Added authorization for VariableReference fields (#179)

sungam3r · web-flow · commit d0b411f36827 · 2021-12-11T23:04:01.000+03:00
diff --git a/src/GraphQL.Authorization.Tests/AuthorizationValidationRuleTests.cs b/src/GraphQL.Authorization.Tests/AuthorizationValidationRuleTests.cs
@@ -177,6 +177,48 @@ public void Issue61()
             });
         }
 
+        [Fact]
+        public void passes_with_claim_on_variable_type()
+        {
+            Settings.AddPolicy("FieldPolicy", builder => builder.RequireClaim("admin"));
+
+            ShouldPassRule(config =>
+            {
+                config.Query = @"query Author($input: AuthorInputType!) { author(input: $input) }";
+                config.Schema = TypedSchema();
+                config.Inputs = new Inputs(new Dictionary<string, object>()
+                {
+                    {
+                      "input",
+                      new Dictionary<string,object>{ { "name","Quinn" } }
+                    }
+                });
+                config.User = CreatePrincipal(claims: new Dictionary<string, string>
+                    {
+                        { "Admin", "true" }
+                    });
+            });
+        }
+
+        [Fact]
+        public void fails_on_missing_claim_on_variable_type()
+        {
+            Settings.AddPolicy("FieldPolicy", builder => builder.RequireClaim("admin"));
+
+            ShouldFailRule(config =>
+            {
+                config.Query = @"query Author($input: AuthorInputType!) { author(input: $input) }";
+                config.Schema = TypedSchema();
+                config.Inputs = new Inputs(new Dictionary<string, object>()
+                {
+                    {
+                      "input",
+                      new Dictionary<string,object>{ { "name","Quinn" } }
+                    }
+                });
+            });
+        }
+
         [Fact]
         public void passes_with_policy_on_connection_type()
         {
diff --git a/src/GraphQL.Authorization/AuthorizationValidationRule.cs b/src/GraphQL.Authorization/AuthorizationValidationRule.cs
@@ -1,3 +1,4 @@
+using System.Collections.Generic;
 using System.Threading.Tasks;
 using GraphQL.Language.AST;
 using GraphQL.Types;
@@ -63,6 +64,30 @@ public Task<INodeVisitor> ValidateAsync(ValidationContext context)
                     CheckAuth(fieldAst, fieldDef, userContext, context, operationType);
                     // check returned graph type
                     CheckAuth(fieldAst, fieldDef.ResolvedType.GetNamedType(), userContext, context, operationType);
+                }),
+
+                new MatchingNodeVisitor<VariableReference>((variableRef, context) =>
+                {
+                    if (!(context.TypeInfo.GetArgument().ResolvedType.GetNamedType() is IComplexGraphType variableType))
+                        return;
+
+                    CheckAuth(variableRef, variableType, userContext, context, operationType);
+
+                    // Check each supplied field in the variable that exists in the variable type.
+                    // If some supplied field does not exist in the variable type then some other
+                    // validation rule should check that but here we should just ignore that
+                    // "unknown" field.
+                    if (context.Inputs.TryGetValue(variableRef.Name, out object input) &&
+                        input is Dictionary<string, object> fieldsValues)
+                    {
+                        foreach (var field in variableType.Fields)
+                        {
+                            if (fieldsValues.ContainsKey(field.Name))
+                            {
+                                CheckAuth(variableRef, field, userContext, context, operationType);
+                            }
+                        }
+                    }
                 })
             ));
         }
