From 885ff4705b9f12fde10a50c5805744d4881aa542 Mon Sep 17 00:00:00 2001
From: Lachlan Turner
Date: Fri, 24 Nov 2023 12:29:31 +1030
Subject: [PATCH] BEG-133 - Create module to handle authorisation of introspection queries.
---
.gitignore | 1 +
Model/Config.php | 33 +++++++++++++
.../GraphQlQuery/AuthorisedIntrospection.php | 46 +++++++++++++++++++
README.md | 28 ++++++++++-
composer.json | 19 ++++++++
etc/acl.xml | 19 ++++++++
etc/adminhtml/system.xml | 19 ++++++++
etc/graphql/di.xml | 12 +++++
etc/module.xml | 8 ++++
registration.php | 15 ++++++
10 files changed, 199 insertions(+), 1 deletion(-)
create mode 100644 .gitignore
create mode 100644 Model/Config.php
create mode 100644 Plugin/GraphQlQuery/AuthorisedIntrospection.php
create mode 100644 composer.json
create mode 100644 etc/acl.xml
create mode 100644 etc/adminhtml/system.xml
create mode 100644 etc/graphql/di.xml
create mode 100644 etc/module.xml
create mode 100644 registration.php
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..485dee6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.idea
diff --git a/Model/Config.php b/Model/Config.php
new file mode 100644
index 0000000..bd36923
--- /dev/null
+++ b/Model/Config.php
@@ -0,0 +1,33 @@
+scopeConfig->isSetFlag(self::XML_PATH_INTROSPECTION_AUTH_ENABLED);
+ }
+}
diff --git a/Plugin/GraphQlQuery/AuthorisedIntrospection.php b/Plugin/GraphQlQuery/AuthorisedIntrospection.php
new file mode 100644
index 0000000..6b1148d
--- /dev/null
+++ b/Plugin/GraphQlQuery/AuthorisedIntrospection.php
@@ -0,0 +1,46 @@
+config->getIntrospectionAuthEnabled() || $result) {
+ return $result;
+ }
+
+ if (!$this->authorization->isAllowed([self::ADMIN_RESOURCE])) {
+ return true;
+ }
+ return false;
+ }
+}
diff --git a/README.md b/README.md
index 567291d..98e81f4 100644
--- a/README.md
+++ b/README.md
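Review bot: The flag read by `isSetFlag(self::XML_PATH_INTROSPECTION_AUTH_ENABLED)` at the end of Model/Config.php has no shipped default: the patch's file list contains `etc/adminhtml/system.xml` but no `etc/config.xml`, so on a fresh install the getter presumably returns false and introspection stays open to every caller until an admin turns the setting on. For a control meant to restrict schema disclosure I would either add an `etc/config.xml` that defaults the path to `1`, or say in the README's Configuration section that the module is inactive after installation. The call also passes no scope arguments, so only the default scope is read; confirm that matches the scopes the system.xml field is offered in. Most of this file, including the constant and the constructor, is not visible in the hunk as shown, so this is limited to the getter, which could carry `/** True when introspection queries must pass the ACL check; false when the setting is unset. */`.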
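Review bot: The ACL id behind `isAllowed([self::ADMIN_RESOURCE])` cannot be confirmed from the visible lines, and the README in this same patch documents the permission as `Aligent_Introspection::introspection_allowed` while the module is named `Aligent_IntrospectionAuth`; the constant, the resource id in `etc/acl.xml` and the README should carry one identical string, otherwise the check presumably denies every caller or the documented grant has no effect. The array argument only fits an authoriser whose `isAllowed` accepts a list of resources, and the constructor lies outside the visible part of the hunk, so the injected type is worth confirming. The tail of the method reads more directly as `return !$this->authorization->isAllowed([self::ADMIN_RESOURCE]);` with a comment such as `// true appears to mean "introspection disabled" for this caller`, since the returned boolean is the inverse of "allowed".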
@@ -1 +1,27 @@
-# magento2-introspection-auth
\ No newline at end of file
+# magento2-introspection-auth
+Magento 2 module to handle authorisation of GraphQL introspection queries.
+
+## Functionality
+In Magento 2, GraphQL introspection can be enabled/disabled globally.
+This module adds functionality so that when enabled, introspection queries can only be made by authorised users.
+
+## Installation
+1. Install the package via composer
+```bash
+composer require aligent/magento2-introspection-auth
+```
+2. Enable the module
+```bash
+bin/magento module:enable Aligent_IntrospectionAuth
+```
+3. Run the `setup:upgrade` command
+```bash
+bin/magento setup:upgrade
+```
+
+## Configuration
+The authorisation functionality can be enabled/disabled via `Stores -> Configuration -> Advanced -> System -> Security -> Enable Introspection Authorisation`
+Note that authorisation will only work is GraphQL introspection is enabled. If it is disabled, it will be disabled for all users, regardless of authorisation.
+
+## Permission
+In order to be authorised, users/integrations will need the `Aligent_Introspection::introspection_allowed` permission
diff --git a/composer.json b/composer.json
new file mode 100644
index 0000000..ab2ce53
--- /dev/null
+++ b/composer.json
@@ -0,0 +1,19 @@
+{
+ "name": "aligent/magento2-introspection-auth",
+ "description": "Restricts introspection GraphQL queries to authorised users",
+ "type": "magento2-module",
+ "require": {
+ "magento/framework": "*"
+ },
+ "license": [
+ "GPL-3.0-only"
+ ],
+ "autoload": {
+ "files": [
+ "registration.php"
+ ],
+ "psr-4": {
+ "Aligent\\IntrospectionAuth\\": ""
+ }
+ }
+}
diff --git a/etc/acl.xml b/etc/acl.xml
new file mode 100644
index 0000000..fd1c7a6
--- /dev/null
+++ b/etc/acl.xml
@@ -0,0 +1,19 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/etc/adminhtml/system.xml b/etc/adminhtml/system.xml
new file mode 100644
index 0000000..3b4967c
--- /dev/null
+++ b/etc/adminhtml/system.xml
@@ -0,0 +1,19 @@
+
+
+
+
+
+ + + + When introspection is enabled, only allow authorised users to perform queries. + Magento\Config\Model\Config\Source\Yesno + + +
+
+
diff --git a/etc/graphql/di.xml b/etc/graphql/di.xml
new file mode 100644
index 0000000..a474f7f
--- /dev/null
+++ b/etc/graphql/di.xml
@@ -0,0 +1,12 @@
+
+
+
+
+
+
+
diff --git a/etc/module.xml b/etc/module.xml
new file mode 100644
index 0000000..d283bb7
--- /dev/null
+++ b/etc/module.xml
@@ -0,0 +1,8 @@
+
+
+
+
+
diff --git a/registration.php b/registration.php
new file mode 100644
index 0000000..8d816d8
--- /dev/null
+++ b/registration.php
@@ -0,0 +1,15 @@
+