Merge pull request #40 from patelhumaira21/custom_error

Customizing the error message

README.md

@@ -16,7 +16,8 @@
 This library enforces access control on GraphQL queries by checking for allowed types and fields. A GraphQL query that 
 has access to some of the requested fields/types will return:
 * Requested fields it has access to
-* Authorization Error message for the fields it does not have access to
+* Authorization Error message for the fields it does not have access to. You can customize the error message by over-riding the
+`getErrorMessage` method in the `ScopeProvider` interface. 
 
 ```json lines
  "errors": [

src/main/java/com/intuit/graphql/authorization/enforcement/AuthzInstrumentation.java

@@ -162,7 +162,7 @@ FragmentDefinition redactFragment(FragmentDefinition fragmentDefinition, Executi
 
     return (FragmentDefinition)
         queryTransformer.transform(new RedactingVisitor(state, executionContext, authzListener,
-            authorizationExtension));
+            authorizationExtension, scopeProvider));
   }
 
 
@@ -177,7 +177,7 @@ SelectionSet redactSelectionSet(ExecutionContext executionContext, AuthzInstrume
         .build();
 
     return (SelectionSet) transformer.transform(new RedactingVisitor(state, executionContext, authzListener,
-        authorizationExtension));
+        authorizationExtension, scopeProvider));
   }
 
 

src/main/java/com/intuit/graphql/authorization/enforcement/RedactingVisitor.java

@@ -6,6 +6,7 @@
 import com.intuit.graphql.authorization.extension.AuthorizationExtension;
 import com.intuit.graphql.authorization.extension.FieldAuthorizationEnvironment;
 import com.intuit.graphql.authorization.extension.FieldAuthorizationResult;
+import com.intuit.graphql.authorization.util.ScopeProvider;
 import graphql.GraphQLError;
 import graphql.GraphqlErrorBuilder;
 import graphql.analysis.QueryVisitorFieldEnvironment;
@@ -27,15 +28,18 @@ public class RedactingVisitor extends QueryVisitorStub {
   private final AuthzListener authzListener;
   private final AuthorizationExtension authorizationExtension;
 
+  private final ScopeProvider scopeProvider;
+
 
   public RedactingVisitor(AuthzInstrumentation.AuthzInstrumentationState state,
-      ExecutionContext executionContext, AuthzListener authzListener,
-      AuthorizationExtension authorizationExtension) {
+                          ExecutionContext executionContext, AuthzListener authzListener,
+                          AuthorizationExtension authorizationExtension, ScopeProvider scopeProvider) {
     this.instrumentationState = state;
     this.executionContext = executionContext;
     this.authzListener = authzListener;
     this.authorizationExtension = authorizationExtension;
     this.typeFieldPermissionVerifier = instrumentationState.getTypeFieldPermissionVerifier();
+    this.scopeProvider = scopeProvider;
   }
 
   @Override
@@ -51,9 +55,14 @@ public void visitField(QueryVisitorFieldEnvironment queryVisitorFieldEnvironment
       authzListener.onFieldRedaction(executionContext, queryVisitorFieldEnvironment);
       Field field = queryVisitorFieldEnvironment.getField();
 
+      String errorMessage = scopeProvider.getErrorMessage(RedactionContext.builder()
+              .fieldCoordinates(FieldCoordinates.coordinates(parentName, field.getName()))
+              .field(field)
+              .build());
+
       GraphQLError error = GraphqlErrorBuilder.newError()
           .errorType(DataFetchingException)
-          .message("403 - Not authorized to access field=%s of type=%s", field.getName(), parentName)
+          .message(errorMessage)
           .location(field.getSourceLocation())
           .build();
       instrumentationState.getAuthzErrors().add(error);

src/main/java/com/intuit/graphql/authorization/enforcement/RedactionContext.java

@@ -0,0 +1,13 @@
+package com.intuit.graphql.authorization.enforcement;
+
+import graphql.language.Field;
+import graphql.schema.FieldCoordinates;
+import lombok.Builder;
+import lombok.Getter;
+
+@Builder
+@Getter
+public class RedactionContext {
+    Field field;
+    FieldCoordinates fieldCoordinates;
+}

src/main/java/com/intuit/graphql/authorization/util/ScopeProvider.java

@@ -1,13 +1,22 @@
 package com.intuit.graphql.authorization.util;
 
+import com.intuit.graphql.authorization.enforcement.RedactionContext;
+
 import java.util.HashSet;
 import java.util.Set;
 
 public interface ScopeProvider {
 
+  String DEFAULT_ERROR_MESSAGE = "403 - Not authorized to access field=%s of type=%s";
+
   // This method needs to return a set of strings if the scopes are passed and an empty set if not passed
   default Set<String> getScopes(Object o) {
     return new HashSet<>();
   }
 
+  default String getErrorMessage(RedactionContext redactionContext) {
+    return String.format(DEFAULT_ERROR_MESSAGE,
+            redactionContext.getField().getName(), redactionContext.getFieldCoordinates().getTypeName());
+  }
+
 }

src/test/java/com/intuit/graphql/authorization/enforcement/RedactingVisitorTest.java

@@ -9,6 +9,7 @@
 
 import com.intuit.graphql.authorization.extension.AuthorizationExtension;
 import com.intuit.graphql.authorization.extension.FieldAuthorizationResult;
+import com.intuit.graphql.authorization.util.ScopeProvider;
 import graphql.GraphQLError;
 import graphql.GraphqlErrorException;
 import graphql.analysis.QueryVisitorFieldEnvironment;
@@ -54,6 +55,10 @@ public class RedactingVisitorTest {
 
   @Mock
   private QueryVisitorFieldEnvironment queryVisitorFieldEnvironment;
+
+  @Mock
+  private ScopeProvider scopeProvider;
+
   @Mock
   private GraphQLFieldDefinition fieldDefinition;
 
@@ -75,7 +80,7 @@ public void setup() {
     when(instrumentationState.getAuthzErrors()).thenReturn(graphQLErrorList);
 
     subjectUnderTest = new RedactingVisitor(instrumentationState, executionContext, authzListener,
-        authorizationExtension);
+            authorizationExtension, scopeProvider);
 
     when(queryVisitorFieldEnvironment.getParentType()).thenReturn(PARENT_TYPE);
     when(queryVisitorFieldEnvironment.getFieldDefinition()).thenReturn(fieldDefinition);