debian-mirror-gitlab/app/controllers/graphql_controller.rb

211 lines
6.2 KiB
Ruby
Raw Normal View History

2018-12-05 23:21:45 +05:30
# frozen_string_literal: true
2018-11-08 19:23:39 +05:30
class GraphqlController < ApplicationController
2021-11-18 22:05:49 +05:30
extend ::Gitlab::Utils::Override
2018-11-08 19:23:39 +05:30
# Unauthenticated users have access to the API for public data
skip_before_action :authenticate_user!
2020-05-24 23:13:21 +05:30
2021-04-29 21:17:54 +05:30
# Header can be passed by tests to disable SQL query limits.
DISABLE_SQL_QUERY_LIMIT_HEADER = 'HTTP_X_GITLAB_DISABLE_SQL_QUERY_LIMIT'
2021-04-17 20:07:23 +05:30
2021-12-07 22:27:20 +05:30
# Max size of the query text in characters
MAX_QUERY_SIZE = 10_000
2020-05-24 23:13:21 +05:30
# If a user is using their session to access GraphQL, we need to have session
# storage, since the admin-mode check is session wide.
# We can't enable this for anonymous users because that would cause users using
# enforced SSO from using an auth token to access the API.
skip_around_action :set_session_storage, unless: :current_user
2019-07-07 11:18:12 +05:30
# Allow missing CSRF tokens, this would mean that if a CSRF is invalid or missing,
# the user won't be authenticated but can proceed as an anonymous user.
#
# If a CSRF is valid, the user is authenticated. This makes it easier to play
# around in GraphiQL.
protect_from_forgery with: :null_session, only: :execute
2018-11-08 19:23:39 +05:30
2021-07-02 01:05:55 +05:30
# must come first: current_user is set up here
2019-07-07 11:18:12 +05:30
before_action(only: [:execute]) { authenticate_sessionless_user!(:api) }
2021-07-02 01:05:55 +05:30
before_action :authorize_access_api!
2020-05-24 23:13:21 +05:30
before_action :set_user_last_activity
2021-03-11 19:13:27 +05:30
before_action :track_vs_code_usage
2021-04-29 21:17:54 +05:30
before_action :disable_query_limiting
2021-12-07 22:27:20 +05:30
before_action :limit_query_size
2018-11-08 19:23:39 +05:30
2021-07-02 01:05:55 +05:30
before_action :disallow_mutations_for_get
2020-04-08 14:13:33 +05:30
# Since we deactivate authentication from the main ApplicationController and
# defer it to :authorize_access_api!, we need to override the bypass session
# callback execution order here
around_action :sessionless_bypass_admin_mode!, if: :sessionless_user?
2021-11-18 22:05:49 +05:30
# The default feature category is overridden to read from request
2021-01-03 14:25:43 +05:30
feature_category :not_owned
2018-11-08 19:23:39 +05:30
def execute
2019-09-04 21:01:54 +05:30
result = multiplex? ? execute_multiplex : execute_query
2018-11-08 19:23:39 +05:30
render json: result
end
rescue_from StandardError do |exception|
2022-01-26 12:08:38 +05:30
@exception_object = exception
2018-11-08 19:23:39 +05:30
log_exception(exception)
2021-02-22 17:27:13 +05:30
if Rails.env.test? || Rails.env.development?
render_error("Internal server error: #{exception.message}")
else
render_error("Internal server error")
end
2018-11-08 19:23:39 +05:30
end
rescue_from Gitlab::Graphql::Variables::Invalid do |exception|
render_error(exception.message, status: :unprocessable_entity)
end
2019-10-12 21:52:04 +05:30
rescue_from Gitlab::Graphql::Errors::ArgumentError do |exception|
render_error(exception.message, status: :unprocessable_entity)
end
2021-01-03 14:25:43 +05:30
rescue_from ::GraphQL::CoercionError do |exception|
render_error(exception.message, status: :unprocessable_entity)
end
2021-11-18 22:05:49 +05:30
override :feature_category
def feature_category
::Gitlab::FeatureCategories.default.from_request(request) || super
end
2018-11-08 19:23:39 +05:30
private
2021-07-02 01:05:55 +05:30
def disallow_mutations_for_get
return unless request.get? || request.head?
return unless any_mutating_query?
raise ::Gitlab::Graphql::Errors::ArgumentError, "Mutations are forbidden in #{request.request_method} requests"
end
2021-12-07 22:27:20 +05:30
def limit_query_size
total_size = if multiplex?
params[:_json].sum { _1[:query].size }
else
query.size
end
raise ::Gitlab::Graphql::Errors::ArgumentError, "Query too large" if total_size > MAX_QUERY_SIZE
end
2021-07-02 01:05:55 +05:30
def any_mutating_query?
if multiplex?
multiplex_queries.any? { |q| mutation?(q[:query], q[:operation_name]) }
else
mutation?(query)
end
end
def mutation?(query_string, operation_name = params[:operationName])
::GraphQL::Query.new(GitlabSchema, query_string, operation_name: operation_name).mutation?
end
2021-04-29 21:17:54 +05:30
# Tests may mark some GraphQL queries as exempt from SQL query limits
def disable_query_limiting
return unless Gitlab::QueryLimiting.enabled_for_env?
disable_issue = request.headers[DISABLE_SQL_QUERY_LIMIT_HEADER]
return unless disable_issue
2021-04-17 20:07:23 +05:30
2021-04-29 21:17:54 +05:30
Gitlab::QueryLimiting.disable!(disable_issue)
2021-04-17 20:07:23 +05:30
end
2020-05-24 23:13:21 +05:30
def set_user_last_activity
return unless current_user
Users::ActivityService.new(current_user).execute
end
2021-03-11 19:13:27 +05:30
def track_vs_code_usage
2021-04-17 20:07:23 +05:30
Gitlab::UsageDataCounters::VSCodeExtensionActivityUniqueCounter
.track_api_request_when_trackable(user_agent: request.user_agent, user: current_user)
2021-03-11 19:13:27 +05:30
end
2019-09-04 21:01:54 +05:30
def execute_multiplex
GitlabSchema.multiplex(multiplex_queries, context: context)
end
def execute_query
variables = build_variables(params[:variables])
operation_name = params[:operationName]
GitlabSchema.execute(query, variables: variables, context: context, operation_name: operation_name)
end
def query
2021-12-07 22:27:20 +05:30
params.fetch(:query, '')
2019-09-04 21:01:54 +05:30
end
def multiplex_queries
params[:_json].map do |single_query_info|
{
query: single_query_info[:query],
variables: build_variables(single_query_info[:variables]),
operation_name: single_query_info[:operationName],
context: context
}
end
end
2021-06-08 01:23:25 +05:30
# When modifying the context, also update GraphqlChannel#context if needed
# so that we have similar context when executing queries, mutations, and subscriptions
2019-09-04 21:01:54 +05:30
def context
2021-04-28 17:22:55 +05:30
api_user = !!sessionless_user?
@context ||= {
current_user: current_user,
is_sessionless_user: api_user,
request: request,
scope_validator: ::Gitlab::Auth::ScopeValidator.new(api_user, request_authenticator)
}
2019-09-04 21:01:54 +05:30
end
def build_variables(variable_info)
Gitlab::Graphql::Variables.new(variable_info).to_h
end
def multiplex?
params[:_json].present?
end
2019-07-07 11:18:12 +05:30
def authorize_access_api!
2021-07-02 01:05:55 +05:30
return if can?(current_user, :access_api)
render_error('API not accessible for user', status: :forbidden)
2019-07-07 11:18:12 +05:30
end
2018-11-08 19:23:39 +05:30
# Overridden from the ApplicationController to make the response look like
# a GraphQL response. That is nicely picked up in Graphiql.
def render_404
render_error("Not found!", status: :not_found)
end
def render_error(message, status: 500)
error = { errors: [message: message] }
render json: error, status: status
end
2020-11-24 15:15:51 +05:30
def append_info_to_payload(payload)
super
# Merging to :metadata will ensure these are logged as top level keys
payload[:metadata] ||= {}
2022-01-26 12:08:38 +05:30
payload[:metadata][:graphql] = logs
payload[:exception_object] = @exception_object if @exception_object
2021-01-03 14:25:43 +05:30
end
def logs
2021-04-29 21:17:54 +05:30
RequestStore.store[:graphql_logs].to_a
2020-11-24 15:15:51 +05:30
end
2018-11-08 19:23:39 +05:30
end