chore(backend): initalize graphql authorization

lusergit · lusergit · commit d29631860c5d · 2026-02-20T16:43:07.000+01:00
Adds an authorization layer, providing an actor to queries trough the token
claims. Such actor is then used to authorize the query/mutation and allow
subscriptions.

The claims structures is unchanged, the actor only contains a map with the
matched claims and is not persisted in the database, but rather passed down the
context of triggered actions.

Signed-off-by: Luca Zaninotto &lt;luca.zaninotto@secomind.com&gt;
diff --git a/backend/config/config.exs b/backend/config/config.exs
@@ -95,6 +95,7 @@ config :edgehog, EdgehogWeb.Endpoint,
 
 config :edgehog, :ash_domains, [
   Edgehog.Astarte,
+  Edgehog.Actors,
   Edgehog.BaseImages,
   Edgehog.Campaigns,
   Edgehog.Containers,
diff --git a/backend/lib/edgehog/actors/actor.ex b/backend/lib/edgehog/actors/actor.ex
@@ -0,0 +1,41 @@
+#
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+defmodule Edgehog.Actors.Actor do
+  @moduledoc """
+  Edgheog Actors.
+  This module represents an actor performing a call trough the GraphQL APIs.
+  """
+
+  use Ash.Resource,
+    domain: Edgehog.Actors
+
+  actions do
+    defaults [:read]
+
+    create :from_claims do
+      accept [:claims]
+    end
+  end
+
+  attributes do
+    attribute :claims, :map, allow_nil?: false
+  end
+end
diff --git a/backend/lib/edgehog/actors/actors.ex b/backend/lib/edgehog/actors/actors.ex
@@ -0,0 +1,33 @@
+#
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+defmodule Edgehog.Actors do
+  @moduledoc """
+  The actors domain.
+  """
+
+  use Ash.Domain
+
+  alias Edgehog.Actors.Actor
+
+  resources do
+    resource Actor
+  end
+end
diff --git a/backend/lib/edgehog/base_images/base_images.ex b/backend/lib/edgehog/base_images/base_images.ex
@@ -25,12 +25,17 @@ defmodule Edgehog.BaseImages do
 
   use Ash.Domain,
     extensions: [
-      AshGraphql.Domain
+      AshGraphql.Domain,
+      Ash.Authorizer
     ]
 
   alias Edgehog.BaseImages.BaseImage
   alias Edgehog.BaseImages.BaseImageCollection
 
+  authorization do
+    authorize :when_requested
+  end
+
   graphql do
     root_level_errors? true
 
diff --git a/backend/lib/edgehog/campaigns/campaigns.ex b/backend/lib/edgehog/campaigns/campaigns.ex
@@ -25,13 +25,18 @@ defmodule Edgehog.Campaigns do
 
   use Ash.Domain,
     extensions: [
-      AshGraphql.Domain
+      AshGraphql.Domain,
+      Ash.Authorizer
     ]
 
   alias Edgehog.Campaigns.Campaign
   alias Edgehog.Campaigns.CampaignTarget
   alias Edgehog.Campaigns.Channel
 
+  authorization do
+    authorize :when_requested
+  end
+
   graphql do
     root_level_errors? true
 
diff --git a/backend/lib/edgehog/containers/containers.ex b/backend/lib/edgehog/containers/containers.ex
@@ -21,7 +21,10 @@
 defmodule Edgehog.Containers do
   @moduledoc false
   use Ash.Domain,
-    extensions: [AshGraphql.Domain]
+    extensions: [
+      AshGraphql.Domain,
+      Ash.Authorizer
+    ]
 
   alias Edgehog.Containers.Application
   alias Edgehog.Containers.Deployment
@@ -33,6 +36,10 @@ defmodule Edgehog.Containers do
   alias Edgehog.Containers.Release
   alias Edgehog.Containers.Volume
 
+  authorization do
+    authorize :when_requested
+  end
+
   graphql do
     root_level_errors? true
 
diff --git a/backend/lib/edgehog/devices/devices.ex b/backend/lib/edgehog/devices/devices.ex
@@ -23,13 +23,18 @@ defmodule Edgehog.Devices do
 
   use Ash.Domain,
     extensions: [
-      AshGraphql.Domain
+      AshGraphql.Domain,
+      Ash.Authorizer
     ]
 
   alias Edgehog.Devices.Device
   alias Edgehog.Devices.HardwareType
   alias Edgehog.Devices.SystemModel
 
+  authorization do
+    authorize :when_requested
+  end
+
   graphql do
     root_level_errors? true
 
diff --git a/backend/lib/edgehog/files/files.ex b/backend/lib/edgehog/files/files.ex
@@ -24,7 +24,11 @@ defmodule Edgehog.Files do
   """
 
   use Ash.Domain,
-    extensions: [AshGraphql.Domain]
+    extensions: [AshGraphql.Domain, Ash.Authorizer]
+
+  authorization do
+    authorize :when_requested
+  end
 
   alias Edgehog.Files.File
   alias Edgehog.Files.Repository
diff --git a/backend/lib/edgehog/forwarder/forwarder.ex b/backend/lib/edgehog/forwarder/forwarder.ex
@@ -22,12 +22,17 @@ defmodule Edgehog.Forwarder do
   @moduledoc false
   use Ash.Domain,
     extensions: [
-      AshGraphql.Domain
+      AshGraphql.Domain,
+      Ash.Authorizer
     ]
 
   alias Edgehog.Forwarder.Config
   alias Edgehog.Forwarder.Session
 
+  authorization do
+    authorize :when_requested
+  end
+
   graphql do
     root_level_errors? true
 
diff --git a/backend/lib/edgehog/groups/groups.ex b/backend/lib/edgehog/groups/groups.ex
@@ -23,10 +23,14 @@ defmodule Edgehog.Groups do
   The Groups context.
   """
 
-  use Ash.Domain, extensions: [AshGraphql.Domain]
+  use Ash.Domain, extensions: [AshGraphql.Domain, Ash.Authorizer]
 
   alias Edgehog.Groups.DeviceGroup
 
+  authorization do
+    authorize :when_requested
+  end
+
   graphql do
     root_level_errors? true
 
diff --git a/backend/lib/edgehog/labeling/labeling.ex b/backend/lib/edgehog/labeling/labeling.ex
@@ -23,10 +23,14 @@ defmodule Edgehog.Labeling do
   The Labeling context, containing all functionalities regarding tags and attributes assignment
   """
 
-  use Ash.Domain, extensions: [AshGraphql.Domain]
+  use Ash.Domain, extensions: [AshGraphql.Domain, Ash.Authorizer]
 
   alias Edgehog.Labeling.Tag
 
+  authorization do
+    authorize :when_requested
+  end
+
   graphql do
     root_level_errors? true
 
diff --git a/backend/lib/edgehog/os_management/os_management.ex b/backend/lib/edgehog/os_management/os_management.ex
@@ -22,11 +22,16 @@ defmodule Edgehog.OSManagement do
   @moduledoc false
   use Ash.Domain,
     extensions: [
-      AshGraphql.Domain
+      AshGraphql.Domain,
+      Ash.Authorizer
     ]
 
   alias Edgehog.OSManagement.OTAOperation
 
+  authorization do
+    authorize :when_requested
+  end
+
   graphql do
     root_level_errors? true
 
diff --git a/backend/lib/edgehog_web/auth/populate_actor.ex b/backend/lib/edgehog_web/auth/populate_actor.ex
@@ -0,0 +1,35 @@
+#
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+defmodule EdgehogWeb.PopulateActor do
+  @moduledoc """
+  This Plug populates the `actor` property of a graphql request, creaiting a
+  meaningful representation of permissions associated to the entity performing
+  the request based on token claims.
+  """
+  @behaviour Plug
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    actor = Guardian.Plug.current_resource(conn)
+    Ash.PlugHelpers.set_actor(conn, actor)
+  end
+end
diff --git a/backend/lib/edgehog_web/auth/token.ex b/backend/lib/edgehog_web/auth/token.ex
@@ -42,7 +42,9 @@ defmodule EdgehogWeb.Auth.Token do
     # e_tga = Edgehog Tenant GraphQL API
     case Map.fetch(claims, "e_tga") do
       {:ok, claims} ->
-        {:ok, %{claims: claims}}
+        Edgehog.Actors.Actor
+        |> Ash.Changeset.for_create(:from_claims, %{claims: %{e_tga: claims}})
+        |> Ash.create()
 
       :error ->
         {:error, :no_valid_claims}
diff --git a/backend/lib/edgehog_web/router.ex b/backend/lib/edgehog_web/router.ex
@@ -25,12 +25,14 @@ defmodule EdgehogWeb.Router do
     plug :accepts, ["json"]
     plug EdgehogWeb.PopulateTenant
     plug EdgehogWeb.Auth
+    plug EdgehogWeb.PopulateActor
     plug AshGraphql.Plug
   end
 
   pipeline :triggers do
     plug :accepts, ["json"]
     plug EdgehogWeb.PopulateTenant
+    plug EdgehogWeb.PopulateActor
   end
 
   pipeline :admin_api do
