Skip to content

Proxy Server for enforcing GraphQL Policies on TIBCO Cloud™ API Management

License

Notifications You must be signed in to change notification settings

TIBCOSoftware/tcapim-graphql-proxy

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

GraphQL Proxy for TIBCO Cloud™ API Management

Proxy Server for enforcing GraphQL Policies


GraphQL Proxy for TIBCO Cloud™ API Management is a Node.js application that is deployed on TIBCO Cloud™ Integration (TCI) and invoked as a preprocessor from TIBCO Cloud™ API Management. This application can help enforce below policies -

  • Max Query Depth - Specify the maximum allowed depth for the graphQL query
  • Allow Introspection - Option to allow/restrict introspection queries
  • Allow Mutation - Option to allow/restrict mutation queries
  • Restricted Objects - Control and restrict access to top-level objects

DISCLAIMER: The application provided in this repository is intended as an accelerator and should therefore be tested and verified independently prior to deployment into any production usage.

Table of Contents

  1. Overview
  2. Building the Application
  3. Configuring Application on TCI
  4. Configuring TIBCO Cloud API Management
    1. Area Level Configurations
    2. Endpoint Configuration
  5. Demo
  6. Known Limitations

Overview

The inline-proxy orchestrator capability of TIBCO Cloud™ API Management enables users to invoke any TCI application to pre- or post-process an API request. The tcapim-graphql-proxy application leverages the pre-processor functionality to validate the incoming graphql query. API Product Managers can define the graphql policies at Package Keys in TIBCO Cloud™ API Management. These policies are sourced to the Inline-proxy pre-processor for validation.

graphql-proxy-overview

The requests that fail to pass the validation rules are rejected by the Inline-proxy orchestrator, thus safeguarding the GraphQL backend from receiving any invalid queries.

Building the Application

This section describes the steps for building the application.

Prerequisites: GraphQL Schema
Application needs a schema of the graphql backend to validate the graphql query. This repository includes a Countries schema for a quick setup and can be used to test against the graphql service available at https://countries.trevorblades.com/graphql

  1. Clone this repository - git clone https://github.com/TIBCOSoftware/tcapim-graphql-proxy.git
  2. Rename your GraphQL Schema to schema.graphql
  3. Move schema.graphql to /package/src/config/
  4. Create the deployable package by executing -
    zip -r tcapim-graphql-proxy.zip package -x package/node_modules/\*
  5. Update the text tcapim-graphql-proxy in manifest.json to change the application and service name on TCI

This creates tcapim-graphql-proxy.zip artifacts needed for deployment along with the updated manifest.json

A short clip showing the above configurations -

todo-graphql-proxy.mp4

Configuring Application on TCI

This section describes the steps to deploy and configure the application on TIBCO Cloud Integration.

  1. Login to cloud.tibco.com and navigate to integration capability
  2. Use Create/Import option to create a new nodejs application
  3. Upload the tcapim-graphql-proxy.zip and manifest.json files
  4. Once the application is created, you can rename it or change the description as required
  5. Scale the application to bring it in Running State
  6. Update endpoint visibility to TIBCO Cloud™ Mesh. This ensures that the application can be discovered by TIBCO Cloud API Management

Configuring TIBCO Cloud API Management

Configuring TIBCO Cloud™ API Management for using the GraphQL Proxy application and configuring EAVs.

Area Level Configurations

❗ These configurations can be performed only by a TIBCO administrator. Please reach out to your Account Partner or Customer Success team to help with these configurations.

  1. Ensure that the area is enabled to use Inline-proxy Orchestrator
  2. Update the Package Keys Data Model to include the below EAVs
Name Label Type Description Default Value
max_query_depth Max Query Depth int Define Max Query Depth for Graphql endpoint. Set value as '0' to skip this validation. 3
allow_introspection Allow Introspection bool Enable introspection queries to the graphql backend false
allow_mutation Allow Mutations bool Enable mutations to the graphql backend false
restricted_objects Restricted Objects varchar Restrict access to the Objects (Comma Separated)

Endpoint Configuration

These configurations can be done by API Product Manager on the Endpoint exposing graphql backend. The high-level steps are -

  1. Configure the Pre-processor by discovering the inline-proxy orchestrator application
  2. Select headers & body in API Request Elements
  3. Configure EAVs to include max_query_depth, allow_introspection, allow_mutation and restricted_objects in Package Key fields
  4. Optionally update timeout settings

Below video demonstrates the configurations -

gql-proxy-configuration.mp4

Demo

Checkout this awesome demo that shows policies in action for the API requests from GraphQL playground!

gql-proxy-playground.mp4

Known Limitations

Inline-proxy orchestrator supports payload size of 1 Mb. Requests containing more than 1 Mb payload will be rejected.

License

This repository is governed by the license specified in the license file.

Help

This repository is a collaborative space for sharing samples for TIBCO Cloud API Management products. The samples provided here are maintained and supported by the user community. For raising any issues or questions related to the samples provided here please create a GitHub issue.

If you would like to contribute, please send us a note at [email protected]

About

Proxy Server for enforcing GraphQL Policies on TIBCO Cloud™ API Management

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 3

  •  
  •  
  •