Azure · ayush3797 · Mar 21, 2024 · Nov 28, 2023 · Nov 28, 2023 · Nov 28, 2023
diff --git a/config-generators/mssql-commands.txt b/config-generators/mssql-commands.txt
@@ -14,6 +14,7 @@ add stocks_price --config "dab-config.MsSql.json" --source stocks_price --permis
 update stocks_price --config "dab-config.MsSql.json" --permissions "anonymous:read"
 update stocks_price --config "dab-config.MsSql.json" --permissions "TestNestedFilterFieldIsNull_ColumnForbidden:read" --fields.exclude "price"
 update stocks_price --config "dab-config.MsSql.json" --permissions "TestNestedFilterFieldIsNull_EntityReadForbidden:create"
+update stocks_price --config "dab-config.MsSql.json" --permissions "test_role_with_excluded_fields_on_create:create,read,update,delete"
 add Tree --config "dab-config.MsSql.json" --source trees --permissions "anonymous:create,read,update,delete"
 add Shrub --config "dab-config.MsSql.json" --source trees --permissions "anonymous:create,read,update,delete" --rest plants
 add Fungus --config "dab-config.MsSql.json" --source fungi --permissions "anonymous:create,read,update,delete" --graphql "fungus:fungi"
@@ -65,6 +66,8 @@ update Publisher --config "dab-config.MsSql.json" --permissions "database_policy
 update Publisher --config "dab-config.MsSql.json" --permissions "database_policy_tester:update" --policy-database "@item.id ne 1234"
 update Publisher --config "dab-config.MsSql.json" --permissions "database_policy_tester:create" --policy-database "@item.name ne 'New publisher'"
 update Stock --config "dab-config.MsSql.json" --permissions "authenticated:create,read,update,delete"
+update Stock --config "dab-config.MsSql.json" --permissions "test_role_with_excluded_fields_on_create:read,update,delete"
+update Stock --config "dab-config.MsSql.json" --permissions "test_role_with_excluded_fields_on_create:create" --fields.exclude "piecesAvailable"
 update Stock --config "dab-config.MsSql.json" --rest commodities --graphql true --relationship stocks_price --target.entity stocks_price --cardinality one
 update Book --config "dab-config.MsSql.json" --permissions "authenticated:create,read,update,delete"
 update Book --config "dab-config.MsSql.json" --relationship publishers --target.entity Publisher --cardinality one
@@ -112,6 +115,7 @@ update WebsiteUser --config "dab-config.MsSql.json" --permissions "authenticated
 update Revenue --config "dab-config.MsSql.json" --permissions "database_policy_tester:create" --policy-database "@item.revenue gt 1000"
 update Comic --config "dab-config.MsSql.json" --permissions "authenticated:create,read,update,delete" --rest true --graphql true --relationship myseries --target.entity series --cardinality one
 update series --config "dab-config.MsSql.json" --relationship comics --target.entity Comic --cardinality many
+update stocks_price --config "dab-config.MsSql.json" --relationship Stock --target.entity Stock --cardinality one
 update Broker --config "dab-config.MsSql.json" --permissions "authenticated:create,update,read,delete" --graphql false
 update Tree --config "dab-config.MsSql.json" --rest true --graphql false --permissions "authenticated:create,read,update,delete" --map "species:Scientific Name,region:United State's Region"
 update Shrub --config "dab-config.MsSql.json" --permissions "authenticated:create,read,update,delete" --map "species:fancyName"

diff --git a/src/Core/Authorization/AuthorizationResolver.cs b/src/Core/Authorization/AuthorizationResolver.cs
@@ -13,6 +13,7 @@
 using Azure.DataApiBuilder.Core.Services;
 using Azure.DataApiBuilder.Core.Services.MetadataProviders;
 using Azure.DataApiBuilder.Service.Exceptions;
+using HotChocolate.Resolvers;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Primitives;
 
@@ -213,6 +214,31 @@ public string GetDBPolicyForRequest(string entityName, string roleName, EntityAc
         return dbPolicy is not null ? dbPolicy : string.Empty;
     }
 
+    /// <summary>
+    ///  Helper method to get the role with which the GraphQL API request was executed.
+    /// </summary>
+    /// <param name="context">HotChocolate context for the GraphQL request.</param>
+    /// <returns>Role of the current GraphQL API request.</returns>
+    /// <exception cref="DataApiBuilderException">Throws exception when no client role could be inferred from the context.</exception>
+    public static string GetRoleOfGraphQLRequest(IMiddlewareContext context)
+    {
+        string role = string.Empty;
+        if (context.ContextData.TryGetValue(key: CLIENT_ROLE_HEADER, out object? value) && value is StringValues stringVals)
+        {
+            role = stringVals.ToString();
+        }
+
+        if (string.IsNullOrEmpty(role))
+        {
+            throw new DataApiBuilderException(
+                message: "No ClientRoleHeader available to perform authorization.",
+                statusCode: HttpStatusCode.Forbidden,
+                subStatusCode: DataApiBuilderException.SubStatusCodes.AuthorizationCheckFailed);
+        }
+
+        return role;
+    }
+
     #region Helpers
     /// <summary>
     /// Method to read in data from the config class into a Dictionary for quick lookup

diff --git a/src/Core/Resolvers/CosmosMutationEngine.cs b/src/Core/Resolvers/CosmosMutationEngine.cs
@@ -16,7 +16,6 @@
 using HotChocolate.Resolvers;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Azure.Cosmos;
-using Microsoft.Extensions.Primitives;
 using Newtonsoft.Json.Linq;
 
 namespace Azure.DataApiBuilder.Core.Resolvers
@@ -64,7 +63,7 @@ private async Task<JObject> ExecuteAsync(IMiddlewareContext context, IDictionary
             // If authorization fails, an exception will be thrown and request execution halts.
             string graphQLType = context.Selection.Field.Type.NamedType().Name.Value;
             string entityName = metadataProvider.GetEntityName(graphQLType);
-            AuthorizeMutationFields(context, queryArgs, entityName, resolver.OperationType);
+            AuthorizeMutation(context, queryArgs, entityName, resolver.OperationType);
 
             ItemResponse<JObject>? response = resolver.OperationType switch
             {
@@ -74,7 +73,7 @@ private async Task<JObject> ExecuteAsync(IMiddlewareContext context, IDictionary
                 _ => throw new NotSupportedException($"unsupported operation type: {resolver.OperationType}")
             };
 
-            string roleName = GetRoleOfGraphQLRequest(context);
+            string roleName = AuthorizationResolver.GetRoleOfGraphQLRequest(context);
 
             // The presence of READ permission is checked in the current role (with which the request is executed) as well as Anonymous role. This is because, for GraphQL requests,
             // READ permission is inherited by other roles from Anonymous role when present.
@@ -93,14 +92,13 @@ private async Task<JObject> ExecuteAsync(IMiddlewareContext context, IDictionary
         }
 
         /// <inheritdoc/>
-        public void AuthorizeMutationFields(
+        public void AuthorizeMutation(
             IMiddlewareContext context,
             IDictionary<string, object?> parameters,
             string entityName,
             EntityActionOperation mutationOperation)
         {
-            string role = GetRoleOfGraphQLRequest(context);
-
+            string clientRole = AuthorizationResolver.GetRoleOfGraphQLRequest(context);
             List<string> inputArgumentKeys;
             if (mutationOperation != EntityActionOperation.Delete)
             {
@@ -114,9 +112,9 @@ public void AuthorizeMutationFields(
             bool isAuthorized = mutationOperation switch
             {
                 EntityActionOperation.UpdateGraphQL =>
-                    _authorizationResolver.AreColumnsAllowedForOperation(entityName, roleName: role, operation: EntityActionOperation.Update, inputArgumentKeys),
+                    _authorizationResolver.AreColumnsAllowedForOperation(entityName, roleName: clientRole, operation: EntityActionOperation.Update, inputArgumentKeys),
                 EntityActionOperation.Create =>
-                    _authorizationResolver.AreColumnsAllowedForOperation(entityName, roleName: role, operation: mutationOperation, inputArgumentKeys),
+                    _authorizationResolver.AreColumnsAllowedForOperation(entityName, roleName: clientRole, operation: mutationOperation, inputArgumentKeys),
                 EntityActionOperation.Delete => true,// Field level authorization is not supported for delete mutations. A requestor must be authorized
                                                      // to perform the delete operation on the entity to reach this point.
                 _ => throw new DataApiBuilderException(
@@ -261,29 +259,6 @@ private static async Task<ItemResponse<JObject>> HandleUpdateAsync(IDictionary<s
             return item;
         }
 
-        /// <summary>
-        /// Helper method to get the role with which the GraphQL API request was executed.
-        /// </summary>
-        /// <param name="context">HotChocolate context for the GraphQL request</param>
-        private static string GetRoleOfGraphQLRequest(IMiddlewareContext context)
-        {
-            string role = string.Empty;
-            if (context.ContextData.TryGetValue(key: AuthorizationResolver.CLIENT_ROLE_HEADER, out object? value) && value is StringValues stringVals)
-            {
-                role = stringVals.ToString();
-            }
-
-            if (string.IsNullOrEmpty(role))
-            {
-                throw new DataApiBuilderException(
-                    message: "No ClientRoleHeader available to perform authorization.",
-                    statusCode: HttpStatusCode.Unauthorized,
-                    subStatusCode: DataApiBuilderException.SubStatusCodes.AuthorizationCheckFailed);
-            }
-
-            return role;
-        }
-
         /// <summary>
         /// The method is for parsing the mutation input object with nested inner objects when input is passing inline.
         /// </summary>

diff --git a/src/Core/Resolvers/IMutationEngine.cs b/src/Core/Resolvers/IMutationEngine.cs
@@ -4,6 +4,7 @@
 using System.Text.Json;
 using Azure.DataApiBuilder.Config.ObjectModel;
 using Azure.DataApiBuilder.Core.Models;
+using Azure.DataApiBuilder.Service.Exceptions;
 using HotChocolate.Resolvers;
 using Microsoft.AspNetCore.Mvc;
 
@@ -41,12 +42,13 @@ public interface IMutationEngine
         /// <summary>
         /// Authorization check on mutation fields provided in a GraphQL Mutation request.
         /// </summary>
-        /// <param name="context">Middleware context of the mutation</param>
+        /// <param name="context">GraphQL request context.</param>
+        /// <param name="clientRole">Client role header value extracted from the middleware context of the mutation</param>
         /// <param name="parameters">parameters in the mutation query.</param>
         /// <param name="entityName">entity name</param>
         /// <param name="mutationOperation">mutation operation</param>
         /// <exception cref="DataApiBuilderException"></exception>
-        public void AuthorizeMutationFields(
+        public void AuthorizeMutation(
             IMiddlewareContext context,
             IDictionary<string, object?> parameters,
             string entityName,