graphql: add GraphQL authorisation (#5179)

* add Auth directive (#5178)
* parse auth rules (#5180)
* added query rewriting and e2e tests (#5229)
* parse and evaluate RBAC rules. (#5210)
* added test cases for auth schema parsing. (#5195)
* process auth query rules (#5181)
* send auth variable in custom jwt token. (#5220)
* auth on get and mutation results (#5259)
* delete authorization (#5270)
* parse auth meta info from schema. (#5269)
* auth on add update mutations (#5300)
* query e2e tests for authentication (#5312)
* more testing around additional deletes and auth (#5357)
* add RSA algo for JWT token verification. (#5358)

Author: MichaelJCompton

graphql/admin/schema.go

@@ -106,6 +106,7 @@ func (asr *updateSchemaResolver) Execute(
 		return &dgoapi.Response{Json: b}, err
 	}
 
+	req.CommitNow = true
 	resp, err := asr.baseMutationExecutor.Execute(ctx, req)
 	if err != nil {
 		return nil, err
@@ -124,6 +125,10 @@ func (asr *updateSchemaResolver) Execute(
 	return resp, nil
 }
 
+func (asr *updateSchemaResolver) CommitOrAbort(ctx context.Context, tc *dgoapi.TxnContext) error {
+	return asr.baseMutationExecutor.CommitOrAbort(ctx, tc)
+}
+
 func (gsr *getSchemaResolver) Rewrite(ctx context.Context,
 	gqlQuery schema.Query) (*gql.GraphQuery, error) {
 	gsr.gqlQuery = gqlQuery
@@ -138,6 +143,10 @@ func (gsr *getSchemaResolver) Execute(
 	return &dgoapi.Response{Json: b}, err
 }
 
+func (gsr *getSchemaResolver) CommitOrAbort(ctx context.Context, tc *dgoapi.TxnContext) error {
+	return nil
+}
+
 func doQuery(gql *gqlSchema, field schema.Field) ([]byte, error) {
 
 	var buf bytes.Buffer

graphql/admin/update_group.go

@@ -34,7 +34,7 @@ func (urw *updateGroupRewriter) Rewrite(
 		return nil, nil
 	}
 
-	upsertQuery := resolve.RewriteUpsertQueryFromMutation(m)
+	upsertQuery := resolve.RewriteUpsertQueryFromMutation(m, nil)
 	srcUID := resolve.MutationQueryVarUID
 
 	var errSet, errDel error

graphql/authorization/auth.go

@@ -0,0 +1,210 @@
+/*
+ * Copyright 2020 Dgraph Labs, Inc. and Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package authorization
+
+import (
+	"bytes"
+	"context"
+	"crypto/rsa"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc/metadata"
+)
+
+type ctxKey string
+
+const (
+	AuthJwtCtxKey = ctxKey("authorizationJwt")
+	RSA256        = "RS256"
+	HMAC256       = "HS256"
+)
+
+var (
+	metainfo = &AuthMeta{}
+)
+
+type AuthMeta struct {
+	HMACPublicKey string
+	RSAPublicKey  *rsa.PublicKey
+	Header        string
+	Namespace     string
+	Algo          string
+}
+
+func (m *AuthMeta) Parse(schema string) error {
+	lastCommentIdx := strings.LastIndex(schema, "#")
+	if lastCommentIdx == -1 {
+		return nil
+	}
+	lastComment := schema[lastCommentIdx:]
+	if !strings.HasPrefix(lastComment, "# Authorization") {
+		return nil
+	}
+
+	// This regex matches authorization information present in the last line of the schema.
+	// Format: # Authorization <HTTP header> <Claim namespace> <Algorithm> "<verification key>"
+	// Example: # Authorization X-Test-Auth https://xyz.io/jwt/claims HS256 "secretkey"
+	// On successful regex match the index for the following strings will be returned.
+	// [0][0]:[0][1] : # Authorization X-Test-Auth https://xyz.io/jwt/claims HS256 "secretkey"
+	// [0][2]:[0][3] : Authorization, [0][4]:[0][5] : X-Test-Auth,
+	// [0][6]:[0][7] : https://xyz.io/jwt/claims,
+	// [0][8]:[0][9] : HS256, [0][10]:[0][11] : secretkey
+	authMetaRegex, err :=
+		regexp.Compile(`^#[\s]([^\s]+)[\s]+([^\s]+)[\s]+([^\s]+)[\s]+([^\s]+)[\s]+"([^\"]+)"`)
+	if err != nil {
+		return errors.Errorf("error while parsing jwt authorization info: %v", err)
+	}
+	idx := authMetaRegex.FindAllStringSubmatchIndex(lastComment, -1)
+	if len(idx) != 1 || len(idx[0]) != 12 ||
+		!strings.HasPrefix(lastComment, lastComment[idx[0][0]:idx[0][1]]) {
+		return errors.Errorf("error while parsing jwt authorization info")
+	}
+
+	m.Header = lastComment[idx[0][4]:idx[0][5]]
+	m.Namespace = lastComment[idx[0][6]:idx[0][7]]
+	m.Algo = lastComment[idx[0][8]:idx[0][9]]
+
+	key := lastComment[idx[0][10]:idx[0][11]]
+	if m.Algo == HMAC256 {
+		m.HMACPublicKey = key
+		return nil
+	}
+	if m.Algo != RSA256 {
+		return errors.Errorf(
+			"invalid jwt algorithm: found %s, but supported options are HS256 or RS256", m.Algo)
+	}
+
+	// The jwt library internally uses `bytes.IndexByte(data, '\n')` to fetch new line and fails
+	// if we have newline "\n" as ASCII value {92,110} instead of the actual ASCII value of 10.
+	// To fix this we replace "\n" with new line's ASCII value.
+	bytekey := bytes.ReplaceAll([]byte(key), []byte{92, 110}, []byte{10})
+
+	m.RSAPublicKey, err = jwt.ParseRSAPublicKeyFromPEM(bytekey)
+	return err
+}
+
+func ParseAuthMeta(schema string) error {
+	return metainfo.Parse(schema)
+}
+
+// AttachAuthorizationJwt adds any incoming JWT authorization data into the grpc context metadata.
+func AttachAuthorizationJwt(ctx context.Context, r *http.Request) context.Context {
+	authorizationJwt := r.Header.Get(metainfo.Header)
+	if authorizationJwt == "" {
+		return ctx
+	}
+
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		md = metadata.New(nil)
+	}
+
+	md.Append(string(AuthJwtCtxKey), authorizationJwt)
+	ctx = metadata.NewIncomingContext(ctx, md)
+	return ctx
+}
+
+type CustomClaims struct {
+	AuthVariables map[string]interface{}
+	jwt.StandardClaims
+}
+
+func (c *CustomClaims) UnmarshalJSON(data []byte) error {
+	// Unmarshal the standard claims first.
+	if err := json.Unmarshal(data, &c.StandardClaims); err != nil {
+		return err
+	}
+
+	var result map[string]interface{}
+	if err := json.Unmarshal(data, &result); err != nil {
+		return err
+	}
+
+	// Unmarshal the auth variables for a particular namespace.
+	if authVariables, ok := result[metainfo.Namespace]; ok {
+		c.AuthVariables, _ = authVariables.(map[string]interface{})
+	}
+	return nil
+}
+
+func ExtractAuthVariables(ctx context.Context) (map[string]interface{}, error) {
+	// Extract the jwt and unmarshal the jwt to get the auth variables.
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return nil, nil
+	}
+
+	jwtToken := md.Get(string(AuthJwtCtxKey))
+	if len(jwtToken) == 0 {
+		return nil, nil
+	} else if len(jwtToken) > 1 {
+		return nil, fmt.Errorf("invalid jwt auth token")
+	}
+
+	return validateToken(jwtToken[0])
+}
+
+func validateToken(jwtStr string) (map[string]interface{}, error) {
+	if metainfo.Algo == "" {
+		return nil, fmt.Errorf(
+			"jwt token cannot be validated because verification algorithm is not set")
+	}
+
+	token, err :=
+		jwt.ParseWithClaims(jwtStr, &CustomClaims{}, func(token *jwt.Token) (interface{}, error) {
+			algo, _ := token.Header["alg"].(string)
+			if algo != metainfo.Algo {
+				return nil, errors.Errorf("unexpected signing method: Expected %s Found %s",
+					metainfo.Algo, algo)
+			}
+			if algo == HMAC256 {
+				if _, ok := token.Method.(*jwt.SigningMethodHMAC); ok {
+					return []byte(metainfo.HMACPublicKey), nil
+				}
+			} else if algo == RSA256 {
+				if _, ok := token.Method.(*jwt.SigningMethodRSA); ok {
+					return metainfo.RSAPublicKey, nil
+				}
+			}
+			return nil, errors.Errorf("couldn't parse signing method from token header: %s", algo)
+		})
+
+	if err != nil {
+		return nil, errors.Errorf("unable to parse jwt token:%v", err)
+	}
+
+	claims, ok := token.Claims.(*CustomClaims)
+	if !ok || !token.Valid {
+		return nil, errors.Errorf("claims in jwt token is not map claims")
+	}
+
+	// by default, the MapClaims.Valid will return true if the exp field is not set
+	// here we enforce the checking to make sure that the refresh token has not expired
+	now := time.Now().Unix()
+	if !claims.VerifyExpiresAt(now, true) {
+		return nil, errors.Errorf("Token is expired") // the same error msg that's used inside jwt-go
+	}
+
+	return claims.AuthVariables, nil
+}

graphql/dgraph/execute.go

@@ -57,3 +57,9 @@ func (dg *DgraphEx) Execute(ctx context.Context, req *dgoapi.Request) (*dgoapi.R
 
 	return resp, schema.GQLWrapf(err, "Dgraph execution failed")
 }
+
+// CommitOrAbort is the underlying dgraph implementation for commiting a Dgraph transaction
+func (dg *DgraphEx) CommitOrAbort(ctx context.Context, tc *dgoapi.TxnContext) error {
+	_, err := (&edgraph.Server{}).CommitOrAbort(ctx, tc)
+	return err
+}

graphql/dgraph/graphquery.go

@@ -34,13 +34,13 @@ func AsString(query *gql.GraphQuery) string {
 
 	var b strings.Builder
 	x.Check2(b.WriteString("query {\n"))
-	writeQuery(&b, query, "  ", true)
+	writeQuery(&b, query, "  ")
 	x.Check2(b.WriteString("}"))
 
 	return b.String()
 }
 
-func writeQuery(b *strings.Builder, query *gql.GraphQuery, prefix string, root bool) {
+func writeQuery(b *strings.Builder, query *gql.GraphQuery, prefix string) {
 	if query.Var != "" || query.Alias != "" || query.Attr != "" {
 		x.Check2(b.WriteString(prefix))
 	}
@@ -63,12 +63,16 @@ func writeQuery(b *strings.Builder, query *gql.GraphQuery, prefix string, root b
 		x.Check2(b.WriteRune(')'))
 	}
 
-	if !root && hasOrderOrPage(query) {
+	if query.Func == nil && hasOrderOrPage(query) {
 		x.Check2(b.WriteString(" ("))
 		writeOrderAndPage(b, query, false)
 		x.Check2(b.WriteRune(')'))
 	}
 
+	if query.Cascade {
+		x.Check2(b.WriteString(" @cascade"))
+	}
+
 	switch {
 	case len(query.Children) > 0:
 		prefixAdd := ""
@@ -77,7 +81,7 @@ func writeQuery(b *strings.Builder, query *gql.GraphQuery, prefix string, root b
 			prefixAdd = "  "
 		}
 		for _, c := range query.Children {
-			writeQuery(b, c, prefix+prefixAdd, false)
+			writeQuery(b, c, prefix+prefixAdd)
 		}
 		if query.Attr != "" {
 			x.Check2(b.WriteString(prefix))