@axinom/mosaic-graphql-common 0.1.0-rc.0

package/src/plugins/annotate-types-with-permissions-plugin.spec.ts

@@ -0,0 +1,158 @@
+import 'jest-extended';
+import { exportedForTestingAnnotatePlugin } from './annotate-types-with-permissions-plugin';
+const getPolicy = (
+  overrides: {
+    permissive?: string;
+    command?: string;
+    using?: string;
+    withcheck?: string;
+  } = {},
+): any => {
+  return {
+    schemaname: 'app_public',
+    tablename: 'entities',
+    permissive: 'PERMISSIVE',
+    command: 'SELECT',
+    using: `((SELECT user_has_permission('READER,EDITOR,ADMIN'::text)) AND ((entity_type)::text = 'MOVIE_GENRE'::text))`,
+    withcheck: null,
+    ...overrides,
+  };
+};
+
+describe('AnnotateTypesWithPermissionsPlugin', () => {
+  describe('setPermissionsCommentText', () => {
+    it.each([undefined, null, '', ' '])(
+      'empty original description without policies -> empty result',
+      (description) => {
+        // Act
+        const result =
+          exportedForTestingAnnotatePlugin.setPermissionsCommentText(
+            description,
+            [],
+            'INSERT',
+          );
+
+        // Assert
+        expect(result).toBe('');
+      },
+    );
+
+    it.each([undefined, null, '', ' '])(
+      'empty original description with matching policy -> permissions without description',
+      (description) => {
+        // Act
+        const result =
+          exportedForTestingAnnotatePlugin.setPermissionsCommentText(
+            description,
+            [getPolicy()],
+            'SELECT',
+          );
+
+        // Assert
+        expect(result).toBe('@permissions: READER,EDITOR,ADMIN');
+      },
+    );
+
+    it('non-empty original description without matching policy -> description without permissions', () => {
+      // Act
+      const result = exportedForTestingAnnotatePlugin.setPermissionsCommentText(
+        'Test description of some GraphQL type.',
+        [getPolicy({ command: 'UPDATE' })],
+        'SELECT',
+      );
+
+      // Assert
+      expect(result).toBe('Test description of some GraphQL type.');
+    });
+
+    it.each(['SELECT', 'ALL'])(
+      'non-empty original description with matching policy -> permissions with description',
+      (command) => {
+        // Act
+        const result =
+          exportedForTestingAnnotatePlugin.setPermissionsCommentText(
+            'Test description of some GraphQL type.',
+            [getPolicy({ command })],
+            'SELECT',
+          );
+
+        // Assert
+        expect(result).toBe(
+          'Test description of some GraphQL type.\n@permissions: READER,EDITOR,ADMIN',
+        );
+      },
+    );
+
+    it('non-empty original description with restrictive and permissive policies -> description with restrictive permissions', () => {
+      // Act
+      const result = exportedForTestingAnnotatePlugin.setPermissionsCommentText(
+        'Test description of some GraphQL type.',
+        [
+          getPolicy({
+            command: 'DELETE',
+            permissive: 'RESTRICTIVE',
+            using: `user_has_permission('ADMIN'::text)`,
+          }),
+          getPolicy({
+            command: 'ALL',
+            permissive: 'PERMISSIVE',
+            using: `(user_has_permission('READER,EDITOR,ADMIN'::text) AND (1 = 1))`,
+            withcheck: `(user_has_permission('EDITOR,ADMIN'::text) AND (1 = 1))`,
+          }),
+        ],
+        'DELETE',
+      );
+
+      // Assert
+      expect(result).toBe(
+        'Test description of some GraphQL type.\n@permissions: ADMIN',
+      );
+    });
+
+    it('non-empty original description with multiple matching policies -> description with multiple permission sets', () => {
+      // Act
+      const result = exportedForTestingAnnotatePlugin.setPermissionsCommentText(
+        'Test description of some GraphQL type.',
+        [
+          // Backwards-compatibility control case
+          getPolicy({
+            command: 'UPDATE',
+            permissive: 'PERMISSIVE',
+            using: `(user_has_permission('TVSHOWS_EDIT,ADMIN'::text) AND ((entity_type)::text = 'TVSHOW'::text))`,
+            withcheck: `(user_has_permission('TVSHOWS_EDIT,ADMIN'::text) AND ((entity_type)::text = 'TVSHOW'::text))`,
+          }),
+          getPolicy({
+            command: 'UPDATE',
+            permissive: 'PERMISSIVE',
+            using: `((SELECT user_has_permission('SETTINGS_EDIT,ADMIN'::text)) AND ((entity_type)::text = 'MOVIE_GENRE'::text))`,
+            withcheck: `((SELECT user_has_permission('SETTINGS_EDIT,ADMIN'::text)) AND ((entity_type)::text = 'MOVIE_GENRE'::text))`,
+          }),
+          getPolicy({
+            command: 'UPDATE',
+            permissive: 'PERMISSIVE',
+            using: `((SELECT user_has_permission('MOVIES_EDIT,ADMIN'::text)) AND ((entity_type)::text = 'MOVIE'::text))`,
+            withcheck: `((SELECT user_has_permission('MOVIES_EDIT,ADMIN'::text)) AND ((entity_type)::text = 'MOVIE'::text))`,
+          }),
+          getPolicy({
+            command: 'UPDATE',
+            permissive: 'PERMISSIVE',
+            using: `((SELECT user_has_permission('TVSHOWS_EDIT,ADMIN'::text)) AND ((entity_type)::text = 'EPISODE'::text))`,
+            withcheck: `((SELECT user_has_permission('TVSHOWS_EDIT,ADMIN'::text)) AND ((entity_type)::text = 'EPISODE'::text))`,
+          }),
+          getPolicy({
+            command: 'UPDATE',
+            permissive: 'PERMISSIVE',
+            using: `((SELECT user_has_permission('SETTINGS_EDIT,ADMIN'::text)) AND ((entity_type)::text = 'TVSHOW_GENRE'::text))`,
+            withcheck: `((SELECT user_has_permission('SETTINGS_EDIT,ADMIN'::text)) AND ((entity_type)::text = 'TVSHOW_GENRE'::text))`,
+          }),
+        ],
+        'UPDATE',
+      );
+
+      // Assert
+      expect(result).toBe(
+        'Test description of some GraphQL type.\n@permissions: MOVIES_EDIT,ADMIN\n@permissions: SETTINGS_EDIT,ADMIN\n@permissions: TVSHOWS_EDIT,ADMIN',
+      );
+    });
+  });
+});

package/src/plugins/annotate-types-with-permissions-plugin.ts

@@ -0,0 +1,205 @@
+import { Pool } from 'pg';
+import { Plugin } from 'postgraphile';
+import { isNullOrWhitespace } from '../common';
+
+interface PolicyRow {
+  schemaname: string;
+  tablename: string;
+  permissive: 'PERMISSIVE' | 'RESTRICTIVE';
+  command: string;
+  using: string | null;
+  withcheck: string | null;
+}
+
+type SqlOperation = 'SELECT' | 'INSERT' | 'UPDATE' | 'DELETE';
+type AllOperations = 'ALL' | SqlOperation;
+
+async function loadPolicies(ownerPool: Pool): Promise<PolicyRow[]> {
+  const client = await ownerPool.connect();
+  try {
+    // get all policies, sort so "ALL" is last and custom ones come earlier
+    const queryResult = await client.query(`
+    select 
+      schemaname,
+      tablename,
+      permissive,
+      cmd as command,
+      qual as using,
+      with_check as withcheck
+    from pg_policies
+    order by command desc`);
+    return queryResult.rows;
+  } finally {
+    client.release();
+  }
+}
+
+function parsePermissions(sqlPolicy: string): string {
+  const matches = /(ax_utils\.)?user_has_permission\('([^']+)/.exec(sqlPolicy);
+  return matches && matches.length > 2 ? matches[2] : '';
+}
+
+function getPermissions(
+  policies: PolicyRow[],
+  commands: AllOperations[],
+  field: 'using' | 'withcheck',
+): string[] {
+  let matchingPolicies = policies.filter(
+    (p) => commands.find((cmd) => p.command === cmd) && p[field],
+  );
+
+  // If RESTRICTIVE policies found, list only them and remove PERMISSIVE ones
+  if (matchingPolicies.some((policy) => policy.permissive === 'RESTRICTIVE')) {
+    matchingPolicies = matchingPolicies.filter(
+      (policy) => policy.permissive === 'RESTRICTIVE',
+    );
+  }
+
+  return [
+    ...new Set<string>( // removes duplicates
+      matchingPolicies
+        .map((p) => parsePermissions(p[field] as string))
+        .filter((p) => !isNullOrWhitespace(p))
+        .sort(),
+    ),
+  ];
+}
+
+function setPermissionsCommentText(
+  currentDescription: string | null | undefined,
+  policies: PolicyRow[],
+  type: SqlOperation,
+): string {
+  const field = type === 'SELECT' || type === 'DELETE' ? 'using' : 'withcheck';
+
+  const permissions = getPermissions(policies, ['ALL', type], field);
+  const description = isNullOrWhitespace(currentDescription)
+    ? ''
+    : currentDescription;
+  return permissions.length > 0
+    ? [
+        isNullOrWhitespace(description) ? description : `${description}\n`,
+        ...permissions
+          .map((permission) => `@permissions: ${permission}`)
+          .join('\n'),
+      ].join('')
+    : description;
+}
+
+// all available hooks are defined here:
+// https://www.graphile.org/graphile-build/all-hooks/
+/**
+ * Plugin that adds permissions annotation to graphql schema descriptions.
+ *
+ * @param graphileBuildOptions should be of type `Partial<Options> & { ownerPool: Pool }`
+ */
+export const AnnotateTypesWithPermissionsPlugin: Plugin = async (
+  builder,
+  { ownerPool },
+) => {
+  const allPolicies = await loadPolicies(ownerPool);
+  builder.hook('GraphQLInputObjectType', (obj, _build, context) => {
+    const scope = context.scope;
+
+    // PostGraphile input Types that do not correspond to a database table
+    if (
+      scope.isPointInputType ||
+      scope.isIntervalInputType ||
+      scope.isPgConnectionFilterOperators ||
+      scope.isPgConnectionFilterMany ||
+      scope.isPgCondition ||
+      scope.isPgConnectionFilter
+    ) {
+      return obj;
+    }
+
+    // PostGraphile generated input types for DB mutations
+    if (scope.pgIntrospection) {
+      const policies = allPolicies.filter(
+        (value) =>
+          value.schemaname === scope.pgIntrospection.namespaceName &&
+          value.tablename === scope.pgIntrospection.name,
+      );
+
+      let operation: SqlOperation;
+
+      switch (true) {
+        case scope.isPgCreateInputType:
+          operation = 'INSERT';
+          break;
+        case scope.isPgUpdateInputType:
+          operation = 'UPDATE';
+          break;
+        case scope.isPgDeleteInputType:
+          operation = 'DELETE';
+          break;
+        default:
+          return obj;
+      }
+
+      obj.description = setPermissionsCommentText(
+        obj.description,
+        policies,
+        operation,
+      );
+      return obj;
+    }
+
+    // The input objects that come to this code-path are custom input types
+    // and require custom logic to protect them!
+    // Only works if they have input >types< - if they have no input or scalar
+    // input values they cannot be found by this method.
+    // Example: PopulateInput from the populate endpoint
+    return obj;
+  });
+
+  builder.hook('GraphQLObjectType', (obj, _build, context) => {
+    const scope = context.scope;
+
+    if (
+      // PostGraphile Types that do not correspond to a database table
+      scope.isPointType ||
+      scope.isIntervalType ||
+      scope.isPgConnectionFilterOperators ||
+      scope.isPgConnectionFilterMany ||
+      scope.isPgCondition ||
+      scope.isPgConnectionFilter ||
+      scope.isPageInfo ||
+      scope.isEdgeType ||
+      scope.isRootQuery ||
+      scope.isRootMutation ||
+      scope.isRootSubscription ||
+      scope.isMutationPayload ||
+      scope.isPgDeletePayloadType ||
+      scope.isPgUpdatePayloadType ||
+      // TODO: Procedures have no row level security: secure them in another way
+      context?.scope?.pgIntrospection?.kind === 'procedure'
+    ) {
+      return obj;
+    }
+
+    // PostGraphile generated types for DB queries
+    if (scope.pgIntrospection) {
+      const policies = allPolicies.filter(
+        (value) =>
+          value.schemaname === scope.pgIntrospection.namespaceName &&
+          value.tablename === scope.pgIntrospection.name,
+      );
+
+      obj.description = setPermissionsCommentText(
+        obj.description,
+        policies,
+        'SELECT',
+      );
+      return obj;
+    }
+
+    // The objects that come to this code-path are custom types
+    // and require custom logic to protect them!
+    // Only works if they have >types< - if they have no input or scalar
+    // input values they cannot be found by this method.
+    return obj;
+  });
+};
+
+export const exportedForTestingAnnotatePlugin = { setPermissionsCommentText };

package/src/plugins/deprecate-stray-node-id-fields-plugin.ts

@@ -0,0 +1,41 @@
+import { Plugin } from 'postgraphile';
+import { UnreachableCaseError } from '../common';
+
+type DeprecateMode = 'DEPRECATE' | 'DROP';
+
+/**
+ * NodePlugin is excluded by default to remove all references of NodeId fields
+ * and byNodeId operations. A few such instances are not removed and handled
+ * explicitly by this plugin, e.g. deletedEntityNodeId in the
+ * DeleteEntityPayload types.
+ *
+ * By default, the plugin marks each field as deprecated. Pass an explicit
+ * `DROP` value to drop the fields instead.
+ */
+export const DeprecateStrayNodeIdFieldsPlugin =
+  (mode: DeprecateMode = 'DEPRECATE'): Plugin =>
+  (builder) => {
+    builder.hook('GraphQLObjectType:fields', (fields, _build, context) => {
+      const typeName = context.Self.name as string;
+      if (typeName.startsWith('Delete') && typeName.endsWith('Payload')) {
+        Object.keys(fields)
+          .filter(
+            (name) => name.startsWith('deleted') && name.endsWith('NodeId'),
+          )
+          .map((name) => {
+            switch (mode) {
+              case 'DEPRECATE':
+                fields[name].deprecationReason = 'The field is obsolete.';
+                break;
+              case 'DROP':
+                delete fields[name];
+                break;
+
+              default:
+                throw new UnreachableCaseError(mode);
+            }
+          });
+      }
+      return fields;
+    });
+  };