
check the authorization status of implementors of an interface #3588

Merged: 16 commits merged into geal/authorization-directives from geal/authorization-interface on Aug 22, 2023

Conversation

Geal (Contributor) commented Aug 16, 2023

If authorization directives are not set consistently on all types implementing an interface, then a query on that interface should use fragments.

In the same way, if they are not applied consistently on the fields of the interface, the query should use fragments.

As an example, with this schema:

type Query {
    test: String
    itf: I!
}

interface I {
    id: ID
}

type A implements I {
    id: ID
    a: String
}

type B implements I @authenticated {
    id: ID
    b: String
}

The query:

query {
    test
    itf {
        id
    }
}

should be filtered as:

query {
    test
}

While this one:

query {
    test
    itf {
        ... on A {
            id
        }

        ... on B {
            id
        }
    }
}

will be filtered as:

query {
    test
    itf {
        ... on A {
            id
        }
    }
}

Todo:

  • @authenticated:
    • check different requirements on interface implementors
    • check different requirements on interface fields by implementors
    • check different requirements on union members
    • check authorization on aliases
  • @requiresScopes
    • check different requirements on interface implementors
    • check different requirements on interface fields by implementors
    • check different requirements on union members
    • check authorization on aliases
  • @policy
    • check different requirements on interface implementors
    • check different requirements on interface fields by implementors
    • check different requirements on union members
    • check authorization on aliases

Checklist

Complete the checklist (and note appropriate exceptions) before a final PR is raised.

  • Changes are compatible[^1]
  • Documentation[^2] completed
  • Performance impact assessed and acceptable
  • Tests added and passing[^3]
    • Unit Tests
    • Integration Tests
    • Manual Tests

Exceptions

Note any exceptions here

Notes

[^1]. It may be appropriate to bring upcoming changes to the attention of other (impacted) groups. Please endeavour to do this before seeking PR approval. The mechanism for doing this will vary considerably, so use your judgement as to how and when to do this.
[^2]. Configuration is an important part of many changes. Where applicable please try to document configuration examples.
[^3]. Tick whichever testing boxes are applicable. If you are adding Manual Tests:
- please document the manual testing (extensively) in the Exceptions.
- please raise a separate issue to automate the test and label it (or ask for it to be labeled) as manual test

If `@authenticated` is not set consistently on all types implementing an
interface, then a query on that interface should use fragments
router-perf bot commented Aug 16, 2023

CI performance tests

  • xxlarge-request - Stress test with 100 MB request payload
  • step - Basic stress test that steps up the number of users over time
  • events_without_dedup - Stress test for events with a lot of users and deduplication DISABLED
  • events - Stress test for events with a lot of users and deduplication ENABLED
  • large-request - Stress test with a 1 MB request payload
  • const - Basic stress test that runs with a constant number of users
  • no-graphos - Basic stress test, no GraphOS.
  • reload - Reload test over a long period of time at a constant rate of users
  • step-jemalloc-tuning - Clone of the basic stress test for jemalloc tuning
  • xlarge-request - Stress test with 10 MB request payload
  • events_big_cap_high_rate - Stress test for events with a lot of users, deduplication enabled and high rate event with a big queue capacity

goto-bus-stop (Member) commented Aug 17, 2023

Would this also be an issue for unions?

type B @authenticated {
  id: ID
}
type A {
  id: ID
}
union I = A | B
type Query {
  test: String
  uni: I!
}
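
The filtering rule from the PR description (interface implementors, interface fields with differing requirements, aliases) and the union case raised in the comment above, worked through as an added Python example. This is an editor's illustration, not code from the PR or from Apollo Router; the `Schema`/`Field`/`InlineFragment` model, `filter_unauthenticated` and `filter_query` are assumed names, the schema and queries are constructed, and it assumes an unauthenticated request with only `@authenticated` modelled (no `@requiresScopes` or `@policy`, no list/non-null wrappers, no named fragments). It reproduces the two filtered queries shown in the description and extends them to a union member and to a field-level directive on one implementor.

```python
# Added illustration, not Apollo Router code: a minimal model of the
# @authenticated filtering rule this PR describes. Assumptions: unauthenticated
# request, only @authenticated, no wrappers, no named fragments.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple, Union

@dataclass
class Field:
    name: str
    alias: Optional[str] = None
    selections: List["Selection"] = field(default_factory=list)

@dataclass
class InlineFragment:
    type_condition: str
    selections: List["Selection"] = field(default_factory=list)

Selection = Union[Field, InlineFragment]

@dataclass
class ObjectType:
    fields: Dict[str, str]                        # field name -> return type name
    implements: Set[str] = field(default_factory=set)
    authenticated: bool = False                   # type-level @authenticated
    authenticated_fields: Set[str] = field(default_factory=set)

@dataclass
class Schema:
    objects: Dict[str, ObjectType]
    interfaces: Dict[str, Dict[str, str]] = field(default_factory=dict)
    unions: Dict[str, Set[str]] = field(default_factory=dict)

    def possible_types(self, t: str) -> Set[str]:
        # Concrete object types a value of type `t` can have at runtime.
        if t in self.objects:
            return {t}
        if t in self.interfaces:
            return {n for n, o in self.objects.items() if t in o.implements}
        return set(self.unions[t])

    def field_type(self, parent: str, name: str) -> str:
        if name == "__typename":
            return "String"
        return (self.objects[parent].fields if parent in self.objects else self.interfaces[parent])[name]

    def allows(self, parent: str, name: str) -> bool:
        """An unauthenticated request may select `name` on `parent` only if every
        possible concrete type allows it, at both type and field level."""
        return name == "__typename" or all(
            not self.objects[t].authenticated and name not in self.objects[t].authenticated_fields
            for t in self.possible_types(parent))

def filter_unauthenticated(schema: Schema, parent: str, selections: List[Selection],
                           path: Tuple[str, ...] = ()) -> Tuple[List[Selection], List[str]]:
    """Return (kept selections, paths of the selections that were removed)."""
    kept, removed = [], []
    for sel in selections:
        if isinstance(sel, InlineFragment):
            here = path + (f"... on {sel.type_condition}",)
            subs, gone = filter_unauthenticated(schema, sel.type_condition, sel.selections, here)
            removed.extend(gone)
            if subs:                          # a fragment emptied by filtering is dropped
                kept.append(InlineFragment(sel.type_condition, subs))
            continue
        here = path + (sel.alias or sel.name,)
        if not schema.allows(parent, sel.name):   # the alias plays no part in the check
            removed.append("/".join(here))
        elif not sel.selections:
            kept.append(sel)
        else:
            child = schema.field_type(parent, sel.name)
            subs, gone = filter_unauthenticated(schema, child, sel.selections, here)
            removed.extend(gone)
            if subs:                          # a composite field left empty is dropped
                kept.append(Field(sel.name, sel.alias, subs))
    return kept, removed

def render(selections: List[Selection], depth: int = 0) -> str:
    # Print a selection set back as GraphQL text, four spaces per level.
    pad, out = "    " * depth, []
    for sel in selections:
        if isinstance(sel, InlineFragment):
            head = f"{pad}... on {sel.type_condition}"
        else:
            head = pad + (f"{sel.alias}: {sel.name}" if sel.alias else sel.name)
        out.append(f"{head} {{\n{render(sel.selections, depth + 1)}\n{pad}}}" if sel.selections else head)
    return "\n".join(out)

# Constructed schema: the PR's example plus a union U and a type C whose `name`
# field (rather than the type) carries @authenticated.
SCHEMA = Schema(
    objects={
        "Query": ObjectType({"test": "String", "itf": "I", "uni": "U"}),
        "A": ObjectType({"id": "ID", "name": "String", "a": "String"}, implements={"I"}),
        "B": ObjectType({"id": "ID", "name": "String", "b": "String"}, implements={"I"}, authenticated=True),
        "C": ObjectType({"id": "ID", "name": "String"}, implements={"I"}, authenticated_fields={"name"}),
    },
    interfaces={"I": {"id": "ID", "name": "String"}},
    unions={"U": {"A", "B"}},
)

def filter_query(selections: List[Selection]) -> Tuple[str, List[str]]:
    # Filter a query against SCHEMA; return (query text, removed paths).
    kept, removed = filter_unauthenticated(SCHEMA, "Query", selections)
    body = render(kept, 1)
    return ("query {\n" + body + "\n}") if body else "query {}", removed
```

The check that matters is in `Schema.allows`: a field selected directly on an interface or union is authorized only if every possible concrete type allows it, which is why `itf { id }` is dropped as soon as one implementor carries `@authenticated`, while `... on A { id }` survives because the type condition narrows the possible types to `A`. The same rule gives the union answer: `uni { ... on B { b } }` loses the `B` fragment, and `__typename` is always kept.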

if the implementors of an interface have different authorization
requirements on the interface fields, then the field should not be
authorized, unless it is inside a fragment with a type condition
Geal (Contributor, Author) commented Aug 18, 2023

I have a good approach for interfaces now, checking for unions next

Geal (Contributor, Author) commented Aug 18, 2023

there's a test for unions in 924a894, it works :)

@Geal Geal marked this pull request as ready for review August 21, 2023 16:07
@Geal Geal merged commit 24fcb3d into geal/authorization-directives Aug 22, 2023
1 check passed
@Geal Geal deleted the geal/authorization-interface branch August 22, 2023 07:25
2 participants