Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix context sql #2343

Closed
wants to merge 3 commits into from
Closed

Fix context sql #2343

wants to merge 3 commits into from

Conversation

M4Al
Copy link

@M4Al M4Al commented Aug 20, 2024

Why make this change?

What is this change?

The changes itself are quite simple and should break nothing, see the diff :-)

How was this tested?

I have not created/adapted any tests yet. Just looking for comments before I go there.

Sample Request(s)

Sample of a JWT token (only the relevant part)
{ "aud": "api://ddcf6b31-5d01-407d-97cf-8efefc455d32", "iss": "https://sts.windows.net/9215c785-95c3-49b0-bdba-2062df5aedb5/", "roles": [ "user", "Allow_Customer_OPS025235", "Allow_Customer_OPS004095" ], "ver": "1.0" }

X-MS-API-ROLE: user

before my change the extra 'roles' that do not match the X-MS-API-ROLE header would never reach the database context.
With my change you can do things like this in SQL Predicates to filter out only subsets of the data:

`CREATE FUNCTION dbo.ops_fact_order_Predicate(@CustomerNo varchar(max))
RETURNS TABLE
WITH SCHEMABINDING
AS RETURN SELECT 1 AS fn_securitypredicate_result
WHERE @CustomerNo in (
select trim(replace(replace(replace([value], '"', ''), ']', ''), 'Allow_Customer_', ''))
from STRING_SPLIT (
CAST(SESSION_CONTEXT(N'original_roles') as varchar(max))
, ','
, 0)
where trim(replace(replace([value], '"', ''), ']', '')) like 'Allow_Customer%'
)

CREATE SECURITY POLICY dbo.ops_fact_order_Policy
ADD FILTER PREDICATE dbo.ops_fact_order_Predicate(CustomerNo)
ON [gold_ops].[ops_fact_order];`

@Mu4all
pp
08f741c
@Mu4all
Preserve original roles claim and allow session context updates
b4239d0 
Added a new constant `ORIGINAL_ROLE_CLAIM_TYPE` in `AuthenticationOptions.cs` to store the original roles claim type. Modified `AuthorizationResolver` to preserve the original 'roles' claim by adding it to the `resolvedClaims` dictionary under the new key. Changed `MsSqlQueryExecutor` to set session context parameters with `@read_only = 0` to allow modifications.
@M4Al
Copy link
Author

M4Al commented Aug 20, 2024

@microsoft-github-policy-service agree company="CNext"

@M4Al M4Al closed this Aug 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Aniruddh25 Aniruddh25 Awaiting requested review from Aniruddh25 Aniruddh25 is a code owner

@seantleonard seantleonard Awaiting requested review from seantleonard seantleonard is a code owner

@aaronburtle aaronburtle Awaiting requested review from aaronburtle aaronburtle is a code owner

@abhishekkumams abhishekkumams Awaiting requested review from abhishekkumams abhishekkumams is a code owner

@RubenCerna2079 RubenCerna2079 Awaiting requested review from RubenCerna2079 RubenCerna2079 is a code owner

@ravishetye ravishetye Awaiting requested review from ravishetye ravishetye is a code owner

@rohkhann rohkhann Awaiting requested review from rohkhann rohkhann is a code owner

@neeraj-sharma2592 neeraj-sharma2592 Awaiting requested review from neeraj-sharma2592 neeraj-sharma2592 is a code owner

@sourabh1007 sourabh1007 Awaiting requested review from sourabh1007 sourabh1007 is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Bug]: MSSQL (and related) - EXEC sp_set_session_context is executed with @read_only = 1
2 participants
@M4Al @Mu4all