Refined the Authorization Directive (#613)

ChilliCream · Mar 3, 2019 · f969a4b · f969a4b
1 parent 02e7c87
commit f969a4b
Show file tree

Hide file tree

Showing 16 changed files with 287 additions and 31 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Introduced auto-stitching capabilities with the new `StitchingBuilder`.
 - _GraphQL_ _Voyager_. Special thanks to [@drowhunter](https://github.com/drowhunter) who contributed the middleware.
 
+### Changed
+
+- The authoization directive is now more aligned how the authorize attribute in ASP.net works.
+
 ### Fixed
 
 - Introspection default values are now serialized correctly.

diff --git a/examples/AspNetClassic.StarWars/Startup.cs b/examples/AspNetClassic.StarWars/Startup.cs
@@ -1,6 +1,7 @@
 using System;
 using HotChocolate;
 using HotChocolate.AspNetClassic;
+using HotChocolate.AspNetClassic.Voyager;
 using HotChocolate.Execution.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Owin;

diff --git a/src/Core/Abstractions.Tests/Abstractions.Tests.csproj b/src/Core/Abstractions.Tests/Abstractions.Tests.csproj
@@ -36,4 +36,8 @@
     </None>
   </ItemGroup>
 
+  <ItemGroup>
+    <Folder Include="Execution\__snapshots__\__mismatch__\" />
+  </ItemGroup>
+
 </Project>
diff --git a/src/Core/Abstractions.Tests/Execution/QueryRequestBuilderTests.cs b/src/Core/Abstractions.Tests/Execution/QueryRequestBuilderTests.cs
@@ -90,6 +90,39 @@ public void BuildRequest_QueryAndSetVariables_RequestIsCreated()
             request.MatchSnapshot();
         }
 
+        [Fact]
+        public void BuildRequest_QueryAndSetVariable_RequestIsCreated()
+        {
+            // arrange
+            // act
+            IReadOnlyQueryRequest request =
+                QueryRequestBuilder.New()
+                    .SetQuery("{ foo }")
+                    .AddVariableValue("one", "foo")
+                    .SetVariableValue("one", "bar")
+                    .Create();
+
+            // assert
+            // one should be bar
+            request.MatchSnapshot();
+        }
+
+        [Fact]
+        public void BuildRequest_QueryAndSetNewVariable_RequestIsCreated()
+        {
+            // arrange
+            // act
+            IReadOnlyQueryRequest request =
+                QueryRequestBuilder.New()
+                    .SetQuery("{ foo }")
+                    .SetVariableValue("one", "bar")
+                    .Create();
+
+            // assert
+            // one should be bar
+            request.MatchSnapshot();
+        }
+
         [Fact]
         public void BuildRequest_QueryAndResetVariables_RequestIsCreated()
         {
@@ -141,7 +174,40 @@ public void BuildRequest_QueryAndSetProperties_RequestIsCreated()
                     .Create();
 
             // assert
-            // only three should be in the request
+            // only three should exist
+            request.MatchSnapshot();
+        }
+
+        [Fact]
+        public void BuildRequest_QueryAndSetProperty_RequestIsCreated()
+        {
+            // arrange
+            // act
+            IReadOnlyQueryRequest request =
+                QueryRequestBuilder.New()
+                    .SetQuery("{ foo }")
+                    .AddProperty("one", "foo")
+                    .SetProperty("one", "bar")
+                    .Create();
+
+            // assert
+            // one should be bar
+            request.MatchSnapshot();
+        }
+
+        [Fact]
+        public void BuildRequest_QueryAndSetNewProperty_RequestIsCreated()
+        {
+            // arrange
+            // act
+            IReadOnlyQueryRequest request =
+                QueryRequestBuilder.New()
+                    .SetQuery("{ foo }")
+                    .SetProperty("one", "bar")
+                    .Create();
+
+            // assert
+            // one should be bar
             request.MatchSnapshot();
         }
 

diff --git a/...hots__/QueryRequestBuilderTests.BuildRequest_QueryAndSetNewProperty_RequestIsCreated.snap b/...hots__/QueryRequestBuilderTests.BuildRequest_QueryAndSetNewProperty_RequestIsCreated.snap
@@ -0,0 +1,10 @@
+{
+  "Query": "{ foo }",
+  "OperationName": null,
+  "VariableValues": null,
+  "InitialValue": null,
+  "Properties": {
+    "one": "bar"
+  },
+  "Services": null
+}
diff --git a/...hots__/QueryRequestBuilderTests.BuildRequest_QueryAndSetNewVariable_RequestIsCreated.snap b/...hots__/QueryRequestBuilderTests.BuildRequest_QueryAndSetNewVariable_RequestIsCreated.snap
@@ -0,0 +1,10 @@
+{
+  "Query": "{ foo }",
+  "OperationName": null,
+  "VariableValues": {
+    "one": "bar"
+  },
+  "InitialValue": null,
+  "Properties": null,
+  "Services": null
+}
diff --git a/...apshots__/QueryRequestBuilderTests.BuildRequest_QueryAndSetProperty_RequestIsCreated.snap b/...apshots__/QueryRequestBuilderTests.BuildRequest_QueryAndSetProperty_RequestIsCreated.snap
@@ -0,0 +1,10 @@
+{
+  "Query": "{ foo }",
+  "OperationName": null,
+  "VariableValues": null,
+  "InitialValue": null,
+  "Properties": {
+    "one": "bar"
+  },
+  "Services": null
+}
diff --git a/...apshots__/QueryRequestBuilderTests.BuildRequest_QueryAndSetVariable_RequestIsCreated.snap b/...apshots__/QueryRequestBuilderTests.BuildRequest_QueryAndSetVariable_RequestIsCreated.snap
@@ -0,0 +1,10 @@
+{
+  "Query": "{ foo }",
+  "OperationName": null,
+  "VariableValues": {
+    "one": "bar"
+  },
+  "InitialValue": null,
+  "Properties": null,
+  "Services": null
+}
diff --git a/src/Core/Abstractions/Execution/IQueryRequestBuilder.cs b/src/Core/Abstractions/Execution/IQueryRequestBuilder.cs
@@ -14,12 +14,16 @@ IQueryRequestBuilder SetVariableValues(
             IDictionary<string, object> variableValues);
         IQueryRequestBuilder AddVariableValue(
             string name, object value);
+        IQueryRequestBuilder SetVariableValue(
+            string name, object value);
         IQueryRequestBuilder SetInitialValue(
             object initialValue);
         IQueryRequestBuilder SetProperties(
             IDictionary<string, object> properties);
         IQueryRequestBuilder AddProperty(
             string name, object value);
+        IQueryRequestBuilder SetProperty(
+            string name, object value);
         IQueryRequestBuilder SetServices(
             IServiceProvider services);
         IReadOnlyQueryRequest Create();

diff --git a/src/Core/Abstractions/Execution/QueryRequestBuilder.cs b/src/Core/Abstractions/Execution/QueryRequestBuilder.cs
@@ -53,6 +53,17 @@ public IQueryRequestBuilder SetVariableValues(
             return this;
         }
 
+        public IQueryRequestBuilder SetVariableValue(string name, object value)
+        {
+            if (_variableValues == null)
+            {
+                _variableValues = new Dictionary<string, object>();
+            }
+
+            _variableValues[name] = value;
+            return this;
+        }
+
         public IQueryRequestBuilder AddVariableValue(
             string name, object value)
         {
@@ -72,6 +83,17 @@ public IQueryRequestBuilder SetProperties(
             return this;
         }
 
+        public IQueryRequestBuilder SetProperty(string name, object value)
+        {
+            if (_properties == null)
+            {
+                _properties = new Dictionary<string, object>();
+            }
+
+            _properties[name] = value;
+            return this;
+        }
+
         public IQueryRequestBuilder AddProperty(
             string name, object value)
         {

diff --git a/src/Server/AspNetCore.Authorization/AspNetCore.Authorization.csproj b/src/Server/AspNetCore.Authorization/AspNetCore.Authorization.csproj
@@ -25,6 +25,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="2.1.1" />
     <PackageReference Include="Microsoft.AspNetCore.Authorization" Version="2.1.1" />
     <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.1.1" />
   </ItemGroup>

diff --git a/src/Server/AspNetCore.Authorization/AuthorizeDirectiveType.cs b/src/Server/AspNetCore.Authorization/AuthorizeDirectiveType.cs
@@ -1,4 +1,5 @@
-using System.Collections.Generic;
+using System;
+using System.Collections.Generic;
 using System.Security.Claims;
 using System.Security.Principal;
 using System.Threading.Tasks;
@@ -10,6 +11,7 @@
 namespace HotChocolate.AspNetClassic.Authorization
 #else
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.DependencyInjection;
 
 namespace HotChocolate.AspNetCore.Authorization
 #endif
@@ -38,10 +40,18 @@ private static async Task AuthorizeAsync(
             AuthorizeDirective directive = context.Directive
                 .ToObject<AuthorizeDirective>();
 
-            ClaimsPrincipal principal = context
-                .CustomProperty<ClaimsPrincipal>(nameof(ClaimsPrincipal));
+            ClaimsPrincipal principal = null;
+            var allowed = false;
 
-            var allowed = IsInRoles(principal, directive.Roles);
+            if (context.ContextData.TryGetValue(
+                nameof(ClaimsPrincipal), out var o)
+                && o is ClaimsPrincipal p)
+            {
+                principal = p;
+                allowed = p.Identity.IsAuthenticated;
+            }
+
+            allowed = allowed && IsInRoles(principal, directive.Roles);
 
 #if !ASPNETCLASSIC
             if (allowed && NeedsPolicyValidation(directive))
@@ -57,11 +67,13 @@ private static async Task AuthorizeAsync(
             }
             else if (context.Result == null)
             {
-                context.Result = QueryError.CreateFieldError(
-                    "The current user is not authorized to " +
-                    "access this resource.",
-                    context.Path,
-                    context.FieldSelection);
+                context.Result = ErrorBuilder.New()
+                    .SetMessage(
+                        "The current user is not authorized to " +
+                        "access this resource.")
+                    .SetPath(context.Path)
+                    .AddLocation(context.FieldSelection)
+                    .Build();
             }
         }
 
@@ -96,10 +108,16 @@ private static async Task<bool> AuthorizeWithPolicyAsync(
             AuthorizeDirective directive,
             ClaimsPrincipal principal)
         {
-            IAuthorizationService authorizeService = context
-                .Service<IAuthorizationService>();
-            IAuthorizationPolicyProvider policyProvider = context
-                .Service<IAuthorizationPolicyProvider>();
+            IServiceProvider services = context.Service<IServiceProvider>();
+            IAuthorizationService authorizeService =
+                services.GetService<IAuthorizationService>();
+            IAuthorizationPolicyProvider policyProvider =
+                services.GetService<IAuthorizationPolicyProvider>();
+
+            if (authorizeService == null || policyProvider == null)
+            {
+                return string.IsNullOrWhiteSpace(directive.Policy);
+            }
 
             AuthorizationPolicy policy = null;
 

diff --git a/src/Server/AspNetCore.Tests/AspNetCore.Tests.csproj b/src/Server/AspNetCore.Tests/AspNetCore.Tests.csproj
@@ -36,4 +36,8 @@
     </None>
   </ItemGroup>
 
+  <ItemGroup>
+    <Folder Include="Authorization\__snapshots__\__mismatch__\" />
+  </ItemGroup>
+
 </Project>