Align authorization behavior to regular ASP.NET Core

[tobias-tengler]

We noticed some discrepancies between the ASP.NET Core [Authorize] attribute and Hot Chocolate's one.

This PR

• updates the [Authorize] attribute to properly generate the @authorize directive, if both roles and policy are specified (Diff: cb798d3)
• updates the DefaultAuthorizationHandler to construct an AuthorizationPolicy out of the roles and specified policy (similar to what the AuthorizationMiddleware of ASP.NET Core is doing), which is then evaluated through the registered IAuthorizationService. Previously the authorization code was custom and there wouldn't be a RoleRequirement passed to the IAuthorizationService. In our code we use a custom IAuthorizationService to apply fallbacks, so there was a mismatch between what was happening for our REST and GraphQL APIs. (Diff: bfde46f)
• removes the tests for the case where the default policy is set to null, as the property isn't nullable (setting it to null would also have unexpected implications in regular ASP.NET Core) (Diff: c64dd91)

I have also run this against our internal test suite of authorization tests and they're all passing now with these changes.

[codecov]

Codecov Report

Attention: Patch coverage is 97.22222% with 2 lines in your changes missing coverage. Please review.

Project coverage is 77.83%. Comparing base (26e6c73) to head (16328fd).
Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
...tCore.Authorization/DefaultAuthorizationHandler.cs	88.88%	1 Missing ⚠️
...ons/HotChocolateAuthorizeRequestExecutorBuilder.cs	83.33%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7408      +/-   ##
==========================================
- Coverage   78.81%   77.83%   -0.98%     
==========================================
  Files        2434     2815     +381     
  Lines      119868   141032   +21164     
==========================================
+ Hits        94469   109770   +15301     
- Misses      25399    31262    +5863     

Flag	Coverage Δ
unittests	77.83% <97.22%> (-0.98%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[tobias-tengler]

I don't get this part in the test setup:
https://github.com/ChilliCream/graphql-platform/blob/main/src/HotChocolate/AspNetCore/test/AspNetCore.Authorization.Tests/AuthorizationTestData.cs#L29-L45

The iterator returns the same exact setup twice. Is this an oversight or intended like this?

[tobias-tengler]

Why do we output the name of the missing policy in the GraphQL error message?

graphql-platform/src/HotChocolate/Core/src/Authorization/AuthorizeMiddleware.cs

Line 87 in 91fc947

_directive.Policy!)

The name could leak details about how the authorization works. Can we make this error generic?