Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/system info #5087

Merged
merged 17 commits into from
Jun 19, 2019
Merged

Feature/system info #5087

merged 17 commits into from
Jun 19, 2019

Conversation

chrispotter
Copy link

@chrispotter chrispotter commented Apr 1, 2019
edited by aldeed
Loading

Initial Solution to #1948
Impact: major
Type: feature

Issue

This is the start to a system-info plugin that will offer information related to system

Solution

This is step one from Issue #1948 to add a new graphql schema to be referenced from the dashboard to show appVersion.

Testing

http://localhost:3000/graphql-alpha

{
  systemInformation(shopId: "cmVhY3Rpb24vc2hvcDpKOEJocTN1VHRkZ3daeDNyeg==") {
    apiVersion
    mongoVersion {
      version
    }
    plugins {
      name
      version
    }
  }
}

Use admin auth token and your correct primary shop ID.

@chrispotter chrispotter self-assigned this Apr 1, 2019
focusaurus
focusaurus approved these changes Apr 1, 2019
View reviewed changes
Copy link
Contributor

@focusaurus focusaurus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good!

@mikemurray
Copy link
Member

Maybe you're already thinking about this, but is this API going to remain public, or will it be behind auth of some kind? Since this is system info, it feels like it should be secured somehow.

@chrispotter
Copy link
Author

@mikemurray I was considering throwing in
if (!context.userHasPermission(["owner", "admin"], id)) throw new ReactionError("access-denied", "User does not have permission"); but while I was testing my graphql-fu wasn't high enough to pass in an acceptable user through graphql-alpha and I forgot to add back in after.

@aldeed do you agree this should be behind authentication?

@chrispotter
Copy link
Author

I think there is enough here for a PR with final review.

This can then be used when refactoring the admin page issue in #1948 when that is reconfigured to use updated API techniques. what do you think @focusaurus @aldeed ?

@chrispotter chrispotter marked this pull request as ready for review April 9, 2019 15:59
aldeed
aldeed requested changes Apr 9, 2019
View reviewed changes
Copy link
Contributor

@aldeed aldeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another round of comments

imports/plugins/core/system-info/server/no-meteor/queries/systemInformation.js Outdated Show resolved Hide resolved
imports/plugins/core/system-info/server/no-meteor/resolvers/Query/systemInformation.js Outdated Show resolved Hide resolved
imports/plugins/core/system-info/server/no-meteor/schemas/schema.graphql Show resolved Hide resolved
@ticean
Copy link
Member

ticean commented Apr 9, 2019

This should definitely be protected. We should not expose information like installed plugins to the public API. That would expose business secrets (ie which payment provider is used) as well as provide valuable information to attackers.

@aldeed
Copy link
Contributor

aldeed commented Apr 10, 2019
edited
Loading

@ticean In most cases it's going to be pretty obvious what payment provider is used. Frontend code will have stripe library, or you'll be redirected to paypal payment page, etc. But I'm fine with hiding plugin information from public API to be safe. What do you think about apiVersion field? Can we keep that public?

databaseInformation field should be admin-only.

@ticean
Copy link
Member

ticean commented Apr 10, 2019

I just used payment provider as an example. It doesn't matter if the users see which payment is used on the frontend. That doesn't expose which plugin and plugin version are providing the functionality. A plugin list does. Such a list provides mineable data that can be analyzed to describe all the functionalities the site has, the vulnerabilities available (via cross reference), and generally how up to date the site is keeping their dependencies.

I don't think any part of this endpoint should be public.

@chrispotter
Copy link
Author

chrispotter commented Apr 29, 2019
edited
Loading

I think this will effect this PR

nevermind, looks like shopId is passed rather than as a context variable.

@chrispotter chrispotter requested a review from aldeed April 29, 2019 20:42
@chrispotter
Copy link
Author

@aldeed i think this is ready for your review again!

aldeed
aldeed requested changes Jun 7, 2019
View reviewed changes
Copy link
Contributor

@aldeed aldeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@chrispotter A few new suggestions

imports/plugins/core/system-info/server/no-meteor/queries/systemInformation.js Outdated
@@ -0,0 +1,26 @@
import packageJson from "/package.json";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've started thinking about how we're soon wanting to move plugins to be npm packages. An import from outside the plugin like this one won't work in that case. At the moment, we only need the version. Instead, there are two files where new ReactionNodeApp() is done. You can import packageJson in those two files, and add the version to context in the ReactionNodeApp constructor options: appVersion: packageJson.version.

Then here you can use context.appVersion.

imports/plugins/core/system-info/server/no-meteor/queries/systemInformation.js Outdated

const mongoAdmin = await db.admin();
const mongoInfo = await mongoAdmin.serverStatus();
const plugins = await Packages.find({ shopId: { shopId }, version: { $ne: null } }, { projection: { name: 1, version: 1 } }).toArray();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since initially reviewing this, we've been talking more about trying to stop using the Packages collection. The problem is that the collection can get out of sync with what plugins are truly in the codebase. So it would be better to access the actual list of plugins that were registered when the app started up.

On context, context.app is the ReactionNodeApp instance. On that you can find the plugin config for all plugins on app.registeredPlugins object. So I think it would be something like this:

const plugins = Object.values(context.app.registeredPlugins);

The rest should be the same.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that unlike the Packages collection, registeredPlugins is NOT different per shopId. But I think you should keep the shopId param in GraphQL for the permission check and potential future use.

imports/plugins/core/system-info/server/no-meteor/schemas/schema.graphql Outdated
}
"Represents Reaction Plugin"
type Plugin {
"name of plugin"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All field descriptions should begin with a capital letter by convention. I guess our GraphQL linter does not check this.

Chris Potter added 11 commits June 12, 2019 11:25
Updates from linter
cb9ef93 
Signed-off-by: Chris Potter <[email protected]>
Corrected mongoDB query
dc67fba 
Signed-off-by: Chris Potter <[email protected]>
updates from code review including Shop ID and array map
0e66bdd 
Signed-off-by: Chris Potter <[email protected]>
removes version from resgister.js
3d32abe 
Signed-off-by: Chris Potter <[email protected]>
updates graphql queries with projection
dcc062d 
Signed-off-by: Chris Potter <[email protected]>
linting updates
8be4c86 
Signed-off-by: Chris Potter <[email protected]>
gql linter updates
2ee9f94 
Signed-off-by: Chris Potter <[email protected]>
fixes from graphql linter
08052d4 
Signed-off-by: Chris Potter <[email protected]>
Add description capitalization rule
777df00 
Signed-off-by: Chris Potter <[email protected]>
merge resolve
f17aded 
Signed-off-by: Chris Potter <[email protected]>
Updates from PR review
03c50e8 
Signed-off-by: Chris Potter <[email protected]>
@chrispotter chrispotter requested a review from aldeed June 12, 2019 15:34
@aldeed
Copy link
Contributor

aldeed commented Jun 19, 2019

Merged in latest develop to fix the startup bug, and then tested. Looks good!

@aldeed aldeed merged commit 056cd2b into develop Jun 19, 2019
@aldeed aldeed deleted the feature/system-info branch June 19, 2019 11:42
@jeffcorpuz jeffcorpuz mentioned this pull request Jul 2, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@focusaurus focusaurus focusaurus approved these changes

@aldeed aldeed aldeed approved these changes

@mikemurray mikemurray Awaiting requested review from mikemurray

Assignees

@chrispotter chrispotter

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@chrispotter @mikemurray @ticean @aldeed @focusaurus