🛂 Introduce @Permission decorator

This decorator can accept permission conditions required
to access the resource. For example:
```
@Permission(({ args }) =>
  Promise.resolve({
    or: [
      { type: 'global', permission: P.global.VIEW_ANY_PLAN_DATA },
      { type: 'plan', permission: P.plan.VIEW_DATA, id: args.id },
    ],
  })
)
```

If only global permission check is needed, it can be used directly:
```
@Permission({
  type: 'global',
  permission: P.global.VIEW_ALL_JOBS,
})
```

Author: Pl217

src/common-libs/auth/permission-decorator.ts

@@ -0,0 +1,31 @@
+import { actionIsPermitted } from '@unocha/hpc-api-core/src/auth';
+import { RequiredPermissionsCondition } from '@unocha/hpc-api-core/src/auth/permissions';
+import { Context } from '@unocha/hpc-api-core/src/lib/context';
+import { ForbiddenError } from '@unocha/hpc-api-core/src/util/error';
+import { createMethodDecorator, ResolverData } from 'type-graphql';
+
+type RequiredPermissions = (
+  resolverData: ResolverData<Context>
+) => Promise<RequiredPermissionsCondition<never>>;
+
+// eslint-disable-next-line @typescript-eslint/naming-convention
+export function Permission(
+  requiredPermissions: RequiredPermissions | RequiredPermissionsCondition<never>
+): MethodDecorator {
+  return createMethodDecorator(
+    async (resolverData: ResolverData<Context>, next) => {
+      let permissions: RequiredPermissionsCondition<never>;
+      if (typeof requiredPermissions === 'function') {
+        permissions = await requiredPermissions(resolverData);
+      } else {
+        permissions = requiredPermissions;
+      }
+
+      if (!(await actionIsPermitted(permissions, resolverData.context))) {
+        throw new ForbiddenError('No permission to perform this action');
+      }
+
+      return next();
+    }
+  );
+}