Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix context sql #2344

Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

Fix context sql #2344

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
08f741c
pp
Mu4all Aug 16, 2024
b4239d0
Preserve original roles claim and allow session context updates
Mu4all Aug 20, 2024
2ed72b4
Merge branch 'main' into fix_context_sql
M4Al Aug 20, 2024
132a46e
Revert "pp"
Mu4all Aug 20, 2024
b0bc518
Merge branch 'fix_context_sql' of https://github.com/M4Al/data-api-bu…
Mu4all Aug 20, 2024
19e9dbc
Adjust the relevant tests
Mu4all Aug 21, 2024
d10be7a
Update src/Core/Resolvers/MsSqlQueryExecutor.cs
M4Al Aug 30, 2024
4c5a5b8
Add recordcount
Mu4all Sep 3, 2024
20f4b6b
Merge branch 'fix_context_sql' of https://github.com/M4Al/data-api-bu…
Mu4all Sep 3, 2024
b560b20
Update dockerfile to .net8
Mu4all Sep 4, 2024
3567785
Downgrade SqlClient
Mu4all Sep 4, 2024
1479f34
Rename FIRST_URL constant value from "$first" to "$top"
Mu4all Sep 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/Config/ObjectModel/AuthenticationOptions.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ public record AuthenticationOptions(string Provider = nameof(EasyAuthType.Static
public const string CLIENT_PRINCIPAL_HEADER = "X-MS-CLIENT-PRINCIPAL";
public const string NAME_CLAIM_TYPE = "name";
public const string ROLE_CLAIM_TYPE = "roles";
public const string ORIGINAL_ROLE_CLAIM_TYPE = "original_roles";

/// <summary>
/// Returns whether the configured Provider matches an
Expand Down
7 changes: 6 additions & 1 deletion src/Core/Authorization/AuthorizationResolver.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -604,9 +604,14 @@ public static Dictionary<string, List<Claim>> GetAllAuthenticatedUserClaims(Http
// into a list and storing that in resolvedClaims using the claimType as the key.
foreach (Claim claim in identity.Claims)
{
// 'roles' claim has already been processed.
// 'roles' claim has already been processed. But we preserve the original 'roles' claim
if (claim.Type.Equals(AuthenticationOptions.ROLE_CLAIM_TYPE))
{
if(!resolvedClaims.TryAdd(AuthenticationOptions.ORIGINAL_ROLE_CLAIM_TYPE, new List<Claim>() { claim }))
{
resolvedClaims[AuthenticationOptions.ORIGINAL_ROLE_CLAIM_TYPE].Add(claim);
}

continue;
}

Expand Down
4 changes: 2 additions & 2 deletions src/Core/Resolvers/MsSqlQueryExecutor.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -217,9 +217,9 @@ public override string GetSessionParamsQuery(HttpContext? httpContext, IDictiona
foreach ((string claimType, string claimValue) in sessionParams)
{
string paramName = $"{SESSION_PARAM_NAME}{counter.Next()}";
parameters.Add(paramName, new(claimValue));
parameters.Add(paramName, new(claimValue));
M4Al marked this conversation as resolved.
Show resolved Hide resolved
// Append statement to set read only param value - can be set only once for a connection.
string statementToSetReadOnlyParam = "EXEC sp_set_session_context " + $"'{claimType}', " + paramName + ", @read_only = 1;";
string statementToSetReadOnlyParam = "EXEC sp_set_session_context " + $"'{claimType}', " + paramName + ", @read_only = 0;";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

curious, did you experience - your mutation operations being blocked because of this setting?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the SQL Endpoint did reject the second query as described in #2341

sessionMapQuery = sessionMapQuery.Append(statementToSetReadOnlyParam);
}

Expand Down
6 changes: 4 additions & 2 deletions src/Service.Tests/Authorization/AuthorizationResolverUnitTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1293,7 +1293,8 @@ public void UniqueClaimsResolvedForDbPolicy_SessionCtx_Usage()
new("sub", "Aa_0RISCzzZ-abC1De2fGHIjKLMNo123pQ4rStUVWXY"),
new("oid", "55296aad-ea7f-4c44-9a4c-bb1e8d43a005"),
new(AuthenticationOptions.ROLE_CLAIM_TYPE, TEST_ROLE),
new(AuthenticationOptions.ROLE_CLAIM_TYPE, "ROLE2")
new(AuthenticationOptions.ROLE_CLAIM_TYPE, "ROLE2"),
new(AuthenticationOptions.ROLE_CLAIM_TYPE, "ROLE3")
};

//Add identity object to the Mock context object.
Expand All @@ -1315,6 +1316,7 @@ public void UniqueClaimsResolvedForDbPolicy_SessionCtx_Usage()
Assert.AreEqual(expected: "Aa_0RISCzzZ-abC1De2fGHIjKLMNo123pQ4rStUVWXY", actual: claimsInRequestContext["sub"], message: "Expected the sub claim to be present.");
Assert.AreEqual(expected: "55296aad-ea7f-4c44-9a4c-bb1e8d43a005", actual: claimsInRequestContext["oid"], message: "Expected the oid claim to be present.");
Assert.AreEqual(claimsInRequestContext[AuthenticationOptions.ROLE_CLAIM_TYPE], actual: TEST_ROLE, message: "The roles claim should have the value:" + TEST_ROLE);
Assert.AreEqual(expected: "[\"" + TEST_ROLE + "\",\"ROLE2\",\"ROLE3\"]", actual: claimsInRequestContext[AuthenticationOptions.ORIGINAL_ROLE_CLAIM_TYPE], message: "Original roles should be preserved in a new context");
}

/// <summary>
Expand Down Expand Up @@ -1365,7 +1367,7 @@ public void ValidateUnauthenticatedUserClaimsAreNotResolvedWhenProcessingUserCla
Dictionary<string, string> resolvedClaims = AuthorizationResolver.GetProcessedUserClaims(context.Object);

// Assert
Assert.AreEqual(expected: authenticatedUserclaims.Count, actual: resolvedClaims.Count, message: "Only two claims should be present.");
Assert.AreEqual(expected: authenticatedUserclaims.Count + 1, actual: resolvedClaims.Count, message: "Only " + (authenticatedUserclaims.Count + 1) + " claims should be present.");
Assert.AreEqual(expected: "openid", actual: resolvedClaims["scp"], message: "Unexpected scp claim returned.");

bool didResolveUnauthenticatedRoleClaim = resolvedClaims[AuthenticationOptions.ROLE_CLAIM_TYPE] == "Don't_Parse_This_Role";
Expand Down