Skip to content

Add GraphQL API endpoint access from primary to secondary Geo nodes

Catalin Irimie requested to merge cat-geo-graphql-api into master

What does this MR do and why?

Related to #345420 (closed).

This adds a api/v4/geo/node_proxy/:id/graphql endpoint that forwards the request from to another Geo secondary node (the one with :id) and returns the GraphQL response back.

This includes an authentication method that sends a Geo signed token from the primary using the current session's user ID, that is then authenticated on the secondary.

The flow should be:

  1. The api/v4/geo/node_proxy/:id/graphql route uses the API input as-is (env['api.request.input']) and generates a token with authenticating_user_id in the data (based on the same BaseRequestService we're using the opposite way), which then sends to GeoNode.find(secondary_id).graphql_url which is basically "#{node.internal_url}/api/v4/geo/graphql
  2. On the secondary, we also alias api/v4/geo/graphql to api/graphql (GraphqlController), and add to the Workhorse Geo routes so it doesn't get proxied (plus fix the readonly middleware to take it into account too, since it's a POST)
  3. There's a new find_user_from_geo_token auth finder which tries to decode the Authorization Geo token, if present, and the path starts with /api/v4/geo/, so also for security reasons it's limited to these routes. Was thinking to also put it under a feature flag since it touches the place handling all auth finders (overriding in EE, wasn't there before)
  4. The GraphQL controller uses the sessionless authentication which uses the finder above, logs in as the user sent by the primary (current_user on the primary so there needs to be a session in the first place), then fulfills the request and sends the data back

How to set up and validate locally

  1. Have GDK with Geo setup, or patch this MR on a GET env.
  2. Enable the feature flag 
    Feature.enable(:geo_token_user_authentication)
  3. Get a private token and set it in your env vars, like export TOK="glpat-test"
  4. This assumes your primary is at URL https://gdk.test:3443 and your secondary node has id 2. Run curl -H "PRIVATE-TOKEN: $TOK" https://gdk.test:3443/api/v4/geo/node_proxy/2/graphql -X POST -i -H 'Content-Type: application/json' --data "{\"query\": \"query {currentUser {name}}\"}"

You should receive a {"data":{"currentUser":{"name":"Administrator"}}} response back (or the user name of the user you created a PAT as).

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Michael Kozono

Merge request reports