From 410b012e2972819c2523706bfba83be109e490cd Mon Sep 17 00:00:00 2001 From: Patrick McLain Date: Mon, 31 Dec 2018 14:43:41 -0500 Subject: [PATCH] Allow introspection by default in production mode Adds env.php parameter for disabling introspection: ```php ... 'graphql' => [ 'disable_introspection' => true, ], ... ``` Fixes #232 --- .../GraphQl/IntrospectionQueryTest.php | 11 ++--- .../Query/IntrospectionConfiguration.php | 42 +++++++++++++++++++ .../GraphQl/Query/QueryComplexityLimiter.php | 14 ++++++- 3 files changed, 57 insertions(+), 10 deletions(-) create mode 100644 lib/internal/Magento/Framework/GraphQl/Query/IntrospectionConfiguration.php diff --git a/dev/tests/api-functional/testsuite/Magento/GraphQl/IntrospectionQueryTest.php b/dev/tests/api-functional/testsuite/Magento/GraphQl/IntrospectionQueryTest.php index 85b4c62c41945..60acb3a7a4d44 100644 --- a/dev/tests/api-functional/testsuite/Magento/GraphQl/IntrospectionQueryTest.php +++ b/dev/tests/api-functional/testsuite/Magento/GraphQl/IntrospectionQueryTest.php @@ -12,10 +12,10 @@ class IntrospectionQueryTest extends GraphQlAbstract { /** - * Tests that Introspection is disabled when not in developer mode + * Tests that Introspection is allowed by default * @SuppressWarnings(PHPMD.ExcessiveMethodLength) */ - public function testIntrospectionQueryWithFieldArgs() + public function testIntrospectionQuery() { $query = <<expectException(\Exception::class); - $this->expectExceptionMessage( - 'GraphQL response contains errors: GraphQL introspection is not allowed, but ' . - 'the query contained __schema or __type' - ); - $this->graphQlQuery($query); + $this->assertArrayHasKey('__schema', $this->graphQlQuery($query)); } } diff --git a/lib/internal/Magento/Framework/GraphQl/Query/IntrospectionConfiguration.php b/lib/internal/Magento/Framework/GraphQl/Query/IntrospectionConfiguration.php new file mode 100644 index 0000000000000..1bdb5e56d10de --- /dev/null +++ b/lib/internal/Magento/Framework/GraphQl/Query/IntrospectionConfiguration.php @@ -0,0 +1,42 @@ +deploymentConfig = $deploymentConfig; + } + + /** + * Check the the environment config to determine if introspection should be disabled. + * + * @return int + */ + public function disableIntrospection(): int + { + return (int) $this->deploymentConfig->get(self::CONFIG_PATH_DISABLE_INTROSPECTION); + } +} diff --git a/lib/internal/Magento/Framework/GraphQl/Query/QueryComplexityLimiter.php b/lib/internal/Magento/Framework/GraphQl/Query/QueryComplexityLimiter.php index 5730156ca5b34..2e88f8902b663 100644 --- a/lib/internal/Magento/Framework/GraphQl/Query/QueryComplexityLimiter.php +++ b/lib/internal/Magento/Framework/GraphQl/Query/QueryComplexityLimiter.php @@ -11,6 +11,7 @@ use GraphQL\Validator\Rules\DisableIntrospection; use GraphQL\Validator\Rules\QueryDepth; use GraphQL\Validator\Rules\QueryComplexity; +use Magento\Framework\App\ObjectManager; /** * QueryComplexityLimiter @@ -33,16 +34,25 @@ class QueryComplexityLimiter */ private $queryComplexity; + /** + * @var IntrospectionConfiguration + */ + private $introspectionConfig; + /** * @param int $queryDepth * @param int $queryComplexity + * @param IntrospectionConfiguration $introspectionConfig */ public function __construct( int $queryDepth, - int $queryComplexity + int $queryComplexity, + IntrospectionConfiguration $introspectionConfig = null ) { $this->queryDepth = $queryDepth; $this->queryComplexity = $queryComplexity; + $this->introspectionConfig = $introspectionConfig ?? ObjectManager::getInstance() + ->get(IntrospectionConfiguration::class); } /** @@ -53,7 +63,7 @@ public function __construct( public function execute(): void { DocumentValidator::addRule(new QueryComplexity($this->queryComplexity)); - DocumentValidator::addRule(new DisableIntrospection()); + DocumentValidator::addRule(new DisableIntrospection($this->introspectionConfig->disableIntrospection())); DocumentValidator::addRule(new QueryDepth($this->queryDepth)); } }