Feature/security (#21)

xclemence · web-flow · commit 6a8cafc836d6 · 2021-06-08T02:11:22.000+02:00
* Add security management
diff --git a/.env b/.env
@@ -1 +1,5 @@
 NEO4J_HOST='bolt://localhost'
+DEBUG=@neo4j/graphql:*
+GRAPH_SECURITY_ENABLED=true
+GRAPH_TOKEN_ROLES_PATH=resource_access.graph-graphql.roles
+GRAPH_TOKEN_AUTHORITY=http://localhost:9080/auth/realms/dependencies
diff --git a/README.md b/README.md
@@ -31,9 +31,13 @@ This image is base on **Linux**.
 
 You can configure container by setting environment variables.
 
-| Environment variable     |          Comment           |   default value     |
+| Environment variable     |          Comment           |   sample value     |
 |------------------------- | :--------------------------|-------------------- |
 | NEO4J_HOST               | Noe4j database uri         | bolt://localhost    |
+| GRAPH_SECURITY_ENABLED   | Enable jwt validation      | bolt://localhost    |
+| GRAPH_TOKEN_ROLES_PATH   | Roles path inside jwt        | resource_access.graph-graphql.roles    |
+| GRAPH_TOKEN_AUTHORITY    | Authority for token validation | http://localhost:9080/auth/realms/dependencies    |
+| DEBUG                    | Activate @neo4j/graphql traces | @neo4j/graphql:*    |
 
 Port exposed by Container:
 
diff --git a/doc/releases/v2.0.0.md b/doc/releases/v2.0.0.md
@@ -0,0 +1,8 @@
+### Changes
+- Add security management (token validation)
+- Docker image: ARM architecture support (linux/arm64, linux/arm/v7)
+- Migrating from "neo4j-graphql-js" (deprecated) to "@neo4j/graphql"
+
+Docker image available on:
+- [github](https://github.com/xclemence/dependencies-graph-graphql/packages)
+- [dockerhub](https://hub.docker.com/r/xclemence/dependencies-graph-graphql)
diff --git a/package.json b/package.json
@@ -1,13 +1,13 @@
 {
   "name": "dependencies-graph-graphql",
-  "version": "1.1.0",
+  "version": "2.0.0",
   "description": "",
-  "main": "index.js",
+  "main": "server.js",
   "scripts": {
     "start": "node dotenv/config 'dist/server.js'",
-    "build": "tsc -p . && ncp src/definitions dist/definitions",
+    "build": "tsc -p . && ncp src/definitions dist/definitions && ncp src/definitions-rights dist/definitions-rights",
     "dev": "nodemon --exec \"yarn ts-node\" src/server.ts -e ts,graphql ",
-    "ts-node": "ts-node"
+    "ts-node": "ts-node "
   },
   "repository": {
     "type": "git",
@@ -24,6 +24,7 @@
     "@types/compression": "^1.7.0",
     "@types/dotenv": "^8.2.0",
     "@types/express": "^4.17.12",
+    "@types/express-jwt": "^6.0.1",
     "@types/graphql-depth-limit": "^1.1.2",
     "@types/lodash": "^4.14.170",
     "@types/node": "^15.12.1",
@@ -40,6 +41,7 @@
     "@neo4j/graphql-ogm": "^1.0.2",
     "apollo-server": "^2.25.0",
     "apollo-server-express": "^2.25.0",
+    "axios": "^0.21.1",
     "compression": "^1.7.4",
     "cors": "^2.8.5",
     "dotenv": "^10.0.0",
diff --git a/src/apollo-server.ts b/src/apollo-server.ts
@@ -0,0 +1,60 @@
+import './env';
+
+import depthLimit from 'graphql-depth-limit';
+import { driver } from 'neo4j-driver';
+import { OGM } from '@neo4j/graphql-ogm';
+
+import { getTypesFiles, getResolvers } from './schema';
+import { Context } from './types/context';
+import { Neo4jGraphQL } from '@neo4j/graphql';
+import { Neo4jGraphQLConfig } from '@neo4j/graphql/dist/classes';
+import { ApolloServer } from 'apollo-server-express';
+
+export function createApolloServerWithToken(
+  neo4jHost: string,
+  tokenValidation: { publicKey: string, rolesPath: string | undefined }
+): ApolloServer {
+
+  return createApolloServerBase(
+    neo4jHost,
+    true,
+    {
+      jwt: {
+        secret: tokenValidation.publicKey,
+        rolesPath: tokenValidation.rolesPath
+      }
+    }
+  );
+}
+
+export function createApolloServerNoToken(neo4jHost: string): ApolloServer {
+  return createApolloServerBase(neo4jHost, false);
+}
+
+
+function createApolloServerBase(
+  neo4jHost: string,
+  enabledSecurity: boolean,
+  config?: Neo4jGraphQLConfig
+): ApolloServer {
+
+  const driverInstance = driver(neo4jHost);
+  const typesFiles = getTypesFiles(enabledSecurity);
+
+  const ogm = new OGM({
+    typeDefs: typesFiles,
+    driver: driverInstance,
+  });
+
+  const neo4jGraphQL = new Neo4jGraphQL({
+    typeDefs: typesFiles,
+    resolvers: getResolvers(),
+    config
+  });
+
+  return new ApolloServer({
+    schema: neo4jGraphQL.schema,
+    validationRules: [depthLimit(10)],
+    context: ({ req }) => ({ req, ogm, driver: driverInstance } as Context)
+  });
+}
diff --git a/src/app-process-env.ts b/src/app-process-env.ts
@@ -3,6 +3,9 @@ declare global {
       interface ProcessEnv {
         NEO4J_HOST: string;
         NODE_ENV: 'development' | 'production';
+        GRAPH_TOKEN_ROLES_PATH: string;
+        GRAPH_SECURITY_ENABLED: string;
+        GRAPH_TOKEN_AUTHORITY: string;
       }
     }
   }
diff --git a/src/definitions-rights/Assembly.graphql b/src/definitions-rights/Assembly.graphql
@@ -0,0 +1,3 @@
+type Mutation {
+  removeAssembly(assemblyName: String!): Assembly @auth(rules: [{ operations: [DELETE], roles: ["write"] }])
+}
diff --git a/src/keycloak.ts b/src/keycloak.ts
@@ -0,0 +1,7 @@
+import axios from 'axios';
+
+export async function getPublicKey(server: string): Promise<string> {
+    const response = await axios.get(server);
+    return `-----BEGIN PUBLIC KEY-----\r\n${response.data.public_key}\r\n-----END PUBLIC KEY-----`;
+}
+
diff --git a/src/resolvers/main-resolver.ts b/src/resolvers/main-resolver.ts
@@ -2,10 +2,10 @@ const mainResolver = {
   Query: {
     isAlive() {
       return true;
-    },
+    }
   },
   Mutation: {
-    hello: (parent: any, parameters: { name: string }): string => {
+    hello: (_: any, parameters: { name: string }): string => {
       return `Hello ${parameters.name}!`;
     }
   }
diff --git a/src/schema.ts b/src/schema.ts
@@ -1,23 +1,28 @@
 import { loadFilesSync } from '@graphql-tools/load-files';
 import { mergeResolvers } from '@graphql-tools/merge';
 import path from 'path';
-import { Neo4jGraphQL } from '@neo4j/graphql';
 
-export const typesFiles = loadFilesSync(path.join(__dirname, 'definitions/*.graphql'))
+export function getTypesFiles(enabledSecurity: boolean): any[] {
+  let typesFilesPatterns = [
+    path.join(__dirname, 'definitions/*.graphql'),
+  ];
 
-const resolverPatterns = [
-    path.join(__dirname, 'resolvers/*.ts'),
-    path.join(__dirname, 'resolvers/*.js')
-];
-
- const resolversFiles = loadFilesSync(resolverPatterns);
-const resolvers = mergeResolvers(resolversFiles);
+  if (enabledSecurity) {
+    typesFilesPatterns = [
+      ...typesFilesPatterns,
+      path.join(__dirname, 'definitions-rights/*.graphql')
+    ];
+  }
 
-const neo4jGraphQL = new Neo4jGraphQL({
-    typeDefs: typesFiles,
-    resolvers,
-});
+  return loadFilesSync(typesFilesPatterns);
+}
 
-const schema = neo4jGraphQL.schema;
+export function getResolvers(): any {
+  const resolverPatterns = [
+    path.join(__dirname, 'resolvers/*.ts'),
+    path.join(__dirname, 'resolvers/*.js')
+  ];
 
-export default schema;
+  const resolversFiles = loadFilesSync(resolverPatterns);
+  return mergeResolvers(resolversFiles);
+}
diff --git a/src/server.ts b/src/server.ts
@@ -1,46 +1,64 @@
 import './env';
 
-import { ApolloServer } from 'apollo-server-express';
 import compression from 'compression';
 import cors from 'cors';
 import express from 'express';
-import depthLimit from 'graphql-depth-limit';
 import { createServer } from 'http';
-import { driver } from 'neo4j-driver';
-import { OGM } from '@neo4j/graphql-ogm';
 
-import schema, { typesFiles } from './schema';
-import { Context } from './types/context';
+import { getPublicKey } from './keycloak';
+import { createApolloServerNoToken, createApolloServerWithToken } from './apollo-server';
+import { ApolloServer } from 'apollo-server-express';
 
 const port = 4001;
 
-if(!process.env.NEO4J_HOST) {
+if (!process.env.NEO4J_HOST) {
   throw new Error('Unexpected error: Missing host name');
 }
 
-const driverInstance = driver(process.env.NEO4J_HOST);
+const host = process.env.NEO4J_HOST;
+const rolesPath = process.env.GRAPH_TOKEN_ROLES_PATH;
+const securityEnabled = process.env.GRAPH_SECURITY_ENABLED === 'true';
+const tokenAuthority = process.env.GRAPH_TOKEN_AUTHORITY;
+
+(async () => {
+  try {
+
+    const app = express();
+
+    let server: ApolloServer;
+
+    if (securityEnabled) {
+
+      if (!tokenAuthority) {
+        throw new Error('Unexpected error: Missing token Authority');
+      }
+
+      if (!rolesPath) {
+        throw new Error('Unexpected error: Missing token roles path');
+      }
+
+      const publicKey = await getPublicKey(tokenAuthority);
+      server = createApolloServerWithToken(host, { publicKey, rolesPath });
+    }
+    else {
+      server = createApolloServerNoToken(host);
+    }
 
-const ogm = new OGM({
-  typeDefs: typesFiles,
-  driver: driverInstance,
-});
+    app.use(cors());
+    app.use(compression());
 
-const server = new ApolloServer({
-  schema,
-  validationRules: [depthLimit(10)],
-  context: () => ({ ogm, driver: driverInstance } as Context),
-});
+    server.applyMiddleware({ app, path: '/graphql' });
 
-const app = express();
+    const httpServer = createServer(app);
 
-app.use(cors());
-app.use(compression());
+    httpServer.listen(
+      { port },
+      (): void => console.log(`\nGraphQL is now running on http://localhost:${port}/graphql`)
+    );
 
-server.applyMiddleware({ app, path: '/graphql' });
+  } catch(error: any) {
+    console.error(error);
+  }
 
-const httpServer = createServer(app);
+})();
 
-httpServer.listen(
-  { port },
-  (): void => console.log(`\nGraphQL is now running on http://localhost:${port}/graphql`)
-);
diff --git a/src/types/context.ts b/src/types/context.ts
@@ -4,4 +4,5 @@ import { OGM } from '@neo4j/graphql-ogm';
 export type Context = {
     ogm: OGM;
     driver: Driver;
+    req: any;
 };
diff --git a/yarn.lock b/yarn.lock
@@ -323,6 +323,14 @@
   dependencies:
     dotenv "*"
 
+"@types/express-jwt@^6.0.1":
+  version "6.0.1"
+  resolved "https://registry.yarnpkg.com/@types/express-jwt/-/express-jwt-6.0.1.tgz#616cbd149438345084c41544d7dd49cfeca60079"
+  integrity sha512-zB/oXzS8/NTWUzAG343frlqUrsygHPeyYMVcbJ8YYk7rF1G15eUapPgWh0HdeFi51ajFkkUOU+Q540z1Eu4hJQ==
+  dependencies:
+    "@types/express" "*"
+    "@types/express-unless" "*"
+
 "@types/express-serve-static-core@4.17.19":
   version "4.17.19"
   resolved "https://registry.yarnpkg.com/@types/express-serve-static-core/-/express-serve-static-core-4.17.19.tgz#00acfc1632e729acac4f1530e9e16f6dd1508a1d"
@@ -341,6 +349,13 @@
     "@types/qs" "*"
     "@types/range-parser" "*"
 
+"@types/express-unless@*":
+  version "0.5.1"
+  resolved "https://registry.yarnpkg.com/@types/express-unless/-/express-unless-0.5.1.tgz#4f440b905e42bbf53382b8207bc337dc5ff9fd1f"
+  integrity sha512-5fuvg7C69lemNgl0+v+CUxDYWVPSfXHhJPst4yTLcqi4zKJpORCxnDrnnilk3k0DTq/WrAUdvXFs01+vUqUZHw==
+  dependencies:
+    "@types/express" "*"
+
 "@types/express@*", "@types/express@^4.17.12":
   version "4.17.12"
   resolved "https://registry.yarnpkg.com/@types/express/-/express-4.17.12.tgz#4bc1bf3cd0cfe6d3f6f2853648b40db7d54de350"
@@ -718,6 +733,13 @@ available-typed-arrays@^1.0.2:
   resolved "https://registry.yarnpkg.com/available-typed-arrays/-/available-typed-arrays-1.0.4.tgz#9e0ae84ecff20caae6a94a1c3bc39b955649b7a9"
   integrity sha512-SA5mXJWrId1TaQjfxUYghbqQ/hYioKmLJvPJyDuYRtXXenFNMjj4hSSt1Cf1xsuXSXrtxrVC5Ot4eU6cOtBDdA==
 
+axios@^0.21.1:
+  version "0.21.1"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-0.21.1.tgz#22563481962f4d6bde9a76d516ef0e5d3c09b2b8"
+  integrity sha512-dKQiRHxGD9PPRIUNIWvZhPTPpl1rf/OxTYKsqKUDjBwYylTvV7SjSHJb9ratfyzM6wCdLCOYLzs73qpg5c4iGA==
+  dependencies:
+    follow-redirects "^1.10.0"
+
 backo2@^1.0.2:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/backo2/-/backo2-1.0.2.tgz#31ab1ac8b129363463e35b3ebb69f4dfcfba7947"
@@ -1291,6 +1313,11 @@ finalhandler@~1.1.2:
     statuses "~1.5.0"
     unpipe "~1.0.0"
 
+follow-redirects@^1.10.0:
+  version "1.14.1"
+  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.14.1.tgz#d9114ded0a1cfdd334e164e6662ad02bfd91ff43"
+  integrity sha512-HWqDgT7ZEkqRzBvc2s64vSZ/hfOceEol3ac/7tKwzuvEyWx3/4UegXh5oBOIotkGsObyk3xznnSRVADBgWSQVg==
+
 for-each@^0.3.3:
   version "0.3.3"
   resolved "https://registry.yarnpkg.com/for-each/-/for-each-0.3.3.tgz#69b447e88a0a5d32c3e7084f3f1710034b21376e"

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,9 @@ declare global {`
`3`	`3`	`interface ProcessEnv {`
`4`	`4`	`NEO4J_HOST: string;`
`5`	`5`	`NODE_ENV: 'development' \| 'production';`
	`6`	`+ GRAPH_TOKEN_ROLES_PATH: string;`
	`7`	`+ GRAPH_SECURITY_ENABLED: string;`
	`8`	`+ GRAPH_TOKEN_AUTHORITY: string;`
`6`	`9`	`}`
`7`	`10`	`}`
`8`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+type Mutation {`
	`2`	`+ removeAssembly(assemblyName: String!): Assembly @auth(rules: [{ operations: [DELETE], roles: ["write"] }])`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -2,10 +2,10 @@ const mainResolver = {`
`2`	`2`	`Query: {`
`3`	`3`	`isAlive() {`
`4`	`4`	`return true;`
`5`		`- },`
	`5`	`+ }`
`6`	`6`	`},`
`7`	`7`	`Mutation: {`
`8`		`- hello: (parent: any, parameters: { name: string }): string => {`
	`8`	`+ hello: (_: any, parameters: { name: string }): string => {`
`9`	`9`	return `Hello ${parameters.name}!`;
`10`	`10`	`}`
`11`	`11`	`}`