From 1f35dbda4c55175acc14dccf79756f11cebef67d Mon Sep 17 00:00:00 2001 From: lukmzig Date: Tue, 28 Mar 2023 08:33:32 +0200 Subject: [PATCH 1/4] feat: add introspection settings to the symfony config tree --- .../01_Configuration/03_Security_Settings.md | 9 +++ .../02_Upgrade_Notes.md | 1 + src/Controller/WebserviceController.php | 7 ++- src/DependencyInjection/Configuration.php | 1 + src/EventListener/AdminListener.php | 12 ++++ src/Resources/config/eventlistener.yml | 2 + .../js/configuration/graphql/configItem.js | 62 ++++++++++--------- 7 files changed, 65 insertions(+), 29 deletions(-) diff --git a/doc/10_GraphQL/01_Configuration/03_Security_Settings.md b/doc/10_GraphQL/01_Configuration/03_Security_Settings.md index 3cff7c83..60f673e6 100644 --- a/doc/10_GraphQL/01_Configuration/03_Security_Settings.md +++ b/doc/10_GraphQL/01_Configuration/03_Security_Settings.md @@ -9,6 +9,15 @@ Defines how users are authenticated when accessing the endpoint. * API Key: needs to be sent with every request. * ... more to come +## Introspection settings + +Introspection provides an information about queries which are supported by GraphQl schema. This is currently enabled by default. It can be disabled via security settings or in the symfony configuration tree: +``` +pimcore_data_hub: + graphql: + allow_introspection: false +``` + ## Workspace Settings Defines workspaces for data that should be accessible via the endpoint. diff --git a/doc/Installation_and_Upgrade/02_Upgrade_Notes.md b/doc/Installation_and_Upgrade/02_Upgrade_Notes.md index e4094394..88f53c9e 100644 --- a/doc/Installation_and_Upgrade/02_Upgrade_Notes.md +++ b/doc/Installation_and_Upgrade/02_Upgrade_Notes.md 
@@ -5,6 +5,7 @@ to the settings store, use the provided `datahub:configuration:migrate-legacy-config` command. - Added the ability to import and export each type of data-hub configuration. Be sure to include the `supported_types` configuration in any custom implementation to use the import functionality! +- Added possibility to disable the introspection for GraphQL via configuration tree. ## 1.5.0 - When "Skip Permission Check" is active in a GraphQL configuration, the "Workspaces" settings are also skipped diff --git a/src/Controller/WebserviceController.php b/src/Controller/WebserviceController.php index 1715e2cd..c50742fe 100644 --- a/src/Controller/WebserviceController.php +++ b/src/Controller/WebserviceController.php @@ -191,7 +191,12 @@ public function webonyxAction( $variableValues = $event->getRequest()->get('variables', $variableValues); } - $disableIntrospection = $configuration->getSecurityConfig()['disableIntrospection'] ?? false; + $configAllowIntrospection = true; + if (isset($this->config['graphql']) && isset($this->config['graphql']['allow_introspection'])) { + $configAllowIntrospection = $this->config['graphql']['allow_introspection']; + } + + $disableIntrospection = (!$configAllowIntrospection || $configuration->getSecurityConfig()['disableIntrospection']) ?? false; if ($disableIntrospection === true) { DocumentValidator::addRule(new DisableIntrospection()); } diff --git a/src/DependencyInjection/Configuration.php b/src/DependencyInjection/Configuration.php index 3b59eba3..f9e41d23 100644 --- a/src/DependencyInjection/Configuration.php +++ b/src/DependencyInjection/Configuration.php 
@@ -38,6 +38,7 @@ public function getConfigTreeBuilder() ->scalarNode('not_allowed_policy')->info('throw exception = 1, return null = 2')->defaultValue(2)->end() ->booleanNode('output_cache_enabled')->info('enables output cache for graphql responses. It is disabled by default')->defaultValue(false)->end() ->integerNode('output_cache_lifetime')->info('output cache in seconds. Default is 30 seconds')->defaultValue(30)->end() + ->booleanNode('allow_introspection')->info('enables introspection for graphql. It is enabled by default')->defaultValue(true)->end() ->end() ->end() ->end() diff --git a/src/EventListener/AdminListener.php b/src/EventListener/AdminListener.php index 44edd5e6..95cee704 100644 --- a/src/EventListener/AdminListener.php +++ b/src/EventListener/AdminListener.php @@ -19,6 +19,13 @@ class AdminListener { + private array $config; + + public function __construct(array $config) + { + $this->config = $config; + } + /** * Handles INDEX_ACTION_SETTINGS event and adds custom admin UI settings * @@ -27,5 +34,10 @@ class AdminListener public function addIndexSettings(IndexActionSettingsEvent $event) { $event->addSetting('data-hub-writeable', (new \Pimcore\Bundle\DataHubBundle\Configuration(null, null))->isWriteable()); + $allowIntrospection = true; + if (isset($this->config['graphql']) && isset($this->config['graphql']['allow_introspection'])) { + $allowIntrospection = $this->config['graphql']['allow_introspection']; + } + $event->addSetting('allow_introspection', $allowIntrospection); } } diff --git a/src/Resources/config/eventlistener.yml b/src/Resources/config/eventlistener.yml index 6442fdb9..47937ece 100644 --- a/src/Resources/config/eventlistener.yml +++ b/src/Resources/config/eventlistener.yml 
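Review bot: The `info()` text on the new `allow_introspection` node only says it is enabled by default; it does not tell an operator that `false` overrides the per-endpoint "disableIntrospection" security setting for every GraphQL configuration, which is how WebserviceController uses it in this patch series. Suggest `->info('allows GraphQL introspection (__schema/__type) queries. Enabled by default; set to false to block introspection on every endpoint regardless of the per-configuration security setting')`. Because introspection hands the full schema to anyone who can reach the endpoint, it is also worth stating there that production deployments typically set it to false.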
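Review bot: `addIndexSettings` re-implements the `isset`-then-fallback-to-`true` lookup of `graphql.allow_introspection` that WebserviceController performs in the same series, so the admin UI and the endpoint can silently disagree once one copy is edited. Read it in one place instead: a YAML `bind` cannot express a nested key, so either have the bundle extension expose a dedicated boolean parameter and bind that, or add a small accessor on the bundle's Configuration class, and let both callers use it. Note that the fallback fails open (missing key means "introspection allowed"); the node's `defaultValue(true)` in Configuration.php should make the key always present if `%pimcore_data_hub%` is the processed config tree (not visible here), in which case the `isset` guard only masks a wiring mistake.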
@@ -10,5 +10,7 @@ services: - { name: kernel.event_subscriber } Pimcore\Bundle\DataHubBundle\EventListener\AdminListener: + bind: + $config: '%pimcore_data_hub%' tags: - { name: kernel.event_listener, event: pimcore.admin.indexAction.settings, method: addIndexSettings } \ No newline at end of file diff --git a/src/Resources/public/js/configuration/graphql/configItem.js b/src/Resources/public/js/configuration/graphql/configItem.js index f9759d53..bee7fa77 100644 --- a/src/Resources/public/js/configuration/graphql/configItem.js +++ b/src/Resources/public/js/configuration/graphql/configItem.js @@ -227,13 +227,6 @@ pimcore.plugin.datahub.configuration.graphql.configItem = Class.create(pimcore.e value: this.data.security ? this.data.security.skipPermissionCheck : "" }); - var disableIntrospection = new Ext.form.Checkbox({ - fieldLabel: t('plugin_pimcore_datahub_disable_introspection'), - labelWidth: 200, - name: "disableIntrospection", - value: this.data.security ? this.data.security.disableIntrospection : "" - }); - this.securityForm = new Ext.form.FormPanel({ bodyStyle: "padding:10px;", autoScroll: true, 
@@ -281,30 +274,43 @@ pimcore.plugin.datahub.configuration.graphql.configItem = Class.create(pimcore.e readOnly: true, disabled: true }, - skipPermissionCheck, - disableIntrospection, - { - xtype: 'displayfield', - hideLabel: true, - value: t("plugin_pimcore_datahub_security_introspection_description"), - cls: "pimcore_extra_label_bottom", - style: "padding-bottom: 0px", - readOnly: true, - disabled: true - }, - { - xtype: 'fieldset', - width: 800, - title: t("workspaces"), - items: [ - this.documentWorkspace.getPanel(), - this.assetWorkspace.getPanel(), - this.objectWorkspace.getPanel() - ] - } + skipPermissionCheck ] }); + if (pimcore.settings.allow_introspection) { + let disableIntrospection = new Ext.form.Checkbox({ + fieldLabel: t('plugin_pimcore_datahub_disable_introspection'), + labelWidth: 200, + name: "disableIntrospection", + value: this.data.security ? this.data.security.disableIntrospection : "" + }); + let introspectionDescription = { + xtype: 'displayfield', + hideLabel: true, + value: t("plugin_pimcore_datahub_security_introspection_description"), + cls: "pimcore_extra_label_bottom", + style: "padding-bottom: 0px", + readOnly: true, + disabled: true + }; + + this.securityForm.add(disableIntrospection, introspectionDescription); + } + + let workspaces = { + xtype: 'fieldset', + width: 800, + title: t("workspaces"), + items: [ + this.documentWorkspace.getPanel(), + this.assetWorkspace.getPanel(), + this.objectWorkspace.getPanel() + ] + }; + + this.securityForm.add(workspaces); + return this.securityForm; }, From 7755c7b7dc958ec6ba94b29c49afc068dd27ff39 Mon Sep 17 00:00:00 2001 From: lukmzig Date: Tue, 28 Mar 2023 08:45:42 +0200 Subject: [PATCH 2/4] fix: controller conditions --- src/Controller/WebserviceController.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Controller/WebserviceController.php b/src/Controller/WebserviceController.php index c50742fe..3b33b8c2 100644 --- a/src/Controller/WebserviceController.php 
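Review bot: When `pimcore.settings.allow_introspection` is false the checkbox and its description are simply omitted, so the security tab gives an admin no indication that introspection is blocked globally, and the stored per-endpoint `disableIntrospection` value is no longer part of the submitted form (whether the backend then drops it on save depends on code outside this hunk). Consider an `else` branch that adds a read-only note instead of nothing, e.g. `} else { this.securityForm.add({ xtype: 'displayfield', hideLabel: true, cls: "pimcore_extra_label_bottom", value: t("plugin_pimcore_datahub_introspection_globally_disabled") }); }`, with the new translation key added alongside the existing ones. Minor style point: the new code uses `let` while the neighbouring `skipPermissionCheck` above the hunk is declared with `var`; pick one within the method.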
+++ b/src/Controller/WebserviceController.php @@ -192,11 +192,11 @@ public function webonyxAction( } $configAllowIntrospection = true; - if (isset($this->config['graphql']) && isset($this->config['graphql']['allow_introspection'])) { - $configAllowIntrospection = $this->config['graphql']['allow_introspection']; + if (isset($config['graphql']) && isset($config['graphql']['allow_introspection'])) { + $configAllowIntrospection = $config['graphql']['allow_introspection']; } - $disableIntrospection = (!$configAllowIntrospection || $configuration->getSecurityConfig()['disableIntrospection']) ?? false; + $disableIntrospection = !$configAllowIntrospection || (isset($configuration->getSecurityConfig()['disableIntrospection']) && $configuration->getSecurityConfig()['disableIntrospection']); if ($disableIntrospection === true) { DocumentValidator::addRule(new DisableIntrospection()); } From 62568652c63b23a84828685b89cd292b71c636ef Mon Sep 17 00:00:00 2001 From: lukmzig Date: Tue, 28 Mar 2023 08:57:05 +0200 Subject: [PATCH 3/4] fix: PHP stan --- src/GraphQL/Query/Operator/Thumbnail.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/GraphQL/Query/Operator/Thumbnail.php b/src/GraphQL/Query/Operator/Thumbnail.php index 08a26f93..8a5d9d0e 100644 --- a/src/GraphQL/Query/Operator/Thumbnail.php +++ b/src/GraphQL/Query/Operator/Thumbnail.php @@ -64,7 +64,7 @@ public function getLabeledValue($element, ResolveInfo $resolveInfo = null) if ($childResult->value instanceof Asset\Image || $childResult->value instanceof Asset\Video) { $childValue = $result->value = $childResult->value; $thumbnail = $childValue->getThumbnail($this->thumbnailConfig, false); - $result->value = $thumbnail->getPath(false); + $result->value = $thumbnail->getPath(['deferredAllowed' => false]); } } From 96c19c47becee3edb617f3f7a0fdcac6355bbd10 Mon Sep 17 00:00:00 2001 
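Review bot: The `isset(...) && ...` pair on the `$disableIntrospection` line calls `getSecurityConfig()` twice and reads like a null guard when it is really a truthiness test; `$securityConfig = $configuration->getSecurityConfig();` followed by `$disableIntrospection = !$configAllowIntrospection || !empty($securityConfig['disableIntrospection']);` is equivalent and states the intent. The `isset($config['graphql'])` fallback above it fails open to "introspection allowed" whenever the key is missing; if `$config` is the processed bundle config (webonyxAction's signature is outside the hunk, so where `$config` comes from is not visible), the node's `defaultValue(true)` already guarantees the key and the fallback only hides a wiring error, and it duplicates the same lookup in AdminListener — a single shared accessor would keep the UI and the endpoint from disagreeing. A short comment on the precedence, `// the global allow_introspection switch wins; the per-endpoint checkbox can only further restrict`, would help the next reader.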
From: lukmzig Date: Fri, 5 May 2023 11:15:53 +0200 Subject: [PATCH 4/4] update disableIntrospection value type --- src/Controller/WebserviceController.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Controller/WebserviceController.php b/src/Controller/WebserviceController.php index f1a11887..b4cf1094 100644 --- a/src/Controller/WebserviceController.php +++ b/src/Controller/WebserviceController.php @@ -198,7 +198,7 @@ public function webonyxAction( $disableIntrospection = !$configAllowIntrospection || (isset($configuration->getSecurityConfig()['disableIntrospection']) && $configuration->getSecurityConfig()['disableIntrospection']); - DocumentValidator::addRule(new DisableIntrospection($disableIntrospection)); + DocumentValidator::addRule(new DisableIntrospection((int)$disableIntrospection)); $result = GraphQL::executeQuery( $event->getSchema(),
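Review bot: `(int)$disableIntrospection` silently relies on webonyx's `DisableIntrospection::ENABLED` being `1` and `DISABLED` being `0`; spelling the mapping out as `new DisableIntrospection($disableIntrospection ? DisableIntrospection::ENABLED : DisableIntrospection::DISABLED)` keeps the security intent readable and does not break if the library's constant values ever change. Registering the rule unconditionally is the right call: as far as I recall `DocumentValidator::addRule` keeps rules in a static registry keyed by rule name (confirm for the pinned graphql-php version), so under a long-running worker a rule left behind by a previous request or configuration is overwritten rather than inherited, which a guarded `if ($disableIntrospection) { addRule(...) }` would not guarantee. A one-line comment, `// always (re)register so a stale rule from an earlier request cannot leak into this one`, would stop a future cleanup from re-adding the guard; webonyxAction continues outside the hunk.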