Trying to understand how to use WF rule engine outside of a WWF application. I've only read a blog post on the topic. But I have certain doubts on the feasibility.
My application requirements are as follows:
Web-based UI for writing the rules, and storing them in db.
A windows service will download the rule. A rule execution engine will gather data it requires and execute the rule, and give a result as output.
The rule is simply a set of instructions which must act on a row of a table. The schema of the table is dynamic; however there is some metadata which tells the rule execution engine how to gather the necessary inputs from that row.
I know that rules are usually input using a rules editor; this is a windows form application. This usually generates a *.rules file. The WF rules engine, as per my knowledge, evaluates this file and does the execution of the rule.
The *.rules file is an xml representation of the rule.
Is there any api in the dotnet framework which generates this xml representation? And, can we build a web-based front end for inputting the rules?
Was wondering if there was an api kind of thingy and I came across the following:
http://code.msdn.microsoft.com/windowsdesktop/Creating-Rules-Using-the-23c5d561
It is an api like interface. However it consumes objects from the System.CodeDom namespace (usually various kinds of CodeExpression objects).
To go about using it you have to correctly represent the code expression objects in your front-end via some mechanism (by using xml or json). In the server, i.e. when you post the rule to the server, you have to create the necessary code expression correctly (via parsing) and feed those things to the api.
You need two types of code expression objects - one for evaluation of the rule condition, and the other for the stuff to execute when the rule passes or fails. (I only need stuff to execute when rule passes).
The sample provided there gives you an idea of how to use the api. The rest is something you'd have to build on.
A program source code is commonly represented in memory using an AST. All you'd have to design for is making your own implementation.
If you want to use Windows Workflow Foundation (WF), you must have WF XAML generated - not .rules or XML representation of that (whatever that is). Here is an example of a Workflow XAML file. There are basically three ways to generate this (starting with the least complex method)
By using the designer in Visual Studio
By generating a DynamicActivity-instance runtime and serializing it
By implementing your own generator
To answer your question: Yes - it's option #2. If your rules are very simple (if-then-else) and you don't anticipate them to increase in complexity in the future, option #3 may be a viable alternative as well.
Related
I am looking for a way to programmatically create unit tests using MSTest. I would like to loop through a series of configuration data and create tests dynamically based on the information. The configuration data will not be available at compile time and may come from an external data source such as a database or an XML file. Scenario: Load configuration data into a test harness and loop through the data while creating a new test for each element. Would like each dynamically created test to be reported (success/fail) on separately.
You can use Data Driven Testing depending on how complex your data is. If you are just substituting values and testing to make sure that your code can handle the same inputs that might be the way to go, but this doesn't really sound like what you are after. (You could make this more complex, after all all you are doing is pulling in values from a data source and then making a programmatic decision based on it)
All MS Test really does is run a series of tests and then produce the results (in an xml file) which is then interpreted by the calling application. It's just a wrapper for executing methods that you designate through attributes.
What it sounds like you're asking is to write C# code dynamically, and have it execute in the harness.
If you really want to run this through MS test you could:
Build a method (or series of methods) which looks at the XML file
Write out the C# code (I would maybe look at T4 Templates for this) (Personally, I would use F# to do this, but I'm more partial to functional languages, and this would be easier for me).
Calls the csc.exe (C# compiler)
Invokes MS Test
You could also write MSIL code into the running application directly, and try to get MS Test to execute it, which for some might be fun, but that could be time consuming and not necessarily guaranteed to work (I haven't tried it, so I don't know what the pit falls would be).
Based on this, it might be easier to quickly build your own harness which will interpret your XML file and dynamically build out your test scenarios and produce the same results file. (After all the results are what's important, not how you got there.) Since you said it won't be available during compile time, I would guess that you aren't interested in viewing the results in the VS studio window.
Actually, personally, I wouldn't use XML as your Domain Specific Language (DSL). The parsing of it is easy, because .NET already does that for you, but it's limiting in how it would define how your method can function. It's meant for conveying data, and although technically code is a form of data, it doesn't have the sufficient expressive strength to convey many abilities in more formal language. This is just my personal opinion though, and there are many ways to skin a cat.
I have mail-merge like functionality, which takes a template, some business object, and produces html which is then made into PDF.
I'm using RazorEngine to do the template+model to html bit.
If I let the users specify the templates, what risks am I taking? Is it possible to mitigate any risks?
For example, could the users execute arbitrary code? (delete files, alter database, etc.?) Is there some way I can detect this sort of thing? (I know that would be impossible generally, but the bits of code in the razor template should be model property gets, or possibly if statements based on model property values).
I do basically trust the users here (it's a small private project), but as templating engines go, this one seems excessively powerful for this application.
In version 3 I've introduced an IsolatedTemplateService which supports the parsing/compiling of templates in another AppDomain. You'll be able to control the creation of the application domain that templates will be compiled in, which means you can introduce whatever security requirements you want by applying security policies to the child application domain itself.
In future pushes, I am hoping to introduce a generic way for adding extensions to the pipeline, so you can do things like code generation inspection. I would imagine this will enable scenarios for type checking of the generated code before it is compiled.
I pushed an early version of RazorEngine (v3) onto GitHub a few days ago. Feel free to check it out. https://github.com/Antaris/RazorEngine
A cshtml Razor file is able to execute any. NET code in the context of the site so yes, it is a security risk to permit them to be supplied by users.
You would be better served by accepting a more general HTML template, with custom tokens to input Model data.
I believe that having removed using statements and replacing any #System.[...] like System.IO.File.Delete(filepath) using regex can reduce a fair amount of possible security holes.
Keep in mind that the Template runs inside a context and can access only what is available in it but that includes also .NET Framework assemblies.
During development of a new application, I was wondering how the most flexible solution of a dynamic, let's say ‘scriptable’, system would look like.
In general, I would need a file in plain text (e.g. TXT or XML) wherein I define a trigger (in my example a hex string) and a corresponding action (open a window, execute a SQL transaction, …). I should be able to add new entries without recompiling the whole application.
As you see, it's not really scriptable this way, but I need a solution to define what happens with which input.
Has anyone got some experience with this?
There are various scripting languages you can use inside your .NET application; IronPython being one obvious example, but others are available - javascript for example (talking to your .NET objects; not in a browser). One of these might have some application here?
If you have only simple program flow you can use Windows Workflow Foundation Rules Engine.
Features
Inlcuded in dotnet3.0 runtime, no extra costs
RuleSetDialog can be integrated into your code to edit rules including intellisense
persistable as xml-files.
ruleengine can evaluate expressions and can perform actions
See also
A quick and dirty Rules Engine using Windows Workflow Part1 and Part2
I first found this topic when reading the german languaged magazine dotnetpro 10/2010 on page 30 "Die Rule-Engine aus .NET ohne Workflow benutzen"
Well you can embed a .NET language like IronPython or possibly Boo
AGAIN: If you're voting -1, please leave a comment explaining why. This post isn't about whether or not you approve if this approach, but how to go about it.
Like many architects, I've developed coding standards through years of experience to which I expect my developers to adhere.
This is especially a problem with the crowd that believes that three or four years of experience makes you a senior-level developer.Approaching this as a training and code review issue has generated limited success.
So, I was thinking that it would be great to be able to add custom compile-time errors to the build process to more strictly enforce our in-house best practices and coding standards.
For instance, we use stored procedures for ALL database access, which provides procedure-level security, db encapsulation (table structure is hidden from the app), and other benefits. (Note: I am not interested in starting a debate about this.) Some developers prefer inline SQL or parametrized queries, and that's fine - on their own time and own projects.
I'd like a way to add a compilation check that finds, say, anything that looks like
string sql = "insert into some_table (col1,col2) values (#col1, #col2);"
and generates an error or, in certain circumstances, a warning, with a message like
Inline SQL and parametrized queries are not permitted.
Or, if they use the var keyword
var x = new MyClass();
Variable definitions must be explicitly typed.
Do Visual Studio and MSBuild provide a way to add this functionality? I'm thinking that I could use a regular expression to find unacceptable code and generate the correct error, but I'm not sure what, from a performance standpoint, is the best way to to integrate this into the build process.
We could add a pre- or post-build step to run a custom EXE, but how can I return line- and file-specifc errors? Also, I'd like this to run after compilation of each file, rather than post-link.
Is a regex the best way to perform this type of pattern matching, or should I go crazy and run the code through a C# parser, which would allow node-level validation via the parse tree?
I'd appreciate suggestions and tales of prior experience.
Comments
Several respondents have pointed out that it's possible to restrict the ability of a user to run anything but a stored proc through db permissions. However, we're in the process of porting a 350k+ line application from ASP 3.0 to ASP.NET MVC, and the existing code base relies pretty heavily on concatenated SQL, whereas the new stuff all uses Enterprise Library. I guess I could add a separate web user account for the .NET code with more restrictive permissions.
For coding standards I would look at writing custom rules for FxCop or StyleCop. I don't think Regex would be a suitable tool for the job.
For the specific case of requiring Stored Procedures - if you ensure the application doesn't have permission to do anything else on the production database, everyone will soon fall in line.
What about writing a plugin for Resharper? Here is a tutorial to start with: Writing plug-ins for ReSharper: Part 1 of Undefined
Implicit typing (var x = ....) is a feature that can be turned off on project level in visual studio.
The other one is trickier. Have you had a look at FxCop, which is the tool for enforcing code standards.
The requirement that only stored procedures can be used should be managed through database permissions. The rule against using var seems fairly arbitrary to me and I can't think of a way to enforce it. Do you have any more examples of your best practices?
So here's the concept. I'm trying to write a C# backend for CouchDB (keep reading, this has little or nothing to do with CouchDB).
Here's the basic idea:
1) The DB Driver uploads an arbitrary string to the DB Server.
2) The DB Driver tells the DB server to run the code and produce a view
3) The DB Server loads my C# backend, hands it the input string
4) The DB Server hands the function to the C# backend
5) The DB Server hands the C# backend data to execute the function over
6) The C# Backend executes the code and result the data to the DB Server
7) The DB Server stores, or otherwise sorts and sends the results back to the DB Driver
So the problem I'm having is with the remote code execution. All my models are C# objects. So it'd be really nice to be able to write the code on the front end, and have the code transfered to the back end for execution. Without having to copy DLLs etc. Now currently in CouchDB this query language is JavaScript so it's super simple to just copy the code into a string.
Any options like this in C#? Can I get a string version of a function? Should I create a external server that hosts these DLL assemblies and serves them up to the CouchDB backends? Should I compile them on the front end, and embed the .cs files as a resource? I'm just brainstorming at this point. Any thoughts/ideas/questions are welcome.
Would you be able to achieve this using Expression trees (System.Linq.Expressions)?
Perhaps some means of passing a serialised expression tree to the back end, compiling this into a lambda/Func<> oin the server side and then executing it?
Have not played with them except for some curiosity research when Linq was unveiled, but it may help.
It sounds like what you're looking for is a Javascript style eval method for C#. Unfortunately that does not exist today and is not trivial to implement. The two main approaches for dynamically executing C# code is
Building lightweight methods via Reflection.Emit
Compiling assemblies on the fly (via CodeDom or straight calls to csc).
Another option to consider here is to take advantage of a dynamic language. Starting with C# 4.0, it's very easy to interop with dynamic languages. Instead of the backend being passed C# code, why not pass Python or Ruby and take advantage of the DLR?
Define "function." Is this arbitrary code (which must be dynamically compiled and executed), or a list of methods that could be attached to a class?
If the latter (which is what you should be doing - allowing arbitrary dynamic code execution not only violates the .NET development model (in my opinion - no flames please), it's a huge security risk), you can use a web service.
Web services and WCF services are an excellent way to distribute processing between machines.
There's a couple of projects I've used in the past that might help you out:
Vici Parser
Vici Parser is a .NET library for
late-bound expression parsing and
template rendering. It also includes
an easy to use tokenizer that can be
used for parsing all kinds of file
formats (a full-featured JSON parser
is included).
This Codeproject article
This example shows an "Eval" function
for C# and implements different usages
of this evaluate function. The library
is written in C# and can be tested
with the MainForm in the solution.
Other alternatives include using XSLT scripting (something Umbraco CMS makes use of) and perhaps something like LUA.NET which would enable you to sandbox what the code can do.