reactioncommerce / federated-gateway

An access aware federated GraphQL API gateway for the Reaction Commerce ecosystem
Apache License 2.0
6 stars, 3 forks

feat: add gateway level authorization service check #32

Closed kieckhafer closed 4 years ago

kieckhafer commented 4 years ago

Resolves #13
Impact: minor
Type: feature

Summary

Adds a Gateway level check to make sure the user trying to make a request through the gateway is allowed to use the gateway.

Currently, the policy, added at bin/policies, states that all users are allowed to use the gateway, so this won't do anything aside from prove the check works.

Since the check requires the reaction-authorization service to be running, this authorization check is behind an ENABLE_AUTHORIZTION flag, defaulted to false, in the env.

Testing

  1. See that authorization service is not hit if ENABLE_AUTHORIZTION flag is false
  2. See that authorization service is hit if ENABLE_AUTHORIZTION flag is true
  3. In index.js, hard-code isAuthorized to return false
  4. See that this throws an auth error when trying to make any query or mutation - even those that typically were "unauthenticated" in the api
  5. See that all users are allowed to make all requests if you let the authorization service run the check

kieckhafer commented 4 years ago

@rosshadden This is "ready", in that once it's started up by hacking around a bit it works, but there are a couple of issues that need to be discussed and fixed here:

1) We discussed this already, but there is a problem running bin/register-policies with the current env setup, due to the array that is used for services. Adding a single quote around the array fixes this issue, however....

2) Then you can't start the gateway itself. We get an error from envalid:

================================
 Invalid environment variables:
    SERVICES: Invalid json: "'[{ "name": "api", "url": "http://api.reaction.localhost:3000/graphql" },{ "name": "authorization", "url": "http://authorization.reaction.localhost:6000" }]'"
2020-03-06T22:33:50.948148765Z 
 Exiting with error code 1
================================

and if I change envalid to expect a string, then we get to the next step, where we can't iterate over the services because it's a string, not an array.

3) When trying to run bin/register-policies, we need to hit the auth service at http://authorization.reaction.localhost:6001, but the auth service needs to be hit at 6000 when running the gateway - I'm not entirely sure why this is the case at this point, (just making a note of it for now), but I'm sure digging into this will be the easiest of these three issues to fix.

To get it working, I put the ' around the services and changed the auth URL to 6001, ran bin/setup-policies, and then removed the ' and changed it back to 6000, and it all works correctly once that policy is registered.

kieckhafer commented 4 years ago

@rosshadden my previous comment has been addressed and fixed.

The SERVICES array is no longer in the env. Instead, there is a new file, services.js, which exports the array of services into index.js. I've committed the file with a blank array; the user will need to add the services to this file in the same way they were adding them to the env.