WIP: Make GraphQL Types authorizable

What does this MR do?

• Allows GraphQL Types to be authorizable
• Allows GraphQL Scalar fields (ones that return Strings, or Integers) to be authorizable
• authorize can be passed a Proc

Type authorization

All of these will work:

class ProjectType < BaseObject
  authorize :read_project
end

class ProjectType < BaseObject
  authorize [:read_project, :something_else] 
end

class ProjectType < BaseObject
  authorize ->(obj, args, ctx) { ... }
end

class ProjectType < BaseObject
  authorize [->(obj, args, ctx) { ... }, :read_project]
end

If all of the permission checks do not pass, then:

# Query:
{
  project(fullPath: "root/my-project") {
    id
  }
}

# Response:
{
  "data": {
    "project": null
  }
}

Field authorization

Scalar-types (fields that return Strings, Integers etc.) can now be authorized. The subject for the permission check is different for when the return type is a Scalar vs a Types::*Type:

:some_permission check will be against the Project:

class ProjectType
  field :id, GraphQL::ID_TYPE, authorize: :some_permission
end

:some_permission check will be against the MergeRequest:

class ProjectType
  field :merge_request, Types::MergeRequestType, authorize: :some_permission
end

And, err.. if you want to pass an Array of permissions, it has to be done like this... (!).

class UserType
  field :id, GraphQL::ID_TYPE do 
    authorize [:some_permission, :another_one] 
  end
end

Like Type authorization, Field authorizations also nullify the data if the authorization checks fail:

# Query:
{
  project(fullPath: "root/squash-project") {
    id
  }
}

# Response:
{
  "data": {
    "project": {
      "id": null
    }
  }
}

Type and Field authorization together

Permissions are cumulative, so where permissions are defined in both the Type and the Field:

class UserType
  authorize: :some_permission
end

class IssueType
  field :author, UserType, authorize: :another_permission
end

The user would need both permissions on the User.

Mutation authorization

Mutation authorization is the same as it was before - some methods have been moved from Authorization to AuthorizeResource to allow this. It means that currently the mutation authorization doesn't support Procs, which we could change in the future if we wanted to.

What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab-ce/issues/54417

Does this MR meet the acceptance criteria?

• Changelog entry added, if necessary
• Documentation created/updated via this MR
• Documentation reviewed by technical writer or follow-up review issue created
• Tests added for this feature/bug
• Tested in all supported browsers
• Conforms to the code review guidelines
• Conforms to the merge request performance guidelines
• Conforms to the style guides
• Conforms to the database guides
• Link to e2e tests MR added if this MR has Requires e2e tests label. See the Test Planning Process.
• Security reports checked/validated by reviewer

Closes #54417 (closed)