The open-source Spring Cloud Gateway project includes a number of built-in filters for use in Gateway routes. The following commercial filters provided by VMware Spring Cloud Gateway for Kubernetes can be used in addition to those included in the OSS project.

RestrictGraphQLOperationCount

The RestrictGraphQLOperationCount filter offers protection for your GraphQL APIs from requests containing large numbers of operations. For example:

{
  "query": "query Query1 { ... } mutation Mutation1 { ... } ... query QueryN { ... }",
  "operationName": "Query10"
}

To use the RestrictGraphQLOperationCount filter, apply it to a route:

apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGatewayRouteConfig
metadata:
  name: test-gateway-routes
spec:
  service:
    name: my-graphql-server
  routes:
    - predicates:
        - Path=/graphql/**
      filters:
        - RestrictGraphQLOperationCount=3

The filter configuration takes a single, positive integer argument that specifies the maximum allowed number of GraphQL operations in a single request.

The behavior of the filter is as follows:

  • Requests containing a number of GraphQL operations which is less than or equal to the specified limit are routed to the specified service.
  • Requests containing a number of GraphQL operations which is greater than the specified limit are rejected with a 403 Forbidden response.
  • Malformed GraphQL requests are rejected with a 400 Bad Request response.
  • Requests made with HTTP methods other than GET and POST are rejected with a 405 Method Not Allowed response.
  • Requests made with the GET method and specifying the Mutation operation type are rejected with a 405 Method Not Allowed response.

RestrictGraphQLOperationDepth

The RestrictGraphQLOperationDepth filter offers protection for your GraphQL APIs from excessively nested operations. An example of such a deeply nested query is shown in the following:

query AuthorById($authorId: ID!) {  # depth 0
  authorById(id: $authorId) {       # depth 1
    books {                         # depth 2
      author {                      # depth 3
        books {                     # depth 4
          author {                  # depth 5
            books {                 # depth 6
              ...                   # depth n
            }
          }
        }
      }
    }
  }
}

The filter also applies to mutations, because mutations must specify their desired response, similar to a query. For example:

mutation AddBook($bookId: ID!, $title: String!, $pageCount: Int!, $authorId: ID!) {  # depth 0
  addBook(id: $bookId, title: $title, pageCount: $pageCount, authorId: $authorId) {  # depth 1
    author {                                                                         # depth 2
      books {                                                                        # depth 3
        author {                                                                     # depth 4
          books {                                                                    # depth 5
            author {                                                                 # depth 6
              ...                                                                    # depth n
            }
          }
        }
      }
    }
  }
}

To use the RestrictGraphQLOperationDepth filter, apply it to a route:

apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGatewayRouteConfig
metadata:
  name: test-gateway-routes
spec:
  service:
    name: my-graphql-server
  routes:
    - predicates:
        - Path=/graphql/**
      filters:
        - RestrictGraphQLOperationDepth=3

The filter configuration takes a single, positive integer argument which specifies the maximum allowed operation depth.

The behavior of the filter is as follows:

  • Requests specifying GraphQL operations with a depth less than or equal to the specified depth are routed to the specified service.
  • Requests specifying GraphQL operations with a depth greater than the specified depth are rejected with a 403 Forbidden response.
  • Malformed GraphQL requests are rejected with a 400 Bad Request response.
  • Requests made with HTTP methods other than GET and POST are rejected with a 405 Method Not Allowed response.
  • Requests made with the GET method and specifying the Mutation operation type are rejected with a 405 Method Not Allowed response.

RestrictGraphQLType

The RestrictGraphQLType filter applies Role Based Access Control (RBAC) to GraphQL operations. To use operations protected by the filter, users must be authenticated and must have been granted one or more of the specified roles. For more about roles and RBAC authorization, see Single Sign-On and JwtKey filter.

To use the RestrictGraphQLType filter, apply it to a route:

apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGatewayRouteConfig
metadata:
  name: test-gateway-routes
spec:
  service:
    name: my-graphql-server
  routes:
    - predicates:
        - Path=/graphql/**
      filters:
        # Users must have the EDITOR or ADMIN role in order to access Query type entry points.
        - RestrictGraphQLType=Query,EDITOR;ADMIN
        # Users must have the ADMIN role in order to access Mutation type entry points.
        # Note that the filter can be specified multiple times on the same route to apply
        # different policies to the different types of operation.
        - RestrictGraphQLType=Mutation,ADMIN

The filter configuration takes a list of two comma-delimited arguments:

  1. The type of operation to restrict access to. This must be one of Query, Mutation or All. All makes the filter apply to both Query and Mutation operation types.
  2. A list of roles required to access the restricted operations, separated by semicolons. The empty list is not allowed.

The behavior of the filter is as follows:

  • Requests specifying a GraphQL operation type that matches the type specified in the filter configuration must carry one of the specified roles in their authentication to be allowed through the filter; otherwise they are rejected with a 403 Forbidden response.
  • Requests specifying GraphQL operation types that do not match the type specified in the filter configuration are ignored by the filter and passed on through the filter chain. Therefore, to apply RBAC to both Query and Mutation operations, you must apply the filter twice, or set the filter's operation type to All.
  • Malformed GraphQL requests are rejected with a 400 Bad Request response.
  • Requests made with HTTP methods other than GET and POST are rejected with a 405 Method Not Allowed response.
  • Requests made with the GET method and specifying the Mutation operation type are rejected with a 405 Method Not Allowed response.
  • Requests specifying the Subscription operation type are not supported and are rejected with a 500 Internal Server Error response.
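The following Python model is added here as an illustration and is not part of VMware Spring Cloud Gateway for Kubernetes; it reproduces the decision rules listed above for all three filters (operation count, operation depth counted as in the annotated examples, and role checks per operation type) over documents constructed inline. The order of the checks, the exclusion of fragment bodies from the depth count, the treatment of a missing operationName as "all operations in the document", and the assumption that arguments contain no inline {...} object literals are assumptions, not documented behaviour.

```python
import re
# Constructed sample (not from the page), shaped like the page's AuthorById example; nesting depth is 4.
DEEP_QUERY = "query AuthorById($authorId: ID!) { authorById(id: $authorId) { books { author { name } } } }"

def analyze(doc):
    # Returns ([(type, name), ...], max_depth); depth as in the page's examples: operation 0, +1 per nesting.
    doc = re.sub(r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"|#[^\n]*', '""', doc)  # hide braces in strings/comments
    ops, depth, max_depth, current, prev = [], 0, 0, None, None
    for tok in re.findall(r"[{}]|[A-Za-z_]\w*|[^\s{}A-Za-z_]+", doc):
        if tok == "{":
            if depth == 0:
                current = current or ["query", None]  # shorthand "{ ... }" is an anonymous query
                if current[0] != "fragment":
                    ops.append(tuple(current))
            depth += 1
            if current[0] != "fragment":              # fragment bodies are not counted as depth
                max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced selection set")
            current = current if depth else None
        elif depth == 0:
            if tok in ("query", "mutation", "subscription", "fragment"):
                current = [tok, None]
            elif current and prev == current[0] and re.fullmatch(r"[A-Za-z_]\w*", tok):
                current[1] = tok                      # the name directly after the keyword
        prev = tok
    if depth != 0 or not ops:
        raise ValueError("malformed GraphQL document")
    return ops, max_depth

def decide(method, document, operation_name=None, max_operations=None,
           max_depth=None, rbac=None, roles=frozenset()):
    # Emulates the outcomes this page lists (200 = routed); rbac maps Query/Mutation/All to accepted roles.
    if method not in ("GET", "POST"):
        return 405
    try:
        ops, depth = analyze(document)
    except ValueError:
        return 400
    types = {t for t, n in ops if operation_name is None or n == operation_name}
    if method == "GET" and "mutation" in types:
        return 405
    if len(ops) > (max_operations or len(ops)) or depth > (max_depth or depth):  # None = filter absent
        return 403
    for op_type, allowed in (rbac or {}).items():
        if (op_type == "All" or op_type.lower() in types) and not set(allowed) & set(roles):
            return 403
    return 200
```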