feat(bigquery): support authorized views with dataset restrictions

docs/en/resources/tools/bigquery/bigquery-execute-sql.md

@@ -39,11 +39,10 @@ layer of security by controlling which datasets can be accessed:
 
 - **Without `allowedDatasets` restriction:** The tool can execute any valid
   GoogleSQL query.
-- **With `allowedDatasets` restriction:** Before execution, the tool performs a
-  dry run to analyze the query.
-  It will reject the query if it attempts to access any table outside the
-  allowed `datasets` list. To enforce this restriction, the following operations
-  are also disallowed:
+- **With `allowedDatasets` restriction:** The tool analyzes the query before execution to ensure that it only accesses the allowed datasets.
+  This check also supports authorized views by validating direct references against the allowed list.
+  To enforce this restriction, the following operations are also disallowed:
+
   - **Dataset-level operations** (e.g., `CREATE SCHEMA`, `ALTER SCHEMA`).
   - **Unanalyzable operations** where the accessed tables cannot be determined
     statically (e.g., `EXECUTE IMMEDIATE`, `CREATE PROCEDURE`, `CALL`).

internal/tools/bigquery/bigqueryanalyzecontribution/bigqueryanalyzecontribution.go

@@ -214,24 +214,9 @@ func (t Tool) Invoke(ctx context.Context, resourceMgr tools.SourceProvider, para
 					{Key: "session_id", Value: session.ID},
 				}
 			}
-			dryRunJob, err := bqutil.DryRunQuery(ctx, restService, source.BigQueryClient().Project(), source.BigQueryClient().Location, inputData, nil, connProps)
-			if err != nil {
-				return nil, fmt.Errorf("query validation failed: %w", err)
-			}
-			statementType := dryRunJob.Statistics.Query.StatementType
-			if statementType != "SELECT" {
-				return nil, fmt.Errorf("the 'input_data' parameter only supports a table ID or a SELECT query. The provided query has statement type '%s'", statementType)
-			}
 
-			queryStats := dryRunJob.Statistics.Query
-			if queryStats != nil {
-				for _, tableRef := range queryStats.ReferencedTables {
-					if !source.IsDatasetAllowed(tableRef.ProjectId, tableRef.DatasetId) {
-						return nil, fmt.Errorf("query in input_data accesses dataset '%s.%s', which is not in the allowed list", tableRef.ProjectId, tableRef.DatasetId)
-					}
-				}
-			} else {
-				return nil, fmt.Errorf("could not analyze query in input_data to validate against allowed datasets")
+			if _, err := bqutil.ValidateQueryAgainstAllowedDatasets(ctx, restService, source.BigQueryClient().Project(), source.BigQueryClient().Location, inputData, nil, connProps, source); err != nil {
+				return nil, err
 			}
 		}
 		inputDataSource = fmt.Sprintf("(%s)", inputData)