Add analyzer for detecting misplaced attributes on delegates

[captainsafia]

This PR adds an analyzer that detects if attributes are incorrectly placed on a method invoked from an attribute in a lambda.

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
var app = WebApplication.Create();
app.MapGet(""/"", () => Hello());
[Authorize]
void Hello() { }

The above will produce a diagnostic warning the user about the misplaced AuthorizeAttribute with the following message:

'AuthorizeAttribute' should not be placed on 'Hello'. Place 'AuthorizeAttribute' on the endpoint delegate instead.

Fixes #35638

[pranavkm]

Shouldn't we be producing the diagnostic on the attribute (rather than on the delegate)?

[captainsafia]

Hmmm, I think it makes more sense to put it on the delegate since that is where the user will take the action to resolve the issue (absent us providing a codefix).

[pranavkm]

Can we add a test with an invalid lambda or a invalid method reference? e.g.

app.MapGet(""/"", () => DoesNotExist());

One with a MethodReference:

app.MapGet(""/"", GetPersonId);

[Authorize]
public string GetPersonId() => string.Empty;

and with a reference to a different source:

// Source1 
app.MapGet(""/"", () => PersonHandlers.GetPersonId);

Where PersonHandlers.GetPersonId is in a separate source file / SyntaxTree

[captainsafia]

Yep, good idea. Here's the expected behavior for these:

1. Invalid reference: No warning from us but user gets a not defined warning.
2. Method reference: No warning from us since this warning only applies to lambdas.
3. Reference to a method in a different class: Warning from us about misplaced attribute.

Where PersonHandlers.GetPersonId is in a separate source file / SyntaxTree

For this part, I couldn't find any examples in our codebase of the GetDiagnosticsAsync method processing sources from different source files so I put it in separate files. Is there a way to do that?

[pranavkm]

This one's interesting - if the code looked like:

(int id) => if (id == 0) { return Results.NotFound(); } else { return Hello(); }

This would produce no diagnostics? Is that weird?

[captainsafia]

Yeah, that's a consequence of not doing the full search through the syntax tree that we were doing before (see #35779 (comment)).

Supporting this scenario invites the question of how "deep" in the syntax tree we want to look for returned invocations and support throwing a warning.

[pranavkm]

Could we look up the assembly name or walk up the namespace? Allocating a formatted string on every attribute doesn't sound great for performance.

[captainsafia]

We can walk up the namespace, we'll still have to evaluate against the string representation of the NamespaceSymbol though.

[pranavkm]

That should be fine. It wouldn't allocate a new string every time no?

[captainsafia]

Eh, actually, it uses the same SymbolDisplay logic under the hood.

I ended up rewriting this to avoid interacting with the FQNS of the type at all. We can just traverse up the tree until we find an AspNetCore namespace containing in a Microsoft namespace and treat that as a valid scenario.

[pranavkm]

Nice.

[captainsafia]

/backport release/6.0

[captainsafia]

/backport to release/6.0

[github-actions]

Started backporting to release/6.0: https://github.com/dotnet/aspnetcore/actions/runs/1190188412