Introduce a new BaseEdge class for GraphQL

Background

In !70692 (merged) we introduced a custom implementation of an Edge class, RunnerWebUrlEdge this class extends the GraphQL::Types::Relay::BaseEdge.

Problem

This class does not implement authorization like Types::BaseObject currently does. So adding :authorize to edge classes does not have any effect.

Proposed solution

Implement a Types::BaseEdge class to enforce security/authorization policies.

Original Discussion

The following discussion from !70692 (merged) should be addressed:

• @alexkalderimis started a discussion: (+10 comments)

  Suggestion, since this field is only available for admins, we may wish to hide it (i.e. using visibility overrides) when the current user is not an admin. This will prevent running queries with this field (it will raise the equivalant of a syntax error), and prevent revealing the field in introspection queries.

  Overall I think that would be safer, but please check with security

mentioned in merge request !70692 (merged)

added backend maintenancerefactor security + 1 deleted label

added typebug label

added security-sp-label-missing security-triage-appsec labels

mentioned in commit 24af1022

One thing that such as class would enable would be the use of authorize: annotations on fields.

We should replace the bespoke auth check at !70692 (diffs) with something more like authorize :admin_runner

This should be fairly straightforward to do (see 24af1022) and not disruptive, since it would only need to be added for new edge classes.

We probably want to change the base edge class for all objects however, do ensure that we redact edges with redacted nodes. This could be a bit more complex, and may need new authorization integration tests.

Refinement:

• weight: 3
• notes: needs new base class, and specs - especially integration specs focussed on authorization effects.

added workflowready for development label

set weight to 3

mentioned in commit 400cdaaf

This seems to be a more of a security enhancement and does not describe an actionable vulnerability. With that in mind, I'm going to add the feature flag in order to appease the bot.

added typefeature label and removed security-sp-label-missing security-triage-appsec labels

added groupintegrations [DEPRECATED] label and removed 1 deleted label

Setting label(s) devopsecosystem sectiondev based on ~"group::integrations".

added sectiondev + 1 deleted label

changed milestone to %Backlog

added [deprecated] Accepting merge requests label

mentioned in commit f0270f75

@alexkalderimis I'm assigning this to you just to reflect the current status of the issue as you opened a merge request a few weeks back !71476 (merged).