph index index will be wrong/undefined.
     this.registerDirective(createDirectiveSpecification({
       name: PolicySpecDefinition.directiveName,
       args: [{
@@ -42,7 +46,7 @@ export class PolicySpecDefinition extends FeatureDefinition {
           assert(PolicyType, () => `Expected "${policyName}" to be defined`);
           return new NonNullType(new ListType(new NonNullType(new ListType(new NonNullType(PolicyType)))));
         },
-        compositionStrategy: ARGUMENT_COMPOSITION_STRATEGIES.UNION,
+        compositionStrategy: ARGUMENT_COMPOSITION_STRATEGIES.DNF_CONJUNCTION,
       }],
       locations: [
         DirectiveLocation.FIELD_DEFINITION,
@@ -56,6 +60,10 @@ export class PolicySpecDefinition extends FeatureDefinition {
     }));
   }
 
+  policyDirective(schema: Schema): DirectiveDefinition<{policies: string[][]}> | undefined {
+    return this.directive(schema, PolicySpecDefinition.directiveName);
+  }
+
   get defaultCorePurpose(): CorePurpose {
     return 'SECURITY';
   }

package/src/specs/requiresScopesSpec.ts

@@ -6,7 +6,7 @@ import {
   FeatureUrl,
   FeatureVersion,
 } from "./coreSpec";
-import { ListType, NonNullType } from "../definitions";
+import {DirectiveDefinition, ListType, NonNullType, Schema} from "../definitions";
 import { createDirectiveSpecification, createScalarTypeSpecification } from "../directiveAndTypeSpecification";
 import { registerKnownFeature } from "../knownCoreFeatures";
 import { ARGUMENT_COMPOSITION_STRATEGIES } from "../argumentCompositionStrategies";
@@ -32,6 +32,10 @@ export class RequiresScopesSpecDefinition extends FeatureDefinition {
 
     this.registerType(createScalarTypeSpecification({ name: RequiresScopesTypeName.SCOPE }));
 
+    // WARNING: we cannot declare staticArgumentTransform() as access control merge logic needs to propagate
+    // requirements upwards/downwards between types and interfaces. We hijack the merge process by providing
+    // implementations/interfaces as "additional sources". This means that we cannot apply staticArgumentTransform()
+    // as subgraph index index will be wrong/undefined.
     this.registerDirective(createDirectiveSpecification({
       name: RequiresScopesSpecDefinition.directiveName,
       args: [{
@@ -43,7 +47,7 @@ export class RequiresScopesSpecDefinition extends FeatureDefinition {
           assert(scopeType, () => `Expected "${scopeName}" to be defined`);
           return new NonNullType(new ListType(new NonNullType(new ListType(new NonNullType(scopeType)))));
         },
-        compositionStrategy: ARGUMENT_COMPOSITION_STRATEGIES.UNION,
+        compositionStrategy: ARGUMENT_COMPOSITION_STRATEGIES.DNF_CONJUNCTION,
       }],
       locations: [
         DirectiveLocation.FIELD_DEFINITION,
@@ -57,6 +61,10 @@ export class RequiresScopesSpecDefinition extends FeatureDefinition {
     }));
   }
 
+  requiresScopesDirective(schema: Schema): DirectiveDefinition<{scopes: string[][]}> | undefined {
+    return this.directive(schema, RequiresScopesSpecDefinition.directiveName);
+  }
+
   get defaultCorePurpose(): CorePurpose {
     return 'SECURITY';
   }