Azure · jarupatj · Jul 20, 2022 · Jul 19, 2022 · Jul 19, 2022 · Jul 20, 2022
@@ -14,10 +14,13 @@ public class EntityMetadata
         public Dictionary<string, RoleMetadata> RoleToActionMap { get; set; } = new();
 
         /// <summary>
-        /// Given the key (actionName) returns a key/value collection of fieldName to Roles
-        /// i.e. READ action
-        /// Key(field): id -> Value(collection): permitted in {Role1, Role2, ..., RoleN}
-        /// Key(field): title -> Value(collection): permitted in {Role1}
+        /// Field to action to role mapping.
+        /// Given the key (Field aka. column name) returns a key/value collection of action to Roles
+        /// i.e. ID column
+        /// Key(field): id -> Dictionary(actions)
+        ///     each entry in the dictionary contains action to role map.
+        ///     create: permitted in {Role1, Role2, ..., RoleN}
+        ///     delete: permitted in {Role1, RoleN}
         /// </summary>
         public Dictionary<string, Dictionary<string, List<string>>> FieldToRolesMap { get; set; } = new();
 

@@ -91,14 +91,19 @@ public interface IAuthorizationResolver
         /// <param name="entityName">Entity to lookup permissions</param>
         /// <param name="actionName">Action to lookup applicable roles</param>
         /// <returns>Collection of roles. Empty list if entityPermissionsMap is null.</returns>
-        public static IEnumerable<string> GetRolesForAction(string entityName, string actionName, Dictionary<string, EntityMetadata>? entityPermissionsMap)
+        public static IEnumerable<string> GetRolesForAction(
+            string entityName,
+            string actionName,
+            Dictionary<string, EntityMetadata>? entityPermissionsMap)
         {
             if (entityName is null)
             {
                 throw new ArgumentNullException(paramName: "entityName");
             }
 
-            if (entityPermissionsMap is not null && entityPermissionsMap[entityName].ActionToRolesMap.TryGetValue(actionName, out List<string>? roleList) && roleList is not null)
+            if (entityPermissionsMap is not null &&
+                entityPermissionsMap[entityName].ActionToRolesMap.TryGetValue(actionName, out List<string>? roleList) &&
+                roleList is not null)
             {
                 return roleList;
             }

@@ -1,6 +1,7 @@
 using System.Collections;
 using System.Collections.Generic;
 using System.Security.Claims;
+using System.Text.Json;
 using System.Threading.Tasks;
 using Azure.DataGateway.Auth;
 using Azure.DataGateway.Config;
@@ -346,15 +347,20 @@ IEnumerable<string> columnsRequested
         }
 
         /// <summary>
-        /// Sets up an authorization resolver with a config that specifies the wildcard ("*") as the test entity's actions
+        /// Sets up an authorization resolver with a config that specifies the wildcard ("*") as the test entity's actions.
+        /// Explicitly use this instead of AuthorizationHelpers.InitRuntimeConfig() because we want to create actions as
+        /// array of string instead of array of object.
         /// </summary>
         private static AuthorizationResolver SetupAuthResolverWithWildcardActions()
         {
             RuntimeConfig runtimeConfig = AuthorizationHelpers.InitRuntimeConfig(
                 entityName: AuthorizationHelpers.TEST_ENTITY,
                 roleName: "admin",
-                actionName: "*"
-                );
+                actionName: "*");
+
+            // Override the action to be a list of string for wildcard instead of a list of object created by InitRuntimeConfig()
+            //
+            runtimeConfig.Entities[AuthorizationHelpers.TEST_ENTITY].Permissions[0].Actions = new object[] { JsonSerializer.SerializeToElement(AuthorizationResolver.WILDCARD) };
 
             return AuthorizationHelpers.InitAuthorizationResolver(runtimeConfig);
         }

@@ -25,7 +25,7 @@ namespace Azure.DataGateway.Service.Authorization
     public class AuthorizationResolver : IAuthorizationResolver
     {
         private ISqlMetadataProvider _metadataProvider;
-        private const string WILDCARD = "*";
+        public const string WILDCARD = "*";
         public const string CLAIM_PREFIX = "@claims.";
         public const string FIELD_PREFIX = "@item.";
         public const string CLIENT_ROLE_HEADER = "X-MS-API-ROLE";
@@ -102,8 +102,7 @@ public bool AreRoleAndActionDefinedForEntity(string entityName, string roleName,
             {
                 if (valueOfEntityToRole.RoleToActionMap.TryGetValue(roleName, out RoleMetadata? valueOfRoleToAction))
                 {
-                    if (valueOfRoleToAction!.ActionToColumnMap.ContainsKey(WILDCARD) ||
-                        valueOfRoleToAction!.ActionToColumnMap.ContainsKey(action))
+                    if (valueOfRoleToAction!.ActionToColumnMap.ContainsKey(action))
                     {
                         return true;
                     }
@@ -119,17 +118,7 @@ public bool AreColumnsAllowedForAction(string entityName, string roleName, strin
             // Columns.Count() will never be zero because this method is called after a check ensures Count() > 0
             Assert.IsFalse(columns.Count() == 0, message: "columns.Count() should be greater than 0.");
 
-            ActionMetadata actionToColumnMap;
-            RoleMetadata roleInEntity = EntityPermissionsMap[entityName].RoleToActionMap[roleName];
-
-            try
-            {
-                actionToColumnMap = roleInEntity.ActionToColumnMap[actionName];
-            }
-            catch (KeyNotFoundException)
-            {
-                actionToColumnMap = roleInEntity.ActionToColumnMap[WILDCARD];
-            }
+            ActionMetadata actionToColumnMap = EntityPermissionsMap[entityName].RoleToActionMap[roleName].ActionToColumnMap[actionName];
 
             // Each column present in the request is an "exposedColumn".
             // Authorization permissions reference "backingColumns"
@@ -140,8 +129,8 @@ public bool AreColumnsAllowedForAction(string entityName, string roleName, strin
                 if (_metadataProvider.TryGetBackingColumn(entityName, field: exposedColumn, out string? backingColumn))
                 {
                     // backingColumn will not be null when TryGetBackingColumn() is true.
-                    if (actionToColumnMap.Excluded.Contains(backingColumn!) || actionToColumnMap.Excluded.Contains(WILDCARD) ||
-                    !(actionToColumnMap.Included.Contains(WILDCARD) || actionToColumnMap.Included.Contains(backingColumn!)))
+                    if (actionToColumnMap.Excluded.Contains(backingColumn!) ||
+                        !actionToColumnMap.Included.Contains(backingColumn!))
                     {
                         // If column is present in excluded OR excluded='*'
                         // If column is absent from included and included!=*
@@ -189,20 +178,8 @@ private string GetDBPolicyForRequest(string entityName, string roleName, string
             RoleMetadata roleMetadata = EntityPermissionsMap[entityName].RoleToActionMap[roleName];
             roleMetadata.ActionToColumnMap.TryGetValue(action, out ActionMetadata? actionMetadata);
 
-            // If action exists in map (explicitly specified in config), use its policy
-            // action should only be absent in roleMetadata if WILDCARD is in the map instead of specific actions,
-            // as authorization happens before policy parsing (would have already returned forbidden)
-            string? dbPolicy;
-            if (actionMetadata is not null)
-            {
-                dbPolicy = actionMetadata.DatabasePolicy;
-
-            } // else check if wildcard exists in action map, if so use its policy, else null
-            else
-            {
-                roleMetadata.ActionToColumnMap.TryGetValue(WILDCARD, out ActionMetadata? wildcardMetadata);
-                dbPolicy = wildcardMetadata is not null ? wildcardMetadata.DatabasePolicy : null;
-            }
+            // Get the database policy for the specified action.
+            string? dbPolicy = actionMetadata!.DatabasePolicy;
 
             return dbPolicy is not null ? dbPolicy : string.Empty;
         }
@@ -227,15 +204,15 @@ public void SetEntityPermissionMap(RuntimeConfig? runtimeConfig)
                     object[] Actions = permission.Actions;
                     foreach (JsonElement actionElement in Actions)
                     {
-                        string actionName = string.Empty;
+                        string action = string.Empty;
                         ActionMetadata actionToColumn = new();
                         IEnumerable<string> allTableColumns = ResolveTableDefinitionColumns(entityName);
 
                         // Implicitly, all table columns are 'allowed' when an actiontype is a string.
                         // Since no granular field permissions exist for this action within the current role.
                         if (actionElement.ValueKind is JsonValueKind.String)
                         {
-                            actionName = actionElement.ToString();
+                            action = actionElement.ToString();
                             actionToColumn.Included.UnionWith(allTableColumns);
                             actionToColumn.Allowed.UnionWith(allTableColumns);
                         }
@@ -246,7 +223,7 @@ public void SetEntityPermissionMap(RuntimeConfig? runtimeConfig)
                             if (RuntimeConfig.TryGetDeserializedConfig(actionElement.ToString(), out Action? actionObj)
                                 && actionObj is not null)
                             {
-                                actionName = actionObj.Name;
+                                action = actionObj.Name;
                                 if (actionObj.Fields!.Include is not null)
                                 {
                                     // When a wildcard (*) is defined for Included columns, all of the table's
@@ -287,20 +264,25 @@ public void SetEntityPermissionMap(RuntimeConfig? runtimeConfig)
                             }
                         }
 
-                        // Try to add the actionName to the map if not present.
-                        // Builds up mapping: i.e. ActionType.CREATE permitted in {Role1, Role2, ..., RoleN}
-                        if (!string.IsNullOrWhiteSpace(actionName) && !entityToRoleMap.ActionToRolesMap.TryAdd(actionName, new List<string>(new string[] { role })))
+                        IEnumerable<string> actionNames = GetAllActions(action);
+                        foreach (string actionName in actionNames)
                         {
-                            entityToRoleMap.ActionToRolesMap[actionName].Add(role);
-                        }
+                            // Try to add the actionName to the map if not present.
+                            // Builds up mapping: i.e. ActionType.CREATE permitted in {Role1, Role2, ..., RoleN}
+                            if (!string.IsNullOrWhiteSpace(actionName) &&
+                                !entityToRoleMap.ActionToRolesMap.TryAdd(actionName, new List<string>(new string[] { role })))
+                            {
+                                entityToRoleMap.ActionToRolesMap[actionName].Add(role);
+                            }
 
-                        foreach (string allowedColumn in actionToColumn.Allowed)
-                        {
-                            entityToRoleMap.FieldToRolesMap.TryAdd(key: allowedColumn, CreateActionToRoleMap());
-                            entityToRoleMap.FieldToRolesMap[allowedColumn][actionName].Add(role);
-                        }
+                            foreach (string allowedColumn in actionToColumn.Allowed)
+                            {
+                                entityToRoleMap.FieldToRolesMap.TryAdd(key: allowedColumn, CreateActionToRoleMap());
+                                entityToRoleMap.FieldToRolesMap[allowedColumn][actionName].Add(role);
+                            }
 
-                        roleToAction.ActionToColumnMap[actionName] = actionToColumn;
+                            roleToAction.ActionToColumnMap[actionName] = actionToColumn;
+                        }
                     }
 
                     entityToRoleMap.RoleToActionMap[role] = roleToAction;
@@ -310,6 +292,17 @@ public void SetEntityPermissionMap(RuntimeConfig? runtimeConfig)
             }
         }
 
+        /// <summary>
+        /// Helper method to create a list consisting of the given action name.
+        /// In case the action is a wildcard(*), it gets resolved to a set of CRUD operations.
+        /// </summary>
+        /// <param name="action">Action name.</param>
+        /// <returns>IEnumerable of all available action name</returns>
+        private static IEnumerable<string> GetAllActions(string action)
+        {
+            return WILDCARD.Equals(action) ? RuntimeConfigValidator.ValidActions : new List<string> { action };
+        }
+
         /// <inheritdoc />
         public IEnumerable<string> GetAllowedColumns(string entityName, string roleName, string action)
         {

@@ -35,7 +35,7 @@ public class RuntimeConfigValidator : IConfigValidator
         private static readonly string _claimChars = @"@claims\.[^\s\)]*";
 
         // Set of allowed actions for a request.
-        private static readonly HashSet<string> _validActions = new() { ActionType.CREATE, ActionType.READ, ActionType.UPDATE, ActionType.DELETE };
+        public static readonly HashSet<string> ValidActions = new() { ActionType.CREATE, ActionType.READ, ActionType.UPDATE, ActionType.DELETE };
 
         public RuntimeConfigValidator(
             RuntimeConfigProvider runtimeConfigProvider,
@@ -162,10 +162,10 @@ public void ValidatePermissionsInConfig(RuntimeConfig runtimeConfig)
 
                             // Check if the IncludeSet/ExcludeSet contain wildcard. If they contain wildcard, we make sure that they
                             // don't contain any other field. If they do, we throw an appropriate exception.
-                            if (configAction.Fields!.Include.Contains("*") && configAction.Fields.Include.Count > 1 ||
-                                configAction.Fields.Exclude.Contains("*") && configAction.Fields.Exclude.Count > 1)
+                            if (configAction.Fields!.Include.Contains(AuthorizationResolver.WILDCARD) && configAction.Fields.Include.Count > 1 ||
+                                configAction.Fields.Exclude.Contains(AuthorizationResolver.WILDCARD) && configAction.Fields.Exclude.Count > 1)
                             {
-                                string incExc = configAction.Fields.Include.Contains("*") && configAction.Fields.Include.Count > 1 ? "included" : "excluded";
+                                string incExc = configAction.Fields.Include.Contains(AuthorizationResolver.WILDCARD) && configAction.Fields.Include.Count > 1 ? "included" : "excluded";
                                 throw new DataGatewayException(
                                         message: $"No other field can be present with wildcard in the {incExc} set for: entity:{entityName}," +
                                                  $" role:{permissionSetting.Role}, action:{actionName}",
@@ -389,8 +389,8 @@ private static void AreFieldsAccessible(string policy, HashSet<string> includedF
         private static bool IsFieldAccessible(Match columnNameMatch, HashSet<string> includedFields, HashSet<string> excludedFields)
         {
             string columnName = columnNameMatch.Value.Substring(AuthorizationResolver.FIELD_PREFIX.Length);
-            if (excludedFields.Contains(columnName!) || excludedFields.Contains("*") ||
-                !(includedFields.Contains("*") || includedFields.Contains(columnName)))
+            if (excludedFields.Contains(columnName!) || excludedFields.Contains(AuthorizationResolver.WILDCARD) ||
+                !(includedFields.Contains(AuthorizationResolver.WILDCARD) || includedFields.Contains(columnName)))
             {
                 // If column is present in excluded OR excluded='*'
                 // If column is absent from included and included!=*
@@ -472,7 +472,7 @@ private static void ValidateActionName(string actionName, string entityName, str
         /// <returns>Boolean value indicating whether the actionName is valid or not.</returns>
         public static bool IsValidActionName(string actionName)
         {
-            return actionName.Equals("*") || _validActions.Contains(actionName);
+            return actionName.Equals(AuthorizationResolver.WILDCARD) || ValidActions.Contains(actionName);
         }
     }
 }
@@ -263,16 +263,16 @@ public static string HttpVerbToActions(string httpVerbName)
             switch (httpVerbName)
             {
                 case "POST":
-                    return "create";
+                    return ActionType.CREATE;
                 case "PUT":
                 case "PATCH":
                     // Please refer to the use of this method, which is to look out for policy based on crud operation type.
                     // Since create doesn't have filter predicates, PUT/PATCH would resolve to update operation.
-                    return "update";
+                    return ActionType.UPDATE;
                 case "DELETE":
-                    return "delete";
+                    return ActionType.DELETE;
                 case "GET":
-                    return "read";
+                    return ActionType.READ;
                 default:
                     throw new DataGatewayException(
                         message: "Unsupported operation type.",