Brett Walker authored 5 years ago and Mayra Cabrera committed 5 years ago

- Due to https://github.com/exAspArk/batch-loader/pull/32,
we  changed BatchLoader.for into BatchLoader::GraphQL.for
- since our results are wrapped in a BatchLoader::GraphQL,
calling `sync` during authorization is required to get real object
- `graphql` now has it's own authorization system.  Our
`authorized?` method conflicted and required renaming

Brett Walker authored 5 years ago and Mayra Cabrera committed 5 years ago

The `GraphQL::Function` has been deprecated in
favor of resolvers.

Alessio Caiazza authored 5 years ago and Mayra Cabrera committed 5 years ago

Root namespaces have storage statistics.
This commit allows namespace owners to get those stats via GraphQL
queries like the following one

{
  namespace(fullPath: "a_namespace_path") {
    rootStorageStatistics {
      storageSize
      repositorySize
      lfsObjectsSize
      buildArtifactsSize
      packagesSize
      wikiSize
    }
  }
}

Igor Drozdov authored 5 years ago and Nick Thomas committed 5 years ago

This is part of migration of Folder View to Vue

Adds more friendly docs for GraphQl implementation

- Remove Gitaly call check for fields that have a constant complexity
declared
- Add associated test

- Add 1 for all fields that call Gitaly (with resolvers or without)
- Clarify comment regarding Gitaly call alert
- Expose predicate `calls_gitaly?` instead of ivar

- Add `calls_gitaly: true` to some fields missing (hey, it works!)
- Clarify proc wrapping
- Add kwargs argument to `mount_mutation`

- Move `calls_gitaly_check` to public
- Add instrumentation for flagging missing CallsGitaly declarations
- Wrap resolver proc in before-and-after Gitaly counts to get the net
Gitaly call count for the resolver.

EE MR https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14292
https://gitlab.com/gitlab-org/gitlab-ee/issues/9491

Adding new `AddAwardEmoji`, `RemoveAwardEmoji` and `ToggleAwardEmoji`
GraphQL mutations.

Adding new `#authorized_find_with_pre_checks!` and (unused, but for
completeness `#authorized_find_with_post_checks!`) authorization
methods. These allow us to perform an authorized find, and run our own
additional checks before or after the authorization runs.

https://gitlab.com/gitlab-org/gitlab-ce/issues/62826

https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/29921#note_184713939

Raise an exception if a developer calls any of the GraphQL authorization
methods and a `authorize :permission` is missing from a mutation class.

Previously `authorized?` would return `true` in this situation, which
although technically is accurate is not what a developer is intending.

This makes sure we also enforce authorizations for non-nullable
fields.

We are defining our authorizations on the unwrapped
types (Repository). But when a type like that is presented in a
non-nullable field, it's type is different (Repository!). The
non-nullable type would not have the authorization metadata.

This makes sure we check the metadata on the unwrapped type for
finding authorizations.

Bob Van Landuyt :neckbeard: authored 5 years ago and Douwe Maan committed 5 years ago

This adds a `markdown_field` to our types.

Using this helper will render a model's markdown field using the
existing `MarkupHelper` with the context of the GraphQL query
available to the helper.

Having the context available to the helper is needed for redacting
links to resources that the current user is not allowed to see.

Because rendering the HTML can cause queries, the complexity of a
these fields is raised by 5 above the default.

The markdown field helper can be used as follows:

      ```
      markdown_field :note_html, null: false
      ```

This would generate a field that will render the markdown field `note`
of the model. This could be overridden by adding the `method:`
argument. Passing a symbol for the method name:

      ```
      markdown_field :body_html, null: false, method: :note
      ```

It will have this description by default:

> The GitLab Flavored Markdown rendering of `note`

This could be overridden by passing a `description:` argument.

The type of a `markdown_field` is always `GraphQL::STRING_TYPE`.

Since we're not actually  loading commits in that loader, but we're
loading blobs with LFS oids in batch and returning only the oids.

This exposes all fields named `id` as GlobalIDs so they can be used
across our entire GraphQL implementation.

When the objects loaded are `ApplicationRecord`s. We'll use our
existing batchloading to find them. Otherwise, we'll fall back to the
default implementation of `GlobalID`: Calling the `.find` method on
the class.

We can query namespaces, and nested projects.

Projects now exposes statistics

Charlie Ablett authored 5 years ago and Charlie Ablett committed 5 years ago

- Comply doc with guidelines
- Improve tests for readability and completeness
- Separate out phases visually with newlines
- Add `format_message` test
- test readability
- code and test structure/styling
- static query analyzers
- call `as_json` on `provided_variables`
- add exception handling

Tidy tests according to reviewer comments.
Move complexity and depth calls from `initial_value` to `final_value`
Log variables as json

- Add changelog file
- Fix failing tests

Remove instance variables for class re-use, test individual methods,
use `monotonic_time`

- Modify GraphqlLogger to subclass JsonLogger
- Replace the single-line analyser with one that can log all the GraphQL
query related information in one place.
- Implement analyzer behavior with spec

Specify dedicated logfile and logger class for GraphQL queries. Move
complexity analyzer to a dedicated class.

Jan Provaznik authored 5 years ago and Bob Van Landuyt :neckbeard: committed 5 years ago

Extends existing graphql's tracer with opentracing measurements. Because
it also adds Tracing::Graphql class (for opentracing), it also renames
Graphql::Tracing class to Graphql::GenericTracing to minimize confusion
with similar class names.

With this we only check abilities on the rendered edges of a GraphQL
connection instead of all the nodes in it.

Extends graphql's platform tracing class to observe duration
of graphql methods.

In graphql 1.8.11 is added prometheus class but it's not very useful
for us because it uses prometheus_exporter to export results.

It makes all Types::BaseField default to a complexity of 1.

Queries themselves now have limited complexity, scaled
to the type of user: no user, authenticated user, or an
admin user.

Enables authorizations to be defined on GraphQL Types.

    module Types
      class ProjectType < BaseObject
        authorize :read_project
      end
    end

If a field has authorizations defined on it, and the return type of the
field also has authorizations defined on it. then all of the combined
permissions in the authorizations will be checked and must pass.

Connection fields are checked by "digging" to find the type class of the
"node" field in the expected location of edges->node.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54417

This reverts merge request !26569

Extends graphql's platform tracing class to observe duration
of graphql methods.

In graphql 1.8.11 is added prometheus class but it's not very useful
for us because it uses prometheus_exporter to export results.

Previously GraphQL field authorization happened like this:

    class ProjectType
      field :my_field, MyFieldType do
        authorize :permission
      end
    end

This change allowed us to authorize like this instead:

    class ProjectType
      field :my_field, MyFieldType, authorize: :permission
    end

A new initializer registers the `authorize` metadata keyword on GraphQL
Schema Objects and Fields, and we can collect this data within the
context of Instrumentation like this:

    field.metadata[:authorize]

The previous functionality of authorize is still being used for
mutations, as the #authorize method here is called at during the code
that executes during the mutation, rather than when a field resolves.

https://gitlab.com/gitlab-org/gitlab-ce/issues/57828

And add tests

And add tests