2018-09-14 01:42:05 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2017-08-16 09:04:41 -04:00
|
|
|
class GraphqlController < ApplicationController
|
|
|
|
# Unauthenticated users have access to the API for public data
|
|
|
|
skip_before_action :authenticate_user!
|
2020-05-12 14:07:54 -04:00
|
|
|
|
2021-03-16 14:11:53 -04:00
|
|
|
# Header can be passed by tests to disable SQL query limits.
|
|
|
|
DISABLE_SQL_QUERY_LIMIT_HEADER = 'HTTP_X_GITLAB_DISABLE_SQL_QUERY_LIMIT'
|
2021-03-03 07:11:16 -05:00
|
|
|
|
2020-05-12 14:07:54 -04:00
|
|
|
# If a user is using their session to access GraphQL, we need to have session
|
|
|
|
# storage, since the admin-mode check is session wide.
|
|
|
|
# We can't enable this for anonymous users because that would cause users using
|
|
|
|
# enforced SSO from using an auth token to access the API.
|
|
|
|
skip_around_action :set_session_storage, unless: :current_user
|
2019-03-03 07:53:03 -05:00
|
|
|
|
|
|
|
# Allow missing CSRF tokens, this would mean that if a CSRF is invalid or missing,
|
|
|
|
# the user won't be authenticated but can proceed as an anonymous user.
|
|
|
|
#
|
|
|
|
# If a CSRF is valid, the user is authenticated. This makes it easier to play
|
|
|
|
# around in GraphiQL.
|
|
|
|
protect_from_forgery with: :null_session, only: :execute
|
2017-08-16 09:04:41 -04:00
|
|
|
|
2019-03-27 10:59:02 -04:00
|
|
|
before_action :authorize_access_api!
|
2019-03-03 07:53:03 -05:00
|
|
|
before_action(only: [:execute]) { authenticate_sessionless_user!(:api) }
|
2020-05-14 11:08:14 -04:00
|
|
|
before_action :set_user_last_activity
|
2021-02-14 04:09:06 -05:00
|
|
|
before_action :track_vs_code_usage
|
2021-03-16 14:11:53 -04:00
|
|
|
before_action :disable_query_limiting
|
2017-08-16 09:04:41 -04:00
|
|
|
|
2020-03-02 07:07:57 -05:00
|
|
|
# Since we deactivate authentication from the main ApplicationController and
|
|
|
|
# defer it to :authorize_access_api!, we need to override the bypass session
|
|
|
|
# callback execution order here
|
|
|
|
around_action :sessionless_bypass_admin_mode!, if: :sessionless_user?
|
|
|
|
|
2020-10-06 08:08:38 -04:00
|
|
|
feature_category :not_owned
|
|
|
|
|
2017-08-16 09:04:41 -04:00
|
|
|
def execute
|
2019-05-09 05:27:07 -04:00
|
|
|
result = multiplex? ? execute_multiplex : execute_query
|
2017-08-16 09:04:41 -04:00
|
|
|
render json: result
|
|
|
|
end
|
|
|
|
|
2018-05-21 07:42:07 -04:00
|
|
|
rescue_from StandardError do |exception|
|
|
|
|
log_exception(exception)
|
|
|
|
|
2020-11-27 04:09:31 -05:00
|
|
|
if Rails.env.test? || Rails.env.development?
|
|
|
|
render_error("Internal server error: #{exception.message}")
|
|
|
|
else
|
|
|
|
render_error("Internal server error")
|
|
|
|
end
|
2018-05-21 07:42:07 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
rescue_from Gitlab::Graphql::Variables::Invalid do |exception|
|
|
|
|
render_error(exception.message, status: :unprocessable_entity)
|
|
|
|
end
|
|
|
|
|
2019-07-29 14:36:35 -04:00
|
|
|
rescue_from Gitlab::Graphql::Errors::ArgumentError do |exception|
|
|
|
|
render_error(exception.message, status: :unprocessable_entity)
|
|
|
|
end
|
|
|
|
|
2020-10-07 23:08:39 -04:00
|
|
|
rescue_from ::GraphQL::CoercionError do |exception|
|
|
|
|
render_error(exception.message, status: :unprocessable_entity)
|
|
|
|
end
|
|
|
|
|
2017-08-16 09:04:41 -04:00
|
|
|
private
|
|
|
|
|
2021-03-16 14:11:53 -04:00
|
|
|
# Tests may mark some GraphQL queries as exempt from SQL query limits
|
|
|
|
def disable_query_limiting
|
|
|
|
return unless Gitlab::QueryLimiting.enabled_for_env?
|
2021-03-03 07:11:16 -05:00
|
|
|
|
2021-03-16 14:11:53 -04:00
|
|
|
disable_issue = request.headers[DISABLE_SQL_QUERY_LIMIT_HEADER]
|
|
|
|
return unless disable_issue
|
|
|
|
|
|
|
|
Gitlab::QueryLimiting.disable!(disable_issue)
|
2021-03-03 07:11:16 -05:00
|
|
|
end
|
|
|
|
|
2020-05-14 11:08:14 -04:00
|
|
|
def set_user_last_activity
|
|
|
|
return unless current_user
|
|
|
|
|
|
|
|
Users::ActivityService.new(current_user).execute
|
|
|
|
end
|
|
|
|
|
2021-02-14 04:09:06 -05:00
|
|
|
def track_vs_code_usage
|
2021-03-03 07:11:16 -05:00
|
|
|
Gitlab::UsageDataCounters::VSCodeExtensionActivityUniqueCounter
|
|
|
|
.track_api_request_when_trackable(user_agent: request.user_agent, user: current_user)
|
2021-02-14 04:09:06 -05:00
|
|
|
end
|
|
|
|
|
2019-05-09 05:27:07 -04:00
|
|
|
def execute_multiplex
|
|
|
|
GitlabSchema.multiplex(multiplex_queries, context: context)
|
|
|
|
end
|
|
|
|
|
|
|
|
def execute_query
|
|
|
|
variables = build_variables(params[:variables])
|
|
|
|
operation_name = params[:operationName]
|
|
|
|
|
|
|
|
GitlabSchema.execute(query, variables: variables, context: context, operation_name: operation_name)
|
|
|
|
end
|
|
|
|
|
|
|
|
def query
|
|
|
|
params[:query]
|
|
|
|
end
|
|
|
|
|
|
|
|
def multiplex_queries
|
|
|
|
params[:_json].map do |single_query_info|
|
|
|
|
{
|
|
|
|
query: single_query_info[:query],
|
|
|
|
variables: build_variables(single_query_info[:variables]),
|
2019-05-28 09:41:57 -04:00
|
|
|
operation_name: single_query_info[:operationName],
|
|
|
|
context: context
|
2019-05-09 05:27:07 -04:00
|
|
|
}
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def context
|
2020-10-06 05:08:32 -04:00
|
|
|
@context ||= { current_user: current_user, is_sessionless_user: !!sessionless_user?, request: request }
|
2019-05-09 05:27:07 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def build_variables(variable_info)
|
|
|
|
Gitlab::Graphql::Variables.new(variable_info).to_h
|
|
|
|
end
|
|
|
|
|
|
|
|
def multiplex?
|
|
|
|
params[:_json].present?
|
|
|
|
end
|
|
|
|
|
2019-03-27 10:59:02 -04:00
|
|
|
def authorize_access_api!
|
|
|
|
access_denied!("API not accessible for user.") unless can?(current_user, :access_api)
|
|
|
|
end
|
|
|
|
|
2017-08-16 09:04:41 -04:00
|
|
|
# Overridden from the ApplicationController to make the response look like
|
|
|
|
# a GraphQL response. That is nicely picked up in Graphiql.
|
|
|
|
def render_404
|
2018-05-21 07:42:07 -04:00
|
|
|
render_error("Not found!", status: :not_found)
|
|
|
|
end
|
|
|
|
|
|
|
|
def render_error(message, status: 500)
|
|
|
|
error = { errors: [message: message] }
|
2017-08-16 09:04:41 -04:00
|
|
|
|
2018-05-21 07:42:07 -04:00
|
|
|
render json: error, status: status
|
2017-08-16 09:04:41 -04:00
|
|
|
end
|
2020-09-13 23:09:21 -04:00
|
|
|
|
|
|
|
def append_info_to_payload(payload)
|
|
|
|
super
|
|
|
|
|
|
|
|
# Merging to :metadata will ensure these are logged as top level keys
|
|
|
|
payload[:metadata] ||= {}
|
2020-10-06 08:08:38 -04:00
|
|
|
payload[:metadata].merge!(graphql: logs)
|
|
|
|
end
|
|
|
|
|
|
|
|
def logs
|
2021-03-23 14:09:05 -04:00
|
|
|
RequestStore.store[:graphql_logs].to_a
|
|
|
|
.map { |log| log.except(:duration_s, :query_string) }
|
2020-09-13 23:09:21 -04:00
|
|
|
end
|
2017-08-16 09:04:41 -04:00
|
|
|
end
|