Add Sanbox guardrails for mutations (#167)

Author: michaeljguarino

lib/console.ex

@@ -1,6 +1,10 @@
 defmodule Console do
   def conf(key, default \\ nil), do: Application.get_env(:console, key, default)
 
+  def sandbox?(), do: conf(:is_sandbox, false)
+
+  def demo_project?(), do: conf(:is_demo_project, false)
+
   def rand_str(size \\ 32) do
     :crypto.strong_rand_bytes(size)
     |> Base.url_encode64()

lib/console/configuration.ex

@@ -1,10 +1,11 @@
 defmodule Console.Configuration do
-  defstruct [:git_commit, :is_demo_project]
+  defstruct [:git_commit, :is_demo_project, :is_sandbox]
 
   def new() do
     %__MODULE__{
       git_commit: Console.conf(:git_commit),
       is_demo_project: Console.conf(:is_demo_project),
+      is_sandbox: Console.sandbox?()
     }
   end
 end

lib/console/graphql/middleware/sandboxed.ex

@@ -0,0 +1,11 @@
+defmodule Console.Middleware.Sandboxed do
+  @behaviour Absinthe.Middleware
+  alias Console.Schema.User
+
+  def call(resolution, _) do
+    case Console.sandbox?() do
+      true -> Absinthe.Resolution.put_result(resolution, {:error, "cannot perform this action in a sandbox environment"})
+      _ -> resolution
+    end
+  end
+end

lib/console/graphql/users.ex

@@ -1,7 +1,7 @@
 defmodule Console.GraphQl.Users do
   use Console.GraphQl.Schema.Base
   alias Console.GraphQl.Resolvers.User
-  alias Console.Middleware.{Authenticated, AdminRequired, AllowJwt}
+  alias Console.Middleware.{Authenticated, AdminRequired, AllowJwt, Sandboxed}
   alias Console.Schema.Notification.{Severity, Status}
 
   enum_from_list :permission, Console.Schema.Role, :permissions, []
@@ -216,6 +216,7 @@ defmodule Console.GraphQl.Users do
 
     field :signup, :user do
       middleware AllowJwt
+      middleware Sandboxed
       arg :invite_id, non_null(:string)
       arg :attributes, non_null(:user_attributes)
 
@@ -232,13 +233,15 @@ defmodule Console.GraphQl.Users do
 
     field :create_invite, :invite do
       middleware Authenticated
+      middleware Sandboxed
       arg :attributes, non_null(:invite_attributes)
 
       resolve safe_resolver(&User.create_invite/2)
     end
 
     field :update_user, :user do
       middleware Authenticated
+      middleware Sandboxed
       arg :id, :id
       arg :attributes, non_null(:user_attributes)
 
@@ -248,6 +251,7 @@ defmodule Console.GraphQl.Users do
     field :create_group, :group do
       middleware Authenticated
       middleware AdminRequired
+      middleware Sandboxed
       arg :attributes, non_null(:group_attributes)
 
       resolve safe_resolver(&User.create_group/2)
@@ -256,6 +260,7 @@ defmodule Console.GraphQl.Users do
     field :delete_group, :group do
       middleware Authenticated
       middleware AdminRequired
+      middleware Sandboxed
       arg :group_id, non_null(:id)
 
       resolve safe_resolver(&User.delete_group/2)
@@ -264,6 +269,7 @@ defmodule Console.GraphQl.Users do
     field :update_group, :group do
       middleware Authenticated
       middleware AdminRequired
+      middleware Sandboxed
       arg :group_id, non_null(:id)
       arg :attributes, non_null(:group_attributes)
 
@@ -273,6 +279,7 @@ defmodule Console.GraphQl.Users do
     field :create_group_member, :group_member do
       middleware Authenticated
       middleware AdminRequired
+      middleware Sandboxed
       arg :group_id, non_null(:id)
       arg :user_id, non_null(:id)
 
@@ -282,6 +289,7 @@ defmodule Console.GraphQl.Users do
     field :delete_group_member, :group_member do
       middleware Authenticated
       middleware AdminRequired
+      middleware Sandboxed
       arg :group_id, non_null(:id)
       arg :user_id, non_null(:id)
 
@@ -291,6 +299,7 @@ defmodule Console.GraphQl.Users do
     field :create_role, :role do
       middleware Authenticated
       middleware AdminRequired
+      middleware Sandboxed
       arg :attributes, non_null(:role_attributes)
 
       resolve safe_resolver(&User.create_role/2)
@@ -299,6 +308,7 @@ defmodule Console.GraphQl.Users do
     field :update_role, :role do
       middleware Authenticated
       middleware AdminRequired
+      middleware Sandboxed
       arg :id, non_null(:id)
       arg :attributes, non_null(:role_attributes)
 
@@ -308,6 +318,7 @@ defmodule Console.GraphQl.Users do
     field :delete_role, :role do
       middleware Authenticated
       middleware AdminRequired
+      middleware Sandboxed
       arg :id, non_null(:id)
 
       resolve safe_resolver(&User.delete_role/2)

lib/console/graphql/webhooks.ex

@@ -1,7 +1,7 @@
 defmodule Console.GraphQl.Webhooks do
   use Console.GraphQl.Schema.Base
   alias Console.GraphQl.Resolvers.Webhook
-  alias Console.Middleware.{Authenticated}
+  alias Console.Middleware.{Authenticated, Sandboxed}
   alias Console.Schema
 
   ecto_enum :webhook_type, Schema.Webhook.Type
@@ -33,13 +33,15 @@ defmodule Console.GraphQl.Webhooks do
   object :webhook_mutations do
     field :create_webhook, :webhook do
       middleware Authenticated
+      middleware Sandboxed
       arg :attributes, non_null(:webhook_attributes)
 
       resolve safe_resolver(&Webhook.create_webhook/2)
     end
 
     field :delete_webhook, :webhook do
       middleware Authenticated
+      middleware Sandboxed
       arg :id, non_null(:id)
 
       resolve safe_resolver(&Webhook.delete_webhook/2)

rel/config/console.exs

@@ -78,6 +78,7 @@ config :console,
   piazza_secret: get_env("PIAZZA_WEBHOOK_SECRET"),
   cluster_name: get_env("CLUSTER_NAME"),
   is_demo_project: !!get_env("IS_DEMO_PROJECT"),
+  is_sandbox: !!get_env("CONSOLE_SANDBOX"),
   provider: provider
 
 if String.starts_with?(git_url, "https") do