feat(router): HMAC based Subgraph Auth

Author: ardatan

Cargo.lock

@@ -8,6 +8,7 @@
 |[**csrf**](#csrf)|`object`|Configuration for CSRF prevention.<br/>Default: `{"enabled":false,"required_headers":[]}`<br/>||
 |[**graphiql**](#graphiql)|`object`|Configuration for the GraphiQL interface.<br/>Default: `{"enabled":true}`<br/>||
 |[**headers**](#headers)|`object`|Configuration for the headers.<br/>Default: `{}`<br/>||
+|[**hmac\_signature**](#hmac_signature)|`object`||yes|
 |[**http**](#http)|`object`|Configuration for the HTTP server/listener.<br/>Default: `{"host":"0.0.0.0","port":4000}`<br/>||
 |[**jwt**](#jwt)|`object`|Configuration for JWT authentication plugin.<br/>|yes|
 |[**log**](#log)|`object`|The router logger configuration.<br/>Default: `{"filter":null,"format":"json","level":"info"}`<br/>||
@@ -57,6 +58,8 @@ headers:
             default: unknown
             named: x-tenant-id
             rename: x-acct-tenant
+hmac_signature:
+  extension_name: hmac_signature
 http:
   host: 0.0.0.0
   port: 4000
@@ -1341,6 +1344,24 @@ For more information on the available functions and syntax, see the
 |**expression**|`string`||yes|
 
 
+<a name="hmac_signature"></a>
+## hmac\_signature: object
+
+**Properties**
+
+|Name|Type|Description|Required|
+|----|----|-----------|--------|
+|**enabled**|||yes|
+|**extension\_name**|`string`|Default: `"hmac_signature"`<br/>|no|
+|**secret**|`string`||yes|
+
+**Example**
+
+```yaml
+extension_name: hmac_signature
+
+```
+
 <a name="http"></a>
 ## http: object
 

docs/README.md

@@ -50,6 +50,9 @@ ryu = "1.0.20"
 indexmap = "2.10.0"
 bumpalo = "3.19.0"
 once_cell = "1.21.3"
+hmac = "0.12.1"
+sha2 = "0.10.9"
+hex = "0.4.3"
 
 [dev-dependencies]
 subgraphs = { path = "../../bench/subgraphs" }

lib/executor/Cargo.toml

@@ -708,6 +708,7 @@ impl<'exec, 'req> Executor<'exec, 'req> {
             representations,
             headers: headers_map,
             extensions: None,
+            client_request: self.client_request,
         };
 
         if let Some(jwt_forwarding_plan) = &self.jwt_forwarding_plan {
@@ -722,7 +723,7 @@ impl<'exec, 'req> Executor<'exec, 'req> {
             subgraph_name: node.service_name.clone(),
             response: self
                 .executors
-                .execute(&node.service_name, subgraph_request, self.client_request)
+                .execute(&node.service_name, subgraph_request)
                 .await
                 .into(),
         }))

lib/executor/src/execution/plan.rs

@@ -5,11 +5,13 @@ use bytes::Bytes;
 use http::HeaderMap;
 use sonic_rs::Value;
 
+use crate::execution::client_request_details::ClientRequestDetails;
+
 #[async_trait]
 pub trait SubgraphExecutor {
-    async fn execute<'a>(
+    async fn execute<'exec, 'req>(
         &self,
-        execution_request: HttpExecutionRequest<'a>,
+        execution_request: HttpExecutionRequest<'exec, 'req>,
     ) -> HttpExecutionResponse;
 
     fn to_boxed_arc<'a>(self) -> Arc<Box<dyn SubgraphExecutor + Send + Sync + 'a>>
@@ -26,18 +28,19 @@ pub type SubgraphExecutorBoxedArc = Arc<Box<SubgraphExecutorType>>;
 
 pub type SubgraphRequestExtensions = HashMap<String, Value>;
 
-pub struct HttpExecutionRequest<'a> {
-    pub query: &'a str,
+pub struct HttpExecutionRequest<'exec, 'req> {
+    pub query: &'exec str,
     pub dedupe: bool,
-    pub operation_name: Option<&'a str>,
+    pub operation_name: Option<&'exec str>,
     // TODO: variables could be stringified before even executing the request
-    pub variables: Option<HashMap<&'a str, &'a sonic_rs::Value>>,
+    pub variables: Option<HashMap<&'exec str, &'exec sonic_rs::Value>>,
     pub headers: HeaderMap,
     pub representations: Option<Vec<u8>>,
     pub extensions: Option<SubgraphRequestExtensions>,
+    pub client_request: &'exec ClientRequestDetails<'exec, 'req>,
 }
 
-impl HttpExecutionRequest<'_> {
+impl HttpExecutionRequest<'_, '_> {
     pub fn add_request_extensions_field(&mut self, key: String, value: Value) {
         self.extensions
             .get_or_insert_with(HashMap::new)

lib/executor/src/executors/common.rs

@@ -20,6 +20,12 @@ pub enum SubgraphExecutorError {
     RequestFailure(String, String),
     #[error("Failed to serialize variable \"{0}\": {1}")]
     VariablesSerializationFailure(String, String),
+    #[error("Failed to serialize extension \"{0}\": {1}")]
+    ExtensionSerializationFailure(String, String),
+    #[error("Failed to build HMAC expression for subgraph '{0}'. Please check your VRL expression for syntax errors. Diagnostic: {1}")]
+    HMACExpressionBuild(String, String),
+    #[error("HMAC signature error: {0}")]
+    HMACSignatureError(String),
 }
 
 impl From<SubgraphExecutorError> for GraphQLError {
@@ -61,6 +67,13 @@ impl SubgraphExecutorError {
             SubgraphExecutorError::VariablesSerializationFailure(_, _) => {
                 "SUBGRAPH_VARIABLES_SERIALIZATION_FAILURE"
             }
+            SubgraphExecutorError::ExtensionSerializationFailure(_, _) => {
+                "SUBGRAPH_EXTENSION_SERIALIZATION_FAILURE"
+            }
+            SubgraphExecutorError::HMACSignatureError(_) => "SUBGRAPH_HMAC_SIGNATURE_ERROR",
+            SubgraphExecutorError::HMACExpressionBuild(_, _) => {
+                "SUBGRAPH_HMAC_EXPRESSION_BUILD_FAILURE"
+            }
         }
     }
 }

lib/executor/src/executors/error.rs

@@ -1,23 +1,28 @@
+use std::collections::BTreeMap;
 use std::sync::Arc;
 
 use crate::executors::common::HttpExecutionResponse;
 use crate::executors::dedupe::{request_fingerprint, ABuildHasher, SharedResponse};
+use crate::utils::expression::execute_expression_with_value;
 use dashmap::DashMap;
 use hive_router_config::HiveRouterConfig;
 use tokio::sync::OnceCell;
 
 use async_trait::async_trait;
 
 use bytes::{BufMut, Bytes, BytesMut};
+use hmac::{Hmac, Mac};
 use http::HeaderMap;
 use http::HeaderValue;
 use http_body_util::BodyExt;
 use http_body_util::Full;
 use hyper::Version;
 use hyper_tls::HttpsConnector;
 use hyper_util::client::legacy::{connect::HttpConnector, Client};
+use sha2::Sha256;
 use tokio::sync::Semaphore;
 use tracing::debug;
+use vrl::compiler::Program as VrlProgram;
 
 use crate::executors::common::HttpExecutionRequest;
 use crate::executors::error::SubgraphExecutorError;
@@ -27,6 +32,7 @@ use crate::utils::consts::COLON;
 use crate::utils::consts::COMMA;
 use crate::utils::consts::QUOTE;
 use crate::{executors::common::SubgraphExecutor, json_writer::write_and_escape_string};
+use vrl::core::Value as VrlValue;
 
 #[derive(Debug)]
 pub struct HTTPSubgraphExecutor {
@@ -37,13 +43,23 @@ pub struct HTTPSubgraphExecutor {
     pub semaphore: Arc<Semaphore>,
     pub config: Arc<HiveRouterConfig>,
     pub in_flight_requests: Arc<DashMap<u64, Arc<OnceCell<SharedResponse>>, ABuildHasher>>,
+    pub should_sign_hmac: BooleanOrProgram,
 }
 
 const FIRST_VARIABLE_STR: &[u8] = b",\"variables\":{";
 const FIRST_QUOTE_STR: &[u8] = b"{\"query\":";
+const FIRST_EXTENSION_STR: &[u8] = b",\"extensions\":{";
 
 pub type HttpClient = Client<HttpsConnector<HttpConnector>, Full<Bytes>>;
 
+type HmacSha256 = Hmac<Sha256>;
+
+#[derive(Debug)]
+pub enum BooleanOrProgram {
+    Boolean(bool),
+    Program(Box<VrlProgram>),
+}
+
 impl HTTPSubgraphExecutor {
     pub fn new(
         subgraph_name: String,
@@ -52,6 +68,7 @@ impl HTTPSubgraphExecutor {
         semaphore: Arc<Semaphore>,
         config: Arc<HiveRouterConfig>,
         in_flight_requests: Arc<DashMap<u64, Arc<OnceCell<SharedResponse>>, ABuildHasher>>,
+        should_sign_hmac: BooleanOrProgram,
     ) -> Self {
         let mut header_map = HeaderMap::new();
         header_map.insert(
@@ -71,12 +88,13 @@ impl HTTPSubgraphExecutor {
             semaphore,
             config,
             in_flight_requests,
+            should_sign_hmac,
         }
     }
 
-    fn build_request_body<'a>(
+    fn build_request_body<'exec, 'req>(
         &self,
-        execution_request: &HttpExecutionRequest<'a>,
+        execution_request: &HttpExecutionRequest<'exec, 'req>,
     ) -> Result<Vec<u8>, SubgraphExecutorError> {
         let mut body = Vec::with_capacity(4096);
         body.put(FIRST_QUOTE_STR);
@@ -118,13 +136,89 @@ impl HTTPSubgraphExecutor {
             body.put(CLOSE_BRACE);
         }
 
-        if let Some(extensions) = &execution_request.extensions {
-            if !extensions.is_empty() {
-                let as_value = sonic_rs::to_value(extensions).unwrap();
+        let should_sign_hmac = match &self.should_sign_hmac {
+            BooleanOrProgram::Boolean(b) => *b,
+            BooleanOrProgram::Program(expr) => {
+                // .subgraph
+                let subgraph_value = VrlValue::Object(BTreeMap::from([(
+                    "name".into(),
+                    VrlValue::Bytes(Bytes::from(self.subgraph_name.to_owned())),
+                )]));
+                // .request
+                let request_value: VrlValue = execution_request.client_request.into();
+                let target_value = VrlValue::Object(BTreeMap::from([
+                    ("subgraph".into(), subgraph_value),
+                    ("request".into(), request_value),
+                ]));
+                let result = execute_expression_with_value(expr, target_value);
+                match result {
+                    Ok(VrlValue::Boolean(b)) => b,
+                    Ok(_) => {
+                        return Err(SubgraphExecutorError::HMACSignatureError(
+                            "HMAC signature expression did not evaluate to a boolean".to_string(),
+                        ));
+                    }
+                    Err(e) => {
+                        return Err(SubgraphExecutorError::HMACSignatureError(format!(
+                            "HMAC signature expression evaluation error: {}",
+                            e
+                        )));
+                    }
+                }
+            }
+        };
 
-                body.put(COMMA);
-                body.put("\"extensions\":".as_bytes());
-                body.extend_from_slice(as_value.to_string().as_bytes());
+        let hmac_signature_ext = if should_sign_hmac {
+            let mut mac = HmacSha256::new_from_slice(self.config.hmac_signature.secret.as_bytes())
+                .map_err(|e| {
+                    SubgraphExecutorError::HMACSignatureError(format!(
+                        "Failed to create HMAC instance: {}",
+                        e
+                    ))
+                })?;
+            let mut body_without_extensions = body.clone();
+            body_without_extensions.put(CLOSE_BRACE);
+            mac.update(&body_without_extensions);
+            let result = mac.finalize();
+            let result_bytes = result.into_bytes();
+            Some(result_bytes)
+        } else {
+            None
+        };
+
+        if let Some(extensions) = &execution_request.extensions {
+            let mut first = true;
+            if let Some(hmac_bytes) = hmac_signature_ext {
+                if first {
+                    body.put(FIRST_EXTENSION_STR);
+                    first = false;
+                } else {
+                    body.put(COMMA);
+                }
+                body.put(self.config.hmac_signature.extension_name.as_bytes());
+                let hmac_hex = hex::encode(hmac_bytes);
+                body.put(QUOTE);
+                body.put(hmac_hex.as_bytes());
+                body.put(QUOTE);
+            }
+            for (extension_name, extension_value) in extensions {
+                if first {
+                    body.put(FIRST_EXTENSION_STR);
+                    first = false;
+                } else {
+                    body.put(COMMA);
+                }
+                body.put(QUOTE);
+                body.put(extension_name.as_bytes());
+                body.put(QUOTE);
+                body.put(COLON);
+                let value_str = sonic_rs::to_string(extension_value).map_err(|err| {
+                    SubgraphExecutorError::ExtensionSerializationFailure(
+                        extension_name.to_string(),
+                        err.to_string(),
+                    )
+                })?;
+                body.put(value_str.as_bytes());
             }
         }
 
@@ -210,9 +304,9 @@ impl HTTPSubgraphExecutor {
 #[async_trait]
 impl SubgraphExecutor for HTTPSubgraphExecutor {
     #[tracing::instrument(skip_all, fields(subgraph_name = self.subgraph_name))]
-    async fn execute<'a>(
+    async fn execute<'exec, 'req>(
         &self,
-        execution_request: HttpExecutionRequest<'a>,
+        execution_request: HttpExecutionRequest<'exec, 'req>,
     ) -> HttpExecutionResponse {
         let body = match self.build_request_body(&execution_request) {
             Ok(body) => body,