Add support for Cosmos field level auth (#1468)

## Why make this change?

- Closes #1434, related discussion #1423 .
- Changes to add support for Cosmos to check field level auth for query
filter and query nested filter.
- Changes to add support for Cosmos to check field level auth for
mutation operation.
- Note: current mutation field auth support only check one level down,
will have a follow up PR to check nested field auth for mutations.

## What is this change?

- Enable ```GraphQLFilterParser``` for Cosmos. 
- Resolve ```WILDCARD``` and parse all the columns from schema.gql
- Parse ```Included``` and ```Excluded``` columns from runtime config by
injecting``` AuthorizationResolver``` into the
```CosmosMutationEngine``` to make a call to check the columns. 

## How was this tested?

- [x] Integration Tests
- [x] Unit Tests

Author: tarazou9

config-generators/cosmosdb_nosql-commands.txt

@@ -1,8 +1,15 @@
 init --config "dab-config.CosmosDb_NoSql.json" --database-type "cosmosdb_nosql" --connection-string "AccountEndpoint=https://localhost:8081/;AccountKey=C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==" --cosmosdb_nosql-database "graphqldb" --cosmosdb_nosql-container "planet" --graphql-schema "schema.gql" --host-mode Development --cors-origin "http://localhost:5000"
 add Planet --config "dab-config.CosmosDb_NoSql.json" --source "graphqldb.planet" --permissions "anonymous:create,read,update,delete" --graphql "Planet:Planets"
+update Planet --config "dab-config.CosmosDb_NoSql.json" --permissions "anonymous:read" --fields.include "*"
 update Planet --config "dab-config.CosmosDb_NoSql.json" --permissions "authenticated:create,read,update,delete"
-add Character --config "dab-config.CosmosDb_NoSql.json" --source "graphqldb.character" --permissions "authenticated:create,read,update,delete" --graphql "Character:Characters"
+add Character --config "dab-config.CosmosDb_NoSql.json" --source "graphqldb.character" --permissions "anonymous:create,read,update,delete" --graphql "Character:Characters"
 add StarAlias --config "dab-config.CosmosDb_NoSql.json" --source "graphqldb.star" --permissions "anonymous:create,read,update,delete" --graphql "Star:Stars"
 update StarAlias --config "dab-config.CosmosDb_NoSql.json" --source "graphqldb.star" --permissions "authenticated:create,read,update,delete"
+add TagAlias --config "dab-config.CosmosDb_NoSql.json" --source "graphqldb.tag" --permissions "anonymous:create,read,update,delete" --graphql "Tag:Tags"
 add Moon --config "dab-config.CosmosDb_NoSql.json" --source "graphqldb.moon" --permissions "anonymous:create,read,update,delete" --graphql true
 update Moon --config "dab-config.CosmosDb_NoSql.json" --source "graphqldb.moon" --permissions "authenticated:create,read,update,delete"
+add Earth --config "dab-config.CosmosDb_NoSql.json" --source "graphqldb.earth" --permissions "anonymous:delete" --graphql "Earth:Earths"
+update Earth --config "dab-config.CosmosDb_NoSql.json" --permissions "anonymous:create" --fields.include "id" --fields.exclude "name"
+update Earth --config "dab-config.CosmosDb_NoSql.json" --permissions "anonymous:read" --fields.include "id,type" --fields.exclude "name"
+update Earth --config "dab-config.CosmosDb_NoSql.json" --permissions "anonymous:update" --fields.exclude "*"
+update Earth --config "dab-config.CosmosDb_NoSql.json" --permissions "authenticated:create,read,update,delete"

src/Config/DataApiBuilderException.cs

@@ -17,6 +17,7 @@ public class DataApiBuilderException : Exception
         public const string GRAPHQL_FILTER_ENTITY_AUTHZ_FAILURE = "Access forbidden to the target entity described in the filter.";
         public const string GRAPHQL_FILTER_FIELD_AUTHZ_FAILURE = "Access forbidden to a field referenced in the filter.";
         public const string AUTHORIZATION_FAILURE = "Authorization Failure: Access Not Allowed.";
+        public const string GRAPHQL_MUTATION_FIELD_AUTHZ_FAILURE = "Unauthorized due to one or more fields in this mutation.";
 
         public enum SubStatusCodes
         {

src/Service.Tests/Configuration/ConfigurationTests.cs

@@ -300,23 +300,6 @@ public async Task TestInvalidConfigurationAtRuntime()
             Assert.AreEqual(HttpStatusCode.BadRequest, postResult.StatusCode);
         }
 
-        [TestMethod("Validates containing field permission in configuration returns a bad request."), TestCategory(TestCategory.COSMOSDBNOSQL)]
-        public async Task TestInvalidConfigurationWithFieldPermission()
-        {
-            TestServer server = new(Program.CreateWebHostFromInMemoryUpdateableConfBuilder(Array.Empty<string>()));
-            HttpClient httpClient = server.CreateClient();
-
-            ConfigurationPostParameters config = GetCosmosConfigurationParameters();
-            config = config with
-            {
-                Configuration = "{\"$schema\":\"dab.draft.schema.json\",\"data-source\":{\"database-type\":\"cosmosdb_nosql\",\"options\":{\"database\":\"graphqldb\",\"schema\":\"schema.gql\"}},\"entities\":{\"Planet\":{\"source\":\"graphqldb.planet\",\"graphql\":{\"type\":{\"singular\":\"Planet\",\"plural\":\"Planets\"}},\"permissions\":[{\"role\":\"anonymous\",\"actions\":[{\"action\":\"read\",\"fields\":{\"include\":[\"*\"],\"exclude\":[]}}]}]}}}"
-            };
-
-            HttpResponseMessage postResult =
-                await httpClient.PostAsync("/configuration", JsonContent.Create(config));
-            Assert.AreEqual(HttpStatusCode.BadRequest, postResult.StatusCode);
-        }
-
         [TestMethod("Validates a failure in one of the config updated handlers returns a bad request."), TestCategory(TestCategory.COSMOSDBNOSQL)]
         public async Task TestSettingFailureConfigurations()
         {

src/Service.Tests/CosmosTests/CosmosTestHelper.cs

@@ -58,6 +58,11 @@ public static object GetItem(string id, string name = null, int numericVal = 4)
                     name = "first moon",
                     details = "12 Craters"
                 },
+                earth = new
+                {
+                    id = id,
+                    name = "blue earth"
+                },
                 tags = new[] { "tag1", "tag2" }
             };
         }

src/Service.Tests/CosmosTests/MutationTests.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Text.Json;
 using System.Threading.Tasks;
+using Azure.DataApiBuilder.Service.Exceptions;
 using Azure.DataApiBuilder.Service.Resolvers;
 using Microsoft.Azure.Cosmos;
 using Microsoft.Extensions.DependencyInjection;
@@ -42,6 +43,7 @@ public static void TestFixtureSetup(TestContext context)
             cosmosClient.GetDatabase(DATABASE_NAME).CreateContainerIfNotExistsAsync(_containerName, "/id").Wait();
             CreateItems(DATABASE_NAME, _containerName, 10);
             OverrideEntityContainer("Planet", _containerName);
+            OverrideEntityContainer("Earth", _containerName);
         }
 
         [TestMethod]
@@ -242,6 +244,83 @@ public async Task MutationMissingRequiredPartitionKeyValueReturnError()
             Assert.AreEqual("The argument `_partitionKeyValue` is required.", response[0].GetProperty("message").ToString());
         }
 
+        /// <summary>
+        /// Mutation can be performed on the authorized fields because the
+        /// field `id` is an included field for the create operation on the anonymous role defined
+        /// for entity 'earth'
+        /// </summary>
+        [TestMethod]
+        public async Task CanCreateItemWithAuthorizedFields()
+        {
+            // Run mutation Add Earth;
+            string id = Guid.NewGuid().ToString();
+            string mutation = $@"
+mutation {{
+    createEarth (item: {{ id: ""{id}"" }}) {{
+        id
+    }}
+}}";
+            JsonElement response = await ExecuteGraphQLRequestAsync("createEarth", mutation, variables: new());
+
+            // Validate results
+            Assert.AreEqual(id, response.GetProperty("id").GetString());
+        }
+
+        /// <summary>
+        /// Mutation performed on the unauthorized fields throws permission denied error because the
+        /// field `name` is an excluded field for the create operation on the anonymous role defined
+        /// for entity 'earth'
+        /// </summary>
+        [TestMethod]
+        public async Task CreateItemWithUnauthorizedFieldsReturnsError()
+        {
+            // Run mutation Add Earth;
+            string id = Guid.NewGuid().ToString();
+            const string name = "test_name";
+            string mutation = $@"
+mutation {{
+    createEarth (item: {{ id: ""{id}"", name: ""{name}"" }}) {{
+        id
+        name
+    }}
+}}";
+            JsonElement response = await ExecuteGraphQLRequestAsync("createEarth", mutation, variables: new());
+
+            // Validate the result contains the GraphQL authorization error code.
+            string errorMessage = response.ToString();
+            Assert.IsTrue(errorMessage.Contains(DataApiBuilderException.GRAPHQL_MUTATION_FIELD_AUTHZ_FAILURE));
+        }
+
+        /// <summary>
+        /// Mutation performed on the unauthorized fields throws permission denied error because the
+        /// wildcard is used in the excluded field for the update operation on the anonymous role defined
+        /// for entity 'earth'
+        /// </summary>
+        [TestMethod]
+        public async Task UpdateItemWithUnauthorizedWildCardReturnsError()
+        {
+            // Run mutation Update Earth;
+            string id = Guid.NewGuid().ToString();
+            string mutation = @"
+mutation ($id: ID!, $partitionKeyValue: String!, $item: UpdateEarthInput!) {
+    updateEarth (id: $id, _partitionKeyValue: $partitionKeyValue, item: $item) {
+        id
+        name
+     }
+}";
+            var update = new
+            {
+                id = id,
+                name = "new_name"
+            };
+
+            JsonElement response = await ExecuteGraphQLRequestAsync("updateEarth", mutation, variables: new() { { "id", id }, { "partitionKeyValue", id }, { "item", update } });
+
+            // Validate the result contains the GraphQL authorization error code.
+            string errorMessage = response.ToString();
+            Assert.IsTrue(errorMessage.Contains(DataApiBuilderException.GRAPHQL_MUTATION_FIELD_AUTHZ_FAILURE));
+        }
+
         /// <summary>
         /// Runs once after all tests in this class are executed
         /// </summary>

src/Service.Tests/CosmosTests/QueryFilterTests.cs

@@ -2,8 +2,11 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Collections.Generic;
 using System.Text.Json;
 using System.Threading.Tasks;
+using Azure.DataApiBuilder.Config;
+using Azure.DataApiBuilder.Service.Exceptions;
 using Azure.DataApiBuilder.Service.Resolvers;
 using Microsoft.Azure.Cosmos;
 using Microsoft.Extensions.DependencyInjection;
@@ -20,6 +23,7 @@ public class QueryFilterTests : TestBase
         private static readonly string _containerName = Guid.NewGuid().ToString();
         private static int _pageSize = 10;
         private static readonly string _graphQLQueryName = "planets";
+        private static List<string> _idList;
 
         [ClassInitialize]
         public static void TestFixtureSetup(TestContext context)
@@ -28,8 +32,11 @@ public static void TestFixtureSetup(TestContext context)
             CosmosClient cosmosClient = _application.Services.GetService<CosmosClientProvider>().Client;
             cosmosClient.CreateDatabaseIfNotExistsAsync(DATABASE_NAME).Wait();
             cosmosClient.GetDatabase(DATABASE_NAME).CreateContainerIfNotExistsAsync(_containerName, "/id").Wait();
-            CreateItems(DATABASE_NAME, _containerName, 10);
+            _idList = CreateItems(DATABASE_NAME, _containerName, 10);
             OverrideEntityContainer("Planet", _containerName);
+            OverrideEntityContainer("Earth", _containerName);
+            OverrideEntityContainer("StarAlias", _containerName);
+            OverrideEntityContainer("TagAlias", _containerName);
         }
 
         /// <summary>
@@ -642,6 +649,193 @@ public async Task TestFilterOnInnerNestedFields()
             await ExecuteAndValidateResult(_graphQLQueryName, gqlQuery, dbQuery);
         }
 
+        /// <summary>
+        /// Test filters when entity names are using alias.
+        /// This exercises the scenario when top level entity name is using an alias,
+        /// as well as the nested level entity name is using an alias,
+        /// in both layers, the entity name to GraphQL type lookup is successfully performed.
+        /// </summary>
+        [TestMethod]
+        public async Task TestFilterWithEntityNameAlias()
+        {
+            string gqlQuery = @"{
+                stars(first: 1, " + QueryBuilder.FILTER_FIELD_NAME + @" : {tag : {name : {eq : ""test name""}}})
+                { 
+                    items {
+                        tag {
+                            id
+                            name
+                        }
+                    }
+                 }
+            }";
+
+            string dbQuery = "SELECT top 1 c.tag FROM c where c.tag.name = \"test name\"";
+            await ExecuteAndValidateResult("stars", gqlQuery, dbQuery);
+        }
+
+        #region Field Level Auth
+        /// <summary>
+        /// Tests that the field level query filter succeeds requests when filter fields are authorized
+        /// </summary>
+        [TestMethod]
+        public async Task TestQueryFilterFieldAuth_AuthorizedField()
+        {
+            string gqlQuery = @"{
+                earths(first: 1, " + QueryBuilder.FILTER_FIELD_NAME + @" : {id : {eq : """ + _idList[0] + @"""}})
+                { 
+                    items {
+                        id
+                    }
+                }
+            }";
+
+            string dbQuery = $"SELECT top 1 c.id FROM c where c.id = \"{_idList[0]}\"";
+            await ExecuteAndValidateResult("earths", gqlQuery, dbQuery);
+        }
+
+        /// <summary>
+        /// Tests that the field level query filter fails authorization when filter fields are
+        /// unauthorized because the field 'name' on object type 'earth' is an excluded field of the read
+        /// operation permissions defined for the anonymous role.
+        /// </summary>
+        [TestMethod]
+        public async Task TestQueryFilterFieldAuth_UnauthorizedField()
+        {
+            // Run query
+            string gqlQuery = @"{
+                earths(first: 1, " + QueryBuilder.FILTER_FIELD_NAME + @" : {name : {eq : ""test name""}})
+                { 
+                    items {
+                        name
+                    }
+                }
+            }";
+            string clientRoleHeader = AuthorizationType.Anonymous.ToString();
+            JsonElement response = await ExecuteGraphQLRequestAsync(
+                queryName: "earths",
+                query: gqlQuery,
+                variables: new() { { "name", "test name" } },
+                authToken: AuthTestHelper.CreateStaticWebAppsEasyAuthToken(specificRole: clientRoleHeader),
+                clientRoleHeader: clientRoleHeader);
+
+            // Validate the result contains the GraphQL authorization error code.
+            string errorMessage = response.ToString();
+            Assert.IsTrue(errorMessage.Contains(DataApiBuilderException.GRAPHQL_FILTER_FIELD_AUTHZ_FAILURE));
+        }
+
+        /// <summary>
+        /// Tests that the field level query filter succeeds requests when filter fields are authorized
+        /// </summary>
+        [TestMethod]
+        public async Task TestQueryFilterFieldAuth_AuthorizedWildCard()
+        {
+            // Run query
+            string gqlQuery = @"{
+                planets(first: 1, " + QueryBuilder.FILTER_FIELD_NAME + @" : {name : {eq : ""Earth""}})
+                { 
+                    items {
+                        name
+                    }
+                }
+            }";
+            string clientRoleHeader = AuthorizationType.Anonymous.ToString();
+            JsonElement response = await ExecuteGraphQLRequestAsync(
+                queryName: "planets",
+                query: gqlQuery,
+                variables: new() { },
+                authToken: AuthTestHelper.CreateStaticWebAppsEasyAuthToken(specificRole: clientRoleHeader),
+                clientRoleHeader: clientRoleHeader);
+
+            Assert.AreEqual(response.GetProperty("items")[0].GetProperty("name").ToString(), "Earth");
+        }
+
+        /// <summary>
+        /// Tests that the nested field level query filter passes authorization when nested filter fields are authorized
+        /// because the field 'id' on object type 'earth' is an included field of the read operation 
+        /// permissions defined for the anonymous role.
+        /// </summary>
+        [TestMethod]
+        public async Task TestQueryFilterNestedFieldAuth_AuthorizedNestedField()
+        {
+            string gqlQuery = @"{
+                planets(first: 1, " + QueryBuilder.FILTER_FIELD_NAME + @" : {earth : {id : {eq : """ + _idList[0] + @"""}}})
+                { 
+                    items {
+                        earth {
+                                id
+                              }
+                    }
+                }
+            }";
+
+            JsonElement actual = await ExecuteGraphQLRequestAsync(_graphQLQueryName, query: gqlQuery);
+            Assert.AreEqual(actual.GetProperty("items")[0].GetProperty("earth").GetProperty("id").ToString(), _idList[0]);
+        }
+
+        /// <summary>
+        /// Tests that the nested field level query filter fails authorization when nested filter fields are 
+        /// unauthorized because the field 'name' on object type 'earth' is an excluded field of the read
+        /// operation permissions defined for the anonymous role.
+        /// </summary>
+        [TestMethod]
+        public async Task TestQueryFilterNestedFieldAuth_UnauthorizedNestedField()
+        {
+            // Run query
+            string gqlQuery = @"{
+                planets(first: 1, " + QueryBuilder.FILTER_FIELD_NAME + @" : {earth : {name : {eq : ""test name""}}})
+                { 
+                    items {
+                        id
+                        name
+                        earth {
+                                name
+                              }
+                    }
+                }
+            }";
+
+            string clientRoleHeader = AuthorizationType.Anonymous.ToString();
+            JsonElement response = await ExecuteGraphQLRequestAsync(
+                queryName: _graphQLQueryName,
+                query: gqlQuery,
+                variables: new() { { "name", "test name" } },
+                authToken: AuthTestHelper.CreateStaticWebAppsEasyAuthToken(specificRole: clientRoleHeader),
+                clientRoleHeader: clientRoleHeader);
+
+            // Validate the result contains the GraphQL authorization error code.
+            string errorMessage = response.ToString();
+            Assert.IsTrue(errorMessage.Contains(DataApiBuilderException.GRAPHQL_FILTER_FIELD_AUTHZ_FAILURE));
+        }
+
+        /// <summary>
+        /// This is for testing the scenario when the filter field is authorized, but the query field is unauthorized.
+        /// For "type" field in "Earth" GraphQL type, it has @authorize(policy: "authenticated") directive in the test schema,
+        /// but in the runtime config, this field is marked as included field for read operation with anonymous role,
+        /// this should return unauthorized.
+        /// </summary>
+        [TestMethod]
+        public async Task TestQueryFieldAuthConflictingWithFilterFieldAuth_Unauthorized()
+        {
+            // Run query
+            string gqlQuery = @"{
+                earths(first: 1, " + QueryBuilder.FILTER_FIELD_NAME + @" : {id : {eq : """ + _idList[0] + @"""}})
+                { 
+                    items {
+                        id
+                        type
+                    }
+                }
+            }";
+
+            JsonElement response = await ExecuteGraphQLRequestAsync(_graphQLQueryName, query: gqlQuery);
+
+            // Validate the result contains the GraphQL authorization error code.
+            string errorMessage = response.ToString();
+            Assert.IsTrue(errorMessage.Contains("The current user is not authorized to access this resource."));
+        }
+        #endregion
+
         [ClassCleanup]
         public static void TestFixtureTearDown()
         {