BEG-133 - Create module to handle authorisation of introspection quer…
…ies.
1 parent
4280a52
commit 885ff47
Showing
10 changed files
with
199 additions
and
1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
.idea |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
<?php | ||
/* | ||
* @author Aligent Consulting Team | ||
* @copyright Copyright (c) 2023 Aligent Consulting. (http://www.aligent.com.au) | ||
*/ | ||
|
||
declare(strict_types=1); | ||
namespace Aligent\IntrospectionAuth\Model; | ||
|
||
use Magento\Framework\App\Config\ScopeConfigInterface; | ||
|
||
class Config | ||
{ | ||
private const XML_PATH_INTROSPECTION_AUTH_ENABLED = 'system/security/introspection_auth'; | ||
|
||
/** | ||
* @param ScopeConfigInterface $scopeConfig | ||
*/ | ||
public function __construct( | ||
private readonly ScopeConfigInterface $scopeConfig | ||
) { | ||
} | ||
|
||
/** | ||
* Indicates if introspection authorisation is enabled or disabled | ||
* | ||
* @return bool | ||
*/ | ||
public function getIntrospectionAuthEnabled(): bool | ||
{ | ||
return $this->scopeConfig->isSetFlag(self::XML_PATH_INTROSPECTION_AUTH_ENABLED); | ||
} | ||
} |
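Review bot: getIntrospectionAuthEnabled() returns false whenever the config path has no stored value, and none of the ten files on this page appears to ship a default for `system/security/introspection_auth`, so the module is inert after installation until an administrator turns the setting on. For a control that restricts schema disclosure, that fail-open default should be either deliberate and documented or replaced by a shipped default. At minimum, extend the docblock with something like `Returns false when the setting has never been saved, in which case introspection is governed by the core setting alone.` The flag is read at default scope, which matches a field shown only in the default scope.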
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
<?php | ||
/* | ||
* @author Aligent Consulting Team | ||
* @copyright Copyright (c) 2023 Aligent Consulting. (http://www.aligent.com.au) | ||
*/ | ||
|
||
declare(strict_types=1); | ||
namespace Aligent\IntrospectionAuth\Plugin\GraphQlQuery; | ||
|
||
use Aligent\IntrospectionAuth\Model\Config; | ||
use Magento\Framework\GraphQl\Query\IntrospectionConfiguration; | ||
use Magento\Framework\Webapi\Authorization; | ||
|
||
class AuthorisedIntrospection | ||
{ | ||
private const ADMIN_RESOURCE = 'Aligent_Introspection::introspection_allowed'; | ||
|
||
/** | ||
* @param Authorization $authorization | ||
* @param Config $config | ||
*/ | ||
public function __construct( | ||
private readonly Authorization $authorization, | ||
private readonly Config $config | ||
) { | ||
} | ||
|
||
/** | ||
* Only allow introspection for authorised users | ||
* | ||
* @param IntrospectionConfiguration $subject | ||
* @param bool $result | ||
* @return bool | ||
*/ | ||
public function afterIsIntrospectionDisabled(IntrospectionConfiguration $subject, bool $result): bool | ||
{ | ||
if (!$this->config->getIntrospectionAuthEnabled() || $result) { | ||
return $result; | ||
} | ||
|
||
if (!$this->authorization->isAllowed([self::ADMIN_RESOURCE])) { | ||
return true; | ||
} | ||
return false; | ||
} | ||
} |
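Review bot: The docblock on afterIsIntrospectionDisabled says only "Only allow introspection for authorised users", which leaves the decision table of this access-control hook undocumented. It should state that the core result is returned unchanged when the feature flag is off or introspection is already disabled, and that otherwise introspection is reported as disabled unless the caller holds the ACL resource. The closing if/return pair can then collapse to `return !$this->authorization->isAllowed([self::ADMIN_RESOURCE]);`, which makes the deny-by-default reading obvious. Since isAllowed() is presumably evaluated against the current request's user context, a test asserting that anonymous and customer-token requests are denied would pin the intended behaviour.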
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,27 @@ | ||
# magento2-introspection-auth | ||
# magento2-introspection-auth | ||
Magento 2 module to handle authorisation of GraphQL introspection queries. | ||
|
||
## Functionality | ||
In Magento 2, GraphQL introspection can be enabled/disabled globally. | ||
This module adds functionality so that when enabled, introspection queries can only be made by authorised users. | ||
|
||
## Installation | ||
1. Install the package via composer | ||
```bash | ||
composer require aligent/magento2-introspection-auth | ||
``` | ||
2. Enable the module | ||
```bash | ||
bin/magento module:enable Aligent_IntrospectionAuth | ||
``` | ||
3. Run the `setup:upgrade` command | ||
```bash | ||
bin/magento setup:upgrade | ||
``` | ||
|
||
## Configuration | ||
The authorisation functionality can be enabled/disabled via `Stores -> Configuration -> Advanced -> System -> Security -> Enable Introspection Authorisation` | ||
Note that authorisation will only work is GraphQL introspection is enabled. If it is disabled, it will be disabled for all users, regardless of authorisation. | ||
|
||
## Permission | ||
In order to be authorised, users/integrations will need the `Aligent_Introspection::introspection_allowed` permission |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
{ | ||
"name": "aligent/magento2-introspection-auth", | ||
"description": "Restricts introspection GraphQL queries to authorised users", | ||
"type": "magento2-module", | ||
"require": { | ||
"magento/framework": "*" | ||
}, | ||
"license": [ | ||
"GPL-3.0-only" | ||
], | ||
"autoload": { | ||
"files": [ | ||
"registration.php" | ||
], | ||
"psr-4": { | ||
"Aligent\\IntrospectionAuth\\": "" | ||
} | ||
} | ||
} |
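Review bot: The `require` block declares no `php` constraint, although the classes in this commit use `private readonly` promoted constructor properties, which need PHP 8.1 or later. On an older runtime Composer would install the package and the failure would only appear as a parse error at load time. Adding `"php": "^8.1"` fixes that. The `"magento/framework": "*"` constraint also accepts any framework release, including ones where the plugged `IntrospectionConfiguration` method may not exist, so a bounded range covering the tested versions would be safer for a security-relevant module.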
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
<?xml version="1.0"?> | ||
<!-- | ||
~ @author Aligent Consulting Team | ||
~ @copyright Copyright (c) 2023 Aligent Consulting. (http://www.aligent.com.au) | ||
--> | ||
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd"> | ||
<acl> | ||
<resources> | ||
<resource id="Magento_Backend::admin"> | ||
<resource id="Magento_Backend::system"> | ||
<resource id="Magento_Backend::system_other_settings"> | ||
<resource id="Aligent_Introspection::introspection_allowed" title="Introspection query permission" sortOrder="10"/> | ||
</resource> | ||
</resource> | ||
</resource> | ||
</resources> | ||
</acl> | ||
</config> |
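Review bot: The resource id `Aligent_Introspection::introspection_allowed` uses a prefix that does not match the module name `Aligent_IntrospectionAuth` registered elsewhere in this commit. It works because the plugin constant and README use the same string, but ACL ids are conventionally prefixed with the owning module, and the mismatch makes the permission harder to trace during a role audit. Consider `Aligent_IntrospectionAuth::introspection_allowed`, changed together in the plugin's `ADMIN_RESOURCE` constant and the README, ideally before any roles or integrations are granted the current id.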
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
<?xml version="1.0"?> | ||
<!-- | ||
~ @author Aligent Consulting Team | ||
~ @copyright Copyright (c) 2023 Aligent Consulting. (http://www.aligent.com.au) | ||
--> | ||
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Config:etc/system_file.xsd"> | ||
<system> | ||
<section id="system"> | ||
<group id="security"> | ||
<field id="introspection_auth" type="select" translate="label comment" showInDefault="1" showInWebsite="0" showInStore="0"> | ||
<label>Enable Introspection Authorisation</label> | ||
<comment>When introspection is enabled, only allow authorised users to perform queries.</comment> | ||
<source_model>Magento\Config\Model\Config\Source\Yesno</source_model> | ||
</field> | ||
</group> | ||
</section> | ||
</system> | ||
</config> |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
<?xml version="1.0"?> | ||
<!-- | ||
~ @author Aligent Consulting Team | ||
~ @copyright Copyright (c) 2023 Aligent Consulting. (http://www.aligent.com.au) | ||
--> | ||
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd"> | ||
<type name="Magento\Framework\GraphQl\Query\IntrospectionConfiguration"> | ||
<plugin name="AuthorisedIntrospection" | ||
type="Aligent\IntrospectionAuth\Plugin\GraphQlQuery\AuthorisedIntrospection"/> | ||
</type> | ||
</config> |
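Review bot: The plugin name `AuthorisedIntrospection` is not vendor-prefixed, and plugin names are merged per target type across all modules. Another module registering a plugin with the same name on `IntrospectionConfiguration` would replace or be replaced by this one without any error, which for an authorisation check means the restriction could silently disappear. A unique name such as `name="aligent_introspection_auth_authorised_introspection"` avoids that. The file path is not shown on this page, so it is unclear whether the declaration is global or scoped to the GraphQL area; scoping it there would keep the interceptor out of unrelated areas.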
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
<?xml version="1.0"?> | ||
<!-- | ||
~ @author Aligent Consulting Team | ||
~ @copyright Copyright (c) 2023 Aligent Consulting. (http://www.aligent.com.au) | ||
--> | ||
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd"> | ||
<module name="Aligent_IntrospectionAuth"/> | ||
</config> |
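Review bot: The `<module>` element declares no `<sequence>`, although this commit nests its ACL resource under `Magento_Backend::system_other_settings` and adds a field to the existing `system/security` config group. Declaring the owning module as a dependency makes the load order explicit, so the ACL node and the admin field are not left orphaned when the module list changes. Presumably that module is `Magento_Backend`, which would give `<sequence><module name="Magento_Backend"/></sequence>`. The matching Composer requirement would need adding as well.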
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
<?php | ||
/* | ||
* @author Aligent Consulting Team | ||
* @copyright Copyright (c) 2023 Aligent Consulting. (http://www.aligent.com.au) | ||
*/ | ||
|
||
declare(strict_types=1); | ||
|
||
use Magento\Framework\Component\ComponentRegistrar; | ||
|
||
ComponentRegistrar::register( | ||
ComponentRegistrar::MODULE, | ||
'Aligent_IntrospectionAuth', | ||
__DIR__ | ||
); |