Merge pull request #488 from fsprojects/authorization_middleware

Authorization middleware sample

Author: xperiandri

samples/star-wars-api/AuthorizationMiddleware.fs

@@ -0,0 +1,118 @@
+namespace FSharp.Data.GraphQL.Samples.StarWarsApi.Middleware
+
+open System
+open System.Threading.Tasks
+open Microsoft.FSharp.Quotations
+open Microsoft.FSharp.Quotations.Patterns
+open Microsoft.FSharp.Linq.RuntimeHelpers
+open Microsoft.AspNetCore.Authorization
+open Microsoft.AspNetCore.Http
+open Microsoft.Extensions.DependencyInjection
+
+open FSharp.Data.GraphQL
+open FSharp.Data.GraphQL.Types
+open FSharp.Data.GraphQL.Samples.StarWarsApi
+
+type FieldPolicyMiddleware<'Val, 'Res> = ResolveFieldContext -> 'Val -> (ResolveFieldContext -> 'Val -> Async<'Res>) -> Async<'Res>
+
+type internal CustomPolicyFieldDefinition<'Val, 'Res> (source : FieldDef<'Val, 'Res>, middleware : FieldPolicyMiddleware<'Val, 'Res>) =
+
+    interface FieldDef<'Val, 'Res> with
+
+        member _.Name = source.Name
+        member _.Description = source.Description
+        member _.DeprecationReason = source.DeprecationReason
+        member _.TypeDef = source.TypeDef
+        member _.Args = source.Args
+        member _.Metadata = source.Metadata
+        member _.Resolve =
+
+            let changeAsyncResolver expr =
+                let expr =
+                    match expr with
+                    | WithValue (_, _, e) -> e
+                    | _ -> failwith "Unexpected resolver expression."
+                let resolver =
+                    <@ fun ctx input -> middleware ctx input (%%expr : ResolveFieldContext -> 'Val -> Async<'Res>) @>
+                let compiledResolver = LeafExpressionConverter.EvaluateQuotation resolver
+                Expr.WithValue (compiledResolver, resolver.Type, resolver)
+
+            let changeSyncResolver expr =
+                let expr =
+                    match expr with
+                    | WithValue (_, _, e) -> e
+                    | _ -> failwith "Unexpected resolver expression."
+                let resolver =
+                    <@
+                        fun ctx input ->
+                            middleware ctx input (fun ctx input ->
+                                ((%%expr : ResolveFieldContext -> 'Val -> 'Res) ctx input)
+                                |> async.Return)
+                    @>
+                try
+                    let compiledResolver = LeafExpressionConverter.EvaluateQuotation resolver
+                    Expr.WithValue (compiledResolver, resolver.Type, resolver)
+                with :? NotSupportedException as ex ->
+                    let message =
+                        $"F# compiler cannot convert '{source.Name}' field resolver expression to LINQ, use function instead"
+                    raise (NotSupportedException (message, ex))
+
+            match source.Resolve with
+            | Sync (input, output, expr) -> Async (input, output, changeSyncResolver expr)
+            | Async (input, output, expr) -> Async (input, output, changeAsyncResolver expr)
+            | Undefined -> failwith "Field has no resolve function."
+            | x -> failwith <| sprintf "Resolver '%A' is not supported." x
+
+    interface IEquatable<FieldDef> with
+        member _.Equals (other) = source.Equals (other)
+
+    override _.Equals y = source.Equals y
+    override _.GetHashCode () = source.GetHashCode ()
+    override _.ToString () = source.ToString ()
+
+[<AutoOpen>]
+module TypeSystemExtensions =
+
+    let handlePolicies (policies : string array) (ctx : ResolveFieldContext) value = async {
+
+        let root : Root = downcast ctx.Context.RootValue
+        let serviceProvider = root.ServiceProvider
+        let authorizationService = serviceProvider.GetRequiredService<IAuthorizationService> ()
+        let principal = serviceProvider.GetRequiredService<IHttpContextAccessor>().HttpContext.User
+
+        let! authorizationResults =
+            policies
+            |> Seq.map (fun p -> authorizationService.AuthorizeAsync (principal, value, p))
+            |> Seq.toArray
+            |> Task.WhenAll
+            |> Async.AwaitTask
+
+        let failedRequirements =
+            authorizationResults
+            |> Seq.where (fun r -> not r.Succeeded)
+            |> Seq.collect (fun r -> r.Failure.FailedRequirements)
+
+        if Seq.isEmpty failedRequirements then
+            return Ok ()
+        else
+            return Error "Forbidden"
+    }
+
+    [<Literal>]
+    let AuthorizationPolicy = "AuthorizationPolicy"
+
+    type FieldDef<'Val, 'Res> with
+
+        member field.WithPolicyMiddleware<'Val, 'Res> (middleware : FieldPolicyMiddleware<'Val, 'Res>) : FieldDef<'Val, 'Res> =
+            upcast CustomPolicyFieldDefinition (field, middleware)
+
+        member field.WithAuthorizationPolicies<'Val, 'Res> ([<ParamArray>] policies : string array) : FieldDef<'Val, 'Res> =
+
+            let middleware ctx value (resolver : ResolveFieldContext -> 'Val -> Async<'Res>) : Async<'Res> = async {
+                let! result = handlePolicies policies ctx value
+                match result with
+                | Ok _ -> return! resolver ctx value
+                | Error error -> return raise (GQLMessageException error)
+            }
+
+            field.WithPolicyMiddleware<'Val, 'Res> middleware

samples/star-wars-api/Policies.fs

@@ -0,0 +1,38 @@
+namespace FSharp.Data.GraphQL.Samples.StarWarsApi.Authorization
+
+open System.Threading.Tasks
+open FSharp.Core
+open Microsoft.AspNetCore.Authorization
+
+module Policies =
+
+    let [<Literal>] Dummy = "Dummy"
+    let [<Literal>] CanSetMoon = "CanSetMoon"
+
+type DummyRequirement () = interface IAuthorizationRequirement
+
+type DummyHandler () =
+
+    inherit AuthorizationHandler<DummyRequirement> ()
+
+    override _.HandleRequirementAsync (context, requirement) =
+        context.Succeed requirement
+        Task.CompletedTask
+
+type IsCharacterRequirement (character : string Set) =
+    member val Characters = character
+    interface IAuthorizationRequirement
+
+type IsCharacterHandler () =
+
+    inherit AuthorizationHandler<IsCharacterRequirement> () // Inject services from DI
+
+    override _.HandleRequirementAsync (context, requirement) =
+        Async.StartImmediateAsTask(async {
+            let allowedCharacters = requirement.Characters
+            if context.User.Claims
+                |> Seq.where (fun c -> c.Type = "character")
+                |> Seq.exists (fun c -> allowedCharacters |> Set.contains c.Value)
+            then context.Succeed requirement
+            else () // Go to the next handler if registered
+        }) :> _

samples/star-wars-api/Root.fs

@@ -0,0 +1,12 @@
+namespace FSharp.Data.GraphQL.Samples.StarWarsApi
+
+open System
+open Microsoft.AspNetCore.Http
+open Microsoft.Extensions.DependencyInjection
+
+type Root(ctx : HttpContext) =
+
+    member _.RequestId = ctx.TraceIdentifier
+    member _.RequestAborted: System.Threading.CancellationToken = ctx.RequestAborted
+    member _.ServiceProvider: IServiceProvider = ctx.RequestServices
+    member root.GetRequiredService<'t>() = root.ServiceProvider.GetRequiredService<'t>()

samples/star-wars-api/Schema.fs

@@ -1,20 +1,10 @@
 namespace FSharp.Data.GraphQL.Samples.StarWarsApi
 
-open System
-open Microsoft.AspNetCore.Http
-open Microsoft.Extensions.DependencyInjection
-
-type Root(ctx : HttpContext) =
-
-    member _.RequestId = ctx.TraceIdentifier
-    member _.RequestAborted: System.Threading.CancellationToken = ctx.RequestAborted
-    member _.ServiceProvider: IServiceProvider = ctx.RequestServices
-    member root.GetRequiredService<'t>() = root.ServiceProvider.GetRequiredService<'t>()
-
 open FSharp.Data.GraphQL
 open FSharp.Data.GraphQL.Types
 open FSharp.Data.GraphQL.Server.Relay
 open FSharp.Data.GraphQL.Server.Middleware
+open FsToolkit.ErrorHandling
 
 #nowarn "40"
 
@@ -277,24 +267,39 @@ module Schema =
 
     let schemaConfig = SchemaConfig.Default
 
+    open FSharp.Data.GraphQL.Samples.StarWarsApi.Middleware
+    open FSharp.Data.GraphQL.Samples.StarWarsApi.Authorization
+
     let Mutation =
         Define.Object<Root> (
             name = "Mutation",
-            fields =
-                [ Define.Field(
-                      "setMoon",
-                      Nullable PlanetType,
-                      "Defines if a planet is actually a moon or not.",
-                      [ Define.Input ("id", StringType); Define.Input ("isMoon", BooleanType) ],
-                      fun ctx _ ->
-                          getPlanet (ctx.Arg ("id"))
-                          |> Option.map (fun x ->
-                              x.SetMoon (Some (ctx.Arg ("isMoon"))) |> ignore
-                              schemaConfig.SubscriptionProvider.Publish<Planet> "watchMoon" x
-                              schemaConfig.LiveFieldSubscriptionProvider.Publish<Planet> "Planet" "isMoon" x
-                              x)
-                  )
-                ]
+            fields = [
+                let setMoon (ctx : ResolveFieldContext) (_ : Root) = option {
+                    let! planet = getPlanet (ctx.Arg ("id"))
+                    ignore (planet.SetMoon (Some (ctx.Arg ("isMoon"))))
+                    ctx.Schema.SubscriptionProvider.Publish<Planet> "watchMoon" planet
+                    ctx.Schema.LiveFieldSubscriptionProvider.Publish<Planet> "Planet" "isMoon" planet
+                    return planet
+                }
+                Define.Field(
+                    "setMoon",
+                    Nullable PlanetType,
+                    "Defines if a planet is actually a moon or not.",
+                    [ Define.Input ("id", StringType); Define.Input ("isMoon", BooleanType) ],
+                    setMoon
+                    // Using complex lambda crashes
+                    //(fun ctx _ -> option {
+                    //    let! planet = getPlanet (ctx.Arg ("id"))
+                    //    let planet = planet.SetMoon (Some (ctx.Arg ("isMoon")))
+                    //    ctx.Schema.SubscriptionProvider.Publish<Planet> "watchMoon" planet
+                    //    ctx.Schema.LiveFieldSubscriptionProvider.Publish<Planet> "Planet" "isMoon" planet
+                    //    return planet
+                    //})
+                // For demo purposes of authorization
+                //).WithAuthorizationPolicies(Policies.CanSetMoon)
+                // For build verification purposes
+                ).WithAuthorizationPolicies(Policies.Dummy)
+            ]
         )
 
     let schema : ISchema<Root> = upcast Schema (Query, Mutation, Subscription, schemaConfig)

samples/star-wars-api/Startup.fs

@@ -2,6 +2,7 @@ namespace FSharp.Data.GraphQL.Samples.StarWarsApi
 
 open System
 open System.Threading.Tasks
+open Microsoft.AspNetCore.Authorization
 open Microsoft.AspNetCore.Builder
 open Microsoft.AspNetCore.Http
 open Microsoft.Extensions.Configuration
@@ -11,6 +12,7 @@ open Microsoft.Extensions.Hosting
 open Oxpecker
 open FSharp.Data.GraphQL.Server.AspNetCore
 open FSharp.Data.GraphQL.Server.AspNetCore.Oxpecker
+open FSharp.Data.GraphQL.Samples.StarWarsApi.Authorization
 
 type Startup private () =
 
@@ -28,6 +30,14 @@ type Startup private () =
 
     member _.ConfigureServices (services : IServiceCollection) : unit =
         services
+            .AddAuthorization(fun options ->
+                options.AddPolicy (Policies.Dummy, fun policy -> policy.Requirements.Add (DummyRequirement ()))
+                options.AddPolicy(
+                    Policies.CanSetMoon,
+                    (fun policy -> policy.Requirements.Add (IsCharacterRequirement (Set.singleton "droid"))))
+                )
+            .AddScoped<IAuthorizationHandler, DummyHandler>()
+            .AddScoped<IAuthorizationHandler, IsCharacterHandler>()
             .AddOxpecker()
             .AddGraphQL<Root> (Schema.executor, rootFactory, configure = configure)
         |> ignore

samples/star-wars-api/star-wars-api.fsproj

@@ -17,6 +17,9 @@
 
   <ItemGroup>
     <None Include="ApplicationInsights.config" />
+    <Compile Include="Root.fs" />
+    <Compile Include="Policies.fs" />
+    <Compile Include="AuthorizationMiddleware.fs" />
     <Compile Include="Schema.fs" />
     <None Include="MultipartRequest.fs" />
     <Compile Include="Startup.fs" />

src/FSharp.Data.GraphQL.Server.AspNetCore/GraphQLRequestHandler.fs

@@ -232,7 +232,7 @@ type GraphQLRequestHandler<'Root> (
         let root = options.CurrentValue.RootFactory ctx
 
         let! result =
-            Async.StartAsTask(
+            Async.StartImmediateAsTask(
                 executor.AsyncExecute(content.Ast, root, ?variables = variables, ?operationName = operationName),
                 cancellationToken = ctx.RequestAborted
             )

src/FSharp.Data.GraphQL.Shared/AsyncVal.fs

@@ -62,7 +62,7 @@ module AsyncVal =
     let toTask (x : AsyncVal<'T>) =
         match x with
         | Value v -> Task.FromResult (v)
-        | Async a -> Async.StartAsTask (a)
+        | Async a -> Async.StartImmediateAsTask (a)
         | Failure f -> Task.FromException<'T> (f)
 
     /// Returns an empty AsyncVal with immediatelly executed value.