Support specifying session configs in http and graphql endpoints (#9110)

For http we add a `config` parameter, and for graphql we add a
`__config__` key to `variables` (mirroring the newer and more graphql
standard compliant way for globals).

I made dbview responsible for loading the config, like it is for binary
proto state (with `decode_state`).

Author: msullivan

docs/cloud/http_gql.rst

@@ -78,7 +78,7 @@ HTTP
 ----
 
 - :ref:`Overview <ref_edgeql_http>`
-- :ref:`ref_edgeqlql_protocol`
+- :ref:`ref_edgeql_protocol`
 - :ref:`ref_edgeql_http_health_checks`
 
 

docs/reference/using/graphql/index.rst

@@ -109,6 +109,7 @@ Requests can contain the following fields:
   keys must be the fully qualified names of the globals to set (e.g.,
   ``default::current_user`` for the global ``current_user`` in the ``default``
   module).
+- ``variables["__config__"]`` - a JSON object containing session configuration values. **Optional**.  **Added in 7.0.**
 - ``operationName`` - the name of the operation that must be
   executed. **Optional** If the GraphQL query contains several named
   operations, it is required.

docs/reference/using/http.rst

@@ -86,23 +86,25 @@ example showing how you might send the query ``select Person {*};`` using cURL:
 
 .. lint-on
 
-.. _ref_edgeqlql_protocol:
+.. _ref_edgeql_protocol:
 
 Querying
 ========
 
 |Gel| supports GET and POST methods for handling EdgeQL over HTTP protocol. Both GET and POST methods use the following fields:
 
 - ``query`` - contains the EdgeQL query string
-- ``variables``- contains a JSON object where the keys are the parameter names from the query and the values are the arguments to be used in this execution of the query.
-- ``globals``- contains a JSON object where the keys are the fully qualified global names and the values are the desired values for those globals.
+- ``variables``- contains a JSON object where the keys are the parameter names from the query and the values are the arguments to be used in this execution of the query.  **Optional**
+- ``globals``- contains a JSON object where the keys are the fully qualified global names and the values are the desired values for those globals.  **Optional**
+
+- ``config`` - contains a JSON object where the keys are configuration option names and the values are the desired values for those configs.  **Optional**. **Added in 7.0.**
 
 The protocol supports HTTP Keep-Alive.
 
 GET request
 -----------
 
-The HTTP GET request passes the fields as query parameters: ``query`` string and JSON-encoded ``variables`` mapping.
+The HTTP GET request passes the fields as query parameters: ``query`` string and JSON-encoded ``variables``, ``globals``, and ``config`` mappings.
 
 
 POST request
@@ -115,7 +117,8 @@ The POST request should use ``application/json`` content type and submit the fol
   {
     "query": "select Person {*} filter .name = <str>$name;",
     "variables": { "name": "John" },
-    "globals": { "default::global_name": "value" }
+    "globals": { "default::global_name": "value" },
+    "config": { "default_transaction_isolation": "RepeatableRead" }
   }
 
 

docs/resources/changelog/7_x.rst

@@ -1,6 +1,6 @@
-===========
-v7.0 beta 1
-===========
+====
+v7.0
+====
 
 :edb-alt-title: Gel v7
 
@@ -10,7 +10,7 @@ automatically suggested:
 
 .. code-block:: bash
 
-  $ gel project init --server-version 7.0-beta.1
+  $ gel project init --server-version 7.0-rc.3
 
 
 Upgrading
@@ -121,6 +121,14 @@ Third-party SQL tools can use the pg_connector role and access
 policies will be disable.
 
 
+Session configuration for GraphQL and EdgeQL HTTP interfaces
+------------------------------------------------------------
+
+The :ref:`GraphQL <ref_graphql_protocol>` and :ref:`EdgeQL HTTP <ref_edgeql_protocol>` interfaces now support passing in session configuration variables.
+
+If you are exposing HTTP/GraphQL endpoints to users and relying on them not being able to perform configuration, you will need to instead have them use roles that have not been given permission to modify sensitive configs.
+
+
 Simpler scoping rules deprecation warnings
 ------------------------------------------
 

edb/graphql/extension.pyx

@@ -102,6 +102,7 @@ async def handle_request(
     operation_name = None
     variables = None
     globals = None
+    config = None
     deprecated_globals = None
     query = None
     query_bytes_len = 0
@@ -179,6 +180,12 @@ async def handle_request(
         if variables is not None:
             globals = variables.get('__globals__')
 
+        if variables is not None:
+            config = variables.get('__config__')
+
+        if config is not None and not isinstance(config, dict):
+            raise TypeError('"__config__" must be a JSON object')
+
         if globals is not None and not isinstance(globals, dict):
             raise TypeError('"__globals__" must be a JSON object')
         if (
@@ -210,7 +217,9 @@ async def handle_request(
     response.content_type = b'application/json'
     try:
         result = await _execute(
-            db, role_name, tenant, query, operation_name, variables, globals)
+            db, role_name, tenant, query, operation_name, variables, globals,
+            config,
+        )
     except Exception as ex:
         if debug.flags.server:
             markup.dump(ex)
@@ -239,14 +248,15 @@ async def handle_request(
 
 
 async def compile(
-    dbview.Database db,
+    dbview.DatabaseConnectionView dbv,
     tenant,
     query: str,
     tokens: Optional[List[Tuple[int, int, int, str]]],
     substitutions: Optional[Dict[str, Tuple[str, int, int]]],
     operation_name: Optional[str],
     variables: Dict[str, Any],
 ):
+    db = dbv._db
     server = tenant.server
     compiler_pool = server.get_compiler_pool()
     started_at = time.monotonic()
@@ -256,8 +266,9 @@ async def compile(
             db.user_schema_pickle,
             tenant.get_global_schema_pickle(),
             db.reflection_cache,
-            db.db_config,
-            db._index.get_compilation_system_config(),
+            dbv.get_database_config(),
+            dbv.get_compilation_system_config(),
+            dbv.get_session_config(),
             query,
             tokens,
             substitutions,
@@ -274,7 +285,7 @@ async def compile(
         )
 
 async def _execute(
-    db, role_name, tenant, query, operation_name, variables, globals
+    db, role_name, tenant, query, operation_name, variables, globals, config
 ):
     dbver = db.dbver
     query_cache = tenant.server._http_query_cache
@@ -316,7 +327,27 @@ async def _execute(
             print(rewritten)
             print(f'variables: {vars}')
 
-    cache_key = ('graphql', prepared_query, (), operation_name, dbver)
+    await db.introspection()
+
+    dbv: dbview.DatabaseConnectionView = await tenant.new_dbview(
+        dbname=db.name,
+        query_cache=False,
+        protocol_version=edbdef.CURRENT_PROTOCOL,
+        role_name=role_name,
+    )
+    dbv.is_transient = True
+    dbv.decode_json_session_config(config)
+
+    # Put the compilation-affecting session config into the cache key.
+    # N.B: We skip putting system/database config in here, since dbver
+    # gets bumped whenever those change.
+    config_key = db.server.compilation_config_serializer.encode_configs(
+        dbv.get_session_config()
+    )
+
+    cache_key = (
+        'graphql', prepared_query, (), operation_name, dbver, config_key
+    )
     use_prep_stmt = False
 
     entry: CacheEntry = None
@@ -328,15 +359,15 @@ async def _execute(
             print("REDIRECT", entry.key_vars)
 
         key_vars2 = tuple(vars[k] for k in entry.key_vars)
-        cache_key2 = (prepared_query, key_vars2, operation_name, dbver)
+        cache_key2 = (
+            prepared_query, key_vars2, operation_name, dbver, config_key
+        )
         entry = query_cache.get(cache_key2, None)
 
-    await db.introspection()
-
     if entry is None:
         if rewritten is not None:
             qug, gql_op = await compile(
-                db,
+                dbv,
                 tenant,
                 query,
                 rewritten.tokens(gql_lexer.TokenKind),
@@ -346,7 +377,7 @@ async def _execute(
             )
         else:
             qug, gql_op = await compile(
-                db,
+                dbv,
                 tenant,
                 query,
                 None,
@@ -381,13 +412,6 @@ async def _execute(
 
     compiled = dbview.CompiledQuery(query_unit_group=qug)
 
-    dbv = await tenant.new_dbview(
-        dbname=db.name,
-        query_cache=False,
-        protocol_version=edbdef.CURRENT_PROTOCOL,
-        role_name=role_name,
-    )
-
     async with tenant.with_pgcon(db.name) as pgcon:
         try:
             return await execute.execute_json(

edb/server/compiler_pool/worker.py

@@ -18,7 +18,7 @@
 
 
 from __future__ import annotations
-from typing import Any, Optional
+from typing import Any, Mapping, Optional
 
 import pickle
 
@@ -262,6 +262,7 @@ def compile_graphql(
     global_schema: Optional[bytes],
     database_config: Optional[bytes],
     system_config: Optional[bytes],
+    session_config: Mapping[str, Any],
     *compile_args: Any,
     **compile_kwargs: Any,
 ) -> tuple[compiler.QueryUnitGroup, graphql.TranspiledOperation]:
@@ -303,7 +304,7 @@ def compile_graphql(
         inline_typenames=False,
         inline_objectids=False,
         modaliases=None,
-        session_config=None,
+        session_config=session_config,
     )
 
     unit_group, _ = COMPILER.compile(

edb/server/dbview/dbview.pxd

@@ -253,7 +253,9 @@ cdef class DatabaseConnectionView:
     cdef bint is_state_desc_changed(self)
     cdef describe_state(self)
     cdef encode_state(self)
+    cdef check_session_config_perms(self, keys)
     cdef decode_state(self, type_id, data)
+    cdef decode_json_session_config(self, json_session_config)
     cdef bint needs_commit_after_state_sync(self)
 
     cdef check_capabilities(

edb/server/dbview/dbview.pyx

@@ -974,6 +974,21 @@ cdef class DatabaseConnectionView:
             state['globals'] = {k: v.value for k, v in globals_.items()}
         return serializer.type_id, serializer.encode(state)
 
+    cdef check_session_config_perms(self, keys):
+        is_superuser, permissions = self.get_permissions()
+        if not is_superuser:
+            settings = self.get_config_spec()
+            for k in keys:
+                setting = settings[k]
+                if setting.session_restricted and not (
+                    setting.session_permission
+                    and setting.session_permission in permissions
+                ):
+                    raise errors.DisabledCapabilityError(
+                        f'role {self._role_name} does not have permission to '
+                        f'configure session config variable {k}'
+                    )
+
     cdef decode_state(self, type_id, data):
         serializer = self.get_state_serializer()
         self._command_state_serializer = serializer
@@ -1001,27 +1016,15 @@ cdef class DatabaseConnectionView:
         aliases[None] = state.get('module', defines.DEFAULT_MODULE_ALIAS)
         aliases = immutables.Map(aliases)
 
-        is_superuser, permissions = self.get_permissions()
-        if not is_superuser:
-            settings = self.get_config_spec()
-            for k in state.get('config', ()):
-                setting = settings[k]
-                if setting.session_restricted and not (
-                    setting.session_permission
-                    and setting.session_permission in permissions
-                ):
-                    raise errors.DisabledCapabilityError(
-                        f'role {self._role_name} does not have permission to '
-                        f'configure session config variable {k}'
-                    )
-
+        config_obj = state.get('config', {})
+        self.check_session_config_perms(config_obj)
         session_config = immutables.Map({
             k: config.SettingValue(
                 name=k,
                 value=v,
                 source='session',
                 scope=qltypes.ConfigScope.SESSION,
-            ) for k, v in state.get('config', {}).items()
+            ) for k, v in config_obj.items()
         })
         globals_ = immutables.Map({
             k: config.SettingValue(
@@ -1038,6 +1041,25 @@ cdef class DatabaseConnectionView:
             aliases, session_config, globals_, type_id, data
         )
 
+    cdef decode_json_session_config(self, json_session_config):
+        if not json_session_config:
+            return
+
+        settings = self.get_config_spec()
+
+        self.check_session_config_perms(json_session_config)
+
+        session_config = self.get_session_config()
+        for k, v in json_session_config.items():
+            op = config.Operation(
+                config.OpCode.CONFIG_SET,
+                qltypes.ConfigScope.SESSION,
+                k,
+                v,
+            )
+            session_config = op.apply(settings, session_config)
+        self.set_session_config(session_config)
+
     cdef bint needs_commit_after_state_sync(self):
         return any(
             tx_conf in self._config
@@ -1402,25 +1424,14 @@ cdef class DatabaseConnectionView:
 
         for op in ops:
             if op.scope is config.ConfigScope.INSTANCE:
+                assert conn is not None
                 await self._db._index.apply_system_config_op(conn, op)
             elif op.scope is config.ConfigScope.DATABASE:
                 self.set_database_config(
                     op.apply(settings, self.get_database_config()),
                 )
             elif op.scope is config.ConfigScope.SESSION:
-                is_superuser, permissions = self.get_permissions()
-                if not is_superuser:
-                    setting = op.get_setting(settings)
-                    if setting.session_restricted and not (
-                        setting.session_permission
-                        and setting.session_permission in permissions
-                    ):
-                        raise errors.DisabledCapabilityError(
-                            f'role {self._role_name} does not have permission '
-                            f'to configure session config variable '
-                            f'{setting.name}'
-                        )
-
+                self.check_session_config_perms([op.setting_name])
                 self.set_session_config(
                     op.apply(settings, self.get_session_config()),
                 )