subgraph authorizations.

Author: gmac

lib/graphql/stitching.rb

@@ -58,6 +58,14 @@ def visibility_directive
 
       attr_writer :visibility_directive
 
+      # Name of the directive used to denote member authorizations.
+      # @returns [String] name of the authorization directive.
+      def authorization_directive
+        @authorization_directive ||= "authorization"
+      end
+
+      attr_writer :authorization_directive
+
       MIN_VISIBILITY_VERSION = "2.5.3"
 
       # @returns Boolean true if GraphQL::Schema::Visibility is fully supported

lib/graphql/stitching/composer.rb

@@ -4,13 +4,16 @@
 require_relative "composer/validate_interfaces"
 require_relative "composer/validate_type_resolvers"
 require_relative "composer/type_resolver_config"
+require_relative "composer/authorization"
 
 module GraphQL
   module Stitching
     # Composer receives many individual `GraphQL::Schema` instances 
     # representing various graph locations and merges them into one 
     # combined Supergraph that is validated for integrity.
     class Composer
+      include Authorization
+
       # @api private
       NO_DEFAULT_VALUE = begin
         t = Class.new(GraphQL::Schema::Object) do
@@ -74,6 +77,7 @@ def initialize(
         @resolver_configs = {}
         @mapped_type_names = {}
         @visibility_profiles = Set.new(visibility_profiles)
+        @authorizations_by_type_and_field = {}
         @subgraph_directives_by_name_and_location = nil
         @subgraph_types_by_name_and_location = nil
         @schema_directives = nil
@@ -88,6 +92,7 @@ def perform(locations_input)
 
         directives_to_omit = [
           GraphQL::Stitching.stitch_directive,
+          GraphQL::Stitching.authorization_directive,
           Directives::SupergraphKey.graphql_name,
           Directives::SupergraphResolver.graphql_name,
           Directives::SupergraphSource.graphql_name,
@@ -183,6 +188,7 @@ def perform(locations_input)
         select_root_field_locations(schema)
         expand_abstract_resolvers(schema, schemas)
         apply_supergraph_directives(schema, @resolver_map, @field_map)
+        apply_authorization_directives(schema, @authorizations_by_type_and_field)
 
         if (visibility_def = schema.directives[GraphQL::Stitching.visibility_directive])
           visibility_def.get_argument("profiles").default_value(@visibility_profiles.to_a.sort)
@@ -215,6 +221,10 @@ def prepare_locations_input(locations_input)
           @resolver_configs.merge!(TypeResolverConfig.extract_directive_assignments(schema, location, input[:stitch]))
           @resolver_configs.merge!(TypeResolverConfig.extract_federation_entities(schema, location))
 
+          if schema.directives[GraphQL::Stitching.authorization_directive]
+            SubgraphAuthorization.new(schema).reverse_merge!(@authorizations_by_type_and_field)
+          end
+
           schemas[location.to_s] = schema
           executables[location.to_s] = input[:executable] || schema
         end
@@ -774,6 +784,24 @@ def apply_supergraph_directives(schema, resolvers_by_type_name, locations_by_typ
 
         schema_directives.each_value { |directive_class| schema.directive(directive_class) }
       end
+
+      def apply_authorization_directives(schema, authorizations_by_type_and_field)
+        return if authorizations_by_type_and_field.empty?
+
+        schema.types.each_value do |type|
+          authorizations_by_field = authorizations_by_type_and_field[type.graphql_name]
+          next if authorizations_by_field.nil? || !type.kind.fields?
+
+          type.fields.each_value do |field|
+            scopes = authorizations_by_field[field.graphql_name]
+            next if scopes.nil?
+            
+            field.directive(Directives::Authorization, scopes: scopes)
+          end
+        end
+
+        schema.directive(Directives::Authorization)
+      end
     end
   end
 end

lib/graphql/stitching/composer/authorization.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module GraphQL::Stitching
+  class Composer
+    module Authorization
+      private
+      
+      def merge_authorization_scopes(*scopes)
+        merged_scopes = scopes.reduce([]) do |acc, or_scopes|
+          expanded_scopes = []
+          or_scopes.each do |and_scopes|
+            if acc.any?
+              acc.each do |acc_scopes|
+                expanded_scopes << acc_scopes + and_scopes
+              end
+            else
+              expanded_scopes << and_scopes.dup
+            end
+          end
+
+          expanded_scopes
+        end
+
+        merged_scopes.each { _1.tap(&:sort!).tap(&:uniq!) }
+        merged_scopes.tap(&:uniq!).tap(&:sort!)
+      end
+    end
+
+    class SubgraphAuthorization
+      include Authorization
+
+      EMPTY_SCOPES = [EMPTY_ARRAY].freeze
+
+      def initialize(schema)
+        @schema = schema
+      end
+
+      def reverse_merge!(collector)
+        @schema.types.each_value.with_object(collector) do |type, memo|
+          next if type.introspection? || !type.kind.fields?
+
+          type.fields.each_value do |field|
+            field_scopes = scopes_for_field(type, field)
+            if field_scopes.any?(&:any?)
+              memo[type.graphql_name] ||= {}
+
+              existing = memo[type.graphql_name][field.graphql_name]
+              memo[type.graphql_name][field.graphql_name] = if existing
+                merge_authorization_scopes(existing, field_scopes)
+              else
+                field_scopes
+              end
+            end
+          end
+        end
+      end
+
+      def collect
+        reverse_merge!({})
+      end
+      
+      private
+
+      def scopes_for_field(parent_type, field)
+        parent_type_scopes = scopes_from_directives(parent_type.directives)
+        field_scopes = scopes_from_directives(field.directives)
+        field_scopes = merge_authorization_scopes(parent_type_scopes, field_scopes)
+        
+        return_type = field.type.unwrap
+        if return_type.kind.scalar? || return_type.kind.enum?
+          return_type_scopes = scopes_from_directives(return_type.directives)
+          field_scopes = merge_authorization_scopes(field_scopes, return_type_scopes)
+        end
+
+        each_corresponding_interface_field(parent_type, field.graphql_name) do |interface_type, interface_field|
+          field_scopes = merge_authorization_scopes(field_scopes, scopes_from_directives(interface_type.directives))
+          field_scopes = merge_authorization_scopes(field_scopes, scopes_from_directives(interface_field.directives))
+        end
+
+        field_scopes
+      end
+
+      def each_corresponding_interface_field(parent_type, field_name, &block)
+        parent_type.interfaces.each do |interface_type|
+          interface_field = interface_type.get_field(field_name)
+          next if interface_field.nil?
+
+          yield(interface_type, interface_field)
+          each_corresponding_interface_field(interface_type, field_name, &block)
+        end
+      end
+
+      def scopes_from_directives(directives)
+        authorization = directives.find { _1.graphql_name == GraphQL::Stitching.authorization_directive }
+        return EMPTY_SCOPES if authorization.nil?
+
+        authorization.arguments.keyword_arguments[:scopes] || EMPTY_SCOPES
+      end
+    end
+  end
+end

lib/graphql/stitching/directives.rb

@@ -20,6 +20,12 @@ class Visibility < GraphQL::Schema::Directive
       argument :profiles, [String, null: false], required: true
     end
 
+    class Authorization < GraphQL::Schema::Directive
+      graphql_name "authorization"
+      locations(FIELD_DEFINITION, OBJECT, INTERFACE, ENUM, SCALAR)
+      argument :scopes, [[String, null: false], null: false], required: true
+    end
+
     class SupergraphKey < GraphQL::Schema::Directive
       graphql_name "key"
       locations OBJECT, INTERFACE, UNION

lib/graphql/stitching/executor.rb

@@ -45,6 +45,16 @@ def perform(raw: false)
           result["data"] = raw ? @data : Shaper.new(@request).perform!(@data)
         end
 
+        @request.plan.errors.each do |error|
+          case error.code
+          when "unauthorized"
+            @errors << {
+              "message" => "Unauthorized access",
+              "path" => error.path,
+            }
+          end
+        end
+
         if @errors.length > 0
           result["errors"] = @errors
         end

lib/graphql/stitching/plan.rb

@@ -65,10 +65,25 @@ def ==(other)
         end
       end
 
+      class Error
+        attr_reader :code, :path
+        
+        def initialize(code:, path:)
+          @code = code
+          @path = path
+        end
+
+        def as_json
+          {
+            code: code,
+            path: path,
+          }
+        end
+      end
+
       class << self
         def from_json(json)
-          ops = json["ops"]
-          ops = ops.map do |op|
+          ops = json["ops"].map do |op|
             Op.new(
               step: op["step"],
               after: op["after"],
@@ -81,19 +96,37 @@ def from_json(json)
               resolver: op["resolver"],
             )
           end
-          new(ops: ops)
+
+          errors = json["errors"]&.map do |err|
+            Error.new(
+              code: err["code"],
+              path: err["path"],
+            )
+          end
+
+          new(
+            ops: ops,
+            claims: json["claims"] || EMPTY_ARRAY, 
+            errors: errors || EMPTY_ARRAY,
+          )
         end
       end
 
-      attr_reader :ops
+      attr_reader :ops, :claims, :errors
 
-      def initialize(ops: [])
+      def initialize(ops: EMPTY_ARRAY, claims: nil, errors: nil)
         @ops = ops
+        @claims = claims || EMPTY_ARRAY
+        @errors = errors || EMPTY_ARRAY
       end
 
       def as_json
-        { ops: @ops.map(&:as_json) }
+        {
+          ops: @ops.map(&:as_json),
+          claims: @claims,
+          errors: @errors.map(&:as_json),
+        }.tap(&:compact!)
       end
     end
   end
-end
+end

lib/graphql/stitching/planner.rb

@@ -24,12 +24,17 @@ def initialize(request)
         @supergraph = request.supergraph
         @planning_index = ROOT_INDEX
         @steps_by_entrypoint = {}
+        @errors = nil
       end
 
       def perform
         build_root_entrypoints
         expand_abstract_resolvers
-        Plan.new(ops: steps.map!(&:to_plan_op))
+        Plan.new(
+          ops: steps.map!(&:to_plan_op),
+          claims: @request.claims&.to_a || EMPTY_ARRAY,
+          errors: @errors || EMPTY_ARRAY,
+        )
       end
 
       def steps
@@ -115,6 +120,14 @@ def add_step(
         end
       end
 
+      def add_unauthorized(path)
+        @errors ||= []
+        @errors << Plan::Error.new(
+          code: "unauthorized",
+          path: path,
+        )
+      end
+
       # A) Group all root selections by their preferred entrypoint locations.
       def build_root_entrypoints
         parent_type = @request.query.root_type_for_operation(@request.operation.operation_type)
@@ -185,7 +198,11 @@ def each_field_in_scope(parent_type, input_selections, &block)
         input_selections.each do |node|
           case node
           when GraphQL::Language::Nodes::Field
-            yield(node)
+            if @request.authorized?(parent_type.graphql_name, node.name)
+              yield(node)
+            else
+              add_unauthorized([node.alias || node.name])
+            end
 
           when GraphQL::Language::Nodes::InlineFragment
             next unless node.type.nil? || parent_type.graphql_name == node.type.name
@@ -228,6 +245,10 @@ def extract_locale_selections(
             elsif node.name == TYPENAME
               locale_selections << node
               next
+            elsif !@request.authorized?(parent_type.graphql_name, node.name)
+              requires_typename = true
+              add_unauthorized([*path, node.alias || node.name])
+              next
             end
 
             possible_locations = @supergraph.locations_by_type_and_field[parent_type.graphql_name][node.name] || SUPERGRAPH_LOCATIONS

lib/graphql/stitching/request.rb

@@ -20,14 +20,18 @@ class Request
       # @return [Hash] contextual object passed through resolver flows.
       attr_reader :context
 
+      # @return [Array[String]] authorization claims provided for the request.
+      attr_reader :claims
+
       # Creates a new supergraph request.
       # @param supergraph [Supergraph] supergraph instance that resolves the request.
       # @param source [String, GraphQL::Language::Nodes::Document] the request string or parsed AST.
       # @param operation_name [String, nil] operation name selected for the request.
       # @param variables [Hash, nil] input variables for the request.
       # @param context [Hash, nil] a contextual object passed through resolver flows.
-      def initialize(supergraph, source, operation_name: nil, variables: nil, context: nil)
+      def initialize(supergraph, source, operation_name: nil, variables: nil, context: nil, claims: nil)
         @supergraph = supergraph
+        @claims = claims&.to_set&.freeze
         @prepared_document = nil
         @string = nil
         @digest = nil
@@ -122,6 +126,17 @@ def subscription?
         @query.subscription?
       end
 
+      # @return [Boolean] true if authorized to access field on type
+      def authorized?(type_name, field_name)
+        or_scopes = @supergraph.authorizations_by_type_and_field.dig(type_name, field_name)
+        return true unless or_scopes&.any?
+        return false unless @claims&.any?
+
+        or_scopes.any? do |and_scopes|
+          and_scopes.all? { |scope| @claims.include?(scope) }
+        end
+      end
+
       # @return [Hash<String, Any>] provided variables hash filled in with default values from definitions
       def variables
         @variables || with_prepared_document { @variables }