Implemented per field authorization using ASP.NET authorization policies

xperiandri · xperiandri · commit 0a3b9e69adb7 · 2024-09-12T00:13:23.000+04:00
diff --git a/samples/star-wars-api/AuthorizationMiddleware.fs b/samples/star-wars-api/AuthorizationMiddleware.fs
@@ -0,0 +1,112 @@
+namespace FSharp.Data.GraphQL.Samples.StarWarsApi.Middleware
+
+open System
+open System.Threading.Tasks
+open Microsoft.FSharp.Quotations
+open Microsoft.FSharp.Quotations.Patterns
+open Microsoft.FSharp.Linq.RuntimeHelpers
+open Microsoft.AspNetCore.Authorization
+open Microsoft.AspNetCore.Http
+open Microsoft.Extensions.DependencyInjection
+
+open FSharp.Data.GraphQL
+open FSharp.Data.GraphQL.Types
+open FSharp.Data.GraphQL.Samples.StarWarsApi
+
+type FieldPolicyMiddleware<'Val, 'Res> = ResolveFieldContext -> 'Val -> (ResolveFieldContext -> 'Val -> Async<'Res>) -> Async<'Res>
+
+type internal CustomPolicyFieldDefinition<'Val, 'Res> (source : FieldDef<'Val, 'Res>, middleware : FieldPolicyMiddleware<'Val, 'Res>) =
+
+    interface FieldDef<'Val, 'Res> with
+
+        member _.Name = source.Name
+        member _.Description = source.Description
+        member _.DeprecationReason = source.DeprecationReason
+        member _.TypeDef = source.TypeDef
+        member _.Args = source.Args
+        member _.Metadata = source.Metadata
+        member _.Resolve =
+
+            let changeAsyncResolver expr =
+                let expr =
+                    match expr with
+                    | WithValue (_, _, e) -> e
+                    | _ -> failwith "Unexpected resolver expression."
+                let resolver =
+                    <@ fun ctx input -> middleware ctx input (%%expr : ResolveFieldContext -> 'Val -> Async<'Res>) @>
+                let compiledResolver = LeafExpressionConverter.EvaluateQuotation resolver
+                Expr.WithValue (compiledResolver, resolver.Type, resolver)
+
+            let changeSyncResolver expr =
+                let expr =
+                    match expr with
+                    | WithValue (_, _, e) -> e
+                    | _ -> failwith "Unexpected resolver expression."
+                let resolver =
+                    <@
+                        fun ctx input ->
+                            middleware ctx input (fun ctx input ->
+                                ((%%expr : ResolveFieldContext -> 'Val -> 'Res) ctx input)
+                                |> async.Return)
+                    @>
+                let compiledResolver = LeafExpressionConverter.EvaluateQuotation resolver
+                Expr.WithValue (compiledResolver, resolver.Type, resolver)
+
+            match source.Resolve with
+            | Sync (input, output, expr) -> Async (input, output, changeSyncResolver expr)
+            | Async (input, output, expr) -> Async (input, output, changeAsyncResolver expr)
+            | Undefined -> failwith "Field has no resolve function."
+            | x -> failwith <| sprintf "Resolver '%A' is not supported." x
+
+    interface IEquatable<FieldDef> with
+        member _.Equals (other) = source.Equals (other)
+
+    override _.Equals y = source.Equals y
+    override _.GetHashCode () = source.GetHashCode ()
+    override _.ToString () = source.ToString ()
+
+[<AutoOpen>]
+module TypeSystemExtensions =
+
+    let handlePolicies (policies : string array) (ctx : ResolveFieldContext) value = async {
+
+        let root : Root = downcast ctx.Context.RootValue
+        let serviceProvider = root.ServiceProvider
+        let authorizationService = serviceProvider.GetRequiredService<IAuthorizationService> ()
+        let principal = serviceProvider.GetRequiredService<IHttpContextAccessor>().HttpContext.User
+
+        let! authorizationResults =
+            policies
+            |> Seq.map (fun p -> authorizationService.AuthorizeAsync (principal, value, p))
+            |> Seq.toArray
+            |> Task.WhenAll
+            |> Async.AwaitTask
+
+        let requirements =
+            authorizationResults
+            |> Seq.where (fun r -> not r.Succeeded)
+            |> Seq.collect (fun r -> r.Failure.FailedRequirements)
+
+        if Seq.isEmpty requirements
+        then return Ok ()
+        else return Error "Forbidden"
+    }
+
+    [<Literal>]
+    let AuthorizationPolicy = "AuthorizationPolicy"
+
+    type FieldDef<'Val, 'Res> with
+
+        member this.WithPolicyMiddleware<'Val, 'Res> (middleware : FieldPolicyMiddleware<'Val, 'Res>) : FieldDef<'Val, 'Res> =
+            upcast CustomPolicyFieldDefinition (this, middleware)
+
+        member field.WithAuthorizationPolicies<'Val, 'Res> ([<ParamArray>] policies : string array) : FieldDef<'Val, 'Res> =
+
+            let middleware ctx value (resolver : ResolveFieldContext -> 'Val -> Async<'Res>) : Async<'Res> = async {
+                let! result = handlePolicies policies ctx value
+                match result with
+                | Ok _ -> return! resolver ctx value
+                | Error error -> return raise (GQLMessageException error)
+            }
+
+            field.WithPolicyMiddleware<'Val, 'Res> middleware
diff --git a/samples/star-wars-api/Policies.fs b/samples/star-wars-api/Policies.fs
@@ -0,0 +1,26 @@
+namespace FSharp.Data.GraphQL.Samples.StarWarsApi.Authorization
+
+open FSharp.Core
+open Microsoft.AspNetCore.Authorization
+
+module Policies =
+
+    let [<Literal>] CanSetMoon = "CanSetMoon"
+
+type IsCharacterRequierment (character : string list) =
+    member val Characters = character
+    interface IAuthorizationRequirement
+
+type IsCharacterHandler () =
+
+    inherit AuthorizationHandler<IsCharacterRequierment> () // Inject services from DI
+
+        override _.HandleRequirementAsync (context, requirement) =
+            Async.StartAsTask(async {
+                let allowedCharacters = requirement.Characters
+                if context.User.Claims
+                   |> Seq.where (fun c -> c.Type = "character")
+                   |> Seq.exists (fun c -> allowedCharacters |> List.contains c.Value)
+                then context.Succeed requirement
+                else () // Go to the next handler if registered
+            }) :> _
diff --git a/samples/star-wars-api/Root.fs b/samples/star-wars-api/Root.fs
@@ -0,0 +1,12 @@
+namespace FSharp.Data.GraphQL.Samples.StarWarsApi
+
+open System
+open Microsoft.AspNetCore.Http
+open Microsoft.Extensions.DependencyInjection
+
+type Root(ctx : HttpContext) =
+
+    member _.RequestId = ctx.TraceIdentifier
+    member _.RequestAborted: System.Threading.CancellationToken = ctx.RequestAborted
+    member _.ServiceProvider: IServiceProvider = ctx.RequestServices
+    member root.GetRequiredService<'t>() = root.ServiceProvider.GetRequiredService<'t>()
diff --git a/samples/star-wars-api/Schema.fs b/samples/star-wars-api/Schema.fs
@@ -1,20 +1,10 @@
 namespace FSharp.Data.GraphQL.Samples.StarWarsApi
 
-open System
-open Microsoft.AspNetCore.Http
-open Microsoft.Extensions.DependencyInjection
-
-type Root(ctx : HttpContext) =
-
-    member _.RequestId = ctx.TraceIdentifier
-    member _.RequestAborted: System.Threading.CancellationToken = ctx.RequestAborted
-    member _.ServiceProvider: IServiceProvider = ctx.RequestServices
-    member root.GetRequiredService<'t>() = root.ServiceProvider.GetRequiredService<'t>()
-
 open FSharp.Data.GraphQL
 open FSharp.Data.GraphQL.Types
 open FSharp.Data.GraphQL.Server.Relay
 open FSharp.Data.GraphQL.Server.Middleware
+open FsToolkit.ErrorHandling
 
 #nowarn "40"
 
@@ -277,24 +267,36 @@ module Schema =
 
     let schemaConfig = SchemaConfig.Default
 
+    open FSharp.Data.GraphQL.Samples.StarWarsApi.Middleware
+    open FSharp.Data.GraphQL.Samples.StarWarsApi.Authorization
+
     let Mutation =
         Define.Object<Root> (
             name = "Mutation",
-            fields =
-                [ Define.Field(
-                      "setMoon",
-                      Nullable PlanetType,
-                      "Defines if a planet is actually a moon or not.",
-                      [ Define.Input ("id", StringType); Define.Input ("isMoon", BooleanType) ],
-                      fun ctx _ ->
-                          getPlanet (ctx.Arg ("id"))
-                          |> Option.map (fun x ->
-                              x.SetMoon (Some (ctx.Arg ("isMoon"))) |> ignore
-                              schemaConfig.SubscriptionProvider.Publish<Planet> "watchMoon" x
-                              schemaConfig.LiveFieldSubscriptionProvider.Publish<Planet> "Planet" "isMoon" x
-                              x)
-                  )
-                ]
+            fields = [
+                let setMoon (ctx : ResolveFieldContext) (_ : Root) = option {
+                    let! planet = getPlanet (ctx.Arg ("id"))
+                    ignore (planet.SetMoon (Some (ctx.Arg ("isMoon"))))
+                    schemaConfig.SubscriptionProvider.Publish<Planet> "watchMoon" planet
+                    schemaConfig.LiveFieldSubscriptionProvider.Publish<Planet> "Planet" "isMoon" planet
+                    return planet
+                }
+                Define.Field(
+                    "setMoon",
+                    Nullable PlanetType,
+                    "Defines if a planet is actually a moon or not.",
+                    [ Define.Input ("id", StringType); Define.Input ("isMoon", BooleanType) ],
+                    setMoon
+                    // Using complex lambda crashes
+                    //(fun ctx _ -> option {
+                    //    let! planet = getPlanet (ctx.Arg ("id"))
+                    //    ignore (planet.SetMoon (Some (ctx.Arg ("isMoon"))))
+                    //    schemaConfig.SubscriptionProvider.Publish<Planet> "watchMoon" planet
+                    //    schemaConfig.LiveFieldSubscriptionProvider.Publish<Planet> "Planet" "isMoon" planet
+                    //    return planet
+                    //})
+                ).WithAuthorizationPolicies(Policies.CanSetMoon)
+            ]
         )
 
     let schema : ISchema<Root> = upcast Schema (Query, Mutation, Subscription, schemaConfig)
diff --git a/samples/star-wars-api/Startup.fs b/samples/star-wars-api/Startup.fs
@@ -2,6 +2,7 @@ namespace FSharp.Data.GraphQL.Samples.StarWarsApi
 
 open System
 open System.Threading.Tasks
+open Microsoft.AspNetCore.Authorization
 open Microsoft.AspNetCore.Builder
 open Microsoft.AspNetCore.Http
 open Microsoft.Extensions.Configuration
@@ -11,6 +12,7 @@ open Microsoft.Extensions.Hosting
 open Oxpecker
 open FSharp.Data.GraphQL.Server.AspNetCore
 open FSharp.Data.GraphQL.Server.AspNetCore.Oxpecker
+open FSharp.Data.GraphQL.Samples.StarWarsApi.Authorization
 
 type Startup private () =
 
@@ -28,6 +30,12 @@ type Startup private () =
 
     member _.ConfigureServices (services : IServiceCollection) : unit =
         services
+            .AddAuthorization(fun options ->
+                options.AddPolicy (
+                    Policies.CanSetMoon,
+                    (fun policy -> policy.Requirements.Add (IsCharacterRequierment (List.singleton "droid"))))
+                )
+            .AddScoped<IAuthorizationHandler, IsCharacterHandler>()
             .AddOxpecker()
             .AddGraphQL<Root> (Schema.executor, rootFactory, configure = configure)
         |> ignore
diff --git a/samples/star-wars-api/star-wars-api.fsproj b/samples/star-wars-api/star-wars-api.fsproj
@@ -17,6 +17,9 @@
 
   <ItemGroup>
     <None Include="ApplicationInsights.config" />
+    <Compile Include="Root.fs" />
+    <Compile Include="Policies.fs" />
+    <Compile Include="AuthorizationMiddleware.fs" />
     <Compile Include="Schema.fs" />
     <None Include="MultipartRequest.fs" />
     <Compile Include="Startup.fs" />
