
Commit d6a443e

authored
feat(router): add introspection authentication bypass feature (#2192)
1 parent db4c780 commit d6a443e

24 files changed

+1544
-168
lines changed

router-tests/authentication_test.go

Lines changed: 995 additions & 83 deletions

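--- a/router-tests/batch_test.go
+++ b/router-tests/batch_test.go
@@ -333,11 +333,18 @@ func TestBatch(t *testing.T) {
 t.Parallel()
 
 authenticators, authServer := ConfigureAuth(t)
+accessController, err := core.NewAccessController(core.AccessControllerOptions{
+Authenticators: authenticators,
+AuthenticationRequired: false,
+SkipIntrospectionQueries: false,
+IntrospectionSkipSecret: "",
+})
+require.NoError(t, err)
 
 testenv.Run(t,
 &testenv.Config{
 RouterOptions: []core.Option{
-core.WithAccessController(core.NewAccessController(authenticators, false)),
+core.WithAccessController(accessController),
 },
 BatchingConfig: config.BatchingConfig{
 Enabled: true,
@@ -692,14 +699,22 @@ func TestBatch(t *testing.T) {
 t.Parallel()
 
 authenticators, authServer := ConfigureAuth(t)
+accessController, err := core.NewAccessController(core.AccessControllerOptions{
+Authenticators: authenticators,
+AuthenticationRequired: false,
+SkipIntrospectionQueries: false,
+IntrospectionSkipSecret: "",
+})
+require.NoError(t, err)
+
 testenv.Run(t, &testenv.Config{
 BatchingConfig: config.BatchingConfig{
 Enabled: true,
 MaxConcurrency: 10,
 MaxEntriesPerBatch: 100,
 },
 RouterOptions: []core.Option{
-core.WithAccessController(core.NewAccessController(authenticators, false)),
+core.WithAccessController(accessController),
 core.WithRouterTrafficConfig(&config.RouterTrafficConfiguration{
 MaxRequestBodyBytes: 5 << 20, // 5MiB
 DecompressionEnabled: true,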
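Review bot: The `core.NewAccessController(core.AccessControllerOptions{...})` plus `require.NoError(t, err)` block at new lines 336–342 is pasted verbatim into every other test file in this commit (block_operations_test.go, header_set_test.go, router_on_request_test.go, set_authentication_scopes_test.go, set_scopes_test.go, prometheus_test.go, ratelimit_test.go), differing only in the `AuthenticationRequired` value. A small test helper in the shared test package, e.g. `newAccessController(t, authenticators, required)` that calls `require.NoError` internally, would remove the duplication and make the next option change a one-line edit. `SkipIntrospectionQueries: false` and `IntrospectionSkipSecret: ""` are the zero values, so spelling them out in tests that do not exercise the bypass is noise; if the intent is to record that the bypass is deliberately off here, a one-line comment such as `// introspection bypass disabled; these tests cover the default authentication path` says that more clearly. None of the rendered sections exercises the new bypass path itself; that coverage presumably lives in authentication_test.go, which is not rendered on this page.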

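--- a/router-tests/block_operations_test.go
+++ b/router-tests/block_operations_test.go
@@ -150,9 +150,17 @@ func TestBlockOperations(t *testing.T) {
 t.Parallel()
 
 authenticators, authServer := ConfigureAuth(t)
+accessController, err := core.NewAccessController(core.AccessControllerOptions{
+Authenticators: authenticators,
+AuthenticationRequired: false,
+SkipIntrospectionQueries: false,
+IntrospectionSkipSecret: "",
+})
+require.NoError(t, err)
+
 testenv.Run(t, &testenv.Config{
 RouterOptions: []core.Option{
-core.WithAccessController(core.NewAccessController(authenticators, false)),
+core.WithAccessController(accessController),
 },
 ModifySecurityConfiguration: func(securityConfiguration *config.SecurityConfiguration) {
 securityConfiguration.BlockMutations = config.BlockOperationConfiguration{
@@ -303,10 +311,17 @@ func TestBlockOperations(t *testing.T) {
 t.Parallel()
 
 authenticators, authServer := ConfigureAuth(t)
+accessController, err := core.NewAccessController(core.AccessControllerOptions{
+Authenticators: authenticators,
+AuthenticationRequired: false,
+SkipIntrospectionQueries: false,
+IntrospectionSkipSecret: "",
+})
+require.NoError(t, err)
 
 testenv.Run(t, &testenv.Config{
 RouterOptions: []core.Option{
-core.WithAccessController(core.NewAccessController(authenticators, false)),
+core.WithAccessController(accessController),
 core.WithAuthorizationConfig(&config.AuthorizationConfiguration{
 RejectOperationIfUnauthorized: false,
 }),
@@ -395,14 +410,21 @@ func TestBlockOperations(t *testing.T) {
 t.Parallel()
 
 authenticators, authServer := ConfigureAuth(t)
+accessController, err := core.NewAccessController(core.AccessControllerOptions{
+Authenticators: authenticators,
+AuthenticationRequired: false,
+SkipIntrospectionQueries: false,
+IntrospectionSkipSecret: "",
+})
+require.NoError(t, err)
 
 testenv.Run(t, &testenv.Config{
 ModifyWebsocketConfiguration: func(cfg *config.WebSocketConfiguration) {
 cfg.Authentication.FromInitialPayload.Enabled = true
 cfg.Enabled = true
 },
 RouterOptions: []core.Option{
-core.WithAccessController(core.NewAccessController(authenticators, false)),
+core.WithAccessController(accessController),
 core.WithAuthorizationConfig(&config.AuthorizationConfiguration{
 RejectOperationIfUnauthorized: false,
 }),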

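--- a/router-tests/header_set_test.go
+++ b/router-tests/header_set_test.go
@@ -275,13 +275,21 @@ func TestHeaderSetWithExpression(t *testing.T) {
 authenticator, err := authentication.NewHttpHeaderAuthenticator(authOptions)
 require.NoError(t, err)
 
+accessController, err := core.NewAccessController(core.AccessControllerOptions{
+Authenticators: []authentication.Authenticator{authenticator},
+AuthenticationRequired: true,
+SkipIntrospectionQueries: false,
+IntrospectionSkipSecret: "",
+})
+require.NoError(t, err)
+
 token, err := authServer.TokenForKID(rsa1.KID(), map[string]any{"user_id": "TestId"}, false)
 require.NoError(t, err)
 
 testenv.Run(t, &testenv.Config{
 RouterOptions: append(
 global(customHeader, `request.auth.claims.user_id`),
-core.WithAccessController(core.NewAccessController([]authentication.Authenticator{authenticator}, true)),
+core.WithAccessController(accessController),
 ),
 }, func(t *testing.T, xEnv *testenv.Environment) {
 res := xEnv.MakeGraphQLRequestOK(testenv.GraphQLRequest{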

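--- a/router-tests/modules/router_on_request_test.go
+++ b/router-tests/modules/router_on_request_test.go
@@ -2,11 +2,12 @@ package module_test
 
 import (
 "encoding/json"
-"github.com/wundergraph/cosmo/router-tests/modules/router-on-request"
-"go.uber.org/zap/zapcore"
 "net/http"
 "testing"
 
+router_on_request "github.com/wundergraph/cosmo/router-tests/modules/router-on-request"
+"go.uber.org/zap/zapcore"
+
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 "github.com/wundergraph/cosmo/router-tests/testenv"
@@ -69,9 +70,17 @@ func TestRouterOnRequestHook(t *testing.T) {
 },
 }
 
+accessController, err := core.NewAccessController(core.AccessControllerOptions{
+Authenticators: authenticators,
+AuthenticationRequired: true,
+SkipIntrospectionQueries: false,
+IntrospectionSkipSecret: "",
+})
+require.NoError(t, err)
+
 testenv.Run(t, &testenv.Config{
 RouterOptions: []core.Option{
-core.WithAccessController(core.NewAccessController(authenticators, true)),
+core.WithAccessController(accessController),
 core.WithModulesConfig(cfg.Modules),
 core.WithCustomModules(&router_on_request.RouterOnRequestModule{}),
 },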

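--- a/router-tests/modules/set_authentication_scopes_test.go
+++ b/router-tests/modules/set_authentication_scopes_test.go
@@ -32,9 +32,17 @@ func TestCustomModuleSetAuthenticationScopes(t *testing.T) {
 },
 }
 authenticators, authServer := configureAuth(t)
+accessController, err := core.NewAccessController(core.AccessControllerOptions{
+Authenticators: authenticators,
+AuthenticationRequired: false,
+SkipIntrospectionQueries: false,
+IntrospectionSkipSecret: "",
+})
+require.NoError(t, err)
+
 testenv.Run(t, &testenv.Config{
 RouterOptions: []core.Option{
-core.WithAccessController(core.NewAccessController(authenticators, false)),
+core.WithAccessController(accessController),
 core.WithModulesConfig(cfg.Modules),
 core.WithCustomModules(&setScopesModule.SetAuthenticationScopesModule{}, &verifyScopes.VerifyScopesModule{}),
 },
@@ -73,9 +81,17 @@ func TestCustomModuleSetAuthenticationScopes(t *testing.T) {
 },
 }
 authenticators, authServer := configureAuth(t)
+accessController, err := core.NewAccessController(core.AccessControllerOptions{
+Authenticators: authenticators,
+AuthenticationRequired: false,
+SkipIntrospectionQueries: false,
+IntrospectionSkipSecret: "",
+})
+require.NoError(t, err)
+
 testenv.Run(t, &testenv.Config{
 RouterOptions: []core.Option{
-core.WithAccessController(core.NewAccessController(authenticators, false)),
+core.WithAccessController(accessController),
 core.WithModulesConfig(cfg.Modules),
 core.WithCustomModules(&setScopesModule.SetAuthenticationScopesModule{}, &verifyScopes.VerifyScopesModule{}),
 },
@@ -116,9 +132,17 @@ func TestCustomModuleSetAuthenticationScopes(t *testing.T) {
 },
 }
 authenticators, authServer := configureAuth(t)
+accessController, err := core.NewAccessController(core.AccessControllerOptions{
+Authenticators: authenticators,
+AuthenticationRequired: false,
+SkipIntrospectionQueries: false,
+IntrospectionSkipSecret: "",
+})
+require.NoError(t, err)
+
 testenv.Run(t, &testenv.Config{
 RouterOptions: []core.Option{
-core.WithAccessController(core.NewAccessController(authenticators, false)),
+core.WithAccessController(accessController),
 core.WithModulesConfig(cfg.Modules),
 core.WithCustomModules(&setScopesModule.SetAuthenticationScopesModule{}, &verifyScopes.VerifyScopesModule{}),
 },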

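--- a/router-tests/modules/set_scopes_test.go
+++ b/router-tests/modules/set_scopes_test.go
@@ -61,9 +61,17 @@ func TestCustomModuleSetScopes(t *testing.T) {
 },
 }
 authenticators, authServer := configureAuth(t)
+accessController, err := core.NewAccessController(core.AccessControllerOptions{
+Authenticators: authenticators,
+AuthenticationRequired: false,
+SkipIntrospectionQueries: false,
+IntrospectionSkipSecret: "",
+})
+require.NoError(t, err)
+
 testenv.Run(t, &testenv.Config{
 RouterOptions: []core.Option{
-core.WithAccessController(core.NewAccessController(authenticators, false)),
+core.WithAccessController(accessController),
 core.WithModulesConfig(cfg.Modules),
 core.WithCustomModules(&module.MyModule{}, &setScopesModule.SetScopesModule{}),
 },
@@ -101,9 +109,17 @@ func TestCustomModuleSetScopes(t *testing.T) {
 },
 }
 authenticators, authServer := configureAuth(t)
+accessController, err := core.NewAccessController(core.AccessControllerOptions{
+Authenticators: authenticators,
+AuthenticationRequired: false,
+SkipIntrospectionQueries: false,
+IntrospectionSkipSecret: "",
+})
+require.NoError(t, err)
+
 testenv.Run(t, &testenv.Config{
 RouterOptions: []core.Option{
-core.WithAccessController(core.NewAccessController(authenticators, false)),
+core.WithAccessController(accessController),
 core.WithModulesConfig(cfg.Modules),
 core.WithCustomModules(&module.MyModule{}, &setScopesModule.SetScopesModule{}),
 },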

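--- a/router-tests/prometheus_test.go
+++ b/router-tests/prometheus_test.go
@@ -4119,6 +4119,14 @@ func TestPrometheus(t *testing.T) {
 const claimVal = "customClaimValue"
 
 authenticators, authServer := ConfigureAuth(t)
+accessController, err := core.NewAccessController(core.AccessControllerOptions{
+Authenticators: authenticators,
+AuthenticationRequired: true,
+SkipIntrospectionQueries: false,
+IntrospectionSkipSecret: "",
+})
+require.NoError(t, err)
+
 exporter := tracetest.NewInMemoryExporter(t)
 metricReader := metric.NewManualReader()
 promRegistry := prometheus.NewRegistry()
@@ -4128,7 +4136,7 @@ func TestPrometheus(t *testing.T) {
 MetricReader: metricReader,
 PrometheusRegistry: promRegistry,
 RouterOptions: []core.Option{
-core.WithAccessController(core.NewAccessController(authenticators, true)),
+core.WithAccessController(accessController),
 },
 CustomMetricAttributes: []config.CustomAttribute{
 {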

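--- a/router-tests/ratelimit_test.go
+++ b/router-tests/ratelimit_test.go
@@ -270,9 +270,17 @@ func TestRateLimit(t *testing.T) {
 require.NoError(t, err)
 authenticators := []authentication.Authenticator{authenticator}
 
+accessController, err := core.NewAccessController(core.AccessControllerOptions{
+Authenticators: authenticators,
+AuthenticationRequired: false,
+SkipIntrospectionQueries: false,
+IntrospectionSkipSecret: "",
+})
+require.NoError(t, err)
+
 testenv.Run(t, &testenv.Config{
 RouterOptions: []core.Option{
-core.WithAccessController(core.NewAccessController(authenticators, false)),
+core.WithAccessController(accessController),
 core.WithRateLimitConfig(&config.RateLimitConfiguration{
 Enabled: true,
 Strategy: "simple",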

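--- a/router-tests/security_test.go
+++ b/router-tests/security_test.go
@@ -2,13 +2,13 @@ package integration
 
 import (
 "fmt"
-"github.com/wundergraph/cosmo/router/core"
 "net/http"
 "testing"
 
 "github.com/stretchr/testify/require"
 
 "github.com/wundergraph/cosmo/router-tests/testenv"
+"github.com/wundergraph/cosmo/router/core"
 "github.com/wundergraph/cosmo/router/pkg/config"
 )
 
@@ -341,7 +341,9 @@ func TestQueryNamingLimits(t *testing.T) {
 securityConfiguration.OperationNameLengthLimit = maxLength
 },
 RouterOptions: []core.Option{
-core.WithIntrospection(false),
+core.WithIntrospection(false, config.IntrospectionConfiguration{
+Enabled: false,
+}),
 },
 }, func(t *testing.T, xEnv *testenv.Environment) {
 expectedErrorMessage := fmt.Sprintf(`{"errors":[{"message":"operation name of length %d exceeds max length of %d"}]}`, len(query1Name), maxLength)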
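Review bot: At new lines 344–346 `core.WithIntrospection` receives both a bare `false` and a `config.IntrospectionConfiguration{Enabled: false}`, so the same fact is stated twice and the two arguments can disagree at other call sites without the compiler noticing. If the first argument still decides whether introspection is served at all, the option's doc comment should state which argument wins when they conflict (or the struct should drop its `Enabled` field); from this test alone it is not visible which one the router honours. The enclosing `TestQueryNamingLimits` body starts and ends outside the hunk.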
