Merge pull request #58 from fossapps/directive

feat(directive): add require permission directive

Author: cyberhck

Micro.Auth.Api/GraphQL/AuthSchema.cs

@@ -11,7 +11,9 @@ public AuthSchema(IServiceProvider services, Query query, Mutation mutation) : b
             Query = query;
             Mutation = mutation;
             Directives.Register(new AuthorizeDirective());
+            Directives.Register(new RequirePermissionDirective());
             RegisterVisitor(typeof(AuthorizeDirectiveVisitor));
+            RegisterVisitor(typeof(RequirePermissionDirectiveVisitor));
         }
     }
 }

Micro.Auth.Api/GraphQL/Directives/AuthorizeDirective.cs

@@ -46,7 +46,7 @@ public override void VisitObjectFieldDefinition(FieldType field, IObjectGraphTyp
 
             field.Resolver = new AsyncFieldResolver<object>(async context =>
             {
-                throw new NotAuthorizedException();
+                throw new NotAuthenticatedException();
             });
         }
     }

Micro.Auth.Api/GraphQL/Directives/Exceptions/NotAuthenticatedException.cs

@@ -0,0 +1,11 @@
+using System;
+
+namespace Micro.Auth.Api.GraphQL.Directives.Exceptions
+{
+    public class NotAuthenticatedException : Exception
+    {
+        public NotAuthenticatedException() : base("This operation requires logging in")
+        {
+        }
+    }
+}

Micro.Auth.Api/GraphQL/Directives/Exceptions/NotAuthorizedException.cs

@@ -4,7 +4,7 @@ namespace Micro.Auth.Api.GraphQL.Directives.Exceptions
 {
     public class NotAuthorizedException : Exception
     {
-        public NotAuthorizedException() : base("This operation requires logging in")
+        public NotAuthorizedException() : base("You do not have sufficient permission to perform this operation")
         {
         }
     }

Micro.Auth.Api/GraphQL/Directives/Extensions/Directives.cs

@@ -14,5 +14,32 @@ public static FieldBuilder<TSourceType, TReturnType> Authorize<TSourceType, TRet
         {
             return type.Directive(AuthorizeDirective.DirectiveName);
         }
+
+        public static FieldType RequirePermission(this FieldType type, string permission)
+        {
+            return type.ApplyDirective(RequirePermissionDirective.DirectiveName, "permission", permission);
+        }
+
+        public static FieldBuilder<TSourceType, TReturnType> RequirePermission<TSourceType, TReturnType>(
+            this FieldBuilder<TSourceType, TReturnType> type, string permission)
+        {
+            return type.Directive(RequirePermissionDirective.DirectiveName, "permission", permission);
+        }
+
+        public static string? GetAppliedPermission(this FieldType fieldType)
+        {
+            var applied = fieldType.FindAppliedDirective(RequirePermissionDirective.DirectiveName);
+            if (applied == null)
+            {
+                return null;
+            }
+            var arg = applied.FindArgument("permission");
+            if (arg.Name == "permission")
+            {
+                return (string) arg.Value;
+            }
+
+            return null;
+        }
     }
 }

Micro.Auth.Api/GraphQL/Directives/RequirePermissionDirective.cs

@@ -0,0 +1,52 @@
+using GraphQL.Resolvers;
+using GraphQL.Types;
+using GraphQL.Utilities;
+using Micro.Auth.Api.GraphQL.Directives.Exceptions;
+using Micro.Auth.Api.GraphQL.Directives.Extensions;
+using Microsoft.AspNetCore.Http;
+
+namespace Micro.Auth.Api.GraphQL.Directives
+{
+    public class RequirePermissionDirective : DirectiveGraphType
+    {
+        public const string DirectiveName = "requirePermission";
+
+        public RequirePermissionDirective() : base(
+            DirectiveName,
+            DirectiveLocation.Field,
+            DirectiveLocation.Mutation,
+            DirectiveLocation.Query,
+            DirectiveLocation.FieldDefinition)
+        {
+        }
+    }
+    public class RequirePermissionDirectiveVisitor : BaseSchemaNodeVisitor
+    {
+        private readonly IHttpContextAccessor _contextAccessor;
+
+        public RequirePermissionDirectiveVisitor(IHttpContextAccessor contextAccessor)
+        {
+            _contextAccessor = contextAccessor;
+        }
+        public override void VisitObjectFieldDefinition(FieldType field, IObjectGraphType type, ISchema schema)
+        {
+            var permission = field.GetAppliedPermission();
+            if (permission == null)
+            {
+                return;
+            }
+
+            var isAuthorized = _contextAccessor
+                .HttpContext
+                ?.User
+                .HasClaim(x => x.Type == "Permission" && x.Value == permission);
+
+            if (isAuthorized == true)
+            {
+                return;
+            }
+
+            field.Resolver = new AsyncFieldResolver<object>(async context => throw new NotAuthorizedException());
+        }
+    }
+}