Provide permissions for each server separately. (drupal-graphql#840)

Author: fubhy

graphql.permissions.yml

@@ -1,19 +1,12 @@
-'execute graphql requests':
-  title: 'Execute arbitrary GraphQL requests'
-  description: 'Allows users to execute arbitrary GraphQL requests.'
-
-'execute persisted graphql requests':
-  title: 'Execute persisted GraphQL requests'
-  description: 'Allows users to execute persisted GraphQL requests.'
-
-'use graphql explorer':
-  title: 'Use GraphiQL'
-  description: 'Allows users to use the GraphiQL interface.'
-
-'use graphql voyager':
-  title: 'Use GraphQL Voyager'
-  description: 'Allows users to use the GraphQL Voyager interface.'
-
-'administer graphql configuration':
+administer graphql configuration:
   title: 'Administer configuration'
   description: 'Allows users to create, edit and delete server configurations.'
+  restrict access: true
+
+bypass graphql access:
+  title: 'Bypass graphql access restrictions'
+  description: 'Use any graphql server regardless of permission restrictions.'
+  restrict access: true
+
+permission_callbacks:
+  - graphql.permission_provider::permissions

graphql.routing.yml

@@ -34,11 +34,11 @@ graphql.explorer:
     _controller: '\Drupal\graphql\Controller\ExplorerController::viewExplorer'
     _title: 'Explorer'
   requirements:
-    _permission: 'use graphql explorer'
+    _graphql_explorer_access: graphql_server:{graphql_server}
   options:
     _admin_route: TRUE
     parameters:
-      graphql_server:
+      server:
         type: entity:graphql_server
 
 graphql.voyager:
@@ -47,7 +47,7 @@ graphql.voyager:
     _controller: '\Drupal\graphql\Controller\VoyagerController::viewVoyager'
     _title: 'Voyager'
   requirements:
-    _permission: 'use graphql voyager'
+    _graphql_voyager_access: graphql_server:{graphql_server}
   options:
     _admin_route: TRUE
     parameters:
@@ -65,4 +65,4 @@ entity.graphql_server.delete_form:
     _admin_route: TRUE
 
 route_callbacks:
-  - 'graphql.route_provider::routes'
+  - graphql.route_provider::routes

graphql.services.yml

@@ -18,6 +18,14 @@ services:
     arguments: ['@request_stack']
     tags:
       - { name: access_check, applies_to: _graphql_query_access }
+  access_check.graphql.explorer:
+    class: Drupal\graphql\Access\ExplorerAccessCheck
+    tags:
+      - { name: access_check, applies_to: _graphql_explorer_access }
+  access_check.graphql.voyager:
+    class: Drupal\graphql\Access\VoyagerAccessCheck
+    tags:
+      - { name: access_check, applies_to: _graphql_voyager_access }
 
   # Logger channel for graphql related logging.
   logger.channel.graphql:
@@ -69,8 +77,13 @@ services:
 
   # Handles the dynamic creation of routes (see graphql.routing.yml).
   graphql.route_provider:
-    class: Drupal\graphql\Routing\QueryRouteProvider
-    arguments: ['@authentication_collector']
+    class: Drupal\graphql\RouteProvider
+    arguments: ['@entity_type.manager', '@authentication_collector']
+
+  # Handles the dynamic creation of routes (see graphql.permissions.yml).
+  graphql.permission_provider:
+    class: Drupal\graphql\PermissionProvider
+    arguments: ['@entity_type.manager']
 
   # Schema introspection service.
   graphql.introspection:

src/Access/ExplorerAccessCheck.php

@@ -0,0 +1,35 @@
+<?php
+
+namespace Drupal\graphql\Access;
+
+use Drupal\Core\Access\AccessResult;
+use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Session\AccountInterface;
+use Drupal\graphql\Entity\ServerInterface;
+
+class ExplorerAccessCheck implements AccessInterface {
+
+  /**
+   * Checks access.
+   *
+   * @param \Drupal\Core\Session\AccountInterface $account
+   *   The currently logged in account.
+   * @param \Drupal\graphql\Entity\ServerInterface $graphql_server
+   *   The server instance.
+   *
+   * @return \Drupal\Core\Access\AccessResultInterface
+   *   The access result.
+   */
+  public function access(AccountInterface $account, ServerInterface $graphql_server) {
+    if ($account->hasPermission('bypass graphql access')) {
+      return AccessResult::allowed();
+    }
+
+    $id = $graphql_server->id();
+    return AccessResult::allowedIfHasPermissions($account, [
+      "use $id graphql explorer",
+      "execute $id arbitrary graphql requests",
+    ]);
+  }
+
+}

src/Access/QueryAccessCheck.php

@@ -5,6 +5,7 @@
 use Drupal\Core\Access\AccessResult;
 use Drupal\Core\Routing\Access\AccessInterface;
 use Drupal\Core\Session\AccountInterface;
+use Drupal\graphql\Entity\ServerInterface;
 use Symfony\Component\HttpFoundation\RequestStack;
 
 class QueryAccessCheck implements AccessInterface {
@@ -31,13 +32,20 @@ public function __construct(RequestStack $requestStack) {
    *
    * @param \Drupal\Core\Session\AccountInterface $account
    *   The currently logged in account.
+   * @param \Drupal\graphql\Entity\ServerInterface $graphql_server
+   *   The server instance.
    *
    * @return \Drupal\Core\Access\AccessResultInterface
    *   The access result.
    */
-  public function access(AccountInterface $account) {
+  public function access(AccountInterface $account, ServerInterface $graphql_server) {
+    if ($account->hasPermission('bypass graphql access')) {
+      return AccessResult::allowed();
+    }
+
+    $id = $graphql_server->id();
     // If the user has the global permission to execute any query, let them.
-    if ($account->hasPermission('execute graphql requests')) {
+    if ($account->hasPermission("execute $id arbitrary graphql requests")) {
       return AccessResult::allowed();
     }
 
@@ -53,12 +61,12 @@ public function access(AccountInterface $account) {
       // not a persisted query). Hence, we only grant access if the user has the
       // permission to execute any query.
       if ($operation->getOriginalInput('query')) {
-        return AccessResult::allowedIfHasPermission($account, 'execute graphql requests');
+        return AccessResult::allowedIfHasPermission($account, "execute $id arbitrary graphql requests");
       }
     }
 
     // If we reach this point, this is a persisted query.
-    return AccessResult::allowedIfHasPermission($account, 'execute persisted graphql requests');
+    return AccessResult::allowedIfHasPermission($account, "execute $id persisted graphql requests");
   }
 
 }

src/Access/VoyagerAccessCheck.php

@@ -0,0 +1,35 @@
+<?php
+
+namespace Drupal\graphql\Access;
+
+use Drupal\Core\Access\AccessResult;
+use Drupal\Core\Routing\Access\AccessInterface;
+use Drupal\Core\Session\AccountInterface;
+use Drupal\graphql\Entity\ServerInterface;
+
+class VoyagerAccessCheck implements AccessInterface {
+
+  /**
+   * Checks access.
+   *
+   * @param \Drupal\Core\Session\AccountInterface $account
+   *   The currently logged in account.
+   * @param \Drupal\graphql\Entity\ServerInterface $graphql_server
+   *   The server instance.
+   *
+   * @return \Drupal\Core\Access\AccessResultInterface
+   *   The access result.
+   */
+  public function access(AccountInterface $account, ServerInterface $graphql_server) {
+    if ($account->hasPermission('bypass graphql access')) {
+      return AccessResult::allowed();
+    }
+
+    $id = $graphql_server->id();
+    return AccessResult::allowedIfHasPermissions($account, [
+      "use $id graphql voyager",
+      "execute $id arbitrary graphql requests",
+    ]);
+  }
+
+}

src/Controller/RequestController.php

@@ -41,8 +41,8 @@ public function __construct(array $parameters) {
   /**
    * Handles graphql requests.
    *
-   * @param \Drupal\graphql\Entity\ServerInterface $server
-   *   The name of the server.
+   * @param \Drupal\graphql\Entity\ServerInterface $graphql_server
+   *   The server instance.
    * @param \GraphQL\Server\OperationParams|\GraphQL\Server\OperationParams[] $operations
    *   The graphql operation(s) to execute.
    *
@@ -51,13 +51,13 @@ public function __construct(array $parameters) {
    *
    * @throws \Exception
    */
-  public function handleRequest(ServerInterface $server, $operations) {
+  public function handleRequest(ServerInterface $graphql_server, $operations) {
     if (is_array($operations)) {
-      return $this->handleBatch($server, $operations);
+      return $this->handleBatch($graphql_server, $operations);
     }
 
     /** @var \GraphQL\Server\OperationParams $operations */
-    return $this->handleSingle($server, $operations);
+    return $this->handleSingle($graphql_server, $operations);
   }
 
   /**

src/PermissionProvider.php

@@ -0,0 +1,63 @@
+<?php
+
+namespace Drupal\graphql;
+
+use Drupal\Core\Entity\EntityTypeManagerInterface;
+use Drupal\Core\StringTranslation\StringTranslationTrait;
+
+class PermissionProvider {
+  use StringTranslationTrait;
+
+  /**
+   * The entity type manager service
+   *
+   * @var \Drupal\Core\Authentication\AuthenticationCollectorInterface
+   */
+  protected $entityTypeManager;
+
+  /**
+   * PermissionProvider constructor.
+   *
+   * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entityTypeManager
+   */
+  public function __construct(EntityTypeManagerInterface $entityTypeManager) {
+    $this->entityTypeManager = $entityTypeManager;
+  }
+
+  /**
+   * Collects permissions for the server endpoints.
+   */
+  public function permissions() {
+    $storage = $this->entityTypeManager->getStorage('graphql_server');
+    /** @var \Drupal\graphql\Entity\ServerInterface[] $servers */
+    $servers = $storage->loadMultiple();
+    $permissions = [];
+
+    foreach ($servers as $id => $server) {
+      $params = ['%name' => $server->label()];
+
+      $permissions["execute $id arbitrary graphql requests"] = [
+        'title' => $this->t('%name: Execute arbitrary requests', $params),
+        'description' => $this->t('Allows users to execute arbitrary requests on the %name endpoint.', $params),
+      ];
+
+      $permissions["execute $id persisted graphql requests"] = [
+        'title' => $this->t('%name: Execute persisted requests', $params),
+        'description' => $this->t('Allows users to execute persisted requests on the %name endpoint.', $params),
+      ];
+
+      $permissions["use $id graphql explorer"] = [
+        'title' => $this->t('%name: Use explorer', $params),
+        'description' => $this->t('Allows users use the explorer interface.', $params),
+      ];
+
+      $permissions["execute $id graphql voyager"] = [
+        'title' => $this->t('%name: Use voyager', $params),
+        'description' => $this->t('Allows users to use the voyager interface.', $params),
+      ];
+    }
+
+    return $permissions;
+  }
+
+}

src/Routing/QueryRouteProvider.php src/RouteProvider.php

@@ -1,12 +1,12 @@
 <?php
 
-namespace Drupal\graphql\Routing;
+namespace Drupal\graphql;
 
 use Drupal\Core\Authentication\AuthenticationCollectorInterface;
-use Drupal\graphql\Entity\Server;
+use Drupal\Core\Entity\EntityTypeManagerInterface;
 use Symfony\Component\Routing\Route;
 
-class QueryRouteProvider {
+class RouteProvider {
 
   /**
    * The authentication collector service.
@@ -16,21 +16,32 @@ class QueryRouteProvider {
   protected $authenticationCollector;
 
   /**
-   * QueryRouteProvider constructor.
+   * The entity type manager service.
    *
+   * @var \Drupal\Core\Entity\EntityTypeManagerInterface
+   */
+  protected $entityTypeManager;
+
+  /**
+   * RouteProvider constructor.
+   *
+   * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entityTypeManager
+   *   The entity type manager service.
    * @param \Drupal\Core\Authentication\AuthenticationCollectorInterface $authenticationCollector
    *   The authentication collector service.
    */
-  public function __construct(AuthenticationCollectorInterface $authenticationCollector) {
+  public function __construct(EntityTypeManagerInterface $entityTypeManager, AuthenticationCollectorInterface $authenticationCollector) {
     $this->authenticationCollector = $authenticationCollector;
+    $this->entityTypeManager = $entityTypeManager;
   }
 
   /**
    * Collects routes for the server endpoints.
    */
   public function routes() {
+    $storage = $this->entityTypeManager->getStorage('graphql_server');
     /** @var \Drupal\graphql\Entity\ServerInterface[] $servers */
-    $servers = Server::loadMultiple();
+    $servers = $storage->loadMultiple();
     $routes = [];
 
     // Allow all authentication providers by default.
@@ -41,20 +52,20 @@ public function routes() {
 
       $routes["graphql.query.$id"] = (new Route($path))
         ->addDefaults([
-          'server' => $id,
+          'graphql_server' => $id,
           '_graphql' => TRUE,
           '_controller' => '\Drupal\graphql\Controller\RequestController::handleRequest',
           '_disable_route_normalizer' => TRUE,
         ])
         ->addRequirements([
-          '_graphql_query_access' => 'TRUE',
+          '_graphql_query_access' => 'graphql_server:{graphql_server}',
           '_format' => 'json',
         ])
         ->addOptions([
           '_auth' => $auth,
           'no_cache' => TRUE,
           'default_url_options' => ['path_processing' => FALSE],
-          'parameters' => ['server' => ['type' => 'entity:graphql_server']]
+          'parameters' => ['graphql_server' => ['type' => 'entity:graphql_server']]
         ]);
     }
 

tests/src/Kernel/Framework/PermissionsTest.php

@@ -57,7 +57,7 @@ public function testNoPermissions() {
    * The user is allowed to post any queries.
    */
   public function testFullQueryAccess() {
-    $this->setUpCurrentUser([], ['execute graphql requests']);
+    $this->setUpCurrentUser([], ["execute {$this->server->id()} arbitrary graphql requests"]);
 
     // All queries should work.
     $this->assertEquals(200, $this->query('{ root }')->getStatusCode());

tests/src/Kernel/GraphQLTestBase.php

@@ -120,7 +120,7 @@ protected function defaultCacheContexts() {
    * @return array
    */
   protected function userPermissions() {
-    return ['access content', 'execute graphql requests'];
+    return ['access content', 'bypass graphql access'];
   }
 
 }