feat(gateway-framework): remove unused deployment id authorization checks (#741)

Signed-off-by: Lorenzo Delgado <[email protected]>

Author: LNSD

gateway-framework/Cargo.toml

@@ -37,7 +37,7 @@ serde_json = { workspace = true, features = ["raw_value"] }
 serde_with.workspace = true
 siphasher.workspace = true
 tap_core = { git = "https://github.com/semiotic-ai/timeline-aggregation-protocol", rev = "c179dfe" }
-thegraph-core = { workspace = true, features = ["subgraph-client"] }
+thegraph-core = { workspace = true, features = ["subgraph-client", "subscriptions"] }
 thegraph-graphql-http.workspace = true
 thiserror.workspace = true
 tokio.workspace = true

gateway-framework/src/auth/mod.rs renamed to gateway-framework/src/auth.rs

@@ -1,14 +1,11 @@
-pub mod context;
-pub mod methods;
-
-use std::sync::Arc;
-
-use methods::{api_keys, subscriptions};
 use ordered_float::NotNan;
-use thegraph_core::types::{DeploymentId, SubgraphId};
+use thegraph_core::types::SubgraphId;
 
 pub use self::context::AuthContext;
-use crate::topology::network::Deployment;
+use self::methods::{api_keys, subscriptions};
+
+pub mod context;
+pub mod methods;
 
 /// User query settings typically associated with an auth token.
 #[derive(Clone, Debug, Default)]
@@ -33,35 +30,25 @@ impl AuthToken {
         }
     }
 
-    /// Check if the given deployment is authorized for this auth token.
-    pub fn is_deployment_authorized(&self, deployment: &DeploymentId) -> bool {
+    /// Check if ANY of the given deployment subgraphs are authorized for this auth token.
+    pub fn is_any_deployment_subgraph_authorized(&self, subgraphs: &[&SubgraphId]) -> bool {
         match self {
-            AuthToken::ApiKey(auth) => auth.is_deployment_authorized(deployment),
-            AuthToken::SubscriptionsAuthToken(auth) => auth.is_deployment_authorized(deployment),
+            AuthToken::ApiKey(auth) => subgraphs
+                .iter()
+                .any(|subgraph| auth.is_subgraph_authorized(subgraph)),
+            AuthToken::SubscriptionsAuthToken(auth) => subgraphs
+                .iter()
+                .any(|subgraph| auth.is_subgraph_authorized(subgraph)),
         }
     }
 
-    /// Check if the given origin domain is authorized for this auth token.    
+    /// Check if the given origin domain is authorized for this auth token.
     pub fn is_domain_authorized(&self, domain: &str) -> bool {
         match self {
             AuthToken::ApiKey(auth) => auth.is_domain_authorized(domain),
             AuthToken::SubscriptionsAuthToken(auth) => auth.is_domain_authorized(domain),
         }
     }
-
-    pub fn are_subgraphs_authorized(&self, deployments: &[Arc<Deployment>]) -> bool {
-        match self {
-            AuthToken::ApiKey(auth) => auth.are_subgraphs_authorized(deployments),
-            AuthToken::SubscriptionsAuthToken(auth) => auth.are_subgraphs_authorized(deployments),
-        }
-    }
-
-    pub fn are_deployments_authorized(&self, deployments: &[Arc<Deployment>]) -> bool {
-        match self {
-            AuthToken::ApiKey(auth) => auth.are_deployments_authorized(deployments),
-            AuthToken::SubscriptionsAuthToken(auth) => auth.are_deployments_authorized(deployments),
-        }
-    }
 }
 
 impl From<api_keys::AuthToken> for AuthToken {

gateway-framework/src/auth/methods/mod.rs renamed to gateway-framework/src/auth/methods.rs

@@ -7,14 +7,14 @@ use alloy_primitives::Address;
 use ordered_float::NotNan;
 use serde::Deserialize;
 use serde_with::serde_as;
-use thegraph_core::types::{DeploymentId, SubgraphId};
+use thegraph_core::types::SubgraphId;
 use tokio::sync::watch;
 
 use super::common;
-use crate::{
-    auth::QuerySettings, http::middleware::RateLimitSettings, topology::network::Deployment,
-};
+use crate::{auth::QuerySettings, http::middleware::RateLimitSettings};
 
+// TODO: This type MUST NOT implement the `Deserialize` trait.
+//   Decouple the API keys fetch types from the API keys types.
 #[serde_as]
 #[derive(Clone, Debug, Default, Deserialize)]
 pub struct APIKey {
@@ -25,13 +25,13 @@ pub struct APIKey {
     #[serde(rename = "max_budget")]
     pub max_budget_usd: Option<NotNan<f64>>,
     #[serde(default)]
-    pub deployments: Vec<DeploymentId>,
-    #[serde(default)]
     pub subgraphs: Vec<SubgraphId>,
     #[serde(default)]
     pub domains: Vec<String>,
 }
 
+// TODO: This type MUST NOT implement the `Deserialize` trait.
+//   Decouple the API keys fetch types from the API keys types.
 #[derive(Clone, Copy, Debug, Default, Deserialize)]
 #[serde(rename_all = "SCREAMING_SNAKE_CASE")]
 pub enum QueryStatus {
@@ -109,22 +109,6 @@ impl AuthToken {
         let allowed_subgraphs = &self.api_key.subgraphs;
         common::is_subgraph_authorized(allowed_subgraphs, subgraph)
     }
-
-    /// Check if the given deployment is authorized by the API key.
-    pub fn is_deployment_authorized(&self, deployment: &DeploymentId) -> bool {
-        let allowed_deployments = &self.api_key.deployments;
-        common::is_deployment_authorized(allowed_deployments, deployment)
-    }
-
-    pub fn are_subgraphs_authorized(&self, deployments: &[Arc<Deployment>]) -> bool {
-        let allowed_subgraphs = &self.api_key.subgraphs;
-        common::are_subgraphs_authorized(allowed_subgraphs, deployments)
-    }
-
-    pub fn are_deployments_authorized(&self, deployments: &[Arc<Deployment>]) -> bool {
-        let allowed_deployments = &self.api_key.deployments;
-        common::are_deployments_authorized(allowed_deployments, deployments)
-    }
 }
 
 impl std::fmt::Display for AuthToken {
@@ -160,7 +144,7 @@ impl AuthContext {
     }
 }
 
-/// Parse the bearer token as a API key and retrieve the associated API key.
+/// Parse the bearer token as an API key and retrieve the associated API key.
 pub fn parse_auth_token(
     ctx: &AuthContext,
     token: &str,

gateway-framework/src/auth/methods/api_keys.rs

@@ -1,46 +1,44 @@
-use std::sync::Arc;
-
 use thegraph_core::types::{DeploymentId, SubgraphId};
 
-use crate::topology::network::Deployment;
+/// Check if the given deployment is authorized.
+///
+/// It checks if the given deployment is contained in the authorized set. If the authorized set is
+/// empty, any deployment is considered authorized.
+pub fn is_deployment_authorized(authorized: &[DeploymentId], deployment: &DeploymentId) -> bool {
+    authorized.is_empty() || authorized.contains(deployment)
+}
 
-/// Check if the given deployments are authorized by the given authorized deployments.
+/// Check if ALL the deployments are authorized.
 ///
-/// If the authorized deployments set is empty, all deployments are considered authorized.
+/// It checks if all deployments are contained in the authorized set. If the authorized set is
+/// empty, any deployment is considered authorized.
 pub fn are_deployments_authorized(
     authorized: &[DeploymentId],
-    deployments: &[Arc<Deployment>],
+    deployments: &[DeploymentId],
 ) -> bool {
     authorized.is_empty()
         || deployments
             .iter()
-            .any(|deployment| authorized.contains(&deployment.id))
+            .all(|deployment| authorized.contains(deployment))
 }
 
-/// Check if the given deployment is authorized by the given authorized deployments.
-pub fn is_deployment_authorized(authorized: &[DeploymentId], deployment: &DeploymentId) -> bool {
-    authorized.is_empty() || authorized.contains(deployment)
+/// Check if the given subgraph is authorized.
+///
+/// It checks if the given subgraph is contained in the authorized set. If the authorized set is
+/// empty, any subgraph is considered authorized.
+pub fn is_subgraph_authorized(authorized: &[SubgraphId], subgraph: &SubgraphId) -> bool {
+    authorized.is_empty() || authorized.contains(subgraph)
 }
 
-/// Check if any of the given deployments are authorized by the given authorized subgraphs.
+/// Check if ALL the subgraphs are authorized.
 ///
-/// If the authorized subgraphs set is empty, all deployments are considered authorized.
-pub fn are_subgraphs_authorized(
-    authorized: &[SubgraphId],
-    deployments: &[Arc<Deployment>],
-) -> bool {
+/// It checks if all subgraphs are contained in the authorized set. If the authorized set is empty,
+/// any subgraph is considered authorized.
+pub fn are_subgraphs_authorized(authorized: &[SubgraphId], subgraphs: &[SubgraphId]) -> bool {
     authorized.is_empty()
-        || deployments.iter().any(|deployment| {
-            deployment
-                .subgraphs
-                .iter()
-                .any(|subgraph_id| authorized.contains(subgraph_id))
-        })
-}
-
-/// Check if the given subgraph is authorized by the given authorized subgraphs.
-pub fn is_subgraph_authorized(authorized: &[SubgraphId], subgraph: &SubgraphId) -> bool {
-    authorized.is_empty() || authorized.contains(subgraph)
+        || subgraphs
+            .iter()
+            .all(|subgraph| authorized.contains(subgraph))
 }
 
 /// Check if the query origin domain is authorized.

gateway-framework/src/auth/methods/common.rs

@@ -8,14 +8,13 @@ use thegraph_core::{
     subscriptions::auth::{
         parse_auth_token as parse_bearer_token, verify_auth_token_claims, AuthTokenClaims,
     },
-    types::{DeploymentId, SubgraphId},
+    types::SubgraphId,
 };
 use tokio::sync::watch;
 
 use super::common;
 use crate::{
     auth::QuerySettings, http::middleware::RateLimitSettings, subscriptions::Subscription,
-    topology::network::Deployment,
 };
 
 /// Auth token wrapper around the Subscriptions auth token claims and the subscription.
@@ -68,22 +67,6 @@ impl AuthToken {
         let allowed_subgraphs = &self.claims.allowed_subgraphs;
         common::is_subgraph_authorized(allowed_subgraphs, subgraph)
     }
-
-    /// Check if the given deployment is authorized by the auth token claims.
-    pub fn is_deployment_authorized(&self, deployment: &DeploymentId) -> bool {
-        let allowed_deployments = &self.claims.allowed_deployments;
-        common::is_deployment_authorized(allowed_deployments, deployment)
-    }
-
-    pub fn are_subgraphs_authorized(&self, deployments: &[Arc<Deployment>]) -> bool {
-        let allowed_subgraphs = &self.claims.allowed_subgraphs;
-        common::are_subgraphs_authorized(allowed_subgraphs, deployments)
-    }
-
-    pub fn are_deployments_authorized(&self, deployments: &[Arc<Deployment>]) -> bool {
-        let allowed_deployments = &self.claims.allowed_deployments;
-        common::are_deployments_authorized(allowed_deployments, deployments)
-    }
 }
 
 impl std::fmt::Display for AuthToken {

gateway-framework/src/auth/methods/subscriptions.rs

@@ -24,10 +24,7 @@ use gateway_framework::{
     blocks::Block,
     budgets::USD,
     chains::ChainReader,
-    errors::{
-        Error, IndexerError,
-        UnavailableReason::{self, *},
-    },
+    errors::{Error, IndexerError, UnavailableReason},
     network::{
         discovery::Status,
         indexing_performance::{IndexingPerformance, Snapshot},
@@ -96,36 +93,38 @@ pub async fn handle_query(
     let start_time = Instant::now();
     let timestamp = unix_timestamp();
 
-    // Check if the query selector is authorized by the auth token
-    match &selector {
+    // Check if the query selector is authorized by the auth token and
+    // resolve the subgraph deployments for the query.
+    let (deployments, subgraph) = match &selector {
         QuerySelector::Subgraph(id) => {
+            // If the subgraph is not authorized, return an error.
             if !auth.is_subgraph_authorized(id) {
                 return Err(Error::Auth(anyhow!("Subgraph not authorized by user")));
             }
+
+            resolve_subgraph_deployments(&ctx.network, &selector)?
         }
-        QuerySelector::Deployment(id) => {
-            if !auth.is_deployment_authorized(id) {
+        QuerySelector::Deployment(_) => {
+            // Authorization is based on the "authorized subgraphs" allowlist. We need to resolve
+            // the subgraph deployments to check if any of the deployment's subgraphs are
+            // authorized, otherwise return an error.
+            let (deployments, subgraph) = resolve_subgraph_deployments(&ctx.network, &selector)?;
+
+            // If none of the deployment's subgraphs are authorized, return an error.
+            let deployment_subgraphs = deployments
+                .iter()
+                .flat_map(|d| d.subgraphs.iter())
+                .collect::<Vec<_>>();
+            if !auth.is_any_deployment_subgraph_authorized(&deployment_subgraphs) {
                 return Err(Error::Auth(anyhow!("Deployment not authorized by user")));
             }
+
+            (deployments, subgraph)
         }
-    }
+    };
 
-    let (deployments, subgraph) = resolve_subgraph_deployments(&ctx.network, &selector)?;
     tracing::info!(deployments = ?deployments.iter().map(|d| d.id).collect::<Vec<_>>());
 
-    // Check authorization for the resolved deployments
-    if !auth.are_deployments_authorized(&deployments) {
-        return Err(Error::Auth(anyhow::anyhow!(
-            "deployment not authorized by user"
-        )));
-    }
-
-    if !auth.are_subgraphs_authorized(&deployments) {
-        return Err(Error::Auth(anyhow::anyhow!(
-            "subgraph not authorized by user"
-        )));
-    }
-
     if let Some(l2_url) = ctx.l2_gateway.as_ref() {
         // Forward query to L2 gateway if it's marked as transferred & there are no allocations.
         // abf62a6d-c071-4507-b528-ddc8e250127a
@@ -268,7 +267,10 @@ async fn handle_client_query_inner(
         .unwrap_or_default();
     available_indexers.retain(|candidate| {
         if blocklist.contains(candidate) || ctx.bad_indexers.contains(&candidate.indexer) {
-            indexer_errors.insert(candidate.indexer, IndexerError::Unavailable(NoStatus));
+            indexer_errors.insert(
+                candidate.indexer,
+                IndexerError::Unavailable(UnavailableReason::NoStatus),
+            );
             return false;
         }
         true
@@ -720,7 +722,7 @@ async fn handle_indexer_query_inner(
         .iter()
         .try_for_each(|err| check_block_error(&err.message))
         .map_err(|block_error| ExtendedIndexerError {
-            error: IndexerError::Unavailable(MissingBlock),
+            error: IndexerError::Unavailable(UnavailableReason::MissingBlock),
             latest_block: block_error.latest_block,
         })?;
 
@@ -793,8 +795,10 @@ pub fn indexer_fee(
         .map(|model| model.cost_with_context(context))
     {
         None => Ok(0),
-        Some(Ok(fee)) => fee.to_u128().ok_or(IndexerError::Unavailable(NoFee)),
-        Some(Err(_)) => Err(IndexerError::Unavailable(NoFee)),
+        Some(Ok(fee)) => fee
+            .to_u128()
+            .ok_or(IndexerError::Unavailable(UnavailableReason::NoFee)),
+        Some(Err(_)) => Err(IndexerError::Unavailable(UnavailableReason::NoFee)),
     }
 }