Commit 5e3e5e2
Fix Session Context Key set as Read_Only & maintain original roles from the JWT token (#2344)
## Why make this change?
- Fixes #2341
- The session context in SQL server is `read_only = 1` which prevents
users from doing multiple requests on the same connection.
- The row level security is not accurately implemented when using a JWT
token.
## What is this change?
Changes the session context from `read_only = 1` to `read_only = 0` to
allow multiple requests to be done in the same connection,
Creates a copy of the original 'roles' from the JWT token to use it on
the SQL Filter Predicate to accurately implement row level security.
## How was this tested?
- [ ] Integration Tests
- [x] Unit Tests
Updated `AuthorizationResolver` tests to ensure the original roles copy
is working properly.
## Sample Request(s)
Sample of a JWT token (only the relevant part)
```
{
"aud": "api://ddcf6b31-5d01-407d-97cf-8efefc455d32",
"iss": "https://sts.windows.net/9215c785-95c3-49b0-bdba-2062df5aedb5/",
"roles": [
"user",
"Allow_Customer_OPS025235",
"Allow_Customer_OPS004095"
],
"ver": "1.0"
}
```
X-MS-API-ROLE: user
before my change the extra 'roles' that do not match the X-MS-API-ROLE
header would never reach the database context.
With my change you can do things like this in SQL Predicates to filter
out only subsets of the data:
```
CREATE FUNCTION dbo.ops_fact_order_Predicate(@CustomerNo varchar(max))
RETURNS TABLE
WITH SCHEMABINDING
AS RETURN SELECT 1 AS fn_securitypredicate_result
WHERE @CustomerNo in (
select trim(replace(replace(replace([value], '"', ''), ']', ''), 'Allow_Customer_', ''))
from STRING_SPLIT (
CAST(SESSION_CONTEXT(N'original_roles') as varchar(max))
, ','
, 0)
where trim(replace(replace([value], '"', ''), ']', '')) like 'Allow_Customer%'
)
CREATE SECURITY POLICY dbo.ops_fact_order_Policy
ADD FILTER PREDICATE dbo.ops_fact_order_Predicate(CustomerNo)
ON [gold_ops].[ops_fact_order];
```
---------
Co-authored-by: KobeLenjou <kobe@lenjou.be>
Co-authored-by: Aniruddh Munde <anmunde@microsoft.com>
Co-authored-by: Ruben Cerna <rcernaserna@microsoft.com>
Co-authored-by: RubenCerna2079 <32799214+RubenCerna2079@users.noreply.github.com>1 parent 5f3643e commit 5e3e5e2
4 files changed
Lines changed: 12 additions & 4 deletions
File tree
- src
- Config/ObjectModel
- Core
- Authorization
- Resolvers
- Service.Tests/Authorization
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
17 | 17 | | |
18 | 18 | | |
19 | 19 | | |
| 20 | + | |
20 | 21 | | |
21 | 22 | | |
22 | 23 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
617 | 617 | | |
618 | 618 | | |
619 | 619 | | |
620 | | - | |
| 620 | + | |
621 | 621 | | |
622 | 622 | | |
| 623 | + | |
| 624 | + | |
| 625 | + | |
| 626 | + | |
| 627 | + | |
623 | 628 | | |
624 | 629 | | |
625 | 630 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
284 | 284 | | |
285 | 285 | | |
286 | 286 | | |
287 | | - | |
| 287 | + | |
288 | 288 | | |
289 | 289 | | |
290 | 290 | | |
| |||
Lines changed: 4 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1293 | 1293 | | |
1294 | 1294 | | |
1295 | 1295 | | |
1296 | | - | |
| 1296 | + | |
| 1297 | + | |
1297 | 1298 | | |
1298 | 1299 | | |
1299 | 1300 | | |
| |||
1315 | 1316 | | |
1316 | 1317 | | |
1317 | 1318 | | |
| 1319 | + | |
1318 | 1320 | | |
1319 | 1321 | | |
1320 | 1322 | | |
| |||
1365 | 1367 | | |
1366 | 1368 | | |
1367 | 1369 | | |
1368 | | - | |
| 1370 | + | |
1369 | 1371 | | |
1370 | 1372 | | |
1371 | 1373 | | |
| |||
0 commit comments