GraphOS Enterprise: authorization directives

.changesets/feat_geal_authorization_directives.md

@@ -0,0 +1,22 @@
+### GraphOS Enterprise: authorization directives ([PR #3397](https://github.com/apollographql/router/pull/3397))
+
+We introduce two new directives, `@authenticated` and `requiresScopes`, that define authorization policies for field and types in the supergraph schema.
+
+They are defined as follows:
+
+```graphql
+directive @authenticated on OBJECT | FIELD_DEFINITION | INTERFACE | SCALAR | ENUM
+
+scalar federation__Scope
+directive @requiresScopes(scopes: [[federation__Scope!]!]!) on OBJECT | FIELD_DEFINITION | INTERFACE | SCALAR | ENUM
+```
+
+They are implemented by hooking the request lifecycle at multiple steps:
+- in query analysis, we extract from the query the list of scopes that would be relevant to authorize the query
+- in a supergraph plugin, we calculate the authorization status and put it in the context: `is_authenticated` for `@authenticated`, and the intersection of the query's required scopes and the scopes provided in the token, for `@requiresScopes`
+- in the query planning phase, we filter the query to remove the fields that are not authorized, then the filtered query goes through query planning
+- at the subgraph level, if query deduplication is active, the authorization status is used to group queries together
+- at the execution service level, the response is formatted according to the filtered query first, which will remove any unauthorized information, then to the shape of the original query, which will propagate nulls as needed
+- at the execution service level, errors are added to the response indicating which fields were removed because they were not authorized
+
+By [@Geal](https://github.com/Geal) in https://github.com/apollographql/router/pull/3397

Cargo.lock

@@ -5183,9 +5183,9 @@ dependencies = [
 
 [[package]]
 name = "router-bridge"
-version = "0.4.0+v2.4.10"
+version = "0.5.1+v2.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ca7a000e3c4e1f6539581443354403f50d9a85b22c9a9a5572be0cf581c25df"
+checksum = "6b16165d85954933e84512b7c34805d2b876c8ea4e9f206fe0812ad201eefb05"
 dependencies = [
  "anyhow",
  "async-channel",

apollo-router/Cargo.toml

@@ -172,7 +172,7 @@ reqwest = { version = "0.11.19", default-features = false, features = [
     "stream",
 ] }
 # note: this dependency should _always_ be pinned, prefix the version with an `=`
-router-bridge = "=0.4.0+v2.4.10"
+router-bridge = "=0.5.1+v2.5.1"
 rust-embed="6.8.1"
 rustls = "0.21.6"
 rustls-pemfile = "1.0.3"

apollo-router/feature_discussions.json

@@ -5,5 +5,7 @@
     "experimental_logging": "https://github.com/apollographql/router/discussions/1961",
     "experimental_http_max_request_bytes": "https://github.com/apollographql/router/discussions/3220"
   },
-  "preview": {}
+  "preview": {
+    "preview_directives": "https://github.com/apollographql/router/discussions/???"
+  }
 }

apollo-router/src/configuration/metrics.rs

@@ -144,7 +144,9 @@ impl Metrics {
             value.apollo.router.config.authorization,
             "$.authorization",
             opt.require_authentication,
-            "$[?(@.require_authentication == true)]"
+            "$[?(@.require_authentication == true)]",
+            opt.directives,
+            "$.preview_directives[?(@.enabled == true)]"
         );
         log_usage_metrics!(
             value.apollo.router.config.coprocessor,

apollo-router/src/configuration/snapshots/apollo_router__configuration__metrics__test__metrics@authorization.router.yaml.snap

@@ -4,5 +4,6 @@ expression: "&metrics.metrics"
 ---
 value.apollo.router.config.authorization:
   - 1
-  - opt__require_authentication__: "true"
+  - opt__directives__: "false"
+    opt__require_authentication__: "true"
 

apollo-router/src/configuration/snapshots/apollo_router__configuration__metrics__test__metrics@authorization_directives.router.yaml.snap

@@ -0,0 +1,9 @@
+---
+source: apollo-router/src/configuration/metrics.rs
+expression: "&metrics.metrics"
+---
+value.apollo.router.config.authorization:
+  - 1
+  - opt__directives__: "true"
+    opt__require_authentication__: "false"
+

apollo-router/src/configuration/snapshots/apollo_router__configuration__tests__schema_generation.snap

@@ -512,12 +512,21 @@ expression: "&schema"
     "authorization": {
       "description": "Authorization plugin",
       "type": "object",
-      "required": [
-        "require_authentication"
-      ],
       "properties": {
+        "preview_directives": {
+          "description": "`@authenticated` and `@requiresScopes` directives",
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "description": "enables the `@authenticated` and `@requiresScopes` directives",
+              "default": false,
+              "type": "boolean"
+            }
+          }
+        },
         "require_authentication": {
           "description": "Reject unauthenticated requests",
+          "default": false,
           "type": "boolean"
         }
       }

apollo-router/src/configuration/testdata/metrics/authorization.router.yaml

@@ -1,2 +1,2 @@
 authorization:
-  require_authentication: true
+  require_authentication: true

apollo-router/src/configuration/testdata/metrics/authorization_directives.router.yaml

@@ -0,0 +1,3 @@
+authorization:
+  preview_directives:
+    enabled: true

apollo-router/src/error.rs

@@ -293,6 +293,9 @@ pub(crate) enum QueryPlannerError {
 
     /// complexity limit exceeded
     LimitExceeded(OperationLimits<bool>),
+
+    /// Unauthorized field or type
+    Unauthorized(Vec<Path>),
 }
 
 impl IntoGraphQLErrors for QueryPlannerError {