
Policy validation #6440

Closed
marianogenovese opened this issue Aug 30, 2016 · 4 comments

Comments

@marianogenovese

marianogenovese commented Aug 30, 2016

I want to implement a policy validation for entities where I can pre-check if a user can insert/update/delete/query an entity, but I don't see anything at EF Core level; at DB command level maybe in IUpdateSqlGenerator for insert/update/delete, but I think this is not right because it is not on top of all specific database providers (implementations). Is there something at core level or something at tree level like IDbCommandTreeInterceptor (EF6)?

My motive to make this question is because I need to implement a web application with OWASP security controls in mind, especially A4 – Insecure Direct Object References. A policy validation is useful to add a security level to data access.

Thanks.

@skimmilk

skimmilk commented Aug 31, 2016

Authorizing requests coming from the web should really be done in the application layer, not the database layer. Here's a framework that's very useful for authentication & authorization which integrates with EF Core and ASP.NET MVC, and is also written by the same .NET teams at Microsoft. So try checking out aspnet/Identity or some other framework first.

@marianogenovese
Author

I know that framework, but some security validations are in the database layer, like I can only query/create/delete/update some entities with specific values because my user profile must have that specific value; for example, I can only query records from an organization to which my user profile has been assigned.

@rowanmiller rowanmiller added this to the 1.1.0 milestone Sep 12, 2016
@rowanmiller rowanmiller modified the milestones: 1.2.0, 1.1.0-preview1 Oct 6, 2016
@divega
Contributor

divega commented Oct 13, 2016

In general it should be possible to perform this kind of validation at the application level if there are controllers that map to specific tables and controller actions that map to CUD operations on those tables. The controller actions could inspect values and execute additional logic to decide whether the operation is allowed for the specific user. Also the functionality in Microsoft.AspNetCore.Authorization could be leveraged for this purpose.

But as soon as the mapping between the controller and the database objects deviates from a simple 1:1 mapping I agree there would be value in having a way to achieve this kind of validation in the data layer.

We currently don't have any feature we have designed to do this. E.g. there is no IDbCommandTreeInterceptor in EF Core and update commands are not represented as expressions that can be parsed and easily reasoned about.

However it should be possible to satisfy some validation needs by overriding the SaveChanges() method as described in the blog post at https://blogs.msdn.microsoft.com/dotnet/2016/09/29/implementing-seeding-custom-conventions-and-interceptors-in-ef-core-1-0/.

Deeper support for this scenario could be added as part of lifecycle hooks (issue #626) and a way to represent update pipeline commands as expressions could be added as part of #5584 in the future.
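The SaveChanges override approach mentioned above, as an added example that is not part of this thread or of EF Core itself. It enforces the organization-scoping rule from the original question on both sides: a global query filter on reads (this needs EF Core 2.0 or later, so it is beyond the 1.x versions discussed here) and a check over the change tracker before any insert/update/delete is turned into SQL. `ICurrentUser`, `IOrganizationScoped`, `Order` and `PolicyViolationException` are assumed names for this example; the EF Core members used (`ChangeTracker.Entries<T>()`, `EntityState`, `PropertyEntry.OriginalValue`, `HasQueryFilter`) are the real APIs.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.ChangeTracking;

// Assumed marker interface: entities that carry the organization key the policy is checked against.
public interface IOrganizationScoped
{
    int OrganizationId { get; }
}

// Assumed sample entity.
public class Order : IOrganizationScoped
{
    public int Id { get; set; }
    public int OrganizationId { get; set; }
    public decimal Amount { get; set; }
}

// Assumed abstraction over the caller's identity (in ASP.NET Core this would typically be
// populated from the request's ClaimsPrincipal).
public interface ICurrentUser
{
    int OrganizationId { get; }
}

public class PolicyViolationException : Exception
{
    public PolicyViolationException(string message) : base(message) { }
}

public class AppDbContext : DbContext
{
    private readonly ICurrentUser _user;

    public AppDbContext(DbContextOptions<AppDbContext> options, ICurrentUser user) : base(options)
    {
        _user = user;
    }

    public DbSet<Order> Orders => Set<Order>();

    // Exposed as a context property because query filters may reference DbContext instance properties.
    private int CurrentOrganizationId => _user.OrganizationId;

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        // Read side (EF Core 2.0+): every query over Orders is restricted to the caller's organization,
        // so a guessed id belonging to another organization returns no row instead of leaking it.
        modelBuilder.Entity<Order>().HasQueryFilter(o => o.OrganizationId == CurrentOrganizationId);
    }

    // Write side: reject any pending insert/update/delete that touches another organization's data.
    private bool Violates(EntityEntry<IOrganizationScoped> e)
    {
        // Current value: covers inserts and edits that re-point a row at another organization.
        if (e.Entity.OrganizationId != _user.OrganizationId)
            return true;

        // Original value: covers a row that belonged to another organization before this change.
        // Relevant when an entity was attached from user input rather than loaded through the filtered DbSet.
        if (e.State != EntityState.Added)
        {
            var original = (int)e.Property(nameof(IOrganizationScoped.OrganizationId)).OriginalValue;
            if (original != _user.OrganizationId)
                return true;
        }
        return false;
    }

    private void EnforceOrganizationPolicy()
    {
        var offending = ChangeTracker.Entries<IOrganizationScoped>()
            .Where(e => e.State == EntityState.Added
                     || e.State == EntityState.Modified
                     || e.State == EntityState.Deleted)
            .FirstOrDefault(Violates);

        if (offending != null)
        {
            throw new PolicyViolationException(
                $"{offending.State} on {offending.Entity.GetType().Name} for organization " +
                $"{offending.Entity.OrganizationId} is not permitted for a user of organization {_user.OrganizationId}.");
        }
    }

    // Both SaveChanges overloads and both async overloads funnel through these two, so overriding
    // the acceptAllChangesOnSuccess variants covers every call path.
    public override int SaveChanges(bool acceptAllChangesOnSuccess)
    {
        EnforceOrganizationPolicy();
        return base.SaveChanges(acceptAllChangesOnSuccess);
    }

    public override Task<int> SaveChangesAsync(bool acceptAllChangesOnSuccess,
                                               CancellationToken cancellationToken = default)
    {
        EnforceOrganizationPolicy();
        return base.SaveChangesAsync(acceptAllChangesOnSuccess, cancellationToken);
    }
}
```

Two caveats a reviewer would raise: the query filter is skipped by `IgnoreQueryFilters()` and by raw SQL, and the SaveChanges hook never sees changes made through raw SQL or the bulk `ExecuteUpdate`/`ExecuteDelete` methods added in EF Core 7, so those paths need their own checks (or should simply not be exposed to request handling code). The hook is also a last line of defence, not a replacement for the application-level authorization recommended earlier in the thread.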

@divega divega removed this from the 1.2.0 milestone Oct 13, 2016
@divega divega removed their assignment Oct 13, 2016
@divega
Contributor

divega commented Oct 13, 2016

Note for triage: I think this can be closed as a dupe of lifecycle hooks #626. I added a comment there about this scenario.

@ajcvickers ajcvickers reopened this Oct 16, 2022
@ajcvickers ajcvickers closed this as not planned Oct 16, 2022