Set up default protection ruleset for default and release branches
1 file changed
tree: e007b84358048053e5b4b97a14948211311703fa
  1. .github/
  2. authz/
  3. examples/
  4. tests/
  5. .asf.yaml
  6. .gitignore
  7. .releaserc.json
  8. CHANGELOG.md
  9. LICENSE
  10. README.md
  11. requirements.txt
  12. requirements_dev.txt
  13. setup.cfg
  14. setup.py
README.md

graphql-authz

Build Status Coverage Status Version PyPI - Wheel Pyversions Download Discord

GraphQL-Authz is a Python port of GraphQL-Authz, the Casbin authorization middleware implementation in Node.js.

This package should be used with GraphQL-core 3, providing the capability to limit access to each GraphQL resource with the authorization middleware.

Installation

Install the package using pip.

pip install casbin-graphql-authz

Get Started

Limit the access to each GraphQL resource with a policy. For example, given this policy for an RBAC model:

p, authorized_user, hello, query

Authorization can be enforced using:

import casbin
from authz.middleware import enforcer_middleware

from graphql import (
    graphql_sync,
    GraphQLSchema,
    GraphQLObjectType,
    GraphQLField,
    GraphQLString,
)


schema = GraphQLSchema(
    query=GraphQLObjectType(
        name="RootQueryType",
        fields={
            "hello": GraphQLField(
                GraphQLString,
                resolve=lambda obj, info: "world")
        }))

enforcer = casbin.Enforcer("model_file.conf", "policy_file.csv")
authorization_middleware = enforcer_middleware(enforcer)

query = """{ hello }"""

# Authorized user ("authorized_user") has access to data
response = graphql_sync(
    schema,
    query,
    middleware=[authorization_middleware],
    context_value={"role": "authorized_user"}
)
assert response.data == {"hello": "world"}

# Unauthorized users ("unauthorized_user") are rejected
response = graphql_sync(
    schema,
    query,
    middleware=[authorization_middleware],
    context_value={"role": "unauthorized_user"}
)
assert response.errors[0].message == "unauthorized_user can not query hello"

For more interesting scenarios see tests folder.

Credits

Implementation was heavily inspired by the Node.js middleware GraphQL-Authz.

Authorization enforcement is based on Casbin authorization library.