Block unauthorized requests when 'anon' role is not defined

2019-11-02 17:13:17 -04:00 · 2019-11-02 17:13:17 -04:00 · 77a51924a7
parent 0deb3596c5
commit 77a51924a7
14 changed files with 80 additions and 82 deletions
--- a/config/allow.list
+++ b/config/allow.list
@ -159,7 +159,6 @@ query {
  }
 }

-
 variables {
 	"data": {
 		"email": "gfk@myspace.com",
@ -272,4 +271,20 @@ query {
  }
 }

+query {
+  users {
+    id
+    email
+    picture: avatar
+    password
+    full_name
+    products(limit: 2, where: {price: {gt: 10}}) {
+      id
+      name
+      description
+      price
+    }
+  }
+}
+

--- a/config/dev.yml
+++ b/config/dev.yml
@ -12,8 +12,7 @@ log_level: "debug"
 use_allow_list: false

 # Throw a 401 on auth failure for queries that need auth
-# valid values: always, per_query, never
-auth_fail_block: never
+auth_fail_block: false

 # Latency tracing for database queries and remote joins
 # the resulting latency information is returned with the
--- a/config/prod.yml
+++ b/config/prod.yml
@ -16,8 +16,7 @@ log_level: "info"
 use_allow_list: true

 # Throw a 401 on auth failure for queries that need auth
-# valid values: always, per_query, never
-auth_fail_block: always
+auth_fail_block: true

 # Latency tracing for database queries and remote joins
 # the resulting latency information is returned with the
--- a/psql/mutate_test.go
+++ b/psql/mutate_test.go
@ -2,7 +2,6 @@ package psql

 import (
 	"encoding/json"
-	"fmt"
 	"testing"
 )

@ -261,8 +260,6 @@ func simpleUpdateWithPresets(t *testing.T) {
 		t.Fatal(err)
 	}

-	fmt.Println(string(resSQL))
-
 	if string(resSQL) != sql {
 		t.Fatal(errNotExpected)
 	}
--- a/serv/allow.go
+++ b/serv/allow.go
@ -211,12 +211,12 @@ func (al *allowList) save(item *allowItem) {

 	key := gqlHash(item.gql, item.vars, "")

-	if idx, ok := al.index[key]; ok {
-		al.list[idx] = item
-	} else {
+	if _, ok := al.index[key]; ok {
+		return
+	}
+
 	al.list = append(al.list, item)
 	al.index[key] = len(al.list) - 1
-	}

 	f, err := os.Create(al.filepath)
 	if err != nil {
--- a/serv/auth_rails.go
+++ b/serv/auth_rails.go
@ -121,7 +121,7 @@ func railsCookieHandler(next http.HandlerFunc) http.HandlerFunc {

 	return func(w http.ResponseWriter, r *http.Request) {
 		ck, err := r.Cookie(cookie)
-		if err != nil {
+		if err != nil || len(ck.Value) == 0 {
 			logger.Warn().Err(err).Msg("rails cookie missing")
 			next.ServeHTTP(w, r)
 			return
--- a/serv/cmd.go
+++ b/serv/cmd.go
@ -19,10 +19,6 @@ import (

 const (
 	serverName = "Super Graph"
-
-	authFailBlockAlways = iota + 1
-	authFailBlockPerQuery
-	authFailBlockNever
 )

 var (
@ -32,7 +28,6 @@ var (
 	db       *pgxpool.Pool
 	qcompile *qcode.Compiler
 	pcompile *psql.Compiler
-	authFailBlock int
 )

 func Init() {
@ -179,8 +174,6 @@ func initConf() (*config, error) {
 		return nil, fmt.Errorf("unable to decode config, %v", err)
 	}

-	authFailBlock = getAuthFailBlock(c)
-
 	logLevel, err := zerolog.ParseLevel(c.LogLevel)
 	if err != nil {
 		logger.Error().Err(err).Msg("error setting log_level")
--- a/serv/config.go
+++ b/serv/config.go
@ -24,7 +24,7 @@ type config struct {
 	EnableTracing  bool   `mapstructure:"enable_tracing"`
 	UseAllowList   bool   `mapstructure:"use_allow_list"`
 	WatchAndReload bool   `mapstructure:"reload_on_config_change"`
-	AuthFailBlock  string `mapstructure:"auth_fail_block"`
+	AuthFailBlock  bool   `mapstructure:"auth_fail_block"`
 	SeedFile       string `mapstructure:"seed_file"`
 	MigrationsPath string `mapstructure:"migrations_path"`

@ -103,10 +103,7 @@ type configRemote struct {
 	} `mapstructure:"set_headers"`
 }

-type configRoleTable struct {
-	Name string
-
-	Query struct {
+type configQuery struct {
 	Limit            int
 	Filters          []string
 	Columns          []string
@ -114,25 +111,33 @@ type configRoleTable struct {
 	Block            bool
 }

-	Insert struct {
+type configInsert struct {
 	Filters []string
 	Columns []string
 	Presets map[string]string
 	Block   bool
 }

-	Update struct {
+type configUpdate struct {
 	Filters []string
 	Columns []string
 	Presets map[string]string
 	Block   bool
 }

-	Delete struct {
+type configDelete struct {
 	Filters []string
 	Columns []string
 	Block   bool
 }
+
+type configRoleTable struct {
+	Name string
+
+	Query  configQuery
+	Insert configInsert
+	Update configUpdate
+	Delete configDelete
 }

 type configRole struct {
@ -213,7 +218,7 @@ func (c *config) Init(vi *viper.Viper) error {
 	rolesMap := make(map[string]struct{})

 	for i := range c.Roles {
-		role := &c.Roles[i]
+		role := c.Roles[i]

 		if _, ok := rolesMap[role.Name]; ok {
 			logger.Fatal().Msgf("duplicate role '%s' found", role.Name)
@ -228,7 +233,8 @@ func (c *config) Init(vi *viper.Viper) error {
 	}

 	if _, ok := rolesMap["anon"]; !ok {
-		c.Roles = append(c.Roles, configRole{Name: "anon"})
+		logger.Warn().Msg("unauthenticated requests will be blocked. no role 'anon' defined")
+		c.AuthFailBlock = true
 	}

 	c.validate()
--- a/serv/core.go
+++ b/serv/core.go
@ -208,10 +208,8 @@ func (c *coreContext) resolveSQL() ([]byte, uint32, error) {
 	buf := &bytes.Buffer{}
 	_, err = t.ExecuteFunc(buf, varMap(c))

-	if err == errNoUserID &&
-		authFailBlock == authFailBlockPerQuery &&
-		authCheck(c) == false {
-		return nil, 0, errUnauthorized
+	if err == errNoUserID {
+		logger.Warn().Msg("no user id found. query requires an authenicated request")
 	}

 	if err != nil {
--- a/serv/http.go
+++ b/serv/http.go
@ -70,10 +70,9 @@ type resolver struct {
 func apiv1Http(w http.ResponseWriter, r *http.Request) {
 	ctx := &coreContext{Context: r.Context()}

-	if authFailBlock == authFailBlockAlways && authCheck(ctx) == false {
-		err := "Not authorized"
-		logger.Debug().Msg(err)
-		http.Error(w, err, 401)
+	if conf.AuthFailBlock && authCheck(ctx) == false {
+		w.WriteHeader(http.StatusUnauthorized)
+		json.NewEncoder(w).Encode(gqlResp{Error: errUnauthorized.Error()})
 		return
 	}

--- a/serv/reload.go
+++ b/serv/reload.go
@ -107,6 +107,13 @@ func Do(log func(string, ...interface{}), additional ...dir) error {
 			case event := <-watcher.Events:
 				// Ensure that we use the correct events, as they are not uniform across
 				// platforms. See https://github.com/fsnotify/fsnotify/issues/74
+
+				if conf.UseAllowList == false && strings.HasSuffix(event.Name, "/allow.list") {
+					continue
+				}
+
+				logger.Info().Msgf("Reloading, file changed detected '%s'", event)
+
 				var trigger bool
 				switch runtime.GOOS {
 				case "darwin", "freebsd", "openbsd", "netbsd", "dragonfly":
--- a/serv/serv.go
+++ b/serv/serv.go
@ -204,16 +204,3 @@ func getConfigName() string {

 	return ge
 }
-
-func getAuthFailBlock(c *config) int {
-	switch c.AuthFailBlock {
-	case "always":
-		return authFailBlockAlways
-	case "per_query", "perquery", "query":
-		return authFailBlockPerQuery
-	case "never", "false":
-		return authFailBlockNever
-	}
-
-	return authFailBlockAlways
-}
--- a/tmpl/dev.yml
+++ b/tmpl/dev.yml
@ -12,8 +12,7 @@ log_level: "debug"
 use_allow_list: false

 # Throw a 401 on auth failure for queries that need auth
-# valid values: always, per_query, never
-auth_fail_block: never
+auth_fail_block: false

 # Latency tracing for database queries and remote joins
 # the resulting latency information is returned with the
--- a/tmpl/prod.yml
+++ b/tmpl/prod.yml
@ -16,8 +16,7 @@ log_level: "info"
 use_allow_list: true

 # Throw a 401 on auth failure for queries that need auth
-# valid values: always, per_query, never
-auth_fail_block: always
+auth_fail_block: true

 # Latency tracing for database queries and remote joins
 # the resulting latency information is returned with the