feat(keystone): INFRA-931 add ApolloQueryBlockingPlugin (#5914)

* refactor(keystone): INFRA-931 reorganize plugins

* feat(keystone): INFRA-931 add ApolloQueryBlockingPlugin

* docs(keystone): INFRA-931 added docs to ApolloQueryBlockingPlugin

* refactor(keystone): INFRA-931 inline error type

Author: SavelevMatthew

apps/condo/domains/user/schema/ResetUserLimitAction.test.js

@@ -3,8 +3,8 @@
  */
 const { faker } = require('@faker-js/faker')
 
+const { ApolloRateLimitingPlugin } = require('@open-condo/keystone/apolloServerPlugins')
 const { getKVClient } = require('@open-condo/keystone/kv')
-const { ApolloRateLimitingPlugin } = require('@open-condo/keystone/rateLimiting')
 const { makeLoggedInAdminClient, makeClient, expectToThrowGQLError } = require('@open-condo/keystone/test.utils')
 const {
     expectToThrowAuthenticationErrorToObj,

apps/condo/domains/user/utils/limits/resetters/RateLimitResetter.js

@@ -1,5 +1,5 @@
+const { ApolloRateLimitingPlugin } = require('@open-condo/keystone/apolloServerPlugins')
 const { getKVClient } = require('@open-condo/keystone/kv')
-const { ApolloRateLimitingPlugin } = require('@open-condo/keystone/rateLimiting')
 
 const { UUID_TYPE, IPv4_TYPE } = require('@condo/domains/user/constants/identifiers')
 

apps/condo/lang/en/en.json

@@ -349,6 +349,7 @@
   "api.common.WRONG_PHONE_FORMAT": "Wrong phone number format",
   "api.contact.contact.CONTACT_DUPLICATE_ERROR": "Contact with this phone number is already registered in this room",
   "api.document.WRONG_PROPERTY_ORGANIZATION": "Property has different organization",
+  "api.global.queryBlocking.FORBIDDEN_REQUEST": "This request is denied by the server because it contains blocked operations: {blockedOperations}",
   "api.global.rateLimit.RATE_LIMIT_EXCEEDED": "You've made too many requests recently, try again later",
   "api.marketplace.invoice.ALREADY_CANCELED": "Changing of canceled invoice is forbidden",
   "api.marketplace.invoice.ALREADY_PAID": "Changing of paid invoice is forbidden",

apps/condo/lang/es/es.json

@@ -349,6 +349,7 @@
   "api.common.WRONG_PHONE_FORMAT": "Formato del número de teléfono incorrecto",
   "api.contact.contact.CONTACT_DUPLICATE_ERROR": "Un contacto con este número de teléfono ya está registrado en esta propiedad",
   "api.document.WRONG_PROPERTY_ORGANIZATION": "La propiedad tiene una organización diferente",
+  "api.global.queryBlocking.FORBIDDEN_REQUEST": "Esta petición ha sido denegada por el servidor porque contiene operaciones bloqueadas: {blockedOperations}",
   "api.global.rateLimit.RATE_LIMIT_EXCEEDED": "Has creado demasiadas incidencias. Por favor, inténtalo más tarde.",
   "api.marketplace.invoice.ALREADY_CANCELED": "No se puede modificar una factura cancelada",
   "api.marketplace.invoice.ALREADY_PAID": "No se puede modificar una factura pagada",

apps/condo/lang/ru/ru.json

@@ -349,6 +349,7 @@
   "api.common.WRONG_PHONE_FORMAT": "Неверный формат номера телефона",
   "api.contact.contact.CONTACT_DUPLICATE_ERROR": "Контакт с таким номером телефона уже зарегистрирован в этом помещении",
   "api.document.WRONG_PROPERTY_ORGANIZATION": "Дом находится в другой организации",
+  "api.global.queryBlocking.FORBIDDEN_REQUEST": "Данный запрос запрещен сервером, так как содержит заблокированные операции: {blockedOperations}",
   "api.global.rateLimit.RATE_LIMIT_EXCEEDED": "Вы сделали слишком много запросов за последнее время, повторите попытку позднее",
   "api.marketplace.invoice.ALREADY_CANCELED": "Нельзя изменять отмененный счет",
   "api.marketplace.invoice.ALREADY_PAID": "Нельзя изменять оплаченный счет",

packages/keystone/KSv5v6/v5/prepareKeystone.js

@@ -12,6 +12,8 @@ const { v4 } = require('uuid')
 
 const conf = require('@open-condo/config')
 const { safeApolloErrorFormatter } = require('@open-condo/keystone/apolloErrorFormatter')
+const { ApolloRateLimitingPlugin, ApolloQueryBlockingPlugin } = require('@open-condo/keystone/apolloServerPlugins')
+const { ApolloSentryPlugin } = require('@open-condo/keystone/apolloServerPlugins')
 const { ExtendedPasswordAuthStrategy } = require('@open-condo/keystone/authStrategy/passwordAuth')
 const { parseCorsSettings } = require('@open-condo/keystone/cors.utils')
 const { _internalGetExecutionContextAsyncLocalStorage } = require('@open-condo/keystone/executionContext')
@@ -23,8 +25,6 @@ const { expressErrorHandler } = require('@open-condo/keystone/logging/expressErr
 const metrics = require('@open-condo/keystone/metrics')
 const { composeNonResolveInputHook, composeResolveInputHook } = require('@open-condo/keystone/plugins/utils')
 const { schemaDocPreprocessor, adminDocPreprocessor, escapeSearchPreprocessor, customAccessPostProcessor } = require('@open-condo/keystone/preprocessors')
-const { ApolloRateLimitingPlugin } = require('@open-condo/keystone/rateLimiting')
-const { ApolloSentryPlugin } = require('@open-condo/keystone/sentry')
 const { prepareDefaultKeystoneConfig } = require('@open-condo/keystone/setup.utils')
 const { registerTasks, registerTaskQueues, taskQueues } = require('@open-condo/keystone/tasks')
 const { KeystoneTracingApp } = require('@open-condo/keystone/tracing')
@@ -49,6 +49,7 @@ const INFINITY_MAX_AGE_COOKIE = 1707195600
 const SERVICE_USER_SESSION_TTL_IN_SEC = 7 * 24 * 60 * 60 // 7 days in sec
 const RATE_LIMIT_CONFIG = JSON.parse(conf['RATE_LIMIT_CONFIG'] || '{}')
 const IS_RATE_LIMIT_DISABLED = conf['DISABLE_RATE_LIMIT'] === 'true'
+const BLOCKED_OPERATIONS = JSON.parse(conf['BLOCKED_OPERATIONS'] || '{}')
 
 const logger = getLogger('uncaughtError')
 
@@ -92,6 +93,26 @@ class DataVersionChecker {
     }
 }
 
+function _getApolloServerPlugins (keystone) {
+    /** @type {Array<import('apollo-server-plugin-base').ApolloServerPlugin>} */
+    const apolloServerPlugins = [
+        new ApolloQueryBlockingPlugin(BLOCKED_OPERATIONS),
+    ]
+
+    if (!IS_RATE_LIMIT_DISABLED) {
+        apolloServerPlugins.push(new ApolloRateLimitingPlugin(keystone, RATE_LIMIT_CONFIG))
+    }
+
+    // NOTE: Must be after all req.context filling plugins
+    apolloServerPlugins.push(new GraphQLLoggerPlugin())
+
+    if (IS_SENTRY_ENABLED) {
+        apolloServerPlugins.unshift(new ApolloSentryPlugin())
+    }
+
+    return apolloServerPlugins
+}
+
 function prepareKeystone ({ onConnect, extendKeystoneConfig, extendExpressApp, schemas, schemasPreprocessors, tasks, queues, apps, lastApp, graphql, ui, authStrategyOpts }) {
     // trying to be compatible with keystone-6 and keystone-5
     // TODO(pahaz): add storage like https://keystonejs.com/docs/config/config#storage-images-and-files
@@ -178,15 +199,7 @@ function prepareKeystone ({ onConnect, extendKeystoneConfig, extendExpressApp, s
         setInterval(sendAppMetrics, 2000)
     }
 
-    const apolloPlugins = []
-    if (!IS_RATE_LIMIT_DISABLED) {
-        apolloPlugins.push(new ApolloRateLimitingPlugin(keystone, RATE_LIMIT_CONFIG))
-    }
-    apolloPlugins.push(new GraphQLLoggerPlugin())
-
-    if (IS_SENTRY_ENABLED) {
-        apolloPlugins.unshift(new ApolloSentryPlugin())
-    }
+    const apolloServerPlugins = _getApolloServerPlugins(keystone)
 
     return {
         keystone,
@@ -211,7 +224,7 @@ function prepareKeystone ({ onConnect, extendKeystoneConfig, extendExpressApp, s
                     debug: IS_ENABLE_APOLLO_DEBUG,
                     introspection: IS_ENABLE_DANGEROUS_GRAPHQL_PLAYGROUND,
                     playground: false,
-                    plugins: apolloPlugins,
+                    plugins: apolloServerPlugins,
                 },
                 ...(graphql || {}),
             }),

packages/keystone/apolloServerPlugins/index.js

@@ -0,0 +1,9 @@
+const { ApolloQueryBlockingPlugin } = require('./queryBlocking')
+const { ApolloRateLimitingPlugin } = require('./rateLimiting')
+const { ApolloSentryPlugin } = require('./sentry')
+
+module.exports = {
+    ApolloQueryBlockingPlugin,
+    ApolloRateLimitingPlugin,
+    ApolloSentryPlugin,
+}

packages/keystone/apolloServerPlugins/queryBlocking/README.md

@@ -0,0 +1,15 @@
+# ApolloQueryBlockingPlugin
+
+> With this plugin you can block a particular request / mutation in the API in case of an incident 
+> without re-deploying the application.
+
+## Working principle
+1. Queries and mutations are extracted from each request.
+2. If some query / mutation from the request is in the block list, the entire request will be rejected
+
+## Configuring
+
+You can find full config spec in [config.utils.specs.js](./config.utils.spec.js), but here's some brief example:
+```dotenv
+BLOCKED_OPERATIONS='{"queries": ["allResidentBillingReceipts"], "mutations": ["registerMultiPayment"]}'
+```

packages/keystone/apolloServerPlugins/queryBlocking/config.utils.js

@@ -0,0 +1,32 @@
+const Ajv = require('ajv')
+
+const ajv = new Ajv()
+
+const PLUGIN_OPTIONS_SCHEMA = {
+    type: 'object',
+    properties: {
+        queries: {
+            items: { type: 'string' },
+            type: 'array',
+        },
+        mutations: {
+            items: { type: 'string' },
+            type: 'array',
+        },
+    },
+    additionalProperties: false,
+}
+
+const _validate = ajv.compile(PLUGIN_OPTIONS_SCHEMA)
+
+function validatePluginConfig (options) {
+    if (!_validate(options)) {
+        throw new TypeError(`Invalid ApolloQueryBlockingPlugin options provided: ${ajv.errorsText(_validate.errors)}`)
+    }
+
+    return options
+}
+
+module.exports = {
+    validatePluginConfig,
+}

packages/keystone/apolloServerPlugins/queryBlocking/config.utils.spec.js

@@ -0,0 +1,35 @@
+const { validatePluginConfig } = require('./config.utils')
+
+describe('Plugin config utils', () => {
+    describe('validatePluginOptions', () => {
+        describe('Must bypass valid options', () => {
+            const validCases = [
+                ['empty config', {}],
+                ['queries config', { queries: ['allTickets', '_allTicketsMeta'] }],
+                ['mutations config', { mutations: ['createUser', 'updateProperty'] }],
+                ['combined config', { queries: ['allTickets', '_allTicketsMeta'], mutations: ['createUser', 'updateProperty'] }],
+            ]
+
+            test.each(validCases)('%p', (_, options) => {
+                expect(() => validatePluginConfig(options)).not.toThrow()
+                const validated = validatePluginConfig(options)
+                expect(validated).toEqual(options)
+            })
+        })
+        describe('Must throw error on invalid options', () => {
+            const invalidCases = [
+                ['config is not object', 123],
+                ['config is JSON.stringify object', '{}'],
+                ['config with unknown properties', { fields: ['myField'] }],
+                ['config with invalid queries #1', { queries: [123] }],
+                ['config with invalid queries #2', { queries: 'allTickets' }],
+                ['config with invalid mutations #1', { mutations: [123] }],
+                ['config with invalid mutations #2', { mutations: 'allTickets' }],
+            ]
+
+            test.each(invalidCases)('%p', (_, options) => {
+                expect(() => validatePluginConfig(options)).toThrow(/Invalid ApolloQueryBlockingPlugin options provided/)
+            })
+        })
+    })
+})

packages/keystone/apolloServerPlugins/queryBlocking/index.js

@@ -0,0 +1,5 @@
+const { ApolloQueryBlockingPlugin } = require('./plugin')
+
+module.exports = {
+    ApolloQueryBlockingPlugin,
+}

packages/keystone/apolloServerPlugins/queryBlocking/plugin.js

@@ -0,0 +1,58 @@
+const { GQLError, GQLErrorCode: { FORBIDDEN } } = require('@open-condo/keystone/errors')
+
+const { validatePluginConfig } = require('./config.utils')
+
+const { extractQueriesAndMutationsFromRequest } = require('../utils/requests')
+
+/** @implements {import('apollo-server-plugin-base').ApolloServerPlugin} */
+class ApolloQueryBlockingPlugin {
+    /** @type {Set<string>} */
+    #blockedQueries = new Set()
+    /** @type {Set<string>} */
+    #blockedMutations = new Set()
+
+    constructor (config) {
+        config = validatePluginConfig(config || {})
+
+        if (config.queries) {
+            this.#blockedQueries = new Set(config.queries)
+        }
+
+        if (config.mutations) {
+            this.#blockedMutations = new Set(config.mutations)
+        }
+    }
+
+    requestDidStart () {
+        return {
+            didResolveOperation: async (requestContext) => {
+                if (!this.#blockedQueries.size && !this.#blockedMutations.size) return
+                
+                const { mutations, queries } = extractQueriesAndMutationsFromRequest(requestContext)
+
+                const blockedMutations = mutations
+                    .map(mutation => mutation.name)
+                    .filter(name => this.#blockedMutations.has(name))
+                const blockedQueries = queries
+                    .map(query => query.name)
+                    .filter(name => this.#blockedQueries.has(name))
+
+                if (blockedMutations.length || blockedQueries.length) {
+                    throw new GQLError({
+                        code: FORBIDDEN,
+                        type: 'FORBIDDEN_REQUEST',
+                        message: 'Request is rejected because it contains blocked queries / mutations: {blockedOperations}',
+                        messageForUser: 'api.global.queryBlocking.FORBIDDEN_REQUEST',
+                        messageInterpolation: {
+                            blockedOperations: [...blockedMutations, ...blockedQueries].join(', '),
+                        },
+                    }, requestContext.context)
+                }
+            },
+        }
+    }
+}
+
+module.exports = {
+    ApolloQueryBlockingPlugin,
+}

packages/keystone/rateLimiting/README.md packages/keystone/apolloServerPlugins/rateLimiting/README.md

@@ -5,7 +5,7 @@
 2. For each query it's complexity calculated
 3. Mutations and queries complexities are summed to form total request complexity
 4. Complexity is extracted from request in logger plugin.
-5. (TODO) If request is too complex or there's no quota left it throws 429 GQLError
+5. If request is too complex or there's no quota left it throws 429 GQLError
 
 ## Calculating query complexity
 ### List query complexity

packages/keystone/rateLimiting/config.utils.js packages/keystone/apolloServerPlugins/rateLimiting/config.utils.js

@@ -16,9 +16,11 @@ const {
     ERROR_TYPE,
 } = require('./constants')
 const { extractWhereComplexityFactor, extractRelationsComplexityFactor } = require('./query.utils')
-const { extractQueriesAndMutationsFromRequest, extractQuotaKeyFromRequest, addComplexity, buildQuotaKey } = require('./request.utils')
+const { extractQuotaKeyFromRequest, addComplexity, buildQuotaKey } = require('./request.utils')
 const { extractPossibleArgsFromSchemaQueries, extractKeystoneListsData } = require('./schema.utils')
 
+const { extractQueriesAndMutationsFromRequest } = require('../utils/requests')
+
 /** @implements {import('apollo-server-plugin-base').ApolloServerPlugin} */
 class ApolloRateLimitingPlugin {
     /** @type {import('@keystonejs/keystone').Keystone} */

packages/keystone/rateLimiting/config.utils.spec.js packages/keystone/apolloServerPlugins/rateLimiting/config.utils.spec.js

@@ -0,0 +1,37 @@
+const { PLUGIN_KEY_PREFIX } = require('./constants')
+
+function buildQuotaKey (identityPrefix, identity) {
+    return [PLUGIN_KEY_PREFIX, identityPrefix, identity].join(':')
+}
+
+function extractQuotaKeyFromRequest (requestContext) {
+    const isAuthed = Boolean(requestContext.context.authedItem)
+    const identifier = isAuthed ? requestContext.context.authedItem.id : requestContext.context.req.ip
+    const identityPrefix = isAuthed ? 'user' : 'ip'
+    const key = buildQuotaKey(identityPrefix, identifier)
+
+    return { isAuthed, key, identifier }
+}
+
+function addComplexity (existingComplexity, newComplexity) {
+    if (!existingComplexity) {
+        return newComplexity
+    }
+
+    return {
+        ...existingComplexity,
+        details: {
+            queries: [...existingComplexity.details.queries, ...newComplexity.details.queries],
+            mutations: [...existingComplexity.details.mutations, ...newComplexity.details.mutations],
+        },
+        queries: existingComplexity.queries + newComplexity.queries,
+        mutations: existingComplexity.mutations + newComplexity.mutations,
+        total: existingComplexity.total + newComplexity.total,
+    }
+}
+
+module.exports = {
+    extractQuotaKeyFromRequest,
+    addComplexity,
+    buildQuotaKey,
+}

packages/keystone/rateLimiting/constants.js packages/keystone/apolloServerPlugins/rateLimiting/constants.js

@@ -1,5 +1,3 @@
-const { PLUGIN_KEY_PREFIX } = require('./constants')
-
 function extractArgValue (valueNode, variables) {
     switch (valueNode.kind) {
         case 'Variable':
@@ -75,39 +73,6 @@ function extractQueriesAndMutationsFromRequest (requestContext) {
     return { queries, mutations }
 }
 
-function buildQuotaKey (identityPrefix, identity) {
-    return [PLUGIN_KEY_PREFIX, identityPrefix, identity].join(':')
-}
-
-function extractQuotaKeyFromRequest (requestContext) {
-    const isAuthed = Boolean(requestContext.context.authedItem)
-    const identifier = isAuthed ? requestContext.context.authedItem.id : requestContext.context.req.ip
-    const identityPrefix = isAuthed ? 'user' : 'ip'
-    const key = buildQuotaKey(identityPrefix, identifier)
-
-    return { isAuthed, key, identifier }
-}
-
-function addComplexity (existingComplexity, newComplexity) {
-    if (!existingComplexity) {
-        return newComplexity
-    }
-
-    return {
-        ...existingComplexity,
-        details: {
-            queries: [...existingComplexity.details.queries, ...newComplexity.details.queries],
-            mutations: [...existingComplexity.details.mutations, ...newComplexity.details.mutations],
-        },
-        queries: existingComplexity.queries + newComplexity.queries,
-        mutations: existingComplexity.mutations + newComplexity.mutations,
-        total: existingComplexity.total + newComplexity.total,
-    }
-}
-
 module.exports = {
     extractQueriesAndMutationsFromRequest,
-    extractQuotaKeyFromRequest,
-    addComplexity,
-    buildQuotaKey,
 }