BEG-133 - Create module to handle authorisation of introspection quer…
…ies.
aligent-lturner committed Nov 24, 2023
1 parent 4280a52 commit 885ff47
Showing 10 changed files with 199 additions and 1 deletion.
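--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.idea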
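--- a/Model/Config.php
+++ b/Model/Config.php
@@ -0,0 +1,33 @@
+<?php
+/*
+* @author Aligent Consulting Team
+* @copyright Copyright (c) 2023 Aligent Consulting. (http://www.aligent.com.au)
+*/
+
+declare(strict_types=1);
+namespace Aligent\IntrospectionAuth\Model;
+
+use Magento\Framework\App\Config\ScopeConfigInterface;
+
+class Config
+{
+private const XML_PATH_INTROSPECTION_AUTH_ENABLED = 'system/security/introspection_auth';
+
+/**
+* @param ScopeConfigInterface $scopeConfig
+*/
+public function __construct(
+private readonly ScopeConfigInterface $scopeConfig
+) {
+}
+
+/**
+* Indicates if introspection authorisation is enabled or disabled
+*
+* @return bool
+*/
+public function getIntrospectionAuthEnabled(): bool
+{
+return $this->scopeConfig->isSetFlag(self::XML_PATH_INTROSPECTION_AUTH_ENABLED);
+}
+}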
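Review bot: `getIntrospectionAuthEnabled()` reads `system/security/introspection_auth` with `isSetFlag`, and none of the ten files in this commit is an `etc/config.xml` supplying a default, so on a fresh install the flag is presumably false and the plugin passes the core result through unchanged. A module whose purpose is to restrict introspection is then inactive until someone saves the setting. Either ship a default of `1`, or state the behaviour in the docblock, e.g. `* Returns false until the setting has been saved; the module ships no default value.`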
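--- a/Plugin/GraphQlQuery/AuthorisedIntrospection.php
+++ b/Plugin/GraphQlQuery/AuthorisedIntrospection.php
@@ -0,0 +1,46 @@
+<?php
+/*
+* @author Aligent Consulting Team
+* @copyright Copyright (c) 2023 Aligent Consulting. (http://www.aligent.com.au)
+*/
+
+declare(strict_types=1);
+namespace Aligent\IntrospectionAuth\Plugin\GraphQlQuery;
+
+use Aligent\IntrospectionAuth\Model\Config;
+use Magento\Framework\GraphQl\Query\IntrospectionConfiguration;
+use Magento\Framework\Webapi\Authorization;
+
+class AuthorisedIntrospection
+{
+private const ADMIN_RESOURCE = 'Aligent_Introspection::introspection_allowed';
+
+/**
+* @param Authorization $authorization
+* @param Config $config
+*/
+public function __construct(
+private readonly Authorization $authorization,
+private readonly Config $config
+) {
+}
+
+/**
+* Only allow introspection for authorised users
+*
+* @param IntrospectionConfiguration $subject
+* @param bool $result
+* @return bool
+*/
+public function afterIsIntrospectionDisabled(IntrospectionConfiguration $subject, bool $result): bool
+{
+if (!$this->config->getIntrospectionAuthEnabled() || $result) {
+return $result;
+}
+
+if (!$this->authorization->isAllowed([self::ADMIN_RESOURCE])) {
+return true;
+}
+return false;
+}
+}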
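Review bot: The decision in `afterIsIntrospectionDisabled` rests entirely on `$this->authorization->isAllowed([self::ADMIN_RESOURCE])`, and nothing in this commit shows which authorisation policy and role locator are bound in the `graphql` area, where `etc/graphql/di.xml` registers the plugin. If that area falls back to a permissive default policy, the check would presumably pass for every caller and the setting would give no protection; I could not confirm either way from the visible files. The commit adds no test, so please add one that sends an introspection query with no token, and another with a token lacking `Aligent_Introspection::introspection_allowed`, and expects both to be refused. Separately, the last four lines of the method reduce to `return !$this->authorization->isAllowed([self::ADMIN_RESOURCE]);`.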
28 changes: 27 additions & 1 deletion README.md
@@ -1 +1,27 @@
# magento2-introspection-auth
# magento2-introspection-auth
Magento 2 module to handle authorisation of GraphQL introspection queries.

## Functionality
In Magento 2, GraphQL introspection can be enabled/disabled globally.
This module adds functionality so that when enabled, introspection queries can only be made by authorised users.

## Installation
1. Install the package via composer
```bash
composer require aligent/magento2-introspection-auth
```
2. Enable the module
```bash
bin/magento module:enable Aligent_IntrospectionAuth
```
3. Run the `setup:upgrade` command
```bash
bin/magento setup:upgrade
```

## Configuration
The authorisation functionality can be enabled/disabled via `Stores -> Configuration -> Advanced -> System -> Security -> Enable Introspection Authorisation`
Note that authorisation will only work is GraphQL introspection is enabled. If it is disabled, it will be disabled for all users, regardless of authorisation.

## Permission
In order to be authorised, users/integrations will need the `Aligent_Introspection::introspection_allowed` permission
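--- a/composer.json
+++ b/composer.json
@@ -0,0 +1,19 @@
+{
+"name": "aligent/magento2-introspection-auth",
+"description": "Restricts introspection GraphQL queries to authorised users",
+"type": "magento2-module",
+"require": {
+"magento/framework": "*"
+},
+"license": [
+"GPL-3.0-only"
+],
+"autoload": {
+"files": [
+"registration.php"
+],
+"psr-4": {
+"Aligent\\IntrospectionAuth\\": ""
+}
+}
+}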
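Review bot: The `require` block has no `php` entry, yet both PHP classes in this commit use `private readonly` promoted constructor properties, which need PHP 8.1 or later; on an older runtime the package installs and then fails to parse. `"magento/framework": "*"` likewise accepts any framework release, including ones where the intercepted `isIntrospectionDisabled` method may not exist, in which case the plugin would presumably never run and introspection would stay unrestricted without any error. Suggest adding `"php": ">=8.1"` and replacing `*` with the range the module was actually tested against. `etc/adminhtml/system.xml` also references `Magento\Config\Model\Config\Source\Yesno`, so `magento/module-config` probably belongs in `require` as well.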
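--- a/etc/acl.xml
+++ b/etc/acl.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0"?>
+<!--
+~ @author Aligent Consulting Team
+~ @copyright Copyright (c) 2023 Aligent Consulting. (http://www.aligent.com.au)
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
+<acl>
+<resources>
+<resource id="Magento_Backend::admin">
+<resource id="Magento_Backend::system">
+<resource id="Magento_Backend::system_other_settings">
+<resource id="Aligent_Introspection::introspection_allowed" title="Introspection query permission" sortOrder="10"/>
+</resource>
+</resource>
+</resource>
+</resources>
+</acl>
+</config>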
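Review bot: The resource id `Aligent_Introspection::introspection_allowed` uses a prefix that does not match the module name `Aligent_IntrospectionAuth` declared in `etc/module.xml` and `registration.php`. The check still lines up because `AuthorisedIntrospection::ADMIN_RESOURCE` and the README use the same string, but ACL ids conventionally carry the owning module's name, and renaming one after roles and integrations have been granted it would presumably orphan those grants. If the shorter prefix is not deliberate, change it now in all three places to `Aligent_IntrospectionAuth::introspection_allowed`.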
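--- a/etc/adminhtml/system.xml
+++ b/etc/adminhtml/system.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0"?>
+<!--
+~ @author Aligent Consulting Team
+~ @copyright Copyright (c) 2023 Aligent Consulting. (http://www.aligent.com.au)
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Config:etc/system_file.xsd">
+<system>
+<section id="system">
+<group id="security">
+<field id="introspection_auth" type="select" translate="label comment" showInDefault="1" showInWebsite="0" showInStore="0">
+<label>Enable Introspection Authorisation</label>
+<comment>When introspection is enabled, only allow authorised users to perform queries.</comment>
+<source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
+</field>
+</group>
+</section>
+</system>
+</config>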
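--- a/etc/graphql/di.xml
+++ b/etc/graphql/di.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<!--
+~ @author Aligent Consulting Team
+~ @copyright Copyright (c) 2023 Aligent Consulting. (http://www.aligent.com.au)
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
+<type name="Magento\Framework\GraphQl\Query\IntrospectionConfiguration">
+<plugin name="AuthorisedIntrospection"
+type="Aligent\IntrospectionAuth\Plugin\GraphQlQuery\AuthorisedIntrospection"/>
+</type>
+</config>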
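--- a/etc/module.xml
+++ b/etc/module.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<!--
+~ @author Aligent Consulting Team
+~ @copyright Copyright (c) 2023 Aligent Consulting. (http://www.aligent.com.au)
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd">
+<module name="Aligent_IntrospectionAuth"/>
+</config>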
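--- a/registration.php
+++ b/registration.php
@@ -0,0 +1,15 @@
+<?php
+/*
+* @author Aligent Consulting Team
+* @copyright Copyright (c) 2023 Aligent Consulting. (http://www.aligent.com.au)
+*/
+
+declare(strict_types=1);
+
+use Magento\Framework\Component\ComponentRegistrar;
+
+ComponentRegistrar::register(
+ComponentRegistrar::MODULE,
+'Aligent_IntrospectionAuth',
+__DIR__
+);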
