Bump GraphQL Version, update rules

joemcbride · joemcbride · commit ce417b566d65 · 2017-09-18T09:12:01.000-07:00
diff --git a/src/GraphQL.Authorization/AuthorizationPolicyBuilder.cs b/src/GraphQL.Authorization/AuthorizationPolicyBuilder.cs
@@ -1,4 +1,5 @@
 ﻿using System.Collections.Generic;
+using System.Linq;
 
 namespace GraphQL.Authorization
 {
@@ -24,9 +25,16 @@ public AuthorizationPolicyBuilder RequireClaim(string claimType)
             return this;
         }
 
-        public AuthorizationPolicyBuilder RequireClaim(string claimType, params string[] requiredValues)
+        public AuthorizationPolicyBuilder RequireClaim(string claimType, params string[] allowedValues)
         {
-            var requirement = new ClaimAuthorizationRequirement(claimType, requiredValues);
+            var requirement = new ClaimAuthorizationRequirement(claimType, allowedValues);
+            _requirements.Add(requirement);
+            return this;
+        }
+
+        public AuthorizationPolicyBuilder RequireClaim(string claimType, IEnumerable<string> allowedValues, IEnumerable<string> displayValues)
+        {
+            var requirement = new ClaimAuthorizationRequirement(claimType, allowedValues, displayValues);
             _requirements.Add(requirement);
             return this;
         }
diff --git a/src/GraphQL.Authorization/AuthorizationValidationRule.cs b/src/GraphQL.Authorization/AuthorizationValidationRule.cs
@@ -1,4 +1,5 @@
 ﻿using GraphQL.Language.AST;
+using GraphQL.Types;
 using GraphQL.Validation;
 
 namespace GraphQL.Authorization
@@ -18,32 +19,52 @@ public INodeVisitor Validate(ValidationContext context)
 
             return new EnterLeaveListener(_ =>
             {
-                // this could leak info about hidden fields in error messages
+                var operationType = OperationType.Query;
+
+                // this could leak info about hidden fields or types in error messages
                 // it would be better to implement a filter on the Schema so it
                 // acts as if they just don't exist vs. an auth denied error
                 // - filtering the Schema is not currently supported
+
+                _.Match<Operation>(astType =>
+                {
+                    operationType = astType.OperationType;
+
+                    var type = context.TypeInfo.GetLastType();
+                    CheckAuth(astType, type, userContext, context, operationType);
+                });
+
                 _.Match<Field>(fieldAst =>
                 {
                     var fieldDef = context.TypeInfo.GetFieldDef();
+                    CheckAuth(fieldAst, fieldDef, userContext, context, operationType);
+                });
+            });
+        }
 
-                    if (!fieldDef.RequiresAuthorization()) return;
+        private void CheckAuth(
+            INode node,
+            IProvideMetadata type,
+            IProvideClaimsPrincipal userContext,
+            ValidationContext context,
+            OperationType operationType)
+        {
+            if (type == null || !type.RequiresAuthorization()) return;
 
-                    var result = fieldDef
-                        .Authorize(userContext?.User, context.UserContext, _evaluator)
-                        .GetAwaiter()
-                        .GetResult();
+            var result = type
+                .Authorize(userContext?.User, context.UserContext, _evaluator)
+                .GetAwaiter()
+                .GetResult();
 
-                    if (result.Succeeded) return;
+            if (result.Succeeded) return;
 
-                    var errors = string.Join("\n", result.Errors);
+            var errors = string.Join("\n", result.Errors);
 
-                    context.ReportError(new ValidationError(
-                        context.OriginalQuery,
-                        "authorization",
-                        $"You are not authorized to run this query.\n{errors}",
-                        fieldAst));
-                });
-            });
+            context.ReportError(new ValidationError(
+                context.OriginalQuery,
+                "authorization",
+                $"You are not authorized to run this {operationType.ToString().ToLower()}.\n{errors}",
+                node));
         }
     }
 }
diff --git a/src/GraphQL.Authorization/ClaimAuthorizationRequirement.cs b/src/GraphQL.Authorization/ClaimAuthorizationRequirement.cs
@@ -8,23 +8,30 @@ namespace GraphQL.Authorization
     public class ClaimAuthorizationRequirement : IAuthorizationRequirement
     {
         private readonly string _claimType;
+        private readonly IEnumerable<string> _displayValues;
         private readonly IEnumerable<string> _allowedValues;
 
         public ClaimAuthorizationRequirement(string claimType)
-            : this(claimType, null)
+            : this(claimType, null, null)
         {
         }
 
         public ClaimAuthorizationRequirement(string claimType, IEnumerable<string> allowedValues)
+            : this(claimType, allowedValues, null)
+        {
+        }
+
+        public ClaimAuthorizationRequirement(string claimType, IEnumerable<string> allowedValues, IEnumerable<string> displayValues)
         {
             _claimType = claimType;
             _allowedValues = allowedValues ?? new List<string>();
+            _displayValues = displayValues;
         }
 
         public Task Authorize(AuthorizationContext context)
         {
             var found = false;
-            if(_allowedValues == null || !_allowedValues.Any())
+            if (_allowedValues == null || !_allowedValues.Any())
             {
                 found = context.User.Claims.Any(
                     c => string.Equals(c.Type, _claimType, StringComparison.OrdinalIgnoreCase));
@@ -40,7 +47,7 @@ public Task Authorize(AuthorizationContext context)
             {
                 if (_allowedValues != null && _allowedValues.Any())
                 {
-                    var values = string.Join(", ", _allowedValues);
+                    var values = string.Join(", ", _displayValues ?? _allowedValues);
                     context.ReportError($"Required claim '{_claimType}' with any value of '{values}' is not present.");
                 }
                 else
diff --git a/src/GraphQL.Authorization/GraphQL.Authorization.csproj b/src/GraphQL.Authorization/GraphQL.Authorization.csproj
@@ -26,8 +26,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="GraphQL" Version="0.18.0-alpha-754" />
-    <PackageReference Include="GraphQL-Parser" Version="2.0.0" />
+    <PackageReference Include="GraphQL" Version="2.0.0-alpha-783" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard1.3'">

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`using System.Collections.Generic;`
	`2`	`+using System.Linq;`
`2`	`3`
`3`	`4`	`namespace GraphQL.Authorization`
`4`	`5`	`{`
`@@ -24,9 +25,16 @@ public AuthorizationPolicyBuilder RequireClaim(string claimType)`
`24`	`25`	`return this;`
`25`	`26`	`}`
`26`	`27`
`27`		`- public AuthorizationPolicyBuilder RequireClaim(string claimType, params string[] requiredValues)`
	`28`	`+ public AuthorizationPolicyBuilder RequireClaim(string claimType, params string[] allowedValues)`
`28`	`29`	`{`
`29`		`- var requirement = new ClaimAuthorizationRequirement(claimType, requiredValues);`
	`30`	`+ var requirement = new ClaimAuthorizationRequirement(claimType, allowedValues);`
	`31`	`+ _requirements.Add(requirement);`
	`32`	`+ return this;`
	`33`	`+ }`
	`34`	`+`
	`35`	`+ public AuthorizationPolicyBuilder RequireClaim(string claimType, IEnumerable<string> allowedValues, IEnumerable<string> displayValues)`
	`36`	`+ {`
	`37`	`+ var requirement = new ClaimAuthorizationRequirement(claimType, allowedValues, displayValues);`
`30`	`38`	`_requirements.Add(requirement);`
`31`	`39`	`return this;`
`32`	`40`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,23 +8,30 @@ namespace GraphQL.Authorization`
`8`	`8`	`public class ClaimAuthorizationRequirement : IAuthorizationRequirement`
`9`	`9`	`{`
`10`	`10`	`private readonly string _claimType;`
	`11`	`+ private readonly IEnumerable<string> _displayValues;`
`11`	`12`	`private readonly IEnumerable<string> _allowedValues;`
`12`	`13`
`13`	`14`	`public ClaimAuthorizationRequirement(string claimType)`
`14`		`- : this(claimType, null)`
	`15`	`+ : this(claimType, null, null)`
`15`	`16`	`{`
`16`	`17`	`}`
`17`	`18`
`18`	`19`	`public ClaimAuthorizationRequirement(string claimType, IEnumerable<string> allowedValues)`
	`20`	`+ : this(claimType, allowedValues, null)`
	`21`	`+ {`
	`22`	`+ }`
	`23`	`+`
	`24`	`+ public ClaimAuthorizationRequirement(string claimType, IEnumerable<string> allowedValues, IEnumerable<string> displayValues)`
`19`	`25`	`{`
`20`	`26`	`_claimType = claimType;`
`21`	`27`	`_allowedValues = allowedValues ?? new List<string>();`
	`28`	`+ _displayValues = displayValues;`
`22`	`29`	`}`
`23`	`30`
`24`	`31`	`public Task Authorize(AuthorizationContext context)`
`25`	`32`	`{`
`26`	`33`	`var found = false;`
`27`		`- if(_allowedValues == null \|\| !_allowedValues.Any())`
	`34`	`+ if (_allowedValues == null \|\| !_allowedValues.Any())`
`28`	`35`	`{`
`29`	`36`	`found = context.User.Claims.Any(`
`30`	`37`	`c => string.Equals(c.Type, _claimType, StringComparison.OrdinalIgnoreCase));`
`@@ -40,7 +47,7 @@ public Task Authorize(AuthorizationContext context)`
`40`	`47`	`{`
`41`	`48`	`if (_allowedValues != null && _allowedValues.Any())`
`42`	`49`	`{`
`43`		`- var values = string.Join(", ", _allowedValues);`
	`50`	`+ var values = string.Join(", ", _displayValues ?? _allowedValues);`
`44`	`51`	`context.ReportError($"Required claim '{_claimType}' with any value of '{values}' is not present.");`
`45`	`52`	`}`
`46`	`53`	`else`