Activities of "alexander.nikonov"
I have a separate IdentityServer.
One of the projects has RabbitMQ receiver, where all other projects send the data too. This receiver needs to insert data into DB based on the received RabbitMQ input and it uses INotificationAppService in the same project to do that. See the code below.
When I do not use Authorization attribute - it of course works OK. But I want to make it work secure - i.e. if I do not use typical request authorization (since there is no request in question here) RabbitMQ needs to be trusted somehow inside AppService.
So what are your proposals again - even if you mean not to use AppService at all here? Could you please write a couple of code lines to describe the idea?
public override async Task<object> Received(BasicDeliverEventArgs @event)
{
var notificationCacheRabbitMqEto = @event.ToDataObject<NotificationRabbitMqEto>();
var hubContext = _serviceProvider.GetService<IHubContext<NotificationHub>>();
using (var scope = _serviceProvider.CreateScope())
{
try
{
var notificationAppService = scope.ServiceProvider.GetRequiredService<INotificationAppService>();
var newNotification = await notificationAppService.CreateAsync(new NotificationCreateDto
{
TenantId = notificationCacheRabbitMqEto.TenantId,
Login = notificationCacheRabbitMqEto.Login,
Level = (int)notificationCacheRabbitMqEto.Level,
Title = notificationCacheRabbitMqEto.Title,
Details = notificationCacheRabbitMqEto.Details,
IsActive = true,
IsImportant = notificationCacheRabbitMqEto.IsImportant,
CreatorName = GetTrimmedCreatorName(notificationCacheRabbitMqEto.Login), //Like so?
LastModifierName = GetTrimmedCreatorName(notificationCacheRabbitMqEto.Login) //Like so?
});
await hubContext.Clients.Group(notificationCacheRabbitMqEto.Login).SendAsync("notificationReceived", newNotification);
}
catch (Exception ex)
{
Log.Error(ex.Message);
}
}
return Task.FromResult<object>(null);
}
[RemoteService(IsEnabled = false)]
//[Authorize]
public class NotificationAppService : INotificationAppService
{
private readonly IServiceProvider _serviceProvider;
private readonly INotificationRepository _notificationRepository;
private readonly IStringLocalizer<CommonUIResource> _stringLocalizer;
private readonly IUnitOfWorkManager _unitOfWorkManager;
private readonly IObjectMapper _objectMapper;
public NotificationAppService
(
IServiceProvider serviceProvider,
INotificationRepository notificationRepository,
IStringLocalizer<CommonUIResource> stringLocalizer,
IUnitOfWorkManager unitOfWorkManager,
IObjectMapper objectMapper
)
{
_serviceProvider = serviceProvider;
_notificationRepository = notificationRepository;
_stringLocalizer = stringLocalizer;
_unitOfWorkManager = unitOfWorkManager;
_objectMapper = objectMapper;
}
...
}
public interface INotificationAppService : IApplicationService, ITransientDependency {
...
}
You should not remove
Authorize, We recommend that you pass the access token to complete the authentication.https://learn.microsoft.com/en-us/aspnet/core/signalr/authn-and-authz?view=aspnetcore-7.0#built-in-jwt-authentication https://ocelot.readthedocs.io/en/latest/features/websockets.html
I've already seen and used it before. As I said, passing token in URL doesn't seem very prominent. But this confuses me at Ocelot at NOT SUPPORTED section: "Authentication - If anyone requests it we might be able to do something with basic authentication."
So what is the underline here? Does authentication for Ocelot + SignalR does not suggest another way of request authentication besides passing token via URL?
UPDATE.
It started to work after I removed [Authorize] attribute from my Hub class.
Does it mean that currently SignalR is working without authentication? I know that SignalR does not work with headers, but I don't want to pass token via URL. Should I ever worry about that, if my SignalRService code works within AppComponent which is available only for authorized user?
Probably you can suggest another approach to be on safe side? In addition to using tokens, I used to create token cookie in my HttpApi.Host project middleware and added it later on to each request like this (for instance, for Hangfire dashboard page), but at some point cookie functionality got broken - probably after introducing Ocelot gateway, not sure...
Recreating our structure having several projects using a brand new ABP project is not a trivial and time consuming task and I'm afraid I have no project time for that. For this reason I'm asking you if there's something wrong with the code above. This is all I can provide. If this code makes no sense - I'd like to know why permission cache is not properly updated across the applications sharing the same cache - no matter if I use default in-memory cache or Redis server. All the apps are using the same Identity server and now hosted on localhost.
Hi.
It's not possible to check out. Because we've already upgraded.
In my opinion there shouldn't be any special custom code if using Redis: all permissions from all applications use the same permission cache, but they have own cache prefix, so the permissions are not mixed. And once I am done editing the roles, the cache has to be automatically updated, so when a user refreshes a webpage in app B, app C - he sees only the pages which are available according to the updated permissions. Unfortunately, it doesn't work...
Hi. Could you please let me know why this does not work anymore? Maybe it has something to do with the ABP version upgrade? If I remember it right, it was done for 4.x. Now we have ABP 5.1.3 and even though RabbitMq data seems to be correct, the permission update happens RANDOMLY, i.e. sometimes the permission with "false" value are not removed in fact from cache. Sometimes permissions with "true" value are not added... The question is related to SetManyAsync. I've tried to use sync method instead, tried to use RefreshManyAsync after SetManyAsync, it's all in vain:
public class MyPermissionCacheRabbitMqReceiver : RabbitMqReceiverBase
{
private readonly IServiceProvider _serviceProvider;
public MyPermissionCacheRabbitMqReceiver(IServiceProvider serviceProvider, string queueName) : base(queueName)
{
_serviceProvider = serviceProvider;
}
public override async Task<object> Received(BasicDeliverEventArgs @event)
{
var permissionCacheRabbitMqEto = @event.ToDataObject<PermissionCacheRabbitMqEto>();
var permissionGrantCache = _serviceProvider.GetService<IDistributedCache<PermissionGrantCacheItem>>();
var currentTenant = _serviceProvider.GetService<ICurrentTenant>();
using (currentTenant.Change(permissionCacheRabbitMqEto.AbpTenantId))
{
await permissionGrantCache.SetManyAsync(
permissionCacheRabbitMqEto.Permissions.Select(permission =>
new KeyValuePair<string, PermissionGrantCacheItem>(permission.Key, new PermissionGrantCacheItem(permission.Value))));
}
return Task.FromResult<object>(null);
}
}
The service which sends the message resides on the different host and looks like this:
[Dependency(ReplaceServices = true)]
[ExposeServices(typeof(IPermissionAppService))]
public class ApiPermissionAppService : PermissionAppService
{
private readonly IRabbitMqManager _rabbitMqManager;
public ApiPermissionAppService
(
IPermissionManager permissionManager,
IPermissionDefinitionManager permissionDefinitionManager,
IOptions<PermissionManagementOptions> options,
ISimpleStateCheckerManager<PermissionDefinition> permissionStateManager,
IRabbitMqManager rabbitMqManager
)
: base(permissionManager, permissionDefinitionManager, options, permissionStateManager)
{
_rabbitMqManager = rabbitMqManager;
}
public override async Task UpdateAsync(string providerName, string providerKey, UpdatePermissionsDto input)
{
await base.UpdateAsync(providerName, providerKey, input);
var permissions = input.Permissions.Select(x => x)
.ToDictionary(x => PermissionGrantCacheItem.CalculateCacheKey(x.Name, providerName, providerKey), x => x.IsGranted);
await _rabbitMqManager.SendPermissionCacheChangeAsync("AbxEps-Abp-Caching", CurrentTenant.Id, permissions);
}
}
Sorry, we cannot share our code. Creating a test project would be too complex too.
UPDATE: I've tried to use Redis server cache instead of the built-in cache. And the problem remains. Do I ever need to make something special if I change role permission on separate app server A and want them to get applied on server B, server C...?
Your bot has closed these ticket again. How to prevent this?
Unfortunately, I cannot share the source code, but I'll try to describe what I've found out.
I've revealed that the issue happens when I am trying to modify HttpContext response stream. I have to return custom JSON response when my application throws an exception. For this goal, the middleware has been created. It analyzes HttpContext response headers and replaces this response stream - when an exception happens - with custom JSON response. The middleware uses IAuditingManager to collect the information about errors.
Do you have any idea how modifying HttpContext response stream may affect IAuditLogRepository logic?
This issue can be reproduced when you are trying to save some error (the exception which happens in your application). Have you reproduced this case?
Hi. Not exactly.
I use the RequiredPolicy options for routing configuration of an application menu. It allows me to limit the displayed menu items based on user permissions. When a user tries to navigate to the page directly - he sees 403 error page. I would like to show information about a missing permission here. But HttpErrorResponse object doesn't contain such information. I've made the research of JS code and found out that the inner logic doesn't include it for HttpErrorResponse object. Please see the corresponding part of your source code below:
