Application Insights

[rfcdejong]

We used to capture requests from clients to our server using the HttpDataportal and then inside our ObjectFactory we intercepted the requests and modified Http.Context .GetTelemetry and changed the name of the Telemetry being written. This so application Insights showed the Business Object name under the request inside the Log Analytics data / Performance tab inside Application Insights.

See link: #1790 (comment)

I think I have three possible solutions to look at:

1. Somehow make the current telemetry accessible for the Factory
2. Somehow make the dataportal context accessible for the TelemetryInitializer.
3. Deserialize the Request content inside the controller myself before calling base.Post (will probl. have a performance impact)

We used to use nr 1 using the HttpContext, but I don't know why that no longer works...
I believe the initializers are processed before the dataportal context is known, so option 2 is perhaps not possible.
https://docs.microsoft.com/en-GB/azure/azure-monitor/app/api-filtering-sampling#create-a-telemetry-processor-c

Any other idea's?

[rockfordlhotka]

The IAuthorizeDataPortal handler gets the full call context, and is where I'd generally put per-call logging.

[rfcdejong]

The IAuthorizeDataPortal handler gets the full call context, and is where I'd generally put per-call logging.

That will probably work, not perfect as it is to validate authorization, but if it works it fine for me. Perhaps the IInterceptDataPortal Initialize seems more valid for this case. I see that the HttpPortal creates the DataPortal and the DataPortal was constructed for a "CslaAuthorizationProvider" setting by default. Then it calls the authorize provider Authorize method. No fussy stuff so I believe the HttpContext will still be accessible.

I'll implement one provider tomorrow and mark your comment as answer if it works.

[rockfordlhotka]

Yes, the interceptor should also work fine. You shouldn't need to do anything in a factory or business class - that's quite late in the server-side pipeline.

[rfcdejong]

I found the cause which results that the HttpContext.Current is null. It had nothing to do with CSLA upgrade.
After solving our previous code is also working again, our ObjectFactory can access the HttpContext.

Calling the following GetRequestBody() method from our controller results into the HttpContext.Current to be null.

[rfcdejong]

Both at Authorize and Interceptor the HttpContext.Current is always null in the update operation. In our previous code the telemetry was simply not written so noone ever noticed it.

The code I removed from our controller down into the authorizer doesn't allow the HttpContext.Current to be null, because it expects an authorization header to validate an accesstoken passed in by the client.

It would be a solution to have the Request.Content being deserialized in the Controller for the Telemetry to log the name.
Token validation cannot happen inside the custom Authorize class.

[rfcdejong]

@rockfordlhotka perhaps you could make it possible to pass the ObjectType as header in the client-side HttpProxy? That would eliminate the need to deserialize the request in the controller before calling the serverside dataportal.

I looked into the HttpProxy "CallDataPortalServer", but it only passes along the serialized object into the HttpClient. Abusing routing tokens is undoable for so many objects.

[rfcdejong]

I found a new solution and just moved all into our controller as it is the first possible entry and the only place that the HttpContext is always available. Also to not serialize and deserialize more than needed I had to copy csla code into our own controller. The base code does not return information whether there are errors inside the result, so another reason to copy the code.
Client-side there is a new access token acquired by MSAL each time a requests goes into the backend. Some businessobjects are allowed to bypass the token validation.

Here is our new Controller and see why I had to do this.

    public class DataPortalController : Csla.Server.Hosts.HttpPortalController 
    {
        // ReSharper disable once EmptyConstructor
        public DataPortalController()
        {
        }

        public override async Task<HttpResponseMessage> PostAsync(string operation)
        {
            // do not validation accesstoken and log telemetry when not hosted as SaaS -> IsOnline
            if (!ConfigHelper.IsOnline)
                return await base.PostAsync(operation);

            // Beware!!!
            // HtppContext.Current becomes null after content deserialization in combination with using awaiters and synchronisation, especially when operation = update
            // Use it right now and only now
            var telemetry = HttpContext.Current.GetRequestTelemetry();

            var startTime = DateTime.UtcNow;

            // deserialize request content
            var requestData = await Request.Content.ReadAsByteArrayAsync().ConfigureAwait(false);
            var deserialized = MobileFormatter.Deserialize(requestData);

            // obtain typename and user principal from request
            string typeName = string.Empty;
            IPrincipal cslaPrincipal = null;
            switch (deserialized)
            {
                case CriteriaRequest criteriaRequest:
                    typeName = criteriaRequest.TypeName.Substring(0, criteriaRequest.TypeName.IndexOf(','));
                    cslaPrincipal = (IPrincipal)MobileFormatter.Deserialize(criteriaRequest.Principal);
                    break;
                case UpdateRequest updateRequest:
                    var obj = MobileFormatter.Deserialize(updateRequest.ObjectData);
                    typeName = obj.GetType().FullName;
                    cslaPrincipal = (IPrincipal)MobileFormatter.Deserialize(updateRequest.Principal);
                    break;
            }

            // check whether the business object is allowed for anonymous access, if not then validate the accesstoken
            ClaimsPrincipal claimsPrincipal = null;
            if (!string.IsNullOrEmpty(typeName) && !AllowAnonymous(typeName))
            {
                claimsPrincipal = await ValidateTokenAsync();
                if (claimsPrincipal == null)
                    throw new HttpResponseException(HttpStatusCode.Unauthorized);
            }

            // update request telemetry
            UpdateRequestTelemetry(telemetry, typeName, operation, cslaPrincipal, claimsPrincipal);

            // invoke dataportal and serialize to response content
            var portalResult = await InvokePortal(operation, requestData).ConfigureAwait(false);
            var bytes = MobileFormatter.Serialize(portalResult);
            var response = Request.CreateResponse();
            response.Content = new ByteArrayContent(bytes);

            // deserialize the result and set success is true when the dataportal executed successfully
            telemetry.Duration = DateTime.UtcNow - startTime;
            telemetry.Success = portalResult.ErrorData == null;

            return response;
        }

        #region Methods copied from Csla.Server.Hosts.HttpPortalController
        private async Task<Csla.Server.Hosts.HttpChannel.HttpResponse> InvokePortal(string operation, byte[] data)
        {
            var result = new Csla.Server.Hosts.HttpChannel.HttpResponse();
            HttpErrorInfo errorData = null;
            try
            {
                var buffer = new MemoryStream(data);
                buffer.Position = 0;
                var request = MobileFormatter.Deserialize(buffer.ToArray());
                result = await CallPortal(operation, request);
            }
            catch (Exception ex)
            {
                errorData = new HttpErrorInfo(ex);
            }
            return new Csla.Server.Hosts.HttpChannel.HttpResponse { ErrorData = errorData, GlobalContext = result.GlobalContext, ObjectData = result.ObjectData };
        }

        private async Task<Csla.Server.Hosts.HttpChannel.HttpResponse> CallPortal(string operation, object request)
        {
            var portal = Portal;
            switch (operation)
            {
                case "create":
                    return await portal.Create((CriteriaRequest)request).ConfigureAwait(false);
                case "fetch":
                    return await portal.Fetch((CriteriaRequest)request).ConfigureAwait(false);
                case "update":
                    return await portal.Update((UpdateRequest)request).ConfigureAwait(false);
                case "delete":
                    return await portal.Delete((CriteriaRequest)request).ConfigureAwait(false);
                default:
                    throw new InvalidOperationException(operation);
            }
        }
        #endregion

        private void UpdateRequestTelemetry(RequestTelemetry telemetry, string typeName, string operation, IPrincipal userPrincipal, ClaimsPrincipal claimsPrincipal)
        {
            if (telemetry == null) return;

            var operationName = $"{typeName} - {operation}".Replace("UNIT4.Dias.Business.", "");
            telemetry.Context.Operation.Name = operationName;
            telemetry.Name = operationName;

            // Is allowed by GDPR when we use this for performance reasons and support?
            var username = claimsPrincipal?.Claims.First(x => x.Type == "preferred_username").Value;
            if (username != null)
                telemetry.Context.User.AccountId = username;

            if (userPrincipal != null && userPrincipal.Identity is UNIT4Identity unit4Identity)
            {
                telemetry.Context.Session.Id = unit4Identity.UserSessionId?.ToString();
                telemetry.Context.User.Id = unit4Identity.Name;
                telemetry.Context.User.AuthenticatedUserId = unit4Identity.Name;
            }
        }

        private bool AllowAnonymous(string typeName)
        {
            // allow specific business objects for no authorization
            if (typeName == typeof(FallbackAccount).FullName
                || typeName == typeof(InviteFallbackAccountCommand).FullName
                || typeName == typeof(InvitedFallbackAccount).FullName
                || typeName == typeof(SetFallbackAccountCommand).FullName)
            {
                return true;
            }

            return false;
        }

        private async Task<ClaimsPrincipal> ValidateTokenAsync()
        {
            var token = Request.Headers.Authorization.Parameter;

            if (string.IsNullOrEmpty(token))
            {
                return null;
            }

            var validator = new TokenValidator(new List<string> { WebConfigurationManager.AppSettings["ClientId"], WebConfigurationManager.AppSettings["FallbackClientId"] });
            var principal = await validator.ValidateAsync(token);

            if (!principal.Identity.IsAuthenticated)
                return null;

            return principal;
        }
    }