Azure · seantleonard · Jul 14, 2022 · Jul 8, 2022 · Jul 8, 2022 · Jul 8, 2022
@@ -19,7 +19,7 @@ public class EntityMetadata
         /// Key(field): id -> Value(collection): permitted in {Role1, Role2, ..., RoleN}
         /// Key(field): title -> Value(collection): permitted in {Role1}
         /// </summary>
-        public Dictionary<string, Dictionary<string, IEnumerable<string>>> FieldToRolesMap { get; set; } = new();
+        public Dictionary<string, Dictionary<string, List<string>>> FieldToRolesMap { get; set; } = new();
 
         /// <summary>
         /// Given the key (actionName) returns a collection of roles

@@ -79,10 +79,10 @@ public interface IAuthorizationResolver
         /// Applicable to GraphQL field directive @authorize on ObjectType fields.
         /// </summary>
         /// <param name="entityName">EntityName whose actionMetadata will be searched.</param>
-        /// <param name="actionName">ActionName to lookup field permissions</param>
-        /// <param name="field">Specific field to get collection of roles</param>
-        /// <returns>Collection of role names allowed to perform actionType on Entity's field.</returns>
-        public IEnumerable<string> GetRolesForField(string entityName, string actionName, string field);
+        /// <param name="field">Field to lookup action permissions</param>
+        /// <param name="actionName">Specific action to get collection of roles</param>
+        /// <returns>Collection of role names allowed to perform actionName on Entity's field.</returns>
+        public IEnumerable<string> GetRolesForField(string entityName, string field, string actionName);
 
         /// <summary>
         /// Returns a list of roles which define permissions for the provided action.

@@ -15,6 +15,7 @@ public static class GraphQLUtils
         public const string AUTHORIZE_DIRECTIVE_ARGUMENT_ROLES = "roles";
         public const string OBJECT_TYPE_MUTATION = "mutation";
         public const string OBJECT_TYPE_QUERY = "query";
+        public const string SYSTEM_ROLE_ANONYMOUS = "anonymous";
 
         public static bool IsModelType(ObjectTypeDefinitionNode objectTypeDefinitionNode)
         {

@@ -20,13 +20,18 @@ public static class SchemaConverter
         /// <param name="entityName">Name of the entity in the runtime config to generate the GraphQL object type for.</param>
         /// <param name="tableDefinition">SQL table definition information.</param>
         /// <param name="configEntity">Runtime config information for the table.</param>
+        /// <param name="entities">Key/Value Collection mapping entity name to the entity object,
+        /// currently used to lookup relationship metadata.</param>
+        /// <param name="rolesAllowedForEntity">Roles to add to authorize directive at the object level (applies to query/read ops).</param>
+        /// <param name="rolesAllowedForFields">Roles to add to authorize directive at the field level (applies to mutations).</param>
         /// <returns>A GraphQL object type to be provided to a Hot Chocolate GraphQL document.</returns>
         public static ObjectTypeDefinitionNode FromTableDefinition(
             string entityName,
             TableDefinition tableDefinition,
             [NotNull] Entity configEntity,
             Dictionary<string, Entity> entities,
-            IEnumerable<string>? rolesAllowedForEntity = null)
+            IEnumerable<string> rolesAllowedForEntity,
+            IDictionary<string, IEnumerable<string>> rolesAllowedForFields)
         {
             Dictionary<string, FieldDefinitionNode> fields = new();
             List<DirectiveNode> objectTypeDirectives = new();
@@ -70,16 +75,32 @@ public static ObjectTypeDefinitionNode FromTableDefinition(
                     directives.Add(new DirectiveNode(DefaultValueDirectiveType.DirectiveName, new ArgumentNode("value", arg)));
                 }
 
-                NamedTypeNode fieldType = new(GetGraphQLTypeForColumnType(column.SystemType));
-                FieldDefinitionNode field = new(
-                    location: null,
-                    new(FormatNameForField(columnName)),
-                    description: null,
-                    new List<InputValueDefinitionNode>(),
-                    column.IsNullable ? fieldType : new NonNullTypeNode(fieldType),
-                    directives);
-
-                fields.Add(columnName, field);
+                // If no roles are allowed for the field, we should not include it in the schema.
+                // Consequently, the field is only added to schema if this conditional evaluates to TRUE.
+                if (rolesAllowedForFields.TryGetValue(key: columnName, out IEnumerable<string>? roles))
+                {
+                    // Roles will not be null here if TryGetValue evaluates to true, so here we check if there are any roles to process.
+                    if (roles.Count() > 0)
+                    {
+                        // Add field to object definition but do not add @authorize directive
+                        // if anonymous is defined for field since authentication is not required.
+                        if (!roles.Contains(GraphQLUtils.SYSTEM_ROLE_ANONYMOUS))
+                        {
+                            directives.Add(GraphQLUtils.CreateAuthorizationDirective(roles));
+                        }
+
+                        NamedTypeNode fieldType = new(GetGraphQLTypeForColumnType(column.SystemType));
+                        FieldDefinitionNode field = new(
+                            location: null,
+                            new(FormatNameForField(columnName)),
+                            description: null,
+                            new List<InputValueDefinitionNode>(),
+                            column.IsNullable ? fieldType : new NonNullTypeNode(fieldType),
+                            directives);
+
+                        fields.Add(columnName, field);
+                    }
+                }
             }
 
             if (configEntity.Relationships is not null)
@@ -125,7 +146,7 @@ public static ObjectTypeDefinitionNode FromTableDefinition(
 
             // Any roles passed in will be added to the authorize directive for this ObjectType
             // taking the form: @authorize(roles: [“role1”, ..., “roleN”]) 
-            if (rolesAllowedForEntity is not null)
+            if (rolesAllowedForEntity.Count() >= 1)
             {
                 objectTypeDirectives.Add(GraphQLUtils.CreateAuthorizationDirective(rolesAllowedForEntity));
             }