The Freak Parade

I’ve written previously about “claims based authorization,” and how I believe it will eventually become a ubiquitous approach to identity management as the world of online digital identity reinvents itself in order to avoid implosion. If you aren’t familiar with the concept of claims based identity, I recommend checking out the post linked above or following some of the links from this post.  If you just want to examine the sample code for this post, it is here.

In this post I’m interested in how a set of claims presented by a user when making a service call can be evaluated against specific authorization rules to determine whether or not the user has access to the requested resource.

The details of how a user is associated with such claims, how they are secured, and how claims are embedded inside calls to your service are beyond the scope of this post, but the links listed above should provide a place to put the tip of that chisel. For the purposes of this post I will assume that claims are presented via a list of IClaim objects, and an IClaim is nothing but a Name/Value pair – IList<IClaim>. This is very similar to how Micrisofts new Zermatt Identity Framework represents claims, and this was intentional as I believe that Zermatt is probably the future of Identity Management on the .NET platform.

So then, given IList<IClaim> claims, how can we make rational authorization decisions, such as “I only want users who are in the Premium Members role and whose age is older than 21 to access this (probably seedy) service method.” One obvious, simple approach would be to evaluate the claims programmatically. Some simple extension methods can make this much easier:

public static class ClaimsExtensions
{
   public static T GetClaimValue<t>(this IList<iclaim> claims, string claimType)
   {
       foreach (IClaim claim in claims)
       {
           if (String.Compare(claim.ClaimType, claimType, true) == 0)
           {
               return TypeNormalizer.EnsureType<t>(claim.Value, default(T));
           }
       }
       return default(T);
   }

   public static bool ClaimEqualsAny(this IList<iclaim> claims, string claimType, string claimValue)
   {
       foreach (IClaim claim in claims)
       {
           if (String.Compare(claim.ClaimType, claimType, true) == 0)
           {
               if (claim.Value.Equals(claimValue, StringComparison.InvariantCultureIgnoreCase))
                   return true;
           }
       }
       return false;
   }

   public static bool EvaluateClaim<t>(this IList<iclaim> claims, string claimType, Func<t , bool> eval)
   {
       var claimValue = claims.GetClaimValue</t><t>(claimType);
       return eval(claimValue);
   }
}

Then, from within a method that needs protecting, you can easily do something like this:

public void MyServiceMethod()
{
    if (CurrentUser.Claims.EvaluateClaim<int>(CustomClaimTypes.AgeInYears,age => age < 21) ||
        CurrentUser.Claims.ClaimEqualsAny(CustomClaimTypes.Role,"Premium User") == false)
    {
	//Whatever you do when someone isn't authorized. Throw a not authorized exception? Return a fault code?
    }

    //Implement your service method here, your user is old enough and has paid their money
}

If you were clever, you could probably figure out a way to use LINQ expressions to make the syntax even cleaner. This is all good and well, but it has at least one major problem – authorization rules are probably likely to change far more frequently than your application code. Even worse, you may wish your power users to be able to manage their own authorization rules for certain kinds of access or for named permissions. Using the technique described above, any change to any authorization rule will require you compile and deploy your application.

One common solution to conundrums such as these is to use a DSL (Domain Specific Language). And while you certainly could write a custom DSL to implement your authorization rules, authorization rules have an interesting characteristic: they always resolve to a discrete value, a true or a false. They are simply boolean expressions.

There are a number of Expression Evaluators available from the open source community that will fit the bill perfectly. An Expression Evaluator will allow you to specify your authorization rules as simple strings, which means they can be stored in a configuration file or a database or some other persistent store and modified and run-time as needed. They are also serializable by definition and can easily be requested by and cached at the user interface to allow the user interface to use the same authorization logic  to render itself appropriately with respect to the permissions of the currently logged in user that the server will use to authorize access to its API without (necessarily) having any code in common other than a reference to the same expression evaluator library.

In this example I will be using Simple Expression Evaluator available on Codeplex. I chose this library purely out of nepotism, because I wrote it, but you should be able to use any expression evaluator that catches your fancy. A number of options for .NET are listed here.

Using an Simple Expression Evaluator we could rewrite the above authorization rule like this:

AgeInYears >= 21 and MatchesAny(Role = "Premium User")

In the sample project I added a custom function, IsInRole, allowing this syntax:

AgeInYears >= 21 and IsInRole("Premium User")

To make this happen, Simple Expression Evaluator will need a little help in interpreting claim names. The main reason behind this is that claims are usually represented by a URI, such as http://thefreakparade.com/claims/role, but accessed through code using string constants, such as

public static class CustomClaimTypes
{
     public const string Role = "http://thefreakparade.com/claims/role";
     //...more...
}

and therefore accessed in code like this:

var claim = new Claim(CustomClaimTypes.AgeInYears,43);

The expression evaluator will interperet something like AgeInYears to be a variable, and the name AgeInYears won’t naturally correspond to anything, because it’s really just a property name, the real claim is represented by a URI that would be far too ugly to stick in an expression. The solution is to give the expression evaluator a little help when evaluating variables, like so:

public bool Authorize(IList<iclaim> claims,string authExpression)
{
    var context = new ExpressionContext(claims);

    context.ResolveUnknownVariable +=
        (sender, args) =>
            {
               args.VariableValue =
                 claims.GetClaimValue(_claimAliases[args.VariableName]);

            };

    context.ResolveMissingFunction +=
        (sender, args) =>
            {
                if (args.FunctionName.Equals("IsInRole",StringComparison.OrdinalIgnoreCase))
                {
                    args.Function = (funcArgs) => IsInRole(claims,funcArgs);
                }
            };

    return ExpressionEvaluator.EvaluateExpression(authExpression,context);    

}

This method was modified a little from the actual sample to the purpose of clarity, but the general idea is the same. Also demonstrated is the technique required to add an IsInRole method to the expression language. The actual implementation of the IsInRole functionality is implemented off screen, see the sample for the actual code. This method also relies on a hashtable called _claimAliases being pre-populated with a mapping between the URI of a claim type and the friendly name the expression language will use. In the sample app, I simply used reflection to load the alias table with a mapping between the field name of each const and the actual URI.

Now, if you simple use the expression evaluator an call Authorize from within your service methods, like this:

public void MyServiceMethod()
{
    if (AuthorizationHelper.Authorize(
           CurrentUser.Claims,"AgeInYears >= 21 and IsInRole('Premium User')" == false)
    {
	//Whatever you do when someone isn't authorized. Throw a not authorized exception? Return a fault code?
    }

    //Implement your service method here, your user is old enough and has paid their money
}

Then all we added with the dynamic expression was complexity – your rules are still defined inline in your code. What you really want is a syntax like this:

public void MyServiceMethod()
{
    if (AuthorizationManager.Authorize(CurrentUser.Claims,Permissions.CanAccessServiceMethod) == false)
    {
        //no access
    }
    //service code
}

Where Permissions.CanAccessServiceMethod will key into a persistent authorization rule store such as a config file or database, so that the rule expressions themselves can be dynamically loaded at runtime and therefore modified outside of the code. The sample application takes advantage of a very simplified implementation of the Repository pattern and introduces an IAuthorizationRuleRepository to solve that issue. If you were really, really smart you could get to a syntax like this without much extra effort. Note this sample application does not quite go this far, but it shouldn’t be a stretch for you get there yourself if you care to:

[RequiresPermission(Permissions.CanAccessServiceMethod)]
public void MyServiceMethod()
{
    //service code
}

The only caveat with an attribute based approach is that access to your protected method is all or nothing. You can’t return a set of records filtered one way when one permission level is present, and another for a lower level of permission. But nothing would prevent you from mixing an attribute based approach with an inline-code based approach as appropriate.

Finally, here is a sample of the actual authorization syntax as implemented by the Identity at Rest sample application:

public List<monkey> ListAllMonkeys()
{
    //Only administrators can list all monkeys.
    //Everyone else can just list shaved monkeys.
    if (AuthorizeFor(
            Permissions.MonkeyShavingService.CanViewUnshavedMonkeys) == false)
    {
        return ListMonkeysByStatus(MonkeyStatus.ShavedClean.ToString());
    }

    return _monkeys;
}

And that’s about it. If you’ve made it this far, your very well aware that this post is describing a general approach to claims based authorization using an expression oriented DSL – the code samples listed here aren’t detailed enough to get you from point A to point B in an actual implementation. However, the included sample application, which is an evolution of the Identity At Rest sample application provided for this post, does provide an end to end application that fully implements the concepts discussed here. The sample comes with a “smart client” Winforms application that uses WCF to communicate with a remote  REST based API. All API calls are secured using the above described techniques.

I would be the last one to suggest that this approach is a “best practice” in managing claims based authorization, but it made sense to us and seems to work pretty well so far.  As always, I’d love to hear about any other approaches that you may be using.

Evaluating dynamic, ad hoc or user provided expressions at runtime, usually in the context of an application’s current state, has been a valuable tool in the programmers tool-belt since the days when Cro-Magnon man was beating the brains out of Saber-toothed tigers to feed his hungry, hairy family.

In an interpreted language, like JavaScript, this is no problem, there is almost always some kind of Eval(string) command that will allow you to pass in and execute some arbitrary piece of code, such as an expression, as capriciously as you like.

With compiled languages, though, by the time your program actually executes, the compiler has completed its work and gone home to have a glass of Wild Turkey and watch football. If you want to evaluate some arbitrary expression (like this one that you might use in a reporting tool)

if (Amount < 0) then 'Red' else 'Black'

You either need to call the compiler back into the office or roll up your sleeves and do the job yourself. Some people would call this a DSL, or Domain Specific Language, at this point, although personally I feel like calling a simple expression language a DSL, especially if it doesn’t have any elements that relate to your specific domain but just operate on the objects you have in memory, whatever they are, is a bit of a stretch. But that’s an abstract distinction, DSL or not, the options are the same.

Compile Code on the Fly

In .NET you can use the System.CodeDom.Compiler classes to compile some arbitrary piece of source code into an in-memory class inside an in-memory assembly, and then execute the code. This is the approach you would take if you were going to use Boo (or some expression language based on Boo), but really there is a lot of baggage that comes with that approach that I think makes it inappropriate for most scenarios where you want to evaluate ad hoc expressions. Namely, if you are dealing with a large number of potential expressions that aren’t mostly known at the start of your application, you will be creating lots of dynamic assemblies, which isn’t blazing fast (although executing the expressions will be), and keeping them around in memory. If you allow end users or developers to modify expressions at runtime, the old assembly holding the previous version of the expression can’t be unloaded from memory, and you generally have a mess. However, there is a huge design-time upside to this approach, which is that you don’t have to define an expression language yourself, you can re-use the expression syntax of the language you are using, and you don’t have to think much about parsing or compiling anything. But the runtime story in many scenario often makes the approach untenable.

Reflection Emit – the lightweight, high performance approach

If you’re very clever, there is a middle way in .NET, which is to use black magic and Reflection.Emit to generate methods straight to IL (basically a custom parser/compiler just for expressions), which bypasses most of the ugliness of the previous approach. Expressions are still compiled and use early binding (not reflection) to evaluate your expressions. I think in many, many scenarios this is a great option. Plus, you don’t need to collect all the frogs tongues and newts eyes to whip up this voodoo yourself, some kind, intelligent soul has done this for us.

The Old-Fashioned Way

If you want complete control of your expression language, though, perhaps to make it more end user friendly than C#, or you need late bound semantics when evaluating your expressions, or you just like to take things apart and get dirty, there’s always the old fashioned way. The old fashioned way is a three part approach, both a bit tedious, but not particularly difficult, especially with modern tools.

1. Define the syntax and grammar of your expression language

2. Parse your expression into an Abstract Syntax Tree (AST) based on your grammar

3. Compile your expression into an object model (or, alternatively, directly interpret from the AST)

Step one involves taking a string like “(10 – 2) + x ^ y” and splitting it up into something a computer can make use of. AST’s are all the rage now-a-days along with DSL’s, so won’t go into too much detail here, ask Google all about them. The point is, the string needs to be parsed. This task itself can be accomplished in one of three ways:

A. Hand roll parsing logic, possibly using Regular Expressions. Yuck. Error prone and tedious.

B. Use a modern parser-generator, like ANTLR, to define the grammar of your expression language in a clean, easily understood manner and let the tool code generate the classes required to parse expression strings according to your grammar. This is a straightforward, robust approach that offers the most flexibility. However, it also requires a few steps to create a grammar, generate a parser, test, modify, repeat. It isn’t without some tedium.

C. Use a parser that doesn’t use code generation, but allows your grammar to be directly defined in your target language and fed directly to a parser for parsing your strings. The only example of this I am aware of is a very cool tool on CodePlex called Irony. There may be others like it, but this is the only one I’m aware of personally, and it is quite nice.

(D. Of course, you could use an existing expression evaluator library – there are several – one of them is certain to suit your needs – I list the ones I’ve found below)

Once your expressions are parsed into a nice Abstract Syntax Tree, you need to do something with that tree. You can interpret the tree directly, or you can “compile” the AST into an object model that can be used to quickly evaluate the expression in many different contexts, with many different values for variables, etc. This is it’s own exercise in tedium, but once done can be relatively easily enhanced and modified as your expression language evolves.

[UPDATE:] A CodeProject article just popped up with another Parser Generator for .NET that looks pretty cool. This is a stand alone tool that takes your grammar and generates a parser <GASP!> No…really? Um…like all other parser generators in the world? Yes, BUT, it generates the parser completely, i.e. it does NOT generate some source code that derives from or must be consumed by the parent library (like most other parser generators). This means that the parser this tool generates is entirely standalone, it adds no dependencies to your project, and if you feel like it you could tweak it or study it or do whatever you like, it’s all there. I haven’t evaluated this one yet, but I definitely will in the near future. Here is a blurb from the intro to the CodeProject article:

“TinyGP stands for “Tiny Parser Generator”. This particular generator is an LL(1) recursive descent parser generator. This means that instead of generating a state machine out of a grammar like most compiler compilers, instead it will generate source code directly; basically generating a method for each non-terminal in the grammar. Terminals are expressed using .Net’s powerful regular expressions. To help the programmer create .Net regular expressions a Regex tool is embedded in TinyPG. Grammars can be written using the extended BNF notation. TinyGP will generate a scanner, parser and parsetree file in c# code from this which can be compiled directly into your own projects.”

[UPDATE 2] Using the recipe above, and Irony.net, I have posted a reference implementation an object-model based expression evaluator on Codeplex and called it Simple Expression Evaluator. Check it out. I used Irony.net as the default compiler, but structured the project so that by implementing a simple interface you could easily plug in any parser you like.

And that’s it, then you’re done. For those too busy or not geeky enough to want to build your own expression evaluating machines, I’ll list the libraries I have identified that looked good enough (to me) to use in a professional project.

Resources

1. Flee – Fast Lightweight Expression Evaluator – uses IL generation to produce a high performance expression evaluator based on C#.

2. LazyParser.NET – a late bound expression evaluator that does the whole bit manually. Uses reflection to resolve context variables, so it is slower than flee, but has the advantage of being late bound and so a little more flexible in certain circumstances.

3. The Spring.NET framework has a pretty intense expression evaluator library as well

4. Script.NET – A fully featured, interpreted scripting language based on C# and using Irony.NET. It can do a lot more than evaluate expressions, but it can evaluate expressions, too.

5. CodeProject article on using the ANTLR + Grammar approach to rolling your own expression evaluator. Article has a pretty professional library included in the code download.

6. Irony.NET compiler construction kit on Code Plex – a code gen-less parser tool. Create your grammars directly in C#.

7. A blog post on how Irony works

8. CodeProject article on getting started with Irony.NET

9. CodeProject article on writing a DSL using Irony.NET

10. Several approaches to evaluating expressions, ignoring the parsing aspect. Basically, various ways you could transform your AST into an object model.

11. TinyParser Generator is a utility that will generate the source code for a complete compiler from your grammar, without any intermediate libraries needed to be referenced by your code.

12. Simple Expression Evaluator – Irony.NET based Expression Evaluator

Boo is an interesting, extremely flexible CLR language with an “open compiler architecture” – which means that you can easily extend its compiler to accommodate your needs. I bought a Manning Early Access Program (unfinished, unedited, and rough around the edges) book by Ayende Rahien called Building Domain Specific Languages in Boo that, despite the writing style, which conveys an accent and is so informal that it almost borders on the insane, has already proven quite useful. The book relies on an open source library, also by Ayende Rahien (of Rhino Mocks fame) called Rhino DSL. The library itself is small, simple and effective. In addition to DSL’s, Boo (which is a statically typed, compiled language) has an optional interpreter and seems like it could be effectively used as a runtime scripting language, in addition of course to being a full blown .NET language you could write your business objects or UI in.

Anyway, below are a few resources I have come across while researching this topic in support of creating a state machine DSL referenced in my previous post:

Scripting With Boo
Binsor : Castle IOC container configuration using Boo DSL from Ayende

DSL Support
Early Access Book: Building DSLs in Boo (Ayende)

Specter Framework – writing executable object specs using a Boo DSL

An interesting example of TDD using Specter
Article on DSL’s using BOO by Ayende

A list of open source apps written in boo

Martin Fowler is writing a book on DSL’s also

Using Boo as an embedded scripting language

Visual Studio Integration via BooLangStudio

SimpleStateMachine project using a Boo DSL for configuration

I have posted a CodePlex project here that implements a simple, customizable State Machine & miniature runtime. The point of this project was to replace Windows Workflow Foundation in one of our applications as the state machine engine. Windows Workflow foundation is a powerful, robust technology but turns out to be unsupportable overkill if all you are really after is defining and coordinating state transitions in your application. Plus, it can be rather difficult to unit test, even more difficult to version and extend once an application is deployed, and requires all sorts of baggage in the form of database infrastructure and GAC requirements, etc.

Anyway, this library does nothing else besides let you define a set of events, states, and transitions between states when triggered by events, and optionally allows for user defined actions to fire during the initialization or finalization of any or all states.

As for representing the actual state machines there are a few options: A visual designer such as WF provides. The WF designer itself is awful for representing state machines, even simple ones, as it was designed to suit sequential workflows as well and the two kinds of diagrams have different needs. It might be possible to create a visual designer that did the job well, but it would be a big task. Another option is to configure state machines in code using an object model or fluent interface. This would have worked, but it ends up looking pretty ugly after a while and you can’t change your state machines without deploying updated assemblies.

The approach I settled on was to use a DSL, using Boo and Rhino DSL, as described by Ayende Rahien in his (unfinished) book on the subject. The State Machine language itself was inspired by Martin Fowler, who appears also to be writing a book about DSL’s.

An example state machine definition looks like the sample below. It isn’t as snazzy and colorful as the visual designer version you get with WF, but in practice it is much more practical.

workflow "Telephone Call"

trigger @CallDialed
trigger @HungUp
trigger @CallConnected
trigger @LeftMessage
trigger @PlacedOnHold
trigger @TakenOffHold
trigger @PhoneHurledAgainstWall

state @OffHook:
	when @CallDialed             >> @Ringing

state @Ringing:
	when @HungUp                 >> @OffHook
	when @CallConnected          >> @Connected

state @Connected:
	when @LeftMessage            >> @OffHook
	when @HungUp                 >> @OffHook
	when @PlacedOnHold           >> @OnHold

state @OnHold:
	when @TakenOffHold           >> @Connected
	when @HungUp                 >> @OffHook
	when @PhoneHurledAgainstWall >> @PhoneDestroyed

state @PhoneDestroyed