Ability to allow or deny registered functions execution

Rajesh Jinaga · Rajesh Jinaga · commit faf49b057af4 · 2022-07-19T17:44:44.000+05:30
diff --git a/src/Simpleflow/CodeGenerator/ParserEventPublisher.cs b/src/Simpleflow/CodeGenerator/ParserEventPublisher.cs
@@ -0,0 +1,22 @@
+﻿// Copyright (c) navtech.io. All rights reserved. 
+// See License in the project root for license information.
+
+using System;
+
+namespace Simpleflow.CodeGenerator
+{
+    internal enum EventType
+    {
+        None,
+        VisitFunctionOnAvail
+    }
+    internal class ParserEventPublisher
+    {
+        public Action<EventType, object> OnVisit;
+
+        public void Publish(EventType eventType, object data)
+        {
+            OnVisit(eventType, data);
+        }
+    }
+}
diff --git a/src/Simpleflow/CodeGenerator/SimpleflowCodeVisitor.VisitFunction.cs b/src/Simpleflow/CodeGenerator/SimpleflowCodeVisitor.VisitFunction.cs
@@ -21,16 +21,19 @@ partial class SimpleflowCodeVisitor<TArg>
 
         public override Expression VisitFunction([NotNull] SimpleflowParser.FunctionContext context)
         {
-            var functionName = context.FunctionName().GetText();
+            var functionName = context.FunctionName().GetText().Substring(1); // Remove $ symbol
 
             // Get registered function
-            var function = FunctionRegister.GetFunction(functionName.Substring(1)); // Remove $ symbol
+            var function = FunctionRegister.GetFunction(functionName); 
 
             if (function == null)
             {
                 throw new InvalidFunctionException(functionName);
             }
 
+            // Publish event once function is available to compile
+            EventPublisher.Publish(EventType.VisitFunctionOnAvail, functionName);
+
             // Get actual method meta-data info and parameters
             var methodInfo = function.GetMethodInfo();
 
diff --git a/src/Simpleflow/CodeGenerator/SimpleflowCodeVisitor.cs b/src/Simpleflow/CodeGenerator/SimpleflowCodeVisitor.cs
@@ -27,9 +27,12 @@ internal partial class SimpleflowCodeVisitor<TArg> : SimpleflowBaseVisitor<Expre
         protected readonly ParameterExpression Output; // script main function parameter 2
         protected readonly ParameterExpression ScriptHelperContext; //script main function  parameter 3
 
-        public SimpleflowCodeVisitor(IFunctionRegister functionRegister)
+        protected readonly ParserEventPublisher EventPublisher;
+
+        public SimpleflowCodeVisitor(IFunctionRegister functionRegister, ParserEventPublisher eventPublisher)
         {
             FunctionRegister = functionRegister ?? throw new ArgumentNullException(nameof(functionRegister));
+            EventPublisher = eventPublisher;
 
             /* Initialize smart variables and smart json variables */
             Variables = new List<ParameterExpression>();
diff --git a/src/Simpleflow/CodeGenerator/SimpleflowCompiler.cs b/src/Simpleflow/CodeGenerator/SimpleflowCompiler.cs
@@ -15,7 +15,9 @@ namespace Simpleflow.CodeGenerator
     internal class SimpleflowCompiler
     {
 
-        public static Action<FlowInput<TArg>, FlowOutput, ScriptHelperContext> Compile<TArg>(string code, IFunctionRegister activityRegister)
+        public static Action<FlowInput<TArg>, FlowOutput, ScriptHelperContext> Compile<TArg>(string code, 
+            IFunctionRegister activityRegister, 
+            ParserEventPublisher eventPublisher)
         {
             var inputStream = new AntlrInputStream(code);
 
@@ -43,8 +45,9 @@ public static Action<FlowInput<TArg>, FlowOutput, ScriptHelperContext> Compile<T
                 throw new SyntaxException(errorListener.GetAggregateMessages(), errorListener.Errors);
             }
 
+            
             // Generate code
-            var visitor = new SimpleflowCodeVisitor<TArg>(activityRegister);
+            var visitor = new SimpleflowCodeVisitor<TArg>(activityRegister, eventPublisher);
             var program = visitor.Visit(programContext);
 
             // Compile
diff --git a/src/Simpleflow/Exceptions/AccessDeniedException.cs b/src/Simpleflow/Exceptions/AccessDeniedException.cs
@@ -0,0 +1,13 @@
+﻿// Copyright (c) navtech.io. All rights reserved. 
+// See License in the project root for license information.
+
+namespace Simpleflow.Exceptions
+{
+    public class AccessDeniedException : SimpleflowException
+    {
+        public AccessDeniedException(string message) : base(message)
+        {
+
+        }
+    }
+}
diff --git a/src/Simpleflow/FlowOptions.cs b/src/Simpleflow/FlowOptions.cs
@@ -15,11 +15,11 @@ public class FlowOptions : IOptions
         /// <summary>
         /// Gets or sets AllowFunctions
         /// </summary>
-        public string[] AllowOnlyFunctions { get; set; }
+        public string[] AllowFunctions { get; set; }
 
         /// <summary>
         /// Gets or sets DenyFunctions
         /// </summary>
-        public string[] DenyOnlyFunctions { get; set; }
+        public string[] DenyFunctions { get; set; }
     }
 }
diff --git a/src/Simpleflow/IOptions.cs b/src/Simpleflow/IOptions.cs
@@ -14,19 +14,14 @@ public interface IOptions
         bool AllowArgumentToMutate { get;  }
 
         /// <summary>
-        /// Gets or sets AllowFunctions, 
-        /// if nothing is specified all configured functions will be allowed.
-        /// Either <see cref="AllowOnlyFunctions"/> or <see cref="DenyOnlyFunctions"/> 
-        /// must be set, not both.
+        /// Gets or sets AllowFunctions
         /// </summary>
-        public string[] AllowOnlyFunctions { get; set; }
+        public string[] AllowFunctions { get; set; }
 
 
         /// <summary>
         /// Gets or sets DenyFunctions.
-        /// Either <see cref="AllowOnlyFunctions"/> or <see cref="DenyOnlyFunctions"/> 
-        /// must be set, not both.
         /// </summary>
-        public string[] DenyOnlyFunctions { get; set; }
+        public string[] DenyFunctions { get; set; }
     }
 }
diff --git a/src/Simpleflow/Services/CacheService.cs b/src/Simpleflow/Services/CacheService.cs
@@ -106,8 +106,8 @@ protected virtual string GetScriptUniqueId(string script)
         private string GetFlowContextOptionsId(IContextOptions options)
         {
             if (options.AllowArgumentToMutate == false 
-                && (options.AllowOnlyFunctions == null || options.AllowOnlyFunctions.Length == 0)
-                && (options.DenyOnlyFunctions == null  || options.DenyOnlyFunctions.Length == 0)
+                && (options.AllowFunctions == null || options.AllowFunctions.Length == 0)
+                && (options.DenyFunctions == null  || options.DenyFunctions.Length == 0)
                 )
             {
                 return string.Empty;
@@ -116,16 +116,16 @@ private string GetFlowContextOptionsId(IContextOptions options)
             StringBuilder sb = new StringBuilder();
             sb.Append(string.Join(' ', options.AllowArgumentToMutate));
             
-            if (options.AllowOnlyFunctions != null && options.AllowOnlyFunctions.Length > 0)
+            if (options.AllowFunctions != null && options.AllowFunctions.Length > 0)
             {
                 sb.Append("Allow"); //ensure add this to avoid collisions
-                sb.Append(string.Join(' ', options.AllowOnlyFunctions));
+                sb.Append(string.Join(' ', options.AllowFunctions));
             }
 
-            if (options.DenyOnlyFunctions != null && options.DenyOnlyFunctions.Length > 0)
+            if (options.DenyFunctions != null && options.DenyFunctions.Length > 0)
             {
                 sb.Append("Deny"); //ensure add this to avoid collisions
-                sb.Append(string.Join(' ', options.DenyOnlyFunctions ));
+                sb.Append(string.Join(' ', options.DenyFunctions ));
             }
 
             return GetScriptUniqueId(sb.ToString());
diff --git a/src/Simpleflow/Services/CompilerService.cs b/src/Simpleflow/Services/CompilerService.cs
@@ -2,7 +2,9 @@
 // See License in the project root for license information.
 
 using System;
+using System.Linq;
 using Simpleflow.CodeGenerator;
+using Simpleflow.Exceptions;
 
 namespace Simpleflow.Services
 {
@@ -34,7 +36,10 @@ So here we don't need to run again  */
 
             if (context.Internals.CompiledScript == null)
             {
-                context.Internals.CompiledScript = SimpleflowCompiler.Compile<TArg>(context.Script, _activityRegister);
+                var eventPublisher = new ParserEventPublisher();
+                CheckFunctionExecutionPermissions(context, eventPublisher);
+
+                context.Internals.CompiledScript = SimpleflowCompiler.Compile<TArg>(context.Script, _activityRegister, eventPublisher);
 
                 context.Trace.Write("Compiled");
             }
@@ -45,5 +50,33 @@ So here we don't need to run again  */
             
             next?.Invoke(context);
         }
+
+        private static void CheckFunctionExecutionPermissions<TArg>(FlowContext<TArg> context, ParserEventPublisher eventPublisher)
+        {
+            eventPublisher.OnVisit = (type, data) =>
+            {
+                if (type == EventType.VisitFunctionOnAvail 
+                    && context.Options?.DenyFunctions != null)
+                {
+                    var functionName = data.ToString();
+                    if (context.Options.DenyFunctions.Contains(functionName, StringComparer.OrdinalIgnoreCase))
+                    {
+                        throw new AccessDeniedException($"Function '{functionName}' cannot be allowed to run in this context.");
+                    }
+                }
+
+                if (type == EventType.VisitFunctionOnAvail
+                    && context.Options?.AllowFunctions != null)
+                {
+                    var functionName = data.ToString();
+                    if (!context.Options.AllowFunctions.Contains(functionName, StringComparer.OrdinalIgnoreCase))
+                    {
+                        throw new AccessDeniedException($"Function '{functionName}' cannot be allowed to run in this context.");
+                    }
+                }
+            };
+        }
+
+
     }
 }
diff --git a/src/Simpleflow/Simpleflow.xml b/src/Simpleflow/Simpleflow.xml
diff --git a/test/Simpleflow.Tests/Infrastructure/FlowContextOptionsTest.cs b/test/Simpleflow.Tests/Infrastructure/FlowContextOptionsTest.cs
@@ -1,11 +1,12 @@
 ﻿// Copyright (c) navtech.io. All rights reserved.
 // See License in the project root for license information.
 
+using Simpleflow.Exceptions;
 using Xunit;
 
 namespace Simpleflow.Tests.Infrastructure
 {
-    public  class FlowContextOptionsTest
+    public class FlowContextOptionsTest
     {
         [Fact]
         public void CheckFlowContextOptionCacheId()
@@ -22,45 +23,89 @@ public void CheckFlowContextOptionCacheId()
                                     .AddCorePipelineServices(FunctionRegister.Default)
                                     .AddPipelineServices(new LoggingService())
                                     .Build()
-                                    .Run(script, 
+                                    .Run(script,
                                          new object(),
                                          options);
 
             // Assert
             SimpleflowTrace trace = (SimpleflowTrace)result.Output["Trace"];
             var logs = trace.GetLogs();
 
-            Assert.Contains(expectedSubstring: id , actualString: logs);
+            Assert.Contains(expectedSubstring: id, actualString: logs);
         }
 
         [Fact]
         public void CheckFlowContextOptionWithDenyFunction()
         {
             // Arrange
             string script = @"
-                              message ""test""
+                              let d = $GetCurrentDateTime()
+                              message d
                             ";
             string id = System.Guid.NewGuid().ToString();
-            var options = new FlowContextOptions 
-                                    { 
-                                      Id = id, 
-                                      DenyOnlyFunctions=  new string[] { "GetCurrentDateTime" }
-                                    };
+            var options = new FlowContextOptions
+            {
+                Id = id,
+                DenyFunctions = new string[] { "GetCurrentDateTime" }
+            };
 
-            // Act
-            FlowOutput result = new SimpleflowPipelineBuilder()
-                                    .AddCorePipelineServices(FunctionRegister.Default)
-                                    .AddPipelineServices(new LoggingService())
-                                    .Build()
-                                    .Run(script,
-                                         new object(),
-                                         options);
+            // Act & Assert
+            Assert.Throws<AccessDeniedException>(
+                () => new SimpleflowPipelineBuilder()
+                            .AddCorePipelineServices(FunctionRegister.Default)
+                            .AddPipelineServices(new LoggingService())
+                            .Build()
+                            .Run(script,new object(), options));
+        }
 
-            // Assert
-            SimpleflowTrace trace = (SimpleflowTrace)result.Output["Trace"];
-            var logs = trace.GetLogs();
+        [Fact]
+        public void CheckFlowContextOptionWithAllowOnlyFunction()
+        {
+            // Arrange
+            string script = @"
+                              let d = $GetCurrentDate()
+                              message d
+                            ";
+            string id = System.Guid.NewGuid().ToString();
+            var options = new FlowContextOptions
+            {
+                Id = id,
+                AllowFunctions = new string[] { "GetCurrentDateTime" }
+            };
 
-            Assert.Contains(expectedSubstring: id, actualString: logs);
+            // Act & Assert
+            Assert.Throws<AccessDeniedException>(
+                () => new SimpleflowPipelineBuilder()
+                            .AddCorePipelineServices(FunctionRegister.Default)
+                            .AddPipelineServices(new LoggingService())
+                            .Build()
+                            .Run(script, new object(), options));
+        }
+
+        [Fact]
+        public void CheckFlowContextOptionWithAllowOnlyFunctionWithoutError()
+        {
+            // Arrange
+            string script = @"
+                              let d = $GetCurrentDateTime()
+                              message d
+                            ";
+            string id = System.Guid.NewGuid().ToString();
+            var options = new FlowContextOptions
+            {
+                Id = id,
+                AllowFunctions = new string[] { "GetCurrentDateTime" }
+            };
+
+            // Act 
+            var result =
+                    new SimpleflowPipelineBuilder()
+                            .AddCorePipelineServices(FunctionRegister.Default)
+                            .AddPipelineServices(new LoggingService())
+                            .Build()
+                            .Run(script, new object(), options);
+            // Assert
+            Assert.Single(result.Messages);
         }
 
         class LoggingService : IFlowPipelineService

Original file line number	Diff line number	Diff line change
`@@ -21,16 +21,19 @@ partial class SimpleflowCodeVisitor<TArg>`
`21`	`21`
`22`	`22`	`public override Expression VisitFunction([NotNull] SimpleflowParser.FunctionContext context)`
`23`	`23`	`{`
`24`		`- var functionName = context.FunctionName().GetText();`
	`24`	`+ var functionName = context.FunctionName().GetText().Substring(1); // Remove $ symbol`
`25`	`25`
`26`	`26`	`// Get registered function`
`27`		`- var function = FunctionRegister.GetFunction(functionName.Substring(1)); // Remove $ symbol`
	`27`	`+ var function = FunctionRegister.GetFunction(functionName);`
`28`	`28`
`29`	`29`	`if (function == null)`
`30`	`30`	`{`
`31`	`31`	`throw new InvalidFunctionException(functionName);`
`32`	`32`	`}`
`33`	`33`
	`34`	`+ // Publish event once function is available to compile`
	`35`	`+ EventPublisher.Publish(EventType.VisitFunctionOnAvail, functionName);`
	`36`	`+`
`34`	`37`	`// Get actual method meta-data info and parameters`
`35`	`38`	`var methodInfo = function.GetMethodInfo();`
`36`	`39`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,9 @@ namespace Simpleflow.CodeGenerator`
`15`	`15`	`internal class SimpleflowCompiler`
`16`	`16`	`{`
`17`	`17`
`18`		`- public static Action<FlowInput<TArg>, FlowOutput, ScriptHelperContext> Compile<TArg>(string code, IFunctionRegister activityRegister)`
	`18`	`+ public static Action<FlowInput<TArg>, FlowOutput, ScriptHelperContext> Compile<TArg>(string code,`
	`19`	`+ IFunctionRegister activityRegister,`
	`20`	`+ ParserEventPublisher eventPublisher)`
`19`	`21`	`{`
`20`	`22`	`var inputStream = new AntlrInputStream(code);`
`21`	`23`
`@@ -43,8 +45,9 @@ public static Action<FlowInput<TArg>, FlowOutput, ScriptHelperContext> Compile<T`
`43`	`45`	`throw new SyntaxException(errorListener.GetAggregateMessages(), errorListener.Errors);`
`44`	`46`	`}`
`45`	`47`
	`48`	`+`
`46`	`49`	`// Generate code`
`47`		`- var visitor = new SimpleflowCodeVisitor<TArg>(activityRegister);`
	`50`	`+ var visitor = new SimpleflowCodeVisitor<TArg>(activityRegister, eventPublisher);`
`48`	`51`	`var program = visitor.Visit(programContext);`
`49`	`52`
`50`	`53`	`// Compile`
Original file line number	Diff line number	Diff line change
`@@ -15,11 +15,11 @@ public class FlowOptions : IOptions`
`15`	`15`	`/// <summary>`
`16`	`16`	`/// Gets or sets AllowFunctions`
`17`	`17`	`/// </summary>`
`18`		`- public string[] AllowOnlyFunctions { get; set; }`
	`18`	`+ public string[] AllowFunctions { get; set; }`
`19`	`19`
`20`	`20`	`/// <summary>`
`21`	`21`	`/// Gets or sets DenyFunctions`
`22`	`22`	`/// </summary>`
`23`		`- public string[] DenyOnlyFunctions { get; set; }`
	`23`	`+ public string[] DenyFunctions { get; set; }`
`24`	`24`	`}`
`25`	`25`	`}`
Original file line number	Diff line number	Diff line change
`@@ -106,8 +106,8 @@ protected virtual string GetScriptUniqueId(string script)`
`106`	`106`	`private string GetFlowContextOptionsId(IContextOptions options)`
`107`	`107`	`{`
`108`	`108`	`if (options.AllowArgumentToMutate == false`
`109`		`- && (options.AllowOnlyFunctions == null \|\| options.AllowOnlyFunctions.Length == 0)`
`110`		`- && (options.DenyOnlyFunctions == null \|\| options.DenyOnlyFunctions.Length == 0)`
	`109`	`+ && (options.AllowFunctions == null \|\| options.AllowFunctions.Length == 0)`
	`110`	`+ && (options.DenyFunctions == null \|\| options.DenyFunctions.Length == 0)`
`111`	`111`	`)`
`112`	`112`	`{`
`113`	`113`	`return string.Empty;`
`@@ -116,16 +116,16 @@ private string GetFlowContextOptionsId(IContextOptions options)`
`116`	`116`	`StringBuilder sb = new StringBuilder();`
`117`	`117`	`sb.Append(string.Join(' ', options.AllowArgumentToMutate));`
`118`	`118`
`119`		`- if (options.AllowOnlyFunctions != null && options.AllowOnlyFunctions.Length > 0)`
	`119`	`+ if (options.AllowFunctions != null && options.AllowFunctions.Length > 0)`
`120`	`120`	`{`
`121`	`121`	`sb.Append("Allow"); //ensure add this to avoid collisions`
`122`		`- sb.Append(string.Join(' ', options.AllowOnlyFunctions));`
	`122`	`+ sb.Append(string.Join(' ', options.AllowFunctions));`
`123`	`123`	`}`
`124`	`124`
`125`		`- if (options.DenyOnlyFunctions != null && options.DenyOnlyFunctions.Length > 0)`
	`125`	`+ if (options.DenyFunctions != null && options.DenyFunctions.Length > 0)`
`126`	`126`	`{`
`127`	`127`	`sb.Append("Deny"); //ensure add this to avoid collisions`
`128`		`- sb.Append(string.Join(' ', options.DenyOnlyFunctions ));`
	`128`	`+ sb.Append(string.Join(' ', options.DenyFunctions ));`
`129`	`129`	`}`
`130`	`130`
`131`	`131`	`return GetScriptUniqueId(sb.ToString());`