Added allowAnnonymous directive (#6134)

ChilliCream · May 9, 2023 · ff14574 · ff14574
1 parent 21e0228
commit ff14574
Show file tree

Hide file tree

Showing 20 changed files with 204 additions and 15 deletions.
diff --git a/...Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_DefaultPolicy.graphql b/...Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_DefaultPolicy.graphql
@@ -12,4 +12,6 @@ enum ApplyPolicy {
   VALIDATION
 }
 
+directive @allowAnonymous repeatable on FIELD_DEFINITION
+
 directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION
diff --git a/...Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_DefaultPolicy_AfterResolver.graphql b/...Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_DefaultPolicy_AfterResolver.graphql
@@ -12,4 +12,6 @@ enum ApplyPolicy {
   VALIDATION
 }
 
+directive @allowAnonymous repeatable on FIELD_DEFINITION
+
 directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION
diff --git a/...ests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_DefaultPolicy_BeforeResolver.graphql b/...ests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_DefaultPolicy_BeforeResolver.graphql
@@ -12,4 +12,6 @@ enum ApplyPolicy {
   VALIDATION
 }
 
+directive @allowAnonymous repeatable on FIELD_DEFINITION
+
 directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION
diff --git a/...on.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_DefaultPolicy_Validation.graphql b/...on.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_DefaultPolicy_Validation.graphql
@@ -12,4 +12,6 @@ enum ApplyPolicy {
   VALIDATION
 }
 
+directive @allowAnonymous repeatable on FIELD_DEFINITION
+
 directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION
diff --git a/...re.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithPolicy.graphql b/...re.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithPolicy.graphql
@@ -12,4 +12,6 @@ enum ApplyPolicy {
   VALIDATION
 }
 
+directive @allowAnonymous repeatable on FIELD_DEFINITION
+
 directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION
diff --git a/...on.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithPolicy_AfterResolver.graphql b/...on.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithPolicy_AfterResolver.graphql
@@ -12,4 +12,6 @@ enum ApplyPolicy {
   VALIDATION
 }
 
+directive @allowAnonymous repeatable on FIELD_DEFINITION
+
 directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION
diff --git a/...n.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithPolicy_BeforeResolver.graphql b/...n.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithPolicy_BeforeResolver.graphql
@@ -12,4 +12,6 @@ enum ApplyPolicy {
   VALIDATION
 }
 
+directive @allowAnonymous repeatable on FIELD_DEFINITION
+
 directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION
diff --git a/...ation.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithPolicy_Validation.graphql b/...ation.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithPolicy_Validation.graphql
@@ -12,4 +12,6 @@ enum ApplyPolicy {
   VALIDATION
 }
 
+directive @allowAnonymous repeatable on FIELD_DEFINITION
+
 directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION
diff --git a/...ore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithRoles.graphql b/...ore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.FieldAuth_WithRoles.graphql
@@ -12,4 +12,6 @@ enum ApplyPolicy {
   VALIDATION
 }
 
+directive @allowAnonymous repeatable on FIELD_DEFINITION
+
 directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION
diff --git a/....Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.TypeAuth_DefaultPolicy.graphql b/....Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.TypeAuth_DefaultPolicy.graphql
@@ -12,4 +12,6 @@ enum ApplyPolicy {
   VALIDATION
 }
 
+directive @allowAnonymous repeatable on FIELD_DEFINITION
+
 directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION
diff --git a/...ore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.TypeAuth_WithPolicy.graphql b/...ore.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.TypeAuth_WithPolicy.graphql
@@ -12,4 +12,6 @@ enum ApplyPolicy {
   VALIDATION
 }
 
+directive @allowAnonymous repeatable on FIELD_DEFINITION
+
 directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION
diff --git a/...Core.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.TypeAuth_WithRoles.graphql b/...Core.Authorization.Tests/__snapshots__/AuthorizeDirectiveTests.TypeAuth_WithRoles.graphql
@@ -12,4 +12,6 @@ enum ApplyPolicy {
   VALIDATION
 }
 
+directive @allowAnonymous repeatable on FIELD_DEFINITION
+
 directive @authorize("The name of the authorization policy that determines access to the annotated resource." policy: String "Roles that are allowed to access the annotated resource." roles: [String!] "Defines when when the authorize directive shall be applied.By default the authorize directives are applied during the validation phase." apply: ApplyPolicy! = BEFORE_RESOLVER) repeatable on OBJECT | FIELD_DEFINITION
diff --git a/src/HotChocolate/Core/src/Abstractions/WellKnownContextData.cs b/src/HotChocolate/Core/src/Abstractions/WellKnownContextData.cs
@@ -264,4 +264,9 @@ public static class WellKnownContextData
     /// The key to access the authorization handler on the global context.
     /// </summary>
     public const string AuthorizationHandler = "HotChocolate.Authorization.AuthorizationHandler";
+
+    /// <summary>
+    /// The key to access the authorization allowed flag on the member context.
+    /// </summary>
+    public const string AllowAnonymous = "HotChocolate.Authorization.AllowAnonymous";
 }
diff --git a/src/HotChocolate/Core/src/Authorization/AllowAnonymousAttribute.cs b/src/HotChocolate/Core/src/Authorization/AllowAnonymousAttribute.cs
@@ -0,0 +1,17 @@
+using System.Reflection;
+using HotChocolate.Types;
+using HotChocolate.Types.Descriptors;
+
+namespace HotChocolate.Authorization;
+
+/// <summary>
+/// Allows anonymous access to the annotated field.
+/// </summary>
+public sealed class AllowAnonymousAttribute : ObjectFieldDescriptorAttribute
+{
+    protected override void OnConfigure(
+        IDescriptorContext context,
+        IObjectFieldDescriptor descriptor,
+        MemberInfo member)
+        => descriptor.AllowAnonymous();
+}
diff --git a/src/HotChocolate/Core/src/Authorization/AllowAnonymousDirectiveType.cs b/src/HotChocolate/Core/src/Authorization/AllowAnonymousDirectiveType.cs
@@ -0,0 +1,46 @@
+using System.Collections.Generic;
+using HotChocolate.Language;
+using HotChocolate.Types;
+using HotChocolate.Types.Descriptors;
+using HotChocolate.Types.Descriptors.Definitions;
+using DirectiveLocation = HotChocolate.Types.DirectiveLocation;
+
+namespace HotChocolate.Authorization;
+
+internal sealed class AllowAnonymousDirectiveType
+    : DirectiveType
+    , ISchemaDirective
+{
+    public AllowAnonymousDirectiveType()
+    {
+        Name = Names.AllowAnonymous;
+    }
+
+    protected override void Configure(IDirectiveTypeDescriptor descriptor)
+    {
+        descriptor
+            .Name(Names.AllowAnonymous)
+            .Location(DirectiveLocation.FieldDefinition)
+            .Repeatable()
+            .Internal();
+    }
+
+    public void ApplyConfiguration(
+        IDescriptorContext context,
+        DirectiveNode directiveNode,
+        IDefinition definition,
+        Stack<IDefinition> path)
+    {
+        ((IHasDirectiveDefinition)definition).Directives.Add(new(directiveNode));
+
+        if (definition is ObjectFieldDefinition fieldDef)
+        {
+            fieldDef.ContextData[WellKnownContextData.AllowAnonymous] = true;
+        }
+    }
+
+    public static class Names
+    {
+        public const string AllowAnonymous = "allowAnonymous";
+    }
+}
diff --git a/src/HotChocolate/Core/src/Authorization/AuthorizationTypeInterceptor.cs b/src/HotChocolate/Core/src/Authorization/AuthorizationTypeInterceptor.cs
@@ -163,15 +163,20 @@ private void InspectObjectTypesForAuthDirective(State state)
                 {
                     foreach (var fieldDef in type.TypeDef.Fields)
                     {
+                        // we are not interested in introspection fields or the node fields.
                         if (fieldDef.IsIntrospectionField || fieldDef.IsNodeField())
                         {
                             continue;
                         }
 
-                        ApplyAuthMiddleware(
-                            fieldDef,
-                            registration,
-                            false);
+                        // if the field contains the AnonymousAllowed flag we will not
+                        // apply authorization on it.
+                        if(fieldDef.GetContextData().ContainsKey(AllowAnonymous))
+                        {
+                            continue;
+                        }
+
+                        ApplyAuthMiddleware(fieldDef, registration, false);
                     }
                 }
 
@@ -338,6 +343,13 @@ private void ApplyAuthMiddleware(
         ObjectFieldDefinition fieldDef,
         State state)
     {
+        // if the field contains the AnonymousAllowed flag we will not apply authorization
+        // on it.
+        if(fieldDef.GetContextData().ContainsKey(AllowAnonymous))
+        {
+            return;
+        }
+
         var isNodeField = fieldDef.IsNodeField();
 
         if (fieldDef.Type is not null &&

diff --git a/src/HotChocolate/Core/src/Authorization/AuthorizeDirectiveType.cs b/src/HotChocolate/Core/src/Authorization/AuthorizeDirectiveType.cs
@@ -1,4 +1,3 @@
-using System;
 using System.Collections.Generic;
 using HotChocolate.Language;
 using HotChocolate.Resolvers;
@@ -51,8 +50,7 @@ protected override void Configure(IDirectiveTypeDescriptor<AuthorizeDirective> d
             .Type<NonNullType<ApplyPolicyType>>()
             .DefaultValue(ApplyPolicy.BeforeResolver);
 
-        var context = descriptor.Extend().Context;
-        descriptor.Use(CreateMiddleware(context.Services));
+        descriptor.Use(CreateMiddleware());
     }
 
     public void ApplyConfiguration(
@@ -88,16 +86,13 @@ arg.Value is EnumValueNode value &&
         }
     }
 
-    private static DirectiveMiddleware CreateMiddleware(
-        IServiceProvider schemaServices)
-    {
-        return (next, directive) =>
+    private static DirectiveMiddleware CreateMiddleware()
+        => (next, directive) =>
         {
             var value = directive.AsValue<AuthorizeDirective>();
             var auth = new AuthorizeMiddleware(next, value);
             return async context => await auth.InvokeAsync(context).ConfigureAwait(false);
         };
-    }
 
     public static class Names
     {

diff --git a/...otChocolate/Core/src/Authorization/Extensions/AuthorizeObjectFieldDescriptorExtensions.cs b/...otChocolate/Core/src/Authorization/Extensions/AuthorizeObjectFieldDescriptorExtensions.cs
@@ -88,4 +88,29 @@ public static IObjectFieldDescriptor Authorize(
 
         return descriptor.Directive(new AuthorizeDirective(roles));
     }
+
+    /// <summary>
+    /// Allows anonymous access to this field.
+    /// </summary>
+    /// <param name="descriptor">
+    /// The field descriptor.
+    /// </param>
+    /// <returns>
+    ///  Returns the <see cref="IObjectFieldDescriptor"/> for configuration chaining.
+    /// </returns>
+    /// <exception cref="ArgumentNullException">
+    /// The <paramref name="descriptor"/> is <c>null</c>.
+    /// </exception>
+    public static IObjectFieldDescriptor AllowAnonymous(
+        this IObjectFieldDescriptor descriptor)
+    {
+        if (descriptor == null)
+        {
+            throw new ArgumentNullException(nameof(descriptor));
+        }
+
+        descriptor.Directive(AllowAnonymousDirectiveType.Names.AllowAnonymous);
+        descriptor.Extend().Definition.ContextData[WellKnownContextData.AllowAnonymous] = true;
+        return descriptor;
+    }
 }
diff --git a/src/HotChocolate/Core/src/Authorization/Extensions/AuthorizeSchemaBuilderExtensions.cs b/src/HotChocolate/Core/src/Authorization/Extensions/AuthorizeSchemaBuilderExtensions.cs
@@ -12,11 +12,14 @@ public static ISchemaBuilder AddAuthorizeDirectiveType(this ISchemaBuilder build
             throw new ArgumentNullException(nameof(builder));
         }
 
-        var type = new AuthorizeDirectiveType();
+        var authorize = new AuthorizeDirectiveType();
+        var allowAnonymous = new AllowAnonymousDirectiveType();
 
         return builder
-            .AddDirectiveType(type)
-            .TryAddSchemaDirective(type)
+            .AddDirectiveType(authorize)
+            .AddDirectiveType(allowAnonymous)
+            .TryAddSchemaDirective(authorize)
+            .TryAddSchemaDirective(allowAnonymous)
             .TryAddTypeInterceptor<AuthorizationTypeInterceptor>();
     }
 }
diff --git a/src/HotChocolate/Core/test/Authorization.Tests/AnnotationBasedAuthorizationTests.cs b/src/HotChocolate/Core/test/Authorization.Tests/AnnotationBasedAuthorizationTests.cs
@@ -158,6 +158,63 @@ public async Task Authorize_Query_NoAccess()
         Assert.Equal(401, value);
     }
 
+    [Fact]
+    public async Task Authorize_Person_AllowAnonymous()
+    {
+        // arrange
+        var handler = new AuthHandler(
+            resolver: AuthorizeResult.NotAllowed,
+            validation: AuthorizeResult.Allowed);
+        var services = CreateServices(handler);
+        var executor = await services.GetRequestExecutorAsync();
+
+        // act
+        var result = await executor.ExecuteAsync(
+            """
+            {
+              person(id: "UGVyc29uCmRhYmM=") {
+                name
+              }
+              person2(id: "UGVyc29uCmRhYmM=") {
+                name
+              }
+            }
+            """);
+
+        // assert
+        Snapshot
+            .Create()
+            .Add(result)
+            .MatchInline(
+                """
+                {
+                  "errors": [
+                    {
+                      "message": "The current user is not authorized to access this resource.",
+                      "locations": [
+                        {
+                          "line": 2,
+                          "column": 3
+                        }
+                      ],
+                      "path": [
+                        "person"
+                      ],
+                      "extensions": {
+                        "code": "AUTH_NOT_AUTHORIZED"
+                      }
+                    }
+                  ],
+                  "data": {
+                    "person": null,
+                    "person2": {
+                      "name": "Joe"
+                    }
+                  }
+                }
+                """);
+    }
+
     [Fact]
     public async Task Authorize_CityOrStreet_Skip_Auth_When_Street()
     {
@@ -863,12 +920,17 @@ private static IServiceProvider CreateServices(
 
     [FooDirective]
     [Authorize("QUERY", ApplyPolicy.Validation)]
+    [Authorize("QUERY2", ApplyPolicy.BeforeResolver)]
     public sealed class Query
     {
         [NodeResolver]
         public Person? GetPerson(string id)
             => new(id, "Joe");
 
+        [AllowAnonymous]
+        public Person? GetPerson2(string id)
+            => new(id, "Joe");
+
         public ICityOrStreet? GetCityOrStreet(bool street)
             => street
                 ? new Street("Somewhere")