Allow access to health endpoint as per defined roles (#2632)

## Why make this change?
Closes [#2531](#2531)

## What is this change?
This PR involves creating another parameter in the runtime config which
defines the **allowed roles** for the health endpoint.
+ It created
`src/Config/Converters/RuntimeHealthOptionsConvertorFactory.cs` which
takes care of serialization and deserialization of runtime config custom
way.
+ The incoming role and token are taken up to firct check if the role in
the header is matching with the allowed roles in the runtime config.
+ Further this role and token are passed to execute the REST and GraphQL
queries for DAB.

Scenarios
1. Allowed Roles are not configured.
+ Mode is Development - we allow all requests
+ Mode is Production - we dont allow any requests. We show 403
3. Allowed Roles are configured
+ Mode is Development or Production - we performt the role check in
allowed roles.

## How was this tested?

- [ ] Integration Tests
- [x] Unit Tests

## Sample Request(s)
Roles: ["authenticated"]
Mode: Development or Production
<img width="499" alt="image"
src="https://github.com/user-attachments/assets/a2045fd6-dc3b-4fbc-8c81-87aa763df482"
/>
<img width="467" alt="image"
src="https://github.com/user-attachments/assets/6816f9ff-0aa2-4fcf-99ac-b4c6bec956be"
/>

Roles: Not Configured
Mode: Development
<img width="487" alt="image"
src="https://github.com/user-attachments/assets/17374e66-c3cb-47cf-8ac8-b58185b46ca5"
/>

Mode: Production
<img width="461" alt="image"
src="https://github.com/user-attachments/assets/96f9c201-072b-4c7a-a3d3-2350b245f200"
/>


Roles: ["admin"]
Mode: Development or Production
<img width="389" alt="image"
src="https://github.com/user-attachments/assets/2523d28d-c950-49bf-8300-1302c5774017"
/>

---------

Co-authored-by: sezalchug <[email protected]>
Co-authored-by: Aniruddh Munde <[email protected]>
Co-authored-by: Ruben Cerna <[email protected]>
Co-authored-by: RubenCerna2079 <[email protected]>

Author: 4 people

schemas/dab.draft.schema.json

@@ -399,6 +399,14 @@
               "description": "Enable health check endpoint globally",
               "default": true,
               "additionalProperties": false
+            },
+            "roles": {
+              "type": "array",
+              "description": "Allowed Roles for Comprehensive Health Endpoint",
+              "items": {
+                "type": "string"
+              },
+              "default": null
             }
           }
         }

src/Cli.Tests/ModuleInitializer.cs

@@ -77,6 +77,8 @@ public static void Init()
         VerifierSettings.IgnoreMember<RuntimeConfig>(config => config.AllowIntrospection);
         // Ignore the EnableAggregation as that's unimportant from a test standpoint.
         VerifierSettings.IgnoreMember<RuntimeConfig>(options => options.EnableAggregation);
+        // Ignore the AllowedRolesForHealth as that's unimportant from a test standpoint.
+        VerifierSettings.IgnoreMember<RuntimeConfig>(config => config.AllowedRolesForHealth);
         // Ignore the EnableAggregation as that's unimportant from a test standpoint.
         VerifierSettings.IgnoreMember<GraphQLRuntimeOptions>(options => options.EnableAggregation);
         // Ignore the EnableDwNto1JoinOpt as that's unimportant from a test standpoint.

src/Config/Converters/RuntimeHealthOptionsConvertorFactory.cs

@@ -0,0 +1,140 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using Azure.DataApiBuilder.Config.ObjectModel;
+
+namespace Azure.DataApiBuilder.Config.Converters;
+
+internal class RuntimeHealthOptionsConvertorFactory : JsonConverterFactory
+{
+    // Determines whether to replace environment variable with its
+    // value or not while deserializing.
+    private bool _replaceEnvVar;
+
+    /// <inheritdoc/>
+    public override bool CanConvert(Type typeToConvert)
+    {
+        return typeToConvert.IsAssignableTo(typeof(RuntimeHealthCheckConfig));
+    }
+
+    /// <inheritdoc/>
+    public override JsonConverter? CreateConverter(Type typeToConvert, JsonSerializerOptions options)
+    {
+        return new HealthCheckOptionsConverter(_replaceEnvVar);
+    }
+
+    internal RuntimeHealthOptionsConvertorFactory(bool replaceEnvVar)
+    {
+        _replaceEnvVar = replaceEnvVar;
+    }
+
+    private class HealthCheckOptionsConverter : JsonConverter<RuntimeHealthCheckConfig>
+    {
+        // Determines whether to replace environment variable with its
+        // value or not while deserializing.
+        private bool _replaceEnvVar;
+
+        /// <param name="replaceEnvVar">Whether to replace environment variable with its
+        /// value or not while deserializing.</param>
+        internal HealthCheckOptionsConverter(bool replaceEnvVar)
+        {
+            _replaceEnvVar = replaceEnvVar;
+        }
+
+        /// <summary>
+        /// Defines how DAB reads the runtime's health options and defines which values are
+        /// used to instantiate RuntimeHealthCheckConfig.
+        /// </summary>
+        /// <exception cref="JsonException">Thrown when improperly formatted health check options are provided.</exception>
+        public override RuntimeHealthCheckConfig? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+        {
+            if (reader.TokenType is JsonTokenType.StartObject)
+            {
+                bool? enabled = null;
+                HashSet<string>? roles = null;
+
+                while (reader.Read())
+                {
+                    if (reader.TokenType is JsonTokenType.EndObject)
+                    {
+                        return new RuntimeHealthCheckConfig(enabled, roles);
+                    }
+
+                    string? property = reader.GetString();
+                    reader.Read();
+
+                    switch (property)
+                    {
+                        case "enabled":
+                            if (reader.TokenType is not JsonTokenType.Null)
+                            {
+                                enabled = reader.GetBoolean();
+                            }
+
+                            break;
+                        case "roles":
+                            if (reader.TokenType is not JsonTokenType.Null)
+                            {
+                                // Check if the token type is an array
+                                if (reader.TokenType == JsonTokenType.StartArray)
+                                {
+                                    HashSet<string> stringList = new();
+
+                                    // Read the array elements one by one
+                                    while (reader.Read() && reader.TokenType != JsonTokenType.EndArray)
+                                    {
+                                        if (reader.TokenType == JsonTokenType.String)
+                                        {
+                                            string? currentRole = reader.DeserializeString(_replaceEnvVar);
+                                            if (!string.IsNullOrEmpty(currentRole))
+                                            {
+                                                stringList.Add(currentRole);
+                                            }
+                                        }
+                                    }
+
+                                    // After reading the array, assign it to the string[] variable
+                                    roles = stringList;
+                                }
+                                else
+                                {
+                                    // Handle case where the token is not an array (e.g., throw an exception or handle differently)
+                                    throw new JsonException("Expected an array of strings, but the token type is not an array.");
+                                }
+                            }
+
+                            break;
+
+                        default:
+                            throw new JsonException($"Unexpected property {property}");
+                    }
+                }
+            }
+
+            throw new JsonException("Runtime Health Options has a missing }.");
+        }
+
+        public override void Write(Utf8JsonWriter writer, RuntimeHealthCheckConfig value, JsonSerializerOptions options)
+        {
+            if (value?.UserProvidedEnabled is true)
+            {
+                writer.WriteStartObject();
+                writer.WritePropertyName("enabled");
+                JsonSerializer.Serialize(writer, value.Enabled, options);
+                if (value?.Roles is not null)
+                {
+                    writer.WritePropertyName("roles");
+                    JsonSerializer.Serialize(writer, value.Roles, options);
+                }
+
+                writer.WriteEndObject();
+            }
+            else
+            {
+                writer.WriteNullValue();
+            }
+        }
+    }
+}

src/Config/HealthCheck/RuntimeHealthCheckConfig.cs

@@ -8,8 +8,7 @@ public record RuntimeHealthCheckConfig : HealthCheckConfig
     // TODO: Add support for caching in upcoming PRs
     // public int cache-ttl-seconds { get; set; };
 
-    // TODO: Add support for "roles": ["anonymous", "authenticated"] in upcoming PRs
-    // public string[] Roles { get; set; };
+    public HashSet<string>? Roles { get; set; }
 
     // TODO: Add support for parallel stream to run the health check query in upcoming PRs
     // public int MaxDop { get; set; } = 1; // Parallelized streams to run Health Check (Default: 1)
@@ -18,7 +17,8 @@ public RuntimeHealthCheckConfig() : base()
     {
     }
 
-    public RuntimeHealthCheckConfig(bool? Enabled) : base(Enabled)
+    public RuntimeHealthCheckConfig(bool? Enabled, HashSet<string>? Roles = null) : base(Enabled)
     {
+        this.Roles = Roles;
     }
 }

src/Config/ObjectModel/RuntimeConfig.cs

@@ -150,6 +150,10 @@ Runtime is not null &&
         Runtime.GraphQL is not null &&
         Runtime.GraphQL.EnableAggregation;
 
+    [JsonIgnore]
+    public HashSet<string> AllowedRolesForHealth =>
+        Runtime?.Health?.Roles ?? new HashSet<string>();
+
     /// <summary>
     /// Retrieves the value of runtime.graphql.dwnto1joinopt.enabled property if present, default is false.
     /// </summary>

src/Config/RuntimeConfigLoader.cs

@@ -241,6 +241,7 @@ public static JsonSerializerOptions GetSerializationOptions(
             Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping
         };
         options.Converters.Add(new EnumMemberJsonEnumConverterFactory());
+        options.Converters.Add(new RuntimeHealthOptionsConvertorFactory(replaceEnvVar));
         options.Converters.Add(new DataSourceHealthOptionsConvertorFactory(replaceEnvVar));
         options.Converters.Add(new EntityHealthOptionsConvertorFactory());
         options.Converters.Add(new RestRuntimeOptionsConverterFactory());

src/Service.Tests/Configuration/ConfigurationTests.cs

@@ -4054,7 +4054,7 @@ public async Task ComprehensiveHealthEndpoint_ValidateContents(bool enableGlobal
                 { "Book", requiredEntity }
             };
 
-            CreateCustomConfigFile(entityMap, enableGlobalRest, enableGlobalGraphql, enableGlobalHealth, enableDatasourceHealth);
+            CreateCustomConfigFile(entityMap, enableGlobalRest, enableGlobalGraphql, enableGlobalHealth, enableDatasourceHealth, HostMode.Development);
 
             string[] args = new[]
             {
@@ -4667,14 +4667,14 @@ public async Task TestNoDepthLimitOnGrahQLInNonHostedMode(int? depthLimit)
         /// </summary>
         /// <param name="entityMap">Collection of entityName -> Entity object.</param>
         /// <param name="enableGlobalRest">flag to enable or disabled REST globally.</param>
-        private static void CreateCustomConfigFile(Dictionary<string, Entity> entityMap, bool enableGlobalRest = true, bool enableGlobalGraphql = true, bool enableGlobalHealth = true, bool enableDatasourceHealth = true)
+        private static void CreateCustomConfigFile(Dictionary<string, Entity> entityMap, bool enableGlobalRest = true, bool enableGlobalGraphql = true, bool enableGlobalHealth = true, bool enableDatasourceHealth = true, HostMode hostMode = HostMode.Production)
         {
             DataSource dataSource = new(
                 DatabaseType.MSSQL,
                 GetConnectionStringFromEnvironmentConfig(environment: TestCategory.MSSQL),
                 Options: null,
                 Health: new(enableDatasourceHealth));
-            HostOptions hostOptions = new(Cors: null, Authentication: new() { Provider = nameof(EasyAuthType.StaticWebApps) });
+            HostOptions hostOptions = new(Mode: hostMode, Cors: null, Authentication: new() { Provider = nameof(EasyAuthType.StaticWebApps) });
 
             RuntimeConfig runtimeConfig = new(
                 Schema: string.Empty,

src/Service.Tests/Configuration/HealthEndpointRolesTests.cs

@@ -0,0 +1,139 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+#nullable enable
+using System.Collections.Generic;
+using System.IO;
+using System.Net;
+using System.Net.Http;
+using System.Threading.Tasks;
+using Azure.DataApiBuilder.Config.ObjectModel;
+using Azure.DataApiBuilder.Core.Authorization;
+using Microsoft.AspNetCore.TestHost;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace Azure.DataApiBuilder.Service.Tests.Configuration
+{
+    [TestClass]
+    public class HealthEndpointRolesTests
+    {
+        private const string STARTUP_CONFIG_ROLE = "authenticated";
+
+        private const string CUSTOM_CONFIG_FILENAME = "custom-config.json";
+
+        [TestCleanup]
+        public void CleanupAfterEachTest()
+        {
+            if (File.Exists(CUSTOM_CONFIG_FILENAME))
+            {
+                File.Delete(CUSTOM_CONFIG_FILENAME);
+            }
+
+            TestHelper.UnsetAllDABEnvironmentVariables();
+        }
+
+        [TestMethod]
+        [TestCategory(TestCategory.MSSQL)]
+        [DataRow(null, null, DisplayName = "Validate Health Report when roles is not configured and HostMode is null.")]
+        [DataRow(null, HostMode.Development, DisplayName = "Validate Health Report when roles is not configured and HostMode is Development.")]
+        [DataRow(null, HostMode.Production, DisplayName = "Validate Health Report when roles is not configured and HostMode is Production.")]
+        [DataRow("authenticated", HostMode.Production, DisplayName = "Validate Health Report when roles is configured to 'authenticated' and HostMode is Production.")]
+        [DataRow("temp-role", HostMode.Production, DisplayName = "Validate Health Report when roles is configured to 'temp-role' which is not in token and HostMode is Production.")]
+        [DataRow("authenticated", HostMode.Development, DisplayName = "Validate Health Report when roles is configured to 'authenticated' and HostMode is Development.")]
+        [DataRow("temp-role", HostMode.Development, DisplayName = "Validate Health Report when roles is configured to 'temp-role' which is not in token and HostMode is Development.")]
+        public async Task ComprehensiveHealthEndpoint_RolesTests(string role, HostMode hostMode)
+        {
+            // Arrange
+            // At least one entity is required in the runtime config for the engine to start.
+            // Even though this entity is not under test, it must be supplied enable successful
+            // config file creation.
+            Entity requiredEntity = new(
+                Health: new(Enabled: true),
+                Source: new("books", EntitySourceType.Table, null, null),
+                Rest: new(Enabled: true),
+                GraphQL: new("book", "books", true),
+                Permissions: new[] { ConfigurationTests.GetMinimalPermissionConfig(AuthorizationResolver.ROLE_ANONYMOUS) },
+                Relationships: null,
+                Mappings: null);
+
+            Dictionary<string, Entity> entityMap = new()
+            {
+                { "Book", requiredEntity }
+            };
+
+            CreateCustomConfigFile(entityMap, role, hostMode);
+
+            string[] args = new[]
+            {
+                $"--ConfigFileName={CUSTOM_CONFIG_FILENAME}"
+            };
+
+            using (TestServer server = new(Program.CreateWebHostBuilder(args)))
+            using (HttpClient client = server.CreateClient())
+            {
+                // Sends a GET request to a protected entity which requires a specific role to access.
+                // Authorization checks
+                HttpRequestMessage message = new(method: HttpMethod.Get, requestUri: $"/health");
+                string swaTokenPayload = AuthTestHelper.CreateStaticWebAppsEasyAuthToken(
+                    addAuthenticated: true,
+                    specificRole: STARTUP_CONFIG_ROLE);
+                message.Headers.Add(AuthenticationOptions.CLIENT_PRINCIPAL_HEADER, swaTokenPayload);
+                message.Headers.Add(AuthorizationResolver.CLIENT_ROLE_HEADER, STARTUP_CONFIG_ROLE);
+                HttpResponseMessage authorizedResponse = await client.SendAsync(message);
+
+                switch (role)
+                {
+                    case null:
+                        if (hostMode == HostMode.Development)
+                        {
+                            Assert.AreEqual(expected: HttpStatusCode.OK, actual: authorizedResponse.StatusCode);
+                        }
+                        else
+                        {
+                            Assert.AreEqual(expected: HttpStatusCode.Forbidden, actual: authorizedResponse.StatusCode);
+                        }
+
+                        break;
+                    case "temp-role":
+                        Assert.AreEqual(expected: HttpStatusCode.Forbidden, actual: authorizedResponse.StatusCode);
+                        break;
+
+                    default:
+                        Assert.AreEqual(expected: HttpStatusCode.OK, actual: authorizedResponse.StatusCode);
+                        break;
+                }
+            }
+        }
+
+        /// <summary>
+        /// Helper function to write custom configuration file with minimal REST/GraphQL global settings
+        /// using the supplied entities.
+        /// </summary>
+        /// <param name="entityMap">Collection of entityName -> Entity object.</param>
+        /// <param name="role">Allowed Roles for comprehensive health endpoint.</param>
+        private static void CreateCustomConfigFile(Dictionary<string, Entity> entityMap, string? role, HostMode hostMode = HostMode.Production)
+        {
+            DataSource dataSource = new(
+                DatabaseType.MSSQL,
+                ConfigurationTests.GetConnectionStringFromEnvironmentConfig(environment: TestCategory.MSSQL),
+                Options: null,
+                Health: new(true));
+            HostOptions hostOptions = new(Mode: hostMode, Cors: null, Authentication: new() { Provider = nameof(EasyAuthType.StaticWebApps) });
+
+            RuntimeConfig runtimeConfig = new(
+                Schema: string.Empty,
+                DataSource: dataSource,
+                Runtime: new(
+                    Health: new(Enabled: true, Roles: role != null ? new HashSet<string> { role } : null),
+                    Rest: new(Enabled: true),
+                    GraphQL: new(Enabled: true),
+                    Host: hostOptions
+                ),
+                Entities: new(entityMap));
+
+            File.WriteAllText(
+                path: CUSTOM_CONFIG_FILENAME,
+                contents: runtimeConfig.ToJson());
+        }
+    }
+}

src/Service.Tests/ModuleInitializer.cs

@@ -83,6 +83,8 @@ public static void Init()
         VerifierSettings.IgnoreMember<RuntimeConfig>(config => config.AllowIntrospection);
         // Ignore the EnableAggregation as that's unimportant from a test standpoint.
         VerifierSettings.IgnoreMember<RuntimeConfig>(options => options.EnableAggregation);
+        // Ignore the AllowedRolesForHealth as that's unimportant from a test standpoint.
+        VerifierSettings.IgnoreMember<RuntimeConfig>(config => config.AllowedRolesForHealth);
         // Ignore the EnableAggregation as that's unimportant from a test standpoint.
         VerifierSettings.IgnoreMember<GraphQLRuntimeOptions>(options => options.EnableAggregation);
         // Ignore the EnableDwNto1JoinOpt as that's unimportant from a test standpoint.