Role & FeatureLevel based authorization

[jezzsantos]

We want the developer to be able to be declarative in coarse grained roles-based and feature-based authorization for endpoints.

At this stage, we are not designing for fine-grained permissions or policies.

We already define a small number of Authorization policies using net7.0 minimal API authorization policies but those policies are not easily extendable to be used in declarative ways.

All of our Roles and FeatureLevels are already very discrete and can be turned into enumerations (either in code directly or using source generators)

Once we have that and some declarative syntax to markup service operations (i.e., an extension to the RouteAttribute) or another mechanism, we can make the declarative syntax very easy.

One such approach is outlined here: https://www.linkedin.com/pulse/permission-based-authorization-aspnet-7-minimal-apis-yago-vicent/

[jezzsantos]

• [x] Declare on each operation
• [x] Roslyn rule Error Assert that if [Authorization] exists, then [Route(AccessType!=Anonymous)]
• [x] Roslyn rules Information Assert that if [Route(AccessType!=Anonymous] if there is a missing [Authorize]
• [x] Verify that an empty [Authorize] is not allowed to be specified.
• [x] Verify, if no authorize attribute, how should we authorize the request? should we add a policy by default?

[jezzsantos]

Resolving problem with including Roslyn generated code in the Roslyn generator: https://andrewlock.net/creating-a-source-generator-part-6-saving-source-generator-output-in-source-control/