wip - JWT claims with explicit SQL predicate

Author: ddebrunner

protection/jwt-claims-dbquery/README.md

@@ -0,0 +1,29 @@
+# Pulling field arguments from JWT claims
+
+Run the [sample operations](operations.graphql):
+
+JWT with `regions: IN`.
+```
+stepzen request -f operations.graphql --operation-name=Customers \
+   --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI1IiwicmVnaW9ucyI6WyJJTiJdfQ.hDi3-qaIOSFKzlFvaXwSh0trXC3vjiOehSKE0OxgOdE"
+```
+
+
+JWT with `regions: IN, UK`.
+```
+stepzen request -f operations.graphql --operation-name=Customers \
+    --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI1IiwicmVnaW9ucyI6WyJJTiJdfQ.hDi3-qaIOSFKzlFvaXwSh0trXC3vjiOehSKE0OxgOdE"
+```
+
+JWT with `regions: US, UK`.
+```
+stepzen request -f operations.graphql --operation-name=Customers \
+   --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI1IiwicmVnaW9ucyI6WyJVUyIsIlVLIl19.pf0-A6TN_hT-ldCvsZyqYGv4Twjm9s6wO1aatCjK9Aw"
+```
+
+JWT with `regions: US, UK` and user supplied filter
+```
+stepzen request -f operations.graphql --operation-name=Customers \
+   --var f='{"city": {"eq":"London"}}' \
+   --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI1IiwicmVnaW9ucyI6WyJVUyIsIlVLIl19.pf0-A6TN_hT-ldCvsZyqYGv4Twjm9s6wO1aatCjK9Aw"
+```

protection/jwt-claims-dbquery/config.yaml

@@ -0,0 +1,21 @@
+deployment:
+  identity:
+    keys:
+      - algorithm: HS256
+        key: development-only
+access:
+  policies:
+    - type: Query
+      policyDefault:
+        condition: false
+      rules:
+        - name: "jwt-control"
+          fields: [customers]
+          condition: "?$jwt"
+        - name: "introspection"
+          fields: [__schema, __type]
+          condition: true
+configurationset:
+  - configuration:
+      name: postgresql_config
+      uri: postgresql://postgresql.introspection.stepzen.net/introspection?user=testUserIntrospection&password=HurricaneStartingSample1934

protection/jwt-claims-dbquery/index.graphql

@@ -0,0 +1,14 @@
+schema
+  @sdl(
+    files: ["paging.graphql"]
+    # visibilty controls how fields included through files in this directive
+    # are visible outside the scope of this directive to GraphQL introspection
+    # and field references through @materializer etc.
+    #
+    # types and fields are regular expressions that match type and field names.
+    # Like field access rules if aat least one visibility pattern is present then by default
+    # root operation type (Query, Mutation, Subscription) fields are not exposed.
+    visibility: [{ expose: true, types: "Query", fields: ".*" }]
+  ) {
+  query: Query
+}

protection/jwt-claims-dbquery/operations.graphql

@@ -0,0 +1,8 @@
+query Customers($f:CustomerFilter) {
+  customers(filter:$f) {
+    id
+    name
+    city
+    region
+  }
+}

protection/jwt-claims-dbquery/paging.graphql

@@ -0,0 +1,95 @@
+type Customer {
+  id: ID!
+  name: String
+  email: String
+  street: String
+  city: String
+  region: String
+}
+
+"""
+`CustomerConnection` is the connection type for `Customer` pagination.
+In StepZen, a field returning a connection type must have arguments
+`first` (number of nodes to fetch) and `after` (opaque cursor indicating
+the starting point).
+"""
+type CustomerConnection {
+  edges: [CustomerEdge]
+  pageInfo: PageInfo!
+}
+
+"""
+`CustomerEdge` provides access to the node and its cursor.
+"""
+type CustomerEdge {
+  node: Customer
+  cursor: String
+}
+
+input StringFilter {
+  eq: String
+  ne: String
+}
+
+input CustomerFilter {
+  name: StringFilter
+  email: StringFilter
+  city: StringFilter
+}
+
+extend type Query {
+  # customers is the exposed field that limits the caller to regions
+  # based upon the regions claim in the request's JWT.
+  customers(
+    first: Int! = 10
+    filter: CustomerFilter
+  ): [Customer]
+    @sequence(
+      steps: [
+        { query: "_regions" }
+        {
+          query: "_customers_flatten"
+          arguments: [
+            { name: "first", argument: "first" }
+            { name: "filter", argument: "filter" }
+          ]
+        }
+      ]
+    )
+
+  # extracts the regions visible to the request from the JWT.
+  _regions: [String]! @value(script: { src: "$jwt.regions" })
+
+  # this flattens the customer connection pagination structure
+  # into a simple list of Customer objects.
+  # This is needed as @sequence is not supported for connection types.
+  _customers_flatten(
+    first: Int! = 10
+    filter: CustomerFilter
+    regions: [String]!
+  ): [Customer] @materializer(query: "_customers { edges { node }}")
+
+  # Standard paginated field for a customers table in a database.
+  # Additional regions argument that is used to limit customer
+  # visibility based upon the 'regions' claim in a JWT.
+  # The regions allows a list of regions and uses SQL ANY to match rows.
+  _customers(
+    first: Int! = 10
+    after: String! = ""
+    filter: CustomerFilter # regions: [String]!
+    regions: [String]!
+  ): CustomerConnection
+    @dbquery(
+      type: "postgresql"
+      schema: "public"
+      query: """
+      SELECT C.id, C.name, C.email, A.street, A.city, A.countryregion AS region
+        FROM customer C, address A, customeraddress CA
+        WHERE
+          CA.customerid = C.id AND
+          CA.addressid = A.id AND
+          A.countryregion = ANY(CAST($1 AS VARCHAR ARRAY))
+      """
+      configuration: "postgresql_config"
+    )
+}

protection/jwt-claims-dbquery/stepzen.config.json

@@ -0,0 +1,3 @@
+{
+  "endpoint": "api/miscellaneous"
+}