The documentation for using Function Monkey with F# is finally on its way! I’ve got an actual documentation site under construction at the moment and it includes video content – the first of which is here!
The full source code, expanded with validation, is available on GitHub.
And as always feedback is welcome on Twitter.
There are a lot of improvements coming in v4 of Function Monkey and the beta is currently available on NuGet. As the full release approaches I thought it would make sense to introduce some of these new capabilities here.
In order to simplyify Azure Functions development Function Monkey makes heavy use of commanding via a mediator and ships with my own mediation library. However there’s a lot of existing code out their that makes use of the popular MediatR library which, if Function Monkey supported, could fairly easily be moved into a serverless execution environment.
Happily Function Monkey now supports just this! You can use my existing bundled mediator, bring your own mediator, or add the shiny new FunctionMonkey.MediatR NuGet package. Here we’re going to take a look at using the latter.
First begin by creating a new, empty, Azure Functions project and add three NuGet packages:
FunctionMonkey FunctionMonkey.Compiler FunctionMonkey.MediatR
At the time of writing be sure to use the prerelease packages version 4.0.39-beta.4 or later.
Next create a folder called Models. Add a class called ToDoItem:
public class ToDoItem
{
public Guid Id { get; set; }
public string Title { get; set; }
public bool IsComplete { get; set; }
}
Now add a folder called Services and add an interface called IRepository:
internal interface IRepository
{
Task<ToDoItem> Create(string title);
}
And a memory based implementation of this called Repository:
internal class Repository : IRepository
{
private readonly List<ToDoItem> _items = new List<ToDoItem>();
public Task<ToDoItem> Create(string title)
{
ToDoItem newItem = new ToDoItem()
{
Title = title,
Id = Guid.NewGuid(),
IsComplete = false
};
_items.Add(newItem);
return Task.FromResult(newItem);
}
}
Now create a folder called Commands and in here create a class called CreateToDoItemCommand:
public class CreateToDoItemCommand : IRequest<ToDoItem>
{
public string Title { get; set; }
}
If you’re familiar with Function Monkey you’ll notice the difference here – we’d normally implement the ICommand<> interface but here we’re implementing MediatR’s IRequest<> interface instead.
Next create a folder called Handlers and in here create a class called CreateToDoItemCommandHandler as shown below:
internal class CreateToDoItemCommandHandler : IRequestHandler<CreateToDoItemCommand, ToDoItem>
{
private readonly IRepository _repository;
public CreateToDoItemCommandHandler(IRepository repository)
{
_repository = repository;
}
public Task<ToDoItem> Handle(CreateToDoItemCommand request, CancellationToken cancellationToken)
{
return _repository.Create(request.Title);
}
}
Again the only real difference here is that rather than implement the ICommandHandler interface we implement the IRequestHandler interface from MediatR.
Finally we need to add our FunctionAppConfiguration class to the root of the project to wire everything up:
public class FunctionAppConfiguration : IFunctionAppConfiguration
{
public void Build(IFunctionHostBuilder builder)
{
builder
.Setup(sc => sc
.AddMediatR(typeof(FunctionAppConfiguration).Assembly)
.AddSingleton<IRepository, Repository>()
)
.UseMediatR()
.Functions(functions => functions
.HttpRoute("todo", route => route
.HttpFunction<CreateToDoItemCommand>(HttpMethod.Post)
)
);
}
}
Again this should look familiar however their are two key differences. Firstly in the Setup block we use MediatR’s IServiceCollection extension method AddMediatR – this will wire up the request handlers in the dependency injector. Secondly the .UseMediatR() option instructs Function Monkey to use MediatR for its command mediation.
And really that’s all their is to it! You can use both requests and notifications and you can find a more fleshed out example of this on GitHub.
As always feedback is welcome on Twitter or over on the GitHub issues page for Function Monkey.
Part 5 of my series on writing Azure Functions with Function Monkey is now available on YouTube:
This part focuses on adding authorisation with the help of an external identity provider – in this case Auth0.
Part 3 of my series on writing Azure Functions with Function Monkey focuses on writing tests using the newly released testing package – while this is by no means required it does make writing high value acceptance tests that use your applications full runtime easy and quick.
It really is amazing how quickly time passes when you’re talking and coding – I really hadn’t realised I’d recorded over an hours footage until I came to edit the video. I thought about splitting it in two but the contents really belonged together so I’ve left it as is.
Part 2 in my series of writing and testing Azure Functions with Function Monkey looks at adding validation and returning appropriate status codes from HTTP requests. Part 3 will look at acceptance testing this.
(Don’t worry – we’re going to look at some additional trigger types soon!)
I made a bunch of changes following some awesome feedback on Twitter and hopefully that results in an improved viewing experience for people.
I still haven’t got the font size right – I used a mix of Windows 10 scaling and zoomed text in Visual Studio but its not quite there. I also need to start thinking of actually using zoom when I’m pointing at something.
Hopefully part 3 I can address more of these things.
I’ve long thought about creating some video content but forever put it off – like many people I dislike seeing and hearing myself on video (as I quipped half in jest, half in horror, on Twitter “I have a face made for radio and a voice for silent movies”). I finally convinced myself to just get on with it and so my first effort is presented below along with some lessons learned.
Hopefully video n+1 will be an improvement on video n in this series – if I can do that I’ll be happy!
This was very much a voyage of discovery – I’ve never attempted recording myself code before and I’ve never edited video before.
To capture the screen and initial audio I used the free OBS Studio which after a little bit of fiddling to persuade it to capture at 4K and user error resulting in the loss of 20 minutes of video worked really well. It was unobtrusive and did what it says on the tin.
I use a good quality 4K display with my desktop machine and so on my first experiment the text was far too smaller, I used the scaling feature in Windows 10 to bump things up to 200% and that seemed about right (but you tell me!).
I sketched out a rough application to build but left things fairly loose as I hoped the video would feel natural and I know from presentations (which I don’t mind at all – in contrast to seeing and hearing myself!) that if I plan too much I get a bit robotic. I also figured I’d be likely to make some mistakes and with a bit of luck they’d be mistakes that would be informative to others.
This mostly worked but I could have done with a little more practice up front as I took myself down a stupid route at one point as my brain struggled with coding and narrating simulatanously! Fortunately I was able to fix this later while editing but I made things harder for myself than it needed to be and there’s a slight alteration in audo tone as I cut the new voice work in.
Having captured the video I transferred it to my MacBook to process in Final Cut Pro X and at this point realised I’d captured the video in flv – a format Final Cut doesn’t import. This necessitated downloading Handbrake to convert the video into something Final Cut could import. Not a big deal but I could have saved myself some time – even a pretty fast Mac takes a while to re-encode 55 minutes of 4K video!
I’d never used Final Cut before but it turned out to be fairly easy to use and I was able to cut out my slurps of coffee and the time wasting uninformative mistake I made. I did have to recut some audio as I realised I’d mangled some names – this was fairly simple but the audio doesn’t sound exactly the same as it did when recorded earlier despite using the same microphone in the same room. Again not the end of the world (I’m not challenging for an Oscar here).
Slightly more irritating – I have a mechanical cherry switch keyboard which I find super pleasant to type on, but carries the downside of making quite a clatter which is really rather loud in the video. Hmmm. I do have an Apple bluetooth keyboard next to me, I may try connecting that to the PC for the next installment but it might impede my typing too much.
Overall that was a less fraught experience than I’d imagined – I did slowly get used to hearing myself while editing the video, though listening to it fresh again a day later some of that discomfort has returned! I’m sure I’ll get used to it in time.
Would love to hear any feedback over on Twitter.
I’ve been meaning to write about a real cloud based project for some time but the criteria a good candidate project needs to fit are challenging:
To expand upon that last point a little – I don’t have the time to build something just for a series of blog posts and if I did I suspect it would be too artificial and essentially would end up a strawman.
The real world and real development is constrained messy, you come across things that you can’t economically solve in an ivory towered fashion. You can’t always predict everything in advance, you get things wrong and don’t always have the time available to start again and so have to do the best that you can with what you have.
In the case of this project I hadn’t really thought about it as a candidate for writing about until I neared the end of building the MVP and so it comes, rather handily, with warts and all. For sure I’ve refactored things but no more than you’d expect to on any time and budget constrained project.
My intention is, over the course of a series of posts, to explore this application in an end to end fashion: the requirements, the architecture, the code, testing, deployment – pretty much its end to end lifecycle. Hopefully this will contain useful nuggets of information that can be applied on other projects and help those new to Azure get up and running.
So what does the project do?
If you’re a keen cyclist you’ll know that you need to check various components on your bike at regular intervals. You’ll also know that some of the components last just long enough that you’ll forget about them – my personal nemesis is chain wear, more than once I’ve taken that to the point where it is likely to start damaging the rear cassette having completely forgotten about it.
I’m fortunate enough to have a rather nice bike and so there is nothing cheap about replacing anything so really not a mistake you want to be making. Many bikes also now contain components that need charging – Di2 and eTap are increasingly common and though I’ve yet to get caught out on a ride I’ve definitely run it closer than I realised.
After the last time I made this mistake I decided to do something about it and thus was born Bike Reminders: a website that links up with Strava to send you reminders as you accrue mileage on each of your bikes. While not a substitute for regularly checking your bike I’m hopeful it will at least give me a prod over chain wear! I contemplated going direct to Garmin but they seem to want circa $5000 for API access and thats a lot of component damage before I break even – ouch.
In terms of an MVP that distilled out into a handful of high level requirements:
There were also some requirements I wanted to keep in mind for the future:
Setting off on the project I set a number of overarching goals / none functional requirements for it:
And although I try not to jump ahead of myself that mapped nicely onto using Azure as a cloud provider with Azure Functions for compute and Azure DevOps and Application Insights for the operational side of things.
The next step was to figure out what I’d need to build – initially I worked this through on a “mental beermat” while out cycling but I like to use the C4 Model to describe software systems. It gives a basic structure and just enough tools to think about and describe systems at different levels of architecture without disappearing up its own backside in complexity and becoming an end in and of itself.
For this fairly simple and greenfield system establishing the big picture was fairly straight forward. It’s initially going to comprise of a website accessed by cyclists with their Strava logins, connecting to Strava for tracking mileage, and sending emails for which I chose SendGrid due to existing familiarity with it.
Breaking this down into more detail forced me to start making some additional decisions. If I was going to build an interactive website / app I’d need some kind of API for which I decided to use Azure Functions. I’ve done a lot of work with them, have a pretty good library for building REST APIs with them (Function Monkey) and they come with a generous free usage allowance which would help me meet my low cost to operate criterion. The event based programming model would also lend itself to handling things like processing queues which is how I envisaged sending emails (hence a message broker – the Azure Service Bus).
For storage I wanted something simple – although at an early stage it seemed to me that I’d be able to store all the key details about cyclists, their bikes and reminders in a JSON document keyed off the cyclists ID. And if something more complex emerged I reasoned it would be easy to convert this kind of format into another. Again cost was a factor and as I couldn’t see, based on my simple requirements, any need for complex queries I decided to at least start with plain old Azure Storage Blob Containers and a filename based on the ID. This would have the advantage of being really simple and really cheap!
The user interface was a simple decision: I’ve done a lot of work with React and I saw no reason it wouldn’t work for this project. Over the last few months I’ve been experimenting with TypeScript and I’ve found it of help with the maintainability of JavaScript projects and so decided to use that from the start on this project.
Finally I needed to figure out how I’d most likely interact with the Strava API to track changes in mileage. They do have a push API that is available by email request but I wanted to start quickly (and this was Christmas and I had no idea how soon I’d hear back from them) and I’d probably have to do some buffering around the ingestion – when you upload a route its not necessarily associated with the right bike (for example my Zwift rides always end up on my main road bike, not my turbo trainer mounted bike) to prevent confusing short term adjustments.
So to begin with I decided to poll Strava once a day for updates which would require some form of scheduling. While I wasn’t expecting huge amounts of overnight for the website Strava do rate limit APIs and so I couldn’t use a timer function with Azure as that would run the risk of overloading the API quite easily. Instead I figured I could use enqueue visibility on the Service Bus and spread out athletes so that the API would never be overloaded. I’ve faced a similar issue before and so I figured this might also make for a useful piece of open source (it did).
All this is summarised in the diagram below:
Mapped (largely) onto Azure I expected the system to look something like the below:
The notable exception is the introduction of Netlify for my static site hosting. While you can host static sites on Azure it is inelegant at best (and the Azure Storage SPA support is useless as you can’t use SSL and a custom domain) and so a few months back I went searching for an alternative and came across Netlify. It makes building, deploying and hosting sites ridiculously easy and so I’ve been gradually switching my work over to here.
I also, currently, don’t have API Management in front of the Azure Functions that present the REST API – the provisioned approach is simply too expensive for this system at the moment and the consumption model, at least at the time of writing, has a horrific cold start time. I do plan to revisit this.
In the next part we’ll break out the code and begin by taking a look at how I structured the Azure Function app.
I’ve written previously about some of the issues with using Cosmos DB as a graph database from .NET. One of the more serious issues, I think, is that the documentation doesn’t really demonstrate how to avoid an injection attack when using Gremlin as it presents examples using hard coded strings which are then just picked up and run through the Gremlin.NET library:
// Gremlin queries that will be executed.
private static Dictionary<string, string> gremlinQueries = new Dictionary<string, string>
{
{ "Cleanup", "g.V().drop()" },
{ "AddVertex 1", "g.addV('person').property('id', 'thomas').property('firstName', 'Thomas').property('age', 44)" },
{ "AddVertex 2", "g.addV('person').property('id', 'mary').property('firstName', 'Mary').property('lastName', 'Andersen').property('age', 39)" },
{ "AddVertex 3", "g.addV('person').property('id', 'ben').property('firstName', 'Ben').property('lastName', 'Miller')" },
{ "AddVertex 4", "g.addV('person').property('id', 'robin').property('firstName', 'Robin').property('lastName', 'Wakefield')" },
{ "AddEdge 1", "g.V('thomas').addE('knows').to(g.V('mary'))" },
{ "AddEdge 2", "g.V('thomas').addE('knows').to(g.V('ben'))" },
{ "AddEdge 3", "g.V('ben').addE('knows').to(g.V('robin'))" },
{ "UpdateVertex", "g.V('thomas').property('age', 44)" },
{ "CountVertices", "g.V().count()" },
{ "Filter Range", "g.V().hasLabel('person').has('age', gt(40))" },
{ "Project", "g.V().hasLabel('person').values('firstName')" },
{ "Sort", "g.V().hasLabel('person').order().by('firstName', decr)" },
{ "Traverse", "g.V('thomas').out('knows').hasLabel('person')" },
{ "Traverse 2x", "g.V('thomas').out('knows').hasLabel('person').out('knows').hasLabel('person')" },
{ "Loop", "g.V('thomas').repeat(out()).until(has('id', 'robin')).path()" },
{ "DropEdge", "g.V('thomas').outE('knows').where(inV().has('id', 'mary')).drop()" },
{ "CountEdges", "g.E().count()" },
{ "DropVertex", "g.V('thomas').drop()" },
};
Focusing in on one of the add vertex examples and how it might be executed with the Gremlin.NET library:
private async Task BadExample()
{
using (GremlinClient client = new GremlinClient(_gremlinServer, new GraphSON2Reader(),
new GraphSON2Writer(), GremlinClient.GraphSON2MimeType))
{
await client.SubmitAsync(
"g.addV('person').property('id', 'thomas').property('firstName', 'Thomas').property('age', 44)");
}
}
We know from years of SQL that examples like this quickly become widespread injection prone pieces of code like the below, particularly if people are new to working with a new database (and in the case of graph databases and Gremlin – that’s most people):
private async Task BadExample(string firstName, int age)
{
using (GremlinClient client = new GremlinClient(_gremlinServer, new GraphSON2Reader(),
new GraphSON2Writer(), GremlinClient.GraphSON2MimeType))
{
await client.SubmitAsync(
$"g.addV('person').property('id', '{firstName.ToLower()}').property('firstName', '{firstName}').property('age', {age})");
}
}
The issue, if you’re not familiar with injection attacks, is that as a user I can enter a ‘ character in the input and break out to add my own code through a user interface that executes on the server – for example I could supply a firstName of:
James').property('myinjectedproperty','hahaha got ya
And I’ve managed to attach some data of my own choosing. Obviously I could do more nefarious things too.
Fortunately Gremlin does support parameterised queries and we can rewrite the code above more safely to look like this and leave the libraries and database to take care of this:
private async Task BetterExample(string firstName, int age)
{
using (GremlinClient client = new GremlinClient(_gremlinServer, new GraphSON2Reader(),
new GraphSON2Writer(), GremlinClient.GraphSON2MimeType))
{
Dictionary<string, object> arguments = new Dictionary<string, object>
{
{ "firstNameAsId", firstName.ToLower() },
{ "firstName", firstName },
{ "age", age }
};
await client.SubmitAsync(
$"g.addV('person').property('id', firstNameAsId).property('firstName', firstName).property('age', age)", arguments);
}
}
With the uptake of Cosmos and Graph databases being new to most people I really wish the Cosmos team would update these docs with a security first mindset and its something I’ve fed back to them previously. Leaving the documentation as it stands is almost certainly going to lead to more insecure code being written than would otherwise be the case.
I’ll probably drop out a few short Cosmos posts over the next few days – I’m doing a lot of (quite interesting!) work with it at the moment.
When I originally posted this piece the library I was using and developing was in an early stage of development. The good news if you’re looking to build REST APIs with Azure Functions its now pretty mature, well documented, and carries the name Function Monkey.
A good jumping off point is this video series here:
Or the getting started guide here:
http://functionmonkey.azurefromthetrenches.com/guides/gettingStarted.html
There are also a few more posts on this blog:
https://www.azurefromthetrenches.com/category/function-monkey/
Original Post
Serverless technologies bring a lot of benefits to developers and organisations running compute activities in the cloud – in fact I’d argue if you’re considering compute for your next solution or looking to evolve an existing platform and you are not considering serverless as a core component then you’re building for the past.
Serverless might not form your whole solution but for the right problem the technology and patterns can be transformational shifting the focus ever further away from managing infrastructure and a platform towards focusing on your application logic.
Azure Functions are Microsoft’s offering in this space and they can be very cost-effective as not only do they remove management burden, scale with consumption, and simplify handling events but they come with a generous monthly free allowance.
That being the case building a REST API on top of this model is a compelling proposition.
However… its a bit awkward. Azure Functions are more abstract than something like ASP.Net Core having to deal with all manner of events in addition to HTTP. For example the out the box example for a function that responds to a HTTP request looks like this:
public static class Function1
{
[FunctionName("Function1")]
public static IActionResult Run([HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)]HttpRequest req, TraceWriter log)
{
log.Info("C# HTTP trigger function processed a request.");
string name = req.Query["name"];
string requestBody = new StreamReader(req.Body).ReadToEnd();
dynamic data = JsonConvert.DeserializeObject(requestBody);
name = name ?? data?.name;
return name != null
? (ActionResult)new OkObjectResult($"Hello, {name}")
: new BadRequestObjectResult("Please pass a name on the query string or in the request body");
}
}
It’s missing all the niceties that come with a more dedicated HTTP framework, there’s no provision for cross cutting concerns, and if you want a nice public route to your Function you also need to build out proxies in a proxies.json file.
I think the boilerplate and cruft that goes with a typical ASP.NET Core project is bad enough and so I wouldn’t want to build out 20 or 30 of those to support a REST API. Its not that there’s anything wrong with what these teams have done (ASP.NET Core and Azure Functions) but they have to ship something that allows for as many user scenarios as possible – whereas simplifying something is generally about making decisions and assumptions on behalf of users and removing things. That I’ve been able to build both my REST framework and now this on top of the respective platforms is testament to a job well done!
In any case to help with this I’ve built out a framework that takes advantage of Roslyn and my commanding mediator framework to enable REST APIs to be created using Azure Functions in a more elegant manner. I had some very specific technical objectives:
Probably the easiest way to illustrate how this works is by way of an example – so fire up Visual Studio 2017 and follow the steps below.
Firstly create a new Azure Function project in Visual Studio. When you’re presented with the Azure Functions new project dialog make sure you use the Azure Functions v2 Preview and create an Empty project:
After your project is created you should see an empty Azure Functions project. The next step is to add the required NuGet packages – using the Package Manager Console run the following commands:
Install-Package FunctionMonkey -pre Install-Package FunctionMonkey.Compiler -pre
The first package adds the references we need for the commanding framework and Function specific components while the second adds an MSBuild build target that will be run as part of the build process to generate an assembly containing our Functions and the corresponding JSON for them.
Next create a folder in the project called Model and into that add a class named BlogPost:
class BlogPost
{
public Guid PostId { get; set; }
public string Title { get; set; }
public string Body { get; set; }
}
Next create a folder in the solution called Queries and into that add a class called GetBlogPostQuery:
public class GetBlogPostQuery : ICommand<BlogPost>
{
public Guid PostId { get; set; }
}
This declares a command which when invoked with a blog post ID will return a blog post.
Now we need to write some code that will actually handle the invoked command – we’ll just write something that returns a blog post with some static content but with a post ID that mirrors that supplied. Create a folder called Handlers and into that add a class called GetBlogPostQueryHandler:
class GetBlogPostQueryHandler : ICommandHandler<GetBlogPostQuery, BlogPost>
{
public Task<BlogPost> ExecuteAsync(GetBlogPostQuery command, BlogPost previousResult)
{
return Task.FromResult(new BlogPost
{
Body = "Our blog posts main text",
PostId = command.PostId,
Title = "Post Title"
});
}
}
At this point we’ve written our application logic and you should have a solution structure that looks like this:
With that in place its time to surface this as a REST end point on an Azure Function. To do this we need to add a class into the project that implements the IFunctionAppConfiguration interface. This class is used in two ways: firstly the FunctionMonkey.Compiler package will look for this in order to compile the assembly containing our function triggers and the associated JSON, secondly it will be invoked at runtime to provide an operating environment that supplies implementations for our cross cutting concerns.
Create a class called ServerlessBlogConfiguration and add it to the root of the project:
public class ServerlessBlogConfiguration : IFunctionAppConfiguration
{
public void Build(IFunctionHostBuilder builder)
{
builder
.Setup((serviceCollection, commandRegistry) =>
{
commandRegistry.Discover<ServerlessBlogConfiguration>();
})
.Functions(functions => functions
.HttpRoute("/api/v1/post", route => route
.HttpFunction<GetBlogPostQuery>(HttpMethod.Get)
)
);
}
}
The interface requires us to implement the Build method and this is supplied a IFunctionHostBuilder and its this we use to define both our Azure Functions and a runtime environment. In this simple case its very simple.
Firstly in the Setup method we use the supplied commandRegistry (an ICommandRegistry interface – for more details on my commanding framework please see the documentation here) to register our command handlers (our GetBlogPostQueryHandler class) via a discovery approach (supplying ServerlessBlogConfiguration as a reference type for the assembly to search). The serviceCollection parameter is an IServiceCollection interface from Microsofts IoC extensions package that we can use to register any further dependencies.
Secondly we define our Azure Functions based on commands. As we’re building a REST API we can also group HTTP functions by route (this is optional – you can just define a set of functions directly without routing) essentially associating a command type with a verb. (Quick note on routes: proxies don’t work in the local debug host for Azure Functions but a proxies.json file is generated that will work when the functions are published to Azure).
If you run the project you should see the Azure Functions local host start and a HTTP function that corresponds to our GetBlogPostQuery command being exposed:
The function naming uses a convention based approach which will give each function the same name as the command but remove a postfix of Command or Query – hence GetBlogPost.
If we run this in Postman we can see that it works as we’d expect – it runs the code in our GetBlogPostQueryHandler:
The example here is fairly simple but already a little cleaner than rolling out functions by hand. However it starts to come into its own when we have more Functions to define. Lets elaborate on our configuration block:
public class ServerlessBlogConfiguration : IFunctionAppConfiguration
{
private const string ObjectIdentifierClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier";
public void Build(IFunctionHostBuilder builder)
{
builder
.Setup((serviceCollection, commandRegistry) =>
{
serviceCollection.AddTransient<IPostRepository, CosmosDbPostRepository>();
commandRegistry.Discover<ServerlessBlogConfiguration>();
})
.Authorization(authorization => authorization
.TokenValidator<BearerTokenValidator>()
.Claims(mapping => mapping
.MapClaimToCommandProperty(ClaimTypes.ObjectIdentifierClaimType, "AuthenticatedUserId"))
)
.Functions(functions => functions
.HttpRoute("/api/v1/post", route => route
.HttpFunction<GetBlogPostQuery>("/{postId}", HttpMethod.Get)
.HttpFunction<CreateBlogPostCommand>(HttpMethod.Post)
)
.HttpRoute("/api/v1/user", route => route
.HttpFunction<GetUserProfileQuery>(HttpMethod.Get)
.HttpFunction<UpdateProfileCommand>(HttpMethod.Put)
.HttpFunction<GetUserBlogPostsQuery>("/posts", HttpMethod.Get)
)
.StorageQueueFunction<CreateZipBackupCommand>("StorageAccountConnectionString", "BackupQueue")
);
}
}
In this example we’ve defined more API endpoints and we’ve also introduced a Function with a storage queue trigger – this will behave just like our HTTP functions but instead of being triggered by an HTTP request will be triggered by an item on a queue and so applying the same principles to this trigger type (note: I haven’t yet pushed this to the public package).
You can also see me registering a dependency in our IoC container – this will be available for injection across the system and into any of our command handlers.
We’ve also added support for token based security with our Authorization block – this adds in a class that validates tokens and builds a ClaimsPrincipal from them which we can then use by mapping claims onto the properties of our commands. This works in exactly the same way as it does on my REST API commanding library and with or without claims mapping or Authorization sensitive properties can be prevented from user access with the SecurityPropertyAttribute in the same way as in the REST API library too.
The code for the above can be found in GitHub.
Development Status
The eagle eyed will have noticed that these packages I’ve referenced here are in preview (as is the v2 Azure Functions runtime itself) and for sure I still have more work to do but they are already usable and I’m using them in three different serverless projects at the moment – as such development on them is moving quite fast, I’m essentially dogfooding.
As a rough roadmap I’m planning on tackling the following things (no particular order, they’re all important before I move out of beta):
I’ve pushed this out as a couple of people have been asking if they can take a look and I’d really like to get some feedback on it. The code for the implementation of the NuGet packages is in GitHub here (make sure you’re in the develop branch).
Please do let me have any feedback over on Twitter or on the GitHub Issues page for this project.
Over the last year or two, as many visitors to my blog and Twitter will know, I’ve been spending significant time and effort advocating approaches that allow a codebase and architecture to be “best fit” for its stage in the development lifecycle while being able to evolve as your product, systems and customers evolve.
As an example for early stage projects this is often about building a modular monolith that can be evolved into micro-services as market fit is achieved, the customer base grows, and both the systems and development teams need to scale.
The underlying principals with which I approach this are both organisational and technical.
On the technical side the core of the approach is to express operations as state and execute them through a mediator rather than, as in a more traditional (layered) architecture, through direct compile time interfaces and implementations. In other words I dispatch commands and queries as POCOs rather than calling methods on an interface. These operations are then executed somewhere, somehow, by a command handler.
One of the many advantages of this approach is that you can configure the mediator to behave in different ways based on the type of the command – you might choose to execute a command immediately in memory or you might dispatch it to a queue and execute it asynchronously somewhere else. And you can do this without changing any of your business logic.
It’s really what my command mediator framework is all about and at this point its getting pretty mature with a solid core and a growing number of extensions. For a broader introduction to this architectural pattern I have a series on this blog which covers moving from a, perhaps more familiar to many, “layered” approach to one based around a mediator.
However as I used this approach over a number of projects I still found myself writing very similar ASP.Net Core code time and time again to support a REST API. Nothing complicated but it was still repetitive, still onerous, and still error prone.
What I was doing, directly or otherwise, was exposing the commands on HTTP endpoints. Which makes sense – in a system built around operations expressed as commands then a subset of those commands are likely to need to be invoked via a REST API. However the payload didn’t always come exclusively from the endpoint payload (be that a request body or route parameters) – sometimes properties were sourced from claims.
It struck me that given this I had all the information I needed to generate a REST API based on the command definitions themselves and some basic configuration and so invested some time in building a new extension package for my framework: AzureFromTheTrenches.Commanding.AspNetCore.
This allows you to take a completely “code free” (ASP.Net code) approach to exposing a command based system as a set of REST APIs simply by supplying some basic configuration. An example configuration based on a typical ASP.Net startup block is shown below:
public void ConfigureServices(IServiceCollection services)
{
// Configure a dependency resolver adapter around IServiceCollection and add the commanding
// system to the service collection
ICommandingDependencyResolverAdapter commandingAdapter =
new CommandingDependencyResolverAdapter(
(fromType,toInstance) => services.AddSingleton(fromType, toInstance),
(fromType,toType) => services.AddTransient(fromType, toType),
(resolveType) => ServiceProvider.GetService(resolveType)
);
// Add the core commanding framework and discover our command handlers
commandingAdapter.AddCommanding().Discover<Startup>();
// Add MVC to our dependencies and then configure our REST API
services
.AddMvc()
.AddAspNetCoreCommanding(cfg => cfg
// configure our controller and actions
.Controller("Posts", controller => controller
.Action<GetPostQuery>(HttpMethod.Get, "{Id}")
.Action<GetPostsQuery,FromQueryAttribute>(HttpMethod.Get)
.Action<CreatePostCommand>(HttpMethod.Post)
)
);
}
If we enable Swagger too then that gives us an API that looks like this:
There is, quite literally, no other ASP.Net code involved – there are no controllers to write.
So how does it work? Essentially by writing and compiling the controllers for you using Roslyn and adding a couple of pieces of ASP.Net Core plumbing (but nothing that interferes with the broader running of ASP.Net – you can mix and match command based controllers with hand written controllers) as shown in the diagram below:
Essentially you bring along the configuration block (as shown in the code sample earlier) and your commands and the framework will do the rest.
I have a quickstart and detailed documentation available on the frameworks documentation site but I’m going to take a different perspective on this here and break down a more complex configuration block than that I showed above:
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
ICommandingDependencyResolverAdapter commandingAdapter =
new CommandingDependencyResolverAdapter(
(fromType,toInstance) => services.AddSingleton(fromType, toInstance),
(fromType,toType) => services.AddTransient(fromType, toType),
(resolveType) => ServiceProvider.GetService(resolveType)
);
ICommandRegistry commandRegistry = commandingAdapter.AddCommanding().Discover<Startup>();
services
.Replace(new ServiceDescriptor(typeof(ICommandDispatcher), typeof(ApplicationErrorAwareCommandDispatcher), ServiceLifetime.Transient))
.AddMvc(mvc => mvc.Filters.Add(new FakeClaimsProvider()))
.AddAspNetCoreCommanding(cfg => cfg
.DefaultControllerRoute("/api/v1/[controller]")
.Controller("Posts", controller => controller
.Action<GetPostQuery>(HttpMethod.Get, "{Id}")
.Action<GetPostsQuery,FromQueryAttribute>(HttpMethod.Get)
.Action<CreatePostCommand>(HttpMethod.Post)
)
.Claims(mapping => mapping.MapClaimToPropertyName("UserId", "AuthenticatedUserId"))
)
.AddFluentValidation();
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new Info { Title = "Headless Blog API", Version = "v1" });
c.AddAspNetCoreCommanding();
});
}
Firstly we register the commanding framework:
ICommandingDependencyResolverAdapter commandingAdapter =
new CommandingDependencyResolverAdapter(
(fromType,toInstance) => services.AddSingleton(fromType, toInstance),
(fromType,toType) => services.AddTransient(fromType, toType),
(resolveType) => ServiceProvider.GetService(resolveType)
);
ICommandRegistry commandRegistry = commandingAdapter.AddCommanding().Discover<Startup>();
If you’ve used this framework below then this will be quite familiar code – we create an adapter for our IoC container (the framework itself is agnostic of IoC container and uses an adapter to work with any IoC framework of your choice) and then register the commanding infrastructure with it and finally we use the .Discover method to search for and register command handlers in the same assembly as our Startup class.
Next we begin to register our other services, including MVC, with our IoC container:
services
.Replace(new ServiceDescriptor(typeof(ICommandDispatcher), typeof(ApplicationErrorAwareCommandDispatcher), ServiceLifetime.Transient))
The first service we register is a command dispatcher – as we’ll see shortly this is a decorator for the framework provided dispatcher. This is entirely optional but its quite common to want to apply cross cutting concerns to every operation and implementing a decorator like this is an excellent place to do so. In our example we want to translate application errors that occur during command handling into appropriate HTTP responses. The code for this decorator is shown below:
public class ApplicationErrorAwareCommandDispatcher : ICommandDispatcher
{
private readonly IFrameworkCommandDispatcher _underlyingCommandDispatcher;
public ApplicationErrorAwareCommandDispatcher(IFrameworkCommandDispatcher underlyingCommandDispatcher)
{
_underlyingCommandDispatcher = underlyingCommandDispatcher;
}
public async Task<CommandResult<TResult>> DispatchAsync<TResult>(ICommand<TResult> command, CancellationToken cancellationToken = new CancellationToken())
{
try
{
CommandResult<TResult> result = await _underlyingCommandDispatcher.DispatchAsync(command, cancellationToken);
if (result.Result == null)
{
throw new RestApiException(HttpStatusCode.NotFound);
}
return result;
}
catch (CommandModelException ex)
{
ModelStateDictionary modelStateDictionary = new ModelStateDictionary();
modelStateDictionary.AddModelError(ex.Property, ex.Message);
throw new RestApiException(HttpStatusCode.BadRequest, modelStateDictionary);
}
}
public Task<CommandResult> DispatchAsync(ICommand command, CancellationToken cancellationToken = new CancellationToken())
{
return _underlyingCommandDispatcher.DispatchAsync(command, cancellationToken);
}
public ICommandExecuter AssociatedExecuter { get; } = null;
}
Essentially this traps a specific exception raised from our handlers (CommandModelException) and translates it into model state information and rethrows that as a RestApiException. The RestApiException is an exception defined by the framework that our configuration based controllers expect to handle and will catch and translate into the appropraite HTTP result. In our case a BadRequest with the model state as the response.
This is a good example of the sort of code that, if you write controllers by hand, you tend to find yourself writing time and time again – and even if you write a base class and helpers you still need to write the code that invokes them for each action in each controller and its not uncommon to find inconsistencies creeping in over time or things being outright missed.
Returning to our configuration block the next thing we add to the service collection is ASP.Net Core MVC:
.AddMvc(mvc => mvc.Filters.Add(new FakeClaimsProvider()))
In the example I’m basing this on I want to demonstrate the claims support without having to have everybody set up a real identity provider and so I also add a global resource filter that simply adds some fake claims to our identity model.
AddMvc returns an IMvcBuilder interface that can be used to provide additional configuration and this is what the REST commanding framework configures in order to expose commands as REST endpoints and so the next line adds our framework components to MVC and then supplies a builder of its own for configuring our endpoints and other behaviours:
.AddAspNetCoreCommanding(cfg => cfg
On the next line we use of the configurations options exposed by the framework to replace the default controller route prefix with a versioned one:
.DefaultControllerRoute("/api/v1/[controller]")
This is entirely optional and if not specified the framework will simply to default to the same convention used by ASP.Net Core (/api/[controller]).
Next we have a simple repition of the block we looked at earlier:
.Controller("Posts", controller => controller
.Action<GetPostQuery>(HttpMethod.Get, "{Id}")
.Action<GetPostsQuery,FromQueryAttribute>(HttpMethod.Get)
.Action<CreatePostCommand>(HttpMethod.Post)
)
This defines a controller called Posts (the generated class name will be PostsController) and then assigns 3 actions to it to give us endpoints we saw in the Swagger definition:
For more information on how actions can be configured take a look at this here.
Next we instruct the framework to map the claim named UserId onto any command property called AuthenticatedUserId:
.Claims(mapping => mapping.MapClaimToPropertyName("UserId", "AuthenticatedUserId"))
Their is another variant of the claims mapper declaration that allows properties to be configured on a per command basis though if you are starting with a greenfield solution taking a consistent approach to naming can simplify things.
Data sourced from claims is generally not something you want a user to be able to supply – for example if they can supply a different user ID in our example here then that might lead to a data breach with users being able to access inappropriate data. In order to ensure this cannot happen the framework supplies an attribute, SecurityPropertyAttribute, that enables properties to be marked as sensitive. For example here’s the CreatePostCommand from the example we are looking at:
public class CreatePostCommand : ICommand<PublishedPost>
{
// Marking this property with the SecurityProperty attribute means that the ASP.Net Core Commanding
// framework will not allow binding to the property except by the claims mapper
[SecurityProperty]
public Guid AuthenticatedUserId { get; set; }
public string Title { get; set; }
public string Body { get; set; }
}
The framework installs extensions into ASP.Net Core that adjust model metadata and binding (including from request bodies – that ASP.Net Core behaves somewhat inconsistently with) to ensure that they cannot be written to from an endpoint and, as we’ll see shortly, are hidden from Swagger.
The final line of our MVC builder extensions replaces the built in validation with Fluent Validation:
.AddFluentValidation();
This is optional and you can use the attribute based validation model (or any other validation model) with the command framework however if you do so you’re baking validation data into your commands and this can be limiting: for example you may want to apply different validations based on context (queue vs. REST API). It’s important to note that validation, and all other ASP.Net Core functionality, will be applied to the commands as they pass through its pipeline – their is nothing special about them at all other than what I outlined above in terms of sensitive properties. This framework really does just build on ASP.Net Core – it doesn’t subvert it or twist it in some abominable way.
Then finally we add a Swagger endpoint using Swashbuckle:
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new Info { Title = "Headless Blog API", Version = "v1" });
c.AddAspNetCoreCommanding();
});
The call to AddAspNetCoreCommanding here adds schema filters into Swagger that understand how to interpret the SecurityPropertyAttribute attribute and will prevent those properties from appearing in the Swagger document.
By taking the approach outlined in this post we’ve greatly reduced the amount of code we need to write eliminating all the boilerplate normally associated with writing a REST API in ASP.Net Core and we’ve completely decoupled our application logic from communication protocols, runtime model and host.
Simplistically less code gives us less to test, less to review, lower maintenance, improved consistency and fewer defects.
And we’ve gained a massive amount of flexibility in our application architecture that allows us to tailor our approach to best fit our project at a given point in time / stage of development lifecycle and more easily take advantage of new technologies.
To give a flavour of the latter, support for Azure Functions is currently under development allowing for the same API and underlying implementation to be expressed in a serverless model simply by adopting a new NuGet package and changing the configuration to the below (please bear in mind this comes from the early, but functional, work in progress and so is liable to change):
public class FunctionAppConfiguration : IFunctionAppConfiguration
{
public void Build(IFunctionHostBuilder builder)
{
builder
// register services and commands
.Setup((services, commandRegistry) => commandRegistry.Discover<FunctionAppConfiguration>())
// register functions - by default the functions will be given the name of the command minus the postfix Command and use the GET verb
.Functions(functions => functions
.HttpFunction<GetPostsQuery>()
.HttpFunction<GetPostQuery>()
.HttpFunction<CreatePostCommand>(function => function.AddVerb(HttpMethod.Post))
);
}
}
In addition to bringing the same benefits to Functions as the approach above does to ASP.Net Core this also provides, to my eyes, a cleaner approach for expressing Function triggers and provides structure for things like an IoC container.
GiottoPress by Enrique Chavez
Recent Comments