add mutation auth tests

sourabh1007 · sourabh1007 · commit a3c4d18a7d09 · 2024-02-13T21:15:53.000+05:30
diff --git a/src/Service.Tests/CosmosTests/MutationTests.cs b/src/Service.Tests/CosmosTests/MutationTests.cs
@@ -13,12 +13,10 @@
 using Azure.DataApiBuilder.Core.Configurations;
 using Azure.DataApiBuilder.Core.Resolvers;
 using Azure.DataApiBuilder.Service.Exceptions;
-using Azure.DataApiBuilder.Service.GraphQLBuilder.Queries;
 using Azure.DataApiBuilder.Service.Tests.Configuration;
 using Microsoft.AspNetCore.TestHost;
 using Microsoft.Azure.Cosmos;
 using Microsoft.Extensions.DependencyInjection;
-using Microsoft.OData.UriParser;
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 
 namespace Azure.DataApiBuilder.Service.Tests.CosmosTests
@@ -255,62 +253,76 @@ public async Task MutationMissingRequiredPartitionKeyValueReturnError()
         }
 
         /// <summary>
-        /// Mutation can be performed on the authorized fields because the
-        /// field `id` is an included field for the create operation on the anonymous role defined
-        /// for entity 'earth'
+        /// Create Mutation performed on the fields with different auth permissions
+        /// It throws permission denied error if role doesn't have permission to perform the operation
         /// </summary>
         [TestMethod]
-        public async Task CanCreateItemWithAuthorizedFields()
+        [DataRow("field-mutation-with-read-permission", DataApiBuilderException.GRAPHQL_MUTATION_FIELD_AUTHZ_FAILURE)] // exclude and include fields
+        [DataRow("authenticated", null)] // full permission
+        [DataRow("only-create-role", "The mutation operation createEarth was successful but the current user is unauthorized to view the response due to lack of read permissions")] // if only create permission is there
+        [DataRow("wildcard-exclude-fields-role", DataApiBuilderException.GRAPHQL_MUTATION_FIELD_AUTHZ_FAILURE)] // exclude wildcard
+        [DataRow("only-update-role", "The current user is not authorized to access this resource" )] // if create permission is not there
+        public async Task CreateItemWithAuthPermissions(string roleName, string expectedErrorMessage)
         {
             // Run mutation Add Earth;
             string id = Guid.NewGuid().ToString();
+            const string name = "test_name";
             string mutation = $@"
 mutation {{
-    createEarth (item: {{ id: ""{id}"" }}) {{
+    createEarth (item: {{ id: ""{id}"", name: ""{name}"" }}) {{
         id
+        name
     }}
 }}";
-            JsonElement response = await ExecuteGraphQLRequestAsync("createEarth", mutation, variables: new());
+            string authtoken = AuthTestHelper.CreateStaticWebAppsEasyAuthToken(specificRole: roleName);
+            JsonElement response = await ExecuteGraphQLRequestAsync("createEarth", mutation, variables: new(), authToken: authtoken, clientRoleHeader: roleName);
 
-            // Validate results
-            Assert.AreEqual(id, response.GetProperty("id").GetString());
+            // Validate the result contains the GraphQL authorization error code.
+            Console.WriteLine(response.ToString());
+            if (string.IsNullOrEmpty(expectedErrorMessage))
+            {
+                Assert.AreEqual(id, response.GetProperty("id").GetString());
+            }
+            else
+            {
+                // Validate the result contains the GraphQL authorization error code.
+                string errorMessage = response.ToString();
+                Assert.IsTrue(errorMessage.Contains(expectedErrorMessage));
+            }
         }
 
         /// <summary>
-        /// Mutation performed on the unauthorized fields throws permission denied error because the
-        /// field `name` is an excluded field for the create operation on the anonymous role defined
-        /// for entity 'earth'
+        /// Update Mutation performed on the fields with different auth permissions
+        /// It throws permission denied error if role doesn't have permission to perform the operation
         /// </summary>
         [TestMethod]
-        public async Task CreateItemWithUnauthorizedFieldsReturnsError()
+        [DataRow("field-mutation-with-read-permission", DataApiBuilderException.GRAPHQL_MUTATION_FIELD_AUTHZ_FAILURE)] // exclude and include fields
+        [DataRow("authenticated", null)] // full permission
+        [DataRow("only-update-role", "The mutation operation updateEarth was successful but the current user is unauthorized to view the response due to lack of read permissions")] // if only update permission is there
+        [DataRow("wildcard-exclude-fields-role", DataApiBuilderException.GRAPHQL_MUTATION_FIELD_AUTHZ_FAILURE)] // exclude wildcard
+        [DataRow("only-create-role", "The current user is not authorized to access this resource")] // if update permission is not there
+        public async Task UpdateItemWithAuthPermissions(string roleName, string expectedErrorMessage)
         {
-            // Run mutation Add Earth;
+            // Create an item with "Authenticated" role
             string id = Guid.NewGuid().ToString();
             const string name = "test_name";
-            string mutation = $@"
+            string createMutation = $@"
 mutation {{
     createEarth (item: {{ id: ""{id}"", name: ""{name}"" }}) {{
         id
         name
     }}
 }}";
-            JsonElement response = await ExecuteGraphQLRequestAsync("createEarth", mutation, variables: new());
 
-            // Validate the result contains the GraphQL authorization error code.
-            string errorMessage = response.ToString();
-            Assert.IsTrue(errorMessage.Contains(DataApiBuilderException.GRAPHQL_MUTATION_FIELD_AUTHZ_FAILURE));
-        }
+            JsonElement createResponse = await ExecuteGraphQLRequestAsync("createEarth", createMutation,
+                variables: new(),
+                authToken: AuthTestHelper.CreateStaticWebAppsEasyAuthToken(specificRole: AuthorizationType.Authenticated.ToString()),
+                clientRoleHeader: AuthorizationType.Authenticated.ToString());
+
+            // Making sure item is created successfully
+            Assert.AreEqual(id, createResponse.GetProperty("id").GetString());
 
-        /// <summary>
-        /// Mutation performed on the unauthorized fields throws permission denied error because the
-        /// wildcard is used in the excluded field for the update operation on the anonymous role defined
-        /// for entity 'earth'
-        /// </summary>
-        [TestMethod]
-        public async Task UpdateItemWithUnauthorizedWildCardReturnsError()
-        {
             // Run mutation Update Earth;
-            string id = Guid.NewGuid().ToString();
             string mutation = @"
 mutation ($id: ID!, $partitionKeyValue: String!, $item: UpdateEarthInput!) {
     updateEarth (id: $id, _partitionKeyValue: $partitionKeyValue, item: $item) {
@@ -324,11 +336,83 @@ public async Task UpdateItemWithUnauthorizedWildCardReturnsError()
                 name = "new_name"
             };
 
-            JsonElement response = await ExecuteGraphQLRequestAsync("updateEarth", mutation, variables: new() { { "id", id }, { "partitionKeyValue", id }, { "item", update } });
+            string authtoken = AuthTestHelper.CreateStaticWebAppsEasyAuthToken(specificRole: roleName);
+            JsonElement response = await ExecuteGraphQLRequestAsync(
+                queryName: "updateEarth",
+                query: mutation,
+                variables: new() { { "id", id }, { "partitionKeyValue", id }, { "item", update } },
+                authToken: authtoken,
+                clientRoleHeader: roleName);
 
-            // Validate the result contains the GraphQL authorization error code.
-            string errorMessage = response.ToString();
-            Assert.IsTrue(errorMessage.Contains(DataApiBuilderException.GRAPHQL_MUTATION_FIELD_AUTHZ_FAILURE));
+            if (string.IsNullOrEmpty(expectedErrorMessage))
+            {
+                Assert.AreEqual(id, response.GetProperty("id").GetString());
+            }
+            else
+            {
+                // Validate the result contains the GraphQL authorization error code.
+                string errorMessage = response.ToString();
+                Assert.IsTrue(errorMessage.Contains(expectedErrorMessage));
+            }
+        }
+
+        /// <summary>
+        /// Delete Mutation performed on the fields with different auth permissions
+        /// It throws permission denied error if role doesn't have permission to perform the operation
+        /// </summary>
+        [TestMethod]
+        [DataRow("field-mutation-with-read-permission", null)] // exclude and include fields. Response is BLANK.
+        [DataRow("authenticated", null)] // full permission. Response is BLANK
+        [DataRow("only-delete-role", "The mutation operation deleteEarth was successful but the current user is unauthorized to view the response due to lack of read permissions")] // if only update permission is there
+        [DataRow("wildcard-exclude-fields-role", "The mutation operation deleteEarth was successful but the current user is unauthorized to view the response due to lack of read permissions")] // exclude wildcard
+        [DataRow("only-create-role", "The current user is not authorized to access this resource")] // if update permission is not there
+        public async Task DeleteItemWithAuthPermissions(string roleName, string expectedErrorMessage)
+        {
+            // Create an item with "Authenticated" role
+            string id = Guid.NewGuid().ToString();
+            const string name = "test_name";
+            string createMutation = $@"
+mutation {{
+    createEarth (item: {{ id: ""{id}"", name: ""{name}"" }}) {{
+        id
+        name
+    }}
+}}";
+
+            JsonElement createResponse = await ExecuteGraphQLRequestAsync("createEarth", createMutation,
+                variables: new(),
+                authToken: AuthTestHelper.CreateStaticWebAppsEasyAuthToken(specificRole: AuthorizationType.Authenticated.ToString()),
+                clientRoleHeader: AuthorizationType.Authenticated.ToString());
+
+            // Making sure item is created successfully
+            Assert.AreEqual(id, createResponse.GetProperty("id").GetString());
+
+            // Run mutation Update Earth;
+            string mutation = @"
+mutation ($id: ID!, $partitionKeyValue: String!) {
+    deleteEarth (id: $id, _partitionKeyValue: $partitionKeyValue) {
+        id
+        name
+     }
+}";
+            string authtoken = AuthTestHelper.CreateStaticWebAppsEasyAuthToken(specificRole: roleName);
+            JsonElement response = await ExecuteGraphQLRequestAsync(
+                queryName: "deleteEarth",
+                query: mutation,
+                variables: new() { { "id", id }, { "partitionKeyValue", id }},
+                authToken: authtoken,
+                clientRoleHeader: roleName);
+
+            if (string.IsNullOrEmpty(expectedErrorMessage))
+            {
+                Assert.IsTrue(string.IsNullOrEmpty(response.ToString()));
+            }
+            else
+            {
+                // Validate the result contains the GraphQL authorization error code.
+                string errorMessage = response.ToString();
+                Assert.IsTrue(errorMessage.Contains(expectedErrorMessage));
+            }
         }
 
         /// <summary>
@@ -649,7 +733,7 @@ public void TestFixtureTearDown()
         {
             CosmosClientProvider cosmosClientProvider = _application.Services.GetService<CosmosClientProvider>();
             CosmosClient cosmosClient = cosmosClientProvider.Clients[cosmosClientProvider.RuntimeConfigProvider.GetConfig().GetDefaultDataSourceName()];
-           // cosmosClient.GetDatabase(DATABASE_NAME).GetContainer(_containerName).DeleteContainerAsync().Wait();
+            cosmosClient.GetDatabase(DATABASE_NAME).GetContainer(_containerName).DeleteContainerAsync().Wait();
         }
     }
 }
diff --git a/src/Service.Tests/dab-config.CosmosDb_NoSql.json b/src/Service.Tests/dab-config.CosmosDb_NoSql.json
@@ -277,18 +277,41 @@
       },
       "permissions": [
         {
-          "role": "anonymous",
+          "role": "authenticated",
           "actions": [
             {
-              "action": "update",
+              "action": "create"
+            },
+            {
+              "action": "read"
+            },
+            {
+              "action": "update"
+            },
+            {
+              "action": "delete"
+            }
+          ]
+        },
+        {
+          "role": "field-mutation-with-read-permission",
+          "actions": [
+            {
+              "action": "read"
+            },
+            {
+              "action": "create",
               "fields": {
                 "exclude": [
-                  "*"
+                  "name"
+                ],
+                "include": [
+                  "id"
                 ]
               }
             },
             {
-              "action": "read",
+              "action": "update",
               "fields": {
                 "exclude": [
                   "name"
@@ -300,33 +323,68 @@
               }
             },
             {
-              "action": "create",
+              "action": "delete",
               "fields": {
                 "exclude": [
                   "name"
                 ],
                 "include": [
-                  "id"
+                  "id",
+                  "type"
                 ]
               }
-            },
-            {
-              "action": "delete"
             }
           ]
         },
         {
-          "role": "authenticated",
+          "role": "wildcard-exclude-fields-role",
           "actions": [
             {
-              "action": "create"
+              "action": "update",
+              "fields": {
+                "exclude": [
+                  "*"
+                ]
+              }
             },
             {
-              "action": "read"
+              "action": "create",
+              "fields": {
+                "exclude": [
+                  "*"
+                ]
+              }
             },
+            {
+              "action": "delete",
+              "fields": {
+                "exclude": [
+                  "*"
+                ]
+              }
+            }
+
+          ]
+        },
+        {
+          "role": "only-create-role",
+          "actions": [
+            {
+              "action": "create"
+            }
+          ]
+        },
+        {
+          "role": "only-update-role",
+          "actions": [
             {
               "action": "update"
-            },
+            }
+          ]
+        },
+        {
+          "role": "only-delete-role",
+          "actions": [
             {
               "action": "delete"
             }
