Merge branch 'master' of github.com:graphql-dotnet/authorization into develop

# Conflicts:
#	src/Directory.Build.props
#	src/GraphQL.Authorization/AuthorizationValidationRule.cs

Author: sungam3r

src/BasicSample/Program.cs

@@ -44,14 +44,14 @@ type Query {
             // remove claims to see the failure
             var authorizedUser = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim("role", "Admin") }));
 
-            string json = await schema.ExecuteAsync(_ =>
+            string json = await schema.ExecuteAsync(options =>
             {
-                _.Query = "{ viewer { id name } }";
-                _.ValidationRules = serviceProvider
+                options.Query = "{ viewer { id name } }";
+                options.ValidationRules = serviceProvider
                     .GetServices<IValidationRule>()
                     .Concat(DocumentValidator.CoreRules);
-                _.RequestServices = serviceProvider;
-                _.UserContext = new GraphQLUserContext { User = authorizedUser };
+                options.RequestServices = serviceProvider;
+                options.UserContext = new GraphQLUserContext { User = authorizedUser };
             });
 
             Console.WriteLine(json);

src/GraphQL.Authorization.ApiTests/GraphQL.Authorization.approved.txt

@@ -63,6 +63,9 @@ namespace GraphQL.Authorization
         public ClaimAuthorizationRequirement(string claimType, System.Collections.Generic.IEnumerable<string> allowedValues) { }
         public ClaimAuthorizationRequirement(string claimType, params string[] allowedValues) { }
         public ClaimAuthorizationRequirement(string claimType, System.Collections.Generic.IEnumerable<string> allowedValues, System.Collections.Generic.IEnumerable<string> displayValues) { }
+        public System.Collections.Generic.IEnumerable<string> AllowedValues { get; }
+        public string ClaimType { get; }
+        public System.Collections.Generic.IEnumerable<string> DisplayValues { get; }
         public System.Threading.Tasks.Task Authorize(GraphQL.Authorization.AuthorizationContext context) { }
     }
     public interface IAuthorizationEvaluator

src/GraphQL.Authorization.Tests/AuthorizationValidationRuleTests.cs

@@ -223,6 +223,48 @@ public void Issue61()
             });
         }
 
+        [Fact]
+        public void passes_with_claim_on_variable_type()
+        {
+            Settings.AddPolicy("FieldPolicy", builder => builder.RequireClaim("admin"));
+
+            ShouldPassRule(config =>
+            {
+                config.Query = @"query Author($input: AuthorInputType!) { author(input: $input) }";
+                config.Schema = TypedSchema();
+                config.Inputs = new Inputs(new Dictionary<string, object>()
+                {
+                    {
+                      "input",
+                      new Dictionary<string,object>{ { "name","Quinn" } }
+                    }
+                });
+                config.User = CreatePrincipal(claims: new Dictionary<string, string>
+                    {
+                        { "Admin", "true" }
+                    });
+            });
+        }
+
+        [Fact]
+        public void fails_on_missing_claim_on_variable_type()
+        {
+            Settings.AddPolicy("FieldPolicy", builder => builder.RequireClaim("admin"));
+
+            ShouldFailRule(config =>
+            {
+                config.Query = @"query Author($input: AuthorInputType!) { author(input: $input) }";
+                config.Schema = TypedSchema();
+                config.Inputs = new Inputs(new Dictionary<string, object>()
+                {
+                    {
+                      "input",
+                      new Dictionary<string,object>{ { "name","Quinn" } }
+                    }
+                });
+            });
+        }
+
         [Fact]
         public void passes_with_policy_on_connection_type()
         {

src/GraphQL.Authorization/AuthorizationValidationRule.cs

@@ -1,3 +1,4 @@
+using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
 using GraphQL.Language.AST;
@@ -121,6 +122,30 @@ public ValueTask<INodeVisitor> ValidateAsync(ValidationContext context)
                     CheckAuth(fieldAst, fieldDef, userContext, context, operationType);
                     // check returned graph type
                     CheckAuth(fieldAst, fieldDef.ResolvedType.GetNamedType(), userContext, context, operationType);
+                }),
+
+                new MatchingNodeVisitor<VariableReference>((variableRef, context) =>
+                {
+                    if (!(context.TypeInfo.GetArgument().ResolvedType.GetNamedType() is IComplexGraphType variableType))
+                        return;
+
+                    CheckAuth(variableRef, variableType, userContext, context, operationType);
+
+                    // Check each supplied field in the variable that exists in the variable type.
+                    // If some supplied field does not exist in the variable type then some other
+                    // validation rule should check that but here we should just ignore that
+                    // "unknown" field.
+                    if (context.Inputs.TryGetValue(variableRef.Name, out object input) &&
+                        input is Dictionary<string, object> fieldsValues)
+                    {
+                        foreach (var field in variableType.Fields)
+                        {
+                            if (fieldsValues.ContainsKey(field.Name))
+                            {
+                                CheckAuth(variableRef, field, userContext, context, operationType);
+                            }
+                        }
+                    }
                 })
             ));
         }

src/GraphQL.Authorization/Requirements/ClaimAuthorizationRequirement.cs

@@ -11,10 +11,6 @@ namespace GraphQL.Authorization
     /// </summary>
     public class ClaimAuthorizationRequirement : IAuthorizationRequirement
     {
-        private readonly string _claimType;
-        private readonly IEnumerable<string> _displayValues;
-        private readonly IEnumerable<string> _allowedValues;
-
         /// <summary>
         /// Creates a new instance of <see cref="ClaimAuthorizationRequirement"/> with
         /// the specified claim type.
@@ -53,41 +49,58 @@ public ClaimAuthorizationRequirement(string claimType, params string[] allowedVa
         /// </summary>
         public ClaimAuthorizationRequirement(string claimType, IEnumerable<string> allowedValues, IEnumerable<string> displayValues)
         {
-            _claimType = claimType ?? throw new ArgumentNullException(nameof(claimType));
-            _allowedValues = allowedValues ?? Enumerable.Empty<string>();
-            _displayValues = displayValues;
+            ClaimType = claimType ?? throw new ArgumentNullException(nameof(claimType));
+            AllowedValues = allowedValues ?? Enumerable.Empty<string>();
+            DisplayValues = displayValues;
         }
 
+        /// <summary>
+        /// Claim type that claims principal from <see cref="AuthorizationContext"/> should have.
+        /// </summary>
+        public string ClaimType { get; }
+
+        /// <summary>
+        /// List of claim values, which, if present, the claim must match.
+        /// </summary>
+        public IEnumerable<string> AllowedValues { get; }
+
+        /// <summary>
+        /// Specifies the set of displayed claim values that will be used
+        /// to generate an error message if the requirement is not met.
+        /// If null then values from <see cref="AllowedValues"/> are used.
+        /// </summary>
+        public IEnumerable<string> DisplayValues { get; }
+
         /// <inheritdoc />
         public Task Authorize(AuthorizationContext context)
         {
             bool found = false;
 
             if (context.User != null)
             {
-                if (_allowedValues == null || !_allowedValues.Any())
+                if (AllowedValues == null || !AllowedValues.Any())
                 {
                     found = context.User.Claims.Any(
-                        claim => string.Equals(claim.Type, _claimType, StringComparison.OrdinalIgnoreCase));
+                        claim => string.Equals(claim.Type, ClaimType, StringComparison.OrdinalIgnoreCase));
                 }
                 else
                 {
                     found = context.User.Claims.Any(
-                        claim => string.Equals(claim.Type, _claimType, StringComparison.OrdinalIgnoreCase)
-                             && _allowedValues.Contains(claim.Value, StringComparer.Ordinal));
+                        claim => string.Equals(claim.Type, ClaimType, StringComparison.OrdinalIgnoreCase)
+                             && AllowedValues.Contains(claim.Value, StringComparer.Ordinal));
                 }
             }
 
             if (!found)
             {
-                if (_allowedValues != null && _allowedValues.Any())
+                if (AllowedValues != null && AllowedValues.Any())
                 {
-                    string values = string.Join(", ", _displayValues ?? _allowedValues);
-                    context.ReportError($"Required claim '{_claimType}' with any value of '{values}' is not present.");
+                    string values = string.Join(", ", DisplayValues ?? AllowedValues);
+                    context.ReportError($"Required claim '{ClaimType}' with any value of '{values}' is not present.");
                 }
                 else
                 {
-                    context.ReportError($"Required claim '{_claimType}' is not present.");
+                    context.ReportError($"Required claim '{ClaimType}' is not present.");
                 }
             }