Merge branch 'master' into remove_metadata_file

.circleci/test-server-flags.sh

@@ -72,7 +72,7 @@ echoInfo "Test we didn't compile in the deveoper-only APIs"
 run_hge_with_flags
 
 code=$(curl -s -o /dev/null -w "%{http_code}"  http://localhost:8080/dev/plan_cache)
-if [ "$code" != "404" ]; then  
+if [ "$code" != "404" ]; then
   echo "Expected a dev endpoint to return 404, but got: $code"
   exit 1
 fi

.circleci/test-server.sh

@@ -529,6 +529,19 @@ pytest -n 1 -vv --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" -
 
 kill_hge_servers
 
+echo -e "\n$(time_elapsed): <########## TEST GRAPHQL-ENGINE WITH REMOTE SCHEMA PERMISSIONS ENABLED ########>\n"
+TEST_TYPE="remote-schema-permissions"
+export HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS=true
+
+run_hge_with_args serve
+wait_for_port 8080
+
+pytest -n 1 -vv --hge-urls "$HGE_URL" --pg-urls "$HASURA_GRAPHQL_DATABASE_URL" --hge-key="$HASURA_GRAPHQL_ADMIN_SECRET"  --enable-remote-schema-permissions test_remote_schema_permissions.py
+
+unset HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS
+
+kill_hge_servers
+
 echo -e "\n$(time_elapsed): <########## TEST GRAPHQL-ENGINE QUERY CACHING #####################################>\n"
 TEST_TYPE="query-caching"
 

.github/workflows/shadow-pr.yml

@@ -5,64 +5,143 @@ on:
 
 jobs:
   open-pr:
-    runs-on: ubuntu-latest
     if: ${{ startsWith(github.event.pull_request.body, '<!-- from mono -->') != true }}
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-
-      - name: Get all commit authors of pull request
-        uses: actions/github-script@v3
-        id: commit-authors
-        with:
-          github-token: ${{secrets.HASURA_BOT_GH_TOKEN}}
-          script: |
-            const pullRequestNumber = context.payload.number;
-
-            const commits = await github.pulls.listCommits({
+    - name: Get pull request
+      uses: actions/github-script@v3
+      id: pr
+      with:
+        github-token: ${{secrets.HASURA_BOT_GH_TOKEN}}
+        script: |
+          const pullRequestNumber = context.payload.number;
+
+          const pr = await github.pulls.get({
+            owner: 'hasura',
+            repo: 'graphql-engine',
+            pull_number: pullRequestNumber
+          });
+
+          if (pr.status != 200) {
+            core.setFailed('API request to get pull request returned non-success status code ' + pr.status);
+            return;
+          }
+
+          core.setOutput('ossPrBaseSha', pr.data.base.sha);
+          core.setOutput('ossPrTitle', pr.data.title);
+          core.setOutput('ossPrUrl', pr.data.html_url);
+
+          const fs = require('fs');
+          fs.writeFileSync('pr-body.txt', pr.data.body);
+
+          let kodiakCommitMessage = `<!-- kodiak-commit-message-body-start: do not remove/edit this line -->\n`;
+          kodiakCommitMessage += `GITHUB_PR_NUMBER: ${pullRequestNumber}\nGITHUB_PR_URL: ${pr.data.html_url}`;
+          fs.writeFileSync('kodiak-commit-message-body.txt', kodiakCommitMessage);
+
+    - name: Get all authors of the pull request
+      uses: actions/github-script@v3
+      id: commit-authors
+      with:
+        github-token: ${{secrets.HASURA_BOT_GH_TOKEN}}
+        script: |
+          const pullRequestNumber = context.payload.number;
+
+          const commits = await github.pulls.listCommits({
+            owner: 'hasura',
+            repo: 'graphql-engine',
+            pull_number: pullRequestNumber
+          });
+
+          if (commits.status != 200) {
+            core.setFailed('API request to get commits of pull request returned non-success status code ' + commits.status);
+            return;
+          }
+
+          let authors = commits.data.map(c => `${c.commit.author.name} <${c.commit.author.email}>`);
+          authors = Array.from(new Set(authors));
+          core.setOutput('allCommitAuthors', authors.join(','));
+          core.setOutput('coAuthoredBy', authors.map(author => `Co-authored-by: ${author}`).join('\n'));
+          core.setOutput('firstCommitAuthor', authors[0]);
+
+    - uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
+        token: ${{secrets.HASURA_BOT_GH_TOKEN}}
+        repository: hasura/graphql-engine-mono
+        path: graphql-engine-mono
+
+    - uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
+        repository: hasura/graphql-engine
+        path: graphql-engine
+
+    - name: "Merge and push pr branch"
+      env:
+        PR_NUMBER: ${{ github.event.number }}
+        PR_TITLE: ${{ steps.pr.outputs.ossPrTitle }}
+        PR_URL: ${{ steps.pr.outputs.ossPrUrl }}
+        PR_CO_AUTHORS: ${{ steps.commit-authors.outputs.coAuthoredBy }}
+        COMMIT_AUTHOR: ${{ steps.commit-authors.outputs.firstCommitAuthor }}
+      run: |
+        cp graphql-engine-mono/bot.gitconfig $HOME/.gitconfig
+
+        COMMIT_MESSAGE=$(printf "$PR_TITLE\n\n$PR_CO_AUTHORS\nGITHUB_PR_NUMBER: $PR_NUMBER\nGITHUB_PR_URL: $PR_URL")
+
+        mkdir -p graphql-engine-transforms
+
+        pushd graphql-engine
+          git fetch origin pull/$PR_NUMBER/head:migration-source
+          git checkout migration-source
+          git merge master
+
+          mv .circleci ../graphql-engine-transforms/oss-.circleci
+          mv .github ../graphql-engine-transforms/oss-.github
+          mv .gitignore ../graphql-engine-transforms/oss-.gitignore
+          rsync -av --delete ./* ../graphql-engine-mono --exclude .git
+        popd
+
+        rsync -av --delete graphql-engine-transforms/* graphql-engine-mono/
+
+        pushd graphql-engine-mono
+          git status
+          git add .
+          git commit --author="$COMMIT_AUTHOR" -m "$COMMIT_MESSAGE"
+          git checkout -b oss_pr_refs/pull/$PR_NUMBER/head
+          git push origin oss_pr_refs/pull/$PR_NUMBER/head -f
+        popd
+
+    - name: "Open pull request"
+      uses: actions/github-script@v3
+      with:
+        github-token: ${{secrets.HASURA_BOT_GH_TOKEN}}
+        script: |
+          const fs = require('fs');
+          const prBody = fs.readFileSync('pr-body.txt', 'utf-8');
+          const kodiakCommitMessage = fs.readFileSync('kodiak-commit-message-body.txt', 'utf-8');
+
+          let body = `This PR was migrated from ${{ steps.pr.outputs.ossPrUrl }} \n\n---\n`;
+          body += `${prBody} \n\n---\n\n`;
+          body += `### Kodiak commit message\nInformation used by [Kodiak bot](https://kodiakhq.com/) while merging this PR.\n\n`;
+          body += `#### Commit title\nSame as the title of this pull request\n\n`;
+          body += `#### Commit body\n(Append below if you want to add something to the commit body)\n\n${kodiakCommitMessage}`
+
+          try {
+            const pr = await github.pulls.create({
               owner: 'hasura',
-              repo: 'graphql-engine',
-              pull_number: pullRequestNumber
+              repo: 'graphql-engine-mono',
+              head: 'oss_pr_refs/pull/${{ github.event.number }}/head',
+              base: 'main',
+              title: '${{ steps.pr.outputs.ossPrTitle }}',
+              body,
             });
 
-            if (commits.status != 200) {
-              core.setFailed('API request to get commits of pull request returned non-success status code ' + commits.status);
-              return;
+            console.log('Migrated PR in graphql-engine-mono = ', pr.data.html_url);
+          } catch (err) {
+            if (err.message.includes('pull request already exists')) {
+              console.log(`Skipping pull request creation: ${err.message}`);
+            } else {
+              console.error(err);
+              core.setFailed(`Failed to create pull request: ${err.message}`);
             }
-
-            let authors = commits.data.map(function(c) { return `${c.commit.author.name} <${c.commit.author.email}>`; });
-            authors = Array.from(new Set(authors));
-            authors = authors.join(',');
-            core.setOutput('allCommitAuthors', authors);
-
-      - name: "Shadow pull request"
-        env:
-          PR_NUMBER: ${{ github.event.number }}
-          GH_USERNAME: hasura-bot
-          GH_CREDS: $GH_USERNAME:${{ secrets.HASURA_BOT_GH_TOKEN }}
-          GH_SSH_KEY: ${{ secrets.HASURA_BOT_SSH_KEY }}
-          GH_BASE_REPO_HEAD_SHA: ${{ github.event.pull_request.base.sha }}
-          ALL_COMMIT_AUTHORS: ${{ steps.commit-authors.outputs.allCommitAuthors }}
-        run: |
-          touch .git-credentials
-          echo "https://$GH_CREDS@api.github.com" >> .git-credentials
-          echo "https://$GH_CREDS@github.com" >> .git-credentials
-
-          mkdir .ssh
-          echo "$GH_SSH_KEY" | tr -d '\r' > .ssh/id_rsa
-          chmod 400 .ssh/id_rsa
-          ssh-keyscan -t rsa github.com > .ssh/known_hosts
-
-          docker run --rm \
-            -v ${PWD}/.git-credentials:/root/.git-credentials \
-            -v ${PWD}/.ssh:/root/.ssh \
-            -v ${PWD}/.github/workflows/bot.gitconfig:/root/.gitconfig \
-            -v ${PWD}/.github/workflows:/usr/src/app \
-            --env COPYBARA_CONFIG=copy.bara.sky \
-            --env COPYBARA_SUBCOMMAND=migrate \
-            --env COPYBARA_OPTIONS="--ignore-noop --last-rev $GH_BASE_REPO_HEAD_SHA" \
-            --env COPYBARA_WORKFLOW="shadow-pr" \
-            --env COPYBARA_SOURCEREF=$PR_NUMBER \
-            --env ALL_COMMIT_AUTHORS="$ALL_COMMIT_AUTHORS" \
-            ghcr.io/scriptnull/copybara:latest copybara
+          }

.kodiak.toml

@@ -83,17 +83,17 @@ title = "pull_request_title" # default: "github_default", options: "github_defau
 # to create the body text of a merge commit. `"pull_request_body"` uses the
 # content of the PR to generate the body content while `"empty"` sets an empty
 # body.
-body = "empty" # default: "github_default", options: "github_default", "pull_request_body", "empty"
+body = "pull_request_body" # default: "github_default", options: "github_default", "pull_request_body", "empty"
 
 # Append the Pull Request URL to the merge message. Makes navigating to the PR
 # from the commit easier.
-include_pull_request_url = true # default: false
+include_pull_request_url = false # default: false
 
 # Add the PR number to the merge commit title. This setting replicates GitHub's
 # behavior of automatically adding the PR number to the title of merges created
 # through the UI. This option only applies when `merge.message.title` does not
 # equal `"github_default"`.
-include_pr_number = true # default: true
+include_pr_number = false # default: true
 
 # Control the text used in the merge commit. The GitHub default is markdown, but
 # `"plain_text"` or `"html"` can be used to render the pull request body as text
@@ -104,7 +104,15 @@ body_type = "markdown" # default: "markdown", options: "plain_text", "markdown",
 # Strip HTML comments (`<!-- some HTML comment -->`) from merge commit body.
 # This setting is useful for stripping HTML comments created by PR templates.
 # This option only applies when `merge.message.body_type = "markdown"`.
-strip_html_comments = false # default: false
+strip_html_comments = true # default: false
+
+# Remove all content before the configured string in the pull request body.
+# This setting is useful when we want to include only a part of the pull request
+# description as the commit message.
+# This option only applies when `merge.message.body_type = "markdown"`.
+cut_body_before = "<!-- kodiak-commit-message-body-start: do not remove/edit this line -->"
+
+include_coauthors = true
 
 [update]
 

CHANGELOG.md

@@ -41,19 +41,38 @@ mutations:
     }
 ```
 
+### Remote schema permissions
+
+Now, permissions can be configured for remote schemas as well, which works similar
+to the permissions system of the postgres tables. Fields/arguments can be removed from the
+schema and arguments can also be preset to limit the role from having unrestricted
+access over it.
+
+*NOTE*: To enable remote schema permissions, the graphql-engine needs to be started
+either with the server flag ``--enable-remote-schema-permissions`` or the environment
+variable ``HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS`` set to ``true``.
+
 ### Breaking changes
 
-This release contains the [PDV refactor (#4111)](https://github.com/hasura/graphql-engine/pull/4111), a significant rewrite of the internals of the server, which did include some breaking changes:
+- This release contains the [PDV refactor (#4111)](https://github.com/hasura/graphql-engine/pull/4111), a significant rewrite of the internals of the server, which did include some breaking changes:
 
-- The semantics of explicit `null` values in `where` filters have changed according to the discussion in [issue 704](https://github.com/hasura/graphql-engine/issues/704#issuecomment-635571407): an explicit `null` value in a comparison input object will be treated as an error rather than resulting in the expression being evaluated to `True`. For instance: `delete_users(where: {id: {_eq: $userId}}) { name }` will yield an error if `$userId` is `null` instead of deleting all users.
-- The validation of required headers has been fixed (closing #14 and #3659):
-  - if a query selects table `bar` through table `foo` via a relationship, the required permissions headers will be the union of the required headers of table `foo` and table `bar` (we used to only check the headers of the root table);
-  - if an insert does not have an `on_conflict` clause, it will not require the update permissions headers.
+   - The semantics of explicit `null` values in `where` filters have changed according to the discussion in [issue 704](https://github.com/hasura/graphql-engine/issues/704#issuecomment-635571407): an explicit `null` value in a comparison input object will be treated as an error rather than resulting in the expression being evaluated to `True`. For instance: `delete_users(where: {id: {_eq: $userId}}) { name }` will yield an error if `$userId` is `null` instead of deleting all users.
+   - The validation of required headers has been fixed (closing #14 and #3659):
+     - if a query selects table `bar` through table `foo` via a relationship, the required permissions headers will be the union of the required headers of table `foo` and table `bar` (we used to only check the headers of the root table);
+     - if an insert does not have an `on_conflict` clause, it will not require the update permissions headers.
+
+This release contains the remote schema permissions feature, which introduces a breaking change:
+
+Earlier, remote schemas were considered to be a public entity and all the roles had unrestricted
+access to the remote schema. If remote schema permissions are enabled in the graphql-engine, a given
+remote schema will only be accessible to a role ,if the role has permissions configured for the said remote schema
+and be accessible according to the permissions that were configured for the role.
 
 ### Bug fixes and improvements
 
 (Add entries here in the order of: server, console, cli, docs, others)
 
+- server: fix a regression where variables in fragments weren't accepted (fix #6303)
 - server: output stack traces when encountering conflicting GraphQL types in the schema
 - server: add `--websocket-compression` command-line flag for enabling websocket compression (fix #3292)
 - server: some mutations that cannot be performed will no longer be in the schema (for instance, `delete_by_pk` mutations won't be shown to users that do not have select permissions on all primary keys) (#4111)
@@ -65,15 +84,21 @@ This release contains the [PDV refactor (#4111)](https://github.com/hasura/graph
 - server: support joining Int or String scalar types to ID scalar type in remote relationship
 - server: add support for POSIX operators (close #4317) (#6172)
 - server: do not block catalog migration on inconsistent metadata
+- server: update `forkImmortal` function to log more information, i.e log starting of threads and log asynchronous and synchronous exception.
+- server: various changes to ensure timely cleanup of background threads and other resources in the event of a SIGTERM signal.
+- server: fix issue when the `relationships` field in `objects` field is passed `[]` in the `set_custom_types` API (fix #6357)
 - console: allow user to cascade Postgres dependencies when dropping Postgres objects (close #5109) (#5248)
 - console: mark inconsistent remote schemas in the UI (close #5093) (#5181)
 - console: remove ONLY as default for ALTER TABLE in column alter operations (close #5512) #5706
 - console: add option to flag an insertion as a migration from `Data` section (close #1766) (#4933)
 - console: down migrations improvements (close #3503, #4988) (#4790)
 - console: allow setting computed fields for views (close #6168) (#6174)
 - console: select first operator by default on the browse rows screen (close #5729) (#6032)
+- console: fix allow-list not getting added to metadata/allow_list.yaml in CLI mode (close #6374)
+- console: misc bug fixes (close #4785, #6330, #6288)
 - cli: add missing global flags for seed command (#5565)
 - cli: allow seeds as alias for seed command (#5693)
+- cli: fix action timeouts not being picked up in metadata operations (#6220)
 - build: add `test_server_pg_13` to the CI to run the server tests on Postgres v13 (#6070)
 
 ## v1.3.3

cli/metadata/actions/actions.go

@@ -124,6 +124,7 @@ input SampleInput {
 		for oldActionIndex, oldActionObj := range oldAction.Actions {
 			if action.Name == oldActionObj.Name {
 				sdlFromResp.Actions[actionIndex].Permissions = oldAction.Actions[oldActionIndex].Permissions
+				sdlFromResp.Actions[actionIndex].Definition.Timeout = oldAction.Actions[oldActionIndex].Definition.Timeout
 				sdlFromResp.Actions[actionIndex].Definition.Kind = oldAction.Actions[oldActionIndex].Definition.Kind
 				sdlFromResp.Actions[actionIndex].Definition.Type = oldAction.Actions[oldActionIndex].Definition.Type
 				sdlFromResp.Actions[actionIndex].Definition.Handler = oldAction.Actions[oldActionIndex].Definition.Handler
@@ -295,6 +296,7 @@ func (a *ActionConfig) Build(metadata *yaml.MapSlice) error {
 			if action.Name == newActionObj.Name {
 				isFound = true
 				sdlFromResp.Actions[newActionIndex].Permissions = oldAction.Actions[actionIndex].Permissions
+				sdlFromResp.Actions[newActionIndex].Definition.Timeout = oldAction.Actions[actionIndex].Definition.Timeout
 				sdlFromResp.Actions[newActionIndex].Definition.Kind = oldAction.Actions[actionIndex].Definition.Kind
 				sdlFromResp.Actions[newActionIndex].Definition.Handler = oldAction.Actions[actionIndex].Definition.Handler
 				sdlFromResp.Actions[newActionIndex].Definition.ForwardClientHeaders = oldAction.Actions[actionIndex].Definition.ForwardClientHeaders

cli/metadata/actions/types/types.go

@@ -73,6 +73,7 @@ type ActionDef struct {
 	OutputType           string          `json:"output_type" yaml:"output_type,omitempty"`
 	ForwardClientHeaders bool            `json:"-" yaml:"forward_client_headers,omitempty"`
 	Headers              []yaml.MapSlice `json:"-" yaml:"headers,omitempty"`
+	Timeout              int             `json:"-" yaml:"timeout,omitempty"`
 }
 
 type CustomTypes struct {