Getting Access forbidden message when trying to use filter on graphql queries #1434

Closed
dgcaron opened this issue Apr 12, 2023 Discussed in #1423 · 14 comments · Fixed by #1468 or #1501
Labels: auth, bug (Something isn't working), cosmos, engine (issues that require change in engine code), graphql

Comments

@dgcaron

dgcaron commented Apr 12, 2023

Discussed in #1423

Originally posted by sumchans April 7, 2023
I have been trying out the data api builder for Azure Cosmos DB and so far was successfully able to pull data from Azure Cosmos DB. The issue I am having now is that when I use a filter on the queries I get "Access forbidden to a field referenced in the filter." I believe this has something to do with configuring the permissions in dab-config.json, but I am not able to get a head start on this so far.

Here is my query -

query filteritems {
    items(filter: { userPhoneNumber: { contains: "4160000000" } }) {
        items {
            partitionKey
            userPhoneNumber
            userDisplayName
        }
    }
}

Here is the result -

{
  "errors": [
    {
      "message": "Access forbidden to a field referenced in the filter.",
      "extensions": {
        "code": "AuthorizationCheckFailed"
      }
    }
  ]
}

Also attaching my dab-config json file -

{
  "$schema": "https://github.com/Azure/data-api-builder/releases/download/v0.6.13/dab.draft.schema.json",
  "data-source": {
    "database-type": "cosmosdb_nosql",
    "options": {
      "database": "Database",
      "schema": "schema.gql"
    },
    "connection-string": "connection-string;"
  },
  "runtime": {
    "graphql": {
      "allow-introspection": true,
      "enabled": true,
      "path": "/graphql"
    },
    "host": {
      "mode": "development",
      "cors": {
        "origins": [],
        "allow-credentials": false
      },
      "authentication": {
        "provider": "StaticWebApps"
      }
    }
  },
  "entities": {
    "Item": {
      "source": "Items",
      "graphql": true,
      "permissions": [
        {
          "role": "anonymous",
          "actions": [
            "*"
          ],
          "fields": {
            "include": [
              "*"
            ]
          }
        }
      ]
    }
  }
}

I have tried changing the configuration and types of permissions, but it looks like something is broken between the current build (0.6.13) and the previous one (0.35.5).

The stack trace shows:

[dataApi] info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
[dataApi]       Request starting HTTP/1.1 POST http://localhost:4280/graphql application/json 247
[dataApi] info: Microsoft.AspNetCore.Routing.EndpointMiddleware[0]
[dataApi]       Executing endpoint 'Hot Chocolate GraphQL Pipeline'
[dataApi] fail: Azure.DataApiBuilder.Service.Startup[0]
[dataApi]       Access forbidden to a field referenced in the filter.
[dataApi] fail: Azure.DataApiBuilder.Service.Startup[0]
[dataApi]          at Azure.DataApiBuilder.Service.Models.GQLFilterParser.Parse(IMiddlewareContext ctx, IInputField filterArgumentSchema, List`1 fields, BaseQueryStructure queryStructure) in /_/src/Service/Models/GraphQLFilterParsers.cs:line 159   
[dataApi]          at Azure.DataApiBuilder.Service.Resolvers.CosmosQueryStructure.Init(IDictionary`2 queryParams) in /_/src/Service/Resolvers/CosmosQueryStructure.cs:line 160
[dataApi]          at Azure.DataApiBuilder.Service.Resolvers.CosmosQueryEngine.ExecuteAsync(IMiddlewareContext context, IDictionary`2 parameters) in /_/src/Service/Resolvers/CosmosQueryEngine.cs:line 64
[dataApi]          at Azure.DataApiBuilder.Service.Services.ResolverMiddleware.InvokeAsync(IMiddlewareContext context) in /_/src/Service/Services/ResolverMiddleware.cs:line 95
[dataApi]          at HotChocolate.Utilities.MiddlewareCompiler`1.ExpressionHelper.AwaitTaskHelper(Task task)
[dataApi]          at HotChocolate.Execution.Processing.Tasks.ResolverTask.ExecuteResolverPipelineAsync(CancellationToken cancellationToken)
[dataApi]          at HotChocolate.Execution.Processing.Tasks.ResolverTask.TryExecuteAsync(CancellationToken cancellationToken)
[dataApi] info: Microsoft.AspNetCore.Routing.EndpointMiddleware[1]
[dataApi]       Executed endpoint 'Hot Chocolate GraphQL Pipeline'
[dataApi] info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
[dataApi]       Request finished HTTP/1.1 POST http://localhost:4280/graphql application/json 247 - 500 - application/json;+charset=utf-8 864.3125ms

The code is not picking up any of the permissions (not explicit, not *, and not if left empty), always returning false from this line:

bool columnAccessPermitted = queryStructure.AuthorizationResolver.AreColumnsAllowedForOperation(

If I revert to the previous version, the exact same definition works fine.

@ksdaniel

Until a couple of days ago, reverting to an older version for development and then deploying to SWA was working fine.

It seems that this change has now been deployed to Azure SWAs and it broke the functionality there as well. (very sad)

@thomasgauvin (Contributor)

@ksdaniel we're looking into this and jumping on it to fix the SWA integration and roll back this change.

@thomasgauvin (Contributor)

thomasgauvin commented Apr 26, 2023

@ksdaniel We've rolled back the change in Static Web Apps, can you confirm if this is working for you?

@ksdaniel

@thomasgauvin - looks good now. We are somewhat unblocked; the 0.6.13 bug is no longer visible for our requests.

@sajeetharan (Member)

Closing the issue!

tarazou9 added a commit that referenced this issue May 11, 2023
## Why make this change?

- Closes #1434, related discussion #1423.
- Changes to add support for Cosmos to check field-level auth for query
filter and query nested filter.
- Changes to add support for Cosmos to check field-level auth for
mutation operations.
- Note: current mutation field auth support only checks one level down;
a follow-up PR will check nested field auth for mutations.

## What is this change?

- Enable ```GraphQLFilterParser``` for Cosmos.
- Resolve ```WILDCARD``` and parse all the columns from schema.gql.
- Parse ```Included``` and ```Excluded``` columns from the runtime config by
injecting ```AuthorizationResolver``` into the
```CosmosMutationEngine``` to make a call to check the columns.

## How was this tested?

- [x] Integration Tests
- [x] Unit Tests
@dgcaron (Author)

dgcaron commented May 15, 2023

It looks like the issue has returned in the 0.7.15 version of dab. When I run it with the swa cli, it runs with the latest version and this error is returned; when I manually start the older version, the error goes away.

@ksdaniel

I can also confirm that I have the issue with 7.15. Azure SWAs are still working, but I am genuinely worried.

@abhishekkumams (Contributor)

Thanks @dgcaron for notifying us. We are taking a look at what's causing it.

@sajeetharan (Member)

@dgcaron This release contains the actual fix for the field-level authorization for Cosmos DB. Can you provide us with the configuration file that you're trying with? Is it the same as above?

@Mathos1432 (Contributor)

We're still investigating, but as a workaround, it seems that updating the graphql property of the entities fixes the issue.

So in the above config, going from this:

"entities": {
    "Item": {
      "source": "Items",
      "graphql": true,
      "permissions": [
...

to this:

"entities": {
    "Item": {
      "source": "Items",
      "graphql": {
        "type": {
          "singular": "Item",
          "plural": "Items"
        }
      },
      "permissions": [

We apologize for the inconvenience.

@Aniruddh25 (Contributor)

Thanks @dgcaron and @ksdaniel for reporting the issue! Really appreciate it.

0.7.5 is now marked as our pre-release version for the upcoming new features.
The SWA CLI/Azure SWA database connections feature should still continue to work.
They will not be updated until we have the next stable dab version.

tarazou9 added a commit that referenced this issue May 24, 2023

## Why make this change?

- Closes #1434
- When ```graphql``` is set to true without a singular type specified in
the runtime config file, in addition to when the field auth ```include```
permission uses WILDCARD, this was giving users an access forbidden
error.

## What is this change?

- The reason is that
```GraphQLSingularTypeToEntityNameMap``` in ```RuntimeConfig.cs``` does
not add the entity type when there is no singular type passed in, and
for the WILDCARD permission check, the ```AuthorizationResolver```
retrieves all the field columns using the
```GraphQLSingularTypeToEntityNameMap``` keys.

## How was this tested?

- [x] Integration Tests

---------

Co-authored-by: Aniruddh Munde <anmunde@microsoft.com>
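The two commit messages above describe the mechanism precisely: wildcard field permissions are expanded through the singular-type-to-entity map, and an entity declared with a bare `"graphql": true` was missing from that map, so the expansion produced no columns and the filter check failed closed. The Python below is an added model of that check written for this page; it is not Data API builder's code, and every function name (`build_singular_type_map`, `resolve_allowed_columns`, `filter_fields_allowed`, `entities_at_risk`) and the `SCHEMA_FIELDS` stand-in for schema.gql are assumptions. It runs the issue's own entity config and the workaround config from @Mathos1432's comment through the same check so the difference, and the fail-closed behaviour, is visible.

```python
"""Model of the field-level authorization check behind this issue.

Added illustration, not Data API builder's own code. Function names are
hypothetical; SCHEMA_FIELDS is a constructed stand-in for schema.gql.
"""
import json

# Constructed: fields per GraphQL singular type, as if read from schema.gql.
SCHEMA_FIELDS = {
    "Item": ["id", "partitionKey", "userPhoneNumber", "userDisplayName"],
}

# The entity block from the issue's dab-config.json (data-source omitted).
CONFIG_BUGGY = {
    "entities": {
        "Item": {
            "source": "Items",
            "graphql": True,
            "permissions": [
                {"role": "anonymous", "actions": ["*"], "fields": {"include": ["*"]}}
            ],
        }
    }
}

# The workaround from the thread: explicit singular/plural type names.
CONFIG_WORKAROUND = json.loads(json.dumps(CONFIG_BUGGY))
CONFIG_WORKAROUND["entities"]["Item"]["graphql"] = {
    "type": {"singular": "Item", "plural": "Items"}
}


def build_singular_type_map(config, buggy=True):
    """Map GraphQL singular type name -> entity name.

    buggy=True reproduces the pre-0.7.6 behaviour described in the commit:
    an entity whose "graphql" value is a bare boolean gets no entry.
    buggy=False falls back to the entity name instead.
    """
    mapping = {}
    for entity_name, entity in config["entities"].items():
        gql = entity.get("graphql", True)
        if isinstance(gql, dict):
            singular = gql.get("type", {}).get("singular", entity_name)
            mapping[singular] = entity_name
        elif gql is True and not buggy:
            mapping[entity_name] = entity_name
    return mapping


def resolve_allowed_columns(config, entity_name, role, buggy=True):
    """Expand a role's include/exclude lists into the concrete column set."""
    entity = config["entities"][entity_name]
    perm = next((p for p in entity["permissions"] if p["role"] == role), None)
    if perm is None:
        return set()  # no permission entry for this role: nothing allowed
    fields = perm.get("fields", {})
    include = fields.get("include", ["*"])
    exclude = set(fields.get("exclude", []))
    if "*" in include:
        # Wildcard: columns come from the schema via the singular-type map.
        type_map = build_singular_type_map(config, buggy)
        singular = next((t for t, e in type_map.items() if e == entity_name), None)
        if singular is None:
            return set()  # entity absent from the map: fail closed
        include = SCHEMA_FIELDS[singular]
    return set(include) - exclude


def filter_fields_allowed(config, entity_name, role, filter_fields, buggy=True):
    """True only if every field referenced by the GraphQL filter is permitted."""
    allowed = resolve_allowed_columns(config, entity_name, role, buggy)
    return all(f in allowed for f in filter_fields)


def entities_at_risk(config):
    """Entities with the config shape that triggered the pre-0.7.6 failure:
    bare "graphql": true combined with a wildcard field include on a role."""
    at_risk = []
    for name, entity in config["entities"].items():
        if entity.get("graphql") is not True:
            continue
        for perm in entity.get("permissions", []):
            if "*" in perm.get("fields", {}).get("include", []):
                at_risk.append(name)
                break
    return at_risk


if __name__ == "__main__":
    wanted = ["userPhoneNumber"]  # the field from the issue's filter
    for label, cfg in (("issue config", CONFIG_BUGGY), ("workaround", CONFIG_WORKAROUND)):
        print(label, "allowed:", filter_fields_allowed(cfg, "Item", "anonymous", wanted))
    print("at risk:", entities_at_risk(CONFIG_BUGGY))
```

Two things worth noting from running it. First, the failure is fail-closed: when the map lookup yields nothing, the resolver denies rather than grants, which is why the symptom was a 403-style error and not data exposure. Second, `entities_at_risk` is the check a practitioner would run over a config before upgrading to a release in the affected range; an empty list with the explicit `graphql.type` form matches what the thread reports.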
@Aniruddh25 (Contributor)

Hi @dgcaron, 0.7.6 is now the latest release, where the access forbidden issue should not occur again. Could you please try it on your end to confirm?

@dgcaron (Author)

dgcaron commented Jun 12, 2023

This looks fine to me with my current configuration.

@Aniruddh25 (Contributor)

> This looks fine to me with my current configuration.

Thank you for your confirmation, and helping us validate!

9 participants