feat: add introspection settings to the symfony config tree

pimcore · Mar 28, 2023 · 1f35dbd · 1f35dbd
1 parent 4f8a9e4
commit 1f35dbd
Show file tree

Hide file tree

Showing 7 changed files with 65 additions and 29 deletions.
diff --git a/doc/10_GraphQL/01_Configuration/03_Security_Settings.md b/doc/10_GraphQL/01_Configuration/03_Security_Settings.md
@@ -9,6 +9,15 @@ Defines how users are authenticated when accessing the endpoint.
 * API Key: needs to be sent with every request.
 * ... more to come
 
+## Introspection settings
+
+Introspection provides an information about queries which are supported by GraphQl schema. This is currently enabled by default. It can be disabled via security settings or in the symfony configuration tree:
+```
+pimcore_data_hub:
+    graphql:
+        allow_introspection: false
+```
+
 ## Workspace Settings
 
 Defines workspaces for data that should be accessible via the endpoint. 

diff --git a/doc/Installation_and_Upgrade/02_Upgrade_Notes.md b/doc/Installation_and_Upgrade/02_Upgrade_Notes.md
@@ -5,6 +5,7 @@
 to the settings store, use the provided `datahub:configuration:migrate-legacy-config` command.
 - Added the ability to import and export each type of data-hub configuration.
 Be sure to include the `supported_types` configuration in any custom implementation to use the import functionality!
+- Added possibility to disable the introspection for GraphQL via configuration tree.
 
 ## 1.5.0
 - When "Skip Permission Check" is active in a GraphQL configuration, the "Workspaces" settings are also skipped 

diff --git a/src/Controller/WebserviceController.php b/src/Controller/WebserviceController.php
@@ -191,7 +191,12 @@ public function webonyxAction(
                 $variableValues = $event->getRequest()->get('variables', $variableValues);
             }
 
-            $disableIntrospection = $configuration->getSecurityConfig()['disableIntrospection'] ?? false;
+            $configAllowIntrospection = true;
+            if (isset($this->config['graphql']) && isset($this->config['graphql']['allow_introspection'])) {
+                $configAllowIntrospection = $this->config['graphql']['allow_introspection'];
+            }
+
+            $disableIntrospection = (!$configAllowIntrospection || $configuration->getSecurityConfig()['disableIntrospection']) ?? false;
             if ($disableIntrospection === true) {
                 DocumentValidator::addRule(new DisableIntrospection());
             }

diff --git a/src/DependencyInjection/Configuration.php b/src/DependencyInjection/Configuration.php
@@ -38,6 +38,7 @@ public function getConfigTreeBuilder()
                         ->scalarNode('not_allowed_policy')->info('throw exception = 1, return null = 2')->defaultValue(2)->end()
                         ->booleanNode('output_cache_enabled')->info('enables output cache for graphql responses. It is disabled by default')->defaultValue(false)->end()
                         ->integerNode('output_cache_lifetime')->info('output cache in seconds. Default is 30 seconds')->defaultValue(30)->end()
+                        ->booleanNode('allow_introspection')->info('enables introspection for graphql. It is enabled by default')->defaultValue(true)->end()
                     ->end()
                 ->end()
             ->end()

diff --git a/src/EventListener/AdminListener.php b/src/EventListener/AdminListener.php
@@ -19,6 +19,13 @@
 
 class AdminListener
 {
+    private array $config;
+
+    public function __construct(array $config)
+    {
+        $this->config = $config;
+    }
+
     /**
      * Handles INDEX_ACTION_SETTINGS event and adds custom admin UI settings
      *
@@ -27,5 +34,10 @@ class AdminListener
     public function addIndexSettings(IndexActionSettingsEvent $event)
     {
         $event->addSetting('data-hub-writeable', (new \Pimcore\Bundle\DataHubBundle\Configuration(null, null))->isWriteable());
+        $allowIntrospection = true;
+        if (isset($this->config['graphql']) && isset($this->config['graphql']['allow_introspection'])) {
+            $allowIntrospection = $this->config['graphql']['allow_introspection'];
+        }
+        $event->addSetting('allow_introspection', $allowIntrospection);
     }
 }
diff --git a/src/Resources/config/eventlistener.yml b/src/Resources/config/eventlistener.yml
@@ -10,5 +10,7 @@ services:
             - { name: kernel.event_subscriber }
 
     Pimcore\Bundle\DataHubBundle\EventListener\AdminListener:
+        bind:
+            $config: '%pimcore_data_hub%'
         tags:
             - { name: kernel.event_listener, event: pimcore.admin.indexAction.settings, method: addIndexSettings }
diff --git a/src/Resources/public/js/configuration/graphql/configItem.js b/src/Resources/public/js/configuration/graphql/configItem.js
@@ -227,13 +227,6 @@ pimcore.plugin.datahub.configuration.graphql.configItem = Class.create(pimcore.e
             value: this.data.security ? this.data.security.skipPermissionCheck : ""
         });
 
-        var disableIntrospection = new Ext.form.Checkbox({
-            fieldLabel: t('plugin_pimcore_datahub_disable_introspection'),
-            labelWidth: 200,
-            name: "disableIntrospection",
-            value: this.data.security ? this.data.security.disableIntrospection : ""
-        });
-
         this.securityForm = new Ext.form.FormPanel({
             bodyStyle: "padding:10px;",
             autoScroll: true,
@@ -281,30 +274,43 @@ pimcore.plugin.datahub.configuration.graphql.configItem = Class.create(pimcore.e
                     readOnly: true,
                     disabled: true
                 },
-                skipPermissionCheck,
-                disableIntrospection,
-                {
-                    xtype: 'displayfield',
-                    hideLabel: true,
-                    value: t("plugin_pimcore_datahub_security_introspection_description"),
-                    cls: "pimcore_extra_label_bottom",
-                    style: "padding-bottom: 0px",
-                    readOnly: true,
-                    disabled: true
-                },
-                {
-                    xtype: 'fieldset',
-                    width: 800,
-                    title: t("workspaces"),
-                    items: [
-                        this.documentWorkspace.getPanel(),
-                        this.assetWorkspace.getPanel(),
-                        this.objectWorkspace.getPanel()
-                    ]
-                }
+                skipPermissionCheck
             ]
         });
 
+        if (pimcore.settings.allow_introspection) {
+            let disableIntrospection = new Ext.form.Checkbox({
+                fieldLabel: t('plugin_pimcore_datahub_disable_introspection'),
+                labelWidth: 200,
+                name: "disableIntrospection",
+                value: this.data.security ? this.data.security.disableIntrospection : ""
+            });
+            let introspectionDescription = {
+                xtype: 'displayfield',
+                hideLabel: true,
+                value: t("plugin_pimcore_datahub_security_introspection_description"),
+                cls: "pimcore_extra_label_bottom",
+                style: "padding-bottom: 0px",
+                readOnly: true,
+                disabled: true
+            };
+
+            this.securityForm.add(disableIntrospection, introspectionDescription);
+        }
+
+        let workspaces = {
+            xtype: 'fieldset',
+            width: 800,
+            title: t("workspaces"),
+            items: [
+                this.documentWorkspace.getPanel(),
+                this.assetWorkspace.getPanel(),
+                this.objectWorkspace.getPanel()
+            ]
+        };
+
+        this.securityForm.add(workspaces);
+
         return this.securityForm;
     },